source-git / cryptsetup

Clone
Source Code
GIT

Blame lib/luks2/luks2_keyslot_reenc.c

c8 c8s master
  1.   a9384cf68f3e8c68f79c2d5167f909020081f3df
  2.   lib
  3.   luks2
  4.   luks2_keyslot_reenc.c
Blob History Raw
Packit Service a9384c 
/*
Packit Service a9384c 
 * LUKS - Linux Unified Key Setup v2, reencryption keyslot handler
Packit Service a9384c 
 *
Packit Service a9384c 
 * Copyright (C) 2016-2020, Red Hat, Inc. All rights reserved.
Packit Service a9384c 
 * Copyright (C) 2016-2020, Ondrej Kozina
Packit Service a9384c 
 *
Packit Service a9384c 
 * This program is free software; you can redistribute it and/or
Packit Service a9384c 
 * modify it under the terms of the GNU General Public License
Packit Service a9384c 
 * as published by the Free Software Foundation; either version 2
Packit Service a9384c 
 * of the License, or (at your option) any later version.
Packit Service a9384c 
 *
Packit Service a9384c 
 * This program is distributed in the hope that it will be useful,
Packit Service a9384c 
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
Packit Service a9384c 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
Packit Service a9384c 
 * GNU General Public License for more details.
Packit Service a9384c 
 *
Packit Service a9384c 
 * You should have received a copy of the GNU General Public License
Packit Service a9384c 
 * along with this program; if not, write to the Free Software
Packit Service a9384c 
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Packit Service a9384c 
 */
Packit Service a9384c
Packit Service a9384c 
#include "luks2_internal.h"
Packit Service a9384c
Packit Service a9384c 
static int reenc_keyslot_open(struct crypt_device *cd,
Packit Service a9384c 
	int keyslot,
Packit Service a9384c 
	const char *password,
Packit Service a9384c 
	size_t password_len,
Packit Service a9384c 
	char *volume_key,
Packit Service a9384c 
	size_t volume_key_len)
Packit Service a9384c 
{
Packit Service a9384c 
	return -ENOENT;
Packit Service a9384c 
}
Packit Service a9384c
Packit Service a9384c 
int reenc_keyslot_alloc(struct crypt_device *cd,
Packit Service a9384c 
	struct luks2_hdr *hdr,
Packit Service a9384c 
	int keyslot,
Packit Service a9384c 
	const struct crypt_params_reencrypt *params)
Packit Service a9384c 
{
Packit Service a9384c 
	int r;
Packit Service a9384c 
	json_object *jobj_keyslots, *jobj_keyslot, *jobj_area;
Packit Service a9384c 
	uint64_t area_offset, area_length;
Packit Service a9384c
Packit Service a9384c 
	log_dbg(cd, "Allocating reencrypt keyslot %d.", keyslot);
Packit Service a9384c
Packit Service a9384c 
	if (keyslot < 0 || keyslot >= LUKS2_KEYSLOTS_MAX)
Packit Service a9384c 
		return -ENOMEM;
Packit Service a9384c
Packit Service a9384c 
	if (!json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots))
Packit Service a9384c 
		return -EINVAL;
Packit Service a9384c
Packit Service a9384c 
	/* encryption doesn't require area (we shift data and backup will be available) */
Packit Service a9384c 
	if (!params->data_shift) {
Packit Service a9384c 
		r = LUKS2_find_area_max_gap(cd, hdr, &area_offset, &area_length);
Packit Service a9384c 
		if (r < 0)
Packit Service a9384c 
			return r;
Packit Service a9384c 
	} else { /* we can't have keyslot w/o area...bug? */
Packit Service a9384c 
		r = LUKS2_find_area_gap(cd, hdr, 1, &area_offset, &area_length);
Packit Service a9384c 
		if (r < 0)
Packit Service a9384c 
			return r;
Packit Service a9384c 
	}
Packit Service a9384c
Packit Service a9384c 
	jobj_keyslot = json_object_new_object();
Packit Service a9384c 
	if (!jobj_keyslot)
Packit Service a9384c 
		return -ENOMEM;
Packit Service a9384c
Packit Service a9384c 
	jobj_area = json_object_new_object();
Packit Service a9384c
Packit Service a9384c 
	if (params->data_shift) {
Packit Service a9384c 
		json_object_object_add(jobj_area, "type", json_object_new_string("datashift"));
