mirror of
https://gitlab.com/cryptsetup/cryptsetup.git
synced 2025-12-05 16:00:05 +01:00
Remove unused code.
Due to complete shift to device activation via keyslot context, remove all remaining internal code activating device by passphrase or by token.
This commit is contained in:
Ondrej Kozina
@@ -196,13 +196,6 @@ int LUKS2_keyslot_open(struct crypt_device *cd,
|
||||
size_t password_len,
|
||||
struct volume_key **vk);
|
||||
|
||||
int LUKS2_keyslot_open_all_segments(struct crypt_device *cd,
|
||||
int keyslot_old,
|
||||
int keyslot_new,
|
||||
const char *password,
|
||||
size_t password_len,
|
||||
struct volume_key **vks);
|
||||
|
||||
int LUKS2_keyslot_context_open_all_segments(struct crypt_device *cd,
|
||||
int keyslot_old,
|
||||
int keyslot_new,
|
||||
@@ -270,17 +263,6 @@ crypt_token_info LUKS2_token_status(struct crypt_device *cd,
|
||||
int token,
|
||||
const char **type);
|
||||
|
||||
int LUKS2_token_open_and_activate(struct crypt_device *cd,
|
||||
struct luks2_hdr *hdr,
|
||||
int keyslot,
|
||||
int token,
|
||||
const char *name,
|
||||
const char *type,
|
||||
const char *pin,
|
||||
size_t pin_size,
|
||||
uint32_t flags,
|
||||
void *usrptr);
|
||||
|
||||
int LUKS2_token_unlock_key(struct crypt_device *cd,
|
||||
struct luks2_hdr *hdr,
|
||||
int keyslot,
|
||||
@@ -445,8 +427,6 @@ int LUKS2_unmet_requirements(struct crypt_device *cd, struct luks2_hdr *hdr, uin
|
||||
|
||||
int LUKS2_key_description_by_segment(struct crypt_device *cd,
|
||||
struct luks2_hdr *hdr, struct volume_key *vk, int segment);
|
||||
int LUKS2_volume_key_load_in_keyring_by_keyslot(struct crypt_device *cd,
|
||||
struct luks2_hdr *hdr, struct volume_key *vk, int keyslot);
|
||||
int LUKS2_volume_key_load_in_keyring_by_digest(struct crypt_device *cd,
|
||||
struct volume_key *vk, int digest);
|
||||
|
||||
@@ -460,13 +440,6 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd,
|
||||
/*
|
||||
* LUKS2 reencryption
|
||||
*/
|
||||
int LUKS2_reencrypt_locked_recovery_by_passphrase(struct crypt_device *cd,
|
||||
int keyslot_old,
|
||||
int keyslot_new,
|
||||
const char *passphrase,
|
||||
size_t passphrase_size,
|
||||
struct volume_key **vks);
|
||||
|
||||
int LUKS2_reencrypt_locked_recovery_by_vks(struct crypt_device *cd,
|
||||
struct volume_key *vks);
|
||||
|
||||
@@ -495,10 +468,6 @@ int LUKS2_reencrypt_check_device_size(struct crypt_device *cd,
|
||||
bool device_exclusive_check,
|
||||
bool dynamic);
|
||||
|
||||
void LUKS2_reencrypt_lookup_key_ids(struct crypt_device *cd,
|
||||
struct luks2_hdr *hdr,
|
||||
struct volume_key *vk);
|
||||
|
||||
int LUKS2_reencrypt_digest_verify(struct crypt_device *cd,
|
||||
struct luks2_hdr *hdr,
|
||||
struct volume_key *vks);
|
||||
|
||||
@@ -424,20 +424,6 @@ int LUKS2_key_description_by_segment(struct crypt_device *cd,
|
||||
return r;
|
||||
}
|
||||
|
||||
int LUKS2_volume_key_load_in_keyring_by_keyslot(struct crypt_device *cd,
|
||||
