From: "Vladimir 'φ-coder/phcoder' Serbinenko" <phcoder@gmail.com>
To: The development of GNU GRUB <grub-devel@gnu.org>
Subject: Re: [PATCH 4/5] Cryptomount support plain dm-crypt
Date: Fri, 12 Feb 2016 16:19:47 +0100 [thread overview]
Message-ID: <56BDF813.2010101@gmail.com> (raw)
In-Reply-To: <1435588260-29456-5-git-send-email-grub@jelmail.com>
[-- Attachment #1: Type: text/plain, Size: 23641 bytes --]
On 29.06.2015 16:30, John Lane wrote:
> From: John Lane <john@lane.uk.net>
>
> ---
> grub-core/disk/cryptodisk.c | 298 +++++++++++++++++++++++++++++++++++++++++++-
> grub-core/disk/luks.c | 195 +----------------------------
> include/grub/cryptodisk.h | 8 ++
> 3 files changed, 310 insertions(+), 191 deletions(-)
>
> diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
> index a27e70c..cd5cfc9 100644
> --- a/grub-core/disk/cryptodisk.c
> +++ b/grub-core/disk/cryptodisk.c
> @@ -44,6 +44,12 @@ static const struct grub_arg_option options[] =
> {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
> {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
> {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT},
> + {"plain", 'p', 0, N_("Plain (no LUKS header)"), 0, ARG_TYPE_NONE},
> + {"cipher", 'c', 0, N_("Plain mode cipher"), 0, ARG_TYPE_STRING},
> + {"digest", 'd', 0, N_("Plain mode passphrase digest (hash)"), 0, ARG_TYPE_STRING},
> + {"offset", 'o', 0, N_("Plain mode data sector offset"), 0, ARG_TYPE_INT},
> + {"size", 's', 0, N_("Size of raw device (sectors, defaults to whole device)"), 0, ARG_TYPE_INT},
> + {"key-size", 'K', 0, N_("Set key size (bits)"), 0, ARG_TYPE_INT},
> {0, 0, 0, 0, 0, 0}
> };
>
This is hairy, doesn't fit into cryptomount syntax and not maintainable.
Can we have a separate command for this?
> @@ -927,6 +933,48 @@ grub_cryptodisk_scan_device (const char *name,
> return have_it && search_uuid ? 1 : 0;
> }
>
> +/* Hashes a passphrase into a key and stores it with cipher. */
> +static gcry_err_code_t
> +set_passphrase (grub_cryptodisk_t dev, grub_size_t keysize, const char *passphrase)
> +{
> + grub_uint8_t derived_hash[GRUB_CRYPTODISK_MAX_KEYLEN * 2], *dh = derived_hash;
> + char *p;
> + unsigned int round, i;
> + unsigned int len, size;
> +
> + /* Need no passphrase if there's no key */
> + if (keysize == 0)
> + return GPG_ERR_INV_KEYLEN;
> +
> + /* Hack to support the "none" hash */
> + if (dev->hash)
> + len = dev->hash->mdlen;
> + else
> + len = grub_strlen (passphrase);
> +
> + if (keysize > GRUB_CRYPTODISK_MAX_KEYLEN || len > GRUB_CRYPTODISK_MAX_KEYLEN)
> + return GPG_ERR_INV_KEYLEN;
> +
> + p = grub_malloc (grub_strlen (passphrase) + 2 + keysize / len);
> + if (!p)
> + return grub_errno;
> +
> + for (round = 0, size = keysize; size; round++, dh += len, size -= len)
> + {
> + for (i = 0; i < round; i++)
> + p[i] = 'A';
> +
> + grub_strcpy (p + i, passphrase);
> +
> + if (len > size)
> + len = size;
> +
> + grub_crypto_hash (dev->hash, dh, p, grub_strlen (p));
> + }
> +
> + return grub_cryptodisk_setkey (dev, derived_hash, keysize);
> +}
> +
> static grub_err_t
> grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
> {
> @@ -1046,7 +1094,63 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
> return GRUB_ERR_NONE;
> }
>
> - err = grub_cryptodisk_scan_device_real (args[0], disk);