Packit Service a9384c 
		json_object_object_add(jobj_area, "shift_size", crypt_jobj_new_uint64(params->data_shift << SECTOR_SHIFT));
Packit Service a9384c 
	} else
Packit Service a9384c 
		/* except data shift protection, initial setting is irrelevant. Type can be changed during reencryption */
Packit Service a9384c 
		json_object_object_add(jobj_area, "type", json_object_new_string("none"));
Packit Service a9384c
Packit Service a9384c 
	json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(area_offset));
Packit Service a9384c 
	json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_length));
Packit Service a9384c
Packit Service a9384c 
	json_object_object_add(jobj_keyslot, "type", json_object_new_string("reencrypt"));
Packit Service a9384c 
	json_object_object_add(jobj_keyslot, "key_size", json_object_new_int(1)); /* useless but mandatory */
Packit Service a9384c 
	json_object_object_add(jobj_keyslot, "mode", json_object_new_string(crypt_reencrypt_mode_to_str(params->mode)));
Packit Service a9384c 
	if (params->direction == CRYPT_REENCRYPT_FORWARD)
Packit Service a9384c 
		json_object_object_add(jobj_keyslot, "direction", json_object_new_string("forward"));
Packit Service a9384c 
	else if (params->direction == CRYPT_REENCRYPT_BACKWARD)
Packit Service a9384c 
		json_object_object_add(jobj_keyslot, "direction", json_object_new_string("backward"));
Packit Service a9384c 
	else
Packit Service a9384c 
		return -EINVAL;
Packit Service a9384c
Packit Service a9384c 
	json_object_object_add(jobj_keyslot, "area", jobj_area);
Packit Service a9384c
Packit Service a9384c 
	json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot);
Packit Service a9384c 
	if (LUKS2_check_json_size(cd, hdr)) {
Packit Service a9384c 
		log_dbg(cd, "New keyslot too large to fit in free metadata space.");
Packit Service a9384c 
		json_object_object_del_by_uint(jobj_keyslots, keyslot);
Packit Service a9384c 
		return -ENOSPC;
Packit Service a9384c 
	}
Packit Service a9384c
Packit Service a9384c 
	JSON_DBG(cd, hdr->jobj, "JSON:");
Packit Service a9384c
Packit Service a9384c 
	return 0;
Packit Service a9384c 
}
Packit Service a9384c
Packit Service a9384c 
static int reenc_keyslot_store_data(struct crypt_device *cd,
Packit Service a9384c 
	json_object *jobj_keyslot,
Packit Service a9384c 
	const void *buffer, size_t buffer_len)
Packit Service a9384c 
{
Packit Service a9384c 
	int devfd, r;
Packit Service a9384c 
	json_object *jobj_area, *jobj_offset, *jobj_length;
Packit Service a9384c 
	uint64_t area_offset, area_length;
Packit Service a9384c 
	struct device *device = crypt_metadata_device(cd);
Packit Service a9384c
Packit Service a9384c 
	if (!json_object_object_get_ex(jobj_keyslot, "area", &jobj_area) ||
Packit Service a9384c 
	    !json_object_object_get_ex(jobj_area, "offset", &jobj_offset) ||
Packit Service a9384c 
	    !json_object_object_get_ex(jobj_area, "size", &jobj_length))
Packit Service a9384c 
		return -EINVAL;
Packit Service a9384c
Packit Service a9384c 
	area_offset = crypt_jobj_get_uint64(jobj_offset);
Packit Service a9384c 
	area_length = crypt_jobj_get_uint64(jobj_length);
Packit Service a9384c
Packit Service a9384c 
	if (!area_offset || !area_length || ((uint64_t)buffer_len > area_length))
Packit Service a9384c 
		return -EINVAL;
Packit Service a9384c
Packit Service a9384c 
	devfd = device_open_locked(cd, device, O_RDWR);
Packit Service a9384c 
	if (devfd >= 0) {
Packit Service a9384c 
		if (write_lseek_blockwise(devfd, device_block_size(cd, device),
Packit Service a9384c 
					  device_alignment(device), CONST_CAST(void *)buffer,
Packit Service a9384c 
					  buffer_len, area_offset) < 0)
Packit Service a9384c 
			r = -EIO;
Packit Service a9384c 
		else
Packit Service a9384c 
			r = 0;
Packit Service a9384c 
	} else
Packit Service a9384c 
		r = -EINVAL;
Packit Service a9384c
Packit Service a9384c 
	if (r)
Packit Service a9384c 
