Add disable-luks2 reencryption configure option.

The option --disable-luks2-reencryption completely disable
LUKS2 reencryption code.

When used, the libcryptsetup library can read metadata with
reencryption code, but all reencryption API calls and cryptsetup
reencrypt commands are disabled.

Devices with online reencryption in progress cannot be activated.

This option can cause some incompatibilities. Please use with care.

configure.ac

@@ -56,7 +56,6 @@ dnl ==========================================================================
 AC_C_RESTRICT
 
 AC_HEADER_DIRENT
-AC_HEADER_STDC
 AC_CHECK_HEADERS(fcntl.h malloc.h inttypes.h sys/ioctl.h sys/mman.h \
 	sys/sysmacros.h sys/statvfs.h ctype.h unistd.h locale.h byteswap.h endian.h stdint.h)
 
@@ -139,6 +138,14 @@ AC_DEFUN([NO_FIPS], [
 	fi
 ])
 
+dnl LUKS2 online reencryption
+AC_ARG_ENABLE([luks2-reencryption],
+	AS_HELP_STRING([--disable-luks2-reencryption], [disable LUKS2 online reencryption extension]),
+	[], [enable_luks2_reencryption=yes])
+if test "x$enable_luks2_reencryption" = "xyes"; then
+	AC_DEFINE(USE_LUKS2_REENCRYPTION, 1, [Use LUKS2 online reencryption extension])
+fi
+
 dnl ==========================================================================
 dnl pwquality library (cryptsetup CLI only)
 AC_ARG_ENABLE([pwquality],

lib/luks2/luks2_internal.h

@@ -59,9 +59,9 @@ json_object *LUKS2_get_segments_jobj(struct luks2_hdr *hdr);
 void hexprint_base64(struct crypt_device *cd, json_object *jobj,
 		     const char *sep, const char *line_sep);
 
-uint64_t json_object_get_uint64(json_object *jobj);
-uint32_t json_object_get_uint32(json_object *jobj);
-json_object *json_object_new_uint64(uint64_t value);
+uint64_t crypt_jobj_get_uint64(json_object *jobj);
+uint32_t crypt_jobj_get_uint32(json_object *jobj);
+json_object *crypt_jobj_new_uint64(uint64_t value);
 
 int json_object_object_add_by_uint(json_object *jobj, unsigned key, json_object *jobj_val);
 void json_object_object_del_by_uint(json_object *jobj, unsigned key);

lib/luks2/luks2_json_format.c

@@ -325,8 +325,8 @@ int LUKS2_generate_hdr(
 
 	json_object_object_add_by_uint(jobj_segments, 0, jobj_segment);
 
-	json_object_object_add(jobj_config, "json_size", json_object_new_uint64(metadata_size - LUKS2_HDR_BIN_LEN));
-	json_object_object_add(jobj_config, "keyslots_size", json_object_new_uint64(keyslots_size));
+	json_object_object_add(jobj_config, "json_size", crypt_jobj_new_uint64(metadata_size - LUKS2_HDR_BIN_LEN));
+	json_object_object_add(jobj_config, "keyslots_size", crypt_jobj_new_uint64(keyslots_size));
 
 	JSON_DBG(cd, hdr->jobj, "Header JSON:");
 	return 0;
@@ -400,6 +400,6 @@ int LUKS2_set_keyslots_size(struct crypt_device *cd,
 	if (!json_object_object_get_ex(hdr->jobj, "config", &jobj_config))
 		return 1;
 
-	json_object_object_add(jobj_config, "keyslots_size", json_object_new_uint64(keyslots_size));
+	json_object_object_add(jobj_config, "keyslots_size", crypt_jobj_new_uint64(keyslots_size));
 	return 0;
 }

lib/luks2/luks2_json_metadata.c

@@ -219,7 +219,7 @@ int LUKS2_get_default_segment(struct luks2_hdr *hdr)
  * json_type_int needs to be validated first.
  * See validate_json_uint32()
  */
-uint32_t json_object_get_uint32(json_object *jobj)
+uint32_t crypt_jobj_get_uint32(json_object *jobj)
 {
 	return json_object_get_int64(jobj);
 }
@@ -234,21 +234,21 @@ static json_bool json_str_to_uint64(json_object *jobj, uint64_t *value)
 	tmp = strtoull(json_object_get_string(jobj), &endptr, 10);
 	if (*endptr || errno) {
 		*value = 0;
-		return FALSE;
+		return 0;
 	}
 
 	*value = tmp;
-	return TRUE;
+	return 1;
 }
 
-uint64_t json_object_get_uint64(json_object *jobj)
+uint64_t crypt_jobj_get_uint64(json_object *jobj)
 {
 	uint64_t r;
 	json_str_to_uint64(jobj, &r);
 	return r;
 }
 
-json_object *json_object_new_uint64(uint64_t value)
+json_object *crypt_jobj_new_uint64(uint64_t value)
 {
 	/* 18446744073709551615 */
 	char num[21];
@@ -273,9 +273,9 @@ static json_bool numbered(struct crypt_device *cd, const char *name, const char
 	for (i = 0; key[i]; i++)
 		if (!isdigit(key[i])) {
 			log_dbg(cd, "%s \"%s\" is not in numbered form.", name, key);
-			return FALSE;
+			return 0;
 		}
-	return TRUE;
+	return 1;
 }
 
 json_object *json_contains(struct crypt_device *cd, json_object *jobj, const char *name,
@@ -300,7 +300,7 @@ json_bool validate_json_uint32(json_object *jobj)
 	errno = 0;
 	tmp = json_object_get_int64(jobj);
 
