rpms/cryptsetup
5
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI cryptsetup-2.3.7-7.el8

Browse Source
This commit is contained in:
eabdullin 2023-11-14 19:06:07 +00:00
parent 6b1d7a18a0
commit 94add16c46
9 changed files with 732 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.cryptsetup.metadata
View File

@ -1 +1,2 @@
3ce643e82d52b0c0282c2754c4bfa8c15c1f567e SOURCES/cryptsetup-2.3.7.tar.xz
ec3ce9960bd536f7500e0d767a973672037c13e6 SOURCES/tests.tar.xz

1
.gitignore vendored
View File

@ -1 +1,2 @@
SOURCES/cryptsetup-2.3.7.tar.xz
SOURCES/tests.tar.xz

316
SOURCES/cryptsetup-2.6.0-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch Normal file
View File

@ -0,0 +1,316 @@
From 5b001b7962744b1bdaeb60b7c8cb9c682f907e03 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Tue, 28 Jun 2022 16:23:34 +0200
Subject: [PATCH] Delegate FIPS mode detection to configured crypto backend.
System FIPS mode check is no longer dependent on /etc/system-fips
file. The change should be compatible with older distributions since
we now depend on crypto backend internal routine.
This commit affects only FIPS enabled systems (with FIPS enabled
builds). In case this causes any regression in current distributions
feel free to drop the patch.
For reference see https://bugzilla.redhat.com/show_bug.cgi?id=2080516
---
lib/crypto_backend/crypto_backend.h | 3 ++
lib/crypto_backend/crypto_gcrypt.c | 17 +++++++++
lib/crypto_backend/crypto_kernel.c | 5 +++
lib/crypto_backend/crypto_nettle.c | 5 +++
lib/crypto_backend/crypto_nss.c | 5 +++
lib/crypto_backend/crypto_openssl.c | 26 ++++++++++++++
lib/internal.h | 1 -
lib/utils_fips.c | 55 -----------------------------
lib/utils_fips.h | 28 ---------------
po/POTFILES.in | 1 -
src/cryptsetup.h | 1 -
tests/compat-test | 2 +-
tests/compat-test2 | 2 +-
tests/keyring-compat-test | 2 +-
tests/luks2-reencryption-test | 2 +-
16 files changed, 65 insertions(+), 92 deletions(-)
delete mode 100644 lib/utils_fips.c
delete mode 100644 lib/utils_fips.h
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_backend.h
===================================================================
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_backend.h
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_backend.h
@@ -135,4 +135,7 @@ static inline void crypt_backend_memzero
#endif
}
+/* crypto backend running in FIPS mode */
+bool crypt_fips_mode(void);
+
#endif /* _CRYPTO_BACKEND_H */
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_gcrypt.c
===================================================================
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_gcrypt.c
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_gcrypt.c
@@ -550,3 +550,20 @@ out:
return -ENOTSUP;
#endif
}
+
+#if !ENABLE_FIPS
+bool crypt_fips_mode(void) { return false; }
+#else
+bool crypt_fips_mode(void)
+{
+ static bool fips_mode = false, fips_checked = false;
+
+ if (fips_checked)
+ return fips_mode;
+
+ fips_mode = gcry_fips_mode_active();
+ fips_checked = true;
+
+ return fips_mode;
+}
+#endif /* ENABLE FIPS */
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_kernel.c
===================================================================
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_kernel.c
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_kernel.c
@@ -416,3 +416,8 @@ int crypt_bitlk_decrypt_key(const void *
return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
iv, iv_length, tag, tag_length);
}
+
+bool crypt_fips_mode(void)
+{
+ return false;
+}
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_nettle.c
===================================================================
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_nettle.c
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_nettle.c
@@ -442,3 +442,8 @@ int crypt_bitlk_decrypt_key(const void *
return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
iv, iv_length, tag, tag_length);
}
+
+bool crypt_fips_mode(void)
+{
+ return false;
+}
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_nss.c
===================================================================
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_nss.c
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_nss.c
@@ -395,3 +395,8 @@ int crypt_bitlk_decrypt_key(const void *
return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
iv, iv_length, tag, tag_length);
}
+
+bool crypt_fips_mode(void)
+{
+ return false;
+}
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_openssl.c
===================================================================
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_openssl.c
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_openssl.c
@@ -574,3 +574,29 @@ out:
return -ENOTSUP;
#endif
}
+
+#if !ENABLE_FIPS
+bool crypt_fips_mode(void) { return false; }
+#else
+static bool openssl_fips_mode(void)
+{
+#if OPENSSL_VERSION_MAJOR >= 3
+ return EVP_default_properties_is_fips_enabled(NULL);
+#else
+ return FIPS_mode();
+#endif
+}
+
+bool crypt_fips_mode(void)
+{
+ static bool fips_mode = false, fips_checked = false;
+
+ if (fips_checked)
+ return fips_mode;
+
+ fips_mode = openssl_fips_mode();
+ fips_checked = true;
+
+ return fips_mode;
+}
+#endif /* ENABLE FIPS */
Index: cryptsetup-2.3.7/lib/internal.h
===================================================================
--- cryptsetup-2.3.7.orig/lib/internal.h
+++ cryptsetup-2.3.7/lib/internal.h
@@ -38,7 +38,6 @@
#include "utils_crypt.h"
#include "utils_loop.h"
#include "utils_dm.h"
-#include "utils_fips.h"
#include "utils_keyring.h"
#include "utils_io.h"
#include "crypto_backend.h"
Index: cryptsetup-2.3.7/po/POTFILES.in
===================================================================
--- cryptsetup-2.3.7.orig/po/POTFILES.in
+++ cryptsetup-2.3.7/po/POTFILES.in
@@ -6,7 +6,6 @@ lib/volumekey.c
lib/crypt_plain.c
lib/utils_crypt.c
lib/utils_loop.c
-lib/utils_fips.c
lib/utils_device.c
lib/utils_devpath.c
lib/utils_pbkdf.c
Index: cryptsetup-2.3.7/src/cryptsetup.h
===================================================================
--- cryptsetup-2.3.7.orig/src/cryptsetup.h
+++ cryptsetup-2.3.7/src/cryptsetup.h
@@ -43,7 +43,6 @@
#include "lib/nls.h"
#include "lib/utils_crypt.h"
#include "lib/utils_loop.h"
-#include "lib/utils_fips.h"
#include "lib/utils_io.h"
#include "lib/utils_blkid.h"
Index: cryptsetup-2.3.7/tests/compat-test
===================================================================
--- cryptsetup-2.3.7.orig/tests/compat-test
+++ cryptsetup-2.3.7/tests/compat-test
@@ -44,7 +44,7 @@ KEY_MATERIAL5_EXT="S331776-395264"
TEST_UUID="12345678-1234-1234-1234-123456789abc"
LOOPDEV=$(losetup -f 2>/dev/null)
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
function remove_mapping()
{
Index: cryptsetup-2.3.7/tests/compat-test2
===================================================================
--- cryptsetup-2.3.7.orig/tests/compat-test2
+++ cryptsetup-2.3.7/tests/compat-test2
@@ -42,7 +42,7 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-f
TEST_UUID="12345678-1234-1234-1234-123456789abc"
LOOPDEV=$(losetup -f 2>/dev/null)
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
function remove_mapping()
{
Index: cryptsetup-2.3.7/tests/keyring-compat-test
===================================================================
--- cryptsetup-2.3.7.orig/tests/keyring-compat-test
+++ cryptsetup-2.3.7/tests/keyring-compat-test
@@ -26,7 +26,7 @@ PWD="aaa"
[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
function remove_mapping()
{
Index: cryptsetup-2.3.7/tests/luks2-reencryption-test
===================================================================
--- cryptsetup-2.3.7.orig/tests/luks2-reencryption-test
+++ cryptsetup-2.3.7/tests/luks2-reencryption-test
@@ -24,7 +24,7 @@ PWD1="93R4P4pIqAH8"
PWD2="1cND4319812f"
PWD3="1-9Qu5Ejfnqv"
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
function dm_crypt_features()
{
Index: cryptsetup-2.3.7/lib/utils_fips.c
===================================================================
--- cryptsetup-2.3.7.orig/lib/utils_fips.c
+++ cryptsetup-2.3.7/lib/utils_fips.c
@@ -1,46 +1 @@
-/*
- * FIPS mode utilities
- *
- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include <unistd.h>
-#include <fcntl.h>
-#include <errno.h>
-#include "utils_fips.h"
-
-#if !ENABLE_FIPS
-int crypt_fips_mode(void) { return 0; }
-#else
-static int kernel_fips_mode(void)
-{
- int fd;
- char buf[1] = "";
-
- if ((fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY)) >= 0) {
- while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
- close(fd);
- }
-
- return (buf[0] == '1') ? 1 : 0;
-}
-
-int crypt_fips_mode(void)
-{
- return kernel_fips_mode() && !access("/etc/system-fips", F_OK);
-}
-#endif /* ENABLE_FIPS */
+/* keep an empty file to avoid running autogen.sh */
Index: cryptsetup-2.3.7/lib/utils_fips.h
===================================================================
--- cryptsetup-2.3.7.orig/lib/utils_fips.h
+++ cryptsetup-2.3.7/lib/utils_fips.h
@@ -1,26 +1 @@
-/*
- * FIPS mode utilities
- *
- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#ifndef _UTILS_FIPS_H
-#define _UTILS_FIPS_H
-
-int crypt_fips_mode(void);
-
-#endif /* _UTILS_FIPS_H */
+/* keep an empty file to avoid running autogen.sh */

