Support trusted & encrypted keyring for plain device.

Milan Broz
2024-11-22 14:05:40 +01:00
parent 42e85571df
commit 4b7920975c
7 changed files with 108 additions and 13 deletions


@@ -224,7 +224,8 @@ static int action_open_plain(void)
.offset = ARG_UINT64(OPT_OFFSET_ID),
.sector_size = ARG_UINT32(OPT_SECTOR_SIZE_ID) ?: SECTOR_SIZE
};
char *password = NULL;
struct crypt_keyslot_context *kc = NULL;
char *password = NULL, *vk_description_activation = NULL;
const char *activated_name = NULL;
size_t passwordLen, key_size_max, signatures = 0,
key_size = (ARG_UINT32(OPT_KEY_SIZE_ID) ?: DEFAULT_PLAIN_KEYBITS) / 8;
@@ -249,12 +250,12 @@ static int action_open_plain(void)
cipher, cipher_mode, key_size * 8);
compat_warning = true;
}
if (!ARG_SET(OPT_HASH_ID) && !ARG_SET(OPT_KEY_FILE_ID)) {
if (!ARG_SET(OPT_HASH_ID) && !ARG_SET(OPT_KEY_FILE_ID) && !ARG_SET(OPT_VOLUME_KEY_KEYRING_ID)) {
log_err(_("WARNING: Using default options for hash (%s) that could be incompatible with older versions."), params.hash);
compat_warning = true;
}
if (compat_warning)
log_err(_("For plain mode, always use options --cipher, --key-size and if no keyfile is used, then also --hash."));
log_err(_("For plain mode, always use options --cipher, --key-size and if no keyfile or keyring is used, then also --hash."));
/* FIXME: temporary hack, no hashing for keyfiles in plain mode */
if (ARG_SET(OPT_KEY_FILE_ID) && !tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID))) {
@@ -264,6 +265,12 @@ static int action_open_plain(void)
"in plain mode with keyfile specified.\n"));
}
if (ARG_SET(OPT_VOLUME_KEY_KEYRING_ID)) {
r = tools_parse_vk_description(ARG_STR(OPT_VOLUME_KEY_KEYRING_ID), &vk_description_activation);
if (r < 0)
goto out;
}
if (params.hash && !strcmp(params.hash, "plain"))
params.hash = NULL;
@@ -349,7 +356,14 @@ static int action_open_plain(void)
set_activation_flags(&activate_flags);
if (!tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID))) {
if (ARG_SET(OPT_VOLUME_KEY_KEYRING_ID)) {
r = crypt_keyslot_context_init_by_vk_in_keyring(cd, vk_description_activation, &kc);
if (r < 0)
goto out;
r = crypt_activate_by_keyslot_context(cd, activated_name, CRYPT_ANY_SLOT,
kc, CRYPT_ANY_SLOT, NULL, activate_flags | CRYPT_ACTIVATE_KEYRING_KEY);
} else if (!tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID))) {
/* If no hash, key is read directly, read size is always key_size
* (possible --keyfile_size is ignored.
* If hash is specified, --keyfile_size is applied.
@@ -372,6 +386,8 @@ static int action_open_plain(void)
CRYPT_ANY_SLOT, password, passwordLen, activate_flags);
}
out:
free(vk_description_activation);
crypt_keyslot_context_free(kc);
crypt_free(cd);
crypt_free(cd1);
crypt_safe_free(password);
@@ -3336,7 +3352,7 @@ static const char *verify_tcryptdump(void)
return NULL;
}
static const char * verify_open(void)
static const char *verify_open(void)
{
if (ARG_SET(OPT_PERSISTENT_ID) && ARG_SET(OPT_TEST_PASSPHRASE_ID))
return _("Option --persistent is not allowed with --test-passphrase.");
@@ -3378,6 +3394,10 @@ static const char * verify_open(void)
if (ARG_SET(OPT_UNBOUND_ID) && !ARG_SET(OPT_TEST_PASSPHRASE_ID))
return _("Option --unbound cannot be used without --test-passphrase.");
if (ARG_SET(OPT_VOLUME_KEY_KEYRING_ID) && (ARG_SET(OPT_HASH_ID) ||
ARG_SET(OPT_VOLUME_KEY_FILE_ID)) && !strcmp_or_null(device_type, "plain"))
return _("Option --volume-key-keyring cannot be combined with --hash or --volume-key-file.");
/* "open --type tcrypt" and "tcryptDump" checks are identical */
return verify_tcryptdump();
}
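Review bot: The new check in verify_open rejects --hash and --volume-key-file together with --volume-key-keyring for plain devices, but not --key-file, and in action_open_plain the keyring branch is tested before the `else if (!tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID)))` branch, so a key file given alongside the keyring option appears to be silently ignored at activation. Plain mode has no on-disk metadata to validate a key against, so a user who expected the key file to be used would get a mapping keyed from the keyring with no error. Unless a check outside these hunks already rejects the combination, extend the condition to `(ARG_SET(OPT_HASH_ID) || ARG_SET(OPT_KEY_FILE_ID) || ARG_SET(OPT_VOLUME_KEY_FILE_ID))` and name --key-file in the returned message. Both functions start and end outside the hunks shown, so this is judged from the visible lines only.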