eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-06 00:10:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add debug messages for incompatible LUKS1 conversion.

Browse Source 
If LUKS2 keyslot is not compatible, print debug message with more
specific info.

Fixes: #850
This commit is contained in:
Milan Broz
2025-05-15 14:27:37 +02:00
parent e5c2892cd5
commit 11dd8d318c
1 changed files with 41 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
lib/luks2/luks2_luks1_convert.c
View File

@@ -687,30 +687,54 @@ static int keyslot_LUKS1_compatible(struct crypt_device *cd, struct luks2_hdr *h
if (!jobj_keyslot)
return 1;
if (!json_object_object_get_ex(jobj_keyslot, "type", &jobj) ||
strcmp(json_object_get_string(jobj), "luks2"))
/* Keyslot type */
if (!json_object_object_get_ex(jobj_keyslot, "type", &jobj))
return 0;
if (strcmp(json_object_get_string(jobj), "luks2")) {
log_dbg(cd, "Keyslot %d type %s is not compatible.",
keyslot, json_object_get_string(jobj));
return 0;
}
/* Using PBKDF2, this implies memory and parallel is not used. */
/* Keyslot uses PBKDF2, this implies memory and parallel is not used. */
jobj = NULL;
if (!json_object_object_get_ex(jobj_keyslot, "kdf", &jobj_kdf) ||
!json_object_object_get_ex(jobj_kdf, "type", &jobj) ||
strcmp(json_object_get_string(jobj), CRYPT_KDF_PBKDF2) ||
!json_object_object_get_ex(jobj_kdf, "hash", &jobj) ||
strcmp(json_object_get_string(jobj), hash))
!json_object_object_get_ex(jobj_kdf, "type", &jobj))
return 0;
if (strcmp(json_object_get_string(jobj), CRYPT_KDF_PBKDF2)) {
log_dbg(cd, "Keyslot %d does not use PBKDF2.", keyslot);
return 0;
}
/* Keyslot KDF hash is the same as the digest hash. */
jobj = NULL;
if (!json_object_object_get_ex(jobj_kdf, "hash", &jobj))
return 0;
if (strcmp(json_object_get_string(jobj), hash)) {
log_dbg(cd, "Keyslot %d PBKDF uses different hash %s than digest hash %s.",
keyslot, json_object_get_string(jobj), hash);
return 0;
}
/* Keyslot AF use compatible striptes. */
jobj = NULL;
if (!json_object_object_get_ex(jobj_keyslot, "af", &jobj_af) ||
!json_object_object_get_ex(jobj_af, "stripes", &jobj) ||
json_object_get_int(jobj) != LUKS_STRIPES)
!json_object_object_get_ex(jobj_af, "stripes", &jobj))
return 0;
if (json_object_get_int(jobj) != LUKS_STRIPES) {
log_dbg(cd, "Keyslot %d AF uses incompatible stripes count.", keyslot);
return 0;
}
/* Keyslot AF hash is the same as the digest hash. */
jobj = NULL;
if (!json_object_object_get_ex(jobj_af, "hash", &jobj) ||
(crypt_hash_size(json_object_get_string(jobj)) < 0) ||
strcmp(json_object_get_string(jobj), hash))
if (!json_object_object_get_ex(jobj_af, "hash", &jobj))
return 0;
if (strcmp(json_object_get_string(jobj), hash)) {
log_dbg(cd, "Keyslot %d AF uses different hash %s than digest hash %s.",
keyslot, json_object_get_string(jobj), hash);
return 0;
}
ks_cipher = LUKS2_get_keyslot_cipher(hdr, keyslot, &ks_key_size);
data_cipher = LUKS2_get_cipher(hdr, CRYPT_DEFAULT_SEGMENT);
@@ -767,6 +791,8 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct
if (!json_object_object_get_ex(jobj_digest, "hash", &jobj2))
return -EINVAL;
hash = json_object_get_string(jobj2);
if (crypt_hash_size(hash) < 0)
return -EINVAL;
r = crypt_parse_name_and_mode(LUKS2_get_cipher(hdr2, CRYPT_DEFAULT_SEGMENT), cipher, NULL, cipher_mode);
if (r < 0)
@@ -791,8 +817,10 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct
}
r = LUKS2_get_volume_key_size(hdr2, 0);
if (r < 0)
if (r < 0) {
log_err(cd, _("Cannot convert to LUKS1 format - there are no active keyslots."), r);
return -EINVAL;
}
key_size = r;
for (i = 0; i < LUKS2_KEYSLOTS_MAX; i++) {