diff options
| -rw-r--r-- | src/cryptenroll/cryptenroll-fido2.c | 16 | ||||
| -rw-r--r-- | src/cryptenroll/cryptenroll-pkcs11.c | 9 | ||||
| -rw-r--r-- | src/cryptenroll/cryptenroll-tpm2.c | 9 | ||||
| -rw-r--r-- | src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c | 9 | ||||
| -rw-r--r-- | src/cryptsetup/cryptsetup-tokens/luks2-fido2.c | 9 | ||||
| -rw-r--r-- | src/cryptsetup/cryptsetup-tokens/luks2-pkcs11.c | 9 | ||||
| -rw-r--r-- | src/cryptsetup/cryptsetup.c | 21 | ||||
| -rw-r--r-- | src/home/homectl-fido2.c | 14 | ||||
| -rw-r--r-- | src/home/homectl-pkcs11.c | 7 | ||||
| -rw-r--r-- | src/home/homework-fido2.c | 7 | ||||
| -rw-r--r-- | src/home/homework-fscrypt.c | 9 | ||||
| -rw-r--r-- | src/partition/repart.c | 9 |
12 files changed, 72 insertions, 56 deletions
diff --git a/src/cryptenroll/cryptenroll-fido2.c b/src/cryptenroll/cryptenroll-fido2.c index e49b4a0cfe..2baeb92e07 100644 --- a/src/cryptenroll/cryptenroll-fido2.c +++ b/src/cryptenroll/cryptenroll-fido2.c @@ -19,6 +19,7 @@ int load_volume_key_fido2( _cleanup_(erase_and_freep) void *decrypted_key = NULL; _cleanup_(erase_and_freep) char *passphrase = NULL; size_t decrypted_key_size; + ssize_t passphrase_size; int r; assert_se(cd); @@ -43,8 +44,8 @@ int load_volume_key_fido2( /* Because cryptenroll requires a LUKS header, we can assume that this device is not * a PLAIN device. In this case, we need to base64 encode the secret to use as the passphrase */ - r = base64mem(decrypted_key, decrypted_key_size, &passphrase); - if (r < 0) + passphrase_size = base64mem(decrypted_key, decrypted_key_size, &passphrase); + if (passphrase_size < 0) return log_oom(); r = crypt_volume_key_get( @@ -53,7 +54,7 @@ int load_volume_key_fido2( ret_vk, ret_vks, passphrase, - /* passphrase_size= */ r); + passphrase_size); if (r < 0) return log_error_errno(r, "Unlocking via FIDO2 device failed: %m"); @@ -74,6 +75,7 @@ int enroll_fido2( _cleanup_free_ char *keyslot_as_string = NULL; size_t cid_size, salt_size, secret_size; _cleanup_free_ void *cid = NULL; + ssize_t base64_encoded_size; const char *node, *un; int r, keyslot; @@ -106,9 +108,9 @@ int enroll_fido2( return r; /* Before we use the secret, we base64 encode it, for compat with homed, and to make it easier to type in manually */ - r = base64mem(secret, secret_size, &base64_encoded); - if (r < 0) - return log_error_errno(r, "Failed to base64 encode secret key: %m"); + base64_encoded_size = base64mem(secret, secret_size, &base64_encoded); + if (base64_encoded_size < 0) + return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m"); r = cryptsetup_set_minimal_pbkdf(cd); if (r < 0) @@ -120,7 +122,7 @@ int enroll_fido2( volume_key, volume_key_size, base64_encoded, - strlen(base64_encoded)); + base64_encoded_size); if (keyslot < 0) return log_error_errno(keyslot, "Failed to add new FIDO2 key to %s: %m", node); diff --git a/src/cryptenroll/cryptenroll-pkcs11.c b/src/cryptenroll/cryptenroll-pkcs11.c index 9f07a2e01d..54b6b86242 100644 --- a/src/cryptenroll/cryptenroll-pkcs11.c +++ b/src/cryptenroll/cryptenroll-pkcs11.c @@ -21,6 +21,7 @@ int enroll_pkcs11( size_t decrypted_key_size, encrypted_key_size; _cleanup_free_ void *encrypted_key = NULL; _cleanup_(X509_freep) X509 *cert = NULL; + ssize_t base64_encoded_size; const char *node; EVP_PKEY *pkey; int keyslot, r; @@ -60,9 +61,9 @@ int enroll_pkcs11( /* Let's base64 encode the key to use, for compat with homed (and it's easier to type it in by * keyboard, if that might ever end up being necessary.) */ - r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded); - if (r < 0) - return log_error_errno(r, "Failed to base64 encode secret key: %m"); + base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded); + if (base64_encoded_size < 0) + return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m"); r = cryptsetup_set_minimal_pbkdf(cd); if (r < 0) @@ -74,7 +75,7 @@ int enroll_pkcs11( volume_key, volume_key_size, base64_encoded, - strlen(base64_encoded)); + base64_encoded_size); if (keyslot < 0) return log_error_errno(keyslot, "Failed to add new PKCS#11 key to %s: %m", node); diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c index 5c902908c4..96d5fc0695 100644 --- a/src/cryptenroll/cryptenroll-tpm2.c +++ b/src/cryptenroll/cryptenroll-tpm2.c @@ -145,6 +145,7 @@ int enroll_tpm2(struct crypt_device *cd, uint16_t pcr_bank, primary_alg; const char *node; _cleanup_(erase_and_freep) char *pin_str = NULL; + ssize_t base64_encoded_size; int r, keyslot; TPM2Flags flags = 0; @@ -230,9 +231,9 @@ int enroll_tpm2(struct crypt_device *cd, } /* let's base64 encode the key to use, for compat with homed (and it's easier to every type it in by keyboard, if that might end up being necessary. */ - r = base64mem(secret, secret_size, &base64_encoded); - if (r < 0) - return log_error_errno(r, "Failed to base64 encode secret key: %m"); + base64_encoded_size = base64mem(secret, secret_size, &base64_encoded); + if (base64_encoded_size < 0) + return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m"); r = cryptsetup_set_minimal_pbkdf(cd); if (r < 0) @@ -244,7 +245,7 @@ int enroll_tpm2(struct crypt_device *cd, volume_key, volume_key_size, base64_encoded, - strlen(base64_encoded)); + base64_encoded_size); if (keyslot < 0) return log_error_errno(keyslot, "Failed to add new TPM2 key to %s: %m", node); diff --git a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c index abe80720af..1eb924529c 100644 --- a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c +++ b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c @@ -51,6 +51,7 @@ _public_ int cryptsetup_token_open_pin( .search_pcr_mask = UINT32_MAX }; uint16_t pcr_bank, primary_alg; + ssize_t base64_encoded_size; TPM2Flags flags = 0; const char *json; int r; @@ -116,13 +117,13 @@ _public_ int cryptsetup_token_open_pin( return log_debug_open_error(cd, r); /* Before using this key as passphrase we base64 encode it, for compat with homed */ - r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded); - if (r < 0) - return log_debug_open_error(cd, r); + base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded); + if (base64_encoded_size < 0) + return log_debug_open_error(cd, base64_encoded_size); /* free'd automatically by libcryptsetup */ - *ret_password_len = strlen(base64_encoded); *ret_password = TAKE_PTR(base64_encoded); + *ret_password_len = base64_encoded_size; return 0; } diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-fido2.c b/src/cryptsetup/cryptsetup-tokens/luks2-fido2.c index a0e1ccbeeb..a1c85e600c 100644 --- a/src/cryptsetup/cryptsetup-tokens/luks2-fido2.c +++ b/src/cryptsetup/cryptsetup-tokens/luks2-fido2.c @@ -25,6 +25,7 @@ int acquire_luks2_key( _cleanup_(erase_and_freep) void *decrypted_key = NULL; _cleanup_(erase_and_freep) char *base64_encoded = NULL; _cleanup_strv_free_erase_ char **pins = NULL; + ssize_t base64_encoded_size; assert(ret_keyslot_passphrase); assert(ret_keyslot_passphrase_size); @@ -58,12 +59,12 @@ int acquire_luks2_key( return r; /* Before using this key as passphrase we base64 encode it, for compat with homed */ - r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded); - if (r < 0) - return crypt_log_error_errno(cd, r, "Failed to base64 encode key: %m"); + base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded); + if (base64_encoded_size < 0) + return crypt_log_error_errno(cd, (int) base64_encoded_size, "Failed to base64 encode key: %m"); *ret_keyslot_passphrase = TAKE_PTR(base64_encoded); - *ret_keyslot_passphrase_size = strlen(*ret_keyslot_passphrase); + *ret_keyslot_passphrase_size = base64_encoded_size; return 0; } diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-pkcs11.c b/src/cryptsetup/cryptsetup-tokens/luks2-pkcs11.c index 2e0450aa5b..1ed9e2bb86 100644 --- a/src/cryptsetup/cryptsetup-tokens/luks2-pkcs11.c +++ b/src/cryptsetup/cryptsetup-tokens/luks2-pkcs11.c @@ -187,6 +187,7 @@ int acquire_luks2_key( _cleanup_free_ char *pkcs11_uri = NULL; _cleanup_free_ void *encrypted_key = NULL; systemd_pkcs11_plugin_params *pkcs11_params = userdata; + ssize_t base64_encoded_size; assert(json); assert(ret_password); @@ -213,12 +214,12 @@ int acquire_luks2_key( if (r < 0) return r; - r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded); - if (r < 0) - return crypt_log_error_errno(cd, r, "Can not base64 encode key: %m"); + base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded); + if (base64_encoded_size < 0) + return crypt_log_error_errno(cd, (int) base64_encoded_size, "Can not base64 encode key: %m"); *ret_password = TAKE_PTR(base64_encoded); - *ret_password_size = strlen(*ret_password); + *ret_password_size = base64_encoded_size; return 0; } diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c index a79a08e566..cd2065f480 100644 --- a/src/cryptsetup/cryptsetup.c +++ b/src/cryptsetup/cryptsetup.c @@ -1160,14 +1160,15 @@ static int attach_luks_or_plain_or_bitlk_by_fido2( r = crypt_activate_by_volume_key(cd, name, decrypted_key, decrypted_key_size, flags); else { _cleanup_(erase_and_freep) char *base64_encoded = NULL; + ssize_t base64_encoded_size; /* Before using this key as passphrase we base64 encode it, for compat with homed */ - r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded); - if (r < 0) + base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded); + if (base64_encoded_size < 0) return log_oom(); - r = crypt_activate_by_passphrase(cd, name, keyslot, base64_encoded, strlen(base64_encoded), flags); + r = crypt_activate_by_passphrase(cd, name, keyslot, base64_encoded, base64_encoded_size, flags); } if (r == -EPERM) { log_error_errno(r, "Failed to activate with FIDO2 decrypted key. (Key incorrect?)"); @@ -1307,6 +1308,7 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11( r = crypt_activate_by_volume_key(cd, name, decrypted_key, decrypted_key_size, flags); else { _cleanup_(erase_and_freep) char *base64_encoded = NULL; + ssize_t base64_encoded_size; /* Before using this key as passphrase we base64 encode it. Why? For compatibility * with homed's PKCS#11 hookup: there we want to use the key we acquired through @@ -1316,11 +1318,11 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11( * without embedded NUL here too, and that's easiest to generate from a binary blob * via base64 encoding. */ - r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded); - if (r < 0) + base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded); + if (base64_encoded_size < 0) return log_oom(); - r = crypt_activate_by_passphrase(cd, name, keyslot, base64_encoded, strlen(base64_encoded), flags); + r = crypt_activate_by_passphrase(cd, name, keyslot, base64_encoded, base64_encoded_size, flags); } if (r == -EPERM) { log_error_errno(r, "Failed to activate with PKCS#11 decrypted key. (Key incorrect?)"); @@ -1595,14 +1597,15 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2( r = crypt_activate_by_volume_key(cd, name, decrypted_key, decrypted_key_size, flags); else { _cleanup_(erase_and_freep) char *base64_encoded = NULL; + ssize_t base64_encoded_size; /* Before using this key as passphrase we base64 encode it, for compat with homed */ - r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded); - if (r < 0) + base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded); + if (base64_encoded_size < 0) return log_oom(); - r = crypt_activate_by_passphrase(cd, name, keyslot, base64_encoded, strlen(base64_encoded), flags); + r = crypt_activate_by_passphrase(cd, name, keyslot, base64_encoded, base64_encoded_size, flags); } if (r == -EPERM) { log_error_errno(r, "Failed to activate with TPM2 decrypted key. (Key incorrect?)"); diff --git a/src/home/homectl-fido2.c b/src/home/homectl-fido2.c index 61f0d081a3..3cbdf912aa 100644 --- a/src/home/homectl-fido2.c +++ b/src/home/homectl-fido2.c @@ -26,14 +26,15 @@ static int add_fido2_credential_id( _cleanup_(json_variant_unrefp) JsonVariant *w = NULL; _cleanup_strv_free_ char **l = NULL; _cleanup_free_ char *escaped = NULL; + ssize_t escaped_size; int r; assert(v); assert(cid); - r = base64mem(cid, cid_size, &escaped); - if (r < 0) - return log_error_errno(r, "Failed to base64 encode FIDO2 credential ID: %m"); + escaped_size = base64mem(cid, cid_size, &escaped); + if (escaped_size < 0) + return log_error_errno(escaped_size, "Failed to base64 encode FIDO2 credential ID: %m"); w = json_variant_ref(json_variant_by_key(*v, "fido2HmacCredential")); if (w) { @@ -73,13 +74,14 @@ static int add_fido2_salt( _cleanup_(json_variant_unrefp) JsonVariant *l = NULL, *w = NULL, *e = NULL; _cleanup_(erase_and_freep) char *base64_encoded = NULL, *hashed = NULL; + ssize_t base64_encoded_size; int r; /* Before using UNIX hashing on the supplied key we base64 encode it, since crypt_r() and friends * expect a NUL terminated string, and we use a binary key */ - r = base64mem(secret, secret_size, &base64_encoded); - if (r < 0) - return log_error_errno(r, "Failed to base64 encode secret key: %m"); + base64_encoded_size = base64mem(secret, secret_size, &base64_encoded); + if (base64_encoded_size < 0) + return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m"); r = hash_password(base64_encoded, &hashed); if (r < 0) diff --git a/src/home/homectl-pkcs11.c b/src/home/homectl-pkcs11.c index 69c9d97aca..dc6ecf1665 100644 --- a/src/home/homectl-pkcs11.c +++ b/src/home/homectl-pkcs11.c @@ -19,6 +19,7 @@ static int add_pkcs11_encrypted_key( _cleanup_(json_variant_unrefp) JsonVariant *l = NULL, *w = NULL, *e = NULL; _cleanup_(erase_and_freep) char *base64_encoded = NULL, *hashed = NULL; + ssize_t base64_encoded_size; int r; assert(v); @@ -30,9 +31,9 @@ static int add_pkcs11_encrypted_key( /* Before using UNIX hashing on the supplied key we base64 encode it, since crypt_r() and friends * expect a NUL terminated string, and we use a binary key */ - r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded); - if (r < 0) - return log_error_errno(r, "Failed to base64 encode secret key: %m"); + base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded); + if (base64_encoded_size < 0) + return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m"); r = hash_password(base64_encoded, &hashed); if (r < 0) diff --git a/src/home/homework-fido2.c b/src/home/homework-fido2.c index 23fda4a355..5c7cd52e1b 100644 --- a/src/home/homework-fido2.c +++ b/src/home/homework-fido2.c @@ -17,6 +17,7 @@ int fido2_use_token( _cleanup_(erase_and_freep) void *hmac = NULL; size_t hmac_size; Fido2EnrollFlags flags = 0; + ssize_t ss; int r; assert(h); @@ -65,9 +66,9 @@ int fido2_use_token( if (r < 0) return r; - r = base64mem(hmac, hmac_size, ret); - if (r < 0) - return log_error_errno(r, "Failed to base64 encode HMAC secret: %m"); + ss = base64mem(hmac, hmac_size, ret); + if (ss < 0) + return log_error_errno(ss, "Failed to base64 encode HMAC secret: %m"); return 0; } diff --git a/src/home/homework-fscrypt.c b/src/home/homework-fscrypt.c index f8f9f462bb..afe3447d62 100644 --- a/src/home/homework-fscrypt.c +++ b/src/home/homework-fscrypt.c @@ -407,6 +407,7 @@ static int fscrypt_slot_set( _cleanup_free_ void *encrypted = NULL; const EVP_CIPHER *cc; size_t encrypted_size; + ssize_t ss; r = crypto_random_bytes(salt, sizeof(salt)); if (r < 0) @@ -457,12 +458,12 @@ static int fscrypt_slot_set( assert((size_t) encrypted_size_out1 + (size_t) encrypted_size_out2 < encrypted_size); encrypted_size = (size_t) encrypted_size_out1 + (size_t) encrypted_size_out2; - r = base64mem(salt, sizeof(salt), &salt_base64); - if (r < 0) + ss = base64mem(salt, sizeof(salt), &salt_base64); + if (ss < 0) return log_oom(); - r = base64mem(encrypted, encrypted_size, &encrypted_base64); - if (r < 0) + ss = base64mem(encrypted, encrypted_size, &encrypted_base64); + if (ss < 0) return log_oom(); joined = strjoin(salt_base64, ":", encrypted_base64); diff --git a/src/partition/repart.c b/src/partition/repart.c index 6802a9c874..674bb08015 100644 --- a/src/partition/repart.c +++ b/src/partition/repart.c @@ -3314,6 +3314,7 @@ static int partition_encrypt(Context *context, Partition *p, const char *node) { _cleanup_free_ void *pubkey = NULL; _cleanup_free_ void *blob = NULL, *hash = NULL; size_t secret_size, blob_size, hash_size, pubkey_size = 0; + ssize_t base64_encoded_size; uint16_t pcr_bank, primary_alg; int keyslot; @@ -3341,9 +3342,9 @@ static int partition_encrypt(Context *context, Partition *p, const char *node) { if (r < 0) return log_error_errno(r, "Failed to seal to TPM2: %m"); - r = base64mem(secret, secret_size, &base64_encoded); - if (r < 0) - return log_error_errno(r, "Failed to base64 encode secret key: %m"); + base64_encoded_size = base64mem(secret, secret_size, &base64_encoded); + if (base64_encoded_size < 0) + return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m"); r = cryptsetup_set_minimal_pbkdf(cd); if (r < 0) @@ -3355,7 +3356,7 @@ static int partition_encrypt(Context *context, Partition *p, const char *node) { NULL, VOLUME_KEY_SIZE, base64_encoded, - strlen(base64_encoded)); + base64_encoded_size); if (keyslot < 0) return log_error_errno(keyslot, "Failed to add new TPM2 key: %m"); |