Due to previous fix it's no longer needed to add
all keyslot area lengths and check if result sum
is lower than keyslots_size.
(We already check lower limit, upper limit and
overlapping areas)
This commit fixes two problems:
a) Replace hardcoded 16KiB metadata variant as lower limit
for keyslot area offset with current value set in config
section (already validated).
b) Replace segment offset (if not zero) as upper limit for
keyslot area offset + size with value calculated as
2 * metadata size + keyslots_size as acquired from
config section (also already validated)
Swap config and keyslot areas validation code order.
Also split original keyslots_size validation code in
between config and keyslot areas routines for further
changes in the code later. This commit has no functional
impact.
Keyslot areas were validated from each keyslot
validation routine and later one more time
in general header validation routine. The call
from header validation routine is good enough.
Test archive contains images with all supported
LUKS2 metadata size configurations. There's
one active keyslot 0 in every image that can be
unlocked with following passphrase (ignore
quotation marks): "Qx3qn46vq0v"
Test both primary and secondary header validation tests
with non-default LUKS2 json area size.
Check validation rejects config.keyslots_size with zero value.
Check validation rejects mismatching values for metadata size
set in binary header and in config json section.
Kernel prevents activation of device that is not aligned
to requested sector size.
Add early check to plain and LUKS2 formats to disallow
creation of such a device.
(Activation will fail in kernel later anyway.)
Fixes #390.
LUKS2 specification allows various sizes of LUKS2 metadata.
The single metadata instance is composed of LUKS2 binary header
(4096 bytes) and immediately following json area. The resulting
assembled metadata size has to be one of the following values,
all in KiB:
16, 32, 64, 128, 256, 512, 1024, 2048 or 4096
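
The checks described in the commit messages above, written in C as an added example (not cryptsetup's own code): the allowed metadata sizes, and keyslot area limits derived from the config values instead of a hardcoded 16 KiB. All type and function names here are hypothetical, and the sample values in `main` are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define BIN_HDR_SIZE 4096u /* LUKS2 binary header size, as stated above */

/* Hypothetical type: one keyslot area as (offset, size) in bytes. */
struct area { uint64_t offset, size; };

/* Binary header + json area must total 16, 32, ..., 4096 KiB. */
bool metadata_size_ok(uint64_t bytes)
{
	return bytes >= 16 * 1024 && bytes <= 4096 * 1024 &&
	       (bytes & (bytes - 1)) == 0; /* power of two within range */
}

/* json area length implied by a valid metadata size, 0 if invalid. */
uint64_t json_area_size(uint64_t metadata_size)
{
	return metadata_size_ok(metadata_size) ? metadata_size - BIN_HDR_SIZE : 0;
}

/* Lower limit: 2 * metadata size (primary + secondary header).
 * Upper limit: 2 * metadata size + keyslots_size. Areas must not overlap. */
bool keyslot_areas_ok(uint64_t metadata_size, uint64_t keyslots_size,
		      const struct area *a, size_t n)
{
	if (!metadata_size_ok(metadata_size) || keyslots_size == 0)
		return false;
	uint64_t lo = 2 * metadata_size;
	uint64_t hi = lo + keyslots_size;
	if (hi < lo)
		return false;                   /* sum wrapped around */
	for (size_t i = 0; i < n; i++) {
		if (a[i].offset < lo || a[i].offset > hi ||
		    a[i].size > hi - a[i].offset) /* overflow-safe end check */
			return false;
		for (size_t j = 0; j < i; j++)  /* both ends are <= hi here */
			if (a[i].offset < a[j].offset + a[j].size &&
			    a[j].offset < a[i].offset + a[i].size)
				return false;   /* areas i and j overlap */
	}
	return true;
}

int main(void)
{
	/* Constructed sample: 16 KiB metadata, 1 MiB keyslots area, 2 slots. */
	struct area s[] = { { 32768, 262144 }, { 294912, 262144 } };
	return keyslot_areas_ok(16384, 1048576, s, 2) ? 0 : 1;
}
```
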
We used to preset compat cipher and cipher_mode values during
crypt_format() or crypt_load(). Since we can change 'default segment'
dynamically during reencryption (encryption, decryption included) we
need to parse those values from default segment json encryption field
each time crypt_get_cipher() or crypt_get_cipher_mode() is called.