Update README.

crypt_reencrypt_status() returns this flag if old
online-reencrypt requirement is detected and reencryption
keyslot digest is missing.

crypt_reencrypt_init_by_passphrase() with same flag applied
repairs (upgrade) reencryption metadata so that
automatic reencryption recovery during activation
is again possible and reencryption operation can be resumed
post CVE-2021-4122 fix.

README.md

@@ -44,16 +44,16 @@ Download
 --------
 All release tarballs and release notes are hosted on [kernel.org](https://www.kernel.org/pub/linux/utils/cryptsetup/).
 
-**The latest stable cryptsetup version is 2.3.5**
-  * [cryptsetup-2.3.5.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-2.3.5.tar.xz)
-  * Signature [cryptsetup-2.3.5.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-2.3.5.tar.sign)
+**The latest stable cryptsetup version is 2.4.3**
+  * [cryptsetup-2.4.3.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-2.4.3.tar.xz)
+  * Signature [cryptsetup-2.4.3.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-2.4.3.tar.sign)
     _(You need to decompress file first to check signature.)_
-  * [Cryptsetup 2.3.5 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/v2.3.5-ReleaseNotes).
+  * [Cryptsetup 2.4.3 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/v2.4.3-ReleaseNotes).
 
 Previous versions
- * [Version 2.0.6](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-2.0.6.tar.xz) -
-   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-2.0.6.tar.sign) -
-   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.6-ReleaseNotes).
+ * [Version 2.3.7](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-2.3.7.tar.xz) -
+   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-2.3.7.tar.sign) -
+   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/v2.3.7-ReleaseNotes).
  * [Version 1.7.5](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.5.tar.xz) -
    [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.5.tar.sign) -
    [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.5-ReleaseNotes).

configure.ac

@@ -1,5 +1,5 @@
 AC_PREREQ([2.67])
-AC_INIT([cryptsetup],[2.3.6])
+AC_INIT([cryptsetup],[2.3.7])
 
 dnl library version from <major>.<minor>.<release>[-<suffix>]
 LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-)
@@ -57,7 +57,6 @@ dnl ==========================================================================
 AC_C_RESTRICT
 
 AC_HEADER_DIRENT
-AC_HEADER_STDC
 AC_CHECK_HEADERS(fcntl.h malloc.h inttypes.h sys/ioctl.h sys/mman.h \
 	sys/sysmacros.h sys/statvfs.h ctype.h unistd.h locale.h byteswap.h endian.h stdint.h)
 AC_CHECK_DECLS([O_CLOEXEC],,[AC_DEFINE([O_CLOEXEC],[0], [Defined to 0 if not provided])],
@@ -146,6 +145,14 @@ AC_DEFUN([NO_FIPS], [
 	fi
 ])
 
+dnl LUKS2 online reencryption
+AC_ARG_ENABLE([luks2-reencryption],
+	AS_HELP_STRING([--disable-luks2-reencryption], [disable LUKS2 online reencryption extension]),
+	[], [enable_luks2_reencryption=yes])
+if test "x$enable_luks2_reencryption" = "xyes"; then
+	AC_DEFINE(USE_LUKS2_REENCRYPTION, 1, [Use LUKS2 online reencryption extension])
+fi
+
 dnl ==========================================================================
 dnl pwquality library (cryptsetup CLI only)
 AC_ARG_ENABLE([pwquality],

docs/v2.3.7-ReleaseNotes

@@ -0,0 +1,95 @@
+Cryptsetup 2.3.7 Release Notes
+==============================
+Stable security bug-fix release that fixes CVE-2021-4122.
+
+All users of cryptsetup 2.3.x must upgrade to this version.
+
+Changes since version 2.3.6
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Fix possible attacks against data confidentiality through LUKS2 online
+  reencryption extension crash recovery (CVE-2021-4122).
+
+  An attacker can modify on-disk metadata to simulate decryption in
+  progress with crashed (unfinished) reencryption step and persistently
+  decrypt part of the LUKS device.
+
+  This attack requires repeated physical access to the LUKS device but
+  no knowledge of user passphrases.
+
+  The decryption step is performed after a valid user activates
+  the device with a correct passphrase and modified metadata.
+  There are no visible warnings for the user that such recovery happened
+  (except using the luksDump command). The attack can also be reversed
+  afterward (simulating crashed encryption from a plaintext) with
+  possible modification of revealed plaintext.
+
+  The size of possible decrypted data depends on configured LUKS2 header
+  size (metadata size is configurable for LUKS2).
+  With the default parameters (16 MiB LUKS2 header) and only one
+  allocated keyslot (512 bit key for AES-XTS), simulated decryption with
+  checksum resilience SHA1 (20 bytes checksum for 4096-byte blocks),
+  the maximal decrypted size can be over 3GiB.
+
+  The attack is not applicable to LUKS1 format, but the attacker can
+  update metadata in place to LUKS2 format as an additional step.
+  For such a converted LUKS2 header, the keyslot area is limited to
+  decrypted size (with SHA1 checksums) over 300 MiB.
+
+  The issue is present in all cryptsetup releases since 2.2.0.
+  Versions 1.x, 2.0.x, and 2.1.x are not affected, as these do not
+  contain LUKS2 reencryption extension.
+
+  The problem was caused by reusing a mechanism designed for actual
+  reencryption operation without reassessing the security impact for new
+  encryption and decryption operations. While the reencryption requires
+  calculating and verifying both key digests, no digest was needed to
+  initiate decryption recovery if the destination is plaintext (no
+  encryption key). Also, some metadata (like encryption cipher) is not
+  protected, and an attacker could change it. Note that LUKS2 protects
+  visible metadata only when a random change occurs. It does not protect
+  against intentional modification but such modification must not cause
+  a violation of data confidentiality.
+
+  The fix introduces additional digest protection of reencryption
+  metadata. The digest is calculated from known keys and critical
+  reencryption metadata. Now an attacker cannot create correct metadata
+  digest without knowledge of a passphrase for used keyslots.
+  For more details, see LUKS2 On-Disk Format Specification version 1.1.0.
+
+  The former reencryption operation (without the additional digest) is no
+  longer supported (reencryption with the digest is not backward
+  compatible). You need to finish in-progress reencryption before
+  updating to new packages. The alternative approach is to perform
+  a repair command from the updated package to recalculate reencryption
+  digest and fix metadata.
+  The reencryption repair operation always require a user passphrase.
+
+  WARNING: Devices with older reencryption in progress can be no longer
+  activated without performing the action mentioned above.
+
+  Encryption in progress can be detected by running the luksDump command
+  (output includes reencrypt keyslot with reencryption parameters). Also,
+  during the active reencryption, no keyslot operations are available
+  (change of passphrases, etc.).
+
+  The issue was found by Milan Broz as cryptsetup maintainer.
+
+Other changes
+~~~~~~~~~~~~~
+* Add configure option --disable-luks2-reencryption to completely disable
+  LUKS2 reencryption code.
+
+  When used, the libcryptsetup library can read metadata with
+  reencryption code, but all reencryption API calls and cryptsetup
+  reencrypt commands are disabled.
+
+  Devices with online reencryption in progress cannot be activated.
+  This option can cause some incompatibilities. Please use with care.
+
+* Improve internal metadata validation code for reencryption metadata.
+
+* Add updated documentation for LUKS2 On-Disk Format Specification
+  version 1.1.0 (with reencryption extension description and updated
+  metadata description). See docs/on-disk-format-luks2.pdf or online
+  version in https://gitlab.com/cryptsetup/LUKS2-docs repository.

lib/Makemodule.am

@@ -104,6 +104,7 @@ libcryptsetup_la_SOURCES = \
 	lib/luks2/luks2_keyslot_luks2.c	\
 	lib/luks2/luks2_keyslot_reenc.c	\
 	lib/luks2/luks2_reencrypt.c	\
+	lib/luks2/luks2_reencrypt_digest.c	\
 	lib/luks2/luks2_segment.c	\
 	lib/luks2/luks2_token_keyring.c	\
 	lib/luks2/luks2_token.c		\

lib/internal.h

@@ -83,7 +83,7 @@
 #endif
 
 struct crypt_device;
-struct luks2_reenc_context;
+struct luks2_reencrypt;
 
 struct volume_key {
 	int id;
@@ -222,8 +222,8 @@ int PLAIN_activate(struct crypt_device *cd,
 		     uint32_t flags);
 
 void *crypt_get_hdr(struct crypt_device *cd, const char *type);
-void crypt_set_reenc_context(struct crypt_device *cd, struct luks2_reenc_context *rh);
-struct luks2_reenc_context *crypt_get_reenc_context(struct crypt_device *cd);
+void crypt_set_luks2_reencrypt(struct crypt_device *cd, struct luks2_reencrypt *rh);
+struct luks2_reencrypt *crypt_get_luks2_reencrypt(struct crypt_device *cd);
 
 int onlyLUKS2(struct crypt_device *cd);
 int onlyLUKS2mask(struct crypt_device *cd, uint32_t mask);

lib/libcryptsetup.h

@@ -2204,6 +2204,8 @@ int crypt_activate_by_token(struct crypt_device *cd,
 #define CRYPT_REENCRYPT_RESUME_ONLY        (1 << 2)
 /** Run reencryption recovery only. (in) */
 #define CRYPT_REENCRYPT_RECOVERY           (1 << 3)
+/** Reencryption requires metadata protection. (in/out) */
+#define CRYPT_REENCRYPT_REPAIR_NEEDED      (1 << 4)
 
 /**
  * Reencryption direction

lib/luks2/luks2.h

@@ -61,6 +61,10 @@
 #define LUKS2_REENCRYPT_MAX_HOTZONE_LENGTH 0x40000000
 
 struct device;
+struct luks2_reencrypt;
+struct crypt_lock_handle;
+struct crypt_dm_active_device;
+struct luks_phdr; /* LUKS1 for conversion */
 
 /*
  * LUKS2 header on-disk.
@@ -96,7 +100,6 @@ struct luks2_hdr_disk {
 /*
  * LUKS2 header in-memory.
  */
-typedef struct json_object json_object;
 struct luks2_hdr {
 	size_t		hdr_size;
 	uint64_t	seqid;
@@ -107,7 +110,7 @@ struct luks2_hdr {
 	uint8_t		salt1[LUKS2_SALT_L];
 	uint8_t		salt2[LUKS2_SALT_L];
 	char		uuid[LUKS2_UUID_L];
-	json_object	*jobj;
+	void		*jobj;
 };
 
 struct luks2_keyslot_params {
@@ -129,77 +132,6 @@ struct luks2_keyslot_params {
 	} area;
 };
 
-struct reenc_protection {
-	enum { REENC_PROTECTION_NONE = 0, /* none should be 0 always */
-	       REENC_PROTECTION_CHECKSUM,
-	       REENC_PROTECTION_JOURNAL,
-               REENC_PROTECTION_DATASHIFT } type;
-
-	union {
-	struct {
-	} none;
-	struct {
-		char hash[LUKS2_CHECKSUM_ALG_L]; // or include luks.h
-		struct crypt_hash *ch;
-		size_t hash_size;
-		/* buffer for checksums */
-		void *checksums;
-		size_t checksums_len;
-	} csum;
-	struct {
-	} ds;
-	} p;
-};
-
-struct luks2_reenc_context {
-	/* reencryption window attributes */
-	uint64_t offset;
-	uint64_t progress;
-	uint64_t length;
-	uint64_t data_shift;
-	size_t alignment;
-	uint64_t device_size;
-	bool online;
-	bool fixed_length;
-	crypt_reencrypt_direction_info direction;
-	crypt_reencrypt_mode_info mode;
-
-	char *device_name;
-	char *hotzone_name;
-	char *overlay_name;
-	uint32_t flags;
-
-	/* reencryption window persistence attributes */
-	struct reenc_protection rp;
-
-	int reenc_keyslot;
-
-	/* already running reencryption */
-	json_object *jobj_segs_hot;
-	json_object *jobj_segs_post;
-
-	/* backup segments */
-	json_object *jobj_segment_new;
-	int digest_new;
-	json_object *jobj_segment_old;
-	int digest_old;
-	json_object *jobj_segment_moved;
-
-	struct volume_key *vks;
-
-	void *reenc_buffer;
-	ssize_t read;
-
-	struct crypt_storage_wrapper *cw1;
-	struct crypt_storage_wrapper *cw2;
-
-	uint32_t wflags1;
-	uint32_t wflags2;
-
-	struct crypt_lock_handle *reenc_lock;
-};
-
-crypt_reencrypt_info LUKS2_reenc_status(struct luks2_hdr *hdr);
 /*
  * Supportable header sizes (hdr_disk + JSON area)
  * Also used as offset for the 2nd header.
@@ -222,9 +154,6 @@ crypt_reencrypt_info LUKS2_reenc_status(struct luks2_hdr *hdr);
 int LUKS2_hdr_version_unlocked(struct crypt_device *cd,
 	const char *backup_file);
 
-int LUKS2_device_write_lock(struct crypt_device *cd,
-	struct luks2_hdr *hdr, struct device *device);
-
 int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, int repair);
 int LUKS2_hdr_write(struct crypt_device *cd, struct luks2_hdr *hdr);
 int LUKS2_hdr_write_force(struct crypt_device *cd, struct luks2_hdr *hdr);
@@ -249,9 +178,9 @@ int LUKS2_hdr_restore(struct crypt_device *cd,
 		      struct luks2_hdr *hdr,
 		      const char *backup_file);
 
-uint64_t LUKS2_hdr_and_areas_size(json_object *jobj);
-uint64_t LUKS2_keyslots_size(json_object *jobj);
-uint64_t LUKS2_metadata_size(json_object *jobj);
+uint64_t LUKS2_hdr_and_areas_size(struct luks2_hdr *hdr);
+uint64_t LUKS2_keyslots_size(struct luks2_hdr *hdr);
+uint64_t LUKS2_metadata_size(struct luks2_hdr *hdr);
 
 int LUKS2_keyslot_cipher_incompatible(struct crypt_device *cd, const char *cipher_spec);
 
@@ -280,28 +209,11 @@ int LUKS2_keyslot_store(struct crypt_device *cd,
 	const struct volume_key *vk,
 	const struct luks2_keyslot_params *params);
 
-int LUKS2_keyslot_reencrypt_store(struct crypt_device *cd,
-	struct luks2_hdr *hdr,
-	int keyslot,
-	const void *buffer,
-	size_t buffer_length);
-
-int LUKS2_keyslot_reencrypt_create(struct crypt_device *cd,
-	struct luks2_hdr *hdr,
-	int keyslot,
-	const struct crypt_params_reencrypt *params);
-
-int reenc_keyslot_update(struct crypt_device *cd,
-	const struct luks2_reenc_context *rh);
-
 int LUKS2_keyslot_wipe(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	int keyslot,
 	int wipe_area_only);
 
-int LUKS2_keyslot_dump(struct crypt_device *cd,
-	int keyslot);
-
 crypt_keyslot_priority LUKS2_keyslot_priority_get(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	int keyslot);
@@ -374,65 +286,6 @@ int LUKS2_token_open_and_activate_any(struct crypt_device *cd,
 	const char *name,
 	uint32_t flags);
 
-int LUKS2_tokens_count(struct luks2_hdr *hdr);
-
-/*
- * Generic LUKS2 segment
- */
-uint64_t json_segment_get_offset(json_object *jobj_segment, unsigned blockwise);
-const char *json_segment_type(json_object *jobj_segment);
-uint64_t json_segment_get_iv_offset(json_object *jobj_segment);
-uint64_t json_segment_get_size(json_object *jobj_segment, unsigned blockwise);
-const char *json_segment_get_cipher(json_object *jobj_segment);
-int json_segment_get_sector_size(json_object *jobj_segment);
-bool json_segment_is_backup(json_object *jobj_segment);
-json_object *json_segments_get_segment(json_object *jobj_segments, int segment);
-unsigned json_segments_count(json_object *jobj_segments);
-void json_segment_remove_flag(json_object *jobj_segment, const char *flag);
-uint64_t json_segments_get_minimal_offset(json_object *jobj_segments, unsigned blockwise);
-json_object *json_segment_create_linear(uint64_t offset, const uint64_t *length, unsigned reencryption);
-json_object *json_segment_create_crypt(uint64_t offset, uint64_t iv_offset, const uint64_t *length, const char *cipher, uint32_t sector_size, unsigned reencryption);
-int json_segments_segment_in_reencrypt(json_object *jobj_segments);
-
-int LUKS2_segments_count(struct luks2_hdr *hdr);
-
-int LUKS2_segment_first_unused_id(struct luks2_hdr *hdr);
-
-int LUKS2_segment_set_flag(json_object *jobj_segment, const char *flag);
-
-json_object *LUKS2_get_segment_by_flag(struct luks2_hdr *hdr, const char *flag);
-
-int LUKS2_get_segment_id_by_flag(struct luks2_hdr *hdr, const char *flag);
-
-int LUKS2_segments_set(struct crypt_device *cd,
-	struct luks2_hdr *hdr,
-	json_object *jobj_segments,
-	int commit);
-
-uint64_t LUKS2_segment_offset(struct luks2_hdr *hdr,
-	int segment,
-	unsigned blockwise);
-
-uint64_t LUKS2_segment_size(struct luks2_hdr *hdr,
-	int segment,
-	unsigned blockwise);
-
-int LUKS2_segment_is_type(struct luks2_hdr *hdr,
-	int segment,
-	const char *type);
-
-int LUKS2_segment_by_type(struct luks2_hdr *hdr,
-	const char *type);
-
-int LUKS2_last_segment_by_type(struct luks2_hdr *hdr,
-	const char *type);
-
-int LUKS2_get_default_segment(struct luks2_hdr *hdr);
-
-int LUKS2_reencrypt_digest_new(struct luks2_hdr *hdr);
-int LUKS2_reencrypt_digest_old(struct luks2_hdr *hdr);
-int LUKS2_reencrypt_data_offset(struct luks2_hdr *hdr, bool blockwise);
-
 /*
  * Generic LUKS2 digest
  */
@@ -440,29 +293,16 @@ int LUKS2_digest_any_matching(struct crypt_device *cd,
 		struct luks2_hdr *hdr,
 		const struct volume_key *vk);
 
-int LUKS2_digest_by_segment(struct luks2_hdr *hdr, int segment);
-
-int LUKS2_digest_verify_by_digest(struct crypt_device *cd,
-	struct luks2_hdr *hdr,
-	int digest,
-	const struct volume_key *vk);
-
 int LUKS2_digest_verify_by_segment(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	int segment,
 	const struct volume_key *vk);
 
-void LUKS2_digests_erase_unused(struct crypt_device *cd,
-	struct luks2_hdr *hdr);
-
 int LUKS2_digest_verify(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	const struct volume_key *vk,
 	int keyslot);
 
-int LUKS2_digest_dump(struct crypt_device *cd,
-	int digest);
-
 int LUKS2_digest_assign(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	int keyslot,
@@ -479,6 +319,8 @@ int LUKS2_digest_segment_assign(struct crypt_device *cd,
 
 int LUKS2_digest_by_keyslot(struct luks2_hdr *hdr, int keyslot);
 
+int LUKS2_digest_by_segment(struct luks2_hdr *hdr, int segment);
+
 int LUKS2_digest_create(struct crypt_device *cd,
 	const char *type,
 	struct luks2_hdr *hdr,
@@ -498,20 +340,12 @@ int LUKS2_activate_multi(struct crypt_device *cd,
 	uint64_t device_size,
 	uint32_t flags);
 
-struct crypt_dm_active_device;
-
 int LUKS2_deactivate(struct crypt_device *cd,
 	const char *name,
 	struct luks2_hdr *hdr,
 	struct crypt_dm_active_device *dmd,
 	uint32_t flags);
 
-int LUKS2_reload(struct crypt_device *cd,
-	const char *name,
-	struct volume_key *vks,
-	uint64_t device_size,
-	uint32_t flags);
-
 int LUKS2_generate_hdr(
 	struct crypt_device *cd,
 	struct luks2_hdr *hdr,
@@ -545,17 +379,12 @@ int LUKS2_get_keyslot_stored_key_size(struct luks2_hdr *hdr, int keyslot);
 const char *LUKS2_get_keyslot_cipher(struct luks2_hdr *hdr, int keyslot, size_t *key_size);
 int LUKS2_keyslot_find_empty(struct luks2_hdr *hdr);
 int LUKS2_keyslot_active_count(struct luks2_hdr *hdr, int segment);
-int LUKS2_keyslot_for_segment(struct luks2_hdr *hdr, int keyslot, int segment);
-int LUKS2_find_keyslot(struct luks2_hdr *hdr, const char *type);
 crypt_keyslot_info LUKS2_keyslot_info(struct luks2_hdr *hdr, int keyslot);
 int LUKS2_keyslot_area(struct luks2_hdr *hdr,
 	int keyslot,
 	uint64_t *offset,
 	uint64_t *length);
 int LUKS2_keyslot_pbkdf(struct luks2_hdr *hdr, int keyslot, struct crypt_pbkdf_type *pbkdf);
-int LUKS2_set_keyslots_size(struct crypt_device *cd,
-	struct luks2_hdr *hdr,
-	uint64_t data_offset);
 