79
SOURCES/cryptsetup-2.7.0-Also-disallow-active-devices-with-internal-kernel-na.patch Normal file
View File

@ -0,0 +1,79 @@
From dff9ee8c8cb68432e96261b87aabb7aaa51215e7 Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Tue, 2 May 2023 15:42:21 +0200
Subject: [PATCH] Also disallow active devices with internal kernel names.
The same problem fixed in commit 438cf1d1b3ef6d7405cfbcbe5f631d3d7467a605
is present in libdevmapper wrapper when parsing active device table.
The whole point of conversion was that non-authenticated modes
can be always represented in the old cipher-mode-iv format.
As the internal names contains dash, these are unsupported.
That said, the libdevmapper backend now correctly returns
full cipher specification including capi prefix for this case.
Init_by_name call now fails with incomplatible cipher definition error.
---
lib/setup.c | 2 +-
lib/utils_crypt.c | 9 +++++++++
tests/mode-test | 5 +++++
3 files changed, 15 insertions(+), 1 deletion(-)
Index: cryptsetup-2.3.7/lib/setup.c
===================================================================
--- cryptsetup-2.3.7.orig/lib/setup.c
+++ cryptsetup-2.3.7/lib/setup.c
@@ -1188,7 +1188,7 @@ static int _init_by_name_crypt(struct cr
r = crypt_parse_name_and_mode(tgt->type == DM_LINEAR ? "null" : tgt->u.crypt.cipher, cipher,
&key_nums, cipher_mode);
if (r < 0) {
- log_dbg(cd, "Cannot parse cipher and mode from active device.");
+ log_err(cd, _("No known cipher specification pattern detected for active device %s."), name);
goto out;
}
Index: cryptsetup-2.3.7/lib/utils_crypt.c
===================================================================
--- cryptsetup-2.3.7.orig/lib/utils_crypt.c
+++ cryptsetup-2.3.7/lib/utils_crypt.c
@@ -224,6 +224,15 @@ int crypt_capi_to_cipher(char **org_c, c
if (i != 2)
return -EINVAL;
+ /* non-cryptsetup compatible mode (generic driver with dash?) */
+ if (strrchr(iv, ')')) {
+ if (i_dm)
+ return -EINVAL;
+ if (!(*org_c = strdup(c_dm)))
+ return -ENOMEM;
+ return 0;
+ }
+
len = strlen(tmp);
if (len < 2)
return -EINVAL;
Index: cryptsetup-2.3.7/tests/mode-test
===================================================================
--- cryptsetup-2.3.7.orig/tests/mode-test
+++ cryptsetup-2.3.7/tests/mode-test
@@ -8,6 +8,8 @@ DEV_NAME=dmc_test
HEADER_IMG=mode-test.img
PASSWORD=3xrododenron
PASSWORD1=$PASSWORD
+KEY="7c0dc5dfd0c9191381d92e6ebb3b29e7f0dba53b0de132ae23f5726727173540"
+FAST_PBKDF2="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
# cipher-chainmode-ivopts:ivmode
CIPHERS="aes twofish serpent"
@@ -172,6 +174,10 @@ echo -n "CAPI format:"
echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail
$CRYPTSETUP close "$DEV_NAME"_tstdev || fail
echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail
+dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail
+$CRYPTSETUP status "$DEV_NAME"_tstdev >/dev/null 2>&1 && fail
+$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null && fail
+dmsetup remove "$DEV_NAME"_tstdev || fail
echo [OK]
cleanup

