From 54d937dfc7846cbdf8faeec5ae80b8686bb1ba8e Mon Sep 17 00:00:00 2001 From: Ondrej Kozina Date: Fri, 31 Jan 2025 16:03:44 +0100 Subject: [PATCH] Switch away from accessing volume key internals directly. Switch current code to use following volume key helpers for accessing internal properties: crypt_volume_key_length(), crypt_volume_key_get_key(), crypt_volume_key_description() and crypt_volume_key_kernel_key_type() Remaining direct access to volume key internals will be dealt with in later commits since it requires some further changes. --- lib/bitlk/bitlk.c | 19 ++++--- lib/fvault2/fvault2.c | 4 +- lib/keyslot_context.c | 6 +- lib/libdevmapper.c | 51 +++++++++-------- lib/luks1/keyencryption.c | 12 ++-- lib/luks1/keymanage.c | 22 +++++--- lib/luks2/hw_opal/hw_opal.c | 24 ++++---- lib/luks2/luks2_digest.c | 4 +- lib/luks2/luks2_json_metadata.c | 14 ++--- lib/luks2/luks2_keyslot.c | 4 +- lib/luks2/luks2_keyslot_luks2.c | 7 ++- lib/luks2/luks2_reencrypt.c | 2 +- lib/luks2/luks2_reencrypt_digest.c | 10 ++-- lib/setup.c | 89 +++++++++++++++++------------- lib/tcrypt/tcrypt.c | 4 +- lib/utils_storage_wrappers.c | 6 +- lib/verity/verity.c | 11 ++-- 17 files changed, 165 insertions(+), 124 deletions(-) diff --git a/lib/bitlk/bitlk.c b/lib/bitlk/bitlk.c index 6b3e7740..6d07f216 100644 --- a/lib/bitlk/bitlk.c +++ b/lib/bitlk/bitlk.c @@ -756,7 +756,7 @@ int BITLK_dump(struct crypt_device *cd, struct device *device, struct bitlk_meta vk_p = vmk_p->vk; while (vk_p) { - log_std(cd, "\tKey data size:\t%zu [bytes]\n", vk_p->keylength); + log_std(cd, "\tKey data size:\t%zu [bytes]\n", crypt_volume_key_length(vk_p)); vk_p = crypt_volume_key_next(vk_p); } vmk_p = vmk_p->next; @@ -764,7 +764,7 @@ int BITLK_dump(struct crypt_device *cd, struct device *device, struct bitlk_meta } log_std(cd, " %d: FVEK\n", next_id); - log_std(cd, "\tKey data size:\t%zu [bytes]\n", params->fvek->vk->keylength); + log_std(cd, "\tKey data size:\t%zu [bytes]\n", crypt_volume_key_length(params->fvek->vk)); log_std(cd, "\n"); @@ -1053,11 +1053,14 @@ static int decrypt_key(struct crypt_device *cd, int r; uint16_t key_size = 0; - outbuf = crypt_safe_alloc(enc_key->keylength); + outbuf = crypt_safe_alloc(crypt_volume_key_length(enc_key)); if (!outbuf) return -ENOMEM; - r = crypt_bitlk_decrypt_key(key->key, key->keylength, enc_key->key, outbuf, enc_key->keylength, + r = crypt_bitlk_decrypt_key(crypt_volume_key_get_key(key), + crypt_volume_key_length(key), + crypt_volume_key_get_key(enc_key), outbuf, + crypt_volume_key_length(enc_key), (const char*)iv, iv_size, (const char*)tag, tag_size); if (r < 0) { if (r == -ENOTSUP) @@ -1068,9 +1071,10 @@ static int decrypt_key(struct crypt_device *cd, /* key_data has it's size as part of the metadata */ memcpy(&key_size, outbuf, 2); key_size = le16_to_cpu(key_size); - if (enc_key->keylength != key_size) { + if (crypt_volume_key_length(enc_key) != key_size) { log_err(cd, _("Unexpected key data size.")); - log_dbg(cd, "Expected key data size: %zu, got %" PRIu16 "", enc_key->keylength, key_size); + log_dbg(cd, "Expected key data size: %zu, got %" PRIu16 "", + crypt_volume_key_length(enc_key), key_size); r = -EINVAL; goto out; @@ -1129,7 +1133,8 @@ int BITLK_get_volume_key(struct crypt_device *cd, continue; } log_dbg(cd, "Trying to use given password as a recovery key."); - r = bitlk_kdf(recovery_key->key, recovery_key->keylength, + r = bitlk_kdf(crypt_volume_key_get_key(recovery_key), + crypt_volume_key_length(recovery_key), true, next_vmk->salt, &vmk_dec_key); crypt_free_volume_key(recovery_key); if (r) diff --git a/lib/fvault2/fvault2.c b/lib/fvault2/fvault2.c index 7868525e..ae7d9d1a 100644 --- a/lib/fvault2/fvault2.c +++ b/lib/fvault2/fvault2.c @@ -704,7 +704,7 @@ static int _read_encrypted_metadata( goto out; } - r = crypt_cipher_init(&cipher, "aes", "xts", key->key, FVAULT2_XTS_KEY_SIZE); + r = crypt_cipher_init(&cipher, "aes", "xts", crypt_volume_key_get_key(key), FVAULT2_XTS_KEY_SIZE); if (r < 0) goto out; @@ -1002,7 +1002,7 @@ int FVAULT2_activate_by_volume_key( const struct fvault2_params *params, uint32_t flags) { - assert(vk && vk->keylength == FVAULT2_XTS_KEY_SIZE); + assert(crypt_volume_key_length(vk) == FVAULT2_XTS_KEY_SIZE); return _activate(cd, name, vk, params, flags); } diff --git a/lib/keyslot_context.c b/lib/keyslot_context.c index a9ceeb73..a4d58c31 100644 --- a/lib/keyslot_context.c +++ b/lib/keyslot_context.c @@ -948,7 +948,7 @@ static int _crypt_keyslot_context_init_by_volume_key(const char *volume_key, free(tmp); return -ENOMEM; } - volume_key = i_vk->key; + volume_key = crypt_volume_key_get_key(i_vk); } crypt_keyslot_context_init_by_key_internal(tmp, volume_key, volume_key_size); @@ -1003,13 +1003,13 @@ static int _crypt_keyslot_context_init_by_signed_key(const char *volume_key, if (self_contained && volume_key) { if (!(i_vk = crypt_alloc_volume_key(volume_key_size, volume_key))) goto err; - volume_key = i_vk->key; + volume_key = crypt_volume_key_get_key(i_vk); } if (self_contained && signature) { if (!