Auto sync2gitlab import of cryptsetup-2.3.7-2.el8.src.rpm

.gitignore

@@ -0,0 +1 @@
+/cryptsetup-2.3.7.tar.xz

EMPTY

@@ -1 +0,0 @@
- 

cryptsetup-2.4.2-Do-not-try-to-set-compiler-optimization-flag-if-wipe.patch

@@ -0,0 +1,53 @@
+From a76310b53fbb117e620f2c37350b68dd267f1088 Mon Sep 17 00:00:00 2001
+From: Milan Broz <gmazyland@gmail.com>
+Date: Mon, 20 Sep 2021 17:42:20 +0200
+Subject: [PATCH] Do not try to set compiler optimization flag if wipe is
+ implemented in libc.
+
+If zeroing memory is implemented through libc call (like memset_bzero),
+compiler should never remove such call. It is not needed to set O0
+optimization flag explicitly.
+
+Various checkers like annocheck causes problems with these flags,
+just remove it where it makes no sense.
+
+(Moreover, we use the same pattern without compiler magic
+in crypt_backend_memzero() already.)
+---
+ lib/crypto_backend/argon2/core.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/lib/crypto_backend/argon2/core.c b/lib/crypto_backend/argon2/core.c
+index b204ba98..db9a7741 100644
+--- a/lib/crypto_backend/argon2/core.c
++++ b/lib/crypto_backend/argon2/core.c
+@@ -120,18 +120,24 @@ void free_memory(const argon2_context *context, uint8_t *memory,
+     }
+ }
+ 
+-void NOT_OPTIMIZED secure_wipe_memory(void *v, size_t n) {
+ #if defined(_MSC_VER) && VC_GE_2005(_MSC_VER)
++void secure_wipe_memory(void *v, size_t n) {
+     SecureZeroMemory(v, n);
++}
+ #elif defined memset_s
++void secure_wipe_memory(void *v, size_t n) {
+     memset_s(v, n, 0, n);
++}
+ #elif defined(HAVE_EXPLICIT_BZERO)
++void secure_wipe_memory(void *v, size_t n) {
+     explicit_bzero(v, n);
++}
+ #else
++void NOT_OPTIMIZED secure_wipe_memory(void *v, size_t n) {
+     static void *(*const volatile memset_sec)(void *, int, size_t) = &memset;
+     memset_sec(v, 0, n);
+-#endif
+ }
++#endif
+ 
+ /* Memory clear flag defaults to true. */
+ int FLAG_clear_internal_memory = 1;
+-- 
+2.27.0
+

