Add the same cipher_null restriction to LUKS2 keyslot as in LUKS1.

LUKS2 keyslot cannot be created with cipher_null using standard
tools, but activation of such a keyslot is allowed.

As this can be confusing and create a false sense of security,
let's apply the same restriction as in LUKS1 - such a keyslot
is used only with an empty passphrase.

This will reject activation with a real password, avoiding
possible activation of insecure LUKS containers.

Fixes: #954
This commit is contained in:
Milan Broz
2025-08-17 00:07:30 +02:00
parent 098d2122e5
commit b0821b11a5

@@ -336,6 +336,10 @@ static int luks2_keyslot_get_key(struct crypt_device *cd,
if (r < 0)
return r;
/* Allow only empty passphrase with null cipher */
if (crypt_is_cipher_null(cipher) && passwordLen)
return -EPERM;
if (!json_object_object_get_ex(jobj_area, "key_size", &jobj2))
return -EINVAL;
keyslot_key_len = json_object_get_int(jobj2);
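
Review bot: The new `crypt_is_cipher_null(cipher) && passwordLen` check in luks2_keyslot_get_key() returns -EPERM with no log message, so the caller cannot tell this policy rejection apart from any other permission failure. Consider emitting a debug message before the `return -EPERM;` stating that a null-cipher keyslot accepts only an empty passphrase. The one-line comment could also mention that this mirrors the LUKS1 behaviour, since that rationale currently lives only in the commit message.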