 /*
  * Permanent activation flags stored in header
@@ -569,6 +398,8 @@ int LUKS2_config_set_flags(struct crypt_device *cd, struct luks2_hdr *hdr, uint3
 int LUKS2_config_get_requirements(struct crypt_device *cd, struct luks2_hdr *hdr, uint32_t *reqs);
 int LUKS2_config_set_requirements(struct crypt_device *cd, struct luks2_hdr *hdr, uint32_t reqs, bool commit);
 
+int LUKS2_config_get_reencrypt_version(struct luks2_hdr *hdr, uint32_t *version);
+
 int LUKS2_unmet_requirements(struct crypt_device *cd, struct luks2_hdr *hdr, uint32_t reqs_mask, int quiet);
 
 int LUKS2_key_description_by_segment(struct crypt_device *cd,
@@ -578,7 +409,6 @@ int LUKS2_volume_key_load_in_keyring_by_keyslot(struct crypt_device *cd,
 int LUKS2_volume_key_load_in_keyring_by_digest(struct crypt_device *cd,
 		struct luks2_hdr *hdr, struct volume_key *vk, int digest);
 
-struct luks_phdr;
 int LUKS2_luks1_to_luks2(struct crypt_device *cd,
 			 struct luks_phdr *hdr1,
 			 struct luks2_hdr *hdr2);
@@ -597,21 +427,33 @@ int LUKS2_reencrypt_locked_recovery_by_passphrase(struct crypt_device *cd,
 	uint32_t flags,
 	struct volume_key **vks);
 
-void LUKS2_reenc_context_free(struct crypt_device *cd, struct luks2_reenc_context *rh);
+void LUKS2_reencrypt_free(struct crypt_device *cd,
+	struct luks2_reencrypt *rh);
 
-int LUKS2_assembly_multisegment_dmd(struct crypt_device *cd,
-	struct luks2_hdr *hdr,
-	struct volume_key *vks,
-	json_object *jobj_segments,
-	struct crypt_dm_active_device *dmd);
+crypt_reencrypt_info LUKS2_reencrypt_status(struct luks2_hdr *hdr);
 
-crypt_reencrypt_info LUKS2_reencrypt_status(struct crypt_device *cd,
+crypt_reencrypt_info LUKS2_reencrypt_get_params(struct luks2_hdr *hdr,
 	struct crypt_params_reencrypt *params);
 
-int crypt_reencrypt_lock(struct crypt_device *cd, struct crypt_lock_handle **reencrypt_lock);
-int crypt_reencrypt_lock_by_dm_uuid(struct crypt_device *cd, const char *dm_uuid, struct crypt_lock_handle **reencrypt_lock);
-void crypt_reencrypt_unlock(struct crypt_device *cd, struct crypt_lock_handle *reencrypt_lock);
+int LUKS2_reencrypt_lock(struct crypt_device *cd,
+	struct crypt_lock_handle **reencrypt_lock);
 
-int luks2_check_device_size(struct crypt_device *cd, struct luks2_hdr *hdr, uint64_t check_size, uint64_t *dev_size, bool activation, bool dynamic);
+int LUKS2_reencrypt_lock_by_dm_uuid(struct crypt_device *cd,
+	const char *dm_uuid,
+	struct crypt_lock_handle **reencrypt_lock);
+
+void LUKS2_reencrypt_unlock(struct crypt_device *cd,
+	struct crypt_lock_handle *reencrypt_lock);
+
+int LUKS2_reencrypt_check_device_size(struct crypt_device *cd,
+	struct luks2_hdr *hdr,
+	uint64_t check_size,
+	uint64_t *dev_size,
+	bool activation,
+	bool dynamic);
+
+int LUKS2_reencrypt_digest_verify(struct crypt_device *cd,
+	struct luks2_hdr *hdr,
+	struct volume_key *vks);
 
 #endif

lib/luks2/luks2_disk_metadata.c

@@ -385,7 +385,7 @@ int LUKS2_device_write_lock(struct crypt_device *cd, struct luks2_hdr *hdr, stru
 	}
 
 	/* run sequence id check only on first write lock (r == 1) and w/o LUKS2 reencryption in-progress */
-	if (r == 1 && !crypt_get_reenc_context(cd)) {
+	if (r == 1 && !crypt_get_luks2_reencrypt(cd)) {
 		log_dbg(cd, "Checking context sequence id matches value stored on disk.");
 		if (LUKS2_check_sequence_id(cd, hdr, device)) {
 			device_write_unlock(cd, device);
@@ -413,7 +413,7 @@ int LUKS2_disk_hdr_write(struct crypt_device *cd, struct luks2_hdr *hdr, struct
 		return -EINVAL;
 	}
 
-	r = device_check_size(cd, crypt_metadata_device(cd), LUKS2_hdr_and_areas_size(hdr->jobj), 1);
+	r = device_check_size(cd, crypt_metadata_device(cd), LUKS2_hdr_and_areas_size(hdr), 1);
 	if (r)
 		return r;
 
@@ -669,9 +669,9 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr,
 
 	/* check header with keyslots to fit the device */
 	if (state_hdr1 == HDR_OK)
-		hdr_size = LUKS2_hdr_and_areas_size(jobj_hdr1);
+		hdr_size = LUKS2_hdr_and_areas_size_jobj(jobj_hdr1);
 	else if (state_hdr2 == HDR_OK)
-		hdr_size = LUKS2_hdr_and_areas_size(jobj_hdr2);
+		hdr_size = LUKS2_hdr_and_areas_size_jobj(jobj_hdr2);
 	else {
 		r = (state_hdr1 == HDR_FAIL_IO && state_hdr2 == HDR_FAIL_IO) ? -EIO : -EINVAL;
 		goto err;

lib/luks2/luks2_internal.h

@@ -44,6 +44,8 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr,
 			struct device *device, int do_recovery, int do_blkprobe);
 int LUKS2_disk_hdr_write(struct crypt_device *cd, struct luks2_hdr *hdr,
 			 struct device *device, bool seqid_check);
+int LUKS2_device_write_lock(struct crypt_device *cd,
+	struct luks2_hdr *hdr, struct device *device);
 
 /*
  * JSON struct access helpers
@@ -92,8 +94,8 @@ void LUKS2_keyslots_repair(struct crypt_device *cd, json_object *jobj_hdr);
 /*
  * JSON array helpers
  */
-struct json_object *LUKS2_array_jobj(struct json_object *array, const char *num);
-struct json_object *LUKS2_array_remove(struct json_object *array, const char *num);
+json_object *LUKS2_array_jobj(json_object *array, const char *num);
+json_object *LUKS2_array_remove(json_object *array, const char *num);
 
 /*
  * Plugins API
@@ -184,6 +186,8 @@ int LUKS2_find_area_gap(struct crypt_device *cd, struct luks2_hdr *hdr,
 int LUKS2_find_area_max_gap(struct crypt_device *cd, struct luks2_hdr *hdr,
 			    uint64_t *area_offset, uint64_t *area_length);
 
+uint64_t LUKS2_hdr_and_areas_size_jobj(json_object *jobj);
+
 int LUKS2_check_cipher(struct crypt_device *cd,
 		      size_t keylength,
 		      const char *cipher,
@@ -200,4 +204,127 @@ static inline const char *crypt_reencrypt_mode_to_str(crypt_reencrypt_mode_info
 	return "<unknown>";
 }
 
+/*
+ * Generic LUKS2 keyslot
+ */
+int LUKS2_keyslot_reencrypt_store(struct crypt_device *cd,
+	struct luks2_hdr *hdr,
+	int keyslot,
+	const void *buffer,
+	size_t buffer_length);
+
+int LUKS2_keyslot_reencrypt_allocate(struct crypt_device *cd,
+	struct luks2_hdr *hdr,
+	int keyslot,
+	const struct crypt_params_reencrypt *params);
+
+int LUKS2_keyslot_reencrypt_digest_create(struct crypt_device *cd,
+	struct luks2_hdr *hdr,
+	struct volume_key *vks);
+
+int LUKS2_keyslot_dump(struct crypt_device *cd,
+	int keyslot);
+
+int LUKS2_keyslot_jobj_area(json_object *jobj_keyslot, uint64_t *offset, uint64_t *length);
+
+/* JSON helpers */
+uint64_t json_segment_get_offset(json_object *jobj_segment, unsigned blockwise);
+const char *json_segment_type(json_object *jobj_segment);
+uint64_t json_segment_get_iv_offset(json_object *jobj_segment);
+uint64_t json_segment_get_size(json_object *jobj_segment, unsigned blockwise);
+const char *json_segment_get_cipher(json_object *jobj_segment);
+int json_segment_get_sector_size(json_object *jobj_segment);
+bool json_segment_is_backup(json_object *jobj_segment);
+json_object *json_segments_get_segment(json_object *jobj_segments, int segment);
+unsigned json_segments_count(json_object *jobj_segments);
+void json_segment_remove_flag(json_object *jobj_segment, const char *flag);
+uint64_t json_segments_get_minimal_offset(json_object *jobj_segments, unsigned blockwise);
+json_object *json_segment_create_linear(uint64_t offset, const uint64_t *length, unsigned reencryption);
+json_object *json_segment_create_crypt(uint64_t offset, uint64_t iv_offset, const uint64_t *length, const char *cipher, uint32_t sector_size, unsigned reencryption);
+int json_segments_segment_in_reencrypt(json_object *jobj_segments);
+bool json_segment_cmp(json_object *jobj_segment_1, json_object *jobj_segment_2);
+bool json_segment_contains_flag(json_object *jobj_segment, const char *flag_str, size_t len);
+
+int LUKS2_assembly_multisegment_dmd(struct crypt_device *cd,
+	struct luks2_hdr *hdr,
+	struct volume_key *vks,
+	json_object *jobj_segments,
+	struct crypt_dm_active_device *dmd);
+
+/*
+ * Generic LUKS2 segment
+ */
+int LUKS2_segments_count(struct luks2_hdr *hdr);
+
+int LUKS2_segment_first_unused_id(struct luks2_hdr *hdr);
+
+int LUKS2_segment_set_flag(json_object *jobj_segment, const char *flag);
+
+json_object *LUKS2_get_segment_by_flag(struct luks2_hdr *hdr, const char *flag);
+
+int LUKS2_get_segment_id_by_flag(struct luks2_hdr *hdr, const char *flag);
+
+int LUKS2_segments_set(struct crypt_device *cd,
+	struct luks2_hdr *hdr,
+	json_object *jobj_segments,
+	int commit);
+
+uint64_t LUKS2_segment_offset(struct luks2_hdr *hdr,
+	int segment,
+	unsigned blockwise);
+
+uint64_t LUKS2_segment_size(struct luks2_hdr *hdr,
+	int segment,
+	unsigned blockwise);
+
+int LUKS2_segment_is_type(struct luks2_hdr *hdr,
+	int segment,
+	const char *type);
+
+int LUKS2_segment_by_type(struct luks2_hdr *hdr,
+	const char *type);
+
+int LUKS2_last_segment_by_type(struct luks2_hdr *hdr,
+	const char *type);
+
+int LUKS2_get_default_segment(struct luks2_hdr *hdr);
+
+int LUKS2_reencrypt_digest_new(struct luks2_hdr *hdr);
+int LUKS2_reencrypt_digest_old(struct luks2_hdr *hdr);
+int LUKS2_reencrypt_data_offset(struct luks2_hdr *hdr, bool blockwise);
+
+/*
+ * Generic LUKS2 digest
+ */
+int LUKS2_digest_verify_by_digest(struct crypt_device *cd,
+	struct luks2_hdr *hdr,
+	int digest,
+	const struct volume_key *vk);
+
+void LUKS2_digests_erase_unused(struct crypt_device *cd,
+	struct luks2_hdr *hdr);
+
+int LUKS2_digest_dump(struct crypt_device *cd,
+	int digest);
+
+/*
+ * Generic LUKS2 token
+ */
+int LUKS2_tokens_count(struct luks2_hdr *hdr);
+
+/*
+ * LUKS2 generic
+ */
+int LUKS2_reload(struct crypt_device *cd,
+	const char *name,
+	struct volume_key *vks,
+	uint64_t device_size,
+	uint32_t flags);
+
+int LUKS2_keyslot_for_segment(struct luks2_hdr *hdr, int keyslot, int segment);
+int LUKS2_find_keyslot(struct luks2_hdr *hdr, const char *type);
+int LUKS2_set_keyslots_size(struct crypt_device *cd,
+	struct luks2_hdr *hdr,
+	uint64_t data_offset);
+
 #endif

lib/luks2/luks2_json_format.c

@@ -41,7 +41,7 @@ static size_t get_min_offset(struct luks2_hdr *hdr)
 
 static size_t get_max_offset(struct luks2_hdr *hdr)
 {
-	return LUKS2_hdr_and_areas_size(hdr->jobj);
+	return LUKS2_hdr_and_areas_size(hdr);
 }
 
 int LUKS2_find_area_max_gap(struct crypt_device *cd, struct luks2_hdr *hdr,
@@ -371,7 +371,7 @@ int LUKS2_wipe_header_areas(struct crypt_device *cd,
 	/* Wipe keyslot area */
 	wipe_block = 1024 * 1024;
 	offset = get_min_offset(hdr);
-	length = LUKS2_keyslots_size(hdr->jobj);
+	length = LUKS2_keyslots_size(hdr);
 
 	log_dbg(cd, "Wiping keyslots area (0x%06" PRIx64 " - 0x%06" PRIx64") with random data.",
 		offset, length + offset);

lib/luks2/luks2_json_metadata.c

@@ -591,6 +591,78 @@ static bool validate_segment_intervals(struct crypt_device *cd,
 	return true;
 }
 
+static int reqs_unknown(uint32_t reqs)
+{
+	return reqs & CRYPT_REQUIREMENT_UNKNOWN;
+}
+
+static int reqs_reencrypt(uint32_t reqs)
+{
+	return reqs & CRYPT_REQUIREMENT_OFFLINE_REENCRYPT;
+}
+
+static int reqs_reencrypt_online(uint32_t reqs)
+{
+	return reqs & CRYPT_REQUIREMENT_ONLINE_REENCRYPT;
+}
+
+/*
+ * Config section requirements object must be valid.
+ * Also general segments section must be validated first.
+ */
+static int validate_reencrypt_segments(struct crypt_device *cd, json_object *hdr_jobj, json_object *jobj_segments, int first_backup, int segments_count)
+{
+	json_object *jobj, *jobj_backup_previous = NULL, *jobj_backup_final = NULL;
+	uint32_t reqs;
+	int i, r;
+	struct luks2_hdr dummy = {
+		.jobj = hdr_jobj
+	};
+
+	r = LUKS2_config_get_requirements(cd, &dummy, &reqs);
+	if (r)
+		return 1;
+
+	if (reqs_reencrypt_online(reqs)) {
+		for (i = first_backup; i < segments_count; i++) {
+			jobj = json_segments_get_segment(jobj_segments, i);
+			if (!jobj)
+				return 1;
+			if (json_segment_contains_flag(jobj, "backup-final", 0))
+				jobj_backup_final = jobj;
+			else if (json_segment_contains_flag(jobj, "backup-previous", 0))
+				jobj_backup_previous = jobj;
+		}
+
+		if (!jobj_backup_final || !jobj_backup_previous) {
+			log_dbg(cd, "Backup segment is missing.");
+			return 1;
+		}
+
+		for (i = 0; i < first_backup; i++) {
+			jobj = json_segments_get_segment(jobj_segments, i);
+			if (!jobj)
+				return 1;
+
+			if (json_segment_contains_flag(jobj, "in-reencryption", 0)) {
+				if (!json_segment_cmp(jobj, jobj_backup_final)) {
+					log_dbg(cd, "Segment in reencryption does not match backup final segment.");
+					return 1;
+				}
+				continue;
+			}
+
+			if (!json_segment_cmp(jobj, jobj_backup_final) &&
+			    !json_segment_cmp(jobj, jobj_backup_previous)) {
+				log_dbg(cd, "Segment does not match neither backup final or backup previous segment.");
+				return 1;
+			}
+		}
+	}
+
+	return 0;
+}
+
 static int hdr_validate_segments(struct crypt_device *cd, json_object *hdr_jobj)
 {
 	json_object *jobj_segments, *jobj_digests, *jobj_offset, *jobj_size, *jobj_type, *jobj_flags, *jobj;
@@ -717,10 +789,10 @@ static int hdr_validate_segments(struct crypt_device *cd, json_object *hdr_jobj)
 		}
 	}
 
-	return 0;
+	return validate_reencrypt_segments(cd, hdr_jobj, jobj_segments, first_backup, count);
 }
 
-uint64_t LUKS2_metadata_size(json_object *jobj)
+static uint64_t LUKS2_metadata_size_jobj(json_object *jobj)
 {
 	json_object *jobj1, *jobj2;
 	uint64_t json_size;
@@ -732,6 +804,11 @@ uint64_t LUKS2_metadata_size(json_object *jobj)
 	return json_size + LUKS2_HDR_BIN_LEN;
 }
 
+uint64_t LUKS2_metadata_size(struct luks2_hdr *hdr)
+{
+	return LUKS2_metadata_size_jobj(hdr->jobj);
+}
+
 static int hdr_validate_areas(struct crypt_device *cd, json_object *hdr_jobj)
 {
 	struct interval *intervals;
@@ -747,7 +824,7 @@ static int hdr_validate_areas(struct crypt_device *cd, json_object *hdr_jobj)
 		return 1;
 
 	/* config is already validated */
-	metadata_size = LUKS2_metadata_size(hdr_jobj);
+	metadata_size = LUKS2_metadata_size_jobj(hdr_jobj);
 
 	length = json_object_object_length(jobj_keyslots);
 
@@ -793,7 +870,7 @@ static int hdr_validate_areas(struct crypt_device *cd, json_object *hdr_jobj)
 		return 1;
 	}
 
-	ret = validate_intervals(cd, length, intervals, metadata_size, LUKS2_hdr_and_areas_size(hdr_jobj)) ? 0 : 1;
+	ret = validate_intervals(cd, length, intervals, metadata_size, LUKS2_hdr_and_areas_size_jobj(hdr_jobj)) ? 0 : 1;
 
 	free(intervals);
 
@@ -835,9 +912,10 @@ static int hdr_validate_digests(struct crypt_device *cd, json_object *hdr_jobj)
 	return 0;
 }
 
+/* requirements being validated in stand-alone routine */
 static int hdr_validate_config(struct crypt_device *cd, json_object *hdr_jobj)
 {
-	json_object *jobj_config, *jobj, *jobj1;
+	json_object *jobj_config, *jobj;
 	int i;
 	uint64_t keyslots_size, metadata_size, segment_offset;
 
@@ -892,6 +970,19 @@ static int hdr_validate_config(struct crypt_device *cd, json_object *hdr_jobj)
 				return 1;
 	}
 
+	return 0;
+}
+
+static int hdr_validate_requirements(struct crypt_device *cd, json_object *hdr_jobj)
+{
+	int i;
+	json_object *jobj_config, *jobj, *jobj1;
+
+	if (!json_object_object_get_ex(hdr_jobj, "config", &jobj_config)) {
+		log_dbg(cd, "Missing config section.");
+		return 1;
+	}
+
 	/* Requirements object is optional */
 	if (json_object_object_get_ex(jobj_config, "requirements", &jobj)) {
 		if (!json_contains(cd, jobj_config, "section", "Config", "requirements", json_type_object))
@@ -917,6 +1008,7 @@ int LUKS2_hdr_validate(struct crypt_device *cd, json_object *hdr_jobj, uint64_t
 	struct {
 		int (*validate)(struct crypt_device *, json_object *);
 	} checks[] = {
+		{ hdr_validate_requirements },
 		{ hdr_validate_tokens   },
 		{ hdr_validate_digests  },
 		{ hdr_validate_segments },
@@ -1041,7 +1133,7 @@ void LUKS2_hdr_free(struct crypt_device *cd, struct luks2_hdr *hdr)
 		log_dbg(cd, "LUKS2 header still in use");
 }
 
