eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-11 19:00:02 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add crypt_volume_key_get_by_keyslot_context.

Browse Source 
Extends avaiable methods for retrieving device volume key.
The volume key now may be extracted using passphrase, keyfile
(passphrase in a file) or token (LUKS2 only).

For LUKS devices, it returns generated volume key after
sucessfull crypt_format where new volume key got generated.

Fixes: #777.
This commit is contained in:
Ondrej Kozina
2022-10-21 14:02:33 +02:00
parent 0e6264c53c
commit f7e2ed956b
5 changed files with 370 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
lib/libcryptsetup.h
View File

@@ -1666,6 +1666,41 @@ int crypt_volume_key_get(struct crypt_device *cd,
const char *passphrase,
size_t passphrase_size);
/**
* Get volume key from crypt device by keyslot context.
*
* @param cd crypt device handle
* @param keyslot use this keyslot or @e CRYPT_ANY_SLOT
* @param volume_key buffer for volume key
* @param volume_key_size on input, size of buffer @e volume_key,
* on output size of @e volume_key
* @param kc keyslot context used to unlock volume key
*
* @return unlocked key slot number or negative errno otherwise.
*
* @note See @link crypt-keyslot-context-types @endlink for info on keyslot
* context initialization.
* @note For TCRYPT cipher chain is the volume key concatenated
* for all ciphers in chain (kc may be NULL).
* @note For VERITY the volume key means root hash used for activation
* (kc may be NULL).
* @note For LUKS devices, if kc is @e NULL and volume key is cached in
* device context it returns the volume key generated in preceding
* @link crypt_format @endlink call.
* @note @link CRYPT_KC_TYPE_TOKEN @endlink keyslot context is usable only with LUKS2 devices.
* @note @link CRYPT_KC_TYPE_KEY @endlink keyslot context can not be used.
* @note To get LUKS2 unbound key, keyslot parameter must not be @e CRYPT_ANY_SLOT.
* @note EPERM errno means provided keyslot context could not unlock any (or selected)
* keyslot.
* @note ENOENT errno means no LUKS keyslot is available to retrieve volume key from
* and there's no cached volume key in device handle.
*/
int crypt_volume_key_get_by_keyslot_context(struct crypt_device *cd,
int keyslot,
char *volume_key,
size_t *volume_key_size,
struct crypt_keyslot_context *kc);
/**
* Verify that provided volume key is valid for crypt device.
*