rpms/cryptsetup
5
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI cryptsetup-2.7.2-3.el9_5

Browse Source
This commit is contained in:
eabdullin 2024-11-12 10:49:46 +00:00
parent f4261d88fc
commit af4d3dcdac
21 changed files with 349 additions and 1299 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.cryptsetup.metadata
View File

@ -1,2 +1 @@
8098a06269c4268b0446b34f7b20e8fa6032e006 SOURCES/cryptsetup-2.6.0.tar.xz
c8976bd232ae6716f97d29390895dddb63e04d1f SOURCES/tests.tar.xz
db48bcfaf135b627d9d5f0447d746e253a190843 SOURCES/cryptsetup-2.7.2.tar.xz

3
.gitignore vendored
View File

@ -1,2 +1 @@
SOURCES/cryptsetup-2.6.0.tar.xz
SOURCES/tests.tar.xz
SOURCES/cryptsetup-2.7.2.tar.xz

161
SOURCES/cryptsetup-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch
View File

@ -1,161 +0,0 @@
From c18dcfaa0b91eb48006232fbfadce9e6a9b4a790 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Fri, 2 Dec 2022 15:39:36 +0100
Subject: [PATCH 2/2] Abort encryption when header and data devices are same.
If data device reduction is not requsted this led
to data corruption since LUKS metadata was written
over the data device.
---
src/utils_reencrypt.c | 42 ++++++++++++++++++++++++++++++----
tests/luks2-reencryption-test | 16 +++++++++++++
tests/reencryption-compat-test | 20 +++++++++++++---
3 files changed, 70 insertions(+), 8 deletions(-)
diff --git a/src/utils_reencrypt.c b/src/utils_reencrypt.c
index 87ead680..73e0bca8 100644
--- a/src/utils_reencrypt.c
+++ b/src/utils_reencrypt.c
@@ -467,6 +467,26 @@ static int reencrypt_check_active_device_sb_block_size(const char *active_device
return reencrypt_check_data_sb_block_size(dm_device, new_sector_size);
}
+static int reencrypt_is_header_detached(const char *header_device, const char *data_device)
+{
+ int r;
+ struct stat st;
+ struct crypt_device *cd;
+
+ if (!header_device)
+ return 0;
+
+ if (header_device && stat(header_device, &st) < 0 && errno == ENOENT)
+ return 1;
+
+ if ((r = crypt_init_data_device(&cd, header_device, data_device)))
+ return r;
+
+ r = crypt_header_is_detached(cd);
+ crypt_free(cd);
+ return r;
+}
+
static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device, const char *device_name)
{
int keyslot, r, fd;
@@ -490,9 +510,14 @@ static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device,
_set_reencryption_flags(&params.flags);
- if (!data_shift && !ARG_SET(OPT_HEADER_ID)) {
- log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."));
- return -ENOTSUP;
+ if (!data_shift) {
+ r = reencrypt_is_header_detached(ARG_STR(OPT_HEADER_ID), data_device);
+ if (r < 0)
+ return r;
+ if (!r) {
+ log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."));
+ return -ENOTSUP;
+ }
}
if (!ARG_SET(OPT_HEADER_ID) && ARG_UINT64(OPT_OFFSET_ID) &&
@@ -1358,9 +1383,16 @@ static int _encrypt(struct crypt_device *cd, const char *type, enum device_statu
if (!type)
type = crypt_get_default_type();
- if (dev_st == DEVICE_LUKS1_UNUSABLE || isLUKS1(type))
+ if (dev_st == DEVICE_LUKS1_UNUSABLE || isLUKS1(type)) {
+ r = reencrypt_is_header_detached(ARG_STR(OPT_HEADER_ID), action_argv[0]);
+ if (r < 0)
+ return r;
+ if (!r && !ARG_SET(OPT_REDUCE_DEVICE_SIZE_ID)) {
+ log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."));
+ return -ENOTSUP;
+ }
return reencrypt_luks1(action_argv[0]);
- else if (dev_st == DEVICE_NOT_LUKS) {
+ } else if (dev_st == DEVICE_NOT_LUKS) {
r = encrypt_luks2_init(&encrypt_cd, action_argv[0], action_argc > 1 ? action_argv[1] : NULL);
if (r < 0 || ARG_SET(OPT_INIT_ONLY_ID)) {
crypt_free(encrypt_cd);
diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
index bab54353..a647a8c2 100755
--- a/tests/luks2-reencryption-test
+++ b/tests/luks2-reencryption-test
@@ -1080,6 +1080,22 @@ $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
$CRYPTSETUP close $DEV_NAME
echo $PWD1 | $CRYPTSETUP open --header $IMG_HDR $DEV --test-passphrase || fail
+# Encrypt without size reduction must not allow header device same as data device
+wipe_dev_head $DEV 1
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --type luks2 --encrypt --header $DEV -q $FAST_PBKDF_ARGON 2>/dev/null && fail
+$CRYPTSETUP isLUKS $DEV 2>/dev/null && fail
+ln -s $DEV $DEV_LINK || fail
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --type luks2 --encrypt --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
+$CRYPTSETUP isLUKS $DEV 2>/dev/null && fail
+rm -f $DEV_LINK || fail
+
+dd if=/dev/zero of=$IMG bs=4k count=1 >/dev/null 2>&1
+echo $PWD1 | $CRYPTSETUP reencrypt $IMG --type luks2 --encrypt --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail
+$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
+ln -s $IMG $DEV_LINK || fail
+echo $PWD1 | $CRYPTSETUP reencrypt $IMG --type luks2 --encrypt --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
+$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
+
echo "[4] Reencryption with detached header"
wipe $PWD1 $IMG_HDR
echo $PWD1 | $CRYPTSETUP reencrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test
index f6a84137..453831d1 100755
--- a/tests/reencryption-compat-test
+++ b/tests/reencryption-compat-test
@@ -15,6 +15,7 @@ IMG=reenc-data
IMG_HDR=$IMG.hdr
HEADER_LUKS2_PV=blkid-luks2-pv.img
ORIG_IMG=reenc-data-orig
+DEV_LINK="reenc-test-link"
KEY1=key1
PWD1="93R4P4pIqAH8"
PWD2="1cND4319812f"
@@ -40,7 +41,7 @@ function remove_mapping()
[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
[ ! -z "$LOOPDEV1" ] && losetup -d $LOOPDEV1 >/dev/null 2>&1
- rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $HEADER_LUKS2_PV >/dev/null 2>&1
+ rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $HEADER_LUKS2_PV $DEV_LINK >/dev/null 2>&1
umount $MNT_DIR > /dev/null 2>&1
rmdir $MNT_DIR > /dev/null 2>&1
LOOPDEV1=""
@@ -302,12 +303,25 @@ check_slot 0 || fail "Only keyslot 0 expected to be enabled"
$REENC $LOOPDEV1 -d $KEY1 $FAST_PBKDF -q || fail
# FIXME echo $PWD1 | $REENC ...
-if [ ! fips_mode ]; then
echo "[4] Encryption of not yet encrypted device"
+# Encrypt without size reduction must not allow header device same as data device
+wipe_dev $LOOPDEV1
+echo $PWD1 | $REENC $LOOPDEV1 --type luks1 --new --header $LOOPDEV1 -q $FAST_PBKDF_ARGON 2>/dev/null && fail
+$CRYPTSETUP isLUKS $LOOPDEV1 2>/dev/null && fail
+ln -s $LOOPDEV1 $DEV_LINK || fail
+echo $PWD1 | $REENC $LOOPDEV1 --type luks1 --new --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
+$CRYPTSETUP isLUKS $LOOPDEV1 2>/dev/null && fail
+rm -f $DEV_LINK || fail
+echo $PWD1 | $REENC $IMG --type luks1 --new --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail
+$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
+ln -s $IMG $DEV_LINK || fail
+echo $PWD1 | $REENC $IMG --type luks1 --new --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
+$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
+
+if [ ! fips_mode ]; then
# well, movin' zeroes :-)
OFFSET=2048
SIZE=$(blockdev --getsz $LOOPDEV1)
-wipe_dev $LOOPDEV1
dmsetup create $DEV_NAME2 --table "0 $(($SIZE - $OFFSET)) linear $LOOPDEV1 0" || fail
check_hash_dev /dev/mapper/$DEV_NAME2 $HASH3
dmsetup remove --retry $DEV_NAME2 || fail
--
2.38.1