		log_err(cd, _("IO error while encrypting keyslot."));
Packit Service a9384c
Packit Service a9384c 
	return r;
Packit Service a9384c 
}
Packit Service a9384c
Packit Service a9384c 
static int reenc_keyslot_store(struct crypt_device *cd,
Packit Service a9384c 
	int keyslot,
Packit Service a9384c 
	const char *password __attribute__((unused)),
Packit Service a9384c 
	size_t password_len __attribute__((unused)),
Packit Service a9384c 
	const char *buffer,
Packit Service a9384c 
	size_t buffer_len)
Packit Service a9384c 
{
Packit Service a9384c 
	struct luks2_hdr *hdr;
Packit Service a9384c 
	json_object *jobj_keyslot;
Packit Service a9384c 
	int r = 0;
Packit Service a9384c
Packit Service a9384c 
	if (!cd || !buffer || !buffer_len)
Packit Service a9384c 
		return -EINVAL;
Packit Service a9384c
Packit Service a9384c 
	if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
Packit Service a9384c 
		return -EINVAL;
Packit Service a9384c
Packit Service a9384c 
	log_dbg(cd, "Reencrypt keyslot %d store.", keyslot);
Packit Service a9384c
Packit Service a9384c 
	jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
Packit Service a9384c 
	if (!jobj_keyslot)
Packit Service a9384c 
		return -EINVAL;
Packit Service a9384c
Packit Service a9384c 
	r = LUKS2_device_write_lock(cd, hdr, crypt_metadata_device(cd));
Packit Service a9384c 
	if (r)
Packit Service a9384c 
		return r;
Packit Service a9384c
Packit Service a9384c 
	r = reenc_keyslot_store_data(cd, jobj_keyslot, buffer, buffer_len);
Packit Service a9384c 
	if (r < 0) {
Packit Service a9384c 
		device_write_unlock(cd, crypt_metadata_device(cd));
Packit Service a9384c 
		return r;
Packit Service a9384c 
	}
Packit Service a9384c
Packit Service a9384c 
	r = LUKS2_hdr_write(cd, hdr);
Packit Service a9384c
Packit Service a9384c 
	device_write_unlock(cd, crypt_metadata_device(cd));
Packit Service a9384c
Packit Service a9384c 
	return r < 0 ? r : keyslot;
Packit Service a9384c 
}
Packit Service a9384c
Packit Service a9384c 
int reenc_keyslot_update(struct crypt_device *cd,
Packit Service a9384c 
	const struct luks2_reenc_context *rh)
Packit Service a9384c 
{
Packit Service a9384c 
	json_object *jobj_keyslot, *jobj_area, *jobj_area_type;
Packit Service a9384c 
	struct luks2_hdr *hdr;
Packit Service a9384c
Packit Service a9384c 
	if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
Packit Service a9384c 
		return -EINVAL;
Packit Service a9384c
Packit Service a9384c 
	jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, rh->reenc_keyslot);
Packit Service a9384c 
	if (!jobj_keyslot)
Packit Service a9384c 
		return -EINVAL;
Packit Service a9384c
Packit Service a9384c 
	json_object_object_get_ex(jobj_keyslot, "area", &jobj_area);
Packit Service a9384c 
	json_object_object_get_ex(jobj_area, "type", &jobj_area_type);
Packit Service a9384c
Packit Service a9384c 
	if (rh->rp.type == REENC_PROTECTION_CHECKSUM) {
Packit Service a9384c 
		log_dbg(cd, "Updating reencrypt keyslot for checksum protection.");
Packit Service a9384c 
		json_object_object_add(jobj_area, "type", json_object_new_string("checksum"));
Packit Service a9384c 
		json_object_object_add(jobj_area, "hash", json_object_new_string(rh->rp.p.csum.hash));
Packit Service a9384c 
		json_object_object_add(jobj_area, "sector_size", json_object_new_int64(rh->alignment));
Packit Service a9384c 
	} else if (rh->rp.type == REENC_PROTECTION_NONE) {
Packit Service a9384c 
		log_dbg(cd, "Updating reencrypt keyslot for none protection.");
Packit Service a9384c 
		json_object_object_add(jobj_area, "type", json_object_new_string("none"));
Packit Service a9384c 
		json_object_object_del(jobj_area, "hash");
Packit Service a9384c 
	} else if (rh->rp.type == REENC_PROTECTION_JOURNAL) {
Packit Service a9384c 
		log_dbg(cd, "Updating reencrypt keyslot for journal protection.");
Packit Service a9384c 
		json_object_object_add(jobj_area, "type", json_object_new_string("journal"));