(i_vk_sig = crypt_alloc_volume_key(signature_size, signature))) goto err; - signature = i_vk_sig->key; + signature = crypt_volume_key_get_key(i_vk_sig); } crypt_keyslot_context_init_by_signed_key_internal(tmp, volume_key, volume_key_size, diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c index 32e7d43c..43e23e35 100644 --- a/lib/libdevmapper.c +++ b/lib/libdevmapper.c @@ -599,20 +599,23 @@ static char *get_dm_crypt_params(const struct dm_target *tgt, uint32_t flags) if (null_cipher) hexkey = crypt_bytes_to_hex(0, NULL); else if (flags & CRYPT_ACTIVATE_KEYRING_KEY) { - if (!tgt->u.crypt.vk->key_description || tgt->u.crypt.vk->keyring_key_type == INVALID_KEY) + if (!crypt_volume_key_description(tgt->u.crypt.vk) || + crypt_volume_key_kernel_key_type(tgt->u.crypt.vk) == INVALID_KEY) goto out; - keystr_len = strlen(tgt->u.crypt.vk->key_description) + - int_log10(tgt->u.crypt.vk->keylength) + + keystr_len = strlen(crypt_volume_key_description(tgt->u.crypt.vk)) + + int_log10(crypt_volume_key_length(tgt->u.crypt.vk)) + 24 /* type and separators */; hexkey = crypt_safe_alloc(keystr_len); if (!hexkey) goto out; - r = snprintf(hexkey, keystr_len, ":%zu:%s:%s", tgt->u.crypt.vk->keylength, - key_type_name(tgt->u.crypt.vk->keyring_key_type), tgt->u.crypt.vk->key_description); + r = snprintf(hexkey, keystr_len, ":%zu:%s:%s", crypt_volume_key_length(tgt->u.crypt.vk), + key_type_name(crypt_volume_key_kernel_key_type(tgt->u.crypt.vk)), + crypt_volume_key_description(tgt->u.crypt.vk)); if (r < 0 || r >= keystr_len) goto out; } else - hexkey = crypt_bytes_to_hex(tgt->u.crypt.vk->keylength, tgt->u.crypt.vk->key); + hexkey = crypt_bytes_to_hex(crypt_volume_key_length(tgt->u.crypt.vk), + crypt_volume_key_get_key(tgt->u.crypt.vk)); if (!hexkey) goto out; @@ -760,13 +763,13 @@ static char *get_dm_integrity_params(const struct dm_target *tgt, uint32_t flags if (!tgt) return NULL; - max_integrity = (tgt->u.integrity.integrity && tgt->u.integrity.vk ? tgt->u.integrity.vk->keylength * 2 : 0) + + max_integrity = (tgt->u.integrity.integrity && tgt->u.integrity.vk ? crypt_volume_key_length(tgt->u.integrity.vk) * 2 : 0) + (tgt->u.integrity.integrity ? strlen(tgt->u.integrity.integrity) : 0) + 32; max_journal_integrity = (tgt->u.integrity.journal_integrity && tgt->u.integrity.journal_integrity_key ? - tgt->u.integrity.journal_integrity_key->keylength * 2 : 0) + + crypt_volume_key_length(tgt->u.integrity.journal_integrity_key) * 2 : 0) + (tgt->u.integrity.journal_integrity ? strlen(tgt->u.integrity.journal_integrity) : 0) + 32; max_journal_crypt = (tgt->u.integrity.journal_crypt && tgt->u.integrity.journal_crypt_key ? - tgt->u.integrity.journal_crypt_key->keylength * 2 : 0) + + crypt_volume_key_length(tgt->u.integrity.journal_crypt_key) * 2 : 0) + (tgt->u.integrity.journal_crypt ? strlen(tgt->u.integrity.journal_crypt) : 0) + 32; max_size = strlen(device_block_path(tgt->data_device)) + (tgt->u.integrity.meta_device ? strlen(device_block_path(tgt->u.integrity.meta_device)) : 0) + @@ -784,7 +787,8 @@ static char *get_dm_integrity_params(const struct dm_target *tgt, uint32_t flags num_options++; if (tgt->u.integrity.vk) { - hexkey = crypt_bytes_to_hex(tgt->u.integrity.vk->keylength, tgt->u.integrity.vk->key); + hexkey = crypt_bytes_to_hex(crypt_volume_key_length(tgt->u.integrity.vk), + crypt_volume_key_get_key(tgt->u.integrity.vk)); if (!hexkey) goto out; } else @@ -801,8 +805,8 @@ static char *get_dm_integrity_params(const struct dm_target *tgt, uint32_t flags num_options++; if (tgt->u.integrity.journal_integrity_key) { - hexkey = crypt_bytes_to_hex( tgt->u.integrity.journal_integrity_key->keylength, - tgt->u.integrity.journal_integrity_key->key); + hexkey = crypt_bytes_to_hex(crypt_volume_key_length(tgt->u.integrity.journal_integrity_key), + crypt_volume_key_get_key(tgt->u.integrity.journal_integrity_key)); if (!hexkey) goto out; } else @@ -819,8 +823,8 @@ static char *get_dm_integrity_params(const struct dm_target *tgt, uint32_t flags num_options++; if (tgt->u.integrity.journal_crypt_key) { - hexkey = crypt_bytes_to_hex(tgt->u.integrity.journal_crypt_key->keylength, - tgt->u.integrity.journal_crypt_key->key); + hexkey = crypt_bytes_to_hex(crypt_volume_key_length(tgt->u.integrity.journal_crypt_key), + crypt_volume_key_get_key(tgt->u.integrity.journal_crypt_key)); if (!hexkey) goto out; } else @@ -2135,7 +2139,7 @@ static int _dm_target_query_crypt(struct crypt_device *cd, uint32_t get_flags, goto err; } else if (key_size) { buffer[2] = '\0'; - for(i = 0; i < vk->keylength; i++) { + for(i = 0; i < crypt_volume_key_length(vk); i++) { crypt_safe_memcpy(buffer, &key_[i * 2], 2); vk->key[i] = strtoul(buffer, &endp, 16); if (endp != &buffer[2]) { @@ -3077,12 +3081,12 @@ int dm_resume_and_reinstate_key(struct crypt_device *cd, const char *name, if (!