From eca0d8b8b1360f745131158bf6b5b5c1c04d98c9 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Thomas=20Wei=C3=9Fschuh?= <thomas@t-8ch.de>
Date: Sun, 11 Sep 2022 15:46:19 +0200
Subject: [PATCH] libblkid: luks: add checksum support
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Signed-off-by: Thomas Weißschuh <thomas@t-8ch.de>
---
 libblkid/src/superblocks/luks.c       |  20 ++++++++++++++++++++
 tests/ts/blkid/images-fs/luks2.img.xz | Bin 276 -> 744 bytes
 2 files changed, 20 insertions(+)

diff --git a/libblkid/src/superblocks/luks.c b/libblkid/src/superblocks/luks.c
index 0230b34926..a3aa84c5ea 100644
--- a/libblkid/src/superblocks/luks.c
+++ b/libblkid/src/superblocks/luks.c
@@ -17,6 +17,7 @@
 #include <stdint.h>
 
 #include "superblocks.h"
+#include "sha256.h"
 
 #define LUKS_CIPHERNAME_L		32
 #define LUKS_CIPHERMODE_L		32
@@ -96,6 +97,23 @@ static int luks_attributes(blkid_probe pr, struct luks2_phdr *header, uint64_t o
 	return BLKID_PROBE_OK;
 }
 
+static int luks_verify_csum(blkid_probe pr, struct luks2_phdr *header)
+{
+	if (strncmp(header->checksum_alg, "sha256", sizeof(header->checksum_alg)))
+		return 1;
+
+	uint64_t header_size = be64_to_cpu(header->hdr_size);
+	unsigned char *checksummed = blkid_probe_get_buffer(pr, 0, header_size);
+	if (!checksummed)
+		return 0;
+	memset(checksummed + offsetof(struct luks2_phdr, csum), 0, LUKS2_CHECKSUM_L);
+
+	unsigned char csum[32];
+	ul_SHA256(csum, checksummed, header_size);
+
+	return blkid_probe_verify_csum(pr, 1, !memcmp(header->csum, csum, 32));
+}
+
 static int probe_luks(blkid_probe pr, const struct blkid_idmag *mag __attribute__((__unused__)))
 {
 	struct luks2_phdr *header;
@@ -106,6 +124,8 @@ static int probe_luks(blkid_probe pr, const struct blkid_idmag *mag __attribute_
 		return errno ? -errno : BLKID_PROBE_NONE;
 
 	if (!memcmp(header->magic, LUKS_MAGIC, LUKS_MAGIC_L)) {
+		if (!luks_verify_csum(pr, header))
+			return BLKID_PROBE_NONE;
 		/* LUKS primary header was found. */
 		return luks_attributes(pr, header, 0);
 	}
diff --git a/tests/ts/blkid/images-fs/luks2.img.xz b/tests/ts/blkid/images-fs/luks2.img.xz
index 997fb0483d6e1f4827543f9267e8cf830898144f..311a4e865608e81dcc79f1e0351558c0d1a9f796 100644
GIT binary patch
delta 718
zc-jHZ0x|uR0_X)D{Wp48S^xk9=GL@E0stWa8~^|S5YJf5;6MKYrjZ>ee_C>^U7wOd
zoK&dj>IJybGqW$Ycuh9aSkrLEXqaLd-^CM!hVU~s8$wb&qHMjuF*&;w?Dw=S^+SgB
zWrG_1TjN~+iRN|9)n_Y>O<jFtQqluyaCCY}=Pg!#9ABtfGQ|6bsY1)Yg#V~uV>#<!
zq|$PwLtKS;*}IWT;gUqEe>L=Xd?I*tHC9K^@o)|JehM|`eP4YS4w?YT0Yi%(0AD3c
z;x%xWJ*in&N{a%B!uT6k>4CDvP+`WB*7;{!X1*QI01`b~lE*KobkfcXaE5M!nRKs0
zduM*nK9oitTYNMXl<EzbPW2rCKbt%N^Qr^MCl>MilA^p%G%a6}f5O`_aI>{(bygeZ
zslR8LYnT9--k)uh;R7z{+$<=f0)2&@>2wpcNwmfvpdg>b3jftZ(sL4^OV+CLwR{(*
z@I1>rN9}5+8!;E<V?Q|MC*l~fxfSHkBSw%eSRsivto{R-S$+adQ~>ZznaRx=%7d<R
z?b)j3ww(S*;VbYGf79?nzgM7asfsP+#C|-{vDJ8{tA4Ks_+B5Xn)H*PyOCdjrrSTd
zY4QsBO9b>o4;>@k&-R}61HwLdSQ_8oRD75eeG!tiO;P7Y`e!PwW89O8Cbsw(Ip>76
zf2=n^rKeg(5KH?CMkK5jFq!G$8gcmvayi?-SwSWAZ{Dd%f9~R2jzg_5Vn>O0)erns
zm`le9M*CBwjYZMlFKPjzS)xdE8e2_eF)gXy=jx>XQm9NBm4NDgkw!w6LwJ!&H($5c
zBdMLD<Z^;MPZDZv)K<5AHz(n%NLL~_@=yI5!Hs{(eM04It^3YIV%maG8GciUeykk=
zr|*4d*uEK%C<sv@_5c6?04rr@SrH~sbN~Uu1%QA70O)w)Lb1eW`vL#}000D8TG)nF
AYybcN

delta 246
zc-jH>015x-1(X6E{Wp48S^xk9=GL@E0stWa761SMbT8$j;1B-*)R7%1e-MFPh^CO8
zN7@_eT!XSyRqZPJI}nw;Jrd{xZ`5C9&-gQ6B%SW;UyrD`w3I|LkFWN2%<|!(jRfA(
zcAIMxeelWQtk!Z{irJF6&TO%E4U#v9!12>Y-#9D8b<K{-%kSSbKWXFg-<y{?XqWHF
z09<Y4m7<TXR?}g@#RqMFP_!f@mQ?JF4$lp>e#jrR^=>W4i}hiq7#4CS2x<;@-$mMq
wZr}2|F#An7$VdeM05qX^m2PaLJpcjl0e~O?0Iw9YKC#4S`vL#}000D8S~%@=?EnA(

-- 
2.47.3