Rebase to 2.7.2

- Resolves: RHEL-32377
Daniel Zatovic 2024-04-30 11:14:05 +02:00
parent 149624426e
commit 204d19aac1
14 changed files with 34 additions and 1297 deletions

1
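--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 /cryptsetup-2.4.3.tar.xz
 /tests.tar.xz
 /cryptsetup-2.6.0.tar.xz
+/cryptsetup-2.7.2.tar.xz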


@ -1,161 +0,0 @@
From c18dcfaa0b91eb48006232fbfadce9e6a9b4a790 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Fri, 2 Dec 2022 15:39:36 +0100
Subject: [PATCH 2/2] Abort encryption when header and data devices are same.
If data device reduction is not requsted this led
to data corruption since LUKS metadata was written
over the data device.
---
src/utils_reencrypt.c | 42 ++++++++++++++++++++++++++++++----
tests/luks2-reencryption-test | 16 +++++++++++++
tests/reencryption-compat-test | 20 +++++++++++++---
3 files changed, 70 insertions(+), 8 deletions(-)
diff --git a/src/utils_reencrypt.c b/src/utils_reencrypt.c
index 87ead680..73e0bca8 100644
--- a/src/utils_reencrypt.c
+++ b/src/utils_reencrypt.c
@@ -467,6 +467,26 @@ static int reencrypt_check_active_device_sb_block_size(const char *active_device
return reencrypt_check_data_sb_block_size(dm_device, new_sector_size);
}
+static int reencrypt_is_header_detached(const char *header_device, const char *data_device)
+{
+ int r;
+ struct stat st;
+ struct crypt_device *cd;
+
+ if (!header_device)
+ return 0;
+
+ if (header_device && stat(header_device, &st) < 0 && errno == ENOENT)
+ return 1;
+
+ if ((r = crypt_init_data_device(&cd, header_device, data_device)))
+ return r;
+
+ r = crypt_header_is_detached(cd);
+ crypt_free(cd);
+ return r;
+}
+
static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device, const char *device_name)
{
int keyslot, r, fd;
@@ -490,9 +510,14 @@ static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device,
_set_reencryption_flags(&params.flags);
- if (!data_shift && !ARG_SET(OPT_HEADER_ID)) {
- log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."));
- return -ENOTSUP;
+ if (!data_shift) {
+ r = reencrypt_is_header_detached(ARG_STR(OPT_HEADER_ID), data_device);
+ if (r < 0)
+ return r;
+ if (!r) {
+ log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."));
+ return -ENOTSUP;
+ }
}
if (!ARG_SET(OPT_HEADER_ID) && ARG_UINT64(OPT_OFFSET_ID) &&
@@ -1358,9 +1383,16 @@ static int _encrypt(struct crypt_device *cd, const char *type, enum device_statu
if (!type)
type = crypt_get_default_type();
- if (dev_st == DEVICE_LUKS1_UNUSABLE || isLUKS1(type))
+ if (dev_st == DEVICE_LUKS1_UNUSABLE || isLUKS1(type)) {
+ r = reencrypt_is_header_detached(ARG_STR(OPT_HEADER_ID), action_argv[0]);
+ if (r < 0)
+ return r;
+ if (!r && !ARG_SET(OPT_REDUCE_DEVICE_SIZE_ID)) {
+ log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."));
+ return -ENOTSUP;
+ }
return reencrypt_luks1(action_argv[0]);
- else if (dev_st == DEVICE_NOT_LUKS) {
+ } else if (dev_st == DEVICE_NOT_LUKS) {
r = encrypt_luks2_init(&encrypt_cd, action_argv[0], action_argc > 1 ? action_argv[1] : NULL);
if (r < 0 || ARG_SET(OPT_INIT_ONLY_ID)) {
crypt_free(encrypt_cd);
diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
index bab54353..a647a8c2 100755
--- a/tests/luks2-reencryption-test
+++ b/tests/luks2-reencryption-test
@@ -1080,6 +1080,22 @@ $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
$CRYPTSETUP close $DEV_NAME
echo $PWD1 | $CRYPTSETUP open --header $IMG_HDR $DEV --test-passphrase || fail
+# Encrypt without size reduction must not allow header device same as data device
+wipe_dev_head $DEV 1
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --type luks2 --encrypt --header $DEV -q $FAST_PBKDF_ARGON 2>/dev/null && fail
+$CRYPTSETUP isLUKS $DEV 2>/dev/null && fail
+ln -s $DEV $DEV_LINK || fail
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --type luks2 --encrypt --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
+$CRYPTSETUP isLUKS $DEV 2>/dev/null && fail
+rm -f $DEV_LINK || fail
+
+dd if=/dev/zero of=$IMG bs=4k count=1 >/dev/null 2>&1
+echo $PWD1 | $CRYPTSETUP reencrypt $IMG --type luks2 --encrypt --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail
+$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
+ln -s $IMG $DEV_LINK || fail
+echo $PWD1 | $CRYPTSETUP reencrypt $IMG --type luks2 --encrypt --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
+$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
+
echo "[4] Reencryption with detached header"
wipe $PWD1 $IMG_HDR
echo $PWD1 | $CRYPTSETUP reencrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test
index f6a84137..453831d1 100755
--- a/tests/reencryption-compat-test
+++ b/tests/reencryption-compat-test
@@ -15,6 +15,7 @@ IMG=reenc-data
IMG_HDR=$IMG.hdr
HEADER_LUKS2_PV=blkid-luks2-pv.img
ORIG_IMG=reenc-data-orig
+DEV_LINK="reenc-test-link"
KEY1=key1
PWD1="93R4P4pIqAH8"
PWD2="1cND4319812f"
@@ -40,7 +41,7 @@ function remove_mapping()
[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
[ ! -z "$LOOPDEV1" ] && losetup -d $LOOPDEV1 >/dev/null 2>&1
- rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $HEADER_LUKS2_PV >/dev/null 2>&1
+ rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $HEADER_LUKS2_PV $DEV_LINK >/dev/null 2>&1
umount $MNT_DIR > /dev/null 2>&1
rmdir $MNT_DIR > /dev/null 2>&1
LOOPDEV1=""
@@ -302,12 +303,25 @@ check_slot 0 || fail "Only keyslot 0 expected to be enabled"
$REENC $LOOPDEV1 -d $KEY1 $FAST_PBKDF -q || fail
# FIXME echo $PWD1 | $REENC ...
-if [ ! fips_mode ]; then
echo "[4] Encryption of not yet encrypted device"
+# Encrypt without size reduction must not allow header device same as data device
+wipe_dev $LOOPDEV1
+echo $PWD1 | $REENC $LOOPDEV1 --type luks1 --new --header $LOOPDEV1 -q $FAST_PBKDF_ARGON 2>/dev/null && fail
+$CRYPTSETUP isLUKS $LOOPDEV1 2>/dev/null && fail
+ln -s $LOOPDEV1 $DEV_LINK || fail
+echo $PWD1 | $REENC $LOOPDEV1 --type luks1 --new --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
+$CRYPTSETUP isLUKS $LOOPDEV1 2>/dev/null && fail
+rm -f $DEV_LINK || fail
+echo $PWD1 | $REENC $IMG --type luks1 --new --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail
+$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
+ln -s $IMG $DEV_LINK || fail
+echo $PWD1 | $REENC $IMG --type luks1 --new --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
+$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
+
+if [ ! fips_mode ]; then
# well, movin' zeroes :-)
OFFSET=2048
SIZE=$(blockdev --getsz $LOOPDEV1)
-wipe_dev $LOOPDEV1
dmsetup create $DEV_NAME2 --table "0 $(($SIZE - $OFFSET)) linear $LOOPDEV1 0" || fail
check_hash_dev /dev/mapper/$DEV_NAME2 $HASH3
dmsetup remove --retry $DEV_NAME2 || fail
--
2.38.1


@ -1,662 +0,0 @@
From e7a1f18d976771efc06987107da12ccae4d0b360 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Fri, 2 Dec 2022 11:40:24 +0100
Subject: [PATCH 2/3] Change tests to use passphrases with minimal 8 chars
length.
Skip tests that can not satisfy minimal test passphrase length:
- empty passphrase
- LUKS1 cipher_null tests (empty passphrase is mandatory)
- LUKS1 encryption
---
tests/Makefile.am | 3 +-
tests/align-test | 10 +++
tests/api-test-2.c | 117 +++++++++++++++++----------------
tests/api-test.c | 14 ++--
tests/compat-test | 8 ++-
tests/compat-test2 | 16 +++--
tests/keyring-compat-test | 2 +-
tests/reencryption-compat-test | 10 +++
tests/ssh-test-plugin | 2 +-
9 files changed, 110 insertions(+), 72 deletions(-)
diff --git a/tests/align-test b/tests/align-test
index eedf8b77..5941cde2 100755
--- a/tests/align-test
+++ b/tests/align-test
@@ -10,9 +10,16 @@ PWD1="93R4P4pIqAH8"
PWD2="mymJeD8ivEhE"
FAST_PBKDF="--pbkdf-force-iterations 1000"
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+
CRYPTSETUP_VALGRIND=../.libs/cryptsetup
CRYPTSETUP_LIB_VALGRIND=../.libs
+function fips_mode()
+{
+ [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+}
+
cleanup() {
udevadm settle >/dev/null 2>&1
if [ -d "$MNT_DIR" ] ; then
@@ -276,6 +283,8 @@ format_plain_fail 2048
format_plain_fail 4096
cleanup
+# skip tests using empty passphrase (LUKS1 cipher_null)
+if [ ! fips_mode ]; then
echo "# Offset check: 512B sector drive"
add_device dev_size_mb=16 sector_size=512 num_tgts=1
# |k| expO reqO expected slot offsets
@@ -314,6 +323,7 @@ format_null 512 4040 8
format_null 512 4096 128
format_null 512 4096 2048
cleanup
+fi
echo "# Create enterprise-class 4K drive with fs and LUKS images."
# loop device here presents 512 block but images have 4k block
diff --git a/tests/api-test-2.c b/tests/api-test-2.c
index b7c762d9..2c39191b 100644
--- a/tests/api-test-2.c
+++ b/tests/api-test-2.c
@@ -74,8 +74,8 @@ typedef int32_t key_serial_t;
#define KEYFILE2 "key2.file"
#define KEY2 "0123456789abcdef"
-#define PASSPHRASE "blabla"
-#define PASSPHRASE1 "albalb"
+#define PASSPHRASE "blablabl"
+#define PASSPHRASE1 "albalbal"
#define DEVICE_TEST_UUID "12345678-1234-1234-1234-123456789abc"
@@ -107,15 +107,15 @@ typedef int32_t key_serial_t;
#define CONV_L2_512_DET_FULL "l2_512b_det_full"
#define CONV_L1_256_LEGACY "l1_256b_legacy_offset"
#define CONV_L1_256_UNMOVABLE "l1_256b_unmovable"
-#define PASS0 "aaa"
-#define PASS1 "hhh"
-#define PASS2 "ccc"
-#define PASS3 "ddd"
-#define PASS4 "eee"
-#define PASS5 "fff"
-#define PASS6 "ggg"
-#define PASS7 "bbb"
-#define PASS8 "iii"
+#define PASS0 "aaablabl"
+#define PASS1 "hhhblabl"
+#define PASS2 "cccblabl"
+#define PASS3 "dddblabl"
+#define PASS4 "eeeblabl"
+#define PASS5 "fffblabl"
+#define PASS6 "gggblabl"
+#define PASS7 "bbbblabl"
+#define PASS8 "iiiblabl"
static int _fips_mode = 0;
@@ -429,11 +429,11 @@ static int _setup(void)
_system("dd if=/dev/zero of=" IMAGE_EMPTY_SMALL_2 " bs=512 count=2050 2>/dev/null", 1);
- _system(" [ ! -e " NO_REQS_LUKS2_HEADER " ] && xz -dk " NO_REQS_LUKS2_HEADER ".xz", 1);
+ _system(" [ ! -e " NO_REQS_LUKS2_HEADER " ] && tar xJf " REQS_LUKS2_HEADER ".tar.xz", 1);
fd = loop_attach(&DEVICE_4, NO_REQS_LUKS2_HEADER, 0, 0, &ro);
close(fd);
- _system(" [ ! -e " REQS_LUKS2_HEADER " ] && xz -dk " REQS_LUKS2_HEADER ".xz", 1);
+ _system(" [ ! -e " REQS_LUKS2_HEADER " ] && tar xJf " REQS_LUKS2_HEADER ".tar.xz", 1);
fd = loop_attach(&DEVICE_5, REQS_LUKS2_HEADER, 0, 0, &ro);
close(fd);
@@ -709,7 +709,7 @@ static void AddDeviceLuks2(void)
};
char key[128], key2[128], key3[128];
- const char *tmp_buf, *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd";
+ const char *tmp_buf, *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd";
const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e";
size_t key_size = strlen(vk_hex) / 2;
@@ -1056,7 +1056,6 @@ static void Luks2MetadataSize(void)
};
char key[128], tmp[128];
- const char *passphrase = "blabla";
const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
size_t key_size = strlen(vk_hex) / 2;
const char *cipher = "aes";
@@ -1103,7 +1102,7 @@ static void Luks2MetadataSize(void)
OK_(crypt_init(&cd, DMDIR H_DEVICE));
OK_(crypt_set_metadata_size(cd, 0x080000, 0x080000));
OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, key, key_size, &params));
- EQ_(crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, passphrase, strlen(passphrase)), 7);
+ EQ_(crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, PASSPHRASE, strlen(PASSPHRASE)), 7);
CRYPT_FREE(cd);
OK_(crypt_init(&cd, DMDIR H_DEVICE));
OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
@@ -3306,8 +3305,8 @@ static void Luks2Requirements(void)
.key_description = KEY_DESC_TEST0
};
- OK_(prepare_keyfile(KEYFILE1, "aaa", 3));
- OK_(prepare_keyfile(KEYFILE2, "xxx", 3));
+ OK_(prepare_keyfile(KEYFILE1, PASSPHRASE, strlen(PASSPHRASE)));
+ OK_(prepare_keyfile(KEYFILE2, PASSPHRASE1, strlen(PASSPHRASE1)));
/* crypt_load (unrestricted) */
OK_(crypt_init(&cd, DEVICE_5));
@@ -3361,11 +3360,11 @@ static void Luks2Requirements(void)
OK_(crypt_repair(cd, CRYPT_LUKS2, NULL));
/* crypt_keyslot_add_passphrase (restricted) */
- FAIL_((r = crypt_keyslot_add_by_passphrase(cd, CRYPT_ANY_SLOT, "aaa", 3, "bbb", 3)), "Unmet requirements detected");
+ FAIL_((r = crypt_keyslot_add_by_passphrase(cd, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), "bbb", 3)), "Unmet requirements detected");
EQ_(r, -ETXTBSY);
/* crypt_keyslot_change_by_passphrase (restricted) */
- FAIL_((r = crypt_keyslot_change_by_passphrase(cd, CRYPT_ANY_SLOT, 9, "aaa", 3, "bbb", 3)), "Unmet requirements detected");
+ FAIL_((r = crypt_keyslot_change_by_passphrase(cd, CRYPT_ANY_SLOT, 9, PASSPHRASE, strlen(PASSPHRASE), "bbb", 3)), "Unmet requirements detected");
EQ_(r, -ETXTBSY);
/* crypt_keyslot_add_by_keyfile (restricted) */
@@ -3377,18 +3376,18 @@ static void Luks2Requirements(void)
EQ_(r, -ETXTBSY);
/* crypt_volume_key_get (unrestricted, but see below) */
- OK_(crypt_volume_key_get(cd, 0, key, &key_size, "aaa", 3));
+ OK_(crypt_volume_key_get(cd, 0, key, &key_size, PASSPHRASE, strlen(PASSPHRASE)));
/* crypt_keyslot_add_by_volume_key (restricted) */
- FAIL_((r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, key_size, "xxx", 3)), "Unmet requirements detected");
+ FAIL_((r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, key_size, PASSPHRASE1, strlen(PASSPHRASE1))), "Unmet requirements detected");
EQ_(r, -ETXTBSY);
/* crypt_keyslot_add_by_key (restricted) */
- FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, NULL, key_size, "xxx", 3, CRYPT_VOLUME_KEY_NO_SEGMENT)), "Unmet requirements detected");
+ FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, NULL, key_size, PASSPHRASE1, strlen(PASSPHRASE1), CRYPT_VOLUME_KEY_NO_SEGMENT)), "Unmet requirements detected");
EQ_(r, -ETXTBSY);
/* crypt_keyslot_add_by_key (restricted) */
- FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, key, key_size, "xxx", 3, 0)), "Unmet requirements detected");
+ FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, key, key_size, PASSPHRASE1, strlen(PASSPHRASE1), 0)), "Unmet requirements detected");
EQ_(r, -ETXTBSY);
/* crypt_persistent_flasgs_set (restricted) */
@@ -3400,10 +3399,10 @@ static void Luks2Requirements(void)
EQ_(flags, CRYPT_REQUIREMENT_UNKNOWN);
/* crypt_activate_by_passphrase (restricted for activation only) */
- FAIL_((r = crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0)), "Unmet requirements detected");
+ FAIL_((r = crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0)), "Unmet requirements detected");
EQ_(r, -ETXTBSY);
- OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, 0));
- OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
+ OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), 0));
+ OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE);
/* crypt_activate_by_keyfile (restricted for activation only) */
@@ -3420,7 +3419,7 @@ static void Luks2Requirements(void)
#ifdef KERNEL_KEYRING
if (t_dm_crypt_keyring_support()) {
- kid = add_key("user", KEY_DESC_TEST0, "aaa", 3, KEY_SPEC_THREAD_KEYRING);
+ kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE, strlen(PASSPHRASE), KEY_SPEC_THREAD_KEYRING);
NOTFAIL_(kid, "Test or kernel keyring are broken.");
/* crypt_activate_by_keyring (restricted for activation only) */
@@ -3428,6 +3427,8 @@ static void Luks2Requirements(void)
EQ_(r, t_dm_crypt_keyring_support() ? -ETXTBSY : -EINVAL);
OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, 0));
OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, CRYPT_ACTIVATE_KEYRING_KEY));
+
+ NOTFAIL_(keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING), "Test or kernel keyring are broken.");
}
#endif
@@ -3513,10 +3514,15 @@ static void Luks2Requirements(void)
/* crypt_activate_by_token (restricted for activation only) */
#ifdef KERNEL_KEYRING
if (t_dm_crypt_keyring_support()) {
+ kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE, strlen(PASSPHRASE), KEY_SPEC_THREAD_KEYRING);
+ NOTFAIL_(kid, "Test or kernel keyring are broken.");
+
FAIL_((r = crypt_activate_by_token(cd, CDEVICE_1, 1, NULL, 0)), ""); // supposed to be silent
EQ_(r, -ETXTBSY);
OK_(crypt_activate_by_token(cd, NULL, 1, NULL, 0));
OK_(crypt_activate_by_token(cd, NULL, 1, NULL, CRYPT_ACTIVATE_KEYRING_KEY));
+
+ NOTFAIL_(keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING), "Test or kernel keyring are broken.");
}
#endif
OK_(get_luks2_offsets(0, 8192, 0, NULL, &r_payload_offset));
@@ -3528,7 +3534,7 @@ static void Luks2Requirements(void)
CRYPT_FREE(cd);
OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
OK_(crypt_load(cd, CRYPT_LUKS, NULL));
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0));
OK_(crypt_header_backup(cd, CRYPT_LUKS2, BACKUP_FILE));
/* replace header with no requirements */
OK_(_system("dd if=" REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1));
@@ -3566,7 +3572,7 @@ static void Luks2Requirements(void)
OK_(crypt_init_by_name(&cd, CDEVICE_1));
/* crypt_resume_by_passphrase (restricted) */
- FAIL_((r = crypt_resume_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3)), "Unmet requirements detected");
+ FAIL_((r = crypt_resume_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE))), "Unmet requirements detected");
EQ_(r, -ETXTBSY);
/* crypt_resume_by_keyfile (restricted) */
@@ -3580,13 +3586,13 @@ static void Luks2Requirements(void)
OK_(_system("dd if=" NO_REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1));
OK_(crypt_init_by_name(&cd, CDEVICE_1));
- OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3));
+ OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE)));
CRYPT_FREE(cd);
OK_(_system("dd if=" REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1));
OK_(crypt_init_by_name(&cd, CDEVICE_1));
/* load VK in keyring */
- OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
+ OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
/* crypt_resize (restricted) */
FAIL_((r = crypt_resize(cd, CDEVICE_1, 1)), "Unmet requirements detected");
EQ_(r, -ETXTBSY);
@@ -3622,7 +3628,6 @@ static void Luks2Integrity(void)
.integrity = "hmac(sha256)"
};
size_t key_size = 32 + 32;
- const char *passphrase = "blabla";
const char *cipher = "aes";
const char *cipher_mode = "xts-random";
int ret;
@@ -3636,8 +3641,8 @@ static void Luks2Integrity(void)
return;
}
- EQ_(crypt_keyslot_add_by_volume_key(cd, 7, NULL, key_size, passphrase, strlen(passphrase)), 7);
- EQ_(crypt_activate_by_passphrase(cd, CDEVICE_2, 7, passphrase, strlen(passphrase) ,0), 7);
+ EQ_(crypt_keyslot_add_by_volume_key(cd, 7, NULL, key_size, PASSPHRASE, strlen(PASSPHRASE)), 7);
+ EQ_(crypt_activate_by_passphrase(cd, CDEVICE_2, 7, PASSPHRASE, strlen(PASSPHRASE) ,0), 7);
GE_(crypt_status(cd, CDEVICE_2), CRYPT_ACTIVE);
CRYPT_FREE(cd);
@@ -3689,36 +3694,36 @@ static void Luks2Refresh(void)
OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
OK_(set_fast_pbkdf(cd));
OK_(crypt_format(cd, CRYPT_LUKS2, cipher, mode, NULL, key, 32, NULL));
- OK_(crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, 32, "aaa", 3));
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0));
+ OK_(crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, 32, PASSPHRASE, strlen(PASSPHRASE)));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0));
/* check we can refresh significant flags */
if (t_dm_crypt_discard_support()) {
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_ALLOW_DISCARDS));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_ALLOW_DISCARDS));
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
OK_(check_flag(cad.flags, CRYPT_ACTIVATE_ALLOW_DISCARDS));
cad.flags = 0;
}
if (t_dm_crypt_cpu_switch_support()) {
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SAME_CPU_CRYPT));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SAME_CPU_CRYPT));
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SAME_CPU_CRYPT));
cad.flags = 0;
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
cad.flags = 0;
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
cad.flags = 0;
}
OK_(crypt_volume_key_keyring(cd, 0));
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_KEYRING_KEY), "Unexpected flag raised.");
cad.flags = 0;
@@ -3726,7 +3731,7 @@ static void Luks2Refresh(void)
#ifdef KERNEL_KEYRING
if (t_dm_crypt_keyring_support()) {
OK_(crypt_volume_key_keyring(cd, 1));
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
OK_(check_flag(cad.flags, CRYPT_ACTIVATE_KEYRING_KEY));
cad.flags = 0;
@@ -3735,26 +3740,26 @@ static void Luks2Refresh(void)
/* multiple flags at once */
if (t_dm_crypt_discard_support() && t_dm_crypt_cpu_switch_support()) {
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS));
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS));
cad.flags = 0;
}
/* do not allow reactivation with read-only (and drop flag silently because activation behaves exactly same) */
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_READONLY));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_READONLY));
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_READONLY), "Reactivated with read-only flag.");
cad.flags = 0;
/* reload flag is dropped silently */
OK_(crypt_deactivate(cd, CDEVICE_1));
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
/* check read-only flag is not lost after reload */
OK_(crypt_deactivate(cd, CDEVICE_1));
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_READONLY));
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_READONLY));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
OK_(check_flag(cad.flags, CRYPT_ACTIVATE_READONLY));
cad.flags = 0;
@@ -3762,7 +3767,7 @@ static void Luks2Refresh(void)
/* check LUKS2 with auth. enc. reload */
OK_(crypt_init(&cd2, DMDIR L_DEVICE_WRONG));
if (!crypt_format(cd2, CRYPT_LUKS2, "aes", "gcm-random", crypt_get_uuid(cd), key, 32, &params)) {
- OK_(crypt_keyslot_add_by_volume_key(cd2, 0, key, 32, "aaa", 3));
+ OK_(crypt_keyslot_add_by_volume_key(cd2, 0, key, 32, PASSPHRASE, strlen(PASSPHRASE)));
OK_(crypt_activate_by_volume_key(cd2, CDEVICE_2, key, 32, 0));
OK_(crypt_activate_by_volume_key(cd2, CDEVICE_2, key, 32, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_NO_JOURNAL));
OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad));
@@ -3772,11 +3777,11 @@ static void Luks2Refresh(void)
OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad));
OK_(check_flag(cad.flags, CRYPT_ACTIVATE_NO_JOURNAL | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
cad.flags = 0;
- OK_(crypt_activate_by_passphrase(cd2, CDEVICE_2, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
+ OK_(crypt_activate_by_passphrase(cd2, CDEVICE_2, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad));
FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_NO_JOURNAL), "");
FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS), "");
- FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS2/aead context");
+ FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS2/aead context");
OK_(crypt_deactivate(cd2, CDEVICE_2));
} else {
printf("WARNING: cannot format integrity device, skipping few reload tests.\n");
@@ -3786,8 +3791,8 @@ static void Luks2Refresh(void)
/* Use LUKS1 context on LUKS2 device */
OK_(crypt_init(&cd2, DMDIR L_DEVICE_1S));
OK_(crypt_format(cd2, CRYPT_LUKS1, cipher, mode, crypt_get_uuid(cd), key, 32, NULL));
- OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, NULL, 32, "aaa", 3));
- FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS1 context");
+ OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)));
+ FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS1 context");
CRYPT_FREE(cd2);
/* Use PLAIN context on LUKS2 device */
@@ -3803,8 +3808,8 @@ static void Luks2Refresh(void)
OK_(crypt_init(&cd2, DMDIR L_DEVICE_WRONG));
OK_(set_fast_pbkdf(cd2));
OK_(crypt_format(cd2, CRYPT_LUKS2, cipher, mode, crypt_get_uuid(cd), key, 32, NULL));
- OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, key, 32, "aaa", 3));
- FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed dm-crypt mapped over mismatching data device");
+ OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, key, 32, PASSPHRASE, strlen(PASSPHRASE)));
+ FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed dm-crypt mapped over mismatching data device");
OK_(crypt_deactivate(cd, CDEVICE_1));
@@ -4825,7 +4830,7 @@ static void LuksKeyslotAdd(void)
crypt_keyslot_context_free(um2);
// generate new unbound key
- OK_(crypt_keyslot_context_init_by_volume_key(cd, NULL, 1, &um1));
+ OK_(crypt_keyslot_context_init_by_volume_key(cd, NULL, 9, &um1));
OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &um2));
EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 10, um2, CRYPT_VOLUME_KEY_NO_SEGMENT), 10);
EQ_(crypt_keyslot_status(cd, 10), CRYPT_SLOT_UNBOUND);
diff --git a/tests/api-test.c b/tests/api-test.c
index 2b2f0813..9bb6d2f1 100644
--- a/tests/api-test.c
+++ b/tests/api-test.c
@@ -65,8 +65,8 @@
#define KEYFILE2 "key2.file"
#define KEY2 "0123456789abcdef"
-#define PASSPHRASE "blabla"
-#define PASSPHRASE1 "albalb"
+#define PASSPHRASE "blablabl"
+#define PASSPHRASE1 "albalbal"
#define DEVICE_TEST_UUID "12345678-1234-1234-1234-123456789abc"
@@ -327,7 +327,7 @@ static void AddDevicePlain(void)
char key[128], key2[128], path[128];
struct crypt_keyslot_context *kc = NULL;
- const char *passphrase = PASSPHRASE;
+ const char *passphrase = "blabla";
// hashed hex version of PASSPHRASE
const char *vk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea";
size_t key_size = strlen(vk_hex) / 2;
@@ -772,6 +772,10 @@ static void SuspendDevice(void)
OK_(crypt_deactivate(cd, CDEVICE_1));
CRYPT_FREE(cd);
+ /* skip tests using empty passphrase */
+ if(_fips_mode)
+ return;
+
OK_(get_luks_offsets(0, key_size, 1024*2, 0, NULL, &r_payload_offset));
OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1));
@@ -806,7 +810,7 @@ static void AddDeviceLuks(void)
};
char key[128], key2[128], key3[128];
- const char *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd";
+ const char *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd";
const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e";
size_t key_size = strlen(vk_hex) / 2;
@@ -2105,7 +2109,7 @@ static void LuksKeyslotAdd(void)
};
char key[128], key3[128];
- const char *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd";
+ const char *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd";
const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e";
size_t key_size = strlen(vk_hex) / 2;
diff --git a/tests/compat-test b/tests/compat-test
index 356b7283..6dc80041 100755
--- a/tests/compat-test
+++ b/tests/compat-test
@@ -450,10 +450,13 @@ if [ -d /dev/disk/by-uuid ] ; then
$CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
fi
+# skip tests using empty passphrase
+if [ ! fips_mode ]; then
# empty keyfile
$CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEYE || fail
$CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
+fi
# open by volume key
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT -s 256 --volume-key-file $KEY1 $LOOPDEV || fail
$CRYPTSETUP luksOpen --volume-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail
@@ -503,7 +506,7 @@ echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --
echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail
# keyfile/passphrase
-echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail
+echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 8 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: ENABLED" || fail
prepare "[18] RemoveKey passphrase and keyfile" reuse
@@ -728,12 +731,15 @@ echo $PWDW | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
[ $? -ne 2 ] && fail "luksResume should return EPERM exit code"
echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
+# skip tests using empty passphrase
+if [ ! fips_mode ]; then
echo | $CRYPTSETUP -q luksFormat -c null $FAST_PBKDF_OPT --type luks1 $LOOPDEV || fail
echo | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP luksSuspend $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail
echo | $CRYPTSETUP luksResume $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
+fi
prepare "[27] luksOpen/luksResume with specified key slot number" wipe
# first, let's try passphrase option
diff --git a/tests/compat-test2 b/tests/compat-test2
index 2f18d7b6..c54dc7ea 100755
--- a/tests/compat-test2
+++ b/tests/compat-test2
@@ -427,10 +427,14 @@ if [ -d /dev/disk/by-uuid ] ; then
$CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
fi
+# skip tests using empty passphrases
+if [ ! fips_mode ]; then
# empty keyfile
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEYE || fail
$CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
+fi
+
# open by volume key
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT -s 256 --volume-key-file $KEY1 --type luks2 $LOOPDEV || fail
$CRYPTSETUP luksOpen --volume-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail
@@ -477,7 +481,7 @@ echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --
echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
# keyfile/passphrase
-echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail
+echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 8 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" || fail
prepare "[18] RemoveKey passphrase and keyfile" reuse
@@ -1001,14 +1005,14 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "pbkdf2" || fail
echo $PWD1 | $CRYPTSETUP -q luksConvertKey $LOOPDEV -S 1 --pbkdf argon2i -i1 --pbkdf-memory 32 || can_fail_fips
$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || can_fail_fips
-echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 21 --unbound -s 16 $LOOPDEV || fail
+echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 21 --unbound -s 72 $LOOPDEV || fail
echo $PWD3 | $CRYPTSETUP luksConvertKey --pbkdf-force-iterations 1001 --pbkdf pbkdf2 -S 21 $LOOPDEV || fail
prepare "[38] luksAddKey unbound tests" wipe
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY5 --key-slot 5 || fail
# unbound key may have arbitrary size
-echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 16 $LOOPDEV || fail
-echo $PWD2 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 32 -S 2 $LOOPDEV || fail
+echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 72 $LOOPDEV || fail
+echo $PWD2 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 72 -S 2 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2 (unbound)" || fail
dd if=/dev/urandom of=$KEY_FILE0 bs=64 count=1 > /dev/null 2>&1 || fail
echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 512 -S 3 --volume-key-file $KEY_FILE0 $LOOPDEV || fail
@@ -1100,10 +1104,10 @@ $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 --key-slot 2 -
[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "2: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "2: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
# unbound keyslot
-echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 21 --unbound -s 32 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
+echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 21 --unbound -s 72 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "21: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "21: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
-echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 22 --unbound -s 32 $LOOPDEV || fail
+echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 22 --unbound -s 72 $LOOPDEV || fail
echo $PWD3 | $CRYPTSETUP luksConvertKey --key-slot 22 $LOOPDEV --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "22: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "22: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
diff --git a/tests/keyring-compat-test b/tests/keyring-compat-test
index 57c7fd98..ea88c210 100755
--- a/tests/keyring-compat-test
+++ b/tests/keyring-compat-test
@@ -21,7 +21,7 @@ NAME=testcryptdev
CHKS_DMCRYPT=vk_in_dmcrypt.chk
CHKS_KEYRING=vk_in_keyring.chk
-PWD="aaa"
+PWD="aaablabl"
[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test
index 433f4d4c..f6a84137 100755
--- a/tests/reencryption-compat-test
+++ b/tests/reencryption-compat-test
@@ -22,6 +22,12 @@ PWD3="1-9Qu5Ejfnqv"
MNT_DIR=./mnt_luks
START_DIR=$(pwd)
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+
+function fips_mode()
+{
+ [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+}
function del_scsi_device()
{
@@ -296,6 +302,7 @@ check_slot 0 || fail "Only keyslot 0 expected to be enabled"
$REENC $LOOPDEV1 -d $KEY1 $FAST_PBKDF -q || fail
# FIXME echo $PWD1 | $REENC ...
+if [ ! fips_mode ]; then
echo "[4] Encryption of not yet encrypted device"
# well, movin' zeroes :-)
OFFSET=2048
@@ -323,6 +330,7 @@ OFFSET=4096
echo fake | $REENC $LOOPDEV1 -d $KEY1 --new --type luks1 --reduce-device-size "$OFFSET"S -q $FAST_PBKDF || fail
$CRYPTSETUP open --test-passphrase $LOOPDEV1 -d $KEY1 || fail
wipe_dev $LOOPDEV1
+fi
echo "[5] Reencryption using specific keyslot"
echo $PWD2 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail
@@ -396,6 +404,7 @@ add_scsi_device sector_size=512 dev_size_mb=32 physblk_exp=3
test_logging "[4096/512 sector]" || fail
test_logging_tmpfs || fail
+if [ ! fips_mode ]; then
echo "[10] Removal of encryption"
prepare 8192
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail
@@ -460,6 +469,7 @@ if [ "$HAVE_BLKID" -gt 0 ]; then
echo $PWD1 | $REENC --header $IMG_HDR $HEADER_LUKS2_PV -q $FAST_PBKDF --new --type luks1 2>/dev/null && fail
test -f $IMG_HDR && fail
fi
+fi # if [ ! fips_mode ]
remove_mapping
exit 0
diff --git a/tests/ssh-test-plugin b/tests/ssh-test-plugin
index 0a440b93..5b3966e7 100755
--- a/tests/ssh-test-plugin
+++ b/tests/ssh-test-plugin
@@ -11,7 +11,7 @@ CRYPTSETUP_SSH=$CRYPTSETUP_PATH/cryptsetup-ssh
IMG="ssh_test.img"
MAP="sshtest"
USER="sshtest"
-PASSWD="sshtest"
+PASSWD="sshtest1"
PASSWD2="sshtest2"
SSH_OPTIONS="-o StrictHostKeyChecking=no"
--
2.38.1


@ -1,55 +0,0 @@
From be088b8de8d636993767a42f195ffd3bf915e567 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Mon, 12 Dec 2022 17:33:12 +0100
Subject: [PATCH 1/2] Enable crypt_header_is_detached for empty contexts.
Also changes few tests now expecting crypt_header_is_detached
works with empty contexts.
---
lib/setup.c | 2 +-
tests/api-test-2.c | 2 +-
tests/api-test.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/setup.c b/lib/setup.c
index f169942c..3263578b 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -3242,7 +3242,7 @@ int crypt_header_is_detached(struct crypt_device *cd)
{
int r;
- if (!cd || !isLUKS(cd->type))
+ if (!cd || (cd->type && !isLUKS(cd->type)))
return -EINVAL;
r = device_is_identical(crypt_data_device(cd), crypt_metadata_device(cd));
diff --git a/tests/api-test-2.c b/tests/api-test-2.c
index 2c39191b..c7e930ca 100644
--- a/tests/api-test-2.c
+++ b/tests/api-test-2.c
@@ -889,7 +889,7 @@ static void AddDeviceLuks2(void)
FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, key, key_size, 0), "Device is active");
EQ_(crypt_status(cd, CDEVICE_2), CRYPT_INACTIVE);
OK_(crypt_deactivate(cd, CDEVICE_1));
- FAIL_(crypt_header_is_detached(cd), "no header for mismatched device");
+ EQ_(crypt_header_is_detached(cd), 1);
CRYPT_FREE(cd);
params.data_device = NULL;
diff --git a/tests/api-test.c b/tests/api-test.c
index 9bb6d2f1..f6e33a40 100644
--- a/tests/api-test.c
+++ b/tests/api-test.c
@@ -960,7 +960,7 @@ static void AddDeviceLuks(void)
FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, key, key_size, 0), "Device is active");
EQ_(crypt_status(cd, CDEVICE_2), CRYPT_INACTIVE);
OK_(crypt_deactivate(cd, CDEVICE_1));
- FAIL_(crypt_header_is_detached(cd), "no header for mismatched device");
+ EQ_(crypt_header_is_detached(cd), 1);
CRYPT_FREE(cd);
params.data_device = NULL;
--
2.38.1


@ -1,58 +0,0 @@
From a33f7bf5ca33587ddb05f2acac42f93068022458 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Fri, 2 Dec 2022 11:39:59 +0100
Subject: [PATCH 1/3] Run PBKDF benchmark with 8 bytes long well-known
passphrase.
---
lib/utils_benchmark.c | 4 ++--
src/cryptsetup.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/utils_benchmark.c b/lib/utils_benchmark.c
index 0a0c438e..d8976fb2 100644
--- a/lib/utils_benchmark.c
+++ b/lib/utils_benchmark.c
@@ -187,7 +187,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd,
pbkdf->parallel_threads = 0; /* N/A in PBKDF2 */
pbkdf->max_memory_kb = 0; /* N/A in PBKDF2 */
- r = crypt_benchmark_pbkdf(cd, pbkdf, "foo", 3, "01234567890abcdef", 16,
+ r = crypt_benchmark_pbkdf(cd, pbkdf, "foobarfo", 8, "01234567890abcdef", 16,
volume_key_size, &benchmark_callback, &u);
pbkdf->time_ms = ms_tmp;
if (r < 0) {
@@ -207,7 +207,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd,
return 0;
}
- r = crypt_benchmark_pbkdf(cd, pbkdf, "foo", 3,
+ r = crypt_benchmark_pbkdf(cd, pbkdf, "foobarfo", 8,
"0123456789abcdef0123456789abcdef", 32,
volume_key_size, &benchmark_callback, &u);
if (r < 0)
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index c2e23c6e..dfaf7682 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -997,7 +997,7 @@ static int action_benchmark_kdf(const char *kdf, const char *hash, size_t key_si
.time_ms = 1000,
};
- r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foo", 3, "0123456789abcdef", 16, key_size,
+ r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foobarfo", 8, "0123456789abcdef", 16, key_size,
&benchmark_callback, &pbkdf);
if (r < 0)
log_std(_("PBKDF2-%-9s N/A\n"), hash);
@@ -1012,7 +1012,7 @@ static int action_benchmark_kdf(const char *kdf, const char *hash, size_t key_si
.parallel_threads = ARG_UINT32(OPT_PBKDF_PARALLEL_ID)
};
- r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foo", 3,
+ r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foobarfo", 8,
"0123456789abcdef0123456789abcdef", 32,
key_size, &benchmark_callback, &pbkdf);
if (r < 0)
--
2.38.1


@ -1,81 +0,0 @@
From dff9ee8c8cb68432e96261b87aabb7aaa51215e7 Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Tue, 2 May 2023 15:42:21 +0200
Subject: [PATCH] Also disallow active devices with internal kernel names.
The same problem fixed in commit 438cf1d1b3ef6d7405cfbcbe5f631d3d7467a605
is present in libdevmapper wrapper when parsing active device table.
The whole point of conversion was that non-authenticated modes
can be always represented in the old cipher-mode-iv format.
As the internal names contains dash, these are unsupported.
That said, the libdevmapper backend now correctly returns
full cipher specification including capi prefix for this case.
Init_by_name call now fails with incomplatible cipher definition error.
---
lib/setup.c | 2 +-
lib/utils_crypt.c | 9 +++++++++
tests/mode-test | 5 +++++
3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/lib/setup.c b/lib/setup.c
index 4bc3f6fb..57435475 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -1258,7 +1258,7 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name)
r = crypt_parse_name_and_mode(tgt->type == DM_LINEAR ? "null" : tgt->u.crypt.cipher, cipher,
&key_nums, cipher_mode);
if (r < 0) {
- log_dbg(cd, "Cannot parse cipher and mode from active device.");
+ log_err(cd, _("No known cipher specification pattern detected for active device %s."), name);
goto out;
}
diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c
index c1bde000..9232a91d 100644
--- a/lib/utils_crypt.c
+++ b/lib/utils_crypt.c
@@ -306,6 +306,15 @@ int crypt_capi_to_cipher(char **org_c, char **org_i, const char *c_dm, const cha
if (i != 2)
return -EINVAL;
+ /* non-cryptsetup compatible mode (generic driver with dash?) */
+ if (strrchr(iv, ')')) {
+ if (i_dm)
+ return -EINVAL;
+ if (!(*org_c = strdup(c_dm)))
+ return -ENOMEM;
+ return 0;
+ }
+
len = strlen(tmp);
if (len < 2)
return -EINVAL;
diff --git a/tests/mode-test b/tests/mode-test
index fe61880a..4775751e 100755
--- a/tests/mode-test
+++ b/tests/mode-test
@@ -8,6 +8,7 @@ DEV_NAME=dmc_test
HEADER_IMG=mode-test.img
PASSWORD=3xrododenron
PASSWORD1=$PASSWORD
+KEY="7c0dc5dfd0c9191381d92e6ebb3b29e7f0dba53b0de132ae23f5726727173540"
FAST_PBKDF2="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
# cipher-chainmode-ivopts:ivmode
@@ -188,6 +189,10 @@ echo -n "CAPI format:"
echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail
$CRYPTSETUP close "$DEV_NAME"_tstdev || fail
echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail
+dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail
+$CRYPTSETUP status "$DEV_NAME"_tstdev >/dev/null 2>&1 && fail
+$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null && fail
+dmsetup remove "$DEV_NAME"_tstdev || fail
echo [OK]
cleanup
--
2.41.0


@ -1,68 +0,0 @@
From 438cf1d1b3ef6d7405cfbcbe5f631d3d7467a605 Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Mon, 24 Apr 2023 21:19:03 +0200
Subject: [PATCH] Disallow use of internal kenrel crypto driver names in "capi"
specification.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The common way to specify cipher mode in cryptsetup
is to use cipher-mode-iv notation (like aes-xts-plain64).
With introduction of authenticated ciphers we also allow "capi:<spec>"
notation that is directly used by dm-crypt (e.g. capi:xts(aes)-plain64).
CAPI specification was never intended to be used with internal
kernel crypto api names (with dash in algorithm name), actually the
whole parsing routine wrongly parses mode here now.
The code not checks if parsing wrongly separated the full cipher
string and effectively allowing only proper cipher names
(example of no longer supported string is capi:xts(ecb(aes-generic))-plain64).
Thanks to Jan Wichelmann, Luca Wilke and Thomas Eisenbarth from
University of Lübeck for noticing the problems with this code.
Fixes: #809
---
lib/utils_crypt.c | 8 +++++++-
tests/mode-test | 6 ++++++
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c
index 0b7dc378..c1bde000 100644
--- a/lib/utils_crypt.c
+++ b/lib/utils_crypt.c
@@ -43,7 +43,13 @@ int crypt_parse_name_and_mode(const char *s, char *cipher, int *key_nums,
cipher, cipher_mode) == 2) {
if (!strcmp(cipher_mode, "plain"))
strcpy(cipher_mode, "cbc-plain");
- if (key_nums) {
+ if (!strncmp(cipher, "capi:", 5)) {
+ /* CAPI must not use internal cipher driver names with dash */
+ if (strchr(cipher_mode, ')'))
+ return -EINVAL;
+ if (key_nums)
+ *key_nums = 1;
+ } else if (key_nums) {
char *tmp = strchr(cipher, ':');
*key_nums = tmp ? atoi(++tmp) : 1;
if (!*key_nums)
diff --git a/tests/mode-test b/tests/mode-test
index 82171fbd..fe61880a 100755
--- a/tests/mode-test
+++ b/tests/mode-test
@@ -184,4 +184,10 @@ done
dmcrypt xchacha12,aes-adiantum-plain64
dmcrypt xchacha20,aes-adiantum-plain64
+echo -n "CAPI format:"
+echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail
+$CRYPTSETUP close "$DEV_NAME"_tstdev || fail
+echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail
+echo [OK]
+
cleanup
--
2.41.0


@ -1,81 +0,0 @@
From b8711faf92868dc82b1a64e7673740444199b2ca Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Sun, 25 Jun 2023 23:32:13 +0200
Subject: [PATCH] Fix activation of LUKS2 with capi format cipher and kernel
crypt name.
While activation of internal cipher algorithms (like aes-generic)
is disallowed, some old LUKS2 images can still use it.
Check the cipher in activate call, but allow to load LUKS2 metadata.
This can allow to add repair code easily and also allow luksDump.
Also fix segfault in reencrypt code for such a header.
Fixes: #820
---
lib/luks2/luks2_json_metadata.c | 5 +++++
tests/Makefile.am | 4 +++-
tests/compat-test2 | 17 ++++++++++++++++-
tests/luks2_invalid_cipher.img.xz | Bin 0 -> 135372 bytes
tests/meson.build | 1 +
5 files changed, 25 insertions(+), 2 deletions(-)
create mode 100644 tests/luks2_invalid_cipher.img.xz
Index: cryptsetup-2.6.0/lib/luks2/luks2_json_metadata.c
===================================================================
--- cryptsetup-2.6.0.orig/lib/luks2/luks2_json_metadata.c
+++ cryptsetup-2.6.0/lib/luks2/luks2_json_metadata.c
@@ -2597,6 +2597,11 @@ int LUKS2_activate(struct crypt_device *
if ((r = LUKS2_unmet_requirements(cd, hdr, 0, 0)))
return r;
+ /* Check that cipher is in compatible format */
+ if (!crypt_get_cipher(cd)) {
+ log_err(cd, _("No known cipher specification pattern detected in LUKS2 header."));
+ return -EINVAL;
+ }
r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd),
vk, crypt_get_cipher_spec(cd), crypt_get_iv_offset(cd),
crypt_get_data_offset(cd), crypt_get_integrity(cd) ?: "none",
Index: cryptsetup-2.6.0/tests/compat-test2
===================================================================
--- cryptsetup-2.6.0.orig/tests/compat-test2
+++ cryptsetup-2.6.0/tests/compat-test2
@@ -16,6 +16,7 @@ IMG10=luks-test-v10
HEADER_IMG=luks-header
HEADER_KEYU=luks2_keyslot_unassigned.img
HEADER_LUKS2_PV=blkid-luks2-pv.img
+HEADER_LUKS2_INV=luks2_invalid_cipher.img
KEY1=key1
KEY2=key2
KEY5=key5
@@ -50,7 +51,9 @@ function remove_mapping()
[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
losetup -d $LOOPDEV >/dev/null 2>&1
- rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE $HEADER_LUKS2_PV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* $KEY_FILE0 $KEY_FILE1 >/dev/null 2>&1
+ rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE \
+ $HEADER_LUKS2_PV $HEADER_LUKS2_INV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* \
+ $KEY_FILE0 $KEY_FILE1 >/dev/null 2>&1
# unlink whole test keyring
[ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null
@@ -1200,5 +1203,17 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys
$CRYPTSETUP open -q --test-passphrase --token-only --token-id 0 -q $IMG || fail
fi
+prepare "[44] LUKS2 invalid cipher (kernel cipher driver name)" wipe
+xz -dk $HEADER_LUKS2_INV.xz
+dd if=$HEADER_LUKS2_INV of=$IMG conv=notrunc >/dev/null 2>&1
+$CRYPTSETUP -q luksDump $LOOPDEV | grep -q "capi:xts(ecb(aes-generic))-plain64" || fail
+echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail
+echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME 2>&1 | grep -q "No known cipher specification pattern" || fail
+echo $PWD1 | $CRYPTSETUP reencrypt $LOOPDEV >/dev/null 2>&1 && fail
+dmsetup create $DEV_NAME --uuid CRYPT-LUKS2-3d20686f551748cb89911ad32379821b-test --table \
+ "0 8 crypt capi:xts(ecb(aes-generic))-plain64 edaa40709797973715e572bf7d86fcbb9cfe2051083c33c28d58fe4e1e7ff642 0 $LOOPDEV 32768"
+$CRYPTSETUP status $DEV_NAME | grep -q "n/a" || fail
+$CRYPTSETUP close $DEV_NAME ||fail
+
remove_mapping
exit 0


@ -1,52 +0,0 @@
From 53aa5f6c4f7439db1b25846597fb5603870ba55e Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Mon, 5 Jun 2023 16:02:06 +0200
Subject: [PATCH] Fix init_by_name to allow unknown cipher format in dm-crypt
as null context.
Deactivation code should deactivate dm-crypt device even if it is unknown
for libcryptsetup. Previous fix for cipher specification was too strict.
Let's allow initialization as null context, that allow status and
deactivate to be usable again.
---
lib/setup.c | 6 ++++++
tests/mode-test | 5 ++---
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/lib/setup.c b/lib/setup.c
index fd17be8c..786aa900 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -1276,6 +1276,12 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name)
r = crypt_parse_name_and_mode(tgt->type == DM_LINEAR ? "null" : tgt->u.crypt.cipher, cipher,
&key_nums, cipher_mode);
if (r < 0) {
+ /* Allow crypt null context with unknown cipher string */
+ if (tgt->type == DM_CRYPT && !tgt->u.crypt.integrity) {
+ crypt_set_null_type(cd);
+ r = 0;
+ goto out;
+ }
log_err(cd, _("No known cipher specification pattern detected for active device %s."), name);
goto out;
}
diff --git a/tests/mode-test b/tests/mode-test
index 4775751e..7f7f20a1 100755
--- a/tests/mode-test
+++ b/tests/mode-test
@@ -190,9 +190,8 @@ echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256
$CRYPTSETUP close "$DEV_NAME"_tstdev || fail
echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail
dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail
-$CRYPTSETUP status "$DEV_NAME"_tstdev >/dev/null 2>&1 && fail
-$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null && fail
-dmsetup remove "$DEV_NAME"_tstdev || fail
+$CRYPTSETUP status "$DEV_NAME"_tstdev 2>/dev/null | grep "type:" | grep -q "n/a" || fail
+$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null || fail
echo [OK]
cleanup
--
2.41.0


@ -1,31 +0,0 @@
From 1f01eea60e38ac92aa05e4b95372d54b7b9095df Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Mon, 26 Jun 2023 13:25:59 +0200
Subject: [PATCH] Fix reencryption to fail properly for unknown cipher.
crypt_get_cipher and crypt_get_cipher mode can return NULL,
check it in advance.
---
src/utils_reencrypt.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/utils_reencrypt.c b/src/utils_reencrypt.c
index a78557cb..8ffceb36 100644
--- a/src/utils_reencrypt.c
+++ b/src/utils_reencrypt.c
@@ -419,6 +419,12 @@ static bool luks2_reencrypt_eligible(struct crypt_device *cd)
return false;
}
+ /* Check that cipher is in compatible format */
+ if (!crypt_get_cipher(cd)) {
+ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
+ return false;
+ }
+
return true;
}
--
2.41.0

View File

@ -12,36 +12,29 @@ bytes.
lib/luks2/luks2_keyslot_luks2.c | 2 ++ lib/luks2/luks2_keyslot_luks2.c | 2 ++
2 files changed, 6 insertions(+), 1 deletion(-) 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c Index: cryptsetup-2.7.2/lib/luks1/keymanage.c
index de97b73c..225e84b8 100644 ===================================================================
--- a/lib/luks1/keymanage.c --- cryptsetup-2.7.2.orig/lib/luks1/keymanage.c
+++ b/lib/luks1/keymanage.c +++ cryptsetup-2.7.2/lib/luks1/keymanage.c
@@ -924,8 +924,11 @@ int LUKS_set_key(unsigned int keyIndex, @@ -926,6 +926,8 @@ int LUKS_set_key(unsigned int keyIndex,
hdr->keyblock[keyIndex].passwordSalt, LUKS_SALTSIZE,
derived_key->key, hdr->keyBytes, derived_key->key, hdr->keyBytes,
hdr->keyblock[keyIndex].passwordIterations, 0, 0); hdr->keyblock[keyIndex].passwordIterations, 0, 0);
- if (r < 0) if (r < 0) {
+ if (r < 0) {
+ if (crypt_fips_mode() && passwordLen < 8) + if (crypt_fips_mode() && passwordLen < 8)
+ log_err(ctx, _("Invalid passphrase for PBKDF2 in FIPS mode.")); + log_err(ctx, _("Invalid passphrase for PBKDF2 in FIPS mode."));
goto out; if ((crypt_backend_flags() & CRYPT_BACKEND_PBKDF2_INT) &&
+ } hdr->keyblock[keyIndex].passwordIterations > INT_MAX)
log_err(ctx, _("PBKDF2 iteration value overflow."));
/* Index: cryptsetup-2.7.2/lib/luks2/luks2_keyslot_luks2.c
* AF splitting, the volume key stored in vk->key is split to AfKey ===================================================================
diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c --- cryptsetup-2.7.2.orig/lib/luks2/luks2_keyslot_luks2.c
index 78f74242..f480bcab 100644 +++ cryptsetup-2.7.2/lib/luks2/luks2_keyslot_luks2.c
--- a/lib/luks2/luks2_keyslot_luks2.c @@ -269,6 +269,8 @@ static int luks2_keyslot_set_key(struct
+++ b/lib/luks2/luks2_keyslot_luks2.c pbkdf.iterations > INT_MAX)
@@ -265,6 +265,8 @@ static int luks2_keyslot_set_key(struct crypt_device *cd, log_err(cd, _("PBKDF2 iteration value overflow."));
free(salt);
if (r < 0) {
crypt_free_volume_key(derived_key); crypt_free_volume_key(derived_key);
+ if (crypt_fips_mode() && passwordLen < 8 && !strcmp(pbkdf.type, "pbkdf2")) + if (crypt_fips_mode() && passwordLen < 8 && !strcmp(pbkdf.type, "pbkdf2"))
+ log_err(cd, _("Invalid passphrase for PBKDF2 in FIPS mode.")); + log_err(cd, _("Invalid passphrase for PBKDF2 in FIPS mode."));
return r; return r;
} }
--
2.38.1


@ -1,7 +1,8 @@
diff -rupN cryptsetup-2.2.0.old/configure cryptsetup-2.2.0/configure Index: cryptsetup-2.7.0/configure
--- cryptsetup-2.2.0.old/configure 2019-08-14 20:45:07.000000000 +0200 ===================================================================
+++ cryptsetup-2.2.0/configure 2019-08-15 09:11:14.775184005 +0200 --- cryptsetup-2.7.0.orig/configure
@@ -12294,6 +12294,9 @@ fi +++ cryptsetup-2.7.0/configure
@@ -14161,6 +14161,9 @@ fi
# before this can be enabled. # before this can be enabled.
hardcode_into_libs=yes hardcode_into_libs=yes
@ -11,7 +12,7 @@ diff -rupN cryptsetup-2.2.0.old/configure cryptsetup-2.2.0/configure
# Ideally, we could use ldconfig to report *all* directores which are # Ideally, we could use ldconfig to report *all* directores which are
# searched for libraries, however this is still not possible. Aside from not # searched for libraries, however this is still not possible. Aside from not
# being certain /sbin/ldconfig is available, command # being certain /sbin/ldconfig is available, command
@@ -12302,7 +12305,7 @@ fi @@ -14169,7 +14172,7 @@ fi
# appending ld.so.conf contents (and includes) to the search path. # appending ld.so.conf contents (and includes) to the search path.
if test -f /etc/ld.so.conf; then if test -f /etc/ld.so.conf; then
lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`


@ -1,7 +1,7 @@
Summary: Utility for setting up encrypted disks Summary: Utility for setting up encrypted disks
Name: cryptsetup Name: cryptsetup
Version: 2.6.0 Version: 2.7.2
Release: 3%{?dist} Release: 1%{?dist}
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
URL: https://gitlab.com/cryptsetup/cryptsetup URL: https://gitlab.com/cryptsetup/cryptsetup
BuildRequires: openssl-devel, popt-devel, device-mapper-devel BuildRequires: openssl-devel, popt-devel, device-mapper-devel
@ -15,22 +15,9 @@ Obsoletes: %{name}-reencrypt <= %{version}
Provides: %{name}-reencrypt = %{version} Provides: %{name}-reencrypt = %{version}
%global upstream_version %{version} %global upstream_version %{version}
Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-%{upstream_version}.tar.xz Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-%{upstream_version}.tar.xz
# binary archive with updated tests/conversion_imgs.tar.xz and tests/luks2_header_requirements.tar.xz
# for testing (can not be patched via rpmbuild)
Source1: tests.tar.xz
# Following patch has to applied last # Following patch has to applied last
Patch0000: %{name}-2.6.1-Run-PBKDF-benchmark-with-8-bytes-long-well-known-pas.patch
Patch0001: %{name}-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch
Patch0002: %{name}-2.6.1-Enable-crypt_header_is_detached-for-empty-contexts.patch
Patch0003: %{name}-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch
Patch0004: %{name}-2.7.0-Disallow-use-of-internal-kenrel-crypto-driver-names-.patch
Patch0005: %{name}-2.7.0-Also-disallow-active-devices-with-internal-kernel-na.patch
Patch0006: %{name}-2.7.0-Fix-init_by_name-to-allow-unknown-cipher-format-in-d.patch
Patch0007: %{name}-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch
Patch0008: %{name}-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch
Patch9998: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch Patch9998: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch
Patch9999: %{name}-add-system-library-paths.patch Patch9999: %{name}-add-system-library-paths.patch
@ -70,11 +57,11 @@ The integritysetup package contains a utility for setting up
disk integrity protection using dm-integrity kernel module. disk integrity protection using dm-integrity kernel module.
%prep %prep
%autosetup -n cryptsetup-%{upstream_version} -p 1 -a 1 %autosetup -n cryptsetup-%{upstream_version} -p 1
%build %build
rm -f man/*.8 rm -f man/*.8
%configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --disable-ssh-token --enable-asciidoc %configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --disable-ssh-token --enable-asciidoc --disable-hw-opal --with-plain-hash=ripemd160 --with-plain-cipher=aes --with-plain-mode=cbc-essiv:sha256
%make_build %make_build
%install %install
@ -116,6 +103,11 @@ rm -rf %{buildroot}%{_libdir}/*.la
%ghost %attr(700, -, -) %dir /run/cryptsetup %ghost %attr(700, -, -) %dir /run/cryptsetup
%changelog %changelog
* Thu May 02 2024 Daniel Zatovic <dzatovic@redhat.com> - 2.7.2-1
- Update to cryptsetup 2.7.2
- Use OpenSLL Argon implementation instead of the built-in one
- Resolves: RHEL-32377
* Fri Jun 30 2023 Daniel Zatovic <dzatovic@redhat.com> - 2.6.0-3 * Fri Jun 30 2023 Daniel Zatovic <dzatovic@redhat.com> - 2.6.0-3
- patch: Disallow use of internal kenrel crypto driver names in "capi" - patch: Disallow use of internal kenrel crypto driver names in "capi"
- patch: Also disallow active devices with internal kernel names - patch: Also disallow active devices with internal kernel names
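Review bot: The new changelog entry says the build now uses the OpenSSL Argon2 implementation, but the `%configure` line on the new side still passes `--enable-internal-sse-argon2` and no visible option selects another Argon2 provider; either drop that flag or reword the entry, which also misspells the library as "OpenSLL". The added `--with-plain-hash=ripemd160 --with-plain-cipher=aes --with-plain-mode=cbc-essiv:sha256` options pin the plain-mode defaults, presumably to keep the values the previous package used. Plain mode stores no header, so a silent change of defaults would make existing plain mappings unreadable, and that reasoning belongs next to the line, e.g. `# keep pre-2.7 plain-mode defaults: plain devices carry no metadata, changing them breaks existing mappings`. `--disable-hw-opal` deserves a similar one-line comment saying why the feature is turned off in this build.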


@ -1,2 +1 @@
SHA512 (tests.tar.xz) = 6365003e6308c88c68416166fdd9c802c1d47dc3f51692918b941369ff014d4127385821ab1f9cc6ab7cc7f5b9b846c9788f548315350c181619a4a5e47f3355 SHA512 (cryptsetup-2.7.2.tar.xz) = 06f42f443b91d1f8af8af999dfedd4051ecb12ba5ef291cf2b44b6a5676e2c5cf1e686e19687f5cb6b1fd524dfc1a208cd25a3798367a480d80eac954aa8d6d4
SHA512 (cryptsetup-2.6.0.tar.xz) = 64d7b318b58fe96143ac7a12476852a38cc30126ef431b4687d0f3f399d56f6569c716e0311cfc2802e4f025520ee41edc17c82c2421da7cc56788478e646983