diff --git a/.gitignore b/.gitignore index 2932ca4..3d8f466 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ /cryptsetup-2.4.3.tar.xz /tests.tar.xz /cryptsetup-2.6.0.tar.xz +/cryptsetup-2.7.2.tar.xz diff --git a/cryptsetup-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch b/cryptsetup-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch deleted file mode 100644 index bc50c82..0000000 --- a/cryptsetup-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch +++ /dev/null @@ -1,161 +0,0 @@ -From c18dcfaa0b91eb48006232fbfadce9e6a9b4a790 Mon Sep 17 00:00:00 2001 -From: Ondrej Kozina -Date: Fri, 2 Dec 2022 15:39:36 +0100 -Subject: [PATCH 2/2] Abort encryption when header and data devices are same. - -If data device reduction is not requsted this led -to data corruption since LUKS metadata was written -over the data device. ---- - src/utils_reencrypt.c | 42 ++++++++++++++++++++++++++++++---- - tests/luks2-reencryption-test | 16 +++++++++++++ - tests/reencryption-compat-test | 20 +++++++++++++--- - 3 files changed, 70 insertions(+), 8 deletions(-) - -diff --git a/src/utils_reencrypt.c b/src/utils_reencrypt.c -index 87ead680..73e0bca8 100644 ---- a/src/utils_reencrypt.c -+++ b/src/utils_reencrypt.c -@@ -467,6 +467,26 @@ static int reencrypt_check_active_device_sb_block_size(const char *active_device - return reencrypt_check_data_sb_block_size(dm_device, new_sector_size); - } - -+static int reencrypt_is_header_detached(const char *header_device, const char *data_device) -+{ -+ int r; -+ struct stat st; -+ struct crypt_device *cd; -+ -+ if (!header_device) -+ return 0; -+ -+ if (header_device && stat(header_device, &st) < 0 && errno == ENOENT) -+ return 1; -+ -+ if ((r = crypt_init_data_device(&cd, header_device, data_device))) -+ return r; -+ -+ r = crypt_header_is_detached(cd); -+ crypt_free(cd); -+ return r; -+} -+ - static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device, const char *device_name) - { - int keyslot, r, fd; -@@ -490,9 +510,14 @@ static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device, - - _set_reencryption_flags(¶ms.flags); - -- if (!data_shift && !ARG_SET(OPT_HEADER_ID)) { -- log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size).")); -- return -ENOTSUP; -+ if (!data_shift) { -+ r = reencrypt_is_header_detached(ARG_STR(OPT_HEADER_ID), data_device); -+ if (r < 0) -+ return r; -+ if (!r) { -+ log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size).")); -+ return -ENOTSUP; -+ } - } - - if (!ARG_SET(OPT_HEADER_ID) && ARG_UINT64(OPT_OFFSET_ID) && -@@ -1358,9 +1383,16 @@ static int _encrypt(struct crypt_device *cd, const char *type, enum device_statu - if (!type) - type = crypt_get_default_type(); - -- if (dev_st == DEVICE_LUKS1_UNUSABLE || isLUKS1(type)) -+ if (dev_st == DEVICE_LUKS1_UNUSABLE || isLUKS1(type)) { -+ r = reencrypt_is_header_detached(ARG_STR(OPT_HEADER_ID), action_argv[0]); -+ if (r < 0) -+ return r; -+ if (!r && !ARG_SET(OPT_REDUCE_DEVICE_SIZE_ID)) { -+ log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size).")); -+ return -ENOTSUP; -+ } - return reencrypt_luks1(action_argv[0]); -- else if (dev_st == DEVICE_NOT_LUKS) { -+ } else if (dev_st == DEVICE_NOT_LUKS) { - r = encrypt_luks2_init(&encrypt_cd, action_argv[0], action_argc > 1 ? action_argv[1] : NULL); - if (r < 0 || ARG_SET(OPT_INIT_ONLY_ID)) { - crypt_free(encrypt_cd); -diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test -index bab54353..a647a8c2 100755 ---- a/tests/luks2-reencryption-test -+++ b/tests/luks2-reencryption-test -@@ -1080,6 +1080,22 @@ $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail - $CRYPTSETUP close $DEV_NAME - echo $PWD1 | $CRYPTSETUP open --header $IMG_HDR $DEV --test-passphrase || fail - -+# Encrypt without size reduction must not allow header device same as data device -+wipe_dev_head $DEV 1 -+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --type luks2 --encrypt --header $DEV -q $FAST_PBKDF_ARGON 2>/dev/null && fail -+$CRYPTSETUP isLUKS $DEV 2>/dev/null && fail -+ln -s $DEV $DEV_LINK || fail -+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --type luks2 --encrypt --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail -+$CRYPTSETUP isLUKS $DEV 2>/dev/null && fail -+rm -f $DEV_LINK || fail -+ -+dd if=/dev/zero of=$IMG bs=4k count=1 >/dev/null 2>&1 -+echo $PWD1 | $CRYPTSETUP reencrypt $IMG --type luks2 --encrypt --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail -+$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail -+ln -s $IMG $DEV_LINK || fail -+echo $PWD1 | $CRYPTSETUP reencrypt $IMG --type luks2 --encrypt --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail -+$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail -+ - echo "[4] Reencryption with detached header" - wipe $PWD1 $IMG_HDR - echo $PWD1 | $CRYPTSETUP reencrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail -diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test -index f6a84137..453831d1 100755 ---- a/tests/reencryption-compat-test -+++ b/tests/reencryption-compat-test -@@ -15,6 +15,7 @@ IMG=reenc-data - IMG_HDR=$IMG.hdr - HEADER_LUKS2_PV=blkid-luks2-pv.img - ORIG_IMG=reenc-data-orig -+DEV_LINK="reenc-test-link" - KEY1=key1 - PWD1="93R4P4pIqAH8" - PWD2="1cND4319812f" -@@ -40,7 +41,7 @@ function remove_mapping() - [ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2 - [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME - [ ! -z "$LOOPDEV1" ] && losetup -d $LOOPDEV1 >/dev/null 2>&1 -- rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $HEADER_LUKS2_PV >/dev/null 2>&1 -+ rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $HEADER_LUKS2_PV $DEV_LINK >/dev/null 2>&1 - umount $MNT_DIR > /dev/null 2>&1 - rmdir $MNT_DIR > /dev/null 2>&1 - LOOPDEV1="" -@@ -302,12 +303,25 @@ check_slot 0 || fail "Only keyslot 0 expected to be enabled" - $REENC $LOOPDEV1 -d $KEY1 $FAST_PBKDF -q || fail - # FIXME echo $PWD1 | $REENC ... - --if [ ! fips_mode ]; then - echo "[4] Encryption of not yet encrypted device" -+# Encrypt without size reduction must not allow header device same as data device -+wipe_dev $LOOPDEV1 -+echo $PWD1 | $REENC $LOOPDEV1 --type luks1 --new --header $LOOPDEV1 -q $FAST_PBKDF_ARGON 2>/dev/null && fail -+$CRYPTSETUP isLUKS $LOOPDEV1 2>/dev/null && fail -+ln -s $LOOPDEV1 $DEV_LINK || fail -+echo $PWD1 | $REENC $LOOPDEV1 --type luks1 --new --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail -+$CRYPTSETUP isLUKS $LOOPDEV1 2>/dev/null && fail -+rm -f $DEV_LINK || fail -+echo $PWD1 | $REENC $IMG --type luks1 --new --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail -+$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail -+ln -s $IMG $DEV_LINK || fail -+echo $PWD1 | $REENC $IMG --type luks1 --new --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail -+$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail -+ -+if [ ! fips_mode ]; then - # well, movin' zeroes :-) - OFFSET=2048 - SIZE=$(blockdev --getsz $LOOPDEV1) --wipe_dev $LOOPDEV1 - dmsetup create $DEV_NAME2 --table "0 $(($SIZE - $OFFSET)) linear $LOOPDEV1 0" || fail - check_hash_dev /dev/mapper/$DEV_NAME2 $HASH3 - dmsetup remove --retry $DEV_NAME2 || fail --- -2.38.1 - diff --git a/cryptsetup-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch b/cryptsetup-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch deleted file mode 100644 index 6a401f2..0000000 --- a/cryptsetup-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch +++ /dev/null @@ -1,662 +0,0 @@ -From e7a1f18d976771efc06987107da12ccae4d0b360 Mon Sep 17 00:00:00 2001 -From: Ondrej Kozina -Date: Fri, 2 Dec 2022 11:40:24 +0100 -Subject: [PATCH 2/3] Change tests to use passphrases with minimal 8 chars - length. - -Skip tests that can not satisfy minimal test passphrase length: - -- empty passphrase -- LUKS1 cipher_null tests (empty passphrase is mandatory) -- LUKS1 