-uint64_t LUKS2_keyslots_size(json_object *jobj)
+static uint64_t LUKS2_keyslots_size_jobj(json_object *jobj)
 {
 	json_object *jobj1, *jobj2;
 	uint64_t keyslots_size;
@@ -1053,9 +1145,19 @@ uint64_t LUKS2_keyslots_size(json_object *jobj)
 	return keyslots_size;
 }
 
-uint64_t LUKS2_hdr_and_areas_size(json_object *jobj)
+uint64_t LUKS2_keyslots_size(struct luks2_hdr *hdr)
 {
-	return 2 * LUKS2_metadata_size(jobj) + LUKS2_keyslots_size(jobj);
+	return LUKS2_keyslots_size_jobj(hdr->jobj);
+}
+
+uint64_t LUKS2_hdr_and_areas_size_jobj(json_object *jobj)
+{
+	return 2 * LUKS2_metadata_size_jobj(jobj) + LUKS2_keyslots_size_jobj(jobj);
+}
+
+uint64_t LUKS2_hdr_and_areas_size(struct luks2_hdr *hdr)
+{
+	return LUKS2_hdr_and_areas_size_jobj(hdr->jobj);
 }
 
 int LUKS2_hdr_backup(struct crypt_device *cd, struct luks2_hdr *hdr,
@@ -1067,7 +1169,7 @@ int LUKS2_hdr_backup(struct crypt_device *cd, struct luks2_hdr *hdr,
 	ssize_t ret, buffer_size;
 	char *buffer = NULL;
 
-	hdr_size = LUKS2_hdr_and_areas_size(hdr->jobj);
+	hdr_size = LUKS2_hdr_and_areas_size(hdr);
 	buffer_size = size_round_up(hdr_size, crypt_getpagesize());
 
 	buffer = crypt_safe_alloc(buffer_size);
@@ -1123,21 +1225,6 @@ int LUKS2_hdr_backup(struct crypt_device *cd, struct luks2_hdr *hdr,
 	return r;
 }
 
-static int reqs_unknown(uint32_t reqs)
-{
-	return reqs & CRYPT_REQUIREMENT_UNKNOWN;
-}
-
-static int reqs_reencrypt(uint32_t reqs)
-{
-	return reqs & CRYPT_REQUIREMENT_OFFLINE_REENCRYPT;
-}
-
-static int reqs_reencrypt_online(uint32_t reqs)
-{
-	return reqs & CRYPT_REQUIREMENT_ONLINE_REENCRYPT;
-}
-
 int LUKS2_hdr_restore(struct crypt_device *cd, struct luks2_hdr *hdr,
 		     const char *backup_file)
 {
@@ -1178,7 +1265,7 @@ int LUKS2_hdr_restore(struct crypt_device *cd, struct luks2_hdr *hdr,
 		goto out;
 	}
 
-	buffer_size = LUKS2_hdr_and_areas_size(hdr_file.jobj);
+	buffer_size = LUKS2_hdr_and_areas_size(&hdr_file);
 	buffer = crypt_safe_alloc(buffer_size);
 	if (!buffer) {
 		r = -ENOMEM;
@@ -1218,7 +1305,7 @@ int LUKS2_hdr_restore(struct crypt_device *cd, struct luks2_hdr *hdr,
 				goto out;
 			}
 			/* FIXME: what could go wrong? Erase if we're fine with consequences */
-			if (buffer_size != (ssize_t) LUKS2_hdr_and_areas_size(tmp_hdr.jobj)) {
+			if (buffer_size != (ssize_t) LUKS2_hdr_and_areas_size(&tmp_hdr)) {
 				log_err(cd, _("Binary header with keyslot areas size differ on device and backup, restore failed."));
 				r = -EINVAL;
 				goto out;
@@ -1373,24 +1460,106 @@ int LUKS2_config_set_flags(struct crypt_device *cd, struct luks2_hdr *hdr, uint3
  */
 
 /* LUKS2 library requirements */
-static const struct  {
+struct requirement_flag {
 	uint32_t flag;
+	uint32_t version;
 	const char *description;
-} requirements_flags[] = {
-	{ CRYPT_REQUIREMENT_OFFLINE_REENCRYPT, "offline-reencrypt" },
-	{ CRYPT_REQUIREMENT_ONLINE_REENCRYPT, "online-reencrypt" },
-	{ 0, NULL }
 };
 
-static uint32_t get_requirement_by_name(const char *requirement)
+static const struct requirement_flag unknown_requirement_flag = { CRYPT_REQUIREMENT_UNKNOWN, 0, NULL };
+
+static const struct requirement_flag requirements_flags[] = {
+	{ CRYPT_REQUIREMENT_OFFLINE_REENCRYPT,1, "offline-reencrypt" },
+	{ CRYPT_REQUIREMENT_ONLINE_REENCRYPT, 2, "online-reencrypt-v2" },
+	{ CRYPT_REQUIREMENT_ONLINE_REENCRYPT, 1, "online-reencrypt" },
+	{ 0, 0, NULL }
+};
+
+static const struct requirement_flag *get_requirement_by_name(const char *requirement)
 {
 	int i;
 
 	for (i = 0; requirements_flags[i].description; i++)
 		if (!strcmp(requirement, requirements_flags[i].description))
-			return requirements_flags[i].flag;
+			return requirements_flags + i;
 
-	return CRYPT_REQUIREMENT_UNKNOWN;
+	return &unknown_requirement_flag;
+}
+
+int LUKS2_config_get_reencrypt_version(struct luks2_hdr *hdr, uint32_t *version)
+{
+	json_object *jobj_config, *jobj_requirements, *jobj_mandatory, *jobj;
+	int i, len;
+	const struct requirement_flag *req;
+
+	assert(hdr && version);
+	if (!hdr || !version)
+		return -EINVAL;
+
+	if (!json_object_object_get_ex(hdr->jobj, "config", &jobj_config))
+		return -EINVAL;
+
+	if (!json_object_object_get_ex(jobj_config, "requirements", &jobj_requirements))
+		return -ENOENT;
+
+	if (!json_object_object_get_ex(jobj_requirements, "mandatory", &jobj_mandatory))
+		return -ENOENT;
+
+	len = (int) json_object_array_length(jobj_mandatory);
+	if (len <= 0)
+		return -ENOENT;
+
+	for (i = 0; i < len; i++) {
+		jobj = json_object_array_get_idx(jobj_mandatory, i);
+
+		/* search for requirements prefixed with "online-reencrypt" */
+		if (strncmp(json_object_get_string(jobj), "online-reencrypt", 16))
+			continue;
+
+		/* check current library is aware of the requirement */
+		req = get_requirement_by_name(json_object_get_string(jobj));
+		if (req->flag == (uint32_t)CRYPT_REQUIREMENT_UNKNOWN)
+			continue;
+
+		*version = req->version;
+
+		return 0;
+	}
+
+	return -ENOENT;
+}
+
+static const struct requirement_flag *stored_requirement_name_by_id(struct crypt_device *cd, struct luks2_hdr *hdr, uint32_t req_id)
+{
+	json_object *jobj_config, *jobj_requirements, *jobj_mandatory, *jobj;
+	int i, len;
+	const struct requirement_flag *req;
+
+	assert(hdr);
+	if (!hdr)
+		return NULL;
+
+	if (!json_object_object_get_ex(hdr->jobj, "config", &jobj_config))
+		return NULL;
+
+	if (!json_object_object_get_ex(jobj_config, "requirements", &jobj_requirements))
+		return NULL;
+
+	if (!json_object_object_get_ex(jobj_requirements, "mandatory", &jobj_mandatory))
+		return NULL;
+
+	len = (int) json_object_array_length(jobj_mandatory);
+	if (len <= 0)
+		return 0;
+
+	for (i = 0; i < len; i++) {
+		jobj = json_object_array_get_idx(jobj_mandatory, i);
+		req = get_requirement_by_name(json_object_get_string(jobj));
+		if (req->flag == req_id)
+			return req;
+	}
+
+	return NULL;
 }
 
 /*
@@ -1400,7 +1569,7 @@ int LUKS2_config_get_requirements(struct crypt_device *cd, struct luks2_hdr *hdr
 {
 	json_object *jobj_config, *jobj_requirements, *jobj_mandatory, *jobj;
 	int i, len;
-	uint32_t req;
+	const struct requirement_flag *req;
 
 	assert(hdr);
 	if (!hdr || !reqs)
@@ -1427,8 +1596,8 @@ int LUKS2_config_get_requirements(struct crypt_device *cd, struct luks2_hdr *hdr
 		jobj = json_object_array_get_idx(jobj_mandatory, i);
 		req = get_requirement_by_name(json_object_get_string(jobj));
 		log_dbg(cd, "%s - %sknown", json_object_get_string(jobj),
-				        reqs_unknown(req) ? "un" : "");
-		*reqs |= req;
+				        reqs_unknown(req->flag) ? "un" : "");
+		*reqs |= req->flag;
 	}
 
 	return 0;
@@ -1438,6 +1607,8 @@ int LUKS2_config_set_requirements(struct crypt_device *cd, struct luks2_hdr *hdr
 {
 	json_object *jobj_config, *jobj_requirements, *jobj_mandatory, *jobj;
 	int i, r = -EINVAL;
+	const struct requirement_flag *req;
+	uint32_t req_id;
 
 	if (!hdr)
 		return -EINVAL;
@@ -1447,8 +1618,14 @@ int LUKS2_config_set_requirements(struct crypt_device *cd, struct luks2_hdr *hdr
 		return -ENOMEM;
 
 	for (i = 0; requirements_flags[i].description; i++) {
-		if (reqs & requirements_flags[i].flag) {
-			jobj = json_object_new_string(requirements_flags[i].description);
+		req_id = reqs & requirements_flags[i].flag;
+		if (req_id) {
+			/* retain already stored version of requirement flag */
+			req = stored_requirement_name_by_id(cd, hdr, req_id);
+			if (req)
+				jobj = json_object_new_string(req->description);
+			else
+				jobj = json_object_new_string(requirements_flags[i].description);
 			if (!jobj) {
 				r = -ENOMEM;
 				goto err;
@@ -1714,8 +1891,8 @@ int LUKS2_hdr_dump(struct crypt_device *cd, struct luks2_hdr *hdr)
 	log_std(cd, "LUKS header information\n");
 	log_std(cd, "Version:       \t%u\n", hdr->version);
 	log_std(cd, "Epoch:         \t%" PRIu64 "\n", hdr->seqid);
-	log_std(cd, "Metadata area: \t%" PRIu64 " [bytes]\n", LUKS2_metadata_size(hdr->jobj));
-	log_std(cd, "Keyslots area: \t%" PRIu64 " [bytes]\n", LUKS2_keyslots_size(hdr->jobj));
+	log_std(cd, "Metadata area: \t%" PRIu64 " [bytes]\n", LUKS2_metadata_size(hdr));
+	log_std(cd, "Keyslots area: \t%" PRIu64 " [bytes]\n", LUKS2_keyslots_size(hdr));
 	log_std(cd, "UUID:          \t%s\n", *hdr->uuid ? hdr->uuid : "(no UUID)");
 	log_std(cd, "Label:         \t%s\n", *hdr->label ? hdr->label : "(no label)");
 	log_std(cd, "Subsystem:     \t%s\n", *hdr->subsystem ? hdr->subsystem : "(no subsystem)");
@@ -1774,7 +1951,7 @@ uint64_t LUKS2_get_data_offset(struct luks2_hdr *hdr)
 	crypt_reencrypt_info ri;
 	json_object *jobj;
 
-	ri = LUKS2_reenc_status(hdr);
+	ri = LUKS2_reencrypt_status(hdr);
 	if (ri == CRYPT_REENCRYPT_CLEAN || ri == CRYPT_REENCRYPT_CRASH) {
 		jobj = LUKS2_get_segment_by_flag(hdr, "backup-final");
 		if (jobj)
@@ -1802,7 +1979,7 @@ const char *LUKS2_get_cipher(struct luks2_hdr *hdr, int segment)
 	return json_segment_get_cipher(jobj_segment) ?: "null";
 }
 
-crypt_reencrypt_info LUKS2_reenc_status(struct luks2_hdr *hdr)
+crypt_reencrypt_info LUKS2_reencrypt_status(struct luks2_hdr *hdr)
 {
 	uint32_t reqs;
 
@@ -2245,7 +2422,7 @@ int LUKS2_deactivate(struct crypt_device *cd, const char *name, struct luks2_hdr
 		goto out;
 
 	if (contains_reencryption_helper(deps)) {
-		r = crypt_reencrypt_lock_by_dm_uuid(cd, dmd->uuid, &reencrypt_lock);
+		r = LUKS2_reencrypt_lock_by_dm_uuid(cd, dmd->uuid, &reencrypt_lock);
 		if (r) {
 			if (r == -EBUSY)
 				log_err(cd, _("Reencryption in-progress. Cannot deactivate device."));
@@ -2324,7 +2501,7 @@ int LUKS2_deactivate(struct crypt_device *cd, const char *name, struct luks2_hdr
 	}
 
 out:
-	crypt_reencrypt_unlock(cd, reencrypt_lock);
+	LUKS2_reencrypt_unlock(cd, reencrypt_lock);
 	dep = deps;
 	while (*dep)
 		free(*dep++);

lib/luks2/luks2_keyslot.c

@@ -27,7 +27,9 @@ extern const keyslot_handler reenc_keyslot;
 
 static const keyslot_handler *keyslot_handlers[LUKS2_KEYSLOTS_MAX] = {
 	&luks2_keyslot,
+#if USE_LUKS2_REENCRYPTION
 	&reenc_keyslot,
+#endif
 	NULL
 };
 
@@ -281,19 +283,9 @@ crypt_keyslot_info LUKS2_keyslot_info(struct luks2_hdr *hdr, int keyslot)
 	return CRYPT_SLOT_ACTIVE;
 }
 
-int LUKS2_keyslot_area(struct luks2_hdr *hdr,
-	int keyslot,
-	uint64_t *offset,
-	uint64_t *length)
+int LUKS2_keyslot_jobj_area(json_object *jobj_keyslot, uint64_t *offset, uint64_t *length)
 {
-	json_object *jobj_keyslot, *jobj_area, *jobj;
-
-	if(LUKS2_keyslot_info(hdr, keyslot) == CRYPT_SLOT_INVALID)
-		return -EINVAL;
-
-	jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
-	if (!jobj_keyslot)
-		return -ENOENT;
+	json_object *jobj_area, *jobj;
 
 	if (!json_object_object_get_ex(jobj_keyslot, "area", &jobj_area))
 		return -EINVAL;
@@ -309,6 +301,23 @@ int LUKS2_keyslot_area(struct luks2_hdr *hdr,
 	return 0;
 }
 
+int LUKS2_keyslot_area(struct luks2_hdr *hdr,
+	int keyslot,
+	uint64_t *offset,
+	uint64_t *length)
+{
+	json_object *jobj_keyslot;
+
+	if (LUKS2_keyslot_info(hdr, keyslot) == CRYPT_SLOT_INVALID)
+		return -EINVAL;
+
+	jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot);
+	if (!jobj_keyslot)
+		return -ENOENT;
+
+	return LUKS2_keyslot_jobj_area(jobj_keyslot, offset, length);
+}
+
 static int _open_and_verify(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	const keyslot_handler *h,
@@ -589,7 +598,7 @@ int LUKS2_keyslot_open(struct crypt_device *cd,
 	return r;
 }
 
-int LUKS2_keyslot_reencrypt_create(struct crypt_device *cd,
+int LUKS2_keyslot_reencrypt_allocate(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	int keyslot,
 	const struct crypt_params_reencrypt *params)
@@ -619,9 +628,6 @@ int LUKS2_keyslot_reencrypt_create(struct crypt_device *cd,
 		return r;
 	}
 
-	if (LUKS2_hdr_validate(cd, hdr->jobj, hdr->hdr_size - LUKS2_HDR_BIN_LEN))
-		return -EINVAL;
-
 	return 0;
 }
 
@@ -872,10 +878,17 @@ int LUKS2_keyslots_validate(struct crypt_device *cd, json_object *hdr_jobj)
 	const keyslot_handler *h;
 	int keyslot;
 	json_object *jobj_keyslots, *jobj_type;
+	uint32_t reqs, reencrypt_count = 0;
+	struct luks2_hdr dummy = {
+		.jobj = hdr_jobj
+	};
 
 	if (!json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots))
 		return -EINVAL;
 
+	if (LUKS2_config_get_requirements(cd, &dummy, &reqs))
+		return -EINVAL;
+
 	json_object_object_foreach(jobj_keyslots, slot, val) {
 		keyslot = atoi(slot);
 		json_object_object_get_ex(val, "type", &jobj_type);
@@ -891,6 +904,24 @@ int LUKS2_keyslots_validate(struct crypt_device *cd, json_object *hdr_jobj)
 			log_dbg(cd, "Keyslot %d is not assigned to exactly 1 digest.", keyslot);
 			return -EINVAL;
 		}
+
+		if (!strcmp(h->name, "reencrypt"))
+			reencrypt_count++;
+	}
+
+	if ((reqs & CRYPT_REQUIREMENT_ONLINE_REENCRYPT) && reencrypt_count == 0) {
+		log_dbg(cd, "Missing reencryption keyslot.");
+		return -EINVAL;
+	}
+
+	if (!(reqs & CRYPT_REQUIREMENT_ONLINE_REENCRYPT) && reencrypt_count) {
+		log_dbg(cd, "Missing reencryption requirement flag.");
+		return -EINVAL;
+	}
+
+	if (reencrypt_count > 1) {
+		log_dbg(cd, "Too many reencryption keyslots.");
+		return -EINVAL;
 	}
 
 	return 0;

lib/luks2/luks2_keyslot_reenc.c

@@ -176,43 +176,17 @@ static int reenc_keyslot_store(struct crypt_device *cd,
 	return r < 0 ? r : keyslot;
 }
 
-int reenc_keyslot_update(struct crypt_device *cd,
-	const struct luks2_reenc_context *rh)
+static int reenc_keyslot_wipe(struct crypt_device *cd,
+	int keyslot)
 {
-	json_object *jobj_keyslot, *jobj_area, *jobj_area_type;
 	struct luks2_hdr *hdr;
 
 	if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
 		return -EINVAL;
 
-	jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, rh->reenc_keyslot);
-	if (!jobj_keyslot)
-		return -EINVAL;
+	/* remove reencryption verification data */
+	LUKS2_digest_assign(cd, hdr, keyslot, CRYPT_ANY_DIGEST, 0, 0);
 
-	json_object_object_get_ex(jobj_keyslot, "area", &jobj_area);
-	json_object_object_get_ex(jobj_area, "type", &jobj_area_type);
-
-	if (rh->rp.type == REENC_PROTECTION_CHECKSUM) {
-		log_dbg(cd, "Updating reencrypt keyslot for checksum protection.");
-		json_object_object_add(jobj_area, "type", json_object_new_string("checksum"));
-		json_object_object_add(jobj_area, "hash", json_object_new_string(rh->rp.p.csum.hash));
-		json_object_object_add(jobj_area, "sector_size", json_object_new_int64(rh->alignment));
-	} else if (rh->rp.type == REENC_PROTECTION_NONE) {
-		log_dbg(cd, "Updating reencrypt keyslot for none protection.");
-		json_object_object_add(jobj_area, "type", json_object_new_string("none"));
-		json_object_object_del(jobj_area, "hash");
-	} else if (rh->rp.type == REENC_PROTECTION_JOURNAL) {
-		log_dbg(cd, "Updating reencrypt keyslot for journal protection.");
-		json_object_object_add(jobj_area, "type", json_object_new_string("journal"));
-		json_object_object_del(jobj_area, "hash");
-	} else
-		log_dbg(cd, "No update of reencrypt keyslot needed.");
-
-	return 0;
-}
-
-static int reenc_keyslot_wipe(struct crypt_device *cd, int keyslot)
-{
 	return 0;
 }
 
