Explicitly disallow capi format for LUKS2 keyslot encryption

NO functional change as it fails in IV check anyway, but the code should not reach this funtion at all.
2025-12-05 16:00:05 +01:00 · 2025-05-29 10:32:35 +02:00
parent c3414b8221
commit 5b3ff3c0a7
1 changed files with 7 additions and 0 deletions
--- a/lib/luks2/luks2_keyslot.c
+++ b/lib/luks2/luks2_keyslot.c
@@ -168,6 +168,13 @@ int LUKS2_keyslot_cipher_incompatible(struct crypt_device *cd, const char *ciphe
 	if (!cipher_spec || crypt_is_cipher_null(cipher_spec))
 		return 1;

+	/*
+	 * Do not allow capi format for keyslots
+	 * Note: It always failed in ivsize check later anyway.
+	 */
+	if (!strncmp(cipher_spec, "capi:", 5))
+		return 1;
+
 	if (crypt_parse_name_and_mode(cipher_spec, cipher, NULL, cipher_mode) < 0)
 		return 1;