2 * LUKS - Linux Unified Key Setup v2, LUKS2 type keyslot handler
4 * Copyright (C) 2015-2021 Red Hat, Inc. All rights reserved.
5 * Copyright (C) 2015-2021 Milan Broz
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 2
10 * of the License, or (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 #include "luks2_internal.h"
24 /* FIXME: move keyslot encryption to crypto backend */
25 #include "../luks1/af.h"
27 #define LUKS_SALTSIZE 32
28 #define LUKS_SLOT_ITERATIONS_MIN 1000
29 #define LUKS_STRIPES 4000
31 /* Serialize memory-hard keyslot access: optional workaround for parallel processing */
32 #define MIN_MEMORY_FOR_SERIALIZE_LOCK_KB 32*1024 /* 32MB */
34 static int luks2_encrypt_to_storage(char *src, size_t srcLength,
35 const char *cipher, const char *cipher_mode,
36 struct volume_key *vk, unsigned int sector,
37 struct crypt_device *cd)
39 #ifndef ENABLE_AF_ALG /* Support for old kernel without Crypto API */
40 return LUKS_encrypt_to_storage(src, srcLength, cipher, cipher_mode, vk, sector, cd);
42 struct crypt_storage *s;
44 struct device *device = crypt_metadata_device(cd);
46 /* Only whole sector writes supported */
47 if (MISALIGNED_512(srcLength))
51 r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, vk->key, vk->keylength, false);
53 log_err(cd, _("Cannot use %s-%s cipher for keyslot encryption."), cipher, cipher_mode);
57 r = crypt_storage_encrypt(s, 0, srcLength, src);
58 crypt_storage_destroy(s);
60 log_err(cd, _("IO error while encrypting keyslot."));
64 devfd = device_open_locked(cd, device, O_RDWR);
66 if (write_lseek_blockwise(devfd, device_block_size(cd, device),
67 device_alignment(device), src,
68 srcLength, sector * SECTOR_SIZE) < 0)
73 device_sync(cd, device);
78 log_err(cd, _("IO error while encrypting keyslot."));
84 static int luks2_decrypt_from_storage(char *dst, size_t dstLength,
85 const char *cipher, const char *cipher_mode, struct volume_key *vk,
86 unsigned int sector, struct crypt_device *cd)
88 struct device *device = crypt_metadata_device(cd);
89 #ifndef ENABLE_AF_ALG /* Support for old kernel without Crypto API */
90 int r = device_read_lock(cd, device);
92 log_err(cd, _("Failed to acquire read lock on device %s."), device_path(device));
95 r = LUKS_decrypt_from_storage(dst, dstLength, cipher, cipher_mode, vk, sector, cd);
96 device_read_unlock(cd, crypt_metadata_device(cd));
99 struct crypt_storage *s;
102 /* Only whole sector writes supported */
103 if (MISALIGNED_512(dstLength))
106 r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, vk->key, vk->keylength, false);
108 log_err(cd, _("Cannot use %s-%s cipher for keyslot encryption."), cipher, cipher_mode);
112 r = device_read_lock(cd, device);
114 log_err(cd, _("Failed to acquire read lock on device %s."),
115 device_path(device));
116 crypt_storage_destroy(s);
120 devfd = device_open_locked(cd, device, O_RDONLY);
122 if (read_lseek_blockwise(devfd, device_block_size(cd, device),
123 device_alignment(device), dst,
124 dstLength, sector * SECTOR_SIZE) < 0)
131 device_read_unlock(cd, device);
135 r = crypt_storage_decrypt(s, 0, dstLength, dst);
137 log_err(cd, _("IO error while decrypting keyslot."));
139 crypt_storage_destroy(s);
144 static int luks2_keyslot_get_pbkdf_params(json_object *jobj_keyslot,
145 struct crypt_pbkdf_type *pbkdf, char *salt)
147 json_object *jobj_kdf, *jobj1, *jobj2;
150 if (!jobj_keyslot || !pbkdf)
153 memset(pbkdf, 0, sizeof(*pbkdf));
155 if (!json_object_object_get_ex(jobj_keyslot, "kdf", &jobj_kdf))
158 if (!json_object_object_get_ex(jobj_kdf, "type", &jobj1))