> + if (state[7].set) /* Plain mode */
> + {
> + char *cipher;
> + char *mode;
> + char *digest;
> + int offset, size, key_size;
> +
> + cipher = grub_strdup (state[8].set ? state[8].arg : GRUB_CRYPTODISK_PLAIN_CIPHER);
> + digest = grub_strdup (state[9].set ? state[9].arg : GRUB_CRYPTODISK_PLAIN_DIGEST);
> + offset = state[10].set ? grub_strtoul (state[10].arg, 0, 0) : 0;
> + size = state[11].set ? grub_strtoul (state[11].arg, 0, 0) : 0;
> + key_size = ( state[12].set ? grub_strtoul (state[12].arg, 0, 0) \
> + : GRUB_CRYPTODISK_PLAIN_KEYSIZE ) / 8;
> +
> + /* no strtok, do it manually */
> + mode = grub_strchr(cipher,'-');
> + if (!mode)
> + return GRUB_ERR_BAD_ARGUMENT;
> + else
> + *mode++ = 0;
> +
> + dev = grub_cryptodisk_create (disk, NULL, cipher, mode, digest);
> +
> + dev->offset = offset;
> + if (size) dev->total_length = size;
> +
> + if (key)
> + {
> + err = grub_cryptodisk_setkey (dev, key, key_size);
> + if (err)
> + return err;
> + }
> + else
> + {
> + char passphrase[GRUB_CRYPTODISK_MAX_PASSPHRASE] = "";
> +
> + grub_printf_ (N_("Enter passphrase for %s: "), diskname);
> + if (!grub_password_get (passphrase, GRUB_CRYPTODISK_MAX_PASSPHRASE))
> + return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
> +
> + err = set_passphrase (dev, key_size, passphrase);
> + if (err)
> + {
> + grub_crypto_cipher_close (dev->cipher);
> + return err;
> + }
> + }
> +
> + grub_cryptodisk_insert (dev, diskname, disk);
> +
> + grub_free (cipher);
> + grub_free (digest);
> +
> + err = GRUB_ERR_NONE;
> + }
> + else
> + err = grub_cryptodisk_scan_device_real (args[0], disk);
>
> grub_disk_close (disk);
>
> @@ -1177,13 +1281,203 @@ struct grub_procfs_entry luks_script =
> .get_contents = luks_script_get
> };
>
> +grub_cryptodisk_t
> +grub_cryptodisk_create (grub_disk_t disk, char *uuid,
> + char *ciphername, char *ciphermode, char *hashspec)
> +{
> + grub_cryptodisk_t newdev;
> + char *cipheriv = NULL;
> + grub_crypto_cipher_handle_t cipher = NULL, secondary_cipher = NULL;
> + grub_crypto_cipher_handle_t essiv_cipher = NULL;
> + const gcry_md_spec_t *hash = NULL, *essiv_hash = NULL;
> + const struct gcry_cipher_spec *ciph;
> + grub_cryptodisk_mode_t mode;
> + grub_cryptodisk_mode_iv_t mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64;
> + int benbi_log = 0;
> +
> + if (!uuid)
> + uuid = (char*)"00000000000000000000000000000000";
> +
> + ciph = grub_crypto_lookup_cipher_by_name (ciphername);
> + if (!ciph)
> + {
> + grub_error (GRUB_ERR_FILE_NOT_FOUND, "Cipher %s isn't available",
> + ciphername);
> + return NULL;
> + }
> +
> + /* Configure the cipher used for the bulk data. */
> + cipher = grub_crypto_cipher_open (ciph);
> + if (!cipher)
> + return NULL;
> +
> + /* Configure the cipher mode. */
> + if (grub_strcmp (ciphermode, "ecb") == 0)
> + {
> + mode = GRUB_CRYPTODISK_MODE_ECB;
> + mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
> + cipheriv = NULL;
> + }
> + else if (grub_strcmp (ciphermode, "plain") == 0)
> + {
> + mode = GRUB_CRYPTODISK_MODE_CBC;
> + mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
> + cipheriv = NULL;
> + }
> + else if (grub_memcmp (ciphermode, "cbc-", sizeof ("cbc-") - 1) == 0)
> + {
> + mode = GRUB_CRYPTODISK_MODE_CBC;
