From 01f896711ed54bff7c1ccf944d2295929af7c75c Mon Sep 17 00:00:00 2001 From: Ondrej Kozina Date: Thu, 11 Feb 2021 12:17:02 +0100 Subject: [PATCH] Replace bogus cipher_null keyslots before reencryption. By mistake LUKS2 allowed keyslots 'not-so-encrypted' by cipher_null (only explicitly requested by --cipher or --keyslot-cipher parameters). If we encounter such old key during reencryption let's replace the cipher for new keyslot with default LUKS2 keyslot cipher. --- src/cryptsetup.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/cryptsetup.c b/src/cryptsetup.c index 957c24ea..5e222866 100644 --- a/src/cryptsetup.c +++ b/src/cryptsetup.c @@ -1091,6 +1091,12 @@ static int set_keyslot_params(struct crypt_device *cd, int keyslot) if (!cipher) return -EINVAL; + if (crypt_is_cipher_null(cipher)) { + log_dbg("Keyslot %d uses cipher_null. Replacing with default encryption in new keyslot.", keyslot); + cipher = DEFAULT_LUKS2_KEYSLOT_CIPHER; + key_size = DEFAULT_LUKS2_KEYSLOT_KEYBITS / 8; + } + if (crypt_keyslot_set_encryption(cd, cipher, key_size)) return -EINVAL;