2 * LUKS - Linux Unified Key Setup v2, LUKS2 type keyslot handler
4 * Copyright (C) 2015-2023 Red Hat, Inc. All rights reserved.
5 * Copyright (C) 2015-2023 Milan Broz
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 2
10 * of the License, or (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 #include "luks2_internal.h"
25 /* FIXME: move keyslot encryption to crypto backend */
26 #include "../luks1/af.h"
28 #define LUKS_SALTSIZE 32
29 #define LUKS_SLOT_ITERATIONS_MIN 1000
30 #define LUKS_STRIPES 4000
32 /* Serialize memory-hard keyslot access: optional workaround for parallel processing */
33 #define MIN_MEMORY_FOR_SERIALIZE_LOCK_KB 32*1024 /* 32MB */
35 /* coverity[ -taint_source : arg-0 ] */
36 static int luks2_encrypt_to_storage(char *src, size_t srcLength,
37 const char *cipher, const char *cipher_mode,
38 struct volume_key *vk, unsigned int sector,
39 struct crypt_device *cd)
41 #ifndef ENABLE_AF_ALG /* Support for old kernel without Crypto API */
42 return LUKS_encrypt_to_storage(src, srcLength, cipher, cipher_mode, vk, sector, cd);
44 struct crypt_storage *s;
46 struct device *device = crypt_metadata_device(cd);
48 /* Only whole sector writes supported */
49 if (MISALIGNED_512(srcLength))
53 r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, vk->key, vk->keylength, false);
55 log_err(cd, _("Cannot use %s-%s cipher for keyslot encryption."), cipher, cipher_mode);
59 r = crypt_storage_encrypt(s, 0, srcLength, src);
60 crypt_storage_destroy(s);
62 log_err(cd, _("IO error while encrypting keyslot."));
66 devfd = device_open_locked(cd, device, O_RDWR);
68 if (write_lseek_blockwise(devfd, device_block_size(cd, device),
69 device_alignment(device), src,
70 srcLength, sector * SECTOR_SIZE) < 0)
75 device_sync(cd, device);
80 log_err(cd, _("IO error while encrypting keyslot."));
86 static int luks2_decrypt_from_storage(char *dst, size_t dstLength,
87 const char *cipher, const char *cipher_mode, struct volume_key *vk,
88 unsigned int sector, struct crypt_device *cd)
90 struct device *device = crypt_metadata_device(cd);
91 #ifndef ENABLE_AF_ALG /* Support for old kernel without Crypto API */
92 int r = device_read_lock(cd, device);
94 log_err(cd, _("Failed to acquire read lock on device %s."), device_path(device));
97 r = LUKS_decrypt_from_storage(dst, dstLength, cipher, cipher_mode, vk, sector, cd);
98 device_read_unlock(cd, crypt_metadata_device(cd));
101 struct crypt_storage *s;
104 /* Only whole sector writes supported */
105 if (MISALIGNED_512(dstLength))
108 r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, vk->key, vk->keylength, false);
110 log_err(cd, _("Cannot use %s-%s cipher for keyslot encryption."), cipher, cipher_mode);
114 r = device_read_lock(cd, device);
116 log_err(cd, _("Failed to acquire read lock on device %s."),
117 device_path(device));
118 crypt_storage_destroy(s);
122 devfd = device_open_locked(cd, device, O_RDONLY);
124 if (read_lseek_blockwise(devfd, device_block_size(cd, device),
125 device_alignment(device), dst,
126 dstLength, sector * SECTOR_SIZE) < 0)
133 device_read_unlock(cd, device);
137 r = crypt_storage_decrypt(s, 0, dstLength, dst);
139 log_err(cd, _("IO error while decrypting keyslot."));
141 crypt_storage_destroy(s);
146 static int luks2_keyslot_get_pbkdf_params(json_object *jobj_keyslot,
147 struct crypt_pbkdf_type *pbkdf, char **salt)
149 json_object *jobj_kdf, *jobj1, *jobj2;
153 if (!jobj_keyslot || !pbkdf)
156 memset(pbkdf, 0, sizeof(*pbkdf));
158 if (!json_object_object_get_ex(jobj_keyslot, "kdf", &jobj_kdf))
161 if (!json_object_object_get_ex(jobj_kdf, "type", &jobj1))
163 pbkdf->type = json_object_get_string(jobj1);
164 if (!strcmp(pbkdf->type, CRYPT_KDF_PBKDF2)) {
165 if (!json_object_object_get_ex(jobj_kdf, "hash", &jobj2))
167 pbkdf->hash = json_object_get_string(jobj2);
168 if (!json_object_object_get_ex(jobj_kdf, "iterations", &jobj2))
170 pbkdf->iterations = json_object_get_int(jobj2);
171 pbkdf->max_memory_kb = 0;
172 pbkdf->parallel_threads = 0;
174 if (!json_object_object_get_ex(jobj_kdf, "time", &jobj2))
176 pbkdf->iterations = json_object_get_int(jobj2);
177 if (!json_object_object_get_ex(jobj_kdf, "memory", &jobj2))
179 pbkdf->max_memory_kb = json_object_get_int(jobj2);
180 if (!json_object_object_get_ex(jobj_kdf, "cpus", &jobj2))
182 pbkdf->parallel_threads = json_object_get_int(jobj2);
185 if (!json_object_object_get_ex(jobj_kdf, "salt", &jobj2))
188 r = crypt_base64_decode(salt, &salt_len, json_object_get_string(jobj2),
189 json_object_get_string_len(jobj2));
193 if (salt_len != LUKS_SALTSIZE) {
201 static int luks2_keyslot_set_key(struct crypt_device *cd,
202 json_object *jobj_keyslot,
203 const char *password, size_t passwordLen,
204 const char *volume_key, size_t volume_key_len)
206 struct volume_key *derived_key;
207 char *salt = NULL, cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
209 const char *af_hash = NULL;
210 size_t AFEKSize, keyslot_key_len;
211 json_object *jobj2, *jobj_kdf, *jobj_af, *jobj_area;
212 uint64_t area_offset;
213 struct crypt_pbkdf_type pbkdf;
216 if (!json_object_object_get_ex(jobj_keyslot, "kdf", &jobj_kdf) ||
217 !json_object_object_get_ex(jobj_keyslot, "af", &jobj_af) ||
218 !json_object_object_get_ex(jobj_keyslot, "area", &jobj_area))
221 /* prevent accidental volume key size change after allocation */
222 if (!json_object_object_get_ex(jobj_keyslot, "key_size", &jobj2))
224 if (json_object_get_int(jobj2) != (int)volume_key_len)
227 if (!json_object_object_get_ex(jobj_area, "offset", &jobj2))
229 area_offset = crypt_jobj_get_uint64(jobj2);
231 if (!json_object_object_get_ex(jobj_area, "encryption", &jobj2))
233 r = crypt_parse_name_and_mode(json_object_get_string(jobj2), cipher, NULL, cipher_mode);
237 if (!json_object_object_get_ex(jobj_area, "key_size", &jobj2))
239 keyslot_key_len = json_object_get_int(jobj2);
241 if (!json_object_object_get_ex(jobj_af, "hash", &jobj2))
243 af_hash = json_object_get_string(jobj2);
245 r = luks2_keyslot_get_pbkdf_params(jobj_keyslot, &pbkdf, &salt);
250 * Allocate derived key storage.
252 derived_key = crypt_alloc_volume_key(keyslot_key_len, NULL);
258 * Calculate keyslot content, split and store it to keyslot area.