> + cipheriv = ciphermode + sizeof ("cbc-") - 1;
> + }
> + else if (grub_memcmp (ciphermode, "pcbc-", sizeof ("pcbc-") - 1) == 0)
> + {
> + mode = GRUB_CRYPTODISK_MODE_PCBC;
> + cipheriv = ciphermode + sizeof ("pcbc-") - 1;
> + }
> + else if (grub_memcmp (ciphermode, "xts-", sizeof ("xts-") - 1) == 0)
> + {
> + mode = GRUB_CRYPTODISK_MODE_XTS;
> + cipheriv = ciphermode + sizeof ("xts-") - 1;
> + secondary_cipher = grub_crypto_cipher_open (ciph);
> + if (!secondary_cipher)
> + {
> + grub_crypto_cipher_close (cipher);
> + return NULL;
> + }
> + if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
> + {
> + grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d",
> + cipher->cipher->blocksize);
> + grub_crypto_cipher_close (cipher);
> + grub_crypto_cipher_close (secondary_cipher);
> + return NULL;
> + }
> + if (secondary_cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
> + {
> + grub_crypto_cipher_close (cipher);
> + grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d",
> + secondary_cipher->cipher->blocksize);
> + grub_crypto_cipher_close (secondary_cipher);
> + return NULL;
> + }
> + }
> + else if (grub_memcmp (ciphermode, "lrw-", sizeof ("lrw-") - 1) == 0)
> + {
> + mode = GRUB_CRYPTODISK_MODE_LRW;
> + cipheriv = ciphermode + sizeof ("lrw-") - 1;
> + if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
> + {
> + grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported LRW block size: %d",
> + cipher->cipher->blocksize);
> + grub_crypto_cipher_close (cipher);
> + return NULL;
> + }
> + }
> + else
> + {
> + grub_crypto_cipher_close (cipher);
> + grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown cipher mode: %s",
> + ciphermode);
> + return NULL;
> + }
> +
> + if (cipheriv == NULL);
> + else if (grub_memcmp (cipheriv, "plain", sizeof ("plain") - 1) == 0)
> + mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
> + else if (grub_memcmp (cipheriv, "plain64", sizeof ("plain64") - 1) == 0)
> + mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64;
> + else if (grub_memcmp (cipheriv, "benbi", sizeof ("benbi") - 1) == 0)
> + {
> + if (cipher->cipher->blocksize & (cipher->cipher->blocksize - 1)
> + || cipher->cipher->blocksize == 0)
> + grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported benbi blocksize: %d",
> + cipher->cipher->blocksize);
> + /* FIXME should we return an error here? */
> + for (benbi_log = 0;
> + (cipher->cipher->blocksize << benbi_log) < GRUB_DISK_SECTOR_SIZE;
> + benbi_log++);
> + mode_iv = GRUB_CRYPTODISK_MODE_IV_BENBI;
> + }
> + else if (grub_memcmp (cipheriv, "null", sizeof ("null") - 1) == 0)
> + mode_iv = GRUB_CRYPTODISK_MODE_IV_NULL;
> + else if (grub_memcmp (cipheriv, "essiv:", sizeof ("essiv:") - 1) == 0)
> + {
> + char *hash_str = cipheriv + 6;
> +
> + mode_iv = GRUB_CRYPTODISK_MODE_IV_ESSIV;
> +
> + /* Configure the hash and cipher used for ESSIV. */
> + essiv_hash = grub_crypto_lookup_md_by_name (hash_str);
> + if (!essiv_hash)
> + {
> + grub_crypto_cipher_close (cipher);
> + grub_crypto_cipher_close (secondary_cipher);
> + grub_error (GRUB_ERR_FILE_NOT_FOUND,
> + "Couldn't load %s hash", hash_str);
> + return NULL;
> + }
> + essiv_cipher = grub_crypto_cipher_open (ciph);
> + if (!essiv_cipher)
> + {
