rpms/cryptsetup
5
0
Fork 0
Code Issues Pull Requests Releases Activity

import RHEL 10 Beta cryptsetup-2.7.3-2.el10

Browse Source
This commit is contained in:
eabdullin 2024-11-20 13:37:41 +00:00
parent 94add16c46
commit 86bcfff75f
26 changed files with 794 additions and 2394 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.cryptsetup.metadata
View File

@ -1,2 +0,0 @@
3ce643e82d52b0c0282c2754c4bfa8c15c1f567e SOURCES/cryptsetup-2.3.7.tar.xz
ec3ce9960bd536f7500e0d767a973672037c13e6 SOURCES/tests.tar.xz

3
.gitignore vendored
View File

@ -1,2 +1 @@
SOURCES/cryptsetup-2.3.7.tar.xz
SOURCES/tests.tar.xz
cryptsetup-2.7.3.tar.xz

53
SOURCES/cryptsetup-2.4.2-Do-not-try-to-set-compiler-optimization-flag-if-wipe.patch
View File

@ -1,53 +0,0 @@
From a76310b53fbb117e620f2c37350b68dd267f1088 Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Mon, 20 Sep 2021 17:42:20 +0200
Subject: [PATCH] Do not try to set compiler optimization flag if wipe is
implemented in libc.
If zeroing memory is implemented through libc call (like memset_bzero),
compiler should never remove such call. It is not needed to set O0
optimization flag explicitly.
Various checkers like annocheck causes problems with these flags,
just remove it where it makes no sense.
(Moreover, we use the same pattern without compiler magic
in crypt_backend_memzero() already.)
---
lib/crypto_backend/argon2/core.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/lib/crypto_backend/argon2/core.c b/lib/crypto_backend/argon2/core.c
index b204ba98..db9a7741 100644
--- a/lib/crypto_backend/argon2/core.c
+++ b/lib/crypto_backend/argon2/core.c
@@ -120,18 +120,24 @@ void free_memory(const argon2_context *context, uint8_t *memory,
}
}
-void NOT_OPTIMIZED secure_wipe_memory(void *v, size_t n) {
#if defined(_MSC_VER) && VC_GE_2005(_MSC_VER)
+void secure_wipe_memory(void *v, size_t n) {
SecureZeroMemory(v, n);
+}
#elif defined memset_s
+void secure_wipe_memory(void *v, size_t n) {
memset_s(v, n, 0, n);
+}
#elif defined(HAVE_EXPLICIT_BZERO)
+void secure_wipe_memory(void *v, size_t n) {
explicit_bzero(v, n);
+}
#else
+void NOT_OPTIMIZED secure_wipe_memory(void *v, size_t n) {
static void *(*const volatile memset_sec)(void *, int, size_t) = &memset;
memset_sec(v, 0, n);
-#endif
}
+#endif
/* Memory clear flag defaults to true. */
int FLAG_clear_internal_memory = 1;
--
2.27.0

295
SOURCES/cryptsetup-2.4.2-Fix-bogus-memory-allocation-if-LUKS2-header-size-is-.patch
View File

@ -1,295 +0,0 @@
From 9576549fee9228cabd9ceee27739a30caab5a7f6 Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Tue, 9 Nov 2021 11:54:27 +0100
Subject: [PATCH] Fix bogus memory allocation if LUKS2 header size is invalid.
LUKS2 code read the whole header to buffer to verify checksum,
so malloc is called on unvalidated input size parameter.
This can cause out of memory or unintentional device reads.
(Header validation will fail later anyway - the size is unsupported.)
Just do not allow too small and too big allocations here and fail quickly.
Fixes: #683.
---
lib/luks2/luks2_disk_metadata.c | 20 +++-
...ks2-metadata-size-invalid-secondary.img.sh | 96 +++++++++++++++++++
...enerate-luks2-metadata-size-invalid.img.sh | 94 ++++++++++++++++++
tests/luks2-validation-test | 2 +
4 files changed, 208 insertions(+), 4 deletions(-)
create mode 100755 tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh
create mode 100755 tests/generators/generate-luks2-metadata-size-invalid.img.sh
diff --git a/lib/luks2/luks2_disk_metadata.c b/lib/luks2/luks2_disk_metadata.c
index 502b0226..0500d5c7 100644
--- a/lib/luks2/luks2_disk_metadata.c
+++ b/lib/luks2/luks2_disk_metadata.c
@@ -195,6 +195,8 @@ static int hdr_disk_sanity_check_pre(struct crypt_device *cd,
size_t *hdr_json_size, int secondary,
uint64_t offset)
{
+ uint64_t hdr_size;
+
if (memcmp(hdr->magic, secondary ? LUKS2_MAGIC_2ND : LUKS2_MAGIC_1ST, LUKS2_MAGIC_L))
return -EINVAL;
@@ -209,19 +211,26 @@ static int hdr_disk_sanity_check_pre(struct crypt_device *cd,
return -EINVAL;
}
- if (secondary && (offset != be64_to_cpu(hdr->hdr_size))) {
+ hdr_size = be64_to_cpu(hdr->hdr_size);
+
+ if (hdr_size < LUKS2_HDR_16K_LEN || hdr_size > LUKS2_HDR_OFFSET_MAX) {
+ log_dbg(cd, "LUKS2 header has bogus size 0x%04x.", (unsigned)hdr_size);
+ return -EINVAL;
+ }
+
+ if (secondary && (offset != hdr_size)) {
log_dbg(cd, "LUKS2 offset 0x%04x in secondary header does not match size 0x%04x.",
- (unsigned)offset, (unsigned)be64_to_cpu(hdr->hdr_size));
+ (unsigned)offset, (unsigned)hdr_size);
return -EINVAL;
}
/* FIXME: sanity check checksum alg. */
log_dbg(cd, "LUKS2 header version %u of size %u bytes, checksum %s.",
- (unsigned)be16_to_cpu(hdr->version), (unsigned)be64_to_cpu(hdr->hdr_size),
+ (unsigned)be16_to_cpu(hdr->version), (unsigned)hdr_size,
hdr->checksum_alg);
- *hdr_json_size = be64_to_cpu(hdr->hdr_size) - LUKS2_HDR_BIN_LEN;
+ *hdr_json_size = hdr_size - LUKS2_HDR_BIN_LEN;
return 0;
}
@@ -252,6 +261,9 @@ static int hdr_read_disk(struct crypt_device *cd,
return -EIO;
}
+ /*
+ * hdr_json_size is validated if this call succeeds
+ */
r = hdr_disk_sanity_check_pre(cd, hdr_disk, &hdr_json_size, secondary, offset);
if (r < 0) {
return r;
diff --git a/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh
new file mode 100755
index 00000000..4dd484e9
--- /dev/null
+++ b/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh
@@ -0,0 +1,96 @@
+#!/bin/bash
+
+. lib.sh
+
+#
+# *** Description ***
+#
+# generate primary with predefined json_size. There's only limited
+# set of values allowed as json size in config section of LUKS2
+# metadata
+#
+# secondary header is corrupted on purpose as well
+#
+
+# $1 full target dir
+# $2 full source luks2 image
+
+function prepare()
+{
+ cp $SRC_IMG $TGT_IMG
+ test -d $TMPDIR || mkdir $TMPDIR
+ read_luks2_json0 $TGT_IMG $TMPDIR/json0
+ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
+ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
+}
+
+function generate()
+{
+ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_1M
+
+ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
+ TEST_MDA_SIZE_BOGUS_BYTES=$((TEST_MDA_SIZE*512*2*1024))
+ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
+ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
+ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
+ JSON_SIZE=$((TEST_JSN_SIZE*512))
+ DATA_OFFSET=16777216
+
+ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
+ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
+ .config.json_size = $jsize |
+ .segments."0".offset = $off' $TMPDIR/json0)
+ test -n "$json_str" || exit 2
+ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
+
+ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
+
+ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
+ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BOGUS_BYTES
+
+ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
+
+ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
+ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
+
+ erase_checksum $TMPDIR/area0
+ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
+ write_checksum $chks0 $TMPDIR/area0
+
+ erase_checksum $TMPDIR/area1
+ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
+ write_checksum $chks0 $TMPDIR/area1
+
+ kill_bin_hdr $TMPDIR/area0
+
+ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
+ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
+}
+
+function check()
+{
+ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE
+ local str_res0=$(head -c 6 $TMPDIR/hdr_res0)
+ test "$str_res0" = "VACUUM" || exit 2
+ read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE
+ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
+ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
+ (.config.json_size != $jsize)
+ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5
+}
+
+function cleanup()
+{
+ rm -f $TMPDIR/*
+ rm -fd $TMPDIR
+}
+
+test $# -eq 2 || exit 1
+
+TGT_IMG=$1/$(test_img_name $0)
+SRC_IMG=$2
+
+prepare
+generate
+check
+cleanup
diff --git a/tests/generators/generate-luks2-metadata-size-invalid.img.sh b/tests/generators/generate-luks2-metadata-size-invalid.img.sh
new file mode 100755
index 00000000..6b9c0cf7
--- /dev/null
+++ b/tests/generators/generate-luks2-metadata-size-invalid.img.sh
@@ -0,0 +1,94 @@
+#!/bin/bash
+
+. lib.sh
+
+#
+# *** Description ***
+#
+# generate primary with predefined json_size. There's only limited
+# set of values allowed as json size in config section of LUKS2
+# metadata
+#
+# secondary header is corrupted on purpose as well
+#
+
+# $1 full target dir
+# $2 full source luks2 image
+
+function prepare()
+{
+ cp $SRC_IMG $TGT_IMG
+ test -d $TMPDIR || mkdir $TMPDIR
+ read_luks2_json0 $TGT_IMG $TMPDIR/json0
+ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
+ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
+}
+
+function generate()
+{
+ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_1M
+
+ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
+ TEST_MDA_SIZE_BOGUS_BYTES=$((TEST_MDA_SIZE*512*2*1024))
+ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
+ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
+ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
+ JSON_SIZE=$((TEST_JSN_SIZE*512))
+ DATA_OFFSET=16777216
+
+ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
+ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
+ .config.json_size = $jsize |
+ .segments."0".offset = $off' $TMPDIR/json0)
+ test -n "$json_str" || exit 2
+ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
+
+ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
+
+ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BOGUS_BYTES
+ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BOGUS_BYTES
+
+ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
+ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
+
+ erase_checksum $TMPDIR/area0
+ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
+ write_checksum $chks0 $TMPDIR/area0
+
+ erase_checksum $TMPDIR/area1
+ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
+ write_checksum $chks0 $TMPDIR/area1
+
+ kill_bin_hdr $TMPDIR/area1
+
+ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
+ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
+}
+
+function check()
+{
+ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE
+ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
+ test "$str_res1" = "VACUUM" || exit 2
+ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE
+ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
+ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
+ (.config.json_size != $jsize)
+ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
+}
+
+function cleanup()
+{
+ rm -f $TMPDIR/*
+ rm -fd $TMPDIR
+}
+
+test $# -eq 2 || exit 1
+
+TGT_IMG=$1/$(test_img_name $0)
+SRC_IMG=$2
+
+prepare
+generate
+check
+cleanup
diff --git a/tests/luks2-validation-test b/tests/luks2-validation-test
index 04183fbc..f771e1f9 100755
--- a/tests/luks2-validation-test
+++ b/tests/luks2-validation-test
@@ -229,6 +229,8 @@ RUN luks2-metadata-size-512k-secondary.img "R" "Valid 512KiB metadata size in s
RUN luks2-metadata-size-1m-secondary.img "R" "Valid 1MiB metadata size in secondary hdr failed to validate"
RUN luks2-metadata-size-2m-secondary.img "R" "Valid 2MiB metadata size in secondary hdr failed to validate"
RUN luks2-metadata-size-4m-secondary.img "R" "Valid 4MiB metadata size in secondary hdr failed to validate"
+RUN luks2-metadata-size-invalid.img "F" "Invalid metadata size in secondary hdr not rejected"
+RUN luks2-metadata-size-invalid-secondary.img "F" "Invalid metadata size in secondary hdr not rejected"
remove_mapping
--
2.27.0

41
SOURCES/cryptsetup-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch
View File

@ -1,41 +0,0 @@
From f671febe64d8f40cdcb1677a08436a8907ccbb7e Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Wed, 23 Feb 2022 12:27:57 +0100
Subject: [PATCH 2/3] Add more tests for --test-passphrase parameter.
---
tests/compat-test-args | 4 ++++
tests/luks2-reencryption-test | 18 ++++++++++++++++++
2 files changed, 22 insertions(+)
diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
index 6f156016..73818b5d 100755
--- a/tests/luks2-reencryption-test
+++ b/tests/luks2-reencryption-test
@@ -1606,5 +1606,23 @@ if [ -n "$DM_SECTOR_SIZE" ]; then
reencrypt_recover_online 4096 journal $HASH1
fi
+echo "[27] Verify test passphrase mode works with reencryption metadata"
+echo $PWD1 | $CRYPTSETUP -S5 -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV || fail
+echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $DEV || fail
+echo $PWD1 | $CRYPTSETUP reencrypt --init-only $DEV || fail
+echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail
+
+echo $PWD1 | $CRYPTSETUP -q luksFormat -S5 --header $IMG_HDR --type luks2 $FAST_PBKDF_ARGON $DEV || fail
+echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $IMG_HDR || fail
+echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --init-only --header $IMG_HDR $DEV || fail
+echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail
+
+echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --init-only --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
+echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail
+
+wipe_dev $DEV
+echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 8M $FAST_PBKDF_ARGON $DEV || fail
+echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail
+
remove_mapping
exit 0
--
2.27.0

