shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-01-21 22:04:01 +03:00
Code

Merge pull request #26016 from poettering/base64mem-ret-fix

Browse Source 
base64mem() return type fix
This commit is contained in:
Lennart Poettering 2023-01-11 13:57:03 +01:00 committed by GitHub
commit 5596331a32
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 98 additions and 83 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
src/basic/hexdecoct.c
View File

@ -588,67 +588,66 @@ ssize_t base64mem_full(
const void *p,
size_t l,
size_t line_break,
char **out) {
char **ret) {
const uint8_t *x;
char *r, *z;
char *b, *z;
size_t m;
assert(p || l == 0);
assert(out);
assert(line_break > 0);
assert(ret);
/* three input bytes makes four output bytes, padding is added so we must round up */
m = 4 * (l + 2) / 3 + 1;
if (line_break != SIZE_MAX)
m += m / line_break;
z = r = malloc(m);
if (!r)
z = b = malloc(m);
if (!b)
return -ENOMEM;
for (x = p; x && x < (const uint8_t*) p + (l / 3) * 3; x += 3) {
/* x[0] == XXXXXXXX; x[1] == YYYYYYYY; x[2] == ZZZZZZZZ */
maybe_line_break(&z, r, line_break);
maybe_line_break(&z, b, line_break);
*(z++) = base64char(x[0] >> 2); /* 00XXXXXX */
maybe_line_break(&z, r, line_break);
maybe_line_break(&z, b, line_break);
*(z++) = base64char((x[0] & 3) << 4 | x[1] >> 4); /* 00XXYYYY */
maybe_line_break(&z, r, line_break);
maybe_line_break(&z, b, line_break);
*(z++) = base64char((x[1] & 15) << 2 | x[2] >> 6); /* 00YYYYZZ */
maybe_line_break(&z, r, line_break);
maybe_line_break(&z, b, line_break);
*(z++) = base64char(x[2] & 63); /* 00ZZZZZZ */
}
switch (l % 3) {
case 2:
maybe_line_break(&z, r, line_break);
maybe_line_break(&z, b, line_break);
*(z++) = base64char(x[0] >> 2); /* 00XXXXXX */
maybe_line_break(&z, r, line_break);
maybe_line_break(&z, b, line_break);
*(z++) = base64char((x[0] & 3) << 4 | x[1] >> 4); /* 00XXYYYY */
maybe_line_break(&z, r, line_break);
maybe_line_break(&z, b, line_break);
*(z++) = base64char((x[1] & 15) << 2); /* 00YYYY00 */
maybe_line_break(&z, r, line_break);
maybe_line_break(&z, b, line_break);
*(z++) = '=';
break;
case 1:
maybe_line_break(&z, r, line_break);
*(z++) = base64char(x[0] >> 2); /* 00XXXXXX */
maybe_line_break(&z, r, line_break);
*(z++) = base64char((x[0] & 3) << 4); /* 00XX0000 */
maybe_line_break(&z, r, line_break);
*(z++) = '=';
maybe_line_break(&z, r, line_break);
*(z++) = '=';
case 1:
maybe_line_break(&z, b, line_break);
*(z++) = base64char(x[0] >> 2); /* 00XXXXXX */
maybe_line_break(&z, b, line_break);
*(z++) = base64char((x[0] & 3) << 4); /* 00XX0000 */
maybe_line_break(&z, b, line_break);
*(z++) = '=';
maybe_line_break(&z, b, line_break);
*(z++) = '=';
break;
}
*z = 0;
*out = r;
assert(z >= r); /* Let static analyzers know that the answer is non-negative. */
return z - r;
*ret = b;
assert(z >= b); /* Let static analyzers know that the answer is non-negative. */
return z - b;
}
static ssize_t base64_append_width(

