eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-15 12:50:06 +01:00
Code Issues Packages Projects Releases Wiki Activity

Reject LUKS2 decryption with broken cmd line arguments.

Browse Source 
LUKS2 decryption is currently not supported for devices
with LUKS2 metadata placed in head of data devices. The decryption
still works correctly, but resulting plaintext device has data on
unexpected (original) offset. For example at offset of 16MiB in case
of default LUKS2 header.

Fixes: #614.
This commit is contained in:
Ondrej Kozina
2020-11-26 15:47:28 +01:00
committed by Milan Broz
parent 0c29321407
commit 670d08b406
2 changed files with 19 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/cryptsetup.c
View File

@@ -2993,6 +2993,11 @@ static int action_decrypt_luks2(struct crypt_device *cd)
}; };
size_t passwordLen; size_t passwordLen;
if (!crypt_get_metadata_device_name(cd) || crypt_header_is_detached(cd) <= 0) {
log_err(_("LUKS2 decryption is supported with detached header device only."));
return -ENOTSUP;
}
_set_reencryption_flags(&params.flags); _set_reencryption_flags(&params.flags);
r = tools_get_key(NULL, &password, &passwordLen, r = tools_get_key(NULL, &password, &passwordLen,

15
tests/luks2-reencryption-test
View File

@@ -23,6 +23,7 @@ VKEY1=vkey1
PWD1="93R4P4pIqAH8" PWD1="93R4P4pIqAH8"
PWD2="1cND4319812f" PWD2="1cND4319812f"
PWD3="1-9Qu5Ejfnqv" PWD3="1-9Qu5Ejfnqv"
DEV_LINK="reenc-test-link"
[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) [ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
@@ -97,7 +98,7 @@ function remove_mapping()
[ -b /dev/mapper/$OVRDEV-err ] && dmsetup remove --retry $OVRDEV-err 2>/dev/null [ -b /dev/mapper/$OVRDEV-err ] && dmsetup remove --retry $OVRDEV-err 2>/dev/null
[ -n "$LOOPDEV" ] && losetup -d $LOOPDEV [ -n "$LOOPDEV" ] && losetup -d $LOOPDEV
unset LOOPDEV unset LOOPDEV
rm -f $IMG $IMG_HDR $KEY1 $VKEY1 $DEVBIG >/dev/null 2>&1 rm -f $IMG $IMG_HDR $KEY1 $VKEY1 $DEVBIG $DEV_LINK >/dev/null 2>&1
rmmod scsi_debug 2> /dev/null rmmod scsi_debug 2> /dev/null
scsi_debug_teardown $DEV scsi_debug_teardown $DEV
} }
@@ -930,6 +931,18 @@ if ! dm_delay_features; then
exit 0 exit 0
fi fi
# check tool can block some funny user ideas
preparebig 64
ln -s $DEV $DEV_LINK || fail
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c serpent-xts-plain -q $FAST_PBKDF_ARGON $DEV || fail
$CRYPTSETUP reencrypt --decrypt $DEV -q 2>/dev/null && fail
$CRYPTSETUP reencrypt --decrypt $DEV --header $DEV -q 2>/dev/null && fail
$CRYPTSETUP reencrypt --decrypt $DEV --header $DEV_LINK -q 2>/dev/null && fail
open_crypt $PWD1
$CRYPTSETUP reencrypt --decrypt --active-name $DEV_NAME -q 2>/dev/null && fail
$CRYPTSETUP reencrypt --decrypt --active-name $DEV_NAME --header $DEV -q 2>/dev/null && fail
$CRYPTSETUP reencrypt --decrypt --active-name $DEV_NAME --header $DEV_LINK -q 2>/dev/null && fail
echo "[6] Reencryption recovery" echo "[6] Reencryption recovery"
# (check opt-io size optimization in reencryption code does not affect recovery) # (check opt-io size optimization in reencryption code does not affect recovery)
# device with opt-io size 32k # device with opt-io size 32k