Packit Service a9384c 
		json_object_object_del(jobj_area, "hash");
Packit Service a9384c 
	} else
Packit Service a9384c 
		log_dbg(cd, "No update of reencrypt keyslot needed.");
Packit Service a9384c
Packit Service a9384c 
	return 0;
Packit Service a9384c 
}
Packit Service a9384c
Packit Service a9384c 
static int reenc_keyslot_wipe(struct crypt_device *cd, int keyslot)
Packit Service a9384c 
{
Packit Service a9384c 
	return 0;
Packit Service a9384c 
}
Packit Service a9384c
Packit Service a9384c 
static int reenc_keyslot_dump(struct crypt_device *cd, int keyslot)
Packit Service a9384c 
{
Packit Service a9384c 
	json_object *jobj_keyslot, *jobj_area, *jobj_direction, *jobj_mode, *jobj_resilience,
Packit Service a9384c 
		    *jobj1;
Packit Service a9384c
Packit Service a9384c 
	jobj_keyslot = LUKS2_get_keyslot_jobj(crypt_get_hdr(cd, CRYPT_LUKS2), keyslot);
Packit Service a9384c 
	if (!jobj_keyslot)
Packit Service a9384c 
		return -EINVAL;
Packit Service a9384c
Packit Service a9384c 
	if (!json_object_object_get_ex(jobj_keyslot, "direction", &jobj_direction) ||
Packit Service a9384c 
	    !json_object_object_get_ex(jobj_keyslot, "mode", &jobj_mode) ||
Packit Service a9384c 
	    !json_object_object_get_ex(jobj_keyslot, "area", &jobj_area) ||
Packit Service a9384c 
	    !json_object_object_get_ex(jobj_area, "type", &jobj_resilience))
Packit Service a9384c 
		return -EINVAL;
Packit Service a9384c
Packit Service a9384c 
	log_std(cd, "\t%-12s%s\n", "Mode:", json_object_get_string(jobj_mode));
Packit Service a9384c 
	log_std(cd, "\t%-12s%s\n", "Direction:", json_object_get_string(jobj_direction));
Packit Service a9384c 
	log_std(cd, "\t%-12s%s\n", "Resilience:", json_object_get_string(jobj_resilience));
Packit Service a9384c
Packit Service a9384c 
	if (!strcmp(json_object_get_string(jobj_resilience), "checksum")) {
Packit Service a9384c 
		json_object_object_get_ex(jobj_area, "hash", &jobj1);
Packit Service a9384c 
		log_std(cd, "\t%-12s%s\n", "Hash:", json_object_get_string(jobj1));
Packit Service a9384c 
		json_object_object_get_ex(jobj_area, "sector_size", &jobj1);
Packit Service a9384c 
		log_std(cd, "\t%-12s%d [bytes]\n", "Hash data:", json_object_get_int(jobj1));
Packit Service a9384c 
	} else if (!strcmp(json_object_get_string(jobj_resilience), "datashift")) {
Packit Service a9384c 
		json_object_object_get_ex(jobj_area, "shift_size", &jobj1);
Packit Service a9384c 
		log_std(cd, "\t%-12s%" PRIu64 "[bytes]\n", "Shift size:", crypt_jobj_get_uint64(jobj1));
Packit Service a9384c 
	}
Packit Service a9384c
Packit Service a9384c 
	json_object_object_get_ex(jobj_area, "offset", &jobj1);
Packit Service a9384c 
	log_std(cd, "\tArea offset:%" PRIu64 " [bytes]\n", crypt_jobj_get_uint64(jobj1));
Packit Service a9384c
Packit Service a9384c 
	json_object_object_get_ex(jobj_area, "size", &jobj1);
Packit Service a9384c 
	log_std(cd, "\tArea length:%" PRIu64 " [bytes]\n", crypt_jobj_get_uint64(jobj1));
Packit Service a9384c
Packit Service a9384c 
	return 0;
Packit Service a9384c 
}
Packit Service a9384c
Packit Service a9384c 
static int reenc_keyslot_validate(struct crypt_device *cd, json_object *jobj_keyslot)
Packit Service a9384c 
{
Packit Service a9384c 
	json_object *jobj_mode, *jobj_area, *jobj_type, *jobj_shift_size, *jobj_hash, *jobj_sector_size, *jobj_direction;
Packit Service a9384c 
	const char *mode, *type, *direction;
Packit Service a9384c 
	uint32_t sector_size;
Packit Service a9384c 
	uint64_t shift_size;
Packit Service a9384c
Packit Service a9384c 
	/* mode (string: encrypt,reencrypt,decrypt)
Packit Service a9384c 
	 * direction (string:)
Packit Service a9384c 
	 * area {
Packit Service a9384c 
	 *   type: (string: datashift, journal, checksum, none)
Packit Service a9384c 
	 *   	hash: (string: checksum only)
Packit Service a9384c 
	 *   	sector_size (uint32: checksum only)
Packit Service a9384c 
	 *   	shift_size (uint64: datashift only)
Packit Service a9384c 
	 * }
Packit Service a9384c 
	 */
Packit Service a9384c
Packit Service a9384c 
	/* area and area type are validated in general validation code */
Packit Service a9384c 
	if (!jobj_keyslot || !json_object_object_get_ex(jobj_keyslot, "area", &jobj_area) ||
Packit Service a9384c 
	    !json_object_object_get_ex(jobj_area, "type", &jobj_type))
Packit Service a9384c 
		return -EINVAL;
Packit Service a9384c
Packit Service a9384c 
	jobj_mode = json_contains(cd, jobj_keyslot, "", "reencrypt keyslot", "mode", json_type_string);
Packit Service a9384c 
	jobj_direction = json_contains(cd, jobj_keyslot, "", "reencrypt keyslot", "direction", json_type_string);
Packit Service a9384c
Packit Service a9384c 
	if (!jobj_mode || !jobj_direction)
Packit Service a9384c 
		return -EINVAL;
Packit Service a9384c
Packit Service a9384c 
	mode = json_object_get_string(jobj_mode);
Packit Service a9384c 
	type = json_object_get_string(jobj_type);
Packit Service a9384c 
	direction = json_object_get_string(jobj_direction);
Packit Service a9384c
Packit Service a9384c 
	if (strcmp(mode, "reencrypt") && strcmp(mode, "encrypt") &&
Packit Service a9384c 
	    strcmp(mode, "decrypt")) {
Packit Service a9384c 
		log_dbg(cd, "Illegal reencrypt mode %s.", mode);
Packit Service a9384c 
		return -EINVAL;
Packit Service a9384c 
	}
Packit Service a9384c
Packit Service a9384c 
	if (strcmp(direction, "forward") && strcmp(direction, "backward")) {
Packit Service a9384c 
		log_dbg(cd, "Illegal reencrypt direction %s.", direction);
Packit Service a9384c 
		return -EINVAL;
Packit Service a9384c 
	}
Packit Service a9384c
Packit Service a9384c 
	if (!strcmp(type, "checksum")) {
Packit Service a9384c 
		jobj_hash = json_contains(cd, jobj_area, "type:checksum", "Keyslot area", "hash", json_type_string);
Packit Service a9384c 
		jobj_sector_size = json_contains(cd, jobj_area, "type:checksum", "Keyslot area", "sector_size", json_type_int);
Packit Service a9384c 
		if (!jobj_hash || !jobj_sector_size)
Packit Service a9384c 
			return -EINVAL;
Packit Service a9384c 
		if (!validate_json_uint32(jobj_sector_size))
Packit Service a9384c 
			return -EINVAL;
Packit Service a9384c 
		sector_size = crypt_jobj_get_uint32(jobj_sector_size);
Packit Service a9384c 
		if (sector_size < SECTOR_SIZE || NOTPOW2(sector_size)) {
Packit Service a9384c 
			log_dbg(cd, "Invalid sector_size (%" PRIu32 ") for checksum resilience mode.", sector_size);
Packit Service a9384c 
			return -EINVAL;
Packit Service a9384c 
		}
Packit Service a9384c 
	} else if (!strcmp(type, "datashift")) {
Packit Service a9384c 
		if (!(jobj_shift_size = json_contains(cd, jobj_area, "type:datashift", "Keyslot area", "shift_size", json_type_string)))
Packit Service a9384c 
			return -EINVAL;
Packit Service a9384c
Packit Service a9384c 
		shift_size = crypt_jobj_get_uint64(jobj_shift_size);
Packit Service a9384c 
		if (!shift_size)
Packit Service a9384c 
			return -EINVAL;
Packit Service a9384c
Packit Service a9384c 
		if (MISALIGNED_512(shift_size)) {
Packit Service a9384c 
			log_dbg(cd, "Shift size field has to be aligned to sector size: %" PRIu32, SECTOR_SIZE);
Packit Service a9384c 
			return -EINVAL;
Packit Service a9384c 
		}
Packit Service a9384c 
	}
Packit Service a9384c
Packit Service a9384c 
	return 0;
Packit Service a9384c 
}
Packit Service a9384c
Packit Service a9384c 
const keyslot_handler reenc_keyslot = {
Packit Service a9384c 
	.name  = "reencrypt",
Packit Service a9384c 
	.open  = reenc_keyslot_open,
Packit Service a9384c 
	.store = reenc_keyslot_store, /* initialization only or also per every chunk write */
Packit Service a9384c 
	.wipe  = reenc_keyslot_wipe,
Packit Service a9384c 
	.dump  = reenc_keyslot_dump,
Packit Service a9384c 
	.validate  = reenc_keyslot_validate
Packit Service a9384c 
};

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation