On 1/28/20 3:51 PM, Jonas Meurer wrote:
> Hello dm-crypt folks,
>
> I want to retrieve pbkdf params for active keyslots of LUKS devices. First
> I looked into `crypt_keyslot_get_pbkdf()`, but contrary to what the code
> suggests[1], it doesn't return values for LUKS1 devices.

No, it should definitely work. What version of the library have you tested it with?

> Also, looking at the actual return values, it seems to return the
> calculated values for a new keyslot, not the ones for the active keyslot,
> right?

Again, this would be either a bug in libcryptsetup or some mistake in your application code. Looking at the libcryptsetup code, it extracts values directly from metadata for both LUKS1 and LUKS2.

> Is there another way to retrieve the values that `cryptsetup luksDump`
> shows? I'm particularly interested in the `iterations` values for LUKS1
> and `memory` values for LUKS2 devices.
>
> Here's my (non-working code):
>
>     struct crypt_device *cd = NULL;
>     if (crypt_init_by_name(&cd, devices[i])) {
>         errx(EXIT_FAILURE, "couldn't init LUKS device %s", devices[i]);
>     } else {
>         int ks_max = crypt_keyslot_max(crypt_get_type(cd));
>         for (int j = 0; j < ks_max; j++) {
>             crypt_keyslot_info ki = crypt_keyslot_status(cd, j);
>             if (ki == CRYPT_SLOT_ACTIVE || ki == CRYPT_SLOT_ACTIVE_LAST) {
>                 // Keyslot is active
>                 struct crypt_pbkdf_type pbkdf_ki;
>                 if (crypt_keyslot_get_pbkdf(cd, ki, &pbkdf_ki)) {
>                     printf(" max_memory_kb: %d\n", pbkdf_ki.max_memory_kb);
>                 } else {
>                     warn("No PBKDF for ks %d (device %s)", j, devices[i]);
>                 }
>             }
>         }
>     }
>     crypt_free(cd);

Do you get the same values when you try to modify your code a bit? Could you replace crypt_init_by_name() with crypt_init(/path/to/luks/metadata/device) and a subsequent crypt_load()? Do you get the same (wrong) values?

O.
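
Added example, not part of the thread and not libcryptsetup code: an independent cross-check that reads the per-keyslot `iterations` values straight from a LUKS1 on-disk header, using the field offsets of the LUKS1 on-disk format. The function name `luks1_slot_iterations` and the sample header bytes are constructed for this illustration; on a real system the 592 bytes would come from the start of the device or of a header backup.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* LUKS1 header: 208-byte preamble, then 8 keyslots of 48 bytes; big-endian. */
#define LUKS1_HDR_LEN     592
#define LUKS1_SLOT_OFF    208
#define LUKS1_SLOT_LEN    48
#define LUKS1_SLOTS       8
#define LUKS1_KEY_ENABLED 0x00AC71F3u

/* Constructed sample header (not from a real device): slots 0 and 3 active. */
static const uint8_t luks1_sample[LUKS1_HDR_LEN] = {
    'L', 'U', 'K', 'S', 0xBA, 0xBE, 0x00, 0x01,             /* magic, version 1 */
    [208] = 0x00, 0xAC, 0x71, 0xF3, 0x00, 0x12, 0xD6, 0x87, /* slot 0: 1234567 */
    [352] = 0x00, 0xAC, 0x71, 0xF3, 0x00, 0x1E, 0x84, 0x80, /* slot 3: 2000000 */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Write each slot's PBKDF2 iteration count to iters[] (0 if inactive). Returns a
 * bitmask of active slots, or -1 if hdr is not LUKS1 (LUKS2: same magic, version 2). */
int luks1_slot_iterations(const uint8_t *hdr, size_t len, uint32_t iters[LUKS1_SLOTS])
{
    static const uint8_t magic[6] = { 'L', 'U', 'K', 'S', 0xBA, 0xBE };
    int mask = 0;
    if (len < LUKS1_HDR_LEN || memcmp(hdr, magic, 6) || hdr[6] != 0 || hdr[7] != 1)
        return -1;
    for (int j = 0; j < LUKS1_SLOTS; j++) {
        const uint8_t *ks = hdr + LUKS1_SLOT_OFF + j * LUKS1_SLOT_LEN;
        int on = be32(ks) == LUKS1_KEY_ENABLED;  /* first field: slot state */
        iters[j] = on ? be32(ks + 4) : 0;        /* second field: iterations */
        mask |= on << j;
    }
    return mask;
}

int main(void)
{
    uint32_t iters[LUKS1_SLOTS];
    int mask = luks1_slot_iterations(luks1_sample, sizeof luks1_sample, iters);
    for (int j = 0; mask > 0 && j < LUKS1_SLOTS; j++)
        if (mask & (1 << j))
            printf("Key Slot %d: ENABLED, iterations: %u\n", j, (unsigned)iters[j]);
    return mask < 0;
}
```

Values obtained this way can be compared against what an application gets back from the library for the same slot index.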