From 42c9648451c7ed648a8a693bbc4c0bc942cd6f93 Mon Sep 17 00:00:00 2001
From: Daniel Zatovic
Date: Tue, 30 Apr 2024 16:53:32 +0200
Subject: [PATCH] Rebase to 2.7.2

- Resolves: RHEL-33395
---
 ...gon2-OpenSSL-detection-to-not-compil.patch | 61 -------------------
 ...ed-error-message-in-keyslot-add-code.patch | 40 ++++++++++++
 cryptsetup.spec | 11 +++-
 sources | 2 +-
 4 files changed, 49 insertions(+), 65 deletions(-)
 delete mode 100644 cryptsetup-2.7.1-Fix-configure-Argon2-OpenSSL-detection-to-not-compil.patch
 create mode 100644 cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch

diff --git a/cryptsetup-2.7.1-Fix-configure-Argon2-OpenSSL-detection-to-not-compil.patch b/cryptsetup-2.7.1-Fix-configure-Argon2-OpenSSL-detection-to-not-compil.patch
deleted file mode 100644
index a3556fa..0000000
--- a/cryptsetup-2.7.1-Fix-configure-Argon2-OpenSSL-detection-to-not-compil.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From b417154e71b571607513a768b3cb8e4587f00ba8 Mon Sep 17 00:00:00 2001
-From: Milan Broz
-Date: Fri, 9 Feb 2024 12:37:10 +0100
-Subject: [PATCH] Fix configure Argon2 OpenSSL detection to not compile
- internal Argon2.
-
-Code is not called anyway, but should be completely disabled.
-Note: there is intentionally no way to disable OpenSSL Argon2 if present.
----
- configure.ac | 4 ++--
- meson.build | 5 ++++-
- 2 files changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 84cef4ba..2e2f7d9e 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -346,7 +346,7 @@ AC_DEFUN([CONFIGURE_OPENSSL], [
- 
- saved_LIBS=$LIBS
- AC_CHECK_DECLS([OSSL_get_max_threads], [], [], [#include ])
-- AC_CHECK_DECLS([OSSL_KDF_PARAM_ARGON2_VERSION], [], [], [#include ])
-+ AC_CHECK_DECLS([OSSL_KDF_PARAM_ARGON2_VERSION], [use_internal_argon2=0], [], [#include ])
- LIBS=$saved_LIBS
- ])
- 
-@@ -523,7 +523,7 @@ AC_ARG_ENABLE([libargon2],
- 
- if test $use_internal_argon2 = 0 -o "x$enable_internal_argon2" = "xno" ; then
- if test "x$enable_internal_argon2" = "xyes" -o "x$enable_libargon" = "xyes"; then
-- AC_MSG_WARN([Argon2 in $with_crypto_backend lib is used; internal Argon2 options are ignored.])
-+ AC_MSG_NOTICE([Argon2 in $with_crypto_backend lib is used; internal Argon2 options are ignored.])
- fi
- enable_internal_argon2=no
- enable_internal_sse_argon2=no
-diff --git a/meson.build b/meson.build
-index b26c71c4..2aba2f28 100644
---- a/meson.build
-+++ b/meson.build
-@@ -512,6 +512,9 @@ elif get_option('crypto-backend') == 'openssl'
- conf.set10('HAVE_DECL_OSSL_KDF_PARAM_ARGON2_VERSION',
- cc.has_header_symbol('openssl/core_names.h', 'OSSL_KDF_PARAM_ARGON2_VERSION',
- dependencies: crypto_backend_library))
-+ if conf.get('HAVE_DECL_OSSL_KDF_PARAM_ARGON2_VERSION') == 1
-+ use_internal_argon2 = false
-+ endif
- elif get_option('crypto-backend') == 'nss'
- if get_option('fips')
- error('nss crypto backend is not supported with FIPS enabled')
-@@ -560,7 +563,7 @@ threads = []
- use_internal_sse_argon2 = false
- if not use_internal_argon2 or get_option('argon-implementation') == 'none'
- if get_option('argon-implementation') == 'internal' or get_option('argon-implementation') == 'libargon2'
-- warning('Argon2 in crypto library is used; internal Argon2 options are ignored.')
-+ message('Argon2 in crypto library is used; internal Argon2 options are ignored.')
- endif
- conf.set10('USE_INTERNAL_ARGON2', false,
- description: 'Use internal Argon2.')
---
-2.43.0
-
diff --git a/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch b/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch
new file mode 100644
index 0000000..9c303e4
--- /dev/null
+++ b/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch
@@ -0,0 +1,40 @@
+From 293abb5435e2b4bec7f8333fb11c88d5c1f45800 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina
+Date: Mon, 5 Dec 2022 13:35:24 +0100
+Subject: [PATCH 3/3] Add FIPS related error message in keyslot add code.
+
+Add hints on what went wrong when creating new LUKS
+keyslots. The hint is printed only in FIPS mode and
+when pbkdf2 failed with passphrase shorter than 8
+bytes.
+---
+ lib/luks1/keymanage.c | 5 ++++-
+ lib/luks2/luks2_keyslot_luks2.c | 2 ++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+Index: cryptsetup-2.7.2/lib/luks1/keymanage.c
+===================================================================
+--- cryptsetup-2.7.2.orig/lib/luks1/keymanage.c
++++ cryptsetup-2.7.2/lib/luks1/keymanage.c
+@@ -926,6 +926,8 @@ int LUKS_set_key(unsigned int keyIndex,
+ derived_key->key, hdr->keyBytes,
+ hdr->keyblock[keyIndex].passwordIterations, 0, 0);
+ if (r < 0) {
++ if (crypt_fips_mode() && passwordLen < 8)
++ log_err(ctx, _("Invalid passphrase for PBKDF2 in FIPS mode."));
+ if ((crypt_backend_flags() & CRYPT_BACKEND_PBKDF2_INT) &&
+ hdr->keyblock[keyIndex].passwordIterations > INT_MAX)
+ log_err(ctx, _("PBKDF2 iteration value overflow."));
+Index: cryptsetup-2.7.2/lib/luks2/luks2_keyslot_luks2.c
+===================================================================
+--- cryptsetup-2.7.2.orig/lib/luks2/luks2_keyslot_luks2.c
++++ cryptsetup-2.7.2/lib/luks2/luks2_keyslot_luks2.c
+@@ -269,6 +269,8 @@ static int luks2_keyslot_set_key(struct
+ pbkdf.iterations > INT_MAX)
+ log_err(cd, _("PBKDF2 iteration value overflow."));
+ crypt_free_volume_key(derived_key);
++ if (crypt_fips_mode() && passwordLen < 8 && !strcmp(pbkdf.type, "pbkdf2"))
++ log_err(cd, _("Invalid passphrase for PBKDF2 in FIPS mode."));
+ return r;
+ }
+
diff --git a/cryptsetup.spec b/cryptsetup.spec
index 7249785..d9192db 100644
--- a/cryptsetup.spec
+++ b/cryptsetup.spec
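Review bot: The LUKS1 hint at `+ if (crypt_fips_mode() && passwordLen < 8)` is printed on every failed PBKDF2 derivation in FIPS mode when the passphrase is short, including a failure that the very next check attributes to an iteration-count overflow, so one error can produce two different explanations; the LUKS2 hunk has the same shape, with the new check placed right after the overflow message. The limit 8 is asserted as a bare literal in both places, so a short comment naming where it comes from (the FIPS-mode PBKDF2 policy of the crypto backend, presumably) would let a maintainer re-verify it when the backend changes, e.g. `/* FIPS-mode PBKDF2 rejects passphrases shorter than 8 bytes; hint at the likely cause */`. The LUKS2 check additionally requires `!strcmp(pbkdf.type, "pbkdf2")` while the LUKS1 check does not, presumably because LUKS1 keyslots only ever use PBKDF2; saying so at the LUKS1 check makes the asymmetry visibly intentional. LUKS_set_key and luks2_keyslot_set_key both begin and end outside their hunks, and the `r < 0` condition the LUKS2 lines sit under is not visible here.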
@@ -1,7 +1,7 @@
 Summary: Utility for setting up encrypted disks
 Name: cryptsetup
-Version: 2.7.0
-Release: 2%{?dist}
+Version: 2.7.2
+Release: 1%{?dist}
 License: GPL-2.0-or-later WITH cryptsetup-OpenSSL-exception AND LGPL-2.1-or-later WITH cryptsetup-OpenSSL-exception
 URL: https://gitlab.com/cryptsetup/cryptsetup
 BuildRequires: autoconf, automake, libtool, gettext-devel,
@@ -18,7 +18,8 @@ Provides: %{name}-reencrypt = %{version}
 %global upstream_version %{version_no_tilde}
 
 Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-%{upstream_version}.tar.xz
-Patch0: %{name}-2.7.1-Fix-configure-Argon2-OpenSSL-detection-to-not-compil.patch
+# Following patch has to applied last
+Patch9999: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch
 
 %description
 The cryptsetup package contains a utility for setting up
@@ -119,6 +120,10 @@ rm -rf %{buildroot}%{_libdir}/%{name}/*.la
 %{_sbindir}/cryptsetup-ssh
 
 %changelog
+* Tue Apr 30 2024 Daniel Zatovic - 2.7.2-1
+- Update to cryptsetup 2.7.2
+- Resolves: RHEL-33395
+
 * Fri Feb 09 2024 Ondrej Kozina - 2.7.0-2
 - Rebuild for OpenSSL Argon2 implementation (OpenSSL 3.2)
 - patch: Do not compile unused internal argon2 implementation
diff --git a/sources b/sources
index 5f5107d..feb0483 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (cryptsetup-2.7.0.tar.xz) = 2654da50920eecbdb3457f8ee2aeed731175574eeb55c1f4b2ddf3c4b3632842b54db1af007057ffd19e6a9bfdc6d471cea77509aec127c07a2f2311e33ab21e
+SHA512 (cryptsetup-2.7.2.tar.xz) = 06f42f443b91d1f8af8af999dfedd4051ecb12ba5ef291cf2b44b6a5676e2c5cf1e686e19687f5cb6b1fd524dfc1a208cd25a3798367a480d80eac954aa8d6d4
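Review bot: The comment `+# Following patch has to applied last` above Patch9999 has a typo (`# Following patch has to be applied last`) and, once this hunk removes Patch0, there is no other Patch line left in the spec for it to follow, so the ordering constraint reads as a leftover; either drop the comment or state what the patch must follow and why, so the next rebase does not have to guess. Noting in the same comment that this is a downstream-only backport (its embedded Subject is 3/3 of a 2022 series) would also prompt a check at each rebase whether upstream now carries an equivalent.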
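Review bot: The changelog entry `+- Update to cryptsetup 2.7.2` does not record that the Argon2 configure-detection patch was dropped or that the FIPS keyslot-hint patch was added, although both happen in this commit and the previous entry lists its patch change explicitly. Lines such as `- Drop Argon2 OpenSSL detection patch (upstream in 2.7.2)` and `- Add FIPS PBKDF2 passphrase-length hint patch` would keep the changelog a usable record; that the dropped patch is included upstream is an inference from the rebase and should be confirmed before it is written down.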