const void *p,
size_t l,
size_t line_break,
- char **out) {
+ char **ret) {
const uint8_t *x;
- char *r, *z;
+ char *b, *z;
size_t m;
assert(p || l == 0);
- assert(out);
assert(line_break > 0);
+ assert(ret);
/* three input bytes makes four output bytes, padding is added so we must round up */
m = 4 * (l + 2) / 3 + 1;
-
if (line_break != SIZE_MAX)
m += m / line_break;
- z = r = malloc(m);
- if (!r)
+ z = b = malloc(m);
+ if (!b)
return -ENOMEM;
for (x = p; x && x < (const uint8_t*) p + (l / 3) * 3; x += 3) {
/* x[0] == XXXXXXXX; x[1] == YYYYYYYY; x[2] == ZZZZZZZZ */
- maybe_line_break(&z, r, line_break);
+ maybe_line_break(&z, b, line_break);
*(z++) = base64char(x[0] >> 2); /* 00XXXXXX */
- maybe_line_break(&z, r, line_break);
+ maybe_line_break(&z, b, line_break);
*(z++) = base64char((x[0] & 3) << 4 | x[1] >> 4); /* 00XXYYYY */
- maybe_line_break(&z, r, line_break);
+ maybe_line_break(&z, b, line_break);
*(z++) = base64char((x[1] & 15) << 2 | x[2] >> 6); /* 00YYYYZZ */
- maybe_line_break(&z, r, line_break);
+ maybe_line_break(&z, b, line_break);
*(z++) = base64char(x[2] & 63); /* 00ZZZZZZ */
}
switch (l % 3) {
case 2:
- maybe_line_break(&z, r, line_break);
+ maybe_line_break(&z, b, line_break);
*(z++) = base64char(x[0] >> 2); /* 00XXXXXX */
- maybe_line_break(&z, r, line_break);
+ maybe_line_break(&z, b, line_break);
*(z++) = base64char((x[0] & 3) << 4 | x[1] >> 4); /* 00XXYYYY */
- maybe_line_break(&z, r, line_break);
+ maybe_line_break(&z, b, line_break);
*(z++) = base64char((x[1] & 15) << 2); /* 00YYYY00 */
- maybe_line_break(&z, r, line_break);
+ maybe_line_break(&z, b, line_break);
*(z++) = '=';
-
break;
+
case 1:
- maybe_line_break(&z, r, line_break);
+ maybe_line_break(&z, b, line_break);
*(z++) = base64char(x[0] >> 2); /* 00XXXXXX */
- maybe_line_break(&z, r, line_break);
+ maybe_line_break(&z, b, line_break);
*(z++) = base64char((x[0] & 3) << 4); /* 00XX0000 */
- maybe_line_break(&z, r, line_break);
+ maybe_line_break(&z, b, line_break);
*(z++) = '=';
- maybe_line_break(&z, r, line_break);
+ maybe_line_break(&z, b, line_break);
*(z++) = '=';
-
break;
}
*z = 0;
- *out = r;
- assert(z >= r); /* Let static analyzers know that the answer is non-negative. */
- return z - r;
+ *ret = b;
+
+ assert(z >= b); /* Let static analyzers know that the answer is non-negative. */
+ return z - b;
}
static ssize_t base64_append_width(
_cleanup_(erase_and_freep) void *decrypted_key = NULL;
_cleanup_(erase_and_freep) char *passphrase = NULL;
size_t decrypted_key_size;
+ ssize_t passphrase_size;
int r;
assert_se(cd);
/* Because cryptenroll requires a LUKS header, we can assume that this device is not
* a PLAIN device. In this case, we need to base64 encode the secret to use as the passphrase */
- r = base64mem(decrypted_key, decrypted_key_size, &passphrase);
- if (r < 0)
+ passphrase_size = base64mem(decrypted_key, decrypted_key_size, &passphrase);
+ if (passphrase_size < 0)
return log_oom();
r = crypt_volume_key_get(
ret_vk,
ret_vks,
passphrase,
- /* passphrase_size= */ r);
+ passphrase_size);
if (r < 0)
return log_error_errno(r, "Unlocking via FIDO2 device failed: %m");
_cleanup_free_ char *keyslot_as_string = NULL;
size_t cid_size, salt_size, secret_size;
_cleanup_free_ void *cid = NULL;
+ ssize_t base64_encoded_size;
const char *node, *un;
int r, keyslot;
return r;
/* Before we use the secret, we base64 encode it, for compat with homed, and to make it easier to type in manually */
- r = base64mem(secret, secret_size, &base64_encoded);
- if (r < 0)
- return log_error_errno(r, "Failed to base64 encode secret key: %m");