160 pbkdf->type = json_object_get_string(jobj1);
161 if (!strcmp(pbkdf->type, CRYPT_KDF_PBKDF2)) {
162 if (!json_object_object_get_ex(jobj_kdf, "hash", &jobj2))
164 pbkdf->hash = json_object_get_string(jobj2);
165 if (!json_object_object_get_ex(jobj_kdf, "iterations", &jobj2))
167 pbkdf->iterations = json_object_get_int(jobj2);
168 pbkdf->max_memory_kb = 0;
169 pbkdf->parallel_threads = 0;
171 if (!json_object_object_get_ex(jobj_kdf, "time", &jobj2))
173 pbkdf->iterations = json_object_get_int(jobj2);
174 if (!json_object_object_get_ex(jobj_kdf, "memory", &jobj2))
176 pbkdf->max_memory_kb = json_object_get_int(jobj2);
177 if (!json_object_object_get_ex(jobj_kdf, "cpus", &jobj2))
179 pbkdf->parallel_threads = json_object_get_int(jobj2);
182 if (!json_object_object_get_ex(jobj_kdf, "salt", &jobj2))
184 salt_len = LUKS_SALTSIZE;
185 if (!base64_decode(json_object_get_string(jobj2),
186 json_object_get_string_len(jobj2),
189 if (salt_len != LUKS_SALTSIZE)
195 static int luks2_keyslot_set_key(struct crypt_device *cd,
196 json_object *jobj_keyslot,
197 const char *password, size_t passwordLen,
198 const char *volume_key, size_t volume_key_len)
200 struct volume_key *derived_key;
201 char salt[LUKS_SALTSIZE], cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
203 const char *af_hash = NULL;
204 size_t AFEKSize, keyslot_key_len;
205 json_object *jobj2, *jobj_kdf, *jobj_af, *jobj_area;
206 uint64_t area_offset;
207 struct crypt_pbkdf_type pbkdf;
210 if (!json_object_object_get_ex(jobj_keyslot, "kdf", &jobj_kdf) ||
211 !json_object_object_get_ex(jobj_keyslot, "af", &jobj_af) ||
212 !json_object_object_get_ex(jobj_keyslot, "area", &jobj_area))
215 /* prevent accidental volume key size change after allocation */
216 if (!json_object_object_get_ex(jobj_keyslot, "key_size", &jobj2))
218 if (json_object_get_int(jobj2) != (int)volume_key_len)
221 if (!json_object_object_get_ex(jobj_area, "offset", &jobj2))
223 area_offset = crypt_jobj_get_uint64(jobj2);
225 if (!json_object_object_get_ex(jobj_area, "encryption", &jobj2))
227 r = crypt_parse_name_and_mode(json_object_get_string(jobj2), cipher, NULL, cipher_mode);
231 if (!json_object_object_get_ex(jobj_area, "key_size", &jobj2))
233 keyslot_key_len = json_object_get_int(jobj2);
235 if (!json_object_object_get_ex(jobj_af, "hash", &jobj2))
237 af_hash = json_object_get_string(jobj2);
239 if (luks2_keyslot_get_pbkdf_params(jobj_keyslot, &pbkdf, salt))
243 * Allocate derived key storage.
245 derived_key = crypt_alloc_volume_key(keyslot_key_len, NULL);
249 * Calculate keyslot content, split and store it to keyslot area.
251 r = crypt_pbkdf(pbkdf.type, pbkdf.hash, password, passwordLen,
253 derived_key->key, derived_key->keylength,
254 pbkdf.iterations, pbkdf.max_memory_kb,
255 pbkdf.parallel_threads);
257 crypt_free_volume_key(derived_key);
261 // FIXME: verity key_size to AFEKSize
262 AFEKSize = AF_split_sectors(volume_key_len, LUKS_STRIPES) * SECTOR_SIZE;
263 AfKey = crypt_safe_alloc(AFEKSize);
265 crypt_free_volume_key(derived_key);
269 r = AF_split(cd, volume_key, AfKey, volume_key_len, LUKS_STRIPES, af_hash);
272 log_dbg(cd, "Updating keyslot area [0x%04x].", (unsigned)area_offset);
273 /* FIXME: sector_offset should be size_t, fix LUKS_encrypt... accordingly */
274 r = luks2_encrypt_to_storage(AfKey, AFEKSize, cipher, cipher_mode,
275 derived_key, (unsigned)(area_offset / SECTOR_SIZE), cd);
278 crypt_safe_free(AfKey);
279 crypt_free_volume_key(derived_key);
286 static int luks2_keyslot_get_key(struct crypt_device *cd,
287 json_object *jobj_keyslot,
