Use struct volume key thorough.

git-svn-id: https://cryptsetup.googlecode.com/svn/trunk@571 36d66b0a-2a48-0410-832c-cd162a569da5

lib/libdevmapper.c

@@ -239,16 +239,16 @@ static void hex_key(char *hexkey, size_t key_size, const char *key)
 }
 
 static char *get_params(const char *device, uint64_t skip, uint64_t offset,
-			const char *cipher, size_t key_size, const char *key)
+			const char *cipher, struct volume_key *vk)
 {
 	char *params;
 	char *hexkey;
 
-	hexkey = crypt_safe_alloc(key_size * 2 + 1);
+	hexkey = crypt_safe_alloc(vk->keylength * 2 + 1);
 	if (!hexkey)
 		return NULL;
 
-	hex_key(hexkey, key_size, key);
+	hex_key(hexkey, vk->keylength, vk->key);
 
 	params = crypt_safe_alloc(strlen(hexkey) + strlen(cipher) + strlen(device) + 64);
 	if (!params)
@@ -411,7 +411,7 @@ int dm_create_device(const char *name,
 	uint16_t udev_flags = 0;
 
 	params = get_params(dmd->device, dmd->iv_offset, dmd->offset,
-			    dmd->cipher, dmd->key_size, dmd->key);
+			    dmd->cipher, dmd->vk);
 	if (!params)
 		goto out_no_removal;
 
@@ -641,24 +641,21 @@ int dm_query_device(const char *name, uint32_t get_flags,
 		goto out;
 	dmd->offset = val64;
 
-	/* key_size */
+	if (get_flags & DM_ACTIVE_KEY) {
-	dmd->key_size = strlen(key_) / 2;
+		dmd->vk = crypt_alloc_volume_key(strlen(key_) / 2, NULL);
-
+		if (!dmd->vk) {
-	/* key */
-	if (dmd->key_size && (get_flags & DM_ACTIVE_KEY)) {
-		dmd->key = crypt_safe_alloc(dmd->key_size);
-		if (!dmd->key) {
 			r = -ENOMEM;
 			goto out;
 		}
 
 		buffer[2] = '\0';
-		for(i = 0; i < dmd->key_size; i++) {
+		for(i = 0; i < dmd->vk->keylength; i++) {
 			memcpy(buffer, &key_[i * 2], 2);
-			dmd->key[i] = strtoul(buffer, &endp, 16);
+			dmd->vk->key[i] = strtoul(buffer, &endp, 16);
 			if (endp != &buffer[2]) {
-				crypt_safe_free(dmd->key);
+				crypt_free_volume_key(dmd->vk);
-				dmd->key = NULL;
+				dmd->vk = NULL;
+				r = -EINVAL;
 				goto out;
 			}
 		}

lib/loopaes/loopaes.c

@@ -195,8 +195,7 @@ int LOOPAES_activate(struct crypt_device *cd,
 		.device = crypt_get_device_name(cd),
 		.cipher = NULL,
 		.uuid   = crypt_get_uuid(cd),
-		.key    = vk->key,
+		.vk    = vk,
-		.key_size = vk->keylength,
 		.offset = crypt_get_data_offset(cd),
 		.iv_offset = skip,
 		.size   = 0,

lib/loopaes/loopaes.h

@@ -4,6 +4,9 @@
 #include <unistd.h>
 #include "config.h"
 
+struct crypt_device;
+struct volume_key;
+
 #define LOOPAES_KEYS_MAX 65
 
 int LOOPAES_parse_keyfile(struct crypt_device *cd,

lib/luks1/keyencryption.c

@@ -51,7 +51,7 @@ static int devfd=-1;
 
 static int setup_mapping(const char *cipher, const char *name,
 			 const char *device,
-			 const char *key, size_t keyLength,
+			 struct volume_key *vk,
 			 unsigned int sector, size_t srcLength,
 			 int mode, struct crypt_device *ctx)
 {
@@ -60,8 +60,7 @@ static int setup_mapping(const char *cipher, const char *name,
 		.device = device,
 		.cipher = cipher,
 		.uuid   = NULL,
-		.key    = (char*)key,
+		.vk     = vk,
-		.key_size = keyLength,
 		.offset = sector,
 		.iv_offset = 0,
 		.size   = 0,
@@ -128,7 +127,7 @@ static const char *_error_hint(char *cipherMode, size_t keyLength)
    handler and global vars for cleaning */
 static int LUKS_endec_template(char *src, size_t srcLength,
 			       struct luks_phdr *hdr,
-			       char *key, size_t keyLength,
+			       struct volume_key *vk,
 			       const char *device,
 			       unsigned int sector,
 			       ssize_t (*func)(int, void *, size_t),
@@ -156,12 +155,12 @@ static int LUKS_endec_template(char *src, size_t srcLength,
 	cleaner_name = name;
 
