cryptsetup supports key files through the --key-file --header command line argument for both LUKS1 and LUKS2.
This adds support for LUKS1 key files. Signed-off-by: John Lane <j...@lane.uk.net> gnu...@cyberdimension.org: rebase, fixes, commit message Signed-off-by: Denis 'GNUtoo' Carikli <gnu...@cyberdimension.org>
---
 grub-core/disk/luks.c | 42 +++++++++++++++++++++++++++--------------- 1 file changed, 27 insertions(+), 15 deletions(-)
diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index d0f65700d..376895259 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -162,13 +162,14 @@ luks_scan (grub_disk_t disk, const char *check_uuid, int check_boot,
 static grub_err_t
 luks_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr,
- grub_uint8_t *keyfile_bytes __attribute__ ((unused)),
- grub_size_t keyfile_bytes_size __attribute__ ((unused)))
+ grub_uint8_t *keyfile_bytes, grub_size_t keyfile_bytes_size)
 {
 struct grub_luks_phdr header;
 grub_size_t keysize;
 grub_uint8_t *split_key = NULL;
- char passphrase[MAX_PASSPHRASE] = "";
+ char interactive_passphrase[MAX_PASSPHRASE] = "";
+ grub_uint8_t *passphrase;
+ grub_size_t passphrase_length;
 grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
 unsigned i;
 grub_size_t length;
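Review bot: The two key-file parameters become live in this signature, but nothing documents their contract. A short comment above `luks_recover_key` would help, for example `/* keyfile_bytes == NULL: prompt for a passphrase; otherwise use keyfile_bytes_size raw bytes, which may contain NUL. */`. The visible hunks only read through the pointer and never free it, so the buffer appears to stay owned by the caller, which is worth stating as well. If the callback type declared elsewhere in the series allows it, `const grub_uint8_t *keyfile_bytes` would make the read-only use explicit. The function body continues outside this hunk.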
@@ -205,18 +206,29 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr,
 if (!split_key)
 return grub_errno;
- /* Get the passphrase from the user. */
- tmp = NULL;
- if (source->partition)
- tmp = grub_partition_get_name (source->partition);
- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
- source->partition ? "," : "", tmp ? : "",
- dev->uuid);
- grub_free (tmp);
- if (!grub_password_get (passphrase, MAX_PASSPHRASE))
+ if (keyfile_bytes)
 {
- grub_free (split_key);
- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+ /* Use bytestring from key file as passphrase */
+ passphrase = keyfile_bytes;
+ passphrase_length = keyfile_bytes_size;
+ }
+ else
+ {
+ /* Get the passphrase from the user. */
+ tmp = NULL;
+ if (source->partition)
+ tmp = grub_partition_get_name (source->partition);
+ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
+ source->partition ? "," : "", tmp ? : "", dev->uuid);
+ grub_free (tmp);
+ if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
+ {
+ grub_free (split_key);
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+ }
+
+ passphrase = (grub_uint8_t *)interactive_passphrase;
+ passphrase_length = grub_strlen (interactive_passphrase);
 }
 /* Try to recover master key from each active keyslot. */
@@ -234,7 +246,7 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr,
 /* Calculate the PBKDF2 of the user supplied passphrase. */
 gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
- grub_strlen (passphrase),
+ passphrase_length,
 header.keyblock[i].passwordSalt,
 sizeof (header.keyblock[i].passwordSalt),
 grub_be_to_cpu32 (header.keyblock[i].
-- 2.25.1 _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
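Review bot: Nothing in the second hunk (`@@ -205,18 +206,29 @@`) clears `interactive_passphrase`, a stack buffer holding the typed secret, and that includes the early `Passphrase not supplied` return. The rest of luks_recover_key is outside the hunk, so later return paths may already handle this. If they do not, `grub_memset (interactive_passphrase, 0, sizeof (interactive_passphrase));` before each return would limit how long the passphrase stays in memory. The key-file branch could also carry a comment that this function uses the bytes verbatim, e.g. `/* Key file contents are used as-is: no newline stripping, embedded NULs allowed. */`.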
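Review bot: The `(grub_uint8_t *)` cast on `passphrase` in the grub_crypto_pbkdf2 call of the last hunk (`@@ -234,7 +246,7 @@`) is now redundant, because the first hunk declares `passphrase` as `grub_uint8_t *`. Keeping it would hide a type mismatch if the declaration changed later, so the line can read `gcry_err = grub_crypto_pbkdf2 (dev->hash, passphrase,`. The comment above the call still says "user supplied passphrase" although the input may now be key-file bytes; `/* Calculate the PBKDF2 of the passphrase or key-file bytes. */` would match the new behaviour. The call continues past the end of the hunk.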