struct luks2_hdr *hdr, struct volume_key *vk, int keyslot)
|
||||
{
|
||||
char *desc = get_key_description_by_digest(cd, LUKS2_digest_by_keyslot(hdr, keyslot));
|
||||
int r;
|
||||
|
||||
r = crypt_volume_key_set_description(vk, desc);
|
||||
if (!r)
|
||||
r = crypt_volume_key_load_in_keyring(cd, vk);
|
||||
|
||||
free(desc);
|
||||
return r;
|
||||
}
|
||||
|
||||
int LUKS2_volume_key_load_in_keyring_by_digest(struct crypt_device *cd,
|
||||
struct volume_key *vk, int digest)
|
||||
{
|
||||
|
||||
@@ -124,16 +124,6 @@ static int _keyslot_for_segment(struct luks2_hdr *hdr, int keyslot, int segment)
|
||||
return count;
|
||||
}
|
||||
|
||||
static int _keyslot_for_digest(struct luks2_hdr *hdr, int keyslot, int digest)
|
||||
{
|
||||
int r = -EINVAL;
|
||||
|
||||
r = LUKS2_digest_by_keyslot(hdr, keyslot);
|
||||
if (r < 0)
|
||||
return r;
|
||||
return r == digest ? 0 : -ENOENT;
|
||||
}
|
||||
|
||||
int LUKS2_keyslot_for_segment(struct luks2_hdr *hdr, int keyslot, int segment)
|
||||
{
|
||||
int r = -EINVAL;
|
||||
@@ -376,36 +366,6 @@ static int _open_and_verify(struct crypt_device *cd,
|
||||
return r < 0 ? r : keyslot;
|
||||
}
|
||||
|
||||
static int LUKS2_open_and_verify_by_digest(struct crypt_device *cd,
|
||||
struct luks2_hdr *hdr,
|
||||
int keyslot,
|
||||
int digest,
|
||||
const char *password,
|
||||
size_t password_len,
|
||||
struct volume_key **vk)
|
||||
{
|
||||
const keyslot_handler *h;
|
||||
int r;
|
||||
|
||||
if (!(h = LUKS2_keyslot_handler(cd, keyslot)))
|
||||
return -ENOENT;
|
||||
|
||||
r = h->validate(cd, LUKS2_get_keyslot_jobj(hdr, keyslot));
|
||||
if (r) {
|
||||
log_dbg(cd, "Keyslot %d validation failed.", keyslot);
|
||||
return r;
|
||||
}
|
||||
|
||||
r = _keyslot_for_digest(hdr, keyslot, digest);
|
||||
if (r) {
|
||||
if (r == -ENOENT)
|
||||
log_dbg(cd, "Keyslot %d unusable for digest %d.", keyslot, digest);
|
||||
return r;
|
||||
}
|
||||
|
||||
return _open_and_verify(cd, hdr, h, keyslot, password, password_len, vk);
|
||||
}
|
||||
|
||||
static int LUKS2_open_and_verify(struct crypt_device *cd,
|
||||
struct luks2_hdr *hdr,
|
||||
int keyslot,
|
||||
@@ -436,49 +396,6 @@ static int LUKS2_open_and_verify(struct crypt_device *cd,
|
||||
return _open_and_verify(cd, hdr, h, keyslot, password, password_len, vk);
|
||||
}
|
||||
|
||||
static int LUKS2_keyslot_open_priority_digest(struct crypt_device *cd,
|
||||
struct luks2_hdr *hdr,
|
||||
crypt_keyslot_priority priority,
|
||||
const char *password,
|
||||
size_t password_len,
|
||||
int digest,
|
||||
struct volume_key **vk)
|
||||
{
|
||||
json_object *jobj_keyslots, *jobj;
|
||||
crypt_keyslot_priority slot_priority;
|
||||
int keyslot, r = -ENOENT, r_old;
|
||||
|
||||
json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots);
|
||||
|
||||
json_object_object_foreach(jobj_keyslots, slot, val) {
|
||||
r_old = r;
|
||||
|
||||
if (!json_object_object_get_ex(val, "priority", &jobj))
|
||||
slot_priority = CRYPT_SLOT_PRIORITY_NORMAL;
