Fix decryption with datashift initialization.

It did not work with --active-name option for
active LUKS2 devices.
This commit is contained in:
Ondrej Kozina
2022-06-20 15:36:39 +02:00
parent f182d73001
commit a485f44b57
2 changed files with 40 additions and 3 deletions


@@ -598,10 +598,14 @@ static enum device_status_info load_luks2_by_name(struct crypt_device **r_cd, co
{ {
int r; int r;
struct crypt_device *cd; struct crypt_device *cd;
struct stat st;
assert(r_cd); assert(r_cd);
assert(active_name); assert(active_name);
if (header_device && stat(header_device, &st) < 0 && errno == ENOENT)
return DEVICE_NOT_LUKS;
r = crypt_init_by_name_and_header(&cd, active_name, header_device); r = crypt_init_by_name_and_header(&cd, active_name, header_device);
if (r) if (r)
return DEVICE_INVALID; return DEVICE_INVALID;
@@ -1321,20 +1325,31 @@ static int _encrypt(struct crypt_device *cd, const char *type, enum device_statu
static int _decrypt(struct crypt_device **cd, enum device_status_info dev_st, const char *data_device) static int _decrypt(struct crypt_device **cd, enum device_status_info dev_st, const char *data_device)
{ {
int r; int r;
struct stat st;
bool export_header = false; bool export_header = false;
assert(cd);
if (dev_st == DEVICE_LUKS1 || dev_st == DEVICE_LUKS1_UNUSABLE) if (dev_st == DEVICE_LUKS1 || dev_st == DEVICE_LUKS1_UNUSABLE)
return reencrypt_luks1(data_device); return reencrypt_luks1(data_device);
/* header file does not exist, try loading device type from data device */ /* header file does not exist, try loading device type from data device */
if (dev_st == DEVICE_NOT_LUKS && ARG_SET(OPT_HEADER_ID)) { if (dev_st == DEVICE_NOT_LUKS && ARG_SET(OPT_HEADER_ID) &&
(stat(ARG_STR(OPT_HEADER_ID), &st) < 0) && errno == ENOENT) {
if (ARG_SET(OPT_ACTIVE_NAME_ID)) if (ARG_SET(OPT_ACTIVE_NAME_ID))
dev_st = load_luks2_by_name(cd, ARG_STR(OPT_ACTIVE_NAME_ID), NULL); dev_st = load_luks2_by_name(cd, ARG_STR(OPT_ACTIVE_NAME_ID), NULL);
else else
dev_st = load_luks(cd, NULL, uuid_or_device(data_device)); dev_st = load_luks(cd, NULL, uuid_or_device(data_device));
if (dev_st != DEVICE_LUKS2) /*
* If data device is not LUKS2 report 'header is missing' error
* message user would get originally.
*/
if (dev_st != DEVICE_LUKS2) {
log_err(_("Device %s does not exist or access denied."),
ARG_STR(OPT_HEADER_ID));
return -EINVAL; return -EINVAL;
}
export_header = true; export_header = true;
} }
@@ -1355,8 +1370,11 @@ static int _decrypt(struct crypt_device **cd, enum device_status_info dev_st, co
if (r < 0 || ARG_SET(OPT_INIT_ONLY_ID)) if (r < 0 || ARG_SET(OPT_INIT_ONLY_ID))
return r; return r;
} else if (dev_st == DEVICE_NOT_LUKS) } else if (dev_st == DEVICE_NOT_LUKS) {
log_err(_("Device %s is not a valid LUKS device."),
ARG_STR(OPT_HEADER_ID) ?: uuid_or_device(data_device));
return -EINVAL; return -EINVAL;
}
r = reencrypt_luks2_resume(*cd); r = reencrypt_luks2_resume(*cd);
return r; return r;
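Review bot: The fallback added in `_decrypt` (hunk at -1321) is taken only when `stat()` on the `--header` path fails with ENOENT, so a header file that exists but cannot be stat'ed (EACCES, ELOOP, ENOTDIR) skips the active-device lookup and, if dev_st is still DEVICE_NOT_LUKS, ends in the third hunk's `Device %s is not a valid LUKS device.` message, although the new message in the second hunk promises "does not exist or access denied" for the header path. The same stat/ENOENT test is repeated in `load_luks2_by_name` (first hunk); a small static helper such as `static bool header_file_missing(const char *path)` returning the ENOENT result would keep the two call sites in step. At minimum the condition deserves a comment on the intent, e.g. `/* Only a missing header file triggers the fallback to the active device; any other stat() failure is reported by the generic path below. */`. Whether dev_st can be DEVICE_NOT_LUKS for an existing but unreadable header depends on the caller, which is outside the hunks, as is the part of `_decrypt`'s body between the second and third hunks. The `?:` in the third hunk is a GNU extension, acceptable only if the file already relies on it elsewhere.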


@@ -1955,6 +1955,25 @@ echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
wipe_dev /dev/mapper/$DEV_NAME wipe_dev /dev/mapper/$DEV_NAME
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR || fail echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR || fail
check_hash_dev_head $DEV 2048 $HASH2 check_hash_dev_head $DEV 2048 $HASH2
rm -f $IMG_HDR
# initialization by --active-name parameter
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 8192 || fail
echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
wipe_dev /dev/mapper/$DEV_NAME
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR --active-name $DEV_NAME || fail
check_hash_dev_head $DEV 2048 $HASH2
rm -f $IMG_HDR
# initialization and resume by --active-name parameter
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV --offset 8192 || fail
echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
wipe_dev /dev/mapper/$DEV_NAME
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR --active-name $DEV_NAME --init-only || fail
check_hash_dev /dev/mapper/$DEV_NAME $HASH2
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --header $IMG_HDR --active-name $DEV_NAME || fail
check_hash_dev_head $DEV 2048 $HASH2
rm -f $IMG_HDR
echo "[33] Decryption with datashift recovery (error in shift area)." echo "[33] Decryption with datashift recovery (error in shift area)."
prepare_linear_dev 32 prepare_linear_dev 32