Commit 09fd551e authored by Milan Broz's avatar Milan Broz

Fix support for LUKS header created by cryptsetup-1.0.0

(no 4k alignment for the first keyslot).
Also skip repair for such header.

Thanks to Dick Middleton for reporting the issue.
parent ee8425b8
2012-04-02 Milan Broz <gmazyland@gmail.com> 2012-04-09 Milan Broz <gmazyland@gmail.com>
* Fix header check to support old (cryptsetup 1.0.0) header alignment. (1.4.0)
* Version 1.4.2. * Version 1.4.2.
2012-03-16 Milan Broz <gmazyland@gmail.com> 2012-03-16 Milan Broz <gmazyland@gmail.com>
......
...@@ -87,7 +87,7 @@ static int LUKS_check_keyslot_size(const struct luks_phdr *phdr, unsigned int ke ...@@ -87,7 +87,7 @@ static int LUKS_check_keyslot_size(const struct luks_phdr *phdr, unsigned int ke
uint32_t secs_per_stripes; uint32_t secs_per_stripes;
/* First sectors is the header itself */ /* First sectors is the header itself */
if (phdr->keyblock[keyIndex].keyMaterialOffset * SECTOR_SIZE < LUKS_ALIGN_KEYSLOTS) { if (phdr->keyblock[keyIndex].keyMaterialOffset * SECTOR_SIZE < sizeof(*phdr)) {
log_dbg("Invalid offset %u in keyslot %u.", log_dbg("Invalid offset %u in keyslot %u.",
phdr->keyblock[keyIndex].keyMaterialOffset, keyIndex); phdr->keyblock[keyIndex].keyMaterialOffset, keyIndex);
return 1; return 1;
...@@ -310,6 +310,12 @@ static int _keyslot_repair(const char *device, struct luks_phdr *phdr, struct cr ...@@ -310,6 +310,12 @@ static int _keyslot_repair(const char *device, struct luks_phdr *phdr, struct cr
log_err(ctx, _("Non standard key size, manual repair required.\n")); log_err(ctx, _("Non standard key size, manual repair required.\n"));
return -EINVAL; return -EINVAL;
} }
/* cryptsetup 1.0 did not align to 4k, cannot repair this one */
if (phdr->keyblock[0].keyMaterialOffset < (LUKS_ALIGN_KEYSLOTS / SECTOR_SIZE)) {
log_err(ctx, _("Non standard keyslots alignment, manual repair required.\n"));
return -EINVAL;
}
vk = crypt_alloc_volume_key(phdr->keyBytes, NULL); vk = crypt_alloc_volume_key(phdr->keyBytes, NULL);
log_verbose(ctx, _("Repairing keyslots.\n")); log_verbose(ctx, _("Repairing keyslots.\n"));
...@@ -328,6 +334,11 @@ static int _keyslot_repair(const char *device, struct luks_phdr *phdr, struct cr ...@@ -328,6 +334,11 @@ static int _keyslot_repair(const char *device, struct luks_phdr *phdr, struct cr
} }
for(i = 0; i < LUKS_NUMKEYS; ++i) { for(i = 0; i < LUKS_NUMKEYS; ++i) {
if (phdr->keyblock[i].active == LUKS_KEY_ENABLED) {
log_dbg("Skipping repair for active keyslot %i.", i);
continue;
}
bad = 0; bad = 0;
if (phdr->keyblock[i].keyMaterialOffset != temp_phdr.keyblock[i].keyMaterialOffset) { if (phdr->keyblock[i].keyMaterialOffset != temp_phdr.keyblock[i].keyMaterialOffset) {
log_err(ctx, _("Keyslot %i: offset repaired (%u -> %u).\n"), i, log_err(ctx, _("Keyslot %i: offset repaired (%u -> %u).\n"), i,
...@@ -345,20 +356,17 @@ static int _keyslot_repair(const char *device, struct luks_phdr *phdr, struct cr ...@@ -345,20 +356,17 @@ static int _keyslot_repair(const char *device, struct luks_phdr *phdr, struct cr
bad = 1; bad = 1;
} }
/* if enabled, do not try to wipe salt */ /* Known case - MSDOS partition table signature */
if (phdr->keyblock[i].active != LUKS_KEY_ENABLED) { if (i == 6 && sector[0x1fe] == 0x55 && sector[0x1ff] == 0xaa) {
/* Known case - MSDOS partition table signature */ log_err(ctx, _("Keyslot %i: bogus partition signature.\n"), i);
if (i == 6 && sector[0x1fe] == 0x55 && sector[0x1ff] == 0xaa) { bad = 1;
log_err(ctx, _("Keyslot %i: bogus partition signature.\n"), i); }
bad = 1;
} if(bad) {
log_err(ctx, _("Keyslot %i: salt wiped.\n"), i);
if(bad) { phdr->keyblock[i].active = LUKS_KEY_DISABLED;
log_err(ctx, _("Keyslot %i: salt wiped.\n"), i); memset(&phdr->keyblock[i].passwordSalt, 0x00, LUKS_SALTSIZE);
phdr->keyblock[i].active = LUKS_KEY_DISABLED; phdr->keyblock[i].passwordIterations = 0;
memset(&phdr->keyblock[i].passwordSalt, 0x00, LUKS_SALTSIZE);
phdr->keyblock[i].passwordIterations = 0;
}
} }
if (bad) if (bad)
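Review bot: In the first hunk (LUKS_check_keyslot_size) the new bound is still evaluated in bytes, as `keyMaterialOffset * SECTOR_SIZE < sizeof(*phdr)`, on a value read from the on-disk header. If that field is a 32-bit unsigned (its declaration is not visible here, though the `%u` format suggests it), the product can wrap for large offsets and the comparison then runs on a truncated value. Comparing in sectors removes the multiplication and matches the form the second hunk already uses for its alignment test: `if (phdr->keyblock[keyIndex].keyMaterialOffset < (sizeof(*phdr) + SECTOR_SIZE - 1) / SECTOR_SIZE) {`. The body of LUKS_check_keyslot_size continues outside the hunk, so any later size arithmetic on the same field is worth checking the same way.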
......