[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 4/5] Cryptomount support plain dm-crypt
|
From: |
Vladimir 'φ-coder/phcoder' Serbinenko |
|
Subject: |
Re: [PATCH 4/5] Cryptomount support plain dm-crypt |
|
Date: |
Fri, 12 Feb 2016 16:19:47 +0100 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Icedove/38.5.0 |
On 29.06.2015 16:30, John Lane wrote:
> From: John Lane <address@hidden>
>
> ---
> grub-core/disk/cryptodisk.c | 298
> +++++++++++++++++++++++++++++++++++++++++++-
> grub-core/disk/luks.c | 195 +----------------------------
> include/grub/cryptodisk.h | 8 ++
> 3 files changed, 310 insertions(+), 191 deletions(-)
>
> diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
> index a27e70c..cd5cfc9 100644
> --- a/grub-core/disk/cryptodisk.c
> +++ b/grub-core/disk/cryptodisk.c
> @@ -44,6 +44,12 @@ static const struct grub_arg_option options[] =
> {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
> {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0,
> ARG_TYPE_INT},
> {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0,
> ARG_TYPE_INT},
> + {"plain", 'p', 0, N_("Plain (no LUKS header)"), 0, ARG_TYPE_NONE},
> + {"cipher", 'c', 0, N_("Plain mode cipher"), 0, ARG_TYPE_STRING},
> + {"digest", 'd', 0, N_("Plain mode passphrase digest (hash)"), 0,
> ARG_TYPE_STRING},
> + {"offset", 'o', 0, N_("Plain mode data sector offset"), 0, ARG_TYPE_INT},
> + {"size", 's', 0, N_("Size of raw device (sectors, defaults to whole
> device)"), 0, ARG_TYPE_INT},
> + {"key-size", 'K', 0, N_("Set key size (bits)"), 0, ARG_TYPE_INT},
> {0, 0, 0, 0, 0, 0}
> };
>
This is hairy, doesn't fit into cryptomount syntax and not maintainable.
Can we have a separate command for this?
> @@ -927,6 +933,48 @@ grub_cryptodisk_scan_device (const char *name,
> return have_it && search_uuid ? 1 : 0;
> }
>
> +/* Hashes a passphrase into a key and stores it with cipher. */
> +static gcry_err_code_t
> +set_passphrase (grub_cryptodisk_t dev, grub_size_t keysize, const char
> *passphrase)
> +{
> + grub_uint8_t derived_hash[GRUB_CRYPTODISK_MAX_KEYLEN * 2], *dh =
> derived_hash;
> + char *p;
> + unsigned int round, i;
> + unsigned int len, size;
> +
> + /* Need no passphrase if there's no key */
> + if (keysize == 0)
> + return GPG_ERR_INV_KEYLEN;
> +
> + /* Hack to support the "none" hash */
> + if (dev->hash)
> + len = dev->hash->mdlen;
> + else
> + len = grub_strlen (passphrase);
> +
> + if (keysize > GRUB_CRYPTODISK_MAX_KEYLEN || len >
> GRUB_CRYPTODISK_MAX_KEYLEN)
> + return GPG_ERR_INV_KEYLEN;
> +
> + p = grub_malloc (grub_strlen (passphrase) + 2 + keysize / len);
> + if (!p)
> + return grub_errno;
> +
> + for (round = 0, size = keysize; size; round++, dh += len, size -= len)
> + {
> + for (i = 0; i < round; i++)
> + p[i] = 'A';
> +
> + grub_strcpy (p + i, passphrase);
> +
> + if (len > size)
> + len = size;
> +
> + grub_crypto_hash (dev->hash, dh, p, grub_strlen (p));
> + }
> +
> + return grub_cryptodisk_setkey (dev, derived_hash, keysize);
> +}
> +
> static grub_err_t
> grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
> {
> @@ -1046,7 +1094,63 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int
> argc, char **args)
> return GRUB_ERR_NONE;
> }
>
> - err = grub_cryptodisk_scan_device_real (args[0], disk);
> + if (state[7].set) /* Plain mode */
> + {
> + char *cipher;
> + char *mode;
> + char *digest;
> + int offset, size, key_size;
> +
> + cipher = grub_strdup (state[8].set ? state[8].arg :
> GRUB_CRYPTODISK_PLAIN_CIPHER);
> + digest = grub_strdup (state[9].set ? state[9].arg :
> GRUB_CRYPTODISK_PLAIN_DIGEST);
> + offset = state[10].set ? grub_strtoul (state[10].arg, 0, 0) : 0;
> + size = state[11].set ? grub_strtoul (state[11].arg, 0, 0) : 0;
> + key_size = ( state[12].set ? grub_strtoul (state[12].arg, 0, 0) \
> + : GRUB_CRYPTODISK_PLAIN_KEYSIZE ) / 8;
> +
> + /* no strtok, do it manually */
> + mode = grub_strchr(cipher,'-');
> + if (!mode)
> + return GRUB_ERR_BAD_ARGUMENT;
> + else
> + *mode++ = 0;
> +
> + dev = grub_cryptodisk_create (disk, NULL, cipher, mode, digest);
> +
> + dev->offset = offset;
> + if (size) dev->total_length = size;
> +
> + if (key)
> + {
> + err = grub_cryptodisk_setkey (dev, key, key_size);
> + if (err)
> + return err;
> + }
> + else
> + {
> + char passphrase[GRUB_CRYPTODISK_MAX_PASSPHRASE] = "";
> +
> + grub_printf_ (N_("Enter passphrase for %s: "), diskname);
> + if (!grub_password_get (passphrase,
> GRUB_CRYPTODISK_MAX_PASSPHRASE))
> + return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not
> supplied");
> +
> + err = set_passphrase (dev, key_size, passphrase);
> + if (err)
> + {
> + grub_crypto_cipher_close (dev->cipher);
> + return err;
> + }
> + }
> +
> + grub_cryptodisk_insert (dev, diskname, disk);
> +
> + grub_free (cipher);
> + grub_free (digest);
> +
> + err = GRUB_ERR_NONE;
> + }
> + else
> + err = grub_cryptodisk_scan_device_real (args[0], disk);
>
> grub_disk_close (disk);
>
> @@ -1177,13 +1281,203 @@ struct grub_procfs_entry luks_script =
> .get_contents = luks_script_get
> };
>
> +grub_cryptodisk_t
> +grub_cryptodisk_create (grub_disk_t disk, char *uuid,
> + char *ciphername, char *ciphermode, char *hashspec)
> +{
> + grub_cryptodisk_t newdev;
> + char *cipheriv = NULL;
> + grub_crypto_cipher_handle_t cipher = NULL, secondary_cipher = NULL;
> + grub_crypto_cipher_handle_t essiv_cipher = NULL;
> + const gcry_md_spec_t *hash = NULL, *essiv_hash = NULL;
> + const struct gcry_cipher_spec *ciph;
> + grub_cryptodisk_mode_t mode;
> + grub_cryptodisk_mode_iv_t mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64;
> + int benbi_log = 0;
> +
> + if (!uuid)
> + uuid = (char*)"00000000000000000000000000000000";
> +
> + ciph = grub_crypto_lookup_cipher_by_name (ciphername);
> + if (!ciph)
> + {
> + grub_error (GRUB_ERR_FILE_NOT_FOUND, "Cipher %s isn't available",
> + ciphername);
> + return NULL;
> + }
> +
> + /* Configure the cipher used for the bulk data. */
> + cipher = grub_crypto_cipher_open (ciph);
> + if (!cipher)
> + return NULL;
> +
> + /* Configure the cipher mode. */
> + if (grub_strcmp (ciphermode, "ecb") == 0)
> + {
> + mode = GRUB_CRYPTODISK_MODE_ECB;
> + mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
> + cipheriv = NULL;
> + }
> + else if (grub_strcmp (ciphermode, "plain") == 0)
> + {
> + mode = GRUB_CRYPTODISK_MODE_CBC;
> + mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
> + cipheriv = NULL;
> + }
> + else if (grub_memcmp (ciphermode, "cbc-", sizeof ("cbc-") - 1) == 0)
> + {
> + mode = GRUB_CRYPTODISK_MODE_CBC;
> + cipheriv = ciphermode + sizeof ("cbc-") - 1;
> + }
> + else if (grub_memcmp (ciphermode, "pcbc-", sizeof ("pcbc-") - 1) == 0)
> + {
> + mode = GRUB_CRYPTODISK_MODE_PCBC;
> + cipheriv = ciphermode + sizeof ("pcbc-") - 1;
> + }
> + else if (grub_memcmp (ciphermode, "xts-", sizeof ("xts-") - 1) == 0)
> + {
> + mode = GRUB_CRYPTODISK_MODE_XTS;
> + cipheriv = ciphermode + sizeof ("xts-") - 1;
> + secondary_cipher = grub_crypto_cipher_open (ciph);
> + if (!secondary_cipher)
> + {
> + grub_crypto_cipher_close (cipher);
> + return NULL;
> + }
> + if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
> + {
> + grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d",
> + cipher->cipher->blocksize);
> + grub_crypto_cipher_close (cipher);