(dmt_flags & DM_KEY_WIPE_SUPPORTED)) goto out; - if (!vk->keylength) + if (!crypt_volume_key_length(vk)) msg_size = 11; // key set - - else if (vk->key_description) - msg_size = strlen(vk->key_description) + int_log10(vk->keylength) + 18; + else if (crypt_volume_key_description(vk)) + msg_size = strlen(crypt_volume_key_description(vk)) + int_log10(crypt_volume_key_length(vk)) + 18; else - msg_size = vk->keylength * 2 + 10; // key set + msg_size = crypt_volume_key_length(vk) * 2 + 10; // key set msg = crypt_safe_alloc(msg_size); if (!msg) { @@ -3090,11 +3094,12 @@ int dm_resume_and_reinstate_key(struct crypt_device *cd, const char *name, goto out; } - if (vk->key_description) { - r = snprintf(msg, msg_size, "key set :%zu:logon:%s", vk->keylength, - vk->key_description); + if (crypt_volume_key_description(vk)) { + r = snprintf(msg, msg_size, "key set :%zu:logon:%s", crypt_volume_key_length(vk), + crypt_volume_key_description(vk)); } else { - key = crypt_bytes_to_hex(vk->keylength, vk->key); + key = crypt_bytes_to_hex(crypt_volume_key_length(vk), + crypt_volume_key_get_key(vk)); if (!key) { r = -ENOMEM; goto out; diff --git a/lib/luks1/keyencryption.c b/lib/luks1/keyencryption.c index e7b549f5..5698318c 100644 --- a/lib/luks1/keyencryption.c +++ b/lib/luks1/keyencryption.c @@ -96,7 +96,7 @@ static int LUKS_endec_template(char *src, size_t srcLength, if (r < 0) { if (r != -EACCES && r != -ENOTSUP) _error_hint(ctx, device_path(crypt_metadata_device(ctx)), - cipher, cipher_mode, vk->keylength * 8); + cipher, cipher_mode, crypt_volume_key_length(vk) * 8); r = -EIO; goto out; } @@ -140,7 +140,8 @@ int LUKS_encrypt_to_storage(char *src, size_t srcLength, return -EINVAL; /* Encrypt buffer */ - r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, vk->key, vk->keylength, false); + r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, crypt_volume_key_get_key(vk), + crypt_volume_key_length(vk), false); if (r) log_dbg(ctx, "Userspace crypto wrapper cannot use %s-%s (%d).", @@ -153,7 +154,7 @@ int LUKS_encrypt_to_storage(char *src, size_t srcLength, if (r) { _error_hint(ctx, device_path(device), cipher, cipher_mode, - vk->keylength * 8); + crypt_volume_key_length(vk) * 8); return r; } @@ -205,7 +206,8 @@ int LUKS_decrypt_from_storage(char *dst, size_t dstLength, if (MISALIGNED_512(dstLength)) return -EINVAL; - r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, vk->key, vk->keylength, false); + r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, crypt_volume_key_get_key(vk), + crypt_volume_key_length(vk), false); if (r) log_dbg(ctx, "Userspace crypto wrapper cannot use %s-%s (%d).", @@ -218,7 +220,7 @@ int LUKS_decrypt_from_storage(char *dst, size_t dstLength, if (r) { _error_hint(ctx, device_path(device), cipher, cipher_mode, - vk->keylength * 8); + crypt_volume_key_length(vk) * 8); return r; } diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c index 64216a19..f0739b9b 100644 --- a/lib/luks1/keymanage.c +++ b/lib/luks1/keymanage.c @@ -746,7 +746,7 @@ int LUKS_generate_phdr(struct luks_phdr *header, memset(header, 0, sizeof(struct luks_phdr)); - keyslot_sectors = AF_split_sectors(vk->keylength, LUKS_STRIPES); + keyslot_sectors = AF_split_sectors(crypt_volume_key_length(vk), LUKS_STRIPES); header_sectors = LUKS_ALIGN_KEYSLOTS / SECTOR_SIZE; for (i = 0; i < LUKS_NUMKEYS; i++) { @@ -793,7 +793,7 @@ int LUKS_generate_phdr(struct luks_phdr *header, strncpy(header->hashSpec,hashSpec,LUKS_HASHSPEC_L-1); _to_lower(header->hashSpec, LUKS_HASHSPEC_L); - header->keyBytes=vk->keylength; + header->keyBytes = crypt_volume_key_length(vk); log_dbg(ctx, "Generating LUKS header version %d using hash %s, %s, %s, MK %d bytes", header->version, header->hashSpec ,header->cipherName, header->cipherMode, @@ -807,7 +807,7 @@ int LUKS_generate_phdr(struct luks_phdr *header, /* Compute volume key digest */ pbkdf = crypt_get_pbkdf(ctx); - r = crypt_benchmark_pbkdf_internal(ctx, pbkdf, vk->keylength); + r = crypt_benchmark_pbkdf_internal(ctx, pbkdf, crypt_volume_key_length(vk)); if (r < 0) return r; assert(pbkdf->iterations); @@ -822,7 +822,9 @@ int LUKS_generate_phdr(struct luks_phdr *header, header->mkDigestIterations = AT_LEAST((uint32_t)PBKDF2_temp, LUKS_MKD_ITERATIONS_MIN); assert(header->mkDigestIterations); - r = crypt_pbkdf(CRYPT_KDF_PBKDF2, header->hashSpec, vk->key,vk->keylength, + r = crypt_pbkdf(CRYPT_KDF_PBKDF2, header->hashSpec, + crypt_volume_key_get_key(vk), + crypt_volume_key_length(vk), header->mkDigestSalt, LUKS_SALTSIZE, header->mkDigest,LUKS_DIGESTSIZE, header->mkDigestIterations, 0, 0); @@ -884,7 +886,7 @@ int LUKS_set_key(unsigned int keyIndex, log_dbg(ctx, "Calculating data for key slot %d", keyIndex); pbkdf = crypt_get_pbkdf(ctx); - r = crypt_benchmark_pbkdf_internal(ctx, pbkdf, vk->keylength); + r = crypt_benchmark_pbkdf_internal(ctx, pbkdf, crypt_volume_key_length(vk)); if (r < 0) return r; assert(pbkdf->iterations); @@ -920,8 +922,8 @@ int LUKS_set_key(unsigned int keyIndex, /* * AF splitting, the volume key stored in vk->key is split to AfKey */ - assert(vk->keylength == hdr->keyBytes); - AFEKSize = AF_split_sectors(vk->keylength, hdr->keyblock[keyIndex].stripes) * SECTOR_SIZE; + assert(crypt_volume_key_length(vk) == hdr->keyBytes); + AFEKSize = AF_split_sectors(crypt_volume_key_length(vk), hdr->keyblock[keyIndex].stripes) * SECTOR_SIZE; AfKey = crypt_safe_alloc(AFEKSize); if (!AfKey) { r = -ENOMEM; @@ -930,7 +932,8 @@ int LUKS_set_key(unsigned int keyIndex, log_dbg(ctx, "Using hash %s for AF in key slot %d, %d stripes", hdr->hashSpec, keyIndex, hdr->keyblock[keyIndex].stripes); - r = AF_split(ctx, vk->key, AfKey, vk->keylength, hdr->keyblock[keyIndex].stripes, hdr->hashSpec); + r = AF_split(ctx, crypt_volume_key_get_key(vk), AfKey, crypt_volume_key_length(vk), + hdr->keyblock[keyIndex].stripes, hdr->hashSpec); if (r < 0) goto out; @@ -968,7 +971,8 @@ int LUKS_verify_volume_key(const struct luks_phdr *hdr, { char checkHashBuf[LUKS_DIGESTSIZE]; - if (crypt_pbkdf(CRYPT_KDF_PBKDF2, hdr->hashSpec, vk->key, vk->keylength, + if (crypt_pbkdf(CRYPT_KDF_PBKDF2, hdr->hashSpec, crypt_volume_key_get_key(vk), + crypt_volume_key_length(vk), hdr->mkDigestSalt, LUKS_SALTSIZE, checkHashBuf, LUKS_DIGESTSIZE, hdr->mkDigestIterations, 0, 0) < 0) diff --git a/lib/luks2/hw_opal/hw_opal.c b/lib/luks2/hw_opal/hw_opal.c index 15060ff4..27189ebc 100644 --- a/lib/luks2/hw_opal/hw_opal.c +++ b/lib/luks2/hw_opal/hw_opal.c @@ -310,12 +310,13 @@ static int opal_range_check_attributes_fd(struct crypt_device *cd, .session = { .who = segment_number + 1, .opal_key = { - .key_len = vk->keylength, + .key_len = crypt_volume_key_length(vk), .lr = segment_number } } }; - crypt_safe_memcpy(lrs->session.opal_key.key, vk->key, vk->keylength); + crypt_safe_memcpy(lrs->session.opal_key.key, crypt_volume_key_get_key(vk), + crypt_volume_key_length(vk)); r = opal_ioctl(cd, fd, IOC_OPAL_GET_LR_STATUS, lrs); if (r != OPAL_STATUS_SUCCESS) { @@ -417,7 +418,7 @@ int opal_setup_ranges(struct crypt_device *cd, assert(dev); assert(vk); assert(admin_key); - assert(vk->keylength <= OPAL_KEY_MAX); + assert(crypt_volume_key_length(vk) <= OPAL_KEY_MAX); assert(opal_block_bytes >= SECTOR_SIZE); if (admin_key_len > OPAL_KEY_MAX) @@ -582,12 +583,13 @@ int opal_setup_ranges(struct crypt_device *cd, .new_user_pw = { .who = segment_number + 1, .opal_key = { - .key_len = vk->keylength, + .key_len = crypt_volume_key_length(vk), .lr = segment_number, }, }, }; - crypt_safe_memcpy(new_pw->new_user_pw.opal_key.key, vk->key, vk->keylength); + crypt_safe_memcpy(new_pw->new_user_pw.opal_key.key, crypt_volume_key_get_key(vk), + crypt_volume_key_length(vk)); crypt_safe_memcpy(new_pw->session.opal_key.key, admin_key, admin_key_len); r = opal_ioctl(cd, fd, IOC_OPAL_SET_PW, new_pw); @@ -642,12 +644,13 @@ int opal_setup_ranges(struct crypt_device *cd, .session = { .who = segment_number + 1, .opal_key = { - .key_len = vk->keylength, + .key_len = crypt_volume_key_length(vk), .lr = segment_number, }, } }; - crypt_safe_memcpy(lock->session.opal_key.key, vk->key, vk->keylength); + crypt_safe_memcpy(lock->session.opal_key.key, crypt_volume_key_get_key(vk), + crypt_volume_key_length(vk)); r = opal_ioctl(cd, fd, IOC_OPAL_LOCK_UNLOCK, lock); if (r != OPAL_STATUS_SUCCESS) { @@ -700,10 +703,11 @@ static int opal_lock_unlock(struct crypt_device *cd, return -EIO; if (!lock) { - assert(vk->keylength <= OPAL_KEY_MAX); + assert(crypt_volume_key_length(vk) <= OPAL_KEY_MAX); - unlock.session.opal_key.key_len = vk->keylength; - crypt_safe_memcpy(unlock.session.opal_key.key, vk->key, vk->keylength); + unlock.session.opal_key.key_len = crypt_volume_key_length(vk); + crypt_safe_memcpy(unlock.session.opal_key.key, crypt_volume_key_get_key(vk), + crypt_volume_key_length(vk)); } r = opal_ioctl(cd, fd, IOC_OPAL_LOCK_UNLOCK, &unlock); diff --git a/lib/luks2/luks2_digest.c b/lib/luks2/luks2_digest.c index b5b6a61b..03bfa55f 100644 --- a/lib/luks2/luks2_digest.c +++ b/lib/luks2/luks2_digest.c @@ -75,7 +75,7 @@ int LUKS2_digest_create(struct crypt_device *cd, log_dbg(cd, "Creating new digest %d (%s).", digest, type); - return dh->store(cd, digest, vk->key, vk->keylength) ?: digest; + return dh->store(cd, digest, crypt_volume_key_get_key(vk), crypt_volume_key_length(vk)) ?: digest; } int LUKS2_digest_by_keyslot(struct luks2_hdr *hdr, int keyslot) @@ -108,7 +108,7 @@ int LUKS2_digest_verify_by_digest(struct crypt_device *cd, if (!h) return -EINVAL; - r = h->verify(cd, digest, vk->key, vk->keylength); + r = h->verify(cd, digest, crypt_volume_key_get_key(vk), crypt_volume_key_length(vk)); if (r < 0) { log_dbg(cd, "Digest %d (%s) verify failed with %d.", digest, h->name, r); return r; diff --git a/lib/luks2/luks2_json_metadata.c b/lib/luks2/luks2_json_metadata.c index d1b75903..bc020242 100644 --- a/lib/luks2/luks2_json_metadata.c +++ b/lib/luks2/luks2_json_metadata.c @@ -2894,7 +2894,7 @@ int LUKS2_deactivate(struct crypt_device *cd, const char *name, struct luks2_hdr tgt = &dmdc.segment; while (tgt) { if (tgt->type == DM_CRYPT) - crypt_drop_keyring_key_by_description(cd, tgt->u.crypt.vk->key_description, + crypt_drop_keyring_key_by_description(cd, crypt_volume_key_description(tgt->u.crypt.vk), LOGON_KEY); tgt = tgt->next; } @@ -2930,7 +2930,7 @@ int LUKS2_deactivate(struct crypt_device *cd, const char *name, struct luks2_hdr tgt = &dmdc.segment; while (tgt) { if (tgt->type == DM_CRYPT) - crypt_drop_keyring_key_by_description(cd, tgt->u.crypt.vk->key_description, + crypt_drop_keyring_key_by_description(cd, crypt_volume_key_description(tgt->u.crypt.vk), LOGON_KEY); tgt = tgt->next; } @@ -3115,22 +3115,22 @@ int LUKS2_split_crypt_and_opal_keys(struct crypt_device *cd __attribute__((unuse if (r < 0) return -EINVAL; - if (vk->keylength < opal_user_key_size) + if (crypt_volume_key_length(vk) < opal_user_key_size) return -EINVAL; /* OPAL SEGMENT only */ - if (vk->keylength == opal_user_key_size) { + if (crypt_volume_key_length(vk) == opal_user_key_size) { *ret_crypt_key = NULL; *ret_opal_key = NULL; return 0; } - opal_key = crypt_alloc_volume_key(opal_user_key_size, vk->key); + opal_key = crypt_alloc_volume_key(opal_user_key_size, crypt_volume_key_get_key(vk)); if (!opal_key) return -ENOMEM; - crypt_key = crypt_alloc_volume_key(vk->keylength - opal_user_key_size, - vk->key + opal_user_key_size); + crypt_key = crypt_alloc_volume_key(crypt_volume_key_length(vk) - opal_user_key_size, + crypt_volume_key_get_key(vk) + opal_user_key_size); if (!crypt_key) { crypt_free_volume_key(opal_key); return -ENOMEM; diff --git a/lib/luks2/luks2_keyslot.c b/lib/luks2/luks2_keyslot.c index 85cf3351..d0286d82 100644 --- a/lib/luks2/luks2_keyslot.c +++ b/lib/luks2/luks2_keyslot.c @@ -620,7 +620,7 @@ int LUKS2_keyslot_store(struct crypt_device *cd, if (!h) return -EINVAL; - r = h->alloc(cd, keyslot, vk->keylength, params); + r = h->alloc(cd, keyslot, crypt_volume_key_length(vk), params); if (r) return r; } else { @@ -644,7 +644,7 @@ int LUKS2_keyslot_store(struct crypt_device *cd, return -EINVAL; return h->store(cd, keyslot, password, password_len, - vk->key, vk->keylength); + crypt_volume_key_get_key(vk), crypt_volume_key_length(vk)); } int LUKS2_keyslot_wipe(struct crypt_device *cd, diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c index 1bd99cd1..2007dd53 100644 --- a/lib/luks2/luks2_keyslot_luks2.c +++ b/lib/luks2/luks2_keyslot_luks2.c @@ -37,7 +37,8 @@ static int luks2_encrypt_to_storage(char *src, size_t srcLength, return -EINVAL; /* Encrypt buffer */ - r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, vk->key, vk->keylength, false); + r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, + crypt_volume_key_get_key(vk), crypt_volume_key_length(vk), false); if (r) { log_err(cd, _("Cannot use %s-%s cipher for keyslot encryption."), cipher, cipher_mode); return r; @@ -92,7 +93,9 @@ static int luks2_decrypt_from_storage(char *dst, size_t dstLength, if (MISALIGNED_512(dstLength)) return -EINVAL; - r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, vk->key, vk->keylength, false); + r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, + crypt_volume_key_get_key(vk), + crypt_volume_key_length(vk), false); if (r) { log_err(cd, _("Cannot use %s-%s cipher for keyslot encryption."), cipher, cipher_mode); return r; diff --git a/lib/luks2/luks2_reencrypt.c b/lib/luks2/luks2_reencrypt.c index 302856e6..73ecba61 100644 --- a/lib/luks2/luks2_reencrypt.c +++ b/lib/luks2/luks2_reencrypt.c @@ -3544,7 +3544,7 @@ static int reencrypt_load_by_keyslot_context(struct crypt_device *cd, * above. The code checks if new VK is eligible for keyring. */ vk = crypt_volume_key_by_id(*vks, LUKS2_reencrypt_digest_new(hdr)); - if (vk && vk->key_description && crypt_is_cipher_null(reencrypt_segment_cipher_old(hdr))) { + if (vk && crypt_volume_key_description(vk) && crypt_is_cipher_null(reencrypt_segment_cipher_old(hdr))) { flags |= CRYPT_ACTIVATE_KEYRING_KEY; dmd_source.flags |= CRYPT_ACTIVATE_KEYRING_KEY; } diff --git a/lib/luks2/luks2_reencrypt_digest.c b/lib/luks2/luks2_reencrypt_digest.c index 7ed89a59..d5a1fae3 100644 --- a/lib/luks2/luks2_reencrypt_digest.c +++ b/lib/luks2/luks2_reencrypt_digest.c @@ -274,7 +274,7 @@ static int reencrypt_assembly_verification_data(struct crypt_device *cd, log_dbg(cd, "Key (digest id %d) required but not unlocked.", digest_old); return -EINVAL; } - data_len += blob_serialize(vk_old->key, vk_old->keylength, NULL); + data_len += blob_serialize(crypt_volume_key_get_key(vk_old), crypt_volume_key_length(vk_old), NULL); } if (digest_new >= 0 && digest_old != digest_new) { @@ -283,7 +283,7 @@ static int reencrypt_assembly_verification_data(struct crypt_device *cd, log_dbg(cd, "Key (digest id %d) required but not unlocked.", digest_new); return -EINVAL; } - data_len += blob_serialize(vk_new->key, vk_new->keylength, NULL); + data_len += blob_serialize(crypt_volume_key_get_key(vk_new), crypt_volume_key_length(vk_new), NULL); } if (data_len == 2) @@ -309,10 +309,12 @@ static int reencrypt_assembly_verification_data(struct crypt_device *cd, *ptr++ = 0x30 + version; if (vk_old) - ptr += blob_serialize(vk_old->key, vk_old->keylength, ptr); + ptr += blob_serialize(crypt_volume_key_get_key(vk_old), + crypt_volume_key_length(vk_old), ptr); if (vk_new) - ptr += blob_serialize(vk_new->key, vk_new->keylength, ptr); + ptr += blob_serialize(crypt_volume_key_get_key(vk_new), + crypt_volume_key_length(vk_new), ptr); if (!reenc_keyslot_serialize(hdr, ptr)) goto bad; diff --git a/lib/setup.c b/lib/setup.c index ead237c9..bbf99437 100644 --- a/lib/setup.c +++ b/lib/setup.c @@ -1262,7 +1262,7 @@ static int _init_by_name_crypt_none(struct crypt_device *cd) r = -EINVAL; else { cd->u.none.cipher_mode = cd->u.none.cipher_spec + strlen(cd->u.none.cipher) + 1; - cd->u.none.key_size = tgt->u.crypt.vk->keylength; + cd->u.none.key_size = crypt_volume_key_length(tgt->u.crypt.vk); r = 0; } } @@ -1407,7 +1407,7 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name) cd->u.plain.hdr.offset = tgt->u.crypt.offset; cd->u.plain.hdr.skip = tgt->u.crypt.iv_offset; cd->u.plain.hdr.sector_size = tgt->u.crypt.sector_size; - cd->u.plain.key_size = tgt->u.crypt.vk->keylength; + cd->u.plain.key_size = crypt_volume_key_length(tgt->u.crypt.vk); cd->u.plain.cipher = strdup(cipher); MOVE_REF(cd->u.plain.cipher_spec, cipher_spec); cd->u.plain.cipher_mode = cd->u.plain.cipher_spec + strlen(cipher) + 1; @@ -1419,9 +1419,9 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name) MOVE_REF(cd->u.loopaes.cipher_spec, cipher_spec); cd->u.loopaes.cipher_mode = cd->u.loopaes.cipher_spec + strlen(cipher) + 1; /* version 3 uses last key for IV */ - if (tgt->u.crypt.vk->keylength % key_nums) + if (crypt_volume_key_length(tgt->u.crypt.vk) % key_nums) key_nums++; - cd->u.loopaes.key_size = tgt->u.crypt.vk->keylength / key_nums; + cd->u.loopaes.key_size = crypt_volume_key_length(tgt->u.crypt.vk) / key_nums; } else if (isLUKS1(cd->type) || isLUKS2(cd->type)) { if (crypt_metadata_device(cd)) { r = _crypt_load_luks(cd, cd->type, true, false); @@ -1558,11 +1558,11 @@ static int _init_by_name_integrity(struct crypt_device *cd, const char *name) MOVE_REF(cd->u.integrity.params.journal_crypt, tgt->u.integrity.journal_crypt); if (tgt->u.integrity.vk) - cd->u.integrity.params.integrity_key_size = tgt->u.integrity.vk->keylength; + cd->u.integrity.params.integrity_key_size = crypt_volume_key_length(tgt->u.integrity.vk); if (tgt->u.integrity.journal_integrity_key) - cd->u.integrity.params.journal_integrity_key_size = tgt->u.integrity.journal_integrity_key->keylength; + cd->u.integrity.params.journal_integrity_key_size = crypt_volume_key_length(tgt->u.integrity.journal_integrity_key); if (tgt->u.integrity.journal_crypt_key) - cd->u.integrity.params.journal_crypt_key_size = tgt->u.integrity.journal_crypt_key->keylength; + cd->u.integrity.params.journal_crypt_key_size = crypt_volume_key_length(tgt->u.integrity.journal_crypt_key); MOVE_REF(cd->metadata_device, tgt->u.integrity.meta_device); } out: @@ -2183,7 +2183,7 @@ static int _crypt_format_luks2(struct crypt_device *cd, if (integrity_key_size) { integrity_key = crypt_alloc_volume_key(integrity_key_size, - cd->volume_key->key + volume_key_size - integrity_key_size); + crypt_volume_key_get_key(cd->volume_key) + volume_key_size - integrity_key_size); if (!integrity_key) { r = -ENOMEM; goto out; @@ -2447,7 +2447,7 @@ int crypt_format_luks2_opal(struct crypt_device *cd, } if (cipher) { - user_key = crypt_alloc_volume_key(opal_params->user_key_size, cd->volume_key->key); + user_key = crypt_alloc_volume_key(opal_params->user_key_size, crypt_volume_key_get_key(cd->volume_key)); if (!user_key) { r = -ENOMEM; goto out; @@ -2634,7 +2634,7 @@ int crypt_format_luks2_opal(struct crypt_device *cd, if (integrity_key_size) { integrity_key = crypt_alloc_volume_key(integrity_key_size, - cd->volume_key->key + volume_keys_size - integrity_key_size); + crypt_volume_key_get_key(cd->volume_key) + volume_keys_size - integrity_key_size); if (!integrity_key) { r = -ENOMEM; @@ -3169,15 +3169,15 @@ static int _compare_volume_keys(struct volume_key *svk, unsigned skeyring_only, else if (!svk || !tvk) return 1; - if (svk->keylength != tvk->keylength) + if (crypt_volume_key_length(svk) != crypt_volume_key_length(tvk)) return 1; if (!skeyring_only && !tkeyring_only) - return crypt_backend_memeq(svk->key, tvk->key, svk->keylength); + return crypt_backend_memeq(crypt_volume_key_get_key(svk), crypt_volume_key_get_key(tvk), crypt_volume_key_length(svk)); - if (svk->key_description && tvk->key_description) - return (svk->keyring_key_type != tvk->keyring_key_type || - strcmp(svk->key_description, tvk->key_description)); + if (crypt_volume_key_description(svk) && crypt_volume_key_description(tvk)) + return (crypt_volume_key_kernel_key_type(svk) != crypt_volume_key_kernel_key_type(tvk) || + strcmp(crypt_volume_key_description(svk), crypt_volume_key_description(tvk))); return 0; } @@ -3243,9 +3243,9 @@ static int _compare_crypt_devices(struct crypt_device *cd, goto out; } - if (tgt->u.crypt.vk->keylength == 0 && crypt_is_cipher_null(tgt->u.crypt.cipher)) + if (crypt_volume_key_length(tgt->u.crypt.vk) == 0 && crypt_is_cipher_null(tgt->u.crypt.cipher)) log_dbg(cd, "Existing device uses cipher null. Skipping key comparison."); - else if (_compare_volume_keys(src->u.crypt.vk, 0, tgt->u.crypt.vk, tgt->u.crypt.vk->key_description != NULL)) { + else if (_compare_volume_keys(src->u.crypt.vk, 0, tgt->u.crypt.vk, crypt_volume_key_description(tgt->u.crypt.vk) != NULL)) { log_dbg(cd, "Keys in context and target device do not match."); goto out; } @@ -3415,13 +3415,14 @@ static int _reload_device(struct crypt_device *cd, const char *name, if (tgt->type == DM_CRYPT && sdmd->flags & CRYPT_ACTIVATE_KEYRING_KEY) { r = crypt_volume_key_set_description(tgt->u.crypt.vk, - src->u.crypt.vk->key_description, - src->u.crypt.vk->keyring_key_type); + crypt_volume_key_description(src->u.crypt.vk), + crypt_volume_key_kernel_key_type(src->u.crypt.vk)); if (r) goto out; } else if (tgt->type == DM_CRYPT) { crypt_free_volume_key(tgt->u.crypt.vk); - tgt->u.crypt.vk = crypt_alloc_volume_key(src->u.crypt.vk->keylength, src->u.crypt.vk->key); + tgt->u.crypt.vk = crypt_alloc_volume_key(crypt_volume_key_length(src->u.crypt.vk), + crypt_volume_key_get_key(src->u.crypt.vk)); if (!tgt->u.crypt.vk) { r = -ENOMEM; goto out; @@ -3539,13 +3540,14 @@ static int _reload_device_with_integrity(struct crypt_device *cd, if (sdmd->flags & CRYPT_ACTIVATE_KEYRING_KEY) { r = crypt_volume_key_set_description(tgt->u.crypt.vk, - src->u.crypt.vk->key_description, - src->u.crypt.vk->keyring_key_type); + crypt_volume_key_description(src->u.crypt.vk), + crypt_volume_key_kernel_key_type(src->u.crypt.vk)); if (r) goto out; } else { crypt_free_volume_key(tgt->u.crypt.vk); - tgt->u.crypt.vk = crypt_alloc_volume_key(src->u.crypt.vk->keylength, src->u.crypt.vk->key); + tgt->u.crypt.vk = crypt_alloc_volume_key(crypt_volume_key_length(src->u.crypt.vk), + crypt_volume_key_get_key(src->u.crypt.vk)); if (!tgt->u.crypt.vk) { r = -ENOMEM; goto out; @@ -4004,8 +4006,8 @@ static char *crypt_get_device_key_description(struct crypt_device *cd, const cha return NULL; if (single_segment(&dmd) && tgt->type == DM_CRYPT && - (dmd.flags & CRYPT_ACTIVATE_KEYRING_KEY) && tgt->u.crypt.vk->key_description) - desc = strdup(tgt->u.crypt.vk->key_description); + (dmd.flags & CRYPT_ACTIVATE_KEYRING_KEY) && crypt_volume_key_description(tgt->u.crypt.vk)) + desc = strdup(crypt_volume_key_description(tgt->u.crypt.vk)); dm_targets_free(cd, &dmd); @@ -4222,7 +4224,10 @@ static key_serial_t crypt_single_volume_key_load_in_user_keyring(struct crypt_de log_dbg(cd, "Linking volume key (type %s, name %s) to the specified keyring", type_name, user_key_name); - kid = keyring_add_key_to_custom_keyring(cd->keyring_key_type, user_key_name, vk->key, vk->keylength, cd->keyring_to_link_vk); + kid = keyring_add_key_to_custom_keyring(cd->keyring_key_type, user_key_name, + crypt_volume_key_get_key(vk), + crypt_volume_key_length(vk), + cd->keyring_to_link_vk); if (kid <= 0) log_dbg(cd, "The keyring_link_key_to_keyring function failed (error %d).", errno); @@ -4620,7 +4625,7 @@ int crypt_keyslot_change_by_passphrase(struct crypt_device *cd, } else if (isLUKS2(cd->type)) { /* If there is a free keyslot (both id and binary area) avoid in-place keyslot area overwrite */ if (keyslot_new == CRYPT_ANY_SLOT || keyslot_new == keyslot_old) { - keyslot_new = LUKS2_keyslot_find_empty(cd, &cd->u.luks2.hdr, vk->keylength); + keyslot_new = LUKS2_keyslot_find_empty(cd, &cd->u.luks2.hdr, crypt_volume_key_length(vk)); if (keyslot_new < 0) keyslot_new = keyslot_old; else @@ -5215,7 +5220,7 @@ static int _verify_key(struct crypt_device *cd, assert(cd); if (isPLAIN(cd->type)) { - if (vk && vk->keylength == cd->u.plain.key_size) { + if (vk && crypt_volume_key_length(vk) == cd->u.plain.key_size) { r = KEY_VERIFIED; } else log_err(cd, _("Incorrect volume key specified for plain device.")); @@ -5246,7 +5251,7 @@ static int _verify_key(struct crypt_device *cd, else if (isBITLK(cd->type)) r = KEY_VERIFIED; else if (isFVAULT2(cd->type)) { - if (vk && vk->keylength == FVAULT2_volume_key_size()) + if (vk && crypt_volume_key_length(vk) == FVAULT2_volume_key_size()) r = KEY_VERIFIED; } else log_err(cd, _("Device type is not properly initialized.")); @@ -5439,7 +5444,8 @@ int crypt_activate_by_keyslot_context(struct crypt_device *cd, unlocked_keyslot = r; if (r == -ENOENT && isLUKS(cd->type) && cd->volume_key) { - vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key); + vk = crypt_alloc_volume_key(crypt_volume_key_length(cd->volume_key), + crypt_volume_key_get_key(cd->volume_key)); r = vk ? 0 : -ENOMEM; } if (r == -ENOENT && isINTEGRITY(cd->type)) @@ -5911,13 +5917,14 @@ int crypt_volume_key_get_by_keyslot_context(struct crypt_device *cd, log_err(cd, _("This operation is not supported for %s crypt device."), cd->type ?: "(none)"); if (r == -ENOENT && isLUKS(cd->type) && cd->volume_key) { - vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key); + vk = crypt_alloc_volume_key(crypt_volume_key_length(cd->volume_key), + crypt_volume_key_get_key(cd->volume_key)); r = vk ? 0 : -ENOMEM; } if (r >= 0 && vk) { - crypt_safe_memcpy(volume_key, vk->key, vk->keylength); - *volume_key_size = vk->keylength; + crypt_safe_memcpy(volume_key, crypt_volume_key_get_key(vk), crypt_volume_key_length(vk)); + *volume_key_size = crypt_volume_key_length(vk); } crypt_free_volume_key(vk); @@ -6337,7 +6344,7 @@ int crypt_get_volume_key_size(struct crypt_device *cd) if (isLUKS2(cd->type)) { r = LUKS2_get_volume_key_size(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT); if (r < 0 && cd->volume_key) - r = cd->volume_key->keylength; + r = crypt_volume_key_length(cd->volume_key); return r < 0 ? 