+ base64_encoded_size = base64mem(secret, secret_size, &base64_encoded);
+ if (base64_encoded_size < 0)
+ return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m");
r = cryptsetup_set_minimal_pbkdf(cd);
if (r < 0)
volume_key,
volume_key_size,
base64_encoded,
- strlen(base64_encoded));
+ base64_encoded_size);
if (keyslot < 0)
return log_error_errno(keyslot, "Failed to add new FIDO2 key to %s: %m", node);
size_t decrypted_key_size, encrypted_key_size;
_cleanup_free_ void *encrypted_key = NULL;
_cleanup_(X509_freep) X509 *cert = NULL;
+ ssize_t base64_encoded_size;
const char *node;
EVP_PKEY *pkey;
int keyslot, r;
/* Let's base64 encode the key to use, for compat with homed (and it's easier to type it in by
* keyboard, if that might ever end up being necessary.) */
- r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
- if (r < 0)
- return log_error_errno(r, "Failed to base64 encode secret key: %m");
+ base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
+ if (base64_encoded_size < 0)
+ return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m");
r = cryptsetup_set_minimal_pbkdf(cd);
if (r < 0)
volume_key,
volume_key_size,
base64_encoded,
- strlen(base64_encoded));
+ base64_encoded_size);
if (keyslot < 0)
return log_error_errno(keyslot, "Failed to add new PKCS#11 key to %s: %m", node);
uint16_t pcr_bank, primary_alg;
const char *node;
_cleanup_(erase_and_freep) char *pin_str = NULL;
+ ssize_t base64_encoded_size;
int r, keyslot;
TPM2Flags flags = 0;
}
/* let's base64 encode the key to use, for compat with homed (and it's easier to every type it in by keyboard, if that might end up being necessary. */
- r = base64mem(secret, secret_size, &base64_encoded);
- if (r < 0)
- return log_error_errno(r, "Failed to base64 encode secret key: %m");
+ base64_encoded_size = base64mem(secret, secret_size, &base64_encoded);
+ if (base64_encoded_size < 0)
+ return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m");
r = cryptsetup_set_minimal_pbkdf(cd);
if (r < 0)
volume_key,
volume_key_size,
base64_encoded,
- strlen(base64_encoded));
+ base64_encoded_size);
if (keyslot < 0)
return log_error_errno(keyslot, "Failed to add new TPM2 key to %s: %m", node);
.search_pcr_mask = UINT32_MAX
};
uint16_t pcr_bank, primary_alg;
+ ssize_t base64_encoded_size;
TPM2Flags flags = 0;
const char *json;
int r;
return log_debug_open_error(cd, r);
/* Before using this key as passphrase we base64 encode it, for compat with homed */
- r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
- if (r < 0)
- return log_debug_open_error(cd, r);
+ base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
+ if (base64_encoded_size < 0)
+ return log_debug_open_error(cd, base64_encoded_size);
/* free'd automatically by libcryptsetup */
- *ret_password_len = strlen(base64_encoded);
*ret_password = TAKE_PTR(base64_encoded);
+ *ret_password_len = base64_encoded_size;
return 0;
}
_cleanup_(erase_and_freep) void *decrypted_key = NULL;
_cleanup_(erase_and_freep) char *base64_encoded = NULL;
_cleanup_strv_free_erase_ char **pins = NULL;
+ ssize_t base64_encoded_size;
assert(ret_keyslot_passphrase);
assert(ret_keyslot_passphrase_size);
return r;
/* Before using this key as passphrase we base64 encode it, for compat with homed */
- r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
- if (r < 0)
- return crypt_log_error_errno(cd, r, "Failed to base64 encode key: %m");
+ base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
+ if (base64_encoded_size < 0)
+ return crypt_log_error_errno(cd, (int) base64_encoded_size, "Failed to base64 encode key: %m");
*ret_keyslot_passphrase = TAKE_PTR(base64_encoded);
