projects / platform / upstream / cryptsetup.git / blob
? search:


3b8c889d44733d2a19f61d79093547c09848128d
[platform/upstream/cryptsetup.git] / lib / luks2 / luks2_keyslot.c
1 /*
2  * LUKS - Linux Unified Key Setup v2, keyslot handling
3  *
4  * Copyright (C) 2015-2020 Red Hat, Inc. All rights reserved.
5  * Copyright (C) 2015-2020 Milan Broz
6  *
7  * This program is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU General Public License
9  * as published by the Free Software Foundation; either version 2
10  * of the License, or (at your option) any later version.
11  *
12  * This program is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15  * GNU General Public License for more details.
16  *
17  * You should have received a copy of the GNU General Public License
18  * along with this program; if not, write to the Free Software
19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20  */
21
22 #include "luks2_internal.h"
23
24 /* Internal implementations */
25 extern const keyslot_handler luks2_keyslot;
26 extern const keyslot_handler reenc_keyslot;
27
28 static const keyslot_handler *keyslot_handlers[LUKS2_KEYSLOTS_MAX] = {
29         &luks2_keyslot,
30         &reenc_keyslot,
31         NULL
32 };
33
34 static const keyslot_handler
35 *LUKS2_keyslot_handler_type(struct crypt_device *cd, const char *type)
36 {
37         int i;
38
39         for (i = 0; i < LUKS2_KEYSLOTS_MAX && keyslot_handlers[i]; i++) {
40                 if (!strcmp(keyslot_handlers[i]->name, type))
41                         return keyslot_handlers[i];
42         }
43
44         return NULL;
45 }
46
47 static const keyslot_handler
48 *LUKS2_keyslot_handler(struct crypt_device *cd, int keyslot)
49 {
50         struct luks2_hdr *hdr;
51         json_object *jobj1, *jobj2;
52
53         if (keyslot < 0)
54                 return NULL;
55
56         if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
57                 return NULL;
58
59         if (!(jobj1 = LUKS2_get_keyslot_jobj(hdr, keyslot)))
60                 return NULL;
61
62         if (!json_object_object_get_ex(jobj1, "type", &jobj2))
63                 return NULL;
64
65         return LUKS2_keyslot_handler_type(cd, json_object_get_string(jobj2));
66 }
67
68 int LUKS2_keyslot_find_empty(struct luks2_hdr *hdr)
69 {
70         int i;
71
72         for (i = 0; i < LUKS2_KEYSLOTS_MAX; i++)
73                 if (!LUKS2_get_keyslot_jobj(hdr, i))
74                         return i;
75
76         return -EINVAL;
77 }
78
79 /* Check if a keyslot is assigned to specific segment */
80 static int _keyslot_for_segment(struct luks2_hdr *hdr, int keyslot, int segment)
81 {
82         int keyslot_digest, count = 0;
83         unsigned s;
84
85         keyslot_digest = LUKS2_digest_by_keyslot(hdr, keyslot);
86         if (keyslot_digest < 0)
87                 return keyslot_digest;
88
89         if (segment >= 0)
90                 return keyslot_digest == LUKS2_digest_by_segment(hdr, segment);
91
92         for (s = 0; s < json_segments_count(LUKS2_get_segments_jobj(hdr)); s++) {
93                 if (keyslot_digest == LUKS2_digest_by_segment(hdr, s))
94                         count++;
95         }
96
97         return count;
98 }
99
100 static int _keyslot_for_digest(struct luks2_hdr *hdr, int keyslot, int digest)
101 {
102         int r = -EINVAL;
103
104         r = LUKS2_digest_by_keyslot(hdr, keyslot);
105         if (r < 0)
106                 return r;
107         return r == digest ? 0 : -ENOENT;
108 }
109
110 int LUKS2_keyslot_for_segment(struct luks2_hdr *hdr, int keyslot, int segment)
111 {
112         int r = -EINVAL;
113
114         /* no need to check anything */
115         if (segment == CRYPT_ANY_SEGMENT)
116                 return 0; /* ok */
117         if (segment == CRYPT_DEFAULT_SEGMENT) {
118                 segment = LUKS2_get_default_segment(hdr);
119                 if (segment < 0)
120                         return segment;
121         }
122
123         r = _keyslot_for_segment(hdr, keyslot, segment);
124         if (r < 0)
125                 return r;
126
127         return r >= 1 ? 0 : -ENOENT;
128 }
129
130 /* Number of keyslots assigned to a segment or all keyslots for CRYPT_ANY_SEGMENT */
131 int LUKS2_keyslot_active_count(struct luks2_hdr *hdr, int segment)
132 {
133         int num = 0;
