public inbox for dm-crypt@saout.de
From: Jonas Meurer <jonas@freesources.org>
To: Ondrej Kozina <okozina@redhat.com>, dm-crypt <dm-crypt@saout.de>
Subject: Re: [dm-crypt] how to get keyslog PBKDF settings via libcryptsetup
Date: Fri, 31 Jan 2020 14:55:49 +0100
Message-ID: <d7ff66c0-6060-90e8-e45b-d1fc0b2d4cff@freesources.org>
In-Reply-To: <f97b602f-f88f-7d9f-9cb9-4d7fa32b76dd@redhat.com>


Hello,

Ondrej Kozina:
> For anyone interested,
> 
> there was a minor bug in LUKS1 crypt_keyslot_get_pbkdf() where we
> returned pbkdf values even for an inactive keyslot. It was fixed with
> commit
> https://gitlab.com/cryptsetup/cryptsetup/commit/47d0cf495dae03822c76ef2ef482f940208d9062
> and it will get distributed with upstream 2.3.0 release.

And for anyone interested in my code example, the major bug was there. I
passed 'ki' (which is the flag that indicates the keyslot status)
instead of 'j' (the keyslot number) to crypt_keyslot_get_pbkdf(). Thanks
to Ondrej for pointing that out!

Here's a fixed version of my example code:

#include <stdlib.h>
#include <stdio.h>
#include <err.h>
#include <string.h>

#include <libcryptsetup.h>

int main(int argc, char *argv[]) {
    if (argc != 3 || (strcmp(argv[1], CRYPT_LUKS1) != 0 &&
                      strcmp(argv[1], CRYPT_LUKS2) != 0))
        errx(EXIT_FAILURE, "expects LUKS1/LUKS2 as first and LUKS device "
                           "as second argument");
    struct crypt_device *cd = NULL;
    /* libcryptsetup returns a negative errno value and need not set errno,
     * so report strerror(-rc) with errx() instead of relying on err(). */
    int rc = crypt_init(&cd, argv[2]);
    if (rc < 0)
        errx(EXIT_FAILURE, "crypt_init failed: %s", strerror(-rc));
    rc = crypt_load(cd, argv[1], NULL);
    if (rc < 0)
        errx(EXIT_FAILURE, "crypt_load failed: %s", strerror(-rc));
    fprintf(stderr, "Device %s (type %s)\n", argv[2], crypt_get_type(cd));
    int ks_max = crypt_keyslot_max(crypt_get_type(cd));
    for (int j = 0; j < ks_max; j++) {
        /* ki is only the status flag of keyslot j, not a keyslot number */
        crypt_keyslot_info ki = crypt_keyslot_status(cd, j);
        if (ki != CRYPT_SLOT_ACTIVE && ki != CRYPT_SLOT_ACTIVE_LAST)
            continue;
        fprintf(stderr, "Active keyslot %d: %d\n", j, ki);
        struct crypt_pbkdf_type pbkdf_ki;
        /* pass the keyslot number j here */
        int res = crypt_keyslot_get_pbkdf(cd, j, &pbkdf_ki);
        fprintf(stderr, "  return code: %d\n", res);
        if (res < 0)
            continue; /* pbkdf_ki is not guaranteed to be filled in on failure */
        /* the crypt_pbkdf_type fields are uint32_t, so print them with %u */
        fprintf(stderr, "  iterations: %u\n", pbkdf_ki.iterations);
        fprintf(stderr, "  max_memory_kb: %u\n", pbkdf_ki.max_memory_kb);
    }
    crypt_free(cd);
    return EXIT_SUCCESS;
}

Cheers
 jonas

