diff --git a/.cryptsetup.metadata b/.cryptsetup.metadata deleted file mode 100644 index 74cec14..0000000 --- a/.cryptsetup.metadata +++ /dev/null @@ -1,2 +0,0 @@ -3ce643e82d52b0c0282c2754c4bfa8c15c1f567e SOURCES/cryptsetup-2.3.7.tar.xz -ec3ce9960bd536f7500e0d767a973672037c13e6 SOURCES/tests.tar.xz diff --git a/.gitignore b/.gitignore index 3374721..baac207 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ -SOURCES/cryptsetup-2.3.7.tar.xz -SOURCES/tests.tar.xz +cryptsetup-2.7.3.tar.xz diff --git a/SOURCES/cryptsetup-2.4.2-Do-not-try-to-set-compiler-optimization-flag-if-wipe.patch b/SOURCES/cryptsetup-2.4.2-Do-not-try-to-set-compiler-optimization-flag-if-wipe.patch deleted file mode 100644 index ea52c96..0000000 --- a/SOURCES/cryptsetup-2.4.2-Do-not-try-to-set-compiler-optimization-flag-if-wipe.patch +++ /dev/null @@ -1,53 +0,0 @@ -From a76310b53fbb117e620f2c37350b68dd267f1088 Mon Sep 17 00:00:00 2001 -From: Milan Broz -Date: Mon, 20 Sep 2021 17:42:20 +0200 -Subject: [PATCH] Do not try to set compiler optimization flag if wipe is - implemented in libc. - -If zeroing memory is implemented through libc call (like memset_bzero), -compiler should never remove such call. It is not needed to set O0 -optimization flag explicitly. - -Various checkers like annocheck causes problems with these flags, -just remove it where it makes no sense. - -(Moreover, we use the same pattern without compiler magic -in crypt_backend_memzero() already.) ---- - lib/crypto_backend/argon2/core.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/lib/crypto_backend/argon2/core.c b/lib/crypto_backend/argon2/core.c -index b204ba98..db9a7741 100644 ---- a/lib/crypto_backend/argon2/core.c -+++ b/lib/crypto_backend/argon2/core.c -@@ -120,18 +120,24 @@ void free_memory(const argon2_context *context, uint8_t *memory, - } - } - --void NOT_OPTIMIZED secure_wipe_memory(void *v, size_t n) { - #if defined(_MSC_VER) && VC_GE_2005(_MSC_VER) -+void secure_wipe_memory(void *v, size_t n) { - SecureZeroMemory(v, n); -+} - #elif defined memset_s -+void secure_wipe_memory(void *v, size_t n) { - memset_s(v, n, 0, n); -+} - #elif defined(HAVE_EXPLICIT_BZERO) -+void secure_wipe_memory(void *v, size_t n) { - explicit_bzero(v, n); -+} - #else -+void NOT_OPTIMIZED secure_wipe_memory(void *v, size_t n) { - static void *(*const volatile memset_sec)(void *, int, size_t) = &memset; - memset_sec(v, 0, n); --#endif - } -+#endif - - /* Memory clear flag defaults to true. */ - int FLAG_clear_internal_memory = 1; --- -2.27.0 - diff --git a/SOURCES/cryptsetup-2.4.2-Fix-bogus-memory-allocation-if-LUKS2-header-size-is-.patch b/SOURCES/cryptsetup-2.4.2-Fix-bogus-memory-allocation-if-LUKS2-header-size-is-.patch deleted file mode 100644 index f07fb32..0000000 --- a/SOURCES/cryptsetup-2.4.2-Fix-bogus-memory-allocation-if-LUKS2-header-size-is-.patch +++ /dev/null @@ -1,295 +0,0 @@ -From 9576549fee9228cabd9ceee27739a30caab5a7f6 Mon Sep 17 00:00:00 2001 -From: Milan Broz -Date: Tue, 9 Nov 2021 11:54:27 +0100 -Subject: [PATCH] Fix bogus memory allocation if LUKS2 header size is invalid. - -LUKS2 code read the whole header to buffer to verify checksum, -so malloc is called on unvalidated input size parameter. - -This can cause out of memory or unintentional device reads. -(Header validation will fail later anyway - the size is unsupported.) - -Just do not allow too small and too big allocations here and fail quickly. - -Fixes: #683. ---- - lib/luks2/luks2_disk_metadata.c | 20 +++- - ...ks2-metadata-size-invalid-secondary.img.sh | 96 +++++++++++++++++++ - ...enerate-luks2-metadata-size-invalid.img.sh | 94 ++++++++++++++++++ - tests/luks2-validation-test | 2 + - 4 files changed, 208 insertions(+), 4 deletions(-) - create mode 100755 tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh - create mode 100755 tests/generators/generate-luks2-metadata-size-invalid.img.sh - -diff --git a/lib/luks2/luks2_disk_metadata.c b/lib/luks2/luks2_disk_metadata.c -index 502b0226..0500d5c7 100644 ---- a/lib/luks2/luks2_disk_metadata.c -+++ b/lib/luks2/luks2_disk_metadata.c -@@ -195,6 +195,8 @@ static int hdr_disk_sanity_check_pre(struct crypt_device *cd, - size_t *hdr_json_size, int secondary, - uint64_t offset) - { -+ uint64_t hdr_size; -+ - if (memcmp(hdr->magic, secondary ? LUKS2_MAGIC_2ND : LUKS2_MAGIC_1ST, LUKS2_MAGIC_L)) - return -EINVAL; - -@@ -209,19 +211,26 @@ static int hdr_disk_sanity_check_pre(struct crypt_device *cd, - return -EINVAL; - } - -- if (secondary && (offset != be64_to_cpu(hdr->hdr_size))) { -+ hdr_size = be64_to_cpu(hdr->hdr_size); -+ -+ if (hdr_size < LUKS2_HDR_16K_LEN || hdr_size > LUKS2_HDR_OFFSET_MAX) { -+ log_dbg(cd, "LUKS2 header has bogus size 0x%04x.", (unsigned)hdr_size); -+ return -EINVAL; -+ } -+ -+ if (secondary && (offset != hdr_size)) { - log_dbg(cd, "LUKS2 offset 0x%04x in secondary header does not match size 0x%04x.", -- (unsigned)offset, (unsigned)be64_to_cpu(hdr->hdr_size)); -+ (unsigned)offset, (unsigned)hdr_size); - return -EINVAL; - } - - /* FIXME: sanity check checksum alg. */ - - log_dbg(cd, "LUKS2 header version %u of size %u bytes, checksum %s.", -- (unsigned)be16_to_cpu(hdr->version), (unsigned)be64_to_cpu(hdr->hdr_size), -+ (unsigned)be16_to_cpu(hdr->version), (unsigned)hdr_size, - hdr->checksum_alg); - -- *hdr_json_size = be64_to_cpu(hdr->hdr_size) - LUKS2_HDR_BIN_LEN; -+ *hdr_json_size = hdr_size - LUKS2_HDR_BIN_LEN; - return 0; - } - -@@ -252,6 +261,9 @@ static int hdr_read_disk(struct crypt_device *cd, - return -EIO; - } - -+ /* -+ * hdr_json_size is validated if this call succeeds -+ */ - r = hdr_disk_sanity_check_pre(cd, hdr_disk, &hdr_json_size, secondary, offset); - if (r < 0) { - return r; -diff --git a/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh -new file mode 100755 -index 00000000..4dd484e9 ---- /dev/null -+++ b/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh -@@ -0,0 +1,96 @@ -+#!/bin/bash -+ -+. lib.sh -+ -+# -+# *** Description *** -+# -+# generate primary with predefined json_size. There's only limited -+# set of values allowed as json size in config section of LUKS2 -+# metadata -+# -+# secondary header is corrupted on purpose as well -+# -+ -+# $1 full target dir -+# $2 full source luks2 image -+ -+function prepare() -+{ -+ cp $SRC_IMG $TGT_IMG -+ test -d $TMPDIR || mkdir $TMPDIR -+ read_luks2_json0 $TGT_IMG $TMPDIR/json0 -+ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 -+ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -+} -+ -+function generate() -+{ -+ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_1M -+ -+ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512)) -+ TEST_MDA_SIZE_BOGUS_BYTES=$((TEST_MDA_SIZE*512*2*1024)) -+ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE)) -+ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024)) -+ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024)) -+ JSON_SIZE=$((TEST_JSN_SIZE*512)) -+ DATA_OFFSET=16777216 -+ -+ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \ -+ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) | -+ .config.json_size = $jsize | -+ .segments."0".offset = $off' $TMPDIR/json0) -+ test -n "$json_str" || exit 2 -+ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 -+ -+ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE -+ -+ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES -+ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BOGUS_BYTES -+ -+ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES -+ -+ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE -+ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE -+ -+ erase_checksum $TMPDIR/area0 -+ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) -+ write_checksum $chks0 $TMPDIR/area0 -+ -+ erase_checksum $TMPDIR/area1 -+ chks0=$(calc_sha256_checksum_file $TMPDIR/area1) -+ write_checksum $chks0 $TMPDIR/area1 -+ -+ kill_bin_hdr $TMPDIR/area0 -+ -+ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE -+ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE -+} -+ -+function check() -+{ -+ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE -+ local str_res0=$(head -c 6 $TMPDIR/hdr_res0) -+ test "$str_res0" = "VACUUM" || exit 2 -+ read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE -+ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ -+ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or -+ (.config.json_size != $jsize) -+ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5 -+} -+ -+function cleanup() -+{ -+ rm -f $TMPDIR/* -+ rm -fd $TMPDIR -+} -+ -+test $# -eq 2 || exit 1 -+ -+TGT_IMG=$1/$(test_img_name $0) -+SRC_IMG=$2 -+ -+prepare -+generate -+check -+cleanup -diff --git a/tests/generators/generate-luks2-metadata-size-invalid.img.sh b/tests/generators/generate-luks2-metadata-size-invalid.img.sh -new file mode 100755 -index 00000000..6b9c0cf7 ---- /dev/null -+++ b/tests/generators/generate-luks2-metadata-size-invalid.img.sh -@@ -0,0 +1,94 @@ -+#!/bin/bash -+ -+. lib.sh -+ -+# -+# *** Description *** -+# -+# generate primary with predefined json_size. There's only limited -+# set of values allowed as json size in config section of LUKS2 -+# metadata -+# -+# secondary header is corrupted on purpose as well -+# -+ -+# $1 full target dir -+# $2 full source luks2 image -+ -+function prepare() -+{ -+ cp $SRC_IMG $TGT_IMG -+ test -d $TMPDIR || mkdir $TMPDIR -+ read_luks2_json0 $TGT_IMG $TMPDIR/json0 -+ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 -+ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 -+} -+ -+function generate() -+{ -+ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_1M -+ -+ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512)) -+ TEST_MDA_SIZE_BOGUS_BYTES=$((TEST_MDA_SIZE*512*2*1024)) -+ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE)) -+ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024)) -+ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024)) -+ JSON_SIZE=$((TEST_JSN_SIZE*512)) -+ DATA_OFFSET=16777216 -+ -+ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \ -+ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) | -+ .config.json_size = $jsize | -+ .segments."0".offset = $off' $TMPDIR/json0) -+ test -n "$json_str" || exit 2 -+ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 -+ -+ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE -+ -+ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BOGUS_BYTES -+ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BOGUS_BYTES -+ -+ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE -+ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE -+ -+ erase_checksum $TMPDIR/area0 -+ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) -+ write_checksum $chks0 $TMPDIR/area0 -+ -+ erase_checksum $TMPDIR/area1 -+ chks0=$(calc_sha256_checksum_file $TMPDIR/area1) -+ write_checksum $chks0 $TMPDIR/area1 -+ -+ kill_bin_hdr $TMPDIR/area1 -+ -+ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE -+ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE -+} -+ -+function check() -+{ -+ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE -+ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) -+ test "$str_res1" = "VACUUM" || exit 2 -+ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE -+ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ -+ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or -+ (.config.json_size != $jsize) -+ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 -+} -+ -+function cleanup() -+{ -+ rm -f $TMPDIR/* -+ rm -fd $TMPDIR -+} -+ -+test $# -eq 2 || exit 1 -+ -+TGT_IMG=$1/$(test_img_name $0) -+SRC_IMG=$2 -+ -+prepare -+generate -+check -+cleanup -diff --git a/tests/luks2-validation-test b/tests/luks2-validation-test -index 04183fbc..f771e1f9 100755 ---- a/tests/luks2-validation-test -+++ b/tests/luks2-validation-test -@@ -229,6 +229,8 @@ RUN luks2-metadata-size-512k-secondary.img "R" "Valid 512KiB metadata size in s - RUN luks2-metadata-size-1m-secondary.img "R" "Valid 1MiB metadata size in secondary hdr failed to validate" - RUN luks2-metadata-size-2m-secondary.img "R" "Valid 2MiB metadata size in secondary hdr failed to validate" - RUN luks2-metadata-size-4m-secondary.img "R" "Valid 4MiB metadata size in secondary hdr failed to validate" -+RUN luks2-metadata-size-invalid.img "F" "Invalid metadata size in secondary hdr not rejected" -+RUN luks2-metadata-size-invalid-secondary.img "F" "Invalid metadata size in secondary hdr not rejected" - - remove_mapping - --- -2.27.0 - diff --git a/SOURCES/cryptsetup-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch b/SOURCES/cryptsetup-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch deleted file mode 100644 index 023666a..0000000 --- a/SOURCES/cryptsetup-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch +++ /dev/null @@ -1,41 +0,0 @@ -From f671febe64d8f40cdcb1677a08436a8907ccbb7e Mon Sep 17 00:00:00 2001 -From: Ondrej Kozina -Date: Wed, 23 Feb 2022 12:27:57 +0100 -Subject: [PATCH 2/3] Add more tests for --test-passphrase parameter. - ---- - tests/compat-test-args | 4 ++++ - tests/luks2-reencryption-test | 18 ++++++++++++++++++ - 2 files changed, 22 insertions(+) - -diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test -index 6f156016..73818b5d 100755 ---- a/tests/luks2-reencryption-test -+++ b/tests/luks2-reencryption-test -@@ -1606,5 +1606,23 @@ if [ -n "$DM_SECTOR_SIZE" ]; then - reencrypt_recover_online 4096 journal $HASH1 - fi - -+echo "[27] Verify test passphrase mode works with reencryption metadata" -+echo $PWD1 | $CRYPTSETUP -S5 -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV || fail -+echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $DEV || fail -+echo $PWD1 | $CRYPTSETUP reencrypt --init-only $DEV || fail -+echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail -+ -+echo $PWD1 | $CRYPTSETUP -q luksFormat -S5 --header $IMG_HDR --type luks2 $FAST_PBKDF_ARGON $DEV || fail -+echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $IMG_HDR || fail -+echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --init-only --header $IMG_HDR $DEV || fail -+echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail -+ -+echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --init-only --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail -+echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail -+ -+wipe_dev $DEV -+echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 8M $FAST_PBKDF_ARGON $DEV || fail -+echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail -+ - remove_mapping - exit 0 --- -2.27.0 - diff --git a/SOURCES/cryptsetup-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch b/SOURCES/cryptsetup-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch deleted file mode 100644 index 5566c54..0000000 --- a/SOURCES/cryptsetup-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch +++ /dev/null @@ -1,103 +0,0 @@ -diff -rupN cryptsetup-2.3.7.old/man/cryptsetup.8 cryptsetup-2.3.7/man/cryptsetup.8 ---- cryptsetup-2.3.7.old/man/cryptsetup.8 2022-02-24 15:58:37.968167423 +0100 -+++ cryptsetup-2.3.7/man/cryptsetup.8 2022-02-24 17:06:25.326217548 +0100 -@@ -321,7 +321,7 @@ the command prompts for it interactively - \-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase, - \-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id, - \-\-token\-only, \-\-disable\-keyring, \-\-disable\-locks, \-\-type, \-\-refresh, --\-\-serialize\-memory\-hard\-pbkdf]. -+\-\-serialize\-memory\-hard\-pbkdf, \-\-unbound]. - .PP - \fIluksSuspend\fR - .IP -@@ -1409,10 +1409,14 @@ aligned to page size and page-cache init - integrity tag. - .TP - .B "\-\-unbound" -- - Creates new or dumps existing LUKS2 unbound keyslot. See \fIluksAddKey\fR or - \fIluksDump\fR actions for more details. - -+When used in \fIluksOpen\fR action (allowed only together with -+\-\-test\-passphrase parameter), it allows to test passphrase for unbound LUKS2 -+keyslot. Otherwise, unbound keyslot passphrase can be tested only when specific -+keyslot is selected via \-\-key\-slot parameter. -+ - .TP - .B "\-\-tcrypt\-hidden" - .B "\-\-tcrypt\-system" -diff -rupN cryptsetup-2.3.7.old/src/cryptsetup.c cryptsetup-2.3.7/src/cryptsetup.c ---- cryptsetup-2.3.7.old/src/cryptsetup.c 2022-02-24 15:58:37.969167429 +0100 -+++ cryptsetup-2.3.7/src/cryptsetup.c 2022-02-24 17:10:30.947561638 +0100 -@@ -230,7 +230,7 @@ static void _set_activation_flags(uint32 - *flags |= CRYPT_ACTIVATE_IGNORE_PERSISTENT; - - /* Only for LUKS2 but ignored elsewhere */ -- if (opt_test_passphrase) -+ if (opt_test_passphrase && (opt_unbound || (opt_key_slot != CRYPT_ANY_SLOT))) - *flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY; - - if (opt_serialize_memory_hard_pbkdf) -@@ -4021,6 +4021,17 @@ int main(int argc, const char **argv) - _("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."), - poptGetInvocationName(popt_context)); - -+ if (opt_unbound && !strcmp(aname, "open") && device_type && -+ strncmp(device_type, "luks", 4)) -+ usage(popt_context, EXIT_FAILURE, -+ _("Option --unbound is allowed only for open of luks device."), -+ poptGetInvocationName(popt_context)); -+ -+ if (opt_unbound && !opt_test_passphrase && !strcmp(aname, "open")) -+ usage(popt_context, EXIT_FAILURE, -+ _("Option --unbound cannot be used without --test-passphrase."), -+ poptGetInvocationName(popt_context)); -+ - if (opt_tcrypt_hidden && opt_allow_discards) - usage(popt_context, EXIT_FAILURE, - _("Option --tcrypt-hidden cannot be combined with --allow-discards."), -@@ -4103,9 +4114,9 @@ int main(int argc, const char **argv) - _("Keyslot specification is required."), - poptGetInvocationName(popt_context)); - -- if (opt_unbound && strcmp(aname, "luksAddKey") && strcmp(aname, "luksDump")) -+ if (opt_unbound && strcmp(aname, "luksAddKey") && strcmp(aname, "luksDump") && strcmp(aname, "open")) - usage(popt_context, EXIT_FAILURE, -- _("Option --unbound may be used only with luksAddKey and luksDump actions."), -+ _("Option --unbound may be used only with luksAddKey, luksDump and open actions."), - poptGetInvocationName(popt_context)); - - if (opt_refresh && strcmp(aname, "open")) -diff -rupN cryptsetup-2.3.7.old/tests/compat-test2 cryptsetup-2.3.7/tests/compat-test2 ---- cryptsetup-2.3.7.old/tests/compat-test2 2022-02-24 15:58:38.013167680 +0100 -+++ cryptsetup-2.3.7/tests/compat-test2 2022-02-24 17:23:23.035760517 +0100 -@@ -696,7 +696,7 @@ $CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOP - # otoh it should be allowed to test for proper passphrase - prepare "" new - echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail --echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail -+echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail - echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail - [ -b /dev/mapper/$DEV_NAME ] && fail - echo $PWD1 | $CRYPTSETUP open $HEADER_KEYU $DEV_NAME 2>/dev/null && fail -@@ -705,7 +705,7 @@ echo $PWD0 | $CRYPTSETUP open -S1 --test - $CRYPTSETUP luksKillSlot -q $HEADER_KEYU 0 - $CRYPTSETUP luksDump $HEADER_KEYU | grep -q "0: luks2" && fail - echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail --echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail -+echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail - echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail - - prepare "[28] Detached LUKS header" wipe -@@ -952,11 +952,9 @@ echo $PWD3 | $CRYPTSETUP -q luksAddKey - - # do not allow to replace keyslot by unbound slot - echo $PWD1 | $CRYPTSETUP -q luksAddKey -S5 --unbound -s 32 $LOOPDEV 2>/dev/null && fail - echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail --echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail - echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV $DEV_NAME 2> /dev/null && fail - echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV --test-passphrase || fail - echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail --echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail - # check we're able to change passphrase for unbound keyslot - echo -e "$PWD2\n$PWD3" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail - echo $PWD3 | $CRYPTSETUP open --test-passphrase $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail diff --git a/SOURCES/cryptsetup-2.5.0-Fix-typo-in-repair-prompt.patch b/SOURCES/cryptsetup-2.5.0-Fix-typo-in-repair-prompt.patch deleted file mode 100644 index a34329b..0000000 --- a/SOURCES/cryptsetup-2.5.0-Fix-typo-in-repair-prompt.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -rupN cryptsetup-2.3.7.old/src/cryptsetup.c cryptsetup-2.3.7/src/cryptsetup.c ---- cryptsetup-2.3.7.old/src/cryptsetup.c 2022-01-20 14:47:13.198475734 +0100 -+++ cryptsetup-2.3.7/src/cryptsetup.c 2022-01-20 14:47:24.186505625 +0100 -@@ -1137,7 +1137,7 @@ static int reencrypt_metadata_repair(str - _("Operation aborted.\n"))) - return -EINVAL; - -- r = tools_get_key(_("Enter passphrase to protect and uppgrade reencryption metadata: "), -+ r = tools_get_key(_("Enter passphrase to protect and upgrade reencryption metadata: "), - &password, &passwordLen, opt_keyfile_offset, - opt_keyfile_size, opt_key_file, opt_timeout, - _verify_passphrase(0), 0, cd); diff --git a/SOURCES/cryptsetup-2.5.0-Remove-LUKS2-encryption-data-size-restriction.patch b/SOURCES/cryptsetup-2.5.0-Remove-LUKS2-encryption-data-size-restriction.patch deleted file mode 100644 index bf522bf..0000000 --- a/SOURCES/cryptsetup-2.5.0-Remove-LUKS2-encryption-data-size-restriction.patch +++ /dev/null @@ -1,206 +0,0 @@ -From 6bc1378ddb5bbcc6ba592177c996576b0b3505f9 Mon Sep 17 00:00:00 2001 -From: Ondrej Kozina -Date: Fri, 22 Oct 2021 13:06:48 +0200 -Subject: [PATCH] Remove LUKS2 encryption data size restriction. - -LUKS2 encryption with data shift required remaining -data size (size remaining after substracting --reduce-data-size value) -to be at least --reduce-data-size. This was wrong. Remaining -data size restriction should be correctly at least single sector -(whatever sector size is selected or auto-detected). ---- - lib/luks2/luks2_reencrypt.c | 31 ++++++++++++----------- - tests/api-test-2.c | 6 ++--- - tests/luks2-reencryption-test | 46 +++++++++++++++++++++++++++++------ - 3 files changed, 57 insertions(+), 26 deletions(-) - -diff --git a/lib/luks2/luks2_reencrypt.c b/lib/luks2/luks2_reencrypt.c -index b45327ad..d0e0dc40 100644 ---- a/lib/luks2/luks2_reencrypt.c -+++ b/lib/luks2/luks2_reencrypt.c -@@ -825,7 +825,7 @@ static int reencrypt_offset_backward_moved(struct luks2_hdr *hdr, json_object *j - linear_length += LUKS2_segment_size(hdr, sg, 0); - - /* all active linear segments length */ -- if (linear_length) { -+ if (linear_length && segs > 1) { - if (linear_length < data_shift) - return -EINVAL; - tmp = linear_length - data_shift; -@@ -1745,7 +1745,8 @@ static int reencrypt_set_encrypt_segments(struct crypt_device *cd, struct luks2_ - int r; - uint64_t first_segment_offset, first_segment_length, - second_segment_offset, second_segment_length, -- data_offset = LUKS2_get_data_offset(hdr) << SECTOR_SHIFT; -+ data_offset = LUKS2_get_data_offset(hdr) << SECTOR_SHIFT, -+ data_size = dev_size - data_shift; - json_object *jobj_segment_first = NULL, *jobj_segment_second = NULL, *jobj_segments; - - if (dev_size < data_shift) -@@ -1760,9 +1761,14 @@ static int reencrypt_set_encrypt_segments(struct crypt_device *cd, struct luks2_ - * [future LUKS2 header (data shift size)][second data segment][gap (data shift size)][first data segment (data shift size)] - */ - first_segment_offset = dev_size; -- first_segment_length = data_shift; -- second_segment_offset = data_shift; -- second_segment_length = dev_size - 2 * data_shift; -+ if (data_size < data_shift) { -+ first_segment_length = data_size; -+ second_segment_length = second_segment_offset = 0; -+ } else { -+ first_segment_length = data_shift; -+ second_segment_offset = data_shift; -+ second_segment_length = data_size - data_shift; -+ } - } else if (data_shift) { - first_segment_offset = data_offset; - first_segment_length = dev_size; -@@ -2163,17 +2169,10 @@ static int reencrypt_move_data(struct crypt_device *cd, int devfd, uint64_t data - - log_dbg(cd, "Going to move data from head of data device."); - -- buffer_len = data_shift; -- if (!buffer_len) -- return -EINVAL; -- - offset = json_segment_get_offset(LUKS2_get_segment_jobj(hdr, 0), 0); -- -- /* this is nonsense anyway */ -- if (buffer_len != json_segment_get_size(LUKS2_get_segment_jobj(hdr, 0), 0)) { -- log_dbg(cd, "buffer_len %" PRIu64", segment size %" PRIu64, buffer_len, json_segment_get_size(LUKS2_get_segment_jobj(hdr, 0), 0)); -+ buffer_len = json_segment_get_size(LUKS2_get_segment_jobj(hdr, 0), 0); -+ if (!buffer_len || buffer_len > data_shift) - return -EINVAL; -- } - - if (posix_memalign(&buffer, device_alignment(crypt_data_device(cd)), buffer_len)) - return -ENOMEM; -@@ -2447,7 +2446,7 @@ static int reencrypt_init(struct crypt_device *cd, - * encryption initialization (or mount) - */ - if (move_first_segment) { -- if (dev_size < 2 * (params->data_shift << SECTOR_SHIFT)) { -+ if (dev_size < (params->data_shift << SECTOR_SHIFT)) { - log_err(cd, _("Device %s is too small."), device_path(crypt_data_device(cd))); - return -EINVAL; - } -@@ -3484,7 +3483,7 @@ int LUKS2_reencrypt_check_device_size(struct crypt_device *cd, struct luks2_hdr - check_size, check_size >> SECTOR_SHIFT, real_size, real_size >> SECTOR_SHIFT, - real_size - data_offset, (real_size - data_offset) >> SECTOR_SHIFT); - -- if (real_size < data_offset || (check_size && (real_size - data_offset) < check_size)) { -+ if (real_size < data_offset || (check_size && real_size < check_size)) { - log_err(cd, _("Device %s is too small."), device_path(crypt_data_device(cd))); - return -EINVAL; - } -diff --git a/tests/api-test-2.c b/tests/api-test-2.c -index a01a7a72..05ee8f94 100644 ---- a/tests/api-test-2.c -+++ b/tests/api-test-2.c -@@ -4238,7 +4238,7 @@ static void Luks2Reencryption(void) - - _cleanup_dmdevices(); - OK_(create_dmdevice_over_loop(H_DEVICE, r_header_size)); -- OK_(create_dmdevice_over_loop(L_DEVICE_OK, 12*1024*2+1)); -+ OK_(create_dmdevice_over_loop(L_DEVICE_OK, 8*1024*2+1)); - - /* encryption with datashift and moved segment (data shift + 1 sector) */ - OK_(crypt_init(&cd, DMDIR H_DEVICE)); -@@ -4258,11 +4258,11 @@ static void Luks2Reencryption(void) - - _cleanup_dmdevices(); - OK_(create_dmdevice_over_loop(H_DEVICE, r_header_size)); -- OK_(create_dmdevice_over_loop(L_DEVICE_OK, 12*1024*2)); -+ OK_(create_dmdevice_over_loop(L_DEVICE_OK, 2*8200)); - - OK_(crypt_init(&cd, DMDIR H_DEVICE)); - -- /* encryption with datashift and moved segment (data shift + data offset > device size) */ -+ /* encryption with datashift and moved segment (data shift + data offset <= device size) */ - memset(&rparams, 0, sizeof(rparams)); - params2.sector_size = 512; - params2.data_device = DMDIR L_DEVICE_OK; -diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test -index 8efb2707..bf711c15 100755 ---- a/tests/luks2-reencryption-test -+++ b/tests/luks2-reencryption-test -@@ -152,14 +152,30 @@ function open_crypt() # $1 pwd, $2 hdr - fi - } - -+function wipe_dev_head() # $1 dev, $2 length (in MiBs) -+{ -+ dd if=/dev/zero of=$1 bs=1M count=$2 conv=notrunc >/dev/null 2>&1 -+} -+ - function wipe_dev() # $1 dev - { - if [ -b $1 ] ; then - blkdiscard --zeroout $1 2>/dev/null || dd if=/dev/zero of=$1 bs=1M conv=notrunc >/dev/null 2>&1 -+ if [ $# -gt 2 ]; then -+ dd if=/dev/urandom of=$1 bs=1M seek=$2 conv=notrunc >/dev/null 2>&1 -+ fi - else - local size=$(stat --printf="%s" $1) - truncate -s 0 $1 -- truncate -s $size $1 -+ if [ $# -gt 2 ]; then -+ local diff=$((size-$2*1024*1024)) -+ echo "size: $size, diff: $diff" -+ truncate -s $diff $1 -+ # wipe_dev_head $1 $((diff/(1024*1024))) -+ dd if=/dev/urandom of=$1 bs=1M seek=$2 size=$((diff/(1024*1024))) conv=notrunc >/dev/null 2>&1 -+ else -+ truncate -s $size $1 -+ fi - fi - } - -@@ -214,15 +230,16 @@ function check_hash() # $1 pwd, $2 hash, $3 hdr - $CRYPTSETUP remove $DEV_NAME || fail - } - -+function check_hash_dev_head() # $1 dev, $2 len, $3 hash -+{ -+ local hash=$(dd if=$1 bs=512 count=$2 2>/dev/null | sha256sum | cut -d' ' -f1) -+ [ $hash != "$3" ] && fail "HASH differs (expected: $3) (result $hash)" -+} -+ - function check_hash_head() # $1 pwd, $2 len, $3 hash, $4 hdr - { - open_crypt $1 $4 -- if [ -n "$4" ]; then -- echo $1 | $CRYPTSETUP resize $DEV_NAME --size $2 --header $4 || fail -- else -- echo $1 | $CRYPTSETUP resize $DEV_NAME --size $2 || fail -- fi -- check_hash_dev /dev/mapper/$DEV_NAME $3 -+ check_hash_dev_head /dev/mapper/$DEV_NAME $2 $3 - $CRYPTSETUP remove $DEV_NAME || fail - } - -@@ -865,6 +882,21 @@ $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail - $CRYPTSETUP close $DEV_NAME - echo $PWD1 | $CRYPTSETUP open $DEV --test-passphrase || fail - -+# Small device encryption test -+preparebig 65 -+# wipe only 1st MiB (final data size after encryption) -+wipe_dev $DEV 1 -+check_hash_dev_head $DEV 2048 $HASH2 -+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size 64M -q $FAST_PBKDF_ARGON || fail -+check_hash_head $PWD1 2048 $HASH2 -+ -+wipe_dev_head $DEV 1 -+check_hash_dev_head $DEV 2048 $HASH2 -+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size 64M --init-only -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail -+check_hash_dev_head /dev/mapper/$DEV_NAME 2048 $HASH2 -+echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q || fail -+check_hash_dev_head /dev/mapper/$DEV_NAME 2048 $HASH2 -+ - echo "[3] Encryption with detached header" - preparebig 256 - wipe_dev $DEV --- -2.38.1 - diff --git a/SOURCES/cryptsetup-2.6.0-Code-cleanup.patch b/SOURCES/cryptsetup-2.6.0-Code-cleanup.patch deleted file mode 100644 index 718abef..0000000 --- a/SOURCES/cryptsetup-2.6.0-Code-cleanup.