Allocate internal buffer in LUKS2 keyring token with crypt_safe_alloc.

With changes in db65a5ceac and subsequent drop of library memlock_all we should lock keyring key material buffer in memory system memory as well.
2025-12-05 16:00:05 +01:00 · 2022-11-10 16:44:09 +01:00
parent dab00bfd4f
commit cdfa213ad0
5 changed files with 11 additions and 6 deletions
--- a/lib/luks2/luks2_internal.h
+++ b/lib/luks2/luks2_internal.h
@@ -189,6 +189,8 @@ void keyring_dump(struct crypt_device *cd, const char *json);

 int keyring_validate(struct crypt_device *cd, const char *json);

+void keyring_buffer_free(void *buffer, size_t buffer_size);
+
 struct crypt_token_handler_v2 {
 	const char *name;
 	crypt_token_open_func open;
--- a/lib/luks2/luks2_token.c
+++ b/lib/luks2/luks2_token.c
@@ -37,6 +37,7 @@ static struct crypt_token_handler_internal token_handlers[LUKS2_TOKENS_MAX] = {
 	  .u = {
 		  .v1 = { .name = LUKS2_TOKEN_KEYRING,
 			  .open = keyring_open,
+			  .buffer_free = keyring_buffer_free,
 			  .validate = keyring_validate,
 			  .dump = keyring_dump }
 	       }
--- a/lib/luks2/luks2_token_keyring.c
+++ b/lib/luks2/luks2_token_keyring.c
@@ -137,3 +137,8 @@ int LUKS2_token_keyring_get(struct luks2_hdr *hdr,

 	return token;
 }
+
+void keyring_buffer_free(void *buffer, size_t buffer_len __attribute__((unused)))
+{
+	crypt_safe_free(buffer);
+}