134         json_object *jobj_keyslots;
135
136         json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots);
137
138         json_object_object_foreach(jobj_keyslots, slot, val) {
139                 UNUSED(val);
140                 if (!LUKS2_keyslot_for_segment(hdr, atoi(slot), segment))
141                         num++;
142         }
143
144         return num;
145 }
146
147 int LUKS2_keyslot_cipher_incompatible(struct crypt_device *cd, const char *cipher_spec)
148 {
149         char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
150
151         if (!cipher_spec || !strcmp(cipher_spec, "null") || !strcmp(cipher_spec, "cipher_null"))
152                 return 1;
153
154         if (crypt_parse_name_and_mode(cipher_spec, cipher, NULL, cipher_mode) < 0)
155                 return 1;
156
157         /* Keyslot is already authenticated; we cannot use integrity tags here */
158         if (crypt_get_integrity_tag_size(cd))
159                 return 1;
160
161         /* Wrapped key schemes cannot be used for keyslot encryption */
162         if (crypt_cipher_wrapped_key(cipher, cipher_mode))
163                 return 1;
164
165         /* Check if crypto backend can use the cipher */
166         if (crypt_cipher_ivsize(cipher, cipher_mode) < 0)
167                 return 1;
168
169         return 0;
170 }
171
172 int LUKS2_keyslot_params_default(struct crypt_device *cd, struct luks2_hdr *hdr,
173                                  struct luks2_keyslot_params *params)
174 {
175         const struct crypt_pbkdf_type *pbkdf = crypt_get_pbkdf_type(cd);
176         const char *cipher_spec;
177         size_t key_size;
178         int r;
179
180         if (!hdr || !pbkdf || !params)
181                 return -EINVAL;
182
183         /*
184          * set keyslot area encryption parameters
185          */
186         params->area_type = LUKS2_KEYSLOT_AREA_RAW;
187         cipher_spec = crypt_keyslot_get_encryption(cd, CRYPT_ANY_SLOT, &key_size);
188         if (!cipher_spec || !key_size)
189                 return -EINVAL;
190
191         params->area.raw.key_size = key_size;
192         r = snprintf(params->area.raw.encryption, sizeof(params->area.raw.encryption), "%s", cipher_spec);
193         if (r < 0 || (size_t)r >= sizeof(params->area.raw.encryption))
194                 return -EINVAL;
195
196         /*
197          * set keyslot AF parameters
198          */
199         params->af_type = LUKS2_KEYSLOT_AF_LUKS1;
200         /* currently we use hash for AF from pbkdf settings */
201         r = snprintf(params->af.luks1.hash, sizeof(params->af.luks1.hash), "%s", pbkdf->hash ?: DEFAULT_LUKS1_HASH);
202         if (r < 0 || (size_t)r >= sizeof(params->af.luks1.hash))
203                 return -EINVAL;
204         params->af.luks1.stripes = 4000;
205
206         return 0;
207 }
208
209 int LUKS2_keyslot_pbkdf(struct luks2_hdr *hdr, int keyslot, struct crypt_pbkdf_type *pbkdf)
210 {
211         json_object *jobj_keyslot, *jobj_kdf, *jobj;
212
213         if (!hdr || !pbkdf)
214                 return -EINVAL;
215
216         if (LUKS2_keyslot_info(hdr, keyslot) == CRYPT_SLOT_INVALID)
217                 return -EINVAL;
218
219         jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
220         if (!jobj_keyslot)
221                 return -ENOENT;
222
223         if (!json_object_object_get_ex(jobj_keyslot, "kdf", &jobj_kdf))
224                 return -EINVAL;
225
226         if (!json_object_object_get_ex(jobj_kdf, "type", &jobj))
227                 return -EINVAL;
228
229         memset(pbkdf, 0, sizeof(*pbkdf));
230
231         pbkdf->type = json_object_get_string(jobj);
232         if (json_object_object_get_ex(jobj_kdf, "hash", &jobj))
233                 pbkdf->hash = json_object_get_string(jobj);
234         if (json_object_object_get_ex(jobj_kdf, "iterations", &jobj))
235                 pbkdf->iterations = json_object_get_int(jobj);
236         if (json_object_object_get_ex(jobj_kdf, "time", &jobj))
237                 pbkdf->iterations = json_object_get_int(jobj);
238         if (json_object_object_get_ex(jobj_kdf, "memory", &jobj))
239                 pbkdf->max_memory_kb = json_object_get_int(jobj);
240         if (json_object_object_get_ex(jobj_kdf, "cpus", &jobj))
241                 pbkdf->parallel_threads = json_object_get_int(jobj);