 	r = setup_mapping(dmCipherSpec, name, device,
-			  key, keyLength, sector, srcLength, mode, ctx);
+			  vk, sector, srcLength, mode, ctx);
 	if(r < 0) {
 		log_err(ctx, _("Failed to setup dm-crypt key mapping for device %s.\n"
 			"Check that kernel supports %s cipher (check syslog for more info).\n%s"),
 			device, dmCipherSpec,
-			_error_hint(hdr->cipherMode, keyLength * 8));
+			_error_hint(hdr->cipherMode, vk->keylength * 8));
 		r = -EIO;
 		goto out1;
 	}
@@ -198,22 +197,22 @@ static int LUKS_endec_template(char *src, size_t srcLength,
 
 int LUKS_encrypt_to_storage(char *src, size_t srcLength,
 			    struct luks_phdr *hdr,
-			    char *key, size_t keyLength,
+			    struct volume_key *vk,
 			    const char *device,
 			    unsigned int sector,
 			    struct crypt_device *ctx)
 {
-	return LUKS_endec_template(src,srcLength,hdr,key,keyLength, device,
+	return LUKS_endec_template(src,srcLength,hdr,vk, device,
 				   sector, write_blockwise, O_RDWR, ctx);
 }
 
 int LUKS_decrypt_from_storage(char *dst, size_t dstLength,
 			      struct luks_phdr *hdr,
-			      char *key, size_t keyLength,
+			      struct volume_key *vk,
 			      const char *device,
 			      unsigned int sector,
 			      struct crypt_device *ctx)
 {
-	return LUKS_endec_template(dst,dstLength,hdr,key,keyLength, device,
+	return LUKS_endec_template(dst,dstLength,hdr,vk, device,
 				   sector, read_blockwise, O_RDONLY, ctx);
 }

lib/luks1/keymanage.c

@@ -29,6 +29,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <ctype.h>
+#include <assert.h>
 #include <uuid/uuid.h>
 
 #include "luks.h"
@@ -525,7 +526,7 @@ int LUKS_set_key(const char *device, unsigned int keyIndex,
 		 uint64_t *PBKDF2_per_sec,
 		 struct crypt_device *ctx)
 {
-	char derivedKey[hdr->keyBytes];
+	struct volume_key *derived_key;
 	char *AfKey = NULL;
 	unsigned int AFEKSize;
 	uint64_t PBKDF2_temp;
@@ -560,23 +561,26 @@ int LUKS_set_key(const char *device, unsigned int keyIndex,
 
 	log_dbg("Key slot %d use %d password iterations.", keyIndex, hdr->keyblock[keyIndex].passwordIterations);
 
+	derived_key = crypt_alloc_volume_key(hdr->keyBytes, NULL);
+	if (!derived_key)
+		return -ENOMEM;
+
 	r = crypt_random_get(ctx, hdr->keyblock[keyIndex].passwordSalt,
 		       LUKS_SALTSIZE, CRYPT_RND_NORMAL);
 	if (r < 0)
 		return r;
 
-//	assert((vk->keylength % TWOFISH_BLOCKSIZE) == 0); FIXME
-
 	r = PBKDF2_HMAC(hdr->hashSpec, password,passwordLen,
 			hdr->keyblock[keyIndex].passwordSalt,LUKS_SALTSIZE,
 			hdr->keyblock[keyIndex].passwordIterations,
-			derivedKey, hdr->keyBytes);
+			derived_key->key, hdr->keyBytes);
 	if (r < 0)
 		goto out;
 
