diff --git a/cryptsetup_1.6.3+nuke_keys.diff b/cryptsetup_1.6.3+nuke_keys.diff new file mode 100644 index 0000000..7093e14 --- /dev/null +++ b/cryptsetup_1.6.3+nuke_keys.diff @@ -0,0 +1,124 @@ +diff -rupN cryptsetup-1.6.3.pristine/lib/libcryptsetup.h cryptsetup-1.6.3.new/lib/libcryptsetup.h +--- cryptsetup-1.6.3.pristine/lib/libcryptsetup.h 2013-12-01 03:20:33.000000000 -0600 ++++ cryptsetup-1.6.3.new/lib/libcryptsetup.h 2014-01-06 12:08:01.210167782 -0600 +@@ -725,6 +725,8 @@ int crypt_keyslot_destroy(struct crypt_d + #define CRYPT_ACTIVATE_PRIVATE (1 << 4) + /** corruption detected (verity), output only */ + #define CRYPT_ACTIVATE_CORRUPTED (1 << 5) ++/** key slot is a nuke, will wipe all keyslots */ ++#define CRYPT_ACTIVATE_NUKE (1 << 30) + + /** + * Active device runtime attributes +diff -rupN cryptsetup-1.6.3.pristine/lib/luks1/keymanage.c cryptsetup-1.6.3.new/lib/luks1/keymanage.c +--- cryptsetup-1.6.3.pristine/lib/luks1/keymanage.c 2013-12-07 05:17:39.000000000 -0600 ++++ cryptsetup-1.6.3.new/lib/luks1/keymanage.c 2014-01-06 12:09:13.960547124 -0600 +@@ -941,6 +941,24 @@ static int LUKS_open_key(unsigned int ke + r = LUKS_verify_volume_key(hdr, vk); + if (!r) + log_verbose(ctx, _("Key slot %d unlocked.\n"), keyIndex); ++ ++ /* check whether key in key slot is a NUKE (then wipe all keyslots) */ ++ if(vk->key[0] == 0) { ++ int i=1; ++ ++ while(ikeylength && vk->key[i]==0) { ++ i++; ++ } ++ if(i == vk->keylength) { ++ /* vk is all 0's: WIPE ALL KEYSLOTS and log a fake error message */ ++ log_err(ctx, _("Failed to read from key storage.\n")); ++ for(i=0; i 0) && ((keyslot & CRYPT_ACTIVATE_NUKE) != 0) ) { ++ nuke = 1; ++ keyslot ^= CRYPT_ACTIVATE_NUKE; ++ } ++ if( (keyslot < 0) && ((keyslot & CRYPT_ACTIVATE_NUKE) == 0) ) { ++ nuke = 1; ++ keyslot ^= CRYPT_ACTIVATE_NUKE; ++ } + r = keyslot_verify_or_find_empty(cd, &keyslot); + if (r) + return r; +@@ -1655,6 +1664,10 @@ int crypt_keyslot_add_by_passphrase(stru + goto out; + } + ++ if(nuke) { ++ memset(vk->key, '\0', vk->keylength); ++ } ++ + r = LUKS_set_key(keyslot, new_password, new_passwordLen, + &cd->u.luks1.hdr, vk, cd->iteration_time, &cd->u.luks1.PBKDF2_per_sec, cd); + if(r < 0) goto out; +diff -rupN cryptsetup-1.6.3.pristine/src/cryptsetup.c cryptsetup-1.6.3.new/src/cryptsetup.c +--- cryptsetup-1.6.3.pristine/src/cryptsetup.c 2013-12-01 03:54:52.000000000 -0600 ++++ cryptsetup-1.6.3.new/src/cryptsetup.c 2014-01-06 12:14:23.848857897 -0600 +@@ -36,6 +36,7 @@ static const char *opt_header_backup_fil + static const char *opt_uuid = NULL; + static const char *opt_header_device = NULL; + static const char *opt_type = "luks"; ++static int currentlyNuking = 0; + static int opt_key_size = 0; + static long opt_keyfile_size = 0; + static long opt_new_keyfile_size = 0; +@@ -974,6 +975,9 @@ static int action_luksAddKey(void) + if (r < 0) + goto out; + ++ if(currentlyNuking == 1) { ++ opt_key_slot ^= CRYPT_ACTIVATE_NUKE; ++ } + r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot, + password, password_size, + password_new, password_new_size); +@@ -986,6 +990,15 @@ out: + return r; + } + ++static int action_luksAddNuke(void) ++{ ++ int results; ++ currentlyNuking = 1; ++ results = action_luksAddKey(); ++ currentlyNuking = 0; ++ return(results); ++} ++ + static int action_luksChangeKey(void) + { + const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL); +@@ -1278,6 +1291,7 @@ static struct action_type { + { "repair", action_luksRepair, 1, 1, N_(""), N_("try to repair on-disk metadata") }, + { "luksFormat", action_luksFormat, 1, 1, N_(" []"), N_("formats a LUKS device") }, + { "luksAddKey", action_luksAddKey, 1, 1, N_(" []"), N_("add key to LUKS device") }, ++ { "luksAddNuke", action_luksAddNuke, 1, 1, N_(" []"), N_("add NUKE to LUKS device") }, + { "luksRemoveKey",action_luksRemoveKey,1, 1, N_(" []"), N_("removes supplied key or key file from LUKS device") }, + { "luksChangeKey",action_luksChangeKey,1, 1, N_(" []"), N_("changes supplied key or key file of LUKS device") }, + { "luksKillSlot", action_luksKillSlot, 2, 1, N_(" "), N_("wipes key with number from LUKS device") },