662
SOURCES/cryptsetup-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch
View File

@ -1,662 +0,0 @@
From e7a1f18d976771efc06987107da12ccae4d0b360 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Fri, 2 Dec 2022 11:40:24 +0100
Subject: [PATCH 2/3] Change tests to use passphrases with minimal 8 chars
length.
Skip tests that can not satisfy minimal test passphrase length:
- empty passphrase
- LUKS1 cipher_null tests (empty passphrase is mandatory)
- LUKS1 encryption
---
tests/Makefile.am | 3 +-
tests/align-test | 10 +++
tests/api-test-2.c | 117 +++++++++++++++++----------------
tests/api-test.c | 14 ++--
tests/compat-test | 8 ++-
tests/compat-test2 | 16 +++--
tests/keyring-compat-test | 2 +-
tests/reencryption-compat-test | 10 +++
tests/ssh-test-plugin | 2 +-
9 files changed, 110 insertions(+), 72 deletions(-)
diff --git a/tests/align-test b/tests/align-test
index eedf8b77..5941cde2 100755
--- a/tests/align-test
+++ b/tests/align-test
@@ -10,9 +10,16 @@ PWD1="93R4P4pIqAH8"
PWD2="mymJeD8ivEhE"
FAST_PBKDF="--pbkdf-force-iterations 1000"
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+
CRYPTSETUP_VALGRIND=../.libs/cryptsetup
CRYPTSETUP_LIB_VALGRIND=../.libs
+function fips_mode()
+{
+ [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+}
+
cleanup() {
udevadm settle >/dev/null 2>&1
if [ -d "$MNT_DIR" ] ; then
@@ -276,6 +283,8 @@ format_plain_fail 2048
format_plain_fail 4096
cleanup
+# skip tests using empty passphrase (LUKS1 cipher_null)
+if [ ! fips_mode ]; then
echo "# Offset check: 512B sector drive"
add_device dev_size_mb=16 sector_size=512 num_tgts=1
# |k| expO reqO expected slot offsets
@@ -314,6 +323,7 @@ format_null 512 4040 8
format_null 512 4096 128
format_null 512 4096 2048
cleanup
+fi
echo "# Create enterprise-class 4K drive with fs and LUKS images."
# loop device here presents 512 block but images have 4k block
diff --git a/tests/api-test-2.c b/tests/api-test-2.c
index b7c762d9..2c39191b 100644
--- a/tests/api-test-2.c
+++ b/tests/api-test-2.c
@@ -74,8 +74,8 @@ typedef int32_t key_serial_t;
#define KEYFILE2 "key2.file"
#define KEY2 "0123456789abcdef"
-#define PASSPHRASE "blabla"
-#define PASSPHRASE1 "albalb"
+#define PASSPHRASE "blablabl"
+#define PASSPHRASE1 "albalbal"
#define DEVICE_TEST_UUID "12345678-1234-1234-1234-123456789abc"
@@ -107,15 +107,15 @@ typedef int32_t key_serial_t;
#define CONV_L2_512_DET_FULL "l2_512b_det_full"
#define CONV_L1_256_LEGACY "l1_256b_legacy_offset"
#define CONV_L1_256_UNMOVABLE "l1_256b_unmovable"
-#define PASS0 "aaa"
-#define PASS1 "hhh"
-#define PASS2 "ccc"
-#define PASS3 "ddd"
-#define PASS4 "eee"
-#define PASS5 "fff"
-#define PASS6 "ggg"
-#define PASS7 "bbb"
-#define PASS8 "iii"
+#define PASS0 "aaablabl"
+#define PASS1 "hhhblabl"
+#define PASS2 "cccblabl"
+#define PASS3 "dddblabl"
+#define PASS4 "eeeblabl"
+#define PASS5 "fffblabl"
+#define PASS6 "gggblabl"
+#define PASS7 "bbbblabl"
+#define PASS8 "iiiblabl"
static int _fips_mode = 0;
@@ -429,11 +429,11 @@ static int _setup(void)
_system("dd if=/dev/zero of=" IMAGE_EMPTY_SMALL_2 " bs=512 count=2050 2>/dev/null", 1);
- _system(" [ ! -e " NO_REQS_LUKS2_HEADER " ] && xz -dk " NO_REQS_LUKS2_HEADER ".xz", 1);
+ _system(" [ ! -e " NO_REQS_LUKS2_HEADER " ] && tar xJf " REQS_LUKS2_HEADER ".tar.xz", 1);
fd = loop_attach(&DEVICE_4, NO_REQS_LUKS2_HEADER, 0, 0, &ro);
close(fd);
- _system(" [ ! -e " REQS_LUKS2_HEADER " ] && xz -dk " REQS_LUKS2_HEADER ".xz", 1);
+ _system(" [ ! -e " REQS_LUKS2_HEADER " ] && tar xJf " REQS_LUKS2_HEADER ".tar.xz", 1);
fd = loop_attach(&DEVICE_5, REQS_LUKS2_HEADER, 0, 0, &ro);
close(fd);
@@ -709,7 +709,7 @@ static void AddDeviceLuks2(void)
};
char key[128], key2[128], key3[128];
- const char *tmp_buf, *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd";
+ const char *tmp_buf, *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd";
const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e";
size_t key_size = strlen(vk_hex) / 2;
@@ -1056,7 +1056,6 @@ static void Luks2MetadataSize(void)
};
char key[128], tmp[128];
- const char *passphrase = "blabla";
const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
size_t key_size = strlen(vk_hex) / 2;
const char *cipher = "aes";
@@ -1103,7 +1102,7 @@ static void Luks2MetadataSize(void)
OK_(crypt_init(&cd, DMDIR H_DEVICE));
OK_(crypt_set_metadata_size(cd, 0x080000, 0x080000));
OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, key, key_size, &params));
- EQ_(crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, passphrase, strlen(passphrase)), 7);
+ EQ_(crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, PASSPHRASE, strlen(PASSPHRASE)), 7);
CRYPT_FREE(cd);
OK_(crypt_init(&cd, DMDIR H_DEVICE));
OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
@@ -3306,8 +3305,8 @@ static void Luks2Requirements(void)
.key_description = KEY_DESC_TEST0
};
- OK_(prepare_keyfile(KEYFILE1, "aaa", 3));
- OK_(prepare_keyfile(KEYFILE2, "xxx", 3));
+ OK_(prepare_keyfile(KEYFILE1, PASSPHRASE, strlen(PASSPHRASE)));
+ OK_(prepare_keyfile(KEYFILE2, PASSPHRASE1, strlen(PASSPHRASE1)));
/* crypt_load (unrestricted) */
OK_(crypt_init(&cd, DEVICE_5));
@@ -3361,11 +3360,11 @@ static void Luks2Requirements(void)
OK_(crypt_repair(cd, CRYPT_LUKS2, NULL));
/* crypt_keyslot_add_passphrase (restricted) */
- FAIL_((r = crypt_keyslot_add_by_passphrase(cd, CRYPT_ANY_SLOT, "aaa", 3, "bbb", 3)), "Unmet requirements detected");
+ FAIL_((r = crypt_keyslot_add_by_passphrase(cd, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), "bbb", 3)), "Unmet requirements detected");
EQ_(r, -ETXTBSY);
/* crypt_keyslot_change_by_passphrase (restricted) */
- FAIL_((r = crypt_keyslot_change_by_passphrase(cd, CRYPT_ANY_SLOT, 9, "aaa", 3, "bbb", 3)), "Unmet requirements detected");
+ FAIL_((r = crypt_keyslot_change_by_passphrase(cd, CRYPT_ANY_SLOT, 9, PASSPHRASE, strlen(PASSPHRASE), "bbb", 3)), "Unmet requirements detected");
EQ_(r, -ETXTBSY);
/* crypt_keyslot_add_by_keyfile (restricted) */
@@ -3377,18 +3376,18 @@ static void Luks2Requirements(void)
EQ_(r, -ETXTBSY);
/* crypt_volume_key_get (unrestricted, but see below) */
- OK_(crypt_volume_key_get(cd, 0, key, &key_size, "aaa", 3));
+ OK_(crypt_volume_key_get(cd, 0, key, &key_size, PASSPHRASE, strlen(PASSPHRASE)));
/* crypt_keyslot_add_by_volume_key (restricted) */
- FAIL_((r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, key_size, "xxx", 3)), "Unmet requirements detected");
+ FAIL_((r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, key_size, PASSPHRASE1, strlen(PASSPHRASE1))), "Unmet requirements detected");
EQ_(r, -ETXTBSY);
/* crypt_keyslot_add_by_key (restricted) */
- FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, NULL, key_size, "xxx", 3, CRYPT_VOLUME_KEY_NO_SEGMENT)), "Unmet requirements detected");
+ FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, NULL, key_size, PASSPHRASE1, strlen(PASSPHRASE1), CRYPT_VOLUME_KEY_NO_SEGMENT)), "Unmet requirements detected");
EQ_(r, -ETXTBSY);
/* crypt_keyslot_add_by_key (restricted) */
- FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, key, key_size, "xxx", 3, 0)), "Unmet requirements detected");
+ FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, key, key_size, PASSPHRASE1, strlen(PASSPHRASE1), 0)), "Unmet requirements detected");
EQ_(r, -ETXTBSY);
/* crypt_persistent_flasgs_set (restricted) */
@@ -3400,10 +3399,10 @@ static void Luks2Requirements(void)
EQ_(flags, CRYPT_REQUIREMENT_UNKNOWN);
/* crypt_activate_by_passphrase (restricted for activation only) */
- FAIL_((r = crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0)), "Unmet requirements detected");
+ FAIL_((r = crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0)), "Unmet requirements detected");
EQ_(r, -ETXTBSY);
- OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, 0));
- OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
+ OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), 0));
+ OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE);
/* crypt_activate_by_keyfile (restricted for activation only) */
@@ -3420,7 +3419,7 @@ static void Luks2Requirements(void)
#ifdef KERNEL_KEYRING
if (t_dm_crypt_keyring_support()) {
- kid = add_key("user", KEY_DESC_TEST0, "aaa", 3, KEY_SPEC_THREAD_KEYRING);
+ kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE, strlen(PASSPHRASE), KEY_SPEC_THREAD_KEYRING);
NOTFAIL_(kid, "Test or kernel keyring are broken.");
/* crypt_activate_by_keyring (restricted for activation only) */
@@ -3428,6 +3427,8 @@ static void Luks2Requirements(void)
EQ_(r, t_dm_crypt_keyring_support() ? -ETXTBSY : -EINVAL);
OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, 0));
OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, CRYPT_ACTIVATE_KEYRING_KEY));
+
+ NOTFAIL_(keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING), "Test or kernel keyring are broken.");
}
#endif
@@ -3513,10 +3514,15 @@ static void Luks2Requirements(void)
/* crypt_activate_by_token (restricted for activation only) */
#ifdef KERNEL_KEYRING
if (t_dm_crypt_keyring_support()) {
+ kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE, strlen(PASSPHRASE), KEY_SPEC_THREAD_KEYRING);
+ NOTFAIL_(kid, "Test or kernel keyring are broken.");
+
FAIL_((r = crypt_activate_by_token(cd, CDEVICE_1, 1, NULL, 0)), ""); // supposed to be silent
EQ_(r, -ETXTBSY);
OK_(crypt_activate_by_token(cd, NULL, 1, NULL, 0));
OK_(crypt_activate_by_token(cd, NULL, 1, NULL, CRYPT_ACTIVATE_KEYRING_KEY));
+
+ NOTFAIL_(keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING), "Test or kernel keyring are broken.");
}
#endif
OK_(get_luks2_offsets(0, 8192, 0, NULL, &r_payload_offset));
@@ -3528,7 +3534,7 @@ static void Luks2Requirements(void)
CRYPT_FREE(cd);
OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
OK_(crypt_load(cd, CRYPT_LUKS, NULL));
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0));
OK_(crypt_header_backup(cd, CRYPT_LUKS2, BACKUP_FILE));
/* replace header with no requirements */
OK_(_system("dd if=" REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1));
@@ -3566,7 +3572,7 @@ static void Luks2Requirements(void)
OK_(crypt_init_by_name(&cd, CDEVICE_1));
/* crypt_resume_by_passphrase (restricted) */
- FAIL_((r = crypt_resume_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3)), "Unmet requirements detected");
+ FAIL_((r = crypt_resume_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE))), "Unmet requirements detected");
EQ_(r, -ETXTBSY);
/* crypt_resume_by_keyfile (restricted) */
@@ -3580,13 +3586,13 @@ static void Luks2Requirements(void)
OK_(_system("dd if=" NO_REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1));
OK_(crypt_init_by_name(&cd, CDEVICE_1));
- OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3));
+ OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE)));
CRYPT_FREE(cd);
OK_(_system("dd if=" REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1));
OK_(crypt_init_by_name(&cd, CDEVICE_1));
/* load VK in keyring */
- OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
+ OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
/* crypt_resize (restricted) */
FAIL_((r = crypt_resize(cd, CDEVICE_1, 1)), "Unmet requirements detected");
EQ_(r, -ETXTBSY);
@@ -3622,7 +3628,6 @@ static void Luks2Integrity(void)
.integrity = "hmac(sha256)"
};
size_t key_size = 32 + 32;
- const char *passphrase = "blabla";
const char *cipher = "aes";
const char *cipher_mode = "xts-random";
int ret;
@@ -3636,8 +3641,8 @@ static void Luks2Integrity(void)
return;
}
- EQ_(crypt_keyslot_add_by_volume_key(cd, 7, NULL, key_size, passphrase, strlen(passphrase)), 7);
- EQ_(crypt_activate_by_passphrase(cd, CDEVICE_2, 7, passphrase, strlen(passphrase) ,0), 7);
+ EQ_(crypt_keyslot_add_by_volume_key(cd, 7, NULL, key_size, PASSPHRASE, strlen(PASSPHRASE)), 7);
+ EQ_(crypt_activate_by_passphrase(cd, CDEVICE_2, 7, PASSPHRASE, strlen(PASSPHRASE) ,0), 7);
GE_(crypt_status(cd, CDEVICE_2), CRYPT_ACTIVE);
CRYPT_FREE(cd);
@@ -3689,36 +3694,36 @@ static void Luks2Refresh(void)
OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
OK_(set_fast_pbkdf(cd));
OK_(crypt_format(cd, CRYPT_LUKS2, cipher, mode, NULL, key, 32, NULL));
- OK_(crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, 32, "aaa", 3));
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0));
+ OK_(crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, 32, PASSPHRASE, strlen(PASSPHRASE)));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0));
/* check we can refresh significant flags */
if (t_dm_crypt_discard_support()) {
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_ALLOW_DISCARDS));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_ALLOW_DISCARDS));
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
OK_(check_flag(cad.flags, CRYPT_ACTIVATE_ALLOW_DISCARDS));
cad.flags = 0;
}
if (t_dm_crypt_cpu_switch_support()) {
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SAME_CPU_CRYPT));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SAME_CPU_CRYPT));
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SAME_CPU_CRYPT));
cad.flags = 0;
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
cad.flags = 0;
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
cad.flags = 0;
}
OK_(crypt_volume_key_keyring(cd, 0));
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_KEYRING_KEY), "Unexpected flag raised.");
cad.flags = 0;
@@ -3726,7 +3731,7 @@ static void Luks2Refresh(void)
#ifdef KERNEL_KEYRING
if (t_dm_crypt_keyring_support()) {
OK_(crypt_volume_key_keyring(cd, 1));
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
OK_(check_flag(cad.flags, CRYPT_ACTIVATE_KEYRING_KEY));
cad.flags = 0;
@@ -3735,26 +3740,26 @@ static void Luks2Refresh(void)
/* multiple flags at once */
if (t_dm_crypt_discard_support() && t_dm_crypt_cpu_switch_support()) {
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS));
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS));
cad.flags = 0;
}
/* do not allow reactivation with read-only (and drop flag silently because activation behaves exactly same) */
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_READONLY));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_READONLY));
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_READONLY), "Reactivated with read-only flag.");
cad.flags = 0;
/* reload flag is dropped silently */
OK_(crypt_deactivate(cd, CDEVICE_1));
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
/* check read-only flag is not lost after reload */
OK_(crypt_deactivate(cd, CDEVICE_1));
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_READONLY));
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_READONLY));
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
OK_(check_flag(cad.flags, CRYPT_ACTIVATE_READONLY));
cad.flags = 0;
@@ -3762,7 +3767,7 @@ static void Luks2Refresh(void)
/* check LUKS2 with auth. enc. reload */
OK_(crypt_init(&cd2, DMDIR L_DEVICE_WRONG));
if (!crypt_format(cd2, CRYPT_LUKS2, "aes", "gcm-random", crypt_get_uuid(cd), key, 32, &params)) {
- OK_(crypt_keyslot_add_by_volume_key(cd2, 0, key, 32, "aaa", 3));
+ OK_(crypt_keyslot_add_by_volume_key(cd2, 0, key, 32, PASSPHRASE, strlen(PASSPHRASE)));
OK_(crypt_activate_by_volume_key(cd2, CDEVICE_2, key, 32, 0));
OK_(crypt_activate_by_volume_key(cd2, CDEVICE_2, key, 32, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_NO_JOURNAL));
OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad));
@@ -3772,11 +3777,11 @@ static void Luks2Refresh(void)
OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad));
OK_(check_flag(cad.flags, CRYPT_ACTIVATE_NO_JOURNAL | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
cad.flags = 0;
- OK_(crypt_activate_by_passphrase(cd2, CDEVICE_2, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
+ OK_(crypt_activate_by_passphrase(cd2, CDEVICE_2, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad));
FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_NO_JOURNAL), "");
FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS), "");
- FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS2/aead context");
+ FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS2/aead context");
OK_(crypt_deactivate(cd2, CDEVICE_2));
} else {
printf("WARNING: cannot format integrity device, skipping few reload tests.\n");
@@ -3786,8 +3791,8 @@ static void Luks2Refresh(void)
/* Use LUKS1 context on LUKS2 device */
OK_(crypt_init(&cd2, DMDIR L_DEVICE_1S));
OK_(crypt_format(cd2, CRYPT_LUKS1, cipher, mode, crypt_get_uuid(cd), key, 32, NULL));
- OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, NULL, 32, "aaa", 3));
- FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS1 context");
+ OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)));
+ FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS1 context");
CRYPT_FREE(cd2);
/* Use PLAIN context on LUKS2 device */
@@ -3803,8 +3808,8 @@ static void Luks2Refresh(void)
OK_(crypt_init(&cd2, DMDIR L_DEVICE_WRONG));
OK_(set_fast_pbkdf(cd2));
OK_(crypt_format(cd2, CRYPT_LUKS2, cipher, mode, crypt_get_uuid(cd), key, 32, NULL));
- OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, key, 32, "aaa", 3));
- FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed dm-crypt mapped over mismatching data device");
+ OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, key, 32, PASSPHRASE, strlen(PASSPHRASE)));
+ FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed dm-crypt mapped over mismatching data device");
OK_(crypt_deactivate(cd, CDEVICE_1));
@@ -4825,7 +4830,7 @@ static void LuksKeyslotAdd(void)
crypt_keyslot_context_free(um2);
// generate new unbound key
- OK_(crypt_keyslot_context_init_by_volume_key(cd, NULL, 1, &um1));
+ OK_(crypt_keyslot_context_init_by_volume_key(cd, NULL, 9, &um1));
OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &um2));
EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 10, um2, CRYPT_VOLUME_KEY_NO_SEGMENT), 10);
EQ_(crypt_keyslot_status(cd, 10), CRYPT_SLOT_UNBOUND);
diff --git a/tests/api-test.c b/tests/api-test.c
index 2b2f0813..9bb6d2f1 100644
--- a/tests/api-test.c
+++ b/tests/api-test.c
@@ -65,8 +65,8 @@
