Improve reencryption parameters verification in cli.

Try to catch as many invalid parameters as possible
before entering the library call.
This commit is contained in:
Ondrej Kozina
2022-07-11 12:51:43 +02:00
committed by Milan Broz
parent 25b877a403
commit 912109ae66
2 changed files with 67 additions and 36 deletions


@@ -163,11 +163,40 @@ static int reencrypt_get_active_name(struct crypt_device *cd,
return get_active_device_name(cd, data_device, r_active_name);
}
static int decrypt_verify_and_set_params(struct crypt_params_reencrypt *params)
{
const char *resilience;
assert(params);
if (!ARG_SET(OPT_RESILIENCE_ID))
return 0;
resilience = ARG_STR(OPT_RESILIENCE_ID);
if (!strcmp(resilience, "datashift") ||
!strcmp(resilience, "none")) {
log_err(_("Requested --resilience option cannot be applied "
"to current reencryption operation."));
return -EINVAL;
} else if (!strcmp(resilience, "journal"))
params->resilience = "datashift-journal";
else if (!strcmp(resilience, "checksum"))
params->resilience = "datashift-checksum";
else if (!strcmp(resilience, "datashift-checksum") ||
!strcmp(resilience, "datashift-journal"))
params->resilience = resilience;
else {
log_err(_("Unsupported resilience mode %s"), resilience);
return -EINVAL;
}
return 0;
}
static int reencrypt_verify_and_update_params(struct crypt_params_reencrypt *params,
char **r_hash)
{
bool decrypt_datashift = false;
assert(params);
assert(r_hash);
@@ -194,29 +223,16 @@ static int reencrypt_verify_and_update_params(struct crypt_params_reencrypt *par
"to current reencryption operation."));
return -EINVAL;
}
if (strncmp(params->resilience, "datashift-", 10) &&
!strncmp(ARG_STR(OPT_RESILIENCE_ID), "datashift-", 10)) {
if (!strncmp(params->resilience, "datashift-", 10)) {
/* decryption with datashift in progress */
if (decrypt_verify_and_set_params(params))
return -EINVAL;
} else if (!strncmp(ARG_STR(OPT_RESILIENCE_ID), "datashift-", 10)) {
log_err(_("Requested --resilience option cannot be applied "
"to current reencryption operation."));
return -EINVAL;
}
if (!strncmp(params->resilience, "datashift-", 10)) {
if (!strcmp(ARG_STR(OPT_RESILIENCE_ID), "datashift")) {
log_err(_("Requested --resilience option cannot be applied "
"to current reencryption operation."));
return -EINVAL;
}
decrypt_datashift = true;
}
}
params->resilience = NULL;
if (ARG_SET(OPT_RESILIENCE_ID)) {
if (decrypt_datashift && !strcmp(ARG_STR(OPT_RESILIENCE_ID), "checksum"))
params->resilience = "datashift-checksum";
else if (decrypt_datashift && !strcmp(ARG_STR(OPT_RESILIENCE_ID), "journal"))
params->resilience = "datashift-journal";
else
} else
params->resilience = ARG_STR(OPT_RESILIENCE_ID);
/* we have to copy hash string returned by API */
@@ -229,13 +245,15 @@ static int reencrypt_verify_and_update_params(struct crypt_params_reencrypt *par
}
/* Add default hash when switching to checksum based resilience */
if (!params->hash && (!strcmp(params->resilience, "checksum") ||
if (!params->hash && !ARG_SET(OPT_RESILIENCE_HASH_ID) &&
(!strcmp(params->resilience, "checksum") ||
!strcmp(params->resilience, "datashift-checksum")))
params->hash = "sha256";
if (ARG_SET(OPT_RESILIENCE_HASH_ID))
params->hash = ARG_STR(OPT_RESILIENCE_HASH_ID);
}
} else
params->resilience = NULL;
params->max_hotzone_size = ARG_UINT64(OPT_HOTZONE_SIZE_ID) / SECTOR_SIZE;
params->device_size = ARG_UINT64(OPT_DEVICE_SIZE_ID) / SECTOR_SIZE;
@@ -676,18 +694,8 @@ static int decrypt_luks2_datashift_init(struct crypt_device **cd,
.flags = CRYPT_REENCRYPT_MOVE_FIRST_SEGMENT
};
if (ARG_SET(OPT_RESILIENCE_ID)) {
if (!strcmp(ARG_STR(OPT_RESILIENCE_ID), "datashift")) {
log_err(_("Requested --resilience option cannot be applied "
"to current reencryption operation."));
return -EINVAL;
}
else if (!strcmp(ARG_STR(OPT_RESILIENCE_ID), "journal"))
params.resilience = "datashift-journal";
else
params.resilience = ARG_STR(OPT_RESILIENCE_ID);
}
if ((r = decrypt_verify_and_set_params(&params)))
return r;
r = tools_get_key(NULL, &password, &passwordLen,
ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID),
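Review bot: In reencrypt_verify_and_update_params the result of decrypt_verify_and_set_params() is collapsed to `return -EINVAL;`, while the other new call site in decrypt_luks2_datashift_init propagates it with `if ((r = decrypt_verify_and_set_params(&params))) return r;`; the two sites should agree so that an error code from the helper (today it only returns 0 or -EINVAL, but a caller rewriting it is a trap for later changes) is not silently replaced. Changing the first site to `if ((r = decrypt_verify_and_set_params(params))) return r;` matches the second, provided reencrypt_verify_and_update_params has an `int r` in scope — its declarations are outside the visible hunk, so this needs confirming. The new helper also lacks a header comment; something like `/* Map a user-supplied --resilience value onto the datashift-* variants used while decrypting with data shift; "datashift" and "none" are rejected. Returns 0 or -EINVAL. */` would spare the next reader from deriving the mapping from the strcmp chain. In the hash hunk, the added `!ARG_SET(OPT_RESILIENCE_HASH_ID)` guard on the default-hash assignment is redundant, since the very next statement overwrites params->hash with ARG_STR(OPT_RESILIENCE_HASH_ID) whenever that option is set. The bodies of all three touched functions continue outside the visible hunks.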


@@ -1799,21 +1799,44 @@ echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --init-only $FAST_PBKDF_ARGON || fail
echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --reduce-device-size 4M $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail
echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience datashift 2> /dev/null && fail
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience datashift-checksum 2> /dev/null && fail
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience datashift-journal 2> /dev/null && fail
wipe_dev_head $DEV 1
echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 16M $DEV -q $FAST_PBKDF_ARGON 2> /dev/null || fail
echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience journal 2> /dev/null && fail
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience datashift-checksum 2> /dev/null && fail
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience datashift-journal 2> /dev/null && fail
wipe_dev_head $DEV 1
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --header $IMG_HDR $FAST_PBKDF2 $DEV || fail
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --header $IMG_HDR --init-only $FAST_PBKDF_ARGON || fail
echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --header $IMG_HDR $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail
echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --header $IMG_HDR $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --header $IMG_HDR --resilience datashift-checksum 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --header $IMG_HDR --resilience datashift-journal 2>/dev/null && fail
rm -f $IMG_HDR
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --encrypt --header $IMG_HDR --init-only $FAST_PBKDF_ARGON || fail
echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --header $IMG_HDR $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --header $IMG_HDR $FAST_PBKDF2 $DEV || fail
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR --init-only $FAST_PBKDF_ARGON || fail
echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --header $IMG_HDR $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail
rm -f $IMG_HDR
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF2 $DEV || fail
echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $IMG_HDR -q --init-only $FAST_PBKDF_ARGON --resilience datashift 2> /dev/null && fail
test -f $IMG_HDR && fail
echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $IMG_HDR -q --init-only $FAST_PBKDF_ARGON --resilience none 2> /dev/null && fail
test -f $IMG_HDR && fail
$CRYPTSETUP luksDump $DEV | grep -q "online-reencrypt" && fail
# FIXME: There's a bug in --hotzone-size parameter when initializing decryption with datashift
#echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $IMG_HDR -q --init-only $FAST_PBKDF_ARGON --resilience checksum --hotzone-size 4m || fail
echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $IMG_HDR -q --init-only $FAST_PBKDF_ARGON --resilience checksum || fail
$CRYPTSETUP isLuks $DEV -q && fail
# $CRYPTSETUP luksDump $IMG_HDR
echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $IMG_HDR -q --resilience datashift 2> /dev/null && fail
echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $IMG_HDR -q --resilience none 2> /dev/null && fail
# FIXME: (see above)
#echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV --header $IMG_HDR -q --resilience journal || fail
rm -f $IMG_HDR
check_blkid
if [ "$HAVE_BLKID" -gt 0 ]; then