david.venhoff/QEMU-Nyx-fork
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcrypto-luks: simplify masterkey and masterkey length

Browse Source 
Let the caller allocate masterkey
Always use master key len from the header

Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Maxim Levitsky 2019-09-26 00:35:18 +03:00 committed by Daniel P. Berrangé
parent 70b2a1fed5
commit 1ddd52e4b5
1 changed files with 21 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
crypto/block-luks.c
View File

@ -419,7 +419,6 @@ qcrypto_block_luks_load_key(QCryptoBlock *block,
QCryptoCipherAlgorithm ivcipheralg, QCryptoCipherAlgorithm ivcipheralg,
QCryptoHashAlgorithm ivhash, QCryptoHashAlgorithm ivhash,
uint8_t *masterkey, uint8_t *masterkey,
size_t masterkeylen,
QCryptoBlockReadFunc readfunc, QCryptoBlockReadFunc readfunc,
void *opaque, void *opaque,
Error **errp) Error **errp)
@ -438,9 +437,9 @@ qcrypto_block_luks_load_key(QCryptoBlock *block,
return 0; return 0;
} }
splitkeylen = masterkeylen * slot->stripes; splitkeylen = luks->header.master_key_len * slot->stripes;
splitkey = g_new0(uint8_t, splitkeylen); splitkey = g_new0(uint8_t, splitkeylen);
possiblekey = g_new0(uint8_t, masterkeylen); possiblekey = g_new0(uint8_t, luks->header.master_key_len);
/* /*
* The user password is used to generate a (possible) * The user password is used to generate a (possible)
@ -453,7 +452,7 @@ qcrypto_block_luks_load_key(QCryptoBlock *block,
(const uint8_t *)password, strlen(password), (const uint8_t *)password, strlen(password),
slot->salt, QCRYPTO_BLOCK_LUKS_SALT_LEN, slot->salt, QCRYPTO_BLOCK_LUKS_SALT_LEN,
slot->iterations, slot->iterations,
possiblekey, masterkeylen, possiblekey, luks->header.master_key_len,
errp) < 0) { errp) < 0) {
return -1; return -1;
} }
@ -478,7 +477,7 @@ qcrypto_block_luks_load_key(QCryptoBlock *block,
/* Setup the cipher/ivgen that we'll use to try to decrypt /* Setup the cipher/ivgen that we'll use to try to decrypt
* the split master key material */ * the split master key material */
cipher = qcrypto_cipher_new(cipheralg, ciphermode, cipher = qcrypto_cipher_new(cipheralg, ciphermode,
possiblekey, masterkeylen, possiblekey, luks->header.master_key_len,
errp); errp);
if (!cipher) { if (!cipher) {
return -1; return -1;
@ -489,7 +488,7 @@ qcrypto_block_luks_load_key(QCryptoBlock *block,
ivgen = qcrypto_ivgen_new(ivalg, ivgen = qcrypto_ivgen_new(ivalg,
ivcipheralg, ivcipheralg,
ivhash, ivhash,
possiblekey, masterkeylen, possiblekey, luks->header.master_key_len,
errp); errp);
if (!ivgen) { if (!ivgen) {
return -1; return -1;
@ -519,7 +518,7 @@ qcrypto_block_luks_load_key(QCryptoBlock *block,
* it back together to get the actual master key. * it back together to get the actual master key.
*/ */
if (qcrypto_afsplit_decode(hash, if (qcrypto_afsplit_decode(hash,
masterkeylen, luks->header.master_key_len,
slot->stripes, slot->stripes,
splitkey, splitkey,
masterkey, masterkey,
@ -537,11 +536,13 @@ qcrypto_block_luks_load_key(QCryptoBlock *block,
* header * header
*/ */
if (qcrypto_pbkdf2(hash, if (qcrypto_pbkdf2(hash,
masterkey, masterkeylen, masterkey,
luks->header.master_key_len,
luks->header.master_key_salt, luks->header.master_key_salt,
QCRYPTO_BLOCK_LUKS_SALT_LEN, QCRYPTO_BLOCK_LUKS_SALT_LEN,
luks->header.master_key_iterations, luks->header.master_key_iterations,
