2 * LUKS - Linux Unified Key Setup, keyslot unlock helpers
4 * Copyright (C) 2022-2023 Red Hat, Inc. All rights reserved.
5 * Copyright (C) 2022-2023 Ondrej Kozina
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 2
10 * of the License, or (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 #include "luks1/luks.h"
25 #include "luks2/luks2.h"
26 #include "keyslot_context.h"
28 static int get_luks2_key_by_passphrase(struct crypt_device *cd,
29 struct crypt_keyslot_context *kc,
32 struct volume_key **r_vk)
37 assert(kc && kc->type == CRYPT_KC_TYPE_PASSPHRASE);
40 r = LUKS2_keyslot_open(cd, keyslot, segment, kc->u.p.passphrase, kc->u.p.passphrase_size, r_vk);
47 static int get_luks1_volume_key_by_passphrase(struct crypt_device *cd,
48 struct crypt_keyslot_context *kc,
50 struct volume_key **r_vk)
55 assert(kc && kc->type == CRYPT_KC_TYPE_PASSPHRASE);
58 r = LUKS_open_key_with_hdr(keyslot, kc->u.p.passphrase, kc->u.p.passphrase_size,
59 crypt_get_hdr(cd, CRYPT_LUKS1), r_vk, cd);
66 static int get_luks2_volume_key_by_passphrase(struct crypt_device *cd,
67 struct crypt_keyslot_context *kc,
69 struct volume_key **r_vk)
71 return get_luks2_key_by_passphrase(cd, kc, keyslot, CRYPT_DEFAULT_SEGMENT, r_vk);
74 static int get_passphrase_by_passphrase(struct crypt_device *cd,
75 struct crypt_keyslot_context *kc,
76 const char **r_passphrase,
77 size_t *r_passphrase_size)
80 assert(kc && kc->type == CRYPT_KC_TYPE_PASSPHRASE);
82 assert(r_passphrase_size);
84 *r_passphrase = kc->u.p.passphrase;
85 *r_passphrase_size = kc->u.p.passphrase_size;
90 static int get_passphrase_by_keyfile(struct crypt_device *cd,
91 struct crypt_keyslot_context *kc,
92 const char **r_passphrase,
93 size_t *r_passphrase_size)
98 assert(kc && kc->type == CRYPT_KC_TYPE_KEYFILE);
100 assert(r_passphrase_size);
102 if (!kc->i_passphrase) {
103 r = crypt_keyfile_device_read(cd, kc->u.kf.keyfile,
104 &kc->i_passphrase, &kc->i_passphrase_size,
105 kc->u.kf.keyfile_offset, kc->u.kf.keyfile_size, 0);
112 *r_passphrase = kc->i_passphrase;
113 *r_passphrase_size = kc->i_passphrase_size;
118 static int get_luks2_key_by_keyfile(struct crypt_device *cd,
119 struct crypt_keyslot_context *kc,
122 struct volume_key **r_vk)
125 const char *passphrase;
126 size_t passphrase_size;
129 assert(kc && kc->type == CRYPT_KC_TYPE_KEYFILE);
132 r = get_passphrase_by_keyfile(cd, kc, &passphrase, &passphrase_size);
136 r = LUKS2_keyslot_open(cd, keyslot, segment, passphrase, passphrase_size, r_vk);
143 static int get_luks2_volume_key_by_keyfile(struct crypt_device *cd,
144 struct crypt_keyslot_context *kc,
146 struct volume_key **r_vk)
148 return get_luks2_key_by_keyfile(cd, kc, keyslot, CRYPT_DEFAULT_SEGMENT, r_vk);
151 static int get_luks1_volume_key_by_keyfile(struct crypt_device *cd,
152 struct crypt_keyslot_context *kc,
154 struct volume_key **r_vk)
157 const char *passphrase;
158 size_t passphrase_size;
161 assert(kc && kc->type == CRYPT_KC_TYPE_KEYFILE);
164 r = get_passphrase_by_keyfile(cd, kc, &passphrase, &passphrase_size);
168 r = LUKS_open_key_with_hdr(keyslot, passphrase, passphrase_size,
169 crypt_get_hdr(cd, CRYPT_LUKS1), r_vk, cd);
176 static int get_key_by_key(struct crypt_device *cd,
177 struct crypt_keyslot_context *kc,
178 int keyslot __attribute__((unused)),
179 int segment __attribute__((unused)),
180 struct volume_key **r_vk)
182 assert(kc && kc->type == CRYPT_KC_TYPE_KEY);
185 if (!kc->u.k.volume_key) {
190 *r_vk = crypt_alloc_volume_key(kc->u.k.volume_key_size, kc->u.k.volume_key);
199 static int get_volume_key_by_key(struct crypt_device *cd,
200 struct crypt_keyslot_context *kc,
201 int keyslot __attribute__((unused)),
202 struct volume_key **r_vk)
204 return get_key_by_key(cd, kc, -2 /* unused */, -2 /* unused */, r_vk);
207 static int get_luks2_key_by_token(struct crypt_device *cd,
208 struct crypt_keyslot_context *kc,
209 int keyslot __attribute__((unused)),
211 struct volume_key **r_vk)
216 assert(kc && kc->type == CRYPT_KC_TYPE_TOKEN);
219 r = LUKS2_token_unlock_key(cd, crypt_get_hdr(cd, CRYPT_LUKS2), kc->u.t.id, kc->u.t.type,
220 kc->u.t.pin, kc->u.t.pin_size, segment, kc->u.t.usrptr, r_vk);
227 static int get_luks2_volume_key_by_token(struct crypt_device *cd,
228 struct crypt_keyslot_context *kc,
229 int keyslot __attribute__((unused)),
230 struct volume_key **r_vk)
232 return get_luks2_key_by_token(cd, kc, -2 /* unused */, CRYPT_DEFAULT_SEGMENT, r_vk);
235 static int get_passphrase_by_token(struct crypt_device *cd,
236 struct crypt_keyslot_context *kc,
237 const char **r_passphrase,
238 size_t *r_passphrase_size)
243 assert(kc && kc->type == CRYPT_KC_TYPE_TOKEN);
244 assert(r_passphrase);
245 assert(r_passphrase_size);
247 if (!kc->i_passphrase) {
248 r = LUKS2_token_unlock_passphrase(cd, crypt_get_hdr(cd, CRYPT_LUKS2), kc->u.t.id,
249 kc->u.t.type, kc->u.t.pin, kc->u.t.pin_size,
250 kc->u.t.usrptr, &kc->i_passphrase, &kc->i_passphrase_size);
258 *r_passphrase = kc->i_passphrase;
259 *r_passphrase_size = kc->i_passphrase_size;
264 static void unlock_method_init_internal(struct crypt_keyslot_context *kc)
269 kc->i_passphrase = NULL;
270 kc->i_passphrase_size = 0;
273 void crypt_keyslot_unlock_by_key_init_internal(struct crypt_keyslot_context *kc,
274 const char *volume_key,
275 size_t volume_key_size)
279 kc->type = CRYPT_KC_TYPE_KEY;
280 kc->u.k.volume_key = volume_key;
281 kc->u.k.volume_key_size = volume_key_size;
282 kc->get_luks2_key = get_key_by_key;
283 kc->get_luks2_volume_key = get_volume_key_by_key;
284 kc->get_luks1_volume_key = get_volume_key_by_key;
285 kc->get_passphrase = NULL; /* keyslot key context does not provide passphrase */
286 unlock_method_init_internal(kc);
289 void crypt_keyslot_unlock_by_passphrase_init_internal(struct crypt_keyslot_context *kc,
290 const char *passphrase,
291 size_t passphrase_size)
295 kc->type = CRYPT_KC_TYPE_PASSPHRASE;
296 kc->u.p.passphrase = passphrase;
297 kc->u.p.passphrase_size = passphrase_size;
298 kc->get_luks2_key = get_luks2_key_by_passphrase;
299 kc->get_luks2_volume_key = get_luks2_volume_key_by_passphrase;
300 kc->get_luks1_volume_key = get_luks1_volume_key_by_passphrase;
301 kc->get_passphrase = get_passphrase_by_passphrase;
302 unlock_method_init_internal(kc);
305 void crypt_keyslot_unlock_by_keyfile_init_internal(struct crypt_keyslot_context *kc,
308 uint64_t keyfile_offset)