260 log_dbg(cd, "Running keyslot key derivation.");
261 r = crypt_pbkdf(pbkdf.type, pbkdf.hash, password, passwordLen,
263 derived_key->key, derived_key->keylength,
264 pbkdf.iterations, pbkdf.max_memory_kb,
265 pbkdf.parallel_threads);
268 if ((crypt_backend_flags() & CRYPT_BACKEND_PBKDF2_INT) &&
269 pbkdf.iterations > INT_MAX)
270 log_err(cd, _("PBKDF2 iteration value overflow."));
271 crypt_free_volume_key(derived_key);
275 // FIXME: verity key_size to AFEKSize
276 AFEKSize = AF_split_sectors(volume_key_len, LUKS_STRIPES) * SECTOR_SIZE;
277 AfKey = crypt_safe_alloc(AFEKSize);
279 crypt_free_volume_key(derived_key);
283 r = crypt_hash_size(af_hash);
285 log_err(cd, _("Hash algorithm %s is not available."), af_hash);
287 r = AF_split(cd, volume_key, AfKey, volume_key_len, LUKS_STRIPES, af_hash);
290 log_dbg(cd, "Updating keyslot area [0x%04" PRIx64 "].", area_offset);
291 /* FIXME: sector_offset should be size_t, fix LUKS_encrypt... accordingly */
292 r = luks2_encrypt_to_storage(AfKey, AFEKSize, cipher, cipher_mode,
293 derived_key, (unsigned)(area_offset / SECTOR_SIZE), cd);
296 crypt_safe_free(AfKey);
297 crypt_free_volume_key(derived_key);
304 static int luks2_keyslot_get_key(struct crypt_device *cd,
305 json_object *jobj_keyslot,
306 const char *password, size_t passwordLen,
307 char *volume_key, size_t volume_key_len)
309 struct volume_key *derived_key = NULL;
310 struct crypt_pbkdf_type pbkdf;
313 const char *af_hash = NULL;
314 char *salt = NULL, cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
315 json_object *jobj2, *jobj_af, *jobj_area;
316 uint64_t area_offset;
317 size_t keyslot_key_len;
318 bool try_serialize_lock = false;
321 if (!json_object_object_get_ex(jobj_keyslot, "af", &jobj_af) ||
322 !json_object_object_get_ex(jobj_keyslot, "area", &jobj_area))
325 if (!json_object_object_get_ex(jobj_af, "hash", &jobj2))
327 af_hash = json_object_get_string(jobj2);
329 if (!json_object_object_get_ex(jobj_area, "offset", &jobj2))
331 area_offset = crypt_jobj_get_uint64(jobj2);
333 if (!json_object_object_get_ex(jobj_area, "encryption", &jobj2))
335 r = crypt_parse_name_and_mode(json_object_get_string(jobj2), cipher, NULL, cipher_mode);
339 if (!json_object_object_get_ex(jobj_area, "key_size", &jobj2))
341 keyslot_key_len = json_object_get_int(jobj2);
343 r = luks2_keyslot_get_pbkdf_params(jobj_keyslot, &pbkdf, &salt);
348 * Allocate derived key storage space.
350 derived_key = crypt_alloc_volume_key(keyslot_key_len, NULL);
356 AFEKSize = AF_split_sectors(volume_key_len, LUKS_STRIPES) * SECTOR_SIZE;
357 AfKey = crypt_safe_alloc(AFEKSize);
364 * If requested, serialize unlocking for memory-hard KDF. Usually NOOP.
366 if (pbkdf.max_memory_kb > MIN_MEMORY_FOR_SERIALIZE_LOCK_KB)
367 try_serialize_lock = true;
368 if (try_serialize_lock && (r = crypt_serialize_lock(cd)))
372 * Calculate derived key, decrypt keyslot content and merge it.