|
||||
else
|
||||
slot_priority = json_object_get_int(jobj);
|
||||
|
||||
keyslot = atoi(slot);
|
||||
if (slot_priority != priority) {
|
||||
log_dbg(cd, "Keyslot %d priority %d != %d (required), skipped.",
|
||||
keyslot, slot_priority, priority);
|
||||
continue;
|
||||
}
|
||||
|
||||
r = LUKS2_open_and_verify_by_digest(cd, hdr, keyslot, digest, password, password_len, vk);
|
||||
|
||||
/* Do not retry for errors that are no -EPERM or -ENOENT,
|
||||
former meaning password wrong, latter key slot unusable for segment */
|
||||
if ((r != -EPERM) && (r != -ENOENT))
|
||||
break;
|
||||
/* If a previous keyslot failed with EPERM (bad password) prefer it */
|
||||
if (r_old == -EPERM && r == -ENOENT)
|
||||
r = -EPERM;
|
||||
}
|
||||
|
||||
return r;
|
||||
}
|
||||
|
||||
static int LUKS2_keyslot_open_priority(struct crypt_device *cd,
|
||||
struct luks2_hdr *hdr,
|
||||
crypt_keyslot_priority priority,
|
||||
@@ -522,38 +439,6 @@ static int LUKS2_keyslot_open_priority(struct crypt_device *cd,
|
||||
return r;
|
||||
}
|
||||
|
||||
static int LUKS2_keyslot_open_by_digest(struct crypt_device *cd,
|
||||
struct luks2_hdr *hdr,
|
||||
int keyslot,
|
||||
int digest,
|
||||
const char *password,
|
||||
size_t password_len,
|
||||
struct volume_key **vk)
|
||||
{
|
||||
int r_prio, r = -EINVAL;
|
||||
|
||||
if (digest < 0)
|
||||
return r;
|
||||
|
||||
if (keyslot == CRYPT_ANY_SLOT) {
|
||||
r_prio = LUKS2_keyslot_open_priority_digest(cd, hdr, CRYPT_SLOT_PRIORITY_PREFER,
|
||||
password, password_len, digest, vk);
|
||||
if (r_prio >= 0)
|
||||
r = r_prio;
|
||||
else if (r_prio != -EPERM && r_prio != -ENOENT)
|
||||
r = r_prio;
|
||||
else
|
||||
r = LUKS2_keyslot_open_priority_digest(cd, hdr, CRYPT_SLOT_PRIORITY_NORMAL,
|
||||
password, password_len, digest, vk);
|
||||
/* Prefer password wrong to no entry from priority slot */
|
||||
if (r_prio == -EPERM && r == -ENOENT)
|
||||
r = r_prio;
|
||||
} else
|
||||
r = LUKS2_open_and_verify_by_digest(cd, hdr, keyslot, digest, password, password_len, vk);
|
||||
|
||||
return r;
|
||||
}
|
||||
|
||||
static int keyslot_context_open_all_segments(struct crypt_device *cd,
|
||||
int keyslot_old,
|
||||
int keyslot_new,
|
||||
@@ -653,47 +538,6 @@ int LUKS2_keyslot_context_open_all_segments(struct crypt_device *cd,
|
||||
return r;
|
||||
}
|
||||
|
||||
int LUKS2_keyslot_open_all_segments(struct crypt_device *cd,
|
||||
int keyslot_old,
|
||||
int keyslot_new,
|
||||
const char *password,
|
||||
size_t password_len,
|
||||
struct volume_key **vks)
|
||||
{
|
||||
struct volume_key *vk = NULL;
|
||||
int digest_old, digest_new, r = -EINVAL;
|
||||
struct luks2_hdr *hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
|
||||
|
||||
digest_old = LUKS2_reencrypt_digest_old(hdr);
|
||||
if (digest_old >= 0) {
|
||||
log_dbg(cd, "Trying to unlock volume key (digest: %d) using keyslot %d.", digest_old, keyslot_old);
|
||||
