cryptsetup: Adjust XTS keys size also if cipher is specified with capi: prefix.

mbroz · mbroz · commit e5c2892cd577 · 2025-05-20T16:58:14.000+02:00
Fixes: #776
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
@@ -1589,7 +1589,7 @@ int luksFormat(struct crypt_device **r_cd, struct crypt_keyslot_context **r_kc)
 			goto out;
 	}
 
-	keysize = get_adjusted_key_size(cipher_mode, ARG_UINT32(OPT_KEY_SIZE_ID),
+	keysize = get_adjusted_key_size(cipher, cipher_mode, ARG_UINT32(OPT_KEY_SIZE_ID),
 					DEFAULT_LUKS1_KEYBITS, integrity_keysize);
 
 	if (ARG_SET(OPT_HW_OPAL_ONLY_ID))
diff --git a/src/utils_luks.c b/src/utils_luks.c
@@ -139,11 +139,11 @@ int set_tries_tty(bool keyring)
 	return (tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID)) && isatty(STDIN_FILENO)) ? ARG_UINT32(OPT_TRIES_ID) : 1;
 }
 
-int get_adjusted_key_size(const char *cipher_mode, uint32_t keysize_bits,
+int get_adjusted_key_size(const char *cipher, const char *cipher_mode, uint32_t keysize_bits,
 			  uint32_t default_size_bits, int integrity_keysize)
 {
 #if ENABLE_LUKS_ADJUST_XTS_KEYSIZE
-	if (!keysize_bits && !strncmp(cipher_mode, "xts-", 4)) {
+	if (!keysize_bits && (!strncmp(cipher_mode, "xts-", 4) || !strncmp(cipher, "capi:xts(", 9))) {
 		if (default_size_bits == 128)
 			keysize_bits = 256;
 		else if (default_size_bits == 256)
diff --git a/src/utils_luks.h b/src/utils_luks.h
@@ -27,7 +27,7 @@ int set_pbkdf_params(struct crypt_device *cd, const char *dev_type);
 
 int set_tries_tty(bool keyring);
 
-int get_adjusted_key_size(const char *cipher_mode, uint32_t keysize_bits,
+int get_adjusted_key_size(const char *cipher, const char *cipher_mode, uint32_t keysize_bits,
 			  uint32_t default_size_bits, int integrity_keysize);
 
 int luksFormat(struct crypt_device **r_cd, struct crypt_keyslot_context **r_kc);
diff --git a/src/utils_reencrypt.c b/src/utils_reencrypt.c
@@ -1910,7 +1910,7 @@ static int reencrypt_luks2_init(struct crypt_device *cd, const char *data_device
 			new_key_size = ARG_UINT32(OPT_NEW_KEY_SIZE_ID);
 
 		if (new_key_size || new_cipher)
-			new_key_size = get_adjusted_key_size(mode, new_key_size,
+			new_key_size = get_adjusted_key_size(cipher, mode, new_key_size,
 							 DEFAULT_LUKS1_KEYBITS, 0);
 		else
 			new_key_size = key_size;

Original file line number	Diff line number	Diff line change
`@@ -1589,7 +1589,7 @@ int luksFormat(struct crypt_device r_cd, struct crypt_keyslot_context r_kc)`
`1589`	`1589`	`goto out;`
`1590`	`1590`	`}`
`1591`	`1591`
`1592`		`- keysize = get_adjusted_key_size(cipher_mode, ARG_UINT32(OPT_KEY_SIZE_ID),`
	`1592`	`+ keysize = get_adjusted_key_size(cipher, cipher_mode, ARG_UINT32(OPT_KEY_SIZE_ID),`
`1593`	`1593`	`DEFAULT_LUKS1_KEYBITS, integrity_keysize);`
`1594`	`1594`
`1595`	`1595`	`if (ARG_SET(OPT_HW_OPAL_ONLY_ID))`
Original file line number	Diff line number	Diff line change
`@@ -139,11 +139,11 @@ int set_tries_tty(bool keyring)`
`139`	`139`	`return (tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID)) && isatty(STDIN_FILENO)) ? ARG_UINT32(OPT_TRIES_ID) : 1;`
`140`	`140`	`}`
`141`	`141`
`142`		`-int get_adjusted_key_size(const char *cipher_mode, uint32_t keysize_bits,`
	`142`	`+int get_adjusted_key_size(const char cipher, const char cipher_mode, uint32_t keysize_bits,`
`143`	`143`	`uint32_t default_size_bits, int integrity_keysize)`
`144`	`144`	`{`
`145`	`145`	`#if ENABLE_LUKS_ADJUST_XTS_KEYSIZE`
`146`		`- if (!keysize_bits && !strncmp(cipher_mode, "xts-", 4)) {`
	`146`	`+ if (!keysize_bits && (!strncmp(cipher_mode, "xts-", 4) \|\| !strncmp(cipher, "capi:xts(", 9))) {`
`147`	`147`	`if (default_size_bits == 128)`
`148`	`148`	`keysize_bits = 256;`
`149`	`149`	`else if (default_size_bits == 256)`