> + grub_crypto_cipher_close (cipher);
> + grub_crypto_cipher_close (secondary_cipher);
> + return NULL;
> + }
> + }
> + else
> + {
> + grub_crypto_cipher_close (cipher);
> + grub_crypto_cipher_close (secondary_cipher);
> + grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown IV mode: %s",
> + cipheriv);
> + return NULL;
> + }
> +
> + /* Configure the passphrase hash (LUKS also uses AF splitter and HMAC). */
> + hash = grub_crypto_lookup_md_by_name (hashspec);
> + if (!hash)
> + {
> + grub_crypto_cipher_close (cipher);
> + grub_crypto_cipher_close (essiv_cipher);
> + grub_crypto_cipher_close (secondary_cipher);
> + grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash",
> + hashspec);
> + return NULL;
> + }
> +
> + newdev = grub_zalloc (sizeof (struct grub_cryptodisk));
> + if (!newdev)
> + {
> + grub_crypto_cipher_close (cipher);
> + grub_crypto_cipher_close (essiv_cipher);
> + grub_crypto_cipher_close (secondary_cipher);
> + return NULL;
> + }
> + newdev->cipher = cipher;
> + newdev->offset = 0;
> + newdev->source_disk = NULL;
> + newdev->benbi_log = benbi_log;
> + newdev->mode = mode;
> + newdev->mode_iv = mode_iv;
> + newdev->secondary_cipher = secondary_cipher;
> + newdev->essiv_cipher = essiv_cipher;
> + newdev->essiv_hash = essiv_hash;
> + newdev->hash = hash;
> + newdev->log_sector_size = 9;
> + newdev->total_length = grub_disk_get_size (disk) - newdev->offset;
> + grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid));
> + COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid));
> +
> + return newdev;
> +}
> +
> static grub_extcmd_t cmd;
>
> GRUB_MOD_INIT (cryptodisk)
> {
> grub_disk_dev_register (&grub_cryptodisk_dev);
> cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
> - N_("SOURCE|-u UUID|-a|-b|-H file"),
> + N_("SOURCE|-u UUID|-a|-b|-H file|-p -c cipher -d digest"),
> N_("Mount a crypto device."), options);
> grub_procfs_register ("luks_script", &luks_script);
> }
> diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
> index 11e437e..4ebe21b 100644
> --- a/grub-core/disk/luks.c
> +++ b/grub-core/disk/luks.c
> @@ -30,8 +30,6 @@
>
> GRUB_MOD_LICENSE ("GPLv3+");
>
> -#define MAX_PASSPHRASE 256
> -
> #define LUKS_KEY_ENABLED 0x00AC71F3
>
> /* On disk LUKS header */
> @@ -76,15 +74,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
> char uuid[sizeof (header.uuid) + 1];
> char ciphername[sizeof (header.cipherName) + 1];
> char ciphermode[sizeof (header.cipherMode) + 1];
> - char *cipheriv = NULL;
> char hashspec[sizeof (header.hashSpec) + 1];
> - grub_crypto_cipher_handle_t cipher = NULL, secondary_cipher = NULL;
> - grub_crypto_cipher_handle_t essiv_cipher = NULL;
> - const gcry_md_spec_t *hash = NULL, *essiv_hash = NULL;
> - const struct gcry_cipher_spec *ciph;
> - grub_cryptodisk_mode_t mode;
> - grub_cryptodisk_mode_iv_t mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64;
> - int benbi_log = 0;
> grub_err_t err;
>
> err = GRUB_ERR_NONE;
> @@ -119,7 +109,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
> iptr++)
> {
> if (*iptr != '-')
> - *optr++ = *iptr;
> + *optr++ = *iptr;
> }
> *optr = 0;
>
> @@ -129,6 +119,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
> return NULL;
> }
>
> +
> /* Make sure that strings are null terminated. */
