LUKS2 code cleanup.

- drop unused code - drop unused function declarations - remove local routines from internal api
2025-12-06 00:10:04 +01:00 · 2019-08-05 18:26:07 +02:00
parent 91879960e6
commit a23e1cf729
8 changed files with 79 additions and 172 deletions
--- a/lib/luks2/luks2.h
+++ b/lib/luks2/luks2.h
@@ -367,19 +367,15 @@ int LUKS2_tokens_count(struct luks2_hdr *hdr);
 /*
 * Generic LUKS2 segment
 */
 json_object *json_get_segments_jobj(json_object *hdr_jobj);
 uint64_t json_segment_get_offset(json_object *jobj_segment, unsigned blockwise);
 const char *json_segment_type(json_object *jobj_segment);
 uint64_t json_segment_get_iv_offset(json_object *jobj_segment);
 uint64_t json_segment_get_size(json_object *jobj_segment, unsigned blockwise);
 const char *json_segment_get_cipher(json_object *jobj_segment);
 int json_segment_get_sector_size(json_object *jobj_segment);
 json_object *json_segment_get_flags(json_object *jobj_segment);
 bool json_segment_is_backup(json_object *jobj_segment);
 bool json_segment_is_reencrypt(json_object *jobj_segment);
 json_object *json_segments_get_segment(json_object *jobj_segments, int segment);
 unsigned json_segments_count(json_object *jobj_segments);
 json_object *json_segments_get_segment_by_flag(json_object *jobj_segments, const char *flag);
 void json_segment_remove_flag(json_object *jobj_segment, const char *flag);
 uint64_t json_segments_get_minimal_offset(json_object *jobj_segments, unsigned blockwise);
 json_object *json_segment_create_linear(uint64_t offset, const uint64_t *length, unsigned reencryption);
@@ -396,8 +392,6 @@ json_object *LUKS2_get_segment_by_flag(struct luks2_hdr *hdr, const char *flag);
 int LUKS2_get_segment_id_by_flag(struct luks2_hdr *hdr, const char *flag);
 json_object *LUKS2_get_ignored_segments(struct luks2_hdr *hdr);
 int LUKS2_segments_set(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	json_object *jobj_segments,
@@ -425,11 +419,6 @@ int LUKS2_get_default_segment(struct luks2_hdr *hdr);
 int LUKS2_reencrypt_digest_new(struct luks2_hdr *hdr);
 int LUKS2_reencrypt_digest_old(struct luks2_hdr *hdr);
 const char *LUKS2_reencrypt_protection_type(struct luks2_hdr *hdr);
 const char *LUKS2_reencrypt_protection_hash(struct luks2_hdr *hdr);
 uint64_t LUKS2_reencrypt_data_shift(struct luks2_hdr *hdr);
 crypt_reencrypt_mode_info LUKS2_reencrypt_mode(struct luks2_hdr *hdr);
 crypt_reencrypt_direction_info LUKS2_reencrypt_direction(struct luks2_hdr *hdr);
 int LUKS2_reencrypt_data_offset(struct luks2_hdr *hdr, bool blockwise);
 /*
@@ -511,12 +500,6 @@ int LUKS2_reload(struct crypt_device *cd,
 	uint64_t device_size,
 	uint32_t flags);
 int LUKS2_keyslot_luks2_format(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	int keyslot,
 	const char *cipher,
 	size_t keylength);
 int LUKS2_generate_hdr(
 	struct crypt_device *cd,
 	struct luks2_hdr *hdr,
@@ -552,7 +535,6 @@ int LUKS2_keyslot_find_empty(struct luks2_hdr *hdr);
