From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from list by lists.gnu.org with archive (Exim 4.90_1) id 1iWcfK-0003bf-HE for mharc-grub-devel@gnu.org; Mon, 18 Nov 2019 03:45:46 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:52471) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1iWcfE-0003Tp-Od for grub-devel@gnu.org; Mon, 18 Nov 2019 03:45:44 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1iWcfB-0001G1-HW for grub-devel@gnu.org; Mon, 18 Nov 2019 03:45:40 -0500 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:38457) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1iWcfB-0001En-8X for grub-devel@gnu.org; Mon, 18 Nov 2019 03:45:37 -0500 Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 210C721C28; Mon, 18 Nov 2019 03:45:35 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute1.internal (MEProxy); Mon, 18 Nov 2019 03:45:35 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pks.im; h=from :to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; s=fm2; bh=vIYJmxKdSthYO 7Bn/GR+izkoAs/AskR/1LGyqdXZu9E=; b=FOeGDcNN3m1B/Yp56Srvh/Zx0pKe6 a7hE2wwYxL/DOm6mUQll2cRERKq2DbrBZ7pMjdoC1epdhVBOtRCFeI41PCbfodv6 vqTsjtzJnIKFAIxhcKo+CDiZ42aeYa745LV/vqXHxcD4VDZEFkQYGzBgSWdOevdl eLRkyvy/52gySE2Iqr0uJkXm52LIp12surPKAwNRHOFTyQw7I7AbJYEtxkY0i9d0 Aa+LJKEYTylyugOQNl0Jra7zpXbnB3thvK7yhm5LeivAR+da3LKcxoKGN9Ipnu/a WZ70VNHy8+c/JIml4bA62/qeLmk9WLaCpmEeQ4cAjqNjEhWuc8jOwk/8g== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:date:from :in-reply-to:message-id:mime-version:references:subject:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm1; bh=vIYJmxKdSthYO7Bn/GR+izkoAs/AskR/1LGyqdXZu9E=; b=T/C9u3tB wA9stfm4xE4Q8erBJ+f2en+407ZQ+A8WMe5sCnYNTa7c7MQNhL90fw2raiAF3gs1 LbvWCEPsMN2L4US99MRB8VXVasC0HlV6Xk8rYk8VASaSyC7MU9XNcXVpItwms5TS VzRCOCMw0VgFtf96jq6+o2+dvIshi7tBU7h2fpA+lcFGyLFmqGStVHFHUPt5sMT8 jBrkajXfFxgMl1YoojVkr2dH8fX1dh2Yuo2sJGE5C7SAEJPDyFLewj+iTpRFuWnr PPD83L4VD2OB37k7sSWZZPB61Aat/CgDCiaGul5ug5riymf9tSd2ysCgWG7eDkaF DZ7xCnWldMRROQ== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedufedrudeggedguddvgecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefhvffufffkofgjfhgggfestdekredtredttdenucfhrhhomheprfgrthhr ihgtkhcuufhtvghinhhhrghrughtuceophhssehpkhhsrdhimheqnecuffhomhgrihhnpe hgihhthhhusgdrtghomhenucfkphepkeelrddugedrvddvledrudekudenucfrrghrrghm pehmrghilhhfrhhomhepphhssehpkhhsrdhimhenucevlhhushhtvghrufhiiigvpedt X-ME-Proxy:

Received: from NSJAIL (x590ee5b5.dyn.telefonica.de [89.14.229.181]) by mail.messagingengine.com (Postfix) with ESMTPA id D4E5E3060057; Mon, 18 Nov 2019 03:45:33 -0500 (EST) Received: from localhost ( [10.192.0.11]) by NSJAIL (OpenSMTPD) with ESMTPSA id 2b11cb95 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Mon, 18 Nov 2019 08:45:31 +0000 (UTC) From: Patrick Steinhardt To: grub-devel@gnu.org Cc: Patrick Steinhardt , Max Tottenham , Daniel Kiper Subject: [PATCH v4 0/6] Support for LUKS2 disk encryption Date: Mon, 18 Nov 2019 09:45:11 +0100 Message-Id: X-Mailer: git-send-email 2.24.0 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 66.111.4.28 X-BeenThere: grub-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: The development of GNU GRUB List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Nov 2019 08:45:45 -0000 Hi, another week, another new version of this patch series. Changes to v3 include the following: - Renamed `err` variables to `ret`. - Fixed formatting of