- *ret_keyslot_passphrase_size = strlen(*ret_keyslot_passphrase);
+ *ret_keyslot_passphrase_size = base64_encoded_size;
return 0;
}
_cleanup_free_ char *pkcs11_uri = NULL;
_cleanup_free_ void *encrypted_key = NULL;
systemd_pkcs11_plugin_params *pkcs11_params = userdata;
+ ssize_t base64_encoded_size;
assert(json);
assert(ret_password);
if (r < 0)
return r;
- r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
- if (r < 0)
- return crypt_log_error_errno(cd, r, "Can not base64 encode key: %m");
+ base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
+ if (base64_encoded_size < 0)
+ return crypt_log_error_errno(cd, (int) base64_encoded_size, "Can not base64 encode key: %m");
*ret_password = TAKE_PTR(base64_encoded);
- *ret_password_size = strlen(*ret_password);
+ *ret_password_size = base64_encoded_size;
return 0;
}
r = crypt_activate_by_volume_key(cd, name, decrypted_key, decrypted_key_size, flags);
else {
_cleanup_(erase_and_freep) char *base64_encoded = NULL;
+ ssize_t base64_encoded_size;
/* Before using this key as passphrase we base64 encode it, for compat with homed */
- r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
- if (r < 0)
+ base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
+ if (base64_encoded_size < 0)
return log_oom();
- r = crypt_activate_by_passphrase(cd, name, keyslot, base64_encoded, strlen(base64_encoded), flags);
+ r = crypt_activate_by_passphrase(cd, name, keyslot, base64_encoded, base64_encoded_size, flags);
}
if (r == -EPERM) {
log_error_errno(r, "Failed to activate with FIDO2 decrypted key. (Key incorrect?)");
r = crypt_activate_by_volume_key(cd, name, decrypted_key, decrypted_key_size, flags);
else {
_cleanup_(erase_and_freep) char *base64_encoded = NULL;
+ ssize_t base64_encoded_size;
/* Before using this key as passphrase we base64 encode it. Why? For compatibility
* with homed's PKCS#11 hookup: there we want to use the key we acquired through
* without embedded NUL here too, and that's easiest to generate from a binary blob
* via base64 encoding. */
- r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
- if (r < 0)
+ base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
+ if (base64_encoded_size < 0)
return log_oom();
- r = crypt_activate_by_passphrase(cd, name, keyslot, base64_encoded, strlen(base64_encoded), flags);
+ r = crypt_activate_by_passphrase(cd, name, keyslot, base64_encoded, base64_encoded_size, flags);
}
if (r == -EPERM) {
log_error_errno(r, "Failed to activate with PKCS#11 decrypted key. (Key incorrect?)");
r = crypt_activate_by_volume_key(cd, name, decrypted_key, decrypted_key_size, flags);
else {
_cleanup_(erase_and_freep) char *base64_encoded = NULL;
+ ssize_t base64_encoded_size;
/* Before using this key as passphrase we base64 encode it, for compat with homed */
- r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
- if (r < 0)
+ base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
+ if (base64_encoded_size < 0)
return log_oom();
- r = crypt_activate_by_passphrase(cd, name, keyslot, base64_encoded, strlen(base64_encoded), flags);
+ r = crypt_activate_by_passphrase(cd, name, keyslot, base64_encoded, base64_encoded_size, flags);
}
if (r == -EPERM) {
log_error_errno(r, "Failed to activate with TPM2 decrypted key. (Key incorrect?)");
_cleanup_(json_variant_unrefp) JsonVariant *w = NULL;
_cleanup_strv_free_ char **l = NULL;
_cleanup_free_ char *escaped = NULL;
+ ssize_t escaped_size;
int r;
assert(v);
assert(cid);
- r = base64mem(cid, cid_size, &escaped);
- if (r < 0)
- return log_error_errno(r, "Failed to base64 encode FIDO2 credential ID: %m");
