diff --git a/src/cryptsetup.c b/src/cryptsetup.c index f25e8fe5..f5844f5b 100644 --- a/src/cryptsetup.c +++ b/src/cryptsetup.c @@ -906,10 +906,8 @@ static int action_close(void) static int action_resize(void) { int r; - size_t passwordLen; struct crypt_active_device cad; uint64_t dev_size = 0; - char *password = NULL; struct crypt_device *cd = NULL; struct crypt_keyslot_context *kc = NULL; @@ -953,9 +951,7 @@ static int action_resize(void) if (r >= 0 || quit || ARG_SET(OPT_TOKEN_ONLY_ID)) goto out; - r = luks_init_keyslot_context(cd, NULL, &password, &passwordLen, - verify_passphrase(0), false, false, &kc); - crypt_safe_free(password); + r = luks_init_keyslot_context(cd, NULL, verify_passphrase(0), false, &kc); if (r < 0) goto out; @@ -1491,15 +1487,15 @@ static int strcmp_or_null(const char *str, const char *expected) return !str ? 0 : strcmp(str, expected); } -int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_passwordLen) +int luksFormat(struct crypt_device **r_cd, struct crypt_keyslot_context **r_kc) { bool wipe_signatures = false; - int encrypt_type, r = -EINVAL, keysize, integrity_keysize = 0, required_integrity_key_size = 0, fd, created = 0; + int encrypt_type, r = -EINVAL, integrity_keysize = 0, required_integrity_key_size = 0, fd, created = 0; struct stat st; const char *header_device, *type; - char *msg = NULL, *key = NULL, *password = NULL; + char *msg = NULL, *key = NULL; char cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN], integrity[MAX_CIPHER_LEN]; - size_t passwordLen = 0, signatures = 0; + size_t keysize, signatures = 0; struct crypt_device *cd = NULL; struct crypt_params_luks1 params1 = { .hash = ARG_STR(OPT_HASH_ID) ?: DEFAULT_LUKS1_HASH, @@ -1666,9 +1662,8 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password else if (ARG_SET(OPT_USE_URANDOM_ID)) crypt_set_rng_type(cd, CRYPT_RNG_URANDOM); - r = luks_init_keyslot_context(cd, NULL, &password, &passwordLen, - verify_passphrase(1), !ARG_SET(OPT_FORCE_PASSWORD_ID), - r_password != NULL, &new_kc); + r = luks_init_keyslot_context(cd, NULL, verify_passphrase(1), + !ARG_SET(OPT_FORCE_PASSWORD_ID), &new_kc); if (r < 0) goto out; @@ -1721,10 +1716,25 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password if (r < 0) goto out; + if (!key && r_kc) { + key = crypt_safe_alloc(keysize); + if (!key) { + r = -ENOMEM; + goto out; + } + /* Extract VK for LUKS2 encryption later */ + r = crypt_volume_key_get_by_keyslot_context(cd, CRYPT_ANY_SLOT, key, &keysize, NULL); + if (r < 0) + goto out; + } + r = crypt_keyslot_context_init_by_volume_key(cd, key, keysize, &kc); if (r < 0) goto out; + crypt_safe_free(key); + key = NULL; + r = crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, kc, ARG_INT32(OPT_KEY_SLOT_ID), new_kc, 0); if (r < 0) { @@ -1742,7 +1752,6 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password } out: crypt_safe_free(key); - crypt_keyslot_context_free(kc); crypt_keyslot_context_free(new_kc); if (r < 0) { @@ -1759,22 +1768,21 @@ out: crypt_safe_free(CONST_CAST(void *)opal_params.admin_key); - if (r >= 0 && r_cd && r_password && r_passwordLen) { + if (r >= 0 && r_cd && r_kc) { *r_cd = cd; - *r_password = password; - *r_passwordLen = passwordLen; + *r_kc = kc; return r; } + crypt_keyslot_context_free(kc); crypt_free(cd); - crypt_safe_free(password); return r; } static int action_luksFormat(void) { - return luksFormat(NULL, NULL, NULL); + return luksFormat(NULL, NULL); } static int action_open_luks(void) @@ -1785,8 +1793,6 @@ static int action_open_luks(void) char *key = NULL, *vk_description_activation1 = NULL, *vk_description_activation2 = NULL; uint32_t activate_flags = 0; int r, keysize, tries; - char *password = NULL; - size_t passwordLen; struct stat st; struct crypt_keyslot_context *kc = NULL, *kc1 = NULL, *kc2 = NULL; @@ -1898,12 +1904,9 @@ static int action_open_luks(void) tries = set_tries_tty(true); do { - r = luks_init_keyslot_context(cd, NULL, &password, &passwordLen, - verify_passphrase(0), false, false, &kc); + r = luks_init_keyslot_context(cd, NULL, verify_passphrase(0), false, &kc); if (r < 0) goto out; - crypt_safe_free(password); - password = NULL; r = crypt_activate_by_keyslot_context(cd, activated_name, ARG_INT32(OPT_KEY_SLOT_ID), kc, CRYPT_ANY_SLOT, kc, activate_flags); @@ -2221,8 +2224,7 @@ static int action_luksAddKey(void) { bool pin_provided = false; int keyslot_old, keyslot_new, keysize = 0, r = -EINVAL; - char *key, *vk_description, *password = NULL; - size_t password_size = 0; + char *key, *vk_description; struct crypt_device *cd = NULL; struct crypt_keyslot_context *p_kc_new = NULL, *kc = NULL, *kc_new = NULL; @@ -2321,11 +2323,9 @@ static int action_luksAddKey(void) NULL, 0, NULL, &kc); } else { r = luks_init_keyslot_context(cd, _("Enter any existing passphrase: "), - &password, &password_size, - verify_passphrase(0), false, false, &kc); + verify_passphrase(0), false, &kc); if (r < 0) goto out; - crypt_safe_free(password); /* Check password before asking for new one */ r = crypt_activate_by_keyslot_context(cd, NULL, keyslot_old, kc, CRYPT_ANY_SLOT, NULL, 0); @@ -2551,8 +2551,7 @@ out: static int luksDump_with_volume_key(struct crypt_device *cd) { - char *vk = NULL, *password = NULL; - size_t passwordLen = 0; + char *vk = NULL; struct crypt_keyslot_context *kc = NULL; size_t vk_size; int r; @@ -2569,11 +2568,9 @@ static int luksDump_with_volume_key(struct crypt_device *cd) if (!vk) return -ENOMEM; - r = luks_init_keyslot_context(cd, NULL, &password, &passwordLen, - false, false, false, &kc); + r = luks_init_keyslot_context(cd, NULL, false, false, &kc); if (r < 0) goto out; - crypt_safe_free(password); r = crypt_volume_key_get_by_keyslot_context(cd, CRYPT_ANY_SLOT, vk, &vk_size, kc); tools_passphrase_msg(r); @@ -2726,8 +2723,7 @@ static int action_luksSuspend(void) static int action_luksResume(void) { struct crypt_device *cd = NULL; - char *password = NULL, *vk_description_activation = NULL; - size_t passwordLen; + char *vk_description_activation = NULL; int r, tries; struct crypt_active_device cad; const char *req_type = luksType(device_type); @@ -2798,12 +2794,9 @@ static int action_luksResume(void) tries = set_tries_tty(true); do { - r = luks_init_keyslot_context(cd, NULL, &password, &passwordLen, - verify_passphrase(0), false, false, &kc); + r = luks_init_keyslot_context(cd, NULL, verify_passphrase(0), false, &kc); if (r < 0) goto out; - crypt_safe_free(password); - password = NULL; r = crypt_resume_by_keyslot_context(cd, action_argv[0], ARG_INT32(OPT_KEY_SLOT_ID), kc); crypt_keyslot_context_free(kc); diff --git a/src/utils_luks.c b/src/utils_luks.c index ace68d9e..7457b2c6 100644 --- a/src/utils_luks.c +++ b/src/utils_luks.c @@ -271,31 +271,32 @@ out: return r; } -/* - * FIXME: Refactor password and passwordLen params away after keyslot context support - * is added in --encrypt reencryption mode. - */ int luks_init_keyslot_context(struct crypt_device *cd, - const char *msg, - char **password, size_t *passwordLen, bool verify, bool pwquality, - bool reencrypt, /* tmp hack to use old get_key */ - struct crypt_keyslot_context **kc) + const char *msg, + bool verify, bool pwquality, + struct crypt_keyslot_context **r_kc) { + char *password; + size_t passwordLen; int r = -EINVAL; + assert(cd); + assert(r_kc); + if (ARG_SET(OPT_KEY_DESCRIPTION_ID)) - r = crypt_keyslot_context_init_by_keyring(cd, ARG_STR(OPT_KEY_DESCRIPTION_ID), kc); - else if (ARG_SET(OPT_KEY_FILE_ID) && !tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID)) && !reencrypt) + r = crypt_keyslot_context_init_by_keyring(cd, ARG_STR(OPT_KEY_DESCRIPTION_ID), r_kc); + else if (ARG_SET(OPT_KEY_FILE_ID) && !tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID))) r = crypt_keyslot_context_init_by_keyfile(cd, ARG_STR(OPT_KEY_FILE_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), - ARG_UINT64(OPT_KEYFILE_OFFSET_ID), kc); - else if (password) { - r = tools_get_key(msg, password, passwordLen, ARG_UINT64(OPT_KEYFILE_OFFSET_ID), + ARG_UINT64(OPT_KEYFILE_OFFSET_ID), r_kc); + else { + r = tools_get_key(msg, &password, &passwordLen, ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID), ARG_UINT32(OPT_TIMEOUT_ID), verify, pwquality, cd); if (r < 0) return r; - r = crypt_keyslot_context_init_by_passphrase(cd, *password, *passwordLen, kc); + r = crypt_keyslot_context_init_by_passphrase(cd, password, passwordLen, r_kc); + crypt_safe_free(password); } return r; diff --git a/src/utils_luks.h b/src/utils_luks.h index 8fca1b1e..f966b503 100644 --- a/src/utils_luks.h +++ b/src/utils_luks.h @@ -30,7 +30,7 @@ int set_tries_tty(bool keyring); int get_adjusted_key_size(const char *cipher_mode, uint32_t keysize_bits, uint32_t default_size_bits, int integrity_keysize); -int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_passwordLen); +int luksFormat(struct crypt_device **r_cd, struct crypt_keyslot_context **r_kc); int reencrypt(int action_argc, const char **action_argv); @@ -40,8 +40,7 @@ int reencrypt_luks1_in_progress(const char *device); int luks_init_keyslot_context(struct crypt_device *cd, const char *msg, - char **password, size_t *passwordLen, bool verify, - bool pwquality, bool reencrypt, /* tmp hack to use old get_key */ - struct crypt_keyslot_context **kc); + bool verify, bool pwquality, + struct crypt_keyslot_context **r_kc); #endif /* UTILS_LUKS_H */ diff --git a/src/utils_reencrypt.c b/src/utils_reencrypt.c index fa58a3ca..86d0032e 100644 --- a/src/utils_reencrypt.c +++ b/src/utils_reencrypt.c @@ -493,8 +493,7 @@ static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device, { int keyslot, r, fd; uuid_t uuid; - size_t passwordLen; - char *tmp, uuid_str[37], header_file[PATH_MAX] = { 0 }, *password = NULL; + char *tmp, uuid_str[37], header_file[PATH_MAX] = { 0 }; uint32_t activate_flags = 0; const struct crypt_params_luks2 luks2_params = { .sector_size = ARG_UINT32(OPT_SECTOR_SIZE_ID) ?: SECTOR_SIZE @@ -509,6 +508,7 @@ static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device, .luks2 = &luks2_params, .flags = CRYPT_REENCRYPT_INITIALIZE_ONLY }; + struct crypt_keyslot_context *kc = NULL; _set_reencryption_flags(¶ms.flags); @@ -603,7 +603,7 @@ static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device, } } - r = luksFormat(cd, &password, &passwordLen); + r = luksFormat(cd, &kc); if (r < 0) goto out; @@ -617,9 +617,11 @@ static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device, params.resilience = "datashift"; } keyslot = !ARG_SET(OPT_KEY_SLOT_ID) ? 0 : ARG_INT32(OPT_KEY_SLOT_ID); - r = crypt_reencrypt_init_by_passphrase(*cd, NULL, password, passwordLen, - CRYPT_ANY_SLOT, keyslot, crypt_get_cipher(*cd), - crypt_get_cipher_mode(*cd), ¶ms); + r = crypt_reencrypt_init_by_keyslot_context(*cd, NULL, NULL, kc, + CRYPT_ANY_SLOT, keyslot, + crypt_get_cipher(*cd), + crypt_get_cipher_mode(*cd), + ¶ms); if (r < 0) { crypt_keyslot_destroy(*cd, keyslot); goto out; @@ -643,7 +645,10 @@ static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device, /* activate device */ if (device_name) { set_activation_flags(&activate_flags); - r = crypt_activate_by_passphrase(*cd, device_name, ARG_INT32(OPT_KEY_SLOT_ID), password, passwordLen, activate_flags); + r = crypt_activate_by_keyslot_context(*cd, device_name, + ARG_INT32(OPT_KEY_SLOT_ID), kc, + CRYPT_ANY_SLOT, NULL, + activate_flags); if (r >= 0) log_std(_("%s/%s is now active and ready for online encryption.\n"), crypt_get_dir(), device_name); } @@ -654,11 +659,12 @@ static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device, /* just load reencryption context to continue reencryption */ if (!ARG_SET(OPT_INIT_ONLY_ID)) { params.flags &= ~CRYPT_REENCRYPT_INITIALIZE_ONLY; - r = crypt_reencrypt_init_by_passphrase(*cd, device_name, password, passwordLen, - CRYPT_ANY_SLOT, keyslot, NULL, NULL, ¶ms); + r = crypt_reencrypt_init_by_keyslot_context(*cd, device_name, NULL, kc, + CRYPT_ANY_SLOT, keyslot, + NULL, NULL, ¶ms); } out: - crypt_safe_free(password); + crypt_keyslot_context_free(kc); if (*header_file) unlink(header_file); return r;