0 : r; } @@ -7335,7 +7342,8 @@ int crypt_keyslot_add_by_keyslot_context(struct crypt_device *cd, return -ENOMEM; r = 0; } else if (cd->volume_key) { - if (!(vk = crypt_alloc_volume_key(cd->volume_key->keylength, cd->volume_key->key))) + if (!(vk = crypt_alloc_volume_key(crypt_volume_key_length(cd->volume_key), + crypt_volume_key_get_key(cd->volume_key)))) return -ENOMEM; r = 0; } else if (active_slots == 0) { @@ -7401,14 +7409,17 @@ int crypt_volume_key_load_in_keyring(struct crypt_device *cd, struct volume_key if (!vk || !cd) return -EINVAL; - if (!vk->key_description) { + if (!crypt_volume_key_description(vk)) { log_dbg(cd, "Invalid key description"); return -EINVAL; } - log_dbg(cd, "Loading key (type logon, name %s) in thread keyring.", vk->key_description); + log_dbg(cd, "Loading key (type logon, name %s) in thread keyring.", + crypt_volume_key_description(vk)); - kid = keyring_add_key_in_thread_keyring(LOGON_KEY, vk->key_description, vk->key, vk->keylength); + kid = keyring_add_key_in_thread_keyring(LOGON_KEY, crypt_volume_key_description(vk), + crypt_volume_key_get_key(vk), + crypt_volume_key_length(vk)); if (kid < 0) { log_dbg(cd, "keyring_add_key_in_thread_keyring failed (error %d)", errno); log_err(cd, _("Failed to load key in kernel keyring.")); @@ -7605,7 +7616,7 @@ void crypt_drop_uploaded_keyring_key(struct crypt_device *cd, struct volume_key while (vk) { if (vk->uploaded) - crypt_drop_keyring_key_by_description(cd, vk->key_description, LOGON_KEY); + crypt_drop_keyring_key_by_description(cd, crypt_volume_key_description(vk), LOGON_KEY); vk = crypt_volume_key_next(vk); } } diff --git a/lib/tcrypt/tcrypt.c b/lib/tcrypt/tcrypt.c index 1056e12f..568dc5a1 100644 --- a/lib/tcrypt/tcrypt.c +++ b/lib/tcrypt/tcrypt.c @@ -999,7 +999,7 @@ static int TCRYPT_status_one(struct crypt_device *cd, const char *name, *c = '\0'; strcat(cipher, "-"); strncat(cipher, tgt->u.crypt.cipher, MAX_CIPHER_LEN); - *key_size += tgt->u.crypt.vk->keylength; + *key_size += crypt_volume_key_length(tgt->u.crypt.vk); tcrypt_hdr->d.mk_offset = tgt->u.crypt.offset * SECTOR_SIZE; device_free(cd, *device); MOVE_REF(*device, tgt->data_device); @@ -1036,7 +1036,7 @@ int TCRYPT_init_by_name(struct crypt_device *cd, const char *name, mode[MAX_CIPHER_LEN] = '\0'; strncpy(mode, ++tmp, MAX_CIPHER_LEN); - key_size = tgt->u.crypt.vk->keylength; + key_size = crypt_volume_key_length(tgt->u.crypt.vk); r = TCRYPT_status_one(cd, name, uuid, 1, &key_size, cipher, tcrypt_hdr, device); if (!r) diff --git a/lib/utils_storage_wrappers.c b/lib/utils_storage_wrappers.c index 07638e23..54492d05 100644 --- a/lib/utils_storage_wrappers.c +++ b/lib/utils_storage_wrappers.c @@ -49,7 +49,9 @@ static int crypt_storage_backend_init(struct crypt_device *cd, struct crypt_storage *s; /* iv_start, sector_size */ - r = crypt_storage_init(&s, sector_size, cipher, cipher_mode, vk->key, vk->keylength, flags & LARGE_IV); + r = crypt_storage_init(&s, sector_size, cipher, cipher_mode, + crypt_volume_key_get_key(vk), + crypt_volume_key_length(vk), flags & LARGE_IV); if (r) return r; @@ -103,7 +105,7 @@ static int crypt_storage_dmcrypt_init( if (dmd.flags & CRYPT_ACTIVATE_READONLY) mode = (open_flags & ~O_ACCMODE) | O_RDONLY; - if (vk->key_description) + if (crypt_volume_key_description(vk)) dmd.flags |= CRYPT_ACTIVATE_KEYRING_KEY; r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, device, vk, cipher_spec, iv_start, diff --git a/lib/verity/verity.c b/lib/verity/verity.c index 476c22eb..c583eb6a 100644 --- a/lib/verity/verity.c +++ b/lib/verity/verity.c @@ -271,7 +271,8 @@ int VERITY_verify_params(struct crypt_device *cd, return 0; log_dbg(cd, "Verification of VERITY data in userspace required."); - r = VERITY_verify(cd, hdr, root_hash->key, root_hash->keylength); + r = VERITY_verify(cd, hdr, crypt_volume_key_get_key(root_hash), + crypt_volume_key_length(root_hash)); if ((r == -EPERM || r == -EFAULT) && fec_device) { v = r; @@ -324,7 +325,9 @@ int VERITY_activate(struct crypt_device *cd, return -EINVAL; log_dbg(cd, "Adding signature %s (type user) into thread keyring.", description); - kid = keyring_add_key_in_thread_keyring(USER_KEY, description, signature->key, signature->keylength); + kid = keyring_add_key_in_thread_keyring(USER_KEY, description, + crypt_volume_key_get_key(signature), + crypt_volume_key_length(signature)); if (kid < 0) { log_dbg(cd, "keyring_add_key_in_thread_keyring failed with errno %d.", errno); log_err(cd, _("Failed to load key in kernel keyring.")); @@ -352,8 +355,8 @@ int VERITY_activate(struct crypt_device *cd, } r = dm_verity_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd), - crypt_metadata_device(cd), fec_device, root_hash->key, - root_hash->keylength, description, + crypt_metadata_device(cd), fec_device, crypt_volume_key_get_key(root_hash), + crypt_volume_key_length(root_hash), description, VERITY_hash_offset_block(verity_hdr), VERITY_FEC_blocks(cd, fec_device, verity_hdr), verity_hdr);