288 const char *password, size_t passwordLen,
289 char *volume_key, size_t volume_key_len)
291 struct volume_key *derived_key;
292 struct crypt_pbkdf_type pbkdf;
295 const char *af_hash = NULL;
296 char salt[LUKS_SALTSIZE], cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
297 json_object *jobj2, *jobj_af, *jobj_area;
298 uint64_t area_offset;
299 size_t keyslot_key_len;
300 bool try_serialize_lock = false;
303 if (!json_object_object_get_ex(jobj_keyslot, "af", &jobj_af) ||
304 !json_object_object_get_ex(jobj_keyslot, "area", &jobj_area))
307 if (luks2_keyslot_get_pbkdf_params(jobj_keyslot, &pbkdf, salt))
310 if (!json_object_object_get_ex(jobj_af, "hash", &jobj2))
312 af_hash = json_object_get_string(jobj2);
314 if (!json_object_object_get_ex(jobj_area, "offset", &jobj2))
316 area_offset = crypt_jobj_get_uint64(jobj2);
318 if (!json_object_object_get_ex(jobj_area, "encryption", &jobj2))
320 r = crypt_parse_name_and_mode(json_object_get_string(jobj2), cipher, NULL, cipher_mode);
324 if (!json_object_object_get_ex(jobj_area, "key_size", &jobj2))
326 keyslot_key_len = json_object_get_int(jobj2);
329 * If requested, serialize unlocking for memory-hard KDF. Usually NOOP.
331 if (pbkdf.max_memory_kb > MIN_MEMORY_FOR_SERIALIZE_LOCK_KB)
332 try_serialize_lock = true;
333 if (try_serialize_lock && crypt_serialize_lock(cd))
336 * Allocate derived key storage space.
338 derived_key = crypt_alloc_volume_key(keyslot_key_len, NULL);
342 AFEKSize = AF_split_sectors(volume_key_len, LUKS_STRIPES) * SECTOR_SIZE;
343 AfKey = crypt_safe_alloc(AFEKSize);
345 crypt_free_volume_key(derived_key);
349 * Calculate derived key, decrypt keyslot content and merge it.
351 r = crypt_pbkdf(pbkdf.type, pbkdf.hash, password, passwordLen,
353 derived_key->key, derived_key->keylength,
354 pbkdf.iterations, pbkdf.max_memory_kb,
355 pbkdf.parallel_threads);
357 if (try_serialize_lock)
358 crypt_serialize_unlock(cd);
361 log_dbg(cd, "Reading keyslot area [0x%04x].", (unsigned)area_offset);
362 /* FIXME: sector_offset should be size_t, fix LUKS_decrypt... accordingly */
363 r = luks2_decrypt_from_storage(AfKey, AFEKSize, cipher, cipher_mode,
364 derived_key, (unsigned)(area_offset / SECTOR_SIZE), cd);
368 r = AF_merge(cd, AfKey, volume_key, volume_key_len, LUKS_STRIPES, af_hash);
370 crypt_free_volume_key(derived_key);
371 crypt_safe_free(AfKey);
377 * currently we support update of only:
382 static int luks2_keyslot_update_json(struct crypt_device *cd,
383 json_object *jobj_keyslot,
384 const struct luks2_keyslot_params *params)
386 const struct crypt_pbkdf_type *pbkdf;
387 json_object *jobj_af, *jobj_area, *jobj_kdf;
388 char salt[LUKS_SALTSIZE], *salt_base64 = NULL;
391 /* jobj_keyslot is not yet validated */
393 if (!json_object_object_get_ex(jobj_keyslot, "af", &jobj_af) ||
394 !json_object_object_get_ex(jobj_keyslot, "area", &jobj_area))
397 /* update area encryption parameters */
398 json_object_object_add(jobj_area, "encryption", json_object_new_string(params->area.raw.encryption));
399 json_object_object_add(jobj_area, "key_size", json_object_new_int(params->area.raw.key_size));
401 pbkdf = crypt_get_pbkdf_type(cd);
405 r = crypt_benchmark_pbkdf_internal(cd, CONST_CAST(struct crypt_pbkdf_type *)pbkdf, params->area.raw.key_size);
409 /* refresh whole 'kdf' object */
410 jobj_kdf = json_object_new_object();
413 json_object_object_add(jobj_kdf, "type", json_object_new_string(pbkdf->type));
414 if (!strcmp(pbkdf->type, CRYPT_KDF_PBKDF2)) {
415 json_object_object_add(jobj_kdf, "hash", json_object_new_string(pbkdf->hash));