242
243         return 0;
244 }
245
246 static int LUKS2_keyslot_unbound(struct luks2_hdr *hdr, int keyslot)
247 {
248         json_object *jobj_digest, *jobj_segments;
249         int digest = LUKS2_digest_by_keyslot(hdr, keyslot);
250
251         if (digest < 0)
252                 return 0;
253
254         if (!(jobj_digest = LUKS2_get_digest_jobj(hdr, digest)))
255                 return 0;
256
257         json_object_object_get_ex(jobj_digest, "segments", &jobj_segments);
258         if (!jobj_segments || !json_object_is_type(jobj_segments, json_type_array) ||
259             json_object_array_length(jobj_segments) == 0)
260                 return 1;
261
262         return 0;
263 }
264
265 crypt_keyslot_info LUKS2_keyslot_info(struct luks2_hdr *hdr, int keyslot)
266 {
267         if(keyslot >= LUKS2_KEYSLOTS_MAX || keyslot < 0)
268                 return CRYPT_SLOT_INVALID;
269
270         if (!LUKS2_get_keyslot_jobj(hdr, keyslot))
271                 return CRYPT_SLOT_INACTIVE;
272
273         if (LUKS2_digest_by_keyslot(hdr, keyslot) < 0 ||
274             LUKS2_keyslot_unbound(hdr, keyslot))
275                 return CRYPT_SLOT_UNBOUND;
276
277         if (LUKS2_keyslot_active_count(hdr, CRYPT_DEFAULT_SEGMENT) == 1 &&
278             !LUKS2_keyslot_for_segment(hdr, keyslot, CRYPT_DEFAULT_SEGMENT))
279                 return CRYPT_SLOT_ACTIVE_LAST;
280
281         return CRYPT_SLOT_ACTIVE;
282 }
283
284 int LUKS2_keyslot_area(struct luks2_hdr *hdr,
285         int keyslot,
286         uint64_t *offset,
287         uint64_t *length)
288 {
289         json_object *jobj_keyslot, *jobj_area, *jobj;
290
291         if(LUKS2_keyslot_info(hdr, keyslot) == CRYPT_SLOT_INVALID)
292                 return -EINVAL;
293
294         jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
295         if (!jobj_keyslot)
296                 return -ENOENT;
297
298         if (!json_object_object_get_ex(jobj_keyslot, "area", &jobj_area))
299                 return -EINVAL;
300
301         if (!json_object_object_get_ex(jobj_area, "offset", &jobj))
302                 return -EINVAL;
303         *offset = crypt_jobj_get_uint64(jobj);
304
305         if (!json_object_object_get_ex(jobj_area, "size", &jobj))
306                 return -EINVAL;
307         *length = crypt_jobj_get_uint64(jobj);
308
309         return 0;
310 }
311
312 static int _open_and_verify(struct crypt_device *cd,
313         struct luks2_hdr *hdr,
314         const keyslot_handler *h,
315         int keyslot,
316         const char *password,
317         size_t password_len,
318         struct volume_key **vk)
319 {
320         int r, key_size = LUKS2_get_keyslot_stored_key_size(hdr, keyslot);
321
322         if (key_size < 0)
323                 return -EINVAL;
324
325         *vk = crypt_alloc_volume_key(key_size, NULL);
326         if (!*vk)
327                 return -ENOMEM;
328
329         r = h->open(cd, keyslot, password, password_len, (*vk)->key, (*vk)->keylength);
330         if (r < 0)
331                 log_dbg(cd, "Keyslot %d (%s) open failed with %d.", keyslot, h->name, r);
332         else
333                 r = LUKS2_digest_verify(cd, hdr, *vk, keyslot);
334
335         if (r < 0) {
336                 crypt_free_volume_key(*vk);
337                 *vk = NULL;
338         }
339
340         crypt_volume_key_set_id(*vk, r);
341
342         return r < 0 ? r : keyslot;
343 }
344
345 static int LUKS2_open_and_verify_by_digest(struct crypt_device *cd,
346         struct luks2_hdr *hdr,
347         int keyslot,
348         int digest,
349         const char *password,
350         size_t password_len,
351         struct volume_key **vk)
352 {
353         const keyslot_handler *h;
354         int r;
355
356         if (!(h = LUKS2_keyslot_handler(cd, keyslot)))
357                 return -ENOENT;
358
359         r = h->validate(cd, LUKS2_get_keyslot_jobj(hdr, keyslot));
360         if (r) {
361                 log_dbg(cd, "Keyslot %d validation failed.", keyslot);
362                 return r;
363         }
364
365         r = _keyslot_for_digest(hdr, keyslot, digest);
366         if (r) {
367                 if (r == -ENOENT)
368                         log_dbg(cd, "Keyslot %d unusable for digest %d.", keyslot, digest);
369                 return r;
370         }
371