 int LUKS2_keyslot_active_count(struct luks2_hdr *hdr, int segment);
 int LUKS2_keyslot_for_segment(struct luks2_hdr *hdr, int keyslot, int segment);
 int LUKS2_find_keyslot(struct luks2_hdr *hdr, const char *type);
 int LUKS2_find_keyslot_for_segment(struct luks2_hdr *hdr, int segment, const char *type);
 crypt_keyslot_info LUKS2_keyslot_info(struct luks2_hdr *hdr, int keyslot);
 int LUKS2_keyslot_area(struct luks2_hdr *hdr,
 	int keyslot,
@@ -577,7 +559,6 @@ int LUKS2_config_set_requirements(struct crypt_device *cd, struct luks2_hdr *hdr
 int LUKS2_unmet_requirements(struct crypt_device *cd, struct luks2_hdr *hdr, uint32_t reqs_mask, int quiet);
 char *LUKS2_key_description_by_digest(struct crypt_device *cd, int digest);
 int LUKS2_key_description_by_segment(struct crypt_device *cd,
 		struct luks2_hdr *hdr, struct volume_key *vk, int segment);
 int LUKS2_volume_key_load_in_keyring_by_keyslot(struct crypt_device *cd,
@@ -596,16 +577,6 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd,
 /*
 * LUKS2 reencryption
 */
 int LUKS2_verify_and_upload_keys(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	int digest_old,
 	int digest_new,
 	struct volume_key *vks);
 int LUKS2_reenc_update_segments(struct crypt_device *cd,
 		struct luks2_hdr *hdr,
 		struct luks2_reenc_context *rh);
 int LUKS2_reencrypt_locked_recovery_by_passphrase(struct crypt_device *cd,
 	int keyslot_old,
 	int keyslot_new,
--- a/lib/luks2/luks2_digest.c
+++ b/lib/luks2/luks2_digest.c
@@ -28,7 +28,7 @@ static const digest_handler *digest_handlers[LUKS2_DIGEST_MAX] = {
 	NULL
 };
-const digest_handler *LUKS2_digest_handler_type(struct crypt_device *cd, const char *type)
+static const digest_handler *LUKS2_digest_handler_type(struct crypt_device *cd, const char *type)
 {
 	int i;
@@ -415,11 +415,6 @@ static char *get_key_description_by_digest(struct crypt_device *cd, int digest)
 	return desc;
 }
 char *LUKS2_key_description_by_digest(struct crypt_device *cd, int digest)
 {
 	return get_key_description_by_digest(cd, digest);
 }
 int LUKS2_key_description_by_segment(struct crypt_device *cd,
 		struct luks2_hdr *hdr, struct volume_key *vk, int segment)
 {
--- a/lib/luks2/luks2_disk_metadata.c
+++ b/lib/luks2/luks2_disk_metadata.c
@@ -26,7 +26,7 @@
 /*
 * Helper functions
 */
-json_object *parse_json_len(struct crypt_device *cd, const char *json_area,
+static json_object *parse_json_len(struct crypt_device *cd, const char *json_area,
 			    uint64_t max_length, int *json_len)
 {
 	json_object *jobj;
--- a/lib/luks2/luks2_internal.h
+++ b/lib/luks2/luks2_internal.h
@@ -59,8 +59,6 @@ json_object *LUKS2_get_segments_jobj(struct luks2_hdr *hdr);
 void hexprint_base64(struct crypt_device *cd, json_object *jobj,
 		     const char *sep, const char *line_sep);
 json_object *parse_json_len(struct crypt_device *cd, const char *json_area,
 			    uint64_t max_length, int *json_len);
 uint64_t json_object_get_uint64(json_object *jobj);
 uint32_t json_object_get_uint32(json_object *jobj);
