diff --git a/lib/libcryptsetup.h b/lib/libcryptsetup.h index 20e8de99..fc43e02d 100644 --- a/lib/libcryptsetup.h +++ b/lib/libcryptsetup.h @@ -1624,13 +1624,23 @@ int crypt_persistent_flags_get(struct crypt_device *cd, */ /** - * Activate device or check using keyslot context. + * Activate device or check using keyslot context. In some cases (device under + * reencryption), more than one keyslot context is required (e.g. one for the old + * volume key and one for the new volume key). The order of the keyslot + * contexts does not matter. When less keyslot contexts are supplied than + * required to unlock the device an -EPERM/-ENOKEY/TODO error code is returned + * and you should call the function again with more keyslot contexts. + * + * NOTE: the API at the moment works for one keyslot context only, the second + * keyslot context is just an API placeholder * * @param cd crypt device handle * @param name name of device to create, if @e NULL only check passphrase * @param keyslot requested keyslot to check or @e CRYPT_ANY_SLOT, keyslot is * ignored for unlock methods not based on passphrase * @param kc keyslot context providing volume key or passphrase. + * @param additional_kc keyslot context providing additional volume key or + * passphrase (e.g. old volume key for device under reencryption). * @param flags activation flags * * @return unlocked key slot number for passphrase-based unlock, zero for other @@ -1640,6 +1650,8 @@ int crypt_activate_by_keyslot_context(struct crypt_device *cd, const char *name, int keyslot, struct crypt_keyslot_context *kc, + int additional_keyslot, + struct crypt_keyslot_context *additional_kc, uint32_t flags); /** 
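Review bot: The new description of crypt_activate_by_keyslot_context leaves the error contract open (`-EPERM/-ENOKEY/TODO error code`), so a caller cannot distinguish "wrong key" from "supply another keyslot context" and has no defined value to retry on. Pick one code and state it, and keep it consistent with the crypt_set_keyring_to_link text in the @@ -3088 hunk, which documents -EAGAIN for the same "fewer keys than required" case. The comment also adds `@param additional_kc` but nothing for the `additional_keyslot` argument that the prototype gains in the next hunk. Assuming it mirrors `keyslot`, a line such as `@param additional_keyslot requested keyslot for additional_kc or @e CRYPT_ANY_SLOT` would close that gap. The comment block continues outside the hunk.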
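Review bot: The two new arguments are inserted before `flags` in an exported prototype, which changes the call signature for every existing user of crypt_activate_by_keyslot_context rather than extending it; the same applies to crypt_set_keyring_to_link in the @@ -3105 hunk. Whether either function has already shipped in a released libcryptsetup is not visible from this diff. If one has, a binary built against the old header would pass its arguments in shifted positions (here `flags` would be read as `additional_keyslot`), with no diagnostic. In that case a new function name or a versioned symbol for the extended form would keep old callers working. The declaration starts outside the hunk.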
@@ -3088,8 +3100,25 @@ void crypt_safe_memzero(void *data, size_t size); /** * Link the volume key to the specified kernel keyring. * + * The volume can have one or two keys. Normally, the device has one key. + * However if reencryption was started and not finished yet, the volume will + * have two volume keys (the new VK for the already reencrypted segment and old + * VK for the not yet reencrypted segment). + * + * The @link old_key_description @endlink this argument is required only for + * devices that are in re-encryption and have two volume keys at the same time + * (old and new). You can set the @link old_key_description @endlink to NULL, + * but if you supply number of keys less than required, the function will + * return -EAGAIN. In that case you need to call the function again and set + * the missing key description. When supplying just one key description, make + * sure to supply it in the @link key_description @endlink + * + * NOTE: the API at the moment works for one key description only, the second + * name is just an API placeholder + * * @param cd crypt device handle - * @param key_description the key description of volume key linked in desired keyring. + * @param key_description the key description of the volume key linked in desired keyring. + * @param old_key_description the key description of the old volume key linked in desired keyring (for devices in re-encryption). * @param key_type the key type used for the volume key. Currently only "user" and "logon" types are * supported. if @e NULL is specified the default "user" type is applied. * @param keyring_to_link_vk the keyring description of the keyring in which volume key should 
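Review bot: The added paragraph marks parameter names with `@link old_key_description @endlink` and `@link key_description @endlink`, but `@link` refers to documented entities, so Doxygen will likely report an unresolved link; `@p old_key_description` (or the `@e` form this header already uses) is the usual markup for an argument. The opening sentence also has a leftover word and would read better as `@p old_key_description is required only for devices that are in re-encryption`. Because the NOTE says the second name is only a placeholder, the -EAGAIN behaviour described just above it is not yet something a caller can observe, and saying so next to the -EAGAIN sentence would keep the documented contract accurate. The comment block continues past the end of the hunk.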
@@ -3105,7 +3134,7 @@ void crypt_safe_memzero(void *data, size_t size); * @note key_description "%:" prefixes are ignored. Type is applied based on key_type parameter * value. */ -int crypt_set_keyring_to_link(struct crypt_device *cd, const char *key_description, +int crypt_set_keyring_to_link(struct crypt_device *cd, const char *key_description, const char *old_key_description, const char *key_type_desc, const char *keyring_to_link_vk); /** @} */ diff --git a/lib/setup.c b/lib/setup.c index 8e46bcf4..f4c3db7e 100644 --- a/lib/setup.c +++ b/lib/setup.c @@ -5391,9 +5391,11 @@ static int _activate_by_volume_key(struct crypt_device *cd, } int crypt_activate_by_keyslot_context(struct crypt_device *cd, - const char *name, +const char *name, int keyslot, struct crypt_keyslot_context *kc, + int additional_keyslot, + struct crypt_keyslot_context *additional_kc, uint32_t flags) { bool use_keyring; @@ -5404,6 +5406,9 @@ int crypt_activate_by_keyslot_context(struct crypt_device *cd, int unlocked_keyslot, r = -EINVAL; key_serial_t user_vk_kid = 0; + UNUSED(additional_keyslot); + UNUSED(additional_kc); + log_dbg(cd, "%s volume %s [keyslot %d] using %s.", name ? "Activating" : "Checking", name ?: "passphrase", keyslot, keyslot_context_type_string(kc)); @@ -5582,7 +5587,7 @@ int crypt_activate_by_passphrase(struct crypt_device *cd, struct crypt_keyslot_context kc; crypt_keyslot_unlock_by_passphrase_init_internal(&kc, passphrase, passphrase_size); - r = crypt_activate_by_keyslot_context(cd, name, keyslot, &kc, flags); + r = crypt_activate_by_keyslot_context(cd, name, keyslot, &kc, CRYPT_ANY_SLOT, NULL, flags); crypt_keyslot_context_destroy_internal(&kc); return r; 
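Review bot: The `const char *name,` line in the definition is removed and re-added apparently only to drop its leading indentation, leaving it at column 0 while the neighbouring parameter lines stay indented (this is read from the flattened diff, so confirm against the file). Keeping the original line untouched avoids an unrelated whitespace change in an API-changing commit. The function body continues outside the hunk.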
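Review bot: `UNUSED(additional_keyslot); UNUSED(additional_kc);` makes the function accept and silently discard a second keyslot context, so a caller that supplies one gets the same success code as if it had been checked. Until the second context is implemented, rejecting it up front is safer: `if (additional_kc) return -EINVAL;` (or whichever code the header settles on), placed before the log_dbg call. crypt_set_keyring_to_link in the @@ -7556 hunk has the same pattern with `UNUSED(old_key_description)`. There the existing argument check could also refuse `old_key_description` when `key_description` is NULL, which the new header text already asks callers to avoid. Both function bodies continue outside their hunks.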
@@ -5600,7 +5605,7 @@ int crypt_activate_by_keyfile_device_offset(struct crypt_device *cd, struct crypt_keyslot_context kc; crypt_keyslot_unlock_by_keyfile_init_internal(&kc, keyfile, keyfile_size, keyfile_offset); - r = crypt_activate_by_keyslot_context(cd, name, keyslot, &kc, flags); + r = crypt_activate_by_keyslot_context(cd, name, keyslot, &kc, CRYPT_ANY_SLOT, NULL, flags); crypt_keyslot_context_destroy_internal(&kc); return r; @@ -5639,7 +5644,7 @@ int crypt_activate_by_volume_key(struct crypt_device *cd, struct crypt_keyslot_context kc; crypt_keyslot_unlock_by_key_init_internal(&kc, volume_key, volume_key_size); - r = crypt_activate_by_keyslot_context(cd, name, CRYPT_ANY_SLOT /* unused */, &kc, flags); + r = crypt_activate_by_keyslot_context(cd, name, CRYPT_ANY_SLOT /* unused */, &kc, CRYPT_ANY_SLOT, NULL, flags); crypt_keyslot_context_destroy_internal(&kc); return r; @@ -5669,7 +5674,7 @@ int crypt_activate_by_signed_key(struct crypt_device *cd, signature, signature_size); else crypt_keyslot_unlock_by_key_init_internal(&kc, volume_key, volume_key_size); - r = crypt_activate_by_keyslot_context(cd, name, -2 /* unused */, &kc, flags); + r = crypt_activate_by_keyslot_context(cd, name, -2 /* unused */, &kc, CRYPT_ANY_SLOT, NULL, flags); crypt_keyslot_context_destroy_internal(&kc); return r; @@ -6872,7 +6877,7 @@ int crypt_activate_by_token_pin(struct crypt_device *cd, const char *name, struct crypt_keyslot_context kc; crypt_keyslot_unlock_by_token_init_internal(&kc, token, type, pin, pin_size, usrptr); - r = crypt_activate_by_keyslot_context(cd, name, CRYPT_ANY_SLOT, &kc, flags); + r = crypt_activate_by_keyslot_context(cd, name, CRYPT_ANY_SLOT, &kc, CRYPT_ANY_SLOT, NULL, flags); crypt_keyslot_context_destroy_internal(&kc); return r; 
@@ -7556,18 +7561,21 @@ void crypt_drop_keyring_key_by_description(struct crypt_device *cd, const char * } int crypt_set_keyring_to_link(struct crypt_device *cd, const char *key_description, - const char *key_type_description, const char *keyring_to_link_vk) + const char *old_key_description, + const char *key_type_desc, const char *keyring_to_link_vk) { key_type_t key_type = USER_KEY; const char *name = NULL; int32_t id = 0; + UNUSED(old_key_description); + if (!cd || (!key_description && keyring_to_link_vk) || (key_description && !keyring_to_link_vk)) return -EINVAL; - if (key_type_description) - key_type = key_type_by_name(key_type_description); + if (key_type_desc) + key_type = key_type_by_name(key_type_desc); if (key_type != LOGON_KEY && key_type != USER_KEY) return -EINVAL; @@ -7616,7 +7624,7 @@ int crypt_activate_by_keyring(struct crypt_device *cd, return -EINVAL; crypt_keyslot_unlock_by_keyring_internal(&kc, key_description); - r = crypt_activate_by_keyslot_context(cd, name, keyslot, &kc, flags); + r = crypt_activate_by_keyslot_context(cd, name, keyslot, &kc, CRYPT_ANY_SLOT, NULL, flags); crypt_keyslot_context_destroy_internal(&kc); return r; diff --git a/src/cryptsetup.c b/src/cryptsetup.c index d12776be..cbe28a1d 100644 --- a/src/cryptsetup.c +++ b/src/cryptsetup.c @@ -113,7 +113,7 @@ static int _try_token_unlock(struct crypt_device *cd, return r; if (activation) - r = crypt_activate_by_keyslot_context(cd, activated_name, keyslot, kc, activate_flags); + r = crypt_activate_by_keyslot_context(cd, activated_name, keyslot, kc, CRYPT_ANY_SLOT, NULL, activate_flags); else r = crypt_resume_by_keyslot_context(cd, activated_name, keyslot, kc); @@ -147,7 +147,7 @@ static int _try_token_unlock(struct crypt_device *cd, if (activation) r = crypt_activate_by_keyslot_context(cd, activated_name, keyslot, - kc, activate_flags); + kc, CRYPT_ANY_SLOT, NULL, activate_flags); else r = crypt_resume_by_keyslot_context(cd, activated_name, keyslot, kc); 
@@ -1759,7 +1759,7 @@ static int parse_vk_and_keyring_description( goto out; } - r = crypt_set_keyring_to_link(cd, key_part, type_part, keyring_part); + r = crypt_set_keyring_to_link(cd, key_part, NULL, type_part, keyring_part); out: if (r == -EINVAL) log_err(_("Invalid --link-vk-to-keyring value.")); @@ -1854,7 +1854,7 @@ static int action_open_luks(void) r = crypt_keyslot_context_init_by_vk_in_keyring(cd, vk_description_activation, &kc); if (r) goto out; - r = crypt_activate_by_keyslot_context(cd, activated_name, CRYPT_ANY_SLOT, kc, activate_flags); + r = crypt_activate_by_keyslot_context(cd, activated_name, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, activate_flags); if (r) goto out; } else { diff --git a/tests/api-test-2.c b/tests/api-test-2.c index 32852da3..e0c94eab 100644 --- a/tests/api-test-2.c +++ b/tests/api-test-2.c 
@@ -2322,14 +2322,14 @@ static void Tokens(void) */ OK_(crypt_keyslot_context_init_by_token(cd, 0, NULL, NULL, 0, NULL, &kc)); - EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, 0), 1); - EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY), 6); - EQ_(crypt_activate_by_keyslot_context(cd, NULL, 7, kc, CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY), -ENOENT); - EQ_(crypt_activate_by_keyslot_context(cd, NULL, 5, kc, CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY), -EPERM); + EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 1); + EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY), 6); + EQ_(crypt_activate_by_keyslot_context(cd, NULL, 7, kc, CRYPT_ANY_SLOT, NULL, CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY), -ENOENT); + EQ_(crypt_activate_by_keyslot_context(cd, NULL, 5, kc, CRYPT_ANY_SLOT, NULL, CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY), -EPERM); crypt_keyslot_context_free(kc); OK_(crypt_keyslot_context_init_by_token(cd, CRYPT_ANY_TOKEN, NULL, NULL, 0, NULL, &kc)); - EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, 0), 5); + EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 5); crypt_keyslot_context_free(kc); CRYPT_FREE(cd); 
@@ -5241,52 +5241,52 @@ static void KeyslotContextAndKeyringLink(void) // test passphrase OK_(crypt_keyslot_context_init_by_passphrase(cd, PASSPHRASE, strlen(PASSPHRASE), &kc)); - EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, 0), 0); + EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0); crypt_keyslot_context_free(kc); OK_(crypt_keyslot_context_init_by_passphrase(cd, KEY1, strlen(KEY1), &kc)); - EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, 0), 1); + EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 1); crypt_keyslot_context_free(kc); OK_(crypt_keyslot_context_init_by_volume_key(cd, key, key_size, &kc)); - EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, 0), 0); + EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0); crypt_keyslot_context_free(kc); OK_(prepare_keyfile(KEYFILE1, KEY1, strlen(KEY1))); OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &kc)); - EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, 0), 1); + EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 1); crypt_keyslot_context_free(kc); OK_(crypt_keyslot_context_init_by_keyring(cd, KEY_DESC_TEST0, &kc)); - EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, 0), 0); + EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0); crypt_keyslot_context_free(kc); // test activation OK_(crypt_keyslot_context_init_by_passphrase(cd, PASSPHRASE, strlen(PASSPHRASE), &kc)); - EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, 0), 0); - FAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, 0), "already active"); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0); + 
FAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), "already active"); OK_(crypt_deactivate(cd, CDEVICE_1)); crypt_keyslot_context_free(kc); OK_(crypt_keyslot_context_init_by_volume_key(cd, key, key_size, &kc)); - EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, 0), 0); - FAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, 0), "already active"); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0); + FAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), "already active"); OK_(crypt_deactivate(cd, CDEVICE_1)); crypt_keyslot_context_free(kc); OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &kc)); - EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, 0), 1); - FAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, 0), "already active"); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 1); + FAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), "already active"); OK_(crypt_deactivate(cd, CDEVICE_1)); crypt_keyslot_context_free(kc); OK_(crypt_keyslot_context_init_by_keyring(cd, KEY_DESC_TEST0, &kc)); - EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, 0), 0); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0); OK_(crypt_deactivate(cd, CDEVICE_1)); crypt_keyslot_context_free(kc); // test linking to a custom keyring linked in user keyring - OK_(crypt_set_keyring_to_link(cd, TEST_KEY_VK_USER, "user", keyring_in_user_str_id /* TEST_KEYRING_USER_NAME */)); + OK_(crypt_set_keyring_to_link(cd, TEST_KEY_VK_USER, NULL, "user", keyring_in_user_str_id /* TEST_KEYRING_USER_NAME */)); OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, 
strlen(PASSPHRASE), 0)); /* @@ -5302,7 +5302,7 @@ static void KeyslotContextAndKeyringLink(void) NOTFAIL_(keyctl_unlink(linked_kid, keyring_in_user_id), "VK was not linked to custom keyring after deactivation."); FAIL_(_kernel_key_by_segment_and_type(cd, 0, "logon"), "dm-crypt VK remain linked in thread keyring."); - OK_(crypt_set_keyring_to_link(cd, TEST_KEY_VK_LOGON, "logon", keyring_in_user_str_id /* TEST_KEYRING_USER_NAME */)); + OK_(crypt_set_keyring_to_link(cd, TEST_KEY_VK_LOGON, NULL, "logon", keyring_in_user_str_id /* TEST_KEYRING_USER_NAME */)); OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0)); NOTFAIL_((linked_kid = request_key("logon", TEST_KEY_VK_LOGON, NULL, 0)), "VK was not linked to custom keyring."); NOTFAIL_(_kernel_key_by_segment_and_type(cd, 0, "logon"), "dm-crypt VK was not uploaded in thread kernel keyring."); @@ -5310,7 +5310,7 @@ static void KeyslotContextAndKeyringLink(void) NOTFAIL_(keyctl_unlink(linked_kid, keyring_in_user_id), "VK was not linked to custom keyring after deactivation."); FAIL_(_kernel_key_by_segment_and_type(cd, 0, "logon"), "dm-crypt VK remain linked in thread keyring."); - OK_(crypt_set_keyring_to_link(cd, TEST_KEY_VK_LOGON, "logon", TEST_KEYRING_SESSION_NAME)); + OK_(crypt_set_keyring_to_link(cd, TEST_KEY_VK_LOGON, NULL, "logon", TEST_KEYRING_SESSION_NAME)); OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0)); NOTFAIL_((linked_kid = request_key("logon", TEST_KEY_VK_LOGON, NULL, 0)), "VK was not linked to custom keyring."); NOTFAIL_(_kernel_key_by_segment_and_type(cd, 0, "logon"), "dm-crypt VK was not uploaded in thread kernel keyring."); 
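Review bot: Every call updated in KeyslotContextAndKeyringLink passes `CRYPT_ANY_SLOT, NULL` for the new argument pair and `NULL` for old_key_description, so nothing in this hunk, or in the other test hunks of this file, exercises the added parameters. Even as placeholders their behaviour is now part of the API. One assertion with a non-NULL second context and one with a non-NULL old key description would pin whether they are ignored or rejected, e.g. `EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, kc, 0), <expected>);` with the expected value taken from the intended contract. The test function starts and ends outside the hunk.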
@@ -5327,7 +5327,7 @@ static void KeyslotContextAndKeyringLink(void) FAIL_(request_key("logon", TEST_KEY_VK_LOGON, NULL, 0), "VK was probably wrongly linked in yet another keyring "); // change key type to default (user) - OK_(crypt_set_keyring_to_link(cd, TEST_KEY_VK_USER, NULL, TEST_KEYRING_USER_NAME)); + OK_(crypt_set_keyring_to_link(cd, TEST_KEY_VK_USER, NULL, NULL, TEST_KEYRING_USER_NAME)); OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0)); NOTFAIL_((linked_kid = request_key("user", TEST_KEY_VK_USER, NULL, 0)), "VK was not linked to custom keyring after resetting key type."); OK_(crypt_deactivate(cd, CDEVICE_1)); @@ -5336,7 +5336,7 @@ static void KeyslotContextAndKeyringLink(void) FAIL_(request_key("user", TEST_KEY_VK_USER, NULL, 0), "VK was probably wrongly linked in yet another keyring "); // disable linking to session keyring - crypt_set_keyring_to_link(cd, NULL, NULL, NULL); + crypt_set_keyring_to_link(cd, NULL, NULL, NULL, NULL); OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0)); FAIL_(request_key("user", TEST_KEY_VK_USER, NULL, 0), "VK was probably wrongly linked in yet another keyring "); FAIL_(request_key("logon", TEST_KEY_VK_LOGON, NULL, 0), "VK was probably wrongly linked in yet another keyring "); 
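Review bot: The updated `crypt_set_keyring_to_link(cd, NULL, NULL, NULL, NULL);` call discards the return value, unlike the `OK_(...)`-wrapped calls around it; the same is true of the `crypt_set_keyring_to_link(cd, TEST_KEY_VK_USER, NULL, "user", TEST_KEYRING_SESSION_NAME);` calls in the @@ -5345 and @@ -5408 hunks. Now that the argument list has gained a NULL-able string in the middle, a mis-ordered argument in one of these calls would only show up as a later, less obvious assertion failure. Wrapping them, as in `OK_(crypt_set_keyring_to_link(cd, NULL, NULL, NULL, NULL));`, keeps the failure at the call site.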
@@ -5345,16 +5345,16 @@ static void KeyslotContextAndKeyringLink(void) FAIL_(_kernel_key_by_segment_and_type(cd, 0, "logon"), "failed to unlink the key from thread keyring"); // link VK to keyring and re-activate by the linked VK - crypt_set_keyring_to_link(cd, TEST_KEY_VK_USER, "user", TEST_KEYRING_SESSION_NAME); + crypt_set_keyring_to_link(cd, TEST_KEY_VK_USER, NULL, "user", TEST_KEYRING_SESSION_NAME); OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0)); OK_(crypt_deactivate(cd, CDEVICE_1)); NOTFAIL_(request_key("user", TEST_KEY_VK_USER, NULL, 0), "VK was not linked to session keyring."); OK_(crypt_keyslot_context_init_by_vk_in_keyring(cd, TEST_KEY_VK_USER_NAME, &kc)); - EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, 0), 0); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0); OK_(crypt_deactivate(cd, CDEVICE_1)); NOTFAIL_(request_key("user", TEST_KEY_VK_USER, NULL, 0), "VK was not linked to session keyring after deactivation."); OK_(_drop_keyring_key_from_keyring_name(TEST_KEY_VK_USER, keyring_in_session_id, "user")); - FAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, 0), "activation via VK in keyring after dropping the key"); + FAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), "activation via VK in keyring after dropping the key"); // load VK back to keyring by activating OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0)); 
@@ -5365,13 +5365,13 @@ static void KeyslotContextAndKeyringLink(void) GE_((vk_len = keyctl_read(linked_kid, vk_buf, sizeof(vk_buf))), 0); vk_buf[0] = ~vk_buf[0]; OK_(keyctl_update(linked_kid, vk_buf, vk_len)); - FAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, 0), 0); + FAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0); OK_(_drop_keyring_key_from_keyring_name(TEST_KEY_VK_USER, keyring_in_session_id, "user")); crypt_keyslot_context_free(kc); // After this point put resume tests only! OK_(crypt_keyslot_context_init_by_passphrase(cd, PASSPHRASE, strlen(PASSPHRASE), &kc)); - EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, 0), 0); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0); suspend_status = crypt_suspend(cd, CDEVICE_1); if (suspend_status == -ENOTSUP) { printf("WARNING: Suspend/Resume not supported, skipping test.\n"); @@ -5392,14 +5392,14 @@ static void KeyslotContextAndKeyringLink(void) crypt_keyslot_context_free(kc); OK_(crypt_keyslot_context_init_by_volume_key(cd, key, key_size, &kc)); - EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, 0), 0); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0); OK_(crypt_suspend(cd, CDEVICE_1)); EQ_(crypt_resume_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc), 0); OK_(crypt_deactivate(cd, CDEVICE_1)); crypt_keyslot_context_free(kc); OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &kc)); - EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, 0), 1); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 1); OK_(crypt_suspend(cd, CDEVICE_1)); OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); EQ_(CRYPT_ACTIVATE_SUSPENDED, cad.flags & CRYPT_ACTIVATE_SUSPENDED); 
@@ -5408,25 +5408,25 @@ static void KeyslotContextAndKeyringLink(void) crypt_keyslot_context_free(kc); OK_(crypt_keyslot_context_init_by_keyring(cd, KEY_DESC_TEST0, &kc)); - EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, 0), 0); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0); OK_(crypt_suspend(cd, CDEVICE_1)); EQ_(crypt_resume_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc), 0); OK_(crypt_deactivate(cd, CDEVICE_1)); crypt_keyslot_context_free(kc); // resume by VK keyring context - crypt_set_keyring_to_link(cd, TEST_KEY_VK_USER, "user", TEST_KEYRING_SESSION_NAME); + crypt_set_keyring_to_link(cd, TEST_KEY_VK_USER, NULL, "user", TEST_KEYRING_SESSION_NAME); OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0)); NOTFAIL_(request_key("user", TEST_KEY_VK_USER, NULL, 0), "VK was not linked to session keyring."); OK_(crypt_suspend(cd, CDEVICE_1)); OK_(crypt_keyslot_context_init_by_vk_in_keyring(cd, TEST_KEY_VK_USER_NAME, &kc)); EQ_(crypt_resume_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc), 0); OK_(crypt_deactivate(cd, CDEVICE_1)); - EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, 0), 0); + EQ_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), 0); OK_(crypt_deactivate(cd, CDEVICE_1)); NOTFAIL_(request_key("user", TEST_KEY_VK_USER, NULL, 0), "VK was not linked to session keyring after deactivation."); OK_(_drop_keyring_key_from_keyring_name(TEST_KEY_VK_USER, keyring_in_session_id, "user")); - FAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, 0), "activation via VK in keyring after dropping the key"); + FAIL_(crypt_activate_by_keyslot_context(cd, CDEVICE_1, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), "activation via VK in keyring after dropping the key"); crypt_keyslot_context_free(kc); NOTFAIL_(keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING), 
"Test or kernel keyring are broken.");