2 * LUKS - Linux Unified Key Setup v2, keyslot handling
4 * Copyright (C) 2015-2020 Red Hat, Inc. All rights reserved.
5 * Copyright (C) 2015-2020 Milan Broz
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 2
10 * of the License, or (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 #include "luks2_internal.h"
24 /* Internal implementations */
25 extern const keyslot_handler luks2_keyslot;
26 extern const keyslot_handler reenc_keyslot;
28 static const keyslot_handler *keyslot_handlers[LUKS2_KEYSLOTS_MAX] = {
34 static const keyslot_handler
35 *LUKS2_keyslot_handler_type(struct crypt_device *cd, const char *type)
39 for (i = 0; i < LUKS2_KEYSLOTS_MAX && keyslot_handlers[i]; i++) {
40 if (!strcmp(keyslot_handlers[i]->name, type))
41 return keyslot_handlers[i];
47 static const keyslot_handler
48 *LUKS2_keyslot_handler(struct crypt_device *cd, int keyslot)
50 struct luks2_hdr *hdr;
51 json_object *jobj1, *jobj2;
56 if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
59 if (!(jobj1 = LUKS2_get_keyslot_jobj(hdr, keyslot)))
62 if (!json_object_object_get_ex(jobj1, "type", &jobj2))
65 return LUKS2_keyslot_handler_type(cd, json_object_get_string(jobj2));
68 int LUKS2_keyslot_find_empty(struct luks2_hdr *hdr)
72 for (i = 0; i < LUKS2_KEYSLOTS_MAX; i++)
73 if (!LUKS2_get_keyslot_jobj(hdr, i))
79 /* Check if a keyslot is assigned to specific segment */
80 static int _keyslot_for_segment(struct luks2_hdr *hdr, int keyslot, int segment)
82 int keyslot_digest, count = 0;
85 keyslot_digest = LUKS2_digest_by_keyslot(hdr, keyslot);
86 if (keyslot_digest < 0)
87 return keyslot_digest;
90 return keyslot_digest == LUKS2_digest_by_segment(hdr, segment);
92 for (s = 0; s < json_segments_count(LUKS2_get_segments_jobj(hdr)); s++) {
93 if (keyslot_digest == LUKS2_digest_by_segment(hdr, s))
100 static int _keyslot_for_digest(struct luks2_hdr *hdr, int keyslot, int digest)
104 r = LUKS2_digest_by_keyslot(hdr, keyslot);
107 return r == digest ? 0 : -ENOENT;
110 int LUKS2_keyslot_for_segment(struct luks2_hdr *hdr, int keyslot, int segment)
114 /* no need to check anything */
115 if (segment == CRYPT_ANY_SEGMENT)
117 if (segment == CRYPT_DEFAULT_SEGMENT) {
118 segment = LUKS2_get_default_segment(hdr);
123 r = _keyslot_for_segment(hdr, keyslot, segment);
127 return r >= 1 ? 0 : -ENOENT;
130 /* Number of keyslots assigned to a segment or all keyslots for CRYPT_ANY_SEGMENT */
131 int LUKS2_keyslot_active_count(struct luks2_hdr *hdr, int segment)
134 json_object *jobj_keyslots;
136 json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots);
138 json_object_object_foreach(jobj_keyslots, slot, val) {
140 if (!LUKS2_keyslot_for_segment(hdr, atoi(slot), segment))
147 int LUKS2_keyslot_cipher_incompatible(struct crypt_device *cd, const char *cipher_spec)
149 char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
151 if (!cipher_spec || !strcmp(cipher_spec, "null") || !strcmp(cipher_spec, "cipher_null"))
154 if (crypt_parse_name_and_mode(cipher_spec, cipher, NULL, cipher_mode) < 0)
157 /* Keyslot is already authenticated; we cannot use integrity tags here */
158 if (crypt_get_integrity_tag_size(cd))
161 /* Wrapped key schemes cannot be used for keyslot encryption */
162 if (crypt_cipher_wrapped_key(cipher, cipher_mode))
165 /* Check if crypto backend can use the cipher */
166 if (crypt_cipher_ivsize(cipher, cipher_mode) < 0)
172 int LUKS2_keyslot_params_default(struct crypt_device *cd, struct luks2_hdr *hdr,
173 struct luks2_keyslot_params *params)