> + grub_crypto_cipher_close (secondary_cipher);
> + return NULL;
> + }
> + if (secondary_cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
> + {
> + grub_crypto_cipher_close (cipher);
> + grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d",
> + secondary_cipher->cipher->blocksize);
> + grub_crypto_cipher_close (secondary_cipher);
> + return NULL;
> + }
> + }
> + else if (grub_memcmp (ciphermode, "lrw-", sizeof ("lrw-") - 1) == 0)
> + {
> + mode = GRUB_CRYPTODISK_MODE_LRW;
> + cipheriv = ciphermode + sizeof ("lrw-") - 1;
> + if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
> + {
> + grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported LRW block size: %d",
> + cipher->cipher->blocksize);
> + grub_crypto_cipher_close (cipher);
> + return NULL;
> + }
> + }
> + else
> + {
> + grub_crypto_cipher_close (cipher);
> + grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown cipher mode: %s",
> + ciphermode);
> + return NULL;
> + }
> +
> + if (cipheriv == NULL);
> + else if (grub_memcmp (cipheriv, "plain", sizeof ("plain") - 1) == 0)
> + mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
> + else if (grub_memcmp (cipheriv, "plain64", sizeof ("plain64") - 1) == 0)
> + mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64;
> + else if (grub_memcmp (cipheriv, "benbi", sizeof ("benbi") - 1) == 0)
> + {
> + if (cipher->cipher->blocksize & (cipher->cipher->blocksize - 1)
> + || cipher->cipher->blocksize == 0)
> + grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported benbi blocksize: %d",
> + cipher->cipher->blocksize);
> + /* FIXME should we return an error here? */
> + for (benbi_log = 0;
> + (cipher->cipher->blocksize << benbi_log) < GRUB_DISK_SECTOR_SIZE;
> + benbi_log++);
> + mode_iv = GRUB_CRYPTODISK_MODE_IV_BENBI;
> + }
> + else if (grub_memcmp (cipheriv, "null", sizeof ("null") - 1) == 0)
> + mode_iv = GRUB_CRYPTODISK_MODE_IV_NULL;
> + else if (grub_memcmp (cipheriv, "essiv:", sizeof ("essiv:") - 1) == 0)
> + {
> + char *hash_str = cipheriv + 6;
> +
> + mode_iv = GRUB_CRYPTODISK_MODE_IV_ESSIV;
> +
> + /* Configure the hash and cipher used for ESSIV. */
> + essiv_hash = grub_crypto_lookup_md_by_name (hash_str);
> + if (!essiv_hash)
> + {
> + grub_crypto_cipher_close (cipher);
> + grub_crypto_cipher_close (secondary_cipher);
> + grub_error (GRUB_ERR_FILE_NOT_FOUND,
> + "Couldn't load %s hash", hash_str);
> + return NULL;
> + }
> + essiv_cipher = grub_crypto_cipher_open (ciph);
> + if (!essiv_cipher)
> + {
> + grub_crypto_cipher_close (cipher);
> + grub_crypto_cipher_close (secondary_cipher);
> + return NULL;
> + }
> + }
> + else
> + {
> + grub_crypto_cipher_close (cipher);
> + grub_crypto_cipher_close (secondary_cipher);
> + grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown IV mode: %s",
> + cipheriv);
> + return NULL;
> + }
> +
> + /* Configure the passphrase hash (LUKS also uses AF splitter and HMAC). */
> + hash = grub_crypto_lookup_md_by_name (hashspec);
> + if (!hash)
> + {
> + grub_crypto_cipher_close (cipher);
> + grub_crypto_cipher_close (essiv_cipher);
> + grub_crypto_cipher_close (secondary_cipher);
> + grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash",
> + hashspec);
> + return NULL;
> + }
> +
> + newdev = grub_zalloc (sizeof (struct grub_cryptodisk));
> + if (!newdev)
> + {
> + grub_crypto_cipher_close (cipher);
> + grub_crypto_cipher_close (essiv_cipher);
> + grub_crypto_cipher_close (secondary_cipher);
> + return NULL;
> + }
> + newdev->cipher = cipher;
> + newdev->offset = 0;
> + newdev->source_disk = NULL;
> + newdev->benbi_log = benbi_log;
> + newdev->mode = mode;
> + newdev->mode_iv = mode_iv;
> + newdev->secondary_cipher = secondary_cipher;
> + newdev->essiv_cipher = essiv_cipher;
> + newdev->essiv_hash = essiv_hash;
> + newdev->hash = hash;
> + newdev->log_sector_size = 9;
> + newdev->total_length = grub_disk_get_size (disk) - newdev->offset;
> + grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid));
> + COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid));
> +
> + return newdev;
> +}
> +
> static grub_extcmd_t cmd;
>
> GRUB_MOD_INIT (cryptodisk)
> {
> grub_disk_dev_register (&grub_cryptodisk_dev);
> cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
> - N_("SOURCE|-u UUID|-a|-b|-H file"),
> + N_("SOURCE|-u UUID|-a|-b|-H file|-p -c cipher -d
> digest"),
> N_("Mount a crypto device."), options);
> grub_procfs_register ("luks_script", &luks_script);
> }
> diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
> index 11e437e..4ebe21b 100644
> --- a/grub-core/disk/luks.c
> +++ b/grub-core/disk/luks.c
> @@ -30,8 +30,6 @@
>
> GRUB_MOD_LICENSE ("GPLv3+");
>
> -#define MAX_PASSPHRASE 256
> -
> #define LUKS_KEY_ENABLED 0x00AC71F3
>
> /* On disk LUKS header */
> @@ -76,15 +74,7 @@ configure_ciphers (grub_disk_t disk, const char
> *check_uuid,
> char uuid[sizeof (header.uuid) + 1];
> char ciphername[sizeof (header.cipherName) + 1];
> char ciphermode[sizeof (header.cipherMode) + 1];
> - char *cipheriv = NULL;
> char hashspec[sizeof (header.hashSpec) + 1];
> - grub_crypto_cipher_handle_t cipher = NULL, secondary_cipher = NULL;
> - grub_crypto_cipher_handle_t essiv_cipher = NULL;
> - const gcry_md_spec_t *hash = NULL, *essiv_hash = NULL;
> - const struct gcry_cipher_spec *ciph;
> - grub_cryptodisk_mode_t mode;
> - grub_cryptodisk_mode_iv_t mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64;
> - int benbi_log = 0;
> grub_err_t err;
>
> err = GRUB_ERR_NONE;
> @@ -119,7 +109,7 @@ configure_ciphers (grub_disk_t disk, const char
> *check_uuid,
> iptr++)
> {
> if (*iptr != '-')
> - *optr++ = *iptr;
> + *optr++ = *iptr;
> }
> *optr = 0;
>
> @@ -129,6 +119,7 @@ configure_ciphers (grub_disk_t disk, const char
> *check_uuid,
> return NULL;
> }
>
> +
> /* Make sure that strings are null terminated. */
> grub_memcpy (ciphername, header.cipherName, sizeof (header.cipherName));
> ciphername[sizeof (header.cipherName)] = 0;
> @@ -137,184 +128,10 @@ configure_ciphers (grub_disk_t disk, const char
> *check_uuid,
> grub_memcpy (hashspec, header.hashSpec, sizeof (header.hashSpec));
> hashspec[sizeof (header.hashSpec)] = 0;
>
> - ciph = grub_crypto_lookup_cipher_by_name (ciphername);
> - if (!ciph)
> - {
> - grub_error (GRUB_ERR_FILE_NOT_FOUND, "Cipher %s isn't available",
> - ciphername);
> - return NULL;
> - }
> -
> - /* Configure the cipher used for the bulk data. */
> - cipher = grub_crypto_cipher_open (ciph);
> - if (!cipher)
> - return NULL;
> -
> - if (grub_be_to_cpu32 (header.keyBytes) > 1024)
> - {
> - grub_error (GRUB_ERR_BAD_ARGUMENT, "invalid keysize %d",
> - grub_be_to_cpu32 (header.keyBytes));
> - grub_crypto_cipher_close (cipher);
> - return NULL;
> - }
> -
> - /* Configure the cipher mode. */
> - if (grub_strcmp (ciphermode, "ecb") == 0)
> - {
> - mode = GRUB_CRYPTODISK_MODE_ECB;
> - mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
> - cipheriv = NULL;
> - }
> - else if (grub_strcmp (ciphermode, "plain") == 0)
> - {
> - mode = GRUB_CRYPTODISK_MODE_CBC;
> - mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
> - cipheriv = NULL;
> - }
> - else if (grub_memcmp (ciphermode, "cbc-", sizeof ("cbc-") - 1) == 0)
> - {
> - mode = GRUB_CRYPTODISK_MODE_CBC;
> - cipheriv = ciphermode + sizeof ("cbc-") - 1;
> - }