16
src/cryptenroll/cryptenroll-fido2.c
View File

@ -19,6 +19,7 @@ int load_volume_key_fido2(
_cleanup_(erase_and_freep) void *decrypted_key = NULL;
_cleanup_(erase_and_freep) char *passphrase = NULL;
size_t decrypted_key_size;
ssize_t passphrase_size;
int r;
assert_se(cd);
@ -43,8 +44,8 @@ int load_volume_key_fido2(
/* Because cryptenroll requires a LUKS header, we can assume that this device is not
* a PLAIN device. In this case, we need to base64 encode the secret to use as the passphrase */
r = base64mem(decrypted_key, decrypted_key_size, &passphrase);
if (r < 0)
passphrase_size = base64mem(decrypted_key, decrypted_key_size, &passphrase);
if (passphrase_size < 0)
return log_oom();
r = crypt_volume_key_get(
@ -53,7 +54,7 @@ int load_volume_key_fido2(
ret_vk,
ret_vks,
passphrase,
/* passphrase_size= */ r);
passphrase_size);
if (r < 0)
return log_error_errno(r, "Unlocking via FIDO2 device failed: %m");
@ -74,6 +75,7 @@ int enroll_fido2(
_cleanup_free_ char *keyslot_as_string = NULL;
size_t cid_size, salt_size, secret_size;
_cleanup_free_ void *cid = NULL;
ssize_t base64_encoded_size;
const char *node, *un;
int r, keyslot;
@ -106,9 +108,9 @@ int enroll_fido2(
return r;
/* Before we use the secret, we base64 encode it, for compat with homed, and to make it easier to type in manually */
r = base64mem(secret, secret_size, &base64_encoded);
if (r < 0)
return log_error_errno(r, "Failed to base64 encode secret key: %m");
base64_encoded_size = base64mem(secret, secret_size, &base64_encoded);
if (base64_encoded_size < 0)
return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m");
r = cryptsetup_set_minimal_pbkdf(cd);
if (r < 0)
@ -120,7 +122,7 @@ int enroll_fido2(
volume_key,
volume_key_size,
base64_encoded,
strlen(base64_encoded));
base64_encoded_size);
if (keyslot < 0)
return log_error_errno(keyslot, "Failed to add new FIDO2 key to %s: %m", node);

9
src/cryptenroll/cryptenroll-pkcs11.c
View File

@ -21,6 +21,7 @@ int enroll_pkcs11(
size_t decrypted_key_size, encrypted_key_size;
_cleanup_free_ void *encrypted_key = NULL;
_cleanup_(X509_freep) X509 *cert = NULL;
ssize_t base64_encoded_size;
const char *node;
EVP_PKEY *pkey;
int keyslot, r;
@ -60,9 +61,9 @@ int enroll_pkcs11(
/* Let's base64 encode the key to use, for compat with homed (and it's easier to type it in by
* keyboard, if that might ever end up being necessary.) */
r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
if (r < 0)
return log_error_errno(r, "Failed to base64 encode secret key: %m");
base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
if (base64_encoded_size < 0)
return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m");
r = cryptsetup_set_minimal_pbkdf(cd);
if (r < 0)
@ -74,7 +75,7 @@ int enroll_pkcs11(
volume_key,
volume_key_size,
base64_encoded,
strlen(base64_encoded));
base64_encoded_size);
if (keyslot < 0)
return log_error_errno(keyslot, "Failed to add new PKCS#11 key to %s: %m", node);

9
src/cryptenroll/cryptenroll-tpm2.c
View File

@ -145,6 +145,7 @@ int enroll_tpm2(struct crypt_device *cd,
uint16_t pcr_bank, primary_alg;
const char *node;
_cleanup_(erase_and_freep) char *pin_str = NULL;
ssize_t base64_encoded_size;
int r, keyslot;
TPM2Flags flags = 0;
@ -230,9 +231,9 @@ int enroll_tpm2(struct crypt_device *cd,
}
/* let's base64 encode the key to use, for compat with homed (and it's easier to every type it in by keyboard, if that might end up being necessary. */
r = base64mem(secret, secret_size, &base64_encoded);
if (r < 0)
return log_error_errno(r, "Failed to base64 encode secret key: %m");
base64_encoded_size = base64mem(secret, secret_size, &base64_encoded);
if (base64_encoded_size < 0)
return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m");
r = cryptsetup_set_minimal_pbkdf(cd);
if (r < 0)
@ -244,7 +245,7 @@ int enroll_tpm2(struct crypt_device *cd,
volume_key,
volume_key_size,
base64_encoded,
strlen(base64_encoded));
base64_encoded_size);
if (keyslot < 0)
return log_error_errno(keyslot, "Failed to add new TPM2 key to %s: %m", node);