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 23903951505cd4ad9f3469e037278494c14a7791 Mon Sep 17 00:00:00 2001 -From: Ondrej Kozina -Date: Wed, 12 Oct 2022 12:05:00 +0200 -Subject: [PATCH 3/5] Code cleanup. - -Type cast is not needed here. ---- - lib/libdevmapper.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c -index 7fcf843f..6a239e14 100644 ---- a/lib/libdevmapper.c -+++ b/lib/libdevmapper.c -@@ -1992,9 +1992,7 @@ static int _dm_target_query_crypt(struct crypt_device *cd, uint32_t get_flags, - - /* cipher */ - if (get_flags & DM_ACTIVE_CRYPT_CIPHER) { -- r = crypt_capi_to_cipher(CONST_CAST(char**)&cipher, -- CONST_CAST(char**)&integrity, -- rcipher, rintegrity); -+ r = crypt_capi_to_cipher(&cipher, &integrity, rcipher, rintegrity); - if (r < 0) - goto err; - } --- -2.38.1 - diff --git a/SOURCES/cryptsetup-2.6.0-Copy-also-integrity-string-in-legacy-mode.patch b/SOURCES/cryptsetup-2.6.0-Copy-also-integrity-string-in-legacy-mode.patch deleted file mode 100644 index 9a6bdcc..0000000 --- a/SOURCES/cryptsetup-2.6.0-Copy-also-integrity-string-in-legacy-mode.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 19c15a652f878458493f0ac335110e2779f3cbe3 Mon Sep 17 00:00:00 2001 -From: Ondrej Kozina -Date: Wed, 12 Oct 2022 11:59:09 +0200 -Subject: [PATCH 4/5] Copy also integrity string in legacy mode. - -So that it handles integrity string same as it does -with cipher string. ---- - lib/utils_crypt.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c -index 4f4dbba8..93f846d7 100644 ---- a/lib/utils_crypt.c -+++ b/lib/utils_crypt.c -@@ -284,7 +284,14 @@ int crypt_capi_to_cipher(char **org_c, char **org_i, const char *c_dm, const cha - if (strncmp(c_dm, "capi:", 4)) { - if (!(*org_c = strdup(c_dm))) - return -ENOMEM; -- *org_i = NULL; -+ if (i_dm) { -+ if (!(*org_i = strdup(i_dm))) { -+ free(*org_c); -+ *org_c = NULL; -+ return -ENOMEM; -+ } -+ } else -+ *org_i = NULL; - return 0; - } - --- -2.38.1 - diff --git a/SOURCES/cryptsetup-2.6.0-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch b/SOURCES/cryptsetup-2.6.0-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch deleted file mode 100644 index 350a863..0000000 --- a/SOURCES/cryptsetup-2.6.0-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch +++ /dev/null @@ -1,316 +0,0 @@ -From 5b001b7962744b1bdaeb60b7c8cb9c682f907e03 Mon Sep 17 00:00:00 2001 -From: Ondrej Kozina -Date: Tue, 28 Jun 2022 16:23:34 +0200 -Subject: [PATCH] Delegate FIPS mode detection to configured crypto backend. - -System FIPS mode check is no longer dependent on /etc/system-fips -file. The change should be compatible with older distributions since -we now depend on crypto backend internal routine. - -This commit affects only FIPS enabled systems (with FIPS enabled -builds). In case this causes any regression in current distributions -feel free to drop the patch. - -For reference see https://bugzilla.redhat.com/show_bug.cgi?id=2080516 ---- - lib/crypto_backend/crypto_backend.h | 3 ++ - lib/crypto_backend/crypto_gcrypt.c | 17 +++++++++ - lib/crypto_backend/crypto_kernel.c | 5 +++ - lib/crypto_backend/crypto_nettle.c | 5 +++ - lib/crypto_backend/crypto_nss.c | 5 +++ - lib/crypto_backend/crypto_openssl.c | 26 ++++++++++++++ - lib/internal.h | 1 - - lib/utils_fips.c | 55 ----------------------------- - lib/utils_fips.h | 28 --------------- - po/POTFILES.in | 1 - - src/cryptsetup.h | 1 - - tests/compat-test | 2 +- - tests/compat-test2 | 2 +- - tests/keyring-compat-test | 2 +- - tests/luks2-reencryption-test | 2 +- - 16 files changed, 65 insertions(+), 92 deletions(-) - delete mode 100644 lib/utils_fips.c - delete mode 100644 lib/utils_fips.h - -Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_backend.h -=================================================================== ---- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_backend.h -+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_backend.h -@@ -135,4 +135,7 @@ static inline void crypt_backend_memzero - #endif - } - -+/* crypto backend running in FIPS mode */ -+bool crypt_fips_mode(void); -+ - #endif /* _CRYPTO_BACKEND_H */ -Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_gcrypt.c -=================================================================== ---- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_gcrypt.c -+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_gcrypt.c -@@ -550,3 +550,20 @@ out: - return -ENOTSUP; - #endif - } -+ -+#if !ENABLE_FIPS -+bool crypt_fips_mode(void) { return false; } -+#else -+bool crypt_fips_mode(void) -+{ -+ static bool fips_mode = false, fips_checked = false; -+ -+ if (fips_checked) -+ return fips_mode; -+ -+ fips_mode = gcry_fips_mode_active(); -+ fips_checked = true; -+ -+ return fips_mode; -+} -+#endif /* ENABLE FIPS */ -Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_kernel.c -=================================================================== ---- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_kernel.c -+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_kernel.c -@@ -416,3 +416,8 @@ int crypt_bitlk_decrypt_key(const void * - return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length, - iv, iv_length, tag, tag_length); - } -+ -+bool crypt_fips_mode(void) -+{ -+ return false; -+} -Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_nettle.c -=================================================================== ---- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_nettle.c -+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_nettle.c -@@ -442,3 +442,8 @@ int crypt_bitlk_decrypt_key(const void * - return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length, - iv, iv_length, tag, tag_length); - } -+ -+bool crypt_fips_mode(void) -+{ -+ return false; -+} -Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_nss.c -=================================================================== ---- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_nss.c -+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_nss.c -@@ -395,3 +395,8 @@ int crypt_bitlk_decrypt_key(const void * - return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length, - iv, iv_length, tag, tag_length); - } -+ -+bool crypt_fips_mode(void) -+{ -+ return false; -+} -Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_openssl.c -=================================================================== ---- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_openssl.c -+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_openssl.c -@@ -574,3 +574,29 @@ out: - return -ENOTSUP; - #endif - } -+ -+#if !ENABLE_FIPS -+bool crypt_fips_mode(void) { return false; } -+#else -+static bool openssl_fips_mode(void) -+{ -+#if OPENSSL_VERSION_MAJOR >= 3 -+ return EVP_default_properties_is_fips_enabled(NULL); -+#else -+ return FIPS_mode(); -+#endif -+} -+ -+bool crypt_fips_mode(void) -+{ -+ static bool fips_mode = false, fips_checked = false; -+ -+ if (fips_checked) -+ return fips_mode; -+ -+ fips_mode = openssl_fips_mode(); -+ fips_checked = true; -+ -+ return fips_mode; -+} -+#endif /* ENABLE FIPS */ -Index: cryptsetup-2.3.7/lib/internal.h -=================================================================== ---- cryptsetup-2.3.7.orig/lib/internal.h -+++ cryptsetup-2.3.7/lib/internal.h -@@ -38,7 +38,6 @@ - #include "utils_crypt.h" - #include "utils_loop.h" - #include "utils_dm.h" --#include "utils_fips.h" - #include "utils_keyring.h" - #include "utils_io.h" - #include "crypto_backend.h" -Index: cryptsetup-2.3.7/po/POTFILES.in -=================================================================== ---- cryptsetup-2.3.7.orig/po/POTFILES.in -+++ cryptsetup-2.3.7/po/POTFILES.in -@@ -6,7 +6,6 @@ lib/volumekey.c - lib/crypt_plain.c - lib/utils_crypt.c - lib/utils_loop.c --lib/utils_fips.c - lib/utils_device.c - lib/utils_devpath.c - lib/utils_pbkdf.c -Index: cryptsetup-2.3.7/src/cryptsetup.h -=================================================================== ---- cryptsetup-2.3.7.orig/src/cryptsetup.h -+++ cryptsetup-2.3.7/src/cryptsetup.h -@@ -43,7 +43,6 @@ - #include "lib/nls.h" - #include "lib/utils_crypt.h" - #include "lib/utils_loop.h" --#include "lib/utils_fips.h" - #include "lib/utils_io.h" - #include "lib/utils_blkid.h" - -Index: cryptsetup-2.3.7/tests/compat-test -=================================================================== ---- cryptsetup-2.3.7.orig/tests/compat-test -+++ cryptsetup-2.3.7/tests/compat-test -@@ -44,7 +44,7 @@ KEY_MATERIAL5_EXT="S331776-395264" - TEST_UUID="12345678-1234-1234-1234-123456789abc" - - LOOPDEV=$(losetup -f 2>/dev/null) --[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) -+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) - - function remove_mapping() - { -Index: cryptsetup-2.3.7/tests/compat-test2 -=================================================================== ---- cryptsetup-2.3.7.orig/tests/compat-test2 -+++ cryptsetup-2.3.7/tests/compat-test2 -@@ -42,7 +42,7 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-f - TEST_UUID="12345678-1234-1234-1234-123456789abc" - - LOOPDEV=$(losetup -f 2>/dev/null) --[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) -+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) - - function remove_mapping() - { -Index: cryptsetup-2.3.7/tests/keyring-compat-test -=================================================================== ---- cryptsetup-2.3.7.orig/tests/keyring-compat-test -+++ cryptsetup-2.3.7/tests/keyring-compat-test -@@ -26,7 +26,7 @@ PWD="aaa" - [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".." - CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup - --[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) -+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) - - function remove_mapping() - { -Index: cryptsetup-2.3.7/tests/luks2-reencryption-test -=================================================================== ---- cryptsetup-2.3.7.orig/tests/luks2-reencryption-test -+++ cryptsetup-2.3.7/tests/luks2-reencryption-test -@@ -24,7 +24,7 @@ PWD1="93R4P4pIqAH8" - PWD2="1cND4319812f" - PWD3="1-9Qu5Ejfnqv" - --[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) -+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) - - function dm_crypt_features() - { -Index: cryptsetup-2.3.7/lib/utils_fips.c -=================================================================== ---- cryptsetup-2.3.7.orig/lib/utils_fips.c -+++ cryptsetup-2.3.7/lib/utils_fips.c -@@ -1,46 +1 @@ --/* -- * FIPS mode utilities -- * -- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved. -- * -- * This program is free software; you can redistribute it and/or -- * modify it under the terms of the GNU General Public License -- * as published by the Free Software Foundation; either version 2 -- * of the License, or (at your option) any later version. -- * -- * This program is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. -- * -- * You should have received a copy of the GNU General Public License -- * along with this program; if not, write to the Free Software -- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -- */ -- --#include --#include --#include --#include "utils_fips.h" -- --#if !ENABLE_FIPS --int crypt_fips_mode(void) { return 0; } --#else --static int kernel_fips_mode(void) --{ -- int fd; -- char buf[1] = ""; -- -- if ((fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY)) >= 0) { -- while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR); -- close(fd); -- } -- -- return (buf[0] == '1') ? 1 : 0; --} -- --int crypt_fips_mode(void) --{ -- return kernel_fips_mode() && !access("/etc/system-fips", F_OK); --} --#endif /* ENABLE_FIPS */ -+/* keep an empty file to avoid running autogen.sh */ -Index: cryptsetup-2.3.7/lib/utils_fips.h -=================================================================== ---- cryptsetup-2.3.7.orig/lib/utils_fips.h -+++ cryptsetup-2.3.7/lib/utils_fips.h -@@ -1,26 +1 @@ --/* -- * FIPS mode utilities -- * -- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved. -- * -- * This program is free software; you can redistribute it and/or -- * modify it under the terms of the GNU General Public License -- * as published by the Free Software Foundation; either version 2 -- * of the License, or (at your option) any later version. -- * -- * This program is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. -- * -- * You should have received a copy of the GNU General Public License -- * along with this program; if not, write to the Free Software -- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -- */ -- --#ifndef _UTILS_FIPS_H --#define _UTILS_FIPS_H -- --int crypt_fips_mode(void); -- --#endif /* _UTILS_FIPS_H */ -+/* keep an empty file to avoid running autogen.sh */ diff --git a/SOURCES/cryptsetup-2.6.0-Fix-cipher-convert-routines-naming-confusion.patch b/SOURCES/cryptsetup-2.6.0-Fix-cipher-convert-routines-naming-confusion.patch deleted file mode 100644 index 27108bc..0000000 --- a/SOURCES/cryptsetup-2.6.0-Fix-cipher-convert-routines-naming-confusion.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 3616da631f83a004a13a575a54df8123f0d65c29 Mon Sep 17 00:00:00 2001 -From: Ondrej Kozina -Date: Mon, 17 Oct 2022 15:18:42 +0200 -Subject: [PATCH 1/5] Fix cipher convert routines naming confusion. - -The function names were in fact swaped. ---- - lib/libdevmapper.