 json_object *json_object_new_uint64(uint64_t value);
@@ -81,8 +79,6 @@ json_object *json_contains(struct crypt_device *cd, json_object *jobj, const cha
 			   const char *section, const char *key, json_type type);
 int LUKS2_hdr_validate(struct crypt_device *cd, json_object *hdr_jobj, uint64_t json_size);
 int LUKS2_keyslot_validate(struct crypt_device *cd, json_object *hdr_jobj,
 			   json_object *hdr_keyslot, const char *key);
 int LUKS2_check_json_size(struct crypt_device *cd, const struct luks2_hdr *hdr);
 int LUKS2_token_validate(struct crypt_device *cd, json_object *hdr_jobj,
 			 json_object *jobj_token, const char *key);
@@ -167,8 +163,6 @@ typedef struct  {
 	digest_dump_func   dump;
 } digest_handler;
 const digest_handler *LUKS2_digest_handler_type(struct crypt_device *cd, const char *type);
 /**
 * LUKS2 token handlers (internal use only)
 */
--- a/lib/luks2/luks2_json_metadata.c
+++ b/lib/luks2/luks2_json_metadata.c
@@ -169,6 +169,16 @@ json_object *LUKS2_get_digest_jobj(struct luks2_hdr *hdr, int digest)
 	return jobj2;
 }
 static json_object *json_get_segments_jobj(json_object *hdr_jobj)
 {
 	json_object *jobj_segments;
 	if (!hdr_jobj || !json_object_object_get_ex(hdr_jobj, "segments", &jobj_segments))
 		return NULL;
 	return jobj_segments;
 }
 json_object *LUKS2_get_segment_jobj(struct luks2_hdr *hdr, int segment)
 {
 	if (!hdr)
@@ -393,7 +403,7 @@ static json_bool validate_intervals(struct crypt_device *cd,
 	return TRUE;
 }
-int LUKS2_keyslot_validate(struct crypt_device *cd, json_object *hdr_jobj, json_object *hdr_keyslot, const char *key)
+static int LUKS2_keyslot_validate(struct crypt_device *cd, json_object *hdr_jobj, json_object *hdr_keyslot, const char *key)
 {
 	json_object *jobj_key_size;
--- a/lib/luks2/luks2_keyslot.c
+++ b/lib/luks2/luks2_keyslot.c
@@ -928,24 +928,3 @@ int LUKS2_find_keyslot(struct luks2_hdr *hdr, const char *type)
 	return -ENOENT;
 }
 int LUKS2_find_keyslot_for_segment(struct luks2_hdr *hdr, int segment, const char *type)
 {
 	int i;
 	json_object *jobj_keyslot, *jobj_type;
 	for (i = 0; i < LUKS2_KEYSLOTS_MAX; i++) {
 		jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, i);
 		if (!jobj_keyslot)
 			continue;
 		json_object_object_get_ex(jobj_keyslot, "type", &jobj_type);
 		if (strcmp(json_object_get_string(jobj_type), type))
 			continue;
 		if (!LUKS2_keyslot_for_segment(hdr, i, segment))
 			return i;
 	}
 	return -EINVAL;
 }
--- a/lib/luks2/luks2_reencrypt.c
+++ b/lib/luks2/luks2_reencrypt.c
@@ -107,7 +107,7 @@ int LUKS2_reencrypt_digest_old(struct luks2_hdr *hdr)
 }
 /* none, checksums, journal or shift */
-const char *LUKS2_reencrypt_protection_type(struct luks2_hdr *hdr)
+static const char *reencrypt_resilience_type(struct luks2_hdr *hdr)
 {
 	json_object *jobj_keyslot, *jobj_area, *jobj_type;
 	int ks = LUKS2_find_keyslot(hdr, "reencrypt");
@@ -124,7 +124,7 @@ const char *LUKS2_reencrypt_protection_type(struct luks2_hdr *hdr)
 	return json_object_get_string(jobj_type);