-	return (errno || tmp < 0 || tmp > UINT32_MAX) ? FALSE : TRUE;
+	return (errno || tmp < 0 || tmp > UINT32_MAX) ? 0 : 1;
 }
 
 static json_bool validate_keyslots_array(struct crypt_device *cd,
@@ -313,17 +313,17 @@ static json_bool validate_keyslots_array(struct crypt_device *cd,
 		jobj = json_object_array_get_idx(jarr, i);
 		if (!json_object_is_type(jobj, json_type_string)) {
 			log_dbg(cd, "Illegal value type in keyslots array at index %d.", i);
-			return FALSE;
+			return 0;
 		}
 
 		if (!json_contains(cd, jobj_keys, "", "Keyslots section",
 				   json_object_get_string(jobj), json_type_object))
-			return FALSE;
+			return 0;
 
 		i++;
 	}
 
-	return TRUE;
+	return 1;
 }
 
 static json_bool validate_segments_array(struct crypt_device *cd,
@@ -336,17 +336,17 @@ static json_bool validate_segments_array(struct crypt_device *cd,
 		jobj = json_object_array_get_idx(jarr, i);
 		if (!json_object_is_type(jobj, json_type_string)) {
 			log_dbg(cd, "Illegal value type in segments array at index %d.", i);
-			return FALSE;
+			return 0;
 		}
 
 		if (!json_contains(cd, jobj_segments, "", "Segments section",
 				   json_object_get_string(jobj), json_type_object))
-			return FALSE;
+			return 0;
 
 		i++;
 	}
 
-	return TRUE;
+	return 1;
 }
 
 static json_bool segment_has_digest(const char *segment_name, json_object *jobj_digests)
@@ -357,10 +357,10 @@ static json_bool segment_has_digest(const char *segment_name, json_object *jobj_
 		UNUSED(key);
 		json_object_object_get_ex(val, "segments", &jobj_segments);
 		if (LUKS2_array_jobj(jobj_segments, segment_name))
-			return TRUE;
+			return 1;
 	}
 
-	return FALSE;
+	return 0;
 }
 
 static json_bool validate_intervals(struct crypt_device *cd,
@@ -372,18 +372,18 @@ static json_bool validate_intervals(struct crypt_device *cd,
 	while (i < length) {
 		if (ix[i].offset < 2 * metadata_size) {
 			log_dbg(cd, "Illegal area offset: %" PRIu64 ".", ix[i].offset);
-			return FALSE;
+			return 0;
 		}
 
 		if (!ix[i].length) {
 			log_dbg(cd, "Area length must be greater than zero.");
-			return FALSE;
+			return 0;
 		}
 
 		if ((ix[i].offset + ix[i].length) > keyslots_area_end) {
 			log_dbg(cd, "Area [%" PRIu64 ", %" PRIu64 "] overflows binary keyslots area (ends at offset: %" PRIu64 ").",
 				ix[i].offset, ix[i].offset + ix[i].length, keyslots_area_end);
-			return FALSE;
+			return 0;
 		}
 
 		for (j = 0; j < length; j++) {
@@ -393,14 +393,14 @@ static json_bool validate_intervals(struct crypt_device *cd,
 				log_dbg(cd, "Overlapping areas [%" PRIu64 ",%" PRIu64 "] and [%" PRIu64 ",%" PRIu64 "].",
 					ix[i].offset, ix[i].offset + ix[i].length,
 					ix[j].offset, ix[j].offset + ix[j].length);
-				return FALSE;
+				return 0;
 			}
 		}
 
 		i++;
 	}
 
-	return TRUE;
+	return 1;
 }
 
 static int LUKS2_keyslot_validate(struct crypt_device *cd, json_object *hdr_jobj, json_object *hdr_keyslot, const char *key)
@@ -455,7 +455,7 @@ static int hdr_validate_json_size(struct crypt_device *cd, json_object *hdr_jobj
 
 	json = json_object_to_json_string_ext(hdr_jobj,
 		JSON_C_TO_STRING_PLAIN | JSON_C_TO_STRING_NOSLASHESCAPE);
-	json_area_size = json_object_get_uint64(jobj1);
+	json_area_size = crypt_jobj_get_uint64(jobj1);
 	json_size = (uint64_t)strlen(json);
 
 	if (hdr_json_size != json_area_size) {
@@ -543,7 +543,7 @@ static int hdr_validate_crypt_segment(struct crypt_device *cd,
 		return 1;
 	}
 
-	sector_size = json_object_get_uint32(jobj_sector_size);
+	sector_size = crypt_jobj_get_uint32(jobj_sector_size);
 	if (!sector_size || MISALIGNED_512(sector_size)) {
 		log_dbg(cd, "Illegal sector size: %" PRIu32, sector_size);
 		return 1;
@@ -1567,7 +1567,7 @@ static void hdr_dump_keyslots(struct crypt_device *cd, json_object *hdr_jobj)
 		log_std(cd, "  %s: %s%s\n", slot, tmps, r == -ENOENT ? " (unbound)" : "");
 
 		if (json_object_object_get_ex(val, "key_size", &jobj2))
-			log_std(cd, "\tKey:        %u bits\n", json_object_get_uint32(jobj2) * 8);
+			log_std(cd, "\tKey:        %u bits\n", crypt_jobj_get_uint32(jobj2) * 8);
 
 		log_std(cd, "\tPriority:   %s\n", get_priority_desc(val));
 
@@ -1650,7 +1650,7 @@ static void hdr_dump_segments(struct crypt_device *cd, json_object *hdr_jobj)
 			log_std(cd, "\tcipher: %s\n", json_object_get_string(jobj1));
 
 		if (json_object_object_get_ex(jobj_segment, "sector_size", &jobj1))
-			log_std(cd, "\tsector: %" PRIu32 " [bytes]\n", json_object_get_uint32(jobj1));
+			log_std(cd, "\tsector: %" PRIu32 " [bytes]\n", crypt_jobj_get_uint32(jobj1));
 
 		if (json_object_object_get_ex(jobj_segment, "integrity", &jobj1) &&
 		    json_object_object_get_ex(jobj1, "type", &jobj2))
@@ -1747,7 +1747,7 @@ int LUKS2_get_data_size(struct luks2_hdr *hdr, uint64_t *size, bool *dynamic)
 			return 0;
 		}
 