@@ -256,7 +230,7 @@ static int reenc_keyslot_dump(struct crypt_device *cd, int keyslot)
 
 static int reenc_keyslot_validate(struct crypt_device *cd, json_object *jobj_keyslot)
 {
-	json_object *jobj_mode, *jobj_area, *jobj_type, *jobj_shift_size, *jobj_hash, *jobj_sector_size, *jobj_direction;
+	json_object *jobj_mode, *jobj_area, *jobj_type, *jobj_shift_size, *jobj_hash, *jobj_sector_size, *jobj_direction, *jobj_key_size;
 	const char *mode, *type, *direction;
 	uint32_t sector_size;
 	uint64_t shift_size;
@@ -276,12 +250,18 @@ static int reenc_keyslot_validate(struct crypt_device *cd, json_object *jobj_key
 	    !json_object_object_get_ex(jobj_area, "type", &jobj_type))
 		return -EINVAL;
 
+	jobj_key_size = json_contains(cd, jobj_keyslot, "", "reencrypt keyslot", "key_size", json_type_int);
 	jobj_mode = json_contains(cd, jobj_keyslot, "", "reencrypt keyslot", "mode", json_type_string);
 	jobj_direction = json_contains(cd, jobj_keyslot, "", "reencrypt keyslot", "direction", json_type_string);
 
-	if (!jobj_mode || !jobj_direction)
+	if (!jobj_mode || !jobj_direction || !jobj_key_size)
 		return -EINVAL;
 
+	if (!validate_json_uint32(jobj_key_size) || crypt_jobj_get_uint32(jobj_key_size) != 1) {
+		log_dbg(cd, "Illegal reencrypt key size.");
+		return -EINVAL;
+	}
+
 	mode = json_object_get_string(jobj_mode);
 	type = json_object_get_string(jobj_type);
 	direction = json_object_get_string(jobj_direction);

lib/luks2/luks2_luks1_convert.c

@@ -573,7 +573,7 @@ int LUKS2_luks1_to_luks2(struct crypt_device *cd, struct luks_phdr *hdr1, struct
 	 * It duplicates check in LUKS2_hdr_write() but we don't want to move
 	 * keyslot areas in case it would fail later
 	 */
-	if (max_size < LUKS2_hdr_and_areas_size(hdr2->jobj)) {
+	if (max_size < LUKS2_hdr_and_areas_size(hdr2)) {
 		r = -EINVAL;
 		goto out;
 	}
@@ -595,7 +595,7 @@ int LUKS2_luks1_to_luks2(struct crypt_device *cd, struct luks_phdr *hdr1, struct
 	buf_size   = luks1_size - LUKS_ALIGN_KEYSLOTS;
 
 	/* check future LUKS2 keyslots area is at least as large as LUKS1 keyslots area */
-	if (buf_size > LUKS2_keyslots_size(hdr2->jobj)) {
+	if (buf_size > LUKS2_keyslots_size(hdr2)) {
 		log_err(cd, _("Unable to move keyslot area. LUKS2 keyslots area too small."));
 		r = -EINVAL;
 		goto out;
@@ -883,7 +883,7 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct
 
 	// move keyslots 32k -> 4k offset
 	buf_offset = 2 * LUKS2_HDR_16K_LEN;
-	buf_size   = LUKS2_keyslots_size(hdr2->jobj);
+	buf_size   = LUKS2_keyslots_size(hdr2);
 	r = move_keyslot_areas(cd, buf_offset, 8 * SECTOR_SIZE, buf_size);
 	if (r < 0) {
 		log_err(cd, _("Unable to move keyslot area."));

lib/luks2/luks2_reencrypt.c

@@ -22,6 +22,116 @@
 #include "luks2_internal.h"
 #include "utils_device_locking.h"
 
+struct reenc_protection {
+	enum { REENC_PROTECTION_NONE = 0, /* none should be 0 always */
+	       REENC_PROTECTION_CHECKSUM,
+	       REENC_PROTECTION_JOURNAL,
+               REENC_PROTECTION_DATASHIFT } type;
+
+	union {
+	struct {
+	} none;
+	struct {
+		char hash[LUKS2_CHECKSUM_ALG_L]; // or include luks.h
+		struct crypt_hash *ch;
+		size_t hash_size;
+		/* buffer for checksums */
+		void *checksums;
+		size_t checksums_len;
+	} csum;
+	struct {
+	} ds;
+	} p;
+};
+
+struct luks2_reencrypt {
+	/* reencryption window attributes */
+	uint64_t offset;
+	uint64_t progress;
+	uint64_t length;
+	uint64_t data_shift;
+	size_t alignment;
+	uint64_t device_size;
+	bool online;
+	bool fixed_length;
+	crypt_reencrypt_direction_info direction;
+	crypt_reencrypt_mode_info mode;
+
+	char *device_name;
+	char *hotzone_name;
+	char *overlay_name;
+	uint32_t flags;
+
+	/* reencryption window persistence attributes */
+	struct reenc_protection rp;
+
+	int reenc_keyslot;
+
+	/* already running reencryption */
+	json_object *jobj_segs_hot;
+	struct json_object *jobj_segs_post;
+
+	/* backup segments */
+	json_object *jobj_segment_new;
+	int digest_new;
+	json_object *jobj_segment_old;
+	int digest_old;
+	json_object *jobj_segment_moved;
+
+	struct volume_key *vks;
+
+	void *reenc_buffer;
+	ssize_t read;
+
+	struct crypt_storage_wrapper *cw1;
+	struct crypt_storage_wrapper *cw2;
+
+	uint32_t wflags1;
+	uint32_t wflags2;
+
+	struct crypt_lock_handle *reenc_lock;
+};
+#if USE_LUKS2_REENCRYPTION
+static int reencrypt_keyslot_update(struct crypt_device *cd,
+	const struct luks2_reencrypt *rh)
+{
+	int r;
+	json_object *jobj_keyslot, *jobj_area, *jobj_area_type;
+	struct luks2_hdr *hdr;
+
+	if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
+		return -EINVAL;
+
+	jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, rh->reenc_keyslot);
+	if (!jobj_keyslot)
+		return -EINVAL;
+
+	json_object_object_get_ex(jobj_keyslot, "area", &jobj_area);
+	json_object_object_get_ex(jobj_area, "type", &jobj_area_type);
+
+	if (rh->rp.type == REENC_PROTECTION_CHECKSUM) {
+		log_dbg(cd, "Updating reencrypt keyslot for checksum protection.");
+		json_object_object_add(jobj_area, "type", json_object_new_string("checksum"));
+		json_object_object_add(jobj_area, "hash", json_object_new_string(rh->rp.p.csum.hash));
+		json_object_object_add(jobj_area, "sector_size", json_object_new_int64(rh->alignment));
+	} else if (rh->rp.type == REENC_PROTECTION_NONE) {
+		log_dbg(cd, "Updating reencrypt keyslot for none protection.");
+		json_object_object_add(jobj_area, "type", json_object_new_string("none"));
+		json_object_object_del(jobj_area, "hash");
+	} else if (rh->rp.type == REENC_PROTECTION_JOURNAL) {
+		log_dbg(cd, "Updating reencrypt keyslot for journal protection.");
+		json_object_object_add(jobj_area, "type", json_object_new_string("journal"));
+		json_object_object_del(jobj_area, "hash");
+	} else
+		log_dbg(cd, "No update of reencrypt keyslot needed.");
+
+	r = LUKS2_keyslot_reencrypt_digest_create(cd, hdr, rh->vks);
+	if (r < 0)
+		log_err(cd, "Failed to refresh reencryption verification digest.");
+
+	return r;
+}
+
 static json_object *reencrypt_segment(struct luks2_hdr *hdr, unsigned new)
 {
 	return LUKS2_get_segment_by_flag(hdr, new ? "backup-final" : "backup-previous");
@@ -85,7 +195,7 @@ static uint64_t reencrypt_get_data_offset_old(struct luks2_hdr *hdr)
 {
 	return reencrypt_data_offset(hdr, 0);
 }
-
+#endif
 static int reencrypt_digest(struct luks2_hdr *hdr, unsigned new)
 {
 	int segment = LUKS2_get_segment_id_by_flag(hdr, new ? "backup-final" : "backup-previous");
@@ -144,7 +254,7 @@ static const char *reencrypt_resilience_hash(struct luks2_hdr *hdr)
 
 	return json_object_get_string(jobj_hash);
 }
-
+#if USE_LUKS2_REENCRYPTION
 static uint32_t reencrypt_alignment(struct luks2_hdr *hdr)
 {
 	json_object *jobj_keyslot, *jobj_area, *jobj_type, *jobj_hash, *jobj_sector_size;
@@ -170,7 +280,7 @@ static uint32_t reencrypt_alignment(struct luks2_hdr *hdr)
 
 static json_object *_enc_create_segments_shift_after(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
-	struct luks2_reenc_context *rh,
+	struct luks2_reencrypt *rh,
 	uint64_t data_offset)
 {
 	int reenc_seg, i = 0;
@@ -217,7 +327,7 @@ err:
 
 static json_object *reencrypt_make_hot_segments_encrypt_shift(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
-	struct luks2_reenc_context *rh,
+	struct luks2_reencrypt *rh,
 	uint64_t data_offset)
 {
 	int sg, crypt_seg, i = 0;
@@ -281,7 +391,7 @@ err:
 
 static json_object *reencrypt_make_segment_new(struct crypt_device *cd,
 		struct luks2_hdr *hdr,
-		const struct luks2_reenc_context *rh,
+		const struct luks2_reencrypt *rh,
 		uint64_t data_offset,
 		uint64_t segment_offset,
 		uint64_t iv_offset,
@@ -304,7 +414,7 @@ static json_object *reencrypt_make_segment_new(struct crypt_device *cd,
 
 static json_object *reencrypt_make_post_segments_forward(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
-	struct luks2_reenc_context *rh,
+	struct luks2_reencrypt *rh,
 	uint64_t data_offset)
 {
 	int reenc_seg;
@@ -350,7 +460,7 @@ err:
 
 static json_object *reencrypt_make_post_segments_backward(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
-	struct luks2_reenc_context *rh,
+	struct luks2_reencrypt *rh,
 	uint64_t data_offset)
 {
 	int reenc_seg;
@@ -386,7 +496,7 @@ err:
 
 static json_object *reencrypt_make_segment_reencrypt(struct crypt_device *cd,
 		struct luks2_hdr *hdr,
-		const struct luks2_reenc_context *rh,
+		const struct luks2_reencrypt *rh,
 		uint64_t data_offset,
 		uint64_t segment_offset,
 		uint64_t iv_offset,
@@ -409,7 +519,7 @@ static json_object *reencrypt_make_segment_reencrypt(struct crypt_device *cd,
 
 static json_object *reencrypt_make_segment_old(struct crypt_device *cd,
 		struct luks2_hdr *hdr,
-		const struct luks2_reenc_context *rh,
+		const struct luks2_reencrypt *rh,
 		uint64_t data_offset,
 		uint64_t segment_offset,
 		const uint64_t *segment_length)
@@ -435,7 +545,7 @@ static json_object *reencrypt_make_segment_old(struct crypt_device *cd,
 
 static json_object *reencrypt_make_hot_segments_forward(struct crypt_device *cd,
 		struct luks2_hdr *hdr,
-		struct luks2_reenc_context *rh,
+		struct luks2_reencrypt *rh,
 		uint64_t device_size,
 		uint64_t data_offset)
 {
@@ -476,7 +586,7 @@ err:
 
 static json_object *reencrypt_make_hot_segments_backward(struct crypt_device *cd,
 		struct luks2_hdr *hdr,
-		struct luks2_reenc_context *rh,
+		struct luks2_reencrypt *rh,
 		uint64_t device_size,
 		uint64_t data_offset)
 {
@@ -518,7 +628,7 @@ err:
 
 static int reencrypt_make_hot_segments(struct crypt_device *cd,
 		struct luks2_hdr *hdr,
-		struct luks2_reenc_context *rh,
+		struct luks2_reencrypt *rh,
 		uint64_t device_size,
 		uint64_t data_offset)
 {
@@ -541,7 +651,7 @@ static int reencrypt_make_hot_segments(struct crypt_device *cd,
 
 static int reencrypt_make_post_segments(struct crypt_device *cd,
 		struct luks2_hdr *hdr,
-		struct luks2_reenc_context *rh,
+		struct luks2_reencrypt *rh,
 		uint64_t data_offset)
 {
 	rh->jobj_segs_post = NULL;
@@ -560,7 +670,7 @@ static int reencrypt_make_post_segments(struct crypt_device *cd,
 
 	return rh->jobj_segs_post ? 0 : -EINVAL;
 }
-
+#endif
 static uint64_t reencrypt_data_shift(struct luks2_hdr *hdr)
 {
 	json_object *jobj_keyslot, *jobj_area, *jobj_data_shift;
@@ -622,7 +732,7 @@ static crypt_reencrypt_direction_info reencrypt_direction(struct luks2_hdr *hdr)
 
 typedef enum { REENC_OK = 0, REENC_ERR, REENC_ROLLBACK, REENC_FATAL } reenc_status_t;
 
-void LUKS2_reenc_context_free(struct crypt_device *cd, struct luks2_reenc_context *rh)
+void LUKS2_reencrypt_free(struct crypt_device *cd, struct luks2_reencrypt *rh)
 {
 	if (!rh)
 		return;
@@ -666,7 +776,7 @@ void LUKS2_reenc_context_free(struct crypt_device *cd, struct luks2_reenc_contex
 	crypt_unlock_internal(cd, rh->reenc_lock);
 	free(rh);
 }
-
+#if USE_LUKS2_REENCRYPTION
 static size_t reencrypt_get_alignment(struct crypt_device *cd,
 		struct luks2_hdr *hdr)
 {
@@ -685,7 +795,7 @@ static size_t reencrypt_get_alignment(struct crypt_device *cd,
 
 /* returns void because it must not fail on valid LUKS2 header */
 static void _load_backup_segments(struct luks2_hdr *hdr,
-		struct luks2_reenc_context *rh)
+		struct luks2_reencrypt *rh)
 {
 	int segment = LUKS2_get_segment_id_by_flag(hdr, "backup-final");
 
@@ -819,7 +929,7 @@ static int reencrypt_offset(struct luks2_hdr *hdr,
 
 static uint64_t reencrypt_length(struct crypt_device *cd,
 		struct luks2_hdr *hdr,
-		struct luks2_reenc_context *rh,
+		struct luks2_reencrypt *rh,
 		uint64_t keyslot_area_length,
 		uint64_t length_max)
 {
@@ -867,7 +977,7 @@ static uint64_t reencrypt_length(struct crypt_device *cd,
 	return length;
 }
 
-static int reencrypt_context_init(struct crypt_device *cd, struct luks2_hdr *hdr, struct luks2_reenc_context *rh, uint64_t device_size, const struct crypt_params_reencrypt *params)
+static int reencrypt_context_init(struct crypt_device *cd, struct luks2_hdr *hdr, struct luks2_reencrypt *rh, uint64_t device_size, const struct crypt_params_reencrypt *params)
 {
 	int r;
 	uint64_t dummy, area_length;
@@ -987,7 +1097,7 @@ static int reencrypt_context_init(struct crypt_device *cd, struct luks2_hdr *hdr
 	return rh->length < 512 ? -EINVAL : 0;
 }
 
-static size_t reencrypt_buffer_length(struct luks2_reenc_context *rh)
+static size_t reencrypt_buffer_length(struct luks2_reencrypt *rh)
 {
 	if (rh->data_shift)
 		return rh->data_shift;
@@ -997,7 +1107,7 @@ static size_t reencrypt_buffer_length(struct luks2_reenc_context *rh)
 static int reencrypt_load_clean(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	uint64_t device_size,
-	struct luks2_reenc_context **rh,
+	struct luks2_reencrypt **rh,
 	const struct crypt_params_reencrypt *params)
 {
 	int r;
@@ -1006,7 +1116,7 @@ static int reencrypt_load_clean(struct crypt_device *cd,
 		.hash = reencrypt_resilience_hash(hdr),
 		.device_size = params ? params->device_size : 0
 	};
-	struct luks2_reenc_context *tmp = crypt_zalloc(sizeof (*tmp));
+	struct luks2_reencrypt *tmp = crypt_zalloc(sizeof (*tmp));
 
 	if (!tmp)
 		return -ENOMEM;
@@ -1038,14 +1148,14 @@ static int reencrypt_load_clean(struct crypt_device *cd,
 
 	return 0;
 err:
-	LUKS2_reenc_context_free(cd, tmp);
+	LUKS2_reencrypt_free(cd, tmp);
 
 	return r;
 }
 
 static int reencrypt_make_segments(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
-	struct luks2_reenc_context *rh,
+	struct luks2_reencrypt *rh,
 	uint64_t device_size)
 {
 	int r;
@@ -1068,7 +1178,7 @@ static int reencrypt_make_segments(struct crypt_device *cd,
 
 static int reencrypt_make_segments_crashed(struct crypt_device *cd,
 				struct luks2_hdr *hdr,
-			        struct luks2_reenc_context *rh)
+			        struct luks2_reencrypt *rh)
 {
 	int r;
 	uint64_t data_offset = crypt_get_data_offset(cd) << SECTOR_SHIFT;
@@ -1096,7 +1206,7 @@ static int reencrypt_make_segments_crashed(struct crypt_device *cd,
 }
 
 static int reencrypt_load_crashed(struct crypt_device *cd,
-	struct luks2_hdr *hdr, uint64_t device_size, struct luks2_reenc_context **rh)
+	struct luks2_hdr *hdr, uint64_t device_size, struct luks2_reencrypt **rh)
 {
 	bool dynamic;
 	uint64_t minimal_size;
@@ -1132,7 +1242,7 @@ static int reencrypt_load_crashed(struct crypt_device *cd,
 		r = reencrypt_make_segments_crashed(cd, hdr, *rh);
 
 	if (r) {
-		LUKS2_reenc_context_free(cd, *rh);
+		LUKS2_reencrypt_free(cd, *rh);
 		*rh = NULL;
 	}
 	return r;
@@ -1140,7 +1250,7 @@ static int reencrypt_load_crashed(struct crypt_device *cd,
 
 static int reencrypt_init_storage_wrappers(struct crypt_device *cd,
 		struct luks2_hdr *hdr,
-		struct luks2_reenc_context *rh,
+		struct luks2_reencrypt *rh,
 		struct volume_key *vks)
 {
 	int r;
@@ -1178,7 +1288,7 @@ static int reencrypt_init_storage_wrappers(struct crypt_device *cd,
 	return 0;
 }
 
-static int reencrypt_context_set_names(struct luks2_reenc_context *rh, const char *name)
+static int reencrypt_context_set_names(struct luks2_reencrypt *rh, const char *name)
 {
 	if (!rh | !name)
 		return -EINVAL;
@@ -1251,7 +1361,7 @@ static int reencrypt_update_flag(struct crypt_device *cd, int enable, bool commi
 
 static int reencrypt_recover_segment(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
-	struct luks2_reenc_context *rh,
+	struct luks2_reencrypt *rh,
 	struct volume_key *vks)
 {
 	struct volume_key *vk_old, *vk_new;
@@ -1467,7 +1577,7 @@ out:
 
 static int reencrypt_add_moved_segment(struct crypt_device *cd,
 		struct luks2_hdr *hdr,
-		struct luks2_reenc_context *rh)
+		struct luks2_reencrypt *rh)
 {
 	int s = LUKS2_segment_first_unused_id(hdr);
 
@@ -1487,7 +1597,7 @@ static int reencrypt_add_moved_segment(struct crypt_device *cd,
 
 static int reencrypt_add_backup_segment(struct crypt_device *cd,
 		struct luks2_hdr *hdr,
-		struct luks2_reenc_context *rh,
+		struct luks2_reencrypt *rh,
 		unsigned final)
 {
 	int digest, s = LUKS2_segment_first_unused_id(hdr);
@@ -1512,7 +1622,7 @@ static int reencrypt_add_backup_segment(struct crypt_device *cd,
 
 static int reencrypt_assign_segments_simple(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
-	struct luks2_reenc_context *rh,
+	struct luks2_reencrypt *rh,
 	unsigned hot,
 	unsigned commit)
 {
@@ -1570,7 +1680,7 @@ static int reencrypt_assign_segments_simple(struct crypt_device *cd,
 
 static int reencrypt_assign_segments(struct crypt_device *cd,
 		struct luks2_hdr *hdr,
-		struct luks2_reenc_context *rh,
+		struct luks2_reencrypt *rh,
 		unsigned hot,
 		unsigned commit)
 {
@@ -1955,7 +2065,7 @@ err:
 }
 
 static int reencrypt_init_device_stack(struct crypt_device *cd,
-		                     const struct luks2_reenc_context *rh)
+		                     const struct luks2_reencrypt *rh)
 {
 	int r;
 