103
SOURCES/cryptsetup-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch
View File

@ -1,103 +0,0 @@
diff -rupN cryptsetup-2.3.7.old/man/cryptsetup.8 cryptsetup-2.3.7/man/cryptsetup.8
--- cryptsetup-2.3.7.old/man/cryptsetup.8 2022-02-24 15:58:37.968167423 +0100
+++ cryptsetup-2.3.7/man/cryptsetup.8 2022-02-24 17:06:25.326217548 +0100
@@ -321,7 +321,7 @@ the command prompts for it interactively
\-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase,
\-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id,
\-\-token\-only, \-\-disable\-keyring, \-\-disable\-locks, \-\-type, \-\-refresh,
-\-\-serialize\-memory\-hard\-pbkdf].
+\-\-serialize\-memory\-hard\-pbkdf, \-\-unbound].
.PP
\fIluksSuspend\fR <name>
.IP
@@ -1409,10 +1409,14 @@ aligned to page size and page-cache init
integrity tag.
.TP
.B "\-\-unbound"
-
Creates new or dumps existing LUKS2 unbound keyslot. See \fIluksAddKey\fR or
\fIluksDump\fR actions for more details.
+When used in \fIluksOpen\fR action (allowed only together with
+\-\-test\-passphrase parameter), it allows to test passphrase for unbound LUKS2
+keyslot. Otherwise, unbound keyslot passphrase can be tested only when specific
+keyslot is selected via \-\-key\-slot parameter.
+
.TP
.B "\-\-tcrypt\-hidden"
.B "\-\-tcrypt\-system"
diff -rupN cryptsetup-2.3.7.old/src/cryptsetup.c cryptsetup-2.3.7/src/cryptsetup.c
--- cryptsetup-2.3.7.old/src/cryptsetup.c 2022-02-24 15:58:37.969167429 +0100
+++ cryptsetup-2.3.7/src/cryptsetup.c 2022-02-24 17:10:30.947561638 +0100
@@ -230,7 +230,7 @@ static void _set_activation_flags(uint32
*flags |= CRYPT_ACTIVATE_IGNORE_PERSISTENT;
/* Only for LUKS2 but ignored elsewhere */
- if (opt_test_passphrase)
+ if (opt_test_passphrase && (opt_unbound || (opt_key_slot != CRYPT_ANY_SLOT)))
*flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY;
if (opt_serialize_memory_hard_pbkdf)
@@ -4021,6 +4021,17 @@ int main(int argc, const char **argv)
_("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."),
poptGetInvocationName(popt_context));
+ if (opt_unbound && !strcmp(aname, "open") && device_type &&
+ strncmp(device_type, "luks", 4))
+ usage(popt_context, EXIT_FAILURE,
+ _("Option --unbound is allowed only for open of luks device."),
+ poptGetInvocationName(popt_context));
+
+ if (opt_unbound && !opt_test_passphrase && !strcmp(aname, "open"))
+ usage(popt_context, EXIT_FAILURE,
+ _("Option --unbound cannot be used without --test-passphrase."),
+ poptGetInvocationName(popt_context));
+
if (opt_tcrypt_hidden && opt_allow_discards)
usage(popt_context, EXIT_FAILURE,
_("Option --tcrypt-hidden cannot be combined with --allow-discards."),
@@ -4103,9 +4114,9 @@ int main(int argc, const char **argv)
_("Keyslot specification is required."),
poptGetInvocationName(popt_context));
- if (opt_unbound && strcmp(aname, "luksAddKey") && strcmp(aname, "luksDump"))
+ if (opt_unbound && strcmp(aname, "luksAddKey") && strcmp(aname, "luksDump") && strcmp(aname, "open"))
usage(popt_context, EXIT_FAILURE,
- _("Option --unbound may be used only with luksAddKey and luksDump actions."),
+ _("Option --unbound may be used only with luksAddKey, luksDump and open actions."),
poptGetInvocationName(popt_context));
if (opt_refresh && strcmp(aname, "open"))
diff -rupN cryptsetup-2.3.7.old/tests/compat-test2 cryptsetup-2.3.7/tests/compat-test2
--- cryptsetup-2.3.7.old/tests/compat-test2 2022-02-24 15:58:38.013167680 +0100
+++ cryptsetup-2.3.7/tests/compat-test2 2022-02-24 17:23:23.035760517 +0100
@@ -696,7 +696,7 @@ $CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOP
# otoh it should be allowed to test for proper passphrase
prepare "" new
echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
-echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
+echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail
echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
[ -b /dev/mapper/$DEV_NAME ] && fail
echo $PWD1 | $CRYPTSETUP open $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
@@ -705,7 +705,7 @@ echo $PWD0 | $CRYPTSETUP open -S1 --test
$CRYPTSETUP luksKillSlot -q $HEADER_KEYU 0
$CRYPTSETUP luksDump $HEADER_KEYU | grep -q "0: luks2" && fail
echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
-echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
+echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail
echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
prepare "[28] Detached LUKS header" wipe
@@ -952,11 +952,9 @@ echo $PWD3 | $CRYPTSETUP -q luksAddKey -
# do not allow to replace keyslot by unbound slot
echo $PWD1 | $CRYPTSETUP -q luksAddKey -S5 --unbound -s 32 $LOOPDEV 2>/dev/null && fail
echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
-echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV $DEV_NAME 2> /dev/null && fail
echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV --test-passphrase || fail
echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
-echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
# check we're able to change passphrase for unbound keyslot
echo -e "$PWD2\n$PWD3" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail
echo $PWD3 | $CRYPTSETUP open --test-passphrase $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail

12
SOURCES/cryptsetup-2.5.0-Fix-typo-in-repair-prompt.patch
View File

@ -1,12 +0,0 @@
diff -rupN cryptsetup-2.3.7.old/src/cryptsetup.c cryptsetup-2.3.7/src/cryptsetup.c
--- cryptsetup-2.3.7.old/src/cryptsetup.c 2022-01-20 14:47:13.198475734 +0100
+++ cryptsetup-2.3.7/src/cryptsetup.c 2022-01-20 14:47:24.186505625 +0100
@@ -1137,7 +1137,7 @@ static int reencrypt_metadata_repair(str
_("Operation aborted.\n")))
return -EINVAL;
- r = tools_get_key(_("Enter passphrase to protect and uppgrade reencryption metadata: "),
+ r = tools_get_key(_("Enter passphrase to protect and upgrade reencryption metadata: "),
&password, &passwordLen, opt_keyfile_offset,
opt_keyfile_size, opt_key_file, opt_timeout,
_verify_passphrase(0), 0, cd);

206
SOURCES/cryptsetup-2.5.0-Remove-LUKS2-encryption-data-size-restriction.patch
View File

@ -1,206 +0,0 @@
From 6bc1378ddb5bbcc6ba592177c996576b0b3505f9 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Fri, 22 Oct 2021 13:06:48 +0200
Subject: [PATCH] Remove LUKS2 encryption data size restriction.
LUKS2 encryption with data shift required remaining
data size (size remaining after substracting --reduce-data-size value)
to be at least --reduce-data-size. This was wrong. Remaining
data size restriction should be correctly at least single sector
(whatever sector size is selected or auto-detected).
---
lib/luks2/luks2_reencrypt.c | 31 ++++++++++++-----------
tests/api-test-2.c | 6 ++---
tests/luks2-reencryption-test | 46 +++++++++++++++++++++++++++++------
3 files changed, 57 insertions(+), 26 deletions(-)
diff --git a/lib/luks2/luks2_reencrypt.c b/lib/luks2/luks2_reencrypt.c
index b45327ad..d0e0dc40 100644
--- a/lib/luks2/luks2_reencrypt.c
+++ b/lib/luks2/luks2_reencrypt.c
@@ -825,7 +825,7 @@ static int reencrypt_offset_backward_moved(struct luks2_hdr *hdr, json_object *j
linear_length += LUKS2_segment_size(hdr, sg, 0);
/* all active linear segments length */
- if (linear_length) {
+ if (linear_length && segs > 1) {
if (linear_length < data_shift)
return -EINVAL;
tmp = linear_length - data_shift;
@@ -1745,7 +1745,8 @@ static int reencrypt_set_encrypt_segments(struct crypt_device *cd, struct luks2_
int r;
uint64_t first_segment_offset, first_segment_length,
second_segment_offset, second_segment_length,
- data_offset = LUKS2_get_data_offset(hdr) << SECTOR_SHIFT;
+ data_offset = LUKS2_get_data_offset(hdr) << SECTOR_SHIFT,
+ data_size = dev_size - data_shift;
json_object *jobj_segment_first = NULL, *jobj_segment_second = NULL, *jobj_segments;
if (dev_size < data_shift)
@@ -1760,9 +1761,14 @@ static int reencrypt_set_encrypt_segments(struct crypt_device *cd, struct luks2_
* [future LUKS2 header (data shift size)][second data segment][gap (data shift size)][first data segment (data shift size)]
*/
first_segment_offset = dev_size;
- first_segment_length = data_shift;
- second_segment_offset = data_shift;
- second_segment_length = dev_size - 2 * data_shift;
+ if (data_size < data_shift) {
+ first_segment_length = data_size;
+ second_segment_length = second_segment_offset = 0;
+ } else {
+ first_segment_length = data_shift;
+ second_segment_offset = data_shift;
+ second_segment_length = data_size - data_shift;
+ }
} else if (data_shift) {
first_segment_offset = data_offset;
first_segment_length = dev_size;
@@ -2163,17 +2169,10 @@ static int reencrypt_move_data(struct crypt_device *cd, int devfd, uint64_t data
log_dbg(cd, "Going to move data from head of data device.");
- buffer_len = data_shift;
- if (!buffer_len)
- return -EINVAL;
-
offset = json_segment_get_offset(LUKS2_get_segment_jobj(hdr, 0), 0);
-
- /* this is nonsense anyway */
- if (buffer_len != json_segment_get_size(LUKS2_get_segment_jobj(hdr, 0), 0)) {
- log_dbg(cd, "buffer_len %" PRIu64", segment size %" PRIu64, buffer_len, json_segment_get_size(LUKS2_get_segment_jobj(hdr, 0), 0));
+ buffer_len = json_segment_get_size(LUKS2_get_segment_jobj(hdr, 0), 0);
+ if (!buffer_len || buffer_len > data_shift)
return -EINVAL;
- }
if (posix_memalign(&buffer, device_alignment(crypt_data_device(cd)), buffer_len))
return -ENOMEM;
@@ -2447,7 +2446,7 @@ static int reencrypt_init(struct crypt_device *cd,
* encryption initialization (or mount)
*/
if (move_first_segment) {
- if (dev_size < 2 * (params->data_shift << SECTOR_SHIFT)) {
+ if (dev_size < (params->data_shift << SECTOR_SHIFT)) {
log_err(cd, _("Device %s is too small."), device_path(crypt_data_device(cd)));
return -EINVAL;
}
@@ -3484,7 +3483,7 @@ int LUKS2_reencrypt_check_device_size(struct crypt_device *cd, struct luks2_hdr
check_size, check_size >> SECTOR_SHIFT, real_size, real_size >> SECTOR_SHIFT,
real_size - data_offset, (real_size - data_offset) >> SECTOR_SHIFT);
- if (real_size < data_offset || (check_size && (real_size - data_offset) < check_size)) {
+ if (real_size < data_offset || (check_size && real_size < check_size)) {
log_err(cd, _("Device %s is too small."), device_path(crypt_data_device(cd)));
return -EINVAL;
}
diff --git a/tests/api-test-2.c b/tests/api-test-2.c
index a01a7a72..05ee8f94 100644
--- a/tests/api-test-2.c
+++ b/tests/api-test-2.c
@@ -4238,7 +4238,7 @@ static void Luks2Reencryption(void)
_cleanup_dmdevices();
OK_(create_dmdevice_over_loop(H_DEVICE, r_header_size));
- OK_(create_dmdevice_over_loop(L_DEVICE_OK, 12*1024*2+1));
+ OK_(create_dmdevice_over_loop(L_DEVICE_OK, 8*1024*2+1));
/* encryption with datashift and moved segment (data shift + 1 sector) */
OK_(crypt_init(&cd, DMDIR H_DEVICE));
@@ -4258,11 +4258,11 @@ static void Luks2Reencryption(void)
_cleanup_dmdevices();
OK_(create_dmdevice_over_loop(H_DEVICE, r_header_size));
- OK_(create_dmdevice_over_loop(L_DEVICE_OK, 12*1024*2));
+ OK_(create_dmdevice_over_loop(L_DEVICE_OK, 2*8200));
OK_(crypt_init(&cd, DMDIR H_DEVICE));
- /* encryption with datashift and moved segment (data shift + data offset > device size) */
+ /* encryption with datashift and moved segment (data shift + data offset <= device size) */
memset(&rparams, 0, sizeof(rparams));
params2.sector_size = 512;
params2.data_device = DMDIR L_DEVICE_OK;
diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
index 8efb2707..bf711c15 100755
--- a/tests/luks2-reencryption-test
+++ b/tests/luks2-reencryption-test
@@ -152,14 +152,30 @@ function open_crypt() # $1 pwd, $2 hdr
fi
}
+function wipe_dev_head() # $1 dev, $2 length (in MiBs)
+{
+ dd if=/dev/zero of=$1 bs=1M count=$2 conv=notrunc >/dev/null 2>&1
+}
+
function wipe_dev() # $1 dev
{
if [ -b $1 ] ; then
blkdiscard --zeroout $1 2>/dev/null || dd if=/dev/zero of=$1 bs=1M conv=notrunc >/dev/null 2>&1
+ if [ $# -gt 2 ]; then
+ dd if=/dev/urandom of=$1 bs=1M seek=$2 conv=notrunc >/dev/null 2>&1
+ fi
else
local size=$(stat --printf="%s" $1)
truncate -s 0 $1
- truncate -s $size $1
+ if [ $# -gt 2 ]; then
+ local diff=$((size-$2*1024*1024))
+ echo "size: $size, diff: $diff"
+ truncate -s $diff $1
+ # wipe_dev_head $1 $((diff/(1024*1024)))
+ dd if=/dev/urandom of=$1 bs=1M seek=$2 size=$((diff/(1024*1024))) conv=notrunc >/dev/null 2>&1
+ else
+ truncate -s $size $1
+ fi
fi
}
@@ -214,15 +230,16 @@ function check_hash() # $1 pwd, $2 hash, $3 hdr
$CRYPTSETUP remove $DEV_NAME || fail
}
+function check_hash_dev_head() # $1 dev, $2 len, $3 hash
+{
+ local hash=$(dd if=$1 bs=512 count=$2 2>/dev/null | sha256sum | cut -d' ' -f1)
+ [ $hash != "$3" ] && fail "HASH differs (expected: $3) (result $hash)"
+}
+
function check_hash_head() # $1 pwd, $2 len, $3 hash, $4 hdr
{
open_crypt $1 $4
- if [ -n "$4" ]; then
- echo $1 | $CRYPTSETUP resize $DEV_NAME --size $2 --header $4 || fail
- else
- echo $1 | $CRYPTSETUP resize $DEV_NAME --size $2 || fail
- fi
- check_hash_dev /dev/mapper/$DEV_NAME $3
+ check_hash_dev_head /dev/mapper/$DEV_NAME $2 $3
$CRYPTSETUP remove $DEV_NAME || fail
}
@@ -865,6 +882,21 @@ $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
$CRYPTSETUP close $DEV_NAME
echo $PWD1 | $CRYPTSETUP open $DEV --test-passphrase || fail
+# Small device encryption test
+preparebig 65
+# wipe only 1st MiB (final data size after encryption)
+wipe_dev $DEV 1
+check_hash_dev_head $DEV 2048 $HASH2
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size 64M -q $FAST_PBKDF_ARGON || fail
+check_hash_head $PWD1 2048 $HASH2
+
+wipe_dev_head $DEV 1
+check_hash_dev_head $DEV 2048 $HASH2
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size 64M --init-only -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
+check_hash_dev_head /dev/mapper/$DEV_NAME 2048 $HASH2
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q || fail
+check_hash_dev_head /dev/mapper/$DEV_NAME 2048 $HASH2
+
echo "[3] Encryption with detached header"
preparebig 256
wipe_dev $DEV
--
2.38.1

28
SOURCES/cryptsetup-2.6.0-Code-cleanup.patch
View File

@ -1,28 +0,0 @@
From 23903951505cd4ad9f3469e037278494c14a7791 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Wed, 12 Oct 2022 12:05:00 +0200
Subject: [PATCH 3/5] Code cleanup.
Type cast is not needed here.
---
lib/libdevmapper.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
index 7fcf843f..6a239e14 100644
--- a/lib/libdevmapper.c
+++ b/lib/libdevmapper.c
@@ -1992,9 +1992,7 @@ static int _dm_target_query_crypt(struct crypt_device *cd, uint32_t get_flags,
/* cipher */
if (get_flags & DM_ACTIVE_CRYPT_CIPHER) {
- r = crypt_capi_to_cipher(CONST_CAST(char**)&cipher,
- CONST_CAST(char**)&integrity,
- rcipher, rintegrity);
+ r = crypt_capi_to_cipher(&cipher, &integrity, rcipher, rintegrity);
if (r < 0)
goto err;
}
--
2.38.1

34
SOURCES/cryptsetup-2.6.0-Copy-also-integrity-string-in-legacy-mode.patch
View File

@ -1,34 +0,0 @@
From 19c15a652f878458493f0ac335110e2779f3cbe3 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Wed, 12 Oct 2022 11:59:09 +0200
Subject: [PATCH 4/5] Copy also integrity string in legacy mode.
So that it handles integrity string same as it does
with cipher string.
---
lib/utils_crypt.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c
index 4f4dbba8..93f846d7 100644
--- a/lib/utils_crypt.c
+++ b/lib/utils_crypt.c
@@ -284,7 +284,14 @@ int crypt_capi_to_cipher(char **org_c, char **org_i, const char *c_dm, const cha
if (strncmp(c_dm, "capi:", 4)) {
if (!(*org_c = strdup(c_dm)))
return -ENOMEM;
- *org_i = NULL;
+ if (i_dm) {
+ if (!(*org_i = strdup(i_dm))) {
+ free(*org_c);
+ *org_c = NULL;
+ return -ENOMEM;
+ }
+ } else
+ *org_i = NULL;
return 0;
}
--
2.38.1

