Fix default xts mode key size in reencryption.

Reencryption did not take into account the adjusted xts
key size configuration option. This patch fixes the
issue by using the same logic as in luksFormat with xts
mode selected for data encryption.
Ondrej Kozina
2021-02-18 11:08:32 +01:00
committed by Milan Broz
parent 207383782a
commit fb8aa6d03b
2 changed files with 23 additions and 14 deletions


@@ -1242,6 +1242,21 @@ static int strcmp_or_null(const char *str, const char *expected)
return !str ? 0 : strcmp(str, expected);
}
static int get_adjusted_key_size(const char *cipher_mode, uint32_t default_size_bits, int integrity_keysize)
{
uint32_t keysize_bits = opt_key_size;
#ifdef ENABLE_LUKS_ADJUST_XTS_KEYSIZE
if (!opt_key_size && !strncmp(cipher_mode, "xts-", 4)) {
if (default_size_bits == 128)
keysize_bits = 256;
else if (default_size_bits == 256)
keysize_bits = 512;
}
#endif
return (keysize_bits ?: default_size_bits) / 8 + integrity_keysize;
}
static int _luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_passwordLen)
{
int r = -EINVAL, keysize, integrity_keysize = 0, fd, created = 0;
@@ -1374,15 +1389,7 @@ static int _luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_
goto out;
}
#ifdef ENABLE_LUKS_ADJUST_XTS_KEYSIZE
if (!opt_key_size && !strncmp(cipher_mode, "xts-", 4)) {
if (DEFAULT_LUKS1_KEYBITS == 128)
opt_key_size = 256;
else if (DEFAULT_LUKS1_KEYBITS == 256)
opt_key_size = 512;
}
#endif
keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8 + integrity_keysize;
keysize = get_adjusted_key_size(cipher_mode, DEFAULT_LUKS1_KEYBITS, integrity_keysize);
if (opt_random)
crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
@@ -3215,10 +3222,8 @@ static int action_reencrypt_luks2(struct crypt_device *cd)
if (r)
return r;
if (opt_key_size)
key_size = opt_key_size / 8;
else if (opt_cipher)
key_size = DEFAULT_LUKS1_KEYBITS / 8;
if (opt_key_size || opt_cipher)
key_size = get_adjusted_key_size(mode, DEFAULT_LUKS1_KEYBITS, 0);
else
key_size = crypt_get_volume_key_size(cd);
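Review bot: get_adjusted_key_size() has no comment and mixes units: `opt_key_size` and `default_size_bits` are in bits, while `integrity_keysize` and the return value are in bytes, which is easy to misuse now that two callers share it. I would add a header comment such as `/* Returns volume key size in bytes; doubles a 128/256-bit default for xts-* modes because XTS splits the key into two halves. */` and state that other defaults and an explicit --key-size pass through unadjusted. In action_reencrypt_luks2 the call passes `mode` even when only `opt_key_size` is set; the `!opt_key_size &&` short-circuit keeps the helper from reading it in that case, but where `mode` is filled in lies outside the hunk, so a one-line comment at the call site noting that dependency would help the next reader.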


@@ -654,7 +654,7 @@ function reencrypt_online_fixed_size() {
}
function setup_luks2_env() {
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV || fail
echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c aes-xts-plain64 $FAST_PBKDF_ARGON $DEV || fail
echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
HAVE_KEYRING=$($CRYPTSETUP status $DEV_NAME | grep "key location: keyring")
if [ -n "$HAVE_KEYRING" ]; then
@@ -662,6 +662,8 @@ function setup_luks2_env() {
else
HAVE_KEYRING=0
fi
DEF_XTS_KEY=$($CRYPTSETUP status $DEV_NAME | grep "keysize:" | sed 's/\( keysize: \)\([0-9]\+\)\(.*\)/\2/')
[ -n "$DEF_XTS_KEY" ] || fail "Failed to parse xts mode key size."
$CRYPTSETUP close $DEV_NAME || fail
}
@@ -736,6 +738,8 @@ check_hash $PWD1 $HASH1
echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -c aes-xts-plain64 --init-only $FAST_PBKDF_ARGON || fail
echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP reencrypt --active-name /dev/mapper/$DEV_NAME --resilience none -q || fail
XTS_KEY=$($CRYPTSETUP status $DEV_NAME | grep "keysize:" | sed 's/\( keysize: \)\([0-9]\+\)\(.*\)/\2/')
[ "$XTS_KEY" -eq "$DEF_XTS_KEY" ] || fail "xts mode has wrong key size after reencryption ($XTS_KEY != expected $DEF_XTS_KEY)"
echo $PWD1 | $CRYPTSETUP close $DEV_NAME || fail
echo -n "[OK][4096 sector]"
prepare sector_size=4096 dev_size_mb=32
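Review bot: The key-size parse on the `DEF_XTS_KEY=` line in setup_luks2_env can pass its guard with garbage, because sed without `-n` prints a non-matching line unchanged. If the `keysize:` line ever differs from the pattern, the variable is non-empty and `[ -n "$DEF_XTS_KEY" ]` succeeds. Running sed with `-n` and a trailing `p` flag on the substitution makes a failed match produce an empty string, so the guard reports the real cause. The same pipeline is repeated for `XTS_KEY=` in the later hunk, where an empty or non-numeric value makes the `-eq` test error out and the failure is reported as a wrong key size. A small shared helper that extracts the key size would keep the two in sync.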