374 log_dbg(cd, "Running keyslot key derivation.");
375 r = crypt_pbkdf(pbkdf.type, pbkdf.hash, password, passwordLen,
377 derived_key->key, derived_key->keylength,
378 pbkdf.iterations, pbkdf.max_memory_kb,
379 pbkdf.parallel_threads);
381 if (try_serialize_lock)
382 crypt_serialize_unlock(cd);
385 log_dbg(cd, "Reading keyslot area [0x%04" PRIx64 "].", area_offset);
386 /* FIXME: sector_offset should be size_t, fix LUKS_decrypt... accordingly */
387 r = luks2_decrypt_from_storage(AfKey, AFEKSize, cipher, cipher_mode,
388 derived_key, (unsigned)(area_offset / SECTOR_SIZE), cd);
392 r = crypt_hash_size(af_hash);
394 log_err(cd, _("Hash algorithm %s is not available."), af_hash);
396 r = AF_merge(AfKey, volume_key, volume_key_len, LUKS_STRIPES, af_hash);
400 crypt_free_volume_key(derived_key);
401 crypt_safe_free(AfKey);
407 * currently we support update of only:
412 static int luks2_keyslot_update_json(struct crypt_device *cd,
413 json_object *jobj_keyslot,
414 const struct luks2_keyslot_params *params)
416 const struct crypt_pbkdf_type *pbkdf;
417 json_object *jobj_af, *jobj_area, *jobj_kdf;
418 char salt[LUKS_SALTSIZE], *salt_base64 = NULL;
421 /* jobj_keyslot is not yet validated */
423 if (!json_object_object_get_ex(jobj_keyslot, "af", &jobj_af) ||
424 !json_object_object_get_ex(jobj_keyslot, "area", &jobj_area))
427 /* update area encryption parameters */
428 json_object_object_add(jobj_area, "encryption", json_object_new_string(params->area.raw.encryption));
429 json_object_object_add(jobj_area, "key_size", json_object_new_int(params->area.raw.key_size));
431 pbkdf = crypt_get_pbkdf_type(cd);
435 r = crypt_benchmark_pbkdf_internal(cd, CONST_CAST(struct crypt_pbkdf_type *)pbkdf, params->area.raw.key_size);
439 /* refresh whole 'kdf' object */
440 jobj_kdf = json_object_new_object();
443 json_object_object_add(jobj_kdf, "type", json_object_new_string(pbkdf->type));
444 if (!strcmp(pbkdf->type, CRYPT_KDF_PBKDF2)) {
445 json_object_object_add(jobj_kdf, "hash", json_object_new_string(pbkdf->hash));
446 json_object_object_add(jobj_kdf, "iterations", json_object_new_int(pbkdf->iterations));
448 json_object_object_add(jobj_kdf, "time", json_object_new_int(pbkdf->iterations));
449 json_object_object_add(jobj_kdf, "memory", json_object_new_int(pbkdf->max_memory_kb));
450 json_object_object_add(jobj_kdf, "cpus", json_object_new_int(pbkdf->parallel_threads));
452 json_object_object_add(jobj_keyslot, "kdf", jobj_kdf);
455 * Regenerate salt and add it in 'kdf' object
457 r = crypt_random_get(cd, salt, LUKS_SALTSIZE, CRYPT_RND_SALT);
460 r = crypt_base64_encode(&salt_base64, NULL, salt, LUKS_SALTSIZE);
463 json_object_object_add(jobj_kdf, "salt", json_object_new_string(salt_base64));
466 /* update 'af' hash */
467 json_object_object_add(jobj_af, "hash", json_object_new_string(params->af.luks1.hash));
469 JSON_DBG(cd, jobj_keyslot, "Keyslot JSON:");
473 static int luks2_keyslot_alloc(struct crypt_device *cd,
475 size_t volume_key_len,
476 const struct luks2_keyslot_params *params)
478 struct luks2_hdr *hdr;
479 uint64_t area_offset, area_length;
480 json_object *jobj_keyslots, *jobj_keyslot, *jobj_af, *jobj_area;
483 log_dbg(cd, "Trying to allocate LUKS2 keyslot %d.", keyslot);