> - else if (grub_memcmp (ciphermode, "pcbc-", sizeof ("pcbc-") - 1) == 0)
> - {
> - mode = GRUB_CRYPTODISK_MODE_PCBC;
> - cipheriv = ciphermode + sizeof ("pcbc-") - 1;
> - }
> - else if (grub_memcmp (ciphermode, "xts-", sizeof ("xts-") - 1) == 0)
> - {
> - mode = GRUB_CRYPTODISK_MODE_XTS;
> - cipheriv = ciphermode + sizeof ("xts-") - 1;
> - secondary_cipher = grub_crypto_cipher_open (ciph);
> - if (!secondary_cipher)
> - {
> - grub_crypto_cipher_close (cipher);
> - return NULL;
> - }
> - if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
> - {
> - grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d",
> - cipher->cipher->blocksize);
> - grub_crypto_cipher_close (cipher);
> - grub_crypto_cipher_close (secondary_cipher);
> - return NULL;
> - }
> - if (secondary_cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
> - {
> - grub_crypto_cipher_close (cipher);
> - grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d",
> - secondary_cipher->cipher->blocksize);
> - grub_crypto_cipher_close (secondary_cipher);
> - return NULL;
> - }
> - }
> - else if (grub_memcmp (ciphermode, "lrw-", sizeof ("lrw-") - 1) == 0)
> - {
> - mode = GRUB_CRYPTODISK_MODE_LRW;
> - cipheriv = ciphermode + sizeof ("lrw-") - 1;
> - if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
> - {
> - grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported LRW block size: %d",
> - cipher->cipher->blocksize);
> - grub_crypto_cipher_close (cipher);
> - return NULL;
> - }
> - }
> - else
> - {
> - grub_crypto_cipher_close (cipher);
> - grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown cipher mode: %s",
> - ciphermode);
> - return NULL;
> - }
> -
> - if (cipheriv == NULL);
> - else if (grub_memcmp (cipheriv, "plain", sizeof ("plain") - 1) == 0)
> - mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
> - else if (grub_memcmp (cipheriv, "plain64", sizeof ("plain64") - 1) == 0)
> - mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64;
> - else if (grub_memcmp (cipheriv, "benbi", sizeof ("benbi") - 1) == 0)
> - {
> - if (cipher->cipher->blocksize & (cipher->cipher->blocksize - 1)
> - || cipher->cipher->blocksize == 0)
> - grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported benbi blocksize: %d",
> - cipher->cipher->blocksize);
> - /* FIXME should we return an error here? */
> - for (benbi_log = 0;
> - (cipher->cipher->blocksize << benbi_log) < GRUB_DISK_SECTOR_SIZE;
> - benbi_log++);
> - mode_iv = GRUB_CRYPTODISK_MODE_IV_BENBI;
> - }
> - else if (grub_memcmp (cipheriv, "null", sizeof ("null") - 1) == 0)
> - mode_iv = GRUB_CRYPTODISK_MODE_IV_NULL;
> - else if (grub_memcmp (cipheriv, "essiv:", sizeof ("essiv:") - 1) == 0)
> - {
> - char *hash_str = cipheriv + 6;
> -
> - mode_iv = GRUB_CRYPTODISK_MODE_IV_ESSIV;
> -
> - /* Configure the hash and cipher used for ESSIV. */
> - essiv_hash = grub_crypto_lookup_md_by_name (hash_str);
> - if (!essiv_hash)
> - {
> - grub_crypto_cipher_close (cipher);
> - grub_crypto_cipher_close (secondary_cipher);
> - grub_error (GRUB_ERR_FILE_NOT_FOUND,
> - "Couldn't load %s hash", hash_str);
> - return NULL;
> - }
> - essiv_cipher = grub_crypto_cipher_open (ciph);
> - if (!essiv_cipher)
> - {
> - grub_crypto_cipher_close (cipher);
> - grub_crypto_cipher_close (secondary_cipher);
> - return NULL;
> - }
> - }
> - else
> - {
> - grub_crypto_cipher_close (cipher);
> - grub_crypto_cipher_close (secondary_cipher);
> - grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown IV mode: %s",
> - cipheriv);
> - return NULL;
> - }
> -
> - /* Configure the hash used for the AF splitter and HMAC. */
> - hash = grub_crypto_lookup_md_by_name (hashspec);
> - if (!hash)
> - {
> - grub_crypto_cipher_close (cipher);
> - grub_crypto_cipher_close (essiv_cipher);
> - grub_crypto_cipher_close (secondary_cipher);
> - grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash",
> - hashspec);
> - return NULL;
> - }
> + newdev = grub_cryptodisk_create (disk, uuid, ciphername, ciphermode,
> hashspec);
>
> - newdev = grub_zalloc (sizeof (struct grub_cryptodisk));
> - if (!newdev)
> - {
> - grub_crypto_cipher_close (cipher);
> - grub_crypto_cipher_close (essiv_cipher);
> - grub_crypto_cipher_close (secondary_cipher);
> - return NULL;
> - }
> - newdev->cipher = cipher;
> newdev->offset = grub_be_to_cpu32 (header.payloadOffset);
> - newdev->source_disk = NULL;
> - newdev->benbi_log = benbi_log;
> - newdev->mode = mode;
> - newdev->mode_iv = mode_iv;
> - newdev->secondary_cipher = secondary_cipher;
> - newdev->essiv_cipher = essiv_cipher;
> - newdev->essiv_hash = essiv_hash;
> - newdev->hash = hash;
> - newdev->log_sector_size = 9;
> - newdev->total_length = grub_disk_get_size (disk) - newdev->offset;
> - grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid));
> newdev->modname = "luks";
> - COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid));
>
> return newdev;
> }
> @@ -329,7 +146,7 @@ luks_recover_key (grub_disk_t source,
> struct grub_luks_phdr header;
> grub_size_t keysize;
> grub_uint8_t *split_key = NULL;
> - char interactive_passphrase[MAX_PASSPHRASE] = "";
> + char interactive_passphrase[GRUB_CRYPTODISK_MAX_PASSPHRASE] = "";
> grub_uint8_t *passphrase;
> grub_size_t passphrase_length;
> grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
> @@ -376,7 +193,7 @@ luks_recover_key (grub_disk_t source,
> /* Use bytestring from key file as passphrase */
> passphrase = keyfile_bytes;
> passphrase_length = keyfile_bytes_size;
> - keyfile_bytes = NULL; /* use it only once */
> + keyfile_bytes = NULL; /* use it only once */
> }
> else
> {
> @@ -387,7 +204,7 @@ luks_recover_key (grub_disk_t source,
> grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "),
> source->name,
> source->partition ? "," : "", tmp ? : "",
> dev->uuid);
> grub_free (tmp);
> - if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
> + if (!grub_password_get (interactive_passphrase,
> GRUB_CRYPTODISK_MAX_PASSPHRASE))
> {
> grub_free (split_key);
> return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not
> supplied");
> diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
> index 0299625..4076412 100644
> --- a/include/grub/cryptodisk.h
> +++ b/include/grub/cryptodisk.h
> @@ -54,9 +54,14 @@ typedef enum
> #define GRUB_CRYPTODISK_GF_LOG_BYTES (GRUB_CRYPTODISK_GF_LOG_SIZE - 3)
> #define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES)
> #define GRUB_CRYPTODISK_MAX_KEYLEN 128
> +#define GRUB_CRYPTODISK_MAX_PASSPHRASE 256
>
> #define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192
>
> +#define GRUB_CRYPTODISK_PLAIN_CIPHER "aes-cbc-essiv:sha256"
> +#define GRUB_CRYPTODISK_PLAIN_DIGEST "ripemd160"
> +#define GRUB_CRYPTODISK_PLAIN_KEYSIZE 256
> +
> struct grub_cryptodisk;
>
> typedef gcry_err_code_t
> @@ -159,4 +164,7 @@ grub_util_get_geli_uuid (const char *dev);
> grub_cryptodisk_t grub_cryptodisk_get_by_uuid (const char *uuid);
> grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk);
>
> +grub_cryptodisk_t grub_cryptodisk_create (grub_disk_t disk, char *uuid,
> + char *ciphername, char *ciphermode, char
> *digest);
> +
> #endif
>
signature.asc
Description: OpenPGP digital signature
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- Re: [PATCH 4/5] Cryptomount support plain dm-crypt,
Vladimir 'φ-coder/phcoder' Serbinenko <=