From: Patrick Steinhardt <ps@pks.im>
To: Glenn Washburn <development@efficientek.com>
Cc: grub-devel@gnu.org, Daniel Kiper <dkiper@net-space.pl>
Subject: Re: [PATCH v6 2/2] cryptodisk: Allows UUIDs to be compared in a dash-insensitive manner
Date: Tue, 6 Sep 2022 17:28:40 +0200 [thread overview]
Message-ID: <YxdnKLGzZIHVer4s@tanuki> (raw)
In-Reply-To: <20220830151236.4e8c12ca@crass-HP-ZBook-15-G2>
[-- Attachment #1: Type: text/plain, Size: 11200 bytes --]
On Tue, Aug 30, 2022 at 03:12:36PM -0500, Glenn Washburn wrote:
> On Mon, 29 Aug 2022 07:38:24 +0200
> Patrick Steinhardt <ps@pks.im> wrote:
>
> > On Fri, Aug 19, 2022 at 06:06:15PM -0500, Glenn Washburn wrote:
> > > A user can now specify UUID strings with dashes, instead of having to remove
> > > dashes. This is backwards-compatability preserving and also fixes a source
> > > of user confusion over the inconsistency with how UUIDs are specified
> > > between file system UUIDs and cryptomount UUIDs. Since cryptsetup, the
> > > reference implementation for LUKS, displays and generates UUIDs with dashes
> > > there has been additional confusion when using the UUID strings from
> > > cryptsetup as exact input into GRUB does not find the expected cryptodisk.
> > >
> > > A new function grub_uuidcasecmp is added that is general enough to be used
> > > other places where UUIDs are being compared.
> > >
> > > Signed-off-by: Glenn Washburn <development@efficientek.com>
> > > ---
> > > grub-core/disk/cryptodisk.c | 4 ++--
> > > grub-core/disk/geli.c | 2 +-
> > > grub-core/disk/luks.c | 21 ++++-----------------
> > > grub-core/disk/luks2.c | 15 ++++-----------
> > > include/grub/misc.h | 32 ++++++++++++++++++++++++++++++++
> > > 5 files changed, 43 insertions(+), 31 deletions(-)
> > >
> > > diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
> > > index e89430812..a4cd8445f 100644
> > > --- a/grub-core/disk/cryptodisk.c
> > > +++ b/grub-core/disk/cryptodisk.c
> > > @@ -702,7 +702,7 @@ grub_cryptodisk_open (const char *name, grub_disk_t disk)
> > > if (grub_memcmp (name, "cryptouuid/", sizeof ("cryptouuid/") - 1) == 0)
> > > {
> > > for (dev = cryptodisk_list; dev != NULL; dev = dev->next)
> > > - if (grub_strcasecmp (name + sizeof ("cryptouuid/") - 1, dev->uuid) == 0)
> > > + if (grub_uuidcasecmp (name + sizeof ("cryptouuid/") - 1, dev->uuid, sizeof (dev->uuid)) == 0)
> > > break;
> > > }
> > > else
> > > @@ -929,7 +929,7 @@ grub_cryptodisk_get_by_uuid (const char *uuid)
> > > {
> > > grub_cryptodisk_t dev;
> > > for (dev = cryptodisk_list; dev != NULL; dev = dev->next)
> > > - if (grub_strcasecmp (dev->uuid, uuid) == 0)
> > > + if (grub_uuidcasecmp (dev->uuid, uuid, sizeof (dev->uuid)) == 0)
> > > return dev;
> > > return NULL;
> > > }
> > > diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
> > > index e190066f9..722910d64 100644
> > > --- a/grub-core/disk/geli.c
> > > +++ b/grub-core/disk/geli.c
> > > @@ -305,7 +305,7 @@ geli_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
> > > return NULL;
> > > }
> > >
> > > - if (cargs->search_uuid != NULL && grub_strcasecmp (cargs->search_uuid, uuid) != 0)
> > > + if (cargs->search_uuid != NULL && grub_uuidcasecmp (cargs->search_uuid, uuid, sizeof (uuid)) != 0)
> > > {
> > > grub_dprintf ("geli", "%s != %s\n", uuid, cargs->search_uuid);
> > > return NULL;
> > > diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
> > > index 7f837d52c..9e1e6a5d9 100644
> > > --- a/grub-core/disk/luks.c
> > > +++ b/grub-core/disk/luks.c
> > > @@ -66,10 +66,7 @@ static grub_cryptodisk_t
> > > luks_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
> > > {
> > > grub_cryptodisk_t newdev;
> > > - const char *iptr;
> > > struct grub_luks_phdr header;
> > > - char *optr;
> > > - char uuid[sizeof (header.uuid) + 1];
> > > char ciphername[sizeof (header.cipherName) + 1];
> > > char ciphermode[sizeof (header.cipherMode) + 1];