-		tmp += json_object_get_uint64(jobj_size);
+		tmp += crypt_jobj_get_uint64(jobj_size);
 	}
 
 	/* impossible, real device size must not be zero */

lib/luks2/luks2_keyslot.c

@@ -27,7 +27,9 @@ extern const keyslot_handler reenc_keyslot;
 
 static const keyslot_handler *keyslot_handlers[LUKS2_KEYSLOTS_MAX] = {
 	&luks2_keyslot,
+#if USE_LUKS2_REENCRYPTION
 	&reenc_keyslot,
+#endif
 	NULL
 };
 
@@ -301,11 +303,11 @@ int LUKS2_keyslot_area(struct luks2_hdr *hdr,
 
 	if (!json_object_object_get_ex(jobj_area, "offset", &jobj))
 		return -EINVAL;
-	*offset = json_object_get_uint64(jobj);
+	*offset = crypt_jobj_get_uint64(jobj);
 
 	if (!json_object_object_get_ex(jobj_area, "size", &jobj))
 		return -EINVAL;
-	*length = json_object_get_uint64(jobj);
+	*length = crypt_jobj_get_uint64(jobj);
 
 	return 0;
 }
@@ -840,8 +842,8 @@ int placeholder_keyslot_alloc(struct crypt_device *cd,
 
 	/* Area object */
 	jobj_area = json_object_new_object();
-	json_object_object_add(jobj_area, "offset", json_object_new_uint64(area_offset));
-	json_object_object_add(jobj_area, "size", json_object_new_uint64(area_length));
+	json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(area_offset));
+	json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_length));
 	json_object_object_add(jobj_keyslot, "area", jobj_area);
 
 	json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot);

lib/luks2/luks2_keyslot_luks2.c

@@ -220,7 +220,7 @@ static int luks2_keyslot_set_key(struct crypt_device *cd,
 
 	if (!json_object_object_get_ex(jobj_area, "offset", &jobj2))
 		return -EINVAL;
-	area_offset = json_object_get_uint64(jobj2);
+	area_offset = crypt_jobj_get_uint64(jobj2);
 
 	if (!json_object_object_get_ex(jobj_area, "encryption", &jobj2))
 		return -EINVAL;
@@ -313,7 +313,7 @@ static int luks2_keyslot_get_key(struct crypt_device *cd,
 
 	if (!json_object_object_get_ex(jobj_area, "offset", &jobj2))
 		return -EINVAL;
-	area_offset = json_object_get_uint64(jobj2);
+	area_offset = crypt_jobj_get_uint64(jobj2);
 
 	if (!json_object_object_get_ex(jobj_area, "encryption", &jobj2))
 		return -EINVAL;
@@ -494,8 +494,8 @@ static int luks2_keyslot_alloc(struct crypt_device *cd,
 	/* Area object */
 	jobj_area = json_object_new_object();
 	json_object_object_add(jobj_area, "type", json_object_new_string("raw"));
-	json_object_object_add(jobj_area, "offset", json_object_new_uint64(area_offset));
-	json_object_object_add(jobj_area, "size", json_object_new_uint64(area_length));
+	json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(area_offset));
+	json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_length));
 	json_object_object_add(jobj_keyslot, "area", jobj_area);
 
 	json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot);
@@ -607,7 +607,7 @@ static int luks2_keyslot_dump(struct crypt_device *cd, int keyslot)
 	log_std(cd, "\tCipher:     %s\n", json_object_get_string(jobj1));
 
 	json_object_object_get_ex(jobj_area, "key_size", &jobj1);
-	log_std(cd, "\tCipher key: %u bits\n", json_object_get_uint32(jobj1) * 8);
+	log_std(cd, "\tCipher key: %u bits\n", crypt_jobj_get_uint32(jobj1) * 8);
 
 	json_object_object_get_ex(jobj_kdf, "type", &jobj1);
 	log_std(cd, "\tPBKDF:      %s\n", json_object_get_string(jobj1));
@@ -617,7 +617,7 @@ static int luks2_keyslot_dump(struct crypt_device *cd, int keyslot)
 		log_std(cd, "\tHash:       %s\n", json_object_get_string(jobj1));
 
 		json_object_object_get_ex(jobj_kdf, "iterations", &jobj1);
-		log_std(cd, "\tIterations: %" PRIu64 "\n", json_object_get_uint64(jobj1));
+		log_std(cd, "\tIterations: %" PRIu64 "\n", crypt_jobj_get_uint64(jobj1));
 	} else {
 		json_object_object_get_ex(jobj_kdf, "time", &jobj1);
 		log_std(cd, "\tTime cost:  %" PRIu64 "\n", json_object_get_int64(jobj1));
@@ -640,10 +640,10 @@ static int luks2_keyslot_dump(struct crypt_device *cd, int keyslot)
 	log_std(cd, "\tAF hash:    %s\n", json_object_get_string(jobj1));
 
 	json_object_object_get_ex(jobj_area, "offset", &jobj1);
-	log_std(cd, "\tArea offset:%" PRIu64 " [bytes]\n", json_object_get_uint64(jobj1));
+	log_std(cd, "\tArea offset:%" PRIu64 " [bytes]\n", crypt_jobj_get_uint64(jobj1));
 
