From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from list by lists.gnu.org with archive (Exim 4.71) id 1aUFVq-0004OT-Mu for mharc-grub-devel@gnu.org; Fri, 12 Feb 2016 10:20:02 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:48499) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aUFVl-0004Hq-4X for grub-devel@gnu.org; Fri, 12 Feb 2016 10:19:59 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aUFVi-0004PI-Gj for grub-devel@gnu.org; Fri, 12 Feb 2016 10:19:57 -0500 Received: from mail-wm0-x232.google.com ([2a00:1450:400c:c09::232]:33250) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aUFVh-0004P7-Vc for grub-devel@gnu.org; Fri, 12 Feb 2016 10:19:54 -0500 Received: by mail-wm0-x232.google.com with SMTP id g62so66722254wme.0 for ; Fri, 12 Feb 2016 07:19:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-type; bh=MSEuWcM29y4pd6ujV4X/o26N0adNQJKx+dizBhqYX/4=; b=frAtkPkfLnlYAcN9phI/N5PnavD99ZCT8mthKZwN8ftQJqFSVzgG9dZI1Uk8GNovhO qS7ctklGqVG1w0CvB/KgcA4tijxYES48BDHiARt/sN7tpsJ0Q3l7kwTF9RM/XwLyx0Jr vDaret/202KC+0bMYRfUMk788stF0SdUM+Z1I8QfTqkKME46T+5j6y1ZlFxVINtheFsI vjlOUPzGDbAxczSkpWfZuxTV8mRAIBlVOzATaa9wNKW+f0KujsLEPY2qRLJg1S3xjUzn ePRC0uF3FIukmUa0/G3hR/xS277ZzC6vMGxfRp4bDrWXAJ4v/meymF0lyKUBJEb9J3r6 nXgw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-type; bh=MSEuWcM29y4pd6ujV4X/o26N0adNQJKx+dizBhqYX/4=; b=QoTri2cvvhnuuKbkFSeJdc8lVXZJJvD4xkM2QAYMhFDejeLHyYI2xFEVUUl8y1XnXT zXTRPTQAt1c3h6z+kN2eOhFAZ1H9J6jaw00QcO76DrK+P1nU7rAv1h4luXxSGl4jfOF3 Qnqp2Sw1CadWgymW9SEcuXQE7oz+O3BOYnTUiB3ORVr3NjuX/d9M/voeI7kh0vxlHXdg GhDmngnueRExTla5DKdJl6VE4N1bTeGR142DZaGjW792NqX4LWgv9LikOkZe9Fg3y1UG 4sj4iKFjFNT8pzOcWqr7htbAV9pgFHs+uWCS+9O3pN3VksqV/fXFaNkR/1pBGzF8t77z sezw== X-Gm-Message-State: AG10YOTgZNH7nakXWGLk6+SHhg88oZlrTQRalN1UdVgsh2HxAitg2VYm7fBUFpLXgOuOjg== X-Received: by 10.194.120.229 with SMTP id lf5mr2482676wjb.151.1455290389147; Fri, 12 Feb 2016 07:19:49 -0800 (PST) Received: from ?IPv6:2620:0:105f:fd00:a2a8:cdff:fe64:b3b5? ([2620:0:105f:fd00:a2a8:cdff:fe64:b3b5]) by smtp.gmail.com with ESMTPSA id w8sm12460603wjx.21.2016.02.12.07.19.47 for (version=TLSv1/SSLv3 cipher=OTHER); Fri, 12 Feb 2016 07:19:47 -0800 (PST) Subject: Re: [PATCH 4/5] Cryptomount support plain dm-crypt To: The development of GNU GRUB References: <1435588260-29456-1-git-send-email-grub@jelmail.com> <1435588260-29456-5-git-send-email-grub@jelmail.com> From: =?UTF-8?Q?Vladimir_'=cf=86-coder/phcoder'_Serbinenko?= Message-ID: <56BDF813.2010101@gmail.com> Date: Fri, 12 Feb 2016 16:19:47 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Icedove/38.5.0 MIME-Version: 1.0 In-Reply-To: <1435588260-29456-5-git-send-email-grub@jelmail.com> Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="5o6HPIf8IPOQ76t2xA9Jsfxnv8WeS8GWT" X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2a00:1450:400c:c09::232 X-BeenThere: grub-devel@gnu.