175 const struct crypt_pbkdf_type *pbkdf = crypt_get_pbkdf_type(cd);
176 const char *cipher_spec;
180 if (!hdr || !pbkdf || !params)
184 * set keyslot area encryption parameters
186 params->area_type = LUKS2_KEYSLOT_AREA_RAW;
187 cipher_spec = crypt_keyslot_get_encryption(cd, CRYPT_ANY_SLOT, &key_size);
188 if (!cipher_spec || !key_size)
191 params->area.raw.key_size = key_size;
192 r = snprintf(params->area.raw.encryption, sizeof(params->area.raw.encryption), "%s", cipher_spec);
193 if (r < 0 || (size_t)r >= sizeof(params->area.raw.encryption))
197 * set keyslot AF parameters
199 params->af_type = LUKS2_KEYSLOT_AF_LUKS1;
200 /* currently we use hash for AF from pbkdf settings */
201 r = snprintf(params->af.luks1.hash, sizeof(params->af.luks1.hash), "%s", pbkdf->hash ?: DEFAULT_LUKS1_HASH);
202 if (r < 0 || (size_t)r >= sizeof(params->af.luks1.hash))
204 params->af.luks1.stripes = 4000;
209 int LUKS2_keyslot_pbkdf(struct luks2_hdr *hdr, int keyslot, struct crypt_pbkdf_type *pbkdf)
211 json_object *jobj_keyslot, *jobj_kdf, *jobj;
216 if (LUKS2_keyslot_info(hdr, keyslot) == CRYPT_SLOT_INVALID)
219 jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
223 if (!json_object_object_get_ex(jobj_keyslot, "kdf", &jobj_kdf))
226 if (!json_object_object_get_ex(jobj_kdf, "type", &jobj))
229 memset(pbkdf, 0, sizeof(*pbkdf));
231 pbkdf->type = json_object_get_string(jobj);
232 if (json_object_object_get_ex(jobj_kdf, "hash", &jobj))
233 pbkdf->hash = json_object_get_string(jobj);
234 if (json_object_object_get_ex(jobj_kdf, "iterations", &jobj))
235 pbkdf->iterations = json_object_get_int(jobj);
236 if (json_object_object_get_ex(jobj_kdf, "time", &jobj))
237 pbkdf->iterations = json_object_get_int(jobj);
238 if (json_object_object_get_ex(jobj_kdf, "memory", &jobj))
239 pbkdf->max_memory_kb = json_object_get_int(jobj);
240 if (json_object_object_get_ex(jobj_kdf, "cpus", &jobj))
241 pbkdf->parallel_threads = json_object_get_int(jobj);
246 static int LUKS2_keyslot_unbound(struct luks2_hdr *hdr, int keyslot)
248 json_object *jobj_digest, *jobj_segments;
249 int digest = LUKS2_digest_by_keyslot(hdr, keyslot);
254 if (!(jobj_digest = LUKS2_get_digest_jobj(hdr, digest)))
257 json_object_object_get_ex(jobj_digest, "segments", &jobj_segments);
258 if (!jobj_segments || !json_object_is_type(jobj_segments, json_type_array) ||
259 json_object_array_length(jobj_segments) == 0)
265 crypt_keyslot_info LUKS2_keyslot_info(struct luks2_hdr *hdr, int keyslot)
267 if(keyslot >= LUKS2_KEYSLOTS_MAX || keyslot < 0)
268 return CRYPT_SLOT_INVALID;
270 if (!LUKS2_get_keyslot_jobj(hdr, keyslot))
271 return CRYPT_SLOT_INACTIVE;
273 if (LUKS2_digest_by_keyslot(hdr, keyslot) < 0 ||
274 LUKS2_keyslot_unbound(hdr, keyslot))
275 return CRYPT_SLOT_UNBOUND;
277 if (LUKS2_keyslot_active_count(hdr, CRYPT_DEFAULT_SEGMENT) == 1 &&
278 !LUKS2_keyslot_for_segment(hdr, keyslot, CRYPT_DEFAULT_SEGMENT))
279 return CRYPT_SLOT_ACTIVE_LAST;
281 return CRYPT_SLOT_ACTIVE;
284 int LUKS2_keyslot_area(struct luks2_hdr *hdr,
289 json_object *jobj_keyslot, *jobj_area, *jobj;
291 if(LUKS2_keyslot_info(hdr, keyslot) == CRYPT_SLOT_INVALID)
294 jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
298 if (!json_object_object_get_ex(jobj_keyslot, "area", &jobj_area))
301 if (!json_object_object_get_ex(jobj_area, "offset", &jobj))
303 *offset = crypt_jobj_get_uint64(jobj);
305 if (!json_object_object_get_ex(jobj_area, "size", &jobj))
307 *length = crypt_jobj_get_uint64(jobj);
312 static int _open_and_verify(struct crypt_device *cd,
