From 1b51b538ad04097a605f0705d5ff63e11606c700 Mon Sep 17 00:00:00 2001
From: James Antill
Date: Thu, 26 May 2022 01:16:18 -0400
Subject: [PATCH] Auto sync2gitlab import of cryptsetup-2.3.7-2.el8.src.rpm
---
.gitignore | 1 +
EMPTY | 1 -
...t-compiler-optimization-flag-if-wipe.patch | 53 ++++
...-allocation-if-LUKS2-header-size-is-.patch | 295 ++++++++++++++++++
...-tests-for-test-passphrase-parameter.patch | 41 +++
...ssphrase-when-device-in-reencryption.patch | 103 ++++++
...etup-2.5.0-Fix-typo-in-repair-prompt.patch | 12 +
cryptsetup-add-system-library-paths.patch | 22 ++
cryptsetup-disable-verity-compat-test.patch | 13 +
cryptsetup.spec | 242 ++++++++++++++
sources | 1 +
11 files changed, 783 insertions(+), 1 deletion(-)
create mode 100644 .gitignore
delete mode 100644 EMPTY
create mode 100644 cryptsetup-2.4.2-Do-not-try-to-set-compiler-optimization-flag-if-wipe.patch
create mode 100644 cryptsetup-2.4.2-Fix-bogus-memory-allocation-if-LUKS2-header-size-is-.patch
create mode 100644 cryptsetup-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch
create mode 100644 cryptsetup-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch
create mode 100644 cryptsetup-2.5.0-Fix-typo-in-repair-prompt.patch
create mode 100644 cryptsetup-add-system-library-paths.patch
create mode 100644 cryptsetup-disable-verity-compat-test.patch
create mode 100644 cryptsetup.spec
create mode 100644 sources
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..efb6be3
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/cryptsetup-2.3.7.tar.xz
diff --git a/EMPTY b/EMPTY
deleted file mode 100644
index 0519ecb..0000000
--- a/EMPTY
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/cryptsetup-2.4.2-Do-not-try-to-set-compiler-optimization-flag-if-wipe.patch b/cryptsetup-2.4.2-Do-not-try-to-set-compiler-optimization-flag-if-wipe.patch
new file mode 100644
index 0000000..ea52c96
--- /dev/null
+++ b/cryptsetup-2.4.2-Do-not-try-to-set-compiler-optimization-flag-if-wipe.patch
@@ -0,0 +1,53 @@
+From a76310b53fbb117e620f2c37350b68dd267f1088 Mon Sep 17 00:00:00 2001
+From: Milan Broz
+Date: Mon, 20 Sep 2021 17:42:20 +0200
+Subject: [PATCH] Do not try to set compiler optimization flag if wipe is
+ implemented in libc.
+
+If zeroing memory is implemented through libc call (like memset_bzero),
+compiler should never remove such call. It is not needed to set O0
+optimization flag explicitly.
+
+Various checkers like annocheck causes problems with these flags,
+just remove it where it makes no sense.
+
+(Moreover, we use the same pattern without compiler magic
+in crypt_backend_memzero() already.)
+---
+ lib/crypto_backend/argon2/core.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/lib/crypto_backend/argon2/core.c b/lib/crypto_backend/argon2/core.c
+index b204ba98..db9a7741 100644
+--- a/lib/crypto_backend/argon2/core.c
++++ b/lib/crypto_backend/argon2/core.c
+@@ -120,18 +120,24 @@ void free_memory(const argon2_context *context, uint8_t *memory,
+ }
+ }
+
+-void NOT_OPTIMIZED secure_wipe_memory(void *v, size_t n) {
+ #if defined(_MSC_VER) && VC_GE_2005(_MSC_VER)
++void secure_wipe_memory(void *v, size_t n) {
+ SecureZeroMemory(v, n);
++}
+ #elif defined memset_s
++void secure_wipe_memory(void *v, size_t n) {
+ memset_s(v, n, 0, n);
++}
+ #elif defined(HAVE_EXPLICIT_BZERO)
++void secure_wipe_memory(void *v, size_t n) {
+ explicit_bzero(v, n);
++}
+ #else
++void NOT_OPTIMIZED secure_wipe_memory(void *v, size_t n) {
+ static void *(*const volatile memset_sec)(void *, int, size_t) = &memset;
+ memset_sec(v, 0, n);
+-#endif
+ }
++#endif
+
+ /* Memory clear flag defaults to true. */
+ int FLAG_clear_internal_memory = 1;
+--
+2.27.0
+
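Review bot: After this change the choice of wipe primitive in `secure_wipe_memory` (lib/crypto_backend/argon2/core.c) rests on preprocessor symbols the hunk never establishes, so a build can fall through to the `#else` branch without anyone noticing. `#elif defined memset_s` is true only where `memset_s` is a macro, and `HAVE_EXPLICIT_BZERO` only helps if the build's configuration header is included above this point, which the hunk does not show. The fallback is still a sound wipe (call through a volatile function pointer, with `NOT_OPTIMIZED` kept), but because this routine clears password-hashing memory I would document it above the `#else` definition, for example `/* Fallback: memset via a volatile pointer so the compiler cannot elide the wipe; NOT_OPTIMIZED is kept only here. */`.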
diff --git a/cryptsetup-2.4.2-Fix-bogus-memory-allocation-if-LUKS2-header-size-is-.patch b/cryptsetup-2.4.2-Fix-bogus-memory-allocation-if-LUKS2-header-size-is-.patch
new file mode 100644
index 0000000..f07fb32
--- /dev/null
+++ b/cryptsetup-2.4.2-Fix-bogus-memory-allocation-if-LUKS2-header-size-is-.patch
@@ -0,0 +1,295 @@
+From 9576549fee9228cabd9ceee27739a30caab5a7f6 Mon Sep 17 00:00:00 2001
+From: Milan Broz
+Date: Tue, 9 Nov 2021 11:54:27 +0100
+Subject: [PATCH] Fix bogus memory allocation if LUKS2 header size is invalid.
+
+LUKS2 code read the whole header to buffer to verify checksum,
+so malloc is called on unvalidated input size parameter.
+
+This can cause out of memory or unintentional device reads.
+(Header validation will fail later anyway - the size is unsupported.)
+
+Just do not allow too small and too big allocations here and fail quickly.
+
+Fixes: #683.
+---
+ lib/luks2/luks2_disk_metadata.c | 20 +++-
+ ...ks2-metadata-size-invalid-secondary.img.sh | 96 +++++++++++++++++++
+ ...enerate-luks2-metadata-size-invalid.img.sh | 94 ++++++++++++++++++
+ tests/luks2-validation-test | 2 +
+ 4 files changed, 208 insertions(+), 4 deletions(-)
+ create mode 100755 tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh
+ create mode 100755 tests/generators/generate-luks2-metadata-size-invalid.img.sh
+
+diff --git a/lib/luks2/luks2_disk_metadata.c b/lib/luks2/luks2_disk_metadata.c
+index 502b0226..0500d5c7 100644
+--- a/lib/luks2/luks2_disk_metadata.c
++++ b/lib/luks2/luks2_disk_metadata.c
+@@ -195,6 +195,8 @@ static int hdr_disk_sanity_check_pre(struct crypt_device *cd,
+ size_t *hdr_json_size, int secondary,
+ uint64_t offset)
+ {
++ uint64_t hdr_size;
++
+ if (memcmp(hdr->magic, secondary ?
LUKS2_MAGIC_2ND : LUKS2_MAGIC_1ST, LUKS2_MAGIC_L))
+ return -EINVAL;
+
+@@ -209,19 +211,26 @@ static int hdr_disk_sanity_check_pre(struct crypt_device *cd,
+ return -EINVAL;
+ }
+
+- if (secondary && (offset != be64_to_cpu(hdr->hdr_size))) {
++ hdr_size = be64_to_cpu(hdr->hdr_size);
++
++ if (hdr_size < LUKS2_HDR_16K_LEN || hdr_size > LUKS2_HDR_OFFSET_MAX) {
++ log_dbg(cd, "LUKS2 header has bogus size 0x%04x.", (unsigned)hdr_size);
++ return -EINVAL;
++ }
++
++ if (secondary && (offset != hdr_size)) {
+ log_dbg(cd, "LUKS2 offset 0x%04x in secondary header does not match size 0x%04x.",
+- (unsigned)offset, (unsigned)be64_to_cpu(hdr->hdr_size));
++ (unsigned)offset, (unsigned)hdr_size);
+ return -EINVAL;
+ }
+
+ /* FIXME: sanity check checksum alg. */
+
+ log_dbg(cd, "LUKS2 header version %u of size %u bytes, checksum %s.",
+- (unsigned)be16_to_cpu(hdr->version), (unsigned)be64_to_cpu(hdr->hdr_size),
++ (unsigned)be16_to_cpu(hdr->version), (unsigned)hdr_size,
+ hdr->checksum_alg);
+
+- *hdr_json_size = be64_to_cpu(hdr->hdr_size) - LUKS2_HDR_BIN_LEN;
++ *hdr_json_size = hdr_size - LUKS2_HDR_BIN_LEN;
+ return 0;
+ }
+
+@@ -252,6 +261,9 @@ static int hdr_read_disk(struct crypt_device *cd,
+ return -EIO;
+ }
+
++ /*
++ * hdr_json_size is validated if this call succeeds
++ */
+ r = hdr_disk_sanity_check_pre(cd, hdr_disk, &hdr_json_size, secondary, offset);
+ if (r < 0) {
+ return r;
+diff --git a/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh
+new file mode 100755
+index 00000000..4dd484e9
+--- /dev/null
++++ b/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh
+@@ -0,0 +1,96 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary with predefined json_size.
There's only limited
++# set of values allowed as json size in config section of LUKS2
++# metadata
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_1M
++
++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++ TEST_MDA_SIZE_BOGUS_BYTES=$((TEST_MDA_SIZE*512*2*1024))
++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
++ JSON_SIZE=$((TEST_JSN_SIZE*512))
++ DATA_OFFSET=16777216
++
++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
++ .config.json_size = $jsize |
++ .segments."0".offset = $off' $TMPDIR/json0)
++ test -n "$json_str" || exit 2
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BOGUS_BYTES
++
++ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++
++ erase_checksum $TMPDIR/area1
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++ write_checksum $chks0 $TMPDIR/area1
++
++ kill_bin_hdr $TMPDIR/area0
++
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE
++ local str_res0=$(head -c 6 $TMPDIR/hdr_res0)
++ test "$str_res0" = "VACUUM" || exit 2
++ read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE
++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
++ (.config.json_size != $jsize)
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff --git a/tests/generators/generate-luks2-metadata-size-invalid.img.sh b/tests/generators/generate-luks2-metadata-size-invalid.img.sh
+new file mode 100755
+index 00000000..6b9c0cf7
+--- /dev/null
++++ b/tests/generators/generate-luks2-metadata-size-invalid.img.sh
+@@ -0,0 +1,94 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary with predefined json_size.
There's only limited
++# set of values allowed as json size in config section of LUKS2
++# metadata
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++ cp $SRC_IMG $TGT_IMG
++ test -d $TMPDIR || mkdir $TMPDIR
++ read_luks2_json0 $TGT_IMG $TMPDIR/json0
++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_1M
++
++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++ TEST_MDA_SIZE_BOGUS_BYTES=$((TEST_MDA_SIZE*512*2*1024))
++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
++ JSON_SIZE=$((TEST_JSN_SIZE*512))
++ DATA_OFFSET=16777216
++
++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
++ .config.json_size = $jsize |
++ .segments."0".offset = $off' $TMPDIR/json0)
++ test -n "$json_str" || exit 2
++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BOGUS_BYTES
++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BOGUS_BYTES
++
++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++ erase_checksum $TMPDIR/area0
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++ write_checksum $chks0 $TMPDIR/area0
++
++ erase_checksum $TMPDIR/area1
++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++ write_checksum $chks0 $TMPDIR/area1
++
++ kill_bin_hdr $TMPDIR/area1
++
++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++ read_luks2_bin_hdr1
$TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE
++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++ test "$str_res1" = "VACUUM" || exit 2
++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE
++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
++ (.config.json_size != $jsize)
++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++ rm -f $TMPDIR/*
++ rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff --git a/tests/luks2-validation-test b/tests/luks2-validation-test
+index 04183fbc..f771e1f9 100755
+--- a/tests/luks2-validation-test
++++ b/tests/luks2-validation-test
+@@ -229,6 +229,8 @@ RUN luks2-metadata-size-512k-secondary.img "R" "Valid 512KiB metadata size in s
+ RUN luks2-metadata-size-1m-secondary.img "R" "Valid 1MiB metadata size in secondary hdr failed to validate"
+ RUN luks2-metadata-size-2m-secondary.img "R" "Valid 2MiB metadata size in secondary hdr failed to validate"
+ RUN luks2-metadata-size-4m-secondary.img "R" "Valid 4MiB metadata size in secondary hdr failed to validate"
++RUN luks2-metadata-size-invalid.img "F" "Invalid metadata size in secondary hdr not rejected"
++RUN luks2-metadata-size-invalid-secondary.img "F" "Invalid metadata size in secondary hdr not rejected"
+
+ remove_mapping
+
+--
+2.27.0
+
diff --git a/cryptsetup-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch b/cryptsetup-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch
new file mode 100644
index 0000000..023666a
--- /dev/null
+++ b/cryptsetup-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch
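Review bot: The new rejection path in `hdr_disk_sanity_check_pre` logs the bad value as `(unsigned)hdr_size`, which truncates the 64-bit field exactly where it is out of range by definition, so a header size at or above 2^32 shows up in the debug log as a small or zero number. Printing the full width keeps the log usable when triaging a malformed or hostile header, e.g. `log_dbg(cd, "LUKS2 header has bogus size 0x%04" PRIx64 ".", hdr_size);` (assuming `<inttypes.h>` is available in this file, which the hunk does not show). Separately, both new `RUN` lines in tests/luks2-validation-test carry the text "in secondary hdr", although the generator for `luks2-metadata-size-invalid.img` writes the bogus size to both headers and then kills the secondary one, leaving only the primary to be rejected; its message should read `"Invalid metadata size in primary hdr not rejected"` so a failure points at the right header. The function body starts and ends outside the visible hunks.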
@@ -0,0 +1,41 @@
+From f671febe64d8f40cdcb1677a08436a8907ccbb7e Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina
+Date: Wed, 23 Feb 2022 12:27:57 +0100
+Subject: [PATCH 2/3] Add more tests for --test-passphrase parameter.
+
+---
+ tests/compat-test-args | 4 ++++
+ tests/luks2-reencryption-test | 18 ++++++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
+index 6f156016..73818b5d 100755
+--- a/tests/luks2-reencryption-test
++++ b/tests/luks2-reencryption-test
+@@ -1606,5 +1606,23 @@ if [ -n "$DM_SECTOR_SIZE" ]; then
+ reencrypt_recover_online 4096 journal $HASH1
+ fi
+
++echo "[27] Verify test passphrase mode works with reencryption metadata"
++echo $PWD1 | $CRYPTSETUP -S5 -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV || fail
++echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $DEV || fail
++echo $PWD1 | $CRYPTSETUP reencrypt --init-only $DEV || fail
++echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail
++
++echo $PWD1 | $CRYPTSETUP -q luksFormat -S5 --header $IMG_HDR --type luks2 $FAST_PBKDF_ARGON $DEV || fail
++echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $IMG_HDR || fail
++echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --init-only --header $IMG_HDR $DEV || fail
++echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail
++
++echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --init-only --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
++echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail
++
++wipe_dev $DEV
++echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 8M $FAST_PBKDF_ARGON $DEV || fail
++echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail
++
+ remove_mapping
+ exit 0
+--
+2.27.0
+
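Review bot: The patch header's diffstat lists `tests/compat-test-args | 4 ++++` and "2 files changed, 22 insertions(+)", but the body carries only the 18-line `tests/luks2-reencryption-test` hunk, so the argument-parsing tests for `--test-passphrase` were dropped on import without any record. If the omission is deliberate (for instance because that test file does not exist in the 2.3.7 tree), the header should say so, e.g. a line such as `(RHEL backport: tests/compat-test-args hunk omitted, file not present in 2.3.7)`; otherwise the missing hunk should be restored. Every added test here also expects success, so the block never checks that a wrong passphrase is refused while reencryption metadata is present.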
diff --git a/cryptsetup-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch b/cryptsetup-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch
new file mode 100644
index 0000000..5566c54
--- /dev/null
+++ b/cryptsetup-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch
@@ -0,0 +1,103 @@
+diff -rupN cryptsetup-2.3.7.old/man/cryptsetup.8 cryptsetup-2.3.7/man/cryptsetup.8
+--- cryptsetup-2.3.7.old/man/cryptsetup.8 2022-02-24 15:58:37.968167423 +0100
++++ cryptsetup-2.3.7/man/cryptsetup.8 2022-02-24 17:06:25.326217548 +0100
+@@ -321,7 +321,7 @@ the command prompts for it interactively
+ \-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase,
+ \-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id,
+ \-\-token\-only, \-\-disable\-keyring, \-\-disable\-locks, \-\-type, \-\-refresh,
+-\-\-serialize\-memory\-hard\-pbkdf].
++\-\-serialize\-memory\-hard\-pbkdf, \-\-unbound].
+ .PP
+ \fIluksSuspend\fR
+ .IP
+@@ -1409,10 +1409,14 @@ aligned to page size and page-cache init
+ integrity tag.
+ .TP
+ .B "\-\-unbound"
+-
+ Creates new or dumps existing LUKS2 unbound keyslot. See \fIluksAddKey\fR or
+ \fIluksDump\fR actions for more details.
+
++When used in \fIluksOpen\fR action (allowed only together with
++\-\-test\-passphrase parameter), it allows to test passphrase for unbound LUKS2
++keyslot. Otherwise, unbound keyslot passphrase can be tested only when specific
++keyslot is selected via \-\-key\-slot parameter.
++
+ .TP
+ .B "\-\-tcrypt\-hidden"
+ .B "\-\-tcrypt\-system"
+diff -rupN cryptsetup-2.3.7.old/src/cryptsetup.c cryptsetup-2.3.7/src/cryptsetup.c
+--- cryptsetup-2.3.7.old/src/cryptsetup.c 2022-02-24 15:58:37.969167429 +0100
++++ cryptsetup-2.3.7/src/cryptsetup.c 2022-02-24 17:10:30.947561638 +0100
+@@ -230,7 +230,7 @@ static void _set_activation_flags(uint32
+ *flags |= CRYPT_ACTIVATE_IGNORE_PERSISTENT;
+
+ /* Only for LUKS2 but ignored elsewhere */
+- if (opt_test_passphrase)
++ if (opt_test_passphrase && (opt_unbound || (opt_key_slot != CRYPT_ANY_SLOT)))
+ *flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY;
+
+ if (opt_serialize_memory_hard_pbkdf)
+@@ -4021,6 +4021,17 @@ int main(int argc, const char **argv)
+ _("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."),
+ poptGetInvocationName(popt_context));
+
++ if (opt_unbound && !strcmp(aname, "open") && device_type &&
++ strncmp(device_type, "luks", 4))
++ usage(popt_context, EXIT_FAILURE,
++ _("Option --unbound is allowed only for open of luks device."),
++ poptGetInvocationName(popt_context));
++
++ if (opt_unbound && !opt_test_passphrase && !strcmp(aname, "open"))
++ usage(popt_context, EXIT_FAILURE,
++ _("Option --unbound cannot be used without --test-passphrase."),
++ poptGetInvocationName(popt_context));
++
+ if (opt_tcrypt_hidden && opt_allow_discards)
+ usage(popt_context, EXIT_FAILURE,
+ _("Option --tcrypt-hidden cannot be combined with --allow-discards."),
+@@ -4103,9 +4114,9 @@ int main(int argc, const char **argv)
+ _("Keyslot specification is required."),
+ poptGetInvocationName(popt_context));
+
+- if (opt_unbound && strcmp(aname, "luksAddKey") && strcmp(aname, "luksDump"))
++ if (opt_unbound && strcmp(aname, "luksAddKey") && strcmp(aname, "luksDump") && strcmp(aname, "open"))
+ usage(popt_context, EXIT_FAILURE,
+- _("Option --unbound may be used only with luksAddKey and luksDump actions."),
++ _("Option --unbound may be used only with luksAddKey, luksDump and
open actions."),
+ poptGetInvocationName(popt_context));
+
+ if (opt_refresh && strcmp(aname, "open"))
+diff -rupN cryptsetup-2.3.7.old/tests/compat-test2 cryptsetup-2.3.7/tests/compat-test2
+--- cryptsetup-2.3.7.old/tests/compat-test2 2022-02-24 15:58:38.013167680 +0100
++++ cryptsetup-2.3.7/tests/compat-test2 2022-02-24 17:23:23.035760517 +0100
+@@ -696,7 +696,7 @@ $CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOP
+ # otoh it should be allowed to test for proper passphrase
+ prepare "" new
+ echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
+-echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
++echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail
+ echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
+ [ -b /dev/mapper/$DEV_NAME ] && fail
+ echo $PWD1 | $CRYPTSETUP open $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
+@@ -705,7 +705,7 @@ echo $PWD0 | $CRYPTSETUP open -S1 --test
+ $CRYPTSETUP luksKillSlot -q $HEADER_KEYU 0
+ $CRYPTSETUP luksDump $HEADER_KEYU | grep -q "0: luks2" && fail
+ echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
+-echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
++echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail
+ echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
+
+ prepare "[28] Detached LUKS header" wipe
+@@ -952,11 +952,9 @@ echo $PWD3 | $CRYPTSETUP -q luksAddKey -
+ # do not allow to replace keyslot by unbound slot
+ echo $PWD1 | $CRYPTSETUP -q luksAddKey -S5 --unbound -s 32 $LOOPDEV 2>/dev/null && fail
+ echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
+-echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
+ echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV $DEV_NAME 2> /dev/null && fail
+ echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV --test-passphrase || fail
+ echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2>
/dev/null && fail
+-echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
+ # check we're able to change passphrase for unbound keyslot
+ echo -e "$PWD2\n$PWD3" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail
+ echo $PWD3 | $CRYPTSETUP open --test-passphrase $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail
diff --git a/cryptsetup-2.5.0-Fix-typo-in-repair-prompt.patch b/cryptsetup-2.5.0-Fix-typo-in-repair-prompt.patch
new file mode 100644
index 0000000..a34329b
--- /dev/null
+++ b/cryptsetup-2.5.0-Fix-typo-in-repair-prompt.patch
@@ -0,0 +1,12 @@
+diff -rupN cryptsetup-2.3.7.old/src/cryptsetup.c cryptsetup-2.3.7/src/cryptsetup.c
+--- cryptsetup-2.3.7.old/src/cryptsetup.c 2022-01-20 14:47:13.198475734 +0100
++++ cryptsetup-2.3.7/src/cryptsetup.c 2022-01-20 14:47:24.186505625 +0100
+@@ -1137,7 +1137,7 @@ static int reencrypt_metadata_repair(str
+ _("Operation aborted.\n")))
+ return -EINVAL;
+
+- r = tools_get_key(_("Enter passphrase to protect and uppgrade reencryption metadata: "),
++ r = tools_get_key(_("Enter passphrase to protect and upgrade reencryption metadata: "),
+ &password, &passwordLen, opt_keyfile_offset,
+ opt_keyfile_size, opt_key_file, opt_timeout,
+ _verify_passphrase(0), 0, cd);
diff --git a/cryptsetup-add-system-library-paths.patch b/cryptsetup-add-system-library-paths.patch
new file mode 100644
index 0000000..cc22adf
--- /dev/null
+++ b/cryptsetup-add-system-library-paths.patch
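Review bot: In the last tests/compat-test2 hunk of the --test-passphrase fix, the two `open $LOOPDEV --test-passphrase || fail` lines are deleted rather than inverted, so nothing pins the behaviour that the `_set_activation_flags` change introduces. With the new condition, `CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY` is set only when `--unbound` or a specific `-S` slot is given, and the man page text says an unbound keyslot passphrase can otherwise not be tested. If refusal is the intended result for these passphrases, a negative check such as `echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase 2>/dev/null && fail` would catch a regression that lets unbound-key passphrases validate again by default. This patch file also has no From/Subject header or upstream commit reference, unlike the other backports in this import, which makes it harder to match against the upstream fix.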
@@ -0,0 +1,22 @@
+diff -rupN cryptsetup-2.0.4.old/configure cryptsetup-2.0.4/configure
+--- cryptsetup-2.0.4.old/configure 2018-08-03 12:31:52.000000000 +0200
++++ cryptsetup-2.0.4/configure 2018-08-03 13:42:50.605275535 +0200
+@@ -12300,6 +12300,9 @@ fi
+ # before this can be enabled.
+ hardcode_into_libs=yes
+
++ # Add ABI-specific directories to the system library path.
++ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
++
+ # Ideally, we could use ldconfig to report *all* directores which are
+ # searched for libraries, however this is still not possible. Aside from not
+ # being certain /sbin/ldconfig is available, command
+@@ -12308,7 +12311,7 @@ fi
+ # appending ld.so.conf contents (and includes) to the search path.
+ if test -f /etc/ld.so.conf; then
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
+- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
++ sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
+ fi
+
+ # We used to test for /lib/ld.so.1 and disable shared libraries on
diff --git a/cryptsetup-disable-verity-compat-test.patch b/cryptsetup-disable-verity-compat-test.patch
new file mode 100644
index 0000000..efc3363
--- /dev/null
+++ b/cryptsetup-disable-verity-compat-test.patch
@@ -0,0 +1,13 @@
+diff --git a/tests/Makefile.localtest b/tests/Makefile.localtest
+index 29a62f3..da2183e 100644
+--- a/tests/Makefile.localtest
++++ b/tests/Makefile.localtest
+@@ -5,7 +5,7 @@
+ CPPFLAGS=-I../lib/ -I../lib/luks1 -DHAVE_DECL_DM_TASK_RETRY_REMOVE -DKERNEL_KEYRING -DHAVE_SYS_SYSMACROS_H -DNO_CRYPTSETUP_PATH
+ CFLAGS=-O2 -g -Wall
+ LDLIBS=-lcryptsetup -ldevmapper
+-TESTS=$(wildcard *-test *-test2) api-test api-test-2
++TESTS=$(filter-out verity-compat-test, $(wildcard *-test *-test2)) api-test api-test-2
+
+ differ: differ.o
+ $(CC) -o $@ $^
diff --git a/cryptsetup.spec b/cryptsetup.spec
new file mode 100644
index 0000000..eb9fd98
--- /dev/null
+++ b/cryptsetup.spec
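Review bot: The `filter-out verity-compat-test` on the `TESTS=` line of tests/Makefile.localtest silently drops the dm-verity compatibility test from the local test run, and nothing in the Makefile records why or until when, even though the spec still builds and ships `veritysetup`. The only explanation is the spec comment about unstable test infrastructure, which carries no ticket reference, so the gap in coverage for an integrity-verification tool can persist unnoticed. I would add a comment directly above the assignment, e.g. `# verity-compat-test disabled: unstable in CI, re-enable when fixed (tracking: <ticket id>)`, so the exclusion stays visible to whoever next touches the test list.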
@@ -0,0 +1,242 @@
+Obsoletes: python2-cryptsetup
+Obsoletes: cryptsetup-python
+Obsoletes: cryptsetup-python3
+
+Summary: A utility for setting up encrypted disks
+Name: cryptsetup
+Version: 2.3.7
+Release: 2%{?dist}
+License: GPLv2+ and LGPLv2+
+Group: Applications/System
+URL: https://gitlab.com/cryptsetup/cryptsetup
+BuildRequires: openssl-devel, popt-devel, device-mapper-devel
+BuildRequires: libuuid-devel, gcc, libblkid-devel
+BuildRequires: libpwquality-devel, json-c-devel
+Provides: cryptsetup-luks = %{version}-%{release}
+Obsoletes: cryptsetup-luks < 1.4.0
+Requires: cryptsetup-libs = %{version}-%{release}
+Requires: libpwquality >= 1.2.0
+
+%global upstream_version %{version}
+Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{upstream_version}.tar.xz
+# Following patch has to applied last
+Patch0: %{name}-add-system-library-paths.patch
+# Remove the patch when (if ever) osci infrastructure gets stable enough
+Patch1: %{name}-disable-verity-compat-test.patch
+Patch2: %{name}-2.4.2-Do-not-try-to-set-compiler-optimization-flag-if-wipe.patch
+Patch3: %{name}-2.4.2-Fix-bogus-memory-allocation-if-LUKS2-header-size-is-.patch
+Patch4: %{name}-2.5.0-Fix-typo-in-repair-prompt.patch
+Patch5: %{name}-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch
+Patch6: %{name}-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch
+
+%description
+The cryptsetup package contains a utility for setting up
+disk encryption using dm-crypt kernel module.
+
+%package devel
+Group: Development/Libraries
+Requires: %{name} = %{version}-%{release}
+Requires: pkgconfig
+Summary: Headers and libraries for using encrypted file systems
+Provides: cryptsetup-luks-devel = %{version}-%{release}
+Obsoletes: cryptsetup-luks-devel < 1.4.0
+
+%description devel
+The cryptsetup-devel package contains libraries and header files
+used for writing code that makes use of disk encryption.
+
+%package libs
+Group: System Environment/Libraries
+Summary: Cryptsetup shared library
+Provides: cryptsetup-luks-libs = %{version}-%{release}
+Obsoletes: cryptsetup-luks-libs < 1.4.0
+
+%description libs
+This package contains the cryptsetup shared library, libcryptsetup.
+
+%package -n veritysetup
+Group: Applications/System
+Summary: A utility for setting up dm-verity volumes
+Requires: cryptsetup-libs = %{version}-%{release}
+
+%description -n veritysetup
+The veritysetup package contains a utility for setting up
+disk verification using dm-verity kernel module.
+
+%package -n integritysetup
+Group: Applications/System
+Summary: A utility for setting up dm-integrity volumes
+Requires: cryptsetup-libs = %{version}-%{release}
+
+%description -n integritysetup
+The integritysetup package contains a utility for setting up
+disk integrity protection using dm-integrity kernel module.
+
+%package reencrypt
+Group: Applications/System
+Summary: A utility for offline reencryption of LUKS encrypted disks.
+Requires: cryptsetup-libs = %{version}-%{release}
+
+%description reencrypt
+This package contains cryptsetup-reencrypt utility which
+can be used for offline reencryption of disk in situ.
+
+%prep
+%setup -q -n cryptsetup-%{upstream_version}
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch0 -p1
+chmod -x misc/dracut_90reencrypt/*
+
+%build
+%configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --with-crypto_backend=openssl --with-default-luks-format=LUKS2
+make %{?_smp_mflags}
+
+%install
+make install DESTDIR=%{buildroot}
+rm -rf %{buildroot}/%{_libdir}/*.la
+
+%find_lang cryptsetup
+
+%post -n cryptsetup-libs -p /sbin/ldconfig
+
+%postun -n cryptsetup-libs -p /sbin/ldconfig
+
+%files
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%doc AUTHORS FAQ docs/*ReleaseNotes
+%{_mandir}/man8/cryptsetup.8.gz
+%{_sbindir}/cryptsetup
+
+%files -n veritysetup
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%{_mandir}/man8/veritysetup.8.gz
+%{_sbindir}/veritysetup
+
+%files -n integritysetup
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%{_mandir}/man8/integritysetup.8.gz
+%{_sbindir}/integritysetup
+
+%files reencrypt
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%doc misc/dracut_90reencrypt
+%{_mandir}/man8/cryptsetup-reencrypt.8.gz
+%{_sbindir}/cryptsetup-reencrypt
+
+%files devel
+%doc docs/examples/*
+%{_includedir}/libcryptsetup.h
+%{_libdir}/libcryptsetup.so
+%{_libdir}/pkgconfig/libcryptsetup.pc
+
+%files libs -f cryptsetup.lang
+%{!?_licensedir:%global license %%doc}
+%license COPYING COPYING.LGPL
+%{_libdir}/libcryptsetup.so.*
+%{_tmpfilesdir}/cryptsetup.conf
+%ghost %attr(700, -, -) %dir /run/cryptsetup
+
+%clean
+
+%changelog
+* Thu Feb 24 2022 Ondrej Kozina - 2.3.7-2
+- patch: Fix cryptsetup --test-passphrase when device in
+ reencryption
+- Resolves: #2058009
+
+* Thu Jan 20 2022 Ondrej Kozina - 2.3.7-1
+- update to cryptsetup 2.3.7
+- fixes CVE-2021-4122
+- patch: Fix suboptimal optimization in bundled argon2.
+- patch: Fix bogus memory allocation/device read with
+ invalid LUKS2 headers
+- patch: Fix typo in luksRepair prompt.
+- Resolves: #2021815 #2022301 #2031859
+
+* Wed Feb 17 2021 Ondrej Kozina - 2.3.3-4
+- patch: Fix reencryption for custom devices with data segments
+ set to use cipher_null.
+- Resolves: #1927409
+
+* Wed Feb 03 2021 Ondrej Kozina - 2.3.3-3
+- patch: Fix crypto backend to properly handle ECB mode.
+- Resolves: #1859091
+
+* Thu Aug 27 2020 Ondrej Kozina - 2.3.3-2
+- patch: Fix possible memory corruption in LUKS2 validation
+ code in 32bit library.
+- Resolves: #1872294
+
+* Thu May 28 2020 Ondrej Kozina - 2.3.3-1
+- Update to cryptsetup 2.3.3
+- Resolves: #1796826 #1743891 #1785748
+
+* Fri Apr 03 2020 Ondrej Kozina - 2.3.1-1
+- Update to cryptsetup 2.3.1
+- Resolves: #1796826 #1743891 #1785748
+
+* Mon Nov 18 2019 Ondrej Kozina - 2.2.2-1
+- Update to cryptsetup 2.2.2
+- LUKS2 reencryption honors activation flags (one time and persistent).
+- LUKS2 reencryption works also without volume keys put in kernel
+ keyring service.
+- Resolves: #1757783 #1750680 #1753597 #1743399
+
+* Fri Aug 30 2019 Ondrej Kozina - 2.2.0-2
+- patch: Fix mapped segments overflow on 32bit architectures.
+- patch: Take optimal io size in account with LUKS2 reencryption.
+- Resolves: #1742815 #1746532
+
+* Thu Aug 15 2019 Ondrej Kozina - 2.2.0-1
+- Update to cryptsetup 2.2.0 (final)
+- Resolves: #1738263 #1740342 #1733391 #1729600 #1733390
+
+* Fri Jun 14 2019 Ondrej Kozina - 2.2.0-0.2
+- Updates to reencryption feature.
+- Resolves: #1676622
+
+* Fri May 03 2019 Ondrej Kozina - 2.2.0-0.1
+- Update to cryptsetup 2.2.0
+- remove python bits from spec file.
+- Resolves: #1676622
+
+* Thu Mar 21 2019 Milan Broz - 2.0.6-2
+- Add gating tests.
+- Resolves: #1682539
+
+* Mon Dec 03 2018 Ondrej Kozina - 2.0.6-1
+- Update to cryptsetup 2.0.6
+- Enables all supported metadata sizes in LUKS2 validation code.
+- Resolves: #1653383
+
+* Fri Aug 10 2018 Ondrej Kozina - 2.0.4-2
+- patch: fix device alignment bug when processing hinted
+ value by device topology info.
+- Resolves: #1614219
+
+* Wed Aug 08 2018 Ondrej Kozina - 2.0.4-1
+- Update to cryptsetup 2.0.4.
+- patch: Add RHEL system library paths in configure.
+- patch: Increase default LUKS2 header size to 8 MiBs.
+- patch: update tests to be compatible with larger headers.
+- Set default format to LUKS2.
+- Cleanup changelog.
+- Resolves: #1564540 #1595257 #1595266 #1595881 #1600164
+
+* Fri May 04 2018 Ondrej Kozina - 2.0.3-1
+- Update to cryptsetup 2.0.3.
+
+* Tue Mar 27 2018 Björn Esser - 2.0.2-2
+- Rebuilt for libjson-c.so.4 (json-c v0.13.1) on fc28
+
+* Wed Mar 07 2018 Milan Broz - 2.0.2-1
+- Update to cryptsetup 2.0.2.
diff --git a/sources b/sources
new file mode 100644
index 0000000..fee5fdf
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (cryptsetup-2.3.7.tar.xz) = d209225c6f195f54c513904b71637bdadd47f3efc6227c61c15434a1467ddb76fe14123683a3d5e943ffa203ef33611f51b7c67bc1aed67d019a6aa552ea15ab
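Review bot: `Source0` in cryptsetup.spec still points at the `v2.0/` directory on kernel.org while `Version` is 2.3.7, so the recorded URL most likely does not resolve to the tarball that the SHA512 in `sources` pins. Upstream's release directories appear to follow the major.minor series, which would make the line `Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-%{upstream_version}.tar.xz`; that should be confirmed against the upstream site before changing it. The build trusts the lookaside hash alone, so if upstream's detached signature is available it is worth listing it as an additional Source and checking it in `%prep`, tying the imported tarball to the upstream signer rather than to whoever uploaded it. Minor: the comment `# Following patch has to applied last` is missing "be".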