68
SOURCES/cryptsetup-2.7.0-Disallow-use-of-internal-kenrel-crypto-driver-names-.patch Normal file
View File

@ -0,0 +1,68 @@
From 438cf1d1b3ef6d7405cfbcbe5f631d3d7467a605 Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Mon, 24 Apr 2023 21:19:03 +0200
Subject: [PATCH] Disallow use of internal kenrel crypto driver names in "capi"
specification.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The common way to specify cipher mode in cryptsetup
is to use cipher-mode-iv notation (like aes-xts-plain64).
With introduction of authenticated ciphers we also allow "capi:<spec>"
notation that is directly used by dm-crypt (e.g. capi:xts(aes)-plain64).
CAPI specification was never intended to be used with internal
kernel crypto api names (with dash in algorithm name), actually the
whole parsing routine wrongly parses mode here now.
The code not checks if parsing wrongly separated the full cipher
string and effectively allowing only proper cipher names
(example of no longer supported string is capi:xts(ecb(aes-generic))-plain64).
Thanks to Jan Wichelmann, Luca Wilke and Thomas Eisenbarth from
University of Lübeck for noticing the problems with this code.
Fixes: #809
---
lib/utils_crypt.c | 8 +++++++-
tests/mode-test | 6 ++++++
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c
index 0b7dc378..c1bde000 100644
--- a/lib/utils_crypt.c
+++ b/lib/utils_crypt.c
@@ -43,7 +43,13 @@ int crypt_parse_name_and_mode(const char *s, char *cipher, int *key_nums,
cipher, cipher_mode) == 2) {
if (!strcmp(cipher_mode, "plain"))
strcpy(cipher_mode, "cbc-plain");
- if (key_nums) {
+ if (!strncmp(cipher, "capi:", 5)) {
+ /* CAPI must not use internal cipher driver names with dash */
+ if (strchr(cipher_mode, ')'))
+ return -EINVAL;
+ if (key_nums)
+ *key_nums = 1;
+ } else if (key_nums) {
char *tmp = strchr(cipher, ':');
*key_nums = tmp ? atoi(++tmp) : 1;
if (!*key_nums)
diff --git a/tests/mode-test b/tests/mode-test
index 82171fbd..fe61880a 100755
--- a/tests/mode-test
+++ b/tests/mode-test
@@ -184,4 +184,10 @@ done
dmcrypt xchacha12,aes-adiantum-plain64
dmcrypt xchacha20,aes-adiantum-plain64
+echo -n "CAPI format:"
+echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail
+$CRYPTSETUP close "$DEV_NAME"_tstdev || fail
+echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail
+echo [OK]
+
cleanup
--
2.40.1