 	/*
 	 * AF splitting, the masterkey stored in vk->key is split to AfKey
 	 */
+	assert(vk->keylength == hdr->keyBytes);
 	AFEKSize = hdr->keyblock[keyIndex].stripes*vk->keylength;
 	AfKey = crypt_safe_alloc(AFEKSize);
 	if (!AfKey) {
@@ -596,8 +600,7 @@ int LUKS_set_key(const char *device, unsigned int keyIndex,
 	r = LUKS_encrypt_to_storage(AfKey,
 				    AFEKSize,
 				    hdr,
-				    derivedKey,
+				    derived_key,
-				    hdr->keyBytes,
 				    device,
 				    hdr->keyblock[keyIndex].keyMaterialOffset,
 				    ctx);
@@ -619,7 +622,7 @@ int LUKS_set_key(const char *device, unsigned int keyIndex,
 	r = 0;
 out:
 	crypt_safe_free(AfKey);
-	memset(derivedKey, 0, sizeof(derivedKey));
+	crypt_free_volume_key(derived_key);
 	return r;
 }
 
@@ -651,7 +654,7 @@ static int LUKS_open_key(const char *device,
 		  struct crypt_device *ctx)
 {
 	crypt_keyslot_info ki = LUKS_keyslot_info(hdr, keyIndex);
-	char derivedKey[hdr->keyBytes];
+	struct volume_key *derived_key;
 	char *AfKey;
 	size_t AFEKSize;
 	int r;
@@ -662,8 +665,11 @@ static int LUKS_open_key(const char *device,
 	if (ki < CRYPT_SLOT_ACTIVE)
 		return -ENOENT;
 
-	// assert((vk->keylength % TWOFISH_BLOCKSIZE) == 0); FIXME
+	derived_key = crypt_alloc_volume_key(hdr->keyBytes, NULL);
+	if (!derived_key)
+		return -ENOMEM;
 
+	assert(vk->keylength == hdr->keyBytes);
 	AFEKSize = hdr->keyblock[keyIndex].stripes*vk->keylength;
 	AfKey = crypt_safe_alloc(AFEKSize);
 	if (!AfKey)
@@ -672,7 +678,7 @@ static int LUKS_open_key(const char *device,
 	r = PBKDF2_HMAC(hdr->hashSpec, password,passwordLen,
 			hdr->keyblock[keyIndex].passwordSalt,LUKS_SALTSIZE,
 			hdr->keyblock[keyIndex].passwordIterations,
-			derivedKey, hdr->keyBytes);
+			derived_key->key, hdr->keyBytes);
 	if (r < 0)
 		goto out;
 
@@ -680,8 +686,7 @@ static int LUKS_open_key(const char *device,
 	r = LUKS_decrypt_from_storage(AfKey,
 				      AFEKSize,
 				      hdr,
-				      derivedKey,
+				      derived_key,
-				      hdr->keyBytes,
 				      device,
 				      hdr->keyblock[keyIndex].keyMaterialOffset,
 				      ctx);
@@ -699,7 +704,7 @@ static int LUKS_open_key(const char *device,
 		log_verbose(ctx, _("Key slot %d unlocked.\n"), keyIndex);
 out:
 	crypt_safe_free(AfKey);
-	memset(derivedKey, 0, sizeof(derivedKey));
+	crypt_free_volume_key(derived_key);
 	return r;
 }
 
@@ -909,8 +914,7 @@ int LUKS1_activate(struct crypt_device *cd,
 		.device = crypt_get_device_name(cd),
 		.cipher = NULL,
 		.uuid   = crypt_get_uuid(cd),
-		.key    = vk->key,
+		.vk    = vk,
-		.key_size = vk->keylength,
 		.offset = crypt_get_data_offset(cd),
 		.iv_offset = 0,
 		.size   = 0,

lib/luks1/luks.h

@@ -160,7 +160,7 @@ int LUKS_keyslot_set(struct luks_phdr *hdr, int keyslot, int enable);
 int LUKS_encrypt_to_storage(
 	char *src, size_t srcLength,
 	struct luks_phdr *hdr,
-	char *key, size_t keyLength,
+	struct volume_key *vk,
 	const char *device,
 	unsigned int sector,
 	struct crypt_device *ctx);
@@ -168,7 +168,7 @@ int LUKS_encrypt_to_storage(
 int LUKS_decrypt_from_storage(
 	char *dst, size_t dstLength,
 	struct luks_phdr *hdr,
-	char *key, size_t keyLength,
+	struct volume_key *vk,
 	const char *device,
 	unsigned int sector,
 	struct crypt_device *ctx);