 }
-const char *LUKS2_reencrypt_protection_hash(struct luks2_hdr *hdr)
+static const char *reencrypt_resilience_hash(struct luks2_hdr *hdr)
 {
 	json_object *jobj_keyslot, *jobj_area, *jobj_type, *jobj_hash;
 	int ks = LUKS2_find_keyslot(hdr, "reencrypt");
@@ -561,7 +561,7 @@ static int reencrypt_make_post_segments(struct crypt_device *cd,
 	return rh->jobj_segs_post ? 0 : -EINVAL;
 }
-uint64_t LUKS2_reencrypt_data_shift(struct luks2_hdr *hdr)
+static uint64_t reencrypt_data_shift(struct luks2_hdr *hdr)
 {
 	json_object *jobj_keyslot, *jobj_area, *jobj_data_shift;
 	int ks = LUKS2_find_keyslot(hdr, "reencrypt");
@@ -578,7 +578,7 @@ uint64_t LUKS2_reencrypt_data_shift(struct luks2_hdr *hdr)
 	return json_object_get_uint64(jobj_data_shift);
 }
-crypt_reencrypt_mode_info LUKS2_reencrypt_mode(struct luks2_hdr *hdr)
+static crypt_reencrypt_mode_info reencrypt_mode(struct luks2_hdr *hdr)
 {
 	const char *mode;
 	crypt_reencrypt_mode_info mi = CRYPT_REENCRYPT_REENCRYPT;
@@ -600,7 +600,7 @@ crypt_reencrypt_mode_info LUKS2_reencrypt_mode(struct luks2_hdr *hdr)
 	return mi;
 }
-crypt_reencrypt_direction_info LUKS2_reencrypt_direction(struct luks2_hdr *hdr)
+static crypt_reencrypt_direction_info reencrypt_direction(struct luks2_hdr *hdr)
 {
 	const char *value;
 	json_object *jobj_keyslot, *jobj_mode;
@@ -792,7 +792,7 @@ static int reencrypt_offset(struct luks2_hdr *hdr,
 {
 	int sg;
 	json_object *jobj_segments;
-	uint64_t data_shift = LUKS2_reencrypt_data_shift(hdr);
+	uint64_t data_shift = reencrypt_data_shift(hdr);
 	if (!offset)
 		return -EINVAL;
@@ -808,7 +808,7 @@ static int reencrypt_offset(struct luks2_hdr *hdr,
 	if (di == CRYPT_REENCRYPT_FORWARD)
 		return _offset_forward(hdr, jobj_segments, offset);
 	else if (di == CRYPT_REENCRYPT_BACKWARD) {
-		if (LUKS2_reencrypt_mode(hdr) == CRYPT_REENCRYPT_ENCRYPT &&
+		if (reencrypt_mode(hdr) == CRYPT_REENCRYPT_ENCRYPT &&
 		    LUKS2_get_segment_id_by_flag(hdr, "backup-moved-segment") >= 0)
 			return reencrypt_offset_backward_moved(hdr, jobj_segments, reencrypt_length, data_shift, offset);
 		return _offset_backward(hdr, jobj_segments, device_size, reencrypt_length, offset);
@@ -826,7 +826,7 @@ static uint64_t reencrypt_length(struct luks2_hdr *hdr, struct luks2_reenc_conte
 	else if (rh->rp.type == REENC_PROTECTION_CHECKSUM)
 		length = (keyslot_area_length / rh->rp.p.csum.hash_size) * rh->alignment;
 	else if (rh->rp.type == REENC_PROTECTION_DATASHIFT)
-		return LUKS2_reencrypt_data_shift(hdr);
+		return reencrypt_data_shift(hdr);
 	else
 		length = keyslot_area_length;
@@ -849,7 +849,7 @@ static int reencrypt_context_init(struct crypt_device *cd, struct luks2_hdr *hdr
 	if (LUKS2_keyslot_area(hdr, rh->reenc_keyslot, &dummy, &area_length) < 0)
 		return -EINVAL;
-	rh->mode = LUKS2_reencrypt_mode(hdr);
+	rh->mode = reencrypt_mode(hdr);
 	rh->alignment = reencrypt_get_alignment(cd, hdr);
 	if (!rh->alignment)
@@ -869,12 +869,12 @@ static int reencrypt_context_init(struct crypt_device *cd, struct luks2_hdr *hdr
