eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-06 00:10:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add --key-description and --new-key-description for luksAddKey command.

Browse Source
This commit is contained in:
Milan Broz
2024-02-14 15:53:59 +01:00
parent 73975857a3
commit 1e58ad570e
3 changed files with 49 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
man/common_options.adoc
View File

@@ -441,7 +441,7 @@ it is requested.
Reencrypt only the LUKS1 header and keyslots. Skips data in-place reencryption.
endif::[]
ifdef::ACTION_OPEN,ACTION_LUKSFORMAT,ACTION_LUKSDUMP,ACTION_RESIZE,ACTION_LUKSRESUME,ACTION_TOKEN[]
ifdef::ACTION_OPEN,ACTION_LUKSFORMAT,ACTION_LUKSDUMP,ACTION_RESIZE,ACTION_LUKSRESUME,ACTION_LUKSADDKEY,ACTION_TOKEN[]
*--key-description <text>*::
Set key description in keyring that will be used for passphrase retrieval.
endif::[]
@@ -666,7 +666,7 @@ Supplying more than the compiled in maximum aborts the operation. When
--new-keyfile-offset is also given, reading starts after the offset.
endif::[]
ifdef::UNUSED[]
ifdef::ACTION_LUKSADDKEY[]
*--new-key-description <text>*::
Set key description in keyring that will be used for new passphrase retrieval.
endif::[]

