Just for update,
just did way 1 - here I got a question - in luks/keymanage.c around line
341 (at least in cryptsetup-luks-1.0.3) I read
"return i==LUKS_NUMKEYS?-EPERM:0;"
which I changed into
"return i==LUKS_NUMKEYS?-EPERM:i;"
so that I get back the number of the used keyslot in lib/setup.c, which I
need in this solution to determine whether I should give rw or ro access.
Does this throw up any problems? And sorry for asking (didn't dive into
the whole thing all too deep): what is -EPERM for, or how should I read
the whole statement (and the sense of it)?
Just for completeness, the code parts I changed are attached.
Martin Strigl wrote:
hi there, first of all congrats on your work.
I got an idea, or to be more precise a feature request, and although I'm
not quite sure if it would be useful to others I want to propose it. And
just in case no one finds it useful, I would appreciate it if you
could point me in the right direction where to start.
* I got a scenario where it would be very useful if I could open a LUKS
encrypted device just readonly for certain key slots.
Let's say if someone gives the credentials for key slot 1 or 3 it's
opened AUTOMATICALLY as readonly, but if you use key slot 0 or 2 it's
opened just the way you want (normally rw, but in respect to the options
given).
* I thought of 2 ways of accomplishing this:
- the first one is the quick'n'dirty hack which just says "okay, if it's
key slot 0 do what the user wants to do, for all others ALWAYS set
options.flags |= CRYPT_FLAG_READONLY"
- the second one would be more fine: let's define at key creation
time the right (rw or just ro) this key has and according to that do
what you ought to do
* as to the first way, it seems quite clear to me that I just need to
modify the function __crypt_luks_open in lib/setup.c (around the call
LUKS_open_any_key) and according to the return value modify options
* for the second I'm not quite sure where to start
so please share your ideas with me (and excuse my English)
Kind regards,
Martin Strigl
diff -urN cryptsetup-luks-1.0.3-orig/lib/setup.c cryptsetup-luks-1.0.3/lib/setup.c
--- cryptsetup-luks-1.0.3-orig/lib/setup.c 2006-04-02 10:58:18.000000000 +0200
+++ cryptsetup-luks-1.0.3/lib/setup.c 2007-04-04 10:47:00.000000000 +0200
@@ -546,6 +546,7 @@
};
char *dmCipherSpec;
int r, tries = options->tries;
+ int whichkey;
r = backend->status(0, &tmp, NULL);
if (r >= 0) {
@@ -571,10 +572,18 @@
if(!password) {
r = -EINVAL; goto out;
}
- if(LUKS_open_any_key(options->device, password, passwordLen, &hdr, &mk, backend) < 0) {
+ whichkey=LUKS_open_any_key(options->device, password, passwordLen, &hdr, &mk, backend);
+ if(whichkey < 0) {
set_error("No key available with this passphrase.\n");
r = -EPERM; goto out1;
}
+ printf("MST: KEYSLOT %d used\n",whichkey);
+ if (whichkey>0) {
+ printf("MST: KEYSLOT %d unlocked -> readonly\n",whichkey);
+ infos.readonly = 1;
+ options->flags |= CRYPT_FLAG_READONLY;
+ }
+
options->offset = hdr.payloadOffset;
asprintf(&dmCipherSpec, "%s-%s", hdr.cipherName, hdr.cipherMode);
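Review bot: the two debug lines `+ printf("MST: KEYSLOT %d used\n",whichkey);` and `+ printf("MST: KEYSLOT %d unlocked -> readonly\n",whichkey);` write to stdout from library code in lib/setup.c; route them through the library's existing error/log path or drop them before this is merged. The policy in `if (whichkey>0)` hardcodes "slot 0 is rw, every other slot is ro", which is the quick-and-dirty variant described in the mail; since every slot unwraps the same master key, this is enforced only inside this modified client, so treat it as a convenience setting rather than an access control against someone holding a ro-slot passphrase. Also, the hunk sets both `infos.readonly = 1;` and `options->flags |= CRYPT_FLAG_READONLY;`; if the surrounding code later derives the flag from infos.readonly, one of the two is redundant and worth removing.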
diff -urN cryptsetup-luks-1.0.3-orig/luks/keymanage.c cryptsetup-luks-1.0.3/luks/keymanage.c
--- cryptsetup-luks-1.0.3-orig/luks/keymanage.c 2006-04-02 10:36:11.000000000 +0200
+++ cryptsetup-luks-1.0.3/luks/keymanage.c 2007-04-04 10:53:53.000000000 +0200
@@ -338,7 +338,7 @@
break;
}
if(i!=LUKS_NUMKEYS) printf("key slot %d unlocked.\n",i);
- return i==LUKS_NUMKEYS?-EPERM:0;
+ return i==LUKS_NUMKEYS?-EPERM:i;
}
/*
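Review bot: `+ return i==LUKS_NUMKEYS?-EPERM:i;` changes the function's contract from "0 on success" to "slot index on success", so any caller that tests for success with `== 0` or `!r` will now treat slots 1..7 as failures; audit every caller of LUKS_open_any_key, not only __crypt_luks_open, and document the new return value in the function's comment. To the question in the mail: -EPERM is the negated errno value EPERM ("Operation not permitted"), following the convention that a negative return is an error code and a non-negative one is success, so the statement reads "if the loop ran through all LUKS_NUMKEYS slots without one unlocking, return an error, otherwise return the slot that unlocked". With this change callers must keep checking `< 0`, never `!= 0`.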
---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
For additional commands, e-mail: dm-crypt-help@xxxxxxxx
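The return convention asked about above and the proposed "second way" (an access right fixed per slot at key creation time), as an added example in C that is not cryptsetup code: `open_any_key`, `decide_flags`, the `key_slot` table and the sample passphrases are hypothetical constructs, and the plain passphrase comparison stands in for the real slot unwrap.

```c
#include <errno.h>
#include <string.h>

#define NUMKEYS 8          /* stands in for LUKS_NUMKEYS */
#define FLAG_READONLY 1u   /* stands in for CRYPT_FLAG_READONLY */

enum slot_access { SLOT_DISABLED = 0, SLOT_RW, SLOT_RO };

struct key_slot {
    enum slot_access access;  /* right fixed when the key was added (hypothetical) */
    const char *passphrase;   /* constructed stand-in for the real wrapped-key check */
};

/* Constructed sample header: slot 0 rw, slots 1 and 3 ro, the rest unused. */
static const struct key_slot sample_slots[NUMKEYS] = {
    { SLOT_RW, "admin-pass" },   { SLOT_RO, "backup-pass" }, { SLOT_DISABLED, NULL },
    { SLOT_RO, "auditor-pass" }, { SLOT_DISABLED, NULL },    { SLOT_DISABLED, NULL },
    { SLOT_DISABLED, NULL },     { SLOT_DISABLED, NULL },
};

/* Negative-errno convention: a value < 0 is an error (-EPERM: no slot accepted
 * the passphrase), a value >= 0 is the index of the slot that unlocked.
 * With the original "?-EPERM:0" the caller only learnt success or failure. */
int open_any_key(const struct key_slot *slots, const char *passphrase)
{
    int i;
    for (i = 0; i < NUMKEYS; i++)
        if (slots[i].access != SLOT_DISABLED && strcmp(slots[i].passphrase, passphrase) == 0)
            break;
    return i == NUMKEYS ? -EPERM : i;
}

/* Caller side (the role of __crypt_luks_open): keep the user's requested flags,
 * but force read-only when the stored right of the unlocking slot says so,
 * instead of hardcoding "slot 0 is rw, everything else is ro". */
int decide_flags(const struct key_slot *slots, const char *passphrase,
                 unsigned requested_flags, unsigned *out_flags)
{
    int slot = open_any_key(slots, passphrase);
    if (slot < 0)
        return slot;                  /* propagate -EPERM unchanged */
    *out_flags = requested_flags;
    if (slots[slot].access == SLOT_RO)
        *out_flags |= FLAG_READONLY;
    return slot;                      /* 0..NUMKEYS-1 */
}
```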