 		return -EINVAL;
 	}
-	rh->direction = LUKS2_reencrypt_direction(hdr);
+	rh->direction = reencrypt_direction(hdr);
 	if (!strcmp(params->resilience, "datashift")) {
 		log_dbg(cd, "Initializaing reencryption context with data_shift resilience.");
 		rh->rp.type = REENC_PROTECTION_DATASHIFT;
-		rh->data_shift = LUKS2_reencrypt_data_shift(hdr);
+		rh->data_shift = reencrypt_data_shift(hdr);
 	} else if (!strcmp(params->resilience, "journal")) {
 		log_dbg(cd, "Initializaing reencryption context with journal resilience.");
 		rh->rp.type = REENC_PROTECTION_JOURNAL;
@@ -968,8 +968,8 @@ static int reencrypt_load_clean(struct crypt_device *cd,
 {
 	int r;
 	const struct crypt_params_reencrypt hdr_reenc_params = {
-		.resilience = LUKS2_reencrypt_protection_type(hdr),
+		.resilience = reencrypt_resilience_type(hdr),
-		.hash = LUKS2_reencrypt_protection_hash(hdr),
+		.hash = reencrypt_resilience_hash(hdr),
 		.device_size = params ? params->device_size : 0
 	};
 	struct luks2_reenc_context *tmp = crypt_zalloc(sizeof (*tmp));
@@ -2192,6 +2192,46 @@ err:
 	return r;
 }
 static int reencrypt_verify_and_upload_keys(struct crypt_device *cd, struct luks2_hdr *hdr, int digest_old, int digest_new, struct volume_key *vks)
 {
 	int r;
 	struct volume_key *vk;
 	if (digest_new >= 0) {
 		vk = crypt_volume_key_by_id(vks, digest_new);
 		if (!vk)
 			return -ENOENT;
 		else {
 			if (LUKS2_digest_verify_by_digest(cd, hdr, digest_new, vk) != digest_new)
 				return -EINVAL;
 			r = LUKS2_volume_key_load_in_keyring_by_digest(cd, hdr, vk, crypt_volume_key_get_id(vk));
 			if (r)
 				return r;
 		}
 	}
 	if (digest_old >= 0 && digest_old != digest_new) {
 		vk = crypt_volume_key_by_id(vks, digest_old);
 		if (!vk) {
 			r = -ENOENT;
 			goto err;
 		} else {
 			if (LUKS2_digest_verify_by_digest(cd, hdr, digest_old, vk) != digest_old) {
 				r = -EINVAL;
 				goto err;
 			}
 			r = LUKS2_volume_key_load_in_keyring_by_digest(cd, hdr, vk, crypt_volume_key_get_id(vk));
 			if (r)
 				goto err;
 		}
 	}
 	return 0;
 err:
 	crypt_drop_keyring_key(cd, vks);
 	return r;
 }
 /* This function must be called with metadata lock held */
 static int reencrypt_init(struct crypt_device *cd,
 		const char *name,
@@ -2317,7 +2357,7 @@ static int reencrypt_init(struct crypt_device *cd,
 		goto err;
 	if (name && params->mode != CRYPT_REENCRYPT_ENCRYPT) {
-		r = LUKS2_verify_and_upload_keys(cd, hdr, LUKS2_reencrypt_digest_old(hdr), LUKS2_reencrypt_digest_new(hdr), *vks);
+		r = reencrypt_verify_and_upload_keys(cd, hdr, LUKS2_reencrypt_digest_old(hdr), LUKS2_reencrypt_digest_new(hdr), *vks);
 		if (r)
 			goto err;
@@ -2443,46 +2483,6 @@ static int reencrypt_context_update(struct crypt_device *cd,
 	return 0;
 }
 int LUKS2_verify_and_upload_keys(struct crypt_device *cd, struct luks2_hdr *hdr, int digest_old, int digest_new, struct volume_key *vks)
 {
 	int r;
 	struct volume_key *vk;
 	if (digest_new >= 0) {