multiline comments. - Aligned struct members. - Moved some defines around. - Added EXPORT_FUNC() to the JSON interface. All in all it's mostly cosmetical changes to better match GRUB's coding style. I've attached the range-diff against v3 to this mail. Patrick Patrick Steinhardt (6): json: Import upstream jsmn-1.1.0 json: Implement wrapping interface bootstrap: Add gnulib's base64 module afsplitter: Move into its own module luks: Move configuration of ciphers into cryptodisk disk: Implement support for LUKS2 Makefile.util.def | 4 +- bootstrap.conf | 3 +- conf/Makefile.extra-dist | 1 + docs/grub-dev.texi | 14 + docs/grub.texi | 5 +- grub-core/Makefile.core.def | 19 +- grub-core/disk/AFSplitter.c | 3 + grub-core/disk/cryptodisk.c | 163 ++++- grub-core/disk/luks.c | 190 +---- grub-core/disk/luks2.c | 674 ++++++++++++++++++ grub-core/lib/gnulib-patches/fix-base64.patch | 23 + grub-core/lib/json/jsmn.h | 468 ++++++++++++ grub-core/lib/json/json.c | 240 +++++++ grub-core/lib/json/json.h | 103 +++ include/grub/cryptodisk.h | 3 + 15 files changed, 1733 insertions(+), 180 deletions(-) create mode 100644 grub-core/disk/luks2.c create mode 100644 grub-core/lib/gnulib-patches/fix-base64.patch create mode 100644 grub-core/lib/json/jsmn.h create mode 100644 grub-core/lib/json/json.c create mode 100644 grub-core/lib/json/json.h Range-diff against v3: 1: 7bd619827 ! 1: 2469e96f9 json: Import upstream jsmn-1.1.0 @@ Commit message [1]: https://github.com/zserge/jsmn Signed-off-by: Patrick Steinhardt + Reviewed-by: Daniel Kiper ## docs/grub-dev.texi ## @@ docs/grub-dev.texi: to update it. 2: 680b5add5 ! 2: 126fd8408 json: Implement wrapping interface @@ grub-core/lib/json/json.c +{ + grub_json_t *json = NULL; + jsmn_parser parser; -+ grub_err_t err; ++ grub_err_t ret = GRUB_ERR_NONE; + int jsmn_err; + ++ if (!string) ++ return GRUB_ERR_BAD_ARGUMENT; ++ + json = grub_zalloc (sizeof (*json)); + if (!json) + return GRUB_ERR_OUT_OF_MEMORY; -+ json->idx = 0; + json->string = string; -+ if (!json->string) -+ { -+ err = GRUB_ERR_OUT_OF_MEMORY; -+ goto out; -+ } + ++ /* ++ * Parse the string twice: first to determine how many tokens ++ * we need to allocate, second to fill allocated tokens. ++ */ + jsmn_init(&parser); + jsmn_err = jsmn_parse (&parser, string, string_len, NULL, 0); + if (jsmn_err <= 0) + { -+ err = GRUB_ERR_BAD_ARGUMENT; -+ goto out; ++ ret = GRUB_ERR_BAD_ARGUMENT; ++ goto err; + } + + json->tokens = grub_malloc (sizeof (jsmntok_t) * jsmn_err); + if (!json->tokens) + { -+ err = GRUB_ERR_OUT_OF_MEMORY; -+ goto out; ++ ret = GRUB_ERR_OUT_OF_MEMORY; ++ goto err; + } + -+ jsmn_init(&parser); ++ jsmn_init (&parser); + jsmn_err = jsmn_parse (&parser, string, string_len, json->tokens, jsmn_err); + if (jsmn_err <= 0) + { -+ err = GRUB_ERR_BAD_ARGUMENT; -+ goto out; ++ ret = GRUB_ERR_BAD_ARGUMENT; ++ goto err; + } + -+ err = GRUB_ERR_NONE; + *out = json; -+out: -+ if (err && json) ++ ++ err: ++ if (ret && json) + { + grub_free (json->string); + grub_free (json->tokens); + grub_free (json); + } -+ return err; ++ return ret; +} + +void @@ grub-core/lib/json/json.c +grub_json_getsize (const grub_json_t *json) +{ + jsmntok_t *p = &((jsmntok_t *)json->tokens)[json->idx]; ++ + return p->size; +} + @@ grub-core/lib/json/json.c +grub_json_gettype (const grub_json_t *json) +{ + jsmntok_t *p = &((jsmntok_t *)json->tokens)[json->idx]; ++ + switch (p->type) + { + case JSMN_OBJECT: @@ grub-core/lib/json/json.c + default: + break; + } ++ + return GRUB_JSON_UNDEFINED; +} + @@ grub-core/lib/json/json.c + jsmntok_t *p = &((jsmntok_t *)parent->tokens)[parent->idx]; + grub_size_t offset = 1; + -+ if (n >= (unsigned) p->size) ++ if (n >= (grub_size_t) p->size) + return GRUB_ERR_BAD_ARGUMENT; + + while (n--) @@ grub-core/lib/json/json.c +{ + const grub_json_t *p = parent; + grub_json_t child; ++ grub_err_t ret; + jsmntok_t *tok; + + if (key) + { -+ grub_err_t err = grub_json_getvalue (&child, parent, key); -+ if (err) -+ return err; ++ ret = grub_json_getvalue (&child, parent, key); ++ if (ret) ++ return ret; + p = &child; + } + @@ grub-core/lib/json/json.c +{ + grub_json_type_t type; + const char *value; -+ grub_err_t err; ++ grub_err_t ret; + -+ err = get_value(&type, &value, parent, key); -+ if (err) -+ return err; ++ ret = get_value(&type, &value, parent, key); ++ if (ret) ++ return ret; + if (type != GRUB_JSON_STRING) + return GRUB_ERR_BAD_ARGUMENT; + @@ grub-core/lib/json/json.c +{ + grub_json_type_t type; + const char *value; -+ grub_err_t err; ++ grub_err_t ret; + -+ err = get_value(&type, &value, parent, key); -+ if (err) -+ return err; ++ ret = get_value(&type, &value, parent, key); ++ if (ret) ++ return ret; + if (type != GRUB_JSON_STRING && type != GRUB_JSON_PRIMITIVE) + return GRUB_ERR_BAD_ARGUMENT; + @@ grub-core/lib/json/json.c +{ + grub_json_type_t type; + const char *value; -+ grub_err_t err; ++ grub_err_t ret; + -+ err = get_value(&type, &value, parent, key); -+ if (err) -+ return err; ++ ret = get_value(&type, &value, parent, key); ++ if (ret) ++ return ret; + if (type != GRUB_JSON_STRING && type != GRUB_JSON_PRIMITIVE) + return GRUB_ERR_BAD_ARGUMENT; + @@ grub-core/lib/json/json.h (new) +}; +typedef struct grub_json grub_json_t; + -+/* Parse a JSON-encoded string. Note that the string passed to ++/* ++ * Parse a JSON-encoded string. Note that the string passed to + * this function will get modified on subsequent calls to -+ * `grub_json_get*`. Returns the root object of the parsed JSON -+ * object, which needs to be free'd via `grub_json_free`. ++ * grub_json_get*(). Returns the root object of the parsed JSON ++ * object, which needs to be free'd via grub_json_free(). + */ -+grub_err_t -+grub_json_parse (grub_json_t **out, char *string, grub_size_t string_len); ++extern grub_err_t EXPORT_FUNC(grub_json_parse) (grub_json_t **out, ++ char *string, ++ grub_size_t string_len); + -+/* Free the structure and its contents. The string passed to -+ * `grub_json_parse` will not be free'd. ++/* ++ * Free the structure and its contents. The string passed to ++ * grub_json_parse() will not be free'd. + */ -+void -+grub_json_free (grub_json_t *json); ++extern void EXPORT_FUNC(grub_json_free) (grub_json_t *json); + -+/* Get the child count of the given JSON token. Children are -+ * present for arrays, objects (dicts) and keys of a dict. */ -+grub_size_t -+grub_json_getsize (const grub_json_t *json); ++/* ++ * Get the child count of the given JSON token. Children are ++ * present for arrays, objects (dicts) and keys of a dict. ++ */ ++extern grub_size_t EXPORT_FUNC(grub_json_getsize) (const grub_json_t *json); + +/* Get the type of the given JSON token. */ -+grub_json_type_t -+grub_json_gettype (const grub_json_t *json); ++extern grub_json_type_t EXPORT_FUNC(grub_json_gettype) (const grub_json_t *json); + -+/* Get