[dm-crypt] about invalid key slots

.. ink .. mhogomchungu at gmail.com
Mon Apr 2 12:10:42 CEST 2012


Resending the email to the list, as I think the first one was not sent to
the mailing list.

I am seeing something odd. I cannot explain it, but this is what I am
seeing; at least there is consistency finally.

I wrote a simple program to test this and this is what I have found out.
The program is called cik in this example and it takes 4 args: path to luks
volume, offset, junk to write at the offset, new hopefully corrupted volume.

on-disk-format.pdf says key-slot-2 is at offset 256, luksDump says it's at
264. Is this expected?

The output of "zuluCrypt-cli -b" to show slot status:
0 - inactive slot
1 - active slot
2 - invalid slot

test1
[ink at mtz ~]$ ./cik luks 256  tiufvtfbuybougougbtvtvviytrf  cvol
[ink at mtz ~]$ zuluCrypt-cli -b -d cvol
12100000
[ink at mtz ~]$

When I try my test with offset 256, luksDump reports the slot as disabled
but the crypt_keyslot_status API reports it as invalid, as the above test shows.

The above is output as reported by crypt_keyslot_max(), full code at the
end of this email.

test2
[ink at mtz ~]$ ./cik luks 264  tiufvtfbuybougougbtvtvviytrf  cvol
[ink at mtz ~]$ zuluCrypt-cli -b -d cvol
11100000
[ink at mtz ~]$

When I add junk at offset 264 of length less than 32 characters as
above, crypt_keyslot_max() and luksDump report the slot as active and
cryptsetup asks for a passphrase when attempting to open the volume.

test3
[ink at mtz ~]$ ./cik luks 264  tiufvtfbuybougougbtvtfgytfvytryfbyfvviytrf  cvol
[ink at mtz ~]$ zuluCrypt-cli -b -d cvol
device "cvol" is not a luks device
[ink at mtz ~]$

If I increase the junk to above 32 characters as above, luksDump
reports:
[root at mtz ink]# cryptsetup luksDump cvol
LUKS keyslot 1 is invalid.

and zuluCrypt reports:

./cik luks 264  tiufvtfbuybougougbtvtfgytfvytryfbyfvviytrf  cvol
[ink at mtz ~]$ zuluCrypt-cli -b -d cvol
device "cvol" is not a luks device

Can these 3 tests be explained? I am using cryptsetup 1.4.1

zuluCrypt code that checks for keyslots as promised above:

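    #include <stdlib.h>
    #include <libcryptsetup.h>

    /*
     * Returns a malloc()ed string with one character per LUKS1 key slot
     * ( '0' inactive, '1' active, '2' invalid, '3' last active slot ),
     * or NULL on error. The caller frees the string.
     * is_luks() is a zuluCrypt helper defined elsewhere.
     */
    char * empty_slots( const char * device )
    {
        crypt_keyslot_info cki ;
        struct crypt_device * cd;
        int i ;
        int j ;
        int k ;
        char * slot ;

        if( is_luks( device ) == 1 )
            return NULL ;

        i = crypt_init( &cd,device ) ;

        if( i != 0 )
            return NULL ;

        i = crypt_load( cd, CRYPT_LUKS1, NULL ) ;

        if( i != 0 ){
            /* release the context before bailing out */
            crypt_free( cd ) ;
            return NULL ;
        }

        k = crypt_keyslot_max( CRYPT_LUKS1 ) ;

        slot = ( char * ) malloc( sizeof( char ) * ( k + 1 ) ) ;

        if( slot == NULL ){
            crypt_free( cd ) ;
            return NULL ;
        }

        /* one status character per key slot */
        for( j = 0 ; j < k ; j++){
            cki = crypt_keyslot_status(cd, j);
            switch ( cki ){
                case CRYPT_SLOT_INACTIVE :   slot[j] = '0' ; break ;
                case CRYPT_SLOT_ACTIVE :     slot[j] = '1' ; break ;
                case CRYPT_SLOT_INVALID :    slot[j] = '2' ; break ;
                case CRYPT_SLOT_ACTIVE_LAST: slot[j] = '3' ; break ;
            }
        }
        slot[j] = '\0' ;
        crypt_free( cd );
        return slot ;
    }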
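
An added example, not part of the original post and not cryptsetup or zuluCrypt code: it maps a byte range written into a LUKS1 header onto the key-slot fields it overlaps, using the field sizes from the LUKS1 on-disk format specification (key slots start at byte 208 and are 48 bytes each). The function name is hypothetical, and the write lengths (28 and 42) are the junk string lengths counted from the post, assuming cik writes exactly those bytes with no terminator.

```c
#include <stdio.h>
#include <string.h>

/* LUKS1 header: fixed fields occupy bytes 0..207, followed by 8 key slots
 * of 48 bytes each (layout from the LUKS1 on-disk format specification). */
#define LUKS1_SLOT_BASE 208
#define LUKS1_SLOT_SIZE 48
#define LUKS1_NUM_SLOTS 8

/* Fields inside one key slot: offset relative to the slot start, and length. */
static const struct { const char *name; int off, len; } slot_fields[] = {
    { "active",               0,  4 },
    { "iterations",           4,  4 },
    { "salt",                 8, 32 },
    { "key-material-offset", 40,  4 },
    { "stripes",             44,  4 },
};

/* Hypothetical helper: fill `out` with a comma-separated list of
 * "slotN.field" entries overlapped by a write of `len` bytes at `off`.
 * Slots are numbered from 0, as in crypt_keyslot_status().
 * Returns the number of fields hit. */
int luks1_fields_hit(long off, long len, char *out, size_t outsz)
{
    int hits = 0;
    out[0] = '\0';
    for (int s = 0; s < LUKS1_NUM_SLOTS; s++) {
        for (size_t f = 0; f < sizeof slot_fields / sizeof slot_fields[0]; f++) {
            long start = LUKS1_SLOT_BASE + (long)s * LUKS1_SLOT_SIZE + slot_fields[f].off;
            long end = start + slot_fields[f].len;   /* exclusive */
            if (off < end && off + len > start) {     /* ranges overlap */
                size_t used = strlen(out);
                snprintf(out + used, outsz - used, "%sslot%d.%s",
                         hits ? "," : "", s, slot_fields[f].name);
                hits++;
            }
        }
    }
    return hits;
}

int main(void)
{
    /* Constructed inputs: the three writes from the post as {offset, length}. */
    const long tests[3][2] = { {256, 28}, {264, 28}, {264, 42} };
    char buf[256];
    for (int i = 0; i < 3; i++) {
        luks1_fields_hit(tests[i][0], tests[i][1], buf, sizeof buf);
        printf("offset %ld, %ld bytes -> %s\n", tests[i][0], tests[i][1], buf);
    }
    return 0;
}
```

Under those assumptions the first write covers slot 1's active and iterations fields, the second stays inside its salt, and the third runs through key-material-offset and stripes into the first bytes of slot 2.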