lib/setup.c

@@ -225,8 +225,7 @@ int PLAIN_activate(struct crypt_device *cd,
 		.device = crypt_get_device_name(cd),
 		.cipher = NULL,
 		.uuid   = crypt_get_uuid(cd),
-		.key    = vk->key,
+		.vk    = vk,
-		.key_size = vk->keylength,
 		.offset = crypt_get_data_offset(cd),
 		.iv_offset = iv_offset,
 		.size   = size,
@@ -527,11 +526,8 @@ int crypt_init_by_name(struct crypt_device **cd, const char *name)
 			(*cd)->plain_hdr.hash = NULL; /* no way to get this */
 			(*cd)->plain_hdr.offset = dmd.offset;
 			(*cd)->plain_hdr.skip = dmd.iv_offset;
-			(*cd)->volume_key = crypt_alloc_volume_key(dmd.key_size, dmd.key);
+			(*cd)->volume_key = dmd.vk;
-			if (!(*cd)->volume_key) {
+			dmd.vk = NULL;
-				r = -ENOMEM;
-				goto out;
-			}
 
 			r = crypt_parse_name_and_mode(dmd.cipher, cipher, NULL, cipher_mode);
 			if (!r) {
@@ -549,23 +545,20 @@ int crypt_init_by_name(struct crypt_device **cd, const char *name)
 				(*cd)->loopaes_cipher = strdup(cipher);
 				(*cd)->loopaes_cipher_mode = strdup(cipher_mode);
 				/* version 3 uses last key for IV */
-				if (dmd.key_size % key_nums)
+				if (dmd.vk->keylength % key_nums)
 					key_nums++;
-				(*cd)->loopaes_key_size = dmd.key_size / key_nums;
+				(*cd)->loopaes_key_size = dmd.vk->keylength / key_nums;
 			}
 		} else if (!strncmp(CRYPT_LUKS1, dmd.uuid, sizeof(CRYPT_LUKS1)-1)) {
 			if (dmd.device) {
 				if (crypt_load(*cd, CRYPT_LUKS1, NULL) < 0 ||
-				    crypt_volume_key_verify(*cd, dmd.key, dmd.key_size) < 0) {
+				    crypt_volume_key_verify(*cd, dmd.vk->key, dmd.vk->keylength) < 0) {
 					log_dbg("LUKS device header does not match active device.");
 					goto out;
 				}
 
-				(*cd)->volume_key = crypt_alloc_volume_key(dmd.key_size, dmd.key);
+				(*cd)->volume_key = dmd.vk;
-				if (!(*cd)->volume_key) {
+				dmd.vk = NULL;
-					r = -ENOMEM;
-					goto out;
-				}
 			}
 		}
 	} else
@@ -576,7 +569,7 @@ out:
 		crypt_free(*cd);
 		*cd = NULL;
 	}
-	crypt_safe_free(dmd.key);
+	crypt_free_volume_key(dmd.vk);
 	free((char*)dmd.device);
 	free((char*)dmd.cipher);
 	free((char*)dmd.uuid);
@@ -826,7 +819,7 @@ int crypt_resize(struct crypt_device *cd, const char *name, uint64_t new_size)
 		r = dm_create_device(name, cd->type, &dmd, 1);
 	}
 out:
-	crypt_safe_free(dmd.key);
+	crypt_free_volume_key(dmd.vk);
 	free((char*)dmd.cipher);
 	free((char*)dmd.device);
 	free((char*)dmd.uuid);

lib/utils_dm.h

@@ -5,6 +5,7 @@
 #include <inttypes.h>
 
 struct crypt_device;
+struct volume_key;
 
 /* Device mapper backend - kernel support flags */
 #define DM_KEY_WIPE_SUPPORTED (1 << 0)	/* key wipe message */
@@ -28,8 +29,9 @@ struct crypt_dm_active_device {
 	const char *device;
 	const char *cipher;
 	const char *uuid;
-	char *key;
+
-	size_t key_size;
+	/* Active key for device */
+	struct volume_key *vk;
 
 	/* struct crypt_active_device */
 	uint64_t offset;	/* offset in sectors */