485 if (!params || params->area_type != LUKS2_KEYSLOT_AREA_RAW ||
486 params->af_type != LUKS2_KEYSLOT_AF_LUKS1) {
487 log_dbg(cd, "Invalid LUKS2 keyslot parameters.");
491 if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
494 if (keyslot == CRYPT_ANY_SLOT)
495 keyslot = LUKS2_keyslot_find_empty(cd, hdr, 0);
497 if (keyslot < 0 || keyslot >= LUKS2_KEYSLOTS_MAX)
500 if (LUKS2_get_keyslot_jobj(hdr, keyslot)) {
501 log_dbg(cd, "Cannot modify already active keyslot %d.", keyslot);
505 if (!json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots))
508 r = LUKS2_find_area_gap(cd, hdr, volume_key_len, &area_offset, &area_length);
510 log_err(cd, _("No space for new keyslot."));
514 jobj_keyslot = json_object_new_object();
515 json_object_object_add(jobj_keyslot, "type", json_object_new_string("luks2"));
516 json_object_object_add(jobj_keyslot, "key_size", json_object_new_int(volume_key_len));
519 jobj_af = json_object_new_object();
520 json_object_object_add(jobj_af, "type", json_object_new_string("luks1"));
521 json_object_object_add(jobj_af, "stripes", json_object_new_int(params->af.luks1.stripes));
522 json_object_object_add(jobj_keyslot, "af", jobj_af);
525 jobj_area = json_object_new_object();
526 json_object_object_add(jobj_area, "type", json_object_new_string("raw"));
527 json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(area_offset));
528 json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_length));
529 json_object_object_add(jobj_keyslot, "area", jobj_area);
531 json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot);
533 r = luks2_keyslot_update_json(cd, jobj_keyslot, params);
535 if (!r && LUKS2_check_json_size(cd, hdr)) {
536 log_dbg(cd, "Not enough space in header json area for new keyslot.");
541 json_object_object_del_by_uint(jobj_keyslots, keyslot);
546 static int luks2_keyslot_open(struct crypt_device *cd,
548 const char *password,
551 size_t volume_key_len)
553 struct luks2_hdr *hdr;
554 json_object *jobj_keyslot;
556 log_dbg(cd, "Trying to open LUKS2 keyslot %d.", keyslot);
558 if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
561 jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
565 return luks2_keyslot_get_key(cd, jobj_keyslot,
566 password, password_len,
567 volume_key, volume_key_len);
571 * This function must not modify json.
572 * It's called after luks2 keyslot validation.
574 static int luks2_keyslot_store(struct crypt_device *cd,
576 const char *password,
578 const char *volume_key,
579 size_t volume_key_len)
581 struct luks2_hdr *hdr;
582 json_object *jobj_keyslot;
585 log_dbg(cd, "Calculating attributes for LUKS2 keyslot %d.", keyslot);
587 if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
590 jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
594 r = LUKS2_device_write_lock(cd, hdr, crypt_metadata_device(cd));
598 r = luks2_keyslot_set_key(cd, jobj_keyslot,
599 password, password_len,
600 volume_key, volume_key_len);
602 r = LUKS2_hdr_write(cd, hdr);
604 device_write_unlock(cd, crypt_metadata_device(cd));
606 return r < 0 ? r : keyslot;
609 static int luks2_keyslot_wipe(struct crypt_device *cd, int keyslot)
611 struct luks2_hdr *hdr;
613 if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