372         return _open_and_verify(cd, hdr, h, keyslot, password, password_len, vk);
373 }
374
375 static int LUKS2_open_and_verify(struct crypt_device *cd,
376         struct luks2_hdr *hdr,
377         int keyslot,
378         int segment,
379         const char *password,
380         size_t password_len,
381         struct volume_key **vk)
382 {
383         const keyslot_handler *h;
384         int r;
385
386         if (!(h = LUKS2_keyslot_handler(cd, keyslot)))
387                 return -ENOENT;
388
389         r = h->validate(cd, LUKS2_get_keyslot_jobj(hdr, keyslot));
390         if (r) {
391                 log_dbg(cd, "Keyslot %d validation failed.", keyslot);
392                 return r;
393         }
394
395         r = LUKS2_keyslot_for_segment(hdr, keyslot, segment);
396         if (r) {
397                 if (r == -ENOENT)
398                         log_dbg(cd, "Keyslot %d unusable for segment %d.", keyslot, segment);
399                 return r;
400         }
401
402         return _open_and_verify(cd, hdr, h, keyslot, password, password_len, vk);
403 }
404
405 static int LUKS2_keyslot_open_priority_digest(struct crypt_device *cd,
406         struct luks2_hdr *hdr,
407         crypt_keyslot_priority priority,
408         const char *password,
409         size_t password_len,
410         int digest,
411         struct volume_key **vk)
412 {
413         json_object *jobj_keyslots, *jobj;
414         crypt_keyslot_priority slot_priority;
415         int keyslot, r = -ENOENT;
416
417         json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots);
418
419         json_object_object_foreach(jobj_keyslots, slot, val) {
420                 if (!json_object_object_get_ex(val, "priority", &jobj))
421                         slot_priority = CRYPT_SLOT_PRIORITY_NORMAL;
422                 else
423                         slot_priority = json_object_get_int(jobj);
424
425                 keyslot = atoi(slot);
426                 if (slot_priority != priority) {
427                         log_dbg(cd, "Keyslot %d priority %d != %d (required), skipped.",
428                                 keyslot, slot_priority, priority);
429                         continue;
430                 }
431
432                 r = LUKS2_open_and_verify_by_digest(cd, hdr, keyslot, digest, password, password_len, vk);
433
434                 /* Do not retry for errors that are no -EPERM or -ENOENT,
435                    former meaning password wrong, latter key slot unusable for segment */
436                 if ((r != -EPERM) && (r != -ENOENT))
437                         break;
438         }
439
440         return r;
441 }
442
443 static int LUKS2_keyslot_open_priority(struct crypt_device *cd,
444         struct luks2_hdr *hdr,
445         crypt_keyslot_priority priority,
446         const char *password,
447         size_t password_len,
448         int segment,
449         struct volume_key **vk)
450 {
451         json_object *jobj_keyslots, *jobj;
452         crypt_keyslot_priority slot_priority;
453         int keyslot, r = -ENOENT;
454
455         json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots);
456
457         json_object_object_foreach(jobj_keyslots, slot, val) {
458                 if (!json_object_object_get_ex(val, "priority", &jobj))
459                         slot_priority = CRYPT_SLOT_PRIORITY_NORMAL;
460                 else
461                         slot_priority = json_object_get_int(jobj);
462
463                 keyslot = atoi(slot);
464                 if (slot_priority != priority) {
465                         log_dbg(cd, "Keyslot %d priority %d != %d (required), skipped.",
466                                 keyslot, slot_priority, priority);
467                         continue;
468                 }
469
470                 r = LUKS2_open_and_verify(cd, hdr, keyslot, segment, password, password_len, vk);
471
472                 /* Do not retry for errors that are no -EPERM or -ENOENT,
473                    former meaning password wrong, latter key slot unusable for segment */
474                 if ((r != -EPERM) && (r != -ENOENT))
475                         break;
476         }
477
478         return r;
479 }
480
481 static int LUKS2_keyslot_open_by_digest(struct crypt_device *cd,
482         struct luks2_hdr *hdr,
483         int keyslot,