93
src/cryptsetup.c
View File

@@ -98,6 +98,7 @@ static int _set_keyslot_encryption_params(struct crypt_device *cd)
}
static int init_keyslot_context(struct crypt_device *cd,
const char *msg,
char **password, size_t *passwordLen, bool verify, bool pwquality,
bool reencrypt, /* tmp hack to use old get_key */
struct crypt_keyslot_context **kc)
@@ -111,7 +112,7 @@ static int init_keyslot_context(struct crypt_device *cd,
ARG_UINT32(OPT_KEYFILE_SIZE_ID),
ARG_UINT64(OPT_KEYFILE_OFFSET_ID), kc);
else if (password) {
r = tools_get_key(NULL, password, passwordLen, ARG_UINT64(OPT_KEYFILE_OFFSET_ID),
r = tools_get_key(msg, password, passwordLen, ARG_UINT64(OPT_KEYFILE_OFFSET_ID),
ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
ARG_UINT32(OPT_TIMEOUT_ID), verify, pwquality, cd);
if (r < 0)
@@ -122,6 +123,31 @@ static int init_keyslot_context(struct crypt_device *cd,
return r;
}
static int init_new_keyslot_context(struct crypt_device *cd,
const char *msg,
char **password, size_t *passwordLen, bool verify, bool pwquality,
struct crypt_keyslot_context **kc)
{
int r = -EINVAL;
if (ARG_SET(OPT_NEW_KEY_DESCRIPTION_ID))
r = crypt_keyslot_context_init_by_keyring(cd, ARG_STR(OPT_NEW_KEY_DESCRIPTION_ID), kc);
else if (ARG_SET(OPT_NEW_KEYFILE_ID) && !tools_is_stdin(ARG_STR(OPT_NEW_KEYFILE_ID)))
r = crypt_keyslot_context_init_by_keyfile(cd, ARG_STR(OPT_NEW_KEYFILE_ID),
ARG_UINT32(OPT_NEW_KEYFILE_SIZE_ID),
ARG_UINT64(OPT_NEW_KEYFILE_OFFSET_ID), kc);
else if (password) {
r = tools_get_key(msg, password, passwordLen, ARG_UINT64(OPT_NEW_KEYFILE_OFFSET_ID),
ARG_UINT32(OPT_NEW_KEYFILE_SIZE_ID), ARG_STR(OPT_NEW_KEYFILE_ID),
ARG_UINT32(OPT_TIMEOUT_ID), verify, pwquality, cd);
if (r < 0)
return r;
r = crypt_keyslot_context_init_by_passphrase(cd, *password, *passwordLen, kc);
}
return r;
}
static int _try_token_unlock(struct crypt_device *cd,
int keyslot,
int token_id,
@@ -937,7 +963,7 @@ static int action_resize(void)
if (r >= 0 || quit || ARG_SET(OPT_TOKEN_ONLY_ID))
goto out;
r = init_keyslot_context(cd, &password, &passwordLen, verify_passphrase(0),
r = init_keyslot_context(cd, NULL, &password, &passwordLen, verify_passphrase(0),
false, false, &kc);
if (r < 0)
goto out;
@@ -1620,7 +1646,7 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password
else if (ARG_SET(OPT_USE_URANDOM_ID))
crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
r = init_keyslot_context(cd, &password, &passwordLen, verify_passphrase(1),
r = init_keyslot_context(cd, NULL, &password, &passwordLen, verify_passphrase(1),
!ARG_SET(OPT_FORCE_PASSWORD_ID), r_password != NULL, &new_kc);
if (r < 0)
goto out;
@@ -1994,7 +2020,8 @@ static int action_open_luks(void)
tries = set_tries_tty(true);
do {
r = init_keyslot_context(cd, &password, &passwordLen, verify_passphrase(0), false, false, &kc);
r = init_keyslot_context(cd, NULL, &password, &passwordLen, verify_passphrase(0),
false, false, &kc);
if (r < 0)
goto out;
@@ -2315,7 +2342,6 @@ static int try_keyslot_add(struct crypt_device *cd,
static int action_luksAddKey(void)
{
int keyslot_old, keyslot_new, keysize = 0, r = -EINVAL;
const char *new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
char *key = NULL, *password = NULL, *password_new = NULL, *pin = NULL, *pin_new = NULL,
*vk_description = NULL;
size_t pin_size, pin_size_new, password_size = 0, password_new_size = 0;
@@ -2327,8 +2353,8 @@ static int action_luksAddKey(void)
return luksAddUnboundKey();
/* maintain backward compatibility of luksAddKey action positional parameter */
if (!new_key_file)
new_key_file = ARG_STR(OPT_NEW_KEYFILE_ID);
if (action_argc > 1)
ARG_SET_STR(OPT_NEW_KEYFILE_ID, strdup(action_argv[1]));
keyslot_old = ARG_INT32(OPT_KEY_SLOT_ID);
keyslot_new = ARG_INT32(OPT_NEW_KEY_SLOT_ID);
@@ -2396,13 +2422,7 @@ static int action_luksAddKey(void)
if (r < 0)
goto out;
r = crypt_keyslot_context_init_by_volume_key(cd, key, keysize, &kc);
} else if (ARG_SET(OPT_KEY_FILE_ID) && !tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID)))
r = crypt_keyslot_context_init_by_keyfile(cd,
ARG_STR(OPT_KEY_FILE_ID),
ARG_UINT32(OPT_KEYFILE_SIZE_ID),
ARG_UINT64(OPT_KEYFILE_OFFSET_ID),
&kc);
else if (ARG_SET(OPT_VOLUME_KEY_KEYRING_ID)) {
} else if (ARG_SET(OPT_VOLUME_KEY_KEYRING_ID)) {
r = parse_vk_description(ARG_STR(OPT_VOLUME_KEY_KEYRING_ID), &vk_description);
if (!r)
r = crypt_keyslot_context_init_by_vk_in_keyring(cd, vk_description, &kc);
@@ -2412,41 +2432,24 @@ static int action_luksAddKey(void)
ARG_STR(OPT_TOKEN_TYPE_ID),
NULL, 0, NULL, &kc);
} else {
r = tools_get_key(_("Enter any existing passphrase: "),
&password, &password_size,
ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd);
r = init_keyslot_context(cd, _("Enter any existing passphrase: "), &password, &password_size,
verify_passphrase(0), false, false, &kc);
if (r < 0)
goto out;
/* Check password before asking for new one */
r = crypt_activate_by_passphrase(cd, NULL, keyslot_old,
password, password_size, 0);
r = crypt_activate_by_keyslot_context(cd, NULL, keyslot_old, kc, CRYPT_ANY_SLOT, NULL, 0);
check_signal(&r);
tools_passphrase_msg(r);
if (r < 0)
goto out;
tools_keyslot_msg(r, UNLOCKED);
r = crypt_keyslot_context_init_by_passphrase(cd, password, password_size, &kc);
}
if (r < 0)
goto out;
if (new_key_file && !tools_is_stdin(new_key_file)) {
if (ARG_SET(OPT_KEY_FILE_ID) && !strcmp(ARG_STR(OPT_KEY_FILE_ID), new_key_file))
p_kc_new = kc;
else {
r = crypt_keyslot_context_init_by_keyfile(cd,
new_key_file,
ARG_UINT32(OPT_NEW_KEYFILE_SIZE_ID),
ARG_UINT64(OPT_NEW_KEYFILE_OFFSET_ID),
&kc_new);
p_kc_new = kc_new;
}
} else if (ARG_SET(OPT_NEW_TOKEN_ID_ID)) {
if (ARG_SET(OPT_NEW_TOKEN_ID_ID)) {
if (ARG_INT32(OPT_NEW_TOKEN_ID_ID) == ARG_INT32(OPT_TOKEN_ID_ID))
p_kc_new = kc;
else {
@@ -2455,17 +2458,10 @@ static int action_luksAddKey(void)
NULL, NULL, 0, NULL, &kc_new);
p_kc_new = kc_new;
}
} else {
r = tools_get_key(_("Enter new passphrase for key slot: "),
&password_new, &password_new_size,
ARG_UINT64(OPT_NEW_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_NEW_KEYFILE_SIZE_ID), new_key_file,
ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(1), !ARG_SET(OPT_FORCE_PASSWORD_ID), cd);
if (r < 0)
goto out;
r = crypt_keyslot_context_init_by_passphrase(cd, password_new, password_new_size, &kc_new);
}
} else
r = init_new_keyslot_context(cd, _("Enter new passphrase for key slot: "),
&password_new, &password_new_size,
verify_passphrase(1), !ARG_SET(OPT_FORCE_PASSWORD_ID), &kc_new);
if (r < 0)
goto out;
@@ -2688,7 +2684,7 @@ static int luksDump_with_volume_key(struct crypt_device *cd)
if (!vk)
return -ENOMEM;
r = init_keyslot_context(cd, &password, &passwordLen, false, false, false, &kc);
r = init_keyslot_context(cd, NULL, &password, &passwordLen, false, false, false, &kc);
if (r < 0)
goto out;
@@ -2915,7 +2911,8 @@ static int action_luksResume(void)
tries = set_tries_tty(true);
do {
r = init_keyslot_context(cd, &password, &passwordLen, verify_passphrase(0), false, false, &kc);
r = init_keyslot_context(cd, NULL, &password, &passwordLen, verify_passphrase(0),
false, false, &kc);
if (r < 0)
goto out;