cryptsetup-2.4.2-Fix-bogus-memory-allocation-if-LUKS2-header-size-is-.patch

@@ -0,0 +1,295 @@
+From 9576549fee9228cabd9ceee27739a30caab5a7f6 Mon Sep 17 00:00:00 2001
+From: Milan Broz <gmazyland@gmail.com>
+Date: Tue, 9 Nov 2021 11:54:27 +0100
+Subject: [PATCH] Fix bogus memory allocation if LUKS2 header size is invalid.
+
+LUKS2 code read the whole header to buffer to verify checksum,
+so malloc is called on unvalidated input size parameter.
+
+This can cause out of memory or unintentional device reads.
+(Header validation will fail later anyway - the size is unsupported.)
+
+Just do not allow too small and too big allocations here and fail quickly.
+
+Fixes: #683.
+---
+ lib/luks2/luks2_disk_metadata.c               | 20 +++-
+ ...ks2-metadata-size-invalid-secondary.img.sh | 96 +++++++++++++++++++
+ ...enerate-luks2-metadata-size-invalid.img.sh | 94 ++++++++++++++++++
+ tests/luks2-validation-test                   |  2 +
+ 4 files changed, 208 insertions(+), 4 deletions(-)
+ create mode 100755 tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh
+ create mode 100755 tests/generators/generate-luks2-metadata-size-invalid.img.sh
+
+diff --git a/lib/luks2/luks2_disk_metadata.c b/lib/luks2/luks2_disk_metadata.c
+index 502b0226..0500d5c7 100644
+--- a/lib/luks2/luks2_disk_metadata.c
++++ b/lib/luks2/luks2_disk_metadata.c
+@@ -195,6 +195,8 @@ static int hdr_disk_sanity_check_pre(struct crypt_device *cd,
+ 				     size_t *hdr_json_size, int secondary,
+ 				     uint64_t offset)
+ {
++	uint64_t hdr_size;
++
+ 	if (memcmp(hdr->magic, secondary ? LUKS2_MAGIC_2ND : LUKS2_MAGIC_1ST, LUKS2_MAGIC_L))
+ 		return -EINVAL;
+ 
+@@ -209,19 +211,26 @@ static int hdr_disk_sanity_check_pre(struct crypt_device *cd,
+ 		return -EINVAL;
+ 	}
+ 
+-	if (secondary && (offset != be64_to_cpu(hdr->hdr_size))) {
++	hdr_size = be64_to_cpu(hdr->hdr_size);
++
++	if (hdr_size < LUKS2_HDR_16K_LEN || hdr_size > LUKS2_HDR_OFFSET_MAX) {
++		log_dbg(cd, "LUKS2 header has bogus size 0x%04x.", (unsigned)hdr_size);
++		return -EINVAL;
++	}
++
++	if (secondary && (offset != hdr_size)) {
+ 		log_dbg(cd, "LUKS2 offset 0x%04x in secondary header does not match size 0x%04x.",
+-			(unsigned)offset, (unsigned)be64_to_cpu(hdr->hdr_size));
++			(unsigned)offset, (unsigned)hdr_size);
+ 		return -EINVAL;
+ 	}
+ 
+ 	/* FIXME: sanity check checksum alg. */
+ 
+ 	log_dbg(cd, "LUKS2 header version %u of size %u bytes, checksum %s.",
+-		(unsigned)be16_to_cpu(hdr->version), (unsigned)be64_to_cpu(hdr->hdr_size),
++		(unsigned)be16_to_cpu(hdr->version), (unsigned)hdr_size,
+ 		hdr->checksum_alg);
+ 
+-	*hdr_json_size = be64_to_cpu(hdr->hdr_size) - LUKS2_HDR_BIN_LEN;
++	*hdr_json_size = hdr_size - LUKS2_HDR_BIN_LEN;
+ 	return 0;
+ }
+ 
+@@ -252,6 +261,9 @@ static int hdr_read_disk(struct crypt_device *cd,
+ 		return -EIO;
+ 	}
+ 
++	/*
++	 * hdr_json_size is validated if this call succeeds
++	 */
+ 	r = hdr_disk_sanity_check_pre(cd, hdr_disk, &hdr_json_size, secondary, offset);
+ 	if (r < 0) {
+ 		return r;
+diff --git a/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh
+new file mode 100755
+index 00000000..4dd484e9
+--- /dev/null
++++ b/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh
+@@ -0,0 +1,96 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary with predefined json_size. There's only limited
++# set of values allowed as json size in config section of LUKS2
++# metadata
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++	cp $SRC_IMG $TGT_IMG
++	test -d $TMPDIR || mkdir $TMPDIR
++	read_luks2_json0 $TGT_IMG $TMPDIR/json0
++	read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++	read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_1M
++
++	TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++	TEST_MDA_SIZE_BOGUS_BYTES=$((TEST_MDA_SIZE*512*2*1024))
++	TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++	KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
++	JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
++	JSON_SIZE=$((TEST_JSN_SIZE*512))
++	DATA_OFFSET=16777216
++
++	json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
++		   '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
++		    .config.json_size = $jsize |
++		    .segments."0".offset = $off' $TMPDIR/json0)
++	test -n "$json_str" || exit 2
++	test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++	write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++	write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
++	write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BOGUS_BYTES
++
++	write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
++
++	merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++	merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++	erase_checksum $TMPDIR/area0
