dmsetup: hide integrity encryption keys on table output

2024-12-21 13:34:40 +03:00 · 2017-11-10 13:55:04 +01:00 · 2017-11-10 13:55:04 +01:00 · 32e747dd31
commit 32e747dd31
parent 512b2adc77
3 changed files with 48 additions and 19 deletions
--- a/1
+++ b/1
@ -1,5 +1,6 @@
 Version 1.02.146 -
 ====================================
+  Suppress integrity encryption keys in 'table' output unless --showkeys supplied.

 Version 1.02.145 - 3rd November 2017
 ====================================
--- a/man/dmsetup.8_main
+++ b/man/dmsetup.8_main
@ -842,10 +842,10 @@ Outputs the current table for the device in a format that can be fed
 back in using the create or load commands.
 With \fB--target\fP, only information relating to the specified target type
 is displayed.
-Real encryption keys are suppressed in the table output for the crypt
-target unless the \fB--showkeys\fP parameter is supplied. Kernel key
+Real encryption keys are suppressed in the table output for crypt and integrity
+targets unless the \fB--showkeys\fP parameter is supplied. Kernel key
 references prefixed with \fB:\fP are not affected by the parameter and get
-displayed always.
+displayed always (crypt target only).
 With \fB--concise\fP, the output is presented concisely on a single line.
 Commas then separate the name, uuid, minor device number, flags ('ro' or 'rw')
 and the table (if present). Semi-colons separate devices. Backslashes escape
--- a/tools/dmsetup.c
+++ b/tools/dmsetup.c
@ -2375,6 +2375,24 @@ static void _print_string_quoted(const char *s)
 	}
 }

+static void hide_key(char *params, const char *name)
+{
+	char *c = strstr(params, name);
+
+	if (!c)
+		return;
+
+	c += strlen(name);
+
+	/* key is optional */
+	c = strpbrk(c, " :");
+	if (!c || *c++ != ':')
+		return;
+
+	while (*c && *c != ' ')
+		*c++ = '0';
+}
+
 static int _status(CMD_ARGS)
 {
 	int r = 0;
@ -2480,10 +2498,10 @@ static int _status(CMD_ARGS)
 			}
 			/* Next print any target-specific information */
 			if (target_type) {
-				/* Suppress encryption key */
+				/* Suppress encryption keys */
 				if (!_switches[SHOWKEYS_ARG] &&
-				    cmdno == DM_DEVICE_TABLE &&
-				    !strcmp(target_type, "crypt")) {
+				    cmdno == DM_DEVICE_TABLE) {
+					if (!strcmp(target_type, "crypt")) {
 						c = params;
 						while (*c && *c != ' ')
 							c++;
@ -2498,6 +2516,16 @@ static int _status(CMD_ARGS)
 						if (*c != ':')
 							while (*c && *c != ' ')
 								*c++ = '0';
+					} else if (!strcmp(target_type, "integrity")) {
+						/*
+						 * "internal_hash", "journal_crypt" and "journal_mac"
+						 *  params allow keys optionally in hexbyte
+						 *  representation.
+						 */
+						hide_key(params, "internal_hash:");
+						hide_key(params, "journal_crypt:");
+						hide_key(params, "journal_mac:");
+					}
 				}
 				if (use_concise)
 					putchar(',');