Hello,

Ondrej Kozina:
> For anyone interested,
>
> there was a minor bug in LUKS1 crypt_keyslot_get_pbkdf() where we
> returned pbkdf values even for an inactive keyslot. It was fixed with
> commit
> https://gitlab.com/cryptsetup/cryptsetup/commit/47d0cf495dae03822c76ef2ef482f940208d9062
> and it will get distributed with upstream 2.3.0 release.

And for anyone interested in my code example, the major bug was there. I
passed 'ki' (which is the flag that indicates the keyslot status) instead
of 'j' (the keyslot number) to crypt_keyslot_get_pbkdf(). Thanks to Ondrej
for pointing that out!

Here's a fixed version of my example code:

#include <stdlib.h>
#include <stdio.h>
#include <err.h>
#include <string.h>
#include <libcryptsetup.h>

int main(int argc, char *argv[])
{
    /* argv[1]: "LUKS1" or "LUKS2", argv[2]: path to the LUKS device */
    if (argc != 3 || (strcmp(argv[1], CRYPT_LUKS1) != 0 &&
                      strcmp(argv[1], CRYPT_LUKS2) != 0))
        errx(EXIT_FAILURE, "expects LUKS1/LUKS2 as first and LUKS device as second argument");

    struct crypt_device *cd = NULL;
    if (crypt_init(&cd, argv[2]) < 0)
        err(EXIT_FAILURE, "crypt_init failed");
    if (crypt_load(cd, argv[1], NULL) < 0)
        err(EXIT_FAILURE, "crypt_load failed");
    fprintf(stderr, "Device %s (type %s)\n", argv[2], crypt_get_type(cd));

    int ks_max = crypt_keyslot_max(crypt_get_type(cd));
    for (int j = 0; j < ks_max; j++) {
        /* ki is the keyslot status, not the keyslot number */
        crypt_keyslot_info ki = crypt_keyslot_status(cd, j);
        if (ki != CRYPT_SLOT_ACTIVE && ki != CRYPT_SLOT_ACTIVE_LAST)
            continue;
        fprintf(stderr, "Active keyslot %d: %d\n", j, ki);

        /* query by keyslot number j; zero the struct so nothing stale is printed */
        struct crypt_pbkdf_type pbkdf_ki = { 0 };
        int res = crypt_keyslot_get_pbkdf(cd, j, &pbkdf_ki);
        fprintf(stderr, " return code: %d\n", res);
        if (res < 0)
            continue; /* pbkdf_ki was not filled in */

        /* iterations and max_memory_kb are uint32_t, so print with %u */
        fprintf(stderr, " iterations: %u\n", pbkdf_ki.iterations);
        fprintf(stderr, " max_memory_kb: %u\n", pbkdf_ki.max_memory_kb);
    }

    crypt_free(cd);
    return EXIT_SUCCESS;
}

Cheers
 jonas
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt