Return -ENOENT if digest is missing.

If there is no digest associated with segment,
for example during reencryption mode encrypt initialization,
return -ENOENT in LUKS2_digest_verify_by_segment.

lib/luks2/luks2_digest.c

@@ -160,7 +160,7 @@ int LUKS2_digest_verify_by_segment(struct crypt_device *cd,
 	int segment,
 	const struct volume_key *vk)
 {
-	int r = -EINVAL;
+	int r;
 	unsigned s;
 
 	if (segment == CRYPT_ANY_SEGMENT) {
@@ -172,7 +172,11 @@ int LUKS2_digest_verify_by_segment(struct crypt_device *cd,
 		return -EPERM;
 	}
 
-	return LUKS2_digest_verify_by_digest(cd, LUKS2_digest_by_segment(hdr, segment), vk);
+	r = LUKS2_digest_by_segment(hdr, segment);
+	if (r < 0)
+		return r;
+
+	return LUKS2_digest_verify_by_digest(cd, r, vk);
 }
 
 /* FIXME: segment can have more digests */

lib/luks2/luks2_reencrypt.c

@@ -3125,7 +3125,7 @@ static int reencrypt_init(struct crypt_device *cd,
 
 		/* do not create new digest in case it matches the current one */
 		r = LUKS2_digest_verify_by_segment(cd, hdr, CRYPT_DEFAULT_SEGMENT, vk);
-		if (r == -EPERM)
+		if (r == -EPERM || r == -ENOENT)
 			r = LUKS2_digest_create(cd, "pbkdf2", hdr, vk);
 
 		crypt_free_volume_key(vk);