416 json_object_object_add(jobj_kdf, "iterations", json_object_new_int(pbkdf->iterations));
418 json_object_object_add(jobj_kdf, "time", json_object_new_int(pbkdf->iterations));
419 json_object_object_add(jobj_kdf, "memory", json_object_new_int(pbkdf->max_memory_kb));
420 json_object_object_add(jobj_kdf, "cpus", json_object_new_int(pbkdf->parallel_threads));
422 json_object_object_add(jobj_keyslot, "kdf", jobj_kdf);
425 * Regenerate salt and add it in 'kdf' object
427 r = crypt_random_get(cd, salt, LUKS_SALTSIZE, CRYPT_RND_SALT);
430 base64_encode_alloc(salt, LUKS_SALTSIZE, &salt_base64);
433 json_object_object_add(jobj_kdf, "salt", json_object_new_string(salt_base64));
436 /* update 'af' hash */
437 json_object_object_add(jobj_af, "hash", json_object_new_string(params->af.luks1.hash));
439 JSON_DBG(cd, jobj_keyslot, "Keyslot JSON:");
443 static int luks2_keyslot_alloc(struct crypt_device *cd,
445 size_t volume_key_len,
446 const struct luks2_keyslot_params *params)
448 struct luks2_hdr *hdr;
449 uint64_t area_offset, area_length;
450 json_object *jobj_keyslots, *jobj_keyslot, *jobj_af, *jobj_area;
453 log_dbg(cd, "Trying to allocate LUKS2 keyslot %d.", keyslot);
455 if (!params || params->area_type != LUKS2_KEYSLOT_AREA_RAW ||
456 params->af_type != LUKS2_KEYSLOT_AF_LUKS1) {
457 log_dbg(cd, "Invalid LUKS2 keyslot parameters.");
461 if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
464 if (keyslot == CRYPT_ANY_SLOT)
465 keyslot = LUKS2_keyslot_find_empty(hdr);
467 if (keyslot < 0 || keyslot >= LUKS2_KEYSLOTS_MAX)
470 if (LUKS2_get_keyslot_jobj(hdr, keyslot)) {
471 log_dbg(cd, "Cannot modify already active keyslot %d.", keyslot);
475 if (!json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots))
478 r = LUKS2_find_area_gap(cd, hdr, volume_key_len, &area_offset, &area_length);
480 log_err(cd, _("No space for new keyslot."));
484 jobj_keyslot = json_object_new_object();
485 json_object_object_add(jobj_keyslot, "type", json_object_new_string("luks2"));
486 json_object_object_add(jobj_keyslot, "key_size", json_object_new_int(volume_key_len));
489 jobj_af = json_object_new_object();
490 json_object_object_add(jobj_af, "type", json_object_new_string("luks1"));
491 json_object_object_add(jobj_af, "stripes", json_object_new_int(params->af.luks1.stripes));
492 json_object_object_add(jobj_keyslot, "af", jobj_af);
495 jobj_area = json_object_new_object();
496 json_object_object_add(jobj_area, "type", json_object_new_string("raw"));
497 json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(area_offset));
498 json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_length));
499 json_object_object_add(jobj_keyslot, "area", jobj_area);
501 json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot);
503 r = luks2_keyslot_update_json(cd, jobj_keyslot, params);
505 if (!r && LUKS2_check_json_size(cd, hdr)) {
506 log_dbg(cd, "Not enough space in header json area for new keyslot.");
511 json_object_object_del_by_uint(jobj_keyslots, keyslot);
516 static int luks2_keyslot_open(struct crypt_device *cd,
518 const char *password,
521 size_t volume_key_len)
523 struct luks2_hdr *hdr;
524 json_object *jobj_keyslot;
526 log_dbg(cd, "Trying to open LUKS2 keyslot %d.", keyslot);
528 if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
531 jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
535 return luks2_keyslot_get_key(cd, jobj_keyslot,
536 password, password_len,
537 volume_key, volume_key_len);
541 * This function must not modify json.
542 * It's called after luks2 keyslot validation.
