hello, i prepared some patches which apply against cryptsetup 1.0.3-3 from debian. [error_newline.diff] If "Command failed" is printed without a trailing error code/msg, the final dot is missing a newline. [luksAddKey.diff] There was a typo in the luksAddKey source that caused cryptsetup to ask for the passphrase to unlock twice. [protect_delkey.diff] This one adds passphrase/key protection to luksDelKey. It asks for one of the remaining passphrases/keys before actually deleting/disabling the given slot. the patches depend upon each other. in other words, protect_delkey.diff does not apply cleanly without applying error_newline.diff and luksAddKey.diff first. i hope that the patches don't come too late for cryptsetup 1.0.4-rc1. and last but not least a minor issue: action_luksAddKey from src/cryptsetup.c has a duplicated line: .key_file = opt_key_file, i guess that this was not intended, even though it doesn't do any harm. ... jonas
--- cryptsetup-1.0.3/src/cryptsetup.c
+++ cryptsetup-1.0.3/src/cryptsetup.c
@@ -91,7 +91,7 @@
 if (*error)
 fprintf(stderr, ": %s\n", error);
 else
- fputs(".", stderr);
+ fputs(".\n", stderr);
 return;
 }
--- cryptsetup-1.0.3/lib/setup.c
+++ cryptsetup-1.0.3/lib/setup.c
@@ -680,7 +680,7 @@
 const char *device = options->device;
 struct crypt_options optionsCheck = {
 .key_file = options->key_file,
- .flags = options->flags & ~CRYPT_FLAG_VERIFY,
+ .flags = options->flags & ~CRYPT_FLAG_VERIFY_IF_POSSIBLE,
 };
 struct crypt_options optionsSet = {
 .key_file = options->new_key_file,
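Review bot: The mask in `optionsCheck` now clears only `CRYPT_FLAG_VERIFY_IF_POSSIBLE`, so `CRYPT_FLAG_VERIFY`, which the old line cleared, passes through to the prompt for the existing passphrase. If a caller can set `CRYPT_FLAG_VERIFY` in `options->flags` (not visible in this hunk), the unlock passphrase would still be requested twice, which is the symptom the patch is meant to remove. Clearing both flags covers either case: `.flags = options->flags & ~(CRYPT_FLAG_VERIFY | CRYPT_FLAG_VERIFY_IF_POSSIBLE),`. The enclosing function starts and ends outside the hunk.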
--- cryptsetup-1.0.3/lib/setup.c
+++ cryptsetup-1.0.3/lib/setup.c
@@ -729,6 +729,37 @@
 return r;
 }
+static int __crypt_luks_del_key(int arg, struct setup_backend *backend, struct crypt_options *options)
+{
+ struct luks_masterkey mk;
+ struct luks_phdr hdr;
+ char *password; unsigned int passwordLen;
+ const char *device = options->device;
+ int keyIndex = options->key_slot;
+ int r;
+
+ // r = LUKS_read_phdr(device, &hdr);
+ // if(r < 0) return r;
+
+ options->key_size = 0; // FIXME, define a clean interface some day.
+ get_key(options,"Enter any remaining LUKS passphrase: ",&password,&passwordLen);
+ if(!password) {
+ r = -EINVAL; goto out;
+ }
+ if(LUKS_open_any_other_key(device, keyIndex, password, passwordLen, &hdr, &mk, backend) < 0) {
+ printf("No remaining key available with this passphrase.\n");
+ r = -EPERM; goto out;
+ }
+ safe_free(password);
+
+ r = LUKS_del_key(device, keyIndex);
+ if(r < 0) goto out;
+
+ r = 0;
+out:
+ return r;
+}
+
 static int crypt_job(int (*job)(int arg, struct setup_backend *backend, struct crypt_options *options), int arg, struct crypt_options *options)
@@ -796,7 +827,7 @@
 int crypt_luksDelKey(struct crypt_options *options)
 {
- return LUKS_del_key(options->device, options->key_slot);
+ return crypt_job(__crypt_luks_del_key, 0, options);
 }
 int crypt_luksAddKey(struct crypt_options *options)
--- cryptsetup-1.0.3/luks/keymanage.c
+++ cryptsetup-1.0.3/luks/keymanage.c
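Review bot: In `__crypt_luks_del_key` the `-EPERM` branch jumps to `out` before `safe_free(password)` runs, so a rejected passphrase is never released; if `safe_free` also wipes the buffer (its definition is not shown), the passphrase stays readable in process memory after the failed attempt. Adding `safe_free(password);` ahead of `r = -EPERM; goto out;` closes that path. `mk` is filled by `LUKS_open_any_other_key` on success and is not cleared before the function returns, so master-key material is left on the stack; whether a local `struct luks_masterkey` has room for `hdr->keyBytes` bytes of key is not visible here and should be confirmed against the struct definition. The failure message is also written with `printf` to stdout rather than to stderr, where the tool's other error output in this patch set goes.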
@@ -341,6 +341,30 @@
 return i==LUKS_NUMKEYS?-EPERM:0;
 }
+int LUKS_open_any_other_key(const char *device,
+ unsigned int key_slot,
+ const char *password,
+ size_t passwordLen,
+ struct luks_phdr *hdr,
+ struct luks_masterkey *mk,
+ struct setup_backend *backend)
+{
+ unsigned int i;
+ int r;
+
+ r = LUKS_read_phdr(device, hdr);
+ if(r < 0)
+ return r;
+
+ mk->keyLength = hdr->keyBytes;
+ for(i=0; i<LUKS_NUMKEYS; i++) {
+ if(i != key_slot && LUKS_open_key(device, i, password, passwordLen, hdr, mk, backend) == 0)
+ break;
+ }
+ if(i!=LUKS_NUMKEYS) printf("key slot %d unlocked.\n",i);
+ return i==LUKS_NUMKEYS?-EPERM:0;
+}
+
 /*
 * Wipe patterns according to Gutmann's Paper
 */
--- cryptsetup-1.0.3/luks/luks.h
+++ cryptsetup-1.0.3/luks/luks.h
@@ -113,6 +113,14 @@
 struct luks_masterkey *mk,
 struct setup_backend *backend);
+int LUKS_open_any_other_key(const char *device,
+ unsigned int key_slot,
+ const char *password,
+ size_t passwordLen,
+ struct luks_phdr *hdr,
+ struct luks_masterkey *mk,
+ struct setup_backend *backend);
+
 int LUKS_del_key(const char *device, unsigned int keyIndex);
 int LUKS_is_last_keyslot(const char *device, unsigned int keyIndex);
 int LUKS_benchmarkt_iterations();
--- cryptsetup-1.0.3/man/cryptsetup.8
+++ cryptsetup-1.0.3/man/cryptsetup.8
@@ -60,7 +60,7 @@
 .PP
 \fIluksDelKey\fR <device> <key slot number>
 .IP
-remove key from key slot. No options.
+remove key from key slot. A remaining passphrase or key file (via \-\-key-file) must be supplied. <options> can be [\-\-key-file].
 .PP
 \fIluksUUID\fR <device>
 .IP
--- cryptsetup-1.0.3/src/cryptsetup.c
+++ cryptsetup-1.0.3/src/cryptsetup.c
@@ -258,6 +258,8 @@
 struct crypt_options options = {
 .device = action_argv[0],
 .key_slot = atoi(action_argv[1]),
+ .key_file = opt_key_file,
+ .timeout = opt_timeout,
 };
 int r;
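Review bot: `LUKS_open_any_other_key` in luks/keymanage.c prints `i`, an `unsigned int`, with `%d`; the matching specifier is `%u`, i.e. `printf("key slot %u unlocked.\n",i);`. Every non-zero return from `LUKS_open_key` is folded into `-EPERM`, so a read or backend failure is reported to the user as a wrong passphrase rather than as an I/O problem. `key_slot` is not checked against `LUKS_NUMKEYS`, so an out-of-range value makes `i != key_slot` always true and the exclusion silently stops applying; a guard such as `if(key_slot >= LUKS_NUMKEYS) return -EINVAL;` after the header read would make the contract explicit. The body appears to duplicate the function that ends just above it (only its last two lines are visible), so a shared helper taking an excluded slot would keep the two from drifting apart.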