 	json_object_object_get_ex(jobj_area, "size", &jobj1);
-	log_std(cd, "\tArea length:%" PRIu64 " [bytes]\n", json_object_get_uint64(jobj1));
+	log_std(cd, "\tArea length:%" PRIu64 " [bytes]\n", crypt_jobj_get_uint64(jobj1));
 
 	return 0;
 }

lib/luks2/luks2_keyslot_reenc.c

@@ -67,13 +67,13 @@ int reenc_keyslot_alloc(struct crypt_device *cd,
 
 	if (params->data_shift) {
 		json_object_object_add(jobj_area, "type", json_object_new_string("datashift"));
-		json_object_object_add(jobj_area, "shift_size", json_object_new_uint64(params->data_shift << SECTOR_SHIFT));
+		json_object_object_add(jobj_area, "shift_size", crypt_jobj_new_uint64(params->data_shift << SECTOR_SHIFT));
 	} else
 		/* except data shift protection, initial setting is irrelevant. Type can be changed during reencryption */
 		json_object_object_add(jobj_area, "type", json_object_new_string("none"));
 
-	json_object_object_add(jobj_area, "offset", json_object_new_uint64(area_offset));
-	json_object_object_add(jobj_area, "size", json_object_new_uint64(area_length));
+	json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(area_offset));
+	json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_length));
 
 	json_object_object_add(jobj_keyslot, "type", json_object_new_string("reencrypt"));
 	json_object_object_add(jobj_keyslot, "key_size", json_object_new_int(1)); /* useless but mandatory */
@@ -113,8 +113,8 @@ static int reenc_keyslot_store_data(struct crypt_device *cd,
 	    !json_object_object_get_ex(jobj_area, "size", &jobj_length))
 		return -EINVAL;
 
-	area_offset = json_object_get_uint64(jobj_offset);
-	area_length = json_object_get_uint64(jobj_length);
+	area_offset = crypt_jobj_get_uint64(jobj_offset);
+	area_length = crypt_jobj_get_uint64(jobj_length);
 
 	if (!area_offset || !area_length || ((uint64_t)buffer_len > area_length))
 		return -EINVAL;
@@ -242,14 +242,14 @@ static int reenc_keyslot_dump(struct crypt_device *cd, int keyslot)
 		log_std(cd, "\t%-12s%d [bytes]\n", "Hash data:", json_object_get_int(jobj1));
 	} else if (!strcmp(json_object_get_string(jobj_resilience), "datashift")) {
 		json_object_object_get_ex(jobj_area, "shift_size", &jobj1);
-		log_std(cd, "\t%-12s%" PRIu64 "[bytes]\n", "Shift size:", json_object_get_uint64(jobj1));
+		log_std(cd, "\t%-12s%" PRIu64 "[bytes]\n", "Shift size:", crypt_jobj_get_uint64(jobj1));
 	}
 
 	json_object_object_get_ex(jobj_area, "offset", &jobj1);
-	log_std(cd, "\tArea offset:%" PRIu64 " [bytes]\n", json_object_get_uint64(jobj1));
+	log_std(cd, "\tArea offset:%" PRIu64 " [bytes]\n", crypt_jobj_get_uint64(jobj1));
 
 	json_object_object_get_ex(jobj_area, "size", &jobj1);
-	log_std(cd, "\tArea length:%" PRIu64 " [bytes]\n", json_object_get_uint64(jobj1));
+	log_std(cd, "\tArea length:%" PRIu64 " [bytes]\n", crypt_jobj_get_uint64(jobj1));
 
 	return 0;
 }
@@ -304,7 +304,7 @@ static int reenc_keyslot_validate(struct crypt_device *cd, json_object *jobj_key
 			return -EINVAL;
 		if (!validate_json_uint32(jobj_sector_size))
 			return -EINVAL;
-		sector_size = json_object_get_uint32(jobj_sector_size);
+		sector_size = crypt_jobj_get_uint32(jobj_sector_size);
 		if (sector_size < SECTOR_SIZE || NOTPOW2(sector_size)) {
 			log_dbg(cd, "Invalid sector_size (%" PRIu32 ") for checksum resilience mode.", sector_size);
 			return -EINVAL;
@@ -313,7 +313,7 @@ static int reenc_keyslot_validate(struct crypt_device *cd, json_object *jobj_key
 		if (!(jobj_shift_size = json_contains(cd, jobj_area, "type:datashift", "Keyslot area", "shift_size", json_type_string)))
 			return -EINVAL;
 
-		shift_size = json_object_get_uint64(jobj_shift_size);
+		shift_size = crypt_jobj_get_uint64(jobj_shift_size);
 		if (!shift_size)
 			return -EINVAL;
 

lib/luks2/luks2_luks1_convert.c

@@ -91,8 +91,8 @@ static int json_luks1_keyslot(const struct luks_phdr *hdr_v1, int keyslot, struc
 	}
 	area_size = offs_b - offs_a;
 	json_object_object_add(jobj_area, "key_size", json_object_new_int(hdr_v1->keyBytes));
-	json_object_object_add(jobj_area, "offset", json_object_new_uint64(offset));
-	json_object_object_add(jobj_area, "size", json_object_new_uint64(area_size));
+	json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(offset));
+	json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_size));
 	json_object_object_add(keyslot_obj, "area", jobj_area);
 
 	*keyslot_object = keyslot_obj;
@@ -145,7 +145,7 @@ static int json_luks1_segment(const struct luks_phdr *hdr_v1, struct json_object
 	/* offset field */
 	number = (uint64_t)hdr_v1->payloadOffset * SECTOR_SIZE;
 