616 /* Remove any reference of deleted keyslot from digests and tokens */
617 LUKS2_digest_assign(cd, hdr, keyslot, CRYPT_ANY_DIGEST, 0, 0);
618 LUKS2_token_assign(cd, hdr, keyslot, CRYPT_ANY_TOKEN, 0, 0);
623 static int luks2_keyslot_dump(struct crypt_device *cd, int keyslot)
625 json_object *jobj_keyslot, *jobj1, *jobj_kdf, *jobj_af, *jobj_area;
627 jobj_keyslot = LUKS2_get_keyslot_jobj(crypt_get_hdr(cd, CRYPT_LUKS2), keyslot);
631 if (!json_object_object_get_ex(jobj_keyslot, "kdf", &jobj_kdf) ||
632 !json_object_object_get_ex(jobj_keyslot, "af", &jobj_af) ||
633 !json_object_object_get_ex(jobj_keyslot, "area", &jobj_area))
636 json_object_object_get_ex(jobj_area, "encryption", &jobj1);
637 log_std(cd, "\tCipher: %s\n", json_object_get_string(jobj1));
639 json_object_object_get_ex(jobj_area, "key_size", &jobj1);
640 log_std(cd, "\tCipher key: %u bits\n", crypt_jobj_get_uint32(jobj1) * 8);
642 json_object_object_get_ex(jobj_kdf, "type", &jobj1);
643 log_std(cd, "\tPBKDF: %s\n", json_object_get_string(jobj1));
645 if (!strcmp(json_object_get_string(jobj1), CRYPT_KDF_PBKDF2)) {
646 json_object_object_get_ex(jobj_kdf, "hash", &jobj1);
647 log_std(cd, "\tHash: %s\n", json_object_get_string(jobj1));
649 json_object_object_get_ex(jobj_kdf, "iterations", &jobj1);
650 log_std(cd, "\tIterations: %" PRIu64 "\n", crypt_jobj_get_uint64(jobj1));
652 json_object_object_get_ex(jobj_kdf, "time", &jobj1);
653 log_std(cd, "\tTime cost: %" PRIu64 "\n", json_object_get_int64(jobj1));
655 json_object_object_get_ex(jobj_kdf, "memory", &jobj1);
656 log_std(cd, "\tMemory: %" PRIu64 "\n", json_object_get_int64(jobj1));
658 json_object_object_get_ex(jobj_kdf, "cpus", &jobj1);
659 log_std(cd, "\tThreads: %" PRIu64 "\n", json_object_get_int64(jobj1));
661 json_object_object_get_ex(jobj_kdf, "salt", &jobj1);
662 log_std(cd, "\tSalt: ");
663 hexprint_base64(cd, jobj1, " ", " ");
666 json_object_object_get_ex(jobj_af, "stripes", &jobj1);
667 log_std(cd, "\tAF stripes: %u\n", json_object_get_int(jobj1));
669 json_object_object_get_ex(jobj_af, "hash", &jobj1);
670 log_std(cd, "\tAF hash: %s\n", json_object_get_string(jobj1));
672 json_object_object_get_ex(jobj_area, "offset", &jobj1);
673 log_std(cd, "\tArea offset:%" PRIu64 " [bytes]\n", crypt_jobj_get_uint64(jobj1));
675 json_object_object_get_ex(jobj_area, "size", &jobj1);
676 log_std(cd, "\tArea length:%" PRIu64 " [bytes]\n", crypt_jobj_get_uint64(jobj1));
681 static int luks2_keyslot_validate(struct crypt_device *cd, json_object *jobj_keyslot)
683 json_object *jobj_kdf, *jobj_af, *jobj_area, *jobj1;
690 if (!(jobj_kdf = json_contains(cd, jobj_keyslot, "", "keyslot", "kdf", json_type_object)) ||
691 !(jobj_af = json_contains(cd, jobj_keyslot, "", "keyslot", "af", json_type_object)) ||
692 !(jobj_area = json_contains(cd, jobj_keyslot, "", "keyslot", "area", json_type_object)))
695 count = json_object_object_length(jobj_kdf);
697 jobj1 = json_contains_string(cd, jobj_kdf, "", "kdf section", "type");
700 type = json_object_get_string(jobj1);
702 if (!strcmp(type, CRYPT_KDF_PBKDF2)) {
703 if (count != 4 || /* type, salt, hash, iterations only */
704 !json_contains_string(cd, jobj_kdf, "kdf type", type, "hash") ||
705 !json_contains(cd, jobj_kdf, "kdf type", type, "iterations", json_type_int) ||
