diff options
Diffstat (limited to 'resources/grub/patch/grub.johnlane.ie/0004-Cryptomount-support-plain-dm-crypt.patch')
| -rw-r--r-- | resources/grub/patch/grub.johnlane.ie/0004-Cryptomount-support-plain-dm-crypt.patch | 636 |
1 files changed, 636 insertions, 0 deletions
diff --git a/resources/grub/patch/grub.johnlane.ie/0004-Cryptomount-support-plain-dm-crypt.patch b/resources/grub/patch/grub.johnlane.ie/0004-Cryptomount-support-plain-dm-crypt.patch new file mode 100644 index 0000000..c8ee671 --- /dev/null +++ b/resources/grub/patch/grub.johnlane.ie/0004-Cryptomount-support-plain-dm-crypt.patch @@ -0,0 +1,636 @@ +From c584bacaad58facb9124df26f98fff2542f7237a Mon Sep 17 00:00:00 2001 +From: John Lane <john@lane.uk.net> +Date: Fri, 26 Jun 2015 22:09:52 +0100 +Subject: [PATCH 4/5] Cryptomount support plain dm-crypt + +--- + grub-core/disk/cryptodisk.c | 298 +++++++++++++++++++++++++++++++++++++++++++- + grub-core/disk/luks.c | 195 +---------------------------- + include/grub/cryptodisk.h | 8 ++ + 3 files changed, 310 insertions(+), 191 deletions(-) + +diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c +index a27e70c..cd5cfc9 100644 +--- a/grub-core/disk/cryptodisk.c ++++ b/grub-core/disk/cryptodisk.c +@@ -44,6 +44,12 @@ static const struct grub_arg_option options[] = + {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING}, + {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT}, + {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT}, ++ {"plain", 'p', 0, N_("Plain (no LUKS header)"), 0, ARG_TYPE_NONE}, ++ {"cipher", 'c', 0, N_("Plain mode cipher"), 0, ARG_TYPE_STRING}, ++ {"digest", 'd', 0, N_("Plain mode passphrase digest (hash)"), 0, ARG_TYPE_STRING}, ++ {"offset", 'o', 0, N_("Plain mode data sector offset"), 0, ARG_TYPE_INT}, ++ {"size", 's', 0, N_("Size of raw device (sectors, defaults to whole device)"), 0, ARG_TYPE_INT}, ++ {"key-size", 'K', 0, N_("Set key size (bits)"), 0, ARG_TYPE_INT}, + {0, 0, 0, 0, 0, 0} + }; + +@@ -927,6 +933,48 @@ grub_cryptodisk_scan_device (const char *name, + return have_it && search_uuid ? 1 : 0; + } + ++/* Hashes a passphrase into a key and stores it with cipher. */ ++static gcry_err_code_t ++set_passphrase (grub_cryptodisk_t dev, grub_size_t keysize, const char *passphrase) ++{ ++ grub_uint8_t derived_hash[GRUB_CRYPTODISK_MAX_KEYLEN * 2], *dh = derived_hash; ++ char *p; ++ unsigned int round, i; ++ unsigned int len, size; ++ ++ /* Need no passphrase if there's no key */ ++ if (keysize == 0) ++ return GPG_ERR_INV_KEYLEN; ++ ++ /* Hack to support the "none" hash */ ++ if (dev->hash) ++ len = dev->hash->mdlen; ++ else ++ len = grub_strlen (passphrase); ++ ++ if (keysize > GRUB_CRYPTODISK_MAX_KEYLEN || len > GRUB_CRYPTODISK_MAX_KEYLEN) ++ return GPG_ERR_INV_KEYLEN; ++ ++ p = grub_malloc (grub_strlen (passphrase) + 2 + keysize / len); ++ if (!p) ++ return grub_errno; ++ ++ for (round = 0, size = keysize; size; round++, dh += len, size -= len) ++ { ++ for (i = 0; i < round; i++) ++ p[i] = 'A'; ++ ++ grub_strcpy (p + i, passphrase); ++ ++ if (len > size) ++ len = size; ++ ++ grub_crypto_hash (dev->hash, dh, p, grub_strlen (p)); ++ } ++ ++ return grub_cryptodisk_setkey (dev, derived_hash, keysize); ++} ++ + static grub_err_t + grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) + { +@@ -1046,7 +1094,63 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) + return GRUB_ERR_NONE; + } + +- err = grub_cryptodisk_scan_device_real (args[0], disk); ++ if (state[7].set) /* Plain mode */ ++ { ++ char *cipher; ++ char *mode; ++ char *digest; ++ int offset, size, key_size; ++ ++ cipher = grub_strdup (state[8].set ? state[8].arg : GRUB_CRYPTODISK_PLAIN_CIPHER); ++ digest = grub_strdup (state[9].set ? state[9].arg : GRUB_CRYPTODISK_PLAIN_DIGEST); ++ offset = state[10].set ? grub_strtoul (state[10].arg, 0, 0) : 0; ++ size = state[11].set ? grub_strtoul (state[11].arg, 0, 0) : 0; ++ key_size = ( state[12].set ? grub_strtoul (state[12].arg, 0, 0) \ ++ : GRUB_CRYPTODISK_PLAIN_KEYSIZE ) / 8; ++ ++ /* no strtok, do it manually */ ++ mode = grub_strchr(cipher,'-'); ++ if (!mode) ++ return GRUB_ERR_BAD_ARGUMENT; ++ else ++ *mode++ = 0; ++ ++ dev = grub_cryptodisk_create (disk, NULL, cipher, mode, digest); ++ ++ dev->offset = offset; ++ if (size) dev->total_length = size; ++ ++ if (key) ++ { ++ err = grub_cryptodisk_setkey (dev, key, key_size); ++ if (err) ++ return err; ++ } ++ else ++ { ++ char passphrase[GRUB_CRYPTODISK_MAX_PASSPHRASE] = ""; ++ ++ grub_printf_ (N_("Enter passphrase for %s: "), diskname); ++ if (!grub_password_get (passphrase, GRUB_CRYPTODISK_MAX_PASSPHRASE)) ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); ++ ++ err = set_passphrase (dev, key_size, passphrase); ++ if (err) ++ { ++ grub_crypto_cipher_close (dev->cipher); ++ return err; ++ } ++ } ++ ++ grub_cryptodisk_insert (dev, diskname, disk); ++ ++ grub_free (cipher); ++ grub_free (digest); ++ ++ err = GRUB_ERR_NONE; ++ } ++ else ++ err = grub_cryptodisk_scan_device_real (args[0], disk); + + grub_disk_close (disk); + +@@ -1177,13 +1281,203 @@ struct grub_procfs_entry luks_script = + .get_contents = luks_script_get + }; + ++grub_cryptodisk_t ++grub_cryptodisk_create (grub_disk_t disk, char *uuid, ++ char *ciphername, char *ciphermode, char *hashspec) ++{ ++ grub_cryptodisk_t newdev; ++ char *cipheriv = NULL; ++ grub_crypto_cipher_handle_t cipher = NULL, secondary_cipher = NULL; ++ grub_crypto_cipher_handle_t essiv_cipher = NULL; ++ const gcry_md_spec_t *hash = NULL, *essiv_hash = NULL; ++ const struct gcry_cipher_spec *ciph; ++ grub_cryptodisk_mode_t mode; ++ grub_cryptodisk_mode_iv_t mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64; ++ int benbi_log = 0; ++ ++ if (!uuid) ++ uuid = (char*)"00000000000000000000000000000000"; ++ ++ ciph = grub_crypto_lookup_cipher_by_name (ciphername); ++ if (!ciph) ++ { ++ grub_error (GRUB_ERR_FILE_NOT_FOUND, "Cipher %s isn't available", ++ ciphername); ++ return NULL; ++ } ++ ++ /* Configure the cipher used for the bulk data. */ ++ cipher = grub_crypto_cipher_open (ciph); ++ if (!cipher) ++ return NULL; ++ ++ /* Configure the cipher mode. */ ++ if (grub_strcmp (ciphermode, "ecb") == 0) ++ { ++ mode = GRUB_CRYPTODISK_MODE_ECB; ++ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN; ++ cipheriv = NULL; ++ } ++ else if (grub_strcmp (ciphermode, "plain") == 0) ++ { ++ mode = GRUB_CRYPTODISK_MODE_CBC; ++ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN; ++ cipheriv = NULL; ++ } ++ else if (grub_memcmp (ciphermode, "cbc-", sizeof ("cbc-") - 1) == 0) ++ { ++ mode = GRUB_CRYPTODISK_MODE_CBC; ++ cipheriv = ciphermode + sizeof ("cbc-") - 1; ++ } ++ else if (grub_memcmp (ciphermode, "pcbc-", sizeof ("pcbc-") - 1) == 0) ++ { ++ mode = GRUB_CRYPTODISK_MODE_PCBC; ++ cipheriv = ciphermode + sizeof ("pcbc-") - 1; ++ } ++ else if (grub_memcmp (ciphermode, "xts-", sizeof ("xts-") - 1) == 0) ++ { ++ mode = GRUB_CRYPTODISK_MODE_XTS; ++ cipheriv = ciphermode + sizeof ("xts-") - 1; ++ secondary_cipher = grub_crypto_cipher_open (ciph); ++ if (!secondary_cipher) ++ { ++ grub_crypto_cipher_close (cipher); ++ return NULL; ++ } ++ if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES) ++ { ++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d", ++ cipher->cipher->blocksize); ++ grub_crypto_cipher_close (cipher); ++ grub_crypto_cipher_close (secondary_cipher); ++ return NULL; ++ } ++ if (secondary_cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES) ++ { ++ grub_crypto_cipher_close (cipher); ++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d", ++ secondary_cipher->cipher->blocksize); ++ grub_crypto_cipher_close (secondary_cipher); ++ return NULL; ++ } ++ } ++ else if (grub_memcmp (ciphermode, "lrw-", sizeof ("lrw-") - 1) == 0) ++ { ++ mode = GRUB_CRYPTODISK_MODE_LRW; ++ cipheriv = ciphermode + sizeof ("lrw-") - 1; ++ if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES) ++ { ++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported LRW block size: %d", ++ cipher->cipher->blocksize); ++ grub_crypto_cipher_close (cipher); ++ return NULL; ++ } ++ } ++ else ++ { ++ grub_crypto_cipher_close (cipher); ++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown cipher mode: %s", ++ ciphermode); ++ return NULL; ++ } ++ ++ if (cipheriv == NULL); ++ else if (grub_memcmp (cipheriv, "plain", sizeof ("plain") - 1) == 0) ++ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN; ++ else if (grub_memcmp (cipheriv, "plain64", sizeof ("plain64") - 1) == 0) ++ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64; ++ else if (grub_memcmp (cipheriv, "benbi", sizeof ("benbi") - 1) == 0) ++ { ++ if (cipher->cipher->blocksize & (cipher->cipher->blocksize - 1) ++ || cipher->cipher->blocksize == 0) ++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported benbi blocksize: %d", ++ cipher->cipher->blocksize); ++ /* FIXME should we return an error here? */ ++ for (benbi_log = 0; ++ (cipher->cipher->blocksize << benbi_log) < GRUB_DISK_SECTOR_SIZE; ++ benbi_log++); ++ mode_iv = GRUB_CRYPTODISK_MODE_IV_BENBI; ++ } ++ else if (grub_memcmp (cipheriv, "null", sizeof ("null") - 1) == 0) ++ mode_iv = GRUB_CRYPTODISK_MODE_IV_NULL; ++ else if (grub_memcmp (cipheriv, "essiv:", sizeof ("essiv:") - 1) == 0) ++ { ++ char *hash_str = cipheriv + 6; ++ ++ mode_iv = GRUB_CRYPTODISK_MODE_IV_ESSIV; ++ ++ /* Configure the hash and cipher used for ESSIV. */ ++ essiv_hash = grub_crypto_lookup_md_by_name (hash_str); ++ if (!essiv_hash) ++ { ++ grub_crypto_cipher_close (cipher); ++ grub_crypto_cipher_close (secondary_cipher); ++ grub_error (GRUB_ERR_FILE_NOT_FOUND, ++ "Couldn't load %s hash", hash_str); ++ return NULL; ++ } ++ essiv_cipher = grub_crypto_cipher_open (ciph); ++ if (!essiv_cipher) ++ { ++ grub_crypto_cipher_close (cipher); ++ grub_crypto_cipher_close (secondary_cipher); ++ return NULL; ++ } ++ } ++ else ++ { ++ grub_crypto_cipher_close (cipher); ++ grub_crypto_cipher_close (secondary_cipher); ++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown IV mode: %s", ++ cipheriv); ++ return NULL; ++ } ++ ++ /* Configure the passphrase hash (LUKS also uses AF splitter and HMAC). */ ++ hash = grub_crypto_lookup_md_by_name (hashspec); ++ if (!hash) ++ { ++ grub_crypto_cipher_close (cipher); ++ grub_crypto_cipher_close (essiv_cipher); ++ grub_crypto_cipher_close (secondary_cipher); ++ grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash", ++ hashspec); ++ return NULL; ++ } ++ ++ newdev = grub_zalloc (sizeof (struct grub_cryptodisk)); ++ if (!newdev) ++ { ++ grub_crypto_cipher_close (cipher); ++ grub_crypto_cipher_close (essiv_cipher); ++ grub_crypto_cipher_close (secondary_cipher); ++ return NULL; ++ } ++ newdev->cipher = cipher; ++ newdev->offset = 0; ++ newdev->source_disk = NULL; ++ newdev->benbi_log = benbi_log; ++ newdev->mode = mode; ++ newdev->mode_iv = mode_iv; ++ newdev->secondary_cipher = secondary_cipher; ++ newdev->essiv_cipher = essiv_cipher; ++ newdev->essiv_hash = essiv_hash; ++ newdev->hash = hash; ++ newdev->log_sector_size = 9; ++ newdev->total_length = grub_disk_get_size (disk) - newdev->offset; ++ grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid)); ++ COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid)); ++ ++ return newdev; ++} ++ + static grub_extcmd_t cmd; + + GRUB_MOD_INIT (cryptodisk) + { + grub_disk_dev_register (&grub_cryptodisk_dev); + cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0, +- N_("SOURCE|-u UUID|-a|-b|-H file"), ++ N_("SOURCE|-u UUID|-a|-b|-H file|-p -c cipher -d digest"), + N_("Mount a crypto device."), options); + grub_procfs_register ("luks_script", &luks_script); + } +diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c +index 11e437e..4ebe21b 100644 +--- a/grub-core/disk/luks.c ++++ b/grub-core/disk/luks.c +@@ -30,8 +30,6 @@ + + GRUB_MOD_LICENSE ("GPLv3+"); + +-#define MAX_PASSPHRASE 256 +- + #define LUKS_KEY_ENABLED 0x00AC71F3 + + /* On disk LUKS header */ +@@ -76,15 +74,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + char uuid[sizeof (header.uuid) + 1]; + char ciphername[sizeof (header.cipherName) + 1]; + char ciphermode[sizeof (header.cipherMode) + 1]; +- char *cipheriv = NULL; + char hashspec[sizeof (header.hashSpec) + 1]; +- grub_crypto_cipher_handle_t cipher = NULL, secondary_cipher = NULL; +- grub_crypto_cipher_handle_t essiv_cipher = NULL; +- const gcry_md_spec_t *hash = NULL, *essiv_hash = NULL; +- const struct gcry_cipher_spec *ciph; +- grub_cryptodisk_mode_t mode; +- grub_cryptodisk_mode_iv_t mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64; +- int benbi_log = 0; + grub_err_t err; + + err = GRUB_ERR_NONE; +@@ -119,7 +109,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + iptr++) + { + if (*iptr != '-') +- *optr++ = *iptr; ++ *optr++ = *iptr; + } + *optr = 0; + +@@ -129,6 +119,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + return NULL; + } + ++ + /* Make sure that strings are null terminated. */ + grub_memcpy (ciphername, header.cipherName, sizeof (header.cipherName)); + ciphername[sizeof (header.cipherName)] = 0; +@@ -137,184 +128,10 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + grub_memcpy (hashspec, header.hashSpec, sizeof (header.hashSpec)); + hashspec[sizeof (header.hashSpec)] = 0; + +- ciph = grub_crypto_lookup_cipher_by_name (ciphername); +- if (!ciph) +- { +- grub_error (GRUB_ERR_FILE_NOT_FOUND, "Cipher %s isn't available", +- ciphername); +- return NULL; +- } +- +- /* Configure the cipher used for the bulk data. */ +- cipher = grub_crypto_cipher_open (ciph); +- if (!cipher) +- return NULL; +- +- if (grub_be_to_cpu32 (header.keyBytes) > 1024) +- { +- grub_error (GRUB_ERR_BAD_ARGUMENT, "invalid keysize %d", +- grub_be_to_cpu32 (header.keyBytes)); +- grub_crypto_cipher_close (cipher); +- return NULL; +- } +- +- /* Configure the cipher mode. */ +- if (grub_strcmp (ciphermode, "ecb") == 0) +- { +- mode = GRUB_CRYPTODISK_MODE_ECB; +- mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN; +- cipheriv = NULL; +- } +- else if (grub_strcmp (ciphermode, "plain") == 0) +- { +- mode = GRUB_CRYPTODISK_MODE_CBC; +- mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN; +- cipheriv = NULL; +- } +- else if (grub_memcmp (ciphermode, "cbc-", sizeof ("cbc-") - 1) == 0) +- { +- mode = GRUB_CRYPTODISK_MODE_CBC; +- cipheriv = ciphermode + sizeof ("cbc-") - 1; +- } +- else if (grub_memcmp (ciphermode, "pcbc-", sizeof ("pcbc-") - 1) == 0) +- { +- mode = GRUB_CRYPTODISK_MODE_PCBC; +- cipheriv = ciphermode + sizeof ("pcbc-") - 1; +- } +- else if (grub_memcmp (ciphermode, "xts-", sizeof ("xts-") - 1) == 0) +- { +- mode = GRUB_CRYPTODISK_MODE_XTS; +- cipheriv = ciphermode + sizeof ("xts-") - 1; +- secondary_cipher = grub_crypto_cipher_open (ciph); +- if (!secondary_cipher) +- { +- grub_crypto_cipher_close (cipher); +- return NULL; +- } +- if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES) +- { +- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d", +- cipher->cipher->blocksize); +- grub_crypto_cipher_close (cipher); +- grub_crypto_cipher_close (secondary_cipher); +- return NULL; +- } +- if (secondary_cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES) +- { +- grub_crypto_cipher_close (cipher); +- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d", +- secondary_cipher->cipher->blocksize); +- grub_crypto_cipher_close (secondary_cipher); +- return NULL; +- } +- } +- else if (grub_memcmp (ciphermode, "lrw-", sizeof ("lrw-") - 1) == 0) +- { +- mode = GRUB_CRYPTODISK_MODE_LRW; +- cipheriv = ciphermode + sizeof ("lrw-") - 1; +- if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES) +- { +- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported LRW block size: %d", +- cipher->cipher->blocksize); +- grub_crypto_cipher_close (cipher); +- return NULL; +- } +- } +- else +- { +- grub_crypto_cipher_close (cipher); +- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown cipher mode: %s", +- ciphermode); +- return NULL; +- } +- +- if (cipheriv == NULL); +- else if (grub_memcmp (cipheriv, "plain", sizeof ("plain") - 1) == 0) +- mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN; +- else if (grub_memcmp (cipheriv, "plain64", sizeof ("plain64") - 1) == 0) +- mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64; +- else if (grub_memcmp (cipheriv, "benbi", sizeof ("benbi") - 1) == 0) +- { +- if (cipher->cipher->blocksize & (cipher->cipher->blocksize - 1) +- || cipher->cipher->blocksize == 0) +- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported benbi blocksize: %d", +- cipher->cipher->blocksize); +- /* FIXME should we return an error here? */ +- for (benbi_log = 0; +- (cipher->cipher->blocksize << benbi_log) < GRUB_DISK_SECTOR_SIZE; +- benbi_log++); +- mode_iv = GRUB_CRYPTODISK_MODE_IV_BENBI; +- } +- else if (grub_memcmp (cipheriv, "null", sizeof ("null") - 1) == 0) +- mode_iv = GRUB_CRYPTODISK_MODE_IV_NULL; +- else if (grub_memcmp (cipheriv, "essiv:", sizeof ("essiv:") - 1) == 0) +- { +- char *hash_str = cipheriv + 6; +- +- mode_iv = GRUB_CRYPTODISK_MODE_IV_ESSIV; +- +- /* Configure the hash and cipher used for ESSIV. */ +- essiv_hash = grub_crypto_lookup_md_by_name (hash_str); +- if (!essiv_hash) +- { +- grub_crypto_cipher_close (cipher); +- grub_crypto_cipher_close (secondary_cipher); +- grub_error (GRUB_ERR_FILE_NOT_FOUND, +- "Couldn't load %s hash", hash_str); +- return NULL; +- } +- essiv_cipher = grub_crypto_cipher_open (ciph); +- if (!essiv_cipher) +- { +- grub_crypto_cipher_close (cipher); +- grub_crypto_cipher_close (secondary_cipher); +- return NULL; +- } +- } +- else +- { +- grub_crypto_cipher_close (cipher); +- grub_crypto_cipher_close (secondary_cipher); +- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown IV