484         int digest,
485         const char *password,
486         size_t password_len,
487         struct volume_key **vk)
488 {
489         int r_prio, r = -EINVAL;
490
491         if (digest < 0)
492                 return r;
493
494         if (keyslot == CRYPT_ANY_SLOT) {
495                 r_prio = LUKS2_keyslot_open_priority_digest(cd, hdr, CRYPT_SLOT_PRIORITY_PREFER,
496                         password, password_len, digest, vk);
497                 if (r_prio >= 0)
498                         r = r_prio;
499                 else if (r_prio != -EPERM && r_prio != -ENOENT)
500                         r = r_prio;
501                 else
502                         r = LUKS2_keyslot_open_priority_digest(cd, hdr, CRYPT_SLOT_PRIORITY_NORMAL,
503                                 password, password_len, digest, vk);
504                 /* Prefer password wrong to no entry from priority slot */
505                 if (r_prio == -EPERM && r == -ENOENT)
506                         r = r_prio;
507         } else
508                 r = LUKS2_open_and_verify_by_digest(cd, hdr, keyslot, digest, password, password_len, vk);
509
510         return r;
511 }
512
513 int LUKS2_keyslot_open_all_segments(struct crypt_device *cd,
514         int keyslot_old,
515         int keyslot_new,
516         const char *password,
517         size_t password_len,
518         struct volume_key **vks)
519 {
520         struct volume_key *vk = NULL;
521         int digest_old, digest_new, r = -EINVAL;
522         struct luks2_hdr *hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
523
524         digest_old = LUKS2_reencrypt_digest_old(hdr);
525         if (digest_old >= 0) {
526                 log_dbg(cd, "Trying to unlock volume key (digest: %d) using keyslot %d.", digest_old, keyslot_old);
527                 r = LUKS2_keyslot_open_by_digest(cd, hdr, keyslot_old, digest_old, password, password_len, &vk);
528                 if (r < 0)
529                         goto out;
530                 crypt_volume_key_add_next(vks, vk);
531         }
532
533         digest_new = LUKS2_reencrypt_digest_new(hdr);
534         if (digest_new >= 0 && digest_old != digest_new) {
535                 log_dbg(cd, "Trying to unlock volume key (digest: %d) using keyslot %d.", digest_new, keyslot_new);
536                 r = LUKS2_keyslot_open_by_digest(cd, hdr, keyslot_new, digest_new, password, password_len, &vk);
537                 if (r < 0)
538                         goto out;
539                 crypt_volume_key_add_next(vks, vk);
540         }
541 out:
542         if (r < 0) {
543                 crypt_free_volume_key(*vks);
544                 *vks = NULL;
545
546                 if (r == -ENOMEM)
547                         log_err(cd, _("Not enough available memory to open a keyslot."));
548                 else if (r != -EPERM)
549                         log_err(cd, _("Keyslot open failed."));
550         }
551         return r;
552 }
553
554 int LUKS2_keyslot_open(struct crypt_device *cd,
555         int keyslot,
556         int segment,
557         const char *password,
558         size_t password_len,
559         struct volume_key **vk)
560 {
561         struct luks2_hdr *hdr;
562         int r_prio, r = -EINVAL;
563
564         hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
565
566         if (keyslot == CRYPT_ANY_SLOT) {
567                 r_prio = LUKS2_keyslot_open_priority(cd, hdr, CRYPT_SLOT_PRIORITY_PREFER,
568                         password, password_len, segment, vk);
569                 if (r_prio >= 0)
570                         r = r_prio;
571                 else if (r_prio != -EPERM && r_prio != -ENOENT)
572                         r = r_prio;
573                 else
574                         r = LUKS2_keyslot_open_priority(cd, hdr, CRYPT_SLOT_PRIORITY_NORMAL,
575                                 password, password_len, segment, vk);
576                 /* Prefer password wrong to no entry from priority slot */
577                 if (r_prio == -EPERM && r == -ENOENT)
578                         r = r_prio;
579         } else
580                 r = LUKS2_open_and_verify(cd, hdr, keyslot, segment, password, password_len, vk);
581
582         if (r < 0) {
583                 if (r == -ENOMEM)
584                         log_err(cd, _("Not enough available memory to open a keyslot."));