encryption ---- - tests/Makefile.am | 3 +- - tests/align-test | 10 +++ - tests/api-test-2.c | 117 +++++++++++++++++---------------- - tests/api-test.c | 14 ++-- - tests/compat-test | 8 ++- - tests/compat-test2 | 16 +++-- - tests/keyring-compat-test | 2 +- - tests/reencryption-compat-test | 10 +++ - tests/ssh-test-plugin | 2 +- - 9 files changed, 110 insertions(+), 72 deletions(-) - -diff --git a/tests/align-test b/tests/align-test -index eedf8b77..5941cde2 100755 ---- a/tests/align-test -+++ b/tests/align-test -@@ -10,9 +10,16 @@ PWD1="93R4P4pIqAH8" - PWD2="mymJeD8ivEhE" - FAST_PBKDF="--pbkdf-force-iterations 1000" - -+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) -+ - CRYPTSETUP_VALGRIND=../.libs/cryptsetup - CRYPTSETUP_LIB_VALGRIND=../.libs - -+function fips_mode() -+{ -+ [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ] -+} -+ - cleanup() { - udevadm settle >/dev/null 2>&1 - if [ -d "$MNT_DIR" ] ; then -@@ -276,6 +283,8 @@ format_plain_fail 2048 - format_plain_fail 4096 - cleanup - -+# skip tests using empty passphrase (LUKS1 cipher_null) -+if [ ! fips_mode ]; then - echo "# Offset check: 512B sector drive" - add_device dev_size_mb=16 sector_size=512 num_tgts=1 - # |k| expO reqO expected slot offsets -@@ -314,6 +323,7 @@ format_null 512 4040 8 - format_null 512 4096 128 - format_null 512 4096 2048 - cleanup -+fi - - echo "# Create enterprise-class 4K drive with fs and LUKS images." - # loop device here presents 512 block but images have 4k block -diff --git a/tests/api-test-2.c b/tests/api-test-2.c -index b7c762d9..2c39191b 100644 ---- a/tests/api-test-2.c -+++ b/tests/api-test-2.c -@@ -74,8 +74,8 @@ typedef int32_t key_serial_t; - #define KEYFILE2 "key2.file" - #define KEY2 "0123456789abcdef" - --#define PASSPHRASE "blabla" --#define PASSPHRASE1 "albalb" -+#define PASSPHRASE "blablabl" -+#define PASSPHRASE1 "albalbal" - - #define DEVICE_TEST_UUID "12345678-1234-1234-1234-123456789abc" - -@@ -107,15 +107,15 @@ typedef int32_t key_serial_t; - #define CONV_L2_512_DET_FULL "l2_512b_det_full" - #define CONV_L1_256_LEGACY "l1_256b_legacy_offset" - #define CONV_L1_256_UNMOVABLE "l1_256b_unmovable" --#define PASS0 "aaa" --#define PASS1 "hhh" --#define PASS2 "ccc" --#define PASS3 "ddd" --#define PASS4 "eee" --#define PASS5 "fff" --#define PASS6 "ggg" --#define PASS7 "bbb" --#define PASS8 "iii" -+#define PASS0 "aaablabl" -+#define PASS1 "hhhblabl" -+#define PASS2 "cccblabl" -+#define PASS3 "dddblabl" -+#define PASS4 "eeeblabl" -+#define PASS5 "fffblabl" -+#define PASS6 "gggblabl" -+#define PASS7 "bbbblabl" -+#define PASS8 "iiiblabl" - - static int _fips_mode = 0; - -@@ -429,11 +429,11 @@ static int _setup(void) - - _system("dd if=/dev/zero of=" IMAGE_EMPTY_SMALL_2 " bs=512 count=2050 2>/dev/null", 1); - -- _system(" [ ! -e " NO_REQS_LUKS2_HEADER " ] && xz -dk " NO_REQS_LUKS2_HEADER ".xz", 1); -+ _system(" [ ! -e " NO_REQS_LUKS2_HEADER " ] && tar xJf " REQS_LUKS2_HEADER ".tar.xz", 1); - fd = loop_attach(&DEVICE_4, NO_REQS_LUKS2_HEADER, 0, 0, &ro); - close(fd); - -- _system(" [ ! -e " REQS_LUKS2_HEADER " ] && xz -dk " REQS_LUKS2_HEADER ".xz", 1); -+ _system(" [ ! -e " REQS_LUKS2_HEADER " ] && tar xJf " REQS_LUKS2_HEADER ".tar.xz", 1); - fd = loop_attach(&DEVICE_5, REQS_LUKS2_HEADER, 0, 0, &ro); - close(fd); - -@@ -709,7 +709,7 @@ static void AddDeviceLuks2(void) - }; - char key[128], key2[128], key3[128]; - -- const char *tmp_buf, *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd"; -+ const char *tmp_buf, *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd"; - const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; - const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e"; - size_t key_size = strlen(vk_hex) / 2; -@@ -1056,7 +1056,6 @@ static void Luks2MetadataSize(void) - }; - char key[128], tmp[128]; - -- const char *passphrase = "blabla"; - const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; - size_t key_size = strlen(vk_hex) / 2; - const char *cipher = "aes"; -@@ -1103,7 +1102,7 @@ static void Luks2MetadataSize(void) - OK_(crypt_init(&cd, DMDIR H_DEVICE)); - OK_(crypt_set_metadata_size(cd, 0x080000, 0x080000)); - OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, key, key_size, ¶ms)); -- EQ_(crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, passphrase, strlen(passphrase)), 7); -+ EQ_(crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, PASSPHRASE, strlen(PASSPHRASE)), 7); - CRYPT_FREE(cd); - OK_(crypt_init(&cd, DMDIR H_DEVICE)); - OK_(crypt_load(cd, CRYPT_LUKS2, NULL)); -@@ -3306,8 +3305,8 @@ static void Luks2Requirements(void) - .key_description = KEY_DESC_TEST0 - }; - -- OK_(prepare_keyfile(KEYFILE1, "aaa", 3)); -- OK_(prepare_keyfile(KEYFILE2, "xxx", 3)); -+ OK_(prepare_keyfile(KEYFILE1, PASSPHRASE, strlen(PASSPHRASE))); -+ OK_(prepare_keyfile(KEYFILE2, PASSPHRASE1, strlen(PASSPHRASE1))); - - /* crypt_load (unrestricted) */ - OK_(crypt_init(&cd, DEVICE_5)); -@@ -3361,11 +3360,11 @@ static void Luks2Requirements(void) - OK_(crypt_repair(cd, CRYPT_LUKS2, NULL)); - - /* crypt_keyslot_add_passphrase (restricted) */ -- FAIL_((r = crypt_keyslot_add_by_passphrase(cd, CRYPT_ANY_SLOT, "aaa", 3, "bbb", 3)), "Unmet requirements detected"); -+ FAIL_((r = crypt_keyslot_add_by_passphrase(cd, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), "bbb", 3)), "Unmet requirements detected"); - EQ_(r, -ETXTBSY); - - /* crypt_keyslot_change_by_passphrase (restricted) */ -- FAIL_((r = crypt_keyslot_change_by_passphrase(cd, CRYPT_ANY_SLOT, 9, "aaa", 3, "bbb", 3)), "Unmet requirements detected"); -+ FAIL_((r = crypt_keyslot_change_by_passphrase(cd, CRYPT_ANY_SLOT, 9, PASSPHRASE, strlen(PASSPHRASE), "bbb", 3)), "Unmet requirements detected"); - EQ_(r, -ETXTBSY); - - /* crypt_keyslot_add_by_keyfile (restricted) */ -@@ -3377,18 +3376,18 @@ static void Luks2Requirements(void) - EQ_(r, -ETXTBSY); - - /* crypt_volume_key_get (unrestricted, but see below) */ -- OK_(crypt_volume_key_get(cd, 0, key, &key_size, "aaa", 3)); -+ OK_(crypt_volume_key_get(cd, 0, key, &key_size, PASSPHRASE, strlen(PASSPHRASE))); - - /* crypt_keyslot_add_by_volume_key (restricted) */ -- FAIL_((r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, key_size, "xxx", 3)), "Unmet requirements detected"); -+ FAIL_((r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, key_size, PASSPHRASE1, strlen(PASSPHRASE1))), "Unmet requirements detected"); - EQ_(r, -ETXTBSY); - - /* crypt_keyslot_add_by_key (restricted) */ -- FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, NULL, key_size, "xxx", 3, CRYPT_VOLUME_KEY_NO_SEGMENT)), "Unmet requirements detected"); -+ FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, NULL, key_size, PASSPHRASE1, strlen(PASSPHRASE1), CRYPT_VOLUME_KEY_NO_SEGMENT)), "Unmet requirements detected"); - EQ_(r, -ETXTBSY); - - /* crypt_keyslot_add_by_key (restricted) */ -- FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, key, key_size, "xxx", 3, 0)), "Unmet requirements detected"); -+ FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, key, key_size, PASSPHRASE1, strlen(PASSPHRASE1), 0)), "Unmet requirements detected"); - EQ_(r, -ETXTBSY); - - /* crypt_persistent_flasgs_set (restricted) */ -@@ -3400,10 +3399,10 @@ static void Luks2Requirements(void) - EQ_(flags, CRYPT_REQUIREMENT_UNKNOWN); - - /* crypt_activate_by_passphrase (restricted for activation only) */ -- FAIL_((r = crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0)), "Unmet requirements detected"); -+ FAIL_((r = crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0)), "Unmet requirements detected"); - EQ_(r, -ETXTBSY); -- OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, 0)); -- OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0)); -+ OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), 0)); -+ OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0)); - EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE); - - /* crypt_activate_by_keyfile (restricted for activation only) */ -@@ -3420,7 +3419,7 @@ static void Luks2Requirements(void) - - #ifdef KERNEL_KEYRING - if (t_dm_crypt_keyring_support()) { -- kid = add_key("user", KEY_DESC_TEST0, "aaa", 3, KEY_SPEC_THREAD_KEYRING); -+ kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE, strlen(PASSPHRASE), KEY_SPEC_THREAD_KEYRING); - NOTFAIL_(kid, "Test or kernel keyring are broken."); - - /* crypt_activate_by_keyring (restricted for activation only) */ -@@ -3428,6 +3427,8 @@ static void Luks2Requirements(void) - EQ_(r, t_dm_crypt_keyring_support() ? -ETXTBSY : -EINVAL); - OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, 0)); - OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, CRYPT_ACTIVATE_KEYRING_KEY)); -+ -+ NOTFAIL_(keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING), "Test or kernel keyring are broken."); - } - #endif - -@@ -3513,10 +3514,15 @@ static void Luks2Requirements(void) - /* crypt_activate_by_token (restricted for activation only) */ - #ifdef KERNEL_KEYRING - if (t_dm_crypt_keyring_support()) { -+ kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE, strlen(PASSPHRASE), KEY_SPEC_THREAD_KEYRING); -+ NOTFAIL_(kid, "Test or kernel keyring are broken."); -+ - FAIL_((r = crypt_activate_by_token(cd, CDEVICE_1, 1, NULL, 0)), ""); // supposed to be silent - EQ_(r, -ETXTBSY); - OK_(crypt_activate_by_token(cd, NULL, 1, NULL, 0)); - OK_(crypt_activate_by_token(cd, NULL, 1, NULL, CRYPT_ACTIVATE_KEYRING_KEY)); -+ -+ NOTFAIL_(keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING), "Test or kernel keyring are broken."); - } - #endif - OK_(get_luks2_offsets(0, 8192, 0, NULL, &r_payload_offset)); -@@ -3528,7 +3534,7 @@ static void Luks2Requirements(void) - CRYPT_FREE(cd); - OK_(crypt_init(&cd, DMDIR L_DEVICE_OK)); - OK_(crypt_load(cd, CRYPT_LUKS, NULL)); -- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0)); -+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0)); - OK_(crypt_header_backup(cd, CRYPT_LUKS2, BACKUP_FILE)); - /* replace header with no requirements */ - OK_(_system("dd if=" REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1)); -@@ -3566,7 +3572,7 @@ static void Luks2Requirements(void) - OK_(crypt_init_by_name(&cd, CDEVICE_1)); - - /* crypt_resume_by_passphrase (restricted) */ -- FAIL_((r = crypt_resume_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3)), "Unmet requirements detected"); -+ FAIL_((r = crypt_resume_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE))), "Unmet requirements detected"); - EQ_(r, -ETXTBSY); - - /* crypt_resume_by_keyfile (restricted) */ -@@ -3580,13 +3586,13 @@ static void Luks2Requirements(void) - - OK_(_system("dd if=" NO_REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1)); - OK_(crypt_init_by_name(&cd, CDEVICE_1)); -- OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3)); -+ OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE))); - CRYPT_FREE(cd); - OK_(_system("dd if=" REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1)); - - OK_(crypt_init_by_name(&cd, CDEVICE_1)); - /* load VK in keyring */ -- OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0)); -+ OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0)); - /* crypt_resize (restricted) */ - FAIL_((r = crypt_resize(cd, CDEVICE_1, 1)), "Unmet requirements detected"); - EQ_(r, -ETXTBSY); -@@ -3622,7 +3628,6 @@ static void Luks2Integrity(void) - .integrity = "hmac(sha256)" - }; - size_t key_size = 32 + 32; -- const char *passphrase = "blabla"; - const char *cipher = "aes"; - const char *cipher_mode = "xts-random"; - int ret; -@@ -3636,8 +3641,8 @@ static void Luks2Integrity(void) - return; - } - -- EQ_(crypt_keyslot_add_by_volume_key(cd, 7, NULL, key_size, passphrase, strlen(passphrase)), 7); -- EQ_(crypt_activate_by_passphrase(cd, CDEVICE_2, 7, passphrase, strlen(passphrase) ,0), 7); -+ EQ_(crypt_keyslot_add_by_volume_key(cd, 7, NULL, key_size, PASSPHRASE, strlen(PASSPHRASE)), 7); -+ EQ_(crypt_activate_by_passphrase(cd, CDEVICE_2, 7, PASSPHRASE, strlen(PASSPHRASE) ,0), 7); - GE_(crypt_status(cd, CDEVICE_2), CRYPT_ACTIVE); - CRYPT_FREE(cd); - -@@ -3689,36 +3694,36 @@ static void Luks2Refresh(void) - OK_(crypt_init(&cd, DMDIR L_DEVICE_OK)); - OK_(set_fast_pbkdf(cd)); - OK_(crypt_format(cd, CRYPT_LUKS2, cipher, mode, NULL, key, 32, NULL)); -- OK_(crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, 32, "aaa", 3)); -- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0)); -+ OK_(crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, 32, PASSPHRASE, strlen(PASSPHRASE))); -+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0)); - - /* check we can refresh significant flags */ - if (t_dm_crypt_discard_support()) { -- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_ALLOW_DISCARDS)); -+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_ALLOW_DISCARDS)); - OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); - OK_(check_flag(cad.flags, CRYPT_ACTIVATE_ALLOW_DISCARDS)); - cad.flags = 0; - } - - if (t_dm_crypt_cpu_switch_support()) { -- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SAME_CPU_CRYPT)); -+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SAME_CPU_CRYPT)); - OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); - OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SAME_CPU_CRYPT)); - cad.flags = 0; - -- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS)); -+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS)); - OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); - OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS)); - cad.flags = 0; - -- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS)); -+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS)); - OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); - OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS)); - cad.flags = 0; - } - - OK_(crypt_volume_key_keyring(cd, 0)); -- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH)); -+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH)); - OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); - FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_KEYRING_KEY), "Unexpected flag raised."); - cad.flags = 0; -@@ -3726,7 +3731,7 @@ static void Luks2Refresh(void) - #ifdef KERNEL_KEYRING - if (t_dm_crypt_keyring_support()) { - OK_(crypt_volume_key_keyring(cd, 1)); -- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH)); -+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH)); - OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); - OK_(check_flag(cad.flags, CRYPT_ACTIVATE_KEYRING_KEY)); - cad.flags = 0; -@@ -3735,26 +3740,26 @@ static void Luks2Refresh(void) - - /* multiple flags at once */ - if (t_dm_crypt_discard_support() && t_dm_crypt_cpu_switch_support()) { -- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS)); -+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS)); - OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); - OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS)); - cad.flags = 0; - } - - /* do not allow reactivation with read-only (and drop flag silently because activation behaves exactly same) */ -- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_READONLY)); -+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_READONLY)); - OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); - FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_READONLY), "Reactivated with read-only flag."); - cad.flags = 0; - - /* reload flag is dropped silently */ - OK_(crypt_deactivate(cd, CDEVICE_1)); -- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH)); -+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH)); - - /* check read-only flag is not lost after reload */ - OK_(crypt_deactivate(cd, CDEVICE_1)); -- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_READONLY)); -- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH)); -+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_READONLY)); -+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH)); - OK_(crypt_get_active_device(cd, CDEVICE_1, &cad)); - OK_(check_flag(cad.flags, CRYPT_ACTIVATE_READONLY)); - cad.flags = 0; -@@ -3762,7 +3767,7 @@ static void Luks2Refresh(void) - /* check LUKS2 with auth. enc. reload */ - OK_(crypt_init(&cd2, DMDIR L_DEVICE_WRONG)); - if (!crypt_format(cd2, CRYPT_LUKS2, "aes", "gcm-random", crypt_get_uuid(cd), key, 32, ¶ms)) { -- OK_(crypt_keyslot_add_by_volume_key(cd2, 0, key, 32, "aaa", 3)); -+ OK_(crypt_keyslot_add_by_volume_key(cd2, 0, key, 32, PASSPHRASE, strlen(PASSPHRASE))); - OK_(crypt_activate_by_volume_key(cd2, CDEVICE_2, key, 32, 0)); - OK_(crypt_activate_by_volume_key(cd2, CDEVICE_2, key, 32, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_NO_JOURNAL)); - OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad)); -@@ -3772,11 +3777,11 @@ static void Luks2Refresh(void) - OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad)); - OK_(check_flag(cad.flags, CRYPT_ACTIVATE_NO_JOURNAL | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS)); - cad.flags = 0; -- OK_(crypt_activate_by_passphrase(cd2, CDEVICE_2, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH)); -+ OK_(crypt_activate_by_passphrase(cd2, CDEVICE_2, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH)); - OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad)); - FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_NO_JOURNAL), ""); - FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS), ""); -- FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS2/aead context"); -+ FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS2/aead context"); - OK_(crypt_deactivate(cd2, CDEVICE_2)); - } else { - printf("WARNING: cannot format integrity device, skipping few reload tests.\n"); -@@ -3786,8 +3791,8 @@ static void Luks2Refresh(void) - /* Use LUKS1 context on LUKS2 device */ - OK_(crypt_init(&cd2, DMDIR L_DEVICE_1S)); - OK_(crypt_format(cd2, CRYPT_LUKS1, cipher, mode, crypt_get_uuid(cd), key, 32, NULL)); -- OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, NULL, 32, "aaa", 3)); -- FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS1 context"); -+ OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, NULL, 32, PASSPHRASE, strlen(PASSPHRASE))); -+ FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS1 context"); - CRYPT_FREE(cd2); - - /* Use PLAIN context on LUKS2 device */ -@@ -3803,8 +3808,8 @@ static void Luks2Refresh(void) - OK_(crypt_init(&cd2, DMDIR L_DEVICE_WRONG)); - OK_(set_fast_pbkdf(cd2)); - OK_(crypt_format(cd2, CRYPT_LUKS2, cipher, mode, crypt_get_uuid(cd), key, 32, NULL)); -- OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, key, 32, "aaa", 3)); -- FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed dm-crypt mapped over mismatching data device"); -+ OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, key, 32, PASSPHRASE, strlen(PASSPHRASE))); -+ FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed dm-crypt mapped over mismatching data device"); - - OK_(crypt_deactivate(cd, CDEVICE_1)); - -@@ -4825,7 +4830,7 @@ static void LuksKeyslotAdd(void) - crypt_keyslot_context_free(um2); - - // generate new unbound key -- OK_(crypt_keyslot_context_init_by_volume_key(cd, NULL, 1, &um1)); -+ OK_(crypt_keyslot_context_init_by_volume_key(cd, NULL, 9, &um1)); - OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &um2)); - EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 10, um2, CRYPT_VOLUME_KEY_NO_SEGMENT), 10); - EQ_(crypt_keyslot_status(cd, 10), CRYPT_SLOT_UNBOUND); -diff --git a/tests/api-test.c b/tests/api-test.c -index 2b2f0813..9bb6d2f1 100644 ---- a/tests/api-test.c -+++ b/tests/api-test.c -@@ -65,8 +65,8 @@ - #define KEYFILE2 "key2.file" - #define KEY2 "0123456789abcdef" - --#define PASSPHRASE "blabla" --#define PASSPHRASE1 "albalb" -+#define PASSPHRASE "blablabl" -+#define PASSPHRASE1 "albalbal" - - #define DEVICE_TEST_UUID "12345678-1234-1234-1234-123456789abc" - -@@ -327,7 +327,7 @@ static void AddDevicePlain(void) - char key[128], key2[128], path[128]; - struct crypt_keyslot_context *kc = NULL; - -- const char *passphrase = PASSPHRASE; -+ const char *passphrase = "blabla"; - // hashed hex version of PASSPHRASE - const char *vk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea"; - size_t key_size = strlen(vk_hex) / 2; -@@ -772,6 +772,10 @@ static void SuspendDevice(void) - OK_(crypt_deactivate(cd, CDEVICE_1)); - CRYPT_FREE(cd); - -+ /* skip tests using empty passphrase */ -+ if(_fips_mode) -+ return; -+ - OK_(get_luks_offsets(0, key_size, 1024*2, 0, NULL, &r_payload_offset)); - OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1)); - -@@ -806,7 +810,7 @@ static void AddDeviceLuks(void) - }; - char key[128], key2[128], key3[128]; - -- const char *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd"; -+ const char *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd"; - const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; - const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e"; - size_t key_size = strlen(vk_hex) / 2; -@@ -2105,7 +2109,7 @@ static void LuksKeyslotAdd(void) - }; - char key[128], key3[128]; - -- const char *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd"; -+ const char *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd"; - const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; - const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e"; - size_t key_size = strlen(vk_hex) / 2; -diff --git a/tests/compat-test b/tests/compat-test -index 356b7283..6dc80041 100755 ---- a/tests/compat-test -+++ b/tests/compat-test -@@ -450,10 +450,13 @@ if [ -d /dev/disk/by-uuid ] ; then - $CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail - $CRYPTSETUP -q luksClose $DEV_NAME || fail - fi -+# skip tests using empty passphrase -+if [ ! fips_mode ]; then - # empty keyfile - $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEYE || fail - $CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail - $CRYPTSETUP -q luksClose $DEV_NAME || fail -+fi - # open by volume key - echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT -s 256 --volume-key-file $KEY1 $LOOPDEV || fail - $CRYPTSETUP luksOpen --volume-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail -@@ -503,7 +506,7 @@ echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV -- - echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail - $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail - # keyfile/passphrase --echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail -+echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 8 || fail - $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: ENABLED" || fail - - prepare "[18] RemoveKey passphrase and keyfile" reuse -@@ -728,12 +731,15 @@ echo $PWDW | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail - [ $? -ne 2 ] && fail "luksResume should return EPERM exit code" - echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME || fail - $CRYPTSETUP -q luksClose $DEV_NAME || fail -+# skip tests using empty passphrase -+if [ ! fips_mode ]; then - echo | $CRYPTSETUP -q luksFormat -c null $FAST_PBKDF_OPT --type luks1 $LOOPDEV || fail - echo | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail - $CRYPTSETUP luksSuspend $DEV_NAME || fail - $CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail - echo | $CRYPTSETUP luksResume $DEV_NAME || fail - $CRYPTSETUP -q luksClose $DEV_NAME || fail -+fi - - prepare "[27] luksOpen/luksResume with specified key slot number" wipe - # first, let's try passphrase option -diff --git a/tests/compat-test2 b/tests/compat-test2 -index 2f18d7b6..c54dc7ea 100755 ---- a/tests/compat-test2 -+++ b/tests/compat-test2 -@@ -427,10 +427,14 @@ if [ -d /dev/disk/by-uuid ] ; then - $CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail - $CRYPTSETUP -q luksClose $DEV_NAME || fail - fi -+# skip tests using empty passphrases -+if [ ! fips_mode ]; then - # empty keyfile - $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEYE || fail - $CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail - $CRYPTSETUP -q luksClose $DEV_NAME || fail -+fi -+ - # open by volume key - echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT -s 256 --volume-key-file $KEY1 --type luks2 $LOOPDEV || fail - $CRYPTSETUP luksOpen --volume-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail -@@ -477,7 +481,7 @@ echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV -- - echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail - $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail - # keyfile/passphrase --echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail -+echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 8 || fail - $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" || fail - - prepare "[18] RemoveKey passphrase and keyfile" reuse -@@ -1001,14 +1005,14 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail - $CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "pbkdf2" || fail - echo $PWD1 | $CRYPTSETUP -q luksConvertKey $LOOPDEV -S 1 --pbkdf argon2i -i1 --pbkdf-memory 32 || can_fail_fips - $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || can_fail_fips --echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 21 --unbound -s 16 $LOOPDEV || fail -+echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 21 --unbound -s 72 $LOOPDEV || fail - echo $PWD3 | $CRYPTSETUP luksConvertKey --pbkdf-force-iterations 1001 --pbkdf pbkdf2 -S 21 $LOOPDEV || fail - - prepare "[38] luksAddKey unbound tests" wipe - $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY5 --key-slot 5 || fail - # unbound key may have arbitrary size --echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 16 $LOOPDEV || fail --echo $PWD2 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 32 -S 2 $LOOPDEV || fail -+echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 72 $LOOPDEV || fail -+echo $PWD2 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 72 -S 2 $LOOPDEV || fail - $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2 (unbound)" || fail - dd if=/dev/urandom of=$KEY_FILE0 bs=64 count=1 > /dev/null 2>&1 || fail - echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 512 -S 3 --volume-key-file $KEY_FILE0 $LOOPDEV || fail -@@ -1100,10 +1104,10 @@ $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 --key-slot 2 - - [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "2: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail - [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "2: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail - # unbound keyslot --echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 21 --unbound -s 32 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail -+echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 21 --unbound -s 72 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail - [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "21: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail - [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "21: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail --echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 22 --unbound -s 32 $LOOPDEV || fail -+echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 22 --unbound -s 72 $LOOPDEV || fail - echo $PWD3 | $CRYPTSETUP luksConvertKey --key-slot 22 $LOOPDEV --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail - [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "22: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail - [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "22: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail -diff --git a/tests/keyring-compat-test b/tests/keyring-compat-test -index 57c7fd98..ea88c210 100755 ---- a/tests/keyring-compat-test -+++ b/tests/keyring-compat-test -@@ -21,7 +21,7 @@ NAME=testcryptdev - CHKS_DMCRYPT=vk_in_dmcrypt.chk - CHKS_KEYRING=vk_in_keyring.chk - --PWD="aaa" -+PWD="aaablabl" - - [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".." - CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup -diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test -index 433f4d4c..f6a84137 100755 ---- a/tests/reencryption-compat-test -+++ b/tests/reencryption-compat-test -@@ -22,6 +22,12 @@ PWD3="1-9Qu5Ejfnqv" - - MNT_DIR=./mnt_luks - START_DIR=$(pwd) -+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) -+ -+function fips_mode() -+{ -+ [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ] -+} - - function del_scsi_device() - { -@@ -296,6 +302,7 @@ check_slot 0 || fail "Only keyslot 0 expected to be enabled" - $REENC $LOOPDEV1 -d $KEY1 $FAST_PBKDF -q || fail - # FIXME echo $PWD1 | $REENC ... - -+if [ ! fips_mode ]; then - echo "[4] Encryption of not yet encrypted device" - # well, movin' zeroes :-) - OFFSET=2048 -@@ -323,6 +330,7 @@ OFFSET=4096 - echo fake | $REENC $LOOPDEV1 -d $KEY1 --new --type luks1 --reduce-device-size "$OFFSET"S -q $FAST_PBKDF || fail - $CRYPTSETUP open --test-passphrase $LOOPDEV1 -d $KEY1 || fail - wipe_dev $LOOPDEV1 -+fi - - echo "[5] Reencryption using specific keyslot" - echo $PWD2 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail -@@ -396,6 +404,7 @@ add_scsi_device sector_size=512 dev_size_mb=32 physblk_exp=3 - test_logging "[4096/512 sector]" || fail - test_logging_tmpfs || fail - -+if [ ! fips_mode ]; then - echo "[10] Removal of encryption" - prepare 8192 - echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail -@@ -460,6 +469,7 @@ if [ "$HAVE_BLKID" -gt 0 ]; then - echo $PWD1 | $REENC --header $IMG_HDR $HEADER_LUKS2_PV -q $FAST_PBKDF --new --type luks1 2>/dev/null && fail - test -f $IMG_HDR && fail - fi -+fi # if [ ! fips_mode ] - - remove_mapping - exit 0 -diff --git a/tests/ssh-test-plugin b/tests/ssh-test-plugin -index 0a440b93..5b3966e7 100755 ---- a/tests/ssh-test-plugin -+++ b/tests/ssh-test-plugin -@@ -11,7 +11,7 @@ CRYPTSETUP_SSH=$CRYPTSETUP_PATH/cryptsetup-ssh - IMG="ssh_test.img" - MAP="sshtest" - USER="sshtest" --PASSWD="sshtest" -+PASSWD="sshtest1" - PASSWD2="sshtest2" - SSH_OPTIONS="-o StrictHostKeyChecking=no" - --- -2.38.1 - diff --git a/cryptsetup-2.6.1-Enable-crypt_header_is_detached-for-empty-contexts.patch b/cryptsetup-2.6.1-Enable-crypt_header_is_detached-for-empty-contexts.patch deleted file mode 100644 index cfbd36a..0000000 --- a/cryptsetup-2.6.1-Enable-crypt_header_is_detached-for-empty-contexts.patch +++ /dev/null @@ -1,55 +0,0 @@ -From be088b8de8d636993767a42f195ffd3bf915e567 Mon Sep 17 00:00:00 2001 -From: Ondrej Kozina -Date: Mon, 12 Dec 2022 17:33:12 +0100 -Subject: [PATCH 1/2] Enable crypt_header_is_detached for empty contexts. - -Also changes few tests now expecting crypt_header_is_detached -works with empty contexts. ---- - lib/setup.c | 2 +- - tests/api-test-2.c | 2 +- - tests/api-test.c | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/lib/setup.c b/lib/setup.c -index f169942c..3263578b 100644 ---- a/lib/setup.c -+++ b/lib/setup.c -@@ -3242,7 +3242,7 @@ int crypt_header_is_detached(struct crypt_device *cd) - { - int r; - -- if (!cd || !isLUKS(cd->type)) -+ if (!cd || (cd->type && !isLUKS(cd->type))) - return -EINVAL; - - r = device_is_identical(crypt_data_device(cd), crypt_metadata_device(cd)); -diff --git a/tests/api-test-2.c b/tests/api-test-2.c -index 2c39191b..c7e930ca 100644 ---- a/tests/api-test-2.c -+++ b/tests/api-test-2.c -@@ -889,7 +889,7 @@ static void AddDeviceLuks2(void) - FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, key, key_size, 