* [dm-crypt] how to get keyslog PBKDF settings via libcryptsetup
@ 2020-01-28 14:51 Jonas Meurer
2020-01-29 10:23 ` Ondrej Kozina
` (4 more replies)
0 siblings, 5 replies; 8+ messages in thread
From: Jonas Meurer @ 2020-01-28 14:51 UTC (permalink / raw)
To: dm-crypt
Hello dm-crypt folks,
I want to retrieve pbkdf params for active keyslots of LUKS devices.
First I looked into `crypt_keyslot_get_pbkdf()`, but contrary to what
the code suggests[1], it doesn't return values for LUKS1 devices.
Also, looking at the actual return values, it seems to return the
calculated values for a new keyslot, not the ones for the active
keyslot, right?
Is there another way to retrieve the values that `cryptsetup luksDump`
shows? I'm particularly interested in the `iterations` values for LUKS1
and `memory` values for LUKS2 devices.
Here's my (non-working code):
    struct crypt_device *cd = NULL;
    if (crypt_init_by_name(&cd, devices[i])) {
        errx(EXIT_FAILURE, "couldn't init LUKS device %s", devices[i]);
    } else {
        int ks_max = crypt_keyslot_max(crypt_get_type(cd));
        for (int j = 0; j < ks_max; j++) {
            crypt_keyslot_info ki = crypt_keyslot_status(cd, j);
            if (ki == CRYPT_SLOT_ACTIVE || ki == CRYPT_SLOT_ACTIVE_LAST) {
                // Keyslot is active
                struct crypt_pbkdf_type pbkdf_ki;
                if (crypt_keyslot_get_pbkdf(cd, ki, &pbkdf_ki)) {
                    printf(" max_memory_kb: %d\n", pbkdf_ki.max_memory_kb);
                } else {
                    warn("No PBKDF for ks %d (device %s)", j, devices[i]);
                }
            }
        }
    }
    crypt_free(cd);
When giving a LUKS2 device, I get (somewhat strange) results:
max_memory_kb: 1824273616
When giving a LUKS1 device, crypt_keyslot_get_pbkdf isn't successful:
cryptsetup-suspend: No PBKDF for ks 0 (device cont3_crypt): Success
Cheers
jonas
[1]
https://gitlab.com/cryptsetup/cryptsetup/blob/4448ddc/lib/setup.c#L5175-5178
* Re: [dm-crypt] how to get keyslog PBKDF settings via libcryptsetup
From: Ondrej Kozina @ 2020-01-29 10:23 UTC (permalink / raw)
To: dm-crypt; +Cc: Jonas Meurer
On 1/28/20 3:51 PM, Jonas Meurer wrote:
> Hello dm-crypt folks,
>
> I want to retrieve pbkdf params for active keyslots of LUKS devices.
> First I looked into `crypt_keyslot_get_pbkdf()`, but contrary to what
> the code suggests[1], it doesn't return values for LUKS1 devices.
No, it should definitely work. What version of the library have you tested
it with?
>
> Also, looking at the actual return values, it seems to return the
> calculated values for a new keyslot, not the ones for the active
> keyslot, right?
Again, this would be either a bug in libcryptsetup or some mistake in your
application code. Looking at the libcryptsetup code, it extracts values
directly from metadata for both LUKS1 and LUKS2.
>
> Is there another way to retrieve the values that `cryptsetup luksDump`
> shows? I'm particularly interested in the `iterations` values for LUKS1
> and `memory` values for LUKS2 devices.
>
> Here's my (non-working code):
>
>     struct crypt_device *cd = NULL;
>     if (crypt_init_by_name(&cd, devices[i])) {
>         errx(EXIT_FAILURE, "couldn't init LUKS device %s", devices[i]);
>     } else {
>         int ks_max = crypt_keyslot_max(crypt_get_type(cd));
>         for (int j = 0; j < ks_max; j++) {
>             crypt_keyslot_info ki = crypt_keyslot_status(cd, j);
>             if (ki == CRYPT_SLOT_ACTIVE || ki == CRYPT_SLOT_ACTIVE_LAST) {
>                 // Keyslot is active
>                 struct crypt_pbkdf_type pbkdf_ki;
>                 if (crypt_keyslot_get_pbkdf(cd, ki, &pbkdf_ki)) {
>                     printf(" max_memory_kb: %d\n", pbkdf_ki.max_memory_kb);
>                 } else {
>                     warn("No PBKDF for ks %d (device %s)", j, devices[i]);
>                 }
>             }
>         }
>     }
>     crypt_free(cd);
Do you get same values when you try to modify your code a bit?
Could you replace crypt_init_by_name() with
crypt_init(/path/to/luks/metadata/device)
and subsequent
crypt_load()
Do you get same (wrong) values?
O.
* Re: [dm-crypt] how to get keyslog PBKDF settings via libcryptsetup
From: Ondrej Kozina @ 2020-01-29 10:32 UTC (permalink / raw)
To: dm-crypt; +Cc: Jonas Meurer
On 1/28/20 3:51 PM, Jonas Meurer wrote:
>
> When giving a LUKS1 device, crypt_keyslot_get_pbkdf isn't successful:
>
> cryptsetup-suspend: No PBKDF for ks 0 (device cont3_crypt): Success
For a _valid_ LUKS1 device with keyslot 0, this is impossible to get from
the cryptsetup library. crypt_keyslot_get_pbkdf() can't fail in such a case.
So, are you sure *cd contains a proper LUKS1 context?
O.
* Re: [dm-crypt] how to get keyslog PBKDF settings via libcryptsetup
From: Ondrej Kozina @ 2020-01-29 10:36 UTC (permalink / raw)
To: dm-crypt; +Cc: Jonas Meurer
Hi,
On 1/28/20 3:51 PM, Jonas Meurer wrote:
>     if (crypt_keyslot_get_pbkdf(cd, ki, &pbkdf_ki)) {
>         printf(" max_memory_kb: %d\n", pbkdf_ki.max_memory_kb);
>     } else {
>         warn("No PBKDF for ks %d (device %s)", j, devices[i]);
>     }
Probably, you've just switched the condition on
crypt_keyslot_get_pbkdf(). It returns 0 on success and a negative value
otherwise.
Regards O.
* Re: [dm-crypt] how to get keyslog PBKDF settings via libcryptsetup
From: Jonas Meurer @ 2020-01-29 14:14 UTC (permalink / raw)
To: Ondrej Kozina, dm-crypt
Hey Ondrej,
Ondrej Kozina:
> On 1/28/20 3:51 PM, Jonas Meurer wrote:
>> Hello dm-crypt folks,
>>
>> I want to retrieve pbkdf params for active keyslots of LUKS devices.
>> First I looked into `crypt_keyslot_get_pbkdf()`, but contrary to what
>> the code suggests[1], it doesn't return values for LUKS1 devices.
>
> No, it should definitely work. What version of the library have you tested
> it with?
Thanks for your comments and confirming that I'm on the right track :)
I'm using the latest cryptsetup 2.2.2 version (from the Debian packages).
> So, are you sure *cd contains a proper LUKS1 context?
At least I hope so. `crypt_get_type(cd)` returns 'LUKS1' and 'LUKS2'
respectively.
> Probably, you've just switched the condition on
> crypt_keyslot_get_pbkdf(). It returns 0 on success and a negative value
> otherwise.
That's how I first understood it as well. But after some
testing I got the impression that my crypt_pbkdf_type struct contains
values if the return code is *not* 0. Anyway, I checked the return codes
of `crypt_keyslot_get_pbkdf(cd, ki, &pbkdf_ki)` now for LUKS1 and LUKS2
devices and interestingly, I always get return code '0' for LUKS1
devices and '-2' for LUKS2 devices:
Device cont1_crypt (type LUKS2)
Active keyslot 0: 2
return code: -2
Active keyslot 1: 2
return code: -2
Device cont3_crypt (type LUKS1)
Active keyslot 0: 3
cryptsetup-suspend: couldn't get PBKDF for keyslot 0 of device
cont3_crypt: Success
return code: 0
Also, the crypt_pbkdf_type struct has values '0' for all integers for
LUKS1 and seems to have random values for LUKS2 (probably pointers to
random memory pages?).
Simplified code:
    struct crypt_device *cd = NULL;
    crypt_init_by_name(&cd, devices[i]);
    printf("Device %s (type %s)\n", devices[i], crypt_get_type(cd));
    int ks_max = crypt_keyslot_max(crypt_get_type(cd));
    for (int j = 0; j < ks_max; j++) {
        crypt_keyslot_info ki = crypt_keyslot_status(cd, j);
        if (ki != CRYPT_SLOT_ACTIVE && ki != CRYPT_SLOT_ACTIVE_LAST)
            continue;
        printf("Active keyslot %d: %d\n", j, ki);
        struct crypt_pbkdf_type pbkdf_ki;
        int res = crypt_keyslot_get_pbkdf(cd, ki, &pbkdf_ki);
        printf(" return code: %d\n", res);
    }
    crypt_free(cd);
>> Also, looking at the actual return values, it seems to return the
>> calculated values for a new keyslot, not the ones for the active
>> keyslot, right?
>
> Again, this would be either a bug in libcryptsetup or some mistake in your
> application code. Looking at the libcryptsetup code, it extracts values
> directly from metadata for both LUKS1 and LUKS2.
Yep, apparently either I'm doing something wrong or there's a bug in
libcryptsetup. Unfortunately I'm not sure which one is true ;)
> Do you get same values when you try to modify your code a bit?
>
> Could you replace crypt_init_by_name() with
>
> crypt_init(/path/to/luks/metadata/device)
> and subsequent
> crypt_load()
>
> Do you get same (wrong) values?
Yep, I now tried that with exactly the same results.
Cheers
jonas
* [dm-crypt] Superblock size calculation
From: EXTERNAL D Sharmila (Iwave, RBEI/PAC-PF) @ 2020-01-30 4:38 UTC (permalink / raw)
To: dm-crypt
Hi team,
How to find the superblock size of the physical device which is
encrypted using the dm-crypt utility? I have formatted my device using the
integritysetup tool and applied integrity using dm-integrity, with dm-crypt
stacked on top of that. So my requirement is to corrupt the
physical layer of the device except the superblock and check whether it
mounts successfully.
Note: I tried corrupting the superblock (some initial blocks) and
tried mounting, and it fails. So now I have to try without corrupting
any blocks of the superblock while corrupting the rest.
The integritysetup dump is giving me the following result.
root@imx8dx_ccu:~# integritysetup dump /dev/mmcblk0p5
Info for integrity device /dev/mmcblk0p5.
superblock_version 1
log2_interleave_sectors 15
integrity_tag_size 32
journal_sections 1
provided_data_sectors 14240
sector_size 512
flags
root@imx8dx_ccu:~#
How to find the superblock size of the device?
Regards,
Sharmila
* Re: [dm-crypt] how to get keyslog PBKDF settings via libcryptsetup
From: Ondrej Kozina @ 2020-01-31 13:52 UTC (permalink / raw)
To: dm-crypt; +Cc: Jonas Meurer
For anyone interested,
there was a minor bug in LUKS1 crypt_keyslot_get_pbkdf() where we
returned pbkdf values even for an inactive keyslot. It was fixed with
commit
https://gitlab.com/cryptsetup/cryptsetup/commit/47d0cf495dae03822c76ef2ef482f940208d9062
and it will get distributed with upstream 2.3.0 release.
O.
* Re: [dm-crypt] how to get keyslog PBKDF settings via libcryptsetup
From: Jonas Meurer @ 2020-01-31 13:55 UTC (permalink / raw)
To: Ondrej Kozina, dm-crypt
Hello,
Ondrej Kozina:
> For anyone interested,
>
> there was a minor bug in LUKS1 crypt_keyslot_get_pbkdf() where we
> returned pbkdf values even for an inactive keyslot. It was fixed with
> commit
> https://gitlab.com/cryptsetup/cryptsetup/commit/47d0cf495dae03822c76ef2ef482f940208d9062
> and it will get distributed with upstream 2.3.0 release.
And for anyone interested in my code example, the major bug was there. I
passed 'ki' (which is the flag that indicates the keyslot status)
instead of 'j' (the keyslot number) to crypt_keyslot_get_pbkdf(). Thanks
to Ondrej for pointing that out!
Here's a fixed version of my example code:
    #include <stdlib.h>
    #include <stdio.h>
    #include <err.h>
    #include <string.h>
    #include <libcryptsetup.h>

    int main(int argc, char *argv[]) {
        int r;

        if (argc != 3 || (strcmp(argv[1], CRYPT_LUKS1) != 0 &&
                          strcmp(argv[1], CRYPT_LUKS2) != 0))
            errx(EXIT_FAILURE, "expects LUKS1/LUKS2 as first and LUKS device as second argument");

        /* libcryptsetup reports errors as negative return values, not via errno */
        struct crypt_device *cd = NULL;
        if ((r = crypt_init(&cd, argv[2])) < 0)
            errx(EXIT_FAILURE, "crypt_init failed: %s", strerror(-r));
        if ((r = crypt_load(cd, argv[1], NULL)) < 0)
            errx(EXIT_FAILURE, "crypt_load failed: %s", strerror(-r));

        fprintf(stderr, "Device %s (type %s)\n", argv[2], crypt_get_type(cd));
        int ks_max = crypt_keyslot_max(crypt_get_type(cd));
        for (int j = 0; j < ks_max; j++) {
            crypt_keyslot_info ki = crypt_keyslot_status(cd, j);
            if (ki != CRYPT_SLOT_ACTIVE && ki != CRYPT_SLOT_ACTIVE_LAST)
                continue;
            fprintf(stderr, "Active keyslot %d: %d\n", j, ki);
            struct crypt_pbkdf_type pbkdf_ki;
            /* pass the keyslot number j, not the status flag ki */
            int res = crypt_keyslot_get_pbkdf(cd, j, &pbkdf_ki);
            fprintf(stderr, " return code: %d\n", res);
            if (res < 0)
                continue; /* pbkdf_ki is not filled in on failure */
            /* both fields are unsigned 32-bit values, so print them with %u */
            fprintf(stderr, " iterations: %u\n", pbkdf_ki.iterations);
            fprintf(stderr, " max_memory_kb: %u\n", pbkdf_ki.max_memory_kb);
        }
        crypt_free(cd);
        return EXIT_SUCCESS;
    }
Cheers
jonas
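
Added example, not part of Jonas's post and not libcryptsetup code: a small self-contained C model of the mix-up resolved above, where the status value `ki` was passed where the keyslot number `j` belongs. The `model_*` functions, `active_slot_pbkdf()`, `result_text()` and the sample device are hypothetical stand-ins; the -ENOENT return for an inactive slot is an assumption chosen to match the -2 printed earlier in the thread.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a LUKS header; hypothetical names, not libcryptsetup. */
enum slot_status { SLOT_INVALID, SLOT_INACTIVE, SLOT_ACTIVE, SLOT_ACTIVE_LAST };
struct pbkdf { unsigned iterations, max_memory_kb; };
struct model_dev { int nslots; int active[8]; struct pbkdf kdf[8]; };

/* Status is an enum (2 or 3 for active slots in the thread), not a slot index. */
static enum slot_status model_status(const struct model_dev *d, int slot) {
    int n = 0;
    if (slot < 0 || slot >= d->nslots) return SLOT_INVALID;
    if (!d->active[slot]) return SLOT_INACTIVE;
    for (int i = 0; i < d->nslots; i++) n += d->active[i];
    return n == 1 ? SLOT_ACTIVE_LAST : SLOT_ACTIVE;
}

/* Contract from the thread: 0 on success, negative value otherwise. */
static int model_get_pbkdf(const struct model_dev *d, int slot, struct pbkdf *out) {
    if (slot < 0 || slot >= d->nslots) return -EINVAL;
    if (!d->active[slot]) return -ENOENT; /* assumption: the -2 seen in the thread */
    *out = d->kdf[slot];
    return 0;
}

/* Defensive wrapper: takes only the slot number and zeroes the output first. */
static int active_slot_pbkdf(const struct model_dev *d, int slot, struct pbkdf *out) {
    enum slot_status st = model_status(d, slot);
    memset(out, 0, sizeof(*out));
    if (st != SLOT_ACTIVE && st != SLOT_ACTIVE_LAST) return -ENOENT;
    return model_get_pbkdf(d, slot, out);
}

/* The result is in the return value, not errno, which is why warn() printed ": Success". */
static const char *result_text(int res) { return res < 0 ? strerror(-res) : "ok"; }

/* Constructed sample: slots 0 and 1 active, parameter values made up. */
static const struct model_dev sample = { 8, {1, 1}, {{4, 1048576}, {4, 1048576}} };

int main(void) {
    struct pbkdf k;
    int ki = model_status(&sample, 0);          /* 2 == SLOT_ACTIVE */
    int bad = model_get_pbkdf(&sample, ki, &k); /* status passed as slot number */
    int good = active_slot_pbkdf(&sample, 0, &k);
    printf("ki=%d bad=%d (%s) good=%d iterations=%u max_memory_kb=%u\n",
           ki, bad, result_text(bad), good, k.iterations, k.max_memory_kb);
    return 0;
}
```

With the sample device the status of slot 0 is 2, so the mixed-up call asks about inactive slot 2 and fails, while the wrapper queries slot 0 and succeeds.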