#define KEYFILE2 "key2.file"
#define KEY2 "0123456789abcdef"
-#define PASSPHRASE "blabla"
-#define PASSPHRASE1 "albalb"
+#define PASSPHRASE "blablabl"
+#define PASSPHRASE1 "albalbal"
#define DEVICE_TEST_UUID "12345678-1234-1234-1234-123456789abc"
@@ -327,7 +327,7 @@ static void AddDevicePlain(void)
char key[128], key2[128], path[128];
struct crypt_keyslot_context *kc = NULL;
- const char *passphrase = PASSPHRASE;
+ const char *passphrase = "blabla";
// hashed hex version of PASSPHRASE
const char *vk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea";
size_t key_size = strlen(vk_hex) / 2;
@@ -772,6 +772,10 @@ static void SuspendDevice(void)
OK_(crypt_deactivate(cd, CDEVICE_1));
CRYPT_FREE(cd);
+ /* skip tests using empty passphrase */
+ if(_fips_mode)
+ return;
+
OK_(get_luks_offsets(0, key_size, 1024*2, 0, NULL, &r_payload_offset));
OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1));
@@ -806,7 +810,7 @@ static void AddDeviceLuks(void)
};
char key[128], key2[128], key3[128];
- const char *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd";
+ const char *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd";
const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e";
size_t key_size = strlen(vk_hex) / 2;
@@ -2105,7 +2109,7 @@ static void LuksKeyslotAdd(void)
};
char key[128], key3[128];
- const char *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd";
+ const char *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd";
const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e";
size_t key_size = strlen(vk_hex) / 2;
diff --git a/tests/compat-test b/tests/compat-test
index 356b7283..6dc80041 100755
--- a/tests/compat-test
+++ b/tests/compat-test
@@ -450,10 +450,13 @@ if [ -d /dev/disk/by-uuid ] ; then
$CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
fi
+# skip tests using empty passphrase
+if [ ! fips_mode ]; then
# empty keyfile
$CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEYE || fail
$CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
+fi
# open by volume key
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT -s 256 --volume-key-file $KEY1 $LOOPDEV || fail
$CRYPTSETUP luksOpen --volume-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail
@@ -503,7 +506,7 @@ echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --
echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail
# keyfile/passphrase
-echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail
+echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 8 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: ENABLED" || fail
prepare "[18] RemoveKey passphrase and keyfile" reuse
@@ -728,12 +731,15 @@ echo $PWDW | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
[ $? -ne 2 ] && fail "luksResume should return EPERM exit code"
echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
+# skip tests using empty passphrase
+if [ ! fips_mode ]; then
echo | $CRYPTSETUP -q luksFormat -c null $FAST_PBKDF_OPT --type luks1 $LOOPDEV || fail
echo | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP luksSuspend $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail
echo | $CRYPTSETUP luksResume $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
+fi
prepare "[27] luksOpen/luksResume with specified key slot number" wipe
# first, let's try passphrase option
diff --git a/tests/compat-test2 b/tests/compat-test2
index 2f18d7b6..c54dc7ea 100755
--- a/tests/compat-test2
+++ b/tests/compat-test2
@@ -427,10 +427,14 @@ if [ -d /dev/disk/by-uuid ] ; then
$CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
fi
+# skip tests using empty passphrases
+if [ ! fips_mode ]; then
# empty keyfile
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEYE || fail
$CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
+fi
+
# open by volume key
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT -s 256 --volume-key-file $KEY1 --type luks2 $LOOPDEV || fail
$CRYPTSETUP luksOpen --volume-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail
@@ -477,7 +481,7 @@ echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --
echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
# keyfile/passphrase
-echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail
+echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 8 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" || fail
prepare "[18] RemoveKey passphrase and keyfile" reuse
@@ -1001,14 +1005,14 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "pbkdf2" || fail
echo $PWD1 | $CRYPTSETUP -q luksConvertKey $LOOPDEV -S 1 --pbkdf argon2i -i1 --pbkdf-memory 32 || can_fail_fips
$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || can_fail_fips
-echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 21 --unbound -s 16 $LOOPDEV || fail
+echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 21 --unbound -s 72 $LOOPDEV || fail
echo $PWD3 | $CRYPTSETUP luksConvertKey --pbkdf-force-iterations 1001 --pbkdf pbkdf2 -S 21 $LOOPDEV || fail
prepare "[38] luksAddKey unbound tests" wipe
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY5 --key-slot 5 || fail
# unbound key may have arbitrary size
-echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 16 $LOOPDEV || fail
-echo $PWD2 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 32 -S 2 $LOOPDEV || fail
+echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 72 $LOOPDEV || fail
+echo $PWD2 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 72 -S 2 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2 (unbound)" || fail
dd if=/dev/urandom of=$KEY_FILE0 bs=64 count=1 > /dev/null 2>&1 || fail
echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 512 -S 3 --volume-key-file $KEY_FILE0 $LOOPDEV || fail
@@ -1100,10 +1104,10 @@ $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 --key-slot 2 -
[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "2: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "2: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
# unbound keyslot
-echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 21 --unbound -s 32 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
+echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 21 --unbound -s 72 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "21: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "21: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
-echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 22 --unbound -s 32 $LOOPDEV || fail
+echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 22 --unbound -s 72 $LOOPDEV || fail
echo $PWD3 | $CRYPTSETUP luksConvertKey --key-slot 22 $LOOPDEV --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "22: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "22: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
diff --git a/tests/keyring-compat-test b/tests/keyring-compat-test
index 57c7fd98..ea88c210 100755
--- a/tests/keyring-compat-test
+++ b/tests/keyring-compat-test
@@ -21,7 +21,7 @@ NAME=testcryptdev
CHKS_DMCRYPT=vk_in_dmcrypt.chk
CHKS_KEYRING=vk_in_keyring.chk
-PWD="aaa"
+PWD="aaablabl"
[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test
index 433f4d4c..f6a84137 100755
--- a/tests/reencryption-compat-test
+++ b/tests/reencryption-compat-test
@@ -22,6 +22,12 @@ PWD3="1-9Qu5Ejfnqv"
MNT_DIR=./mnt_luks
START_DIR=$(pwd)
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+
+function fips_mode()
+{
+ [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+}
function del_scsi_device()
{
@@ -296,6 +302,7 @@ check_slot 0 || fail "Only keyslot 0 expected to be enabled"
$REENC $LOOPDEV1 -d $KEY1 $FAST_PBKDF -q || fail
# FIXME echo $PWD1 | $REENC ...
+if [ ! fips_mode ]; then
echo "[4] Encryption of not yet encrypted device"
# well, movin' zeroes :-)
OFFSET=2048
@@ -323,6 +330,7 @@ OFFSET=4096
echo fake | $REENC $LOOPDEV1 -d $KEY1 --new --type luks1 --reduce-device-size "$OFFSET"S -q $FAST_PBKDF || fail
$CRYPTSETUP open --test-passphrase $LOOPDEV1 -d $KEY1 || fail
wipe_dev $LOOPDEV1
+fi
echo "[5] Reencryption using specific keyslot"
echo $PWD2 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail
@@ -396,6 +404,7 @@ add_scsi_device sector_size=512 dev_size_mb=32 physblk_exp=3
test_logging "[4096/512 sector]" || fail
test_logging_tmpfs || fail
+if [ ! fips_mode ]; then
echo "[10] Removal of encryption"
prepare 8192
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail
@@ -460,6 +469,7 @@ if [ "$HAVE_BLKID" -gt 0 ]; then
echo $PWD1 | $REENC --header $IMG_HDR $HEADER_LUKS2_PV -q $FAST_PBKDF --new --type luks1 2>/dev/null && fail
test -f $IMG_HDR && fail
fi
+fi # if [ ! fips_mode ]
remove_mapping
exit 0
diff --git a/tests/ssh-test-plugin b/tests/ssh-test-plugin
index 0a440b93..5b3966e7 100755
--- a/tests/ssh-test-plugin
+++ b/tests/ssh-test-plugin
@@ -11,7 +11,7 @@ CRYPTSETUP_SSH=$CRYPTSETUP_PATH/cryptsetup-ssh
IMG="ssh_test.img"
MAP="sshtest"
USER="sshtest"
-PASSWD="sshtest"
+PASSWD="sshtest1"
PASSWD2="sshtest2"
SSH_OPTIONS="-o StrictHostKeyChecking=no"
--
2.38.1

