Don't use empty key when checking if cipher is usable

username-removed-1345292 requested to merge civz/cryptsetup:fips-xts into master

Since kernel commit 28856a9e52c7cac712af6c143de04766617535dc (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/diff/include/crypto/xts.h?id=28856a9e52c7cac712af6c143de04766617535dc), the aes-xts-plain64 cipher is unusable in FIPS mode. FIPS now requires an AES XTS key to be composed of two non-equal parts. The zero-filled empty_key as used in LUKS_check_cipher() doesn't match the new criteria and is rejected by the kernel, resulting in a failed cipher check. Use a different dummy key.
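The rule described above, as an added userspace example (not code from this merge request, cryptsetup, or the kernel): a model of an XTS key check that rejects odd-length keys and, in FIPS mode, keys whose two halves are equal, run against a zero-filled key and a replacement dummy key. The names `xts_key_acceptable`, `halves_differ` and `fill_dummy_key` and the dummy key pattern are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Compare two buffers without an early exit, so timing does not depend on
 * where they first differ. Returns 1 if they differ, 0 if they are equal. */
static int halves_differ(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (unsigned char)(a[i] ^ b[i]);
    return acc != 0;
}

/* Model of the XTS key rule: the key is two equal-sized keys concatenated
 * (data key || tweak key), so its length must be even; with fips != 0 the
 * two halves must also be non-equal. Returns 0 if accepted, -1 if rejected. */
int xts_key_acceptable(const unsigned char *key, size_t keylen, int fips)
{
    if (keylen == 0 || keylen % 2)
        return -1;
    if (fips && !halves_differ(key, key + keylen / 2, keylen / 2))
        return -1;
    return 0;
}

/* Hypothetical dummy key for a "is this cipher usable?" probe: first half
 * 0x00, second half 0xff, so the halves differ for any even length.
 * It is a fixed pattern and must never protect real data. */
void fill_dummy_key(unsigned char *key, size_t keylen)
{
    memset(key, 0x00, keylen / 2);
    memset(key + keylen / 2, 0xff, keylen - keylen / 2);
}

int main(void)
{
    unsigned char key[64]; /* 2 x 256-bit, the aes-xts-plain64 key size with AES-256 */

    memset(key, 0, sizeof(key)); /* zero-filled key, as in the old check */
    printf("zero key,  non-FIPS: %d\n", xts_key_acceptable(key, sizeof(key), 0));
    printf("zero key,  FIPS:     %d\n", xts_key_acceptable(key, sizeof(key), 1));

    fill_dummy_key(key, sizeof(key));
    printf("dummy key, FIPS:     %d\n", xts_key_acceptable(key, sizeof(key), 1));
    return 0;
}
```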