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c -index 6c2eab78..0e45a789 100644 ---- a/lib/libdevmapper.c -+++ b/lib/libdevmapper.c -@@ -481,7 +481,7 @@ static size_t int_log10(uint64_t x) - #define CAPIL 144 /* should be enough to fit whole capi string */ - #define CAPIS "143" /* for sscanf of crypto API string + 16 + \0 */ - --static int cipher_c2dm(const char *org_c, const char *org_i, unsigned tag_size, -+static int cipher_dm2c(const char *org_c, const char *org_i, unsigned tag_size, - char *c_dm, int c_dm_size, - char *i_dm, int i_dm_size) - { -@@ -543,7 +543,7 @@ static int cipher_c2dm(const char *org_c, const char *org_i, unsigned tag_size, - return 0; - } - --static int cipher_dm2c(char **org_c, char **org_i, const char *c_dm, const char *i_dm) -+static int cipher_c2dm(char **org_c, char **org_i, const char *c_dm, const char *i_dm) - { - char cipher[CLEN], mode[CLEN], iv[CLEN], auth[CLEN]; - char tmp[CAPIL], dmcrypt_tmp[CAPIL*2], capi[CAPIL+1]; -@@ -629,7 +629,7 @@ static char *get_dm_crypt_params(const struct dm_target *tgt, uint32_t flags) - if (!tgt) - return NULL; - -- r = cipher_c2dm(tgt->u.crypt.cipher, tgt->u.crypt.integrity, tgt->u.crypt.tag_size, -+ r = cipher_dm2c(tgt->u.crypt.cipher, tgt->u.crypt.integrity, tgt->u.crypt.tag_size, - cipher_dm, sizeof(cipher_dm), integrity_dm, sizeof(integrity_dm)); - if (r < 0) - return NULL; -@@ -2066,7 +2066,7 @@ static int _dm_target_query_crypt(struct crypt_device *cd, uint32_t get_flags, - - /* cipher */ - if (get_flags & DM_ACTIVE_CRYPT_CIPHER) { -- r = cipher_dm2c(CONST_CAST(char**)&cipher, -+ r = cipher_c2dm(CONST_CAST(char**)&cipher, - CONST_CAST(char**)&integrity, - rcipher, rintegrity); - if (r < 0) --- -2.38.1 - diff --git a/SOURCES/cryptsetup-2.6.0-Fix-internal-crypt-segment-compare-routine.patch b/SOURCES/cryptsetup-2.6.0-Fix-internal-crypt-segment-compare-routine.patch deleted file mode 100644 index 94b4bdc..0000000 --- a/SOURCES/cryptsetup-2.6.0-Fix-internal-crypt-segment-compare-routine.patch +++ /dev/null @@ -1,130 +0,0 @@ -From 3e4c69a01709d35322ffa17c5360608907a207d7 Mon Sep 17 00:00:00 2001 -From: Ondrej Kozina -Date: Tue, 11 Oct 2022 11:48:13 +0200 -Subject: [PATCH 5/5] Fix internal crypt segment compare routine. - -The function is supposed to check if manipulated -active dm-crypt device matches the on-disk metadata. -Unfortunately it did not take into account differences -between normal cipher specification (aes-xts-plain64) -and capi format specification (capi:xts(aes)-plain64). -The internal query function always converted capi format -in normal format and therefor failed if capi format was -used in metadata. - -Fixes: #759. ---- - lib/setup.c | 36 ++++++++++++++++++++++++++---------- - tests/api-test-2.c | 14 ++++++++++++-- - 2 files changed, 38 insertions(+), 12 deletions(-) - -diff --git a/lib/setup.c b/lib/setup.c -index 6d7411b5..809049b9 100644 ---- a/lib/setup.c -+++ b/lib/setup.c -@@ -2458,6 +2458,9 @@ static int _compare_crypt_devices(struct crypt_device *cd, - const struct dm_target *src, - const struct dm_target *tgt) - { -+ char *src_cipher = NULL, *src_integrity = NULL; -+ int r = -EINVAL; -+ - /* for crypt devices keys are mandatory */ - if (!src->u.crypt.vk || !tgt->u.crypt.vk) - return -EINVAL; -@@ -2465,21 +2468,30 @@ static int _compare_crypt_devices(struct crypt_device *cd, - /* CIPHER checks */ - if (!src->u.crypt.cipher || !tgt->u.crypt.cipher) - return -EINVAL; -- if (strcmp(src->u.crypt.cipher, tgt->u.crypt.cipher)) { -- log_dbg(cd, "Cipher specs do not match."); -+ -+ /* -+ * dm_query_target converts capi cipher specification to dm-crypt format. -+ * We need to do same for cipher specification requested in source -+ * device. -+ */ -+ if (crypt_capi_to_cipher(&src_cipher, &src_integrity, src->u.crypt.cipher, src->u.crypt.integrity)) - return -EINVAL; -+ -+ if (strcmp(src_cipher, tgt->u.crypt.cipher)) { -+ log_dbg(cd, "Cipher specs do not match."); -+ goto out; - } - - if (tgt->u.crypt.vk->keylength == 0 && crypt_is_cipher_null(tgt->u.crypt.cipher)) - log_dbg(cd, "Existing device uses cipher null. Skipping key comparison."); - else if (_compare_volume_keys(src->u.crypt.vk, 0, tgt->u.crypt.vk, tgt->u.crypt.vk->key_description != NULL)) { - log_dbg(cd, "Keys in context and target device do not match."); -- return -EINVAL; -+ goto out; - } - -- if (crypt_strcmp(src->u.crypt.integrity, tgt->u.crypt.integrity)) { -+ if (crypt_strcmp(src_integrity, tgt->u.crypt.integrity)) { - log_dbg(cd, "Integrity parameters do not match."); -- return -EINVAL; -+ goto out; - } - - if (src->u.crypt.offset != tgt->u.crypt.offset || -@@ -2487,15 +2499,19 @@ static int _compare_crypt_devices(struct crypt_device *cd, - src->u.crypt.iv_offset != tgt->u.crypt.iv_offset || - src->u.crypt.tag_size != tgt->u.crypt.tag_size) { - log_dbg(cd, "Integer parameters do not match."); -- return -EINVAL; -+ goto out; - } - -- if (device_is_identical(src->data_device, tgt->data_device) <= 0) { -+ if (device_is_identical(src->data_device, tgt->data_device) <= 0) - log_dbg(cd, "Data devices do not match."); -- return -EINVAL; -- } -+ else -+ r = 0; - -- return 0; -+out: -+ free(src_cipher); -+ free(src_integrity); -+ -+ return r; - } - - static int _compare_integrity_devices(struct crypt_device *cd, -diff --git a/tests/api-test-2.c b/tests/api-test-2.c -index 0534677a..34002d1a 100644 ---- a/tests/api-test-2.c -+++ b/tests/api-test-2.c -@@ -1585,8 +1585,8 @@ static void ResizeDeviceLuks2(void) - - const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; - size_t key_size = strlen(mk_hex) / 2; -- const char *cipher = "aes"; -- const char *cipher_mode = "cbc-essiv:sha256"; -+ const char *cipher = "aes", *capi_cipher = "capi:cbc(aes)"; -+ const char *cipher_mode = "cbc-essiv:sha256", *capi_cipher_mode = "essiv:sha256"; - uint64_t r_payload_offset, r_header_size, r_size; - - /* Cannot use Argon2 in FIPS */ -@@ -1728,6 +1728,16 @@ static void ResizeDeviceLuks2(void) - OK_(crypt_deactivate(cd, CDEVICE_1)); - CRYPT_FREE(cd); - -+ OK_(crypt_init(&cd, DMDIR L_DEVICE_OK)); -+ OK_(crypt_set_pbkdf_type(cd, &pbkdf)); -+ OK_(crypt_format(cd, CRYPT_LUKS2, capi_cipher, capi_cipher_mode, NULL, key, key_size, NULL)); -+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0)); -+ OK_(crypt_resize(cd, CDEVICE_1, 8)); -+ if (!t_device_size(DMDIR CDEVICE_1, &r_size)) -+ EQ_(8, r_size >> SECTOR_SHIFT); -+ OK_(crypt_deactivate(cd, CDEVICE_1)); -+ CRYPT_FREE(cd); -+ - _cleanup_dmdevices(); - } - --- -2.38.1 - diff --git a/SOURCES/cryptsetup-2.6.0-Move-cipher_dm2c-to-crypto-utilities.patch b/SOURCES/cryptsetup-2.6.0-Move-cipher_dm2c-to-crypto-utilities.patch deleted file mode 100644 index 35909ee..0000000 --- a/SOURCES/cryptsetup-2.6.0-Move-cipher_dm2c-to-crypto-utilities.patch +++ /dev/null @@ -1,250 +0,0 @@ -From 9a9ddc7d22e14e14c9a6e97860cffada406adac3 Mon Sep 17 00:00:00 2001 -From: Ondrej Kozina -Date: Tue, 11 Oct 2022 10:50:17 +0200 -Subject: [PATCH 2/5] Move cipher_dm2c to crypto utilities. - -(Gets renamed to crypt_capi_to_cipher) ---- - lib/libdevmapper.c | 84 +++------------------------------------------- - lib/utils_crypt.c | 72 +++++++++++++++++++++++++++++++++++++++ - lib/utils_crypt.h | 11 ++++-- - 3 files changed, 85 insertions(+), 82 deletions(-) - -diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c -index 0e45a789..7fcf843f 100644 ---- a/lib/libdevmapper.c -+++ b/lib/libdevmapper.c -@@ -476,27 +476,22 @@ static size_t int_log10(uint64_t x) - return r; - } - --#define CLEN 64 /* 2*MAX_CIPHER_LEN */ --#define CLENS "63" /* for sscanf length + '\0' */ --#define CAPIL 144 /* should be enough to fit whole capi string */ --#define CAPIS "143" /* for sscanf of crypto API string + 16 + \0 */ -- - static int cipher_dm2c(const char *org_c, const char *org_i, unsigned tag_size, - char *c_dm, int c_dm_size, - char *i_dm, int i_dm_size) - { - int c_size = 0, i_size = 0, i; -- char cipher[CLEN], mode[CLEN], iv[CLEN+1], tmp[CLEN]; -- char capi[CAPIL]; -+ char cipher[MAX_CAPI_ONE_LEN], mode[MAX_CAPI_ONE_LEN], iv[MAX_CAPI_ONE_LEN+1], -+ tmp[MAX_CAPI_ONE_LEN], capi[MAX_CAPI_LEN]; - - if (!c_dm || !c_dm_size || !i_dm || !i_dm_size) - return -EINVAL; - -- i = sscanf(org_c, "%" CLENS "[^-]-%" CLENS "s", cipher, tmp); -+ i = sscanf(org_c, "%" MAX_CAPI_ONE_LEN_STR "[^-]-%" MAX_CAPI_ONE_LEN_STR "s", cipher, tmp); - if (i != 2) - return -EINVAL; - -- i = sscanf(tmp, "%" CLENS "[^-]-%" CLENS "s", mode, iv); -+ i = sscanf(tmp, "%" MAX_CAPI_ONE_LEN_STR "[^-]-%" MAX_CAPI_ONE_LEN_STR "s", mode, iv); - if (i == 1) { - memset(iv, 0, sizeof(iv)); - strncpy(iv, mode, sizeof(iv)-1); -@@ -543,75 +538,6 @@ static int cipher_dm2c(const char *org_c, const char *org_i, unsigned tag_size, - return 0; - } - --static int cipher_c2dm(char **org_c, char **org_i, const char *c_dm, const char *i_dm) --{ -- char cipher[CLEN], mode[CLEN], iv[CLEN], auth[CLEN]; -- char tmp[CAPIL], dmcrypt_tmp[CAPIL*2], capi[CAPIL+1]; -- size_t len; -- int i; -- -- if (!c_dm) -- return -EINVAL; -- -- /* legacy mode */ -- if (strncmp(c_dm, "capi:", 4)) { -- if (!(*org_c = strdup(c_dm))) -- return -ENOMEM; -- *org_i = NULL; -- return 0; -- } -- -- /* modes with capi: prefix */ -- i = sscanf(c_dm, "capi:%" CAPIS "[^-]-%" CLENS "s", tmp, iv); -- if (i != 2) -- return -EINVAL; -- -- len = strlen(tmp); -- if (len < 2) -- return -EINVAL; -- -- if (tmp[len-1] == ')') -- tmp[len-1] = '\0'; -- -- if (sscanf(tmp, "rfc4309(%" CAPIS "s", capi) == 1) { -- if (!(*org_i = strdup("aead"))) -- return -ENOMEM; -- } else if (sscanf(tmp, "rfc7539(%" CAPIS "[^,],%" CLENS "s", capi, auth) == 2) { -- if (!(*org_i = strdup(auth))) -- return -ENOMEM; -- } else if (sscanf(tmp, "authenc(%" CLENS "[^,],%" CAPIS "s", auth, capi) == 2) { -- if (!(*org_i = strdup(auth))) -- return -ENOMEM; -- } else { -- if (i_dm) { -- if (!(*org_i = strdup(i_dm))) -- return -ENOMEM; -- } else -- *org_i = NULL; -- memset(capi, 0, sizeof(capi)); -- strncpy(capi, tmp, sizeof(capi)-1); -- } -- -- i = sscanf(capi, "%" CLENS "[^(](%" CLENS "[^)])", mode, cipher); -- if (i == 2) -- i = snprintf(dmcrypt_tmp, sizeof(dmcrypt_tmp), "%s-%s-%s", cipher, mode, iv); -- else -- i = snprintf(dmcrypt_tmp, sizeof(dmcrypt_tmp), "%s-%s", capi, iv); -- if (i < 0 || (size_t)i >= sizeof(dmcrypt_tmp)) { -- free(*org_i); -- *org_i = NULL; -- return -EINVAL; -- } -- -- if (!(*org_c = strdup(dmcrypt_tmp))) { -- free(*org_i); -- *org_i = NULL; -- return -ENOMEM; -- } -- -- return 0; --} -- - static char *_uf(char *buf, size_t buf_size, const char *s, unsigned u) - { - size_t r = snprintf(buf, buf_size, " %s:%u", s, u); -@@ -2066,7 +1992,7 @@ static int _dm_target_query_crypt(struct crypt_device *cd, uint32_t get_flags, - - /* cipher */ - if (get_flags & DM_ACTIVE_CRYPT_CIPHER) { -- r = cipher_c2dm(CONST_CAST(char**)&cipher, -+ r = crypt_capi_to_cipher(CONST_CAST(char**)&cipher, - CONST_CAST(char**)&integrity, - rcipher, rintegrity); - if (r < 0) -diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c -index 83d0a2c5..4f4dbba8 100644 ---- a/lib/utils_crypt.c -+++ b/lib/utils_crypt.c -@@ -31,6 +31,8 @@ - #include "libcryptsetup.h" - #include "utils_crypt.h" - -+#define MAX_CAPI_LEN_STR "143" /* for sscanf of crypto API string + 16 + \0 */ -+ - int crypt_parse_name_and_mode(const char *s, char *cipher, int *key_nums, - char *cipher_mode) - { -@@ -266,3 +268,73 @@ bool crypt_is_cipher_null(const char *cipher_spec) - return false; - return (strstr(cipher_spec, "cipher_null") || !strcmp(cipher_spec, "null")); - } -+ -+int crypt_capi_to_cipher(char **org_c, char **org_i, const char *c_dm, const char *i_dm) -+{ -+ char cipher[MAX_CAPI_ONE_LEN], mode[MAX_CAPI_ONE_LEN], iv[MAX_CAPI_ONE_LEN], -+ auth[MAX_CAPI_ONE_LEN], tmp[MAX_CAPI_LEN], dmcrypt_tmp[MAX_CAPI_LEN*2], -+ capi[MAX_CAPI_LEN+1]; -+ size_t len; -+ int i; -+ -+ if (!c_dm) -+ return -EINVAL; -+ -+ /* legacy mode */ -+ if (strncmp(c_dm, "capi:", 4)) { -+ if (!(*org_c = strdup(c_dm))) -+ return -ENOMEM; -+ *org_i = NULL; -+ return 0; -+ } -+ -+ /* modes with capi: prefix */ -+ i = sscanf(c_dm, "capi:%" MAX_CAPI_LEN_STR "[^-]-%" MAX_CAPI_ONE_LEN_STR "s", tmp, iv); -+ if (i != 2) -+ return -EINVAL; -+ -+ len = strlen(tmp); -+ if (len < 2) -+ return -EINVAL; -+ -+ if (tmp[len-1] == ')') -+ tmp[len-1] = '\0'; -+ -+ if (sscanf(tmp, "rfc4309(%" MAX_CAPI_LEN_STR "s", capi) == 1) { -+ if (!(*org_i = strdup("aead"))) -+ return -ENOMEM; -+ } else if (sscanf(tmp, "rfc7539(%" MAX_CAPI_LEN_STR "[^,],%" MAX_CAPI_ONE_LEN_STR "s", capi, auth) == 2) { -+ if (!(*org_i = strdup(auth))) -+ return -ENOMEM; -+ } else if (sscanf(tmp, "authenc(%" MAX_CAPI_ONE_LEN_STR "[^,],%" MAX_CAPI_LEN_STR "s", auth, capi) == 2) { -+ if (!(*org_i = strdup(auth))) -+ return -ENOMEM; -+ } else { -+ if (i_dm) { -+ if (!(*org_i = strdup(i_dm))) -+ return -ENOMEM; -+ } else -+ *org_i = NULL; -+ memset(capi, 0, sizeof(capi)); -+ strncpy(capi, tmp, sizeof(capi)-1); -+ } -+ -+ i = sscanf(capi, "%" MAX_CAPI_ONE_LEN_STR "[^(](%" MAX_CAPI_ONE_LEN_STR "[^)])", mode, cipher); -+ if (i == 2) -+ i = snprintf(dmcrypt_tmp, sizeof(dmcrypt_tmp), "%s-%s-%s", cipher, mode, iv); -+ else -+ i = snprintf(dmcrypt_tmp, sizeof(dmcrypt_tmp), "%s-%s", capi, iv); -+ if (i < 0 || (size_t)i >= sizeof(dmcrypt_tmp)) { -+ free(*org_i); -+ *org_i = NULL; -+ return -EINVAL; -+ } -+ -+ if (!(*org_c = strdup(dmcrypt_tmp))) { -+ free(*org_i); -+ *org_i = NULL; -+ return -ENOMEM; -+ } -+ -+ return 0; -+} -diff --git a/lib/utils_crypt.h b/lib/utils_crypt.h -index 5922350a..a4a9b6ca 100644 ---- a/lib/utils_crypt.h -+++ b/lib/utils_crypt.h -@@ -27,9 +27,12 @@ - #include - #include - --#define MAX_CIPHER_LEN 32 --#define MAX_CIPHER_LEN_STR "31" --#define MAX_KEYFILES 32 -+#define MAX_CIPHER_LEN 32 -+#define MAX_CIPHER_LEN_STR "31" -+#define MAX_KEYFILES 32 -+#define MAX_CAPI_ONE_LEN 2 * MAX_CIPHER_LEN -+#define MAX_CAPI_ONE_LEN_STR "63" /* for sscanf length + '\0' */ -+#define MAX_CAPI_LEN 144 /* should be enough to fit whole capi string */ - - int crypt_parse_name_and_mode(const char *s, char *cipher, - int *key_nums, char *cipher_mode); -@@ -46,4 +49,6 @@ void crypt_log_hex(struct crypt_device *cd, - - bool crypt_is_cipher_null(const char *cipher_spec); - -+int crypt_capi_to_cipher(char **org_c, char **org_i, const char *c_dm, const char *i_dm); -+ - #endif /* _UTILS_CRYPT_H */ --- -2.38.1 - diff --git a/SOURCES/cryptsetup-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch b/SOURCES/cryptsetup-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch deleted file mode 100644 index b8c056d..0000000 --- a/SOURCES/cryptsetup-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch +++ /dev/null @@ -1,154 +0,0 @@ -From c18dcfaa0b91eb48006232fbfadce9e6a9b4a790 Mon Sep 17 00:00:00 2001 -From: Ondrej Kozina -Date: Fri, 2 Dec 2022 15:39:36 +0100 -Subject: [PATCH 2/2] Abort encryption when header and data devices are same. - -If data device reduction is not requsted this led -to data corruption since LUKS metadata was written -over the data device. ---- - src/utils_reencrypt.c | 42 ++++++++++++++++++++++++++++++---- - tests/luks2-reencryption-test | 16 +++++++++++++ - tests/reencryption-compat-test | 20 +++++++++++++--- - 3 files changed, 70 insertions(+), 8 deletions(-) - -diff --git a/src/utils_tools.c b/src/utils_tools.c ---- a/src/utils_tools.c -+++ b/src/utils_tools.c -@@ -624,3 +624,23 @@ int tools_reencrypt_progress(uint64_t si - - return r; - } -+ -+int reencrypt_is_header_detached(const char *header_device, const char *data_device) -+{ -+ int r; -+ struct stat st; -+ struct crypt_device *cd; -+ -+ if (!header_device) -+ return 0; -+ -+ if (header_device && stat(header_device, &st) < 0 && errno == ENOENT) -+ return 1; -+ -+ if ((r = crypt_init_data_device(&cd, header_device, data_device))) -+ return r; -+ -+ r = crypt_get_metadata_device_name(cd) && crypt_get_device_name(cd) && strcmp(crypt_get_metadata_device_name(cd), crypt_get_device_name(cd)); -+ crypt_free(cd); -+ return r; -+} -diff --git a/src/cryptsetup.h b/src/cryptsetup.h ---- a/src/cryptsetup.h -+++ b/src/cryptsetup.h -@@ -103,6 +103,7 @@ void tools_clear_line(void); - - int tools_wipe_progress(uint64_t size, uint64_t offset, void *usrptr); - int tools_reencrypt_progress(uint64_t size, uint64_t offset, void *usrptr); -+int reencrypt_is_header_detached(const char *header_device, const char *data_device); - - int tools_read_mk(const char *file, char **key, int keysize); - int tools_write_mk(const char *file, const char *key, int keysize); -diff --git a/src/cryptsetup.c b/src/cryptsetup.c ---- a/src/cryptsetup.c -+++ b/src/cryptsetup.c -@@ -2892,6 +2892,16 @@ static int action_encrypt_luks2(struct c - return -ENOTSUP; - } - -+ if (!opt_data_shift) { -+ r = reencrypt_is_header_detached(opt_header_device, action_argv[0]); -+ if (r < 0) -+ return r; -+ if (!r) { -+ log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size).")); -+ return -ENOTSUP; -+ } -+ } -+ - if (!opt_header_device && opt_offset && opt_data_shift && (opt_offset > (imaxabs(opt_data_shift) / (2 * SECTOR_SIZE)))) { - log_err(_("Requested data offset must be less than or equal to half of --reduce-device-size parameter.")); - return -EINVAL; -diff --git a/src/cryptsetup_reencrypt.c b/src/cryptsetup_reencrypt.c ---- a/src/cryptsetup_reencrypt.c -+++ b/src/cryptsetup_reencrypt.c -@@ -1553,6 +1553,17 @@ static int run_reencrypt(const char *dev - goto out; - } - -+ if (rc.reencrypt_mode == ENCRYPT) { -+ r = reencrypt_is_header_detached(opt_header_device, action_argv[0]); -+ if (r < 0) -+ goto out; -+ if (!r && !opt_reduce_size) { -+ log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size).")); -+ r = -ENOTSUP; -+ goto out; -+ } -+ } -+ - log_dbg("Running reencryption."); - - if (!rc.in_progress) { -diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test -index bab54353..a647a8c2 100755 ---- a/tests/luks2-reencryption-test -+++ b/tests/luks2-reencryption-test -@@ -1080,6 +1080,15 @@ $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail - $CRYPTSETUP close $DEV_NAME - echo $PWD1 | $CRYPTSETUP open --header $IMG_HDR $DEV --test-passphrase || fail - -+# Encrypt without size reduction must not allow header device same as data device -+wipe_dev_head $DEV 1 -+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --type luks2 --encrypt --header $DEV -q $FAST_PBKDF_ARGON 2>/dev/null && fail -+$CRYPTSETUP isLUKS $DEV 2>/dev/null && fail -+ -+dd if=/dev/zero of=$IMG bs=4k count=1 >/dev/null 2>&1 -+echo $PWD1 | $CRYPTSETUP reencrypt $IMG --type luks2 --encrypt --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail -+$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail -+ - echo "[4] Reencryption with detached header" - wipe $PWD1 $IMG_HDR - echo $PWD1 | $CRYPTSETUP reencrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail -diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test -index f6a84137..453831d1 100755 ---- a/tests/reencryption-compat-test -+++ b/tests/reencryption-compat-test -@@ -11,5 +11,6 @@ IMG=reenc-data - IMG_HDR=$IMG.hdr - ORIG_IMG=reenc-data-orig -+DEV_LINK="reenc-test-link" - KEY1=key1 - PWD1="93R4P4pIqAH8" - PWD2="1cND4319812f" -@@ -40,7 +41,7 @@ function remove_mapping() - [ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2 - [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME - [ ! -z "$LOOPDEV1" ] && losetup -d $LOOPDEV1 >/dev/null 2>&1 -- rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 >/dev/null 2>&1 -+ rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $DEV_LINK >/dev/null 2>&1 - umount $MNT_DIR > /dev/null 2>&1 - rmdir $MNT_DIR > /dev/null 2>&1 - LOOPDEV1="" -@@ -265,10 +265,16 @@ $REENC $LOOPDEV1 -d $KEY1 $FAST_PBKDF -q - # FIXME echo $PWD1 | $REENC ... - - echo "[4] Encryption of not yet encrypted device" -+# Encrypt without size reduction must not allow header device same as data device -+wipe_dev $LOOPDEV1 -+echo $PWD1 | $REENC $LOOPDEV1 --type luks1 --new --header $LOOPDEV1 -q $FAST_PBKDF_ARGON 2>/dev/null && fail -+$CRYPTSETUP isLUKS $LOOPDEV1 2>/dev/null && fail -+echo $PWD1 | $REENC $IMG --type luks1 --new --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail -+$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail -+ - # well, movin' zeroes :-) - OFFSET=2048 - SIZE=$(blockdev --getsz $LOOPDEV1) --wipe_dev $LOOPDEV1 - dmsetup create $DEV_NAME2 --table "0 $(($SIZE - $OFFSET)) linear $LOOPDEV1 0" || fail - check_hash_dev /dev/mapper/$DEV_NAME2 $HASH3 - dmsetup remove --retry $DEV_NAME2 || fail --- -2.38.1 - diff --git a/SOURCES/cryptsetup-2.7.0-Also-disallow-active-devices-with-internal-kernel-na.patch b/SOURCES/cryptsetup-2.7.0-Also-disallow-active-devices-with-internal-kernel-na.patch deleted file mode 100644 index 31dc60c..0000000 --- a/SOURCES/cryptsetup-2.7.0-Also-disallow-active-devices-with-internal-kernel-na.patch +++ /dev/null @@ -1,79 +0,0 @@ -From dff9ee8c8cb68432e96261b87aabb7aaa51215e7 Mon Sep 17 00:00:00 2001 -From: Milan Broz -Date: Tue, 2 May 2023 15:42:21 +0200 -Subject: [PATCH] Also disallow active devices with internal kernel names. - -The same problem fixed in commit 438cf1d1b3ef6d7405cfbcbe5f631d3d7467a605 -is present in libdevmapper wrapper when parsing active device table. - -The whole point of conversion was that non-authenticated modes -can be always represented in the old cipher-mode-iv format. -As the internal names contains dash, these are unsupported. - -That said, the libdevmapper backend now correctly returns -full cipher specification including capi prefix for this case. - -Init_by_name call now fails with incomplatible cipher definition error. ---- - lib/setup.c | 2 +- - lib/utils_crypt.c | 9 +++++++++ - tests/mode-test | 5 +++++ - 3 files changed, 15 insertions(+), 1 deletion(-) - -Index: cryptsetup-2.3.7/lib/setup.c -=================================================================== ---- cryptsetup-2.3.7.orig/lib/setup.c -+++ cryptsetup-2.3.7/lib/setup.c -@@ -1188,7 +1188,7 @@ static int _init_by_name_crypt(struct cr - r = crypt_parse_name_and_mode(tgt->type == DM_LINEAR ? "null" : tgt->u.crypt.cipher, cipher, - &key_nums, cipher_mode); - if (r < 0) { -- log_dbg(cd, "Cannot parse cipher and mode from active device."); -+ log_err(cd, _("No known cipher specification pattern detected for active device %s."), name); - goto out; - } - -Index: cryptsetup-2.3.7/lib/utils_crypt.c -=================================================================== ---- cryptsetup-2.3.7.orig/lib/utils_crypt.c -+++ cryptsetup-2.3.7/lib/utils_crypt.c -@@ -224,6 +224,15 @@ int crypt_capi_to_cipher(char **org_c, c - if (i != 2) - return -EINVAL; - -+ /* non-cryptsetup compatible mode (generic driver with dash?) */ -+ if (strrchr(iv, ')')) { -+ if (i_dm) -+ return -EINVAL; -+ if (!(*org_c = strdup(c_dm))) -+ return -ENOMEM; -+ return 0; -+ } -+ - len = strlen(tmp); - if (len < 2) - return -EINVAL; -Index: cryptsetup-2.3.7/tests/mode-test -=================================================================== ---- cryptsetup-2.3.7.orig/tests/mode-test -+++ cryptsetup-2.3.7/tests/mode-test -@@ -8,6 +8,8 @@ DEV_NAME=dmc_test - HEADER_IMG=mode-test.img - PASSWORD=3xrododenron - PASSWORD1=$PASSWORD -+KEY="7c0dc5dfd0c9191381d92e6ebb3b29e7f0dba53b0de132ae23f5726727173540" -+FAST_PBKDF2="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" - - # cipher-chainmode-ivopts:ivmode - CIPHERS="aes twofish serpent" -@@ -172,6 +174,10 @@ echo -n "CAPI format:" - echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail - $CRYPTSETUP close "$DEV_NAME"_tstdev || fail - echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail -+dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail -+$CRYPTSETUP status "$DEV_NAME"_tstdev >/dev/null 2>&1 && fail -+$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null && fail -+dmsetup remove "$DEV_NAME"_tstdev || fail - echo [OK] - - cleanup diff --git a/SOURCES/cryptsetup-2.7.0-Disallow-use-of-internal-kenrel-crypto-driver-names-.patch b/SOURCES/cryptsetup-2.7.0-Disallow-use-of-internal-kenrel-crypto-driver-names-.patch deleted file mode 100644 index d689213..0000000 --- a/SOURCES/cryptsetup-2.7.0-Disallow-use-of-internal-kenrel-crypto-driver-names-.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 438cf1d1b3ef6d7405cfbcbe5f631d3d7467a605 Mon Sep 17 00:00:00 2001 -From: Milan Broz -Date: Mon, 24 Apr 2023 21:19:03 +0200 -Subject: [PATCH] Disallow use of internal kenrel crypto driver names in "capi" - specification. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The common way to specify cipher mode in cryptsetup -is to use cipher-mode-iv notation (like aes-xts-plain64). -With introduction of authenticated ciphers we also allow "capi:" -notation that is directly used by dm-crypt (e.g. capi:xts(aes)-plain64). - -CAPI specification was never intended to be used with internal -kernel crypto api names (with dash in algorithm name), actually the -whole parsing routine wrongly parses mode here now. - -The code not checks if parsing wrongly separated the full cipher -string and effectively allowing only proper cipher names -(example of no longer supported string is capi:xts(ecb(aes-generic))-plain64). - -Thanks to Jan Wichelmann, Luca Wilke and Thomas Eisenbarth from -University of Lübeck for noticing the problems with this code. - -Fixes: #809 ---- - lib/utils_crypt.c | 8 +++++++- - tests/mode-test | 6 ++++++ - 2 files changed, 13 insertions(+), 1 deletion(-) - -diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c -index 0b7dc378..c1bde000 100644 ---- a/lib/utils_crypt.c -+++ b/lib/utils_crypt.c -@@ -43,7 +43,13 @@ int crypt_parse_name_and_mode(const char *s, char *cipher, int *key_nums, - cipher, cipher_mode) == 2) { - if (!strcmp(cipher_mode, "plain")) - strcpy(cipher_mode, "cbc-plain"); -- if (key_nums) { -+ if (!strncmp(cipher, "capi:", 5)) { -+ /* CAPI must not use internal cipher driver names with dash */ -+ if (strchr(cipher_mode, ')')) -+ return -EINVAL; -+ if (key_nums) -+ *key_nums = 1; -+ } else if (key_nums) { - char *tmp = strchr(cipher, ':'); - *key_nums = tmp ? atoi(++tmp) : 1; - if (!*key_nums) -diff --git a/tests/mode-test b/tests/mode-test -index 82171fbd..fe61880a 100755 ---- a/tests/mode-test -+++ b/tests/mode-test -@@ -184,4 +184,10 @@ done - dmcrypt xchacha12,aes-adiantum-plain64 - dmcrypt xchacha20,aes-adiantum-plain64 - -+echo -n "CAPI format:" -+echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail -+$CRYPTSETUP close "$DEV_NAME"_tstdev || fail -+echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail -+echo [OK] -+ - cleanup --- -2.40.1 - diff --git a/SOURCES/cryptsetup-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch b/SOURCES/cryptsetup-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch deleted file mode 100644 index 97c83d7..0000000 --- a/SOURCES/cryptsetup-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch +++ /dev/null @@ -1,103 +0,0 @@ -From b8711faf92868dc82b1a64e7673740444199b2ca Mon Sep 17 00:00:00 2001 -From: Milan Broz -Date: Sun, 25 Jun 2023 23:32:13 +0200 -Subject: [PATCH 2/2] Fix activation of LUKS2 with capi format cipher and - kernel crypt name. - -While activation of internal cipher algorithms (like aes-generic) -is disallowed, some old LUKS2 images can still use it. - -Check the cipher in activate call, but allow to load LUKS2 metadata. -This can allow to add repair code easily and also allow luksDump. - -Also fix segfault in reencrypt code for such a header. - -Fixes: #820 ---- - lib/luks2/luks2_json_metadata.c | 5 +++++ - tests/Makefile.am | 4 +++- - tests/compat-test2 | 17 ++++++++++++++++- - tests/luks2_invalid_cipher.img.xz | Bin 0 -> 135372 bytes - tests/meson.build | 1 + - 5 files changed, 25 insertions(+), 2 deletions(-) - create mode 100644 tests/luks2_invalid_cipher.img.xz - -Index: cryptsetup-2.3.7/lib/luks2/luks2_json_metadata.c -=================================================================== ---- cryptsetup-2.3.7.orig/lib/luks2/luks2_json_metadata.c -+++ cryptsetup-2.3.7/lib/luks2/luks2_json_metadata.c -@@ -2324,6 +2324,11 @@ int LUKS2_activate(struct crypt_device * - if ((r = LUKS2_unmet_requirements(cd, hdr, 0, 0))) - return r; - -+ /* Check that cipher is in compatible format */ -+ if (!crypt_get_cipher(cd)) { -+ log_err(cd, _("No known cipher specification pattern detected in LUKS2 header.")); -+ return -EINVAL; -+ } - r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd), - vk, crypt_get_cipher_spec(cd), crypt_get_iv_offset(cd), - crypt_get_data_offset(cd), crypt_get_integrity(cd) ?: "none", -Index: cryptsetup-2.3.7/tests/compat-test2 -=================================================================== ---- cryptsetup-2.3.7.orig/tests/compat-test2 -+++ cryptsetup-2.3.7/tests/compat-test2 -@@ -3,6 +3,7 @@ - PS4='$LINENO:' - [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".." - CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup -+CRYPTSETUP_REENCRYPT=$CRYPTSETUP_PATH/cryptsetup-reencrypt - - CRYPTSETUP_VALGRIND=../.libs/cryptsetup - CRYPTSETUP_LIB_VALGRIND=../.libs -@@ -16,6 +17,7 @@ IMG10=luks-test-v10 - HEADER_IMG=luks-header - HEADER_KEYU=luks2_keyslot_unassigned.img - HEADER_LUKS2_PV=blkid-luks2-pv.img -+HEADER_LUKS2_INV=luks2_invalid_cipher.img - KEY1=key1 - KEY2=key2 - KEY5=key5 -@@ -50,7 +52,9 @@ function remove_mapping() - [ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2 - [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME - losetup -d $LOOPDEV >/dev/null 2>&1 -- rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE $HEADER_LUKS2_PV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* $KEY_FILE0 $KEY_FILE1 >/dev/null 2>&1 -+ rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE \ -+ $HEADER_LUKS2_PV $HEADER_LUKS2_INV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* \ -+ $KEY_FILE0 $KEY_FILE1 >/dev/null 2>&1 - - # unlink whole test keyring - [ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null -@@ -1049,5 +1053,19 @@ for cipher in $CIPHERS ; do - done - echo - -+prepare "[44] LUKS2 invalid cipher (kernel cipher driver name)" wipe -+xz -dk $HEADER_LUKS2_INV.xz -+dd if=$HEADER_LUKS2_INV of=$IMG conv=notrunc >/dev/null 2>&1 -+$CRYPTSETUP -q luksDump $LOOPDEV | grep -q "capi:xts(ecb(aes-generic))-plain64" || fail -+echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail -+echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME 2>&1 | grep -q "No known cipher specification pattern" || fail -+echo $PWD1 | $CRYPTSETUP reencrypt $LOOPDEV >/dev/null 2>&1 && fail -+echo $PWD1 | $CRYPTSETUP reencrypt $LOOPDEV 2>&1 | grep -q "No known cipher specification pattern" || fail -+echo $PWD1 | $CRYPTSETUP_REENCRYPT $LOOPDEV 2>&1 | grep -q "No known cipher specification pattern" || fail -+dmsetup create $DEV_NAME --uuid CRYPT-LUKS2-3d20686f551748cb89911ad32379821b-test --table \ -+ "0 8 crypt capi:xts(ecb(aes-generic))-plain64 edaa40709797973715e572bf7d86fcbb9cfe2051083c33c28d58fe4e1e7ff642 0 $LOOPDEV 32768" -+$CRYPTSETUP status $DEV_NAME | grep -q "n/a" || fail -+$CRYPTSETUP close $DEV_NAME ||fail -+ - remove_mapping - exit 0 -Index: cryptsetup-2.3.7/src/cryptsetup.h -=================================================================== ---- cryptsetup-2.3.7.orig/src/cryptsetup.h -+++ cryptsetup-2.3.7/src/cryptsetup.h -@@ -103,6 +103,7 @@ void tools_clear_line(void); - int tools_wipe_progress(uint64_t size, uint64_t offset, void *usrptr); - int tools_reencrypt_progress(uint64_t size, uint64_t offset, void *usrptr); - int reencrypt_is_header_detached(const char *header_device, const char *data_device); -+bool luks2_reencrypt_eligible(struct crypt_device *cd); - - int tools_read_mk(const char *file, char **key, int keysize); - int tools_write_mk(const char *file, const char *key, int keysize); diff --git a/SOURCES/cryptsetup-2.7.0-Fix-init_by_name-to-allow-unknown-cipher-format-in-d.patch b/SOURCES/cryptsetup-2.7.0-Fix-init_by_name-to-allow-unknown-cipher-format-in-d.patch deleted file mode 100644 index fdbc060..0000000 --- a/SOURCES/cryptsetup-2.7.0-Fix-init_by_name-to-allow-unknown-cipher-format-in-d.