316
SOURCES/cryptsetup-2.6.0-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch
View File

@ -1,316 +0,0 @@
From 5b001b7962744b1bdaeb60b7c8cb9c682f907e03 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Tue, 28 Jun 2022 16:23:34 +0200
Subject: [PATCH] Delegate FIPS mode detection to configured crypto backend.
System FIPS mode check is no longer dependent on /etc/system-fips
file. The change should be compatible with older distributions since
we now depend on crypto backend internal routine.
This commit affects only FIPS enabled systems (with FIPS enabled
builds). In case this causes any regression in current distributions
feel free to drop the patch.
For reference see https://bugzilla.redhat.com/show_bug.cgi?id=2080516
---
lib/crypto_backend/crypto_backend.h | 3 ++
lib/crypto_backend/crypto_gcrypt.c | 17 +++++++++
lib/crypto_backend/crypto_kernel.c | 5 +++
lib/crypto_backend/crypto_nettle.c | 5 +++
lib/crypto_backend/crypto_nss.c | 5 +++
lib/crypto_backend/crypto_openssl.c | 26 ++++++++++++++
lib/internal.h | 1 -
lib/utils_fips.c | 55 -----------------------------
lib/utils_fips.h | 28 ---------------
po/POTFILES.in | 1 -
src/cryptsetup.h | 1 -
tests/compat-test | 2 +-
tests/compat-test2 | 2 +-
tests/keyring-compat-test | 2 +-
tests/luks2-reencryption-test | 2 +-
16 files changed, 65 insertions(+), 92 deletions(-)
delete mode 100644 lib/utils_fips.c
delete mode 100644 lib/utils_fips.h
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_backend.h
===================================================================
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_backend.h
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_backend.h
@@ -135,4 +135,7 @@ static inline void crypt_backend_memzero
#endif
}
+/* crypto backend running in FIPS mode */
+bool crypt_fips_mode(void);
+
#endif /* _CRYPTO_BACKEND_H */
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_gcrypt.c
===================================================================
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_gcrypt.c
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_gcrypt.c
@@ -550,3 +550,20 @@ out:
return -ENOTSUP;
#endif
}
+
+#if !ENABLE_FIPS
+bool crypt_fips_mode(void) { return false; }
+#else
+bool crypt_fips_mode(void)
+{
+ static bool fips_mode = false, fips_checked = false;
+
+ if (fips_checked)
+ return fips_mode;
+
+ fips_mode = gcry_fips_mode_active();
+ fips_checked = true;
+
+ return fips_mode;
+}
+#endif /* ENABLE FIPS */
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_kernel.c
===================================================================
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_kernel.c
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_kernel.c
@@ -416,3 +416,8 @@ int crypt_bitlk_decrypt_key(const void *
return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
iv, iv_length, tag, tag_length);
}
+
+bool crypt_fips_mode(void)
+{
+ return false;
+}
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_nettle.c
===================================================================
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_nettle.c
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_nettle.c
@@ -442,3 +442,8 @@ int crypt_bitlk_decrypt_key(const void *
return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
iv, iv_length, tag, tag_length);
}
+
+bool crypt_fips_mode(void)
+{
+ return false;
+}
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_nss.c
===================================================================
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_nss.c
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_nss.c
@@ -395,3 +395,8 @@ int crypt_bitlk_decrypt_key(const void *
return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
iv, iv_length, tag, tag_length);
}
+
+bool crypt_fips_mode(void)
+{
+ return false;
+}
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_openssl.c
===================================================================
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_openssl.c
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_openssl.c
@@ -574,3 +574,29 @@ out:
return -ENOTSUP;
#endif
}
+
+#if !ENABLE_FIPS
+bool crypt_fips_mode(void) { return false; }
+#else
+static bool openssl_fips_mode(void)
+{
+#if OPENSSL_VERSION_MAJOR >= 3
+ return EVP_default_properties_is_fips_enabled(NULL);
+#else
+ return FIPS_mode();
+#endif
+}
+
+bool crypt_fips_mode(void)
+{
+ static bool fips_mode = false, fips_checked = false;
+
+ if (fips_checked)
+ return fips_mode;
+
+ fips_mode = openssl_fips_mode();
+ fips_checked = true;
+
+ return fips_mode;
+}
+#endif /* ENABLE FIPS */
Index: cryptsetup-2.3.7/lib/internal.h
===================================================================
--- cryptsetup-2.3.7.orig/lib/internal.h
+++ cryptsetup-2.3.7/lib/internal.h
@@ -38,7 +38,6 @@
#include "utils_crypt.h"
#include "utils_loop.h"
#include "utils_dm.h"
-#include "utils_fips.h"
#include "utils_keyring.h"
#include "utils_io.h"
#include "crypto_backend.h"
Index: cryptsetup-2.3.7/po/POTFILES.in
===================================================================
--- cryptsetup-2.3.7.orig/po/POTFILES.in
+++ cryptsetup-2.3.7/po/POTFILES.in
@@ -6,7 +6,6 @@ lib/volumekey.c
lib/crypt_plain.c
lib/utils_crypt.c
lib/utils_loop.c
-lib/utils_fips.c
lib/utils_device.c
lib/utils_devpath.c
lib/utils_pbkdf.c
Index: cryptsetup-2.3.7/src/cryptsetup.h
===================================================================
--- cryptsetup-2.3.7.orig/src/cryptsetup.h
+++ cryptsetup-2.3.7/src/cryptsetup.h
@@ -43,7 +43,6 @@
#include "lib/nls.h"
#include "lib/utils_crypt.h"
#include "lib/utils_loop.h"
-#include "lib/utils_fips.h"
#include "lib/utils_io.h"
#include "lib/utils_blkid.h"
Index: cryptsetup-2.3.7/tests/compat-test
===================================================================
--- cryptsetup-2.3.7.orig/tests/compat-test
+++ cryptsetup-2.3.7/tests/compat-test
@@ -44,7 +44,7 @@ KEY_MATERIAL5_EXT="S331776-395264"
TEST_UUID="12345678-1234-1234-1234-123456789abc"
LOOPDEV=$(losetup -f 2>/dev/null)
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
function remove_mapping()
{
Index: cryptsetup-2.3.7/tests/compat-test2
===================================================================
--- cryptsetup-2.3.7.orig/tests/compat-test2
+++ cryptsetup-2.3.7/tests/compat-test2
@@ -42,7 +42,7 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-f
TEST_UUID="12345678-1234-1234-1234-123456789abc"
LOOPDEV=$(losetup -f 2>/dev/null)
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
function remove_mapping()
{
Index: cryptsetup-2.3.7/tests/keyring-compat-test
===================================================================
--- cryptsetup-2.3.7.orig/tests/keyring-compat-test
+++ cryptsetup-2.3.7/tests/keyring-compat-test
@@ -26,7 +26,7 @@ PWD="aaa"
[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
function remove_mapping()
{
Index: cryptsetup-2.3.7/tests/luks2-reencryption-test
===================================================================
--- cryptsetup-2.3.7.orig/tests/luks2-reencryption-test
+++ cryptsetup-2.3.7/tests/luks2-reencryption-test
@@ -24,7 +24,7 @@ PWD1="93R4P4pIqAH8"
PWD2="1cND4319812f"
PWD3="1-9Qu5Ejfnqv"
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
function dm_crypt_features()
{
Index: cryptsetup-2.3.7/lib/utils_fips.c
===================================================================
--- cryptsetup-2.3.7.orig/lib/utils_fips.c
+++ cryptsetup-2.3.7/lib/utils_fips.c
@@ -1,46 +1 @@
-/*
- * FIPS mode utilities
- *
- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include <unistd.h>
-#include <fcntl.h>
-#include <errno.h>
-#include "utils_fips.h"
-
-#if !ENABLE_FIPS
-int crypt_fips_mode(void) { return 0; }
-#else
-static int kernel_fips_mode(void)
-{
- int fd;
- char buf[1] = "";
-
- if ((fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY)) >= 0) {
- while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
- close(fd);
- }
-
- return (buf[0] == '1') ? 1 : 0;
-}
-
-int crypt_fips_mode(void)
-{
- return kernel_fips_mode() && !access("/etc/system-fips", F_OK);
-}
-#endif /* ENABLE_FIPS */
+/* keep an empty file to avoid running autogen.sh */
Index: cryptsetup-2.3.7/lib/utils_fips.h
===================================================================
--- cryptsetup-2.3.7.orig/lib/utils_fips.h
+++ cryptsetup-2.3.7/lib/utils_fips.h
@@ -1,26 +1 @@
-/*
- * FIPS mode utilities
- *
- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#ifndef _UTILS_FIPS_H
-#define _UTILS_FIPS_H
-
-int crypt_fips_mode(void);
-
-#endif /* _UTILS_FIPS_H */
+/* keep an empty file to avoid running autogen.sh */

53
SOURCES/cryptsetup-2.6.0-Fix-cipher-convert-routines-naming-confusion.patch
View File

@ -1,53 +0,0 @@
From 3616da631f83a004a13a575a54df8123f0d65c29 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Mon, 17 Oct 2022 15:18:42 +0200
Subject: [PATCH 1/5] Fix cipher convert routines naming confusion.
The function names were in fact swaped.
---
lib/libdevmapper.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
index 6c2eab78..0e45a789 100644
--- a/lib/libdevmapper.c
+++ b/lib/libdevmapper.c
@@ -481,7 +481,7 @@ static size_t int_log10(uint64_t x)
#define CAPIL 144 /* should be enough to fit whole capi string */
#define CAPIS "143" /* for sscanf of crypto API string + 16 + \0 */
-static int cipher_c2dm(const char *org_c, const char *org_i, unsigned tag_size,
+static int cipher_dm2c(const char *org_c, const char *org_i, unsigned tag_size,
char *c_dm, int c_dm_size,
char *i_dm, int i_dm_size)
{
@@ -543,7 +543,7 @@ static int cipher_c2dm(const char *org_c, const char *org_i, unsigned tag_size,
return 0;
}
-static int cipher_dm2c(char **org_c, char **org_i, const char *c_dm, const char *i_dm)
+static int cipher_c2dm(char **org_c, char **org_i, const char *c_dm, const char *i_dm)
{
char cipher[CLEN], mode[CLEN], iv[CLEN], auth[CLEN];
char tmp[CAPIL], dmcrypt_tmp[CAPIL*2], capi[CAPIL+1];
@@ -629,7 +629,7 @@ static char *get_dm_crypt_params(const struct dm_target *tgt, uint32_t flags)
if (!tgt)
return NULL;
- r = cipher_c2dm(tgt->u.crypt.cipher, tgt->u.crypt.integrity, tgt->u.crypt.tag_size,
+ r = cipher_dm2c(tgt->u.crypt.cipher, tgt->u.crypt.integrity, tgt->u.crypt.tag_size,
cipher_dm, sizeof(cipher_dm), integrity_dm, sizeof(integrity_dm));
if (r < 0)
return NULL;
@@ -2066,7 +2066,7 @@ static int _dm_target_query_crypt(struct crypt_device *cd, uint32_t get_flags,
/* cipher */
if (get_flags & DM_ACTIVE_CRYPT_CIPHER) {
- r = cipher_dm2c(CONST_CAST(char**)&cipher,
+ r = cipher_c2dm(CONST_CAST(char**)&cipher,
CONST_CAST(char**)&integrity,
rcipher, rintegrity);
if (r < 0)
--
2.38.1

130
SOURCES/cryptsetup-2.6.0-Fix-internal-crypt-segment-compare-routine.patch
View File

@ -1,130 +0,0 @@
From 3e4c69a01709d35322ffa17c5360608907a207d7 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Tue, 11 Oct 2022 11:48:13 +0200
Subject: [PATCH 5/5] Fix internal crypt segment compare routine.
The function is supposed to check if manipulated
active dm-crypt device matches the on-disk metadata.
Unfortunately it did not take into account differences
between normal cipher specification (aes-xts-plain64)
and capi format specification (capi:xts(aes)-plain64).
The internal query function always converted capi format
in normal format and therefor failed if capi format was
used in metadata.
Fixes: #759.
---
lib/setup.c | 36 ++++++++++++++++++++++++++----------
tests/api-test-2.c | 14 ++++++++++++--
2 files changed, 38 insertions(+), 12 deletions(-)
diff --git a/lib/setup.c b/lib/setup.c
index 6d7411b5..809049b9 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -2458,6 +2458,9 @@ static int _compare_crypt_devices(struct crypt_device *cd,
const struct dm_target *src,
const struct dm_target *tgt)
{
+ char *src_cipher = NULL, *src_integrity = NULL;
+ int r = -EINVAL;
+
/* for crypt devices keys are mandatory */
if (!src->u.crypt.vk || !tgt->u.crypt.vk)
return -EINVAL;
@@ -2465,21 +2468,30 @@ static int _compare_crypt_devices(struct crypt_device *cd,
/* CIPHER checks */
if (!src->u.crypt.cipher || !tgt->u.crypt.cipher)
return -EINVAL;
- if (strcmp(src->u.crypt.cipher, tgt->u.crypt.cipher)) {
- log_dbg(cd, "Cipher specs do not match.");
+
+ /*
+ * dm_query_target converts capi cipher specification to dm-crypt format.
+ * We need to do same for cipher specification requested in source
+ * device.
+ */
+ if (crypt_capi_to_cipher(&src_cipher, &src_integrity, src->u.crypt.cipher, src->u.crypt.integrity))
return -EINVAL;
+
+ if (strcmp(src_cipher, tgt->u.crypt.cipher)) {
+ log_dbg(cd, "Cipher specs do not match.");
+ goto out;
}
if (tgt->u.crypt.vk->keylength == 0 && crypt_is_cipher_null(tgt->u.crypt.cipher))
log_dbg(cd, "Existing device uses cipher null. Skipping key comparison.");
else if (_compare_volume_keys(src->u.crypt.vk, 0, tgt->u.crypt.vk, tgt->u.crypt.vk->key_description != NULL)) {
log_dbg(cd, "Keys in context and target device do not match.");
- return -EINVAL;
+ goto out;
}
- if (crypt_strcmp(src->u.crypt.integrity, tgt->u.crypt.integrity)) {
+ if (crypt_strcmp(src_integrity, tgt->u.crypt.integrity)) {
log_dbg(cd, "Integrity parameters do not match.");
- return -EINVAL;
+ goto out;
}
if (src->u.crypt.offset != tgt->u.crypt.offset ||
@@ -2487,15 +2499,19 @@ static int _compare_crypt_devices(struct crypt_device *cd,
src->u.crypt.iv_offset != tgt->u.crypt.iv_offset ||
src->u.crypt.tag_size != tgt->u.crypt.tag_size) {
log_dbg(cd, "Integer parameters do not match.");
- return -EINVAL;
+ goto out;
}
- if (device_is_identical(src->data_device, tgt->data_device) <= 0) {
+ if (device_is_identical(src->data_device, tgt->data_device) <= 0)
log_dbg(cd, "Data devices do not match.");
- return -EINVAL;
- }
+ else
+ r = 0;
- return 0;
+out:
+ free(src_cipher);
+ free(src_integrity);
+
+ return r;
}
static int _compare_integrity_devices(struct crypt_device *cd,
diff --git a/tests/api-test-2.c b/tests/api-test-2.c
index 0534677a..34002d1a 100644
--- a/tests/api-test-2.c
+++ b/tests/api-test-2.c
@@ -1585,8 +1585,8 @@ static void ResizeDeviceLuks2(void)
const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
size_t key_size = strlen(mk_hex) / 2;
- const char *cipher = "aes";
- const char *cipher_mode = "cbc-essiv:sha256";
+ const char *cipher = "aes", *capi_cipher = "capi:cbc(aes)";
+ const char *cipher_mode = "cbc-essiv:sha256", *capi_cipher_mode = "essiv:sha256";
uint64_t r_payload_offset, r_header_size, r_size;
/* Cannot use Argon2 in FIPS */
@@ -1728,6 +1728,16 @@ static void ResizeDeviceLuks2(void)
OK_(crypt_deactivate(cd, CDEVICE_1));
CRYPT_FREE(cd);
+ OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+ OK_(crypt_set_pbkdf_type(cd, &pbkdf));
+ OK_(crypt_format(cd, CRYPT_LUKS2, capi_cipher, capi_cipher_mode, NULL, key, key_size, NULL));
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
+ OK_(crypt_resize(cd, CDEVICE_1, 8));
+ if (!t_device_size(DMDIR CDEVICE_1, &r_size))
+ EQ_(8, r_size >> SECTOR_SHIFT);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+ CRYPT_FREE(cd);
+
_cleanup_dmdevices();
}
--
2.38.1

