Do not use real password when unlocking "fake" header on reecryption.

If reencrypt removes encryption (or adds encryption to a not yet encrypted system),
there is a temporary header using the null (none) cipher.
We do not need to pass the password through when unlocking these devices.
Milan Broz
2015-07-02 08:18:44 +02:00
parent 0dc245401f
commit 6e82bdd9a5


@@ -391,10 +391,30 @@ static int open_log(struct reenc_ctx *rc)
static int activate_luks_headers(struct reenc_ctx *rc) static int activate_luks_headers(struct reenc_ctx *rc)
{ {
struct crypt_device *cd = NULL, *cd_new = NULL; struct crypt_device *cd = NULL, *cd_new = NULL;
const char *pwd_old, *pwd_new, pwd_empty[] = "";
size_t pwd_old_len, pwd_new_len;
int r; int r;
log_dbg("Activating LUKS devices from headers."); log_dbg("Activating LUKS devices from headers.");
/* Never use real password for empty header processing */
if (rc->reencrypt_mode == REENCRYPT) {
pwd_old = rc->p[rc->keyslot].password;
pwd_old_len = rc->p[rc->keyslot].passwordLen;
pwd_new = pwd_old;
pwd_new_len = pwd_old_len;
} else if (rc->reencrypt_mode == DECRYPT) {
pwd_old = rc->p[rc->keyslot].password;
pwd_old_len = rc->p[rc->keyslot].passwordLen;
pwd_new = pwd_empty;
pwd_new_len = 0;
} else if (rc->reencrypt_mode == ENCRYPT) {
pwd_old = pwd_empty;
pwd_old_len = 0;
pwd_new = rc->p[rc->keyslot].password;
pwd_new_len = rc->p[rc->keyslot].passwordLen;
}
if ((r = crypt_init(&cd, rc->header_file_org)) || if ((r = crypt_init(&cd, rc->header_file_org)) ||
(r = crypt_load(cd, CRYPT_LUKS1, NULL)) || (r = crypt_load(cd, CRYPT_LUKS1, NULL)) ||
(r = crypt_set_data_device(cd, rc->device))) (r = crypt_set_data_device(cd, rc->device)))
@@ -402,7 +422,7 @@ static int activate_luks_headers(struct reenc_ctx *rc)
log_verbose(_("Activating temporary device using old LUKS header.\n")); log_verbose(_("Activating temporary device using old LUKS header.\n"));
if ((r = crypt_activate_by_passphrase(cd, rc->header_file_org, if ((r = crypt_activate_by_passphrase(cd, rc->header_file_org,
opt_key_slot, rc->p[rc->keyslot].password, rc->p[rc->keyslot].passwordLen, opt_key_slot, pwd_old, pwd_old_len,
CRYPT_ACTIVATE_READONLY|CRYPT_ACTIVATE_PRIVATE)) < 0) CRYPT_ACTIVATE_READONLY|CRYPT_ACTIVATE_PRIVATE)) < 0)
goto out; goto out;
@@ -413,7 +433,7 @@ static int activate_luks_headers(struct reenc_ctx *rc)
log_verbose(_("Activating temporary device using new LUKS header.\n")); log_verbose(_("Activating temporary device using new LUKS header.\n"));
if ((r = crypt_activate_by_passphrase(cd_new, rc->header_file_new, if ((r = crypt_activate_by_passphrase(cd_new, rc->header_file_new,
opt_key_slot, rc->p[rc->keyslot].password, rc->p[rc->keyslot].passwordLen, opt_key_slot, pwd_new, pwd_new_len,
CRYPT_ACTIVATE_SHARED|CRYPT_ACTIVATE_PRIVATE)) < 0) CRYPT_ACTIVATE_SHARED|CRYPT_ACTIVATE_PRIVATE)) < 0)
goto out; goto out;
r = 0; r = 0;
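Review bot: The new `if`/`else if` chain over `rc->reencrypt_mode` in activate_luks_headers() has no final `else`, so `pwd_old`, `pwd_new` and both length variables stay uninitialized when the mode is not REENCRYPT, DECRYPT or ENCRYPT, and they are then passed to both `crypt_activate_by_passphrase()` calls. The enum definition is not visible on this page, so the path may be unreachable today, but a later fourth mode would read indeterminate pointers. Closing the chain with `} else return -EINVAL;` (nothing is allocated yet at that point) makes the failure explicit and keeps the "never use real password for empty header" rule from depending on every caller setting a known mode. The function body continues outside the hunks shown, including the `out:` cleanup label.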