585                 else if (r != -EPERM)
586                         log_err(cd, _("Keyslot open failed."));
587         }
588
589         return r;
590 }
591
592 int LUKS2_keyslot_reencrypt_create(struct crypt_device *cd,
593         struct luks2_hdr *hdr,
594         int keyslot,
595         const struct crypt_params_reencrypt *params)
596 {
597         const keyslot_handler *h;
598         int r;
599
600         if (keyslot == CRYPT_ANY_SLOT)
601                 return -EINVAL;
602
603         /* FIXME: find keyslot by type */
604         h = LUKS2_keyslot_handler_type(cd, "reencrypt");
605         if (!h)
606                 return -EINVAL;
607
608         r = reenc_keyslot_alloc(cd, hdr, keyslot, params);
609         if (r < 0)
610                 return r;
611
612         r = LUKS2_keyslot_priority_set(cd, hdr, keyslot, CRYPT_SLOT_PRIORITY_IGNORE, 0);
613         if (r < 0)
614                 return r;
615
616         r = h->validate(cd, LUKS2_get_keyslot_jobj(hdr, keyslot));
617         if (r) {
618                 log_dbg(cd, "Keyslot validation failed.");
619                 return r;
620         }
621
622         if (LUKS2_hdr_validate(cd, hdr->jobj, hdr->hdr_size - LUKS2_HDR_BIN_LEN))
623                 return -EINVAL;
624
625         return 0;
626 }
627
628 int LUKS2_keyslot_reencrypt_store(struct crypt_device *cd,
629         struct luks2_hdr *hdr,
630         int keyslot,
631         const void *buffer,
632         size_t buffer_length)
633 {
634         const keyslot_handler *h;
635         int r;
636
637         if (!(h = LUKS2_keyslot_handler(cd, keyslot)) || strcmp(h->name, "reencrypt"))
638                 return -EINVAL;
639
640         r = h->validate(cd, LUKS2_get_keyslot_jobj(hdr, keyslot));
641         if (r) {
642                 log_dbg(cd, "Keyslot validation failed.");
643                 return r;
644         }
645
646         return h->store(cd, keyslot, NULL, 0,
647                         buffer, buffer_length);
648 }
649
650 int LUKS2_keyslot_store(struct crypt_device *cd,
651         struct luks2_hdr *hdr,
652         int keyslot,
653         const char *password,
654         size_t password_len,
655         const struct volume_key *vk,
656         const struct luks2_keyslot_params *params)
657 {
658         const keyslot_handler *h;
659         int r;
660
661         if (keyslot == CRYPT_ANY_SLOT)
662                 return -EINVAL;
663
664         if (!LUKS2_get_keyslot_jobj(hdr, keyslot)) {
665                 /* Try to allocate default and empty keyslot type */
666                 h = LUKS2_keyslot_handler_type(cd, "luks2");
667                 if (!h)
668                         return -EINVAL;
669
670                 r = h->alloc(cd, keyslot, vk->keylength, params);
671                 if (r)
672                         return r;
673         } else {
674                 if (!(h = LUKS2_keyslot_handler(cd, keyslot)))
675                         return -EINVAL;
676
677                 r = h->update(cd, keyslot, params);
678                 if (r) {
679                         log_dbg(cd, "Failed to update keyslot %d json.", keyslot);
680                         return r;
681                 }
682         }
683
684         r = h->validate(cd, LUKS2_get_keyslot_jobj(hdr, keyslot));
685         if (r) {
686                 log_dbg(cd, "Keyslot validation failed.");
687                 return r;
688         }
689
690         if (LUKS2_hdr_validate(cd, hdr->jobj, hdr->hdr_size - LUKS2_HDR_BIN_LEN))
691                 return -EINVAL;
692
693         return h->store(cd, keyslot, password, password_len,
694                         vk->key, vk->keylength);
695 }
696
697 int LUKS2_keyslot_wipe(struct crypt_device *cd,
698         struct luks2_hdr *hdr,
699         int keyslot,
700         int wipe_area_only)
701 {
702         struct device *device = crypt_metadata_device(cd);
703         uint64_t area_offset, area_length;
704         int r;
705         json_object *jobj_keyslot, *jobj_keyslots;
706         const keyslot_handler *h;
707
708         h = LUKS2_keyslot_handler(cd, keyslot);
709
710         if (!json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots))
711                 return -EINVAL;
712
713         jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
714         if (!jobj_keyslot)
