Avoid LUKS2 decryption without detached header.

This is temporary hotfix for stable 2.3.6 release. The full fix that requires new API will be provided in later 2.4.0 release. For more info see issue #614.
2025-12-05 16:00:05 +01:00 · 2021-05-21 14:08:06 +02:00
parent c7789719d8
commit 28dd0f5c05
2 changed files with 17 additions and 0 deletions
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -3003,6 +3003,12 @@ static int action_decrypt_luks2(struct crypt_device *cd)
 	};
 	size_t passwordLen;

+	if (!crypt_get_metadata_device_name(cd) || !crypt_get_device_name(cd) ||
+	    !strcmp(crypt_get_metadata_device_name(cd), crypt_get_device_name(cd))) {
+		log_err(_("LUKS2 decryption is supported with detached header device only."));
+		return -ENOTSUP;
+	}
+
 	_set_reencryption_flags(&params.flags);

 	r = tools_get_key(NULL, &password, &passwordLen,
--- a/tests/luks2-reencryption-test
+++ b/tests/luks2-reencryption-test
@@ -942,6 +942,17 @@ $CRYPTSETUP status $DEV_NAME >/dev/null || fail
 dmsetup remove --retry $DEV_NAME2
 $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail

+# check tool can block some funny user ideas
+preparebig 64
+echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c serpent-xts-plain -q $FAST_PBKDF_ARGON $DEV || fail
+echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV -q 2>/dev/null && fail
+echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $DEV -q 2>/dev/null && fail
+open_crypt $PWD1
+echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --active-name $DEV_NAME -q 2>/dev/null && fail
+echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --active-name $DEV_NAME --header $DEV -q 2>/dev/null && fail
+$CRYPTSETUP status $DEV_NAME | grep -q "reencryption:  in-progress" && fail
+$CRYPTSETUP close $DEV_NAME
+
 if ! dm_delay_features; then
 	echo "dm-delay target is missing, skipping recovery tests."
 	remove_mapping