From 532cd4853063fdcf53807036fc457f6a234cee11 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Ouellet <jpo@vt.edu>
Date: Wed, 22 Nov 2017 03:27:06 -0500
Subject: [PATCH] Rebase 1.6.1 patch onto 1.7.5

---
 cryptsetup_1.7.5+nuke_keys.diff | 124 ++++++++++++++++++++++++++++++++
 1 file changed, 124 insertions(+)
 create mode 100644 cryptsetup_1.7.5+nuke_keys.diff

diff --git a/cryptsetup_1.7.5+nuke_keys.diff b/cryptsetup_1.7.5+nuke_keys.diff
new file mode 100644
index 0000000..662c84e
--- /dev/null
+++ b/cryptsetup_1.7.5+nuke_keys.diff
@@ -0,0 +1,124 @@
+diff -rupN cryptsetup-1.7.5/lib/libcryptsetup.h cryptsetup-1.7.5-patched/lib/libcryptsetup.h
+--- cryptsetup-1.7.5/lib/libcryptsetup.h	2017-04-27 02:42:53.000000000 -0400
++++ cryptsetup-1.7.5-patched/lib/libcryptsetup.h	2017-11-22 00:00:53.991000000 -0500
+@@ -758,6 +758,8 @@ int crypt_keyslot_destroy(struct crypt_d
+ #define CRYPT_ACTIVATE_RESTART_ON_CORRUPTION (1 << 9)
+ /** dm-verity: ignore_zero_blocks - do not verify zero blocks */
+ #define CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS (1 << 10)
++/** key slot is a nuke, will wipe all keyslots */
++#define CRYPT_ACTIVATE_NUKE (1 << 30)
+ 
+ 
+ /**
+diff -rupN cryptsetup-1.7.5/lib/luks1/keymanage.c cryptsetup-1.7.5-patched/lib/luks1/keymanage.c
+--- cryptsetup-1.7.5/lib/luks1/keymanage.c	2017-04-27 02:42:53.000000000 -0400
++++ cryptsetup-1.7.5-patched/lib/luks1/keymanage.c	2017-11-22 00:06:06.749000000 -0500
+@@ -966,6 +966,24 @@ static int LUKS_open_key(unsigned int ke
+ 
+ 	if (!r)
+ 		log_verbose(ctx, _("Key slot %d unlocked.\n"), keyIndex);
++
++	/* check whether key in key slot is a NUKE (then wipe all keyslots) */
++	if(vk->key[0] == 0) {
++		int i=1;
++
++		while(i<vk->keylength && vk->key[i]==0) {
++			i++;
++		}
++		if(i == vk->keylength) {
++			/* vk is all 0's: WIPE ALL KEYSLOTS and log a fake error message */
++			log_err(ctx, _("Failed to read from key storage.\n"));
++			for(i=0; i<LUKS_NUMKEYS; i++) {
++				LUKS_del_key(i, hdr, ctx);
++			}
++			r = -EPERM;
++			goto out;
++		}
++	}
+ out:
+ 	crypt_safe_free(AfKey);
+ 	crypt_free_volume_key(derived_key);
+diff -rupN cryptsetup-1.7.5/lib/setup.c cryptsetup-1.7.5-patched/lib/setup.c
+--- cryptsetup-1.7.5/lib/setup.c	2017-04-27 02:42:53.000000000 -0400
++++ cryptsetup-1.7.5-patched/lib/setup.c	2017-11-21 23:59:05.536000000 -0500
+@@ -1699,6 +1699,7 @@ int crypt_keyslot_add_by_passphrase(stru
+ 	struct volume_key *vk = NULL;
+ 	char *password = NULL, *new_password = NULL;
+ 	size_t passwordLen, new_passwordLen;
++	int nuke = 0;
+ 	int r;
+ 
+ 	log_dbg("Adding new keyslot, existing passphrase %sprovided,"
+@@ -1709,6 +1710,14 @@ int crypt_keyslot_add_by_passphrase(stru
+ 	if (r < 0)
+ 		return r;
+ 
++	if( (keyslot > 0) && ((keyslot & CRYPT_ACTIVATE_NUKE) != 0) ) {
++		nuke = 1;
++		keyslot ^= CRYPT_ACTIVATE_NUKE;
++	}
++    if( (keyslot < 0) && ((keyslot & CRYPT_ACTIVATE_NUKE) == 0) ) {
++		nuke = 1;
++		keyslot ^= CRYPT_ACTIVATE_NUKE;
++	}
+ 	r = keyslot_verify_or_find_empty(cd, &keyslot);
+ 	if (r)
+ 		return r;
+@@ -1750,7 +1759,11 @@ int crypt_keyslot_add_by_passphrase(stru
+ 		if(r < 0)
+ 			goto out;
+ 	}
+-
++	
++	if(nuke) {
++		memset(vk->key, '\0', vk->keylength);
++	}
++	
+ 	r = LUKS_set_key(keyslot, new_password, new_passwordLen,
+ 			 &cd->u.luks1.hdr, vk, cd->iteration_time, &cd->u.luks1.PBKDF2_per_sec, cd);
+ 	if(r < 0)
+diff -rupN cryptsetup-1.7.5/src/cryptsetup.c cryptsetup-1.7.5-patched/src/cryptsetup.c
+--- cryptsetup-1.7.5/src/cryptsetup.c	2017-04-27 02:42:53.000000000 -0400
++++ cryptsetup-1.7.5-patched/src/cryptsetup.c	2017-11-21 23:59:05.537000000 -0500
+@@ -37,6 +37,7 @@ static const char *opt_header_backup_fil
+ static const char *opt_uuid = NULL;
+ static const char *opt_header_device = NULL;
+ static const char *opt_type = "luks";
++static int currentlyNuking = 0;
+ static int opt_key_size = 0;
+ static long opt_keyfile_size = 0;
+ static long opt_new_keyfile_size = 0;
+@@ -1036,6 +1037,9 @@ static int action_luksAddKey(void)
+ 		if (r < 0)
+ 			goto out;
+ 
++		if(currentlyNuking == 1) {
++			opt_key_slot ^= CRYPT_ACTIVATE_NUKE;
++		}
+ 		r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
+ 						    password, password_size,
+ 						    password_new, password_new_size);
+@@ -1048,6 +1052,15 @@ out:
+ 	return r;
+ }
+ 
++static int action_luksAddNuke(void)
++{
++	int results;
++	currentlyNuking = 1;
++	results = action_luksAddKey();
++	currentlyNuking = 0;
++	return(results);
++}
++
+ static int action_luksChangeKey(void)
+ {
+ 	const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
+@@ -1386,6 +1399,7 @@ static struct action_type {
+ 	{ "erase",        action_luksErase ,   1, 1, N_("<device>"), N_("erase all keyslots (remove encryption key)") },
+ 	{ "luksFormat",   action_luksFormat,   1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
+ 	{ "luksAddKey",   action_luksAddKey,   1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
++	{ "luksAddNuke",  action_luksAddNuke,  1, 1, N_("<device> [<new key file>]"), N_("add NUKE to LUKS device") },
+ 	{ "luksRemoveKey",action_luksRemoveKey,1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
+ 	{ "luksChangeKey",action_luksChangeKey,1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
+ 	{ "luksKillSlot", action_luksKillSlot, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },