eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-13 11:50:10 +01:00
Code Issues Packages Projects Releases Wiki Activity

Cleanup LUKS2 keyslot specific validation.

Browse Source 
- do not run general LUKS2 format validation from inside the specific one
- validate luks2 json object only
- temporary move digests count restrictions, going to be fixed in next
  commit
This commit is contained in:
Ondrej Kozina
2018-04-19 13:45:02 +02:00
committed by Milan Broz
parent 172af5465d
commit 9b635a3e90
3 changed files with 17 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/luks2/luks2_internal.h
View File

@@ -100,7 +100,7 @@ typedef int (*keyslot_store_func)(struct crypt_device *cd, int keyslot,
const char *volume_key, size_t volume_key_len); const char *volume_key, size_t volume_key_len);
typedef int (*keyslot_wipe_func) (struct crypt_device *cd, int keyslot); typedef int (*keyslot_wipe_func) (struct crypt_device *cd, int keyslot);
typedef int (*keyslot_dump_func) (struct crypt_device *cd, int keyslot); typedef int (*keyslot_dump_func) (struct crypt_device *cd, int keyslot);
typedef int (*keyslot_validate_func) (struct crypt_device *cd, int keyslot); typedef int (*keyslot_validate_func) (struct crypt_device *cd, json_object *jobj_keyslot);
/* see LUKS2_luks2_to_luks1 */ /* see LUKS2_luks2_to_luks1 */
int placeholder_keyslot_alloc(struct crypt_device *cd, int placeholder_keyslot_alloc(struct crypt_device *cd,

16
lib/luks2/luks2_keyslot.c
View File

@@ -249,12 +249,18 @@ static int LUKS2_open_and_verify(struct crypt_device *cd,
if (!(h = LUKS2_keyslot_handler(cd, keyslot))) if (!(h = LUKS2_keyslot_handler(cd, keyslot)))
return -ENOENT; return -ENOENT;
r = h->validate(cd, keyslot); r = h->validate(cd, LUKS2_get_keyslot_jobj(hdr, keyslot));
if (r) { if (r) {
log_dbg("Keyslot %d validation failed.", keyslot); log_dbg("Keyslot %d validation failed.", keyslot);
return r; return r;
} }
/* FIXME: this belongs elsewhere, stay tuned */
if (LUKS2_get_keyslot_digests_count(hdr, keyslot) != 1) {
log_dbg("Keyslot %d is not assigned to exactly 1 digest.");
return -EINVAL;
}
r = LUKS2_keyslot_for_segment(hdr, keyslot, segment); r = LUKS2_keyslot_for_segment(hdr, keyslot, segment);
if (r) { if (r) {
if (r == -ENOENT) if (r == -ENOENT)
@@ -389,12 +395,18 @@ int LUKS2_keyslot_store(struct crypt_device *cd,
} }
} }
r = h->validate(cd, keyslot); r = h->validate(cd, LUKS2_get_keyslot_jobj(hdr, keyslot));
if (r) { if (r) {
log_dbg("Keyslot validation failed."); log_dbg("Keyslot validation failed.");
return r; return r;
} }
/* FIXME: this belongs elsewhere, stay tuned */
if (LUKS2_get_keyslot_digests_count(hdr, keyslot) != 1) {
log_dbg("Keyslot %d is not assigned to exactly 1 digest.");
return -EINVAL;
}
return h->store(cd, keyslot, password, password_len, return h->store(cd, keyslot, password, password_len,
vk->key, vk->keylength); vk->key, vk->keylength);
} }

20
lib/luks2/luks2_keyslot_luks2.c
View File

@@ -641,24 +641,15 @@ static int luks2_keyslot_dump(struct crypt_device *cd, int keyslot)
return 0; return 0;
} }
static int luks2_keyslot_validate(struct crypt_device *cd, int keyslot) static int luks2_keyslot_validate(struct crypt_device *cd, json_object *jobj_keyslot)
{ {
struct luks2_hdr *hdr; json_object *jobj_kdf, *jobj_af, *jobj_area, *jobj1;
json_object *jobj_keyslot, *jobj_kdf, *jobj_af, *jobj_area, *jobj1;
const char *type; const char *type;
char num[16];
int count; int count;
hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
if (!jobj_keyslot) if (!jobj_keyslot)
return -EINVAL; return -EINVAL;
snprintf(num, sizeof(num), "%d", keyslot);
if (LUKS2_keyslot_validate(hdr->jobj, jobj_keyslot, num))
return -EINVAL;
if (!json_object_object_get_ex(jobj_keyslot, "kdf", &jobj_kdf) || if (!json_object_object_get_ex(jobj_keyslot, "kdf", &jobj_kdf) ||
!json_object_object_get_ex(jobj_keyslot, "af", &jobj_af) || !json_object_object_get_ex(jobj_keyslot, "af", &jobj_af) ||
!json_object_object_get_ex(jobj_keyslot, "area", &jobj_area)) !json_object_object_get_ex(jobj_keyslot, "area", &jobj_area))
@@ -707,13 +698,6 @@ static int luks2_keyslot_validate(struct crypt_device *cd, int keyslot)
} else } else
return -EINVAL; return -EINVAL;
/* luks2 keyslot must have exactly one digest */
count = LUKS2_get_keyslot_digests_count(hdr, keyslot);
if (count != 1) {
log_dbg("Keyslot %d is assigned to %d digest(s). Expected value is 1.", keyslot, count);
return -EINVAL;
}
return 0; return 0;
} }