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: The development of GNU GRUB List-Id: The development of GNU GRUB List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Feb 2016 15:20:00 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --5o6HPIf8IPOQ76t2xA9Jsfxnv8WeS8GWT Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 29.06.2015 16:30, John Lane wrote: > From: John Lane >=20 > --- > grub-core/disk/cryptodisk.c | 298 ++++++++++++++++++++++++++++++++++++= +++++++- > grub-core/disk/luks.c | 195 +---------------------------- > include/grub/cryptodisk.h | 8 ++ > 3 files changed, 310 insertions(+), 191 deletions(-) >=20 > diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c > index a27e70c..cd5cfc9 100644 > --- a/grub-core/disk/cryptodisk.c > +++ b/grub-core/disk/cryptodisk.c > @@ -44,6 +44,12 @@ static const struct grub_arg_option options[] =3D > {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING}, > {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_T= YPE_INT}, > {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_= TYPE_INT}, > + {"plain", 'p', 0, N_("Plain (no LUKS header)"), 0, ARG_TYPE_NONE},= > + {"cipher", 'c', 0, N_("Plain mode cipher"), 0, ARG_TYPE_STRING}, > + {"digest", 'd', 0, N_("Plain mode passphrase digest (hash)"), 0, A= RG_TYPE_STRING}, > + {"offset", 'o', 0, N_("Plain mode data sector offset"), 0, ARG_TYP= E_INT}, > + {"size", 's', 0, N_("Size of raw device (sectors, defaults to whol= e device)"), 0, ARG_TYPE_INT}, > + {"key-size", 'K', 0, N_("Set key size (bits)"), 0, ARG_TYPE_INT}, > {0, 0, 0, 0, 0, 0} > }; > =20 This is hairy, doesn't fit into cryptomount syntax and not maintainable. Can we have a separate command for this? > @@ -927,6 +933,48 @@ grub_cryptodisk_scan_device (const char *name, > return have_it && search_uuid ? 1 : 0; > } > =20 > +/* Hashes a passphrase into a key and stores it with cipher. */ > +static gcry_err_code_t > +set_passphrase (grub_cryptodisk_t dev, grub_size_t keysize, const char= *passphrase) > +{ > + grub_uint8_t derived_hash[GRUB_CRYPTODISK_MAX_KEYLEN * 2], *dh =3D d= erived_hash; > + char *p; > + unsigned int round, i; > + unsigned int len, size; > + > + /* Need no passphrase if there's no key */ > + if (keysize =3D=3D 0) > + return GPG_ERR_INV_KEYLEN; > + > + /* Hack to support the "none" hash */ > + if (dev->hash) > + len =3D dev->hash->mdlen; > + else > + len =3D grub_strlen (passphrase); > + > + if (keysize > GRUB_CRYPTODISK_MAX_KEYLEN || len > GRUB_CRYPTODISK_MA= X_KEYLEN) > + return GPG_ERR_INV_KEYLEN; > + > + p =3D grub_malloc (grub_strlen (passphrase) + 2 + keysize / len); > + if (!p) > + return grub_errno; > + > + for (round =3D 0, size =3D keysize; size; round++, dh +=3D len, size= -=3D len) > + { > + for (i =3D 0; i < round; i++) > + p[i] =3D 'A'; > + > + grub_strcpy (p + i, passphrase); > + > + if (len > size) > + len =3D size; > + > + grub_crypto_hash (dev->hash, dh, p, grub_strlen (p)); > + } > + > + return grub_cryptodisk_setkey (dev, derived_hash, keysize); > +} > + > static grub_err_t > grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **arg= s) > { > @@ -1046,7 +1094,63 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt= , int argc, char **args) > return GRUB_ERR_NONE; > } > =20 > - err =3D grub_cryptodisk_scan_device_real (args[0], disk); > + if (state[7].set) /* Plain mode */ > + { > + char *cipher; > + char *mode; > + char *digest; > + int offset, size, key_size; > + > + cipher =3D grub_strdup (state[8].set ? state[8].arg : GRUB_C= RYPTODISK_PLAIN_CIPHER); > + digest =3D grub_strdup (state[9].set ? state[9].arg : GRUB_C= RYPTODISK_PLAIN_DIGEST); > + offset =3D state[10].set ? grub_strtoul (state[10].arg, 0, 0= ) : 0; > + size =3D state[11].set ? grub_strtoul (state[11].arg, 0, 0= ) : 0; > + key_size =3D ( state[12].set ? grub_strtoul (state[12].arg, = 0, 0) \ > + : GRUB_CRYPTODISK_PLAIN_KEYSIZE ) / 8; > + > + /* no strtok, do it manually */ > + mode =3D grub_strchr(cipher,'-'); > + if (!mode) > + return GRUB_ERR_BAD_ARGUMENT; > + else > + *mode++ =3D 0; > + > + dev =3D grub_cryptodisk_create (disk, NULL, cipher, mode, di= gest); > + > + dev->offset =3D offset; > + if (size) dev->total_length =3D size; > + > + if (key) > + { > + err =3D grub_cryptodisk_setkey (dev, key, key_size); > + if (err) > + return err; > + } > + else > + { > + char passphrase[GRUB_CRYPTODISK_MAX_PASSPHRASE] =3D ""; > + > + grub_printf_ (N_("Enter passphrase for %s: "), diskname)= ; > + if (!grub_password_get (passphrase, GRUB_CRYPTODISK_MAX_= PASSPHRASE)) > + return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase = not supplied"); > + > + err =3D set_passphrase (dev, key_size, passphrase); > + if (err) > + { > + grub_crypto_cipher_close (dev->cipher); > + return err; > + } > + } > + > + grub_cryptodisk_insert (dev, diskname, disk); > + > + grub_free (cipher); > + grub_free (digest); > + > + err =3D GRUB_ERR_NONE; > + } > + else > + err =3D grub_cryptodisk_scan_device_real (args[0], disk); > =20 > grub_disk_close (disk); > =20 > @@ -1177,13 +1281,203 @@ struct grub_procfs_entry luks_script =3D > .get_contents =3D luks_script_get > }; > =20 > +grub_cryptodisk_t > +grub_cryptodisk_create (grub_disk_t disk, char *uuid, > + char *ciphername, char *ciphermode, char *hashspec) > +{ > + grub_cryptodisk_t newdev; > + char *cipheriv =3D NULL; > + grub_crypto_cipher_handle_t cipher =3D NULL, secondary_cipher =3D NU= LL; > + grub_crypto_cipher_handle_t essiv_cipher =3D NULL; > + const gcry_md_spec_t *hash =3D NULL, *essiv_hash =3D NULL; > + const struct gcry_cipher_spec *ciph; > + grub_cryptodisk_mode_t mode; > + grub_cryptodisk_mode_iv_t mode_iv =3D GRUB_CRYPTODISK_MODE_IV_PLAIN6= 4; > + int benbi_log =3D 0; > + > + if (!uuid) > + uuid =3D (char*)"00000000000000000000000000000000"; > + > + ciph =3D grub_crypto_lookup_cipher_by_name (ciphername); > + if (!ciph) > + { > + grub_error (GRUB_ERR_FILE_NOT_FOUND, "Cipher %s isn't available"= , > + ciphername); > + return NULL; > + } > + > + /* Configure the cipher used for the bulk data. */ > + cipher =3D grub_crypto_cipher_open (ciph); > + if (!cipher) > + return NULL; > + > + /* Configure the cipher mode. */ > + if (grub_strcmp (ciphermode, "ecb") =3D=3D 0) > + { > + mode =3D GRUB_CRYPTODISK_MODE_ECB; > + mode_iv =3D GRUB_CRYPTODISK_MODE_IV_PLAIN; > + cipheriv =3D NULL; > + } > + else if (grub_strcmp (ciphermode, "plain") =3D=3D 0) > + { > + mode =3D GRUB_CRYPTODISK_MODE_CBC; > + mode_iv =3D GRUB_CRYPTODISK_MODE_IV_PLAIN; > + cipheriv =3D NULL; > + } > + else if (grub_memcmp (ciphermode, "cbc-", sizeof ("cbc-") - 1) =3D=3D= 0) > + { > + mode =3D GRUB_CRYPTODISK_MODE_CBC; > + cipheriv =3D ciphermode + sizeof ("cbc-") - 1; > + } > + else if (grub_memcmp (ciphermode, "pcbc-", sizeof ("pcbc-") - 1) =3D= =3D 0) > + { > + mode =3D GRUB_CRYPTODISK_MODE_PCBC; > + cipheriv =3D ciphermode + sizeof ("pcbc-") - 1; > + } > + else if (grub_memcmp (ciphermode, "xts-", sizeof ("xts-") - 1) =3D=3D= 0) > + { > + mode =3D GRUB_CRYPTODISK_MODE_XTS; > + cipheriv =3D ciphermode + sizeof ("xts-") - 1; > + secondary_cipher =3D grub_crypto_cipher_open (ciph); > + if (!secondary_cipher) > + { > + grub_crypto_cipher_close (cipher); > + return NULL; > + } > + if (cipher->cipher->blocksize !=3D GRUB_CRYPTODISK_GF_BYTES) > + { > + grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d"= , > + cipher->cipher->blocksize); > + grub_crypto_cipher_close (cipher); > + grub_crypto_cipher_close (secondary_cipher); > + return NULL; > + } > + if (secondary_cipher->cipher->blocksize !=3D GRUB_CRYPTODISK_GF_= BYTES) > + { > + grub_crypto_cipher_close (cipher); > + grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d"= , > + secondary_cipher->cipher->blocksize); > + grub_crypto_cipher_close (secondary_cipher); > + return NULL; > + } > + } > + else if (grub_memcmp (ciphermode, "lrw-", sizeof ("lrw-") - 1) =3D=3D= 0) > + { > + mode =3D GRUB_CRYPTODISK_MODE_LRW; > + cipheriv =3D ciphermode + sizeof ("lrw-") - 1; > + if (cipher->cipher->blocksize !=3D GRUB_CRYPTODISK_GF_BYTES) > + { > + grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported LRW block size: %d"= , > + cipher->cipher->blocksize); > + grub_crypto_cipher_close (cipher); > + return NULL; > + } > + } > + else > + { > + grub_crypto_cipher_close (cipher); > + grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown cipher mode: %s", > + ciphermode); > + return NULL; > + } > + > + if (cipheriv =3D=3D NULL); > + else if (grub_memcmp (cipheriv, "plain", sizeof ("plain") - 1) =3D=3D= 0) > + mode_iv =3D GRUB_CRYPTODISK_MODE_IV_PLAIN; > + else if (grub_memcmp (cipheriv, "plain64", sizeof ("plain64") - 1) =3D= =3D 0) > + mode_iv =3D GRUB_CRYPTODISK_MODE_IV_PLAIN64; > + else if (grub_memcmp (cipheriv, "benbi", sizeof ("benbi") - 1) =3D=3D= 0) > + { > + if (cipher->cipher->blocksize & (cipher->cipher->blocksize - 1) > + || cipher->cipher->blocksize =3D=3D 0) > + grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported benbi blocksize: %d",= > + cipher->cipher->blocksize); > + /* FIXME should we return an error here? */ > + for (benbi_log =3D 0; > + (cipher->cipher->blocksize << benbi_log) < GRUB_DISK_SECTOR_SIZE; > + benbi_log++); > + mode_iv =3D GRUB_CRYPTODISK_MODE_IV_BENBI; > + } > + else if (grub_memcmp (cipheriv, "null", sizeof ("null") - 1) =3D=3D = 0) > + mode_iv =3D GRUB_CRYPTODISK_MODE_IV_NULL; > + else if (grub_memcmp (cipheriv, "essiv:", sizeof ("essiv:") - 1) =3D= =3D 0) > + { > + char *hash_str =3D cipheriv + 6; > + > + mode_iv =3D GRUB_CRYPTODISK_MODE_IV_ESSIV; > + > + /* Configure the hash and cipher used for ESSIV. */ > + essiv_hash =3D grub_crypto_lookup_md_by_name (hash_str); > + if (!essiv_hash) > + { > + grub_crypto_cipher_close (cipher); > + grub_crypto_cipher_close (secondary_cipher); > + grub_error (GRUB_ERR_FILE_NOT_FOUND, > + "Couldn't load %s hash", hash_str); > + return NULL; > + } > + essiv_cipher =3D grub_crypto_cipher_open (ciph); > + if (!essiv_cipher) > + { > + grub_crypto_cipher_close (cipher); > + grub_crypto_cipher_close (secondary_cipher); > + return NULL; > + } > + } > + else > + { > + grub_crypto_cipher_close (cipher); > + grub_crypto_cipher_close (secondary_cipher); > + grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown IV mode: %s", > + cipheriv); > + return NULL; > + } > + > + /* Configure the passphrase hash (LUKS also uses AF splitter and HMA= C). */ > + hash =3D grub_crypto_lookup_md_by_name (hashspec); > + if (!hash) > + { > + grub_crypto_cipher_close (cipher); > + grub_crypto_cipher_close (essiv_cipher); > + grub_crypto_cipher_close (secondary_cipher); > + grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash", > + hashspec); > + return NULL; > + } > + > + newdev =3D grub_zalloc (sizeof (struct grub_cryptodisk)); > + if (!newdev) > + { > + grub_crypto_cipher_close (cipher); > + grub_crypto_cipher_close (essiv_cipher); > + grub_crypto_cipher_close (secondary_cipher); > + return NULL; > + } > + newdev->cipher =3D cipher; > + newdev->offset =3D 0; > + newdev->source_disk =3D NULL; > + newdev->benbi_log =3D benbi_log; > + newdev->mode =3D mode; > + newdev->mode_iv =3D mode_iv; > + newdev->secondary_cipher =3D secondary_cipher; > + newdev->essiv_cipher =3D essiv_cipher; > + newdev->essiv_hash =3D essiv_hash; > + newdev->hash =3D hash; > + newdev->log_sector_size =3D 9; > + newdev->total_length =3D grub_disk_get_size (disk) - newdev->offset;= > + grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid)); > + COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >=3D sizeof (uuid)); > + > + return newdev; > +} > + > static grub_extcmd_t cmd; > =20 > GRUB_MOD_INIT (cryptodisk) > { > grub_disk_dev_register (&grub_cryptodisk_dev); > cmd =3D grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0= , > - N_("SOURCE|-u UUID|-a|-b|-H file"), > + N_("SOURCE|-u UUID|-a|-b|-H file|-p -c cipher -d digest"), > N_("Mount a crypto device."), options); > grub_procfs_register ("luks_script", &luks_script); > } > diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c > index 11e437e..4ebe21b 100644 > --- a/grub-core/disk/luks.c > +++ b/grub-core/disk/luks.c > @@ -30,8 +30,6 @@ > =20 > GRUB_MOD_LICENSE ("GPLv3+"); > =20 > -#define MAX_PASSPHRASE 256 > - > #define LUKS_KEY_ENABLED 0x00AC71F3 > =20 > /* On disk LUKS header */ > @@ -76,15 +74,7 @@ configure_ciphers (grub_disk_t disk, const char *che= ck_uuid, > char uuid[sizeof (header.uuid) + 1]; > char ciphername[sizeof (header.cipherName) + 1]; > char ciphermode[sizeof (header.cipherMode) + 1]; > - char *cipheriv =3D NULL; > char hashspec[sizeof (header.hashSpec) + 1]; > - grub_crypto_cipher_handle_t cipher =3D NULL, secondary_cipher =3D NU= LL; > - grub_crypto_cipher_handle_t essiv_cipher =3D NULL; > - const gcry_md_spec_t *hash =3D NULL, *essiv_hash =3D NULL; > - const struct gcry_cipher_spec *ciph; > - grub_cryptodisk_mode_t mode; > - grub_cryptodisk_mode_iv_t mode_iv =3D GRUB_CRYPTODISK_MODE_IV_PLAIN6= 4; > - int benbi_log =3D 0; > grub_err_t err; > =20 > err =3D GRUB_ERR_NONE; > @@ -119,7 +109,7 @@ configure_ciphers (grub_disk_t disk, const char *ch= eck_uuid, > iptr++) > { > if (*iptr !