> grub_memcpy (ciphername, header.cipherName, sizeof (header.cipherName));
> ciphername[sizeof (header.cipherName)] = 0;
> @@ -137,184 +128,10 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
> grub_memcpy (hashspec, header.hashSpec, sizeof (header.hashSpec));
> hashspec[sizeof (header.hashSpec)] = 0;
>
> - ciph = grub_crypto_lookup_cipher_by_name (ciphername);
> - if (!ciph)
> - {
> - grub_error (GRUB_ERR_FILE_NOT_FOUND, "Cipher %s isn't available",
> - ciphername);
> - return NULL;
> - }
> -
> - /* Configure the cipher used for the bulk data. */
> - cipher = grub_crypto_cipher_open (ciph);
> - if (!cipher)
> - return NULL;
> -
> - if (grub_be_to_cpu32 (header.keyBytes) > 1024)
> - {
> - grub_error (GRUB_ERR_BAD_ARGUMENT, "invalid keysize %d",
> - grub_be_to_cpu32 (header.keyBytes));
> - grub_crypto_cipher_close (cipher);
> - return NULL;
> - }
> -
> - /* Configure the cipher mode. */
> - if (grub_strcmp (ciphermode, "ecb") == 0)
> - {
> - mode = GRUB_CRYPTODISK_MODE_ECB;
> - mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
> - cipheriv = NULL;
> - }
> - else if (grub_strcmp (ciphermode, "plain") == 0)
> - {
> - mode = GRUB_CRYPTODISK_MODE_CBC;
> - mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
> - cipheriv = NULL;
> - }
> - else if (grub_memcmp (ciphermode, "cbc-", sizeof ("cbc-") - 1) == 0)
> - {
> - mode = GRUB_CRYPTODISK_MODE_CBC;
> - cipheriv = ciphermode + sizeof ("cbc-") - 1;
> - }
> - else if (grub_memcmp (ciphermode, "pcbc-", sizeof ("pcbc-") - 1) == 0)
> - {
> - mode = GRUB_CRYPTODISK_MODE_PCBC;
> - cipheriv = ciphermode + sizeof ("pcbc-") - 1;
> - }
> - else if (grub_memcmp (ciphermode, "xts-", sizeof ("xts-") - 1) == 0)
> - {
> - mode = GRUB_CRYPTODISK_MODE_XTS;
> - cipheriv = ciphermode + sizeof ("xts-") - 1;
> - secondary_cipher = grub_crypto_cipher_open (ciph);
> - if (!secondary_cipher)
> - {
> - grub_crypto_cipher_close (cipher);
> - return NULL;
> - }
> - if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
> - {
> - grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d",
> - cipher->cipher->blocksize);
> - grub_crypto_cipher_close (cipher);
> - grub_crypto_cipher_close (secondary_cipher);
> - return NULL;
> - }
> - if (secondary_cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
> - {
> - grub_crypto_cipher_close (cipher);
> - grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d",
> - secondary_cipher->cipher->blocksize);
> - grub_crypto_cipher_close (secondary_cipher);
> - return NULL;
> - }
> - }
> - else if (grub_memcmp (ciphermode, "lrw-", sizeof ("lrw-") - 1) == 0)
> - {
> - mode = GRUB_CRYPTODISK_MODE_LRW;
> - cipheriv = ciphermode + sizeof ("lrw-") - 1;
> - if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
> - {
> - grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported LRW block size: %d",
> - cipher->cipher->blocksize);
> - grub_crypto_cipher_close (cipher);
> - return NULL;
> - }
> - }
> - else
> - {
> - grub_crypto_cipher_close (cipher);
> - grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown cipher mode: %s",
> - ciphermode);
> - return NULL;
> - }
> -
> - if (cipheriv == NULL);
> - else if (grub_memcmp (cipheriv, "plain", sizeof ("plain") - 1) == 0)
> - mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