-	field = json_object_new_uint64(number);
+	field = crypt_jobj_new_uint64(number);
 	if (!field) {
 		json_object_put(segment_obj);
 		return -ENOMEM;
@@ -401,8 +401,9 @@ static int json_luks1_object(struct luks_phdr *hdr_v1, struct json_object **luks
 	json_object_object_add(luks1_obj, "config", field);
 
 	json_size = LUKS2_HDR_16K_LEN - LUKS2_HDR_BIN_LEN;
-	json_object_object_add(field, "json_size", json_object_new_uint64(json_size));
-	json_object_object_add(field, "keyslots_size", json_object_new_uint64(keyslots_size));
+	json_object_object_add(field, "json_size", crypt_jobj_new_uint64(json_size));
+	keyslots_size -= (keyslots_size % 4096);
+	json_object_object_add(field, "keyslots_size", crypt_jobj_new_uint64(keyslots_size));
 
 	*luks1_object = luks1_obj;
 	return 0;
@@ -418,8 +419,8 @@ static void move_keyslot_offset(json_object *jobj, int offset_add)
 		UNUSED(key);
 		json_object_object_get_ex(val, "area", &jobj_area);
 		json_object_object_get_ex(jobj_area, "offset", &jobj2);
-		offset = json_object_get_uint64(jobj2) + offset_add;
-		json_object_object_add(jobj_area, "offset", json_object_new_uint64(offset));
+		offset = crypt_jobj_get_uint64(jobj2) + offset_add;
+		json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(offset));
 	}
 }
 
@@ -586,6 +587,14 @@ int LUKS2_luks1_to_luks2(struct crypt_device *cd, struct luks_phdr *hdr1, struct
 	// move keyslots 4k -> 32k offset
 	buf_offset = 2 * LUKS2_HDR_16K_LEN;
 	buf_size   = luks1_size - LUKS_ALIGN_KEYSLOTS;
+
+	/* check future LUKS2 keyslots area is at least as large as LUKS1 keyslots area */
+	if (buf_size > LUKS2_keyslots_size(hdr2->jobj)) {
+		log_err(cd, _("Unable to move keyslot area. LUKS2 keyslots area too small."));
+		r = -EINVAL;
+		goto out;
+	}
+
 	if ((r = move_keyslot_areas(cd, 8 * SECTOR_SIZE, buf_offset, buf_size)) < 0) {
 		log_err(cd, _("Unable to move keyslot area."));
 		goto out;
@@ -749,7 +758,7 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct
 				return -EINVAL;
 			if (!json_object_object_get_ex(jobj_area, "offset", &jobj1))
 				return -EINVAL;
-			offset = json_object_get_uint64(jobj1);
+			offset = crypt_jobj_get_uint64(jobj1);
 		} else {
 			if (LUKS2_find_area_gap(cd, hdr2, key_size, &offset, &area_length))
 				return -EINVAL;
@@ -781,7 +790,7 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct
 
 		if (!json_object_object_get_ex(jobj_kdf, "iterations", &jobj1))
 			continue;
-		hdr1->keyblock[i].passwordIterations = json_object_get_uint32(jobj1);
+		hdr1->keyblock[i].passwordIterations = crypt_jobj_get_uint32(jobj1);
 
 		if (!json_object_object_get_ex(jobj_kdf, "salt", &jobj1))
 			continue;
@@ -822,7 +831,7 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct
 
 	if (!json_object_object_get_ex(jobj_digest, "iterations", &jobj1))
 		return -EINVAL;
-	hdr1->mkDigestIterations = json_object_get_uint32(jobj1);
+	hdr1->mkDigestIterations = crypt_jobj_get_uint32(jobj1);
 
 	if (!json_object_object_get_ex(jobj_digest, "digest", &jobj1))
 		return -EINVAL;
@@ -847,7 +856,7 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct
 
 	if (!json_object_object_get_ex(jobj_segment, "offset", &jobj1))
 		return -EINVAL;
-	offset = json_object_get_uint64(jobj1) / SECTOR_SIZE;
+	offset = crypt_jobj_get_uint64(jobj1) / SECTOR_SIZE;
 	if (offset > UINT32_MAX)
 		return -EINVAL;
 	/* FIXME: LUKS1 requires offset == 0 || offset >= luks1_hdr_size */

lib/luks2/luks2_reencrypt.c

@@ -22,6 +22,7 @@
 #include "luks2_internal.h"
 #include "utils_device_locking.h"
 
+#if USE_LUKS2_REENCRYPTION
 static json_object *reencrypt_segment(struct luks2_hdr *hdr, unsigned new)
 {
 	return LUKS2_get_segment_by_flag(hdr, new ? "backup-final" : "backup-previous");
@@ -85,7 +86,7 @@ static uint64_t reencrypt_get_data_offset_old(struct luks2_hdr *hdr)
 {
 	return reencrypt_data_offset(hdr, 0);
 }
-
+#endif
 static int reencrypt_digest(struct luks2_hdr *hdr, unsigned new)
 {
 	int segment = LUKS2_get_segment_id_by_flag(hdr, new ? "backup-final" : "backup-previous");
@@ -144,7 +145,7 @@ static const char *reencrypt_resilience_hash(struct luks2_hdr *hdr)
 
 	return json_object_get_string(jobj_hash);
 }
-
+#if USE_LUKS2_REENCRYPTION
 static uint32_t reencrypt_alignment(struct luks2_hdr *hdr)
 {
 	json_object *jobj_keyslot, *jobj_area, *jobj_type, *jobj_hash, *jobj_sector_size;
@@ -165,7 +166,7 @@ static uint32_t reencrypt_alignment(struct luks2_hdr *hdr)
 	if (!json_object_object_get_ex(jobj_area, "sector_size", &jobj_sector_size))
 		return 0;
 
