From a15008d876b48a23b464fc392318a5fee914da4c Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Tue, 16 Jun 2020 12:21:29 +0200
Subject: [PATCH] Do not create excessively large headers.

When creating LUKS2 header with specified --offset much larger
then LUKS2 header size we needlessly also wipe (allocate up to
--offset) much larger file than needed.
---
 lib/luks2/luks2.h             | 2 +-
 lib/luks2/luks2_json_format.c | 4 ++--
 lib/setup.c                   | 2 +-
 tests/compat-test2            | 6 ++++++
 4 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/lib/luks2/luks2.h b/lib/luks2/luks2.h
index 6ab753a4..5b29a627 100644
--- a/lib/luks2/luks2.h
+++ b/lib/luks2/luks2.h
@@ -523,7 +523,7 @@ int LUKS2_check_metadata_area_size(uint64_t metadata_size);
 int LUKS2_check_keyslots_area_size(uint64_t keyslots_size);
 
 int LUKS2_wipe_header_areas(struct crypt_device *cd,
-	struct luks2_hdr *hdr);
+	struct luks2_hdr *hdr, bool detached_header);
 
 uint64_t LUKS2_get_data_offset(struct luks2_hdr *hdr);
 int LUKS2_get_data_size(struct luks2_hdr *hdr, uint64_t *size, bool *dynamic);
diff --git a/lib/luks2/luks2_json_format.c b/lib/luks2/luks2_json_format.c
index 1416766e..fb695f08 100644
--- a/lib/luks2/luks2_json_format.c
+++ b/lib/luks2/luks2_json_format.c
@@ -337,7 +337,7 @@ err:
 }
 
 int LUKS2_wipe_header_areas(struct crypt_device *cd,
-	struct luks2_hdr *hdr)
+	struct luks2_hdr *hdr, bool detached_header)
 {
 	int r;
 	uint64_t offset, length;
@@ -352,7 +352,7 @@ int LUKS2_wipe_header_areas(struct crypt_device *cd,
 		return -EINVAL;
 
 	/* On detached header wipe at least the first 4k */
-	if (length == 0) {
+	if (detached_header) {
 		length = 4096;
 		wipe_block = 4096;
 	}
diff --git a/lib/setup.c b/lib/setup.c
index 567f2624..52b472a1 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -1874,7 +1874,7 @@ static int _crypt_format_luks2(struct crypt_device *cd,
 			goto out;
 	}
 
-	r = LUKS2_wipe_header_areas(cd, &cd->u.luks2.hdr);
+	r = LUKS2_wipe_header_areas(cd, &cd->u.luks2.hdr, cd->metadata_device != NULL);
 	if (r < 0) {
 		log_err(cd, _("Cannot wipe header on device %s."),
 			mdata_device_path(cd));
diff --git a/tests/compat-test2 b/tests/compat-test2
index fd8d6f02..0fad9997 100755
--- a/tests/compat-test2
+++ b/tests/compat-test2
@@ -713,6 +713,12 @@ $CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "5: luks2" || fail
 $CRYPTSETUP luksKillSlot -q _fakedev_ --header $HEADER_IMG 5 || fail
 $CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "5: luks2" && fail
 echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_IMG || fail
+rm $HEADER_IMG || fail
+# create exactly 16 MiBs LUKS2 header
+echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG --luks2-keyslots-size 16352k --luks2-metadata-size 16k --offset 131072 >/dev/null || fail
+SIZE=$(stat --printf=%s $HEADER_IMG)
+test $SIZE -eq 16777216 || fail
+$CRYPTSETUP -q luksDump  $HEADER_IMG | grep -q "offset: $((512 * 131072)) \[bytes\]" || fail
 
 prepare "[29] Repair metadata" wipe
 xz -dk $HEADER_LUKS2_PV.xz