n'th child of object, array or key. Will return an error if no -+ * such child exists. The result does not need to be free'd. */ -+grub_err_t -+grub_json_getchild (grub_json_t *out, const grub_json_t *parent, grub_size_t n); ++/* ++ * Get n'th child of object, array or key. Will return an error if no ++ * such child exists. The result does not need to be free'd. ++ */ ++extern grub_err_t EXPORT_FUNC(grub_json_getchild) (grub_json_t *out, ++ const grub_json_t *parent, ++ grub_size_t n); + -+/* Get value of key from a JSON object. The result does not need -+ * to be free'd. */ -+grub_err_t -+grub_json_getvalue (grub_json_t *out, const grub_json_t *parent, const char *key); ++/* ++ * Get value of key from a JSON object. The result does not need ++ * to be free'd. ++ */ ++extern grub_err_t EXPORT_FUNC(grub_json_getvalue) (grub_json_t *out, ++ const grub_json_t *parent, ++ const char *key); + +/* Get the string representation of a JSON object. */ -+grub_err_t -+grub_json_getstring (const char **out, const grub_json_t *parent, const char *key); ++extern grub_err_t EXPORT_FUNC(grub_json_getstring) (const char **out, ++ const grub_json_t *parent, ++ const char *key); + +/* Get the uint64 representation of a JSON object. */ -+grub_err_t -+grub_json_getuint64 (grub_uint64_t *out, const grub_json_t *parent, const char *key); ++extern grub_err_t EXPORT_FUNC(grub_json_getuint64) (grub_uint64_t *out, ++ const grub_json_t *parent, ++ const char *key); + +/* Get the int64 representation of a JSON object. */ -+grub_err_t -+grub_json_getint64 (grub_int64_t *out, const grub_json_t *parent, const char *key); ++extern grub_err_t EXPORT_FUNC(grub_json_getint64) (grub_int64_t *out, ++ const grub_json_t *parent, ++ const char *key); + +#endif 3: 461696fe7 = 3: e29ef98a2 bootstrap: Add gnulib's base64 module 4: 18cfacbe5 = 4: f95f7b1c2 afsplitter: Move into its own module 5: 1a185b6d8 = 5: 5a3bb8742 luks: Move configuration of ciphers into cryptodisk 6: 9d88fcbab ! 6: 9c21363ee disk: Implement support for LUKS2 @@ docs/grub.texi: is requested interactively. Option @var{device} configures speci devices; option @option{-b} configures all geli containers that have boot flag set. -GRUB suports devices encrypted using LUKS and geli. Note that necessary modules (@var{luks} and @var{geli}) have to be loaded manually before this command can -+GRUB suports devices encrypted using LUKS and geli. Note that necessary modules (@var{luks}, @var{luks2} and @var{geli}) have to be loaded manually before this command can - be used. +-be used. ++GRUB suports devices encrypted using LUKS, LUKS2 and geli. Note that necessary ++modules (@var{luks}, @var{luks2} and @var{geli}) have to be loaded manually ++before this command can be used. @end deffn + ## grub-core/Makefile.core.def ## @@ grub-core/Makefile.core.def: module = { @@ grub-core/disk/luks2.c (new) +#include +#include + -+#define MAX_PASSPHRASE 256 -+ +GRUB_MOD_LICENSE ("GPLv3+"); + -+gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, grub_uint8_t * src, -+ grub_uint8_t * dst, grub_size_t blocksize, -+ grub_size_t blocknumbers); ++#define LUKS_MAGIC_1ST "LUKS\xBA\xBE" ++#define LUKS_MAGIC_2ND "SKUL\xBA\xBE" ++#define MAX_PASSPHRASE 256 + +enum grub_luks2_kdf_type +{ @@ grub-core/disk/luks2.c (new) +/* On disk LUKS header */ +struct grub_luks2_header +{ -+ char magic[6]; -+#define LUKS_MAGIC_1ST "LUKS\xBA\xBE" -+#define