cryptsetup: Adjust XTS keys size also if cipher is specified with capi: prefix.

Fixes: #776
2025-12-12 03:10:08 +01:00 · 2025-05-15 12:24:47 +02:00
parent bd2f7eb671
commit e5c2892cd5
4 changed files with 5 additions and 5 deletions
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -1589,7 +1589,7 @@ int luksFormat(struct crypt_device **r_cd, struct crypt_keyslot_context **r_kc)
 			goto out;
 	}

-	keysize = get_adjusted_key_size(cipher_mode, ARG_UINT32(OPT_KEY_SIZE_ID),
+	keysize = get_adjusted_key_size(cipher, cipher_mode, ARG_UINT32(OPT_KEY_SIZE_ID),
 					DEFAULT_LUKS1_KEYBITS, integrity_keysize);

 	if (ARG_SET(OPT_HW_OPAL_ONLY_ID))
--- a/src/utils_luks.c
+++ b/src/utils_luks.c
@@ -139,11 +139,11 @@ int set_tries_tty(bool keyring)
 	return (tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID)) && isatty(STDIN_FILENO)) ? ARG_UINT32(OPT_TRIES_ID) : 1;
 }

-int get_adjusted_key_size(const char *cipher_mode, uint32_t keysize_bits,
+int get_adjusted_key_size(const char *cipher, const char *cipher_mode, uint32_t keysize_bits,
 			  uint32_t default_size_bits, int integrity_keysize)
 {
 #if ENABLE_LUKS_ADJUST_XTS_KEYSIZE
-	if (!keysize_bits && !strncmp(cipher_mode, "xts-", 4)) {
+	if (!keysize_bits && (!strncmp(cipher_mode, "xts-", 4) || !strncmp(cipher, "capi:xts(", 9))) {
 		if (default_size_bits == 128)
 			keysize_bits = 256;
 		else if (default_size_bits == 256)
--- a/src/utils_luks.h
+++ b/src/utils_luks.h
@@ -27,7 +27,7 @@ int set_pbkdf_params(struct crypt_device *cd, const char *dev_type);

 int set_tries_tty(bool keyring);

-int get_adjusted_key_size(const char *cipher_mode, uint32_t keysize_bits,
+int get_adjusted_key_size(const char *cipher, const char *cipher_mode, uint32_t keysize_bits,
 			  uint32_t default_size_bits, int integrity_keysize);

 int luksFormat(struct crypt_device **r_cd, struct crypt_keyslot_context **r_kc);
--- a/src/utils_reencrypt.c
+++ b/src/utils_reencrypt.c
@@ -1910,7 +1910,7 @@ static int reencrypt_luks2_init(struct crypt_device *cd, const char *data_device
 			new_key_size = ARG_UINT32(OPT_NEW_KEY_SIZE_ID);

 		if (new_key_size || new_cipher)
-			new_key_size = get_adjusted_key_size(mode, new_key_size,
+			new_key_size = get_adjusted_key_size(cipher, mode, new_key_size,
 							 DEFAULT_LUKS1_KEYBITS, 0);
 		else
 			new_key_size = key_size;