From 464cf81f4159ca707d76a9abf451b1d48130b93e Mon Sep 17 00:00:00 2001
From: Daniel Zatovic <daniel.zatovic@gmail.com>
Date: Tue, 27 Jun 2023 10:21:09 +0200
Subject: [PATCH] Add upstream patches disallowing activation of invalid
 images.

---
 ...f-LUKS2-with-capi-format-cipher-and-.patch | 118 ++++++++++++++++++
 ...-to-fail-properly-for-unknown-cipher.patch |  31 +++++
 2 files changed, 149 insertions(+)
 create mode 100644 cryptsetup-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch
 create mode 100644 cryptsetup-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch

diff --git a/cryptsetup-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch b/cryptsetup-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch
new file mode 100644
index 0000000..02d1405
--- /dev/null
+++ b/cryptsetup-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch
@@ -0,0 +1,118 @@
+From b8711faf92868dc82b1a64e7673740444199b2ca Mon Sep 17 00:00:00 2001
+From: Milan Broz <gmazyland@gmail.com>
+Date: Sun, 25 Jun 2023 23:32:13 +0200
+Subject: [PATCH 2/2] Fix activation of LUKS2 with capi format cipher and
+ kernel crypt name.
+
+While activation of internal cipher algorithms (like aes-generic)
+is disallowed, some old LUKS2 images can still use it.
+
+Check the cipher in activate call, but allow to load LUKS2 metadata.
+This can allow to add repair code easily and also allow luksDump.
+
+Also fix segfault in reencrypt code for such a header.
+
+Fixes: #820
+---
+ lib/luks2/luks2_json_metadata.c   |   5 +++++
+ tests/Makefile.am                 |   4 +++-
+ tests/compat-test2                |  17 ++++++++++++++++-
+ tests/luks2_invalid_cipher.img.xz | Bin 0 -> 135372 bytes
+ tests/meson.build                 |   1 +
+ 5 files changed, 25 insertions(+), 2 deletions(-)
+ create mode 100644 tests/luks2_invalid_cipher.img.xz
+
+diff --git a/lib/luks2/luks2_json_metadata.c b/lib/luks2/luks2_json_metadata.c
+index 2fcc8aa6..b1d0c05d 100644
+--- a/lib/luks2/luks2_json_metadata.c
++++ b/lib/luks2/luks2_json_metadata.c
+@@ -2605,6 +2605,11 @@ int LUKS2_activate(struct crypt_device *cd,
+ 	if ((r = LUKS2_unmet_requirements(cd, hdr, 0, 0)))
+ 		return r;
+ 
++	/* Check that cipher is in compatible format */
++	if (!crypt_get_cipher(cd)) {
++		log_err(cd, _("No known cipher specification pattern detected in LUKS2 header."));
++		return -EINVAL;
++	}
+ 	r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd),
+ 			vk, crypt_get_cipher_spec(cd), crypt_get_iv_offset(cd),
+ 			crypt_get_data_offset(cd), crypt_get_integrity(cd) ?: "none",
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index c8a46a85..6feaef3b 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -68,6 +68,7 @@ EXTRA_DIST = compatimage.img.xz compatv10image.img.xz \
+ 	luks2_valid_hdr.img.xz \
+ 	luks2_header_requirements.tar.xz \
+ 	luks2_mda_images.tar.xz \
++	luks2_invalid_cipher.img.xz \
+ 	evil_hdr-payload_overwrite.xz \
+ 	evil_hdr-stripes_payload_dmg.xz \
+ 	evil_hdr-luks_hdr_damage.xz \
+@@ -110,7 +111,8 @@ EXTRA_DIST = compatimage.img.xz compatv10image.img.xz \
+ 
+ CLEANFILES = cryptsetup-tst* valglog* *-fail-*.log test-symbols-list.h fake_token_path.so fake_systemd_tpm_path.so
+ clean-local:
+-	-rm -rf tcrypt-images luks1-images luks2-images bitlk-images fvault2-images conversion_imgs luks2_valid_hdr.img blkid-luks2-pv-img blkid-luks2-pv-img.bcp external-tokens
++	-rm -rf tcrypt-images luks1-images luks2-images bitlk-images fvault2-images conversion_imgs \
++	luks2_valid_hdr.img blkid-luks2-pv-img blkid-luks2-pv-img.bcp external-tokens luks2_invalid_cipher.img
+ 
+ differ_SOURCES = differ.c
+ differ_CFLAGS = $(AM_CFLAGS) -Wall -O2
+diff --git a/tests/compat-test2 b/tests/compat-test2
+index c54dc7ea..8b6bb073 100755
+--- a/tests/compat-test2
++++ b/tests/compat-test2
+@@ -16,6 +16,7 @@ IMG10=luks-test-v10
+ HEADER_IMG=luks-header
+ HEADER_KEYU=luks2_keyslot_unassigned.img
+ HEADER_LUKS2_PV=blkid-luks2-pv.img
++HEADER_LUKS2_INV=luks2_invalid_cipher.img
+ KEY1=key1
+ KEY2=key2
+ KEY5=key5
+@@ -50,7 +51,9 @@ function remove_mapping()
+ 	[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
+ 	[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
+ 	losetup -d $LOOPDEV >/dev/null 2>&1
+-	rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE $HEADER_LUKS2_PV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* $KEY_FILE0 $KEY_FILE1 >/dev/null 2>&1
++	rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE \
++	$HEADER_LUKS2_PV $HEADER_LUKS2_INV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* \
++	$KEY_FILE0 $KEY_FILE1 >/dev/null 2>&1
+ 
+ 	# unlink whole test keyring
+ 	[ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null
+@@ -1200,5 +1203,17 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
+ 	$CRYPTSETUP open -q --test-passphrase --token-only --token-id 0 -q $IMG || fail
+ fi
+ 
++prepare "[44] LUKS2 invalid cipher (kernel cipher driver name)" wipe
++xz -dk $HEADER_LUKS2_INV.xz
++dd if=$HEADER_LUKS2_INV of=$IMG conv=notrunc >/dev/null 2>&1
++$CRYPTSETUP -q luksDump $LOOPDEV | grep -q "capi:xts(ecb(aes-generic))-plain64" || fail
++echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail
++echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME 2>&1 | grep -q "No known cipher specification pattern" || fail
++echo $PWD1 | $CRYPTSETUP reencrypt $LOOPDEV >/dev/null 2>&1 && fail
++dmsetup create $DEV_NAME --uuid CRYPT-LUKS2-3d20686f551748cb89911ad32379821b-test --table \
++  "0 8 crypt capi:xts(ecb(aes-generic))-plain64 edaa40709797973715e572bf7d86fcbb9cfe2051083c33c28d58fe4e1e7ff642 0 $LOOPDEV 32768"
++$CRYPTSETUP status $DEV_NAME | grep -q "n/a" || fail
++$CRYPTSETUP close $DEV_NAME ||fail
++
+ remove_mapping
+ exit 0
+diff --git a/tests/meson.build b/tests/meson.build
+index 00f629f5..7bb3f406 100644
+--- a/tests/meson.build
++++ b/tests/meson.build
+@@ -21,6 +21,7 @@ test_files_to_copy = [
+     'luks2_keyslot_unassigned.img.xz',
+     'luks2_mda_images.tar.xz',
+     'luks2_valid_hdr.img.xz',
++    'luks2_invalid_cipher.img.xz',
+     'tcrypt-images.tar.xz',
+     'valid_header_file.xz',
+     'xfs_512_block_size.img.xz',
+-- 
+2.40.1
+
diff --git a/cryptsetup-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch b/cryptsetup-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch
new file mode 100644
index 0000000..06dd9d7
--- /dev/null
+++ b/cryptsetup-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch
@@ -0,0 +1,31 @@
+From 1f01eea60e38ac92aa05e4b95372d54b7b9095df Mon Sep 17 00:00:00 2001
+From: Milan Broz <gmazyland@gmail.com>
+Date: Mon, 26 Jun 2023 13:25:59 +0200
+Subject: [PATCH 1/2] Fix reencryption to fail properly for unknown cipher.
+
+crypt_get_cipher and crypt_get_cipher mode can return NULL,
+check it in advance.
+---
+ src/utils_reencrypt.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/utils_reencrypt.c b/src/utils_reencrypt.c
+index a78557cb..8ffceb36 100644
+--- a/src/utils_reencrypt.c
++++ b/src/utils_reencrypt.c
+@@ -419,6 +419,12 @@ static bool luks2_reencrypt_eligible(struct crypt_device *cd)
+ 		return false;
+ 	}
+ 
++	/* Check that cipher is in compatible format */
++	if (!crypt_get_cipher(cd)) {
++		log_err(_("No known cipher specification pattern detected in LUKS2 header."));
++		return false;
++	}
++
+ 	return true;
+ }
+ 
+-- 
+2.40.1
+