> - else if (grub_memcmp (cipheriv, "plain64", sizeof ("plain64") - 1) == 0)
> - mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64;
> - else if (grub_memcmp (cipheriv, "benbi", sizeof ("benbi") - 1) == 0)
> - {
> - if (cipher->cipher->blocksize & (cipher->cipher->blocksize - 1)
> - || cipher->cipher->blocksize == 0)
> - grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported benbi blocksize: %d",
> - cipher->cipher->blocksize);
> - /* FIXME should we return an error here? */
> - for (benbi_log = 0;
> - (cipher->cipher->blocksize << benbi_log) < GRUB_DISK_SECTOR_SIZE;
> - benbi_log++);
> - mode_iv = GRUB_CRYPTODISK_MODE_IV_BENBI;
> - }
> - else if (grub_memcmp (cipheriv, "null", sizeof ("null") - 1) == 0)
> - mode_iv = GRUB_CRYPTODISK_MODE_IV_NULL;
> - else if (grub_memcmp (cipheriv, "essiv:", sizeof ("essiv:") - 1) == 0)
> - {
> - char *hash_str = cipheriv + 6;
> -
> - mode_iv = GRUB_CRYPTODISK_MODE_IV_ESSIV;
> -
> - /* Configure the hash and cipher used for ESSIV. */
> - essiv_hash = grub_crypto_lookup_md_by_name (hash_str);
> - if (!essiv_hash)
> - {
> - grub_crypto_cipher_close (cipher);
> - grub_crypto_cipher_close (secondary_cipher);
> - grub_error (GRUB_ERR_FILE_NOT_FOUND,
> - "Couldn't load %s hash", hash_str);
> - return NULL;
> - }
> - essiv_cipher = grub_crypto_cipher_open (ciph);
> - if (!essiv_cipher)
> - {
> - grub_crypto_cipher_close (cipher);
> - grub_crypto_cipher_close (secondary_cipher);
> - return NULL;
> - }
> - }
> - else
> - {
> - grub_crypto_cipher_close (cipher);
> - grub_crypto_cipher_close (secondary_cipher);
> - grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown IV mode: %s",
> - cipheriv);
> - return NULL;
> - }
> -
> - /* Configure the hash used for the AF splitter and HMAC. */
> - hash = grub_crypto_lookup_md_by_name (hashspec);
> - if (!hash)
> - {
> - grub_crypto_cipher_close (cipher);
> - grub_crypto_cipher_close (essiv_cipher);
> - grub_crypto_cipher_close (secondary_cipher);
> - grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash",
> - hashspec);
> - return NULL;
> - }
> + newdev = grub_cryptodisk_create (disk, uuid, ciphername, ciphermode, hashspec);
>
> - newdev = grub_zalloc (sizeof (struct grub_cryptodisk));
> - if (!newdev)
> - {
> - grub_crypto_cipher_close (cipher);
> - grub_crypto_cipher_close (essiv_cipher);
> - grub_crypto_cipher_close (secondary_cipher);
> - return NULL;
> - }
> - newdev->cipher = cipher;
> newdev->offset = grub_be_to_cpu32 (header.payloadOffset);
> - newdev->source_disk = NULL;
> - newdev->benbi_log = benbi_log;
> - newdev->mode = mode;
> - newdev->mode_iv = mode_iv;
> - newdev->secondary_cipher = secondary_cipher;
> - newdev->essiv_cipher = essiv_cipher;
> - newdev->essiv_hash = essiv_hash;
> - newdev->hash = hash;
> - newdev->log_sector_size = 9;
> - newdev->total_length = grub_disk_get_size (disk) - newdev->offset;
> - grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid));
> newdev->modname = "luks";
> - COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid));
>
> return newdev;
> }
> @@ -329,7 +146,7 @@ luks_recover_key (grub_disk_t source,
> struct grub_luks_phdr header;
> grub_size_t keysize;
> grub_uint8_t *split_key = NULL;
> - char interactive_passphrase[MAX_PASSPHRASE] = "";
