Fix passphrase test mode for devices in reencryption.

- Resolves: #2056439

cryptsetup-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch

@@ -0,0 +1,56 @@
+From f671febe64d8f40cdcb1677a08436a8907ccbb7e Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Wed, 23 Feb 2022 12:27:57 +0100
+Subject: [PATCH 2/3] Add more tests for --test-passphrase parameter.
+
+---
+ tests/compat-test-args        |  4 ++++
+ tests/luks2-reencryption-test | 18 ++++++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/tests/compat-test-args b/tests/compat-test-args
+index faeddd00..8bbe5563 100755
+--- a/tests/compat-test-args
++++ b/tests/compat-test-args
+@@ -258,6 +258,10 @@ exp_fail luksAddKey DEV --unbound --key-size 0
+ exp_pass luksAddKey DEV --unbound --key-size 8
+ exp_pass luksDump DEV --unbound -S5
+ exp_fail luksDump DEV --unbound
++exp_pass open DEV --unbound --test-passphrase
++exp_pass open DEV --unbound --test-passphrase -S5
++exp_fail open DEV --unbound NAME
++exp_fail open DEV --unbound -S5 NAME
+ 
+ exp_fail resize NAME --refresh
+ exp_fail open DEV NAME --test-passphrase --refresh
+diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
+index 6f156016..73818b5d 100755
+--- a/tests/luks2-reencryption-test
++++ b/tests/luks2-reencryption-test
+@@ -1606,5 +1606,23 @@ if [ -n "$DM_SECTOR_SIZE" ]; then
+ 	reencrypt_recover_online 4096 journal $HASH1
+ fi
+ 
++echo "[27] Verify test passphrase mode works with reencryption metadata"
++echo $PWD1 | $CRYPTSETUP -S5 -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV || fail
++echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $DEV || fail
++echo $PWD1 | $CRYPTSETUP reencrypt --init-only $DEV || fail
++echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail
++
++echo $PWD1 | $CRYPTSETUP -q luksFormat -S5 --header $IMG_HDR --type luks2 $FAST_PBKDF_ARGON $DEV || fail
++echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $IMG_HDR || fail
++echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --init-only --header $IMG_HDR $DEV || fail
++echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail
++
++echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --init-only --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
++echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail
++
++wipe_dev_head $DEV 1
++echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 8M $FAST_PBKDF_ARGON $DEV || fail
++echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail
++
+ remove_mapping
+ exit 0
+-- 
+2.27.0
+