706 !json_contains_string(cd, jobj_kdf, "kdf type", type, "salt"))
708 } else if (!strcmp(type, CRYPT_KDF_ARGON2I) || !strcmp(type, CRYPT_KDF_ARGON2ID)) {
709 if (count != 5 || /* type, salt, time, memory, cpus only */
710 !json_contains(cd, jobj_kdf, "kdf type", type, "time", json_type_int) ||
711 !json_contains(cd, jobj_kdf, "kdf type", type, "memory", json_type_int) ||
712 !json_contains(cd, jobj_kdf, "kdf type", type, "cpus", json_type_int) ||
713 !json_contains_string(cd, jobj_kdf, "kdf type", type, "salt"))
717 jobj1 = json_contains_string(cd, jobj_af, "", "af section", "type");
720 type = json_object_get_string(jobj1);
722 if (!strcmp(type, "luks1")) {
723 if (!json_contains_string(cd, jobj_af, "", "luks1 af", "hash") ||
724 !json_contains(cd, jobj_af, "", "luks1 af", "stripes", json_type_int))
729 // FIXME check numbered
730 jobj1 = json_contains_string(cd, jobj_area, "", "area section", "type");
733 type = json_object_get_string(jobj1);
735 if (!strcmp(type, "raw")) {
736 if (!json_contains_string(cd, jobj_area, "area", "raw type", "encryption") ||
737 !json_contains(cd, jobj_area, "area", "raw type", "key_size", json_type_int) ||
738 !json_contains_string(cd, jobj_area, "area", "raw type", "offset") ||
739 !json_contains_string(cd, jobj_area, "area", "raw type", "size"))
747 static int luks2_keyslot_update(struct crypt_device *cd,
749 const struct luks2_keyslot_params *params)
751 struct luks2_hdr *hdr;
752 json_object *jobj_keyslot;
755 log_dbg(cd, "Updating LUKS2 keyslot %d.", keyslot);
757 if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
760 jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
764 r = luks2_keyslot_update_json(cd, jobj_keyslot, params);
766 if (!r && LUKS2_check_json_size(cd, hdr)) {
767 log_dbg(cd, "Not enough space in header json area for updated keyslot %d.", keyslot);
774 static void luks2_keyslot_repair(json_object *jobj_keyslot)
777 json_object *jobj_kdf, *jobj_type;
779 if (!json_object_object_get_ex(jobj_keyslot, "kdf", &jobj_kdf) ||
780 !json_object_is_type(jobj_kdf, json_type_object))
783 if (!json_object_object_get_ex(jobj_kdf, "type", &jobj_type) ||
784 !json_object_is_type(jobj_type, json_type_string))
787 type = json_object_get_string(jobj_type);
789 if (!strcmp(type, CRYPT_KDF_PBKDF2)) {
790 /* type, salt, hash, iterations only */
791 json_object_object_foreach(jobj_kdf, key, val) {
793 if (!strcmp(key, "type") || !strcmp(key, "salt") ||
794 !strcmp(key, "hash") || !strcmp(key, "iterations"))
796 json_object_object_del(jobj_kdf, key);
798 } else if (!strcmp(type, CRYPT_KDF_ARGON2I) || !strcmp(type, CRYPT_KDF_ARGON2ID)) {
799 /* type, salt, time, memory, cpus only */
800 json_object_object_foreach(jobj_kdf, key, val) {
802 if (!strcmp(key, "type") || !strcmp(key, "salt") ||
803 !strcmp(key, "time") || !strcmp(key, "memory") ||
804 !strcmp(key, "cpus"))
806 json_object_object_del(jobj_kdf, key);
811 const keyslot_handler luks2_keyslot = {
813 .alloc = luks2_keyslot_alloc,
814 .update = luks2_keyslot_update,
815 .open = luks2_keyslot_open,
816 .store = luks2_keyslot_store,
817 .wipe = luks2_keyslot_wipe,
818 .dump = luks2_keyslot_dump,
819 .validate = luks2_keyslot_validate,
820 .repair = luks2_keyslot_repair