import cryptsetup-2.3.7-2.el8
This commit is contained in:
CentOS Sources
Stepan Oksanichenko
parent
c4763617c9
commit
6507406ead
@ -0,0 +1,41 @@
|
||||
From f671febe64d8f40cdcb1677a08436a8907ccbb7e Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Wed, 23 Feb 2022 12:27:57 +0100
|
||||
Subject: [PATCH 2/3] Add more tests for --test-passphrase parameter.
|
||||
|
||||
---
|
||||
tests/compat-test-args | 4 ++++
|
||||
tests/luks2-reencryption-test | 18 ++++++++++++++++++
|
||||
2 files changed, 22 insertions(+)
|
||||
|
||||
diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
|
||||
index 6f156016..73818b5d 100755
|
||||
--- a/tests/luks2-reencryption-test
|
||||
+++ b/tests/luks2-reencryption-test
|
||||
@@ -1606,5 +1606,23 @@ if [ -n "$DM_SECTOR_SIZE" ]; then
|
||||
reencrypt_recover_online 4096 journal $HASH1
|
||||
fi
|
||||
|
||||
+echo "[27] Verify test passphrase mode works with reencryption metadata"
|
||||
+echo $PWD1 | $CRYPTSETUP -S5 -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV || fail
|
||||
+echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $DEV || fail
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt --init-only $DEV || fail
|
||||
+echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail
|
||||
+
|
||||
+echo $PWD1 | $CRYPTSETUP -q luksFormat -S5 --header $IMG_HDR --type luks2 $FAST_PBKDF_ARGON $DEV || fail
|
||||
+echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $IMG_HDR || fail
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --init-only --header $IMG_HDR $DEV || fail
|
||||
+echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail
|
||||
+
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --init-only --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
|
||||
+echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail
|
||||
+
|
||||
+wipe_dev $DEV
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 8M $FAST_PBKDF_ARGON $DEV || fail
|
||||
+echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail
|
||||
+
|
||||
remove_mapping
|
||||
exit 0
|
||||
--
|
||||
2.27.0
|
||||
|
||||
@ -0,0 +1,103 @@
|
||||
diff -rupN cryptsetup-2.3.7.old/man/cryptsetup.8 cryptsetup-2.3.7/man/cryptsetup.8
|
||||
--- cryptsetup-2.3.7.old/man/cryptsetup.8 2022-02-24 15:58:37.968167423 +0100
|
||||
+++ cryptsetup-2.3.7/man/cryptsetup.8 2022-02-24 17:06:25.326217548 +0100
|
||||
@@ -321,7 +321,7 @@ the command prompts for it interactively
|
||||
\-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase,
|
||||
\-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id,
|
||||
\-\-token\-only, \-\-disable\-keyring, \-\-disable\-locks, \-\-type, \-\-refresh,
|
||||
-\-\-serialize\-memory\-hard\-pbkdf].
|
||||
+\-\-serialize\-memory\-hard\-pbkdf, \-\-unbound].
|
||||
.PP
|
||||
\fIluksSuspend\fR <name>
|
||||
.IP
|
||||
@@ -1409,10 +1409,14 @@ aligned to page size and page-cache init
|
||||
integrity tag.
|
||||
.TP
|
||||
.B "\-\-unbound"
|
||||
-
|
||||
Creates new or dumps existing LUKS2 unbound keyslot. See \fIluksAddKey\fR or
|
||||
\fIluksDump\fR actions for more details.
|
||||
|
||||
+When used in \fIluksOpen\fR action (allowed only together with
|
||||
+\-\-test\-passphrase parameter), it allows to test passphrase for unbound LUKS2
|
||||
+keyslot. Otherwise, unbound keyslot passphrase can be tested only when specific
|
||||
+keyslot is selected via \-\-key\-slot parameter.
|
||||
+
|
||||
.TP
|
||||
.B "\-\-tcrypt\-hidden"
|
||||
.B "\-\-tcrypt\-system"
|
||||
diff -rupN cryptsetup-2.3.7.old/src/cryptsetup.c cryptsetup-2.3.7/src/cryptsetup.c
|
||||
--- cryptsetup-2.3.7.old/src/cryptsetup.c 2022-02-24 15:58:37.969167429 +0100
|
||||
+++ cryptsetup-2.3.7/src/cryptsetup.c 2022-02-24 17:10:30.947561638 +0100
|
||||
@@ -230,7 +230,7 @@ static void _set_activation_flags(uint32
|
||||
*flags |= CRYPT_ACTIVATE_IGNORE_PERSISTENT;
|
||||
|
||||
/* Only for LUKS2 but ignored elsewhere */
|
||||
- if (opt_test_passphrase)
|
||||
+ if (opt_test_passphrase && (opt_unbound || (opt_key_slot != CRYPT_ANY_SLOT)))
|
||||
*flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY;
|
||||
|
||||
if (opt_serialize_memory_hard_pbkdf)
|
||||
@@ -4021,6 +4021,17 @@ int main(int argc, const char **argv)
|
||||
_("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."),
|
||||
poptGetInvocationName(popt_context));
|
||||
|
||||
+ if (opt_unbound && !strcmp(aname, "open") && device_type &&
|
||||
+ strncmp(device_type, "luks", 4))
|
||||
+ usage(popt_context, EXIT_FAILURE,
|
||||
+ _("Option --unbound is allowed only for open of luks device."),
|
||||
+ poptGetInvocationName(popt_context));
|
||||
+
|
||||
+ if (opt_unbound && !opt_test_passphrase && !strcmp(aname, "open"))
|
||||
+ usage(popt_context, EXIT_FAILURE,
|
||||