++	chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++	write_checksum $chks0 $TMPDIR/area0
++
++	erase_checksum $TMPDIR/area1
++	chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++	write_checksum $chks0 $TMPDIR/area1
++
++	kill_bin_hdr $TMPDIR/area0
++
++	write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++	write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++	read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE
++	local str_res0=$(head -c 6 $TMPDIR/hdr_res0)
++	test "$str_res0" = "VACUUM" || exit 2
++	read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE
++	jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
++		'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
++		    (.config.json_size != $jsize)
++		then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5
++}
++
++function cleanup()
++{
++	rm -f $TMPDIR/*
++	rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff --git a/tests/generators/generate-luks2-metadata-size-invalid.img.sh b/tests/generators/generate-luks2-metadata-size-invalid.img.sh
+new file mode 100755
+index 00000000..6b9c0cf7
+--- /dev/null
++++ b/tests/generators/generate-luks2-metadata-size-invalid.img.sh
+@@ -0,0 +1,94 @@
++#!/bin/bash
++
++. lib.sh
++
++#
++# *** Description ***
++#
++# generate primary with predefined json_size. There's only limited
++# set of values allowed as json size in config section of LUKS2
++# metadata
++#
++# secondary header is corrupted on purpose as well
++#
++
++# $1 full target dir
++# $2 full source luks2 image
++
++function prepare()
++{
++	cp $SRC_IMG $TGT_IMG
++	test -d $TMPDIR || mkdir $TMPDIR
++	read_luks2_json0 $TGT_IMG $TMPDIR/json0
++	read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
++	read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
++}
++
++function generate()
++{
++	TEST_MDA_SIZE=$LUKS2_HDR_SIZE_1M
++
++	TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
++	TEST_MDA_SIZE_BOGUS_BYTES=$((TEST_MDA_SIZE*512*2*1024))
++	TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
++	KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
++	JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
++	JSON_SIZE=$((TEST_JSN_SIZE*512))
++	DATA_OFFSET=16777216
++
++	json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
++		   '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
++		    .config.json_size = $jsize |
++		    .segments."0".offset = $off' $TMPDIR/json0)
++	test -n "$json_str" || exit 2
++	test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
++
++	write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
++
++	write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BOGUS_BYTES
++	write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BOGUS_BYTES
++
++	merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
++	merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
++
++	erase_checksum $TMPDIR/area0
++	chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
++	write_checksum $chks0 $TMPDIR/area0
++
++	erase_checksum $TMPDIR/area1
++	chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
++	write_checksum $chks0 $TMPDIR/area1
++
++	kill_bin_hdr $TMPDIR/area1
++
++	write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
++	write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
++}
++
++function check()
++{
++	read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE
++	local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
++	test "$str_res1" = "VACUUM" || exit 2
++	read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE
++	jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
++		'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
++		    (.config.json_size != $jsize)
++		then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
++}
++
++function cleanup()
++{
++	rm -f $TMPDIR/*
++	rm -fd $TMPDIR
++}
++
++test $# -eq 2 || exit 1
++
++TGT_IMG=$1/$(test_img_name $0)
++SRC_IMG=$2
++
++prepare
++generate
++check
++cleanup
+diff --git a/tests/luks2-validation-test b/tests/luks2-validation-test
+index 04183fbc..f771e1f9 100755
+--- a/tests/luks2-validation-test
++++ b/tests/luks2-validation-test
+@@ -229,6 +229,8 @@ RUN luks2-metadata-size-512k-secondary.img		"R" "Valid 512KiB metadata size in s
+ RUN luks2-metadata-size-1m-secondary.img		"R" "Valid 1MiB metadata size in secondary hdr failed to validate"
+ RUN luks2-metadata-size-2m-secondary.img		"R" "Valid 2MiB metadata size in secondary hdr failed to validate"
+ RUN luks2-metadata-size-4m-secondary.img		"R" "Valid 4MiB metadata size in secondary hdr failed to validate"
++RUN luks2-metadata-size-invalid.img			"F" "Invalid metadata size in secondary hdr not rejected"
++RUN luks2-metadata-size-invalid-secondary.img		"F" "Invalid metadata size in secondary hdr not rejected"
+ 
+ remove_mapping
+ 
+-- 
+2.27.0
+