=3D '-') > - *optr++ =3D *iptr; > + *optr++ =3D *iptr; > } > *optr =3D 0; > =20 > @@ -129,6 +119,7 @@ configure_ciphers (grub_disk_t disk, const char *ch= eck_uuid, > return NULL; > } > =20 > + > /* Make sure that strings are null terminated. */ > grub_memcpy (ciphername, header.cipherName, sizeof (header.cipherNam= e)); > ciphername[sizeof (header.cipherName)] =3D 0; > @@ -137,184 +128,10 @@ configure_ciphers (grub_disk_t disk, const char = *check_uuid, > grub_memcpy (hashspec, header.hashSpec, sizeof (header.hashSpec)); > hashspec[sizeof (header.hashSpec)] =3D 0; > =20 > - ciph =3D grub_crypto_lookup_cipher_by_name (ciphername); > - if (!ciph) > - { > - grub_error (GRUB_ERR_FILE_NOT_FOUND, "Cipher %s isn't available"= , > - ciphername); > - return NULL; > - } > - > - /* Configure the cipher used for the bulk data. */ > - cipher =3D grub_crypto_cipher_open (ciph); > - if (!cipher) > - return NULL; > - > - if (grub_be_to_cpu32 (header.keyBytes) > 1024) > - { > - grub_error (GRUB_ERR_BAD_ARGUMENT, "invalid keysize %d", > - grub_be_to_cpu32 (header.keyBytes)); > - grub_crypto_cipher_close (cipher); > - return NULL; > - } > - > - /* Configure the cipher mode. */ > - if (grub_strcmp (ciphermode, "ecb") =3D=3D 0) > - { > - mode =3D GRUB_CRYPTODISK_MODE_ECB; > - mode_iv =3D GRUB_CRYPTODISK_MODE_IV_PLAIN; > - cipheriv =3D NULL; > - } > - else if (grub_strcmp (ciphermode, "plain") =3D=3D 0) > - { > - mode =3D GRUB_CRYPTODISK_MODE_CBC; > - mode_iv =3D GRUB_CRYPTODISK_MODE_IV_PLAIN; > - cipheriv =3D NULL; > - } > - else if (grub_memcmp (ciphermode, "cbc-", sizeof ("cbc-") - 1) =3D=3D= 0) > - { > - mode =3D GRUB_CRYPTODISK_MODE_CBC; > - cipheriv =3D ciphermode + sizeof ("cbc-") - 1; > - } > - else if (grub_memcmp (ciphermode, "pcbc-", sizeof ("pcbc-") - 1) =3D= =3D 0) > - { > - mode =3D GRUB_CRYPTODISK_MODE_PCBC; > - cipheriv =3D ciphermode + sizeof ("pcbc-") - 1; > - } > - else if (grub_memcmp (ciphermode, "xts-", sizeof ("xts-") - 1) =3D=3D= 0) > - { > - mode =3D GRUB_CRYPTODISK_MODE_XTS; > - cipheriv =3D ciphermode + sizeof ("xts-") - 1; > - secondary_cipher =3D grub_crypto_cipher_open (ciph); > - if (!secondary_cipher) > - { > - grub_crypto_cipher_close (cipher); > - return NULL; > - } > - if (cipher->cipher->blocksize !=3D GRUB_CRYPTODISK_GF_BYTES) > - { > - grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d"= , > - cipher->cipher->blocksize); > - grub_crypto_cipher_close (cipher); > - grub_crypto_cipher_close (secondary_cipher); > - return NULL; > - } > - if (secondary_cipher->cipher->blocksize !=3D GRUB_CRYPTODISK_GF_= BYTES) > - { > - grub_crypto_cipher_close (cipher); > - grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d"= , > - secondary_cipher->cipher->blocksize); > - grub_crypto_cipher_close (secondary_cipher); > - return NULL; > - } > - } > - else if (grub_memcmp (ciphermode, "lrw-", sizeof ("lrw-") - 1) =3D=3D= 0) > - { > - mode =3D GRUB_CRYPTODISK_MODE_LRW; > - cipheriv =3D ciphermode + sizeof ("lrw-") - 1; > - if (cipher->cipher->blocksize !