@@ -33,7 +33,6 @@ int luks_get_version(struct udevice *blk, struct disk_partition *pinfo)
ALLOC_CACHE_ALIGN_BUFFER(unsigned char, buffer, desc->blksz);
int version;
-
/* Read first block of the partition */
if (blk_read(blk, pinfo->start, 1, buffer) != 1) {
log_debug("Error: failed to read LUKS header\n");
@@ -114,19 +113,19 @@ int luks_show_info(struct udevice *blk, struct disk_partition *pinfo)
if (IS_ENABLED(CONFIG_JSON)) {
u64 json_size;
char *json_start;
- int blocks;
+ int count;
/* Read the full header to get JSON area */
- blocks = (hdr_size + desc->blksz - 1) / desc->blksz;
- ALLOC_CACHE_ALIGN_BUFFER(unsigned char, full_hdr, blocks * desc->blksz);
+ count = (hdr_size + desc->blksz - 1) / desc->blksz;
+ ALLOC_CACHE_ALIGN_BUFFER(u8, hdr, count * desc->blksz);
- if (blk_read(blk, pinfo->start, blocks, full_hdr) != blocks) {
- printf("Error: failed to read full LUKS2 header\n");
+ if (blk_read(blk, pinfo->start, count, hdr) != count) {
+ printf("Error: can't read full LUKS2 header\n");
return -EIO;
}
/* JSON starts after the 4096-byte binary header */
- json_start = (char *)(full_hdr + 4096);
+ json_start = (char *)(hdr + 4096);
json_size = hdr_size - 4096;
printf("\nJSON metadata (%llx bytes):\n", json_size);
@@ -196,9 +195,9 @@ static int af_hash(struct hash_algo *algo, size_t key_size, u8 *block_buf)
/**
* af_merge() - Merge anti-forensic split key into original key
*
- * This performs the LUKS AF-merge operation to recover the original key from its
- * AF-split representation. The algorithm XORs all stripes together, applying
- * diffusion between each stripe.
+ * This performs the LUKS AF-merge operation to recover the original key from
+ * its AF-split representation. The algorithm XORs all stripes together,
+ * applying diffusion between each stripe.
*
* @src: AF-split key material (key_size * stripes bytes)
* @dst: Output buffer for merged key (key_size bytes)
@@ -248,25 +247,6 @@ int af_merge(const u8 *src, u8 *dst, size_t key_size, uint stripes,
return 0;
}
-/**
- * try_keyslot() - Unlock a LUKS key slot with a passphrase
- *
- * @blk: Block device
- * @pinfo: Partition information
- * @hdr: LUKS header
- * @slot_idx: Key slot index to try
- * @passphrase: Passphrase to try
- * @md_type: Hash algorithm type
- * @key_size: Size of the key
- * @derived_key: Buffer for derived key (key_size bytes)
- * @km: Buffer for encrypted key material
- * @km_blocks: Size of km buffer in blocks
- * @split_key: Buffer for AF-split key
- * @candidate_key: Buffer to receive decrypted master key
- *
- * Return: 0 on success (correct passphrase), -EPROTO on mbedtls error, -ve on
- * other error
- */
/**
* essiv_decrypt() - Decrypt key material using ESSIV mode
*
@@ -282,8 +262,8 @@ int af_merge(const u8 *src, u8 *dst, size_t key_size, uint stripes,
* @km_blocks: Number of blocks of key material
* @blksz: Block size in bytes
*/
-static void essiv_decrypt(u8 *derived_key, uint key_size, u8 *expkey,
- u8 *km, u8 *split_key, uint km_blocks, uint blksz)
+static void essiv_decrypt(u8 *derived_key, uint key_size, u8 *expkey, u8 *km,
+ u8 *split_key, uint km_blocks, uint blksz)
{
u8 essiv_expkey[AES256_EXPAND_KEY_LENGTH];
u8 essiv_key_material[SHA256_SUM_LEN];
@@ -333,14 +313,33 @@ static void essiv_decrypt(u8 *derived_key, uint key_size, u8 *expkey,
}
}
+/**
+ * try_keyslot() - Unlock a LUKS key slot with a passphrase