keydigest, G_N_ELEMENTS(keydigest), keydigest,
G_N_ELEMENTS(keydigest),
errp) < 0) { errp) < 0) {
return -1; return -1;
} }
@ -574,8 +575,7 @@ qcrypto_block_luks_find_key(QCryptoBlock *block,
QCryptoIVGenAlgorithm ivalg, QCryptoIVGenAlgorithm ivalg,
QCryptoCipherAlgorithm ivcipheralg, QCryptoCipherAlgorithm ivcipheralg,
QCryptoHashAlgorithm ivhash, QCryptoHashAlgorithm ivhash,
uint8_t **masterkey, uint8_t *masterkey,
size_t *masterkeylen,
QCryptoBlockReadFunc readfunc, QCryptoBlockReadFunc readfunc,
void *opaque, void *opaque,
Error **errp) Error **errp)
@ -584,9 +584,6 @@ qcrypto_block_luks_find_key(QCryptoBlock *block,
size_t i; size_t i;
int rv; int rv;
*masterkey = g_new0(uint8_t, luks->header.master_key_len);
*masterkeylen = luks->header.master_key_len;
for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
rv = qcrypto_block_luks_load_key(block, rv = qcrypto_block_luks_load_key(block,
&luks->header.key_slots[i], &luks->header.key_slots[i],
@ -597,8 +594,7 @@ qcrypto_block_luks_find_key(QCryptoBlock *block,
ivalg, ivalg,
ivcipheralg, ivcipheralg,
ivhash, ivhash,
*masterkey, masterkey,
*masterkeylen,
readfunc, readfunc,
opaque, opaque,
errp); errp);
@ -613,9 +609,6 @@ qcrypto_block_luks_find_key(QCryptoBlock *block,
error_setg(errp, "Invalid password, cannot unlock any keyslot"); error_setg(errp, "Invalid password, cannot unlock any keyslot");
error: error:
g_free(*masterkey);
*masterkey = NULL;
*masterkeylen = 0;
return -1; return -1;
} }
@ -636,7 +629,6 @@ qcrypto_block_luks_open(QCryptoBlock *block,
size_t i; size_t i;
ssize_t rv; ssize_t rv;
g_autofree uint8_t *masterkey = NULL; g_autofree uint8_t *masterkey = NULL;
size_t masterkeylen;
char *ivgen_name, *ivhash_name; char *ivgen_name, *ivhash_name;
QCryptoCipherMode ciphermode; QCryptoCipherMode ciphermode;
QCryptoCipherAlgorithm cipheralg; QCryptoCipherAlgorithm cipheralg;
@ -802,6 +794,9 @@ qcrypto_block_luks_open(QCryptoBlock *block,
/* Try to find which key slot our password is valid for /* Try to find which key slot our password is valid for
* and unlock the master key from that slot. * and unlock the master key from that slot.
*/ */
masterkey = g_new0(uint8_t, luks->header.master_key_len);
if (qcrypto_block_luks_find_key(block, if (qcrypto_block_luks_find_key(block,
password, password,
cipheralg, ciphermode, cipheralg, ciphermode,
@ -809,7 +804,7 @@ qcrypto_block_luks_open(QCryptoBlock *block,
ivalg, ivalg,
ivcipheralg, ivcipheralg,
ivhash, ivhash,
&masterkey, &masterkeylen, masterkey,
readfunc, opaque, readfunc, opaque,
errp) < 0) { errp) < 0) {
ret = -EACCES; ret = -EACCES;
@ -825,7 +820,8 @@ qcrypto_block_luks_open(QCryptoBlock *block,
block->ivgen = qcrypto_ivgen_new(ivalg, block->ivgen = qcrypto_ivgen_new(ivalg,
ivcipheralg, ivcipheralg,
ivhash, ivhash,
masterkey, masterkeylen, masterkey,
luks->header.master_key_len,
errp); errp);
if (!block->ivgen) { if (!block->ivgen) {
ret = -ENOTSUP; ret = -ENOTSUP;
@ -833,7 +829,9 @@ qcrypto_block_luks_open(QCryptoBlock *block,
} }
ret = qcrypto_block_init_cipher(block, cipheralg, ciphermode, ret = qcrypto_block_init_cipher(block, cipheralg, ciphermode,
masterkey, masterkeylen, n_threads, masterkey,
luks->header.master_key_len,
n_threads,
errp); errp);
if (ret < 0) { if (ret < 0) {
ret = -ENOTSUP; ret = -ENOTSUP;