Rebase to cryptsetup to 2.7.5.

- Resolves: RHEL-57036 RHEL-57037 RHEL-61581
2024-10-04 17:01:20 +02:00 · 2024-10-04 17:01:20 +02:00 · a4914bdd4c
commit a4914bdd4c
parent 868e946033
7 changed files with 108 additions and 22 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1 @@
-/cryptsetup-2.7.0.tar.xz
-/cryptsetup-2.7.3.tar.xz
+/cryptsetup-2.7.5.tar.xz
--- a/cryptsetup-2.7.0.tar.sign
+++ b/cryptsetup-2.7.0.tar.sign
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAmWw5zoACgkQ2bBXe9k+
-mPztwhAAh8ieUWCcw7WwW4lc00ZH77sLc7Ro5J2/0ZAg/HpowOqGqhzJQZ+KJdeF
-b6mebw7mKq4PHyzUS7Rba4wQiVEUD2kAQuoyXZJljsxegFOc1LxL/DSOCt7IFJyc
-WB+525kPoRrpBWJhGXMn4OcVaelmIJAgDFHcYAccJJTKNgPjDrivpkTAxUsfdTTf
-a1F/4I2o7eP5zkWkPqqQIvXzlwQnfD5ulZvnJ30t8E/07CZJ5Hf9iLRa6vruo7Rg
-8cJHcOu4MhjuMu+oDvuefj8hM4FyfLU+tt0L7Z3iOZXAGffe+iQUQUyChvN/waEI
-R8mpdc89amTHkMTCjYOo2X4sAH9a7mo5L2v+rm5NTZTZn53Gy1Ytbzy2agXY+ebf
-DeKTVL3KTMe6KvQUfIqMSrM9oub6o8JDfO+0La9GSkNU/1VvHU5LK3FIomuP8Top
-BPfdL8IxSgIityBbby1ZQD97aIgzPZkGsC7/5bVY7mj/LUZxJK61p49U0dlolwss
-uzJarjAtDY0iNCfOv/AKZGnVzHAc2cEmVKJ6X243h2NRB5z1snFP8lDtB2AIdcUf
-0vEZz1HcwW1de1C0jjQsf9elkeVJfrsFhRhRrEEiHyplR3/uaVwUtrDGOxPsRE+J
-SE2sSfURqQPuBKeTO/ymVDt7G0iPd8Ts/BOhQYTn94rsjhONiz8=
-=6sya
-----END PGP SIGNATURE-----
--- a/cryptsetup-2.7.5.tar.sign
+++ b/cryptsetup-2.7.5.tar.sign
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAmbW3FUACgkQ2bBXe9k+
+mPwFbA//ZmEE58/+S4mDszoVeBtJAZDpSd0UBm+R6JTqNjwGSQw2KQbRW+qXLWIj
+EUKd/xtW8iSDh+cqKFO12RN7BTHMHePt+qB8aw3L1WWbj2rQfLbEv+dQMg36Rweu
+AZMR69PDhD8JX2xVV2nD/rrQFHoNfKT9od83QHmaK/knwOvd7ZHJ2sOyMmZvCNE8
+N8/454ERiT8W9hnHxWjsGtkzr81ucGpjbZDYlINaeD728QR64HDHnAkReAHegJt8
+uAejzAz+BGNkSkUFeRLP+3zOYUKBW6Ex/OIBQ4m+rrAR/b3TVNwGPUUAbelHZJWN
+jf+aPzo4Vv1v+Hl92CEbq29czpHyaLRrRNdhs57no7XdUkivJ+gdhr51xjaV9Zq
+HnANYLVT+O/PPfFaALg1Qp5hfmhVCaVPLK05ug2qj9jVF0jIahvQsEzq1YfLiZNT
+8UtAnV8ULA83GZlh1MDsuEp5815CKjs5dzpUpobStsVIZ6lkHabEFRfxr2Ae+7lw
+veqmpNLN1K5+yXA1L8e9BtoxRxeczIS3ImPlYvojpCFgkamwXPqCoI4wVOCbG/Pu
+5L1uDk1TAHEgmf4Iy31bPKLDQcv16aLV5S/w4fCWtybbBasax7qNqKTBAIZQp7o2
+C1hkxCcRxaNyMwEoof9myMjv9fn/0xidJ14GlgXpeANbq9jtXQo=
+=S6/S
+-----END PGP SIGNATURE-----
--- a/cryptsetup-Enable-to-use-Argon2-in-FIPS-with-openssl-backend.patch
+++ b/cryptsetup-Enable-to-use-Argon2-in-FIPS-with-openssl-backend.patch
@ -0,0 +1,42 @@
+From cfd043f6f0527407c57fb5a2735ee8e22c070cd7 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Wed, 28 Aug 2024 17:06:12 +0200
+Subject: [PATCH 09/10] Enable to use Argon2 in FIPS with openssl backend.
+
+This patch is required to read existing LUKS2
+keyslots created with Argon2 KDF before the system
+got switched in FIPS mode. Creating new keyslots using
+Argon2 was already blocked elsewhere and before this patch.
+---
+ lib/crypto_backend/crypto_openssl.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/crypto_backend/crypto_openssl.c b/lib/crypto_backend/crypto_openssl.c
+index 9f1be9e0..07c133b0 100644
+--- a/lib/crypto_backend/crypto_openssl.c
+++ b/lib/crypto_backend/crypto_openssl.c
+@@ -611,13 +611,20 @@ static int openssl_argon2(const char *type, const char *password, size_t passwor
+ 		OSSL_PARAM_uint(OSSL_KDF_PARAM_THREADS, &threads),
+ 		OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_LANES, &parallel),
+ 		OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_MEMCOST, &memory),
+		/* to allow fetching blake2 in FIPS mode in later KDF_derive routine */
+		OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_PROPERTIES, "-fips", 0),
+ 		OSSL_PARAM_END
+ 	};
+ 
+ 	if (OSSL_get_max_threads(ossl_ctx) == 0)
+ 		threads = 1;
+ 
+-	argon2 = EVP_KDF_fetch(ossl_ctx, type, NULL);
+	/*
+	 * '-fips' skips fips provider for Argon2 variants implementations.
+	 * We need it to be able to read existing keyslots in FIPS mode.
+	 * Writing new Argon2 enabled keyslots in FIPS mode is blocked elsewhere.
+	 */
+	argon2 = EVP_KDF_fetch(ossl_ctx, type, "-fips");
+ 	if (!argon2)
+ 		return -EINVAL;
+ 
+-- 
+2.46.0
+
--- a/cryptsetup-Warn-if-Argon2-keyslot-is-unlocked-in-FIPS-mode.patch
+++ b/cryptsetup-Warn-if-Argon2-keyslot-is-unlocked-in-FIPS-mode.patch
@ -0,0 +1,37 @@
+From f903ddcf447474fda1a036584b550d12dd620a73 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Thu, 29 Aug 2024 15:31:08 +0200
+Subject: [PATCH 10/10] Warn if Argon2 keyslot is unlocked in FIPS mode.
+
+---
+ lib/luks2/luks2_keyslot.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/luks2/luks2_keyslot.c b/lib/luks2/luks2_keyslot.c
+index bb9d4537..2f979d81 100644
+--- a/lib/luks2/luks2_keyslot.c
+++ b/lib/luks2/luks2_keyslot.c
+@@ -573,6 +573,7 @@ int LUKS2_keyslot_open(struct crypt_device *cd,
+ {
+ 	struct luks2_hdr *hdr;
+ 	int r_prio, r = -EINVAL;
+	struct crypt_pbkdf_type pbkdf;
+ 
+ 	hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
+ 	if (!hdr)
+@@ -599,7 +600,11 @@ int LUKS2_keyslot_open(struct crypt_device *cd,
+ 			log_err(cd, _("Not enough available memory to open a keyslot."));
+ 		else if (r != -EPERM && r != -ENOENT)
+ 			log_err(cd, _("Keyslot open failed."));
+-	}
+	} else if (crypt_fips_mode() && !LUKS2_keyslot_pbkdf(hdr, r, &pbkdf) &&
+		   !strncmp(pbkdf.type, "argon2", 6))
+		log_err(cd, "The %s KDF used in keyslot %d is not FIPS compliant.\n"
+			    "Please refer to cryptsetup-luksConvertKey(8) man page to switch it to pbkdf2.",
+			    pbkdf.type, r);
+ 
+ 	return r;
+ }
+-- 
+2.46.0
+
--- a/cryptsetup.spec
+++ b/cryptsetup.spec
@ -1,7 +1,7 @@
 Summary: Utility for setting up encrypted disks
 Name: cryptsetup
-Version: 2.7.3
-Release: 2%{?dist}
+Version: 2.7.5
+Release: 1%{?dist}
 License: GPL-2.0-or-later WITH cryptsetup-OpenSSL-exception AND LGPL-2.1-or-later WITH cryptsetup-OpenSSL-exception
 URL: https://gitlab.com/cryptsetup/cryptsetup
 BuildRequires: autoconf, automake, libtool, gettext-devel,
@ -19,7 +19,9 @@ Provides: %{name}-reencrypt = %{version}
 Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-%{upstream_version}.tar.xz