0), "Device is active"); - EQ_(crypt_status(cd, CDEVICE_2), CRYPT_INACTIVE); - OK_(crypt_deactivate(cd, CDEVICE_1)); -- FAIL_(crypt_header_is_detached(cd), "no header for mismatched device"); -+ EQ_(crypt_header_is_detached(cd), 1); - CRYPT_FREE(cd); - - params.data_device = NULL; -diff --git a/tests/api-test.c b/tests/api-test.c -index 9bb6d2f1..f6e33a40 100644 ---- a/tests/api-test.c -+++ b/tests/api-test.c -@@ -960,7 +960,7 @@ static void AddDeviceLuks(void) - FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, key, key_size, 0), "Device is active"); - EQ_(crypt_status(cd, CDEVICE_2), CRYPT_INACTIVE); - OK_(crypt_deactivate(cd, CDEVICE_1)); -- FAIL_(crypt_header_is_detached(cd), "no header for mismatched device"); -+ EQ_(crypt_header_is_detached(cd), 1); - CRYPT_FREE(cd); - - params.data_device = NULL; --- -2.38.1 - diff --git a/cryptsetup-2.6.1-Run-PBKDF-benchmark-with-8-bytes-long-well-known-pas.patch b/cryptsetup-2.6.1-Run-PBKDF-benchmark-with-8-bytes-long-well-known-pas.patch deleted file mode 100644 index 28dc504..0000000 --- a/cryptsetup-2.6.1-Run-PBKDF-benchmark-with-8-bytes-long-well-known-pas.patch +++ /dev/null @@ -1,58 +0,0 @@ -From a33f7bf5ca33587ddb05f2acac42f93068022458 Mon Sep 17 00:00:00 2001 -From: Ondrej Kozina -Date: Fri, 2 Dec 2022 11:39:59 +0100 -Subject: [PATCH 1/3] Run PBKDF benchmark with 8 bytes long well-known - passphrase. - ---- - lib/utils_benchmark.c | 4 ++-- - src/cryptsetup.c | 4 ++-- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/lib/utils_benchmark.c b/lib/utils_benchmark.c -index 0a0c438e..d8976fb2 100644 ---- a/lib/utils_benchmark.c -+++ b/lib/utils_benchmark.c -@@ -187,7 +187,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd, - pbkdf->parallel_threads = 0; /* N/A in PBKDF2 */ - pbkdf->max_memory_kb = 0; /* N/A in PBKDF2 */ - -- r = crypt_benchmark_pbkdf(cd, pbkdf, "foo", 3, "01234567890abcdef", 16, -+ r = crypt_benchmark_pbkdf(cd, pbkdf, "foobarfo", 8, "01234567890abcdef", 16, - volume_key_size, &benchmark_callback, &u); - pbkdf->time_ms = ms_tmp; - if (r < 0) { -@@ -207,7 +207,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd, - return 0; - } - -- r = crypt_benchmark_pbkdf(cd, pbkdf, "foo", 3, -+ r = crypt_benchmark_pbkdf(cd, pbkdf, "foobarfo", 8, - "0123456789abcdef0123456789abcdef", 32, - volume_key_size, &benchmark_callback, &u); - if (r < 0) -diff --git a/src/cryptsetup.c b/src/cryptsetup.c -index c2e23c6e..dfaf7682 100644 ---- a/src/cryptsetup.c -+++ b/src/cryptsetup.c -@@ -997,7 +997,7 @@ static int action_benchmark_kdf(const char *kdf, const char *hash, size_t key_si - .time_ms = 1000, - }; - -- r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foo", 3, "0123456789abcdef", 16, key_size, -+ r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foobarfo", 8, "0123456789abcdef", 16, key_size, - &benchmark_callback, &pbkdf); - if (r < 0) - log_std(_("PBKDF2-%-9s N/A\n"), hash); -@@ -1012,7 +1012,7 @@ static int action_benchmark_kdf(const char *kdf, const char *hash, size_t key_si - .parallel_threads = ARG_UINT32(OPT_PBKDF_PARALLEL_ID) - }; - -- r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foo", 3, -+ r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foobarfo", 8, - "0123456789abcdef0123456789abcdef", 32, - key_size, &benchmark_callback, &pbkdf); - if (r < 0) --- -2.38.1 - diff --git a/cryptsetup-2.7.0-Also-disallow-active-devices-with-internal-kernel-na.patch b/cryptsetup-2.7.0-Also-disallow-active-devices-with-internal-kernel-na.patch deleted file mode 100644 index c0fc831..0000000 --- a/cryptsetup-2.7.0-Also-disallow-active-devices-with-internal-kernel-na.patch +++ /dev/null @@ -1,81 +0,0 @@ -From dff9ee8c8cb68432e96261b87aabb7aaa51215e7 Mon Sep 17 00:00:00 2001 -From: Milan Broz -Date: Tue, 2 May 2023 15:42:21 +0200 -Subject: [PATCH] Also disallow active devices with internal kernel names. - -The same problem fixed in commit 438cf1d1b3ef6d7405cfbcbe5f631d3d7467a605 -is present in libdevmapper wrapper when parsing active device table. - -The whole point of conversion was that non-authenticated modes -can be always represented in the old cipher-mode-iv format. -As the internal names contains dash, these are unsupported. - -That said, the libdevmapper backend now correctly returns -full cipher specification including capi prefix for this case. - -Init_by_name call now fails with incomplatible cipher definition error. ---- - lib/setup.c | 2 +- - lib/utils_crypt.c | 9 +++++++++ - tests/mode-test | 5 +++++ - 3 files changed, 15 insertions(+), 1 deletion(-) - -diff --git a/lib/setup.c b/lib/setup.c -index 4bc3f6fb..57435475 100644 ---- a/lib/setup.c -+++ b/lib/setup.c -@@ -1258,7 +1258,7 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name) - r = crypt_parse_name_and_mode(tgt->type == DM_LINEAR ? "null" : tgt->u.crypt.cipher, cipher, - &key_nums, cipher_mode); - if (r < 0) { -- log_dbg(cd, "Cannot parse cipher and mode from active device."); -+ log_err(cd, _("No known cipher specification pattern detected for active device %s."), name); - goto out; - } - -diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c -index c1bde000..9232a91d 100644 ---- a/lib/utils_crypt.c -+++ b/lib/utils_crypt.c -@@ -306,6 +306,15 @@ int crypt_capi_to_cipher(char **org_c, char **org_i, const char *c_dm, const cha - if (i != 2) - return -EINVAL; - -+ /* non-cryptsetup compatible mode (generic driver with dash?) */ -+ if (strrchr(iv, ')')) { -+ if (i_dm) -+ return -EINVAL; -+ if (!(*org_c = strdup(c_dm))) -+ return -ENOMEM; -+ return 0; -+ } -+ - len = strlen(tmp); - if (len < 2) - return -EINVAL; -diff --git a/tests/mode-test b/tests/mode-test -index fe61880a..4775751e 100755 ---- a/tests/mode-test -+++ b/tests/mode-test -@@ -8,6 +8,7 @@ DEV_NAME=dmc_test - HEADER_IMG=mode-test.img - PASSWORD=3xrododenron - PASSWORD1=$PASSWORD -+KEY="7c0dc5dfd0c9191381d92e6ebb3b29e7f0dba53b0de132ae23f5726727173540" - FAST_PBKDF2="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" - - # cipher-chainmode-ivopts:ivmode -@@ -188,6 +189,10 @@ echo -n "CAPI format:" - echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail - $CRYPTSETUP close "$DEV_NAME"_tstdev || fail - echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail -+dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail -+$CRYPTSETUP status "$DEV_NAME"_tstdev >/dev/null 2>&1 && fail -+$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null && fail -+dmsetup remove "$DEV_NAME"_tstdev || fail - echo [OK] - - cleanup --- -2.41.0 - diff --git a/cryptsetup-2.7.0-Disallow-use-of-internal-kenrel-crypto-driver-names-.patch b/cryptsetup-2.7.0-Disallow-use-of-internal-kenrel-crypto-driver-names-.patch deleted file mode 100644 index 5c50f55..0000000 --- a/cryptsetup-2.7.0-Disallow-use-of-internal-kenrel-crypto-driver-names-.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 438cf1d1b3ef6d7405cfbcbe5f631d3d7467a605 Mon Sep 17 00:00:00 2001 -From: Milan Broz -Date: Mon, 24 Apr 2023 21:19:03 +0200 -Subject: [PATCH] Disallow use of internal kenrel crypto driver names in "capi" - specification. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The common way to specify cipher mode in cryptsetup -is to use cipher-mode-iv notation (like aes-xts-plain64). -With introduction of authenticated ciphers we also allow "capi:" -notation that is directly used by dm-crypt (e.g. capi:xts(aes)-plain64). - -CAPI specification was never intended to be used with internal -kernel crypto api names (with dash in algorithm name), actually the -whole parsing routine wrongly parses mode here now. - -The code not checks if parsing wrongly separated the full cipher -string and effectively allowing only proper cipher names -(example of no longer supported string is capi:xts(ecb(aes-generic))-plain64). - -Thanks to Jan Wichelmann, Luca Wilke and Thomas Eisenbarth from -University of Lübeck for noticing the problems with this code. - -Fixes: #809 ---- - lib/utils_crypt.c | 8 +++++++- - tests/mode-test | 6 ++++++ - 2 files changed, 13 insertions(+), 1 deletion(-) - -diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c -index 0b7dc378..c1bde000 100644 ---- a/lib/utils_crypt.c -+++ b/lib/utils_crypt.c -@@ -43,7 +43,13 @@ int crypt_parse_name_and_mode(const char *s, char *cipher, int *key_nums, - cipher, cipher_mode) == 2) { - if (!strcmp(cipher_mode, "plain")) - strcpy(cipher_mode, "cbc-plain"); -- if (key_nums) { -+ if (!strncmp(cipher, "capi:", 5)) { -+ /* CAPI must not use internal cipher driver names with dash */ -+ if (strchr(cipher_mode, ')')) -+ return -EINVAL; -+ if (key_nums) -+ *key_nums = 1; -+ } else if (key_nums) { - char *tmp = strchr(cipher, ':'); - *key_nums = tmp ? atoi(++tmp) : 1; - if (!*key_nums) -diff --git a/tests/mode-test b/tests/mode-test -index 82171fbd..fe61880a 100755 ---- a/tests/mode-test -+++ b/tests/mode-test -@@ -184,4 +184,10 @@ done - dmcrypt xchacha12,aes-adiantum-plain64 - dmcrypt xchacha20,aes-adiantum-plain64 - -+echo -n "CAPI format:" -+echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail -+$CRYPTSETUP close "$DEV_NAME"_tstdev || fail -+echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail -+echo [OK] -+ - cleanup --- -2.41.0 - diff --git a/cryptsetup-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch b/cryptsetup-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch deleted file mode 100644 index dbac662..0000000 --- a/cryptsetup-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch +++ /dev/null @@ -1,81 +0,0 @@ -From b8711faf92868dc82b1a64e7673740444199b2ca Mon Sep 17 00:00:00 2001 -From: Milan Broz -Date: Sun, 25 Jun 2023 23:32:13 +0200 -Subject: [PATCH] Fix activation of LUKS2 with capi format cipher and kernel - crypt name. - -While activation of internal cipher algorithms (like aes-generic) -is disallowed, some old LUKS2 images can still use it. - -Check the cipher in activate call, but allow to load LUKS2 metadata. -This can allow to add repair code easily and also allow luksDump. - -Also fix segfault in reencrypt code for such a header. - -Fixes: #820 ---- - lib/luks2/luks2_json_metadata.c | 5 +++++ - tests/Makefile.am | 4 +++- - tests/compat-test2 | 17 ++++++++++++++++- - tests/luks2_invalid_cipher.img.xz | Bin 0 -> 135372 bytes - tests/meson.build | 1 + - 5 files changed, 25 insertions(+), 2 deletions(-) - create mode 100644 tests/luks2_invalid_cipher.img.xz - -Index: cryptsetup-2.6.0/lib/luks2/luks2_json_metadata.c -=================================================================== ---- cryptsetup-2.6.0.orig/lib/luks2/luks2_json_metadata.c -+++ cryptsetup-2.6.0/lib/luks2/luks2_json_metadata.c -@@ -2597,6 +2597,11 @@ int LUKS2_activate(struct crypt_device * - if ((r = LUKS2_unmet_requirements(cd, hdr, 0, 0))) - return r; - -+ /* Check that cipher is in compatible format */ -+ if (!crypt_get_cipher(cd)) { -+ log_err(cd, _("No known cipher specification pattern detected in LUKS2 header.")); -+ return -EINVAL; -+ } - r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd), - vk, crypt_get_cipher_spec(cd), crypt_get_iv_offset(cd), - crypt_get_data_offset(cd), crypt_get_integrity(cd) ?: "none", -Index: cryptsetup-2.6.0/tests/compat-test2 -=================================================================== ---- cryptsetup-2.6.0.orig/tests/compat-test2 -+++ cryptsetup-2.6.0/tests/compat-test2 -@@ -16,6 +16,7 @@ IMG10=luks-test-v10 - HEADER_IMG=luks-header - HEADER_KEYU=luks2_keyslot_unassigned.img - HEADER_LUKS2_PV=blkid-luks2-pv.img -+HEADER_LUKS2_INV=luks2_invalid_cipher.img - KEY1=key1 - KEY2=key2 - KEY5=key5 -@@ -50,7 +51,9 @@ function remove_mapping() - [ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2 - [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME - losetup -d $LOOPDEV >/dev/null 2>&1 -- rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE $HEADER_LUKS2_PV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* $KEY_FILE0 $KEY_FILE1 >/dev/null 2>&1 -+ rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE \ -+ $HEADER_LUKS2_PV $HEADER_LUKS2_INV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* \ -+ $KEY_FILE0 $KEY_FILE1 >/dev/null 2>&1 - - # unlink whole test keyring - [ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null -@@ -1200,5 +1203,17 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys - $CRYPTSETUP open -q --test-passphrase --token-only --token-id 0 -q $IMG || fail - fi - -+prepare "[44] LUKS2 invalid cipher (kernel cipher driver name)" wipe -+xz -dk $HEADER_LUKS2_INV.xz -+dd if=$HEADER_LUKS2_INV of=$IMG conv=notrunc >/dev/null 2>&1 -+$CRYPTSETUP -q luksDump $LOOPDEV | grep -q "capi:xts(ecb(aes-generic))-plain64" || fail -+echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail -+echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME 2>&1 | grep -q "No known cipher specification pattern" || fail -+echo $PWD1 | $CRYPTSETUP reencrypt $LOOPDEV >/dev/null 2>&1 && fail -+dmsetup create $DEV_NAME --uuid CRYPT-LUKS2-3d20686f551748cb89911ad32379821b-test --table \ -+ "0 8 crypt capi:xts(ecb(aes-generic))-plain64 edaa40709797973715e572bf7d86fcbb9cfe2051083c33c28d58fe4e1e7ff642 0 $LOOPDEV 32768" -+$CRYPTSETUP status $DEV_NAME | grep -q "n/a" || fail -+$CRYPTSETUP close $DEV_NAME ||fail -+ - remove_mapping - exit 0 diff --git a/cryptsetup-2.7.0-Fix-init_by_name-to-allow-unknown-cipher-format-in-d.patch b/cryptsetup-2.7.0-Fix-init_by_name-to-allow-unknown-cipher-format-in-d.patch deleted file mode 100644 index 7ea25cf..0000000 --- a/cryptsetup-2.7.0-Fix-init_by_name-to-allow-unknown-cipher-format-in-d.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 53aa5f6c4f7439db1b25846597fb5603870ba55e Mon Sep 17 00:00:00 2001 -From: Milan Broz -Date: Mon, 5 Jun 2023 16:02:06 +0200 -Subject: [PATCH] Fix init_by_name to allow unknown cipher format in dm-crypt - as null context. - -Deactivation code should deactivate dm-crypt device even if it is unknown -for libcryptsetup. Previous fix for cipher specification was too strict. - -Let's allow initialization as null context, that allow status and -deactivate to be usable again. ---- - lib/setup.c | 6 ++++++ - tests/mode-test | 5 ++--- - 2 files changed, 8 insertions(+), 3 deletions(-) - -diff --git a/lib/setup.c b/lib/setup.c -index fd17be8c..786aa900 100644 ---- a/lib/setup.c -+++ b/lib/setup.c -@@ -1276,6 +1276,12 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name) - r = crypt_parse_name_and_mode(tgt->type == DM_LINEAR ? "null" : tgt->u.crypt.cipher, cipher, - &key_nums, cipher_mode); - if (r < 0) { -+ /* Allow crypt null context with unknown cipher string */ -+ if (tgt->type == DM_CRYPT && !tgt->u.crypt.integrity) { -+ crypt_set_null_type(cd); -+ r = 0; -+ goto out; -+ } - log_err(cd, _("No known cipher specification pattern detected for active device %s."), name); - goto out; - } -diff --git a/tests/mode-test b/tests/mode-test -index 4775751e..7f7f20a1 100755 ---- a/tests/mode-test -+++ b/tests/mode-test -@@ -190,9 +190,8 @@ echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 - $CRYPTSETUP close "$DEV_NAME"_tstdev || fail - echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail - dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail --$CRYPTSETUP status "$DEV_NAME"_tstdev >/dev/null 2>&1 && fail --$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null && fail --dmsetup remove "$DEV_NAME"_tstdev || fail -+$CRYPTSETUP status "$DEV_NAME"_tstdev 2>/dev/null | grep "type:" | grep -q "n/a" || fail -+$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null || fail - echo [OK] - - cleanup --- -2.41.0 - diff --git a/cryptsetup-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch b/cryptsetup-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch deleted file mode 100644 index 92b1de2..0000000 --- a/cryptsetup-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 1f01eea60e38ac92aa05e4b95372d54b7b9095df Mon Sep 17 00:00:00 2001 -From: Milan Broz -Date: Mon, 26 Jun 2023 13:25:59 +0200 -Subject: [PATCH] Fix reencryption to fail properly for unknown cipher. - -crypt_get_cipher and crypt_get_cipher mode can return NULL, -check it in advance. ---- - src/utils_reencrypt.