aboutsummaryrefslogtreecommitdiff
path: root/crypto
diff options
context:
space:
mode:
Diffstat (limited to 'crypto')
-rw-r--r--crypto/block-luks.c21
1 files changed, 21 insertions, 0 deletions
diff --git a/crypto/block-luks.c b/crypto/block-luks.c
index 63649f1091..fcf3b040e4 100644
--- a/crypto/block-luks.c
+++ b/crypto/block-luks.c
@@ -776,6 +776,11 @@ qcrypto_block_luks_open(QCryptoBlock *block,
}
if (ivalg == QCRYPTO_IVGEN_ALG_ESSIV) {
+ if (!ivhash_name) {
+ ret = -EINVAL;
+ error_setg(errp, "Missing IV generator hash specification");
+ goto fail;
+ }
ivcipheralg = qcrypto_block_luks_essiv_cipher(cipheralg,
ivhash,
&local_err);
@@ -785,6 +790,13 @@ qcrypto_block_luks_open(QCryptoBlock *block,
goto fail;
}
} else {
+ /* Note we parsed the ivhash_name earlier in the cipher_mode
+ * spec string even with plain/plain64 ivgens, but we
+ * will ignore it, since it is irrelevant for these ivgens.
+ * This is for compat with dm-crypt which will silently
+ * ignore hash names with these ivgens rather than report
+ * an error about the invalid usage
+ */
ivcipheralg = cipheralg;
}
@@ -904,6 +916,15 @@ qcrypto_block_luks_create(QCryptoBlock *block,
if (!luks_opts.has_hash_alg) {
luks_opts.hash_alg = QCRYPTO_HASH_ALG_SHA256;
}
+ if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
+ if (!luks_opts.has_ivgen_hash_alg) {
+ luks_opts.ivgen_hash_alg = QCRYPTO_HASH_ALG_SHA256;
+ luks_opts.has_ivgen_hash_alg = true;
+ }
+ }
+ /* Note we're allowing ivgen_hash_alg to be set even for
+ * non-essiv iv generators that don't need a hash. It will
+ * be silently ignored, for compatibility with dm-crypt */
if (!options->u.luks.key_secret) {
error_setg(errp, "Parameter 'key-secret' is required for cipher");