Do not fail LUKS2 validation by newer online-reencrypt requirement.

Do not invalidate LUKS2 format when future online-reencrypt
requirement flag is encountered (by older releases).
But it must stop device from being activated, reencrypted
or modified.

lib/luks2/luks2.h

@@ -417,6 +417,8 @@ int LUKS2_config_set_requirement_version(struct crypt_device *cd, struct luks2_h
 
 int LUKS2_config_get_reencrypt_version(struct luks2_hdr *hdr, uint8_t *version);
 
+bool LUKS2_reencrypt_requirement_candidate(struct luks2_hdr *hdr);
+
 int LUKS2_unmet_requirements(struct crypt_device *cd, struct luks2_hdr *hdr, uint32_t reqs_mask, int quiet);
 
 int LUKS2_key_description_by_segment(struct crypt_device *cd,

lib/luks2/luks2_json_metadata.c

@@ -1579,6 +1579,29 @@ static json_object *mandatory_requirements_jobj(struct luks2_hdr *hdr)
 	return jobj_mandatory;
 }
 
+bool LUKS2_reencrypt_requirement_candidate(struct luks2_hdr *hdr)
+{
+	json_object *jobj_mandatory;
+	int i, len;
+
+	assert(hdr);
+
+	jobj_mandatory = mandatory_requirements_jobj(hdr);
+	if (!jobj_mandatory)
+		return false;
+
+	len = (int) json_object_array_length(jobj_mandatory);
+	if (len <= 0)
+		return false;
+
+	for (i = 0; i < len; i++) {
+		if (reencrypt_candidate_flag(json_object_get_string(json_object_array_get_idx(jobj_mandatory, i))))
+			return true;
+	}
+
+	return false;
+}
+
 int LUKS2_config_get_reencrypt_version(struct luks2_hdr *hdr, uint8_t *version)
 {
 	json_object *jobj_mandatory, *jobj;

lib/luks2/luks2_keyslot.c

@@ -886,7 +886,7 @@ int LUKS2_keyslots_validate(struct crypt_device *cd, json_object *hdr_jobj)
 		return -EINVAL;
 	}
 
-	if (!(reqs & CRYPT_REQUIREMENT_ONLINE_REENCRYPT) && reencrypt_count) {
+	if (reencrypt_count && !LUKS2_reencrypt_requirement_candidate(&dummy)) {
 		log_dbg(cd, "Missing reencryption requirement flag.");
 		return -EINVAL;
 	}