cryptsetup-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch

@@ -0,0 +1,41 @@
+From f671febe64d8f40cdcb1677a08436a8907ccbb7e Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Wed, 23 Feb 2022 12:27:57 +0100
+Subject: [PATCH 2/3] Add more tests for --test-passphrase parameter.
+
+---
+ tests/compat-test-args        |  4 ++++
+ tests/luks2-reencryption-test | 18 ++++++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
+index 6f156016..73818b5d 100755
+--- a/tests/luks2-reencryption-test
++++ b/tests/luks2-reencryption-test
+@@ -1606,5 +1606,23 @@ if [ -n "$DM_SECTOR_SIZE" ]; then
+ 	reencrypt_recover_online 4096 journal $HASH1
+ fi
+ 
++echo "[27] Verify test passphrase mode works with reencryption metadata"
++echo $PWD1 | $CRYPTSETUP -S5 -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV || fail
++echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $DEV || fail
++echo $PWD1 | $CRYPTSETUP reencrypt --init-only $DEV || fail
++echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail
++
++echo $PWD1 | $CRYPTSETUP -q luksFormat -S5 --header $IMG_HDR --type luks2 $FAST_PBKDF_ARGON $DEV || fail
++echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $IMG_HDR || fail
++echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --init-only --header $IMG_HDR $DEV || fail
++echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail
++
++echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --init-only --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
++echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail
++
++wipe_dev $DEV
++echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 8M $FAST_PBKDF_ARGON $DEV || fail
++echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail
++
+ remove_mapping
+ exit 0
+-- 
+2.27.0
+