> > > char hashspec[sizeof (header.hashSpec) + 1];
> > > @@ -92,19 +89,9 @@ luks_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
> > > || grub_be_to_cpu16 (header.version) != 1)
> > > return NULL;
> > >
> > > - grub_memset (uuid, 0, sizeof (uuid));
> > > - optr = uuid;
> > > - for (iptr = header.uuid; iptr < &header.uuid[ARRAY_SIZE (header.uuid)];
> > > - iptr++)
> > > + if (cargs->search_uuid != NULL && grub_uuidcasecmp (cargs->search_uuid, header.uuid, sizeof (header.uuid)) != 0)
> > > {
> > > - if (*iptr != '-')
> > > - *optr++ = *iptr;
> > > - }
> > > - *optr = 0;
> > > -
> > > - if (cargs->search_uuid != NULL && grub_strcasecmp (cargs->search_uuid, uuid) != 0)
> > > - {
> > > - grub_dprintf ("luks", "%s != %s\n", uuid, cargs->search_uuid);
> > > + grub_dprintf ("luks", "%s != %s\n", header.uuid, cargs->search_uuid);
> > > return NULL;
> > > }
> >
> > I haven't noticed this in my previous review round, but I think this is
> > wrong because `header.uuid` is never NUL-terminated. It is explicitly 40
> > characters long and read directly from disk, so there wouldn't be any
> > room for it to be NUL-terminated.
>
> Why not? UUIDs are 32 hex characters with typically 4 dashes, that
> makes 37 bytes needed including the NULL byte. In fact, I believe that
> cryptsetup always creates the uuid field NULL terminated. Also, the
> LUKS1 spec, and by extension LUKS2 spec, mandates NULL termination. The
> uuid field is specified as "char[]" and "char[], a string stored as null
> terminated sequence of 8-bit characters7".
Indeed, you're right. I've read through the spec again and it matches
your explanation. That also makes my remaining points moot.
> >
> > So we'd rather have to:
> >
> > grub_dprintf ("luks2", "%.*s != %s\n", header.uuid, sizeof (header.uuid),
> > cargs->search_uuid);
> >
> > Sorry for not catching this in my first round.
>
> This seems reasonable for what should be a very uncommon and non-spec
> compliant case of having a uuid field with no NULL byte. I originally
> had a patch before this that explicitly put a NULL byte at the end of
> header.uuid so this problem didn't exist. I dropped it because it was
> generally redundant as pointed out by Daniel, but I didn't take this
> case into account. Perhaps its worth merging that with this one for
> clarity.
This is not as important anymore given that my initial point was moot.
But it may still be sensible as defennse against corrupted headers.
Anyway, with or without that change:
Reviewed-by: Patrick Steinhardt <ps@pks.im>
Thanks!
Patrick
> >
> > >
> > > @@ -123,7 +110,7 @@ luks_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
> > > newdev->source_disk = NULL;
> > > newdev->log_sector_size = GRUB_LUKS1_LOG_SECTOR_SIZE;
> > > newdev->total_sectors = grub_disk_native_sectors (disk) - newdev->offset_sectors;
> > > - grub_memcpy (newdev->uuid, uuid, sizeof (uuid));
> > > + grub_memcpy (newdev->uuid, header.uuid, sizeof (header.uuid));
> > > newdev->modname = "luks";
> >
> > This should be fine though because `newdev->uuid` is initialized to
> > all-zeroes.
> >
> > > /* Configure the hash used for the AF splitter and HMAC. */
> > > @@ -143,7 +130,7 @@ luks_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
> > > return NULL;
> > > }
> > >
> > > - COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid));
> > > + COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (header.uuid));
> > > return newdev;
> > > }
> >
> > This has an off-by-one bug now though: `sizeof(uuid)` is not the same as
> > `sizeof(header.uuid)`, but instead it was `sizeof(header.uuid)+1` to
> > account for the trailing NUL-byte. So we have to make this:
> >
> > COMPILE_TIME_ASSERT (sizeof (newdev->uuid) > sizeof (header.uuid));
>
> I don't think this is needed per above.
>
> Please let me know if I've missed something and thanks for being
> cautious.
