From: Jonas Meurer
To: Ondrej Kozina, dm-crypt
Date: Fri, 31 Jan 2020 14:55:49 +0100
Subject: Re: [dm-crypt] how to get keyslog PBKDF settings via libcryptsetup

Hello,

Ondrej Kozina:
> For anyone interested,
>
> there was a minor bug in LUKS1 crypt_keyslot_get_pbkdf() where we
> returned pbkdf values even for an inactive keyslot. It was fixed with
> commit
> https://gitlab.com/cryptsetup/cryptsetup/commit/47d0cf495dae03822c76ef2ef482f940208d9062
> and it will get distributed with upstream 2.3.0 release.

And for anyone interested in my code example, the major bug was there. I
passed 'ki' (which is the flag that indicates the keyslot status) instead
of 'j' (the keyslot number) to crypt_keyslot_get_pbkdf(). Thanks to
Ondrej for pointing that out!

Here's a fixed version of my example code:

#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <libcryptsetup.h>

int main(int argc, char *argv[]) {
    /* argv[1]: LUKS1 or LUKS2, argv[2]: path to the LUKS device */
    if (argc != 3 || (strcmp(argv[1], CRYPT_LUKS1) != 0 &&
                      strcmp(argv[1], CRYPT_LUKS2) != 0))
        errx(EXIT_FAILURE, "expects LUKS1/LUKS2 as first and LUKS device as second argument");

    struct crypt_device *cd = NULL;
    if (crypt_init(&cd, argv[2]) < 0)
        err(EXIT_FAILURE, "crypt_init failed");
    if (crypt_load(cd, argv[1], NULL) < 0)
        err(EXIT_FAILURE, "crypt_load failed");

    fprintf(stderr, "Device %s (type %s)\n", argv[2], crypt_get_type(cd));

    int ks_max = crypt_keyslot_max(crypt_get_type(cd));
    for (int j = 0; j < ks_max; j++) {
        /* Only query PBKDF parameters of keyslots that are in use. */
        crypt_keyslot_info ki = crypt_keyslot_status(cd, j);
        if (ki != CRYPT_SLOT_ACTIVE && ki != CRYPT_SLOT_ACTIVE_LAST)
            continue;
        fprintf(stderr, "Active keyslot %d: %d\n", j, ki);

        /* Pass the keyslot number 'j' here, not the status 'ki'. */
        struct crypt_pbkdf_type pbkdf_ki;
        int res = crypt_keyslot_get_pbkdf(cd, j, &pbkdf_ki);
        fprintf(stderr, "  return code: %d\n", res);
        if (res < 0)
            continue; /* pbkdf_ki was not filled in */
        /* Both fields are uint32_t, so print them as unsigned. */
        fprintf(stderr, "  iterations: %u\n", pbkdf_ki.iterations);
        fprintf(stderr, "  max_memory_kb: %u\n", pbkdf_ki.max_memory_kb);
    }

    crypt_free(cd);
    return EXIT_SUCCESS;
}

Cheers
 jonas