cryptsetup-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch

@@ -0,0 +1,103 @@
+diff -rupN cryptsetup-2.3.7.old/man/cryptsetup.8 cryptsetup-2.3.7/man/cryptsetup.8
+--- cryptsetup-2.3.7.old/man/cryptsetup.8	2022-02-24 15:58:37.968167423 +0100
++++ cryptsetup-2.3.7/man/cryptsetup.8	2022-02-24 17:06:25.326217548 +0100
+@@ -321,7 +321,7 @@ the command prompts for it interactively
+ \-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase,
+ \-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id,
+ \-\-token\-only, \-\-disable\-keyring, \-\-disable\-locks, \-\-type, \-\-refresh,
+-\-\-serialize\-memory\-hard\-pbkdf].
++\-\-serialize\-memory\-hard\-pbkdf, \-\-unbound].
+ .PP
+ \fIluksSuspend\fR <name>
+ .IP
+@@ -1409,10 +1409,14 @@ aligned to page size and page-cache init
+ integrity tag.
+ .TP
+ .B "\-\-unbound"
+-
+ Creates new or dumps existing LUKS2 unbound keyslot. See \fIluksAddKey\fR or
+ \fIluksDump\fR actions for more details.
+ 
++When used in \fIluksOpen\fR action (allowed only together with
++\-\-test\-passphrase parameter), it allows to test passphrase for unbound LUKS2
++keyslot. Otherwise, unbound keyslot passphrase can be tested only when specific
++keyslot is selected via \-\-key\-slot parameter.
++
+ .TP
+ .B "\-\-tcrypt\-hidden"
+ .B "\-\-tcrypt\-system"
+diff -rupN cryptsetup-2.3.7.old/src/cryptsetup.c cryptsetup-2.3.7/src/cryptsetup.c
+--- cryptsetup-2.3.7.old/src/cryptsetup.c	2022-02-24 15:58:37.969167429 +0100
++++ cryptsetup-2.3.7/src/cryptsetup.c	2022-02-24 17:10:30.947561638 +0100
+@@ -230,7 +230,7 @@ static void _set_activation_flags(uint32
+ 		*flags |= CRYPT_ACTIVATE_IGNORE_PERSISTENT;
+ 
+ 	/* Only for LUKS2 but ignored elsewhere */
+-	if (opt_test_passphrase)
++	if (opt_test_passphrase && (opt_unbound || (opt_key_slot != CRYPT_ANY_SLOT)))
+ 		*flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY;
+ 
+ 	if (opt_serialize_memory_hard_pbkdf)
+@@ -4021,6 +4021,17 @@ int main(int argc, const char **argv)
+ 		_("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."),
+ 		poptGetInvocationName(popt_context));
+ 
++	if (opt_unbound && !strcmp(aname, "open") && device_type &&
++	    strncmp(device_type, "luks", 4))
++		usage(popt_context, EXIT_FAILURE,
++		_("Option --unbound is allowed only for open of luks device."),
++		poptGetInvocationName(popt_context));
++
++	if (opt_unbound && !opt_test_passphrase && !strcmp(aname, "open"))
++		usage(popt_context, EXIT_FAILURE,
++		_("Option --unbound cannot be used without --test-passphrase."),
++		poptGetInvocationName(popt_context));
++
+ 	if (opt_tcrypt_hidden && opt_allow_discards)
+ 		usage(popt_context, EXIT_FAILURE,
+ 		_("Option --tcrypt-hidden cannot be combined with --allow-discards."),
+@@ -4103,9 +4114,9 @@ int main(int argc, const char **argv)
+ 		      _("Keyslot specification is required."),
+ 		      poptGetInvocationName(popt_context));
+ 
+-	if (opt_unbound && strcmp(aname, "luksAddKey") && strcmp(aname, "luksDump"))
++	if (opt_unbound && strcmp(aname, "luksAddKey") && strcmp(aname, "luksDump") && strcmp(aname, "open"))
+ 		usage(popt_context, EXIT_FAILURE,
+-		      _("Option --unbound may be used only with luksAddKey and luksDump actions."),
++		      _("Option --unbound may be used only with luksAddKey, luksDump and open actions."),
+ 		      poptGetInvocationName(popt_context));
+ 
+ 	if (opt_refresh && strcmp(aname, "open"))
+diff -rupN cryptsetup-2.3.7.old/tests/compat-test2 cryptsetup-2.3.7/tests/compat-test2
+--- cryptsetup-2.3.7.old/tests/compat-test2	2022-02-24 15:58:38.013167680 +0100
++++ cryptsetup-2.3.7/tests/compat-test2	2022-02-24 17:23:23.035760517 +0100
+@@ -696,7 +696,7 @@ $CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOP
+ # otoh it should be allowed to test for proper passphrase
+ prepare "" new
+ echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
+-echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
++echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail
+ echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
+ [ -b /dev/mapper/$DEV_NAME ] && fail
+ echo $PWD1 | $CRYPTSETUP open $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
+@@ -705,7 +705,7 @@ echo $PWD0 | $CRYPTSETUP open -S1 --test
+ $CRYPTSETUP luksKillSlot -q $HEADER_KEYU 0
+ $CRYPTSETUP luksDump $HEADER_KEYU | grep -q "0: luks2" && fail
+ echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
+-echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
++echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail
+ echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
+ 
+ prepare "[28] Detached LUKS header" wipe
+@@ -952,11 +952,9 @@ echo $PWD3 | $CRYPTSETUP -q luksAddKey -
+ # do not allow to replace keyslot by unbound slot
+ echo $PWD1 | $CRYPTSETUP -q luksAddKey -S5 --unbound -s 32 $LOOPDEV 2>/dev/null && fail
+ echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
+-echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
+ echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV $DEV_NAME 2> /dev/null && fail
+ echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV --test-passphrase || fail
+ echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
+-echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
+ # check we're able to change passphrase for unbound keyslot
+ echo -e "$PWD2\n$PWD3" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail
+ echo $PWD3 | $CRYPTSETUP open --test-passphrase $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail

cryptsetup-2.5.0-Fix-typo-in-repair-prompt.patch

@@ -0,0 +1,12 @@
+diff -rupN cryptsetup-2.3.7.old/src/cryptsetup.c cryptsetup-2.3.7/src/cryptsetup.c
+--- cryptsetup-2.3.7.old/src/cryptsetup.c	2022-01-20 14:47:13.198475734 +0100
++++ cryptsetup-2.3.7/src/cryptsetup.c	2022-01-20 14:47:24.186505625 +0100
+@@ -1137,7 +1137,7 @@ static int reencrypt_metadata_repair(str
+ 		       _("Operation aborted.\n")))
+ 		return -EINVAL;
+ 
+-	r = tools_get_key(_("Enter passphrase to protect and uppgrade reencryption metadata: "),
++	r = tools_get_key(_("Enter passphrase to protect and upgrade reencryption metadata: "),
+ 			  &password, &passwordLen, opt_keyfile_offset,
+ 			  opt_keyfile_size, opt_key_file, opt_timeout,
+ 			  _verify_passphrase(0), 0, cd);