@@ -2377,7 +2487,7 @@ static int reencrypt_init(struct crypt_device *cd,
 			goto err;
 	}
 
-	r = LUKS2_keyslot_reencrypt_create(cd, hdr, reencrypt_keyslot,
+	r = LUKS2_keyslot_reencrypt_allocate(cd, hdr, reencrypt_keyslot,
 					   params);
 	if (r < 0)
 		goto err;
@@ -2392,6 +2502,10 @@ static int reencrypt_init(struct crypt_device *cd,
 	if (r < 0)
 		goto err;
 
+	r = LUKS2_keyslot_reencrypt_digest_create(cd, hdr, *vks);
+	if (r < 0)
+		goto err;
+
 	if (name && params->mode != CRYPT_REENCRYPT_ENCRYPT) {
 		r = reencrypt_verify_and_upload_keys(cd, hdr, LUKS2_reencrypt_digest_old(hdr), LUKS2_reencrypt_digest_new(hdr), *vks);
 		if (r)
@@ -2439,7 +2553,7 @@ err:
 }
 
 static int reencrypt_hotzone_protect_final(struct crypt_device *cd,
-	struct luks2_hdr *hdr, struct luks2_reenc_context *rh,
+	struct luks2_hdr *hdr, struct luks2_reencrypt *rh,
 	const void *buffer, size_t buffer_len)
 {
 	const void *pbuffer;
@@ -2481,7 +2595,7 @@ static int reencrypt_hotzone_protect_final(struct crypt_device *cd,
 }
 
 static int reencrypt_context_update(struct crypt_device *cd,
-	struct luks2_reenc_context *rh)
+	struct luks2_reencrypt *rh)
 {
 	if (rh->read < 0)
 		return -EINVAL;
@@ -2522,20 +2636,28 @@ static int reencrypt_context_update(struct crypt_device *cd,
 static int reencrypt_load(struct crypt_device *cd, struct luks2_hdr *hdr,
 		uint64_t device_size,
 		const struct crypt_params_reencrypt *params,
-		struct luks2_reenc_context **rh)
+		struct volume_key *vks,
+		struct luks2_reencrypt **rh)
 {
 	int r;
-	struct luks2_reenc_context *tmp = NULL;
-	crypt_reencrypt_info ri = LUKS2_reenc_status(hdr);
+	struct luks2_reencrypt *tmp = NULL;
+	crypt_reencrypt_info ri = LUKS2_reencrypt_status(hdr);
+
+	if (ri == CRYPT_REENCRYPT_NONE) {
+		log_err(cd, _("Device not marked for LUKS2 reencryption."));
+		return -EINVAL;
+	} else if (ri == CRYPT_REENCRYPT_INVALID)
+		return -EINVAL;
+
+	r = LUKS2_reencrypt_digest_verify(cd, hdr, vks);
+	if (r < 0)
+		return r;
 
 	if (ri == CRYPT_REENCRYPT_CLEAN)
 		r = reencrypt_load_clean(cd, hdr, device_size, &tmp, params);
 	else if (ri == CRYPT_REENCRYPT_CRASH)
 		r = reencrypt_load_crashed(cd, hdr, device_size, &tmp);
-	else if (ri == CRYPT_REENCRYPT_NONE) {
-		log_err(cd, _("Device not marked for LUKS2 reencryption."));
-		return -EINVAL;
-	} else
+	else
 		r = -EINVAL;
 
 	if (r < 0 || !tmp) {
@@ -2547,7 +2669,7 @@ static int reencrypt_load(struct crypt_device *cd, struct luks2_hdr *hdr,
 
 	return 0;
 }
-
+#endif
 static int reencrypt_lock_internal(struct crypt_device *cd, const char *uuid, struct crypt_lock_handle **reencrypt_lock)
 {
 	int r;
@@ -2574,7 +2696,8 @@ out:
 }
 
 /* internal only */
-int crypt_reencrypt_lock_by_dm_uuid(struct crypt_device *cd, const char *dm_uuid, struct crypt_lock_handle **reencrypt_lock)
+int LUKS2_reencrypt_lock_by_dm_uuid(struct crypt_device *cd, const char *dm_uuid,
+	struct crypt_lock_handle **reencrypt_lock)
 {
 	int r;
 	char hdr_uuid[37];
@@ -2595,7 +2718,7 @@ int crypt_reencrypt_lock_by_dm_uuid(struct crypt_device *cd, const char *dm_uuid
 }
 
 /* internal only */
-int crypt_reencrypt_lock(struct crypt_device *cd, struct crypt_lock_handle **reencrypt_lock)
+int LUKS2_reencrypt_lock(struct crypt_device *cd, struct crypt_lock_handle **reencrypt_lock)
 {
 	if (!cd || !crypt_get_type(cd) || strcmp(crypt_get_type(cd), CRYPT_LUKS2))
 		return -EINVAL;
@@ -2604,11 +2727,11 @@ int crypt_reencrypt_lock(struct crypt_device *cd, struct crypt_lock_handle **ree
 }
 
 /* internal only */
-void crypt_reencrypt_unlock(struct crypt_device *cd, struct crypt_lock_handle *reencrypt_lock)
+void LUKS2_reencrypt_unlock(struct crypt_device *cd, struct crypt_lock_handle *reencrypt_lock)
 {
 	crypt_unlock_internal(cd, reencrypt_lock);
 }
-
+#if USE_LUKS2_REENCRYPTION
 static int reencrypt_lock_and_verify(struct crypt_device *cd, struct luks2_hdr *hdr,
 		struct crypt_lock_handle **reencrypt_lock)
 {
@@ -2616,7 +2739,7 @@ static int reencrypt_lock_and_verify(struct crypt_device *cd, struct luks2_hdr *
 	crypt_reencrypt_info ri;
 	struct crypt_lock_handle *h;
 
-	ri = LUKS2_reenc_status(hdr);
+	ri = LUKS2_reencrypt_status(hdr);
 	if (ri == CRYPT_REENCRYPT_INVALID) {
 		log_err(cd, _("Failed to get reencryption state."));
 		return -EINVAL;
@@ -2626,7 +2749,7 @@ static int reencrypt_lock_and_verify(struct crypt_device *cd, struct luks2_hdr *
 		return -EINVAL;
 	}
 
-	r = crypt_reencrypt_lock(cd, &h);
+	r = LUKS2_reencrypt_lock(cd, &h);
 	if (r < 0) {
 		if (r == -EBUSY)
 			log_err(cd, _("Reencryption process is already running."));
@@ -2638,17 +2761,17 @@ static int reencrypt_lock_and_verify(struct crypt_device *cd, struct luks2_hdr *
 	/* With reencryption lock held, reload device context and verify metadata state */
 	r = crypt_load(cd, CRYPT_LUKS2, NULL);
 	if (r) {
-		crypt_reencrypt_unlock(cd, h);
+		LUKS2_reencrypt_unlock(cd, h);
 		return r;
 	}
 
-	ri = LUKS2_reenc_status(hdr);
+	ri = LUKS2_reencrypt_status(hdr);
 	if (ri == CRYPT_REENCRYPT_CLEAN) {
 		*reencrypt_lock = h;
 		return 0;
 	}
 
-	crypt_reencrypt_unlock(cd, h);
+	LUKS2_reencrypt_unlock(cd, h);
 	log_err(cd, _("Cannot proceed with reencryption. Run reencryption recovery first."));
 	return -EINVAL;
 }
@@ -2665,7 +2788,7 @@ static int reencrypt_load_by_passphrase(struct crypt_device *cd,
 	int r, old_ss, new_ss;
 	struct luks2_hdr *hdr;
 	struct crypt_lock_handle *reencrypt_lock;
-	struct luks2_reenc_context *rh;
+	struct luks2_reencrypt *rh;
 	const struct volume_key *vk;
 	struct crypt_dm_active_device dmd_target, dmd_source = {
 		.uuid = crypt_get_uuid(cd),
@@ -2683,10 +2806,10 @@ static int reencrypt_load_by_passphrase(struct crypt_device *cd,
 
 	log_dbg(cd, "Loading LUKS2 reencryption context.");
 
-	rh = crypt_get_reenc_context(cd);
+	rh = crypt_get_luks2_reencrypt(cd);
 	if (rh) {
-		LUKS2_reenc_context_free(cd, rh);
-		crypt_set_reenc_context(cd, NULL);
+		LUKS2_reencrypt_free(cd, rh);
+		crypt_set_luks2_reencrypt(cd, NULL);
 		rh = NULL;
 	}
 
@@ -2702,7 +2825,7 @@ static int reencrypt_load_by_passphrase(struct crypt_device *cd,
 		return -EINVAL;
 
 	/* some configurations provides fixed device size */
-	r = luks2_check_device_size(cd, hdr, minimal_size, &device_size, false, dynamic);
+	r = LUKS2_reencrypt_check_device_size(cd, hdr, minimal_size, &device_size, false, dynamic);
 	if (r) {
 		r = -EINVAL;
 		goto err;
@@ -2783,7 +2906,7 @@ static int reencrypt_load_by_passphrase(struct crypt_device *cd,
 		rparams.device_size = required_size;
 	}
 
-	r = reencrypt_load(cd, hdr, device_size, &rparams, &rh);
+	r = reencrypt_load(cd, hdr, device_size, &rparams, *vks, &rh);
 	if (r < 0 || !rh)
 		goto err;
 
@@ -2824,12 +2947,12 @@ static int reencrypt_load_by_passphrase(struct crypt_device *cd,
 	MOVE_REF(rh->vks, *vks);
 	MOVE_REF(rh->reenc_lock, reencrypt_lock);
 
-	crypt_set_reenc_context(cd, rh);
+	crypt_set_luks2_reencrypt(cd, rh);
 
 	return 0;
 err:
-	crypt_reencrypt_unlock(cd, reencrypt_lock);
-	LUKS2_reenc_context_free(cd, rh);
+	LUKS2_reencrypt_unlock(cd, reencrypt_lock);
+	LUKS2_reencrypt_free(cd, rh);
 	return r;
 }
 
@@ -2844,7 +2967,7 @@ static int reencrypt_recovery_by_passphrase(struct crypt_device *cd,
 	crypt_reencrypt_info ri;
 	struct crypt_lock_handle *reencrypt_lock;
 
-	r = crypt_reencrypt_lock(cd, &reencrypt_lock);
+	r = LUKS2_reencrypt_lock(cd, &reencrypt_lock);
 	if (r) {
 		if (r == -EBUSY)
 			log_err(cd, _("Reencryption in-progress. Cannot perform recovery."));
@@ -2854,13 +2977,13 @@ static int reencrypt_recovery_by_passphrase(struct crypt_device *cd,
 	}
 
 	if ((r = crypt_load(cd, CRYPT_LUKS2, NULL))) {
-		crypt_reencrypt_unlock(cd, reencrypt_lock);
+		LUKS2_reencrypt_unlock(cd, reencrypt_lock);
 		return r;
 	}
 
-	ri = LUKS2_reenc_status(hdr);
+	ri = LUKS2_reencrypt_status(hdr);
 	if (ri == CRYPT_REENCRYPT_INVALID) {
-		crypt_reencrypt_unlock(cd, reencrypt_lock);
+		LUKS2_reencrypt_unlock(cd, reencrypt_lock);
 		return -EINVAL;
 	}
 
@@ -2874,10 +2997,89 @@ static int reencrypt_recovery_by_passphrase(struct crypt_device *cd,
 		r = 0;
 	}
 
-	crypt_reencrypt_unlock(cd, reencrypt_lock);
+	LUKS2_reencrypt_unlock(cd, reencrypt_lock);
 	return r;
 }
 
+static int reencrypt_repair_by_passphrase(
+		struct crypt_device *cd,
+		struct luks2_hdr *hdr,
+		int keyslot_old,
+		int keyslot_new,
+		const char *passphrase,
+		size_t passphrase_size)
+{
+	int r;
+	struct crypt_lock_handle *reencrypt_lock;
+	struct luks2_reencrypt *rh;
+	crypt_reencrypt_info ri;
+	struct volume_key *vks = NULL;
+
+	log_dbg(cd, "Loading LUKS2 reencryption context for metadata repair.");
+
+	rh = crypt_get_luks2_reencrypt(cd);
+	if (rh) {
+		LUKS2_reencrypt_free(cd, rh);
+		crypt_set_luks2_reencrypt(cd, NULL);
+		rh = NULL;
+	}
+
+	ri = LUKS2_reencrypt_status(hdr);
+	if (ri == CRYPT_REENCRYPT_INVALID)
+		return -EINVAL;
+
+	if (ri < CRYPT_REENCRYPT_CLEAN) {
+		log_err(cd, _("Device is not in reencryption."));
+		return -EINVAL;
+	}
+
+	r = LUKS2_reencrypt_lock(cd, &reencrypt_lock);
+	if (r < 0) {
+		if (r == -EBUSY)
+			log_err(cd, _("Reencryption process is already running."));
+		else
+			log_err(cd, _("Failed to acquire reencryption lock."));
+		return r;
+	}
+
+	/* With reencryption lock held, reload device context and verify metadata state */
+	r = crypt_load(cd, CRYPT_LUKS2, NULL);
+	if (r)
+		goto out;
+
+	ri = LUKS2_reencrypt_status(hdr);
+	if (ri == CRYPT_REENCRYPT_INVALID) {
+		r = -EINVAL;
+		goto out;
+	}
+	if (ri == CRYPT_REENCRYPT_NONE) {
+		r = 0;
+		goto out;
+	}
+
+	r = LUKS2_keyslot_open_all_segments(cd, keyslot_old, keyslot_new, passphrase, passphrase_size, &vks);
+	if (r < 0)
+		goto out;
+
+	r = LUKS2_keyslot_reencrypt_digest_create(cd, hdr, vks);
+	crypt_free_volume_key(vks);
+	vks = NULL;
+	if (r < 0)
+		goto out;
+
+	/* removes online-reencrypt flag v1 */
+	if ((r = reencrypt_update_flag(cd, 0, false)))
+		goto out;
+
+	/* adds online-reencrypt flag v2 and commits metadata */
+	r = reencrypt_update_flag(cd, 1, true);
+out:
+	LUKS2_reencrypt_unlock(cd, reencrypt_lock);
+	crypt_free_volume_key(vks);
+	return r;
+
+}
+#endif
 static int reencrypt_init_by_passphrase(struct crypt_device *cd,
 	const char *name,
 	const char *passphrase,
@@ -2888,12 +3090,17 @@ static int reencrypt_init_by_passphrase(struct crypt_device *cd,
 	const char *cipher_mode,
 	const struct crypt_params_reencrypt *params)
 {
+#if USE_LUKS2_REENCRYPTION
 	int r;
 	crypt_reencrypt_info ri;
 	struct volume_key *vks = NULL;
 	uint32_t flags = params ? params->flags : 0;
 	struct luks2_hdr *hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
 
+	/* short-circuit in reencryption metadata update and finish immediately. */
+	if (flags & CRYPT_REENCRYPT_REPAIR_NEEDED)
+		return reencrypt_repair_by_passphrase(cd, hdr, keyslot_old, keyslot_new, passphrase, passphrase_size);
+
 	/* short-circuit in recovery and finish immediately. */
 	if (flags & CRYPT_REENCRYPT_RECOVERY)
 		return reencrypt_recovery_by_passphrase(cd, hdr, keyslot_old, keyslot_new, passphrase, passphrase_size);
@@ -2911,7 +3118,7 @@ static int reencrypt_init_by_passphrase(struct crypt_device *cd,
 	if (r)
 		return r;
 
-	ri = LUKS2_reenc_status(hdr);
+	ri = LUKS2_reencrypt_status(hdr);
 	if (ri == CRYPT_REENCRYPT_INVALID) {
 		device_write_unlock(cd, crypt_metadata_device(cd));
 		return -EINVAL;
@@ -2943,6 +3150,10 @@ out:
 		crypt_drop_keyring_key(cd, vks);
 	crypt_free_volume_key(vks);
 	return r < 0 ? r : LUKS2_find_keyslot(hdr, "reencrypt");
+#else
+	log_err(cd, _("This operation is not supported for this device type."));
+	return -ENOTSUP;
+#endif
 }
 
 int crypt_reencrypt_init_by_keyring(struct crypt_device *cd,
@@ -2995,21 +3206,15 @@ int crypt_reencrypt_init_by_passphrase(struct crypt_device *cd,
 	return reencrypt_init_by_passphrase(cd, name, passphrase, passphrase_size, keyslot_old, keyslot_new, cipher, cipher_mode, params);
 }
 
+#if USE_LUKS2_REENCRYPTION
 static reenc_status_t reencrypt_step(struct crypt_device *cd,
 		struct luks2_hdr *hdr,
-		struct luks2_reenc_context *rh,
+		struct luks2_reencrypt *rh,
 		uint64_t device_size,
 		bool online)
 {
 	int r;
 
-	/* update reencrypt keyslot protection parameters in memory only */
-	r = reenc_keyslot_update(cd, rh);
-	if (r < 0) {
-		log_dbg(cd, "Keyslot update failed.");
-		return REENC_ERR;
-	}
-
 	/* in memory only */
 	r = reencrypt_make_segments(cd, hdr, rh, device_size);
 	if (r)
@@ -3126,7 +3331,7 @@ static int reencrypt_erase_backup_segments(struct crypt_device *cd,
 	return 0;
 }
 
-static int reencrypt_wipe_moved_segment(struct crypt_device *cd, struct luks2_hdr *hdr, struct luks2_reenc_context *rh)
+static int reencrypt_wipe_moved_segment(struct crypt_device *cd, struct luks2_hdr *hdr, struct luks2_reencrypt *rh)
 {
 	int r = 0;
 	uint64_t offset, length;
@@ -3143,7 +3348,7 @@ static int reencrypt_wipe_moved_segment(struct crypt_device *cd, struct luks2_hd
 	return r;
 }
 
-static int reencrypt_teardown_ok(struct crypt_device *cd, struct luks2_hdr *hdr, struct luks2_reenc_context *rh)
+static int reencrypt_teardown_ok(struct crypt_device *cd, struct luks2_hdr *hdr, struct luks2_reencrypt *rh)
 {
 	int i, r;
 	uint32_t dmt_flags;
@@ -3179,21 +3384,26 @@ static int reencrypt_teardown_ok(struct crypt_device *cd, struct luks2_hdr *hdr,
 			log_dbg(cd, "Failed to set new keyslots area size.");
 		if (rh->digest_old >= 0 && rh->digest_new != rh->digest_old)
 			for (i = 0; i < LUKS2_KEYSLOTS_MAX; i++)
-				if (LUKS2_digest_by_keyslot(hdr, i) == rh->digest_old)
-					crypt_keyslot_destroy(cd, i);
-		crypt_keyslot_destroy(cd, rh->reenc_keyslot);
+				if (LUKS2_digest_by_keyslot(hdr, i) == rh->digest_old && crypt_keyslot_destroy(cd, i))
+					log_err(cd, _("Failed to remove unused (unbound) keyslot %d."), i);
+
 		if (reencrypt_erase_backup_segments(cd, hdr))
 			log_dbg(cd, "Failed to erase backup segments");
 
-		/* do we need atomic erase? */
-		if (reencrypt_update_flag(cd, 0, true))
-			log_err(cd, _("Failed to disable reencryption requirement flag."));
+		if (reencrypt_update_flag(cd, 0, false))
+			log_dbg(cd, "Failed to disable reencryption requirement flag.");
+
+		/* metadata commit point also removing reencryption flag on-disk */
+		if (crypt_keyslot_destroy(cd, rh->reenc_keyslot)) {
+			log_err(cd, _("Failed to remove reencryption keyslot."));
+			return -EINVAL;
+		}
 	}
 
 	return 0;
 }
 
-static void reencrypt_teardown_fatal(struct crypt_device *cd, struct luks2_hdr *hdr, struct luks2_reenc_context *rh)
+static void reencrypt_teardown_fatal(struct crypt_device *cd, struct luks2_hdr *hdr, struct luks2_reencrypt *rh)
 {
 	log_err(cd, _("Fatal error while reencrypting chunk starting at %" PRIu64 ", %" PRIu64 " sectors long."),
 		(rh->offset >> SECTOR_SHIFT) + crypt_get_data_offset(cd), rh->length >> SECTOR_SHIFT);
@@ -3211,7 +3421,7 @@ static void reencrypt_teardown_fatal(struct crypt_device *cd, struct luks2_hdr *
 }
 
 static int reencrypt_teardown(struct crypt_device *cd, struct luks2_hdr *hdr,
-		struct luks2_reenc_context *rh, reenc_status_t rs, bool interrupted,
+		struct luks2_reencrypt *rh, reenc_status_t rs, bool interrupted,
 		int (*progress)(uint64_t size, uint64_t offset, void *usrptr))
 {
 	int r;
@@ -3230,19 +3440,20 @@ static int reencrypt_teardown(struct crypt_device *cd, struct luks2_hdr *hdr,
 	}
 
