git.ipfire.org Git - thirdparty/grub.git/commit

author	Patrick Steinhardt <ps@pks.im>
	Mon, 15 Aug 2022 15:53:06 +0000 (17:53 +0200)
committer	Daniel Kiper <daniel.kiper@oracle.com>
	Fri, 19 Aug 2022 21:55:50 +0000 (23:55 +0200)
commit	de6921ced332951e6493eef629d2f7f54716189b
tree	c8d70f061dfe2c2b61048e95f60e963d4af54f97	tree
parent	b4055ebb8b3c1bbbc068f28099bd04b73df6fb67	commit \| diff

disk/luks2: Fix decoding of digests and salts with escaped chars

It was reported in the #grub IRC channel on Libera that decryption of
LUKS2 partitions fails with errors about invalid digests and/or salts.
In all of these cases, what failed was decoding the Base64
representation of these, where the encoded data contained invalid
characters.

As it turns out, the root cause is that json-c, which is used by
cryptsetup to read and write the JSON header, will escape some
characters by prepending a backslash when writing JSON strings by
default. Most importantly, json-c also escapes the forward slash, which
is part of the Base64 alphabet. Because GRUB doesn't know to unescape
such characters, decoding this string will rightfully fail.

Interestingly, this issue has until now only been reported by users of
Ubuntu 18.04. And a bit of digging in fact reveals that cryptsetup has
changed the logic in a054206d (Suppress useless slash escaping in json
lib, 2018-04-20), which has been released with cryptsetup v2.0.3. Ubuntu
18.04 is still shipping with cryptsetup v2.0.2 though, which explains
why this is not a more frequent issue.

Fix the issue by using our new grub_json_unescape() helper function
that handles unescaping for us.

Reported-by: Afdal
Signed-off-by: Patrick Steinhardt <ps@pks.im>
Reviewed-by: Daniel Kiper <dkiper@net-space.pl>