cryptsetup-add-system-library-paths.patch

@@ -0,0 +1,22 @@
+diff -rupN cryptsetup-2.0.4.old/configure cryptsetup-2.0.4/configure
+--- cryptsetup-2.0.4.old/configure	2018-08-03 12:31:52.000000000 +0200
++++ cryptsetup-2.0.4/configure	2018-08-03 13:42:50.605275535 +0200
+@@ -12300,6 +12300,9 @@ fi
+   # before this can be enabled.
+   hardcode_into_libs=yes
+ 
++  # Add ABI-specific directories to the system library path.
++  sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
++
+   # Ideally, we could use ldconfig to report *all* directores which are
+   # searched for libraries, however this is still not possible.  Aside from not
+   # being certain /sbin/ldconfig is available, command
+@@ -12308,7 +12311,7 @@ fi
+   # appending ld.so.conf contents (and includes) to the search path.
+   if test -f /etc/ld.so.conf; then
+     lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
+-    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
++    sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
+   fi
+ 
+   # We used to test for /lib/ld.so.1 and disable shared libraries on

cryptsetup-disable-verity-compat-test.patch

@@ -0,0 +1,13 @@
+diff --git a/tests/Makefile.localtest b/tests/Makefile.localtest
+index 29a62f3..da2183e 100644
+--- a/tests/Makefile.localtest
++++ b/tests/Makefile.localtest
+@@ -5,7 +5,7 @@
+ CPPFLAGS=-I../lib/ -I../lib/luks1 -DHAVE_DECL_DM_TASK_RETRY_REMOVE -DKERNEL_KEYRING -DHAVE_SYS_SYSMACROS_H -DNO_CRYPTSETUP_PATH
+ CFLAGS=-O2 -g -Wall
+ LDLIBS=-lcryptsetup -ldevmapper
+-TESTS=$(wildcard *-test *-test2) api-test api-test-2
++TESTS=$(filter-out verity-compat-test, $(wildcard *-test *-test2)) api-test api-test-2
+ 
+ differ: differ.o
+ 	$(CC) -o $@ $^