+ *
+ * @blk: Block device
+ * @pinfo: Partition information
+ * @hdr: LUKS header
+ * @slot_idx: Key slot index to try
+ * @pass: Passphrase to try
+ * @md_type: Hash algorithm type
+ * @key_size: Size of the key
+ * @derived_key: Buffer for derived key (key_size bytes)
+ * @km: Buffer for encrypted key material
+ * @km_blocks: Size of km buffer in blocks
+ * @split_key: Buffer for AF-split key
+ * @candidate_key: Buffer to receive decrypted master key
+ *
+ * Return: 0 on success (correct passphrase), -EPROTO on mbedtls error, -ve on
+ * other error
+ */
static int try_keyslot(struct udevice *blk, struct disk_partition *pinfo,
struct luks1_phdr *hdr, int slot_idx,
- const char *passphrase, mbedtls_md_type_t md_type,
+ const char *pass, mbedtls_md_type_t md_type,
uint key_size, u8 *derived_key, u8 *km, uint km_blocks,
u8 *split_key, u8 *candidate_key)
{
struct luks1_keyslot *slot = &hdr->key_slot[slot_idx];
- uint iterations, km_offset, stripes, split_key_size;
+ uint iters, km_offset, stripes, split_key_size;
struct blk_desc *desc = dev_get_uclass_plat(blk);
u8 expkey[AES256_EXPAND_KEY_LENGTH];
u8 key_digest[LUKS_DIGESTSIZE];
@@ -353,21 +352,20 @@ static int try_keyslot(struct udevice *blk, struct disk_partition *pinfo,
log_debug("trying key slot %d...\n", slot_idx);
- iterations = be32_to_cpu(slot->iterations);
+ iters = be32_to_cpu(slot->iterations);
km_offset = be32_to_cpu(slot->key_material_offset);
stripes = be32_to_cpu(slot->stripes);
split_key_size = key_size * stripes;
/* Derive key from passphrase using PBKDF2 */
- log_debug("PBKDF2(pass '%s'[len %zu], ", passphrase,
- strlen(passphrase));
+ log_debug("PBKDF2(pass '%s'[len %zu], ", pass, strlen(pass));
log_debug_hex("salt[0-7]", (u8 *)slot->salt, 8);
- log_debug("iter %u, keylen %u)\n", iterations, key_size);
- ret = mbedtls_pkcs5_pbkdf2_hmac_ext(md_type, (const u8 *)passphrase,
- strlen(passphrase),
+ log_debug("iter %u, keylen %u)\n", iters, key_size);
+ ret = mbedtls_pkcs5_pbkdf2_hmac_ext(md_type, (const u8 *)pass,
+ strlen(pass),
(const u8 *)slot->salt,
- LUKS_SALTSIZE, iterations,
- key_size, derived_key);
+ LUKS_SALTSIZE, iters, key_size,
+ derived_key);
if (ret) {
log_debug("PBKDF2 failed: %d\n", ret);
return -EPROTO;
@@ -389,7 +387,6 @@ static int try_keyslot(struct udevice *blk, struct disk_partition *pinfo,
log_debug_hex("input key (derived_key) full:", derived_key, key_size);
aes_expand_key(derived_key, key_size * 8, expkey);
-
log_debug_hex("expanded key [0-15]:", expkey, 16);
/* Decrypt with CBC mode: first check if ESSIV is used */
@@ -433,7 +430,7 @@ static int try_keyslot(struct udevice *blk, struct disk_partition *pinfo,
log_debug_hex("mk_digest[0-7]", (u8 *)hdr->mk_digest, 8);
/* Check if the digest matches */
- if (memcmp(key_digest, hdr->mk_digest, LUKS_DIGESTSIZE) == 0) {
+ if (!memcmp(key_digest, hdr->mk_digest, LUKS_DIGESTSIZE)) {
log_debug("Uunlocked with key slot %d\n", slot_idx);
return 0;
}
@@ -443,20 +440,18 @@ static int try_keyslot(struct udevice *blk, struct disk_partition *pinfo,
}
int luks_unlock(struct udevice *blk, struct disk_partition *pinfo,
- const char *passphrase, u8 *master_key, u32 *key_size)
+ const char *pass, u8 *master_key, u32 *key_size)
{
uint version, split_key_size, km_blocks, hdr_blocks;
+ u8 *split_key, *derived_key;
struct hash_algo *hash_algo;