313 struct luks2_hdr *hdr,
314 const keyslot_handler *h,
316 const char *password,
318 struct volume_key **vk)
320 int r, key_size = LUKS2_get_keyslot_stored_key_size(hdr, keyslot);
325 *vk = crypt_alloc_volume_key(key_size, NULL);
329 r = h->open(cd, keyslot, password, password_len, (*vk)->key, (*vk)->keylength);
331 log_dbg(cd, "Keyslot %d (%s) open failed with %d.", keyslot, h->name, r);
333 r = LUKS2_digest_verify(cd, hdr, *vk, keyslot);
336 crypt_free_volume_key(*vk);
340 crypt_volume_key_set_id(*vk, r);
342 return r < 0 ? r : keyslot;
345 static int LUKS2_open_and_verify_by_digest(struct crypt_device *cd,
346 struct luks2_hdr *hdr,
349 const char *password,
351 struct volume_key **vk)
353 const keyslot_handler *h;
356 if (!(h = LUKS2_keyslot_handler(cd, keyslot)))
359 r = h->validate(cd, LUKS2_get_keyslot_jobj(hdr, keyslot));
361 log_dbg(cd, "Keyslot %d validation failed.", keyslot);
365 r = _keyslot_for_digest(hdr, keyslot, digest);
368 log_dbg(cd, "Keyslot %d unusable for digest %d.", keyslot, digest);
372 return _open_and_verify(cd, hdr, h, keyslot, password, password_len, vk);
375 static int LUKS2_open_and_verify(struct crypt_device *cd,
376 struct luks2_hdr *hdr,
379 const char *password,
381 struct volume_key **vk)
383 const keyslot_handler *h;
386 if (!(h = LUKS2_keyslot_handler(cd, keyslot)))
389 r = h->validate(cd, LUKS2_get_keyslot_jobj(hdr, keyslot));
391 log_dbg(cd, "Keyslot %d validation failed.", keyslot);
395 r = LUKS2_keyslot_for_segment(hdr, keyslot, segment);
398 log_dbg(cd, "Keyslot %d unusable for segment %d.", keyslot, segment);
402 return _open_and_verify(cd, hdr, h, keyslot, password, password_len, vk);
405 static int LUKS2_keyslot_open_priority_digest(struct crypt_device *cd,
406 struct luks2_hdr *hdr,
407 crypt_keyslot_priority priority,
408 const char *password,
411 struct volume_key **vk)
413 json_object *jobj_keyslots, *jobj;
414 crypt_keyslot_priority slot_priority;
415 int keyslot, r = -ENOENT;
417 json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots);
419 json_object_object_foreach(jobj_keyslots, slot, val) {
420 if (!json_object_object_get_ex(val, "priority", &jobj))
421 slot_priority = CRYPT_SLOT_PRIORITY_NORMAL;
423 slot_priority = json_object_get_int(jobj);
425 keyslot = atoi(slot);
426 if (slot_priority != priority) {
427 log_dbg(cd, "Keyslot %d priority %d != %d (required), skipped.",
428 keyslot, slot_priority, priority);
432 r = LUKS2_open_and_verify_by_digest(cd, hdr, keyslot, digest, password, password_len, vk);
434 /* Do not retry for errors that are no -EPERM or -ENOENT,
435 former meaning password wrong, latter key slot unusable for segment */
436 if ((r != -EPERM) && (r != -ENOENT))
443 static int LUKS2_keyslot_open_priority(struct crypt_device *cd,
444 struct luks2_hdr *hdr,
445 crypt_keyslot_priority priority,
446 const char *password,
449 struct volume_key **vk)
451 json_object *jobj_keyslots, *jobj;
452 crypt_keyslot_priority slot_priority;
453 int keyslot, r = -ENOENT;
455 json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots);
457 json_object_object_foreach(jobj_keyslots, slot, val) {
458 if (!json_object_object_get_ex(val, "priority", &jobj))
459 slot_priority = CRYPT_SLOT_PRIORITY_NORMAL;
461 slot_priority = json_object_get_int(jobj);
463 keyslot = atoi(slot);
464 if (slot_priority != priority) {
465 log_dbg(cd, "Keyslot %d priority %d != %d (required), skipped.",
466 keyslot, slot_priority, priority);
470 r = LUKS2_open_and_verify(cd, hdr, keyslot, segment, password, password_len, vk);
472 /* Do not retry for errors that are no -EPERM or -ENOENT,
473 former meaning password wrong, latter key slot unusable for segment */
474 if ((r != -EPERM) && (r != -ENOENT))
481 static int LUKS2_keyslot_open_by_digest(struct crypt_device *cd,
482 struct luks2_hdr *hdr,
485 const char *password,
487 struct volume_key **vk)
489 int r_prio, r = -EINVAL;
494 if (keyslot == CRYPT_ANY_SLOT) {
495 r_prio = LUKS2_keyslot_open_priority_digest(cd, hdr, CRYPT_SLOT_PRIORITY_PREFER,
496 password, password_len, digest, vk);
499 else if (r_prio != -EPERM && r_prio != -ENOENT)
502 r = LUKS2_keyslot_open_priority_digest(cd, hdr, CRYPT_SLOT_PRIORITY_NORMAL,
503 password, password_len, digest, vk);
504 /* Prefer password wrong to no entry from priority slot */
505 if (r_prio == -EPERM && r == -ENOENT)
508 r = LUKS2_open_and_verify_by_digest(cd, hdr, keyslot, digest, password, password_len, vk);
513 int LUKS2_keyslot_open_all_segments(struct crypt_device *cd,
516 const char *password,
518 struct volume_key **vks)
520 struct volume_key *vk = NULL;
521 int digest_old, digest_new, r = -EINVAL;
522 struct luks2_hdr *hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
524 digest_old = LUKS2_reencrypt_digest_old(hdr);
525 if (digest_old >= 0) {
526 log_dbg(cd, "Trying to unlock volume key (digest: %d) using keyslot %d.", digest_old, keyslot_old);
527 r = LUKS2_keyslot_open_by_digest(cd, hdr, keyslot_old, digest_old, password, password_len, &vk);
530 crypt_volume_key_add_next(vks, vk);
533 digest_new = LUKS2_reencrypt_digest_new(hdr);
534 if (digest_new >= 0 && digest_old != digest_new) {
535 log_dbg(cd, "Trying to unlock volume key (digest: %d) using keyslot %d.", digest_new, keyslot_new);
536 r = LUKS2_keyslot_open_by_digest(cd, hdr, keyslot_new, digest_new, password, password_len, &vk);
539 crypt_volume_key_add_next(vks, vk);
543 crypt_free_volume_key(*vks);
547 log_err(cd, _("Not enough available memory to open a keyslot."));
548 else if (r != -EPERM)
549 log_err(cd, _("Keyslot open failed."));
554 int LUKS2_keyslot_open(struct crypt_device *cd,
557 const char *password,
559 struct volume_key **vk)
561 struct luks2_hdr *hdr;
562 int r_prio, r = -EINVAL;
564 hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
566 if (keyslot == CRYPT_ANY_SLOT) {
567 r_prio = LUKS2_keyslot_open_priority(cd, hdr, CRYPT_SLOT_PRIORITY_PREFER,
568 password, password_len, segment, vk);
571 else if (r_prio != -EPERM && r_prio != -ENOENT)
574 r = LUKS2_keyslot_open_priority(cd, hdr, CRYPT_SLOT_PRIORITY_NORMAL,
575 password, password_len, segment, vk);
576 /* Prefer password wrong to no entry from priority slot */
577 if (r_prio == -EPERM && r == -ENOENT)
580 r = LUKS2_open_and_verify(cd, hdr, keyslot, segment, password, password_len, vk);
584 log_err(cd, _("Not enough available memory to open a keyslot."));
585 else if (r != -EPERM)
586 log_err(cd, _("Keyslot open failed."));
592 int LUKS2_keyslot_reencrypt_create(struct crypt_device *cd,
593 struct luks2_hdr *hdr,
595 const struct crypt_params_reencrypt *params)
597 const keyslot_handler *h;
600 if (keyslot == CRYPT_ANY_SLOT)
603 /* FIXME: find keyslot by type */
604 h = LUKS2_keyslot_handler_type(cd, "reencrypt");
608 r = reenc_keyslot_alloc(cd, hdr, keyslot, params);
612 r = LUKS2_keyslot_priority_set(cd, hdr, keyslot, CRYPT_SLOT_PRIORITY_IGNORE, 0);
616 r = h->validate(cd, LUKS2_get_keyslot_jobj(hdr, keyslot));
618 log_dbg(cd, "Keyslot validation failed.");
622 if (LUKS2_hdr_validate(cd, hdr->jobj, hdr->hdr_size - LUKS2_HDR_BIN_LEN))
628 int LUKS2_keyslot_reencrypt_store(struct crypt_device *cd,
629 struct luks2_hdr *hdr,
632 size_t buffer_length)
634 const keyslot_handler *h;
637 if (!(h = LUKS2_keyslot_handler(cd, keyslot)) || strcmp(h->name, "reencrypt"))
640 r = h->validate(cd, LUKS2_get_keyslot_jobj(hdr, keyslot));
642 log_dbg(cd, "Keyslot validation failed.");
646 return h->store(cd, keyslot, NULL, 0,
647 buffer, buffer_length);
650 int LUKS2_keyslot_store(struct crypt_device *cd,
651 struct luks2_hdr *hdr,
653 const char *password,
655 const struct volume_key *vk,
656 const struct luks2_keyslot_params *params)
658 const keyslot_handler *h;
661 if (keyslot == CRYPT_ANY_SLOT)
664 if (!LUKS2_get_keyslot_jobj(hdr, keyslot)) {
665 /* Try to allocate default and empty keyslot type */
666 h = LUKS2_keyslot_handler_type(cd, "luks2");
670 r = h->alloc(cd, keyslot, vk->keylength, params);
674 if (!(h = LUKS2_keyslot_handler(cd, keyslot)))
677 r = h->update(cd, keyslot, params);
679 log_dbg(cd, "Failed to update keyslot %d json.", keyslot);
684 r = h->validate(cd, LUKS2_get_keyslot_jobj(hdr, keyslot));
686 log_dbg(cd, "Keyslot validation failed.");
690 if (LUKS2_hdr_validate(cd, hdr->jobj, hdr->hdr_size - LUKS2_HDR_BIN_LEN))
693 return h->store(cd, keyslot, password, password_len,
694 vk->key, vk->keylength);
697 int LUKS2_keyslot_wipe(struct crypt_device *cd,
698 struct luks2_hdr *hdr,
702 struct device *device = crypt_metadata_device(cd);
703 uint64_t area_offset, area_length;
705 json_object *jobj_keyslot, *jobj_keyslots;
706 const keyslot_handler *h;
708 h = LUKS2_keyslot_handler(cd, keyslot);
710 if (!json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots))
713 jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
718 log_dbg(cd, "Wiping keyslot %d area only.", keyslot);
720 r = LUKS2_device_write_lock(cd, hdr, device);
724 /* secure deletion of possible key material in keyslot area */
725 r = crypt_keyslot_area(cd, keyslot, &area_offset, &area_length);
726 if (r && r != -ENOENT)
730 r = crypt_wipe_device(cd, device, CRYPT_WIPE_SPECIAL, area_offset,
731 area_length, area_length, NULL, NULL);
734 log_err(cd, _("Cannot write to device %s, permission denied."),
735 device_path(device));
738 log_err(cd, _("Cannot wipe device %s."), device_path(device));
746 /* Slot specific wipe */
748 r = h->wipe(cd, keyslot);
752 log_dbg(cd, "Wiping keyslot %d without specific-slot handler loaded.", keyslot);
754 json_object_object_del_by_uint(jobj_keyslots, keyslot);
756 r = LUKS2_hdr_write(cd, hdr);
758 device_write_unlock(cd, crypt_metadata_device(cd));
762 int LUKS2_keyslot_dump(struct crypt_device *cd, int keyslot)
764 const keyslot_handler *h;
766 if (!(h = LUKS2_keyslot_handler(cd, keyslot)))
769 return h->dump(cd, keyslot);
772 crypt_keyslot_priority LUKS2_keyslot_priority_get(struct crypt_device *cd,
773 struct luks2_hdr *hdr, int keyslot)
775 json_object *jobj_keyslot, *jobj_priority;
777 jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
779 return CRYPT_SLOT_PRIORITY_INVALID;
781 if (!json_object_object_get_ex(jobj_keyslot, "priority", &jobj_priority))
782 return CRYPT_SLOT_PRIORITY_NORMAL;
784 return json_object_get_int(jobj_priority);
787 int LUKS2_keyslot_priority_set(struct crypt_device *cd, struct luks2_hdr *hdr,
788 int keyslot, crypt_keyslot_priority priority, int commit)
790 json_object *jobj_keyslot;
792 jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
796 if (priority == CRYPT_SLOT_PRIORITY_NORMAL)