 # Following patch has to applied last
-Patch9999: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch
+Patch0001: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch
+Patch0002: %{name}-Enable-to-use-Argon2-in-FIPS-with-openssl-backend.patch
+Patch0003: %{name}-Warn-if-Argon2-keyslot-is-unlocked-in-FIPS-mode.patch

 %description
 The cryptsetup package contains a utility for setting up
@ -107,6 +109,12 @@ rm -rf %{buildroot}%{_libdir}/%{name}/*.la
 %ghost %attr(700, -, -) %dir /run/cryptsetup

 %changelog
+* Fri Oct 04 2024 Ondrej Kozina <okozina@redhat.com> - 2.7.5-1
+- Update to cryptsetup 2.7.5
+- patch: Warn if Argon2 keyslot is unlocked in FIPS mode.
+- patch: Enable Argon2 in FIPS with openssl backend.
+- Resolves: RHEL-57036 RHEL-57037 RHEL-61581
+
 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2.7.3-2
 - Bump release for June 2024 mass rebuild

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (cryptsetup-2.7.3.tar.xz) = 08cff21873aeb7cc5b2561abf5d33cdf0fa814eeaabf6a01f858461726ea9faeef651357da33bce7b347ca2f12d6d02bccdb279893f3749cb781ce1fe5c1571c
+SHA512 (cryptsetup-2.7.5.tar.xz) = 13eca93cdb00a143d2ca60b6f66ede5adc4072ca0c4bfebd8454a3541e69d269fcdb4afc97ad799e87a999b2bd46c1f31fa924a3d616d72a3337970b1e718d55