Do not resume reencryption with conflicting parameters.
Do not resume reencryption operation with conflicting parameters. For example, if the operation was initialized as --encrypt, do not allow resume with the opposing parameter --decrypt and vice versa. Also check for conflicting --resilience parameters (datashift cannot be changed after initialization). Previously, conflicting reencryption parameters were silently ignored. So, for example, an operation initialized with mode --encrypt and resumed with mode --decrypt simply finished the --encrypt operation and did not report any error. This could lead to the impression that a different type of operation was performed instead. Fixes: #570.
@@ -141,10 +141,11 @@ static int reencrypt_get_active_name(struct crypt_device *cd, const char *data_d
|
|||||||
|
|
||||||
static int reencrypt_luks2_load(struct crypt_device *cd, const char *data_device)
|
static int reencrypt_luks2_load(struct crypt_device *cd, const char *data_device)
|
||||||
{
|
{
|
||||||
|
crypt_reencrypt_info ri;
|
||||||
int r;
|
int r;
|
||||||
size_t passwordLen;
|
size_t passwordLen;
|
||||||
char *active_name = NULL, *password = NULL;
|
char *active_name = NULL, *password = NULL;
|
||||||
struct crypt_params_reencrypt params = {
|
struct crypt_params_reencrypt ret_params, params = {
|
||||||
.resilience = ARG_STR(OPT_RESILIENCE_ID) ?: "checksum",
|
.resilience = ARG_STR(OPT_RESILIENCE_ID) ?: "checksum",
|
||||||
.hash = ARG_STR(OPT_RESILIENCE_HASH_ID) ?: "sha256",
|
.hash = ARG_STR(OPT_RESILIENCE_HASH_ID) ?: "sha256",
|
||||||
.max_hotzone_size = ARG_UINT64(OPT_HOTZONE_SIZE_ID) / SECTOR_SIZE,
|
.max_hotzone_size = ARG_UINT64(OPT_HOTZONE_SIZE_ID) / SECTOR_SIZE,
|
||||||
@@ -152,6 +153,35 @@ static int reencrypt_luks2_load(struct crypt_device *cd, const char *data_device
|
|||||||
.flags = CRYPT_REENCRYPT_RESUME_ONLY
|
.flags = CRYPT_REENCRYPT_RESUME_ONLY
|
||||||
};
|
};
|
||||||
|
|
||||||
|
ri = crypt_reencrypt_status(cd, &ret_params);
|
||||||
|
if (ri == CRYPT_REENCRYPT_CRASH)
|
||||||
|
log_err(_("Device requires reencryption recovery. Run repair first."));
|
||||||
|
|
||||||
|
if (ri != CRYPT_REENCRYPT_CLEAN)
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
|
if (ARG_SET(OPT_ENCRYPT_ID) && ret_params.mode != CRYPT_REENCRYPT_ENCRYPT) {
|
||||||
|
log_err(_("Device is not in LUKS2 encryption. Conflicting option --encrypt."));
|
||||||
|
return -EINVAL;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ARG_SET(OPT_DECRYPT_ID) && ret_params.mode != CRYPT_REENCRYPT_DECRYPT) {
|
||||||
|
log_err(_("Device is not in LUKS2 decryption. Conflicting option --decrypt."));
|
||||||
|
return -EINVAL;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ARG_SET(OPT_RESILIENCE_ID) &&
|
||||||
|
!strcmp(ret_params.resilience, "datashift") && strcmp(ARG_STR(OPT_RESILIENCE_ID), "datashift")) {
|
||||||
|
log_err(_("Device is in reencryption using datashift resilience. Requested --resilience option cannot be applied."));
|
||||||
|
return -EINVAL;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ARG_SET(OPT_RESILIENCE_ID) &&
|
||||||
|
strcmp(ret_params.resilience, "datashift") && !strcmp(ARG_STR(OPT_RESILIENCE_ID), "datashift")) {
|
||||||
|
log_err(_("Requested --resilience option cannot be applied to current reencryption operation."));
|
||||||
|
return -EINVAL;
|
||||||
|
}
|
||||||
|
|
||||||
r = tools_get_key(NULL, &password, &passwordLen,
|
r = tools_get_key(NULL, &password, &passwordLen,
|
||||||
ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
|
ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
|
||||||
ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd);
|
ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd);
|
||||||
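Review bot: Both resilience checks pass `ret_params.resilience` straight to `strcmp()`, and `ret_params` is declared without an initializer, so the comparison is only safe if `crypt_reencrypt_status()` always sets that field when it returns `CRYPT_REENCRYPT_CLEAN`, which is not visible in this hunk. Since the value is derived from on-disk header metadata, I would zero-initialize `ret_params` and reject a missing value before the two comparisons, e.g. `if (ARG_SET(OPT_RESILIENCE_ID) && !ret_params.resilience) return -EINVAL;`. Separately, when `ri` is neither `CRYPT_REENCRYPT_CLEAN` nor `CRYPT_REENCRYPT_CRASH` the function returns `-EINVAL` without logging anything, so a short `log_err()` on that path would help unless the caller already reports it. The body of `reencrypt_luks2_load` continues past the end of the hunk.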
|
|||||||
@@ -158,13 +158,18 @@ function img_run_reenc_ok()
|
|||||||
$CRYPTSETUP_RAW reencrypt $IMG $CS_PWPARAMS -q --disable-locks --force-offline-reencrypt --resilience none || fail
|
$CRYPTSETUP_RAW reencrypt $IMG $CS_PWPARAMS -q --disable-locks --force-offline-reencrypt --resilience none || fail
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function img_run_reenc_ok_data_shift()
|
||||||
|
{
|
||||||
|
$CRYPTSETUP_RAW reencrypt $IMG $CS_PWPARAMS -q --disable-locks --force-offline-reencrypt || fail
|
||||||
|
}
|
||||||
|
|
||||||
function img_run_reenc_fail()
|
function img_run_reenc_fail()
|
||||||
{
|
{
|
||||||
$CRYPTSETUP_RAW reencrypt $IMG $CS_PWPARAMS --force-offline-reencrypt --disable-locks -q 2>/dev/null && fail "Reencryption passed (should have failed)."
|
$CRYPTSETUP_RAW reencrypt $IMG $CS_PWPARAMS --force-offline-reencrypt --disable-locks -q 2>/dev/null && fail "Reencryption passed (should have failed)."
|
||||||
img_hash_unchanged
|
img_hash_unchanged
|
||||||
}
|
}
|
||||||
|
|
||||||
function img_check_fail_repair_ok()
|
function img_check_fail_repair()
|
||||||
{
|
{
|
||||||
if [ $(id -u) == 0 ]; then
|
if [ $(id -u) == 0 ]; then
|
||||||
$CRYPTSETUP open $CS_PWPARAMS $IMG $DEV_NAME 2>/dev/null && fail
|
$CRYPTSETUP open $CS_PWPARAMS $IMG $DEV_NAME 2>/dev/null && fail
|
||||||
@@ -176,9 +181,20 @@ function img_check_fail_repair_ok()
|
|||||||
$CRYPTSETUP repair $IMG $CS_PARAMS || fail
|
$CRYPTSETUP repair $IMG $CS_PARAMS || fail
|
||||||
|
|
||||||
img_check_ok
|
img_check_ok
|
||||||
|
}
|
||||||
|
|
||||||
|
function img_check_fail_repair_ok()
|
||||||
|
{
|
||||||
|
img_check_fail_repair
|
||||||
img_run_reenc_ok
|
img_run_reenc_ok
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function img_check_fail_repair_ok_data_shift()
|
||||||
|
{
|
||||||
|
img_check_fail_repair
|
||||||
|
img_run_reenc_ok_data_shift
|
||||||
|
}
|
||||||
|
|
||||||
function valgrind_setup()
|
function valgrind_setup()
|
||||||
{
|
{
|
||||||
bin_check valgrind
|
bin_check valgrind
|
||||||
@@ -203,8 +219,6 @@ export LANG=C
|
|||||||
|
|
||||||
[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run
|
[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run
|
||||||
|
|
||||||
#while false; do
|
|
||||||
|
|
||||||
echo "[1] Reencryption with old flag is rejected"
|
echo "[1] Reencryption with old flag is rejected"
|
||||||
img_prepare
|
img_prepare
|
||||||
img_update_json '.config.requirements.mandatory = ["online-reencryptx"]'
|
img_update_json '.config.requirements.mandatory = ["online-reencryptx"]'
|
||||||
@@ -346,7 +360,7 @@ img_update_json '
|
|||||||
.digests."0".segments = ["0","2"] |
|
.digests."0".segments = ["0","2"] |
|
||||||
.digests."1".segments = ["1","3"] |
|
.digests."1".segments = ["1","3"] |
|
||||||
.config.requirements.mandatory = ["online-reencrypt"]'
|
.config.requirements.mandatory = ["online-reencrypt"]'
|
||||||
img_check_fail_repair_ok
|
img_check_fail_repair_ok_data_shift
|
||||||
|
|
||||||
#
|
#
|
||||||
# NEW metadata (with reenc digest)
|
# NEW metadata (with reenc digest)
|
||||||
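Review bot: `img_run_reenc_ok_data_shift()` differs from `img_run_reenc_ok()` only by omitting `--resilience none`, and nothing in the file says why. A one-line comment above it would keep a later cleanup from merging the two helpers back together, for example `# datashift operation: resume without --resilience, any other value is rejected on resume`. This reading is inferred from the commit description (datashift cannot be changed after initialization), so the wording should be adjusted if the intent differs.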
|
|||||||
@@ -1686,5 +1686,27 @@ rm -f $IMG_HDR
|
|||||||
echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only --type luks2 --header $IMG_HDR $FAST_PBKDF2 $DEV || fail
|
echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only --type luks2 --header $IMG_HDR $FAST_PBKDF2 $DEV || fail
|
||||||
echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --type luks1 --header $IMG_HDR $FAST_PBKDF2 $DEV 2>/dev/null && fail
|
echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --type luks1 --header $IMG_HDR $FAST_PBKDF2 $DEV 2>/dev/null && fail
|
||||||
|
|
||||||
|
echo "[29] Conflicting reencryption parameters"
|
||||||
|
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF2 $DEV || fail
|
||||||
|
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --init-only $FAST_PBKDF_ARGON || fail
|
||||||
|
echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --reduce-device-size 4M $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail
|
||||||
|
echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail
|
||||||
|
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience datashift 2> /dev/null && fail
|
||||||
|
wipe_dev_head $DEV 1
|
||||||
|
echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 16M $DEV -q $FAST_PBKDF_ARGON 2> /dev/null || fail
|
||||||
|
echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail
|
||||||
|
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --resilience journal 2> /dev/null && fail
|
||||||
|
wipe_dev_head $DEV 1
|
||||||
|
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --header $IMG_HDR $FAST_PBKDF2 $DEV || fail
|
||||||
|
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --header $IMG_HDR --init-only $FAST_PBKDF_ARGON || fail
|
||||||
|
echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --header $IMG_HDR $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail
|
||||||
|
echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --header $IMG_HDR $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail
|
||||||
|
rm -f $IMG_HDR
|
||||||
|
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --encrypt --header $IMG_HDR --init-only $FAST_PBKDF_ARGON || fail
|
||||||
|
echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --header $IMG_HDR $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail
|
||||||
|
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --header $IMG_HDR $FAST_PBKDF2 $DEV || fail
|
||||||
|
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q --decrypt --header $IMG_HDR --init-only $FAST_PBKDF_ARGON || fail
|
||||||
|
echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --header $IMG_HDR $DEV -q $FAST_PBKDF_ARGON 2> /dev/null && fail
|
||||||
|
|
||||||
remove_mapping
|
remove_mapping
|
||||||
exit 0
|
exit 0
|
||||||
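Review bot: Every negative case in test [29] has the form `... 2> /dev/null && fail`, which is satisfied by any non-zero exit, so it would also pass if the command failed for an unrelated reason rather than because of the new conflict check. Capturing stderr and matching the expected message for at least one case per check would pin the behaviour, e.g. `echo $PWD1 | $CRYPTSETUP reencrypt --decrypt $DEV -q $FAST_PBKDF_ARGON 2>&1 | grep -q "Conflicting option --decrypt" || fail` (assuming the test runs with an untranslated locale). The hunk also has no positive case, such as resuming an `--encrypt --init-only` operation with `--encrypt`, which would catch a check that rejects too much.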
|
|||||||