797 json_object_object_del(jobj_keyslot, "priority");
799 json_object_object_add(jobj_keyslot, "priority", json_object_new_int(priority));
801 return commit ? LUKS2_hdr_write(cd, hdr) : 0;
804 int placeholder_keyslot_alloc(struct crypt_device *cd,
806 uint64_t area_offset,
807 uint64_t area_length,
808 size_t volume_key_len)
810 struct luks2_hdr *hdr;
811 json_object *jobj_keyslots, *jobj_keyslot, *jobj_area;
813 log_dbg(cd, "Allocating placeholder keyslot %d for LUKS1 down conversion.", keyslot);
815 if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
818 if (keyslot < 0 || keyslot >= LUKS2_KEYSLOTS_MAX)
821 if (LUKS2_get_keyslot_jobj(hdr, keyslot))
824 if (!json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots))
827 jobj_keyslot = json_object_new_object();
828 json_object_object_add(jobj_keyslot, "type", json_object_new_string("placeholder"));
830 * key_size = -1 makes placeholder keyslot impossible to pass validation.
831 * It's a safeguard against accidentally storing temporary conversion
834 json_object_object_add(jobj_keyslot, "key_size", json_object_new_int(-1));
837 jobj_area = json_object_new_object();
838 json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(area_offset));
839 json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_length));
840 json_object_object_add(jobj_keyslot, "area", jobj_area);
842 json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot);
847 static unsigned LUKS2_get_keyslot_digests_count(json_object *hdr_jobj, int keyslot)
850 json_object *jobj_digests, *jobj_keyslots;
853 if (!json_object_object_get_ex(hdr_jobj, "digests", &jobj_digests))
856 if (snprintf(num, sizeof(num), "%u", keyslot) < 0)
859 json_object_object_foreach(jobj_digests, key, val) {
861 json_object_object_get_ex(val, "keyslots", &jobj_keyslots);
862 if (LUKS2_array_jobj(jobj_keyslots, num))
869 /* run only on header that passed basic format validation */
870 int LUKS2_keyslots_validate(struct crypt_device *cd, json_object *hdr_jobj)
872 const keyslot_handler *h;
874 json_object *jobj_keyslots, *jobj_type;
876 if (!json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots))
879 json_object_object_foreach(jobj_keyslots, slot, val) {
880 keyslot = atoi(slot);
881 json_object_object_get_ex(val, "type", &jobj_type);
882 h = LUKS2_keyslot_handler_type(cd, json_object_get_string(jobj_type));
885 if (h->validate && h->validate(cd, val)) {
886 log_dbg(cd, "Keyslot type %s validation failed on keyslot %d.", h->name, keyslot);
890 if (!strcmp(h->name, "luks2") && LUKS2_get_keyslot_digests_count(hdr_jobj, keyslot) != 1) {
891 log_dbg(cd, "Keyslot %d is not assigned to exactly 1 digest.", keyslot);
899 void LUKS2_keyslots_repair(struct crypt_device *cd, json_object *jobj_keyslots)
901 const keyslot_handler *h;
902 json_object *jobj_type;
904 json_object_object_foreach(jobj_keyslots, slot, val) {
906 if (!json_object_is_type(val, json_type_object) ||
907 !json_object_object_get_ex(val, "type", &jobj_type) ||
908 !json_object_is_type(jobj_type, json_type_string))
911 h = LUKS2_keyslot_handler_type(cd, json_object_get_string(jobj_type));
917 /* assumes valid header */
918 int LUKS2_find_keyslot(struct luks2_hdr *hdr, const char *type)
921 json_object *jobj_keyslot, *jobj_type;
926 for (i = 0; i < LUKS2_KEYSLOTS_MAX; i++) {
927 jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, i);
931 json_object_object_get_ex(jobj_keyslot, "type", &jobj_type);
932 if (!strcmp(json_object_get_string(jobj_type), type))