From 03e810ec72b5fb0b5ce84e8e4fcbbd3b5debf558 Mon Sep 17 00:00:00 2001 From: Ondrej Kozina Date: Fri, 1 Mar 2019 11:44:49 +0100 Subject: [PATCH] Split crypt_drop_keyring_key in two different routines. crypt_drop_keyring_key function allow to drop all keys in keyring assocatiated with passed volume key list. crypt_drop_keyring_key_by_description is used to drop independent key. --- lib/internal.h | 3 ++- lib/luks2/luks2_token.c | 8 ++++---- lib/setup.c | 42 ++++++++++++++++++++++++++--------------- 3 files changed, 33 insertions(+), 20 deletions(-) diff --git a/lib/internal.h b/lib/internal.h index 8e544ec8..2c3e0e01 100644 --- a/lib/internal.h +++ b/lib/internal.h @@ -226,7 +226,8 @@ int crypt_key_in_keyring(struct crypt_device *cd); void crypt_set_key_in_keyring(struct crypt_device *cd, unsigned key_in_keyring); int crypt_volume_key_load_in_keyring(struct crypt_device *cd, struct volume_key *vk); int crypt_use_keyring_for_vk(struct crypt_device *cd); -void crypt_drop_keyring_key(struct crypt_device *cd, const char *key_description); +void crypt_drop_keyring_key_by_description(struct crypt_device *cd, const char *key_description, key_type_t ktype); +void crypt_drop_keyring_key(struct crypt_device *cd, struct volume_key *vks); static inline uint64_t version(uint16_t major, uint16_t minor, uint16_t patch, uint16_t release) { diff --git a/lib/luks2/luks2_token.c b/lib/luks2/luks2_token.c index 58ba61d8..2e9bda01 100644 --- a/lib/luks2/luks2_token.c +++ b/lib/luks2/luks2_token.c @@ -410,8 +410,8 @@ int LUKS2_token_open_and_activate(struct crypt_device *cd, if (r >= 0 && name) r = LUKS2_activate(cd, name, vk, flags); - if (r < 0 && vk) - crypt_drop_keyring_key(cd, vk->key_description); + if (r < 0) + crypt_drop_keyring_key(cd, vk); crypt_free_volume_key(vk); return r < 0 ? r : keyslot; 
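Review bot: Neither new prototype carries a comment, and the renamed `crypt_drop_keyring_key` now takes a list head instead of a description string, so a caller reading only this header cannot tell that every entry of `vks` is revoked or that a NULL list is accepted (both follow from the loop added in lib/setup.c). I would put a one-line comment above each: `/* Revoke and unlink the keyring key named by key_description, of type ktype; NULL description is a no-op. */` and `/* Revoke the LOGON keyring key of every volume key in the list vks; NULL list is a no-op. */`. The declarations also rely on `key_type_t` being visible in this header through an include that lies outside the hunk; worth confirming nothing new is needed there.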
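Review bot: Dropping the `&& vk` guard turns the NULL tolerance of `crypt_drop_keyring_key` into a silent precondition of this error path; `vk` is presumably still NULL here whenever no key was produced before `r` went negative. A one-line comment keeps that explicit: `/* vk may be NULL on failure; crypt_drop_keyring_key accepts a NULL list */`. The same guard removal appears in the @@ -455 hunk of this file and in the @@ -2992, @@ -3061, @@ -3687 and @@ -3955 hunks of lib/setup.c; either the comment goes at each site or the NULL contract is documented once on the prototype in lib/internal.h. LUKS2_token_open_and_activate begins before this hunk.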
@@ -455,8 +455,8 @@ int LUKS2_token_open_and_activate_any(struct crypt_device *cd, if (r >= 0 && name) r = LUKS2_activate(cd, name, vk, flags); - if (r < 0 && vk) - crypt_drop_keyring_key(cd, vk->key_description); + if (r < 0) + crypt_drop_keyring_key(cd, vk); crypt_free_volume_key(vk); return r < 0 ? r : keyslot; diff --git a/lib/setup.c b/lib/setup.c index 44c7a7ef..bb0403f3 100644 --- a/lib/setup.c +++ b/lib/setup.c @@ -2928,7 +2928,7 @@ int crypt_suspend(struct crypt_device *cd, else if (r) log_err(cd, _("Error during suspending device %s."), name); else - crypt_drop_keyring_key(cd, key_desc); + crypt_drop_keyring_key_by_description(cd, key_desc, LOGON_KEY); free(key_desc); out: dm_backend_exit(cd); @@ -2992,8 +2992,8 @@ int crypt_resume_by_passphrase(struct crypt_device *cd, else if (r) log_err(cd, _("Error during resuming device %s."), name); out: - if (r < 0 && vk) - crypt_drop_keyring_key(cd, vk->key_description); + if (r < 0) + crypt_drop_keyring_key(cd, vk); crypt_free_volume_key(vk); return r < 0 ? r : keyslot; @@ -3061,8 +3061,8 @@ int crypt_resume_by_keyfile_device_offset(struct crypt_device *cd, log_err(cd, _("Error during resuming device %s."), name); out: crypt_safe_free(passphrase_read); - if (r < 0 && vk) - crypt_drop_keyring_key(cd, vk->key_description); + if (r < 0) + crypt_drop_keyring_key(cd, vk); crypt_free_volume_key(vk); return r < 0 ? r : keyslot; } @@ -3687,8 +3687,8 @@ static int _activate_by_passphrase(struct crypt_device *cd, r = -EINVAL; } out: - if (r < 0 && vk) - crypt_drop_keyring_key(cd, vk->key_description); + if (r < 0) + crypt_drop_keyring_key(cd, vk); crypt_free_volume_key(vk); return r < 0 ? r : keyslot; @@ -3955,8 +3955,8 @@ int crypt_activate_by_volume_key(struct crypt_device *cd, r = -EINVAL; } - if (r < 0 && vk) - crypt_drop_keyring_key(cd, vk->key_description); + if (r < 0) + crypt_drop_keyring_key(cd, vk); crypt_free_volume_key(vk); return r; 
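Review bot: Both call sites that move to `crypt_drop_keyring_key_by_description` (here in crypt_suspend and in the @@ -4016 hunk of crypt_deactivate_by_name) hard-code `LOGON_KEY`, while `key_desc` is built outside the hunk, so nothing at the call ties the description to the type the key was presumably loaded with by `crypt_volume_key_load_in_keyring`. A comment at each site, `/* key_desc names the logon-type key; keep the type in sync with how the volume key is loaded */`, or a small wrapper that supplies the type would stop the two from drifting. The revoke also runs only on the success branch, so a failed suspend intentionally leaves the key linked for the still-active device; that deserves a comment as well. crypt_suspend begins before this hunk.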
@@ -4016,7 +4016,7 @@ int crypt_deactivate_by_name(struct crypt_device *cd, const char *name, uint32_t r = dm_remove_device(cd, namei, 0); } if (!r) - crypt_drop_keyring_key(cd, key_desc); + crypt_drop_keyring_key_by_description(cd, key_desc, LOGON_KEY); free(key_desc); break; case CRYPT_INACTIVE: @@ -5413,21 +5413,33 @@ void crypt_set_key_in_keyring(struct crypt_device *cd, unsigned key_in_keyring) } /* internal only */ -void crypt_drop_keyring_key(struct crypt_device *cd, const char *key_description) +void crypt_drop_keyring_key_by_description(struct crypt_device *cd, const char *key_description, key_type_t ktype) { int r; + const char *type_name = key_type_name(ktype); - if (!key_description) + if (!key_description || !type_name) return; - log_dbg(cd, "Requesting keyring logon key for revoke and unlink."); + log_dbg(cd, "Requesting keyring %s key for revoke and unlink.", type_name); - r = keyring_revoke_and_unlink_key(LOGON_KEY, key_description); + r = keyring_revoke_and_unlink_key(ktype, key_description); if (r) - log_dbg(cd, "keyring_revoke_and_unlink_logon_key failed (error %d)", r); + log_dbg(cd, "keyring_revoke_and_unlink_key failed (error %d)", r); crypt_set_key_in_keyring(cd, 0); } +/* internal only */ +void crypt_drop_keyring_key(struct crypt_device *cd, struct volume_key *vks) +{ + struct volume_key *vk = vks; + + while (vk) { + crypt_drop_keyring_key_by_description(cd, vk->key_description, LOGON_KEY); + vk = crypt_volume_key_next(vk); + } +} + int crypt_activate_by_keyring(struct crypt_device *cd, const char *name, const char *key_description,
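Review bot: `crypt_drop_keyring_key_by_description` still calls `crypt_set_key_in_keyring(cd, 0)` even when `keyring_revoke_and_unlink_key` returned an error, so after a failed revoke the device flag says no key is in the keyring while the key may still be linked; this predates the commit, but the rewrite is the place to settle it. If the flag is meant to track whether a key we loaded is still present, clear it only on success, `if (r) log_dbg(cd, "keyring_revoke_and_unlink_key failed (error %d)", r); else crypt_set_key_in_keyring(cd, 0);`; if it is deliberately cleared regardless, a comment saying why would stop the next reader from "fixing" it. A NULL `type_name` (unrecognised ktype) returns as silently as a NULL description, so a `log_dbg` in that branch would make a bad ktype visible. In the new `crypt_drop_keyring_key` the copy into `vk` and the `while` read more directly as `for (struct volume_key *vk = vks; vk; vk = crypt_volume_key_next(vk))`, and both functions need a comment stating that `vks` is a list head, that NULL is accepted, and that every entry is revoked as a LOGON key.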