Commit 3c2135b3 authored by Milan Broz's avatar Milan Broz

Fix luksFormat if running in FIPS mode on recent kernel.

Recently introduced check for weak keys for XTS mode makes
zeroed key for algorithm check unusable.

Use random key for the test instead.
parent aad597b9
......@@ -631,9 +631,11 @@ static int LUKS_check_cipher(struct luks_phdr *hdr, struct crypt_device *ctx)
if (!empty_key)
return -ENOMEM;
r = LUKS_decrypt_from_storage(buf, sizeof(buf),
hdr->cipherName, hdr->cipherMode,
empty_key, 0, ctx);
/* No need to get KEY quality random but it must avoid known weak keys. */
r = crypt_random_get(ctx, empty_key->key, empty_key->keylength, CRYPT_RND_NORMAL);
if (!r)
r = LUKS_decrypt_from_storage(buf, sizeof(buf), hdr->cipherName,
hdr->cipherMode, empty_key, 0, ctx);
crypt_free_volume_key(empty_key);
crypt_memzero(buf, sizeof(buf));
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment