|
 |
64d505 |
From 3c2135b36bbc52d052e4ced7c94dc4981eb07a53 Mon Sep 17 00:00:00 2001
|
|
|
64d505 |
From: Milan Broz <gmazyland@gmail.com>
|
|
|
64d505 |
Date: Fri, 21 Apr 2017 08:16:14 +0200
|
|
|
64d505 |
Subject: [PATCH] Fix luksFormat if running in FIPS mode on recent kernel.
|
|
|
64d505 |
|
|
|
64d505 |
Recently introduced check for weak keys for XTS mode makes
|
|
|
64d505 |
zeroed key for algorithm check unusable.
|
|
|
64d505 |
|
|
|
64d505 |
Use random key for the test instead.
|
|
|
64d505 |
---
|
|
|
64d505 |
lib/luks1/keymanage.c | 8 +++++---
|
|
|
64d505 |
1 file changed, 5 insertions(+), 3 deletions(-)
|
|
|
64d505 |
|
|
|
64d505 |
diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c
|
|
|
64d505 |
index b700bab..5b1421b 100644
|
|
|
64d505 |
--- a/lib/luks1/keymanage.c
|
|
|
64d505 |
+++ b/lib/luks1/keymanage.c
|
|
|
64d505 |
@@ -631,9 +631,11 @@ static int LUKS_check_cipher(struct luks_phdr *hdr, struct crypt_device *ctx)
|
|
|
64d505 |
if (!empty_key)
|
|
|
64d505 |
return -ENOMEM;
|
|
|
64d505 |
|
|
|
64d505 |
- r = LUKS_decrypt_from_storage(buf, sizeof(buf),
|
|
|
64d505 |
- hdr->cipherName, hdr->cipherMode,
|
|
|
64d505 |
- empty_key, 0, ctx);
|
|
|
64d505 |
+ /* No need to get KEY quality random but it must avoid known weak keys. */
|
|
|
64d505 |
+ r = crypt_random_get(ctx, empty_key->key, empty_key->keylength, CRYPT_RND_NORMAL);
|
|
|
64d505 |
+ if (!r)
|
|
|
64d505 |
+ r = LUKS_decrypt_from_storage(buf, sizeof(buf), hdr->cipherName,
|
|
|
64d505 |
+ hdr->cipherMode, empty_key, 0, ctx);
|
|
|
64d505 |
|
|
|
64d505 |
crypt_free_volume_key(empty_key);
|
|
|
64d505 |
crypt_memzero(buf, sizeof(buf));
|
|
|
64d505 |
--
|
|
|
64d505 |
2.7.4
|
|
|
64d505 |
|