+ _("Option --unbound cannot be used without --test-passphrase."),
|
||||
+ poptGetInvocationName(popt_context));
|
||||
+
|
||||
if (opt_tcrypt_hidden && opt_allow_discards)
|
||||
usage(popt_context, EXIT_FAILURE,
|
||||
_("Option --tcrypt-hidden cannot be combined with --allow-discards."),
|
||||
@@ -4103,9 +4114,9 @@ int main(int argc, const char **argv)
|
||||
_("Keyslot specification is required."),
|
||||
poptGetInvocationName(popt_context));
|
||||
|
||||
- if (opt_unbound && strcmp(aname, "luksAddKey") && strcmp(aname, "luksDump"))
|
||||
+ if (opt_unbound && strcmp(aname, "luksAddKey") && strcmp(aname, "luksDump") && strcmp(aname, "open"))
|
||||
usage(popt_context, EXIT_FAILURE,
|
||||
- _("Option --unbound may be used only with luksAddKey and luksDump actions."),
|
||||
+ _("Option --unbound may be used only with luksAddKey, luksDump and open actions."),
|
||||
poptGetInvocationName(popt_context));
|
||||
|
||||
if (opt_refresh && strcmp(aname, "open"))
|
||||
diff -rupN cryptsetup-2.3.7.old/tests/compat-test2 cryptsetup-2.3.7/tests/compat-test2
|
||||
--- cryptsetup-2.3.7.old/tests/compat-test2 2022-02-24 15:58:38.013167680 +0100
|
||||
+++ cryptsetup-2.3.7/tests/compat-test2 2022-02-24 17:23:23.035760517 +0100
|
||||
@@ -696,7 +696,7 @@ $CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOP
|
||||
# otoh it should be allowed to test for proper passphrase
|
||||
prepare "" new
|
||||
echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
|
||||
-echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
|
||||
+echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail
|
||||
echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
|
||||
[ -b /dev/mapper/$DEV_NAME ] && fail
|
||||
echo $PWD1 | $CRYPTSETUP open $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
|
||||
@@ -705,7 +705,7 @@ echo $PWD0 | $CRYPTSETUP open -S1 --test
|
||||
$CRYPTSETUP luksKillSlot -q $HEADER_KEYU 0
|
||||
$CRYPTSETUP luksDump $HEADER_KEYU | grep -q "0: luks2" && fail
|
||||
echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
|
||||
-echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
|
||||
+echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail
|
||||
echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
|
||||
|
||||
prepare "[28] Detached LUKS header" wipe
|
||||
@@ -952,11 +952,9 @@ echo $PWD3 | $CRYPTSETUP -q luksAddKey -
|
||||
# do not allow to replace keyslot by unbound slot
|
||||
echo $PWD1 | $CRYPTSETUP -q luksAddKey -S5 --unbound -s 32 $LOOPDEV 2>/dev/null && fail
|
||||
echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
|
||||
-echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
|
||||
echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV $DEV_NAME 2> /dev/null && fail
|
||||
echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV --test-passphrase || fail
|
||||
echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
|
||||
-echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
|
||||
# check we're able to change passphrase for unbound keyslot
|
||||
echo -e "$PWD2\n$PWD3" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail
|
||||
echo $PWD3 | $CRYPTSETUP open --test-passphrase $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail
|
||||
@ -5,7 +5,7 @@ Obsoletes: cryptsetup-python3
|
||||
Summary: A utility for setting up encrypted disks
|
||||
Name: cryptsetup
|
||||
Version: 2.3.7
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2+ and LGPLv2+
|
||||
Group: Applications/System
|
||||
URL: https://gitlab.com/cryptsetup/cryptsetup
|
||||
@ -26,6 +26,8 @@ Patch1: %{name}-disable-verity-compat-test.patch
|
||||
Patch2: %{name}-2.4.2-Do-not-try-to-set-compiler-optimization-flag-if-wipe.patch
|
||||
Patch3: %{name}-2.4.2-Fix-bogus-memory-allocation-if-LUKS2-header-size-is-.patch
|
||||
Patch4: %{name}-2.5.0-Fix-typo-in-repair-prompt.patch
|
||||
Patch5: %{name}-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch
|
||||
Patch6: %{name}-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch
|
||||
|
||||
%description
|
||||
The cryptsetup package contains a utility for setting up
|
||||
@ -85,6 +87,8 @@ can be used for offline reencryption of disk in situ.
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch0 -p1
|
||||
chmod -x misc/dracut_90reencrypt/*
|
||||
|
||||
@ -144,6 +148,11 @@ rm -rf %{buildroot}/%{_libdir}/*.la
|
||||
%clean
|
||||
|
||||
%changelog
|
||||
* Thu Feb 24 2022 Ondrej Kozina <okozina@redhat.com> - 2.3.7-2
|
||||
- patch: Fix cryptsetup --test-passphrase when device in
|
||||
reencryption
|
||||
- Resolves: #2058009
|
||||
|
||||
* Thu Jan 20 2022 Ondrej Kozina <okozina@redhat.com> - 2.3.7-1
|
||||
- update to cryptsetup 2.3.7
|
||||
- fixes CVE-2021-4122
|
||||
|
||||
Loading…
Reference in New Issue
Block a user