103
SOURCES/cryptsetup-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch Normal file
View File

@ -0,0 +1,103 @@
From b8711faf92868dc82b1a64e7673740444199b2ca Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Sun, 25 Jun 2023 23:32:13 +0200
Subject: [PATCH 2/2] Fix activation of LUKS2 with capi format cipher and
kernel crypt name.
While activation of internal cipher algorithms (like aes-generic)
is disallowed, some old LUKS2 images can still use it.
Check the cipher in activate call, but allow to load LUKS2 metadata.
This can allow to add repair code easily and also allow luksDump.
Also fix segfault in reencrypt code for such a header.
Fixes: #820
---
lib/luks2/luks2_json_metadata.c | 5 +++++
tests/Makefile.am | 4 +++-
tests/compat-test2 | 17 ++++++++++++++++-
tests/luks2_invalid_cipher.img.xz | Bin 0 -> 135372 bytes
tests/meson.build | 1 +
5 files changed, 25 insertions(+), 2 deletions(-)
create mode 100644 tests/luks2_invalid_cipher.img.xz
Index: cryptsetup-2.3.7/lib/luks2/luks2_json_metadata.c
===================================================================
--- cryptsetup-2.3.7.orig/lib/luks2/luks2_json_metadata.c
+++ cryptsetup-2.3.7/lib/luks2/luks2_json_metadata.c
@@ -2324,6 +2324,11 @@ int LUKS2_activate(struct crypt_device *
if ((r = LUKS2_unmet_requirements(cd, hdr, 0, 0)))
return r;
+ /* Check that cipher is in compatible format */
+ if (!crypt_get_cipher(cd)) {
+ log_err(cd, _("No known cipher specification pattern detected in LUKS2 header."));
+ return -EINVAL;
+ }
r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd),
vk, crypt_get_cipher_spec(cd), crypt_get_iv_offset(cd),
crypt_get_data_offset(cd), crypt_get_integrity(cd) ?: "none",
Index: cryptsetup-2.3.7/tests/compat-test2
===================================================================
--- cryptsetup-2.3.7.orig/tests/compat-test2
+++ cryptsetup-2.3.7/tests/compat-test2
@@ -3,6 +3,7 @@
PS4='$LINENO:'
[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
+CRYPTSETUP_REENCRYPT=$CRYPTSETUP_PATH/cryptsetup-reencrypt
CRYPTSETUP_VALGRIND=../.libs/cryptsetup
CRYPTSETUP_LIB_VALGRIND=../.libs
@@ -16,6 +17,7 @@ IMG10=luks-test-v10
HEADER_IMG=luks-header
HEADER_KEYU=luks2_keyslot_unassigned.img
HEADER_LUKS2_PV=blkid-luks2-pv.img
+HEADER_LUKS2_INV=luks2_invalid_cipher.img
KEY1=key1
KEY2=key2
KEY5=key5
@@ -50,7 +52,9 @@ function remove_mapping()
[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
losetup -d $LOOPDEV >/dev/null 2>&1
- rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE $HEADER_LUKS2_PV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* $KEY_FILE0 $KEY_FILE1 >/dev/null 2>&1
+ rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE \
+ $HEADER_LUKS2_PV $HEADER_LUKS2_INV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* \
+ $KEY_FILE0 $KEY_FILE1 >/dev/null 2>&1
# unlink whole test keyring
[ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null
@@ -1049,5 +1053,19 @@ for cipher in $CIPHERS ; do
done
echo
+prepare "[44] LUKS2 invalid cipher (kernel cipher driver name)" wipe
+xz -dk $HEADER_LUKS2_INV.xz
+dd if=$HEADER_LUKS2_INV of=$IMG conv=notrunc >/dev/null 2>&1
+$CRYPTSETUP -q luksDump $LOOPDEV | grep -q "capi:xts(ecb(aes-generic))-plain64" || fail
+echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail
+echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME 2>&1 | grep -q "No known cipher specification pattern" || fail
+echo $PWD1 | $CRYPTSETUP reencrypt $LOOPDEV >/dev/null 2>&1 && fail
+echo $PWD1 | $CRYPTSETUP reencrypt $LOOPDEV 2>&1 | grep -q "No known cipher specification pattern" || fail
+echo $PWD1 | $CRYPTSETUP_REENCRYPT $LOOPDEV 2>&1 | grep -q "No known cipher specification pattern" || fail
+dmsetup create $DEV_NAME --uuid CRYPT-LUKS2-3d20686f551748cb89911ad32379821b-test --table \
+ "0 8 crypt capi:xts(ecb(aes-generic))-plain64 edaa40709797973715e572bf7d86fcbb9cfe2051083c33c28d58fe4e1e7ff642 0 $LOOPDEV 32768"
+$CRYPTSETUP status $DEV_NAME | grep -q "n/a" || fail
+$CRYPTSETUP close $DEV_NAME ||fail
+
remove_mapping
exit 0
Index: cryptsetup-2.3.7/src/cryptsetup.h
===================================================================
--- cryptsetup-2.3.7.orig/src/cryptsetup.h
+++ cryptsetup-2.3.7/src/cryptsetup.h
@@ -103,6 +103,7 @@ void tools_clear_line(void);
int tools_wipe_progress(uint64_t size, uint64_t offset, void *usrptr);
int tools_reencrypt_progress(uint64_t size, uint64_t offset, void *usrptr);
int reencrypt_is_header_detached(const char *header_device, const char *data_device);
+bool luks2_reencrypt_eligible(struct crypt_device *cd);
int tools_read_mk(const char *file, char **key, int keysize);
int tools_write_mk(const char *file, const char *key, int keysize);