55
SOURCES/cryptsetup-2.6.1-Enable-crypt_header_is_detached-for-empty-contexts.patch
View File

@ -1,55 +0,0 @@
From be088b8de8d636993767a42f195ffd3bf915e567 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Mon, 12 Dec 2022 17:33:12 +0100
Subject: [PATCH 1/2] Enable crypt_header_is_detached for empty contexts.
Also changes few tests now expecting crypt_header_is_detached
works with empty contexts.
---
lib/setup.c | 2 +-
tests/api-test-2.c | 2 +-
tests/api-test.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/setup.c b/lib/setup.c
index f169942c..3263578b 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -3242,7 +3242,7 @@ int crypt_header_is_detached(struct crypt_device *cd)
{
int r;
- if (!cd || !isLUKS(cd->type))
+ if (!cd || (cd->type && !isLUKS(cd->type)))
return -EINVAL;
r = device_is_identical(crypt_data_device(cd), crypt_metadata_device(cd));
diff --git a/tests/api-test-2.c b/tests/api-test-2.c
index 2c39191b..c7e930ca 100644
--- a/tests/api-test-2.c
+++ b/tests/api-test-2.c
@@ -889,7 +889,7 @@ static void AddDeviceLuks2(void)
FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, key, key_size, 0), "Device is active");
EQ_(crypt_status(cd, CDEVICE_2), CRYPT_INACTIVE);
OK_(crypt_deactivate(cd, CDEVICE_1));
- FAIL_(crypt_header_is_detached(cd), "no header for mismatched device");
+ EQ_(crypt_header_is_detached(cd), 1);
CRYPT_FREE(cd);
params.data_device = NULL;
diff --git a/tests/api-test.c b/tests/api-test.c
index 9bb6d2f1..f6e33a40 100644
--- a/tests/api-test.c
+++ b/tests/api-test.c
@@ -960,7 +960,7 @@ static void AddDeviceLuks(void)
FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, key, key_size, 0), "Device is active");
EQ_(crypt_status(cd, CDEVICE_2), CRYPT_INACTIVE);
OK_(crypt_deactivate(cd, CDEVICE_1));
- FAIL_(crypt_header_is_detached(cd), "no header for mismatched device");
+ EQ_(crypt_header_is_detached(cd), 1);
CRYPT_FREE(cd);
params.data_device = NULL;
--
2.38.1

58
SOURCES/cryptsetup-2.6.1-Run-PBKDF-benchmark-with-8-bytes-long-well-known-pas.patch
View File

@ -1,58 +0,0 @@
From a33f7bf5ca33587ddb05f2acac42f93068022458 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Fri, 2 Dec 2022 11:39:59 +0100
Subject: [PATCH 1/3] Run PBKDF benchmark with 8 bytes long well-known
passphrase.
---
lib/utils_benchmark.c | 4 ++--
src/cryptsetup.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/utils_benchmark.c b/lib/utils_benchmark.c
index 0a0c438e..d8976fb2 100644
--- a/lib/utils_benchmark.c
+++ b/lib/utils_benchmark.c
@@ -187,7 +187,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd,
pbkdf->parallel_threads = 0; /* N/A in PBKDF2 */
pbkdf->max_memory_kb = 0; /* N/A in PBKDF2 */
- r = crypt_benchmark_pbkdf(cd, pbkdf, "foo", 3, "01234567890abcdef", 16,
+ r = crypt_benchmark_pbkdf(cd, pbkdf, "foobarfo", 8, "01234567890abcdef", 16,
volume_key_size, &benchmark_callback, &u);
pbkdf->time_ms = ms_tmp;
if (r < 0) {
@@ -207,7 +207,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd,
return 0;
}
- r = crypt_benchmark_pbkdf(cd, pbkdf, "foo", 3,
+ r = crypt_benchmark_pbkdf(cd, pbkdf, "foobarfo", 8,
"0123456789abcdef0123456789abcdef", 32,
volume_key_size, &benchmark_callback, &u);
if (r < 0)
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index c2e23c6e..dfaf7682 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -997,7 +997,7 @@ static int action_benchmark_kdf(const char *kdf, const char *hash, size_t key_si
.time_ms = 1000,
};
- r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foo", 3, "0123456789abcdef", 16, key_size,
+ r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foobarfo", 8, "0123456789abcdef", 16, key_size,
&benchmark_callback, &pbkdf);
if (r < 0)
log_std(_("PBKDF2-%-9s N/A\n"), hash);
@@ -1012,7 +1012,7 @@ static int action_benchmark_kdf(const char *kdf, const char *hash, size_t key_si
.parallel_threads = ARG_UINT32(OPT_PBKDF_PARALLEL_ID)
};
- r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foo", 3,
+ r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foobarfo", 8,
"0123456789abcdef0123456789abcdef", 32,
key_size, &benchmark_callback, &pbkdf);
if (r < 0)
--
2.38.1

81
SOURCES/cryptsetup-2.7.0-Also-disallow-active-devices-with-internal-kernel-na.patch
View File

@ -1,81 +0,0 @@
From dff9ee8c8cb68432e96261b87aabb7aaa51215e7 Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Tue, 2 May 2023 15:42:21 +0200
Subject: [PATCH] Also disallow active devices with internal kernel names.
The same problem fixed in commit 438cf1d1b3ef6d7405cfbcbe5f631d3d7467a605
is present in libdevmapper wrapper when parsing active device table.
The whole point of conversion was that non-authenticated modes
can be always represented in the old cipher-mode-iv format.
As the internal names contains dash, these are unsupported.
That said, the libdevmapper backend now correctly returns
full cipher specification including capi prefix for this case.
Init_by_name call now fails with incomplatible cipher definition error.
---
lib/setup.c | 2 +-
lib/utils_crypt.c | 9 +++++++++
tests/mode-test | 5 +++++
3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/lib/setup.c b/lib/setup.c
index 4bc3f6fb..57435475 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -1258,7 +1258,7 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name)
r = crypt_parse_name_and_mode(tgt->type == DM_LINEAR ? "null" : tgt->u.crypt.cipher, cipher,
&key_nums, cipher_mode);
if (r < 0) {
- log_dbg(cd, "Cannot parse cipher and mode from active device.");
+ log_err(cd, _("No known cipher specification pattern detected for active device %s."), name);
goto out;
}
diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c
index c1bde000..9232a91d 100644
--- a/lib/utils_crypt.c
+++ b/lib/utils_crypt.c
@@ -306,6 +306,15 @@ int crypt_capi_to_cipher(char **org_c, char **org_i, const char *c_dm, const cha
if (i != 2)
return -EINVAL;
+ /* non-cryptsetup compatible mode (generic driver with dash?) */
+ if (strrchr(iv, ')')) {
+ if (i_dm)
+ return -EINVAL;
+ if (!(*org_c = strdup(c_dm)))
+ return -ENOMEM;
+ return 0;
+ }
+
len = strlen(tmp);
if (len < 2)
return -EINVAL;
diff --git a/tests/mode-test b/tests/mode-test
index fe61880a..4775751e 100755
--- a/tests/mode-test
+++ b/tests/mode-test
@@ -8,6 +8,7 @@ DEV_NAME=dmc_test
HEADER_IMG=mode-test.img
PASSWORD=3xrododenron
PASSWORD1=$PASSWORD
+KEY="7c0dc5dfd0c9191381d92e6ebb3b29e7f0dba53b0de132ae23f5726727173540"
FAST_PBKDF2="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
# cipher-chainmode-ivopts:ivmode
@@ -188,6 +189,10 @@ echo -n "CAPI format:"
echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail
$CRYPTSETUP close "$DEV_NAME"_tstdev || fail
echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail
+dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail
+$CRYPTSETUP status "$DEV_NAME"_tstdev >/dev/null 2>&1 && fail
+$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null && fail
+dmsetup remove "$DEV_NAME"_tstdev || fail
echo [OK]
cleanup
--
2.41.0

68
SOURCES/cryptsetup-2.7.0-Disallow-use-of-internal-kenrel-crypto-driver-names-.patch
View File

@ -1,68 +0,0 @@
From 438cf1d1b3ef6d7405cfbcbe5f631d3d7467a605 Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Mon, 24 Apr 2023 21:19:03 +0200
Subject: [PATCH] Disallow use of internal kenrel crypto driver names in "capi"
specification.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The common way to specify cipher mode in cryptsetup
is to use cipher-mode-iv notation (like aes-xts-plain64).
With introduction of authenticated ciphers we also allow "capi:<spec>"
notation that is directly used by dm-crypt (e.g. capi:xts(aes)-plain64).
CAPI specification was never intended to be used with internal
kernel crypto api names (with dash in algorithm name), actually the
whole parsing routine wrongly parses mode here now.
The code not checks if parsing wrongly separated the full cipher
string and effectively allowing only proper cipher names
(example of no longer supported string is capi:xts(ecb(aes-generic))-plain64).
Thanks to Jan Wichelmann, Luca Wilke and Thomas Eisenbarth from
University of Lübeck for noticing the problems with this code.
Fixes: #809
---
lib/utils_crypt.c | 8 +++++++-
tests/mode-test | 6 ++++++
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c
index 0b7dc378..c1bde000 100644
--- a/lib/utils_crypt.c
+++ b/lib/utils_crypt.c
@@ -43,7 +43,13 @@ int crypt_parse_name_and_mode(const char *s, char *cipher, int *key_nums,
cipher, cipher_mode) == 2) {
if (!strcmp(cipher_mode, "plain"))
strcpy(cipher_mode, "cbc-plain");
- if (key_nums) {
+ if (!strncmp(cipher, "capi:", 5)) {
+ /* CAPI must not use internal cipher driver names with dash */
+ if (strchr(cipher_mode, ')'))
+ return -EINVAL;
+ if (key_nums)
+ *key_nums = 1;
+ } else if (key_nums) {
char *tmp = strchr(cipher, ':');
*key_nums = tmp ? atoi(++tmp) : 1;
if (!*key_nums)
diff --git a/tests/mode-test b/tests/mode-test
index 82171fbd..fe61880a 100755
--- a/tests/mode-test
+++ b/tests/mode-test
@@ -184,4 +184,10 @@ done
dmcrypt xchacha12,aes-adiantum-plain64
dmcrypt xchacha20,aes-adiantum-plain64
+echo -n "CAPI format:"
+echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail
+$CRYPTSETUP close "$DEV_NAME"_tstdev || fail
+echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail
+echo [OK]
+
cleanup
--
2.41.0