+ u8 candidate_key[128], *km;
mbedtls_md_type_t md_type;
struct luks1_phdr *hdr;
struct blk_desc *desc;
- u8 candidate_key[128];
- u8 *split_key = NULL;
- u8 *derived_key = NULL;
- u8 *km = NULL;
- int i, ret = -EINVAL;
+ int i, ret;
- if (!blk || !pinfo || !passphrase || !master_key || !key_size)
+ if (!blk || !pinfo || !pass || !master_key || !key_size)
return -EINVAL;
desc = dev_get_uclass_plat(blk);
@@ -482,14 +477,15 @@ int luks_unlock(struct udevice *blk, struct disk_partition *pinfo,
version = be16_to_cpu(*(__be16 *)(buffer + LUKS_MAGIC_LEN));
if (version != LUKS_VERSION_1) {
- log_debug("only LUKS1 decryption is currently supported\n");
+ log_debug("unsupported LUKS version %d\n", version);
return -ENOTSUPP;
}
hdr = (struct luks1_phdr *)buffer;
/* Debug: show what we read from header */
- log_debug("Read header at sector %llu, mk_digest[0-7] ", (unsigned long long)pinfo->start);
+ log_debug("Read header at sector %llu, mk_digest[0-7] ",
+ (unsigned long long)pinfo->start);
log_debug_hex("", (u8 *)hdr->mk_digest, 8);
/* Verify cipher mode - only CBC supported */
@@ -518,7 +514,7 @@ int luks_unlock(struct udevice *blk, struct disk_partition *pinfo,
break;
}
}
- if (stripes == 0) {
+ if (!stripes) {
log_debug("no active key slots found\n");
return -ENOENT;
}
@@ -541,7 +537,7 @@ int luks_unlock(struct udevice *blk, struct disk_partition *pinfo,
/* Try each key slot */
for (i = 0; i < LUKS_NUMKEYS; i++) {
- ret = try_keyslot(blk, pinfo, hdr, i, passphrase, md_type,
+ ret = try_keyslot(blk, pinfo, hdr, i, pass, md_type,
*key_size, derived_key, km, km_blocks,
split_key, candidate_key);
@@ -586,12 +582,12 @@ out:
* @master_key: Unlocked master key
* @key_size: Size of the master key in bytes
* @label: Label for the blkmap device
- * @blkmap_dev: Output pointer for created blkmap device
+ * @blkmapp: Output pointer for created blkmap device
* Return: 0 on success, -ve on error
*/
int luks_create_blkmap(struct udevice *blk, struct disk_partition *pinfo,
const u8 *master_key, u32 key_size, const char *label,
- struct udevice **blkmap_dev)
+ struct udevice **blkmapp)
{
u8 essiv_key[SHA256_SUM_LEN]; /* SHA-256 output */
struct luks1_phdr *hdr;
@@ -601,7 +597,7 @@ int luks_create_blkmap(struct udevice *blk, struct disk_partition *pinfo,
bool use_essiv;
int ret;
- if (!blk || !pinfo || !master_key || !label || !blkmap_dev)
+ if (!blk || !pinfo || !master_key || !label || !blkmapp)
return -EINVAL;
desc = dev_get_uclass_plat(blk);
@@ -651,7 +647,7 @@ int luks_create_blkmap(struct udevice *blk, struct disk_partition *pinfo,
/* Wipe ESSIV key from stack */
if (use_essiv)
memset(essiv_key, '\0', sizeof(essiv_key));
- *blkmap_dev = dev;
+ *blkmapp = dev;
return 0;
}
@@ -145,13 +145,13 @@ int luks_show_info(struct udevice *blk, struct disk_partition *pinfo);
*
* @blk: Block device
* @pinfo: Partition information
- * @passphrase: Passphrase to unlock the partition
+ * @pass: Passphrase to unlock the partition
* @master_key: Buffer to receive the decrypted master key
* @key_size: Size of the master_key buffer
* Return: 0 on success, -ve on error
*/
int luks_unlock(struct udevice *blk, struct disk_partition *pinfo,
- const char *passphrase, u8 *master_key, u32 *key_size);
+ const char *pass, u8 *master_key, u32 *key_size);
/**
* luks_create_blkmap() - Create a blkmap device for a LUKS partition