 		vk = crypt_volume_key_by_id(vks, digest_new);
 		if (!vk)
 			return -ENOENT;
 		else {
 			if (LUKS2_digest_verify_by_digest(cd, hdr, digest_new, vk) != digest_new)
 				return -EINVAL;
 			r = LUKS2_volume_key_load_in_keyring_by_digest(cd, hdr, vk, crypt_volume_key_get_id(vk));
 			if (r)
 				return r;
 		}
 	}
 	if (digest_old >= 0 && digest_old != digest_new) {
 		vk = crypt_volume_key_by_id(vks, digest_old);
 		if (!vk) {
 			r = -ENOENT;
 			goto err;
 		} else {
 			if (LUKS2_digest_verify_by_digest(cd, hdr, digest_old, vk) != digest_old) {
 				r = -EINVAL;
 				goto err;
 			}
 			r = LUKS2_volume_key_load_in_keyring_by_digest(cd, hdr, vk, crypt_volume_key_get_id(vk));
 			if (r)
 				goto err;
 		}
 	}
 	return 0;
 err:
 	crypt_drop_keyring_key(cd, vks);
 	return r;
 }
 static int reencrypt_load(struct crypt_device *cd, struct luks2_hdr *hdr,
 		uint64_t device_size,
 		const struct crypt_params_reencrypt *params,
@@ -2656,13 +2656,13 @@ static int reencrypt_load_by_passphrase(struct crypt_device *cd,
 	old_ss = reencrypt_get_sector_size_old(hdr);
 	new_ss = reencrypt_get_sector_size_new(hdr);
-	r = LUKS2_verify_and_upload_keys(cd, hdr, LUKS2_reencrypt_digest_old(hdr), LUKS2_reencrypt_digest_new(hdr), *vks);
+	r = reencrypt_verify_and_upload_keys(cd, hdr, LUKS2_reencrypt_digest_old(hdr), LUKS2_reencrypt_digest_new(hdr), *vks);
 	if (r == -ENOENT) {
 		log_dbg(cd, "Keys are not ready. Unlocking all volume keys.");
 		r = LUKS2_keyslot_open_all_segments(cd, keyslot_old, keyslot_new, passphrase, passphrase_size, vks);
 		if (r < 0)
 			goto err;
-		r = LUKS2_verify_and_upload_keys(cd, hdr, LUKS2_reencrypt_digest_old(hdr), LUKS2_reencrypt_digest_new(hdr), *vks);
+		r = reencrypt_verify_and_upload_keys(cd, hdr, LUKS2_reencrypt_digest_old(hdr), LUKS2_reencrypt_digest_new(hdr), *vks);
 	}
 	if (r < 0)
@@ -3263,8 +3263,8 @@ int LUKS2_reencrypt_data_offset(struct luks2_hdr *hdr, bool blockwise)
 {
 	uint64_t data_offset = LUKS2_get_data_offset(hdr);
-	if (LUKS2_reencrypt_direction(hdr) == CRYPT_REENCRYPT_FORWARD)
+	if (reencrypt_direction(hdr) == CRYPT_REENCRYPT_FORWARD)
-		data_offset += LUKS2_reencrypt_data_shift(hdr) >> SECTOR_SHIFT;
+		data_offset += reencrypt_data_shift(hdr) >> SECTOR_SHIFT;
 	return blockwise ? data_offset : data_offset << SECTOR_SHIFT;
 }
@@ -3275,9 +3275,9 @@ int luks2_check_device_size(struct crypt_device *cd, struct luks2_hdr *hdr, uint
 	int r;
 	uint64_t data_offset, real_size = 0;
-	if (LUKS2_reencrypt_direction(hdr) == CRYPT_REENCRYPT_BACKWARD &&
+	if (reencrypt_direction(hdr) == CRYPT_REENCRYPT_BACKWARD &&
 	    (LUKS2_get_segment_by_flag(hdr, "backup-moved-segment") || dynamic))
-		check_size += LUKS2_reencrypt_data_shift(hdr);
+		check_size += reencrypt_data_shift(hdr);
 	r = device_check_access(cd, crypt_data_device(cd), activation ? DEV_EXCL : DEV_OK);
 	if (r)
@@ -3366,11 +3366,11 @@ crypt_reencrypt_info LUKS2_reencrypt_status(struct crypt_device *cd, struct cryp
