diff --git a/lib/luks2/luks2_internal.h b/lib/luks2/luks2_internal.h index ee6e3f43..79038315 100644 --- a/lib/luks2/luks2_internal.h +++ b/lib/luks2/luks2_internal.h @@ -100,7 +100,7 @@ typedef int (*keyslot_store_func)(struct crypt_device *cd, int keyslot, const char *volume_key, size_t volume_key_len); typedef int (*keyslot_wipe_func) (struct crypt_device *cd, int keyslot); typedef int (*keyslot_dump_func) (struct crypt_device *cd, int keyslot); -typedef int (*keyslot_validate_func) (struct crypt_device *cd, int keyslot); +typedef int (*keyslot_validate_func) (struct crypt_device *cd, json_object *jobj_keyslot); /* see LUKS2_luks2_to_luks1 */ int placeholder_keyslot_alloc(struct crypt_device *cd, diff --git a/lib/luks2/luks2_keyslot.c b/lib/luks2/luks2_keyslot.c index 417e5c89..b37685c6 100644 --- a/lib/luks2/luks2_keyslot.c +++ b/lib/luks2/luks2_keyslot.c @@ -249,12 +249,18 @@ static int LUKS2_open_and_verify(struct crypt_device *cd, if (!(h = LUKS2_keyslot_handler(cd, keyslot))) return -ENOENT; - r = h->validate(cd, keyslot); + r = h->validate(cd, LUKS2_get_keyslot_jobj(hdr, keyslot)); if (r) { log_dbg("Keyslot %d validation failed.", keyslot); return r; } + /* FIXME: this belongs elsewhere, stay tuned */ + if (LUKS2_get_keyslot_digests_count(hdr, keyslot) != 1) { + log_dbg("Keyslot %d is not assigned to exactly 1 digest."); + return -EINVAL; + } + r = LUKS2_keyslot_for_segment(hdr, keyslot, segment); if (r) { if (r == -ENOENT) @@ -389,12 +395,18 @@ int LUKS2_keyslot_store(struct crypt_device *cd, } } - r = h->validate(cd, keyslot); + r = h->validate(cd, LUKS2_get_keyslot_jobj(hdr, keyslot)); if (r) { log_dbg("Keyslot validation failed."); return r; } + /* FIXME: this belongs elsewhere, stay tuned */ + if (LUKS2_get_keyslot_digests_count(hdr, keyslot) != 1) { + log_dbg("Keyslot %d is not assigned to exactly 1 digest."); + return -EINVAL; + } + return h->store(cd, keyslot, password, password_len, vk->key, vk->keylength); } diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c index f4139901..d72fae7d 100644 --- a/lib/luks2/luks2_keyslot_luks2.c +++ b/lib/luks2/luks2_keyslot_luks2.c @@ -641,24 +641,15 @@ static int luks2_keyslot_dump(struct crypt_device *cd, int keyslot) return 0; } -static int luks2_keyslot_validate(struct crypt_device *cd, int keyslot) +static int luks2_keyslot_validate(struct crypt_device *cd, json_object *jobj_keyslot) { - struct luks2_hdr *hdr; - json_object *jobj_keyslot, *jobj_kdf, *jobj_af, *jobj_area, *jobj1; + json_object *jobj_kdf, *jobj_af, *jobj_area, *jobj1; const char *type; - char num[16]; int count; - hdr = crypt_get_hdr(cd, CRYPT_LUKS2); - - jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot); if (!jobj_keyslot) return -EINVAL; - snprintf(num, sizeof(num), "%d", keyslot); - if (LUKS2_keyslot_validate(hdr->jobj, jobj_keyslot, num)) - return -EINVAL; - if (!json_object_object_get_ex(jobj_keyslot, "kdf", &jobj_kdf) || !json_object_object_get_ex(jobj_keyslot, "af", &jobj_af) || !json_object_object_get_ex(jobj_keyslot, "area", &jobj_area)) @@ -707,13 +698,6 @@ static int luks2_keyslot_validate(struct crypt_device *cd, int keyslot) } else return -EINVAL; - /* luks2 keyslot must have exactly one digest */ - count = LUKS2_get_keyslot_digests_count(hdr, keyslot); - if (count != 1) { - log_dbg("Keyslot %d is assigned to %d digest(s). Expected value is 1.", keyslot, count); - return -EINVAL; - } - return 0; }