commit: dd6c85c1f38d96be1694e12bd43c52241598b445 Author: Mike Gilbert <floppym <AT> gentoo <DOT> org> AuthorDate: Thu Jan 22 17:27:29 2026 +0000 Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org> CommitDate: Thu Jan 22 17:27:29 2026 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd6c85c1
sys-fs/cryptsetup: backport bitlocker fix Closes: https://bugs.gentoo.org/969153 Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org> ...tup-2.8.3.ebuild => cryptsetup-2.8.3-r1.ebuild} | 4 ++ .../files/cryptsetup-2.8.3-bitlocker.patch | 45 ++++++++++++++++++++++ 2 files changed, 49 insertions(+)
diff --git a/sys-fs/cryptsetup/cryptsetup-2.8.3.ebuild b/sys-fs/cryptsetup/cryptsetup-2.8.3-r1.ebuild
similarity index 98%
rename from sys-fs/cryptsetup/cryptsetup-2.8.3.ebuild
rename to sys-fs/cryptsetup/cryptsetup-2.8.3-r1.ebuild
index 688b1d8096df..0c0908160273 100644
--- a/sys-fs/cryptsetup/cryptsetup-2.8.3.ebuild
+++ b/sys-fs/cryptsetup/cryptsetup-2.8.3-r1.ebuild
@@ -70,6 +70,10 @@ BDEPEND="
 verify-sig? ( sec-keys/openpgp-keys-milanbroz )
 "
 
+PATCHES=(
+ "${FILESDIR}/cryptsetup-2.8.3-bitlocker.patch"
+)
+
 pkg_setup() {
 local CONFIG_CHECK="~DM_CRYPT ~CRYPTO ~CRYPTO_CBC ~CRYPTO_SHA256"
 local WARNING_DM_CRYPT="CONFIG_DM_CRYPT:\tis not set (required for cryptsetup)\n"
diff --git a/sys-fs/cryptsetup/files/cryptsetup-2.8.3-bitlocker.patch b/sys-fs/cryptsetup/files/cryptsetup-2.8.3-bitlocker.patch
new file mode 100644
index 000000000000..a6ca2652cd82
--- /dev/null
+++ b/sys-fs/cryptsetup/files/cryptsetup-2.8.3-bitlocker.patch
@@ -0,0 +1,45 @@
+https://bugs.gentoo.org/969153
+https://gitlab.com/cryptsetup/cryptsetup/-/issues/973
+https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests/883
+
+From 4eb729da3f46642d6fe1fabbbedb127078eccb95 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <[email protected]>
+Date: Sun, 11 Jan 2026 14:31:29 +0100
+Subject: [PATCH] bitlk: Do not try to use empty password for password keyslots
+
+Passing empty password means we want to try to open the device
+using the clear key so we can skip all other keyslots in this case.
+
+This also fixes unlocking a BitLocker device where recovery
+passphrase is in the first keyslot where we try to use the empty
+passhrase first, hoping for a clear key, and never actually prompt
+user for an actual (recovery) passphrase after.
+
+Fixes: #973
+---
+ lib/bitlk/bitlk.c | 11 +++++++++++
+ tests/bitlk-images.tar.xz | Bin 355720 -> 376840 bytes
+ 2 files changed, 11 insertions(+)
+
+diff --git a/lib/bitlk/bitlk.c b/lib/bitlk/bitlk.c
+index 3b7b093d..0e8f9d1d 100644
+--- a/lib/bitlk/bitlk.c
++++ b/lib/bitlk/bitlk.c
+@@ -1300,6 +1300,17 @@ int BITLK_get_volume_key(struct crypt_device *cd,
+ next_vmk = params->vmks;
+ while (next_vmk) {
+ bool is_decrypted = false;
++
++ if (password == NULL && next_vmk->protection != BITLK_PROTECTION_CLEAR_KEY) {
++ /*
++ * Clearkey is the only slot that doesn't require password so no password
++ * means we are trying to use clearkey and we can skip all other key slots.
++ */
++ r = -EPERM;
++ next_vmk = next_vmk->next;
++ continue;
++ }
++
+ if (next_vmk->protection == BITLK_PROTECTION_PASSPHRASE) {
+ r = bitlk_kdf(password, passwordLen, false, next_vmk->salt, &vmk_dec_key);
+ if (r) {
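Review bot: The new guard at the top of the `while (next_vmk)` loop tests only `password == NULL`, while the patch description calls the case an "empty password". A caller passing a non-NULL, zero-length buffer would still reach `bitlk_kdf()` on passphrase slots; whether any caller does that is not visible here. If NULL is the only sentinel for the clear-key attempt, the comment should say so, e.g. `/* password == NULL (not a zero-length string) selects the clear-key attempt */`; otherwise the condition could become `(password == NULL || passwordLen == 0) && ...`, to be confirmed against upstream. When no clear-key slot exists the loop now ends with `r = -EPERM`, so the passphrase prompt depends on how the caller treats that value, which lies outside the hunk along with the rest of `BITLK_get_volume_key`. The patch header still lists `tests/bitlk-images.tar.xz`, but only the `bitlk.c` hunk is carried, so the packaged test suite presumably does not exercise this fix; a line in the patch header noting the dropped binary would make that explicit.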