81
SOURCES/cryptsetup-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch
View File

@ -1,81 +0,0 @@
From b8711faf92868dc82b1a64e7673740444199b2ca Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Sun, 25 Jun 2023 23:32:13 +0200
Subject: [PATCH] Fix activation of LUKS2 with capi format cipher and kernel
crypt name.
While activation of internal cipher algorithms (like aes-generic)
is disallowed, some old LUKS2 images can still use it.
Check the cipher in activate call, but allow to load LUKS2 metadata.
This can allow to add repair code easily and also allow luksDump.
Also fix segfault in reencrypt code for such a header.
Fixes: #820
---
lib/luks2/luks2_json_metadata.c | 5 +++++
tests/Makefile.am | 4 +++-
tests/compat-test2 | 17 ++++++++++++++++-
tests/luks2_invalid_cipher.img.xz | Bin 0 -> 135372 bytes
tests/meson.build | 1 +
5 files changed, 25 insertions(+), 2 deletions(-)
create mode 100644 tests/luks2_invalid_cipher.img.xz
Index: cryptsetup-2.6.0/lib/luks2/luks2_json_metadata.c
===================================================================
--- cryptsetup-2.6.0.orig/lib/luks2/luks2_json_metadata.c
+++ cryptsetup-2.6.0/lib/luks2/luks2_json_metadata.c
@@ -2597,6 +2597,11 @@ int LUKS2_activate(struct crypt_device *
if ((r = LUKS2_unmet_requirements(cd, hdr, 0, 0)))
return r;
+ /* Check that cipher is in compatible format */
+ if (!crypt_get_cipher(cd)) {
+ log_err(cd, _("No known cipher specification pattern detected in LUKS2 header."));
+ return -EINVAL;
+ }
r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd),
vk, crypt_get_cipher_spec(cd), crypt_get_iv_offset(cd),
crypt_get_data_offset(cd), crypt_get_integrity(cd) ?: "none",
Index: cryptsetup-2.6.0/tests/compat-test2
===================================================================
--- cryptsetup-2.6.0.orig/tests/compat-test2
+++ cryptsetup-2.6.0/tests/compat-test2
@@ -16,6 +16,7 @@ IMG10=luks-test-v10
HEADER_IMG=luks-header
HEADER_KEYU=luks2_keyslot_unassigned.img
HEADER_LUKS2_PV=blkid-luks2-pv.img
+HEADER_LUKS2_INV=luks2_invalid_cipher.img
KEY1=key1
KEY2=key2
KEY5=key5
@@ -50,7 +51,9 @@ function remove_mapping()
[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
losetup -d $LOOPDEV >/dev/null 2>&1
- rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE $HEADER_LUKS2_PV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* $KEY_FILE0 $KEY_FILE1 >/dev/null 2>&1
+ rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE \
+ $HEADER_LUKS2_PV $HEADER_LUKS2_INV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* \
+ $KEY_FILE0 $KEY_FILE1 >/dev/null 2>&1
# unlink whole test keyring
[ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null
@@ -1200,5 +1203,17 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys
$CRYPTSETUP open -q --test-passphrase --token-only --token-id 0 -q $IMG || fail
fi
+prepare "[44] LUKS2 invalid cipher (kernel cipher driver name)" wipe
+xz -dk $HEADER_LUKS2_INV.xz
+dd if=$HEADER_LUKS2_INV of=$IMG conv=notrunc >/dev/null 2>&1
+$CRYPTSETUP -q luksDump $LOOPDEV | grep -q "capi:xts(ecb(aes-generic))-plain64" || fail
+echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail
+echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME 2>&1 | grep -q "No known cipher specification pattern" || fail
+echo $PWD1 | $CRYPTSETUP reencrypt $LOOPDEV >/dev/null 2>&1 && fail
+dmsetup create $DEV_NAME --uuid CRYPT-LUKS2-3d20686f551748cb89911ad32379821b-test --table \
+ "0 8 crypt capi:xts(ecb(aes-generic))-plain64 edaa40709797973715e572bf7d86fcbb9cfe2051083c33c28d58fe4e1e7ff642 0 $LOOPDEV 32768"
+$CRYPTSETUP status $DEV_NAME | grep -q "n/a" || fail
+$CRYPTSETUP close $DEV_NAME ||fail
+
remove_mapping
exit 0

52
SOURCES/cryptsetup-2.7.0-Fix-init_by_name-to-allow-unknown-cipher-format-in-d.patch
View File

@ -1,52 +0,0 @@
From 53aa5f6c4f7439db1b25846597fb5603870ba55e Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Mon, 5 Jun 2023 16:02:06 +0200
Subject: [PATCH] Fix init_by_name to allow unknown cipher format in dm-crypt
as null context.
Deactivation code should deactivate dm-crypt device even if it is unknown
for libcryptsetup. Previous fix for cipher specification was too strict.
Let's allow initialization as null context, that allow status and
deactivate to be usable again.
---
lib/setup.c | 6 ++++++
tests/mode-test | 5 ++---
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/lib/setup.c b/lib/setup.c
index fd17be8c..786aa900 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -1276,6 +1276,12 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name)
r = crypt_parse_name_and_mode(tgt->type == DM_LINEAR ? "null" : tgt->u.crypt.cipher, cipher,
&key_nums, cipher_mode);
if (r < 0) {
+ /* Allow crypt null context with unknown cipher string */
+ if (tgt->type == DM_CRYPT && !tgt->u.crypt.integrity) {
+ crypt_set_null_type(cd);
+ r = 0;
+ goto out;
+ }
log_err(cd, _("No known cipher specification pattern detected for active device %s."), name);
goto out;
}
diff --git a/tests/mode-test b/tests/mode-test
index 4775751e..7f7f20a1 100755
--- a/tests/mode-test
+++ b/tests/mode-test
@@ -190,9 +190,8 @@ echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256
$CRYPTSETUP close "$DEV_NAME"_tstdev || fail
echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail
dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail
-$CRYPTSETUP status "$DEV_NAME"_tstdev >/dev/null 2>&1 && fail
-$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null && fail
-dmsetup remove "$DEV_NAME"_tstdev || fail
+$CRYPTSETUP status "$DEV_NAME"_tstdev 2>/dev/null | grep "type:" | grep -q "n/a" || fail
+$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null || fail
echo [OK]
cleanup
--
2.41.0

31
SOURCES/cryptsetup-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch
View File

@ -1,31 +0,0 @@
From 1f01eea60e38ac92aa05e4b95372d54b7b9095df Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Mon, 26 Jun 2023 13:25:59 +0200
Subject: [PATCH] Fix reencryption to fail properly for unknown cipher.
crypt_get_cipher and crypt_get_cipher mode can return NULL,
check it in advance.
---
src/utils_reencrypt.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/utils_reencrypt.c b/src/utils_reencrypt.c
index a78557cb..8ffceb36 100644
--- a/src/utils_reencrypt.c
+++ b/src/utils_reencrypt.c
@@ -419,6 +419,12 @@ static bool luks2_reencrypt_eligible(struct crypt_device *cd)
return false;
}
+ /* Check that cipher is in compatible format */
+ if (!crypt_get_cipher(cd)) {
+ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
+ return false;
+ }
+
return true;
}
--
2.41.0

39
SOURCES/cryptsetup-2.7.5-Abort-online-reencryption-for-misconfigured-devices.patch Normal file
View File

@ -0,0 +1,39 @@
From 63bb997b41b8e92fe09ce8cb6582e094e00e19a6 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Mon, 26 Aug 2024 10:46:52 +0200
Subject: [PATCH 08/10] Abort online reencryption for misconfigured devices.
Hard abort is justified here. The online reencryption on
data devices that do not support O_DIRECT io flag is
dangerous and leads to data corruption. This should be
impossible to hit due to a patch that handles it
in initialization phase. Better safe than sorry.
---
lib/luks2/luks2_reencrypt.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/lib/luks2/luks2_reencrypt.c b/lib/luks2/luks2_reencrypt.c
index 6519c1e3..05f69d18 100644
--- a/lib/luks2/luks2_reencrypt.c
+++ b/lib/luks2/luks2_reencrypt.c
@@ -4230,9 +4230,14 @@ int crypt_reencrypt_run(
log_dbg(cd, "Resuming LUKS2 reencryption.");
- if (rh->online && reencrypt_init_device_stack(cd, rh)) {
- log_err(cd, _("Failed to initialize reencryption device stack."));
- return -EINVAL;
+ if (rh->online) {
+ /* This is last resort to avoid data corruption. Abort is justified here. */
+ assert(device_direct_io(crypt_data_device(cd)));
+
+ if (reencrypt_init_device_stack(cd, rh)) {
+ log_err(cd, _("Failed to initialize reencryption device stack."));
+ return -EINVAL;
+ }
}
log_dbg(cd, "Progress %" PRIu64 ", device_size %" PRIu64, rh->progress, rh->device_size);
--
2.46.0