4
src/cryptsetup_args.h
View File

@@ -71,7 +71,7 @@
#define OPT_ITER_TIME_ACTIONS { BENCHMARK_ACTION, FORMAT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION, REENCRYPT_ACTION }
#define OPT_IV_LARGE_SECTORS_ACTIONS { OPEN_ACTION }
#define OPT_KEEP_KEY_ACTIONS { REENCRYPT_ACTION }
#define OPT_KEY_DESCRIPTION_ACTIONS { TOKEN_ACTION, LUKSDUMP_ACTION, FORMAT_ACTION, RESIZE_ACTION, OPEN_ACTION, RESUME_ACTION }
#define OPT_KEY_DESCRIPTION_ACTIONS { TOKEN_ACTION, LUKSDUMP_ACTION, FORMAT_ACTION, RESIZE_ACTION, OPEN_ACTION, RESUME_ACTION, ADDKEY_ACTION }
#define OPT_KEY_SIZE_ACTIONS { OPEN_ACTION, BENCHMARK_ACTION, FORMAT_ACTION, REENCRYPT_ACTION, ADDKEY_ACTION }
#define OPT_KEY_SLOT_ACTIONS { OPEN_ACTION, REENCRYPT_ACTION, CONFIG_ACTION, FORMAT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION, LUKSDUMP_ACTION, TOKEN_ACTION, RESUME_ACTION }
#define OPT_KEYSLOT_CIPHER_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION }
@@ -81,7 +81,7 @@
#define OPT_LUKS2_KEYSLOTS_SIZE_ACTIONS { REENCRYPT_ACTION, FORMAT_ACTION }
#define OPT_LUKS2_METADATA_SIZE_ACTIONS { REENCRYPT_ACTION, FORMAT_ACTION }
#define OPT_NEW_KEYFILE_ACTIONS { ADDKEY_ACTION }
#define OPT_NEW_KEY_DESCRIPTION_ACTIONS { }
#define OPT_NEW_KEY_DESCRIPTION_ACTIONS { ADDKEY_ACTION }
#define OPT_NEW_KEY_SLOT_ACTIONS { ADDKEY_ACTION }
#define OPT_NEW_TOKEN_ID_ACTIONS { ADDKEY_ACTION }
#define OPT_OFFSET_ACTIONS { OPEN_ACTION, REENCRYPT_ACTION, FORMAT_ACTION }