Switch away from accessing volume key internals directly.
Switch current code to use the following volume key helpers for accessing internal properties: crypt_volume_key_length(), crypt_volume_key_get_key(), crypt_volume_key_description() and crypt_volume_key_kernel_key_type(). Remaining direct access to volume key internals will be dealt with in later commits, since it requires some further changes.
committed by
Milan Broz
parent
fd9be9e777
commit
54d937dfc7
@@ -310,12 +310,13 @@ static int opal_range_check_attributes_fd(struct crypt_device *cd,
|
||||
.session = {
|
||||
.who = segment_number + 1,
|
||||
.opal_key = {
|
||||
.key_len = vk->keylength,
|
||||
.key_len = crypt_volume_key_length(vk),
|
||||
.lr = segment_number
|
||||
}
|
||||
}
|
||||
};
|
||||
crypt_safe_memcpy(lrs->session.opal_key.key, vk->key, vk->keylength);
|
||||
crypt_safe_memcpy(lrs->session.opal_key.key, crypt_volume_key_get_key(vk),
|
||||
crypt_volume_key_length(vk));
|
||||
|
||||
r = opal_ioctl(cd, fd, IOC_OPAL_GET_LR_STATUS, lrs);
|
||||
if (r != OPAL_STATUS_SUCCESS) {
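Review bot: The new crypt_safe_memcpy() into lrs->session.opal_key.key copies crypt_volume_key_length(vk) bytes into what the later hunks treat as an OPAL_KEY_MAX-sized buffer, and nothing in this hunk bounds that length. opal_setup_ranges (hunk at L60) and opal_lock_unlock (hunk at L180) guard the same copy with `assert(crypt_volume_key_length(vk) <= OPAL_KEY_MAX);`, but assert() disappears under NDEBUG while the neighbouring admin_key_len check in opal_setup_ranges is a real runtime `if (admin_key_len > OPAL_KEY_MAX)`. If opal_range_check_attributes_fd does not check the length earlier (the function starts before this hunk), add a runtime guard such as `if (crypt_volume_key_length(vk) > OPAL_KEY_MAX) return -EINVAL;` before the initializer, and consider the same treatment for the two assert-only sites.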
|
||||
@@ -417,7 +418,7 @@ int opal_setup_ranges(struct crypt_device *cd,
|
||||
assert(dev);
|
||||
assert(vk);
|
||||
assert(admin_key);
|
||||
assert(vk->keylength <= OPAL_KEY_MAX);
|
||||
assert(crypt_volume_key_length(vk) <= OPAL_KEY_MAX);
|
||||
assert(opal_block_bytes >= SECTOR_SIZE);
|
||||
|
||||
if (admin_key_len > OPAL_KEY_MAX)
|
||||
@@ -582,12 +583,13 @@ int opal_setup_ranges(struct crypt_device *cd,
|
||||
.new_user_pw = {
|
||||
.who = segment_number + 1,
|
||||
.opal_key = {
|
||||
.key_len = vk->keylength,
|
||||
.key_len = crypt_volume_key_length(vk),
|
||||
.lr = segment_number,
|
||||
},
|
||||
},
|
||||
};
|
||||
crypt_safe_memcpy(new_pw->new_user_pw.opal_key.key, vk->key, vk->keylength);
|
||||
crypt_safe_memcpy(new_pw->new_user_pw.opal_key.key, crypt_volume_key_get_key(vk),
|
||||
crypt_volume_key_length(vk));
|
||||
crypt_safe_memcpy(new_pw->session.opal_key.key, admin_key, admin_key_len);
|
||||
|
||||
r = opal_ioctl(cd, fd, IOC_OPAL_SET_PW, new_pw);
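Review bot: crypt_volume_key_length(vk) is evaluated twice in this block, once for `.key_len` and again as the crypt_safe_memcpy() length, which is what forces the wrapped two-line memcpy; the same pattern appears in the hunks at L13, L133 and L180, and three times in LUKS2_split_crypt_and_opal_keys (hunk at L330). A single local, `const size_t vk_len = crypt_volume_key_length(vk);`, declared before the initializer keeps the declared length and the copied length tied to one value and lets each memcpy fit on one line. This is a style point only; the behaviour is unchanged either way.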
|
||||
@@ -642,12 +644,13 @@ int opal_setup_ranges(struct crypt_device *cd,
|
||||
.session = {
|
||||
.who = segment_number + 1,
|
||||
.opal_key = {
|
||||
.key_len = vk->keylength,
|
||||
.key_len = crypt_volume_key_length(vk),
|
||||
.lr = segment_number,
|
||||
},
|
||||
}
|
||||
};
|
||||
crypt_safe_memcpy(lock->session.opal_key.key, vk->key, vk->keylength);
|
||||
crypt_safe_memcpy(lock->session.opal_key.key, crypt_volume_key_get_key(vk),
|
||||
crypt_volume_key_length(vk));
|
||||
|
||||
r = opal_ioctl(cd, fd, IOC_OPAL_LOCK_UNLOCK, lock);
|
||||
if (r != OPAL_STATUS_SUCCESS) {
|
||||
@@ -700,10 +703,11 @@ static int opal_lock_unlock(struct crypt_device *cd,
|
||||
return -EIO;
|
||||
|
||||
if (!lock) {
|
||||
assert(vk->keylength <= OPAL_KEY_MAX);
|
||||
assert(crypt_volume_key_length(vk) <= OPAL_KEY_MAX);
|
||||
|
||||
unlock.session.opal_key.key_len = vk->keylength;
|
||||
crypt_safe_memcpy(unlock.session.opal_key.key, vk->key, vk->keylength);
|
||||
unlock.session.opal_key.key_len = crypt_volume_key_length(vk);
|
||||
crypt_safe_memcpy(unlock.session.opal_key.key, crypt_volume_key_get_key(vk),
|
||||
crypt_volume_key_length(vk));
|
||||
}
|
||||
|
||||
r = opal_ioctl(cd, fd, IOC_OPAL_LOCK_UNLOCK, &unlock);
|
||||
|
||||
@@ -75,7 +75,7 @@ int LUKS2_digest_create(struct crypt_device *cd,
|
||||
|
||||
log_dbg(cd, "Creating new digest %d (%s).", digest, type);
|
||||
|
||||
return dh->store(cd, digest, vk->key, vk->keylength) ?: digest;
|
||||
return dh->store(cd, digest, crypt_volume_key_get_key(vk), crypt_volume_key_length(vk)) ?: digest;
|
||||
}
|
||||
|
||||
int LUKS2_digest_by_keyslot(struct luks2_hdr *hdr, int keyslot)
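Review bot: The rewritten return in LUKS2_digest_create now runs well past 100 columns, while the commit wraps comparable calls elsewhere (luks2_encrypt_to_storage, hunk at L465); the same applies to the h->verify() line in the hunk at L248. Splitting the argument list as `return dh->store(cd, digest, crypt_volume_key_get_key(vk),` / `crypt_volume_key_length(vk)) ?: digest;` keeps it consistent with the rest of the change. The pre-existing GNU `?:` form is unchanged and not part of this remark.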
|
||||
@@ -108,7 +108,7 @@ int LUKS2_digest_verify_by_digest(struct crypt_device *cd,
|
||||
if (!h)
|
||||
return -EINVAL;
|
||||
|
||||
r = h->verify(cd, digest, vk->key, vk->keylength);
|
||||
r = h->verify(cd, digest, crypt_volume_key_get_key(vk), crypt_volume_key_length(vk));
|
||||
if (r < 0) {
|
||||
log_dbg(cd, "Digest %d (%s) verify failed with %d.", digest, h->name, r);
|
||||
return r;
|
||||
|
||||
@@ -2894,7 +2894,7 @@ int LUKS2_deactivate(struct crypt_device *cd, const char *name, struct luks2_hdr
|
||||
tgt = &dmdc.segment;
|
||||
while (tgt) {
|
||||
if (tgt->type == DM_CRYPT)
|
||||
crypt_drop_keyring_key_by_description(cd, tgt->u.crypt.vk->key_description,
|
||||
crypt_drop_keyring_key_by_description(cd, crypt_volume_key_description(tgt->u.crypt.vk),
|
||||
LOGON_KEY);
|
||||
tgt = tgt->next;
|
||||
}
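Review bot: LUKS2_deactivate contains this dm-crypt keyring-drop loop twice, here and again in the hunk at L303, and the commit edits both copies identically; that is a sign the loop should live in one static helper so the next change to the keyring handling cannot miss one of them. The helper below takes the first target and loops; the type of dmdc.segment is not visible on this page, so it is shown as a labelled placeholder. Both call sites would become a single `drop_dm_crypt_keyring_keys(cd, &dmdc.segment);` line.
```c
/* Drop the LOGON keyring key of every dm-crypt target in the table. */
static void drop_dm_crypt_keyring_keys(struct crypt_device *cd,
				       TARGET_TYPE *tgt) /* TARGET_TYPE: type of dmdc.segment, not shown on this page */
{
	for (; tgt; tgt = tgt->next)
		if (tgt->type == DM_CRYPT)
			crypt_drop_keyring_key_by_description(cd,
				crypt_volume_key_description(tgt->u.crypt.vk), LOGON_KEY);
}
```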
|
||||
@@ -2930,7 +2930,7 @@ int LUKS2_deactivate(struct crypt_device *cd, const char *name, struct luks2_hdr
|
||||
tgt = &dmdc.segment;
|
||||
while (tgt) {
|
||||
if (tgt->type == DM_CRYPT)
|
||||
crypt_drop_keyring_key_by_description(cd, tgt->u.crypt.vk->key_description,
|
||||
crypt_drop_keyring_key_by_description(cd, crypt_volume_key_description(tgt->u.crypt.vk),
|
||||
LOGON_KEY);
|
||||
tgt = tgt->next;
|
||||
}
|
||||
@@ -3115,22 +3115,22 @@ int LUKS2_split_crypt_and_opal_keys(struct crypt_device *cd __attribute__((unuse
|
||||
if (r < 0)
|
||||
return -EINVAL;
|
||||
|
||||
if (vk->keylength < opal_user_key_size)
|
||||
if (crypt_volume_key_length(vk) < opal_user_key_size)
|
||||
return -EINVAL;
|
||||
|
||||
/* OPAL SEGMENT only */
|
||||
if (vk->keylength == opal_user_key_size) {
|
||||
if (crypt_volume_key_length(vk) == opal_user_key_size) {
|
||||
*ret_crypt_key = NULL;
|
||||
*ret_opal_key = NULL;
|
||||
return 0;
|
||||
}
|
||||
|
||||
opal_key = crypt_alloc_volume_key(opal_user_key_size, vk->key);
|
||||
opal_key = crypt_alloc_volume_key(opal_user_key_size, crypt_volume_key_get_key(vk));
|
||||
if (!opal_key)
|
||||
return -ENOMEM;
|
||||
|
||||
crypt_key = crypt_alloc_volume_key(vk->keylength - opal_user_key_size,
|
||||
vk->key + opal_user_key_size);
|
||||
crypt_key = crypt_alloc_volume_key(crypt_volume_key_length(vk) - opal_user_key_size,
|
||||
crypt_volume_key_get_key(vk) + opal_user_key_size);
|
||||
if (!crypt_key) {
|
||||
crypt_free_volume_key(opal_key);
|
||||
return -ENOMEM;
|
||||
|
||||
@@ -620,7 +620,7 @@ int LUKS2_keyslot_store(struct crypt_device *cd,
|
||||
if (!h)
|
||||
return -EINVAL;
|
||||
|
||||
r = h->alloc(cd, keyslot, vk->keylength, params);
|
||||
r = h->alloc(cd, keyslot, crypt_volume_key_length(vk), params);
|
||||
if (r)
|
||||
return r;
|
||||
} else {
|
||||
@@ -644,7 +644,7 @@ int LUKS2_keyslot_store(struct crypt_device *cd,
|
||||
return -EINVAL;
|
||||
|
||||
return h->store(cd, keyslot, password, password_len,
|
||||
vk->key, vk->keylength);
|
||||
crypt_volume_key_get_key(vk), crypt_volume_key_length(vk));
|
||||
}
|
||||
|
||||
int LUKS2_keyslot_wipe(struct crypt_device *cd,
|
||||
|
||||
@@ -37,7 +37,8 @@ static int luks2_encrypt_to_storage(char *src, size_t srcLength,
|
||||
return -EINVAL;
|
||||
|
||||
/* Encrypt buffer */
|
||||
r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, vk->key, vk->keylength, false);
|
||||
r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode,
|
||||
crypt_volume_key_get_key(vk), crypt_volume_key_length(vk), false);
|
||||
if (r) {
|
||||
log_err(cd, _("Cannot use %s-%s cipher for keyslot encryption."), cipher, cipher_mode);
|
||||
return r;
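Review bot: The two crypt_storage_init() call sites rewritten by this commit are wrapped differently: here the two new arguments share one continuation line, while luks2_decrypt_from_storage (hunk at L494) puts `crypt_volume_key_get_key(vk),` and `crypt_volume_key_length(vk), false);` on separate lines. Since both calls are otherwise identical, pick one layout for both; the two-line form used here is the shorter one. Style only, no behavioural difference.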
|
||||
@@ -92,7 +93,9 @@ static int luks2_decrypt_from_storage(char *dst, size_t dstLength,
|
||||
if (MISALIGNED_512(dstLength))
|
||||
return -EINVAL;
|
||||
|
||||
r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, vk->key, vk->keylength, false);
|
||||
r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode,
|
||||
crypt_volume_key_get_key(vk),
|
||||
crypt_volume_key_length(vk), false);
|
||||
if (r) {
|
||||
log_err(cd, _("Cannot use %s-%s cipher for keyslot encryption."), cipher, cipher_mode);
|
||||
return r;
|
||||
|
||||
@@ -3544,7 +3544,7 @@ static int reencrypt_load_by_keyslot_context(struct crypt_device *cd,
|
||||
* above. The code checks if new VK is eligible for keyring.
|
||||
*/
|
||||
vk = crypt_volume_key_by_id(*vks, LUKS2_reencrypt_digest_new(hdr));
|
||||
if (vk && vk->key_description && crypt_is_cipher_null(reencrypt_segment_cipher_old(hdr))) {
|
||||
if (vk && crypt_volume_key_description(vk) && crypt_is_cipher_null(reencrypt_segment_cipher_old(hdr))) {
|
||||
flags |= CRYPT_ACTIVATE_KEYRING_KEY;
|
||||
dmd_source.flags |= CRYPT_ACTIVATE_KEYRING_KEY;
|
||||
}
|
||||
|
||||
@@ -274,7 +274,7 @@ static int reencrypt_assembly_verification_data(struct crypt_device *cd,
|
||||
log_dbg(cd, "Key (digest id %d) required but not unlocked.", digest_old);
|
||||
return -EINVAL;
|
||||
}
|
||||
data_len += blob_serialize(vk_old->key, vk_old->keylength, NULL);
|
||||
data_len += blob_serialize(crypt_volume_key_get_key(vk_old), crypt_volume_key_length(vk_old), NULL);
|
||||
}
|
||||
|
||||
if (digest_new >= 0 && digest_old != digest_new) {
|
||||
@@ -283,7 +283,7 @@ static int reencrypt_assembly_verification_data(struct crypt_device *cd,
|
||||
log_dbg(cd, "Key (digest id %d) required but not unlocked.", digest_new);
|
||||
return -EINVAL;
|
||||
}
|
||||
data_len += blob_serialize(vk_new->key, vk_new->keylength, NULL);
|
||||
data_len += blob_serialize(crypt_volume_key_get_key(vk_new), crypt_volume_key_length(vk_new), NULL);
|
||||
}
|
||||
|
||||
if (data_len == 2)
|
||||
@@ -309,10 +309,12 @@ static int reencrypt_assembly_verification_data(struct crypt_device *cd,
|
||||
*ptr++ = 0x30 + version;
|
||||
|
||||
if (vk_old)
|
||||
ptr += blob_serialize(vk_old->key, vk_old->keylength, ptr);
|
||||
ptr += blob_serialize(crypt_volume_key_get_key(vk_old),
|
||||
crypt_volume_key_length(vk_old), ptr);
|
||||
|
||||
if (vk_new)
|
||||
ptr += blob_serialize(vk_new->key, vk_new->keylength, ptr);
|
||||
ptr += blob_serialize(crypt_volume_key_get_key(vk_new),
|
||||
crypt_volume_key_length(vk_new), ptr);
|
||||
|
||||
if (!reenc_keyslot_serialize(hdr, ptr))
|
||||
goto bad;
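Review bot: Both `if (vk_old)` and `if (vk_new)` now guard a statement that spans two physical lines without braces, which is the layout that makes a later one-line addition silently fall outside the condition. Since the commit is already touching these statements, brace them: `if (vk_old) {` / `ptr += blob_serialize(crypt_volume_key_get_key(vk_old), crypt_volume_key_length(vk_old), ptr);` / `}`, and the same for vk_new. The surrounding function continues past the hunk.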
|
||||
|
||||