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 53aa5f6c4f7439db1b25846597fb5603870ba55e Mon Sep 17 00:00:00 2001 -From: Milan Broz -Date: Mon, 5 Jun 2023 16:02:06 +0200 -Subject: [PATCH] Fix init_by_name to allow unknown cipher format in dm-crypt - as null context. - -Deactivation code should deactivate dm-crypt device even if it is unknown -for libcryptsetup. Previous fix for cipher specification was too strict. - -Let's allow initialization as null context, that allow status and -deactivate to be usable again. ---- - lib/setup.c | 6 ++++++ - tests/mode-test | 5 ++--- - 2 files changed, 8 insertions(+), 3 deletions(-) - -diff --git a/lib/setup.c b/lib/setup.c -index fd17be8c..786aa900 100644 ---- a/lib/setup.c -+++ b/lib/setup.c -@@ -1276,6 +1276,12 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name) - r = crypt_parse_name_and_mode(tgt->type == DM_LINEAR ? "null" : tgt->u.crypt.cipher, cipher, - &key_nums, cipher_mode); - if (r < 0) { -+ /* Allow crypt null context with unknown cipher string */ -+ if (tgt->type == DM_CRYPT && !tgt->u.crypt.integrity) { -+ crypt_set_null_type(cd); -+ r = 0; -+ goto out; -+ } - log_err(cd, _("No known cipher specification pattern detected for active device %s."), name); - goto out; - } -diff --git a/tests/mode-test b/tests/mode-test -index 4775751e..7f7f20a1 100755 ---- a/tests/mode-test -+++ b/tests/mode-test -@@ -190,9 +190,8 @@ echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 - $CRYPTSETUP close "$DEV_NAME"_tstdev || fail - echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail - dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail --$CRYPTSETUP status "$DEV_NAME"_tstdev >/dev/null 2>&1 && fail --$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null && fail --dmsetup remove "$DEV_NAME"_tstdev || fail -+$CRYPTSETUP status "$DEV_NAME"_tstdev 2>/dev/null | grep "type:" | grep -q "n/a" || fail -+$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null || fail - echo [OK] - - cleanup --- -2.40.1 - diff --git a/SOURCES/cryptsetup-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch b/SOURCES/cryptsetup-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch deleted file mode 100644 index 19752ac..0000000 --- a/SOURCES/cryptsetup-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch +++ /dev/null @@ -1,81 +0,0 @@ -From 1f01eea60e38ac92aa05e4b95372d54b7b9095df Mon Sep 17 00:00:00 2001 -From: Milan Broz -Date: Mon, 26 Jun 2023 13:25:59 +0200 -Subject: [PATCH 1/2] Fix reencryption to fail properly for unknown cipher. - -crypt_get_cipher and crypt_get_cipher mode can return NULL, -check it in advance. ---- - src/utils_reencrypt.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -Index: cryptsetup-2.3.7/src/cryptsetup.c -=================================================================== ---- cryptsetup-2.3.7.orig/src/cryptsetup.c -+++ cryptsetup-2.3.7/src/cryptsetup.c -@@ -2999,6 +2999,12 @@ static int action_encrypt_luks2(struct c - if (r < 0) - goto err; - -+ if (!crypt_get_cipher(*cd)) { -+ log_err(_("No known cipher specification pattern detected in LUKS2 header.")); -+ r = -EINVAL; -+ goto err; -+ } -+ - if (opt_data_shift) { - params.data_shift = imaxabs(opt_data_shift) / SECTOR_SIZE, - params.resilience = "datashift"; -@@ -3068,6 +3074,11 @@ static int action_decrypt_luks2(struct c - }; - size_t passwordLen; - -+ if (!crypt_get_cipher(cd)) { -+ log_err(_("No known cipher specification pattern detected in LUKS2 header.")); -+ return -EINVAL; -+ } -+ - if (!crypt_get_metadata_device_name(cd) || !crypt_get_device_name(cd) || - !strcmp(crypt_get_metadata_device_name(cd), crypt_get_device_name(cd))) { - log_err(_("LUKS2 decryption is supported with detached header device only.")); -@@ -3289,6 +3300,11 @@ static int action_reencrypt_luks2(struct - .luks2 = &luks2_params, - }; - -+ if (!crypt_get_cipher(cd)) { -+ log_err(_("No known cipher specification pattern detected in LUKS2 header.")); -+ return -EINVAL; -+ } -+ - _set_reencryption_flags(¶ms.flags); - - if (!opt_cipher && crypt_is_cipher_null(crypt_get_cipher(cd))) { -Index: cryptsetup-2.3.7/src/cryptsetup_reencrypt.c -=================================================================== ---- cryptsetup-2.3.7.orig/src/cryptsetup_reencrypt.c -+++ cryptsetup-2.3.7/src/cryptsetup_reencrypt.c -@@ -185,6 +185,11 @@ static int set_reencrypt_requirement(con - crypt_persistent_flags_get(cd, CRYPT_FLAGS_REQUIREMENTS, &reqs)) - goto out; - -+ if (!crypt_get_cipher(cd)) { -+ log_err(_("No known cipher specification pattern detected in LUKS2 header.")); -+ goto out; -+ } -+ - /* reencrypt already in-progress */ - if (reqs & CRYPT_REQUIREMENT_OFFLINE_REENCRYPT) { - log_err(_("Reencryption already in-progress.")); -@@ -709,6 +714,12 @@ static int backup_luks_headers(struct re - (r = crypt_load(cd, CRYPT_LUKS, NULL))) - goto out; - -+ if (!crypt_get_cipher(cd)) { -+ log_err(_("No known cipher specification pattern detected in LUKS2 header.")); -+ r = -EINVAL; -+ goto out; -+ } -+ - if ((r = crypt_header_backup(cd, CRYPT_LUKS, rc->header_file_org))) - goto out; - if (isLUKS2(rc->type)) { diff --git a/SOURCES/cryptsetup-add-system-library-paths.patch b/SOURCES/cryptsetup-add-system-library-paths.patch deleted file mode 100644 index cc22adf..0000000 --- a/SOURCES/cryptsetup-add-system-library-paths.patch +++ /dev/null @@ -1,22 +0,0 @@ -diff -rupN cryptsetup-2.0.4.old/configure cryptsetup-2.0.4/configure ---- cryptsetup-2.0.4.old/configure 2018-08-03 12:31:52.000000000 +0200 -+++ cryptsetup-2.0.4/configure 2018-08-03 13:42:50.605275535 +0200 -@@ -12300,6 +12300,9 @@ fi - # before this can be enabled. - hardcode_into_libs=yes - -+ # Add ABI-specific directories to the system library path. -+ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" -+ - # Ideally, we could use ldconfig to report *all* directores which are - # searched for libraries, however this is still not possible. Aside from not - # being certain /sbin/ldconfig is available, command -@@ -12308,7 +12311,7 @@ fi - # appending ld.so.conf contents (and includes) to the search path. - if test -f /etc/ld.so.conf; then - lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` -- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" -+ sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra" - fi - - # We used to test for /lib/ld.so.1 and disable shared libraries on diff --git a/SOURCES/cryptsetup-disable-verity-compat-test.patch b/SOURCES/cryptsetup-disable-verity-compat-test.patch deleted file mode 100644 index efc3363..0000000 --- a/SOURCES/cryptsetup-disable-verity-compat-test.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/tests/Makefile.localtest b/tests/Makefile.localtest -index 29a62f3..da2183e 100644 ---- a/tests/Makefile.localtest -+++ b/tests/Makefile.localtest -@@ -5,7 +5,7 @@ - CPPFLAGS=-I../lib/ -I../lib/luks1 -DHAVE_DECL_DM_TASK_RETRY_REMOVE -DKERNEL_KEYRING -DHAVE_SYS_SYSMACROS_H -DNO_CRYPTSETUP_PATH - CFLAGS=-O2 -g -Wall - LDLIBS=-lcryptsetup -ldevmapper --TESTS=$(wildcard *-test *-test2) api-test api-test-2 -+TESTS=$(filter-out verity-compat-test, $(wildcard *-test *-test2)) api-test api-test-2 - - differ: differ.o - $(CC) -o $@ $^ diff --git a/SPECS/cryptsetup.spec b/SPECS/cryptsetup.spec deleted file mode 100644 index 9baa81b..0000000 --- a/SPECS/cryptsetup.spec +++ /dev/null @@ -1,297 +0,0 @@ -Obsoletes: python2-cryptsetup -Obsoletes: cryptsetup-python -Obsoletes: cryptsetup-python3 - -Summary: A utility for setting up encrypted disks -Name: cryptsetup -Version: 2.3.7 -Release: 7%{?dist} -License: GPLv2+ and LGPLv2+ -Group: Applications/System -URL: https://gitlab.com/cryptsetup/cryptsetup -BuildRequires: openssl-devel, popt-devel, device-mapper-devel -BuildRequires: libuuid-devel, gcc, libblkid-devel -BuildRequires: libpwquality-devel, json-c-devel -Provides: cryptsetup-luks = %{version}-%{release} -Obsoletes: cryptsetup-luks < 1.4.0 -Requires: cryptsetup-libs = %{version}-%{release} -Requires: libpwquality >= 1.2.0 - -%global upstream_version %{version} -Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{upstream_version}.tar.xz -# binary archive with updated tests/conversion_imgs.tar.xz and tests/luks2_header_requirements.tar.xz -# for testing (can not be patched via rpmbuild) -Source1: tests.tar.xz -# Following patch has to applied last -Patch0: %{name}-add-system-library-paths.patch -# Remove the patch when (if ever) osci infrastructure gets stable enough -Patch1: %{name}-disable-verity-compat-test.patch -Patch2: %{name}-2.4.2-Do-not-try-to-set-compiler-optimization-flag-if-wipe.patch -Patch3: %{name}-2.4.2-Fix-bogus-memory-allocation-if-LUKS2-header-size-is-.patch -Patch4: %{name}-2.5.0-Fix-typo-in-repair-prompt.patch -Patch5: %{name}-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch -Patch6: %{name}-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch -Patch7: %{name}-2.5.0-Remove-LUKS2-encryption-data-size-restriction.patch -Patch8: %{name}-2.6.0-Fix-cipher-convert-routines-naming-confusion.patch -Patch9: %{name}-2.6.0-Move-cipher_dm2c-to-crypto-utilities.patch -Patch10: %{name}-2.6.0-Code-cleanup.patch -Patch11: %{name}-2.6.0-Copy-also-integrity-string-in-legacy-mode.patch -Patch12: %{name}-2.6.0-Fix-internal-crypt-segment-compare-routine.patch -Patch13: %{name}-2.6.0-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch -Patch14: %{name}-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch -Patch15: %{name}-2.7.0-Disallow-use-of-internal-kenrel-crypto-driver-names-.patch -Patch16: %{name}-2.7.0-Also-disallow-active-devices-with-internal-kernel-na.patch -Patch17: %{name}-2.7.0-Fix-init_by_name-to-allow-unknown-cipher-format-in-d.patch -Patch18: %{name}-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch -Patch19: %{name}-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch - -%description -The cryptsetup package contains a utility for setting up -disk encryption using dm-crypt kernel module. - -%package devel -Group: Development/Libraries -Requires: %{name}-libs%{?_isa} = %{version}-%{release} -Requires: pkgconfig -Summary: Headers and libraries for using encrypted file systems -Provides: cryptsetup-luks-devel = %{version}-%{release} -Obsoletes: cryptsetup-luks-devel < 1.4.0 - -%description devel -The cryptsetup-devel package contains libraries and header files -used for writing code that makes use of disk encryption. - -%package libs -Group: System Environment/Libraries -Summary: Cryptsetup shared library -Provides: cryptsetup-luks-libs = %{version}-%{release} -Obsoletes: cryptsetup-luks-libs < 1.4.0 - -%description libs -This package contains the cryptsetup shared library, libcryptsetup. - -%package -n veritysetup -Group: Applications/System -Summary: A utility for setting up dm-verity volumes -Requires: cryptsetup-libs = %{version}-%{release} - -%description -n veritysetup -The veritysetup package contains a utility for setting up -disk verification using dm-verity kernel module. - -%package -n integritysetup -Group: Applications/System -Summary: A utility for setting up dm-integrity volumes -Requires: cryptsetup-libs = %{version}-%{release} - -%description -n integritysetup -The integritysetup package contains a utility for setting up -disk integrity protection using dm-integrity kernel module. - -%package reencrypt -Group: Applications/System -Summary: A utility for offline reencryption of LUKS encrypted disks. -Requires: cryptsetup-libs = %{version}-%{release} - -%description reencrypt -This package contains cryptsetup-reencrypt utility which -can be used for offline reencryption of disk in situ. - -%prep -%setup -q -n cryptsetup-%{upstream_version} -a 1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 -%patch16 -p1 -%patch17 -p1 -%patch18 -p1 -%patch19 -p1 -%patch0 -p1 -chmod -x misc/dracut_90reencrypt/* - -%build -%configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --with-crypto_backend=openssl --with-default-luks-format=LUKS2 -make %{?_smp_mflags} - -%install -make install DESTDIR=%{buildroot} -rm -rf %{buildroot}/%{_libdir}/*.la - -%find_lang cryptsetup - -%post -n cryptsetup-libs -p /sbin/ldconfig - -%postun -n cryptsetup-libs -p /sbin/ldconfig - -%files -%{!?_licensedir:%global license %%doc} -%license COPYING -%doc AUTHORS FAQ docs/*ReleaseNotes -%{_mandir}/man8/cryptsetup.8.gz -%{_sbindir}/cryptsetup - -%files -n veritysetup -%{!?_licensedir:%global license %%doc} -%license COPYING -%{_mandir}/man8/veritysetup.8.gz -%{_sbindir}/veritysetup - -%files -n integritysetup -%{!?_licensedir:%global license %%doc} -%license COPYING -%{_mandir}/man8/integritysetup.8.gz -%{_sbindir}/integritysetup - -%files reencrypt -%{!?_licensedir:%global license %%doc} -%license COPYING -%doc misc/dracut_90reencrypt -%{_mandir}/man8/cryptsetup-reencrypt.8.gz -%{_sbindir}/cryptsetup-reencrypt - -%files devel -%doc docs/examples/* -%{_includedir}/libcryptsetup.h -%{_libdir}/libcryptsetup.so -%{_libdir}/pkgconfig/libcryptsetup.pc - -%files libs -f cryptsetup.lang -%{!?