-	return json_object_get_uint32(jobj_sector_size);
+	return crypt_jobj_get_uint32(jobj_sector_size);
 }
 
 static json_object *_enc_create_segments_shift_after(struct crypt_device *cd,
@@ -200,13 +201,13 @@ static json_object *_enc_create_segments_shift_after(struct crypt_device *cd,
 		json_segment_remove_flag(jobj_seg_new, "in-reencryption");
 		tmp = rh->length;
 	} else {
-		json_object_object_add(jobj_seg_new, "offset", json_object_new_uint64(rh->offset + data_offset));
-		json_object_object_add(jobj_seg_new, "iv_tweak", json_object_new_uint64(rh->offset >> SECTOR_SHIFT));
+		json_object_object_add(jobj_seg_new, "offset", crypt_jobj_new_uint64(rh->offset + data_offset));
+		json_object_object_add(jobj_seg_new, "iv_tweak", crypt_jobj_new_uint64(rh->offset >> SECTOR_SHIFT));
 		tmp = json_segment_get_size(jobj_seg_new, 0) + rh->length;
 	}
 
 	/* alter size of new segment, reenc_seg == 0 we're finished */
-	json_object_object_add(jobj_seg_new, "size", reenc_seg > 0 ? json_object_new_uint64(tmp) : json_object_new_string("dynamic"));
+	json_object_object_add(jobj_seg_new, "size", reenc_seg > 0 ? crypt_jobj_new_uint64(tmp) : json_object_new_string("dynamic"));
 	json_object_object_add_by_uint(jobj_segs_post, reenc_seg, jobj_seg_new);
 
 	return jobj_segs_post;
@@ -256,7 +257,7 @@ static json_object *reencrypt_make_hot_segments_encrypt_shift(struct crypt_devic
 		jobj_seg_shrunk = NULL;
 		if (json_object_copy(LUKS2_get_segment_jobj(hdr, sg), &jobj_seg_shrunk))
 			goto err;
-		json_object_object_add(jobj_seg_shrunk, "size", json_object_new_uint64(segment_size - rh->length));
+		json_object_object_add(jobj_seg_shrunk, "size", crypt_jobj_new_uint64(segment_size - rh->length));
 		json_object_object_add_by_uint(jobj_segs_hot, sg++, jobj_seg_shrunk);
 	}
 
@@ -336,7 +337,7 @@ static json_object *reencrypt_make_post_segments_forward(struct crypt_device *cd
 				goto err;
 			jobj_old_seg = jobj_old_seg_copy;
 			fixed_length = rh->device_size - fixed_length;
-			json_object_object_add(jobj_old_seg, "size", json_object_new_uint64(fixed_length));
+			json_object_object_add(jobj_old_seg, "size", crypt_jobj_new_uint64(fixed_length));
 		} else
 			json_object_get(jobj_old_seg);
 		json_object_object_add_by_uint(jobj_segs_post, 1, jobj_old_seg);
@@ -491,7 +492,7 @@ static json_object *reencrypt_make_hot_segments_backward(struct crypt_device *cd
 	if (rh->offset) {
 		if (json_object_copy(LUKS2_get_segment_jobj(hdr, 0), &jobj_old_seg))
 			goto err;
-		json_object_object_add(jobj_old_seg, "size", json_object_new_uint64(rh->offset));
+		json_object_object_add(jobj_old_seg, "size", crypt_jobj_new_uint64(rh->offset));
 
 		json_object_object_add_by_uint(jobj_segs_hot, sg++, jobj_old_seg);
 	}
@@ -560,7 +561,7 @@ static int reencrypt_make_post_segments(struct crypt_device *cd,
 
 	return rh->jobj_segs_post ? 0 : -EINVAL;
 }
-
+#endif
 static uint64_t reencrypt_data_shift(struct luks2_hdr *hdr)
 {
 	json_object *jobj_keyslot, *jobj_area, *jobj_data_shift;
@@ -575,7 +576,7 @@ static uint64_t reencrypt_data_shift(struct luks2_hdr *hdr)
 	if (!json_object_object_get_ex(jobj_area, "shift_size", &jobj_data_shift))
 		return 0;
 
-	return json_object_get_uint64(jobj_data_shift);
+	return crypt_jobj_get_uint64(jobj_data_shift);
 }
 
 static crypt_reencrypt_mode_info reencrypt_mode(struct luks2_hdr *hdr)
@@ -666,7 +667,7 @@ void LUKS2_reenc_context_free(struct crypt_device *cd, struct luks2_reenc_contex
 	crypt_unlock_internal(cd, rh->reenc_lock);
 	free(rh);
 }
-
+#if USE_LUKS2_REENCRYPTION
 static size_t reencrypt_get_alignment(struct crypt_device *cd,
 		struct luks2_hdr *hdr)
 {
@@ -2545,7 +2546,7 @@ static int reencrypt_load(struct crypt_device *cd, struct luks2_hdr *hdr,
 
 	return 0;
 }
-
+#endif
 /* internal only */
 int crypt_reencrypt_lock(struct crypt_device *cd, const char *uuid, struct crypt_lock_handle **reencrypt_lock)
 {
@@ -2587,7 +2588,7 @@ void crypt_reencrypt_unlock(struct crypt_device *cd, struct crypt_lock_handle *r
 {
 	crypt_unlock_internal(cd, reencrypt_lock);
 }
-
+#if USE_LUKS2_REENCRYPTION
 static int reencrypt_lock_and_verify(struct crypt_device *cd, struct luks2_hdr *hdr,
 		struct crypt_lock_handle **reencrypt_lock)
 {
@@ -2842,7 +2843,7 @@ static int reencrypt_recovery_by_passphrase(struct crypt_device *cd,
 	crypt_reencrypt_unlock(cd, reencrypt_lock);
 	return r;
 }
-
+#endif
 static int reencrypt_init_by_passphrase(struct crypt_device *cd,
 	const char *name,
 	const char *passphrase,
@@ -2853,6 +2854,7 @@ static int reencrypt_init_by_passphrase(struct crypt_device *cd,
 	const char *cipher_mode,
 	const struct crypt_params_reencrypt *params)
 {
+#if USE_LUKS2_REENCRYPTION
 	int r;
 	crypt_reencrypt_info ri;
 	struct volume_key *vks = NULL;
@@ -2908,6 +2910,10 @@ out:
 		crypt_drop_keyring_key(cd, vks);
 	crypt_free_volume_key(vks);
 	return r < 0 ? r : LUKS2_find_keyslot(hdr, "reencrypt");
+#else
+	log_err(cd, _("This operation is not supported for this device type."));
+	return -ENOTSUP;
+#endif
 }
 