9
src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c
View File

@ -51,6 +51,7 @@ _public_ int cryptsetup_token_open_pin(
.search_pcr_mask = UINT32_MAX
};
uint16_t pcr_bank, primary_alg;
ssize_t base64_encoded_size;
TPM2Flags flags = 0;
const char *json;
int r;
@ -116,13 +117,13 @@ _public_ int cryptsetup_token_open_pin(
return log_debug_open_error(cd, r);
/* Before using this key as passphrase we base64 encode it, for compat with homed */
r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
if (r < 0)
return log_debug_open_error(cd, r);
base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
if (base64_encoded_size < 0)
return log_debug_open_error(cd, base64_encoded_size);
/* free'd automatically by libcryptsetup */
*ret_password_len = strlen(base64_encoded);
*ret_password = TAKE_PTR(base64_encoded);
*ret_password_len = base64_encoded_size;
return 0;
}

9
src/cryptsetup/cryptsetup-tokens/luks2-fido2.c
View File

@ -25,6 +25,7 @@ int acquire_luks2_key(
_cleanup_(erase_and_freep) void *decrypted_key = NULL;
_cleanup_(erase_and_freep) char *base64_encoded = NULL;
_cleanup_strv_free_erase_ char **pins = NULL;
ssize_t base64_encoded_size;
assert(ret_keyslot_passphrase);
assert(ret_keyslot_passphrase_size);
@ -58,12 +59,12 @@ int acquire_luks2_key(
return r;
/* Before using this key as passphrase we base64 encode it, for compat with homed */
r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
if (r < 0)
return crypt_log_error_errno(cd, r, "Failed to base64 encode key: %m");
base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
if (base64_encoded_size < 0)
return crypt_log_error_errno(cd, (int) base64_encoded_size, "Failed to base64 encode key: %m");
*ret_keyslot_passphrase = TAKE_PTR(base64_encoded);
*ret_keyslot_passphrase_size = strlen(*ret_keyslot_passphrase);
*ret_keyslot_passphrase_size = base64_encoded_size;
return 0;
}

9
src/cryptsetup/cryptsetup-tokens/luks2-pkcs11.c
View File

@ -187,6 +187,7 @@ int acquire_luks2_key(
_cleanup_free_ char *pkcs11_uri = NULL;
_cleanup_free_ void *encrypted_key = NULL;
systemd_pkcs11_plugin_params *pkcs11_params = userdata;
ssize_t base64_encoded_size;
assert(json);
assert(ret_password);
@ -213,12 +214,12 @@ int acquire_luks2_key(
if (r < 0)
return r;
r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
if (r < 0)
return crypt_log_error_errno(cd, r, "Can not base64 encode key: %m");
base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
if (base64_encoded_size < 0)
return crypt_log_error_errno(cd, (int) base64_encoded_size, "Can not base64 encode key: %m");
*ret_password = TAKE_PTR(base64_encoded);
*ret_password_size = strlen(*ret_password);
*ret_password_size = base64_encoded_size;
return 0;
}