715                 return -ENOENT;
716
717         if (wipe_area_only)
718                 log_dbg(cd, "Wiping keyslot %d area only.", keyslot);
719
720         r = LUKS2_device_write_lock(cd, hdr, device);
721         if (r)
722                 return r;
723
724         /* secure deletion of possible key material in keyslot area */
725         r = crypt_keyslot_area(cd, keyslot, &area_offset, &area_length);
726         if (r && r != -ENOENT)
727                 goto out;
728
729         if (!r) {
730                 r = crypt_wipe_device(cd, device, CRYPT_WIPE_SPECIAL, area_offset,
731                               area_length, area_length, NULL, NULL);
732                 if (r) {
733                         if (r == -EACCES) {
734                                 log_err(cd, _("Cannot write to device %s, permission denied."),
735                                         device_path(device));
736                                 r = -EINVAL;
737                         } else
738                                 log_err(cd, _("Cannot wipe device %s."), device_path(device));
739                         goto out;
740                 }
741         }
742
743         if (wipe_area_only)
744                 goto out;
745
746         /* Slot specific wipe */
747         if (h) {
748                 r = h->wipe(cd, keyslot);
749                 if (r < 0)
750                         goto out;
751         } else
752                 log_dbg(cd, "Wiping keyslot %d without specific-slot handler loaded.", keyslot);
753
754         json_object_object_del_by_uint(jobj_keyslots, keyslot);
755
756         r = LUKS2_hdr_write(cd, hdr);
757 out:
758         device_write_unlock(cd, crypt_metadata_device(cd));
759         return r;
760 }
761
762 int LUKS2_keyslot_dump(struct crypt_device *cd, int keyslot)
763 {
764         const keyslot_handler *h;
765
766         if (!(h = LUKS2_keyslot_handler(cd, keyslot)))
767                 return -EINVAL;
768
769         return h->dump(cd, keyslot);
770 }
771
772 crypt_keyslot_priority LUKS2_keyslot_priority_get(struct crypt_device *cd,
773           struct luks2_hdr *hdr, int keyslot)
774 {
775         json_object *jobj_keyslot, *jobj_priority;
776
777         jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
778         if (!jobj_keyslot)
779                 return CRYPT_SLOT_PRIORITY_INVALID;
780
781         if (!json_object_object_get_ex(jobj_keyslot, "priority", &jobj_priority))
782                 return CRYPT_SLOT_PRIORITY_NORMAL;
783
784         return json_object_get_int(jobj_priority);
785 }
786
787 int LUKS2_keyslot_priority_set(struct crypt_device *cd, struct luks2_hdr *hdr,
788                                int keyslot, crypt_keyslot_priority priority, int commit)
789 {
790         json_object *jobj_keyslot;
791
792         jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
793         if (!jobj_keyslot)
794                 return -EINVAL;
795
796         if (priority == CRYPT_SLOT_PRIORITY_NORMAL)
797                 json_object_object_del(jobj_keyslot, "priority");
798         else
799                 json_object_object_add(jobj_keyslot, "priority", json_object_new_int(priority));
800
801         return commit ? LUKS2_hdr_write(cd, hdr) : 0;
802 }
803
804 int placeholder_keyslot_alloc(struct crypt_device *cd,
805         int keyslot,
806         uint64_t area_offset,
807         uint64_t area_length,
808         size_t volume_key_len)
809 {
810         struct luks2_hdr *hdr;
811         json_object *jobj_keyslots, *jobj_keyslot, *jobj_area;
812
813         log_dbg(cd, "Allocating placeholder keyslot %d for LUKS1 down conversion.", keyslot);
814
815         if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
816                 return -EINVAL;
817
818         if (keyslot < 0 || keyslot >= LUKS2_KEYSLOTS_MAX)
819                 return -EINVAL;
820
821         if (LUKS2_get_keyslot_jobj(hdr, keyslot))
822                 return -EINVAL;
823
824         if (!json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots))
825                 return -EINVAL;
826
827         jobj_keyslot = json_object_new_object();
828         json_object_object_add(jobj_keyslot, "type", json_object_new_string("placeholder"));
829         /*
830          * key_size = -1 makes placeholder keyslot impossible to pass validation.