 	/* this frees reencryption lock */
-	LUKS2_reenc_context_free(cd, rh);
-	crypt_set_reenc_context(cd, NULL);
+	LUKS2_reencrypt_free(cd, rh);
+	crypt_set_luks2_reencrypt(cd, NULL);
 
 	return r;
 }
-
+#endif
 int crypt_reencrypt(struct crypt_device *cd,
 		    int (*progress)(uint64_t size, uint64_t offset, void *usrptr))
 {
+#if USE_LUKS2_REENCRYPTION
 	int r;
 	crypt_reencrypt_info ri;
 	struct luks2_hdr *hdr;
-	struct luks2_reenc_context *rh;
+	struct luks2_reencrypt *rh;
 	reenc_status_t rs;
 	bool quit = false;
 
@@ -3251,13 +3462,13 @@ int crypt_reencrypt(struct crypt_device *cd,
 
 	hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
 
-	ri = LUKS2_reenc_status(hdr);
+	ri = LUKS2_reencrypt_status(hdr);
 	if (ri > CRYPT_REENCRYPT_CLEAN) {
 		log_err(cd, _("Cannot proceed with reencryption. Unexpected reencryption status."));
 		return -EINVAL;
 	}
 
-	rh = crypt_get_reenc_context(cd);
+	rh = crypt_get_luks2_reencrypt(cd);
 	if (!rh || (!rh->reenc_lock && crypt_metadata_locking_enabled())) {
 		log_err(cd, _("Missing or invalid reencrypt context."));
 		return -EINVAL;
@@ -3274,6 +3485,15 @@ int crypt_reencrypt(struct crypt_device *cd,
 
 	rs = REENC_OK;
 
+	/* update reencrypt keyslot protection parameters in memory only */
+	if (!quit && (rh->device_size > rh->progress)) {
+		r = reencrypt_keyslot_update(cd, rh);
+		if (r < 0) {
+			log_dbg(cd, "Keyslot update failed.");
+			return reencrypt_teardown(cd, hdr, rh, REENC_ERR, quit, progress);
+		}
+	}
+
 	while (!quit && (rh->device_size > rh->progress)) {
 		rs = reencrypt_step(cd, hdr, rh, rh->device_size, rh->online);
 		if (rs != REENC_OK)
@@ -3296,17 +3516,22 @@ int crypt_reencrypt(struct crypt_device *cd,
 
 	r = reencrypt_teardown(cd, hdr, rh, rs, quit, progress);
 	return r;
+#else
+	log_err(cd, _("This operation is not supported for this device type."));
+	return -ENOTSUP;
+#endif
 }
 
+#if USE_LUKS2_REENCRYPTION
 static int reencrypt_recovery(struct crypt_device *cd,
 		struct luks2_hdr *hdr,
 		uint64_t device_size,
 		struct volume_key *vks)
 {
 	int r;
-	struct luks2_reenc_context *rh = NULL;
+	struct luks2_reencrypt *rh = NULL;
 
-	r = reencrypt_load(cd, hdr, device_size, NULL, &rh);
+	r = reencrypt_load(cd, hdr, device_size, NULL, vks, &rh);
 	if (r < 0) {
 		log_err(cd, _("Failed to load LUKS2 reencryption context."));
 		return r;
@@ -3329,18 +3554,18 @@ static int reencrypt_recovery(struct crypt_device *cd,
 	if (!r)
 		r = LUKS2_hdr_write(cd, hdr);
 err:
-	LUKS2_reenc_context_free(cd, rh);
+	LUKS2_reencrypt_free(cd, rh);
 
 	return r;
 }
-
+#endif
 /*
  * use only for calculation of minimal data device size.
  * The real data offset is taken directly from segments!
  */
 int LUKS2_reencrypt_data_offset(struct luks2_hdr *hdr, bool blockwise)
 {
-	crypt_reencrypt_info ri = LUKS2_reenc_status(hdr);
+	crypt_reencrypt_info ri = LUKS2_reencrypt_status(hdr);
 	uint64_t data_offset = LUKS2_get_data_offset(hdr);
 
 	if (ri == CRYPT_REENCRYPT_CLEAN && reencrypt_direction(hdr) == CRYPT_REENCRYPT_FORWARD)
@@ -3350,7 +3575,8 @@ int LUKS2_reencrypt_data_offset(struct luks2_hdr *hdr, bool blockwise)
 }
 
 /* internal only */
-int luks2_check_device_size(struct crypt_device *cd, struct luks2_hdr *hdr, uint64_t check_size, uint64_t *dev_size, bool activation, bool dynamic)
+int LUKS2_reencrypt_check_device_size(struct crypt_device *cd, struct luks2_hdr *hdr,
+	uint64_t check_size, uint64_t *dev_size, bool activation, bool dynamic)
 {
 	int r;
 	uint64_t data_offset, real_size = 0;
@@ -3388,7 +3614,7 @@ int luks2_check_device_size(struct crypt_device *cd, struct luks2_hdr *hdr, uint
 
 	return 0;
 }
-
+#if USE_LUKS2_REENCRYPTION
 /* returns keyslot number on success (>= 0) or negative errnor otherwise */
 int LUKS2_reencrypt_locked_recovery_by_passphrase(struct crypt_device *cd,
 	int keyslot_old,
@@ -3424,7 +3650,7 @@ int LUKS2_reencrypt_locked_recovery_by_passphrase(struct crypt_device *cd,
 		vk = crypt_volume_key_next(vk);
 	}
 
-	if (luks2_check_device_size(cd, hdr, minimal_size, &device_size, true, false))
+	if (LUKS2_reencrypt_check_device_size(cd, hdr, minimal_size, &device_size, true, false))
 		goto err;
 
 	r = reencrypt_recovery(cd, hdr, device_size, _vks);
@@ -3438,16 +3664,32 @@ err:
 
 	return r < 0 ? r : keyslot;
 }
-
-crypt_reencrypt_info LUKS2_reencrypt_status(struct crypt_device *cd, struct crypt_params_reencrypt *params)
+#endif
+crypt_reencrypt_info LUKS2_reencrypt_get_params(struct luks2_hdr *hdr,
+	struct crypt_params_reencrypt *params)
 {
 	crypt_reencrypt_info ri;
-	struct luks2_hdr *hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
+	int digest;
+	uint32_t version;
 
-	ri = LUKS2_reenc_status(hdr);
+	ri = LUKS2_reencrypt_status(hdr);
 	if (ri == CRYPT_REENCRYPT_NONE || ri == CRYPT_REENCRYPT_INVALID || !params)
 		return ri;
 
+	digest = LUKS2_digest_by_keyslot(hdr, LUKS2_find_keyslot(hdr, "reencrypt"));
+	if (digest < 0 && digest != -ENOENT)
+		return CRYPT_REENCRYPT_INVALID;
+
+	/*
+	 * In case there's an old "online-reencrypt" requirement or reencryption
+	 * keyslot digest is missing inform caller reencryption metadata requires repair.
+	 */
+	if (!LUKS2_config_get_reencrypt_version(hdr, &version) &&
+	    (version < 2 || digest == -ENOENT)) {
+		params->flags |= CRYPT_REENCRYPT_REPAIR_NEEDED;
+		return ri;
+	}
+
 	params->mode = reencrypt_mode(hdr);
 	params->direction = reencrypt_direction(hdr);
 	params->resilience = reencrypt_resilience_type(hdr);

lib/luks2/luks2_reencrypt_digest.c

@@ -0,0 +1,381 @@
+/*
+ * LUKS - Linux Unified Key Setup v2, reencryption digest helpers
+ *
+ * Copyright (C) 2022, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2022, Ondrej Kozina
+ * Copyright (C) 2022, Milan Broz
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "luks2_internal.h"
+#include <assert.h>
+
+#define MAX_STR 64
+
+struct jtype {
+	enum { JNONE = 0, JSTR, JU64, JX64, JU32 } type;
+	json_object *jobj;
+	const char *id;
+};
+
+static size_t sr(struct jtype *j, uint8_t *ptr)
+{
+	json_object *jobj;
+	size_t len = 0;
+	uint64_t u64;
+	uint32_t u32;
+
+	if (!json_object_is_type(j->jobj, json_type_object))
+		return 0;
+
+	if (!json_object_object_get_ex(j->jobj, j->id, &jobj))
+		return 0;
+
+	switch(j->type) {
+	case JSTR: /* JSON string */
+		if (!json_object_is_type(jobj, json_type_string))
+			return 0;
+		len = strlen(json_object_get_string(jobj));
+		if (len > MAX_STR)
+			return 0;
+		if (ptr)
+			memcpy(ptr, json_object_get_string(jobj), len);
+		break;
+	case JU64: /* Unsigned 64bit integer stored as string */
+		if (!json_object_is_type(jobj, json_type_string))
+			break;
+		len = sizeof(u64);
+		if (ptr) {
+			u64 = cpu_to_be64(crypt_jobj_get_uint64(jobj));
+			memcpy(ptr, &u64, len);
+		}
+		break;
+	case JX64: /* Unsigned 64bit segment size (allows "dynamic") */
+		if (!json_object_is_type(jobj, json_type_string))
+			break;
+		if (!strcmp(json_object_get_string(jobj), "dynamic")) {
+			len = strlen("dynamic");
+			if (ptr)
+				memcpy(ptr, json_object_get_string(jobj), len);
+		} else {
+			len = sizeof(u64);
+			u64 = cpu_to_be64(crypt_jobj_get_uint64(jobj));
+			if (ptr)
+				memcpy(ptr, &u64, len);
+		}
+		break;
+	case JU32: /* Unsigned 32bit integer, stored as JSON int */
+		if (!json_object_is_type(jobj, json_type_int))
+			return 0;
+		len =  sizeof(u32);
+		if (ptr) {
+			u32 = cpu_to_be32(crypt_jobj_get_uint32(jobj));
+			memcpy(ptr, &u32, len);
+		}
+		break;
+	case JNONE:
+		return 0;
+	};
+
+	return len;
+}
+
+static size_t srs(struct jtype j[], uint8_t *ptr)
+{
+	size_t l, len = 0;
+
+	while(j->jobj) {
+		l = sr(j, ptr);
+		if (!l)
+			return 0;
+		len += l;
+		if (ptr)
+			ptr += l;
+		j++;
+	}
+	return len;
+}
+
+static size_t segment_linear_serialize(json_object *jobj_segment, uint8_t *buffer)
+{
+	struct jtype j[] = {
+		{ JSTR, jobj_segment, "type" },
+		{ JU64, jobj_segment, "offset" },
+		{ JX64, jobj_segment, "size" },
+		{}
+	};
+	return srs(j, buffer);
+}
+
+static size_t segment_crypt_serialize(json_object *jobj_segment, uint8_t *buffer)
+{
+	struct jtype j[] = {
+		{ JSTR, jobj_segment, "type" },
+		{ JU64, jobj_segment, "offset" },
+		{ JX64, jobj_segment, "size" },
+		{ JU64, jobj_segment, "iv_tweak" },
+		{ JSTR, jobj_segment, "encryption" },
+		{ JU32, jobj_segment, "sector_size" },
+		{}
+	};
+	return srs(j, buffer);
+}
+
+static size_t segment_serialize(json_object *jobj_segment, uint8_t *buffer)
+{
+	json_object *jobj_type;
+	const char *segment_type;
+
+	if (!json_object_object_get_ex(jobj_segment, "type", &jobj_type))
+		return 0;
+
+	if (!(segment_type = json_object_get_string(jobj_type)))
+		return 0;
+
+	if (!strcmp(segment_type, "crypt"))
+		return segment_crypt_serialize(jobj_segment, buffer);
+	else if (!strcmp(segment_type, "linear"))
+		return segment_linear_serialize(jobj_segment, buffer);
+
+	return 0;
+}
+
+static size_t backup_segments_serialize(struct luks2_hdr *hdr, uint8_t *buffer)
+{
+	json_object *jobj_segment;
+	size_t l, len = 0;
+
+	jobj_segment = LUKS2_get_segment_by_flag(hdr, "backup-previous");
+	if (!jobj_segment || !(l = segment_serialize(jobj_segment, buffer)))
+		return 0;
+	len += l;
+	if (buffer)
+		buffer += l;
+
+	jobj_segment = LUKS2_get_segment_by_flag(hdr, "backup-final");
+	if (!jobj_segment || !(l = segment_serialize(jobj_segment, buffer)))
+		return 0;
+	len += l;
+	if (buffer)
+		buffer += l;
+
+	jobj_segment = LUKS2_get_segment_by_flag(hdr, "backup-moved-segment");
+	if (jobj_segment) {
+		if (!(l = segment_serialize(jobj_segment, buffer)))
+			return 0;
+		len += l;
+	}
+
+	return len;
+}
+
+static size_t reenc_keyslot_serialize(struct luks2_hdr *hdr, uint8_t *buffer)
+{
+	json_object *jobj_keyslot, *jobj_area, *jobj_type;
+	const char *area_type;
+	int keyslot_reencrypt;
+
+	keyslot_reencrypt = LUKS2_find_keyslot(hdr, "reencrypt");
+	if (keyslot_reencrypt < 0)
+		return 0;
+
+	if (!(jobj_keyslot = LUKS2_get_keyslot_jobj(hdr, keyslot_reencrypt)))
+		return 0;
+
+	if (!json_object_object_get_ex(jobj_keyslot, "area", &jobj_area))
+		return 0;
+
+	if (!json_object_object_get_ex(jobj_area, "type", &jobj_type))
+		return 0;
+
+	if (!(area_type = json_object_get_string(jobj_type)))
+		return 0;
+
+	struct jtype j[] = {
+		{ JSTR, jobj_keyslot, "mode" },
+		{ JSTR, jobj_keyslot, "direction" },
+		{ JSTR, jobj_area,    "type" },
+		{ JU64, jobj_area,    "offset" },
+		{ JU64, jobj_area,    "size" },
+		{}
+	};
+	struct jtype j_datashift[] = {
+		{ JSTR, jobj_keyslot, "mode" },
+		{ JSTR, jobj_keyslot, "direction" },
+		{ JSTR, jobj_area,    "type" },
+		{ JU64, jobj_area,    "offset" },
+		{ JU64, jobj_area,    "size" },
+		{ JU64, jobj_area,    "shift_size" },
+		{}
+	};
+	struct jtype j_checksum[] = {
+		{ JSTR, jobj_keyslot, "mode" },
+		{ JSTR, jobj_keyslot, "direction" },
+		{ JSTR, jobj_area,    "type" },
+		{ JU64, jobj_area,    "offset" },
+		{ JU64, jobj_area,    "size" },
+		{ JSTR, jobj_area,    "hash" },
+		{ JU32, jobj_area,    "sector_size" },
+		{}
+	};
+
+	if (!strcmp(area_type, "datashift"))
+		return srs(j_datashift, buffer);
+	else if (!strcmp(area_type, "checksum"))
+		return srs(j_checksum, buffer);
+
+	return srs(j, buffer);
+}
+
+static size_t blob_serialize(void *blob, size_t length, uint8_t *buffer)
+{
+	if (buffer)
+		memcpy(buffer, blob, length);
+
+	return length;
+}
+
+static int reencrypt_assembly_verification_data(struct crypt_device *cd,
+	struct luks2_hdr *hdr,
+	struct volume_key *vks,
+	struct volume_key **verification_data)
+{
+	uint8_t *ptr;
+	int digest_new, digest_old;
+	struct volume_key *data = NULL, *vk_old = NULL, *vk_new = NULL;
+	size_t keyslot_data_len, segments_data_len, data_len = 2;
+
+	/* Keys - calculate length */
+	digest_new = LUKS2_reencrypt_digest_new(hdr);
+	digest_old = LUKS2_reencrypt_digest_old(hdr);
+
+	if (digest_old >= 0) {
+		vk_old = crypt_volume_key_by_id(vks, digest_old);
+		if (!vk_old)
+			return -EINVAL;
+		data_len += blob_serialize(vk_old->key, vk_old->keylength, NULL);
+	}
+
+	if (digest_new >= 0 && digest_old != digest_new) {
+		vk_new = crypt_volume_key_by_id(vks, digest_new);
+		if (!vk_new)
+			return -EINVAL;
+		data_len += blob_serialize(vk_new->key, vk_new->keylength, NULL);
+	}
+
+	if (data_len == 2)
+		return -EINVAL;
+
+	/* Metadata - calculate length */
+	if (!(keyslot_data_len = reenc_keyslot_serialize(hdr, NULL)))
+		return -EINVAL;
+	data_len += keyslot_data_len;
+
+	if (!(segments_data_len = backup_segments_serialize(hdr, NULL)))
+		return -EINVAL;
+	data_len += segments_data_len;
+
+	/* Alloc and fill serialization data */
+	data = crypt_alloc_volume_key(data_len, NULL);
+	if (!data)
+		return -ENOMEM;
+
+	ptr = (uint8_t*)data->key;
+
+	/* v2 */
+	*ptr++ = 0x76;
+	*ptr++ = 0x32;
+
+	if (vk_old)
+		ptr += blob_serialize(vk_old->key, vk_old->keylength, ptr);
+
+	if (vk_new)
+		ptr += blob_serialize(vk_new->key, vk_new->keylength, ptr);
+
+	if (!reenc_keyslot_serialize(hdr, ptr))
+		goto bad;
+	ptr += keyslot_data_len;
+
+	if (!backup_segments_serialize(hdr, ptr))
+		goto bad;
+	ptr += segments_data_len;
+
+	assert((size_t)(ptr - (uint8_t*)data->key) == data_len);
+
+	*verification_data = data;
+
+	return 0;
+bad:
+	crypt_free_volume_key(data);
+	return -EINVAL;
+}
+
+int LUKS2_keyslot_reencrypt_digest_create(struct crypt_device *cd,
+	struct luks2_hdr *hdr,
+	struct volume_key *vks)
+{
+	int digest_reencrypt, keyslot_reencrypt, r;
+	struct volume_key *data;
+
+	keyslot_reencrypt = LUKS2_find_keyslot(hdr, "reencrypt");
+	if (keyslot_reencrypt < 0)
+		return keyslot_reencrypt;
+
+	r = reencrypt_assembly_verification_data(cd, hdr, vks, &data);
+	if (r < 0)
+		return r;
+
+	r = LUKS2_digest_create(cd, "pbkdf2", hdr, data);
+	crypt_free_volume_key(data);
+	if (r < 0)
+		return r;
+
+	digest_reencrypt = r;
+
+	r = LUKS2_digest_assign(cd, hdr, keyslot_reencrypt, CRYPT_ANY_DIGEST, 0, 0);
+	if (r < 0)
+		return r;
+
+	return LUKS2_digest_assign(cd, hdr, keyslot_reencrypt, digest_reencrypt, 1, 0);
+}
+
+int LUKS2_reencrypt_digest_verify(struct crypt_device *cd,
+	struct luks2_hdr *hdr,
+	struct volume_key *vks)
+{
+	int r, keyslot_reencrypt;
+	struct volume_key *data;
+
+	keyslot_reencrypt = LUKS2_find_keyslot(hdr, "reencrypt");
+	if (keyslot_reencrypt < 0)
+		return keyslot_reencrypt;
+
+	r = reencrypt_assembly_verification_data(cd, hdr, vks, &data);
+	if (r < 0)
+		return r;
+
+	r = LUKS2_digest_verify(cd, hdr, data, keyslot_reencrypt);
+	crypt_free_volume_key(data);
+
+	if (r < 0) {
+		if (r == -ENOENT)
+			log_dbg(cd, "Reencryption digest is missing.");
+		log_err(cd, _("Reencryption metadata is invalid."));
+	} else
+		log_dbg(cd, "Reencryption metadata verified.");
+
+	return r;
+}

lib/luks2/luks2_segment.c

@@ -123,7 +123,7 @@ static json_object *json_segment_get_flags(json_object *jobj_segment)
 	return jobj;
 }
 
