eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-13 03:40:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add paes to ciphers that cannot be used for LUKS2 keyslot encryption.

Browse Source 
And use AES-XTS for keyslot in this case.
This commit is contained in:
Milan Broz
2018-03-31 17:42:30 +02:00
parent fef5121cee
commit ed2968e3e8
1 changed files with 16 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
lib/luks2/luks2_keyslot.c
View File

@@ -117,6 +117,21 @@ int LUKS2_keyslot_active_count(struct luks2_hdr *hdr, int segment)
return num;
}
static int LUKS2_keyslot_cipher_incompatible(struct crypt_device *cd)
{
const char *cipher = crypt_get_cipher(cd);
/* Keyslot is already authenticated; we cannot use integrity tags here */
if (crypt_get_integrity_tag_size(cd) || !cipher)
return 1;
/* protected AES (PAES) is a wrapped key scheme, not a block cipher */
if (!strncmp("paes", cipher, 4))
return 1;
return 0;
}
int LUKS2_keyslot_params_default(struct crypt_device *cd, struct luks2_hdr *hdr,
size_t key_size, struct luks2_keyslot_params *params)
{
@@ -140,7 +155,7 @@ int LUKS2_keyslot_params_default(struct crypt_device *cd, struct luks2_hdr *hdr,
/* set keyslot area encryption parameters */
/* short circuit authenticated encryption hardcoded defaults */
if (crypt_get_integrity_tag_size(cd) || key_size == 0) {
if (LUKS2_keyslot_cipher_incompatible(cd) || key_size == 0) {
// FIXME: fixed cipher and key size can be wrong
snprintf(params->area.raw.encryption, sizeof(params->area.raw.encryption),
"aes-xts-plain64");