52
SOURCES/cryptsetup-2.7.0-Fix-init_by_name-to-allow-unknown-cipher-format-in-d.patch Normal file
View File

@ -0,0 +1,52 @@
From 53aa5f6c4f7439db1b25846597fb5603870ba55e Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Mon, 5 Jun 2023 16:02:06 +0200
Subject: [PATCH] Fix init_by_name to allow unknown cipher format in dm-crypt
as null context.
Deactivation code should deactivate dm-crypt device even if it is unknown
for libcryptsetup. Previous fix for cipher specification was too strict.
Let's allow initialization as null context, that allow status and
deactivate to be usable again.
---
lib/setup.c | 6 ++++++
tests/mode-test | 5 ++---
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/lib/setup.c b/lib/setup.c
index fd17be8c..786aa900 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -1276,6 +1276,12 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name)
r = crypt_parse_name_and_mode(tgt->type == DM_LINEAR ? "null" : tgt->u.crypt.cipher, cipher,
&key_nums, cipher_mode);
if (r < 0) {
+ /* Allow crypt null context with unknown cipher string */
+ if (tgt->type == DM_CRYPT && !tgt->u.crypt.integrity) {
+ crypt_set_null_type(cd);
+ r = 0;
+ goto out;
+ }
log_err(cd, _("No known cipher specification pattern detected for active device %s."), name);
goto out;
}
diff --git a/tests/mode-test b/tests/mode-test
index 4775751e..7f7f20a1 100755
--- a/tests/mode-test
+++ b/tests/mode-test
@@ -190,9 +190,8 @@ echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256
$CRYPTSETUP close "$DEV_NAME"_tstdev || fail
echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail
dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail
-$CRYPTSETUP status "$DEV_NAME"_tstdev >/dev/null 2>&1 && fail
-$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null && fail
-dmsetup remove "$DEV_NAME"_tstdev || fail
+$CRYPTSETUP status "$DEV_NAME"_tstdev 2>/dev/null | grep "type:" | grep -q "n/a" || fail
+$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null || fail
echo [OK]
cleanup
--
2.40.1

81
SOURCES/cryptsetup-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch Normal file
View File

@ -0,0 +1,81 @@
From 1f01eea60e38ac92aa05e4b95372d54b7b9095df Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Mon, 26 Jun 2023 13:25:59 +0200
Subject: [PATCH 1/2] Fix reencryption to fail properly for unknown cipher.
crypt_get_cipher and crypt_get_cipher mode can return NULL,
check it in advance.
---
src/utils_reencrypt.c | 6 ++++++
1 file changed, 6 insertions(+)
Index: cryptsetup-2.3.7/src/cryptsetup.c
===================================================================
--- cryptsetup-2.3.7.orig/src/cryptsetup.c
+++ cryptsetup-2.3.7/src/cryptsetup.c
@@ -2999,6 +2999,12 @@ static int action_encrypt_luks2(struct c
if (r < 0)
goto err;
+ if (!crypt_get_cipher(*cd)) {
+ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
+ r = -EINVAL;
+ goto err;
+ }
+
if (opt_data_shift) {
params.data_shift = imaxabs(opt_data_shift) / SECTOR_SIZE,
params.resilience = "datashift";
@@ -3068,6 +3074,11 @@ static int action_decrypt_luks2(struct c
};
size_t passwordLen;
+ if (!crypt_get_cipher(cd)) {
+ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
+ return -EINVAL;
+ }
+
if (!crypt_get_metadata_device_name(cd) || !crypt_get_device_name(cd) ||
!strcmp(crypt_get_metadata_device_name(cd), crypt_get_device_name(cd))) {
log_err(_("LUKS2 decryption is supported with detached header device only."));
@@ -3289,6 +3300,11 @@ static int action_reencrypt_luks2(struct
.luks2 = &luks2_params,
};
+ if (!crypt_get_cipher(cd)) {
+ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
+ return -EINVAL;
+ }
+
_set_reencryption_flags(&params.flags);
if (!opt_cipher && crypt_is_cipher_null(crypt_get_cipher(cd))) {
Index: cryptsetup-2.3.7/src/cryptsetup_reencrypt.c
===================================================================
--- cryptsetup-2.3.7.orig/src/cryptsetup_reencrypt.c
+++ cryptsetup-2.3.7/src/cryptsetup_reencrypt.c
@@ -185,6 +185,11 @@ static int set_reencrypt_requirement(con
crypt_persistent_flags_get(cd, CRYPT_FLAGS_REQUIREMENTS, &reqs))
goto out;
+ if (!crypt_get_cipher(cd)) {
+ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
+ goto out;
+ }
+
/* reencrypt already in-progress */
if (reqs & CRYPT_REQUIREMENT_OFFLINE_REENCRYPT) {
log_err(_("Reencryption already in-progress."));
@@ -709,6 +714,12 @@ static int backup_luks_headers(struct re
(r = crypt_load(cd, CRYPT_LUKS, NULL)))
goto out;
+ if (!crypt_get_cipher(cd)) {
+ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
+ r = -EINVAL;
+ goto out;
+ }
+
if ((r = crypt_header_backup(cd, CRYPT_LUKS, rc->header_file_org)))
goto out;
if (isLUKS2(rc->type)) {