-static bool json_segment_contains_flag(json_object *jobj_segment, const char *flag_str, size_t len)
+bool json_segment_contains_flag(json_object *jobj_segment, const char *flag_str, size_t len)
 {
 	int r, i;
 	json_object *jobj, *jobj_flags = json_segment_get_flags(jobj_segment);
@@ -410,3 +410,23 @@ json_object *LUKS2_get_segment_by_flag(struct luks2_hdr *hdr, const char *flag)
 
 	return jobj_segment;
 }
+
+/* compares key characteristics of both segments */
+bool json_segment_cmp(json_object *jobj_segment_1, json_object *jobj_segment_2)
+{
+	const char *type = json_segment_type(jobj_segment_1);
+	const char *type2 = json_segment_type(jobj_segment_2);
+
+	if (!type || !type2)
+		return false;
+
+	if (strcmp(type, type2))
+		return false;
+
+	if (!strcmp(type, "crypt"))
+		return (json_segment_get_sector_size(jobj_segment_1) == json_segment_get_sector_size(jobj_segment_2) &&
+			!strcmp(json_segment_get_cipher(jobj_segment_1),
+			        json_segment_get_cipher(jobj_segment_2)));
+
+	return true;
+}

lib/setup.c

@@ -78,7 +78,7 @@ struct crypt_device {
 		char cipher_mode[MAX_CIPHER_LEN]; /* only for compatibility */
 		char *keyslot_cipher;
 		unsigned int keyslot_key_size;
-		struct luks2_reenc_context *rh;
+		struct luks2_reencrypt *rh;
 	} luks2;
 	struct { /* used in CRYPT_PLAIN */
 		struct crypt_params_plain hdr;
@@ -662,7 +662,7 @@ int crypt_set_data_device(struct crypt_device *cd, const char *device)
 		return -EINVAL;
 	}
 
-	if (isLUKS2(cd->type) && crypt_get_reenc_context(cd)) {
+	if (isLUKS2(cd->type) && crypt_get_luks2_reencrypt(cd)) {
 		log_err(cd, _("Illegal operation with reencryption in-progress."));
 		return -EINVAL;
 	}
@@ -1113,7 +1113,7 @@ static void crypt_free_type(struct crypt_device *cd)
 		free(cd->u.plain.cipher);
 		free(cd->u.plain.cipher_spec);
 	} else if (isLUKS2(cd->type)) {
-		LUKS2_reenc_context_free(cd, cd->u.luks2.rh);
+		LUKS2_reencrypt_free(cd, cd->u.luks2.rh);
 		LUKS2_hdr_free(cd, &cd->u.luks2.hdr);
 		free(cd->u.luks2.keyslot_cipher);
 	} else if (isLUKS1(cd->type)) {
@@ -1850,13 +1850,13 @@ static int _crypt_format_luks2(struct crypt_device *cd,
 	if (dev_size < (crypt_get_data_offset(cd) * SECTOR_SIZE))
 		log_std(cd, _("WARNING: Data offset is outside of currently available data device.\n"));
 
-	if (cd->metadata_size && (cd->metadata_size != LUKS2_metadata_size(cd->u.luks2.hdr.jobj)))
+	if (cd->metadata_size && (cd->metadata_size != LUKS2_metadata_size(&cd->u.luks2.hdr)))
 		log_std(cd, _("WARNING: LUKS2 metadata size changed to %" PRIu64 " bytes.\n"),
-			LUKS2_metadata_size(cd->u.luks2.hdr.jobj));
+			LUKS2_metadata_size(&cd->u.luks2.hdr));
 
-	if (cd->keyslots_size && (cd->keyslots_size != LUKS2_keyslots_size(cd->u.luks2.hdr.jobj)))
+	if (cd->keyslots_size && (cd->keyslots_size != LUKS2_keyslots_size(&cd->u.luks2.hdr)))
 		log_std(cd, _("WARNING: LUKS2 keyslots area size changed to %" PRIu64 " bytes.\n"),
-			LUKS2_keyslots_size(cd->u.luks2.hdr.jobj));
+			LUKS2_keyslots_size(&cd->u.luks2.hdr));
 
 	if (!integrity && sector_size > SECTOR_SIZE) {
 		dev_size -= (crypt_get_data_offset(cd) * SECTOR_SIZE);
@@ -1878,7 +1878,7 @@ static int _crypt_format_luks2(struct crypt_device *cd,
 	if (r < 0) {
 		log_err(cd, _("Cannot wipe header on device %s."),
 			mdata_device_path(cd));
-		if (dev_size < LUKS2_hdr_and_areas_size(cd->u.luks2.hdr.jobj))
+		if (dev_size < LUKS2_hdr_and_areas_size(&cd->u.luks2.hdr))
 			log_err(cd, _("Device %s is too small."), device_path(crypt_metadata_device(cd)));
 		goto out;
 	}
@@ -3857,21 +3857,6 @@ out:
 	return r;
 }
 
-static int load_all_keys(struct crypt_device *cd, struct luks2_hdr *hdr, struct volume_key *vks)
-{
-	int r;
-	struct volume_key *vk = vks;
-
-	while (vk) {
-		r = LUKS2_volume_key_load_in_keyring_by_digest(cd, hdr, vk, crypt_volume_key_get_id(vk));
-		if (r < 0)
-			return r;
-		vk = crypt_volume_key_next(vk);
-	}
-
-	return 0;
-}
-
 /* See fixmes in _open_and_activate_luks2 */
 int update_reencryption_flag(struct crypt_device *cd, int enable, bool commit);
 
@@ -3919,6 +3904,22 @@ out:
 	return r < 0 ? r : keyslot;
 }
 
+#if USE_LUKS2_REENCRYPTION
+static int load_all_keys(struct crypt_device *cd, struct luks2_hdr *hdr, struct volume_key *vks)
+{
+	int r;
+	struct volume_key *vk = vks;
+
+	while (vk) {
+		r = LUKS2_volume_key_load_in_keyring_by_digest(cd, hdr, vk, crypt_volume_key_get_id(vk));
+		if (r < 0)
+			return r;
+		vk = crypt_volume_key_next(vk);
+	}
+
+	return 0;
+}
+
 static int _open_all_keys(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	int keyslot,
@@ -3929,7 +3930,7 @@ static int _open_all_keys(struct crypt_device *cd,
 {
 	int r, segment;
 	struct volume_key *_vks = NULL;
-	crypt_reencrypt_info ri = LUKS2_reenc_status(hdr);
+	crypt_reencrypt_info ri = LUKS2_reencrypt_status(hdr);
 
 	segment = (flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY) ? CRYPT_ANY_SEGMENT : CRYPT_DEFAULT_SEGMENT;
 
@@ -3985,7 +3986,7 @@ static int _open_and_activate_reencrypt_device(struct crypt_device *cd,
 	if (crypt_use_keyring_for_vk(cd))
 		flags |= CRYPT_ACTIVATE_KEYRING_KEY;
 
-	r = crypt_reencrypt_lock(cd, &reencrypt_lock);
+	r = LUKS2_reencrypt_lock(cd, &reencrypt_lock);
 	if (r) {
 		if (r == -EBUSY)
 			log_err(cd, _("Reencryption in-progress. Cannot activate device."));
@@ -3997,7 +3998,7 @@ static int _open_and_activate_reencrypt_device(struct crypt_device *cd,
 	if ((r = crypt_load(cd, CRYPT_LUKS2, NULL)))
 		goto err;
 
-	ri = LUKS2_reenc_status(hdr);
+	ri = LUKS2_reencrypt_status(hdr);
 
 	if (ri == CRYPT_REENCRYPT_CRASH) {
 		r = LUKS2_reencrypt_locked_recovery_by_passphrase(cd, keyslot,
@@ -4008,14 +4009,14 @@ static int _open_and_activate_reencrypt_device(struct crypt_device *cd,
 		}
 		keyslot = r;
 
-		ri = LUKS2_reenc_status(hdr);
+		ri = LUKS2_reencrypt_status(hdr);
 	}
 
 	/* recovery finished reencryption or it's already finished */
 	if (ri == CRYPT_REENCRYPT_NONE) {
 		crypt_drop_keyring_key(cd, vks);
 		crypt_free_volume_key(vks);
-		crypt_reencrypt_unlock(cd, reencrypt_lock);
+		LUKS2_reencrypt_unlock(cd, reencrypt_lock);
 		return _open_and_activate(cd, keyslot, name, passphrase, passphrase_size, flags);
 	}
 
@@ -4033,15 +4034,21 @@ static int _open_and_activate_reencrypt_device(struct crypt_device *cd,
 			keyslot = r;
 	}
 
+	if (r >= 0) {
+		r = LUKS2_reencrypt_digest_verify(cd, hdr, vks);
+		if (r < 0)
+			goto err;
+	}
+
 	log_dbg(cd, "Entering clean reencryption state mode.");
 
 	if (r >= 0)
-		r = luks2_check_device_size(cd, hdr, minimal_size, &device_size, true, dynamic_size);
+		r = LUKS2_reencrypt_check_device_size(cd, hdr, minimal_size, &device_size, true, dynamic_size);
 
 	if (r >= 0)
 		r = LUKS2_activate_multi(cd, name, vks, device_size >> SECTOR_SHIFT, flags);
 err:
-	crypt_reencrypt_unlock(cd, reencrypt_lock);
+	LUKS2_reencrypt_unlock(cd, reencrypt_lock);
 	if (r < 0)
 		crypt_drop_keyring_key(cd, vks);
 	crypt_free_volume_key(vks);
@@ -4060,10 +4067,11 @@ static int _open_and_activate_luks2(struct crypt_device *cd,
 	uint32_t flags)
 {
 	crypt_reencrypt_info ri;
-	int r;
+	int r, rv;
 	struct luks2_hdr *hdr = &cd->u.luks2.hdr;
+	struct volume_key *vks = NULL;
 
-	ri = LUKS2_reenc_status(hdr);
+	ri = LUKS2_reencrypt_status(hdr);
 	if (ri == CRYPT_REENCRYPT_INVALID)
 		return -EINVAL;
 
@@ -4071,15 +4079,45 @@ static int _open_and_activate_luks2(struct crypt_device *cd,
 		if (name)
 			r = _open_and_activate_reencrypt_device(cd, hdr, keyslot, name, passphrase,
 					passphrase_size, flags);
-		else
+		else {
 			r = _open_all_keys(cd, hdr, keyslot, passphrase,
-					   passphrase_size, flags, NULL);
+					   passphrase_size, flags, &vks);
+			if (r < 0)
+				return r;
+
+			rv = LUKS2_reencrypt_digest_verify(cd, hdr, vks);
+			crypt_free_volume_key(vks);
+			if (rv < 0)
+				return rv;
+		}
 	} else
 		r = _open_and_activate(cd, keyslot, name, passphrase,
 				passphrase_size, flags);
 
 	return r;
 }
+#else
+static int _open_and_activate_luks2(struct crypt_device *cd,
+	int keyslot,
+	const char *name,
+	const char *passphrase,
+	size_t passphrase_size,
+	uint32_t flags)
+{
+	crypt_reencrypt_info ri;
+
+	ri = LUKS2_reencrypt_status(&cd->u.luks2.hdr);
+	if (ri == CRYPT_REENCRYPT_INVALID)
+		return -EINVAL;
+
+	if (ri > CRYPT_REENCRYPT_NONE) {
+		log_err(cd, _("This operation is not supported for this device type."));
+		return -ENOTSUP;
+	}
+
+	return _open_and_activate(cd, keyslot, name, passphrase, passphrase_size, flags);
+}
+#endif
 
 static int _activate_by_passphrase(struct crypt_device *cd,
 	const char *name,
@@ -5258,8 +5296,8 @@ int crypt_get_metadata_size(struct crypt_device *cd,
 		msize = LUKS_ALIGN_KEYSLOTS;
 		ksize = LUKS_device_sectors(&cd->u.luks1.hdr) * SECTOR_SIZE - msize;
 	} else if (isLUKS2(cd->type)) {
-		msize = LUKS2_metadata_size(cd->u.luks2.hdr.jobj);
-		ksize = LUKS2_keyslots_size(cd->u.luks2.hdr.jobj);
+		msize = LUKS2_metadata_size(&cd->u.luks2.hdr);
+		ksize = LUKS2_keyslots_size(&cd->u.luks2.hdr);
 	} else
 		return -EINVAL;
 
@@ -5533,13 +5571,13 @@ void *crypt_get_hdr(struct crypt_device *cd, const char *type)
 }
 
 /* internal only */
-struct luks2_reenc_context *crypt_get_reenc_context(struct crypt_device *cd)
+struct luks2_reencrypt *crypt_get_luks2_reencrypt(struct crypt_device *cd)
 {
 	return cd->u.luks2.rh;
 }
 
 /* internal only */
-void crypt_set_reenc_context(struct crypt_device *cd, struct luks2_reenc_context *rh)
+void crypt_set_luks2_reencrypt(struct crypt_device *cd, struct luks2_reencrypt *rh)
 {
 	cd->u.luks2.rh = rh;
 }
@@ -6062,7 +6100,7 @@ crypt_reencrypt_info crypt_reencrypt_status(struct crypt_device *cd,
 	if (_onlyLUKS2(cd, CRYPT_CD_QUIET, CRYPT_REQUIREMENT_ONLINE_REENCRYPT))
 		return CRYPT_REENCRYPT_INVALID;
 
-	return LUKS2_reencrypt_status(cd, params);
+	return LUKS2_reencrypt_get_params(&cd->u.luks2.hdr, params);
 }
 
 static void __attribute__((destructor)) libcryptsetup_exit(void)

man/cryptsetup.8

@@ -811,6 +811,13 @@ are fixable. This command will only change the LUKS header, not
 any key-slot data. You may enforce LUKS version by adding \-\-type
 option.
 
+It also repairs (upgrades) LUKS2 reencryption metadata by adding
+metadata digest that protects it against malicious changes.
+
+If LUKS2 reencryption was interrupted in the middle of writting
+reencryption segment the repair command can be used to perform
+reencryption recovery so that reencryption can continue later.
+
 \fBWARNING:\fR Always create a binary backup of the original
 header before calling this command.
 .PP

po/POTFILES.in

@@ -37,6 +37,7 @@ lib/luks2/luks2_keyslot_luks2.c
 lib/luks2/luks2_keyslot_reenc.c
 lib/luks2/luks2_luks1_convert.c
 lib/luks2/luks2_reencrypt.c
+lib/luks2/luks2_reencrypt_digest.c
 lib/luks2/luks2_segment.c
 lib/luks2/luks2_token.c
 lib/luks2/luks2_token_keyring.c

src/cryptsetup.c

@@ -1121,24 +1121,63 @@ static int set_keyslot_params(struct crypt_device *cd, int keyslot)
 	return crypt_set_pbkdf_type(cd, &pbkdf);
 }
 
-static int _do_luks2_reencrypt_recovery(struct crypt_device *cd)
+static int reencrypt_metadata_repair(struct crypt_device *cd)
+{
+	char *password;
+	size_t passwordLen;
+	int r;
+	struct crypt_params_reencrypt params = {
+		.flags = CRYPT_REENCRYPT_REPAIR_NEEDED
+	};
+
+	if (!opt_batch_mode &&
+	    !yesDialog(_("Unprotected LUKS2 reencryption metadata detected. "
+			 "Please verify the reencryption operation is desirable (see luksDump output)\n"
+			 "and continue (upgrade metadata) only if you acknowledge the operation as genuine."),
+		       _("Operation aborted.\n")))
+		return -EINVAL;
+
+	r = tools_get_key(_("Enter passphrase to protect and uppgrade reencryption metadata: "),
+			  &password, &passwordLen, opt_keyfile_offset,
+			  opt_keyfile_size, opt_key_file, opt_timeout,
+			  _verify_passphrase(0), 0, cd);
+	if (r < 0)
+		return r;
+
+	r = crypt_reencrypt_init_by_passphrase(cd, NULL, password, passwordLen,
+			opt_key_slot, opt_key_slot, NULL, NULL, &params);
+	tools_passphrase_msg(r);
+	if (r < 0)
+		goto out;
+
+	r = crypt_activate_by_passphrase(cd, NULL, opt_key_slot,
+					 password, passwordLen, 0);
+	tools_passphrase_msg(r);
+	if (r >= 0)
+		r = 0;
+
+out:
+	crypt_safe_free(password);
+	return r;
+}
+
+static int luks2_reencrypt_repair(struct crypt_device *cd)
 {
 	int r;
 	size_t passwordLen;
+	const char *msg;
 	char *password = NULL;
-	struct crypt_params_reencrypt recovery_params = {
-		.flags = CRYPT_REENCRYPT_RECOVERY
-	};
+	struct crypt_params_reencrypt params = {};
+
+	crypt_reencrypt_info ri = crypt_reencrypt_status(cd, &params);
+
+	if (params.flags & CRYPT_REENCRYPT_REPAIR_NEEDED)
+		return reencrypt_metadata_repair(cd);
 
-	crypt_reencrypt_info ri = crypt_reencrypt_status(cd, NULL);
 	switch (ri) {
 	case CRYPT_REENCRYPT_NONE:
-		/* fall through */
+		return 0;
 	case CRYPT_REENCRYPT_CLEAN:
-		r = noDialog(_("Seems device does not require reencryption recovery.\n"
-				"Do you want to proceed anyway?"), NULL);
-		if (!r)
-			return 0;
 		break;
 	case CRYPT_REENCRYPT_CRASH:
 		r = yesDialog(_("Really proceed with LUKS2 reencryption recovery?"),
@@ -1150,8 +1189,12 @@ static int _do_luks2_reencrypt_recovery(struct crypt_device *cd)
 		return -EINVAL;
 	}
 
-	r = tools_get_key(_("Enter passphrase for reencryption recovery: "),
-			  &password, &passwordLen, opt_keyfile_offset,
+	if (ri == CRYPT_REENCRYPT_CLEAN)
+		msg = _("Enter passphrase to verify reencryption metadata digest: ");
+	else
+		msg = _("Enter passphrase for reencryption recovery: ");
+
+	r = tools_get_key(msg, &password, &passwordLen, opt_keyfile_offset,
 			  opt_keyfile_size, opt_key_file, opt_timeout,
 			  _verify_passphrase(0), 0, cd);
 	if (r < 0)
@@ -1162,8 +1205,14 @@ static int _do_luks2_reencrypt_recovery(struct crypt_device *cd)
 	if (r < 0)
 		goto out;
 
+	if (ri == CRYPT_REENCRYPT_CLEAN) {
+		r = 0;
+		goto out;
+	}
+
 	r = crypt_reencrypt_init_by_passphrase(cd, NULL, password, passwordLen,
-			opt_key_slot, opt_key_slot, NULL, NULL, &recovery_params);
+			opt_key_slot, opt_key_slot, NULL, NULL,
+			&(struct crypt_params_reencrypt){ .flags = CRYPT_REENCRYPT_RECOVERY });
 	if (r > 0)
 		r = 0;
 out:
@@ -1198,8 +1247,9 @@ static int action_luksRepair(void)
 	if (r == 0)
 		r = crypt_repair(cd, luksType(device_type), NULL);
 skip_repair:
+	/* Header is ok, check if reencryption metadata needs repair/recovery. */
 	if (!r && crypt_get_type(cd) && !strcmp(crypt_get_type(cd), CRYPT_LUKS2))
-		r = _do_luks2_reencrypt_recovery(cd);
+		r = luks2_reencrypt_repair(cd);
 out:
 	crypt_free(cd);
 	return r;

tests/Makefile.am

@@ -25,7 +25,7 @@ TESTS += verity-compat-test
 endif
 
 if REENCRYPT
-TESTS += reencryption-compat-test reencryption-compat-test2 luks2-reencryption-test
+TESTS += reencryption-compat-test reencryption-compat-test2 luks2-reencryption-test luks2-reencryption-mangle-test
 endif
 
 if INTEGRITYSETUP
@@ -57,6 +57,7 @@ EXTRA_DIST = compatimage.img.xz compatv10image.img.xz \
 	reencryption-compat-test \
 	reencryption-compat-test2 \
 	luks2-reencryption-test \
+	luks2-reencryption-mangle-test \
 	tcrypt-compat-test \
 	luks1-compat-test \
 	luks2-validation-test generators \
@@ -122,6 +123,7 @@ valgrind-check: api-test api-test-2 differ
 	@INFOSTRING="api-test-000" ./valg-api.sh ./api-test
 	@INFOSTRING="api-test-002" ./valg-api.sh ./api-test-2
 	@VALG=1 ./luks2-reencryption-test
+	@VALG=1 ./luks2-reencryption-mangle-test
 	@VALG=1 ./bitlk-compat-test
 	@grep -l "ERROR SUMMARY: [^0] errors" valglog* || echo "No leaks detected."
 

tests/api-test-2.c

@@ -3692,6 +3692,7 @@ static void Luks2Flags(void)
 	CRYPT_FREE(cd);
 }
 
+#if KERNEL_KEYRING && USE_LUKS2_REENCRYPTION
 static int test_progress(uint64_t size, uint64_t offset, void *usrptr)
 {
 	while (--test_progress_steps)
@@ -3702,7 +3703,6 @@ static int test_progress(uint64_t size, uint64_t offset, void *usrptr)
 static void Luks2Reencryption(void)
 {
 /* reencryption currently depends on kernel keyring support */
-#if KERNEL_KEYRING
 	/* NOTES:
 	 *  - reencryption requires luks2 parameters. can we avoid it?
 	 */
@@ -4404,8 +4404,8 @@ static void Luks2Reencryption(void)
 	crypt_free(cd);
 
 	_cleanup_dmdevices();
-#endif
 }
+#endif
 
 static void Luks2Repair(void)
 {
@@ -4521,7 +4521,9 @@ int main(int argc, char *argv[])
 	RUN_(Luks2Integrity, "LUKS2 with data integrity");
 	RUN_(Luks2Refresh, "Active device table refresh");
 	RUN_(Luks2Flags, "LUKS2 persistent flags");
+#if KERNEL_KEYRING && USE_LUKS2_REENCRYPTION
 	RUN_(Luks2Reencryption, "LUKS2 reencryption");
+#endif
 	RUN_(Luks2Repair, "LUKS2 repair"); // test disables metadata locking. Run always last!
 