cryptsetup.spec

@@ -0,0 +1,242 @@
+Obsoletes: python2-cryptsetup
+Obsoletes: cryptsetup-python
+Obsoletes: cryptsetup-python3
+
+Summary: A utility for setting up encrypted disks
+Name: cryptsetup
+Version: 2.3.7
+Release: 2%{?dist}
+License: GPLv2+ and LGPLv2+
+Group: Applications/System
+URL: https://gitlab.com/cryptsetup/cryptsetup
+BuildRequires: openssl-devel, popt-devel, device-mapper-devel
+BuildRequires: libuuid-devel, gcc, libblkid-devel
+BuildRequires: libpwquality-devel, json-c-devel
+Provides: cryptsetup-luks = %{version}-%{release}
+Obsoletes: cryptsetup-luks < 1.4.0
+Requires: cryptsetup-libs = %{version}-%{release}
+Requires: libpwquality >= 1.2.0
+
+%global upstream_version %{version}
+Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{upstream_version}.tar.xz
+# Following patch has to applied last
+Patch0:  %{name}-add-system-library-paths.patch
+# Remove the patch when (if ever) osci infrastructure gets stable enough
+Patch1:  %{name}-disable-verity-compat-test.patch
+Patch2:  %{name}-2.4.2-Do-not-try-to-set-compiler-optimization-flag-if-wipe.patch
+Patch3:  %{name}-2.4.2-Fix-bogus-memory-allocation-if-LUKS2-header-size-is-.patch
+Patch4:  %{name}-2.5.0-Fix-typo-in-repair-prompt.patch
+Patch5:  %{name}-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch
+Patch6:  %{name}-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch
+
+%description
+The cryptsetup package contains a utility for setting up
+disk encryption using dm-crypt kernel module.
+
+%package devel
+Group: Development/Libraries
+Requires: %{name} = %{version}-%{release}
+Requires: pkgconfig
+Summary: Headers and libraries for using encrypted file systems
+Provides: cryptsetup-luks-devel = %{version}-%{release}
+Obsoletes: cryptsetup-luks-devel < 1.4.0
+
+%description devel
+The cryptsetup-devel package contains libraries and header files
+used for writing code that makes use of disk encryption.
+
+%package libs
+Group: System Environment/Libraries
+Summary: Cryptsetup shared library
+Provides: cryptsetup-luks-libs = %{version}-%{release}
+Obsoletes: cryptsetup-luks-libs < 1.4.0
+
+%description libs
+This package contains the cryptsetup shared library, libcryptsetup.
+
+%package -n veritysetup
+Group: Applications/System
+Summary: A utility for setting up dm-verity volumes
+Requires: cryptsetup-libs = %{version}-%{release}
+
+%description -n veritysetup
+The veritysetup package contains a utility for setting up
+disk verification using dm-verity kernel module.
+
+%package -n integritysetup
+Group: Applications/System
+Summary: A utility for setting up dm-integrity volumes
+Requires: cryptsetup-libs = %{version}-%{release}
+
+%description -n integritysetup
+The integritysetup package contains a utility for setting up
+disk integrity protection using dm-integrity kernel module.
+
+%package reencrypt
+Group: Applications/System
+Summary: A utility for offline reencryption of LUKS encrypted disks.
+Requires: cryptsetup-libs = %{version}-%{release}
+
+%description reencrypt
+This package contains cryptsetup-reencrypt utility which
+can be used for offline reencryption of disk in situ.
+
+%prep
+%setup -q -n cryptsetup-%{upstream_version}
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch0 -p1
+chmod -x misc/dracut_90reencrypt/*
+
+%build
+%configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --with-crypto_backend=openssl --with-default-luks-format=LUKS2
+make %{?_smp_mflags}
+
+%install
+make install DESTDIR=%{buildroot}
+rm -rf %{buildroot}/%{_libdir}/*.la
+
+%find_lang cryptsetup
+
+%post -n cryptsetup-libs -p /sbin/ldconfig
+
+%postun -n cryptsetup-libs -p /sbin/ldconfig
+
+%files
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%doc AUTHORS FAQ docs/*ReleaseNotes
+%{_mandir}/man8/cryptsetup.8.gz
+%{_sbindir}/cryptsetup
+
+%files -n veritysetup
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%{_mandir}/man8/veritysetup.8.gz
+%{_sbindir}/veritysetup
+
+%files -n integritysetup
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%{_mandir}/man8/integritysetup.8.gz
+%{_sbindir}/integritysetup
+
+%files reencrypt
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%doc misc/dracut_90reencrypt