 int crypt_reencrypt_init_by_keyring(struct crypt_device *cd,
@@ -2960,6 +2966,7 @@ int crypt_reencrypt_init_by_passphrase(struct crypt_device *cd,
 	return reencrypt_init_by_passphrase(cd, name, passphrase, passphrase_size, keyslot_old, keyslot_new, cipher, cipher_mode, params);
 }
 
+#if USE_LUKS2_REENCRYPTION
 static reenc_status_t reencrypt_step(struct crypt_device *cd,
 		struct luks2_hdr *hdr,
 		struct luks2_reenc_context *rh,
@@ -3200,10 +3207,11 @@ static int reencrypt_teardown(struct crypt_device *cd, struct luks2_hdr *hdr,
 
 	return r;
 }
-
+#endif
 int crypt_reencrypt(struct crypt_device *cd,
 		    int (*progress)(uint64_t size, uint64_t offset, void *usrptr))
 {
+#if USE_LUKS2_REENCRYPTION
 	int r;
 	crypt_reencrypt_info ri;
 	struct luks2_hdr *hdr;
@@ -3261,8 +3269,12 @@ int crypt_reencrypt(struct crypt_device *cd,
 
 	r = reencrypt_teardown(cd, hdr, rh, rs, quit, progress);
 	return r;
+#else
+	log_err(cd, _("This operation is not supported for this device type."));
+	return -ENOTSUP;
+#endif
 }
-
+#if USE_LUKS2_REENCRYPTION
 static int reencrypt_recovery(struct crypt_device *cd,
 		struct luks2_hdr *hdr,
 		uint64_t device_size,
@@ -3298,7 +3310,7 @@ err:
 
 	return r;
 }
-
+#endif
 /*
  * use only for calculation of minimal data device size.
  * The real data offset is taken directly from segments!
@@ -3313,7 +3325,7 @@ int LUKS2_reencrypt_data_offset(struct luks2_hdr *hdr, bool blockwise)
 
 	return blockwise ? data_offset : data_offset << SECTOR_SHIFT;
 }
-
+#if USE_LUKS2_REENCRYPTION
 /* internal only */
 int luks2_check_device_size(struct crypt_device *cd, struct luks2_hdr *hdr, uint64_t check_size, uint64_t *dev_size, bool activation, bool dynamic)
 {
@@ -3403,7 +3415,7 @@ err:
 
 	return r < 0 ? r : keyslot;
 }
-
+#endif
 crypt_reencrypt_info LUKS2_reencrypt_status(struct crypt_device *cd, struct crypt_params_reencrypt *params)
 {
 	crypt_reencrypt_info ri;

lib/luks2/luks2_segment.c

@@ -55,7 +55,7 @@ uint64_t json_segment_get_offset(json_object *jobj_segment, unsigned blockwise)
 	    !json_object_object_get_ex(jobj_segment, "offset", &jobj))
 		return 0;
 
-	return blockwise ? json_object_get_uint64(jobj) >> SECTOR_SHIFT : json_object_get_uint64(jobj);
+	return blockwise ? crypt_jobj_get_uint64(jobj) >> SECTOR_SHIFT : crypt_jobj_get_uint64(jobj);
 }
 
 const char *json_segment_type(json_object *jobj_segment)
@@ -77,7 +77,7 @@ uint64_t json_segment_get_iv_offset(json_object *jobj_segment)
 	    !json_object_object_get_ex(jobj_segment, "iv_tweak", &jobj))
 		return 0;
 
-	return json_object_get_uint64(jobj);
+	return crypt_jobj_get_uint64(jobj);
 }
 
 uint64_t json_segment_get_size(json_object *jobj_segment, unsigned blockwise)
@@ -88,7 +88,7 @@ uint64_t json_segment_get_size(json_object *jobj_segment, unsigned blockwise)
 	    !json_object_object_get_ex(jobj_segment, "size", &jobj))
 		return 0;
 
-	return blockwise ? json_object_get_uint64(jobj) >> SECTOR_SHIFT : json_object_get_uint64(jobj);
+	return blockwise ? crypt_jobj_get_uint64(jobj) >> SECTOR_SHIFT : crypt_jobj_get_uint64(jobj);
 }
 
 const char *json_segment_get_cipher(json_object *jobj_segment)
@@ -229,8 +229,8 @@ static json_object *_segment_create_generic(const char *type, uint64_t offset, c
 		return NULL;
 
 	json_object_object_add(jobj, "type",		json_object_new_string(type));
-	json_object_object_add(jobj, "offset",		json_object_new_uint64(offset));
-	json_object_object_add(jobj, "size",		length ? json_object_new_uint64(*length) : json_object_new_string("dynamic"));
+	json_object_object_add(jobj, "offset",		crypt_jobj_new_uint64(offset));
+	json_object_object_add(jobj, "size",		length ? crypt_jobj_new_uint64(*length) : json_object_new_string("dynamic"));
 
 	return jobj;
 }
@@ -252,7 +252,7 @@ json_object *json_segment_create_crypt(uint64_t offset,
 	if (!jobj)
 		return NULL;
 