312 kc->type = CRYPT_KC_TYPE_KEYFILE;
313 kc->u.kf.keyfile = keyfile;
314 kc->u.kf.keyfile_size = keyfile_size;
315 kc->u.kf.keyfile_offset = keyfile_offset;
316 kc->get_luks2_key = get_luks2_key_by_keyfile;
317 kc->get_luks2_volume_key = get_luks2_volume_key_by_keyfile;
318 kc->get_luks1_volume_key = get_luks1_volume_key_by_keyfile;
319 kc->get_passphrase = get_passphrase_by_keyfile;
320 unlock_method_init_internal(kc);
323 void crypt_keyslot_unlock_by_token_init_internal(struct crypt_keyslot_context *kc,
332 kc->type = CRYPT_KC_TYPE_TOKEN;
336 kc->u.t.pin_size = pin_size;
337 kc->u.t.usrptr = usrptr;
338 kc->get_luks2_key = get_luks2_key_by_token;
339 kc->get_luks2_volume_key = get_luks2_volume_key_by_token;
340 kc->get_luks1_volume_key = NULL; /* LUKS1 is not supported */
341 kc->get_passphrase = get_passphrase_by_token;
342 unlock_method_init_internal(kc);
345 void crypt_keyslot_context_destroy_internal(struct crypt_keyslot_context *kc)
350 crypt_safe_free(kc->i_passphrase);
351 kc->i_passphrase = NULL;
352 kc->i_passphrase_size = 0;
355 void crypt_keyslot_context_free(struct crypt_keyslot_context *kc)
357 crypt_keyslot_context_destroy_internal(kc);
361 int crypt_keyslot_context_init_by_passphrase(struct crypt_device *cd,
362 const char *passphrase,
363 size_t passphrase_size,
364 struct crypt_keyslot_context **kc)
366 struct crypt_keyslot_context *tmp;
368 if (!kc || !passphrase)
371 tmp = malloc(sizeof(*tmp));
375 crypt_keyslot_unlock_by_passphrase_init_internal(tmp, passphrase, passphrase_size);
382 int crypt_keyslot_context_init_by_keyfile(struct crypt_device *cd,
385 uint64_t keyfile_offset,
386 struct crypt_keyslot_context **kc)
388 struct crypt_keyslot_context *tmp;
393 tmp = malloc(sizeof(*tmp));
397 crypt_keyslot_unlock_by_keyfile_init_internal(tmp, keyfile, keyfile_size, keyfile_offset);
404 int crypt_keyslot_context_init_by_token(struct crypt_device *cd,
407 const char *pin, size_t pin_size,
409 struct crypt_keyslot_context **kc)
411 struct crypt_keyslot_context *tmp;
413 if (!kc || (token < 0 && token != CRYPT_ANY_TOKEN))
416 tmp = malloc(sizeof(*tmp));
420 crypt_keyslot_unlock_by_token_init_internal(tmp, token, type, pin, pin_size, usrptr);
427 int crypt_keyslot_context_init_by_volume_key(struct crypt_device *cd,
428 const char *volume_key,
429 size_t volume_key_size,
430 struct crypt_keyslot_context **kc)
432 struct crypt_keyslot_context *tmp;
437 tmp = malloc(sizeof(*tmp));
441 crypt_keyslot_unlock_by_key_init_internal(tmp, volume_key, volume_key_size);
448 int crypt_keyslot_context_get_error(struct crypt_keyslot_context *kc)
450 return kc ? kc->error : -EINVAL;
453 int crypt_keyslot_context_set_pin(struct crypt_device *cd,
454 const char *pin, size_t pin_size,
455 struct crypt_keyslot_context *kc)
457 if (!kc || kc->type != CRYPT_KC_TYPE_TOKEN)
461 kc->u.t.pin_size = pin_size;
467 int crypt_keyslot_context_get_type(const struct crypt_keyslot_context *kc)
469 return kc ? kc->type : -EINVAL;
472 const char *keyslot_context_type_string(const struct crypt_keyslot_context *kc)
477 case CRYPT_KC_TYPE_PASSPHRASE:
479 case CRYPT_KC_TYPE_KEYFILE:
481 case CRYPT_KC_TYPE_TOKEN:
483 case CRYPT_KC_TYPE_KEY: