alex/bcachefs-tools
1
0
Fork 0
mirror of https://github.com/koverstreet/bcachefs-tools.git synced 2025-02-23 00:00:02 +03:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #329 from ticpu/set-passphrase

Browse Source 
Fix set-passphrase on --no_passphrase FS
This commit is contained in:
koverstreet 2024-12-03 22:41:13 -05:00 committed by GitHub
commit 077677e61c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 48 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
c_src/cmd_key.c
View File

@ -104,24 +104,19 @@ int cmd_set_passphrase(int argc, char *argv[])
if (IS_ERR(c)) if (IS_ERR(c))
die("Error opening %s: %s", argv[1], bch2_err_str(PTR_ERR(c))); die("Error opening %s: %s", argv[1], bch2_err_str(PTR_ERR(c)));
struct bch_sb_field_crypt *crypt = bch2_sb_field_get(c->disk_sb.sb, crypt); struct bch_sb *sb = c->disk_sb.sb;
struct bch_sb_field_crypt *crypt = bch2_sb_field_get(sb, crypt);
if (!crypt) if (!crypt)
die("Filesystem does not have encryption enabled"); die("Filesystem does not have encryption enabled");
struct bch_encrypted_key new_key; struct bch_key key;
new_key.magic = BCH_KEY_MAGIC; int ret = bch2_decrypt_sb_key(c, crypt, &key);
int ret = bch2_decrypt_sb_key(c, crypt, &new_key.key);
if (ret) if (ret)
die("Error getting current key"); die("Error getting current key");
char *new_passphrase = read_passphrase_twice("Enter new passphrase: "); char *new_passphrase = read_passphrase_twice("Enter new passphrase: ");
struct bch_key passphrase_key = derive_passphrase(crypt, new_passphrase);
if (bch2_chacha_encrypt_key(&passphrase_key, __bch2_sb_key_nonce(c->disk_sb.sb), bch_crypt_update_passphrase(sb, crypt, &key, new_passphrase);
&new_key, sizeof(new_key)))
die("error encrypting key");
crypt->key = new_key;
bch2_revoke_key(c->disk_sb.sb); bch2_revoke_key(c->disk_sb.sb);
bch2_write_super(c); bch2_write_super(c);
@ -142,18 +137,17 @@ int cmd_remove_passphrase(int argc, char *argv[])
if (IS_ERR(c)) if (IS_ERR(c))
die("Error opening %s: %s", argv[1], bch2_err_str(PTR_ERR(c))); die("Error opening %s: %s", argv[1], bch2_err_str(PTR_ERR(c)));
struct bch_sb_field_crypt *crypt = bch2_sb_field_get(c->disk_sb.sb, crypt); struct bch_sb *sb = c->disk_sb.sb;
struct bch_sb_field_crypt *crypt = bch2_sb_field_get(sb, crypt);
if (!crypt) if (!crypt)
die("Filesystem does not have encryption enabled"); die("Filesystem does not have encryption enabled");
struct bch_encrypted_key new_key; struct bch_key key;
new_key.magic = BCH_KEY_MAGIC; int ret = bch2_decrypt_sb_key(c, crypt, &key);
int ret = bch2_decrypt_sb_key(c, crypt, &new_key.key);
if (ret) if (ret)
die("Error getting current key"); die("Error getting current key");
crypt->key = new_key; bch_crypt_update_passphrase(sb, crypt, &key, NULL);
bch2_write_super(c); bch2_write_super(c);
bch2_fs_stop(c); bch2_fs_stop(c);

39
c_src/crypto.c
View File

@ -176,26 +176,47 @@ void bch_sb_crypt_init(struct bch_sb *sb,
struct bch_sb_field_crypt *crypt, struct bch_sb_field_crypt *crypt,
const char *passphrase) const char *passphrase)
{ {
struct bch_key key;
get_random_bytes(&key, sizeof(key));
crypt->key.magic = BCH_KEY_MAGIC; crypt->key.magic = BCH_KEY_MAGIC;
get_random_bytes(&crypt->key.key, sizeof(crypt->key.key)); crypt->key.key = key;
if (passphrase) { bch_crypt_update_passphrase(sb, crypt, &key, passphrase);
}
void bch_crypt_update_passphrase(
struct bch_sb *sb,
struct bch_sb_field_crypt *crypt,
struct bch_key *key,
const char *new_passphrase)
{
struct bch_encrypted_key new_key;
new_key.magic = BCH_KEY_MAGIC;
new_key.key = *key;
if(!new_passphrase) {
crypt->key = new_key;
return;
}
// If crypt already has an encrypted key reuse it's encryption params
if (!bch2_key_is_encrypted(&crypt->key)) {
SET_BCH_CRYPT_KDF_TYPE(crypt, BCH_KDF_SCRYPT); SET_BCH_CRYPT_KDF_TYPE(crypt, BCH_KDF_SCRYPT);
SET_BCH_KDF_SCRYPT_N(crypt, ilog2(16384)); SET_BCH_KDF_SCRYPT_N(crypt, ilog2(16384));
SET_BCH_KDF_SCRYPT_R(crypt, ilog2(8)); SET_BCH_KDF_SCRYPT_R(crypt, ilog2(8));
SET_BCH_KDF_SCRYPT_P(crypt, ilog2(16)); SET_BCH_KDF_SCRYPT_P(crypt, ilog2(16));
}
struct bch_key passphrase_key = derive_passphrase(crypt, passphrase); struct bch_key passphrase_key = derive_passphrase(crypt, new_passphrase);
assert(!bch2_key_is_encrypted(&crypt->key));
if (bch2_chacha_encrypt_key(&passphrase_key, __bch2_sb_key_nonce(sb), if (bch2_chacha_encrypt_key(&passphrase_key, __bch2_sb_key_nonce(sb),
&crypt->key, sizeof(crypt->key))) &new_key, sizeof(new_key)))
die("error encrypting key"); die("error encrypting key");
assert(bch2_key_is_encrypted(&crypt->key));
memzero_explicit(&passphrase_key, sizeof(passphrase_key)); memzero_explicit(&passphrase_key, sizeof(passphrase_key));
}
crypt->key = new_key;
assert(bch2_key_is_encrypted(&crypt->key));
} }

3
c_src/crypto.h
View File

@ -19,4 +19,7 @@ void bch2_add_key(struct bch_sb *, const char *, const char *, const char *);
void bch_sb_crypt_init(struct bch_sb *sb, struct bch_sb_field_crypt *, void bch_sb_crypt_init(struct bch_sb *sb, struct bch_sb_field_crypt *,
const char *); const char *);
void bch_crypt_update_passphrase(struct bch_sb *sb, struct bch_sb_field_crypt *crypt,
struct bch_key *key, const char *new_passphrase);
#endif /* _CRYPTO_H */ #endif /* _CRYPTO_H */