=3D GRUB_CRYPTODISK_GF_BYTES) > - { > - grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported LRW block size: %d"= , > - cipher->cipher->blocksize); > - grub_crypto_cipher_close (cipher); > - return NULL; > - } > - } > - else > - { > - grub_crypto_cipher_close (cipher); > - grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown cipher mode: %s", > - ciphermode); > - return NULL; > - } > - > - if (cipheriv =3D=3D NULL); > - else if (grub_memcmp (cipheriv, "plain", sizeof ("plain") - 1) =3D=3D= 0) > - mode_iv =3D GRUB_CRYPTODISK_MODE_IV_PLAIN; > - else if (grub_memcmp (cipheriv, "plain64", sizeof ("plain64") - 1) =3D= =3D 0) > - mode_iv =3D GRUB_CRYPTODISK_MODE_IV_PLAIN64; > - else if (grub_memcmp (cipheriv, "benbi", sizeof ("benbi") - 1) =3D=3D= 0) > - { > - if (cipher->cipher->blocksize & (cipher->cipher->blocksize - 1) > - || cipher->cipher->blocksize =3D=3D 0) > - grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported benbi blocksize: %d",= > - cipher->cipher->blocksize); > - /* FIXME should we return an error here? */ > - for (benbi_log =3D 0;=20 > - (cipher->cipher->blocksize << benbi_log) < GRUB_DISK_SECTOR_SIZE; > - benbi_log++); > - mode_iv =3D GRUB_CRYPTODISK_MODE_IV_BENBI; > - } > - else if (grub_memcmp (cipheriv, "null", sizeof ("null") - 1) =3D=3D = 0) > - mode_iv =3D GRUB_CRYPTODISK_MODE_IV_NULL; > - else if (grub_memcmp (cipheriv, "essiv:", sizeof ("essiv:") - 1) =3D= =3D 0) > - { > - char *hash_str =3D cipheriv + 6; > - > - mode_iv =3D GRUB_CRYPTODISK_MODE_IV_ESSIV; > - > - /* Configure the hash and cipher used for ESSIV. */ > - essiv_hash =3D grub_crypto_lookup_md_by_name (hash_str); > - if (!essiv_hash) > - { > - grub_crypto_cipher_close (cipher); > - grub_crypto_cipher_close (secondary_cipher); > - grub_error (GRUB_ERR_FILE_NOT_FOUND, > - "Couldn't load %s hash", hash_str); > - return NULL; > - } > - essiv_cipher =3D grub_crypto_cipher_open (ciph); > - if (!essiv_cipher) > - { > - grub_crypto_cipher_close (cipher); > - grub_crypto_cipher_close (secondary_cipher); > - return NULL; > - } > - } > - else > - { > - grub_crypto_cipher_close (cipher); > - grub_crypto_cipher_close (secondary_cipher); > - grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown IV mode: %s", > - cipheriv); > - return NULL; > - } > - > - /* Configure the hash used for the AF splitter and HMAC. */ > - hash =3D grub_crypto_lookup_md_by_name (hashspec); > - if (!hash) > - { > - grub_crypto_cipher_close (cipher); > - grub_crypto_cipher_close (essiv_cipher); > - grub_crypto_cipher_close (secondary_cipher); > - grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash", > - hashspec); > - return NULL; > - } > + newdev =3D grub_cryptodisk_create (disk, uuid, ciphername, ciphermod= e, hashspec); > =20 > - newdev =3D grub_zalloc (sizeof (struct grub_cryptodisk)); > - if (!newdev) > - { > - grub_crypto_cipher_close (cipher); > - grub_crypto_cipher_close (essiv_cipher); > - grub_crypto_cipher_close (secondary_cipher); > - return NULL; > - } > - newdev->cipher =3D cipher; > newdev->offset =3D grub_be_to_cpu32 (header.payloadOffset); > - newdev->source_disk =3D NULL; > - newdev->benbi_log =3D benbi_log; > - newdev->mode =3D mode; > - newdev->mode_iv =3D mode_iv; > - newdev->secondary_cipher =3D secondary_cipher; > - newdev->essiv_cipher =3D essiv_cipher; > - newdev->essiv_hash =3D essiv_hash; > - newdev->hash =3D hash; > - newdev->log_sector_size =3D 9; > - newdev->total_length =3D grub_disk_get_size (disk) - newdev->offset;= > - grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid)); > newdev->modname =3D "luks"; > - COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >=3D sizeof (uuid)); > =20 > return newdev; > } > @@ -329,7 +146,7 @@ luks_recover_key (grub_disk_t source, > struct grub_luks_phdr header; > grub_size_t keysize; > grub_uint8_t *split_key =3D NULL; > - char interactive_passphrase[MAX_PASSPHRASE] =3D ""; > + char interactive_passphrase[GRUB_CRYPTODISK_MAX_PASSPHRASE] =3D ""; > grub_uint8_t *passphrase; > grub_size_t passphrase_length; > grub_uint8_t candidate_digest[sizeof (header.mkDigest)]; > @@ -376,7 +193,7 @@ luks_recover_key (grub_disk_t source, > /* Use bytestring from key file as passphrase */ > passphrase =3D keyfile_bytes; > passphrase_length =3D keyfile_bytes_size; > - keyfile_bytes =3D NULL; /* use it only once */ > + keyfile_bytes =3D NULL; /* use it only once */ > } > else > { > @@ -387,7 +204,7 @@ luks_recover_key (grub_disk_t source, > grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), sour= ce->name, > source->partition ? "," : "", tmp ? : ""= , dev->uuid); > grub_free (tmp); > - if (!grub_password_get (interactive_passphrase, MAX_PASSPHRA= SE)) > + if (!grub_password_get (interactive_passphrase, GRUB_CRYPTOD= ISK_MAX_PASSPHRASE)) > { > grub_free (split_key); > return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase no= t supplied"); > diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h > index 0299625..4076412 100644 > --- a/include/grub/cryptodisk.h > +++ b/include/grub/cryptodisk.h > @@ -54,9 +54,14 @@ typedef enum > #define GRUB_CRYPTODISK_GF_LOG_BYTES (GRUB_CRYPTODISK_GF_LOG_SIZE - 3)= > #define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES) > #define GRUB_CRYPTODISK_MAX_KEYLEN 128 > +#define GRUB_CRYPTODISK_MAX_PASSPHRASE 256 > =20 > #define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192 > =20 > +#define GRUB_CRYPTODISK_PLAIN_CIPHER "aes-cbc-essiv:sha256" > +#define GRUB_CRYPTODISK_PLAIN_DIGEST "ripemd160" > +#define GRUB_CRYPTODISK_PLAIN_KEYSIZE 256 > + > struct grub_cryptodisk; > =20 > typedef gcry_err_code_t > @@ -159,4 +164,7 @@ grub_util_get_geli_uuid (const char *dev); > grub_cryptodisk_t grub_cryptodisk_get_by_uuid (const char *uuid); > grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk= ); > =20 > +grub_cryptodisk_t grub_cryptodisk_create (grub_disk_t disk, char *uuid= , > + char *ciphername, char *ciphermode, char *digest); > + > #endif >=20 --5o6HPIf8IPOQ76t2xA9Jsfxnv8WeS8GWT Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iF4EAREKAAYFAla9+BMACgkQmBXlbbo5nOvSJQD/SgJzxHqvS0zoNULo07RJIMcu AaMCq8ktwppB+OL8OR4A/ApinjAKL9VCcwgJ9M6FSV7tmbwPVEmTb9n3f+SpoKDt =Tcsh -----END PGP SIGNATURE----- --5o6HPIf8IPOQ76t2xA9Jsfxnv8WeS8GWT--