 	_cleanup();

tests/luks2-reencryption-mangle-test

@@ -0,0 +1,506 @@
+#!/bin/bash
+
+PS4='$LINENO:'
+[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
+CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
+CRYPTSETUP_RAW=$CRYPTSETUP
+
+CRYPTSETUP_VALGRIND=../.libs/cryptsetup
+CRYPTSETUP_LIB_VALGRIND=../.libs
+IMG=reenc-mangle-data
+IMG_HDR=$IMG.hdr
+IMG_JSON=$IMG.json
+KEY1=key1
+DEV_NAME=reenc3492834
+
+FAST_PBKDF2="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+CS_PWPARAMS="--disable-keyring --key-file $KEY1"
+CS_PARAMS="-q --disable-locks $CS_PWPARAMS"
+JSON_MSIZE=16384
+
+function remove_mapping()
+{
+	[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
+	rm -f $IMG $IMG_HDR $IMG_JSON $KEY1 >/dev/null 2>&1
+}
+
+function fail()
+{
+	local frame=0
+	[ -n "$1" ] && echo "$1"
+	echo "FAILED backtrace:"
+	while caller $frame; do	((frame++)); done
+	remove_mapping
+	exit 2
+}
+
+function skip()
+{
+	[ -n "$1" ] && echo "$1"
+	remove_mapping
+	exit 77
+}
+
+function bin_check()
+{
+	which $1 >/dev/null 2>&1 || skip "WARNING: test require $1 binary, test skipped."
+}
+
+function img_json_save()
+{
+	# FIXME: why --json-file cannot be used?
+	#$CRYPTSETUP luksDump --dump-json-metadata $IMG | jq -c -M | tr -d '\n' >$IMG_JSON
+	local LUKS2_JSON_SIZE=$(($JSON_MSIZE - 4096))
+	_dd if=$IMG count=$LUKS2_JSON_SIZE skip=4096 | jq -c -M . | tr -d '\n' >$IMG_JSON
+}
+
+function img_json_dump()
+{
+	img_json_save
+	jq . $IMG_JSON
+}
+
+function img_hash_save()
+{
+	IMG_HASH=$(sha256sum $IMG | cut -d' ' -f 1)
+}
+
+function img_hash_unchanged()
+{
+	local IMG_HASH2=$(sha256sum $IMG | cut -d' ' -f 1)
+	[ "$IMG_HASH" != "$IMG_HASH2" ] && fail "Image changed!"
+}
+
+function img_prepare_raw() # $1 options
+{
+	remove_mapping
+
+	if [ ! -e $KEY1 ]; then
+		dd if=/dev/urandom of=$KEY1 count=1 bs=32 >/dev/null 2>&1
+	fi
+
+	truncate -s 32M $IMG || fail
+	$CRYPTSETUP luksFormat $FAST_PBKDF2 $CS_PARAMS --luks2-metadata-size $JSON_MSIZE $IMG $1 || fail
+}
+
+function img_prepare() # $1 options
+{
+	img_prepare_raw
+	# FIXME: resilience is not saved here (always none)?
+	$CRYPTSETUP reencrypt $IMG $CS_PARAMS -q --init-only --resilience none $1 >/dev/null 2>&1
+	[ $? -ne 0 ] && skip "Reencryption unsupported, test skipped."
+	img_json_save
+	img_hash_save
+}
+
+function _dd()
+{
+	dd $@ status=none conv=notrunc bs=1
+}
+
+# header mangle functions
+function img_update_json()
+{
+	local LUKS2_BIN1_OFFSET=448
+	local LUKS2_BIN2_OFFSET=$((LUKS2_BIN1_OFFSET + $JSON_MSIZE))
+	local LUKS2_JSON_SIZE=$(($JSON_MSIZE - 4096))
+
+	# if present jq script, mangle JSON
+	if [ -n "$1" ]; then
+		local JSON=$(cat $IMG_JSON)
+		echo $JSON | jq -M -c "$1" >$IMG_JSON || fail
+		local JSON=$(cat $IMG_JSON)
+		echo $JSON | tr -d '\n' >$IMG_JSON || fail
+	fi
+
+	# wipe JSON areas
+	_dd if=/dev/zero of=$IMG count=$LUKS2_JSON_SIZE seek=4096
+	_dd if=/dev/zero of=$IMG count=$LUKS2_JSON_SIZE seek=$(($JSON_MSIZE + 4096))
+
+	# write JSON data
+	_dd if=$IMG_JSON of=$IMG count=$LUKS2_JSON_SIZE seek=4096
+	_dd if=$IMG_JSON of=$IMG count=$LUKS2_JSON_SIZE seek=$(($JSON_MSIZE + 4096))
+
+	# erase sha256 checksums
+	_dd if=/dev/zero of=$IMG count=64 seek=$LUKS2_BIN1_OFFSET
+	_dd if=/dev/zero of=$IMG count=64 seek=$LUKS2_BIN2_OFFSET
+
+	# calculate sha256 and write chexksums
+	local SUM1_HEX=$(_dd if=$IMG count=$JSON_MSIZE | sha256sum | cut -d ' ' -f 1)
+	echo $SUM1_HEX | xxd -r -p | _dd of=$IMG seek=$LUKS2_BIN1_OFFSET count=64 || fail
+
+	local SUM2_HEX=$(_dd if=$IMG skip=$JSON_MSIZE count=$JSON_MSIZE | sha256sum | cut -d ' ' -f 1)
+	echo $SUM2_HEX | xxd -r -p | _dd of=$IMG seek=$LUKS2_BIN2_OFFSET count=64 || fail
+
+	img_hash_save
+}
+
+function img_check_ok()
+{
+	if [ $(id -u) == 0 ]; then
+		$CRYPTSETUP open $CS_PWPARAMS $IMG $DEV_NAME || fail
+		$CRYPTSETUP close $DEV_NAME || fail
+	fi
+
+	$CRYPTSETUP repair $IMG $CS_PARAMS || fail
+}
+
+function img_check_fail()
+{
+	if [ $(id -u) == 0 ]; then
+		$CRYPTSETUP open $CS_PWPARAMS $IMG $DEV_NAME 2>/dev/null && fail
+	fi
+
+	$CRYPTSETUP repair $IMG $CS_PARAMS 2>/dev/null && fail
+	img_hash_unchanged
+}
+
+function img_run_reenc_ok()
+{
+local EXPECT_TIMEOUT=5
+[ -n "$VALG" ] && EXPECT_TIMEOUT=60
+# For now, we cannot run reencryption in batch mode for non-block device. Just fake the terminal here.
+expect_run - >/dev/null <<EOF
+proc abort {} { send_error "Timeout. "; exit 2 }
+set timeout $EXPECT_TIMEOUT
+eval spawn $CRYPTSETUP_RAW reencrypt $IMG $CS_PWPARAMS --disable-locks --resilience none
+expect timeout abort "Are you sure? (Type 'yes' in capital letters):"
+send "YES\n"
+expect timeout abort eof
+exit
+EOF
+[ $? -eq 0 ] || fail "Expect script failed."
+}
+
+function img_run_reenc_fail()
+{
+local EXPECT_TIMEOUT=5
+[ -n "$VALG" ] && EXPECT_TIMEOUT=60
+# For now, we cannot run reencryption in batch mode for non-block device. Just fake the terminal here.
+expect_run - >/dev/null <<EOF
+proc abort {} { send_error "Timeout. "; exit 42 }
+set timeout $EXPECT_TIMEOUT
+eval spawn $CRYPTSETUP_RAW reencrypt $IMG $CS_PWPARAMS --disable-locks
+expect timeout abort "Are you sure? (Type 'yes' in capital letters):"
+send "YES\n"
+expect timeout abort eof
+catch wait result
+exit [lindex \$result 3]
+EOF
+local ret=$?
+[ $ret -eq 0 ] &&  fail "Reencryption passed (should have failed)."
+[ $ret -eq 42 ] && fail "Expect script failed."
+img_hash_unchanged
+}
+
+function img_check_fail_repair_ok()
+{
+	if [ $(id -u) == 0 ]; then
+		$CRYPTSETUP open $CS_PWPARAMS $IMG $DEV_NAME 2>/dev/null && fail
+	fi
+
+	img_run_reenc_fail
+
+	# repair metadata
+	$CRYPTSETUP repair $IMG $CS_PARAMS || fail
+
+	img_check_ok
+	img_run_reenc_ok
+}
+
+function valgrind_setup()
+{
+	bin_check valgrind
+	[ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
+	export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
+	CRYPTSETUP=valgrind_run
+	CRYPTSETUP_RAW="./valg.sh ${CRYPTSETUP_VALGRIND}"
+}
+
+function valgrind_run()
+{
+	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
+}
+
+function expect_run()
+{
+        export INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}"
+        expect "$@"
+}
+
+bin_check jq
+bin_check sha256sum
+bin_check xxd
+bin_check expect
+
+export LANG=C
+
+[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run
+
+#while false; do
+
+echo "[1] Reencryption with old flag is rejected"
+img_prepare
+img_update_json '.config.requirements.mandatory = ["online-reencryptx"]'
+img_check_fail
+img_update_json '.config.requirements.mandatory = ["online-reencrypt-v2"]'
+img_check_ok
+img_run_reenc_ok
+img_check_ok
+
+# Simulate old reencryption with no digest (repairable)
+img_prepare
+img_update_json 'del(.digests."2") | .config.requirements.mandatory = ["online-reencrypt"]'
+img_check_fail_repair_ok
+
+# This must fail for new releases
+echo "[2] Old reencryption in-progress (journal)"
+img_prepare
+img_update_json '
+	del(.digests."2") |
+	.keyslots."2".area.type = "journal" |
+	.segments = {
+		"0" : (.segments."0" +
+			{"size" : .keyslots."2".area.size} +
+			{"flags" : ["in-reencryption"]}),
+		"1" : (.segments."0" +
+			{"offset" : ((.segments."0".offset|tonumber) +
+			(.keyslots."2".area.size|tonumber))|tostring}),
+		"2" : .segments."1",
+		"3" : .segments."2"
+	} |
+	.digests."0".segments = ["1","2"] |
+	.digests."1".segments = ["0","3"] |
+	.config.requirements.mandatory = ["online-reencrypt"]'
+img_check_fail_repair_ok
+
+echo "[3] Old reencryption in-progress (checksum)"
+img_prepare
+img_update_json '
+	del(.digests."2") |
+	.keyslots."2".area.type = "checksum" |
+	.keyslots."2".area.hash = "sha256" |
+	.keyslots."2".area.sector_size = 4096 |
+	.segments = {
+		"0" : (.segments."0" +
+			{"size" : .keyslots."2".area.size} +
+			{"flags" : ["in-reencryption"]}),
+		"1" : (.segments."0" +
+			{"offset": ((.segments."0".offset|tonumber) +
+			(.keyslots."2".area.size|tonumber))|tostring}),
+		"2" : .segments."1",
+		"3" : .segments."2"
+	} |
+	.digests."0".segments = ["1","2"] |
+	.digests."1".segments = ["0","3"] |
+	.config.requirements.mandatory = ["online-reencrypt"]'
+img_check_fail_repair_ok
+
+# Note: older tools cannot create this from commandline
+echo "[4] Old decryption in-progress (journal)"
+img_prepare
+img_update_json '
+	del(.digests."1") |
+	del(.digests."2") |
+	del(.keyslots."1") |
+	.keyslots."2".mode = "decrypt" |
+	.keyslots."2".area.type = "journal" |
+	.segments = {
+		"0" : {
+			"type" : "linear",
+			"offset" : .segments."0".offset,
+			"size" : .keyslots."2".area.size,
+			"flags" : ["in-reencryption"]
+		},
+		"1" : (.segments."0" +
+			{"offset" : ((.segments."0".offset|tonumber) +
+			(.keyslots."2".area.size|tonumber))|tostring}),
+		"2" : .segments."1",
+		"3" : {
+			"type" : "linear",
+			"offset" : .segments."0".offset,
+			"size" : "dynamic",
+			"flags" : ["backup-final"]
+		}
+	} |
+	.digests."0".segments = ["1","2"] |
+	.config.requirements.mandatory = ["online-reencrypt"]'
+img_check_fail_repair_ok
+
+echo "[5] Old decryption in-progress (checksum)"
+img_prepare
+img_update_json '
+	del(.digests."1") |
+	del(.digests."2") |
+	del(.keyslots."1") |
+	.keyslots."2".mode = "decrypt" |
+	.keyslots."2".area.type = "checksum" |
+	.keyslots."2".area.hash = "sha256" |
+	.keyslots."2".area.sector_size = 4096 |
+	.segments = {
+		"0" : {
+			"type" : "linear",
+			"offset" : .segments."0".offset,
+			"size" : .keyslots."2".area.size,
+			"flags" : ["in-reencryption"]
+		},
+		"1" : (.segments."0" +
+			{"offset" : ((.segments."0".offset|tonumber) +
+			(.keyslots."2".area.size|tonumber))|tostring}),
+		"2" : .segments."1",
+		"3" : {
+			"type" : "linear",
+			"offset" : .segments."0".offset,
+			"size" : "dynamic",
+			"flags" : ["backup-final"]
+		}
+	} |
+	.digests."0".segments = ["1","2"] |
+	.config.requirements.mandatory = ["online-reencrypt"]'
+img_check_fail_repair_ok
+
+# Note - offset is set to work with the old version (with a datashift bug)
+echo "[6] Old reencryption in-progress (datashift)"
+img_prepare
+img_update_json '
+	del(.digests."2") |
+	.keyslots."2".direction = "backward" |
+	.keyslots."2".area.type = "datashift" |
+	.keyslots."2".area.size = "4096" |
+	.keyslots."2".area.shift_size = ((1 * 1024 * 1024)|tostring) |
+	.segments = {
+		"0" : (.segments."0" +
+			{"size" : ((13 * 1024 * 1024)|tostring)}),
+		"1" : (.segments."0" +
+			{"offset" : ((30 * 1024 * 1024)|tostring)}),
+		"2" : .segments."1",
+		"3" : (.segments."2" +
+			{"offset" : ((17 * 1024 * 1024)|tostring)}),
+	} |
+	.digests."0".segments = ["0","2"] |
+	.digests."1".segments = ["1","3"] |
+	.config.requirements.mandatory = ["online-reencrypt"]'
+img_check_fail_repair_ok
+
+#
+# NEW metadata (with reenc digest)
+#
+echo "[7] Reencryption with various mangled metadata"
+
+# Normal situation
+img_prepare
+img_run_reenc_ok
+img_check_ok
+
+# The same in various steps.
+# Repair must validate not only metadata, but also reencryption digest.
+img_prepare
+img_update_json 'del(.digests."2")'
+img_check_fail_repair_ok
+
+img_prepare '--reduce-device-size 2M'
+img_update_json '.keyslots."2".area.shift_size = ((.keyslots."2".area.shift_size|tonumber / 2)|tostring)'
+img_check_fail
+
+#FIXME: cannot check with correct digest for now (--init-only does not store area type)
+img_prepare
+img_update_json '
+	.keyslots."2".area.type = "checksum" |
+	.keyslots."2".area.hash = "sha256" |
+	.keyslots."2".area.sector_size = 4096'
+img_check_fail
+
+img_prepare
+img_update_json '.keyslots."2".area.type = "journal"'
+img_check_fail
+
+img_prepare
+img_update_json '.keyslots."2".mode = "decrypt"'
+img_check_fail
+
+img_prepare
+img_update_json '.keyslots."2".direction = "backward"'
+img_check_fail
+
+# key_size must be 1
+img_prepare
+img_update_json '.keyslots."2".key_size = 16'
+img_check_fail
+
+# Mangling segments
+img_prepare
+img_update_json 'del(.segments."1")'
+img_check_fail
+
+img_prepare
+img_update_json '.segments."0".encryption = "aes-cbc-null"'
+img_check_fail
+
+img_prepare
+img_update_json '.segments."1".encryption = "aes-cbc-null"'
+img_check_fail
+
+img_prepare
+img_update_json '.segments."2".encryption = "aes-cbc-null"'
+img_check_fail
+
+# Mangling digests
+img_prepare
+img_update_json '
+	.digests."2" = .digests."0" |
+	.digests."2".keyslots = ["2"] |
+	.digests."2".segments = []'
+img_check_fail
+
+img_prepare
+img_update_json '.digests."2".iterations = 1111'
+img_check_fail
+
+# Simulate correct progress
+img_prepare
+img_update_json '
+	.segments = {
+		"0" : (.segments."0" +
+			{"size" : ((1 * 1024 * 1024)|tostring)}),
+		"1" : (.segments."0" +
+			{"offset" : ((17 * 1024 * 1024)|tostring)}),
+		"2" : .segments."1",
+		"3" : .segments."2"
+	} |
+	.digests."0".segments = ["1","2"] |
+	.digests."1".segments = ["0","3"]'
+img_check_ok
+
+# Mangling keyslots
+
+# Set reencrypt slot to non-ignore priority
+# This should be benign, just avoid noisy messages
+img_prepare
+img_update_json 'del(.keyslots."2".priority)'
+img_check_ok
+
+# Flags
+
+# Remove mandatory reenc flag, but keep reenc metadata
+img_prepare
+img_update_json '.config.requirements.mandatory = []'
+img_check_fail
+
+# Unknown segment flag, should be ignored
+img_prepare
+img_update_json '.segments."0".flags = ["dead-parrot"]'
+img_check_ok
+
+echo "[8] Reencryption with AEAD is not supported"
+img_prepare_raw
+img_json_save
+img_update_json '
+	.segments."0".integrity = {
+		"type" : "hmac(sha256)",
+		"journal_encryption": "none",
+		"journal_integrity": "none"
+	}'
+$CRYPTSETUP reencrypt $IMG $CS_PARAMS >/dev/null 2>&1 && fail
+
+remove_mapping
+exit 0

tests/luks2-reencryption-test

@@ -115,6 +115,7 @@ function fail()
 function skip()
 {
 	[ -n "$1" ] && echo "$1"
+	remove_mapping
 	exit 77
 }
 
@@ -726,6 +727,7 @@ echo -n "[512 sector]"
 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-essiv:sha256 --offset 8192 $FAST_PBKDF_ARGON $DEV || fail
 wipe $PWD1
 check_hash $PWD1 $HASH1
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON 2>&1 | tail -1 | grep -q "not supported" && skip " No reenryption support, test skipped."
 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q $FAST_PBKDF_ARGON || fail
 check_hash $PWD1 $HASH1
 echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q -s 256 -c twofish-cbc-essiv:sha256 --resilience journal $FAST_PBKDF_ARGON || fail