mirror of
https://gitlab.com/cryptsetup/cryptsetup.git
synced 2025-12-05 16:00:05 +01:00
68d4749d8a
This commit implements FVE metadata block validation based on: * CRC-32 (to detect random corruption); * AES-CCM-encrypted SHA-256 (to detect malicious manipulations). The hash-based validation requires us to decrypt the VMK first, so it's only performed when obtaining the volume key. This allows us to detect corrupted/altered FVE metadata blocks and pick the valid one (before this commit: the first FVE metadata block is always selected). Fixes: #953 tests: add BitLocker image with corrupted headers The image contains 2 manually corrupted metadata blocks (out of 3), the library should use the third one to correctly load the volume. Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
3.6 KiB
3.6 KiB