34
SPECS/cryptsetup.spec
View File

@ -5,7 +5,7 @@ Obsoletes: cryptsetup-python3
Summary: A utility for setting up encrypted disks
Name: cryptsetup
Version: 2.3.7
Release: 5%{?dist}
Release: 7%{?dist}
License: GPLv2+ and LGPLv2+
Group: Applications/System
URL: https://gitlab.com/cryptsetup/cryptsetup
@ -19,6 +19,9 @@ Requires: libpwquality >= 1.2.0
%global upstream_version %{version}
Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{upstream_version}.tar.xz
# binary archive with updated tests/conversion_imgs.tar.xz and tests/luks2_header_requirements.tar.xz
# for testing (can not be patched via rpmbuild)
Source1: tests.tar.xz
# Following patch has to applied last
Patch0: %{name}-add-system-library-paths.patch
# Remove the patch when (if ever) osci infrastructure gets stable enough
@ -34,7 +37,13 @@ Patch9: %{name}-2.6.0-Move-cipher_dm2c-to-crypto-utilities.patch
Patch10: %{name}-2.6.0-Code-cleanup.patch
Patch11: %{name}-2.6.0-Copy-also-integrity-string-in-legacy-mode.patch
Patch12: %{name}-2.6.0-Fix-internal-crypt-segment-compare-routine.patch
Patch13: %{name}-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch
Patch13: %{name}-2.6.0-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch
Patch14: %{name}-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch
Patch15: %{name}-2.7.0-Disallow-use-of-internal-kenrel-crypto-driver-names-.patch
Patch16: %{name}-2.7.0-Also-disallow-active-devices-with-internal-kernel-na.patch
Patch17: %{name}-2.7.0-Fix-init_by_name-to-allow-unknown-cipher-format-in-d.patch
Patch18: %{name}-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch
Patch19: %{name}-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch
%description
The cryptsetup package contains a utility for setting up
@ -89,7 +98,7 @@ This package contains cryptsetup-reencrypt utility which
can be used for offline reencryption of disk in situ.
%prep
%setup -q -n cryptsetup-%{upstream_version}
%setup -q -n cryptsetup-%{upstream_version} -a 1
%patch1 -p1
%patch2 -p1
%patch3 -p1
@ -103,6 +112,12 @@ can be used for offline reencryption of disk in situ.
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch0 -p1
chmod -x misc/dracut_90reencrypt/*
@ -162,6 +177,19 @@ rm -rf %{buildroot}/%{_libdir}/*.la
%clean
%changelog
* Tue Jul 11 2023 Ondrej Kozina <okozina@redhat.com> - 2.3.7-7
- Rebuild due to missing CI environment
- Resolves: #2212772 #2193342
* Thu Jun 28 2023 Daniel Zatovic <dzatovic@redhat.com> - 2.3.7-6
- patch: Delegate FIPS mode detection to configured crypto backend
- patch: Disallow use of internal kenrel crypto driver names in "capi"
- patch: Also disallow active devices with internal kernel names
- patch: Fix init_by_name to allow unknown cipher format in dm-crypt
- patch: Fix reencryption to fail properly for unknown cipher
- patch: Fix activation of LUKS2 with capi format cipher and kernel
- Resolves: #2212772 #2193342
* Tue Jan 10 2023 Daniel Zatovic <dzatovic@redhat.com> - 2.3.7-5
- change cryptsetup-devel dependency from cryptsetup to cryptsetup-libs
- Resolves: #2150254