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/utils_reencrypt.c b/src/utils_reencrypt.c -index a78557cb..8ffceb36 100644 ---- a/src/utils_reencrypt.c -+++ b/src/utils_reencrypt.c -@@ -419,6 +419,12 @@ static bool luks2_reencrypt_eligible(struct crypt_device *cd) - return false; - } - -+ /* Check that cipher is in compatible format */ -+ if (!crypt_get_cipher(cd)) { -+ log_err(_("No known cipher specification pattern detected in LUKS2 header.")); -+ return false; -+ } -+ - return true; - } - --- -2.41.0 - diff --git a/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch b/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch index 59db57f..9c303e4 100644 --- a/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch +++ b/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch @@ -12,36 +12,29 @@ bytes. lib/luks2/luks2_keyslot_luks2.c | 2 ++ 2 files changed, 6 insertions(+), 1 deletion(-) -diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c -index de97b73c..225e84b8 100644 ---- a/lib/luks1/keymanage.c -+++ b/lib/luks1/keymanage.c -@@ -924,8 +924,11 @@ int LUKS_set_key(unsigned int keyIndex, - hdr->keyblock[keyIndex].passwordSalt, LUKS_SALTSIZE, +Index: cryptsetup-2.7.2/lib/luks1/keymanage.c +=================================================================== +--- cryptsetup-2.7.2.orig/lib/luks1/keymanage.c ++++ cryptsetup-2.7.2/lib/luks1/keymanage.c +@@ -926,6 +926,8 @@ int LUKS_set_key(unsigned int keyIndex, derived_key->key, hdr->keyBytes, hdr->keyblock[keyIndex].passwordIterations, 0, 0); -- if (r < 0) -+ if (r < 0) { + if (r < 0) { + if (crypt_fips_mode() && passwordLen < 8) + log_err(ctx, _("Invalid passphrase for PBKDF2 in FIPS mode.")); - goto out; -+ } - - /* - * AF splitting, the volume key stored in vk->key is split to AfKey -diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c -index 78f74242..f480bcab 100644 ---- a/lib/luks2/luks2_keyslot_luks2.c -+++ b/lib/luks2/luks2_keyslot_luks2.c -@@ -265,6 +265,8 @@ static int luks2_keyslot_set_key(struct crypt_device *cd, - free(salt); - if (r < 0) { + if ((crypt_backend_flags() & CRYPT_BACKEND_PBKDF2_INT) && + hdr->keyblock[keyIndex].passwordIterations > INT_MAX) + log_err(ctx, _("PBKDF2 iteration value overflow.")); +Index: cryptsetup-2.7.2/lib/luks2/luks2_keyslot_luks2.c +=================================================================== +--- cryptsetup-2.7.2.orig/lib/luks2/luks2_keyslot_luks2.c ++++ cryptsetup-2.7.2/lib/luks2/luks2_keyslot_luks2.c +@@ -269,6 +269,8 @@ static int luks2_keyslot_set_key(struct + pbkdf.iterations > INT_MAX) + log_err(cd, _("PBKDF2 iteration value overflow.")); crypt_free_volume_key(derived_key); + if (crypt_fips_mode() && passwordLen < 8 && !strcmp(pbkdf.type, "pbkdf2")) + log_err(cd, _("Invalid passphrase for PBKDF2 in FIPS mode.")); return r; } --- -2.38.1 - diff --git a/cryptsetup-add-system-library-paths.patch b/cryptsetup-add-system-library-paths.patch index 0a5d753..0290c96 100644 --- a/cryptsetup-add-system-library-paths.patch +++ b/cryptsetup-add-system-library-paths.patch @@ -1,7 +1,8 @@ -diff -rupN cryptsetup-2.2.0.old/configure cryptsetup-2.2.0/configure ---- cryptsetup-2.2.0.old/configure 2019-08-14 20:45:07.000000000 +0200 -+++ cryptsetup-2.2.0/configure 2019-08-15 09:11:14.775184005 +0200 -@@ -12294,6 +12294,9 @@ fi +Index: cryptsetup-2.7.0/configure +=================================================================== +--- cryptsetup-2.7.0.orig/configure ++++ cryptsetup-2.7.0/configure +@@ -14161,6 +14161,9 @@ fi # before this can be enabled. hardcode_into_libs=yes @@ -11,7 +12,7 @@ diff -rupN cryptsetup-2.2.0.old/configure cryptsetup-2.2.0/configure # Ideally, we could use ldconfig to report *all* directores which are # searched for libraries, however this is still not possible. Aside from not # being certain /sbin/ldconfig is available, command -@@ -12302,7 +12305,7 @@ fi +@@ -14169,7 +14172,7 @@ fi # appending ld.so.conf contents (and includes) to the search path. if test -f /etc/ld.so.conf; then lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` diff --git a/cryptsetup.spec b/cryptsetup.spec index 7792853..fc13454 100644 --- a/cryptsetup.spec +++ b/cryptsetup.spec @@ -1,7 +1,7 @@ Summary: Utility for setting up encrypted disks Name: cryptsetup -Version: 2.6.0 -Release: 3%{?dist} +Version: 2.7.2 +Release: 1%{?dist} License: GPLv2+ and LGPLv2+ URL: https://gitlab.com/cryptsetup/cryptsetup BuildRequires: openssl-devel, popt-devel, device-mapper-devel @@ -15,22 +15,9 @@ Obsoletes: %{name}-reencrypt <= %{version} Provides: %{name}-reencrypt = %{version} %global upstream_version %{version} -Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-%{upstream_version}.tar.xz - -# binary archive with updated tests/conversion_imgs.tar.xz and tests/luks2_header_requirements.tar.xz -# for testing (can not be patched via rpmbuild) -Source1: tests.tar.xz +Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-%{upstream_version}.tar.xz # Following patch has to applied last -Patch0000: %{name}-2.6.1-Run-PBKDF-benchmark-with-8-bytes-long-well-known-pas.patch -Patch0001: %{name}-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch -Patch0002: %{name}-2.6.1-Enable-crypt_header_is_detached-for-empty-contexts.patch -Patch0003: %{name}-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch -Patch0004: %{name}-2.7.0-Disallow-use-of-internal-kenrel-crypto-driver-names-.patch -Patch0005: %{name}-2.7.0-Also-disallow-active-devices-with-internal-kernel-na.patch -Patch0006: %{name}-2.7.0-Fix-init_by_name-to-allow-unknown-cipher-format-in-d.patch -Patch0007: %{name}-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch -Patch0008: %{name}-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch Patch9998: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch Patch9999: %{name}-add-system-library-paths.patch @@ -70,11 +57,11 @@ The integritysetup package contains a utility for setting up disk integrity protection using dm-integrity kernel module. %prep -%autosetup -n cryptsetup-%{upstream_version} -p 1 -a 1 +%autosetup -n cryptsetup-%{upstream_version} -p 1 %build rm -f man/*.8 -%configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --disable-ssh-token --enable-asciidoc +%configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --disable-ssh-token --enable-asciidoc --disable-hw-opal --with-plain-hash=ripemd160 --with-plain-cipher=aes --with-plain-mode=cbc-essiv:sha256 %make_build %install @@ -116,6 +103,11 @@ rm -rf %{buildroot}%{_libdir}/*.la %ghost %attr(700, -, -) %dir /run/cryptsetup %changelog +* Thu May 02 2024 Daniel Zatovic - 2.7.2-1 +- Update to cryptsetup 2.7.2 +- Use OpenSLL Argon implementation instead of the built-in one +- Resolves: RHEL-32377 + * Fri Jun 30 2023 Daniel Zatovic - 2.6.0-3 - patch: Disallow use of internal kenrel crypto driver names in "capi" - patch: Also disallow active devices with internal kernel names diff --git a/sources b/sources index 8c30d3d..feb0483 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ -SHA512 (tests.tar.xz) = 6365003e6308c88c68416166fdd9c802c1d47dc3f51692918b941369ff014d4127385821ab1f9cc6ab7cc7f5b9b846c9788f548315350c181619a4a5e47f3355 -SHA512 (cryptsetup-2.6.0.tar.xz) = 64d7b318b58fe96143ac7a12476852a38cc30126ef431b4687d0f3f399d56f6569c716e0311cfc2802e4f025520ee41edc17c82c2421da7cc56788478e646983 +SHA512 (cryptsetup-2.7.2.tar.xz) = 06f42f443b91d1f8af8af999dfedd4051ecb12ba5ef291cf2b44b6a5676e2c5cf1e686e19687f5cb6b1fd524dfc1a208cd25a3798367a480d80eac954aa8d6d4