From dff9ee8c8cb68432e96261b87aabb7aaa51215e7 Mon Sep 17 00:00:00 2001 From: Milan Broz Date: Tue, 2 May 2023 15:42:21 +0200 Subject: [PATCH] Also disallow active devices with internal kernel names. The same problem fixed in commit 438cf1d1b3ef6d7405cfbcbe5f631d3d7467a605 is present in libdevmapper wrapper when parsing active device table. The whole point of conversion was that non-authenticated modes can be always represented in the old cipher-mode-iv format. As the internal names contains dash, these are unsupported. That said, the libdevmapper backend now correctly returns full cipher specification including capi prefix for this case. Init_by_name call now fails with incomplatible cipher definition error. --- lib/setup.c | 2 +- lib/utils_crypt.c | 9 +++++++++ tests/mode-test | 5 +++++ 3 files changed, 15 insertions(+), 1 deletion(-) Index: cryptsetup-2.3.7/lib/setup.c =================================================================== --- cryptsetup-2.3.7.orig/lib/setup.c +++ cryptsetup-2.3.7/lib/setup.c @@ -1188,7 +1188,7 @@ static int _init_by_name_crypt(struct cr r = crypt_parse_name_and_mode(tgt->type == DM_LINEAR ? "null" : tgt->u.crypt.cipher, cipher, &key_nums, cipher_mode); if (r < 0) { - log_dbg(cd, "Cannot parse cipher and mode from active device."); + log_err(cd, _("No known cipher specification pattern detected for active device %s."), name); goto out; } Index: cryptsetup-2.3.7/lib/utils_crypt.c =================================================================== --- cryptsetup-2.3.7.orig/lib/utils_crypt.c +++ cryptsetup-2.3.7/lib/utils_crypt.c 
@@ -224,6 +224,15 @@ int crypt_capi_to_cipher(char **org_c, c if (i != 2) return -EINVAL; + /* non-cryptsetup compatible mode (generic driver with dash?) */ + if (strrchr(iv, ')')) { + if (i_dm) + return -EINVAL; + if (!(*org_c = strdup(c_dm))) + return -ENOMEM; + return 0; + } + len = strlen(tmp); if (len < 2) return -EINVAL; Index: cryptsetup-2.3.7/tests/mode-test =================================================================== --- cryptsetup-2.3.7.orig/tests/mode-test +++ cryptsetup-2.3.7/tests/mode-test @@ -8,6 +8,8 @@ DEV_NAME=dmc_test HEADER_IMG=mode-test.img PASSWORD=3xrododenron PASSWORD1=$PASSWORD +KEY="7c0dc5dfd0c9191381d92e6ebb3b29e7f0dba53b0de132ae23f5726727173540" +FAST_PBKDF2="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" # cipher-chainmode-ivopts:ivmode CIPHERS="aes twofish serpent" @@ -172,6 +174,10 @@ echo -n "CAPI format:" echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail $CRYPTSETUP close "$DEV_NAME"_tstdev || fail echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail +dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail +$CRYPTSETUP status "$DEV_NAME"_tstdev >/dev/null 2>&1 && fail +$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null && fail +dmsetup remove "$DEV_NAME"_tstdev || fail echo [OK] cleanup
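Review bot: The added branch returns 0 after assigning only `*org_c`, so on this success path no other output of crypt_capi_to_cipher is written. The signature is cut off in the hunk header, but if it also carries an integrity output (the `i_dm` check suggests so, and upstream names it `org_i`), the branch should clear it before `return 0;`, e.g. `*org_i = NULL;`, so a caller can never read or free an uninitialised pointer. The comment is terse for a fix of this kind and could read `/* ')' after the first '-' means the dash was inside the capi spec (e.g. aes-generic); hand back the full string so callers reject it */`. `strchr` would state the presence test more directly than `strrchr`. The function starts and ends outside the hunk, so how `iv` is filled is inferred from the commit message and the test string.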
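Review bot: `FAST_PBKDF2` is added in the first tests/mode-test hunk but nothing in this patch uses it. The diffstat counts 5 added lines for this file while the two hunks add 6, which suggests the variable came in with the backport rather than the original commit. Drop it unless a part of the file outside the hunks references it. A comment on `KEY`, such as `# fixed 256-bit test key for the raw dmsetup table below`, would make clear that it is test data.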
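Review bot: In the second tests/mode-test hunk, `dmsetup create ... || fail` hard-fails whenever the running kernel cannot instantiate `xts(ecb(aes-generic))`, which is an environment limitation rather than a regression in the code under test. Consider skipping the following checks in that case instead of failing. If `$CRYPTSETUP status` unexpectedly succeeds, `fail` runs before `dmsetup remove`, so the raw mapping stays behind unless `fail` (defined outside the hunk) cleans it up. A one-line comment such as `# a mapping created behind cryptsetup's back with an internal driver name must be rejected by status and close` would explain why the two cryptsetup calls are expected to fail.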