From dff9ee8c8cb68432e96261b87aabb7aaa51215e7 Mon Sep 17 00:00:00 2001
From: Milan Broz
Date: Tue, 2 May 2023 15:42:21 +0200
Subject: [PATCH] Also disallow active devices with internal kernel names.
The same problem fixed in commit 438cf1d1b3ef6d7405cfbcbe5f631d3d7467a605 is present in libdevmapper wrapper when parsing active device table. The whole point of conversion was that non-authenticated modes can be always represented in the old cipher-mode-iv format. As the internal names contains dash, these are unsupported. That said, the libdevmapper backend now correctly returns full cipher specification including capi prefix for this case. Init_by_name call now fails with incomplatible cipher definition error.
---
 lib/setup.c | 2 +-
 lib/utils_crypt.c | 9 +++++++++
 tests/mode-test | 5 +++++
 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/lib/setup.c b/lib/setup.c
index 4bc3f6fb..57435475 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -1258,7 +1258,7 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name)
 r = crypt_parse_name_and_mode(tgt->type == DM_LINEAR ? "null" : tgt->u.crypt.cipher, cipher, &key_nums, cipher_mode);
 if (r < 0) {
- log_dbg(cd, "Cannot parse cipher and mode from active device.");
+ log_err(cd, _("No known cipher specification pattern detected for active device %s."), name);
 goto out;
 }
diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c
index c1bde000..9232a91d 100644
--- a/lib/utils_crypt.c
+++ b/lib/utils_crypt.c
@@ -306,6 +306,15 @@ int crypt_capi_to_cipher(char **org_c, char **org_i, const char *c_dm, const char *i_dm)
 if (i != 2)
 return -EINVAL;
+ /* non-cryptsetup compatible mode (generic driver with dash?) */
+ if (strrchr(iv, ')')) {
+ if (i_dm)
+ return -EINVAL;
+ if (!(*org_c = strdup(c_dm)))
+ return -ENOMEM;
+ return 0;
+ }
+
 len = strlen(tmp);
 if (len < 2)
 return -EINVAL;
diff --git a/tests/mode-test b/tests/mode-test
index fe61880a..4775751e 100755
--- a/tests/mode-test
+++ b/tests/mode-test
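Review bot: In lib/utils_crypt.c, the early-return branch added to crypt_capi_to_cipher() returns 0 after writing only `*org_c`; `*org_i` is never assigned on this path, so a caller that did not pre-initialise its integrity pointer could read or free an indeterminate value after a successful call. Because `i_dm` is known to be NULL at that point, adding `*org_i = NULL;` just before `return 0;` would make the success contract explicit. The comment `/* non-cryptsetup compatible mode (generic driver with dash?) */` would be clearer as a statement of what the `)` test detects, presumably a dash split that landed inside a nested driver name. Since only presence is tested, `strchr(iv, ')')` would express it more directly than `strrchr`. The function starts and continues outside the hunk, so how its other success paths treat `*org_i` should be confirmed there.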
@@ -8,6 +8,7 @@ DEV_NAME=dmc_test
 HEADER_IMG=mode-test.img
 PASSWORD=3xrododenron
 PASSWORD1=$PASSWORD
+KEY="7c0dc5dfd0c9191381d92e6ebb3b29e7f0dba53b0de132ae23f5726727173540"
 FAST_PBKDF2="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
 # cipher-chainmode-ivopts:ivmode
@@ -188,6 +189,10 @@ echo -n "CAPI format:"
 echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail
 $CRYPTSETUP close "$DEV_NAME"_tstdev || fail
 echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail
+dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail
+$CRYPTSETUP status "$DEV_NAME"_tstdev >/dev/null 2>&1 && fail
+$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null && fail
+dmsetup remove "$DEV_NAME"_tstdev || fail
 echo [OK]
 cleanup
--
2.41.0
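Review bot: In the `@@ -188,6 +189,10 @@` hunk of tests/mode-test, the two negative checks after `dmsetup create` throw away all output and test only for a non-zero exit (`>/dev/null 2>&1 && fail`, `2>/dev/null && fail`), so they pass on any failure of `status` or `close`, not specifically on the cipher-specification rejection this commit adds. Checking for the new message would pin the intended behaviour, e.g. `$CRYPTSETUP status "$DEV_NAME"_tstdev 2>&1 | grep -q "No known cipher specification pattern" || fail`, assuming the test runs with an untranslated locale. If one of these checks does trip, `fail` runs while the mapping created directly by `dmsetup` is still active; `fail` is defined outside this hunk, so confirm it removes `"$DEV_NAME"_tstdev`.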