_licensedir:%global license %%doc} -%license COPYING COPYING.LGPL -%{_libdir}/libcryptsetup.so.* -%{_tmpfilesdir}/cryptsetup.conf -%ghost %attr(700, -, -) %dir /run/cryptsetup - -%clean - -%changelog -* Tue Jul 11 2023 Ondrej Kozina - 2.3.7-7 -- Rebuild due to missing CI environment -- Resolves: #2212772 #2193342 - -* Thu Jun 28 2023 Daniel Zatovic - 2.3.7-6 -- patch: Delegate FIPS mode detection to configured crypto backend -- patch: Disallow use of internal kenrel crypto driver names in "capi" -- patch: Also disallow active devices with internal kernel names -- patch: Fix init_by_name to allow unknown cipher format in dm-crypt -- patch: Fix reencryption to fail properly for unknown cipher -- patch: Fix activation of LUKS2 with capi format cipher and kernel -- Resolves: #2212772 #2193342 - -* Tue Jan 10 2023 Daniel Zatovic - 2.3.7-5 -- change cryptsetup-devel dependency from cryptsetup to cryptsetup-libs -- Resolves: #2150254 - -* Wed Dec 21 2022 Daniel Zatovic - 2.3.7-4 -- patch: Remove LUKS2 encryption data size restriction. -- patch: Abort encryption when header and data devices are same. -- Resolves: #2150254 - -* Fri Nov 4 2022 Daniel Zatovic - 2.3.7-3 -- patch: Fix internal crypt segment compare routine -- Resolves: #2110810 - -* Thu Feb 24 2022 Ondrej Kozina - 2.3.7-2 -- patch: Fix cryptsetup --test-passphrase when device in - reencryption -- Resolves: #2058009 - -* Thu Jan 20 2022 Ondrej Kozina - 2.3.7-1 -- update to cryptsetup 2.3.7 -- fixes CVE-2021-4122 -- patch: Fix suboptimal optimization in bundled argon2. -- patch: Fix bogus memory allocation/device read with - invalid LUKS2 headers -- patch: Fix typo in luksRepair prompt. -- Resolves: #2021815 #2022301 #2031859 - -* Wed Feb 17 2021 Ondrej Kozina - 2.3.3-4 -- patch: Fix reencryption for custom devices with data segments - set to use cipher_null. -- Resolves: #1927409 - -* Wed Feb 03 2021 Ondrej Kozina - 2.3.3-3 -- patch: Fix crypto backend to properly handle ECB mode. -- Resolves: #1859091 - -* Thu Aug 27 2020 Ondrej Kozina - 2.3.3-2 -- patch: Fix possible memory corruption in LUKS2 validation - code in 32bit library. -- Resolves: #1872294 - -* Thu May 28 2020 Ondrej Kozina - 2.3.3-1 -- Update to cryptsetup 2.3.3 -- Resolves: #1796826 #1743891 #1785748 - -* Fri Apr 03 2020 Ondrej Kozina - 2.3.1-1 -- Update to cryptsetup 2.3.1 -- Resolves: #1796826 #1743891 #1785748 - -* Mon Nov 18 2019 Ondrej Kozina - 2.2.2-1 -- Update to cryptsetup 2.2.2 -- LUKS2 reencryption honors activation flags (one time and persistent). -- LUKS2 reencryption works also without volume keys put in kernel - keyring service. -- Resolves: #1757783 #1750680 #1753597 #1743399 - -* Fri Aug 30 2019 Ondrej Kozina - 2.2.0-2 -- patch: Fix mapped segments overflow on 32bit architectures. -- patch: Take optimal io size in account with LUKS2 reencryption. -- Resolves: #1742815 #1746532 - -* Thu Aug 15 2019 Ondrej Kozina - 2.2.0-1 -- Update to cryptsetup 2.2.0 (final) -- Resolves: #1738263 #1740342 #1733391 #1729600 #1733390 - -* Fri Jun 14 2019 Ondrej Kozina - 2.2.0-0.2 -- Updates to reencryption feature. -- Resolves: #1676622 - -* Fri May 03 2019 Ondrej Kozina - 2.2.0-0.1 -- Update to cryptsetup 2.2.0 -- remove python bits from spec file. -- Resolves: #1676622 - -* Thu Mar 21 2019 Milan Broz - 2.0.6-2 -- Add gating tests. -- Resolves: #1682539 - -* Mon Dec 03 2018 Ondrej Kozina - 2.0.6-1 -- Update to cryptsetup 2.0.6 -- Enables all supported metadata sizes in LUKS2 validation code. -- Resolves: #1653383 - -* Fri Aug 10 2018 Ondrej Kozina - 2.0.4-2 -- patch: fix device alignment bug when processing hinted - value by device topology info. -- Resolves: #1614219 - -* Wed Aug 08 2018 Ondrej Kozina - 2.0.4-1 -- Update to cryptsetup 2.0.4. -- patch: Add RHEL system library paths in configure. -- patch: Increase default LUKS2 header size to 8 MiBs. -- patch: update tests to be compatible with larger headers. -- Set default format to LUKS2. -- Cleanup changelog. -- Resolves: #1564540 #1595257 #1595266 #1595881 #1600164 - -* Fri May 04 2018 Ondrej Kozina - 2.0.3-1 -- Update to cryptsetup 2.0.3. - -* Tue Mar 27 2018 Björn Esser - 2.0.2-2 -- Rebuilt for libjson-c.so.4 (json-c v0.13.1) on fc28 - -* Wed Mar 07 2018 Milan Broz - 2.0.2-1 -- Update to cryptsetup 2.0.2. diff --git a/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch b/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch new file mode 100644 index 0000000..9c303e4 --- /dev/null +++ b/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch @@ -0,0 +1,40 @@ +From 293abb5435e2b4bec7f8333fb11c88d5c1f45800 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Mon, 5 Dec 2022 13:35:24 +0100 +Subject: [PATCH 3/3] Add FIPS related error message in keyslot add code. + +Add hints on what went wrong when creating new LUKS +keyslots. The hint is printed only in FIPS mode and +when pbkdf2 failed with passphrase shorter than 8 +bytes. +--- + lib/luks1/keymanage.c | 5 ++++- + lib/luks2/luks2_keyslot_luks2.c | 2 ++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +Index: cryptsetup-2.7.2/lib/luks1/keymanage.c +=================================================================== +--- cryptsetup-2.7.2.orig/lib/luks1/keymanage.c ++++ cryptsetup-2.7.2/lib/luks1/keymanage.c +@@ -926,6 +926,8 @@ int LUKS_set_key(unsigned int keyIndex, + derived_key->key, hdr->keyBytes, + hdr->keyblock[keyIndex].passwordIterations, 0, 0); + if (r < 0) { ++ if (crypt_fips_mode() && passwordLen < 8) ++ log_err(ctx, _("Invalid passphrase for PBKDF2 in FIPS mode.")); + if ((crypt_backend_flags() & CRYPT_BACKEND_PBKDF2_INT) && + hdr->keyblock[keyIndex].passwordIterations > INT_MAX) + log_err(ctx, _("PBKDF2 iteration value overflow.")); +Index: cryptsetup-2.7.2/lib/luks2/luks2_keyslot_luks2.c +=================================================================== +--- cryptsetup-2.7.2.orig/lib/luks2/luks2_keyslot_luks2.c ++++ cryptsetup-2.7.2/lib/luks2/luks2_keyslot_luks2.c +@@ -269,6 +269,8 @@ static int luks2_keyslot_set_key(struct + pbkdf.iterations > INT_MAX) + log_err(cd, _("PBKDF2 iteration value overflow.")); + crypt_free_volume_key(derived_key); ++ if (crypt_fips_mode() && passwordLen < 8 && !strcmp(pbkdf.type, "pbkdf2")) ++ log_err(cd, _("Invalid passphrase for PBKDF2 in FIPS mode.")); + return r; + } + diff --git a/cryptsetup.spec b/cryptsetup.spec new file mode 100644 index 0000000..c3dcfcd --- /dev/null +++ b/cryptsetup.spec @@ -0,0 +1,752 @@ +Summary: Utility for setting up encrypted disks +Name: cryptsetup +Version: 2.7.3 +Release: 2%{?dist} +License: GPL-2.0-or-later WITH cryptsetup-OpenSSL-exception AND LGPL-2.1-or-later WITH cryptsetup-OpenSSL-exception +URL: https://gitlab.com/cryptsetup/cryptsetup +BuildRequires: autoconf, automake, libtool, gettext-devel, +BuildRequires: openssl-devel, popt-devel, device-mapper-devel +BuildRequires: libuuid-devel, gcc, json-c-devel +BuildRequires: libpwquality-devel, libblkid-devel +BuildRequires: make +BuildRequires: asciidoctor +Requires: cryptsetup-libs = %{version}-%{release} +Requires: libpwquality >= 1.2.0 +Obsoletes: %{name}-reencrypt <= %{version} +Provides: %{name}-reencrypt = %{version} + +%global upstream_version %{version_no_tilde} +Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-%{upstream_version}.tar.xz + +# Following patch has to applied last +Patch9999: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch + +%description +The cryptsetup package contains a utility for setting up +disk encryption using dm-crypt kernel module. + +%package devel +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires: pkgconfig +Summary: Headers and libraries for using encrypted file systems + +%description devel +The cryptsetup-devel package contains libraries and header files +used for writing code that makes use of disk encryption. + +%package libs +Summary: Cryptsetup shared library + +%description libs +This package contains the cryptsetup shared library, libcryptsetup. + +%package -n veritysetup +Summary: A utility for setting up dm-verity volumes +Requires: cryptsetup-libs = %{version}-%{release} + +%description -n veritysetup +The veritysetup package contains a utility for setting up +disk verification using dm-verity kernel module. + +%package -n integritysetup +Summary: A utility for setting up dm-integrity volumes +Requires: cryptsetup-libs = %{version}-%{release} + +%description -n integritysetup +The integritysetup package contains a utility for setting up +disk integrity protection using dm-integrity kernel module. + +%prep +%autosetup -n cryptsetup-%{upstream_version} -p 1 + +%build +# force regeneration of manual pages from AsciiDoc +rm -f man/*.8 + +./autogen.sh +%configure --enable-fips --enable-pwquality --enable-asciidoc --enable-internal-sse-argon2 --disable-ssh-token +%make_build + +%install +%make_install +rm -rf %{buildroot}%{_libdir}/*.la +rm -rf %{buildroot}%{_libdir}/%{name}/*.la + +%find_lang cryptsetup + +%ldconfig_scriptlets -n cryptsetup-libs + +%files +%license COPYING +%doc AUTHORS FAQ.md docs/*ReleaseNotes +%{_mandir}/man8/cryptsetup.8.gz +%{_mandir}/man8/cryptsetup-*.8.gz +%{_sbindir}/cryptsetup + +%files -n veritysetup +%license COPYING +%{_mandir}/man8/veritysetup.8.gz +%{_sbindir}/veritysetup + +%files -n integritysetup +%license COPYING +%{_mandir}/man8/integritysetup.8.gz +%{_sbindir}/integritysetup + +%files devel +%doc docs/examples/* +%{_includedir}/libcryptsetup.h +%{_libdir}/libcryptsetup.so +%{_libdir}/pkgconfig/libcryptsetup.pc + +%files libs -f cryptsetup.lang +%license COPYING COPYING.LGPL +%{_libdir}/libcryptsetup.so.* +%dir %{_libdir}/%{name}/ +%{_tmpfilesdir}/cryptsetup.conf +%ghost %attr(700, -, -) %dir /run/cryptsetup + +%changelog +* Mon Jun 24 2024 Troy Dawson - 2.7.3-2 +- Bump release for June 2024 mass rebuild + +* Tue Jun 18 2024 Daniel Zatovic - 2.7.3-1 +- Update to cryptsetup 2.7.3 +- Remove libssh dependency +- Resolves: RHEL-40123 + +* Mon May 06 2024 Daniel Zatovic - 2.7.2-2 +- Remove SSH token and fix tests +- Resolves: RHEL-33395 + +* Tue Apr 30 2024 Daniel Zatovic - 2.7.2-1 +- Update to cryptsetup 2.7.2 +- Resolves: RHEL-33395 + +* Fri Feb 09 2024 Ondrej Kozina - 2.7.0-2 +- Rebuild for OpenSSL Argon2 implementation (OpenSSL 3.2) +- patch: Do not compile unused internal argon2 implementation + +* Wed Jan 24 2024 Ondrej Kozina - 2.7.0-1 +- Update to cryptsetup 2.7.0. + +* Wed Jan 24 2024 Fedora Release Engineering - 2.7.0~rc1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Jan 19 2024 Fedora Release Engineering - 2.7.0~rc1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Wed Dec 20 2023 Milan Broz - 2.7.0~rc1-1 +- Update to cryptsetup 2.7.0-rc1. + +* Wed Nov 29 2023 Ondrej Kozina - 2.7.0~rc0-1 +- Update to cryptsetup 2.7.0-rc0. + +* Wed Jul 19 2023 Fedora Release Engineering - 2.6.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Thu Jun 15 2023 Yaakov Selkowitz - 2.6.1-2 +- Drop libargon2 dependency in RHEL builds + +* Fri Feb 10 2023 Ondrej Kozina - 2.6.1-1 +- Update to cryptsetup 2.6.1. + +* Thu Jan 19 2023 Fedora Release Engineering - 2.6.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Mon Nov 28 2022 Ondrej Kozina - 2.6.0-1 +- Update to cryptsetup 2.6.0. + +* Mon Nov 21 2022 Ondrej Kozina - 2.6.0~rc0-1 +- Update to cryptsetup 2.6.0-rc0. + +* Thu Jul 28 2022 Ondrej Kozina - 2.5.0-1 +- Update to cryptsetup 2.5.0. + +* Wed Jul 20 2022 Fedora Release Engineering - 2.5.0~rc1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Jul 14 2022 Ondrej Kozina - 2.5.0~rc1-1 +- Update to cryptsetup 2.5.0-rc1. + +* Thu Jan 20 2022 Fedora Release Engineering - 2.4.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Wed Jan 12 2022 Ondrej Kozina - 2.4.3-1 +- Update to cryptsetup 2.4.3. + +* Thu Nov 18 2021 Milan Broz - 2.4.2-1 +- Update to cryptsetup 2.4.2. + +* Fri Sep 17 2021 Ondrej Kozina - 2.4.1-1 +- Update to cryptsetup 2.4.1. + +* Tue Sep 14 2021 Sahana Prasad - 2.4.0-2 +- Rebuilt with OpenSSL 3.0.0 + +* Wed Aug 18 2021 Ondrej Kozina - 2.4.0-1 +- Update to cryptsetup 2.4.0. + +* Fri Jul 30 2021 Milan Broz - 2.4.0~rc1-1 +- Update to cryptsetup 2.4.0-rc1. + +* Wed Jul 21 2021 Fedora Release Engineering - 2.4.0~rc0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Sat Jul 10 2021 Björn Esser - 2.4.0~rc0-2 +- Rebuild for versioned symbols in json-c + +* Fri Jul 02 2021 Ondrej Kozina - 2.4.0~rc0-1 +- Update to cryptsetup 2.4.0-rc0. +- add experimental cryptsetup-ssh token subpackage +- spec file cleanup + +* Fri May 28 2021 Milan Broz - 2.3.6-1 +- Update to cryptsetup 2.3.6. + +* Thu Mar 11 2021 Milan Broz - 2.3.5-2 +- Update to cryptsetup 2.3.5. + +* Tue Jan 26 2021 Fedora Release Engineering - 2.3.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Sep 03 2020 Milan Broz - 2.3.4-1 +- Update to cryptsetup 2.3.4. +- Fix for CVE-2020-14382 (#1874712) + +* Mon Jul 27 2020 Fedora Release Engineering - 2.3.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Thu May 28 2020 Ondrej Kozina - 2.3.3-1 +- Update to cryptsetup 2.3.3. + +* Thu Apr 30 2020 Milan Broz - 2.3.2-1 +- Update to cryptsetup 2.3.2. + +* Tue Apr 21 2020 Björn Esser - 2.3.1-4 +- Rebuild (json-c) + +* Thu Apr 16 2020 Milan Broz - 2.3.1-3 +- Fix broken json-c patch (#1824878). + +* Tue Apr 14 2020 Björn Esser - 2.3.1-2 +- Add support for upcoming json-c 0.14.0 +- Use %%make_build, %%make_install and %%autosetup macros + +* Thu Mar 12 2020 Ondrej Kozina - 2.3.1-1 +- Update to cryptsetup 2.3.1. + +* Sun Feb 02 2020 Milan Broz - 2.3.0-1 +- Update to cryptsetup 2.3.0. + +* Tue Jan 28 2020 Fedora Release Engineering - 2.3.0-0.2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Sun Jan 12 2020 Milan Broz - 2.3.0-0.1 +- Update to cryptsetup 2.3.0-rc0. + +* Fri Nov 01 2019 Ondrej Kozina - 2.2.2-1 +- Update to cryptsetup 2.2.2. + +* Fri Sep 06 2019 Ondrej Kozina - 2.2.1-1 +- Update to cryptsetup 2.2.1. + +* Thu Aug 15 2019 Milan Broz - 2.2.0-1 +- Update to cryptsetup 2.2.0. + +* Wed Jul 24 2019 Fedora Release Engineering - 2.2.0-0.3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri Jun 14 2019 Ondrej Kozina - 2.2.0-0.2 +- Update to cryptsetup 2.2.0-rc1. + +* Fri May 03 2019 Ondrej Kozina - 2.2.0-0.1 +- Update to cryptsetup 2.2.0-rc0. + +* Thu Apr 04 2019 Kalev Lember - 2.1.0-3 +- Add back python2-cryptsetup and cryptsetup-python3 obsoletes + +* Mon Mar 18 2019 Milan Broz - 2.1.0-2 +- Rebuild for new libargon2 soname. + +* Fri Feb 08 2019 Ondrej Kozina - 2.1.0-1 +- Update to cryptsetup 2.1.0. +- Drop python specific bits from spec file (python was removed + from upstream project) + +* Thu Jan 31 2019 Fedora Release Engineering - 2.0.