 	if (ri == CRYPT_REENCRYPT_NONE || ri == CRYPT_REENCRYPT_INVALID || !params)
 		return ri;
-	params->mode = LUKS2_reencrypt_mode(hdr);
+	params->mode = reencrypt_mode(hdr);
-	params->direction = LUKS2_reencrypt_direction(hdr);
+	params->direction = reencrypt_direction(hdr);
-	params->resilience = LUKS2_reencrypt_protection_type(hdr);
+	params->resilience = reencrypt_resilience_type(hdr);
-	params->hash = LUKS2_reencrypt_protection_hash(hdr);
+	params->hash = reencrypt_resilience_hash(hdr);
-	params->data_shift = LUKS2_reencrypt_data_shift(hdr) >> SECTOR_SHIFT;
+	params->data_shift = reencrypt_data_shift(hdr) >> SECTOR_SHIFT;
 	params->max_hotzone_size = 0;
 	if (LUKS2_get_segment_id_by_flag(hdr, "backup-moved-segment") >= 0)
 		params->flags |= CRYPT_REENCRYPT_MOVE_FIRST_SEGMENT;
--- a/lib/luks2/luks2_segment.c
+++ b/lib/luks2/luks2_segment.c
@@ -21,16 +21,6 @@
 #include "luks2_internal.h"
 json_object *json_get_segments_jobj(json_object *hdr_jobj)
 {
 	json_object *jobj_segments;
 	if (!hdr_jobj || !json_object_object_get_ex(hdr_jobj, "segments", &jobj_segments))
 		return NULL;
 	return jobj_segments;
 }
 /* use only on already validated 'segments' object */
 uint64_t json_segments_get_minimal_offset(json_object *jobj_segments, unsigned blockwise)
 {
@@ -124,7 +114,7 @@ int json_segment_get_sector_size(json_object *jobj_segment)
 	return json_object_get_int(jobj);
 }
-json_object *json_segment_get_flags(json_object *jobj_segment)
+static json_object *json_segment_get_flags(json_object *jobj_segment)
 {
 	json_object *jobj;
@@ -159,11 +149,6 @@ bool json_segment_is_backup(json_object *jobj_segment)
 	return json_segment_contains_flag(jobj_segment, "backup-", 7);
 }
 bool json_segment_is_reencrypt(json_object *jobj_segment)
 {
 	return json_segment_contains_flag(jobj_segment, "in-reencryption", 0);
 }
 json_object *json_segments_get_segment(json_object *jobj_segments, int segment)
 {
 	json_object *jobj;
@@ -215,16 +200,6 @@ static void _get_segment_or_id_by_flag(json_object *jobj_segments, const char *f
 	}
 }
 json_object *json_segments_get_segment_by_flag(json_object *jobj_segments, const char *flag)
 {
 	json_object *jobj_segment = NULL;
 	if (jobj_segments)
 		_get_segment_or_id_by_flag(jobj_segments, flag, 0, &jobj_segment);
 	return jobj_segment;
 }
 void json_segment_remove_flag(json_object *jobj_segment, const char *flag)
 {
 	json_object *jobj_flags, *jobj_flags_new;
@@ -435,20 +410,3 @@ json_object *LUKS2_get_segment_by_flag(struct luks2_hdr *hdr, const char *flag)
 	return jobj_segment;
 }
 json_object *LUKS2_get_ignored_segments(struct luks2_hdr *hdr)
 {
 	json_object *jobj_segments, *jobj = json_object_new_object();
 	int i = 0;
 	if (!jobj || !json_object_object_get_ex(hdr->jobj, "segments", &jobj_segments))
 		return NULL;
 	json_object_object_foreach(jobj_segments, key, value) {
 		UNUSED(key);
 		if (json_segment_is_backup(value))
 			json_object_object_add_by_uint(jobj, i++, json_object_get(value));
 	}
 	return jobj;
 }