35
SOURCES/cryptsetup-2.7.5-Do-not-handle-device-as-suspended-on-error.patch Normal file
View File

@ -0,0 +1,35 @@
From 53198bdea94e610e1e0378e3aff56e8d9f45ac09 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Thu, 22 Aug 2024 13:39:06 +0200
Subject: [PATCH 01/10] Do not handle device as suspended on error.
Consider device is suspended only if dm_status_suspended return code
is true.
This function returned -EEXIST for dm devices with target types unknown
to libcryptsetup (for example dm-cache) and turned off O_DIRECT flag
for devices unexpectedly.
Turned out ignoring direct-io was a problem after all :).
Fixes: 0f51b5bacbf7 (Do not run sector read check on suspended device.)
---
lib/utils_device.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/utils_device.c b/lib/utils_device.c
index 3e2ac4f3..eccaf048 100644
--- a/lib/utils_device.c
+++ b/lib/utils_device.c
@@ -178,7 +178,7 @@ static int device_ready(struct crypt_device *cd, struct device *device)
if (devfd >= 0) {
/* skip check for suspended DM devices */
dm_name = device_dm_name(device);
- if (dm_name && dm_status_suspended(cd, dm_name)) {
+ if (dm_name && dm_status_suspended(cd, dm_name) > 0) {
close(devfd);
devfd = -1;
} else if (device_read_test(devfd) == 0) {
--
2.46.0

78
SOURCES/cryptsetup-2.7.5-Fix-detection-of-direct-io-with-suspended-devices.patch Normal file
View File

@ -0,0 +1,78 @@
From 4cdd022ba42df17b027be7c35c7028d01b54cecc Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Tue, 27 Aug 2024 12:13:54 +0200
Subject: [PATCH 06/10] Fix detection of direct-io with suspended devices.
Currently, direct-io is disabled if underlying device is suspended.
This was an unfortunate change, as it is part of data corruption
problem in online reenryption.
Let's relax the test to assume that suspended device
(suspended => must be a device-mapper device) supports direct-io.
The read test is still needed as some network based devices
misbehaves if opened with direct-io flag.
---
lib/utils_device.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/lib/utils_device.c b/lib/utils_device.c
index eccaf048..6b7af6e1 100644
--- a/lib/utils_device.c
+++ b/lib/utils_device.c
@@ -127,11 +127,19 @@ static size_t device_alignment_fd(int devfd)
return (size_t)alignment;
}
-static int device_read_test(int devfd)
+static int device_read_test(struct crypt_device *cd, int devfd, struct device *device)
{
char buffer[512];
int r = -EIO;
size_t minsize = 0, blocksize, alignment;
+ const char *dm_name;
+
+ /* skip check for suspended DM devices */
+ dm_name = device_dm_name(device);
+ if (dm_name && dm_status_suspended(cd, dm_name) > 0) {
+ log_dbg(cd, "Device %s is suspended, assuming direct-io is supported.", dm_name);
+ return 0;
+ }
blocksize = device_block_size_fd(devfd, &minsize);
alignment = device_alignment_fd(devfd);
@@ -148,6 +156,8 @@ static int device_read_test(int devfd)
if (read_blockwise(devfd, blocksize, alignment, buffer, minsize) == (ssize_t)minsize)
r = 0;
+ log_dbg(cd, "Direct-io is supported and works.");
+
crypt_safe_memzero(buffer, sizeof(buffer));
return r;
}
@@ -165,7 +175,6 @@ static int device_ready(struct crypt_device *cd, struct device *device)
int devfd = -1, r = 0;
struct stat st;
size_t tmp_size;
- const char *dm_name;
if (!device)
return -EINVAL;
@@ -176,12 +185,7 @@ static int device_ready(struct crypt_device *cd, struct device *device)
device->o_direct = 0;
devfd = open(device_path(device), O_RDONLY | O_DIRECT);
if (devfd >= 0) {
- /* skip check for suspended DM devices */
- dm_name = device_dm_name(device);
- if (dm_name && dm_status_suspended(cd, dm_name) > 0) {
- close(devfd);
- devfd = -1;
- } else if (device_read_test(devfd) == 0) {
+ if (device_read_test(cd, devfd, device) == 0) {
device->o_direct = 1;
} else {
close(devfd);
--
2.46.0

35
SOURCES/cryptsetup-2.7.5-Harden-online-reencryption-checks-in-initialization-.patch Normal file
View File

@ -0,0 +1,35 @@
From 9991cbc306963c8f03eb6dad82fa6c12f75d3b97 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Mon, 26 Aug 2024 10:44:50 +0200
Subject: [PATCH 07/10] Harden online reencryption checks in initialization
phase.
Verify the data device supports O_DIRECT io flag in
the initialization phase. Online reencryption is not
safe unless we can read and write the data in direct
mode.
---
lib/luks2/luks2_reencrypt.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/lib/luks2/luks2_reencrypt.c b/lib/luks2/luks2_reencrypt.c
index c77de3f6..6519c1e3 100644
--- a/lib/luks2/luks2_reencrypt.c
+++ b/lib/luks2/luks2_reencrypt.c
@@ -3788,6 +3788,13 @@ static int reencrypt_init_by_passphrase(struct crypt_device *cd,
if (flags & CRYPT_REENCRYPT_RECOVERY)
return reencrypt_recovery_by_passphrase(cd, hdr, keyslot_old, keyslot_new, passphrase, passphrase_size);
+ if (name && !device_direct_io(crypt_data_device(cd))) {
+ log_dbg(cd, "Device %s does not support direct I/O.", device_path(crypt_data_device(cd)));
+ /* FIXME: Add more specific error mesage for translation later. */
+ log_err(cd, _("Failed to initialize reencryption device stack."));
+ return -EINVAL;
+ }
+
if (cipher && !crypt_cipher_wrapped_key(cipher, cipher_mode)) {
r = crypt_keyslot_get_key_size(cd, keyslot_new);
if (r < 0)
--
2.46.0

28
SOURCES/cryptsetup-2.7.5-Return-suspended-status-also-for-unknow-target-types.patch Normal file
View File

@ -0,0 +1,28 @@
From aeada055d19cddeda68661dc929a78b2bee35e25 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Thu, 22 Aug 2024 13:41:03 +0200
Subject: [PATCH 1/9] Return suspended status also for unknow target types.
This patch allows dm_status_suspended() to report if device
is suspended or not also for unknown target types from
libcryptsetup perspective (e.g.: dm-cache).
---
lib/libdevmapper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
index b8592ffa..a562a2d7 100644
--- a/lib/libdevmapper.c
+++ b/lib/libdevmapper.c
@@ -1911,7 +1911,7 @@ int dm_status_suspended(struct crypt_device *cd, const char *name)
r = dm_status_dmi(name, &dmi, NULL, NULL);
dm_exit_context();
- if (r < 0)
+ if (r < 0 && r != -EEXIST)
return r;
return dmi.suspended ? 1 : 0;
--
2.46.0

39
SOURCES/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch
View File

@ -12,36 +12,29 @@ bytes.
lib/luks2/luks2_keyslot_luks2.c | 2 ++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c
index de97b73c..225e84b8 100644
--- a/lib/luks1/keymanage.c
+++ b/lib/luks1/keymanage.c
@@ -924,8 +924,11 @@ int LUKS_set_key(unsigned int keyIndex,
hdr->keyblock[keyIndex].passwordSalt, LUKS_SALTSIZE,
Index: cryptsetup-2.7.2/lib/luks1/keymanage.c
===================================================================
--- cryptsetup-2.7.2.orig/lib/luks1/keymanage.c
+++ cryptsetup-2.7.2/lib/luks1/keymanage.c
@@ -926,6 +926,8 @@ int LUKS_set_key(unsigned int keyIndex,
derived_key->key, hdr->keyBytes,
hdr->keyblock[keyIndex].passwordIterations, 0, 0);
- if (r < 0)
+ if (r < 0) {
if (r < 0) {
+ if (crypt_fips_mode() && passwordLen < 8)
+ log_err(ctx, _("Invalid passphrase for PBKDF2 in FIPS mode."));
goto out;
+ }
/*
* AF splitting, the volume key stored in vk->key is split to AfKey
diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c
index 78f74242..f480bcab 100644
--- a/lib/luks2/luks2_keyslot_luks2.c
+++ b/lib/luks2/luks2_keyslot_luks2.c
@@ -265,6 +265,8 @@ static int luks2_keyslot_set_key(struct crypt_device *cd,
free(salt);
if (r < 0) {
if ((crypt_backend_flags() & CRYPT_BACKEND_PBKDF2_INT) &&
hdr->keyblock[keyIndex].passwordIterations > INT_MAX)
log_err(ctx, _("PBKDF2 iteration value overflow."));
Index: cryptsetup-2.7.2/lib/luks2/luks2_keyslot_luks2.c
===================================================================
--- cryptsetup-2.7.2.orig/lib/luks2/luks2_keyslot_luks2.c
+++ cryptsetup-2.7.2/lib/luks2/luks2_keyslot_luks2.c
@@ -269,6 +269,8 @@ static int luks2_keyslot_set_key(struct
pbkdf.iterations > INT_MAX)
log_err(cd, _("PBKDF2 iteration value overflow."));
crypt_free_volume_key(derived_key);
+ if (crypt_fips_mode() && passwordLen < 8 && !strcmp(pbkdf.type, "pbkdf2"))
+ log_err(cd, _("Invalid passphrase for PBKDF2 in FIPS mode."));
return r;
}
--
2.38.1