> + char interactive_passphrase[GRUB_CRYPTODISK_MAX_PASSPHRASE] = "";
> grub_uint8_t *passphrase;
> grub_size_t passphrase_length;
> grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
> @@ -376,7 +193,7 @@ luks_recover_key (grub_disk_t source,
> /* Use bytestring from key file as passphrase */
> passphrase = keyfile_bytes;
> passphrase_length = keyfile_bytes_size;
> - keyfile_bytes = NULL; /* use it only once */
> + keyfile_bytes = NULL; /* use it only once */
> }
> else
> {
> @@ -387,7 +204,7 @@ luks_recover_key (grub_disk_t source,
> grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
> source->partition ? "," : "", tmp ? : "", dev->uuid);
> grub_free (tmp);
> - if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
> + if (!grub_password_get (interactive_passphrase, GRUB_CRYPTODISK_MAX_PASSPHRASE))
> {
> grub_free (split_key);
> return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
> diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
> index 0299625..4076412 100644
> --- a/include/grub/cryptodisk.h
> +++ b/include/grub/cryptodisk.h
> @@ -54,9 +54,14 @@ typedef enum
> #define GRUB_CRYPTODISK_GF_LOG_BYTES (GRUB_CRYPTODISK_GF_LOG_SIZE - 3)
> #define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES)
> #define GRUB_CRYPTODISK_MAX_KEYLEN 128
> +#define GRUB_CRYPTODISK_MAX_PASSPHRASE 256
>
> #define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192
>
> +#define GRUB_CRYPTODISK_PLAIN_CIPHER "aes-cbc-essiv:sha256"
> +#define GRUB_CRYPTODISK_PLAIN_DIGEST "ripemd160"
> +#define GRUB_CRYPTODISK_PLAIN_KEYSIZE 256
> +
> struct grub_cryptodisk;
>
> typedef gcry_err_code_t
> @@ -159,4 +164,7 @@ grub_util_get_geli_uuid (const char *dev);
> grub_cryptodisk_t grub_cryptodisk_get_by_uuid (const char *uuid);
> grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk);
>
> +grub_cryptodisk_t grub_cryptodisk_create (grub_disk_t disk, char *uuid,
> + char *ciphername, char *ciphermode, char *digest);
> +
> #endif
>
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 213 bytes --]
next prev parent reply other threads:[~2016-02-12 15:20 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-29 14:30 Cryptomount enhancements - revised John Lane
2015-06-29 14:30 ` [PATCH 1/5] Cryptomount support LUKS detached header John Lane
2015-06-29 14:30 ` [PATCH 2/5] Cryptomount support key files John Lane
2015-06-29 14:30 ` [PATCH 3/5] cryptomount luks allow multiple passphrase attempts John Lane
2015-06-29 14:56 ` John Lane
2015-06-29 14:30 ` [PATCH 4/5] Cryptomount support plain dm-crypt John Lane
2016-02-12 15:19 ` Vladimir 'φ-coder/phcoder' Serbinenko [this message]
2015-06-29 14:31 ` [PATCH 5/5] Cryptomount support for hyphens in UUID John Lane
2015-06-29 14:52 ` John Lane
2015-07-29 3:08 ` Andrei Borzenkov
2015-07-29 6:51 ` John Lane
2015-07-29 16:51 ` Andrei Borzenkov
2015-07-29 18:53 ` John Lane
2015-07-28 18:51 ` Cryptomount enhancements - revised John Lane
2015-07-28 21:38 ` Vladimir 'phcoder' Serbinenko
2015-07-29 6:48 ` John Lane
2015-07-29 17:21 ` Andrei Borzenkov
2015-08-01 16:22 ` John Lane
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56BDF813.2010101@gmail.com \
--to=phcoder@gmail.com \
--cc=grub-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.