r = LUKS2_keyslot_open_by_digest(cd, hdr, keyslot_old, digest_old, password, password_len, &vk);
|
||||
if (r < 0)
|
||||
goto out;
|
||||
crypt_volume_key_add_next(vks, vk);
|
||||
}
|
||||
|
||||
digest_new = LUKS2_reencrypt_digest_new(hdr);
|
||||
if (digest_new >= 0 && digest_old != digest_new) {
|
||||
log_dbg(cd, "Trying to unlock volume key (digest: %d) using keyslot %d.", digest_new, keyslot_new);
|
||||
r = LUKS2_keyslot_open_by_digest(cd, hdr, keyslot_new, digest_new, password, password_len, &vk);
|
||||
if (r < 0)
|
||||
goto out;
|
||||
crypt_volume_key_add_next(vks, vk);
|
||||
}
|
||||
out:
|
||||
if (r < 0) {
|
||||
crypt_free_volume_key(*vks);
|
||||
*vks = NULL;
|
||||
|
||||
if (r == -ENOMEM)
|
||||
log_err(cd, _("Not enough available memory to open a keyslot."));
|
||||
else if (r != -EPERM && r != -ENOENT)
|
||||
log_err(cd, _("Keyslot open failed."));
|
||||
}
|
||||
return r;
|
||||
}
|
||||
|
||||
int LUKS2_keyslot_open(struct crypt_device *cd,
|
||||
int keyslot,
|
||||
int segment,
|
||||
|
||||
@@ -4452,54 +4452,6 @@ int LUKS2_reencrypt_check_device_size(struct crypt_device *cd, struct luks2_hdr
|
||||
}
|
||||
#if USE_LUKS2_REENCRYPTION
|
||||
/* returns keyslot number on success (>= 0) or negative errnor otherwise */
|
||||
int LUKS2_reencrypt_locked_recovery_by_passphrase(struct crypt_device *cd,
|
||||
int keyslot_old,
|
||||
int keyslot_new,
|
||||
const char *passphrase,
|
||||
size_t passphrase_size,
|
||||
struct volume_key **vks)
|
||||
{
|
||||
uint64_t minimal_size, device_size;
|
||||
int keyslot, r = -EINVAL;
|
||||
struct luks2_hdr *hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
|
||||
struct volume_key *vk = NULL, *_vks = NULL;
|
||||
|
||||
log_dbg(cd, "Entering reencryption crash recovery.");
|
||||
|
||||
if (LUKS2_get_data_size(hdr, &minimal_size, NULL))
|
||||
return r;
|
||||
|
||||
r = LUKS2_keyslot_open_all_segments(cd, keyslot_old, keyslot_new,
|
||||
passphrase, passphrase_size, &_vks);
|
||||
if (r < 0)
|
||||
goto out;
|
||||
keyslot = r;
|
||||
|
||||
if (crypt_use_keyring_for_vk(cd))
|
||||
vk = _vks;
|
||||
|
||||
while (vk) {
|
||||
r = LUKS2_volume_key_load_in_keyring_by_digest(cd, vk, crypt_volume_key_get_id(vk));
|
||||
if (r < 0)
|
||||
goto out;
|
||||
vk = crypt_volume_key_next(vk);
|
||||
}
|
||||
|
||||
if (LUKS2_reencrypt_check_device_size(cd, hdr, minimal_size, &device_size, true, false))
|
||||
goto out;
|
||||
|
||||
r = reencrypt_recovery(cd, hdr, device_size, _vks);
|
||||
|
||||
if (!r && vks)
|
||||
MOVE_REF(*vks, _vks);
|
||||
out:
|
||||
if (r < 0)
|
||||
crypt_drop_keyring_key(cd, _vks);
|
||||
crypt_free_volume_key(_vks);
|
||||
|
||||
return r < 0 ? r : keyslot;
|
||||
}
|
||||
|
||||
int LUKS2_reencrypt_locked_recovery_by_vks(struct crypt_device *cd,
|
||||
struct volume_key *vks)
|
||||
{
|
||||
|
||||
@@ -362,22 +362,6 @@ int LUKS2_keyslot_reencrypt_digest_create(struct crypt_device *cd,
|
||||
return LUKS2_digest_assign(cd, hdr, keyslot_reencrypt, digest_reencrypt, 1, 0);