42
SOURCES/cryptsetup-Enable-to-use-Argon2-in-FIPS-with-openssl-backend.patch Normal file
View File

@ -0,0 +1,42 @@
From cfd043f6f0527407c57fb5a2735ee8e22c070cd7 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Wed, 28 Aug 2024 17:06:12 +0200
Subject: [PATCH 09/10] Enable to use Argon2 in FIPS with openssl backend.
This patch is required to read existing LUKS2
keyslots created with Argon2 KDF before the system
got switched in FIPS mode. Creating new keyslots using
Argon2 was already blocked elsewhere and before this patch.
---
lib/crypto_backend/crypto_openssl.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/crypto_backend/crypto_openssl.c b/lib/crypto_backend/crypto_openssl.c
index 9f1be9e0..07c133b0 100644
--- a/lib/crypto_backend/crypto_openssl.c
+++ b/lib/crypto_backend/crypto_openssl.c
@@ -611,13 +611,20 @@ static int openssl_argon2(const char *type, const char *password, size_t passwor
OSSL_PARAM_uint(OSSL_KDF_PARAM_THREADS, &threads),
OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_LANES, &parallel),
OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_MEMCOST, &memory),
+ /* to allow fetching blake2 in FIPS mode in later KDF_derive routine */
+ OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_PROPERTIES, "-fips", 0),
OSSL_PARAM_END
};
if (OSSL_get_max_threads(ossl_ctx) == 0)
threads = 1;
- argon2 = EVP_KDF_fetch(ossl_ctx, type, NULL);
+ /*
+ * '-fips' skips fips provider for Argon2 variants implementations.
+ * We need it to be able to read existing keyslots in FIPS mode.
+ * Writing new Argon2 enabled keyslots in FIPS mode is blocked elsewhere.
+ */
+ argon2 = EVP_KDF_fetch(ossl_ctx, type, "-fips");
if (!argon2)
return -EINVAL;
--
2.46.0

37
SOURCES/cryptsetup-Warn-if-Argon2-keyslot-is-unlocked-in-FIPS-mode.patch Normal file
View File

@ -0,0 +1,37 @@
From f903ddcf447474fda1a036584b550d12dd620a73 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Thu, 29 Aug 2024 15:31:08 +0200
Subject: [PATCH 10/10] Warn if Argon2 keyslot is unlocked in FIPS mode.
---
lib/luks2/luks2_keyslot.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/luks2/luks2_keyslot.c b/lib/luks2/luks2_keyslot.c
index bb9d4537..2f979d81 100644
--- a/lib/luks2/luks2_keyslot.c
+++ b/lib/luks2/luks2_keyslot.c
@@ -573,6 +573,7 @@ int LUKS2_keyslot_open(struct crypt_device *cd,
{
struct luks2_hdr *hdr;
int r_prio, r = -EINVAL;
+ struct crypt_pbkdf_type pbkdf;
hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
if (!hdr)
@@ -599,7 +600,11 @@ int LUKS2_keyslot_open(struct crypt_device *cd,
log_err(cd, _("Not enough available memory to open a keyslot."));
else if (r != -EPERM && r != -ENOENT)
log_err(cd, _("Keyslot open failed."));
- }
+ } else if (crypt_fips_mode() && !LUKS2_keyslot_pbkdf(hdr, r, &pbkdf) &&
+ !strncmp(pbkdf.type, "argon2", 6))
+ log_err(cd, "The %s KDF used in keyslot %d is not FIPS compliant.\n"
+ "Please refer to cryptsetup-luksConvertKey(8) man page to switch it to pbkdf2.",
+ pbkdf.type, r);
return r;
}
--
2.46.0

11
SOURCES/cryptsetup-add-system-library-paths.patch
View File

@ -1,7 +1,8 @@
diff -rupN cryptsetup-2.2.0.old/configure cryptsetup-2.2.0/configure
--- cryptsetup-2.2.0.old/configure 2019-08-14 20:45:07.000000000 +0200
+++ cryptsetup-2.2.0/configure 2019-08-15 09:11:14.775184005 +0200
@@ -12294,6 +12294,9 @@ fi
Index: cryptsetup-2.7.0/configure
===================================================================
--- cryptsetup-2.7.0.orig/configure
+++ cryptsetup-2.7.0/configure
@@ -14161,6 +14161,9 @@ fi
# before this can be enabled.
hardcode_into_libs=yes
@ -11,7 +12,7 @@ diff -rupN cryptsetup-2.2.0.old/configure cryptsetup-2.2.0/configure
# Ideally, we could use ldconfig to report *all* directores which are
# searched for libraries, however this is still not possible. Aside from not
# being certain /sbin/ldconfig is available, command
@@ -12302,7 +12305,7 @@ fi
@@ -14169,7 +14172,7 @@ fi
# appending ld.so.conf contents (and includes) to the search path.
if test -f /etc/ld.so.conf; then
lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`

49
SPECS/cryptsetup.spec
View File

@ -1,6 +1,6 @@
Summary: Utility for setting up encrypted disks
Name: cryptsetup
Version: 2.6.0
Version: 2.7.2
Release: 3%{?dist}
License: GPLv2+ and LGPLv2+
URL: https://gitlab.com/cryptsetup/cryptsetup
@ -15,23 +15,17 @@ Obsoletes: %{name}-reencrypt <= %{version}
Provides: %{name}-reencrypt = %{version}
%global upstream_version %{version}
Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-%{upstream_version}.tar.xz
# binary archive with updated tests/conversion_imgs.tar.xz and tests/luks2_header_requirements.tar.xz
# for testing (can not be patched via rpmbuild)
Source1: tests.tar.xz
Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-%{upstream_version}.tar.xz
Patch0001: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch
Patch0002: %{name}-2.7.5-Do-not-handle-device-as-suspended-on-error.patch
Patch0003: %{name}-2.7.5-Return-suspended-status-also-for-unknow-target-types.patch
Patch0004: %{name}-2.7.5-Fix-detection-of-direct-io-with-suspended-devices.patch
Patch0005: %{name}-2.7.5-Harden-online-reencryption-checks-in-initialization-.patch
Patch0006: %{name}-2.7.5-Abort-online-reencryption-for-misconfigured-devices.patch
Patch0007: %{name}-Enable-to-use-Argon2-in-FIPS-with-openssl-backend.patch
Patch0008: %{name}-Warn-if-Argon2-keyslot-is-unlocked-in-FIPS-mode.patch
# Following patch has to applied last
Patch0000: %{name}-2.6.1-Run-PBKDF-benchmark-with-8-bytes-long-well-known-pas.patch
Patch0001: %{name}-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch
Patch0002: %{name}-2.6.1-Enable-crypt_header_is_detached-for-empty-contexts.patch
Patch0003: %{name}-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch
Patch0004: %{name}-2.7.0-Disallow-use-of-internal-kenrel-crypto-driver-names-.patch
Patch0005: %{name}-2.7.0-Also-disallow-active-devices-with-internal-kernel-na.patch
Patch0006: %{name}-2.7.0-Fix-init_by_name-to-allow-unknown-cipher-format-in-d.patch
Patch0007: %{name}-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch
Patch0008: %{name}-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch
Patch9998: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch
Patch9999: %{name}-add-system-library-paths.patch
%description
@ -70,11 +64,11 @@ The integritysetup package contains a utility for setting up
disk integrity protection using dm-integrity kernel module.
%prep
%autosetup -n cryptsetup-%{upstream_version} -p 1 -a 1
%autosetup -n cryptsetup-%{upstream_version} -p 1
%build
rm -f man/*.8
%configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --disable-ssh-token --enable-asciidoc
%configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --disable-ssh-token --enable-asciidoc --disable-hw-opal --with-plain-hash=ripemd160 --with-plain-cipher=aes --with-plain-mode=cbc-essiv:sha256
%make_build
%install
@ -116,6 +110,25 @@ rm -rf %{buildroot}%{_libdir}/*.la
%ghost %attr(700, -, -) %dir /run/cryptsetup
%changelog
* Mon Sep 02 2024 Ondrej Kozina <okozina@redhat.com> - 2.7.2-3
- Specbump for correct target release.
- Resolves: RHEL-39003 RHEL-41238
* Thu Aug 29 2024 Ondrej Kozina <okozina@redhat.com> - 2.7.2-2
- patch: Warn if Argon2 keyslot is unlocked in FIPS mode.
- patch: Enable Argon2 in FIPS with openssl backend.
- patch: Abort online reencryption for misconfigured devices.
- patch: Harden online reencryption checks in initialization phase.
- patch: Fix detection of direct-io with suspended devices.
- patch: Return suspended status also for unknow target types.
- patch: Do not handle device as suspended on error.
- Resolves: RHEL-39003 RHEL-41238
* Thu May 02 2024 Daniel Zatovic <dzatovic@redhat.com> - 2.7.2-1
- Update to cryptsetup 2.7.2
- Use OpenSLL Argon implementation instead of the built-in one
- Resolves: RHEL-32377
* Fri Jun 30 2023 Daniel Zatovic <dzatovic@redhat.com> - 2.6.0-3
- patch: Disallow use of internal kenrel crypto driver names in "capi"
- patch: Also disallow active devices with internal kernel names