544 static int luks2_keyslot_store(struct crypt_device *cd,
546 const char *password,
548 const char *volume_key,
549 size_t volume_key_len)
551 struct luks2_hdr *hdr;
552 json_object *jobj_keyslot;
555 log_dbg(cd, "Calculating attributes for LUKS2 keyslot %d.", keyslot);
557 if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
560 jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
564 r = LUKS2_device_write_lock(cd, hdr, crypt_metadata_device(cd));
568 r = luks2_keyslot_set_key(cd, jobj_keyslot,
569 password, password_len,
570 volume_key, volume_key_len);
572 r = LUKS2_hdr_write(cd, hdr);
574 device_write_unlock(cd, crypt_metadata_device(cd));
576 return r < 0 ? r : keyslot;
579 static int luks2_keyslot_wipe(struct crypt_device *cd, int keyslot)
581 struct luks2_hdr *hdr;
583 if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
586 /* Remove any reference of deleted keyslot from digests and tokens */
587 LUKS2_digest_assign(cd, hdr, keyslot, CRYPT_ANY_DIGEST, 0, 0);
588 LUKS2_token_assign(cd, hdr, keyslot, CRYPT_ANY_TOKEN, 0, 0);
593 static int luks2_keyslot_dump(struct crypt_device *cd, int keyslot)
595 json_object *jobj_keyslot, *jobj1, *jobj_kdf, *jobj_af, *jobj_area;
597 jobj_keyslot = LUKS2_get_keyslot_jobj(crypt_get_hdr(cd, CRYPT_LUKS2), keyslot);
601 if (!json_object_object_get_ex(jobj_keyslot, "kdf", &jobj_kdf) ||
602 !json_object_object_get_ex(jobj_keyslot, "af", &jobj_af) ||
603 !json_object_object_get_ex(jobj_keyslot, "area", &jobj_area))
606 json_object_object_get_ex(jobj_area, "encryption", &jobj1);
607 log_std(cd, "\tCipher: %s\n", json_object_get_string(jobj1));
609 json_object_object_get_ex(jobj_area, "key_size", &jobj1);
610 log_std(cd, "\tCipher key: %u bits\n", crypt_jobj_get_uint32(jobj1) * 8);
612 json_object_object_get_ex(jobj_kdf, "type", &jobj1);
613 log_std(cd, "\tPBKDF: %s\n", json_object_get_string(jobj1));
615 if (!strcmp(json_object_get_string(jobj1), CRYPT_KDF_PBKDF2)) {
616 json_object_object_get_ex(jobj_kdf, "hash", &jobj1);
617 log_std(cd, "\tHash: %s\n", json_object_get_string(jobj1));
619 json_object_object_get_ex(jobj_kdf, "iterations", &jobj1);
620 log_std(cd, "\tIterations: %" PRIu64 "\n", crypt_jobj_get_uint64(jobj1));
622 json_object_object_get_ex(jobj_kdf, "time", &jobj1);
623 log_std(cd, "\tTime cost: %" PRIu64 "\n", json_object_get_int64(jobj1));
625 json_object_object_get_ex(jobj_kdf, "memory", &jobj1);
626 log_std(cd, "\tMemory: %" PRIu64 "\n", json_object_get_int64(jobj1));
628 json_object_object_get_ex(jobj_kdf, "cpus", &jobj1);
629 log_std(cd, "\tThreads: %" PRIu64 "\n", json_object_get_int64(jobj1));
631 json_object_object_get_ex(jobj_kdf, "salt", &jobj1);
632 log_std(cd, "\tSalt: ");
633 hexprint_base64(cd, jobj1, " ", " ");
636 json_object_object_get_ex(jobj_af, "stripes", &jobj1);
637 log_std(cd, "\tAF stripes: %u\n", json_object_get_int(jobj1));
639 json_object_object_get_ex(jobj_af, "hash", &jobj1);
640 log_std(cd, "\tAF hash: %s\n", json_object_get_string(jobj1));
642 json_object_object_get_ex(jobj_area, "offset", &jobj1);
643 log_std(cd, "\tArea offset:%" PRIu64 " [bytes]\n", crypt_jobj_get_uint64(jobj1));
645 json_object_object_get_ex(jobj_area, "size", &jobj1);
646 log_std(cd, "\tArea length:%" PRIu64 " [bytes]\n", crypt_jobj_get_uint64(jobj1));
651 static int luks2_keyslot_validate(struct crypt_device *cd, json_object *jobj_keyslot)
653 json_object *jobj_kdf, *jobj_af, *jobj_area, *jobj1;
660 if (!json_object_object_get_ex(jobj_keyslot, "kdf", &jobj_kdf) ||
661 !json_object_object_get_ex(jobj_keyslot, "af", &jobj_af) ||
662 !json_object_object_get_ex(jobj_keyslot, "area", &jobj_area))
665 count = json_object_object_length(jobj_kdf);
