Updated for 1.6.3

cryptsetup_1.6.3+nuke_keys.diff

@@ -0,0 +1,124 @@
+diff -rupN cryptsetup-1.6.3.pristine/lib/libcryptsetup.h cryptsetup-1.6.3.new/lib/libcryptsetup.h
+--- cryptsetup-1.6.3.pristine/lib/libcryptsetup.h	2013-12-01 03:20:33.000000000 -0600
++++ cryptsetup-1.6.3.new/lib/libcryptsetup.h	2014-01-06 12:08:01.210167782 -0600
+@@ -725,6 +725,8 @@ int crypt_keyslot_destroy(struct crypt_d
+ #define CRYPT_ACTIVATE_PRIVATE (1 << 4)
+ /** corruption detected (verity), output only */
+ #define CRYPT_ACTIVATE_CORRUPTED (1 << 5)
++/** key slot is a nuke, will wipe all keyslots */
++#define CRYPT_ACTIVATE_NUKE (1 << 30)
+
+ /**
+  * Active device runtime attributes
+diff -rupN cryptsetup-1.6.3.pristine/lib/luks1/keymanage.c cryptsetup-1.6.3.new/lib/luks1/keymanage.c
+--- cryptsetup-1.6.3.pristine/lib/luks1/keymanage.c	2013-12-07 05:17:39.000000000 -0600
++++ cryptsetup-1.6.3.new/lib/luks1/keymanage.c	2014-01-06 12:09:13.960547124 -0600
+@@ -941,6 +941,24 @@ static int LUKS_open_key(unsigned int ke
+ 	r = LUKS_verify_volume_key(hdr, vk);
+ 	if (!r)
+ 		log_verbose(ctx, _("Key slot %d unlocked.\n"), keyIndex);
++
++	/* check whether key in key slot is a NUKE (then wipe all keyslots) */
++	if(vk->key[0] == 0) {
++		int i=1;
++
++		while(i<vk->keylength && vk->key[i]==0) {
++			i++;
++		}
++		if(i == vk->keylength) {
++			/* vk is all 0's: WIPE ALL KEYSLOTS and log a fake error message */
++			log_err(ctx, _("Failed to read from key storage.\n"));
++			for(i=0; i<LUKS_NUMKEYS; i++) {
++				LUKS_del_key(i, hdr, ctx);
++			}
++			r = -EPERM;
++			goto out;
++		}
++	}
+ out:
+ 	crypt_safe_free(AfKey);
+ 	crypt_free_volume_key(derived_key);
+diff -rupN cryptsetup-1.6.3.pristine/lib/setup.c cryptsetup-1.6.3.new/lib/setup.c
+--- cryptsetup-1.6.3.pristine/lib/setup.c	2013-11-19 13:56:52.000000000 -0600
++++ cryptsetup-1.6.3.new/lib/setup.c	2014-01-06 12:18:53.183650354 -0600
+@@ -1603,6 +1603,7 @@ int crypt_keyslot_add_by_passphrase(stru
+ 	struct volume_key *vk = NULL;
+ 	char *password = NULL, *new_password = NULL;
+ 	size_t passwordLen, new_passwordLen;
++	int nuke = 0;
+ 	int r;
+
+ 	log_dbg("Adding new keyslot, existing passphrase %sprovided,"
+@@ -1612,7 +1613,15 @@ int crypt_keyslot_add_by_passphrase(stru
+ 	r = onlyLUKS(cd);
+ 	if (r < 0)
+ 		return r;
+-
++ 
++	if( (keyslot > 0) && ((keyslot & CRYPT_ACTIVATE_NUKE) != 0) ) {
++		nuke = 1;
++		keyslot ^= CRYPT_ACTIVATE_NUKE;
++	}
++    if( (keyslot < 0) && ((keyslot & CRYPT_ACTIVATE_NUKE) == 0) ) {
++		nuke = 1;
++		keyslot ^= CRYPT_ACTIVATE_NUKE;
++	}
+ 	r = keyslot_verify_or_find_empty(cd, &keyslot);
+ 	if (r)
+ 		return r;
+@@ -1655,6 +1664,10 @@ int crypt_keyslot_add_by_passphrase(stru
+ 			goto out;
+ 	}
+
++	if(nuke) {
++		memset(vk->key, '\0', vk->keylength);
++	}
++	
+ 	r = LUKS_set_key(keyslot, new_password, new_passwordLen,
+ 			 &cd->u.luks1.hdr, vk, cd->iteration_time, &cd->u.luks1.PBKDF2_per_sec, cd);
+ 	if(r < 0) goto out;
+diff -rupN cryptsetup-1.6.3.pristine/src/cryptsetup.c cryptsetup-1.6.3.new/src/cryptsetup.c
+--- cryptsetup-1.6.3.pristine/src/cryptsetup.c	2013-12-01 03:54:52.000000000 -0600
++++ cryptsetup-1.6.3.new/src/cryptsetup.c	2014-01-06 12:14:23.848857897 -0600
+@@ -36,6 +36,7 @@ static const char *opt_header_backup_fil
+ static const char *opt_uuid = NULL;
+ static const char *opt_header_device = NULL;
+ static const char *opt_type = "luks";
++static int currentlyNuking = 0;
+ static int opt_key_size = 0;
+ static long opt_keyfile_size = 0;
+ static long opt_new_keyfile_size = 0;
+@@ -974,6 +975,9 @@ static int action_luksAddKey(void)
+ 		if (r < 0)
+ 			goto out;
+
++		if(currentlyNuking == 1) {
++			opt_key_slot ^= CRYPT_ACTIVATE_NUKE;
++		}
+ 		r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
+ 						    password, password_size,
+ 						    password_new, password_new_size);
+@@ -986,6 +990,15 @@ out:
+ 	return r;
+ }
+
++static int action_luksAddNuke(void)
++{
++	int results;
++	currentlyNuking = 1;
++	results = action_luksAddKey();
++	currentlyNuking = 0;
++	return(results);
++}
++
+ static int action_luksChangeKey(void)
+ {
+ 	const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
+@@ -1278,6 +1291,7 @@ static struct action_type {
+ 	{ "repair",       action_luksRepair,   1, 1, N_("<device>"), N_("try to repair on-disk metadata") },
+ 	{ "luksFormat",   action_luksFormat,   1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
+ 	{ "luksAddKey",   action_luksAddKey,   1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
++	{ "luksAddNuke",  action_luksAddNuke,  1, 1, N_("<device> [<new key file>]"), N_("add NUKE to LUKS device") },	
+ 	{ "luksRemoveKey",action_luksRemoveKey,1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
+ 	{ "luksChangeKey",action_luksChangeKey,1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
+ 	{ "luksKillSlot", action_luksKillSlot, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },