alex/bcachefs-tools
1
0
Fork 0
mirror of https://github.com/koverstreet/bcachefs-tools.git synced 2025-02-23 00:00:02 +03:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Apply naming convention: passphrase->unlock->key->decrypt->fs

Browse Source 
Signed-off-by: Roland Vet <RlndVt@protonmail.com>
This commit is contained in:
Roland Vet 2024-02-22 21:37:37 +01:00
parent 387e2a01ce
commit 817e957697
3 changed files with 59 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
c_src/cmd_key.c
View File

@ -18,7 +18,7 @@ static void unlock_usage(void)
" -c Check if a device is encrypted\n" " -c Check if a device is encrypted\n"
" -k (session|user|user_session)\n" " -k (session|user|user_session)\n"
" Keyring to add to (default: user)\n" " Keyring to add to (default: user)\n"
" -f Keyfile to read from (disables password prompt)\n" " -f Passphrase file to read from (disables passphrase prompt)\n"
" -h Display this help and exit\n" " -h Display this help and exit\n"
"Report bugs to <linux-bcachefs@vger.kernel.org>"); "Report bugs to <linux-bcachefs@vger.kernel.org>");
} }
@ -27,7 +27,7 @@ int cmd_unlock(int argc, char *argv[])
{ {
const char *keyring = "user"; const char *keyring = "user";
bool check = false; bool check = false;
const char *key_file_path = NULL; const char *passphrase_file_path = NULL;
char *passphrase = NULL; char *passphrase = NULL;
int opt; int opt;
@ -41,7 +41,7 @@ int cmd_unlock(int argc, char *argv[])
keyring = strdup(optarg); keyring = strdup(optarg);
break; break;
case 'f': case 'f':
key_file_path = strdup(optarg); passphrase_file_path = strdup(optarg);
break; break;
case 'h': case 'h':
unlock_usage(); unlock_usage();
@ -71,8 +71,8 @@ int cmd_unlock(int argc, char *argv[])
if (check) if (check)
exit(EXIT_SUCCESS); exit(EXIT_SUCCESS);
if (key_file_path){ if (passphrase_file_path){
passphrase = read_file_str(AT_FDCWD, key_file_path); passphrase = read_file_str(AT_FDCWD, passphrase_file_path);
} else { } else {
passphrase = read_passphrase("Enter passphrase: "); passphrase = read_passphrase("Enter passphrase: ");
} }

33
src/commands/cmd_mount.rs
View File

@ -5,7 +5,7 @@ use uuid::Uuid;
use std::io::{stdout, IsTerminal}; use std::io::{stdout, IsTerminal};
use std::path::PathBuf; use std::path::PathBuf;
use crate::key; use crate::key;
use crate::key::KeyPolicy; use crate::key::UnlockPolicy;
use std::ffi::{CString, c_char, c_void}; use std::ffi::{CString, c_char, c_void};
use std::os::unix::ffi::OsStrExt; use std::os::unix::ffi::OsStrExt;
@ -128,13 +128,13 @@ fn get_devices_by_uuid(uuid: Uuid) -> anyhow::Result<Vec<(PathBuf, bch_sb_handle
#[derive(Parser, Debug)] #[derive(Parser, Debug)]
#[command(author, version, about, long_about = None)] #[command(author, version, about, long_about = None)]
pub struct Cli { pub struct Cli {
/// Path to password key file /// Path to passphrase/key file
/// ///
/// Precedes key_location: if the filesystem can be decrypted by the /// Precedes key_location/unlock_policy: if the filesystem can be decrypted
/// specified key_file; it is decrypted. (i.e. Regardless if "fail" /// by the specified passphrase file; it is decrypted. (i.e. Regardless
/// is specified for key_location.) /// if "fail" is specified for key_location/unlock_policy.)
#[arg(short = 'f', long)] #[arg(short = 'f', long)]
key_file: Option<PathBuf>, passphrase_file: Option<PathBuf>,
/// Password policy to use in case of encrypted filesystem. /// Password policy to use in case of encrypted filesystem.
/// ///
@ -143,7 +143,7 @@ pub struct Cli {
/// "wait" - wait for password to become available before mounting; /// "wait" - wait for password to become available before mounting;
/// "ask" - prompt the user for password; /// "ask" - prompt the user for password;
#[arg(short = 'k', long = "key_location", default_value = "ask", verbatim_doc_comment)] #[arg(short = 'k', long = "key_location", default_value = "ask", verbatim_doc_comment)]
key_policy: KeyPolicy, unlock_policy: UnlockPolicy,
/// Device, or UUID=\<UUID\> /// Device, or UUID=\<UUID\>
dev: String, dev: String,
@ -207,27 +207,26 @@ fn cmd_mount_inner(opt: Cli) -> anyhow::Result<()> {
} }
// Check if the filesystem's master key is encrypted // Check if the filesystem's master key is encrypted
if unsafe { bcachefs::bch2_sb_is_encrypted(block_devices_to_mount[0].sb) } { if unsafe { bcachefs::bch2_sb_is_encrypted(block_devices_to_mount[0].sb) } {
// Filesystem's master key is encrypted, attempt to decrypt // First by password_file, if available
// First by key_file, if available let fallback_to_unlock_policy = if let Some(passphrase_file) = &opt.passphrase_file {
let fallback_to_prepare_key = if let Some(key_file) = &opt.key_file { match key::read_from_passphrase_file(&block_devices_to_mount[0], passphrase_file.as_path()) {
match key::read_from_key_file(&block_devices_to_mount[0], key_file.as_path()) {
Ok(()) => { Ok(()) => {
// Decryption succeeded // Decryption succeeded
false false
} }
Err(err) => { Err(err) => {
// Decryption failed, fall back to prepare_key // Decryption failed, fall back to unlock_policy
error!("Failed to decrypt using key_file: {}", err); error!("Failed to decrypt using passphrase_file: {}", err);
true true
} }
} }
} else { } else {
// No key_file specified, fall back to prepare_key // No passphrase_file specified, fall back to unlock_policy
true true
}; };
// If decryption by key_file was unsuccesful, prompt for password (or follow key_policy) // If decryption by key_file was unsuccesful, prompt for passphrase (or follow key_policy)
if fallback_to_prepare_key { if fallback_to_unlock_policy {
key::prepare_key(&block_devices_to_mount[0], opt.key_policy)?; key::apply_key_unlocking_policy(&block_devices_to_mount[0], opt.unlock_policy)?;
}; };
} }

76
src/key.rs
View File

@ -7,33 +7,33 @@ use crate::c_str;
use anyhow::anyhow; use anyhow::anyhow;
#[derive(Clone, Debug)] #[derive(Clone, Debug)]
pub enum KeyPolicy { pub enum UnlockPolicy {
None, None,
Fail, Fail,
Wait, Wait,
Ask, Ask,
} }
impl std::str::FromStr for KeyPolicy { impl std::str::FromStr for UnlockPolicy {
type Err = anyhow::Error; type Err = anyhow::Error;
fn from_str(s: &str) -> anyhow::Result<Self> { fn from_str(s: &str) -> anyhow::Result<Self> {
match s { match s {
""|"none" => Ok(KeyPolicy::None), ""|"none" => Ok(UnlockPolicy::None),
"fail" => Ok(KeyPolicy::Fail), "fail" => Ok(UnlockPolicy::Fail),
"wait" => Ok(KeyPolicy::Wait), "wait" => Ok(UnlockPolicy::Wait),
"ask" => Ok(KeyPolicy::Ask), "ask" => Ok(UnlockPolicy::Ask),
_ => Err(anyhow!("Invalid key policy provided")), _ => Err(anyhow!("Invalid unlock policy provided")),
} }
} }
} }
impl clap::ValueEnum for KeyPolicy { impl clap::ValueEnum for UnlockPolicy {
fn value_variants<'a>() -> &'a [Self] { fn value_variants<'a>() -> &'a [Self] {
&[ &[
KeyPolicy::None, UnlockPolicy::None,
KeyPolicy::Fail, UnlockPolicy::Fail,
KeyPolicy::Wait, UnlockPolicy::Wait,
KeyPolicy::Ask, UnlockPolicy::Ask,
] ]
} }
@ -47,13 +47,13 @@ impl clap::ValueEnum for KeyPolicy {
} }
} }
impl fmt::Display for KeyPolicy { impl fmt::Display for UnlockPolicy {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
match self { match self {
KeyPolicy::None => write!(f, "None"), UnlockPolicy::None => write!(f, "None"),
KeyPolicy::Fail => write!(f, "Fail"), UnlockPolicy::Fail => write!(f, "Fail"),
KeyPolicy::Wait => write!(f, "Wait"), UnlockPolicy::Wait => write!(f, "Wait"),
KeyPolicy::Ask => write!(f, "Ask"), UnlockPolicy::Ask => write!(f, "Ask"),
} }
} }
} }
@ -75,7 +75,7 @@ fn check_for_key(key_name: &std::ffi::CStr) -> anyhow::Result<bool> {
} }
} }
fn wait_for_key(uuid: &uuid::Uuid) -> anyhow::Result<()> { fn wait_for_unlock(uuid: &uuid::Uuid) -> anyhow::Result<()> {
let key_name = std::ffi::CString::new(format!("bcachefs:{}", uuid)).unwrap(); let key_name = std::ffi::CString::new(format!("bcachefs:{}", uuid)).unwrap();
loop { loop {
if check_for_key(&key_name)? { if check_for_key(&key_name)? {
@ -86,19 +86,19 @@ fn wait_for_key(uuid: &uuid::Uuid) -> anyhow::Result<()> {
} }
} }
fn ask_for_key(sb: &bch_sb_handle) -> anyhow::Result<()> { fn ask_for_passphrase(sb: &bch_sb_handle) -> anyhow::Result<()> {
let pass = if stdin().is_terminal() { let passphrase = if stdin().is_terminal() {
rpassword::prompt_password("Enter passphrase: ")? rpassword::prompt_password("Enter passphrase: ")?
} else { } else {
let mut line = String::new(); let mut line = String::new();
stdin().read_line(&mut line)?; stdin().read_line(&mut line)?;
line line
}; };
decrypt_master_key(sb, pass) unlock_master_key(sb, &passphrase)
} }
const BCH_KEY_MAGIC: &str = "bch**key"; const BCH_KEY_MAGIC: &str = "bch**key";
fn decrypt_master_key(sb: &bch_sb_handle, pass: String) -> anyhow::Result<()> { fn unlock_master_key(sb: &bch_sb_handle, passphrase: &String) -> anyhow::Result<()> {
use bch_bindgen::bcachefs::{self, bch2_chacha_encrypt_key, bch_encrypted_key, bch_key}; use bch_bindgen::bcachefs::{self, bch2_chacha_encrypt_key, bch_encrypted_key, bch_key};
use byteorder::{LittleEndian, ReadBytesExt}; use byteorder::{LittleEndian, ReadBytesExt};
use std::os::raw::c_char; use std::os::raw::c_char;
@ -110,11 +110,11 @@ fn decrypt_master_key(sb: &bch_sb_handle, pass: String) -> anyhow::Result<()> {
let bch_key_magic = BCH_KEY_MAGIC.as_bytes().read_u64::<LittleEndian>().unwrap(); let bch_key_magic = BCH_KEY_MAGIC.as_bytes().read_u64::<LittleEndian>().unwrap();
let crypt = sb.sb().crypt().unwrap(); let crypt = sb.sb().crypt().unwrap();
let pass = std::ffi::CString::new(pass.trim_end())?; // bind to keep the CString alive let passphrase = std::ffi::CString::new(passphrase.trim_end())?; // bind to keep the CString alive
let mut output: bch_key = unsafe { let mut output: bch_key = unsafe {
bcachefs::derive_passphrase( bcachefs::derive_passphrase(
crypt as *const _ as *mut _, crypt as *const _ as *mut _,
pass.as_c_str().to_bytes_with_nul().as_ptr() as *const _, passphrase.as_c_str().to_bytes_with_nul().as_ptr() as *const _,
) )
}; };
@ -150,22 +150,22 @@ fn decrypt_master_key(sb: &bch_sb_handle, pass: String) -> anyhow::Result<()> {
} }
} }
pub fn read_from_key_file(block_device: &bch_sb_handle, key_file: &std::path::Path) -> anyhow::Result<()> { pub fn read_from_passphrase_file(block_device: &bch_sb_handle, passphrase_file: &std::path::Path) -> anyhow::Result<()> {
// Attempts to decrypt the master key by key_file // Attempts to unlock the master key by password_file
// Return true if decryption was successful, false otherwise // Return true if unlock was successful, false otherwise
info!("Attempting to decrypt master key for filesystem {}, using key file {}", block_device.sb().uuid(), key_file.display()); info!("Attempting to unlock master key for filesystem {}, using password from file {}", block_device.sb().uuid(), passphrase_file.display());
// Read the contents of the key file into a string // Read the contents of the password_file into a string
let pass = fs::read_to_string(key_file)?; let passphrase = fs::read_to_string(passphrase_file)?;
// Call decrypt_master_key with the read string // Call decrypt_master_key with the read string
decrypt_master_key(block_device, pass) unlock_master_key(block_device, &passphrase)
} }
pub fn prepare_key(block_device: &bch_sb_handle, password_policy: KeyPolicy) -> anyhow::Result<()> { pub fn apply_key_unlocking_policy(block_device: &bch_sb_handle, unlock_policy: UnlockPolicy) -> anyhow::Result<()> {
info!("Attempting to decrypt master key for filesystem {}, using key policy {}", block_device.sb().uuid(), password_policy); info!("Attempting to unlock master key for filesystem {}, using unlock policy {}", block_device.sb().uuid(), unlock_policy);
match password_policy { match unlock_policy {
KeyPolicy::Fail => Err(anyhow!("no key available")), UnlockPolicy::Fail => Err(anyhow!("no passphrase available")),
KeyPolicy::Wait => Ok(wait_for_key(&block_device.sb().uuid())?), UnlockPolicy::Wait => Ok(wait_for_unlock(&block_device.sb().uuid())?),
KeyPolicy::Ask => ask_for_key(block_device), UnlockPolicy::Ask => ask_for_passphrase(block_device),
_ => Err(anyhow!("no keyoption specified for locked filesystem")), _ => Err(anyhow!("no unlock policy specified for locked filesystem")),
} }
} }