{"all", 'a', 0, N_("Mount all."), 0, 0},
{"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
{"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING},
+ {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
+ {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
+ {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT},
{0, 0, 0, 0, 0, 0}
};
static int check_boot, have_it;
static char *search_uuid;
static grub_file_t hdr;
+static grub_uint8_t *keyfile_buffer;
+static grub_size_t keyfile_size;
static void
cryptodisk_close (grub_cryptodisk_t dev)
if (!dev)
continue;
- err = cr->recover_key (source, dev, hdr);
+ err = cr->recover_key (source, dev, hdr, keyfile_buffer, keyfile_size);
if (err)
{
cryptodisk_close (dev);
hdr = NULL;
have_it = 0;
+ keyfile_buffer = NULL;
+ keyfile_size = 0;
+
+ if (state[4].set) /* Key file; fails back to passphrase entry */
+ {
+ grub_file_t keyfile;
+ int keyfile_offset;
+ grub_size_t requested_keyfile_size;
+
+ requested_keyfile_size = state[6].set ? grub_strtoul(state[6].arg, 0, 0) : 0;
+
+ if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
+ grub_printf (N_("Key file size exceeds maximum (%llu)\n"), \
+ (unsigned long long) GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
+ else
+ {
+ keyfile_offset = state[5].set ? grub_strtoul (state[5].arg, 0, 0) : 0;
+ keyfile_size = requested_keyfile_size ? requested_keyfile_size : \
+ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE;
+
+ keyfile = grub_file_open (state[4].arg);
+ if (!keyfile)
+ {
+ grub_printf (N_("Unable to open key file %s\n"), state[4].arg);
+ goto keyfile_fail;
+ }
+ keyfile_buffer = grub_malloc(GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
+ if (!keyfile_buffer)
+ {
+ grub_printf (N_("keyfile memory allocation failed for %s\n"), state[4].arg);
+ goto keyfile_fail;
+ }
+ if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
+ {
+ grub_printf (N_("Unable to seek to offset %d in key file %s\n"),
+ keyfile_offset,
+ state[4].arg);
+ goto keyfile_fail;
+ }
+ keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size);
+ if (keyfile_size == (grub_size_t)-1)
+ {
+ grub_printf (N_("Error reading key file %s\n"), state[4].arg);
+ goto keyfile_fail;
+ }
+ if (requested_keyfile_size && (keyfile_size != requested_keyfile_size))
+ {
+ grub_printf (N_("Cannot read %llu bytes for key file %s (read %llu bytes)\n"),
+ (unsigned long long) requested_keyfile_size,
+ state[4].arg,
+ (unsigned long long) keyfile_size);
+ goto keyfile_fail;
+ }
+ goto keyfile_success;
+ }
+ }
+ keyfile_fail:
+ if (keyfile_buffer)
+ {
+ grub_free (keyfile_buffer);
+ keyfile_buffer = NULL;
+ }
+ keyfile_success:
+ if (keyfile)
+ grub_file_close (keyfile);
+
if (state[0].set)
{
grub_cryptodisk_t dev;
static grub_err_t
luks_recover_key (grub_disk_t source,
grub_cryptodisk_t dev,
- grub_file_t hdr)
+ grub_file_t hdr,
+ grub_uint8_t *keyfile_bytes,
+ grub_size_t keyfile_bytes_size)
{
struct grub_luks_phdr header;
grub_size_t keysize;
grub_uint8_t *split_key = NULL;
- char passphrase[MAX_PASSPHRASE] = "";
+ grub_uint8_t *passphrasei = NULL;
+ grub_size_t passphrase_length;
grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
unsigned i;
grub_size_t length;
char *tmp;
grub_uint32_t sector;
- err = GRUB_ERR_NONE;
-
if (hdr)
{
grub_file_seek (hdr, 0);
goto fail;
}
+ if (keyfile_bytes)
+ {
+ /* Use bytestring from key file as passphrase */
+ passphrase = keyfile_bytes;
+ passphrase_length = keyfile_bytes_size;
+ goto passphrase_got;
+ }
+
/* Get the passphrase from the user. */
tmp = NULL;
if (source->partition)
- tmp = grub_partition_get_name (source->partition);
+ tmp = grub_partition_get_name (source->partition);
grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
- source->partition ? "," : "", tmp ? : "",
- dev->uuid);
+ source->partition ? "," : "", tmp ? : "",
+ dev->uuid);
grub_free (tmp);
+ passphrase = grub_malloc (MAX_PASSPHRASE);
+ if (!passphrase)
+ {
+ err = GRUB_ERR_OUT_OF_MEMORY;
+ err_msg = "Cannot allocate memory for passphrase";
+ goto fail;
+ }
if (!grub_password_get (passphrase, MAX_PASSPHRASE))
{
err = GRUB_ERR_BAD_ARGUMENT;
goto fail;
}
+passphrase_got:
+
/* Try to recover master key from each active keyslot. */
for (i = 0; i < ARRAY_SIZE (header.keyblock); i++)
{
/* Calculate the PBKDF2 of the user supplied passphrase. */
gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
- grub_strlen (passphrase),
+ passphrase_length,
header.keyblock[i].passwordSalt,
sizeof (header.keyblock[i].passwordSalt),
grub_be_to_cpu32 (header.keyblock[i].
}
fail:
+ grub_free (passphrase);
grub_free (split_key);
if(err && err_msg)
grub_error (err, errmsg);
#define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES)
#define GRUB_CRYPTODISK_MAX_KEYLEN 128
+#define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192
+
struct grub_cryptodisk;
typedef gcry_err_code_t
grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid,
int boot_only, grub_file_t hdr);
- grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_file_t hdr);
+ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev,
+ grub_file_t hdr, grub_uint8_t *key, grub_size_t keyfile_size);
};
typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t;