|
||||
}
|
||||
|
||||
void LUKS2_reencrypt_lookup_key_ids(struct crypt_device *cd, struct luks2_hdr *hdr, struct volume_key *vk)
|
||||
{
|
||||
int digest_old, digest_new;
|
||||
|
||||
digest_old = LUKS2_reencrypt_digest_old(hdr);
|
||||
digest_new = LUKS2_reencrypt_digest_new(hdr);
|
||||
|
||||
while (vk) {
|
||||
if (digest_old >= 0 && LUKS2_digest_verify_by_digest(cd, digest_old, vk) == digest_old)
|
||||
crypt_volume_key_set_id(vk, digest_old);
|
||||
if (digest_new >= 0 && LUKS2_digest_verify_by_digest(cd, digest_new, vk) == digest_new)
|
||||
crypt_volume_key_set_id(vk, digest_new);
|
||||
vk = vk->next;
|
||||
}
|
||||
}
|
||||
|
||||
int LUKS2_reencrypt_digest_verify(struct crypt_device *cd,
|
||||
struct luks2_hdr *hdr,
|
||||
struct volume_key *vks)
|
||||
|
||||
@@ -842,71 +842,6 @@ int LUKS2_token_unlock_key(struct crypt_device *cd,
|
||||
return r;
|
||||
}
|
||||
|
||||
int LUKS2_token_open_and_activate(struct crypt_device *cd,
|
||||
struct luks2_hdr *hdr,
|
||||
int keyslot,
|
||||
int token,
|
||||
const char *name,
|
||||
const char *type,
|
||||
const char *pin,
|
||||
size_t pin_size,
|
||||
uint32_t flags,
|
||||
void *usrptr)
|
||||
{
|
||||
bool use_keyring;
|
||||
int r, segment;
|
||||
struct volume_key *p_crypt, *p_opal, *crypt_key = NULL, *opal_key = NULL, *vk = NULL;
|
||||
|
||||
if (flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY)
|
||||
segment = CRYPT_ANY_SEGMENT;
|
||||
else
|
||||
segment = CRYPT_DEFAULT_SEGMENT;
|
||||
|
||||
r = LUKS2_token_unlock_key(cd, hdr, keyslot, token, type, pin, pin_size, segment, usrptr, &vk);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
assert(vk);
|
||||
|
||||
keyslot = r;
|
||||
|
||||
if (LUKS2_segment_is_hw_opal(hdr, CRYPT_DEFAULT_SEGMENT)) {
|
||||
r = LUKS2_split_crypt_and_opal_keys(cd, hdr, vk, &crypt_key, &opal_key);
|
||||
if (r < 0) {
|
||||
crypt_free_volume_key(vk);
|
||||
return r;
|
||||
}
|
||||
|
||||
p_crypt = crypt_key;
|
||||
p_opal = opal_key ?: vk;
|
||||
} else {
|
||||
p_crypt = vk;
|
||||
p_opal = NULL;
|
||||
}
|
||||
|
||||
if (!crypt_use_keyring_for_vk(cd) || !p_crypt)
|
||||
use_keyring = false;
|
||||
else
|
||||
use_keyring = ((name && !crypt_is_cipher_null(crypt_get_cipher(cd))) ||
|
||||
(flags & CRYPT_ACTIVATE_KEYRING_KEY));
|
||||
|
||||
if (use_keyring) {
|
||||
if (!(r = LUKS2_volume_key_load_in_keyring_by_keyslot(cd, hdr, p_crypt, keyslot)))
|
||||
flags |= CRYPT_ACTIVATE_KEYRING_KEY;
|
||||
}
|
||||
|
||||
if (r >= 0 && name)
|
||||
r = LUKS2_activate(cd, name, p_crypt, p_opal, flags);
|
||||
|
||||
if (r < 0)
|
||||
crypt_drop_keyring_key(cd, p_crypt);
|
||||
crypt_free_volume_key(vk);
|
||||
crypt_free_volume_key(crypt_key);
|
||||
crypt_free_volume_key(opal_key);
|
||||
|
||||
return r < 0 ? r : keyslot;
|
||||
}
|
||||
|
||||
void LUKS2_token_dump(struct crypt_device *cd, int token)
|
||||
{
|
||||
const crypt_token_handler *h;
|
||||
|
||||
Reference in New Issue
Block a user