+ escaped_size = base64mem(cid, cid_size, &escaped);
+ if (escaped_size < 0)
+ return log_error_errno(escaped_size, "Failed to base64 encode FIDO2 credential ID: %m");
w = json_variant_ref(json_variant_by_key(*v, "fido2HmacCredential"));
if (w) {
_cleanup_(json_variant_unrefp) JsonVariant *l = NULL, *w = NULL, *e = NULL;
_cleanup_(erase_and_freep) char *base64_encoded = NULL, *hashed = NULL;
+ ssize_t base64_encoded_size;
int r;
/* Before using UNIX hashing on the supplied key we base64 encode it, since crypt_r() and friends
* expect a NUL terminated string, and we use a binary key */
- r = base64mem(secret, secret_size, &base64_encoded);
- if (r < 0)
- return log_error_errno(r, "Failed to base64 encode secret key: %m");
+ base64_encoded_size = base64mem(secret, secret_size, &base64_encoded);
+ if (base64_encoded_size < 0)
+ return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m");
r = hash_password(base64_encoded, &hashed);
if (r < 0)
_cleanup_(json_variant_unrefp) JsonVariant *l = NULL, *w = NULL, *e = NULL;
_cleanup_(erase_and_freep) char *base64_encoded = NULL, *hashed = NULL;
+ ssize_t base64_encoded_size;
int r;
assert(v);
/* Before using UNIX hashing on the supplied key we base64 encode it, since crypt_r() and friends
* expect a NUL terminated string, and we use a binary key */
- r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
- if (r < 0)
- return log_error_errno(r, "Failed to base64 encode secret key: %m");
+ base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
+ if (base64_encoded_size < 0)
+ return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m");
r = hash_password(base64_encoded, &hashed);
if (r < 0)
_cleanup_(erase_and_freep) void *hmac = NULL;
size_t hmac_size;
Fido2EnrollFlags flags = 0;
+ ssize_t ss;
int r;
assert(h);
if (r < 0)
return r;
- r = base64mem(hmac, hmac_size, ret);
- if (r < 0)
- return log_error_errno(r, "Failed to base64 encode HMAC secret: %m");
+ ss = base64mem(hmac, hmac_size, ret);
+ if (ss < 0)
+ return log_error_errno(ss, "Failed to base64 encode HMAC secret: %m");
return 0;
}
_cleanup_free_ void *encrypted = NULL;
const EVP_CIPHER *cc;
size_t encrypted_size;
+ ssize_t ss;
r = crypto_random_bytes(salt, sizeof(salt));
if (r < 0)
assert((size_t) encrypted_size_out1 + (size_t) encrypted_size_out2 < encrypted_size);
encrypted_size = (size_t) encrypted_size_out1 + (size_t) encrypted_size_out2;
- r = base64mem(salt, sizeof(salt), &salt_base64);
- if (r < 0)
+ ss = base64mem(salt, sizeof(salt), &salt_base64);
+ if (ss < 0)
return log_oom();
- r = base64mem(encrypted, encrypted_size, &encrypted_base64);
- if (r < 0)
+ ss = base64mem(encrypted, encrypted_size, &encrypted_base64);
+ if (ss < 0)
return log_oom();
joined = strjoin(salt_base64, ":", encrypted_base64);
_cleanup_free_ void *pubkey = NULL;
_cleanup_free_ void *blob = NULL, *hash = NULL;
size_t secret_size, blob_size, hash_size, pubkey_size = 0;
+ ssize_t base64_encoded_size;
uint16_t pcr_bank, primary_alg;
int keyslot;
if (r < 0)
return log_error_errno(r, "Failed to seal to TPM2: %m");
- r = base64mem(secret, secret_size, &base64_encoded);
- if (r < 0)
- return log_error_errno(r, "Failed to base64 encode secret key: %m");
+ base64_encoded_size = base64mem(secret, secret_size, &base64_encoded);
+ if (base64_encoded_size < 0)
+ return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m");
r = cryptsetup_set_minimal_pbkdf(cd);
if (r < 0)
NULL,
VOLUME_KEY_SIZE,
base64_encoded,
- strlen(base64_encoded));
+ base64_encoded_size);
if (keyslot < 0)
return log_error_errno(keyslot, "Failed to add new TPM2 key: %m");