From: John Lane <j...@lane.uk.net> --- grub-core/disk/cryptodisk.c | 46 ++++++++++++++++++++++++++++++++++++++++++++- grub-core/disk/geli.c | 4 +++- grub-core/disk/luks.c | 44 +++++++++++++++++++++++++++++-------------- include/grub/cryptodisk.h | 5 ++++- 4 files changed, 82 insertions(+), 17 deletions(-)
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c index 6f596a0..a27e70c 100644 --- a/grub-core/disk/cryptodisk.c +++ b/grub-core/disk/cryptodisk.c @@ -41,6 +41,9 @@ static const struct grub_arg_option options[] = {"all", 'a', 0, N_("Mount all."), 0, 0}, {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0}, {"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING}, + {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING}, + {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT}, + {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT}, {0, 0, 0, 0, 0, 0} }; @@ -805,6 +808,8 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk) static int check_boot, have_it; static char *search_uuid; static grub_file_t hdr; +static grub_uint8_t *key, keyfile_buffer[GRUB_CRYPTODISK_MAX_KEYFILE_SIZE]; +static grub_size_t keyfile_size; static void cryptodisk_close (grub_cryptodisk_t dev) @@ -835,7 +840,7 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source) if (!dev) continue; - err = cr->recover_key (source, dev, hdr); + err = cr->recover_key (source, dev, hdr, key, keyfile_size); if (err) { cryptodisk_close (dev); @@ -943,6 +948,45 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) hdr = NULL; have_it = 0; + key = NULL; + + if (state[4].set) /* Key file; fails back to passphrase entry */ + { + grub_file_t keyfile; + int keyfile_offset; + grub_size_t requested_keyfile_size; + + requested_keyfile_size = state[6].set ? grub_strtoul(state[6].arg, 0, 0) : 0; + + if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE) + grub_printf (N_("Key file size exceeds maximum (%llu)\n"), \ + (unsigned long long) GRUB_CRYPTODISK_MAX_KEYFILE_SIZE); + else + { + keyfile_offset = state[5].set ? grub_strtoul (state[5].arg, 0, 0) : 0; + keyfile_size = requested_keyfile_size ? requested_keyfile_size : \ + GRUB_CRYPTODISK_MAX_KEYFILE_SIZE; + + keyfile = grub_file_open (state[4].arg); + if (!keyfile) + grub_printf (N_("Unable to open key file %s\n"), state[4].arg); + else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1) + grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset); + else + { + keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size); + if (keyfile_size == (grub_size_t)-1) + grub_printf (N_("Error reading key file\n")); + else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size)) + grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"), + (unsigned long long) requested_keyfile_size, + (unsigned long long) keyfile_size); + else + key = keyfile_buffer; + } + } + } + if (state[0].set) { grub_cryptodisk_t dev; diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c index f4394eb..da6aa6a 100644 --- a/grub-core/disk/geli.c +++ b/grub-core/disk/geli.c @@ -401,7 +401,9 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, static grub_err_t recover_key (grub_disk_t source, grub_cryptodisk_t dev, - grub_file_t hdr __attribute__ ((unused)) ) + grub_file_t hdr __attribute__ ((unused)), + grub_uint8_t *key __attribute__ ((unused)), + grub_size_t keyfile_size __attribute__ ((unused)) ) { grub_size_t keysize; grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN]; diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c index 66e64c0..5882368 100644 --- a/grub-core/disk/luks.c +++ b/grub-core/disk/luks.c @@ -322,12 +322,16 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, static grub_err_t luks_recover_key (grub_disk_t source, grub_cryptodisk_t dev, - grub_file_t hdr) + grub_file_t hdr, + grub_uint8_t *keyfile_bytes, + grub_size_t keyfile_bytes_size) { struct grub_luks_phdr header; grub_size_t keysize; grub_uint8_t *split_key = NULL; - char passphrase[MAX_PASSPHRASE] = ""; + char interactive_passphrase[MAX_PASSPHRASE] = ""; + grub_uint8_t *passphrase; + grub_size_t passphrase_length; grub_uint8_t candidate_digest[sizeof (header.mkDigest)]; unsigned i; grub_size_t length; @@ -364,18 +368,30 @@ luks_recover_key (grub_disk_t source, if (!split_key) return grub_errno; - /* Get the passphrase from the user. */ - tmp = NULL; - if (source->partition) - tmp = grub_partition_get_name (source->partition); - grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, - source->partition ? "," : "", tmp ? : "", - dev->uuid); - grub_free (tmp); - if (!grub_password_get (passphrase, MAX_PASSPHRASE)) + if (keyfile_bytes) { - grub_free (split_key); - return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); + /* Use bytestring from key file as passphrase */ + passphrase = keyfile_bytes; + passphrase_length = keyfile_bytes_size; + } + else + { + /* Get the passphrase from the user. */ + tmp = NULL; + if (source->partition) + tmp = grub_partition_get_name (source->partition); + grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, + source->partition ? "," : "", tmp ? : "", dev->uuid); + grub_free (tmp); + if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE)) + { + grub_free (split_key); + return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); + } + + passphrase = (grub_uint8_t *)interactive_passphrase; + passphrase_length = grub_strlen (interactive_passphrase); + } /* Try to recover master key from each active keyslot. */ @@ -393,7 +409,7 @@ luks_recover_key (grub_disk_t source, /* Calculate the PBKDF2 of the user supplied passphrase. */ gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase, - grub_strlen (passphrase), + passphrase_length, header.keyblock[i].passwordSalt, sizeof (header.keyblock[i].passwordSalt), grub_be_to_cpu32 (header.keyblock[i]. diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h index 16dee3c..0299625 100644 --- a/include/grub/cryptodisk.h +++ b/include/grub/cryptodisk.h @@ -55,6 +55,8 @@ typedef enum #define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES) #define GRUB_CRYPTODISK_MAX_KEYLEN 128 +#define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192 + struct grub_cryptodisk; typedef gcry_err_code_t @@ -108,7 +110,8 @@ struct grub_cryptodisk_dev grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid, int boot_only, grub_file_t hdr); - grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_file_t hdr); + grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, + grub_file_t hdr, grub_uint8_t *key, grub_size_t keyfile_size); }; typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t; -- 2.1.2 _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel