Retain keyslot number in luksChangeKey for LUKS2.

With JSON, we can actually retain the slot number in all cases (except user intentionally set new slot #). This patch changes the crypt_keyslot_change_by_passphrase() API call to retain keyslot number for LUKS2. Fixes: #464
2025-12-12 03:10:08 +01:00 · 2021-01-29 09:54:49 +01:00
parent 5a252c9166
commit 04b781d613
5 changed files with 68 additions and 16 deletions
--- a/lib/luks2/luks2.h
+++ b/lib/luks2/luks2.h
@@ -224,6 +224,11 @@ int LUKS2_keyslot_priority_set(struct crypt_device *cd,
 	crypt_keyslot_priority priority,
 	int commit);

+int LUKS2_keyslot_swap(struct crypt_device *cd,
+	struct luks2_hdr *hdr,
+	int keyslot,
+	int keyslot2);
+
 /*
 * Generic LUKS2 token
 */
--- a/lib/luks2/luks2_keyslot.c
+++ b/lib/luks2/luks2_keyslot.c
@@ -935,3 +935,40 @@ int LUKS2_find_keyslot(struct luks2_hdr *hdr, const char *type)

 	return -ENOENT;
 }
+
+/* assumes valid header, it does not move references in tokens/digests etc! */
+int LUKS2_keyslot_swap(struct crypt_device *cd, struct luks2_hdr *hdr,
+	int keyslot, int keyslot2)
+{
+	json_object *jobj_keyslots, *jobj_keyslot, *jobj_keyslot2;
+	int r;
+
+	if (!json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots))
+		return -EINVAL;
+
+	jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
+	if (!jobj_keyslot)
+		return -EINVAL;
+
+	jobj_keyslot2 = LUKS2_get_keyslot_jobj(hdr, keyslot2);
+	if (!jobj_keyslot2)
+		return -EINVAL;
+
+	/* This transfer owner of object, no need for json_object_put */
+	json_object_get(jobj_keyslot);
+	json_object_get(jobj_keyslot2);
+
+	json_object_object_del_by_uint(jobj_keyslots, keyslot);
+	r = json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot2);
+	if (r < 0) {
+		log_dbg(cd, "Failed to swap keyslot %d.", keyslot);
+		return r;
+	}
+
+	json_object_object_del_by_uint(jobj_keyslots, keyslot2);
+	r = json_object_object_add_by_uint(jobj_keyslots, keyslot2, jobj_keyslot);
+	if (r < 0)
+		log_dbg(cd, "Failed to swap keyslot2 %d.", keyslot2);
+
+	return r;
+}