mode: %s", +- cipheriv); +- return NULL; +- } +- +- /* Configure the hash used for the AF splitter and HMAC. */ +- hash = grub_crypto_lookup_md_by_name (hashspec); +- if (!hash) +- { +- grub_crypto_cipher_close (cipher); +- grub_crypto_cipher_close (essiv_cipher); +- grub_crypto_cipher_close (secondary_cipher); +- grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash", +- hashspec); +- return NULL; +- } ++ newdev = grub_cryptodisk_create (disk, uuid, ciphername, ciphermode, hashspec); + +- newdev = grub_zalloc (sizeof (struct grub_cryptodisk)); +- if (!newdev) +- { +- grub_crypto_cipher_close (cipher); +- grub_crypto_cipher_close (essiv_cipher); +- grub_crypto_cipher_close (secondary_cipher); +- return NULL; +- } +- newdev->cipher = cipher; + newdev->offset = grub_be_to_cpu32 (header.payloadOffset); +- newdev->source_disk = NULL; +- newdev->benbi_log = benbi_log; +- newdev->mode = mode; +- newdev->mode_iv = mode_iv; +- newdev->secondary_cipher = secondary_cipher; +- newdev->essiv_cipher = essiv_cipher; +- newdev->essiv_hash = essiv_hash; +- newdev->hash = hash; +- newdev->log_sector_size = 9; +- newdev->total_length = grub_disk_get_size (disk) - newdev->offset; +- grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid)); + newdev->modname = "luks"; +- COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid)); + + return newdev; + } +@@ -329,7 +146,7 @@ luks_recover_key (grub_disk_t source, + struct grub_luks_phdr header; + grub_size_t keysize; + grub_uint8_t *split_key = NULL; +- char interactive_passphrase[MAX_PASSPHRASE] = ""; ++ char interactive_passphrase[GRUB_CRYPTODISK_MAX_PASSPHRASE] = ""; + grub_uint8_t *passphrase; + grub_size_t passphrase_length; + grub_uint8_t candidate_digest[sizeof (header.mkDigest)]; +@@ -376,7 +193,7 @@ luks_recover_key (grub_disk_t source, + /* Use bytestring from key file as passphrase */ + passphrase = keyfile_bytes; + passphrase_length = keyfile_bytes_size; +- keyfile_bytes = NULL; /* use it only once */ ++ keyfile_bytes = NULL; /* use it only once */ + } + else + { +@@ -387,7 +204,7 @@ luks_recover_key (grub_disk_t source, + grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, + source->partition ? "," : "", tmp ? : "", dev->uuid); + grub_free (tmp); +- if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE)) ++ if (!grub_password_get (interactive_passphrase, GRUB_CRYPTODISK_MAX_PASSPHRASE)) + { + grub_free (split_key); + return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); +diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h +index 0299625..4076412 100644 +--- a/include/grub/cryptodisk.h ++++ b/include/grub/cryptodisk.h +@@ -54,9 +54,14 @@ typedef enum + #define GRUB_CRYPTODISK_GF_LOG_BYTES (GRUB_CRYPTODISK_GF_LOG_SIZE - 3) + #define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES) + #define GRUB_CRYPTODISK_MAX_KEYLEN 128 ++#define GRUB_CRYPTODISK_MAX_PASSPHRASE 256 + + #define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192 + ++#define GRUB_CRYPTODISK_PLAIN_CIPHER "aes-cbc-essiv:sha256" ++#define GRUB_CRYPTODISK_PLAIN_DIGEST "ripemd160" ++#define GRUB_CRYPTODISK_PLAIN_KEYSIZE 256 ++ + struct grub_cryptodisk; + + typedef gcry_err_code_t +@@ -159,4 +164,7 @@ grub_util_get_geli_uuid (const char *dev); + grub_cryptodisk_t grub_cryptodisk_get_by_uuid (const char *uuid); + grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk); + ++grub_cryptodisk_t grub_cryptodisk_create (grub_disk_t disk, char *uuid, ++ char *ciphername, char *ciphermode, char *digest); ++ + #endif +-- +2.1.2 + |