From 4862c38ca9048adddcb00a7760ae284e2a26a7c5 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina
Date: Tue, 16 Feb 2021 17:08:53 +0100
Subject: [PATCH] Prefer default cipher when reencrypting cipher_null device.
By default when reencrypting LUKS2 device we regenerate only the volume key. But if the device was 'encrypted' by cipher_null this change did not make sense. The key was always empty. Change the behaviour so that unless user specifies --cipher parameter on command line, we change data encryption cipher to default when old segment cipher was cipher_null.
---
 src/cryptsetup.c | 5 +++++
 tests/luks2-reencryption-test | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 5e222866..6f8f9f88 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -3177,6 +3177,11 @@ static int action_reencrypt_luks2(struct crypt_device *cd)
 _set_reencryption_flags(¶ms.flags);
+ if (!ARG_SET(OPT_CIPHER_ID) && crypt_is_cipher_null(crypt_get_cipher(cd))) {
+ log_std(_("Switching data encryption cipher to %s.\n"), DEFAULT_CIPHER(LUKS1));
+ ARG_SET_STR(OPT_CIPHER_ID, strdup(DEFAULT_CIPHER(LUKS1)));
+ }
+
 if (!ARG_SET(OPT_CIPHER_ID)) {
 strncpy(cipher, crypt_get_cipher(cd), MAX_CIPHER_LEN - 1);
 strncpy(mode, crypt_get_cipher_mode(cd), MAX_CIPHER_LEN - 1);
diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
index b7d97017..51b54735 100755
--- a/tests/luks2-reencryption-test
+++ b/tests/luks2-reencryption-test
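Review bot: In the src/cryptsetup.c hunk, the `strdup()` result is handed to `ARG_SET_STR(OPT_CIPHER_ID, ...)` unchecked, so on allocation failure the option would presumably be marked as set with a NULL value (the macro is defined outside this diff). This block is the only thing that moves a cipher_null volume to real encryption when no `--cipher` is given, so it should fail closed rather than depend on what the later parsing does with NULL: `char *def = strdup(DEFAULT_CIPHER(LUKS1));` `if (!def) return -ENOMEM;` `ARG_SET_STR(OPT_CIPHER_ID, def);`. I would also add a comment above the block such as `/* cipher_null stores data unencrypted; regenerating only the volume key would keep it that way, so select the default cipher unless --cipher was given */`. The body of action_reencrypt_luks2 starts before and continues after the hunk, so whether an early return needs cleanup at that point should be confirmed.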
@@ -1419,9 +1419,9 @@ $CRYPTSETUP close $DEV_NAME
 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 -s 128 -c cipher_null-ecb --offset 8192 $FAST_PBKDF2 $DEV || fail
 $CRYPTSETUP convert -q --type luks2 $DEV || fail
 wipe $PWD1
-echo $PWD1 | $CRYPTSETUP reencrypt $DEV -c aes-xts-plain64 -q $FAST_PBKDF_ARGON || fail
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON >/dev/null || fail
 check_hash $PWD1 $HASH1
-# both keyslot and segment cipher must not be null
+# both keyslot and segment cipher must not be null after reencryption with default params
 $CRYPTSETUP luksDump $DEV | grep -q "cipher_null" && fail
 remove_mapping
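Review bot: The only assertion after the changed `reencrypt` line is negative (`luksDump | grep -q "cipher_null" && fail`), so the test does not confirm which cipher the volume ended up with, and `>/dev/null` discards the new "Switching data encryption cipher" message without checking it. Replacing the `-c aes-xts-plain64` invocation also removes this hunk's coverage of the explicit-cipher path from a cipher_null volume; unless another case in the file covers it, I would keep it as a second run. A positive check could follow `check_hash`, for example `$CRYPTSETUP luksDump $DEV | grep -q "aes-xts-plain64" || fail`, assuming that is the compiled-in default for the build under test.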