Unlink second VK after deactivating volume during reencryption
Issue description
After closing a device which is in re-encryption, the second volume key is not unlinked from the thread keyring.
Steps for reproducing the issue
Add a test to api-test-2, like so:
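/*
 * Reproducer: deactivate a LUKS2 device while reencryption is initialized
 * and verify that no dm-crypt volume key stays linked in the thread keyring.
 *
 * The test activates the device, expects the key lookups for segments 0 and 1
 * to succeed, deactivates the device, and then expects both lookups to fail.
 * Per the issue report, the lookup for the second key still succeeds after
 * deactivation, i.e. that key is left linked in the keyring.
 *
 * Relies on the helpers and globals of the test suite (OK_, EQ_, NOTFAIL_,
 * FAIL_, cd, PASSPHRASE, ...), which are defined outside this function.
 */
static void ReencryptionUnlink(void)
{
	/*
	 * Small fixed PBKDF costs with benchmarking disabled.
	 * NOTE(review): presumably chosen to keep the test fast; these are
	 * not values for protecting real data.
	 */
	struct crypt_pbkdf_type pbkdf = {
		.type = CRYPT_KDF_ARGON2I,
		.hash = "sha256",
		.parallel_threads = 1,
		.max_memory_kb = 128,
		.iterations = 4,
		.flags = CRYPT_PBKDF_NO_BENCHMARK
	};
	struct crypt_params_luks2 params2 = {
		.pbkdf = &pbkdf,
		.sector_size = 4096
	};
	struct crypt_params_reencrypt rparams = {
		.direction = CRYPT_REENCRYPT_FORWARD,
		.resilience = "checksum",
		.hash = "sha256",
		.luks2 = &params2,
	};
	uint64_t r_header_size;

	/* Backing device: header area plus 16 extra units (see helper for the unit). */
	OK_(get_luks2_offsets(1, 0, 0, &r_header_size, NULL));
	OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_header_size + 16));

	/* Format as LUKS2 with aes-cbc-essiv:sha256 and a 32-byte volume key. */
	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
	OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "cbc-essiv:sha256", NULL, NULL, 32, &params2));
	OK_(crypt_set_pbkdf_type(cd, &pbkdf));

	/*
	 * Keyslot 1 and keyslot 0 both use PASSPHRASE; keyslot 0 is added with
	 * CRYPT_VOLUME_KEY_NO_SEGMENT, i.e. its key is not assigned to a segment
	 * yet. Key sizes (64 and 32) are kept exactly as in the report.
	 */
	EQ_(crypt_keyslot_add_by_volume_key(cd, 1, NULL, 64, PASSPHRASE, strlen(PASSPHRASE)), 1);
	EQ_(crypt_keyslot_add_by_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE), CRYPT_VOLUME_KEY_NO_SEGMENT), 0);

	/* Only initialize reencryption (to aes-xts-plain64); do not run it. */
	rparams.flags = CRYPT_REENCRYPT_INITIALIZE_ONLY;
	EQ_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 1, 0, "aes", "xts-plain64", &rparams), 2);

	/* While active, the keys for both segments must be found in the keyring. */
	EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), 0), 0);
	NOTFAIL_(_kernel_key_by_segment_and_type(cd, 0, "logon"), "dm-crypt VK was not uploaded in thread kernel keyring.");
	NOTFAIL_(_kernel_key_by_segment_and_type(cd, 1, "logon"), "dm-crypt VK was not uploaded in thread kernel keyring.");

	/*
	 * After deactivation both lookups must fail: key material that is still
	 * linked here outlives the mapping it was loaded for.
	 */
	OK_(crypt_deactivate(cd, CDEVICE_1));
	FAIL_(_kernel_key_by_segment_and_type(cd, 0, "logon"), "dm-crypt VK remain linked in thread keyring.");
	FAIL_(_kernel_key_by_segment_and_type(cd, 1, "logon"), "dm-crypt VK remain linked in thread keyring.");

	CRYPT_FREE(cd);
	_cleanup_dmdevices();
}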
Edited by Daniel Zaťovič