250
SOURCES/cryptsetup-2.6.0-Move-cipher_dm2c-to-crypto-utilities.patch
View File

@ -1,250 +0,0 @@
From 9a9ddc7d22e14e14c9a6e97860cffada406adac3 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Tue, 11 Oct 2022 10:50:17 +0200
Subject: [PATCH 2/5] Move cipher_dm2c to crypto utilities.
(Gets renamed to crypt_capi_to_cipher)
---
lib/libdevmapper.c | 84 +++-------------------------------------------
lib/utils_crypt.c | 72 +++++++++++++++++++++++++++++++++++++++
lib/utils_crypt.h | 11 ++++--
3 files changed, 85 insertions(+), 82 deletions(-)
diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
index 0e45a789..7fcf843f 100644
--- a/lib/libdevmapper.c
+++ b/lib/libdevmapper.c
@@ -476,27 +476,22 @@ static size_t int_log10(uint64_t x)
return r;
}
-#define CLEN 64 /* 2*MAX_CIPHER_LEN */
-#define CLENS "63" /* for sscanf length + '\0' */
-#define CAPIL 144 /* should be enough to fit whole capi string */
-#define CAPIS "143" /* for sscanf of crypto API string + 16 + \0 */
-
static int cipher_dm2c(const char *org_c, const char *org_i, unsigned tag_size,
char *c_dm, int c_dm_size,
char *i_dm, int i_dm_size)
{
int c_size = 0, i_size = 0, i;
- char cipher[CLEN], mode[CLEN], iv[CLEN+1], tmp[CLEN];
- char capi[CAPIL];
+ char cipher[MAX_CAPI_ONE_LEN], mode[MAX_CAPI_ONE_LEN], iv[MAX_CAPI_ONE_LEN+1],
+ tmp[MAX_CAPI_ONE_LEN], capi[MAX_CAPI_LEN];
if (!c_dm || !c_dm_size || !i_dm || !i_dm_size)
return -EINVAL;
- i = sscanf(org_c, "%" CLENS "[^-]-%" CLENS "s", cipher, tmp);
+ i = sscanf(org_c, "%" MAX_CAPI_ONE_LEN_STR "[^-]-%" MAX_CAPI_ONE_LEN_STR "s", cipher, tmp);
if (i != 2)
return -EINVAL;
- i = sscanf(tmp, "%" CLENS "[^-]-%" CLENS "s", mode, iv);
+ i = sscanf(tmp, "%" MAX_CAPI_ONE_LEN_STR "[^-]-%" MAX_CAPI_ONE_LEN_STR "s", mode, iv);
if (i == 1) {
memset(iv, 0, sizeof(iv));
strncpy(iv, mode, sizeof(iv)-1);
@@ -543,75 +538,6 @@ static int cipher_dm2c(const char *org_c, const char *org_i, unsigned tag_size,
return 0;
}
-static int cipher_c2dm(char **org_c, char **org_i, const char *c_dm, const char *i_dm)
-{
- char cipher[CLEN], mode[CLEN], iv[CLEN], auth[CLEN];
- char tmp[CAPIL], dmcrypt_tmp[CAPIL*2], capi[CAPIL+1];
- size_t len;
- int i;
-
- if (!c_dm)
- return -EINVAL;
-
- /* legacy mode */
- if (strncmp(c_dm, "capi:", 4)) {
- if (!(*org_c = strdup(c_dm)))
- return -ENOMEM;
- *org_i = NULL;
- return 0;
- }
-
- /* modes with capi: prefix */
- i = sscanf(c_dm, "capi:%" CAPIS "[^-]-%" CLENS "s", tmp, iv);
- if (i != 2)
- return -EINVAL;
-
- len = strlen(tmp);
- if (len < 2)
- return -EINVAL;
-
- if (tmp[len-1] == ')')
- tmp[len-1] = '\0';
-
- if (sscanf(tmp, "rfc4309(%" CAPIS "s", capi) == 1) {
- if (!(*org_i = strdup("aead")))
- return -ENOMEM;
- } else if (sscanf(tmp, "rfc7539(%" CAPIS "[^,],%" CLENS "s", capi, auth) == 2) {
- if (!(*org_i = strdup(auth)))
- return -ENOMEM;
- } else if (sscanf(tmp, "authenc(%" CLENS "[^,],%" CAPIS "s", auth, capi) == 2) {
- if (!(*org_i = strdup(auth)))
- return -ENOMEM;
- } else {
- if (i_dm) {
- if (!(*org_i = strdup(i_dm)))
- return -ENOMEM;
- } else
- *org_i = NULL;
- memset(capi, 0, sizeof(capi));
- strncpy(capi, tmp, sizeof(capi)-1);
- }
-
- i = sscanf(capi, "%" CLENS "[^(](%" CLENS "[^)])", mode, cipher);
- if (i == 2)
- i = snprintf(dmcrypt_tmp, sizeof(dmcrypt_tmp), "%s-%s-%s", cipher, mode, iv);
- else
- i = snprintf(dmcrypt_tmp, sizeof(dmcrypt_tmp), "%s-%s", capi, iv);
- if (i < 0 || (size_t)i >= sizeof(dmcrypt_tmp)) {
- free(*org_i);
- *org_i = NULL;
- return -EINVAL;
- }
-
- if (!(*org_c = strdup(dmcrypt_tmp))) {
- free(*org_i);
- *org_i = NULL;
- return -ENOMEM;
- }
-
- return 0;
-}
-
static char *_uf(char *buf, size_t buf_size, const char *s, unsigned u)
{
size_t r = snprintf(buf, buf_size, " %s:%u", s, u);
@@ -2066,7 +1992,7 @@ static int _dm_target_query_crypt(struct crypt_device *cd, uint32_t get_flags,
/* cipher */
if (get_flags & DM_ACTIVE_CRYPT_CIPHER) {
- r = cipher_c2dm(CONST_CAST(char**)&cipher,
+ r = crypt_capi_to_cipher(CONST_CAST(char**)&cipher,
CONST_CAST(char**)&integrity,
rcipher, rintegrity);
if (r < 0)
diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c
index 83d0a2c5..4f4dbba8 100644
--- a/lib/utils_crypt.c
+++ b/lib/utils_crypt.c
@@ -31,6 +31,8 @@
#include "libcryptsetup.h"
#include "utils_crypt.h"
+#define MAX_CAPI_LEN_STR "143" /* for sscanf of crypto API string + 16 + \0 */
+
int crypt_parse_name_and_mode(const char *s, char *cipher, int *key_nums,
char *cipher_mode)
{
@@ -266,3 +268,73 @@ bool crypt_is_cipher_null(const char *cipher_spec)
return false;
return (strstr(cipher_spec, "cipher_null") || !strcmp(cipher_spec, "null"));
}
+
+int crypt_capi_to_cipher(char **org_c, char **org_i, const char *c_dm, const char *i_dm)
+{
+ char cipher[MAX_CAPI_ONE_LEN], mode[MAX_CAPI_ONE_LEN], iv[MAX_CAPI_ONE_LEN],
+ auth[MAX_CAPI_ONE_LEN], tmp[MAX_CAPI_LEN], dmcrypt_tmp[MAX_CAPI_LEN*2],
+ capi[MAX_CAPI_LEN+1];
+ size_t len;
+ int i;
+
+ if (!c_dm)
+ return -EINVAL;
+
+ /* legacy mode */
+ if (strncmp(c_dm, "capi:", 4)) {
+ if (!(*org_c = strdup(c_dm)))
+ return -ENOMEM;
+ *org_i = NULL;
+ return 0;
+ }
+
+ /* modes with capi: prefix */
+ i = sscanf(c_dm, "capi:%" MAX_CAPI_LEN_STR "[^-]-%" MAX_CAPI_ONE_LEN_STR "s", tmp, iv);
+ if (i != 2)
+ return -EINVAL;
+
+ len = strlen(tmp);
+ if (len < 2)
+ return -EINVAL;
+
+ if (tmp[len-1] == ')')
+ tmp[len-1] = '\0';
+
+ if (sscanf(tmp, "rfc4309(%" MAX_CAPI_LEN_STR "s", capi) == 1) {
+ if (!(*org_i = strdup("aead")))
+ return -ENOMEM;
+ } else if (sscanf(tmp, "rfc7539(%" MAX_CAPI_LEN_STR "[^,],%" MAX_CAPI_ONE_LEN_STR "s", capi, auth) == 2) {
+ if (!(*org_i = strdup(auth)))
+ return -ENOMEM;
+ } else if (sscanf(tmp, "authenc(%" MAX_CAPI_ONE_LEN_STR "[^,],%" MAX_CAPI_LEN_STR "s", auth, capi) == 2) {
+ if (!(*org_i = strdup(auth)))
+ return -ENOMEM;
+ } else {
+ if (i_dm) {
+ if (!(*org_i = strdup(i_dm)))
+ return -ENOMEM;
+ } else
+ *org_i = NULL;
+ memset(capi, 0, sizeof(capi));
+ strncpy(capi, tmp, sizeof(capi)-1);
+ }
+
+ i = sscanf(capi, "%" MAX_CAPI_ONE_LEN_STR "[^(](%" MAX_CAPI_ONE_LEN_STR "[^)])", mode, cipher);
+ if (i == 2)
+ i = snprintf(dmcrypt_tmp, sizeof(dmcrypt_tmp), "%s-%s-%s", cipher, mode, iv);
+ else
+ i = snprintf(dmcrypt_tmp, sizeof(dmcrypt_tmp), "%s-%s", capi, iv);
+ if (i < 0 || (size_t)i >= sizeof(dmcrypt_tmp)) {
+ free(*org_i);
+ *org_i = NULL;
+ return -EINVAL;
+ }
+
+ if (!(*org_c = strdup(dmcrypt_tmp))) {
+ free(*org_i);
+ *org_i = NULL;
+ return -ENOMEM;
+ }
+
+ return 0;
+}
diff --git a/lib/utils_crypt.h b/lib/utils_crypt.h
index 5922350a..a4a9b6ca 100644
--- a/lib/utils_crypt.h
+++ b/lib/utils_crypt.h
@@ -27,9 +27,12 @@
#include <stdbool.h>
#include <unistd.h>
-#define MAX_CIPHER_LEN 32
-#define MAX_CIPHER_LEN_STR "31"
-#define MAX_KEYFILES 32
+#define MAX_CIPHER_LEN 32
+#define MAX_CIPHER_LEN_STR "31"
+#define MAX_KEYFILES 32
+#define MAX_CAPI_ONE_LEN 2 * MAX_CIPHER_LEN
+#define MAX_CAPI_ONE_LEN_STR "63" /* for sscanf length + '\0' */
+#define MAX_CAPI_LEN 144 /* should be enough to fit whole capi string */
int crypt_parse_name_and_mode(const char *s, char *cipher,
int *key_nums, char *cipher_mode);
@@ -46,4 +49,6 @@ void crypt_log_hex(struct crypt_device *cd,
bool crypt_is_cipher_null(const char *cipher_spec);
+int crypt_capi_to_cipher(char **org_c, char **org_i, const char *c_dm, const char *i_dm);
+
#endif /* _UTILS_CRYPT_H */
--
2.38.1

154
SOURCES/cryptsetup-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch
View File

@ -1,154 +0,0 @@
From c18dcfaa0b91eb48006232fbfadce9e6a9b4a790 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Fri, 2 Dec 2022 15:39:36 +0100
Subject: [PATCH 2/2] Abort encryption when header and data devices are same.
If data device reduction is not requsted this led
to data corruption since LUKS metadata was written
over the data device.
---
src/utils_reencrypt.c | 42 ++++++++++++++++++++++++++++++----
tests/luks2-reencryption-test | 16 +++++++++++++
tests/reencryption-compat-test | 20 +++++++++++++---
3 files changed, 70 insertions(+), 8 deletions(-)
diff --git a/src/utils_tools.c b/src/utils_tools.c
--- a/src/utils_tools.c
+++ b/src/utils_tools.c
@@ -624,3 +624,23 @@ int tools_reencrypt_progress(uint64_t si
return r;
}
+
+int reencrypt_is_header_detached(const char *header_device, const char *data_device)
+{
+ int r;
+ struct stat st;
+ struct crypt_device *cd;
+
+ if (!header_device)
+ return 0;
+
+ if (header_device && stat(header_device, &st) < 0 && errno == ENOENT)
+ return 1;
+
+ if ((r = crypt_init_data_device(&cd, header_device, data_device)))
+ return r;
+
+ r = crypt_get_metadata_device_name(cd) && crypt_get_device_name(cd) && strcmp(crypt_get_metadata_device_name(cd), crypt_get_device_name(cd));
+ crypt_free(cd);
+ return r;
+}
diff --git a/src/cryptsetup.h b/src/cryptsetup.h
--- a/src/cryptsetup.h
+++ b/src/cryptsetup.h
@@ -103,6 +103,7 @@ void tools_clear_line(void);
int tools_wipe_progress(uint64_t size, uint64_t offset, void *usrptr);
int tools_reencrypt_progress(uint64_t size, uint64_t offset, void *usrptr);
+int reencrypt_is_header_detached(const char *header_device, const char *data_device);
int tools_read_mk(const char *file, char **key, int keysize);
int tools_write_mk(const char *file, const char *key, int keysize);
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -2892,6 +2892,16 @@ static int action_encrypt_luks2(struct c
return -ENOTSUP;
}
+ if (!opt_data_shift) {
+ r = reencrypt_is_header_detached(opt_header_device, action_argv[0]);
+ if (r < 0)
+ return r;
+ if (!r) {
+ log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."));
+ return -ENOTSUP;
+ }
+ }
+
if (!opt_header_device && opt_offset && opt_data_shift && (opt_offset > (imaxabs(opt_data_shift) / (2 * SECTOR_SIZE)))) {
log_err(_("Requested data offset must be less than or equal to half of --reduce-device-size parameter."));
return -EINVAL;
diff --git a/src/cryptsetup_reencrypt.c b/src/cryptsetup_reencrypt.c
--- a/src/cryptsetup_reencrypt.c
+++ b/src/cryptsetup_reencrypt.c
@@ -1553,6 +1553,17 @@ static int run_reencrypt(const char *dev
goto out;
}
+ if (rc.reencrypt_mode == ENCRYPT) {
+ r = reencrypt_is_header_detached(opt_header_device, action_argv[0]);
+ if (r < 0)
+ goto out;
+ if (!r && !opt_reduce_size) {
+ log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."));
+ r = -ENOTSUP;
+ goto out;
+ }
+ }
+
log_dbg("Running reencryption.");
if (!rc.in_progress) {
diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
index bab54353..a647a8c2 100755
--- a/tests/luks2-reencryption-test
+++ b/tests/luks2-reencryption-test
@@ -1080,6 +1080,15 @@ $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
$CRYPTSETUP close $DEV_NAME
echo $PWD1 | $CRYPTSETUP open --header $IMG_HDR $DEV --test-passphrase || fail
+# Encrypt without size reduction must not allow header device same as data device
+wipe_dev_head $DEV 1
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --type luks2 --encrypt --header $DEV -q $FAST_PBKDF_ARGON 2>/dev/null && fail
+$CRYPTSETUP isLUKS $DEV 2>/dev/null && fail
+
+dd if=/dev/zero of=$IMG bs=4k count=1 >/dev/null 2>&1
+echo $PWD1 | $CRYPTSETUP reencrypt $IMG --type luks2 --encrypt --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail
+$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
+
echo "[4] Reencryption with detached header"
wipe $PWD1 $IMG_HDR
echo $PWD1 | $CRYPTSETUP reencrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test
index f6a84137..453831d1 100755
--- a/tests/reencryption-compat-test
+++ b/tests/reencryption-compat-test
@@ -11,5 +11,6 @@ IMG=reenc-data
IMG_HDR=$IMG.hdr
ORIG_IMG=reenc-data-orig
+DEV_LINK="reenc-test-link"
KEY1=key1
PWD1="93R4P4pIqAH8"
PWD2="1cND4319812f"
@@ -40,7 +41,7 @@ function remove_mapping()
[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
[ ! -z "$LOOPDEV1" ] && losetup -d $LOOPDEV1 >/dev/null 2>&1
- rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 >/dev/null 2>&1
+ rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $DEV_LINK >/dev/null 2>&1
umount $MNT_DIR > /dev/null 2>&1
rmdir $MNT_DIR > /dev/null 2>&1
LOOPDEV1=""
@@ -265,10 +265,16 @@ $REENC $LOOPDEV1 -d $KEY1 $FAST_PBKDF -q
# FIXME echo $PWD1 | $REENC ...
echo "[4] Encryption of not yet encrypted device"
+# Encrypt without size reduction must not allow header device same as data device
+wipe_dev $LOOPDEV1
+echo $PWD1 | $REENC $LOOPDEV1 --type luks1 --new --header $LOOPDEV1 -q $FAST_PBKDF_ARGON 2>/dev/null && fail
+$CRYPTSETUP isLUKS $LOOPDEV1 2>/dev/null && fail
+echo $PWD1 | $REENC $IMG --type luks1 --new --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail
+$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
+
# well, movin' zeroes :-)
OFFSET=2048
SIZE=$(blockdev --getsz $LOOPDEV1)
-wipe_dev $LOOPDEV1
dmsetup create $DEV_NAME2 --table "0 $(($SIZE - $OFFSET)) linear $LOOPDEV1 0" || fail
check_hash_dev /dev/mapper/$DEV_NAME2 $HASH3
dmsetup remove --retry $DEV_NAME2 || fail
--
2.38.1