>
> Glenn
>
> >
> > > diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
> > > index 5b3b36c8a..1174c4c2b 100644
> > > --- a/grub-core/disk/luks2.c
> > > +++ b/grub-core/disk/luks2.c
> > > @@ -350,8 +350,6 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
> > > {
> > > grub_cryptodisk_t cryptodisk;
> > > grub_luks2_header_t header;
> > > - char uuid[sizeof (header.uuid) + 1];
> > > - grub_size_t i, j;
> > >
> > > if (cargs->check_boot)
> > > return NULL;
> > > @@ -362,14 +360,9 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
> > > return NULL;
> > > }
> > >
> > > - for (i = 0, j = 0; i < sizeof (header.uuid); i++)
> > > - if (header.uuid[i] != '-')
> > > - uuid[j++] = header.uuid[i];
> > > - uuid[j] = '\0';
> > > -
> > > - if (cargs->search_uuid != NULL && grub_strcasecmp (cargs->search_uuid, uuid) != 0)
> > > + if (cargs->search_uuid != NULL && grub_uuidcasecmp (cargs->search_uuid, header.uuid, sizeof (header.uuid)) != 0)
> > > {
> > > - grub_dprintf ("luks2", "%s != %s\n", uuid, cargs->search_uuid);
> > > + grub_dprintf ("luks2", "%s != %s\n", header.uuid, cargs->search_uuid);
> > > return NULL;
> > > }
> >
> > Same here.
> >
> > > @@ -377,8 +370,8 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
> > > if (!cryptodisk)
> > > return NULL;
> > >
> > > - COMPILE_TIME_ASSERT (sizeof (cryptodisk->uuid) >= sizeof (uuid));
> > > - grub_memcpy (cryptodisk->uuid, uuid, sizeof (uuid));
> > > + COMPILE_TIME_ASSERT (sizeof (cryptodisk->uuid) >= sizeof (header.uuid));
> > > + grub_memcpy (cryptodisk->uuid, header.uuid, sizeof (header.uuid));
> >
> > And here.
> >
> > Patrick
> >
> > > cryptodisk->modname = "luks2";
> > > return cryptodisk;
> > > diff --git a/include/grub/misc.h b/include/grub/misc.h
> > > index 1c25c1767..76c5c7992 100644
> > > --- a/include/grub/misc.h
> > > +++ b/include/grub/misc.h
> > > @@ -244,6 +244,38 @@ grub_strncasecmp (const char *s1, const char *s2, grub_size_t n)
> > > - (int) grub_tolower ((grub_uint8_t) *s2);
> > > }
> > >
> > > +/*
> > > + * Do a case insensitive compare of two UUID strings by ignoring all dashes.
> > > + * Note that the parameter n, is the number of significant characters to
> > > + * compare, where significant characters are any except the dash.
> > > + */
> > > +static inline int
> > > +grub_uuidcasecmp (const char *uuid1, const char *uuid2, grub_size_t n)
> > > +{
> > > + if (n == 0)
> > > + return 0;
> > > +
> > > + while (*uuid1 && *uuid2 && --n)
> > > + {
> > > + /* Skip forward to non-dash on both UUIDs. */
> > > + while ('-' == *uuid1)
> > > + ++uuid1;
> > > +
> > > + while ('-' == *uuid2)
> > > + ++uuid2;
> > > +
> > > + if (grub_tolower ((grub_uint8_t) *uuid1)
> > > + != grub_tolower ((grub_uint8_t) *uuid2))
> > > + break;
> > > +
> > > + uuid1++;
> > > + uuid2++;
> > > + }
> > > +
> > > + return (int) grub_tolower ((grub_uint8_t) *uuid1)
> > > + - (int) grub_tolower ((grub_uint8_t) *uuid2);
> > > +}
> > > +
> > > /*
> > > * Note that these differ from the C standard's definitions of strtol,
> > > * strtoul(), and strtoull() by the addition of two const qualifiers on the end
> > > --
> > > 2.34.1
> > >
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2022-09-06 15:26 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-19 23:06 [PATCH v6 0/2] cryptodisk: Allows UUIDs to be compared in a dash-insensitive manner Glenn Washburn
2022-08-19 23:06 ` [PATCH v6 1/2] misc: Add cast in grub_strncasecmp() to drop sign when calling grub_tolower() Glenn Washburn
2022-08-19 23:06 ` [PATCH v6 2/2] cryptodisk: Allows UUIDs to be compared in a dash-insensitive manner Glenn Washburn
2022-08-29 5:38 ` Patrick Steinhardt
2022-08-30 20:12 ` Glenn Washburn
2022-09-06 15:28 ` Patrick Steinhardt [this message]
2022-10-06 13:38 ` Daniel Kiper
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YxdnKLGzZIHVer4s@tanuki \
--to=ps@pks.im \
--cc=development@efficientek.com \
--cc=dkiper@net-space.pl \
--cc=grub-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.