-	json_object_object_add(jobj, "iv_tweak",	json_object_new_uint64(iv_offset));
+	json_object_object_add(jobj, "iv_tweak",	crypt_jobj_new_uint64(iv_offset));
 	json_object_object_add(jobj, "encryption",	json_object_new_string(cipher));
 	json_object_object_add(jobj, "sector_size",	json_object_new_int(sector_size));
 	if (reencryption)

lib/setup.c

@@ -3708,21 +3708,6 @@ out:
 	return r;
 }
 
-static int load_all_keys(struct crypt_device *cd, struct luks2_hdr *hdr, struct volume_key *vks)
-{
-	int r;
-	struct volume_key *vk = vks;
-
-	while (vk) {
-		r = LUKS2_volume_key_load_in_keyring_by_digest(cd, hdr, vk, crypt_volume_key_get_id(vk));
-		if (r < 0)
-			return r;
-		vk = vk->next;
-	}
-
-	return 0;
-}
-
 /* See fixmes in _open_and_activate_luks2 */
 int update_reencryption_flag(struct crypt_device *cd, int enable, bool commit);
 
@@ -3764,6 +3749,22 @@ out:
 	return r < 0 ? r : keyslot;
 }
 
+#if USE_LUKS2_REENCRYPTION
+static int load_all_keys(struct crypt_device *cd, struct luks2_hdr *hdr, struct volume_key *vks)
+{
+	int r;
+	struct volume_key *vk = vks;
+
+	while (vk) {
+		r = LUKS2_volume_key_load_in_keyring_by_digest(cd, hdr, vk, crypt_volume_key_get_id(vk));
+		if (r < 0)
+			return r;
+		vk = vk->next;
+	}
+
+	return 0;
+}
+
 static int _open_all_keys(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	int keyslot,
@@ -3925,6 +3926,28 @@ static int _open_and_activate_luks2(struct crypt_device *cd,
 
 	return r;
 }
+#else
+static int _open_and_activate_luks2(struct crypt_device *cd,
+	int keyslot,
+	const char *name,
+	const char *passphrase,
+	size_t passphrase_size,
+	uint32_t flags)
+{
+	crypt_reencrypt_info ri;
+
+	ri = LUKS2_reenc_status(&cd->u.luks2.hdr);
+	if (ri == CRYPT_REENCRYPT_INVALID)
+		return -EINVAL;
+
+	if (ri > CRYPT_REENCRYPT_NONE) {
+		log_err(cd, _("This operation is not supported for this device type."));
+		return -ENOTSUP;
+	}
+
+	return _open_and_activate(cd, keyslot, name, passphrase, passphrase_size, flags);
+}
+#endif
 
 static int _activate_by_passphrase(struct crypt_device *cd,
 	const char *name,

tests/api-test-2.c

@@ -3622,7 +3622,7 @@ static void Luks2Flags(void)
 
 	CRYPT_FREE(cd);
 }
-
+#if KERNEL_KEYRING && USE_LUKS2_REENCRYPTION
 static int test_progress(uint64_t size, uint64_t offset, void *usrptr)
 {
 	while (--test_progress_steps)
@@ -3633,7 +3633,6 @@ static int test_progress(uint64_t size, uint64_t offset, void *usrptr)
 static void Luks2Reencryption(void)
 {
 /* reencryption currently depends on kernel keyring support */
-#if KERNEL_KEYRING
 	/* NOTES:
 	 *  - reencryption requires luks2 parameters. can we avoid it?
 	 */
@@ -4302,8 +4301,8 @@ static void Luks2Reencryption(void)
 	CRYPT_FREE(cd);
 
 	_cleanup_dmdevices();
-#endif
 }
+#endif
 
 static void Luks2Repair(void)
 {
@@ -4419,7 +4418,9 @@ int main(int argc, char *argv[])
 	RUN_(Luks2Integrity, "LUKS2 with data integrity");
 	RUN_(Luks2Refresh, "Active device table refresh");
 	RUN_(Luks2Flags, "LUKS2 persistent flags");
+#if KERNEL_KEYRING && USE_LUKS2_REENCRYPTION
 	RUN_(Luks2Reencryption, "LUKS2 reencryption");
+#endif
 	RUN_(Luks2Repair, "LUKS2 repair"); // test disables metadata locking. Run always last!
 
 	_cleanup();

tests/compat-test2

@@ -752,6 +752,12 @@ $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 0 -d $KEY5 || fail
 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 1024 $LOOPDEV $KEY5 || fail
 $CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail
 
+# create LUKS1 with data offset not aligned to 4KiB
+$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks1 $LOOPDEV $KEY5 --align-payload 4097 || fail
+$CRYPTSETUP -q convert --type luks2 $LOOPDEV || fail
+$CRYPTSETUP isLuks --type luks2 $LOOPDEV || fail
+$CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 0 -d $KEY5 || fail
+
 if dm_crypt_keyring_flawed; then
 	prepare "[32a] LUKS2 keyring dm-crypt bug" wipe
 	echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG || fail

tests/luks2-reencryption-test

@@ -114,6 +114,7 @@ function fail()
 function skip()
 {
 	[ -n "$1" ] && echo "$1"
+	remove_mapping
 	exit 77
 }
 
@@ -745,6 +746,7 @@ prepare sector_size=512 physblk_exp=3 dev_size_mb=32
 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
 wipe $PWD1
 check_hash $PWD1 $HASH1
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON 2>&1 | tail -1 | grep -q "not supported" && skip " No reenryption support, test skipped."
 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON || fail
 check_hash $PWD1 $HASH1
 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal $FAST_PBKDF_ARGON || fail