79
SOURCES/cryptsetup-2.7.0-Also-disallow-active-devices-with-internal-kernel-na.patch
View File

@ -1,79 +0,0 @@
From dff9ee8c8cb68432e96261b87aabb7aaa51215e7 Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Tue, 2 May 2023 15:42:21 +0200
Subject: [PATCH] Also disallow active devices with internal kernel names.
The same problem fixed in commit 438cf1d1b3ef6d7405cfbcbe5f631d3d7467a605
is present in libdevmapper wrapper when parsing active device table.
The whole point of conversion was that non-authenticated modes
can be always represented in the old cipher-mode-iv format.
As the internal names contains dash, these are unsupported.
That said, the libdevmapper backend now correctly returns
full cipher specification including capi prefix for this case.
Init_by_name call now fails with incomplatible cipher definition error.
---
lib/setup.c | 2 +-
lib/utils_crypt.c | 9 +++++++++
tests/mode-test | 5 +++++
3 files changed, 15 insertions(+), 1 deletion(-)
Index: cryptsetup-2.3.7/lib/setup.c
===================================================================
--- cryptsetup-2.3.7.orig/lib/setup.c
+++ cryptsetup-2.3.7/lib/setup.c
@@ -1188,7 +1188,7 @@ static int _init_by_name_crypt(struct cr
r = crypt_parse_name_and_mode(tgt->type == DM_LINEAR ? "null" : tgt->u.crypt.cipher, cipher,
&key_nums, cipher_mode);
if (r < 0) {
- log_dbg(cd, "Cannot parse cipher and mode from active device.");
+ log_err(cd, _("No known cipher specification pattern detected for active device %s."), name);
goto out;
}
Index: cryptsetup-2.3.7/lib/utils_crypt.c
===================================================================
--- cryptsetup-2.3.7.orig/lib/utils_crypt.c
+++ cryptsetup-2.3.7/lib/utils_crypt.c
@@ -224,6 +224,15 @@ int crypt_capi_to_cipher(char **org_c, c
if (i != 2)
return -EINVAL;
+ /* non-cryptsetup compatible mode (generic driver with dash?) */
+ if (strrchr(iv, ')')) {
+ if (i_dm)
+ return -EINVAL;
+ if (!(*org_c = strdup(c_dm)))
+ return -ENOMEM;
+ return 0;
+ }
+
len = strlen(tmp);
if (len < 2)
return -EINVAL;
Index: cryptsetup-2.3.7/tests/mode-test
===================================================================
--- cryptsetup-2.3.7.orig/tests/mode-test
+++ cryptsetup-2.3.7/tests/mode-test
@@ -8,6 +8,8 @@ DEV_NAME=dmc_test
HEADER_IMG=mode-test.img
PASSWORD=3xrododenron
PASSWORD1=$PASSWORD
+KEY="7c0dc5dfd0c9191381d92e6ebb3b29e7f0dba53b0de132ae23f5726727173540"
+FAST_PBKDF2="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
# cipher-chainmode-ivopts:ivmode
CIPHERS="aes twofish serpent"
@@ -172,6 +174,10 @@ echo -n "CAPI format:"
echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail
$CRYPTSETUP close "$DEV_NAME"_tstdev || fail
echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail
+dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail
+$CRYPTSETUP status "$DEV_NAME"_tstdev >/dev/null 2>&1 && fail
+$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null && fail
+dmsetup remove "$DEV_NAME"_tstdev || fail
echo [OK]
cleanup

68
SOURCES/cryptsetup-2.7.0-Disallow-use-of-internal-kenrel-crypto-driver-names-.patch
View File

@ -1,68 +0,0 @@
From 438cf1d1b3ef6d7405cfbcbe5f631d3d7467a605 Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Mon, 24 Apr 2023 21:19:03 +0200
Subject: [PATCH] Disallow use of internal kenrel crypto driver names in "capi"
specification.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The common way to specify cipher mode in cryptsetup
is to use cipher-mode-iv notation (like aes-xts-plain64).
With introduction of authenticated ciphers we also allow "capi:<spec>"
notation that is directly used by dm-crypt (e.g. capi:xts(aes)-plain64).
CAPI specification was never intended to be used with internal
kernel crypto api names (with dash in algorithm name), actually the
whole parsing routine wrongly parses mode here now.
The code not checks if parsing wrongly separated the full cipher
string and effectively allowing only proper cipher names
(example of no longer supported string is capi:xts(ecb(aes-generic))-plain64).
Thanks to Jan Wichelmann, Luca Wilke and Thomas Eisenbarth from
University of Lübeck for noticing the problems with this code.
Fixes: #809
---
lib/utils_crypt.c | 8 +++++++-
tests/mode-test | 6 ++++++
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c
index 0b7dc378..c1bde000 100644
--- a/lib/utils_crypt.c
+++ b/lib/utils_crypt.c
@@ -43,7 +43,13 @@ int crypt_parse_name_and_mode(const char *s, char *cipher, int *key_nums,
cipher, cipher_mode) == 2) {
if (!strcmp(cipher_mode, "plain"))
strcpy(cipher_mode, "cbc-plain");
- if (key_nums) {
+ if (!strncmp(cipher, "capi:", 5)) {
+ /* CAPI must not use internal cipher driver names with dash */
+ if (strchr(cipher_mode, ')'))
+ return -EINVAL;
+ if (key_nums)
+ *key_nums = 1;
+ } else if (key_nums) {
char *tmp = strchr(cipher, ':');
*key_nums = tmp ? atoi(++tmp) : 1;
if (!*key_nums)
diff --git a/tests/mode-test b/tests/mode-test
index 82171fbd..fe61880a 100755
--- a/tests/mode-test
+++ b/tests/mode-test
@@ -184,4 +184,10 @@ done
dmcrypt xchacha12,aes-adiantum-plain64
dmcrypt xchacha20,aes-adiantum-plain64
+echo -n "CAPI format:"
+echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail
+$CRYPTSETUP close "$DEV_NAME"_tstdev || fail
+echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail
+echo [OK]
+
cleanup
--
2.40.1

103
SOURCES/cryptsetup-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch
View File

@ -1,103 +0,0 @@
From b8711faf92868dc82b1a64e7673740444199b2ca Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Sun, 25 Jun 2023 23:32:13 +0200
Subject: [PATCH 2/2] Fix activation of LUKS2 with capi format cipher and
kernel crypt name.
While activation of internal cipher algorithms (like aes-generic)
is disallowed, some old LUKS2 images can still use it.
Check the cipher in activate call, but allow to load LUKS2 metadata.
This can allow to add repair code easily and also allow luksDump.
Also fix segfault in reencrypt code for such a header.
Fixes: #820
---
lib/luks2/luks2_json_metadata.c | 5 +++++
tests/Makefile.am | 4 +++-
tests/compat-test2 | 17 ++++++++++++++++-
tests/luks2_invalid_cipher.img.xz | Bin 0 -> 135372 bytes
tests/meson.build | 1 +
5 files changed, 25 insertions(+), 2 deletions(-)
create mode 100644 tests/luks2_invalid_cipher.img.xz
Index: cryptsetup-2.3.7/lib/luks2/luks2_json_metadata.c
===================================================================
--- cryptsetup-2.3.7.orig/lib/luks2/luks2_json_metadata.c
+++ cryptsetup-2.3.7/lib/luks2/luks2_json_metadata.c
@@ -2324,6 +2324,11 @@ int LUKS2_activate(struct crypt_device *
if ((r = LUKS2_unmet_requirements(cd, hdr, 0, 0)))
return r;
+ /* Check that cipher is in compatible format */
+ if (!crypt_get_cipher(cd)) {
+ log_err(cd, _("No known cipher specification pattern detected in LUKS2 header."));
+ return -EINVAL;
+ }
r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd),
vk, crypt_get_cipher_spec(cd), crypt_get_iv_offset(cd),
crypt_get_data_offset(cd), crypt_get_integrity(cd) ?: "none",
Index: cryptsetup-2.3.7/tests/compat-test2
===================================================================
--- cryptsetup-2.3.7.orig/tests/compat-test2
+++ cryptsetup-2.3.7/tests/compat-test2
@@ -3,6 +3,7 @@
PS4='$LINENO:'
[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
+CRYPTSETUP_REENCRYPT=$CRYPTSETUP_PATH/cryptsetup-reencrypt
CRYPTSETUP_VALGRIND=../.libs/cryptsetup
CRYPTSETUP_LIB_VALGRIND=../.libs
@@ -16,6 +17,7 @@ IMG10=luks-test-v10
HEADER_IMG=luks-header
HEADER_KEYU=luks2_keyslot_unassigned.img
HEADER_LUKS2_PV=blkid-luks2-pv.img
+HEADER_LUKS2_INV=luks2_invalid_cipher.img
KEY1=key1
KEY2=key2
KEY5=key5
@@ -50,7 +52,9 @@ function remove_mapping()
[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
losetup -d $LOOPDEV >/dev/null 2>&1
- rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE $HEADER_LUKS2_PV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* $KEY_FILE0 $KEY_FILE1 >/dev/null 2>&1
+ rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE \
+ $HEADER_LUKS2_PV $HEADER_LUKS2_INV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* \
+ $KEY_FILE0 $KEY_FILE1 >/dev/null 2>&1
# unlink whole test keyring
[ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null
@@ -1049,5 +1053,19 @@ for cipher in $CIPHERS ; do
done
echo
+prepare "[44] LUKS2 invalid cipher (kernel cipher driver name)" wipe
+xz -dk $HEADER_LUKS2_INV.xz
+dd if=$HEADER_LUKS2_INV of=$IMG conv=notrunc >/dev/null 2>&1
+$CRYPTSETUP -q luksDump $LOOPDEV | grep -q "capi:xts(ecb(aes-generic))-plain64" || fail
+echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail
+echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME 2>&1 | grep -q "No known cipher specification pattern" || fail
+echo $PWD1 | $CRYPTSETUP reencrypt $LOOPDEV >/dev/null 2>&1 && fail
+echo $PWD1 | $CRYPTSETUP reencrypt $LOOPDEV 2>&1 | grep -q "No known cipher specification pattern" || fail
+echo $PWD1 | $CRYPTSETUP_REENCRYPT $LOOPDEV 2>&1 | grep -q "No known cipher specification pattern" || fail
+dmsetup create $DEV_NAME --uuid CRYPT-LUKS2-3d20686f551748cb89911ad32379821b-test --table \
+ "0 8 crypt capi:xts(ecb(aes-generic))-plain64 edaa40709797973715e572bf7d86fcbb9cfe2051083c33c28d58fe4e1e7ff642 0 $LOOPDEV 32768"
+$CRYPTSETUP status $DEV_NAME | grep -q "n/a" || fail
+$CRYPTSETUP close $DEV_NAME ||fail
+
remove_mapping
exit 0
Index: cryptsetup-2.3.7/src/cryptsetup.h
===================================================================
--- cryptsetup-2.3.7.orig/src/cryptsetup.h
+++ cryptsetup-2.3.7/src/cryptsetup.h
@@ -103,6 +103,7 @@ void tools_clear_line(void);
int tools_wipe_progress(uint64_t size, uint64_t offset, void *usrptr);
int tools_reencrypt_progress(uint64_t size, uint64_t offset, void *usrptr);
int reencrypt_is_header_detached(const char *header_device, const char *data_device);
+bool luks2_reencrypt_eligible(struct crypt_device *cd);
int tools_read_mk(const char *file, char **key, int keysize);
int tools_write_mk(const char *file, const char *key, int keysize);

52
SOURCES/cryptsetup-2.7.0-Fix-init_by_name-to-allow-unknown-cipher-format-in-d.patch
View File

@ -1,52 +0,0 @@
From 53aa5f6c4f7439db1b25846597fb5603870ba55e Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Mon, 5 Jun 2023 16:02:06 +0200
Subject: [PATCH] Fix init_by_name to allow unknown cipher format in dm-crypt
as null context.
Deactivation code should deactivate dm-crypt device even if it is unknown
for libcryptsetup. Previous fix for cipher specification was too strict.
Let's allow initialization as null context, that allow status and
deactivate to be usable again.
---
lib/setup.c | 6 ++++++
tests/mode-test | 5 ++---
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/lib/setup.c b/lib/setup.c
index fd17be8c..786aa900 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -1276,6 +1276,12 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name)
r = crypt_parse_name_and_mode(tgt->type == DM_LINEAR ? "null" : tgt->u.crypt.cipher, cipher,
&key_nums, cipher_mode);
if (r < 0) {
+ /* Allow crypt null context with unknown cipher string */
+ if (tgt->type == DM_CRYPT && !tgt->u.crypt.integrity) {
+ crypt_set_null_type(cd);
+ r = 0;
+ goto out;
+ }
log_err(cd, _("No known cipher specification pattern detected for active device %s."), name);
goto out;
}
diff --git a/tests/mode-test b/tests/mode-test
index 4775751e..7f7f20a1 100755
--- a/tests/mode-test
+++ b/tests/mode-test
@@ -190,9 +190,8 @@ echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256
$CRYPTSETUP close "$DEV_NAME"_tstdev || fail
echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail
dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail
-$CRYPTSETUP status "$DEV_NAME"_tstdev >/dev/null 2>&1 && fail
-$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null && fail
-dmsetup remove "$DEV_NAME"_tstdev || fail
+$CRYPTSETUP status "$DEV_NAME"_tstdev 2>/dev/null | grep "type:" | grep -q "n/a" || fail
+$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null || fail
echo [OK]
cleanup
--
2.40.1