21
src/cryptsetup/cryptsetup.c
View File

@ -1160,14 +1160,15 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
r = crypt_activate_by_volume_key(cd, name, decrypted_key, decrypted_key_size, flags);
else {
_cleanup_(erase_and_freep) char *base64_encoded = NULL;
ssize_t base64_encoded_size;
/* Before using this key as passphrase we base64 encode it, for compat with homed */
r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
if (r < 0)
base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
if (base64_encoded_size < 0)
return log_oom();
r = crypt_activate_by_passphrase(cd, name, keyslot, base64_encoded, strlen(base64_encoded), flags);
r = crypt_activate_by_passphrase(cd, name, keyslot, base64_encoded, base64_encoded_size, flags);
}
if (r == -EPERM) {
log_error_errno(r, "Failed to activate with FIDO2 decrypted key. (Key incorrect?)");
@ -1307,6 +1308,7 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
r = crypt_activate_by_volume_key(cd, name, decrypted_key, decrypted_key_size, flags);
else {
_cleanup_(erase_and_freep) char *base64_encoded = NULL;
ssize_t base64_encoded_size;
/* Before using this key as passphrase we base64 encode it. Why? For compatibility
* with homed's PKCS#11 hookup: there we want to use the key we acquired through
@ -1316,11 +1318,11 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
* without embedded NUL here too, and that's easiest to generate from a binary blob
* via base64 encoding. */
r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
if (r < 0)
base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
if (base64_encoded_size < 0)
return log_oom();
r = crypt_activate_by_passphrase(cd, name, keyslot, base64_encoded, strlen(base64_encoded), flags);
r = crypt_activate_by_passphrase(cd, name, keyslot, base64_encoded, base64_encoded_size, flags);
}
if (r == -EPERM) {
log_error_errno(r, "Failed to activate with PKCS#11 decrypted key. (Key incorrect?)");
@ -1595,14 +1597,15 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
r = crypt_activate_by_volume_key(cd, name, decrypted_key, decrypted_key_size, flags);
else {
_cleanup_(erase_and_freep) char *base64_encoded = NULL;
ssize_t base64_encoded_size;
/* Before using this key as passphrase we base64 encode it, for compat with homed */
r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
if (r < 0)
base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
if (base64_encoded_size < 0)
return log_oom();
r = crypt_activate_by_passphrase(cd, name, keyslot, base64_encoded, strlen(base64_encoded), flags);
r = crypt_activate_by_passphrase(cd, name, keyslot, base64_encoded, base64_encoded_size, flags);
}
if (r == -EPERM) {
log_error_errno(r, "Failed to activate with TPM2 decrypted key. (Key incorrect?)");

14
src/home/homectl-fido2.c
View File

@ -26,14 +26,15 @@ static int add_fido2_credential_id(
_cleanup_(json_variant_unrefp) JsonVariant *w = NULL;
_cleanup_strv_free_ char **l = NULL;
_cleanup_free_ char *escaped = NULL;
ssize_t escaped_size;
int r;
assert(v);
assert(cid);
r = base64mem(cid, cid_size, &escaped);
if (r < 0)
return log_error_errno(r, "Failed to base64 encode FIDO2 credential ID: %m");
escaped_size = base64mem(cid, cid_size, &escaped);
if (escaped_size < 0)
return log_error_errno(escaped_size, "Failed to base64 encode FIDO2 credential ID: %m");
w = json_variant_ref(json_variant_by_key(*v, "fido2HmacCredential"));
if (w) {
@ -73,13 +74,14 @@ static int add_fido2_salt(
_cleanup_(json_variant_unrefp) JsonVariant *l = NULL, *w = NULL, *e = NULL;
_cleanup_(erase_and_freep) char *base64_encoded = NULL, *hashed = NULL;
ssize_t base64_encoded_size;
int r;
/* Before using UNIX hashing on the supplied key we base64 encode it, since crypt_r() and friends
* expect a NUL terminated string, and we use a binary key */
r = base64mem(secret, secret_size, &base64_encoded);
if (r < 0)
return log_error_errno(r, "Failed to base64 encode secret key: %m");
base64_encoded_size = base64mem(secret, secret_size, &base64_encoded);
if (base64_encoded_size < 0)
return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m");
r = hash_password(base64_encoded, &hashed);
if (r < 0)