667 jobj1 = json_contains(cd, jobj_kdf, "", "kdf section", "type", json_type_string);
670 type = json_object_get_string(jobj1);
672 if (!strcmp(type, CRYPT_KDF_PBKDF2)) {
673 if (count != 4 || /* type, salt, hash, iterations only */
674 !json_contains(cd, jobj_kdf, "kdf type", type, "hash", json_type_string) ||
675 !json_contains(cd, jobj_kdf, "kdf type", type, "iterations", json_type_int) ||
676 !json_contains(cd, jobj_kdf, "kdf type", type, "salt", json_type_string))
678 } else if (!strcmp(type, CRYPT_KDF_ARGON2I) || !strcmp(type, CRYPT_KDF_ARGON2ID)) {
679 if (count != 5 || /* type, salt, time, memory, cpus only */
680 !json_contains(cd, jobj_kdf, "kdf type", type, "time", json_type_int) ||
681 !json_contains(cd, jobj_kdf, "kdf type", type, "memory", json_type_int) ||
682 !json_contains(cd, jobj_kdf, "kdf type", type, "cpus", json_type_int) ||
683 !json_contains(cd, jobj_kdf, "kdf type", type, "salt", json_type_string))
687 if (!json_object_object_get_ex(jobj_af, "type", &jobj1))
689 if (!strcmp(json_object_get_string(jobj1), "luks1")) {
690 if (!json_contains(cd, jobj_af, "", "luks1 af", "hash", json_type_string) ||
691 !json_contains(cd, jobj_af, "", "luks1 af", "stripes", json_type_int))
696 // FIXME check numbered
697 if (!json_object_object_get_ex(jobj_area, "type", &jobj1))
699 if (!strcmp(json_object_get_string(jobj1), "raw")) {
700 if (!json_contains(cd, jobj_area, "area", "raw type", "encryption", json_type_string) ||
701 !json_contains(cd, jobj_area, "area", "raw type", "key_size", json_type_int) ||
702 !json_contains(cd, jobj_area, "area", "raw type", "offset", json_type_string) ||
703 !json_contains(cd, jobj_area, "area", "raw type", "size", json_type_string))
711 static int luks2_keyslot_update(struct crypt_device *cd,
713 const struct luks2_keyslot_params *params)
715 struct luks2_hdr *hdr;
716 json_object *jobj_keyslot;
719 log_dbg(cd, "Updating LUKS2 keyslot %d.", keyslot);
721 if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
724 jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
728 r = luks2_keyslot_update_json(cd, jobj_keyslot, params);
730 if (!r && LUKS2_check_json_size(cd, hdr)) {
731 log_dbg(cd, "Not enough space in header json area for updated keyslot %d.", keyslot);
738 static void luks2_keyslot_repair(struct crypt_device *cd, json_object *jobj_keyslot)
741 json_object *jobj_kdf, *jobj_type;
743 if (!json_object_object_get_ex(jobj_keyslot, "kdf", &jobj_kdf) ||
744 !json_object_is_type(jobj_kdf, json_type_object))
747 if (!json_object_object_get_ex(jobj_kdf, "type", &jobj_type) ||
748 !json_object_is_type(jobj_type, json_type_string))
751 type = json_object_get_string(jobj_type);
753 if (!strcmp(type, CRYPT_KDF_PBKDF2)) {
754 /* type, salt, hash, iterations only */
755 json_object_object_foreach(jobj_kdf, key, val) {
757 if (!strcmp(key, "type") || !strcmp(key, "salt") ||
758 !strcmp(key, "hash") || !strcmp(key, "iterations"))
760 json_object_object_del(jobj_kdf, key);
762 } else if (!strcmp(type, CRYPT_KDF_ARGON2I) || !strcmp(type, CRYPT_KDF_ARGON2ID)) {
763 /* type, salt, time, memory, cpus only */
764 json_object_object_foreach(jobj_kdf, key, val) {
766 if (!strcmp(key, "type") || !strcmp(key, "salt") ||
767 !strcmp(key, "time") || !strcmp(key, "memory") ||
768 !strcmp(key, "cpus"))
770 json_object_object_del(jobj_kdf, key);
775 const keyslot_handler luks2_keyslot = {
777 .alloc = luks2_keyslot_alloc,
778 .update = luks2_keyslot_update,
779 .open = luks2_keyslot_open,
780 .store = luks2_keyslot_store,
781 .wipe = luks2_keyslot_wipe,
782 .dump = luks2_keyslot_dump,
783 .validate = luks2_keyslot_validate,
784 .repair = luks2_keyslot_repair