831          * It's a safeguard against accidentally storing temporary conversion
832          * LUKS2 header.
833          */
834         json_object_object_add(jobj_keyslot, "key_size", json_object_new_int(-1));
835
836         /* Area object */
837         jobj_area = json_object_new_object();
838         json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(area_offset));
839         json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_length));
840         json_object_object_add(jobj_keyslot, "area", jobj_area);
841
842         json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot);
843
844         return 0;
845 }
846
847 static unsigned LUKS2_get_keyslot_digests_count(json_object *hdr_jobj, int keyslot)
848 {
849         char num[16];
850         json_object *jobj_digests, *jobj_keyslots;
851         unsigned count = 0;
852
853         if (!json_object_object_get_ex(hdr_jobj, "digests", &jobj_digests))
854                 return 0;
855
856         if (snprintf(num, sizeof(num), "%u", keyslot) < 0)
857                 return 0;
858
859         json_object_object_foreach(jobj_digests, key, val) {
860                 UNUSED(key);
861                 json_object_object_get_ex(val, "keyslots", &jobj_keyslots);
862                 if (LUKS2_array_jobj(jobj_keyslots, num))
863                         count++;
864         }
865
866         return count;
867 }
868
869 /* run only on header that passed basic format validation */
870 int LUKS2_keyslots_validate(struct crypt_device *cd, json_object *hdr_jobj)
871 {
872         const keyslot_handler *h;
873         int keyslot;
874         json_object *jobj_keyslots, *jobj_type;
875
876         if (!json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots))
877                 return -EINVAL;
878
879         json_object_object_foreach(jobj_keyslots, slot, val) {
880                 keyslot = atoi(slot);
881                 json_object_object_get_ex(val, "type", &jobj_type);
882                 h = LUKS2_keyslot_handler_type(cd, json_object_get_string(jobj_type));
883                 if (!h)
884                         continue;
885                 if (h->validate && h->validate(cd, val)) {
886                         log_dbg(cd, "Keyslot type %s validation failed on keyslot %d.", h->name, keyslot);
887                         return -EINVAL;
888                 }
889
890                 if (!strcmp(h->name, "luks2") && LUKS2_get_keyslot_digests_count(hdr_jobj, keyslot) != 1) {
891                         log_dbg(cd, "Keyslot %d is not assigned to exactly 1 digest.", keyslot);
892                         return -EINVAL;
893                 }
894         }
895
896         return 0;
897 }
898
899 void LUKS2_keyslots_repair(struct crypt_device *cd, json_object *jobj_keyslots)
900 {
901         const keyslot_handler *h;
902         json_object *jobj_type;
903
904         json_object_object_foreach(jobj_keyslots, slot, val) {
905                 UNUSED(slot);
906                 if (!json_object_is_type(val, json_type_object) ||
907                     !json_object_object_get_ex(val, "type", &jobj_type) ||
908                     !json_object_is_type(jobj_type, json_type_string))
909                         continue;
910
911                 h = LUKS2_keyslot_handler_type(cd, json_object_get_string(jobj_type));
912                 if (h && h->repair)
913                         h->repair(cd, val);
914         }
915 }
916
917 /* assumes valid header */
918 int LUKS2_find_keyslot(struct luks2_hdr *hdr, const char *type)
919 {
920         int i;
921         json_object *jobj_keyslot, *jobj_type;
922
923         if (!type)
924                 return -EINVAL;
925
926         for (i = 0; i < LUKS2_KEYSLOTS_MAX; i++) {
927                 jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, i);
928                 if (!jobj_keyslot)
929                         continue;
930
931                 json_object_object_get_ex(jobj_keyslot, "type", &jobj_type);
932                 if (!strcmp(json_object_get_string(jobj_type), type))
933                         return i;
934         }
935
936         return -ENOENT;
937 }
Domain: System / System Framework;