81
SOURCES/cryptsetup-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch
View File

@ -1,81 +0,0 @@
From 1f01eea60e38ac92aa05e4b95372d54b7b9095df Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Mon, 26 Jun 2023 13:25:59 +0200
Subject: [PATCH 1/2] Fix reencryption to fail properly for unknown cipher.
crypt_get_cipher and crypt_get_cipher mode can return NULL,
check it in advance.
---
src/utils_reencrypt.c | 6 ++++++
1 file changed, 6 insertions(+)
Index: cryptsetup-2.3.7/src/cryptsetup.c
===================================================================
--- cryptsetup-2.3.7.orig/src/cryptsetup.c
+++ cryptsetup-2.3.7/src/cryptsetup.c
@@ -2999,6 +2999,12 @@ static int action_encrypt_luks2(struct c
if (r < 0)
goto err;
+ if (!crypt_get_cipher(*cd)) {
+ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
+ r = -EINVAL;
+ goto err;
+ }
+
if (opt_data_shift) {
params.data_shift = imaxabs(opt_data_shift) / SECTOR_SIZE,
params.resilience = "datashift";
@@ -3068,6 +3074,11 @@ static int action_decrypt_luks2(struct c
};
size_t passwordLen;
+ if (!crypt_get_cipher(cd)) {
+ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
+ return -EINVAL;
+ }
+
if (!crypt_get_metadata_device_name(cd) || !crypt_get_device_name(cd) ||
!strcmp(crypt_get_metadata_device_name(cd), crypt_get_device_name(cd))) {
log_err(_("LUKS2 decryption is supported with detached header device only."));
@@ -3289,6 +3300,11 @@ static int action_reencrypt_luks2(struct
.luks2 = &luks2_params,
};
+ if (!crypt_get_cipher(cd)) {
+ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
+ return -EINVAL;
+ }
+
_set_reencryption_flags(&params.flags);
if (!opt_cipher && crypt_is_cipher_null(crypt_get_cipher(cd))) {
Index: cryptsetup-2.3.7/src/cryptsetup_reencrypt.c
===================================================================
--- cryptsetup-2.3.7.orig/src/cryptsetup_reencrypt.c
+++ cryptsetup-2.3.7/src/cryptsetup_reencrypt.c
@@ -185,6 +185,11 @@ static int set_reencrypt_requirement(con
crypt_persistent_flags_get(cd, CRYPT_FLAGS_REQUIREMENTS, &reqs))
goto out;
+ if (!crypt_get_cipher(cd)) {
+ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
+ goto out;
+ }
+
/* reencrypt already in-progress */
if (reqs & CRYPT_REQUIREMENT_OFFLINE_REENCRYPT) {
log_err(_("Reencryption already in-progress."));
@@ -709,6 +714,12 @@ static int backup_luks_headers(struct re
(r = crypt_load(cd, CRYPT_LUKS, NULL)))
goto out;
+ if (!crypt_get_cipher(cd)) {
+ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
+ r = -EINVAL;
+ goto out;
+ }
+
if ((r = crypt_header_backup(cd, CRYPT_LUKS, rc->header_file_org)))
goto out;
if (isLUKS2(rc->type)) {

22
SOURCES/cryptsetup-add-system-library-paths.patch
View File

@ -1,22 +0,0 @@
diff -rupN cryptsetup-2.0.4.old/configure cryptsetup-2.0.4/configure
--- cryptsetup-2.0.4.old/configure 2018-08-03 12:31:52.000000000 +0200
+++ cryptsetup-2.0.4/configure 2018-08-03 13:42:50.605275535 +0200
@@ -12300,6 +12300,9 @@ fi
# before this can be enabled.
hardcode_into_libs=yes
+ # Add ABI-specific directories to the system library path.
+ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
+
# Ideally, we could use ldconfig to report *all* directores which are
# searched for libraries, however this is still not possible. Aside from not
# being certain /sbin/ldconfig is available, command
@@ -12308,7 +12311,7 @@ fi
# appending ld.so.conf contents (and includes) to the search path.
if test -f /etc/ld.so.conf; then
lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+ sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
fi
# We used to test for /lib/ld.so.1 and disable shared libraries on

13
SOURCES/cryptsetup-disable-verity-compat-test.patch
View File

@ -1,13 +0,0 @@
diff --git a/tests/Makefile.localtest b/tests/Makefile.localtest
index 29a62f3..da2183e 100644
--- a/tests/Makefile.localtest
+++ b/tests/Makefile.localtest
@@ -5,7 +5,7 @@
CPPFLAGS=-I../lib/ -I../lib/luks1 -DHAVE_DECL_DM_TASK_RETRY_REMOVE -DKERNEL_KEYRING -DHAVE_SYS_SYSMACROS_H -DNO_CRYPTSETUP_PATH
CFLAGS=-O2 -g -Wall
LDLIBS=-lcryptsetup -ldevmapper
-TESTS=$(wildcard *-test *-test2) api-test api-test-2
+TESTS=$(filter-out verity-compat-test, $(wildcard *-test *-test2)) api-test api-test-2
differ: differ.o
$(CC) -o $@ $^

297
SPECS/cryptsetup.spec
View File

@ -1,297 +0,0 @@
Obsoletes: python2-cryptsetup
Obsoletes: cryptsetup-python
Obsoletes: cryptsetup-python3
Summary: A utility for setting up encrypted disks
Name: cryptsetup
Version: 2.3.7
Release: 7%{?dist}
License: GPLv2+ and LGPLv2+
Group: Applications/System
URL: https://gitlab.com/cryptsetup/cryptsetup
BuildRequires: openssl-devel, popt-devel, device-mapper-devel
BuildRequires: libuuid-devel, gcc, libblkid-devel
BuildRequires: libpwquality-devel, json-c-devel
Provides: cryptsetup-luks = %{version}-%{release}
Obsoletes: cryptsetup-luks < 1.4.0
Requires: cryptsetup-libs = %{version}-%{release}
Requires: libpwquality >= 1.2.0
%global upstream_version %{version}
Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{upstream_version}.tar.xz
# binary archive with updated tests/conversion_imgs.tar.xz and tests/luks2_header_requirements.tar.xz
# for testing (can not be patched via rpmbuild)
Source1: tests.tar.xz
# Following patch has to applied last
Patch0: %{name}-add-system-library-paths.patch
# Remove the patch when (if ever) osci infrastructure gets stable enough
Patch1: %{name}-disable-verity-compat-test.patch
Patch2: %{name}-2.4.2-Do-not-try-to-set-compiler-optimization-flag-if-wipe.patch
Patch3: %{name}-2.4.2-Fix-bogus-memory-allocation-if-LUKS2-header-size-is-.patch
Patch4: %{name}-2.5.0-Fix-typo-in-repair-prompt.patch
Patch5: %{name}-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch
Patch6: %{name}-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch
Patch7: %{name}-2.5.0-Remove-LUKS2-encryption-data-size-restriction.patch
Patch8: %{name}-2.6.0-Fix-cipher-convert-routines-naming-confusion.patch
Patch9: %{name}-2.6.0-Move-cipher_dm2c-to-crypto-utilities.patch
Patch10: %{name}-2.6.0-Code-cleanup.patch
Patch11: %{name}-2.6.0-Copy-also-integrity-string-in-legacy-mode.patch
Patch12: %{name}-2.6.0-Fix-internal-crypt-segment-compare-routine.patch
Patch13: %{name}-2.6.0-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch
Patch14: %{name}-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch
Patch15: %{name}-2.7.0-Disallow-use-of-internal-kenrel-crypto-driver-names-.patch
Patch16: %{name}-2.7.0-Also-disallow-active-devices-with-internal-kernel-na.patch
Patch17: %{name}-2.7.0-Fix-init_by_name-to-allow-unknown-cipher-format-in-d.patch
Patch18: %{name}-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch
Patch19: %{name}-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch
%description
The cryptsetup package contains a utility for setting up
disk encryption using dm-crypt kernel module.
%package devel
Group: Development/Libraries
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: pkgconfig
Summary: Headers and libraries for using encrypted file systems
Provides: cryptsetup-luks-devel = %{version}-%{release}
Obsoletes: cryptsetup-luks-devel < 1.4.0
%description devel
The cryptsetup-devel package contains libraries and header files
used for writing code that makes use of disk encryption.
%package libs
Group: System Environment/Libraries
Summary: Cryptsetup shared library
Provides: cryptsetup-luks-libs = %{version}-%{release}
Obsoletes: cryptsetup-luks-libs < 1.4.0
%description libs
This package contains the cryptsetup shared library, libcryptsetup.
%package -n veritysetup
Group: Applications/System
Summary: A utility for setting up dm-verity volumes
Requires: cryptsetup-libs = %{version}-%{release}
%description -n veritysetup
The veritysetup package contains a utility for setting up
disk verification using dm-verity kernel module.
%package -n integritysetup
Group: Applications/System
Summary: A utility for setting up dm-integrity volumes
Requires: cryptsetup-libs = %{version}-%{release}
%description -n integritysetup
The integritysetup package contains a utility for setting up
disk integrity protection using dm-integrity kernel module.
%package reencrypt
Group: Applications/System
Summary: A utility for offline reencryption of LUKS encrypted disks.
Requires: cryptsetup-libs = %{version}-%{release}
%description reencrypt
This package contains cryptsetup-reencrypt utility which
can be used for offline reencryption of disk in situ.
%prep
%setup -q -n cryptsetup-%{upstream_version} -a 1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch0 -p1
chmod -x misc/dracut_90reencrypt/*
%build
%configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --with-crypto_backend=openssl --with-default-luks-format=LUKS2
make %{?_smp_mflags}
%install
make install DESTDIR=%{buildroot}
rm -rf %{buildroot}/%{_libdir}/*.la
%find_lang cryptsetup
%post -n cryptsetup-libs -p /sbin/ldconfig
%postun -n cryptsetup-libs -p /sbin/ldconfig
%files
%{!?_licensedir:%global license %%doc}
%license COPYING
%doc AUTHORS FAQ docs/*ReleaseNotes
%{_mandir}/man8/cryptsetup.8.gz
%{_sbindir}/cryptsetup
%files -n veritysetup
%{!?_licensedir:%global license %%doc}
%license COPYING
%{_mandir}/man8/veritysetup.8.gz
%{_sbindir}/veritysetup
%files -n integritysetup
%{!?_licensedir:%global license %%doc}
%license COPYING
%{_mandir}/man8/integritysetup.8.gz
%{_sbindir}/integritysetup
%files reencrypt
%{!?_licensedir:%global license %%doc}
%license COPYING
%doc misc/dracut_90reencrypt
%{_mandir}/man8/cryptsetup-reencrypt.8.gz
%{_sbindir}/cryptsetup-reencrypt
%files devel
%doc docs/examples/*
%{_includedir}/libcryptsetup.h
%{_libdir}/libcryptsetup.so
%{_libdir}/pkgconfig/libcryptsetup.pc
%files libs -f cryptsetup.lang
%{!?_licensedir:%global license %%doc}
%license COPYING COPYING.LGPL
%{_libdir}/libcryptsetup.so.*
%{_tmpfilesdir}/cryptsetup.conf
%ghost %attr(700, -, -) %dir /run/cryptsetup
%clean
%changelog
* Tue Jul 11 2023 Ondrej Kozina <okozina@redhat.com> - 2.3.7-7
- Rebuild due to missing CI environment
- Resolves: #2212772 #2193342
* Thu Jun 28 2023 Daniel Zatovic <dzatovic@redhat.com> - 2.3.7-6
- patch: Delegate FIPS mode detection to configured crypto backend
- patch: Disallow use of internal kenrel crypto driver names in "capi"
- patch: Also disallow active devices with internal kernel names
- patch: Fix init_by_name to allow unknown cipher format in dm-crypt
- patch: Fix reencryption to fail properly for unknown cipher
- patch: Fix activation of LUKS2 with capi format cipher and kernel
- Resolves: #2212772 #2193342
* Tue Jan 10 2023 Daniel Zatovic <dzatovic@redhat.com> - 2.3.7-5
- change cryptsetup-devel dependency from cryptsetup to cryptsetup-libs
- Resolves: #2150254
* Wed Dec 21 2022 Daniel Zatovic <dzatovic@redhat.com> - 2.3.7-4
- patch: Remove LUKS2 encryption data size restriction.
- patch: Abort encryption when header and data devices are same.
- Resolves: #2150254
* Fri Nov 4 2022 Daniel Zatovic <dzatovic@redhat.com> - 2.3.7-3
- patch: Fix internal crypt segment compare routine
- Resolves: #2110810
* Thu Feb 24 2022 Ondrej Kozina <okozina@redhat.com> - 2.3.7-2
- patch: Fix cryptsetup --test-passphrase when device in
reencryption
- Resolves: #2058009
* Thu Jan 20 2022 Ondrej Kozina <okozina@redhat.com> - 2.3.7-1
- update to cryptsetup 2.3.7
- fixes CVE-2021-4122
- patch: Fix suboptimal optimization in bundled argon2.
- patch: Fix bogus memory allocation/device read with
invalid LUKS2 headers
- patch: Fix typo in luksRepair prompt.
- Resolves: #2021815 #2022301 #2031859
* Wed Feb 17 2021 Ondrej Kozina <okozina@redhat.com> - 2.3.3-4
- patch: Fix reencryption for custom devices with data segments
set to use cipher_null.
- Resolves: #1927409
* Wed Feb 03 2021 Ondrej Kozina <okozina@redhat.com> - 2.3.3-3
- patch: Fix crypto backend to properly handle ECB mode.
- Resolves: #1859091
* Thu Aug 27 2020 Ondrej Kozina <okozina@redhat.com> - 2.3.3-2
- patch: Fix possible memory corruption in LUKS2 validation
code in 32bit library.
- Resolves: #1872294
* Thu May 28 2020 Ondrej Kozina <okozina@redhat.com> - 2.3.3-1
- Update to cryptsetup 2.3.3
- Resolves: #1796826 #1743891 #1785748
* Fri Apr 03 2020 Ondrej Kozina <okozina@redhat.com> - 2.3.1-1
- Update to cryptsetup 2.3.1
- Resolves: #1796826 #1743891 #1785748
* Mon Nov 18 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.2-1
- Update to cryptsetup 2.2.2
- LUKS2 reencryption honors activation flags (one time and persistent).
- LUKS2 reencryption works also without volume keys put in kernel
keyring service.
- Resolves: #1757783 #1750680 #1753597 #1743399
* Fri Aug 30 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-2
- patch: Fix mapped segments overflow on 32bit architectures.
- patch: Take optimal io size in account with LUKS2 reencryption.
- Resolves: #1742815 #1746532
* Thu Aug 15 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-1
- Update to cryptsetup 2.2.0 (final)
- Resolves: #1738263 #1740342 #1733391 #1729600 #1733390
* Fri Jun 14 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-0.2
- Updates to reencryption feature.
- Resolves: #1676622
* Fri May 03 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-0.1
- Update to cryptsetup 2.2.0
- remove python bits from spec file.
- Resolves: #1676622
* Thu Mar 21 2019 Milan Broz <mbroz@redhat.com> - 2.0.6-2
- Add gating tests.
- Resolves: #1682539
* Mon Dec 03 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.6-1
- Update to cryptsetup 2.0.6
- Enables all supported metadata sizes in LUKS2 validation code.
- Resolves: #1653383
* Fri Aug 10 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.4-2
- patch: fix device alignment bug when processing hinted
value by device topology info.
- Resolves: #1614219
* Wed Aug 08 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.4-1
- Update to cryptsetup 2.0.4.
- patch: Add RHEL system library paths in configure.
- patch: Increase default LUKS2 header size to 8 MiBs.
- patch: update tests to be compatible with larger headers.
- Set default format to LUKS2.
- Cleanup changelog.
- Resolves: #1564540 #1595257 #1595266 #1595881 #1600164
* Fri May 04 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.3-1
- Update to cryptsetup 2.0.3.
* Tue Mar 27 2018 Björn Esser <besser82@fedoraproject.org> - 2.0.2-2
- Rebuilt for libjson-c.so.4 (json-c v0.13.1) on fc28
* Wed Mar 07 2018 Milan Broz <gmazyland@gmail.com> - 2.0.2-1
- Update to cryptsetup 2.0.2.

40
cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch Normal file
View File

@ -0,0 +1,40 @@
From 293abb5435e2b4bec7f8333fb11c88d5c1f45800 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Mon, 5 Dec 2022 13:35:24 +0100
Subject: [PATCH 3/3] Add FIPS related error message in keyslot add code.
Add hints on what went wrong when creating new LUKS
keyslots. The hint is printed only in FIPS mode and
when pbkdf2 failed with passphrase shorter than 8
bytes.
---
lib/luks1/keymanage.c | 5 ++++-
lib/luks2/luks2_keyslot_luks2.c | 2 ++
2 files changed, 6 insertions(+), 1 deletion(-)
Index: cryptsetup-2.7.2/lib/luks1/keymanage.c
===================================================================
--- cryptsetup-2.7.2.orig/lib/luks1/keymanage.c
+++ cryptsetup-2.7.2/lib/luks1/keymanage.c
@@ -926,6 +926,8 @@ int LUKS_set_key(unsigned int keyIndex,
derived_key->key, hdr->keyBytes,
hdr->keyblock[keyIndex].passwordIterations, 0, 0);
if (r < 0) {
+ if (crypt_fips_mode() && passwordLen < 8)
+ log_err(ctx, _("Invalid passphrase for PBKDF2 in FIPS mode."));
if ((crypt_backend_flags() & CRYPT_BACKEND_PBKDF2_INT) &&
hdr->keyblock[keyIndex].passwordIterations > INT_MAX)
log_err(ctx, _("PBKDF2 iteration value overflow."));
Index: cryptsetup-2.7.2/lib/luks2/luks2_keyslot_luks2.c
===================================================================
--- cryptsetup-2.7.2.orig/lib/luks2/luks2_keyslot_luks2.c
+++ cryptsetup-2.7.2/lib/luks2/luks2_keyslot_luks2.c
@@ -269,6 +269,8 @@ static int luks2_keyslot_set_key(struct
pbkdf.iterations > INT_MAX)
log_err(cd, _("PBKDF2 iteration value overflow."));
crypt_free_volume_key(derived_key);
+ if (crypt_fips_mode() && passwordLen < 8 && !strcmp(pbkdf.type, "pbkdf2"))
+ log_err(cd, _("Invalid passphrase for PBKDF2 in FIPS mode."));
return r;
}

