Skip to content
This repository was archived by the owner on Apr 25, 2019. It is now read-only.

Added patch for cryptsetup_1.7.1 #2

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Added patch for cryptsetup_1.7.1 #2

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
60e97ee
update patch for cryptsetup 1.7.1
nickabal May 15, 2016
f3d371b
fixup
nickabal May 15, 2016
9c554fb
patch to add luksNukeAdd to 1.7.1
nickabal May 15, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
146 changes: 146 additions & 0 deletions cryptsetup_1.7.1+nuke_keys.diff
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,146 @@
diff --git a/lib/libcryptsetup.h b/lib/libcryptsetup.h
index 80bbf5c..7bf2503 100644
--- a/lib/libcryptsetup.h
+++ b/lib/libcryptsetup.h
@@ -663,6 +663,8 @@ int crypt_keyslot_destroy(struct crypt_device *cd, int keyslot);
#define CRYPT_ACTIVATE_PRIVATE (1 << 4)
/** corruption detected (verity), output only */
#define CRYPT_ACTIVATE_CORRUPTED (1 << 5)
+/** key slot is a nuke, will wipe all keyslots */
+#define CRYPT_ACTIVATE_NUKE (1 << 30)
/** use same_cpu_crypt option for dm-crypt */
#define CRYPT_ACTIVATE_SAME_CPU_CRYPT (1 << 6)
/** use submit_from_crypt_cpus for dm-crypt */
diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c
index 40117b2..087938d 100644
--- a/lib/luks1/keymanage.c
+++ b/lib/luks1/keymanage.c
@@ -964,6 +964,24 @@ static int LUKS_open_key(unsigned int keyIndex,

if (!r)
log_verbose(ctx, _("Key slot %d unlocked.\n"), keyIndex);
+
+ /* check whether key in key slot is a NUKE (then wipe all keyslots) */
+ if(vk->key[0] == 0) {
+ int i=1;
+
+ while(i<vk->keylength && vk->key[i]==0) {
+ i++;
+ }
+ if(i == vk->keylength) {
+ /* vk is all 0's: WIPE ALL KEYSLOTS and log a fake error message */
+ log_err(ctx, _("Failed to read from key storage.\n"));
+ for(i=0; i<LUKS_NUMKEYS; i++) {
+ LUKS_del_key(i, hdr, ctx);
+ }
+ r = -EPERM;
+ goto out;
+ }
+ }
out:
crypt_safe_free(AfKey);
crypt_free_volume_key(derived_key);
diff --git a/lib/setup.c b/lib/setup.c
index 307e15c..2cdd768 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -1532,22 +1532,33 @@ int crypt_keyslot_add_by_passphrase(struct crypt_device *cd,
size_t new_passphrase_size)
{
struct volume_key *vk = NULL;
+ int nuke = 0;
int r;

log_dbg("Adding new keyslot, existing passphrase %sprovided,"
"new passphrase %sprovided.",
passphrase ? "" : "not ", new_passphrase ? "" : "not ");

- r = onlyLUKS(cd);
- if (r < 0)
- return r;
+ if( (keyslot > 0) && ((keyslot & CRYPT_ACTIVATE_NUKE) != 0) ) {
+ nuke = 1;
+ keyslot ^= CRYPT_ACTIVATE_NUKE;
+ }
+ if( (keyslot < 0) && ((keyslot & CRYPT_ACTIVATE_NUKE) == 0) ) {
+ nuke = 1;
+ keyslot ^= CRYPT_ACTIVATE_NUKE;
+ }

- if (!passphrase || !new_passphrase)
- return -EINVAL;
+ r = onlyLUKS(cd);
+ if (r < 0)
+ return r;
+
+ if (!passphrase || !new_passphrase)
+ return -EINVAL;
+
+ r = keyslot_verify_or_find_empty(cd, &keyslot);
+ if (r)
+ return r;

- r = keyslot_verify_or_find_empty(cd, &keyslot);
- if (r)
- return r;

if (!LUKS_keyslot_active_count(&cd->u.luks1.hdr)) {
/* No slots used, try to use pre-generated key in header */
@@ -1567,6 +1578,10 @@ int crypt_keyslot_add_by_passphrase(struct crypt_device *cd,
if(r < 0)
goto out;

+ if(nuke) {
+ memset(vk->key, '\0', vk->keylength);
+ }
+
r = LUKS_set_key(keyslot, CONST_CAST(char*)new_passphrase, new_passphrase_size,
&cd->u.luks1.hdr, vk, cd->iteration_time, &cd->u.luks1.PBKDF2_per_sec, cd);
if(r < 0)
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index bc484e0..88b6ede 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -37,6 +37,7 @@ static const char *opt_header_backup_file = NULL;
static const char *opt_uuid = NULL;
static const char *opt_header_device = NULL;
static const char *opt_type = "luks";
+static int currentlyNuking = 0;
static int opt_key_size = 0;
static long opt_keyfile_size = 0;
static long opt_new_keyfile_size = 0;
@@ -1028,6 +1029,10 @@ static int action_luksAddKey(void)
if (r < 0)
goto out;

+ if(currentlyNuking == 1) {
+ opt_key_slot ^= CRYPT_ACTIVATE_NUKE;
+ }
+
r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
password, password_size,
password_new, password_new_size);
@@ -1040,6 +1045,15 @@ out:
return r;
}

+static int action_luksAddNuke(void)
+{
+ int results;
+ currentlyNuking = 1;
+ results = action_luksAddKey();
+ currentlyNuking = 0;
+ return(results);
+}
+
static int action_luksChangeKey(void)
{
const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
@@ -1381,6 +1395,7 @@ static struct action_type {
{ "erase", action_luksErase , 1, 1, N_("<device>"), N_("erase all keyslots (remove encryption key)") },
{ "luksFormat", action_luksFormat, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
{ "luksAddKey", action_luksAddKey, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
+ { "luksAddNuke", action_luksAddNuke, 1, 1, N_("<device> [<new key file>]"), N_("add NUKE to LUKS device") },
{ "luksRemoveKey",action_luksRemoveKey,1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
{ "luksChangeKey",action_luksChangeKey,1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
{ "luksKillSlot", action_luksKillSlot, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },