crypto: Fix reading keyfile in bd_crypto_luks_change_key

vojtechtrefny · vojtechtrefny · commit 6c29e6b60327 · 2026-01-09T09:19:25.000+01:00
Copy-paste bug, we need to make sure save the new passphrase into
the correct buffer.
diff --git a/src/plugins/crypto.c b/src/plugins/crypto.c
@@ -1734,15 +1734,15 @@ gboolean bd_crypto_luks_change_key (const gchar *device, BDCryptoKeyslotContext
     }
 
     if (ncontext->type == BD_CRYPTO_KEYSLOT_CONTEXT_TYPE_KEYFILE) {
-        ret = crypt_keyfile_device_read (cd, ncontext->u.keyfile.keyfile, &key_buf, &buf_len,
+        ret = crypt_keyfile_device_read (cd, ncontext->u.keyfile.keyfile, &nkey_buf, &nbuf_len,
                                          ncontext->u.keyfile.keyfile_offset, ncontext->u.keyfile.key_size, 0);
         if (ret != 0) {
             g_set_error (&l_error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_KEYFILE_FAILED,
                          "Failed to load key from file '%s': %s", ncontext->u.keyfile.keyfile,
                          strerror_l (-ret, c_locale));
             crypt_free (cd);
             if (context->type == BD_CRYPTO_KEYSLOT_CONTEXT_TYPE_KEYFILE)
-                crypt_safe_free (key_buf);
+                crypt_safe_free (nkey_buf);
             bd_utils_report_finished (progress_id, l_error->message);
             g_propagate_error (error, l_error);
             return FALSE;
diff --git a/tests/crypto_test.py b/tests/crypto_test.py
@@ -631,6 +631,30 @@ def _change_key(self, create_fn):
         succ = BlockDev.crypto_luks_change_key(self.loop_devs[0], ctx, nctx)
         self.assertTrue(succ)
 
+        # old passphrase should no longer work
+        with self.assertRaises(GLib.GError):
+            BlockDev.crypto_luks_remove_key(self.loop_devs[0], ctx)
+
+        # new passphrase should work
+        succ = BlockDev.crypto_luks_open(self.loop_devs[0], "libblockdevTestLUKS", nctx)
+        self.assertTrue(succ)
+
+        succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
+        self.assertTrue(succ)
+
+        # try with keyfile as well
+        kctx = BlockDev.CryptoKeyslotContext(keyfile=self.keyfile)
+        succ = BlockDev.crypto_luks_change_key(self.loop_devs[0], nctx, kctx)
+        self.assertTrue(succ)
+
+        # old passphrase should no longer work
+        with self.assertRaises(GLib.GError):
+            BlockDev.crypto_luks_remove_key(self.loop_devs[0], nctx)
+
+        # keyfile should work
+        succ = BlockDev.crypto_luks_open(self.loop_devs[0], "libblockdevTestLUKS", kctx)
+        self.assertTrue(succ)
+
     @tag_test(TestTags.SLOW)
     def test_luks_change_key(self):
         self._change_key(self._luks_format)