7
src/home/homectl-pkcs11.c
View File

@ -19,6 +19,7 @@ static int add_pkcs11_encrypted_key(
_cleanup_(json_variant_unrefp) JsonVariant *l = NULL, *w = NULL, *e = NULL;
_cleanup_(erase_and_freep) char *base64_encoded = NULL, *hashed = NULL;
ssize_t base64_encoded_size;
int r;
assert(v);
@ -30,9 +31,9 @@ static int add_pkcs11_encrypted_key(
/* Before using UNIX hashing on the supplied key we base64 encode it, since crypt_r() and friends
* expect a NUL terminated string, and we use a binary key */
r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
if (r < 0)
return log_error_errno(r, "Failed to base64 encode secret key: %m");
base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
if (base64_encoded_size < 0)
return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m");
r = hash_password(base64_encoded, &hashed);
if (r < 0)

7
src/home/homework-fido2.c
View File

@ -17,6 +17,7 @@ int fido2_use_token(
_cleanup_(erase_and_freep) void *hmac = NULL;
size_t hmac_size;
Fido2EnrollFlags flags = 0;
ssize_t ss;
int r;
assert(h);
@ -65,9 +66,9 @@ int fido2_use_token(
if (r < 0)
return r;
r = base64mem(hmac, hmac_size, ret);
if (r < 0)
return log_error_errno(r, "Failed to base64 encode HMAC secret: %m");
ss = base64mem(hmac, hmac_size, ret);
if (ss < 0)
return log_error_errno(ss, "Failed to base64 encode HMAC secret: %m");
return 0;
}

9
src/home/homework-fscrypt.c
View File

@ -407,6 +407,7 @@ static int fscrypt_slot_set(
_cleanup_free_ void *encrypted = NULL;
const EVP_CIPHER *cc;
size_t encrypted_size;
ssize_t ss;
r = crypto_random_bytes(salt, sizeof(salt));
if (r < 0)
@ -457,12 +458,12 @@ static int fscrypt_slot_set(
assert((size_t) encrypted_size_out1 + (size_t) encrypted_size_out2 < encrypted_size);
encrypted_size = (size_t) encrypted_size_out1 + (size_t) encrypted_size_out2;
r = base64mem(salt, sizeof(salt), &salt_base64);
if (r < 0)
ss = base64mem(salt, sizeof(salt), &salt_base64);
if (ss < 0)
return log_oom();
r = base64mem(encrypted, encrypted_size, &encrypted_base64);
if (r < 0)
ss = base64mem(encrypted, encrypted_size, &encrypted_base64);
if (ss < 0)
return log_oom();
joined = strjoin(salt_base64, ":", encrypted_base64);

9
src/partition/repart.c
View File

@ -3314,6 +3314,7 @@ static int partition_encrypt(Context *context, Partition *p, const char *node) {
_cleanup_free_ void *pubkey = NULL;
_cleanup_free_ void *blob = NULL, *hash = NULL;
size_t secret_size, blob_size, hash_size, pubkey_size = 0;
ssize_t base64_encoded_size;
uint16_t pcr_bank, primary_alg;
int keyslot;
@ -3341,9 +3342,9 @@ static int partition_encrypt(Context *context, Partition *p, const char *node) {
if (r < 0)
return log_error_errno(r, "Failed to seal to TPM2: %m");
r = base64mem(secret, secret_size, &base64_encoded);
if (r < 0)
return log_error_errno(r, "Failed to base64 encode secret key: %m");
base64_encoded_size = base64mem(secret, secret_size, &base64_encoded);
if (base64_encoded_size < 0)
return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m");
r = cryptsetup_set_minimal_pbkdf(cd);
if (r < 0)
@ -3355,7 +3356,7 @@ static int partition_encrypt(Context *context, Partition *p, const char *node) {
NULL,
VOLUME_KEY_SIZE,
base64_encoded,
strlen(base64_encoded));
base64_encoded_size);
if (keyslot < 0)
return log_error_errno(keyslot, "Failed to add new TPM2 key: %m");