752
cryptsetup.spec Normal file
View File

@ -0,0 +1,752 @@
Summary: Utility for setting up encrypted disks
Name: cryptsetup
Version: 2.7.3
Release: 2%{?dist}
License: GPL-2.0-or-later WITH cryptsetup-OpenSSL-exception AND LGPL-2.1-or-later WITH cryptsetup-OpenSSL-exception
URL: https://gitlab.com/cryptsetup/cryptsetup
BuildRequires: autoconf, automake, libtool, gettext-devel,
BuildRequires: openssl-devel, popt-devel, device-mapper-devel
BuildRequires: libuuid-devel, gcc, json-c-devel
BuildRequires: libpwquality-devel, libblkid-devel
BuildRequires: make
BuildRequires: asciidoctor
Requires: cryptsetup-libs = %{version}-%{release}
Requires: libpwquality >= 1.2.0
Obsoletes: %{name}-reencrypt <= %{version}
Provides: %{name}-reencrypt = %{version}
%global upstream_version %{version_no_tilde}
Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-%{upstream_version}.tar.xz
# Following patch has to applied last
Patch9999: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch
%description
The cryptsetup package contains a utility for setting up
disk encryption using dm-crypt kernel module.
%package devel
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: pkgconfig
Summary: Headers and libraries for using encrypted file systems
%description devel
The cryptsetup-devel package contains libraries and header files
used for writing code that makes use of disk encryption.
%package libs
Summary: Cryptsetup shared library
%description libs
This package contains the cryptsetup shared library, libcryptsetup.
%package -n veritysetup
Summary: A utility for setting up dm-verity volumes
Requires: cryptsetup-libs = %{version}-%{release}
%description -n veritysetup
The veritysetup package contains a utility for setting up
disk verification using dm-verity kernel module.
%package -n integritysetup
Summary: A utility for setting up dm-integrity volumes
Requires: cryptsetup-libs = %{version}-%{release}
%description -n integritysetup
The integritysetup package contains a utility for setting up
disk integrity protection using dm-integrity kernel module.
%prep
%autosetup -n cryptsetup-%{upstream_version} -p 1
%build
# force regeneration of manual pages from AsciiDoc
rm -f man/*.8
./autogen.sh
%configure --enable-fips --enable-pwquality --enable-asciidoc --enable-internal-sse-argon2 --disable-ssh-token
%make_build
%install
%make_install
rm -rf %{buildroot}%{_libdir}/*.la
rm -rf %{buildroot}%{_libdir}/%{name}/*.la
%find_lang cryptsetup
%ldconfig_scriptlets -n cryptsetup-libs
%files
%license COPYING
%doc AUTHORS FAQ.md docs/*ReleaseNotes
%{_mandir}/man8/cryptsetup.8.gz
%{_mandir}/man8/cryptsetup-*.8.gz
%{_sbindir}/cryptsetup
%files -n veritysetup
%license COPYING
%{_mandir}/man8/veritysetup.8.gz
%{_sbindir}/veritysetup
%files -n integritysetup
%license COPYING
%{_mandir}/man8/integritysetup.8.gz
%{_sbindir}/integritysetup
%files devel
%doc docs/examples/*
%{_includedir}/libcryptsetup.h
%{_libdir}/libcryptsetup.so
%{_libdir}/pkgconfig/libcryptsetup.pc
%files libs -f cryptsetup.lang
%license COPYING COPYING.LGPL
%{_libdir}/libcryptsetup.so.*
%dir %{_libdir}/%{name}/
%{_tmpfilesdir}/cryptsetup.conf
%ghost %attr(700, -, -) %dir /run/cryptsetup
%changelog
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2.7.3-2
- Bump release for June 2024 mass rebuild
* Tue Jun 18 2024 Daniel Zatovic <dzatovic@redhat.com> - 2.7.3-1
- Update to cryptsetup 2.7.3
- Remove libssh dependency
- Resolves: RHEL-40123
* Mon May 06 2024 Daniel Zatovic <dzatovic@redhat.com> - 2.7.2-2
- Remove SSH token and fix tests
- Resolves: RHEL-33395
* Tue Apr 30 2024 Daniel Zatovic <dzatovic@redhat.com> - 2.7.2-1
- Update to cryptsetup 2.7.2
- Resolves: RHEL-33395
* Fri Feb 09 2024 Ondrej Kozina <okozina@redhat.com> - 2.7.0-2
- Rebuild for OpenSSL Argon2 implementation (OpenSSL 3.2)
- patch: Do not compile unused internal argon2 implementation
* Wed Jan 24 2024 Ondrej Kozina <okozina@redhat.com> - 2.7.0-1
- Update to cryptsetup 2.7.0.
* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.7.0~rc1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.7.0~rc1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Wed Dec 20 2023 Milan Broz <gmazyland@gmail.com> - 2.7.0~rc1-1
- Update to cryptsetup 2.7.0-rc1.
* Wed Nov 29 2023 Ondrej Kozina <okozina@redhat.com> - 2.7.0~rc0-1
- Update to cryptsetup 2.7.0-rc0.
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu Jun 15 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 2.6.1-2
- Drop libargon2 dependency in RHEL builds
* Fri Feb 10 2023 Ondrej Kozina <okozina@redhat.com> - 2.6.1-1
- Update to cryptsetup 2.6.1.
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Mon Nov 28 2022 Ondrej Kozina <okozina@redhat.com> - 2.6.0-1
- Update to cryptsetup 2.6.0.
* Mon Nov 21 2022 Ondrej Kozina <okozina@redhat.com> - 2.6.0~rc0-1
- Update to cryptsetup 2.6.0-rc0.
* Thu Jul 28 2022 Ondrej Kozina <okozina@redhat.com> - 2.5.0-1
- Update to cryptsetup 2.5.0.
* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.0~rc1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Jul 14 2022 Ondrej Kozina <okozina@redhat.com> - 2.5.0~rc1-1
- Update to cryptsetup 2.5.0-rc1.
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Wed Jan 12 2022 Ondrej Kozina <okozina@redhat.com> - 2.4.3-1
- Update to cryptsetup 2.4.3.
* Thu Nov 18 2021 Milan Broz <gmazyland@gmail.com> - 2.4.2-1
- Update to cryptsetup 2.4.2.
* Fri Sep 17 2021 Ondrej Kozina <okozina@redhat.com> - 2.4.1-1
- Update to cryptsetup 2.4.1.
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 2.4.0-2
- Rebuilt with OpenSSL 3.0.0
* Wed Aug 18 2021 Ondrej Kozina <okozina@redhat.com> - 2.4.0-1
- Update to cryptsetup 2.4.0.
* Fri Jul 30 2021 Milan Broz <gmazyland@gmail.com> - 2.4.0~rc1-1
- Update to cryptsetup 2.4.0-rc1.
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.0~rc0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Sat Jul 10 2021 Björn Esser <besser82@fedoraproject.org> - 2.4.0~rc0-2
- Rebuild for versioned symbols in json-c
* Fri Jul 02 2021 Ondrej Kozina <okozina@redhat.com> - 2.4.0~rc0-1
- Update to cryptsetup 2.4.0-rc0.
- add experimental cryptsetup-ssh token subpackage
- spec file cleanup
* Fri May 28 2021 Milan Broz <gmazyland@gmail.com> - 2.3.6-1
- Update to cryptsetup 2.3.6.
* Thu Mar 11 2021 Milan Broz <gmazyland@gmail.com> - 2.3.5-2
- Update to cryptsetup 2.3.5.
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Sep 03 2020 Milan Broz <gmazyland@gmail.com> - 2.3.4-1
- Update to cryptsetup 2.3.4.
- Fix for CVE-2020-14382 (#1874712)
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu May 28 2020 Ondrej Kozina <okozina@redhat.com> - 2.3.3-1
- Update to cryptsetup 2.3.3.
* Thu Apr 30 2020 Milan Broz <gmazyland@gmail.com> - 2.3.2-1
- Update to cryptsetup 2.3.2.
* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 2.3.1-4
- Rebuild (json-c)
* Thu Apr 16 2020 Milan Broz <gmazyland@gmail.com> - 2.3.1-3
- Fix broken json-c patch (#1824878).
* Tue Apr 14 2020 Björn Esser <besser82@fedoraproject.org> - 2.3.1-2
- Add support for upcoming json-c 0.14.0
- Use %%make_build, %%make_install and %%autosetup macros
* Thu Mar 12 2020 Ondrej Kozina <okozina@redhat.com> - 2.3.1-1
- Update to cryptsetup 2.3.1.
* Sun Feb 02 2020 Milan Broz <gmazyland@gmail.com> - 2.3.0-1
- Update to cryptsetup 2.3.0.
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.0-0.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Sun Jan 12 2020 Milan Broz <gmazyland@gmail.com> - 2.3.0-0.1
- Update to cryptsetup 2.3.0-rc0.
* Fri Nov 01 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.2-1
- Update to cryptsetup 2.2.2.
* Fri Sep 06 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.1-1
- Update to cryptsetup 2.2.1.
* Thu Aug 15 2019 Milan Broz <gmazyland@gmail.com> - 2.2.0-1
- Update to cryptsetup 2.2.0.
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.0-0.3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Jun 14 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-0.2
- Update to cryptsetup 2.2.0-rc1.
* Fri May 03 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-0.1
- Update to cryptsetup 2.2.0-rc0.
* Thu Apr 04 2019 Kalev Lember <klember@redhat.com> - 2.1.0-3
- Add back python2-cryptsetup and cryptsetup-python3 obsoletes
* Mon Mar 18 2019 Milan Broz <gmazyland@gmail.com> - 2.1.0-2
- Rebuild for new libargon2 soname.
* Fri Feb 08 2019 Ondrej Kozina <okozina@redhat.com> - 2.1.0-1
- Update to cryptsetup 2.1.0.
- Drop python specific bits from spec file (python was removed
from upstream project)
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Tue Jan 22 2019 Ondrej Kozina <okozina@redhat.com> - 2.0.6-2
- Switch default metadata format to LUKS2.
- Resolves: #1668013
* Mon Dec 03 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.6-1
- Update to cryptsetup 2.0.6.
* Mon Oct 29 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.5-1
- Update to cryptsetup 2.0.5.
* Fri Aug 03 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.4-1
- Update to cryptsetup 2.0.4.
- patch: Add Fedora system library paths in configure.
* Tue Jul 17 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.3-6
- Remove libgcrypt dependency from cryptsetup-libs package.
* Tue Jul 17 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.3-5
- Replace sed script with --disable-rpath configure option.
- Switch cryptsetup to openssl crypto backend.
- Spec file cleanup.
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri May 04 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.3-3
- Fix obsolete macro for python3 subpackage.
* Fri May 04 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.3-2
- Add missing 'Obsoletes' macros for python subpackages.
* Fri May 04 2018 Milan Broz <gmazyland@gmail.com> - 2.0.3-1
- Update to cryptsetup 2.0.3.
* Wed Apr 25 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.2-3
- Add conditions for python sub-packages
* Tue Mar 27 2018 Björn Esser <besser82@fedoraproject.org> - 2.0.2-2
- Rebuilt for libjson-c.so.4 (json-c v0.13.1) on fc28
* Wed Mar 07 2018 Milan Broz <gmazyland@gmail.com> - 2.0.2-1
- Update to cryptsetup 2.0.2.
* Tue Mar 06 2018 Björn Esser <besser82@fedoraproject.org> - 2.0.1-3
- Rebuilt for libjson-c.so.4 (json-c v0.13.1)
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Sun Jan 21 2018 Milan Broz <gmazyland@gmail.com> - 2.0.1-1
- Update to cryptsetup 2.0.1.
* Thu Jan 04 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.0-3
- Override locking path to /run/cryptsetup (going to be new default)
- Claim ownership of the locking directory
* Fri Dec 15 2017 Iryna Shcherbina <ishcherb@redhat.com> - 2.0.0-2
- Update Python 2 dependency declarations to new packaging standards
(See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
* Tue Dec 12 2017 Ondrej Kozina <okozina@redhat.com> - 2.0.0-1
- Update to cryptsetup 2.0.0 (final).
* Sun Dec 10 2017 Björn Esser <besser82@fedoraproject.org> - 2.0.0-0.6
- Rebuilt for libjson-c.so.3
* Mon Nov 20 2017 Milan Broz <gmazyland@gmail.com> - 2.0.0-0.5
- Link to system libargon2 instead of using bundled code.
* Thu Nov 09 2017 Ondrej Kozina <okozina@redhat.com> - 2.0.0-0.4
- Drop the legacy library.
* Wed Nov 08 2017 Ondrej Kozina <okozina@redhat.com> - 2.0.0-0.3
- Temporary build providing legacy library.
* Tue Nov 07 2017 Ondrej Kozina <okozina@redhat.com> - 2.0.0-0.2
- Update to cryptsetup 2.0.0-rc1 (with libcryptsetup soname bump).
- Added integritysetup subpackage.
* Sun Aug 20 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.7.5-5
- Add Provides for the old name without %%_isa
* Sat Aug 19 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.7.5-4
- Python 2 binary package renamed to python2-cryptsetup
See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Thu Apr 27 2017 Milan Broz <gmazyland@gmail.com> - 1.7.5-1
- Update to cryptsetup 1.7.5.
* Wed Mar 15 2017 Milan Broz <gmazyland@gmail.com> - 1.7.4-1
- Update to cryptsetup 1.7.4.
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com> - 1.7.3-2
- Rebuild for Python 3.6
* Sun Oct 30 2016 Milan Broz <gmazyland@gmail.com> - 1.7.3-1
- Update to cryptsetup 1.7.3.
* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.7.2-3
- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
* Mon Jun 13 2016 Milan Broz <gmazyland@gmail.com> - 1.7.2-2
- Rebuilt for compatible symbol changes in glibc.
* Sat Jun 04 2016 Milan Broz <gmazyland@gmail.com> - 1.7.2-1
- Update to cryptsetup 1.7.2.
* Sun Feb 28 2016 Milan Broz <gmazyland@gmail.com> - 1.7.1-1
- Update to cryptsetup 1.7.1.
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Tue Nov 10 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.7.0-2
- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
* Tue Nov 03 2015 Milan Broz <gmazyland@gmail.com> - 1.7.0-1
- Update to cryptsetup 1.7.0.
- Switch to sha256 as default hash.
- Increase default PBKDF2 iteration time to 2 seconds.
* Tue Sep 08 2015 Milan Broz <gmazyland@gmail.com> - 1.6.8-2
- Update to cryptsetup 1.6.8.
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Mon Mar 23 2015 Milan Broz <gmazyland@gmail.com> - 1.6.7-1
- Update to cryptsetup 1.6.7.
- Remove no longer needed fipscheck library dependence.
- Change URL to new homepage.
* Sat Aug 16 2014 Milan Broz <gmazyland@gmail.com> - 1.6.6-1
- Update to cryptsetup 1.6.6.
* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Fri Jul 11 2014 Tom Callaway <spot@fedoraproject.org> - 1.6.5-2
- fix license handling
* Sun Jun 29 2014 Milan Broz <gmazyland@gmail.com> - 1.6.5-1
- Update to cryptsetup 1.6.5.
- Add cryptsetup-python3 subpackage.
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Sun Mar 02 2014 Milan Broz <gmazyland@gmail.com> - 1.6.4-2
- Require libgcrypt 1.6.1 (with fixed PBKDF2 and Whirlpool hash).
* Thu Feb 27 2014 Milan Broz <gmazyland@gmail.com> - 1.6.4-1
- Update to cryptsetup 1.6.4.
* Tue Jan 07 2014 Ondrej Kozina <okozina@redhat.com> - 1.6.3-2
- remove useless hmac checksum
* Fri Dec 13 2013 Milan Broz <gmazyland@gmail.com> - 1.6.3-1
- Update to cryptsetup 1.6.3.
* Sun Aug 04 2013 Milan Broz <gmazyland@gmail.com> - 1.6.2-1
- Update to cryptsetup 1.6.2.
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Sun Mar 31 2013 Milan Broz <gmazyland@gmail.com> - 1.6.1-1
- Update to cryptsetup 1.6.1.
- Install ReleaseNotes files instead of empty Changelog file.
* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Mon Jan 14 2013 Milan Broz <mbroz@redhat.com> - 1.6.0-1
- Update to cryptsetup 1.6.0.
- Change default LUKS encryption mode to aes-xts-plain64 (AES128).
- Force use of gcrypt PBKDF2 instead of internal implementation.
* Sat Dec 29 2012 Milan Broz <mbroz@redhat.com> - 1.6.0-0.1
- Update to cryptsetup 1.6.0-rc1.
- Relax license to GPLv2+ according to new release.
- Compile cryptsetup with libpwquality support.
* Tue Oct 16 2012 Milan Broz <mbroz@redhat.com> - 1.5.1-1
- Update to cryptsetup 1.5.1.
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Tue Jul 10 2012 Milan Broz <mbroz@redhat.com> - 1.5.0-1
- Update to cryptsetup 1.5.0.
* Wed Jun 20 2012 Milan Broz <mbroz@redhat.com> - 1.5.0-0.2
- Update to cryptsetup 1.5.0-rc2.
- Add cryptsetup-reencrypt subpackage.
* Mon Jun 11 2012 Milan Broz <mbroz@redhat.com> - 1.5.0-0.1
- Update to cryptsetup 1.5.0-rc1.
- Add veritysetup subpackage.
- Move localization files to libs subpackage.
* Thu May 31 2012 Milan Broz <mbroz@redhat.com> - 1.4.3-2
- Build with fipscheck (verification in fips mode).
- Clean up spec file, use install to /usr.
* Thu May 31 2012 Milan Broz <mbroz@redhat.com> - 1.4.3-1
- Update to cryptsetup 1.4.3.
* Thu Apr 12 2012 Milan Broz <mbroz@redhat.com> - 1.4.2-1
- Update to cryptsetup 1.4.2.
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Wed Nov 09 2011 Milan Broz <mbroz@redhat.com> - 1.4.1-1
- Update to cryptsetup 1.4.1.
- Add Python cryptsetup bindings.
- Obsolete separate python-cryptsetup package.
* Wed Oct 26 2011 Milan Broz <mbroz@redhat.com> - 1.4.0-1
- Update to cryptsetup 1.4.0.
* Mon Oct 10 2011 Milan Broz <mbroz@redhat.com> - 1.4.0-0.1
- Update to cryptsetup 1.4.0-rc1.
- Rename package back from cryptsetup-luks to cryptsetup.
* Wed Jun 22 2011 Milan Broz <mbroz@redhat.com> - 1.3.1-2
- Fix return code for status command when device doesn't exist.
* Tue May 24 2011 Milan Broz <mbroz@redhat.com> - 1.3.1-1
- Update to cryptsetup 1.3.1.
* Tue Apr 05 2011 Milan Broz <mbroz@redhat.com> - 1.3.0-1
- Update to cryptsetup 1.3.0.
* Tue Mar 22 2011 Milan Broz <mbroz@redhat.com> - 1.3.0-0.2
- Update to cryptsetup 1.3.0-rc2
* Mon Mar 14 2011 Milan Broz <mbroz@redhat.com> - 1.3.0-0.1
- Update to cryptsetup 1.3.0-rc1
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Mon Dec 20 2010 Milan Broz <mbroz@redhat.com> - 1.2.0-1
- Update to cryptsetup 1.2.0
* Thu Nov 25 2010 Milan Broz <mbroz@redhat.com> - 1.2.0-0.2
- Fix crypt_activate_by_keyfile() to work with PLAIN devices.
* Tue Nov 16 2010 Milan Broz <mbroz@redhat.com> - 1.2.0-0.1
- Add FAQ to documentation.
- Update to cryptsetup 1.2.0-rc1
* Sat Jul 03 2010 Milan Broz <mbroz@redhat.com> - 1.1.3-1
- Update to cryptsetup 1.1.3
* Mon Jun 07 2010 Milan Broz <mbroz@redhat.com> - 1.1.2-2
- Fix alignment ioctl use.
- Fix API activation calls to handle NULL device name.
* Sun May 30 2010 Milan Broz <mbroz@redhat.com> - 1.1.2-1
- Update to cryptsetup 1.1.2
- Fix luksOpen handling of new line char on stdin.
* Sun May 23 2010 Milan Broz <mbroz@redhat.com> - 1.1.1-1
- Update to cryptsetup 1.1.1
- Fix luksClose for stacked LUKS/LVM devices.
* Mon May 03 2010 Milan Broz <mbroz@redhat.com> - 1.1.1-0.2
- Update to cryptsetup 1.1.1-rc2.
* Sat May 01 2010 Milan Broz <mbroz@redhat.com> - 1.1.1-0.1
- Update to cryptsetup 1.1.1-rc1.
* Sun Jan 17 2010 Milan Broz <mbroz@redhat.com> - 1.1.0-1
- Update to cryptsetup 1.1.0.
* Fri Jan 15 2010 Milan Broz <mbroz@redhat.com> - 1.1.0-0.6
- Fix gcrypt initialisation.
- Fix backward compatibility for hash algorithm (uppercase).
* Wed Dec 30 2009 Milan Broz <mbroz@redhat.com> - 1.1.0-0.5
- Update to cryptsetup 1.1.0-rc4
* Mon Nov 16 2009 Milan Broz <mbroz@redhat.com> - 1.1.0-0.4
- Update to cryptsetup 1.1.0-rc3
* Thu Oct 01 2009 Milan Broz <mbroz@redhat.com> - 1.1.0-0.3
- Update to cryptsetup 1.1.0-rc2
- Fix libcryptsetup to properly export only versioned symbols.
* Tue Sep 29 2009 Milan Broz <mbroz@redhat.com> - 1.1.0-0.2
- Update to cryptsetup 1.1.0-rc1
- Add luksHeaderBackup and luksHeaderRestore commands.
* Fri Sep 11 2009 Milan Broz <mbroz@redhat.com> - 1.1.0-0.1
- Update to new upstream testing version with new API interface.
- Add luksSuspend and luksResume commands.
- Introduce pkgconfig.
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Wed Jul 22 2009 Milan Broz <mbroz@redhat.com> - 1.0.7-1
- Update to upstream final release.
- Split libs subpackage.
- Remove rpath setting from cryptsetup binary.
* Wed Jul 15 2009 Till Maas <opensource@till.name> - 1.0.7-0.2
- update BR because of libuuid splitout from e2fsprogs
* Mon Jun 22 2009 Milan Broz <mbroz@redhat.com> - 1.0.7-0.1
- Update to new upstream 1.0.7-rc1.
- Wipe old fs headers to not confuse blkid (#468062)
* Tue Feb 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.6-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Thu Oct 30 2008 Milan Broz <mbroz@redhat.com> - 1.0.6-6
- Wipe old fs headers to not confuse blkid (#468062)
* Tue Sep 23 2008 Milan Broz <mbroz@redhat.com> - 1.0.6-5
- Change new project home page.
- Print more descriptive messages for initialization errors.
- Refresh patches to versions commited upstream.
* Sat Sep 06 2008 Milan Broz <mbroz@redhat.com> - 1.0.6-4
- Fix close of zero decriptor.
- Fix udevsettle delays - use temporary crypt device remapping.
* Wed May 28 2008 Till Maas <opensource till name> - 1.0.6-3
- remove a duplicate sentence from the manpage (RH #448705)
- add patch metadata about upstream status
* Tue Apr 15 2008 Bill Nottinghm <notting@redhat.com> - 1.0.6-2
- Add the device to the luksOpen prompt (#433406)
- Use iconv, not recode (#442574)
* Thu Mar 13 2008 Till Maas <opensource till name> - 1.0.6-1
- Update to latest version
- remove patches that have been merged upstream
* Mon Mar 03 2008 Till Maas <opensource till name> - 1.0.6-0.1.pre2
- Update to new version with several bugfixes
- remove patches that have been merged upstream
- add patch from cryptsetup newsgroup
- fix typo / missing luksRemoveKey in manpage (patch)
* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 1.0.5-9
- Autorebuild for GCC 4.3
* Sat Jan 19 2008 Peter Jones <pjones@redhat.com> - 1.0.5-8
- Rebuild for broken deps.
* Thu Aug 30 2007 Till Maas <opensource till name> - 1.0.5-7
- update URL
- update license tag
- recode ChangeLog from latin1 to uf8
- add smp_mflags to make
* Fri Aug 24 2007 Till Maas <opensource till name> - 1.0.5-6
- cleanup BuildRequires:
- removed versions, packages in Fedora are new enough
- changed popt to popt-devel
* Thu Aug 23 2007 Till Maas <opensource till name> - 1.0.5-5
- fix devel subpackage requires
- remove empty NEWS README
- remove uneeded INSTALL
- remove uneeded ldconfig requires
- add readonly detection patch
* Wed Aug 08 2007 Till Maas <opensource till name> - 1.0.5-4
- disable patch2, libsepol is now detected by configure
- move libcryptsetup.so to %%{_libdir} instead of /%%{_lib}
* Fri Jul 27 2007 Till Maas <opensource till name> - 1.0.5-3
- Use /%%{_lib} instead of /lib to use /lib64 on 64bit archs
* Thu Jul 26 2007 Till Maas <opensource till name> - 1.0.5-2
- Use /lib as libdir (#243228)
- sync header and library (#215349)
- do not use %%makeinstall (recommended by PackageGuidelines)
- select sbindir with %%configure instead with make
- add TODO
* Wed Jun 13 2007 Jeremy Katz <katzj@redhat.com> - 1.0.5-1
- update to 1.0.5
* Mon Jun 04 2007 Peter Jones <pjones@redhat.com> - 1.0.3-5
- Don't build static any more.
* Mon Feb 05 2007 Alasdair Kergon <agk@redhat.com> - 1.0.3-4
- Add build dependency on new device-mapper-devel package.
- Add preun and post ldconfig requirements.
- Update BuildRoot.
* Wed Nov 1 2006 Peter Jones <pjones@redhat.com> - 1.0.3-3
- Require newer libselinux (#213414)
* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 1.0.3-2.1
- rebuild
* Wed Jun 7 2006 Jeremy Katz <katzj@redhat.com> - 1.0.3-2
- put shared libs in the right subpackages
* Fri Apr 7 2006 Bill Nottingham <notting@redhat.com> 1.0.3-1
- update to final 1.0.3
* Mon Feb 27 2006 Bill Nottingham <notting@redhat.com> 1.0.3-0.rc2
- update to 1.0.3rc2, fixes bug with HAL & encrypted devices (#182658)
* Wed Feb 22 2006 Bill Nottingham <notting@redhat.com> 1.0.3-0.rc1
- update to 1.0.3rc1, reverts changes to default encryption type
* Tue Feb 21 2006 Bill Nottingham <notting@redhat.com> 1.0.2-1
- update to 1.0.2, fix incompatiblity with old cryptsetup (#176726)
* Mon Feb 20 2006 Karsten Hopp <karsten@redhat.de> 1.0.1-5
- BuildRequires: libselinux-devel
* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1.0.1-4.2.1
- bump again for double-long bug on ppc(64)
* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 1.0.1-4.2
- rebuilt for new gcc4.1 snapshot and glibc changes
* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
- rebuilt
* Mon Dec 5 2005 Bill Nottingham <notting@redhat.com> 1.0.1-4
- rebuild against new libdevmapper
* Thu Oct 13 2005 Florian La Roche <laroche@redhat.com>
- add -lsepol to rebuild on current fc5
* Mon Aug 22 2005 Karel Zak <kzak@redhat.com> 1.0.1-2
- fix cryptsetup help for isLuks action
* Fri Jul 1 2005 Bill Nottingham <notting@redhat.com> 1.0.1-1
- update to 1.0.1 - fixes incompatiblity with previous cryptsetup for
piped passwords
* Thu Jun 16 2005 Bill Nottingham <notting@redhat.com> 1.0-2
- add patch for 32/64 bit compatibility (#160445, <redhat@paukstadt.de>)
* Tue Mar 29 2005 Bill Nottingham <notting@redhat.com> 1.0-1
- update to 1.0
* Thu Mar 10 2005 Bill Nottingham <notting@redhat.com> 0.993-1
- switch to cryptsetup-luks, for LUKS support
* Tue Oct 12 2004 Bill Nottingham <notting@redhat.com> 0.1-4
- oops, make that *everything* static (#129926)
* Tue Aug 31 2004 Bill Nottingham <notting@redhat.com> 0.1-3
- link some things static, move to /sbin (#129926)
* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Fri Apr 16 2004 Bill Nottingham <notting@redhat.com> 0.1-1
- initial packaging

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (cryptsetup-2.7.3.tar.xz) = 08cff21873aeb7cc5b2561abf5d33cdf0fa814eeaabf6a01f858461726ea9faeef651357da33bce7b347ca2f12d6d02bccdb279893f3749cb781ce1fe5c1571c