80 lines
3.1 KiB
Diff
80 lines
3.1 KiB
Diff
|
From dff9ee8c8cb68432e96261b87aabb7aaa51215e7 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Milan Broz <gmazyland@gmail.com>
|
||
|
|
Date: Tue, 2 May 2023 15:42:21 +0200
|
||
|
|
Subject: [PATCH] Also disallow active devices with internal kernel names.
|
||
|
|
|
||
|
|
The same problem fixed in commit 438cf1d1b3ef6d7405cfbcbe5f631d3d7467a605
|
||
|
|
is present in libdevmapper wrapper when parsing active device table.
|
||
|
|
|
||
|
|
The whole point of conversion was that non-authenticated modes
|
||
|
|
can be always represented in the old cipher-mode-iv format.
|
||
|
|
As the internal names contains dash, these are unsupported.
|
||
|
|
|
||
|
|
That said, the libdevmapper backend now correctly returns
|
||
|
|
full cipher specification including capi prefix for this case.
|
||
|
|
|
||
|
|
Init_by_name call now fails with incomplatible cipher definition error.
|
||
|
|
---
|
||
|
|
lib/setup.c | 2 +-
|
||
|
|
lib/utils_crypt.c | 9 +++++++++
|
||
|
|
tests/mode-test | 5 +++++
|
||
|
|
3 files changed, 15 insertions(+), 1 deletion(-)
|
||
|
|
|
||
|
|
Index: cryptsetup-2.3.7/lib/setup.c
|
||
|
|
===================================================================
|
||
|
|
--- cryptsetup-2.3.7.orig/lib/setup.c
|
||
|
|
+++ cryptsetup-2.3.7/lib/setup.c
|
||
|
|
@@ -1188,7 +1188,7 @@ static int _init_by_name_crypt(struct cr
|
||
|
|
r = crypt_parse_name_and_mode(tgt->type == DM_LINEAR ? "null" : tgt->u.crypt.cipher, cipher,
|
||
|
|
&key_nums, cipher_mode);
|
||
|
|
if (r < 0) {
|
||
|
|
- log_dbg(cd, "Cannot parse cipher and mode from active device.");
|
||
|
|
+ log_err(cd, _("No known cipher specification pattern detected for active device %s."), name);
|
||
|
|
goto out;
|
||
|
|
}
|
||
|
|
|
||
|
|
Index: cryptsetup-2.3.7/lib/utils_crypt.c
|
||
|
|
===================================================================
|
||
|
|
--- cryptsetup-2.3.7.orig/lib/utils_crypt.c
|
||
|
|
+++ cryptsetup-2.3.7/lib/utils_crypt.c
|
||
|
|
@@ -224,6 +224,15 @@ int crypt_capi_to_cipher(char **org_c, c
|
||
|
|
if (i != 2)
|
||
|
|
return -EINVAL;
|
||
|
|
|
||
|
|
+ /* non-cryptsetup compatible mode (generic driver with dash?) */
|
||
|
|
+ if (strrchr(iv, ')')) {
|
||
|
|
+ if (i_dm)
|
||
|
|
+ return -EINVAL;
|
||
|
|
+ if (!(*org_c = strdup(c_dm)))
|
||
|
|
+ return -ENOMEM;
|
||
|
|
+ return 0;
|
||
|
|
+ }
|
||
|
|
+
|
||
|
|
len = strlen(tmp);
|
||
|
|
if (len < 2)
|
||
|
|
return -EINVAL;
|
||
|
|
Index: cryptsetup-2.3.7/tests/mode-test
|
||
|
|
===================================================================
|
||
|
|
--- cryptsetup-2.3.7.orig/tests/mode-test
|
||
|
|
+++ cryptsetup-2.3.7/tests/mode-test
|
||
|
|
@@ -8,6 +8,8 @@ DEV_NAME=dmc_test
|
||
|
|
HEADER_IMG=mode-test.img
|
||
|
|
PASSWORD=3xrododenron
|
||
|
|
PASSWORD1=$PASSWORD
|
||
|
|
+KEY="7c0dc5dfd0c9191381d92e6ebb3b29e7f0dba53b0de132ae23f5726727173540"
|
||
|
|
+FAST_PBKDF2="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
|
||
|
|
|
||
|
|
# cipher-chainmode-ivopts:ivmode
|
||
|
|
CIPHERS="aes twofish serpent"
|
||
|
|
@@ -172,6 +174,10 @@ echo -n "CAPI format:"
|
||
|
|
echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail
|
||
|
|
$CRYPTSETUP close "$DEV_NAME"_tstdev || fail
|
||
|
|
echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail
|
||
|
|
+dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail
|
||
|
|
+$CRYPTSETUP status "$DEV_NAME"_tstdev >/dev/null 2>&1 && fail
|
||
|
|
+$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null && fail
|
||
|
|
+dmsetup remove "$DEV_NAME"_tstdev || fail
|
||
|
|
echo [OK]
|
||
|
|
|
||
|
|
cleanup
|