LUKS_MAGIC_2ND "SKUL\xBA\xBE" ++ char magic[6]; + grub_uint16_t version; + grub_uint64_t hdr_size; + grub_uint64_t seqid; -+ char label[48]; -+ char csum_alg[32]; -+ grub_uint8_t salt[64]; -+ char uuid[40]; -+ char subsystem[48]; -+ grub_uint64_t hdr_offset; -+ char _padding[184]; -+ grub_uint8_t csum[64]; -+ char _padding4096[7*512]; ++ char label[48]; ++ char csum_alg[32]; ++ grub_uint8_t salt[64]; ++ char uuid[40]; ++ char subsystem[48]; ++ grub_uint64_t hdr_offset; ++ char _padding[184]; ++ grub_uint8_t csum[64]; ++ char _padding4096[7*512]; +} GRUB_PACKED; +typedef struct grub_luks2_header grub_luks2_header_t; + @@ grub-core/disk/luks2.c (new) + grub_int64_t priority; + struct + { -+ const char *encryption; ++ const char *encryption; + grub_uint64_t offset; + grub_uint64_t size; -+ grub_int64_t key_size; ++ grub_int64_t key_size; + } area; + struct + { -+ const char *hash; ++ const char *hash; + grub_int64_t stripes; + } af; + struct + { + grub_luks2_kdf_type_t type; -+ const char *salt; ++ const char *salt; + union + { + struct @@ grub-core/disk/luks2.c (new) + } argon2i; + struct + { -+ const char *hash; ++ const char *hash; + grub_int64_t iterations; + } pbkdf2; + } u; @@ grub-core/disk/luks2.c (new) +struct grub_luks2_segment +{ + grub_uint64_t offset; -+ const char *size; -+ const char *encryption; -+ grub_int64_t sector_size; ++ const char *size; ++ const char *encryption; ++ grub_int64_t sector_size; +}; +typedef struct grub_luks2_segment grub_luks2_segment_t; + +struct grub_luks2_digest +{ + /* Both keyslots and segments are interpreted as bitfields here */ -+ grub_uint64_t keyslots; -+ grub_uint64_t segments; -+ const char *salt; -+ const char *digest; -+ const char *hash; -+ grub_int64_t iterations; ++ grub_uint64_t keyslots; ++ grub_uint64_t segments; ++ const char *salt; ++ const char *digest; ++ const char *hash; ++ grub_int64_t iterations; +}; +typedef struct grub_luks2_digest grub_luks2_digest_t; + ++gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, grub_uint8_t * src, ++ grub_uint8_t * dst, grub_size_t blocksize, ++ grub_size_t blocknumbers); ++ +static grub_err_t +luks2_parse_keyslot (grub_luks2_keyslot_t *out, const grub_json_t *keyslot) +{ @@ grub-core/disk/luks2.c (new) +luks2_read_header (grub_disk_t disk, grub_luks2_header_t *outhdr) +{ + grub_luks2_header_t primary, secondary, *header = &primary; -+ grub_err_t err; ++ grub_err_t ret; + + /* Read the primary LUKS header. */ -+ err = grub_disk_read (disk, 0, 0, sizeof (primary), &primary); -+ if (err) -+ return err; ++ ret = grub_disk_read (disk, 0, 0, sizeof (primary), &primary); ++ if (ret) ++ return ret; + + /* Look for LUKS magic sequence. */ -+ if (grub_memcmp (primary.magic, LUKS_MAGIC_1ST, sizeof (primary.magic)) -+ || grub_be_to_cpu16 (primary.version) != 2) ++ if (grub_memcmp (primary.magic, LUKS_MAGIC_1ST, sizeof (primary.magic)) || ++ grub_be_to_cpu16 (primary.version) != 2) + return GRUB_ERR_BAD_SIGNATURE; + + /* Read the secondary header. */ -+ err = grub_disk_read (disk, 0, grub_be_to_cpu64 (primary.hdr_size), sizeof (secondary), &secondary); -+ if (err) -+ return err; ++ ret = grub_disk_read (disk, 0, grub_be_to_cpu64 (primary.hdr_size), sizeof (secondary), &secondary); ++ if (ret) ++ return ret; + + /* Look for LUKS magic sequence. */ -+ if (grub_memcmp (secondary.magic, LUKS_MAGIC_2ND, sizeof (secondary.magic)) -+ || grub_be_to_cpu16 (secondary.version) != 2) ++ if (grub_memcmp (secondary.magic, LUKS_MAGIC_2ND, sizeof (secondary.magic)) || ++ grub_be_to_cpu16 (secondary.version) != 2) + return GRUB_ERR_BAD_SIGNATURE; + + if (grub_be_to_cpu64 (primary.seqid) < grub_be_to_cpu64 (secondary.seqid)) @@ grub-core/disk/luks2.c (new) +{ + grub_cryptodisk_t cryptodisk; + grub_luks2_header_t header; -+ grub_err_t err; + + if (check_boot) + return NULL; + -+ err = luks2_read_header (disk, &header); -+ if (err) ++ if (luks2_read_header (disk, &header)) + { + grub_errno = GRUB_ERR_NONE; + return NULL; @@ grub-core/disk/luks2.c (new) + cryptodisk = grub_zalloc (sizeof (*cryptodisk)); + if (!cryptodisk) + return NULL; ++ + COMPILE_TIME_ASSERT (sizeof (cryptodisk->uuid) >= sizeof (header.uuid)); ++ + grub_memcpy (cryptodisk->uuid, header.uuid, sizeof (header.uuid)); + cryptodisk->modname = "luks2"; + return cryptodisk; @@ grub-core/disk/luks2.c (new) + grub_uint8_t digest[GRUB_CRYPTODISK_MAX_KEYLEN], salt[GRUB_CRYPTODISK_MAX_KEYLEN]; + grub_size_t saltlen = sizeof (salt), digestlen = sizeof (digest); + const gcry_md_spec_t *hash; -+ gcry_err_code_t gcry_err; ++ gcry_err_code_t gcry_ret; + -+ /* Decdoe both digest and salt */ ++ /* Decode both digest and salt */ + if (!base64_decode(d->digest, grub_strlen (d->digest), (char *)digest, &digestlen)) -+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid digest"); ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid digest"); + if (!base64_decode(d->salt, grub_strlen (d->salt), (char *)salt, &saltlen)) -+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid digest salt"); ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid digest salt"); + + /* Configure the hash used for the digest. */ + hash = grub_crypto_lookup_md_by_name (d->hash); + if (!hash) -+ return grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash", d->hash); ++ return grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash", d->hash); + + /* Calculate the candidate key's digest */ -+ gcry_err = grub_crypto_pbkdf2 (hash, ++ gcry_ret = grub_crypto_pbkdf2 (hash, + candidate_key, candidate_key_len, + salt, saltlen, + d->iterations, + candidate_digest, digestlen); -+ if (gcry_err) -+ return grub_crypto_gcry_error (gcry_err); ++ if (gcry_ret) ++ return grub_crypto_gcry_error (gcry_ret); + + if (grub_memcmp (candidate_digest, digest, digestlen) != 0) -+ return grub_error (GRUB_ERR_ACCESS_DENIED, "Mismatching digests"); ++ return grub_error (GRUB_ERR_ACCESS_DENIED, "Mismatching digests"); + + return GRUB_ERR_NONE; +} @@ grub-core/disk/luks2.c (new) + grub_size_t saltlen = sizeof (salt); + char cipher[32], *p;; + const gcry_md_spec_t *hash; -+ gcry_err_code_t gcry_err; -+ grub_err_t err; ++ gcry_err_code_t gcry_ret; ++ grub_err_t ret; + + if (!base64_decode(k->kdf.salt, grub_strlen (k->kdf.salt), + (char *)salt, &saltlen)) + { -+ err = grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid keyslot salt"); ++ ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid keyslot salt"); + goto err; + } + @@ grub-core/disk/luks2.c (new) + switch (k->kdf.type) + { + case LUKS2_KDF_TYPE_ARGON2I: -+ err = grub_error (GRUB_ERR_BAD_ARGUMENT, "Argon2 not supported"); ++ ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Argon2 not supported"); + goto err; + case LUKS2_KDF_TYPE_PBKDF2: + hash = grub_crypto_lookup_md_by_name (k->kdf.u.pbkdf2.hash); + if (!hash) + { -+ err = grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash", ++ ret = grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash", + k->kdf.u.pbkdf2.hash); + goto err; + } + -+ gcry_err = grub_crypto_pbkdf2 (hash, (grub_uint8_t *) passphrase, ++ gcry_ret = grub_crypto_pbkdf2 (hash, (grub_uint8_t *) passphrase, + passphraselen, + salt, saltlen, + k->kdf.u.pbkdf2.iterations, + area_key, k->area.key_size); -+ if (gcry_err) ++ if (gcry_ret) + { -+ err = grub_crypto_gcry_error (gcry_err); ++ ret = grub_crypto_gcry_error (gcry_ret); + goto err; + } + @@ grub-core/disk/luks2.c (new) + return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid encryption"); + *p = '\0'; + -+ err = grub_cryptodisk_setcipher (crypt, cipher, p + 1); -+ if (err) -+ return err; ++ ret = grub_cryptodisk_setcipher (crypt, cipher, p + 1); ++ if (ret) ++ return ret; + -+ gcry_err = grub_cryptodisk_setkey (crypt, area_key, k->area.key_size); -+ if (gcry_err) ++ gcry_ret = grub_cryptodisk_setkey (crypt, area_key, k->area.key_size); ++ if (gcry_ret) + { -+ err = grub_crypto_gcry_error (gcry_err); ++ ret = grub_crypto_gcry_error (gcry_ret); + goto err; + } + @@ grub-core/disk/luks2.c (new) + split_key = grub_malloc (k->area.size); + if (!split_key) + { -+ err = grub_errno; ++ ret = grub_errno; + goto err; + } + + grub_errno = GRUB_ERR_NONE; -+ err = grub_disk_read (disk, 0, k->area.offset, k->area.size, split_key); -+ if (err) ++ ret = grub_disk_read (disk, 0, k->area.offset, k->area.size, split_key); ++ if (ret) + { + grub_dprintf ("luks2", "Read error: %s\n", grub_errmsg); + goto err; + } + -+ gcry_err = grub_cryptodisk_decrypt (crypt, split_key, k->area.size, 0); -+ if (gcry_err) ++ gcry_ret = grub_cryptodisk_decrypt (crypt, split_key, k->area.size, 0); ++ if (gcry_ret) + { -+ err = grub_crypto_gcry_error (gcry_err); ++ ret = grub_crypto_gcry_error (gcry_ret); + goto err; + } + @@ grub-core/disk/luks2.c (new) + hash = grub_crypto_lookup_md_by_name (k->af.hash); + if (!hash) + { -+ err = grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash", ++ ret = grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash", + k->af.hash); + goto err; + } + + /* Merge the decrypted key material to get the candidate master key. */ -+ gcry_err = AF_merge (hash, split_key, out_key, k->key_size, k->af.stripes); -+ if (gcry_err) ++ gcry_ret = AF_merge (hash, split_key, out_key, k->key_size, k->af.stripes); ++ if (gcry_ret) + { -+ err = grub_crypto_gcry_error (gcry_err); ++ ret = grub_crypto_gcry_error (gcry_ret); + goto err; + } + + grub_dprintf ("luks2", "Candidate key recovered\n"); + -+err: ++ err: + grub_free (split_key); -+ return err; ++ return ret; +} + +static grub_err_t @@ grub-core/disk/luks2.c (new) + grub_luks2_keyslot_t keyslot; + grub_luks2_digest_t digest; + grub_luks2_segment_t segment; -+ gcry_err_code_t gcry_err; ++ gcry_err_code_t gcry_ret; + grub_json_t *json = NULL, keyslots; -+ grub_err_t err; ++ grub_err_t ret; + -+ err = luks2_read_header (disk, &header); -+ if (err) -+ return err; ++ ret = luks2_read_header (disk, &header); ++ if (ret) ++ return ret; + + json_header = grub_zalloc (grub_be_to_cpu64 (header.hdr_size) - sizeof (header)); + if (!json_header) + return GRUB_ERR_OUT_OF_MEMORY; + + /* Read the JSON area. */ -+ err = grub_disk_read (disk, 0, grub_be_to_cpu64 (header.hdr_offset) + sizeof (header), ++ ret = grub_disk_read (disk, 0, grub_be_to_cpu64 (header.hdr_offset) + sizeof (header), + grub_be_to_cpu64 (header.hdr_size) - sizeof (header), json_header); -+ if (err) ++ if (ret) + goto err; + + ptr = grub_memchr(json_header, 0, grub_be_to_cpu64 (header.hdr_size) - sizeof (header)); + if (!ptr) + goto err; + -+ err = grub_json_parse (&json, json_header, grub_be_to_cpu64 (header.hdr_size)); -+ if (err) ++ ret = grub_json_parse (&json, json_header, grub_be_to_cpu64 (header.hdr_size)); ++ if (ret) + { -+ err = grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid LUKS2 JSON header"); ++ ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid LUKS2 JSON header"); + goto err; + } + @@ grub-core/disk/luks2.c (new) + crypt->uuid); + if (!grub_password_get (passphrase, MAX_PASSPHRASE)) + { -+ err = grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); ++ ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); + goto err; + } + -+ err = grub_json_getvalue (&keyslots, json, "keyslots"); -+ if (err) ++ ret = grub_json_getvalue (&keyslots, json, "keyslots"); ++ if (ret) + goto err; + + /* Try all keyslot */ + for (i = 0; i < grub_json_getsize (&keyslots); i++) + { -+ err = luks2_get_keyslot (&keyslot, &digest, &segment, json, i); -+ if (err) ++ ret = luks2_get_keyslot (&keyslot, &digest, &segment, json, i); ++ if (ret) + goto err; + + if (keyslot.priority == 0) @@ grub-core/disk/luks2.c (new) + else + crypt->total_length = grub_strtoull(segment.size, NULL, 10); + -+ err = luks2_decrypt_key (candidate_key, disk, crypt, &keyslot, ++ ret = luks2_decrypt_key (candidate_key, disk, crypt, &keyslot, + (const grub_uint8_t *) passphrase, grub_strlen (passphrase)); -+ if (err) ++ if (ret) + { + grub_dprintf ("luks2", "Decryption with keyslot %"PRIuGRUB_SIZE" failed", i); + continue; + } + -+ err = luks2_verify_key (&digest, candidate_key, keyslot.key_size); -+ if (err) ++ ret = luks2_verify_key (&digest, candidate_key, keyslot.key_size); ++ if (ret) + { + grub_dprintf ("luks2", "Could not open keyslot %"PRIuGRUB_SIZE"\n", i); + continue; + } + -+ /* TRANSLATORS: It's a cryptographic key slot: one element of an array -+ where each element is either empty or holds a key. */ ++ /* ++ * TRANSLATORS: It's a cryptographic key slot: one element of an array ++ * where each element is either empty or holds a key. ++ */ + grub_printf_ (N_("Slot %"PRIuGRUB_SIZE" opened\n"), i); + + candidate_key_len = keyslot.key_size; @@ grub-core/disk/luks2.c (new) + } + if (candidate_key_len == 0) + { -+ err = grub_error (GRUB_ERR_ACCESS_DENIED, "Invalid passphrase"); ++ ret = grub_error (GRUB_ERR_ACCESS_DENIED, "Invalid passphrase"); + goto err; + } + @@ grub-core/disk/luks2.c (new) + return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid encryption"); + *ptr = '\0'; + -+ err = grub_cryptodisk_setcipher (crypt, cipher, ptr + 1); -+ if (err) ++ ret = grub_cryptodisk_setcipher (crypt, cipher, ptr + 1); ++ if (ret) + goto err; + + /* Set the master key. */ -+ gcry_err = grub_cryptodisk_setkey (crypt, candidate_key, candidate_key_len); -+ if (gcry_err) ++ gcry_ret = grub_cryptodisk_setkey (crypt, candidate_key, candidate_key_len); ++ if (gcry_ret) + { -+ err = grub_crypto_gcry_error (gcry_err); ++ ret = grub_crypto_gcry_error (gcry_ret); + goto err; + } + -+err: ++ err: + grub_free (part); + grub_free (json_header); + grub_json_free (json); -+ return err; ++ return ret; +} + +static struct grub_cryptodisk_dev luks2_crypto = { -- 2.24.0