+%{_mandir}/man8/cryptsetup-reencrypt.8.gz
+%{_sbindir}/cryptsetup-reencrypt
+
+%files devel
+%doc docs/examples/*
+%{_includedir}/libcryptsetup.h
+%{_libdir}/libcryptsetup.so
+%{_libdir}/pkgconfig/libcryptsetup.pc
+
+%files libs -f cryptsetup.lang
+%{!?_licensedir:%global license %%doc}
+%license COPYING COPYING.LGPL
+%{_libdir}/libcryptsetup.so.*
+%{_tmpfilesdir}/cryptsetup.conf
+%ghost %attr(700, -, -) %dir /run/cryptsetup
+
+%clean
+
+%changelog
+* Thu Feb 24 2022 Ondrej Kozina <okozina@redhat.com> - 2.3.7-2
+- patch: Fix cryptsetup --test-passphrase when device in
+  reencryption
+- Resolves: #2058009
+
+* Thu Jan 20 2022 Ondrej Kozina <okozina@redhat.com> - 2.3.7-1
+- update to cryptsetup 2.3.7
+- fixes CVE-2021-4122
+- patch: Fix suboptimal optimization in bundled argon2.
+- patch: Fix bogus memory allocation/device read with
+         invalid LUKS2 headers
+- patch: Fix typo in luksRepair prompt.
+- Resolves: #2021815 #2022301 #2031859
+
+* Wed Feb 17 2021 Ondrej Kozina <okozina@redhat.com> - 2.3.3-4
+- patch: Fix reencryption for custom devices with data segments
+  set to use cipher_null.
+- Resolves: #1927409
+
+* Wed Feb 03 2021 Ondrej Kozina <okozina@redhat.com> - 2.3.3-3
+- patch: Fix crypto backend to properly handle ECB mode.
+- Resolves: #1859091
+
+* Thu Aug 27 2020 Ondrej Kozina <okozina@redhat.com> - 2.3.3-2
+- patch: Fix possible memory corruption in LUKS2 validation
+	 code in 32bit library.
+- Resolves: #1872294
+
+* Thu May 28 2020 Ondrej Kozina <okozina@redhat.com> - 2.3.3-1
+- Update to cryptsetup 2.3.3
+- Resolves: #1796826 #1743891 #1785748
+
+* Fri Apr 03 2020 Ondrej Kozina <okozina@redhat.com> - 2.3.1-1
+- Update to cryptsetup 2.3.1
+- Resolves: #1796826 #1743891 #1785748
+
+* Mon Nov 18 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.2-1
+- Update to cryptsetup 2.2.2
+- LUKS2 reencryption honors activation flags (one time and persistent).
+- LUKS2 reencryption works also without volume keys put in kernel
+  keyring service.
+- Resolves: #1757783 #1750680 #1753597 #1743399
+
+* Fri Aug 30 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-2
+- patch: Fix mapped segments overflow on 32bit architectures.
+- patch: Take optimal io size in account with LUKS2 reencryption.
+- Resolves: #1742815 #1746532
+
+* Thu Aug 15 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-1
+- Update to cryptsetup 2.2.0 (final)
+- Resolves: #1738263 #1740342 #1733391 #1729600 #1733390
+
+* Fri Jun 14 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-0.2
+- Updates to reencryption feature.
+- Resolves: #1676622
+
+* Fri May 03 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-0.1
+- Update to cryptsetup 2.2.0
+- remove python bits from spec file.
+- Resolves: #1676622
+
+* Thu Mar 21 2019 Milan Broz <mbroz@redhat.com> - 2.0.6-2
+- Add gating tests.
+- Resolves: #1682539
+
+* Mon Dec 03 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.6-1
+- Update to cryptsetup 2.0.6
+- Enables all supported metadata sizes in LUKS2 validation code.
+- Resolves: #1653383
+
+* Fri Aug 10 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.4-2
+- patch: fix device alignment bug when processing hinted
+  value by device topology info.
+- Resolves: #1614219
+
+* Wed Aug 08 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.4-1
+- Update to cryptsetup 2.0.4.
+- patch: Add RHEL system library paths in configure.
+- patch: Increase default LUKS2 header size to 8 MiBs.
+- patch: update tests to be compatible with larger headers.
+- Set default format to LUKS2.
+- Cleanup changelog.
+- Resolves: #1564540 #1595257 #1595266 #1595881 #1600164
+
+* Fri May 04 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.3-1
+- Update to cryptsetup 2.0.3.
+
+* Tue Mar 27 2018 Björn Esser <besser82@fedoraproject.org> - 2.0.2-2
+- Rebuilt for libjson-c.so.4 (json-c v0.13.1) on fc28
+
+* Wed Mar 07 2018 Milan Broz <gmazyland@gmail.com> - 2.0.2-1
+- Update to cryptsetup 2.0.2.

sources

@@ -0,0 +1 @@
+SHA512 (cryptsetup-2.3.7.tar.xz) = d209225c6f195f54c513904b71637bdadd47f3efc6227c61c15434a1467ddb76fe14123683a3d5e943ffa203ef33611f51b7c67bc1aed67d019a6aa552ea15ab