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Tue Jan 22 2019 Ondrej Kozina - 2.0.6-2 +- Switch default metadata format to LUKS2. +- Resolves: #1668013 + +* Mon Dec 03 2018 Ondrej Kozina - 2.0.6-1 +- Update to cryptsetup 2.0.6. + +* Mon Oct 29 2018 Ondrej Kozina - 2.0.5-1 +- Update to cryptsetup 2.0.5. + +* Fri Aug 03 2018 Ondrej Kozina - 2.0.4-1 +- Update to cryptsetup 2.0.4. +- patch: Add Fedora system library paths in configure. + +* Tue Jul 17 2018 Ondrej Kozina - 2.0.3-6 +- Remove libgcrypt dependency from cryptsetup-libs package. + +* Tue Jul 17 2018 Ondrej Kozina - 2.0.3-5 +- Replace sed script with --disable-rpath configure option. +- Switch cryptsetup to openssl crypto backend. +- Spec file cleanup. + +* Thu Jul 12 2018 Fedora Release Engineering - 2.0.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri May 04 2018 Ondrej Kozina - 2.0.3-3 +- Fix obsolete macro for python3 subpackage. + +* Fri May 04 2018 Ondrej Kozina - 2.0.3-2 +- Add missing 'Obsoletes' macros for python subpackages. + +* Fri May 04 2018 Milan Broz - 2.0.3-1 +- Update to cryptsetup 2.0.3. + +* Wed Apr 25 2018 Ondrej Kozina - 2.0.2-3 +- Add conditions for python sub-packages + +* Tue Mar 27 2018 Björn Esser - 2.0.2-2 +- Rebuilt for libjson-c.so.4 (json-c v0.13.1) on fc28 + +* Wed Mar 07 2018 Milan Broz - 2.0.2-1 +- Update to cryptsetup 2.0.2. + +* Tue Mar 06 2018 Björn Esser - 2.0.1-3 +- Rebuilt for libjson-c.so.4 (json-c v0.13.1) + +* Wed Feb 07 2018 Fedora Release Engineering - 2.0.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sun Jan 21 2018 Milan Broz - 2.0.1-1 +- Update to cryptsetup 2.0.1. + +* Thu Jan 04 2018 Ondrej Kozina - 2.0.0-3 +- Override locking path to /run/cryptsetup (going to be new default) +- Claim ownership of the locking directory + +* Fri Dec 15 2017 Iryna Shcherbina - 2.0.0-2 +- Update Python 2 dependency declarations to new packaging standards + (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) + +* Tue Dec 12 2017 Ondrej Kozina - 2.0.0-1 +- Update to cryptsetup 2.0.0 (final). + +* Sun Dec 10 2017 Björn Esser - 2.0.0-0.6 +- Rebuilt for libjson-c.so.3 + +* Mon Nov 20 2017 Milan Broz - 2.0.0-0.5 +- Link to system libargon2 instead of using bundled code. + +* Thu Nov 09 2017 Ondrej Kozina - 2.0.0-0.4 +- Drop the legacy library. + +* Wed Nov 08 2017 Ondrej Kozina - 2.0.0-0.3 +- Temporary build providing legacy library. + +* Tue Nov 07 2017 Ondrej Kozina - 2.0.0-0.2 +- Update to cryptsetup 2.0.0-rc1 (with libcryptsetup soname bump). +- Added integritysetup subpackage. + +* Sun Aug 20 2017 Zbigniew Jędrzejewski-Szmek - 1.7.5-5 +- Add Provides for the old name without %%_isa + +* Sat Aug 19 2017 Zbigniew Jędrzejewski-Szmek - 1.7.5-4 +- Python 2 binary package renamed to python2-cryptsetup + See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 + +* Wed Aug 02 2017 Fedora Release Engineering - 1.7.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 1.7.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Thu Apr 27 2017 Milan Broz - 1.7.5-1 +- Update to cryptsetup 1.7.5. + +* Wed Mar 15 2017 Milan Broz - 1.7.4-1 +- Update to cryptsetup 1.7.4. + +* Fri Feb 10 2017 Fedora Release Engineering - 1.7.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Mon Dec 19 2016 Miro Hrončok - 1.7.3-2 +- Rebuild for Python 3.6 + +* Sun Oct 30 2016 Milan Broz - 1.7.3-1 +- Update to cryptsetup 1.7.3. + +* Tue Jul 19 2016 Fedora Release Engineering - 1.7.2-3 +- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages + +* Mon Jun 13 2016 Milan Broz - 1.7.2-2 +- Rebuilt for compatible symbol changes in glibc. + +* Sat Jun 04 2016 Milan Broz - 1.7.2-1 +- Update to cryptsetup 1.7.2. + +* Sun Feb 28 2016 Milan Broz - 1.7.1-1 +- Update to cryptsetup 1.7.1. + +* Wed Feb 03 2016 Fedora Release Engineering - 1.7.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Nov 10 2015 Fedora Release Engineering - 1.7.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 + +* Tue Nov 03 2015 Milan Broz - 1.7.0-1 +- Update to cryptsetup 1.7.0. +- Switch to sha256 as default hash. +- Increase default PBKDF2 iteration time to 2 seconds. + +* Tue Sep 08 2015 Milan Broz - 1.6.8-2 +- Update to cryptsetup 1.6.8. + +* Wed Jun 17 2015 Fedora Release Engineering - 1.6.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon Mar 23 2015 Milan Broz - 1.6.7-1 +- Update to cryptsetup 1.6.7. +- Remove no longer needed fipscheck library dependence. +- Change URL to new homepage. + +* Sat Aug 16 2014 Milan Broz - 1.6.6-1 +- Update to cryptsetup 1.6.6. + +* Sat Aug 16 2014 Fedora Release Engineering - 1.6.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Fri Jul 11 2014 Tom Callaway - 1.6.5-2 +- fix license handling + +* Sun Jun 29 2014 Milan Broz - 1.6.5-1 +- Update to cryptsetup 1.6.5. +- Add cryptsetup-python3 subpackage. + +* Sat Jun 07 2014 Fedora Release Engineering - 1.6.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sun Mar 02 2014 Milan Broz - 1.6.4-2 +- Require libgcrypt 1.6.1 (with fixed PBKDF2 and Whirlpool hash). + +* Thu Feb 27 2014 Milan Broz - 1.6.4-1 +- Update to cryptsetup 1.6.4. + +* Tue Jan 07 2014 Ondrej Kozina - 1.6.3-2 +- remove useless hmac checksum + +* Fri Dec 13 2013 Milan Broz - 1.6.3-1 +- Update to cryptsetup 1.6.3. + +* Sun Aug 04 2013 Milan Broz - 1.6.2-1 +- Update to cryptsetup 1.6.2. + +* Sat Aug 03 2013 Fedora Release Engineering - 1.6.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Sun Mar 31 2013 Milan Broz - 1.6.1-1 +- Update to cryptsetup 1.6.1. +- Install ReleaseNotes files instead of empty Changelog file. + +* Wed Feb 13 2013 Fedora Release Engineering - 1.6.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Mon Jan 14 2013 Milan Broz - 1.6.0-1 +- Update to cryptsetup 1.6.0. +- Change default LUKS encryption mode to aes-xts-plain64 (AES128). +- Force use of gcrypt PBKDF2 instead of internal implementation. + +* Sat Dec 29 2012 Milan Broz - 1.6.0-0.1 +- Update to cryptsetup 1.6.0-rc1. +- Relax license to GPLv2+ according to new release. +- Compile cryptsetup with libpwquality support. + +* Tue Oct 16 2012 Milan Broz - 1.5.1-1 +- Update to cryptsetup 1.5.1. + +* Wed Jul 18 2012 Fedora Release Engineering - 1.5.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Tue Jul 10 2012 Milan Broz - 1.5.0-1 +- Update to cryptsetup 1.5.0. + +* Wed Jun 20 2012 Milan Broz - 1.5.0-0.2 +- Update to cryptsetup 1.5.0-rc2. +- Add cryptsetup-reencrypt subpackage. + +* Mon Jun 11 2012 Milan Broz - 1.5.0-0.1 +- Update to cryptsetup 1.5.0-rc1. +- Add veritysetup subpackage. +- Move localization files to libs subpackage. + +* Thu May 31 2012 Milan Broz - 1.4.3-2 +- Build with fipscheck (verification in fips mode). +- Clean up spec file, use install to /usr. + +* Thu May 31 2012 Milan Broz - 1.4.3-1 +- Update to cryptsetup 1.4.3. + +* Thu Apr 12 2012 Milan Broz - 1.4.2-1 +- Update to cryptsetup 1.4.2. + +* Fri Jan 13 2012 Fedora Release Engineering - 1.4.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Wed Nov 09 2011 Milan Broz - 1.4.1-1 +- Update to cryptsetup 1.4.1. +- Add Python cryptsetup bindings. +- Obsolete separate python-cryptsetup package. + +* Wed Oct 26 2011 Milan Broz - 1.4.0-1 +- Update to cryptsetup 1.4.0. + +* Mon Oct 10 2011 Milan Broz - 1.4.0-0.1 +- Update to cryptsetup 1.4.0-rc1. +- Rename package back from cryptsetup-luks to cryptsetup. + +* Wed Jun 22 2011 Milan Broz - 1.3.1-2 +- Fix return code for status command when device doesn't exist. + +* Tue May 24 2011 Milan Broz - 1.3.1-1 +- Update to cryptsetup 1.3.1. + +* Tue Apr 05 2011 Milan Broz - 1.3.0-1 +- Update to cryptsetup 1.3.0. + +* Tue Mar 22 2011 Milan Broz - 1.3.0-0.2 +- Update to cryptsetup 1.3.0-rc2 + +* Mon Mar 14 2011 Milan Broz - 1.3.0-0.1 +- Update to cryptsetup 1.3.0-rc1 + +* Tue Feb 08 2011 Fedora Release Engineering - 1.2.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Dec 20 2010 Milan Broz - 1.2.0-1 +- Update to cryptsetup 1.2.0 + +* Thu Nov 25 2010 Milan Broz - 1.2.0-0.2 +- Fix crypt_activate_by_keyfile() to work with PLAIN devices. + +* Tue Nov 16 2010 Milan Broz - 1.2.0-0.1 +- Add FAQ to documentation. +- Update to cryptsetup 1.2.0-rc1 + +* Sat Jul 03 2010 Milan Broz - 1.1.3-1 +- Update to cryptsetup 1.1.3 + +* Mon Jun 07 2010 Milan Broz - 1.1.2-2 +- Fix alignment ioctl use. +- Fix API activation calls to handle NULL device name. + +* Sun May 30 2010 Milan Broz - 1.1.2-1 +- Update to cryptsetup 1.1.2 +- Fix luksOpen handling of new line char on stdin. + +* Sun May 23 2010 Milan Broz - 1.1.1-1 +- Update to cryptsetup 1.1.1 +- Fix luksClose for stacked LUKS/LVM devices. + +* Mon May 03 2010 Milan Broz - 1.1.1-0.2 +- Update to cryptsetup 1.1.1-rc2. + +* Sat May 01 2010 Milan Broz - 1.1.1-0.1 +- Update to cryptsetup 1.1.1-rc1. + +* Sun Jan 17 2010 Milan Broz - 1.1.0-1 +- Update to cryptsetup 1.1.0. + +* Fri Jan 15 2010 Milan Broz - 1.1.0-0.6 +- Fix gcrypt initialisation. +- Fix backward compatibility for hash algorithm (uppercase). + +* Wed Dec 30 2009 Milan Broz - 1.1.0-0.5 +- Update to cryptsetup 1.1.0-rc4 + +* Mon Nov 16 2009 Milan Broz - 1.1.0-0.4 +- Update to cryptsetup 1.1.0-rc3 + +* Thu Oct 01 2009 Milan Broz - 1.1.0-0.3 +- Update to cryptsetup 1.1.0-rc2 +- Fix libcryptsetup to properly export only versioned symbols. + +* Tue Sep 29 2009 Milan Broz - 1.1.0-0.2 +- Update to cryptsetup 1.1.0-rc1 +- Add luksHeaderBackup and luksHeaderRestore commands. + +* Fri Sep 11 2009 Milan Broz - 1.1.0-0.1 +- Update to new upstream testing version with new API interface. +- Add luksSuspend and luksResume commands. +- Introduce pkgconfig. + +* Fri Jul 24 2009 Fedora Release Engineering - 1.0.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Jul 22 2009 Milan Broz - 1.0.7-1 +- Update to upstream final release. +- Split libs subpackage. +- Remove rpath setting from cryptsetup binary. + +* Wed Jul 15 2009 Till Maas - 1.0.7-0.2 +- update BR because of libuuid splitout from e2fsprogs + +* Mon Jun 22 2009 Milan Broz - 1.0.7-0.1 +- Update to new upstream 1.0.7-rc1. + +- Wipe old fs headers to not confuse blkid (#468062) +* Tue Feb 24 2009 Fedora Release Engineering - 1.0.6-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Thu Oct 30 2008 Milan Broz - 1.0.6-6 +- Wipe old fs headers to not confuse blkid (#468062) + +* Tue Sep 23 2008 Milan Broz - 1.0.6-5 +- Change new project home page. +- Print more descriptive messages for initialization errors. +- Refresh patches to versions commited upstream. + +* Sat Sep 06 2008 Milan Broz - 1.0.6-4 +- Fix close of zero decriptor. +- Fix udevsettle delays - use temporary crypt device remapping. + +* Wed May 28 2008 Till Maas - 1.0.6-3 +- remove a duplicate sentence from the manpage (RH #448705) +- add patch metadata about upstream status + +* Tue Apr 15 2008 Bill Nottinghm - 1.0.6-2 +- Add the device to the luksOpen prompt (#433406) +- Use iconv, not recode (#442574) + +* Thu Mar 13 2008 Till Maas - 1.0.6-1 +- Update to latest version +- remove patches that have been merged upstream + +* Mon Mar 03 2008 Till Maas - 1.0.6-0.1.pre2 +- Update to new version with several bugfixes +- remove patches that have been merged upstream +- add patch from cryptsetup newsgroup +- fix typo / missing luksRemoveKey in manpage (patch) + +* Tue Feb 19 2008 Fedora Release Engineering - 1.0.5-9 +- Autorebuild for GCC 4.3 + +* Sat Jan 19 2008 Peter Jones - 1.0.5-8 +- Rebuild for broken deps. + +* Thu Aug 30 2007 Till Maas - 1.0.5-7 +- update URL +- update license tag +- recode ChangeLog from latin1 to uf8 +- add smp_mflags to make + +* Fri Aug 24 2007 Till Maas - 1.0.5-6 +- cleanup BuildRequires: +- removed versions, packages in Fedora are new enough +- changed popt to popt-devel + +* Thu Aug 23 2007 Till Maas - 1.0.5-5 +- fix devel subpackage requires +- remove empty NEWS README +- remove uneeded INSTALL +- remove uneeded ldconfig requires +- add readonly detection patch + +* Wed Aug 08 2007 Till Maas - 1.0.5-4 +- disable patch2, libsepol is now detected by configure +- move libcryptsetup.so to %%{_libdir} instead of /%%{_lib} + +* Fri Jul 27 2007 Till Maas - 1.0.5-3 +- Use /%%{_lib} instead of /lib to use /lib64 on 64bit archs + +* Thu Jul 26 2007 Till Maas - 1.0.5-2 +- Use /lib as libdir (#243228) +- sync header and library (#215349) +- do not use %%makeinstall (recommended by PackageGuidelines) +- select sbindir with %%configure instead with make +- add TODO + +* Wed Jun 13 2007 Jeremy Katz - 1.0.5-1 +- update to 1.0.5 + +* Mon Jun 04 2007 Peter Jones - 1.0.3-5 +- Don't build static any more. + +* Mon Feb 05 2007 Alasdair Kergon - 1.0.3-4 +- Add build dependency on new device-mapper-devel package. +- Add preun and post ldconfig requirements. +- Update BuildRoot. + +* Wed Nov 1 2006 Peter Jones - 1.0.3-3 +- Require newer libselinux (#213414) + +* Wed Jul 12 2006 Jesse Keating - 1.0.3-2.1 +- rebuild + +* Wed Jun 7 2006 Jeremy Katz - 1.0.3-2 +- put shared libs in the right subpackages + +* Fri Apr 7 2006 Bill Nottingham 1.0.3-1 +- update to final 1.0.3 + +* Mon Feb 27 2006 Bill Nottingham 1.0.3-0.rc2 +- update to 1.0.3rc2, fixes bug with HAL & encrypted devices (#182658) + +* Wed Feb 22 2006 Bill Nottingham 1.0.3-0.rc1 +- update to 1.0.3rc1, reverts changes to default encryption type + +* Tue Feb 21 2006 Bill Nottingham 1.0.2-1 +- update to 1.0.2, fix incompatiblity with old cryptsetup (#176726) + +* Mon Feb 20 2006 Karsten Hopp 1.0.1-5 +- BuildRequires: libselinux-devel + +* Fri Feb 10 2006 Jesse Keating - 1.0.1-4.2.1 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 1.0.1-4.2 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Mon Dec 5 2005 Bill Nottingham 1.0.1-4 +- rebuild against new libdevmapper + +* Thu Oct 13 2005 Florian La Roche +- add -lsepol to rebuild on current fc5 + +* Mon Aug 22 2005 Karel Zak 1.0.1-2 +- fix cryptsetup help for isLuks action + +* Fri Jul 1 2005 Bill Nottingham 1.0.1-1 +- update to 1.0.1 - fixes incompatiblity with previous cryptsetup for + piped passwords + +* Thu Jun 16 2005 Bill Nottingham 1.0-2 +- add patch for 32/64 bit compatibility (#160445, ) + +* Tue Mar 29 2005 Bill Nottingham 1.0-1 +- update to 1.0 + +* Thu Mar 10 2005 Bill Nottingham 0.993-1 +- switch to cryptsetup-luks, for LUKS support + +* Tue Oct 12 2004 Bill Nottingham 0.1-4 +- oops, make that *everything* static (#129926) + +* Tue Aug 31 2004 Bill Nottingham 0.1-3 +- link some things static, move to /sbin (#129926) + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Fri Apr 16 2004 Bill Nottingham 0.1-1 +- initial packaging diff --git a/sources b/sources new file mode 100644 index 0000000..e325e6f --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (cryptsetup-2.7.3.tar.xz) = 08cff21873aeb7cc5b2561abf5d33cdf0fa814eeaabf6a01f858461726ea9faeef651357da33bce7b347ca2f12d6d02bccdb279893f3749cb781ce1fe5c1571c