cryptsetup-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch

@@ -0,0 +1,73 @@
+diff -rupN cryptsetup-2.4.3.old/man/cryptsetup.8 cryptsetup-2.4.3/man/cryptsetup.8
+--- cryptsetup-2.4.3.old/man/cryptsetup.8	2022-02-23 16:33:42.449525744 +0100
++++ cryptsetup-2.4.3/man/cryptsetup.8	2022-02-23 16:34:02.624636076 +0100
+@@ -321,7 +321,8 @@ the command prompts for it interactively
+ \-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase,
+ \-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id,
+ \-\-token\-only, \-\-token-type, \-\-disable\-external\-tokens, \-\-disable\-keyring,
+-\-\-disable\-locks, \-\-type, \-\-refresh, \-\-serialize\-memory\-hard\-pbkdf].
++\-\-disable\-locks, \-\-type, \-\-refresh, \-\-serialize\-memory\-hard\-pbkdf,
++\-\-unbound].
+ .PP
+ \fIluksSuspend\fR <name>
+ .IP
+@@ -1465,10 +1466,14 @@ aligned to page size and page-cache init
+ integrity tag.
+ .TP
+ .B "\-\-unbound"
+-
+ Creates new or dumps existing LUKS2 unbound keyslot. See \fIluksAddKey\fR or
+ \fIluksDump\fR actions for more details.
+ 
++When used in \fIluksOpen\fR action (allowed only together with
++\-\-test\-passphrase parameter), it allows to test passphrase for unbound LUKS2
++keyslot. Otherwise, unbound keyslot passphrase can be tested only when specific
++keyslot is selected via \-\-key\-slot parameter.
++
+ .TP
+ .B "\-\-tcrypt\-hidden"
+ .B "\-\-tcrypt\-system"
+diff -rupN cryptsetup-2.4.3.old/src/cryptsetup_args.h cryptsetup-2.4.3/src/cryptsetup_args.h
+--- cryptsetup-2.4.3.old/src/cryptsetup_args.h	2022-02-23 16:33:42.450525749 +0100
++++ cryptsetup-2.4.3/src/cryptsetup_args.h	2022-02-23 16:43:53.418866968 +0100
+@@ -75,7 +75,7 @@
+ #define OPT_TCRYPT_HIDDEN_ACTIONS		{ OPEN_ACTION, TCRYPTDUMP_ACTION }
+ #define OPT_TCRYPT_SYSTEM_ACTIONS		{ OPEN_ACTION, TCRYPTDUMP_ACTION }
+ #define OPT_TEST_PASSPHRASE_ACTIONS		{ OPEN_ACTION }
+-#define OPT_UNBOUND_ACTIONS			{ ADDKEY_ACTION, LUKSDUMP_ACTION }
++#define OPT_UNBOUND_ACTIONS			{ ADDKEY_ACTION, LUKSDUMP_ACTION, OPEN_ACTION }
+ #define OPT_USE_RANDOM_ACTIONS			{ FORMAT_ACTION }
+ #define OPT_USE_URANDOM_ACTIONS			{ FORMAT_ACTION }
+ #define OPT_UUID_ACTIONS			{ FORMAT_ACTION, UUID_ACTION }
+diff -rupN cryptsetup-2.4.3.old/src/cryptsetup.c cryptsetup-2.4.3/src/cryptsetup.c
+--- cryptsetup-2.4.3.old/src/cryptsetup.c	2022-02-23 16:33:42.450525749 +0100
++++ cryptsetup-2.4.3/src/cryptsetup.c	2022-02-23 16:47:36.893089087 +0100
+@@ -140,7 +140,8 @@ static void _set_activation_flags(uint32
+ 		*flags |= CRYPT_ACTIVATE_IGNORE_PERSISTENT;
+ 
+ 	/* Only for LUKS2 but ignored elsewhere */
+-	if (ARG_SET(OPT_TEST_PASSPHRASE_ID))
++	if (ARG_SET(OPT_TEST_PASSPHRASE_ID) &&
++	    (ARG_SET(OPT_KEY_SLOT_ID) || ARG_SET(OPT_UNBOUND_ID)))
+ 		*flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY;
+ 
+ 	if (ARG_SET(OPT_SERIALIZE_MEMORY_HARD_PBKDF_ID))
+@@ -3982,6 +3983,18 @@ int main(int argc, const char **argv)
+ 		_("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."),
+ 		poptGetInvocationName(popt_context));
+ 
++	if (ARG_SET(OPT_UNBOUND_ID) && !strcmp(aname, OPEN_ACTION) && device_type &&
++	    strncmp(device_type, "luks", 4))
++		usage(popt_context, EXIT_FAILURE,
++		_("Option --unbound is allowed only for open of luks device."),
++		poptGetInvocationName(popt_context));
++
++	if (ARG_SET(OPT_UNBOUND_ID) && !ARG_SET(OPT_TEST_PASSPHRASE_ID) &&
++	    !strcmp(aname, OPEN_ACTION))
++		usage(popt_context, EXIT_FAILURE,
++		_("Option --unbound cannot be used without --test-passphrase."),
++		poptGetInvocationName(popt_context));
++
+ 	if (ARG_SET(OPT_TCRYPT_HIDDEN_ID) && ARG_SET(OPT_ALLOW_DISCARDS_ID))
+ 		usage(popt_context, EXIT_FAILURE,
+ 		_("Option --tcrypt-hidden cannot be combined with --allow-discards."),

cryptsetup.spec

@@ -1,7 +1,7 @@
 Summary: Utility for setting up encrypted disks
 Name: cryptsetup
 Version: 2.4.3
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: https://gitlab.com/cryptsetup/cryptsetup
 BuildRequires: openssl-devel, popt-devel, device-mapper-devel
@@ -21,6 +21,8 @@ Patch0000: %{name}-2.5.0-Fix-typo-in-repair-prompt.patch
 Patch0001: %{name}-2.5.0-Fix-PBKDF-benchmark-in-OpenSSL3-FIPS-mode.patch
 Patch0002: %{name}-2.5.0-Get-rid-of-SHA1-in-tests.patch
 Patch0003: %{name}-2.5.0-Do-not-use-too-small-key-in-tests.patch
+Patch0004: %{name}-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch
+Patch0005: %{name}-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch
 Patch9999: %{name}-add-system-library-paths.patch
 
 %description
@@ -118,6 +120,11 @@ rm -rf %{buildroot}%{_libdir}/*.la
 %ghost %attr(700, -, -) %dir /run/cryptsetup
 
 %changelog
+* Wed Feb 23 2022 Ondrej Kozina <okozina@redhat.com> - 2.4.3-3
+- patch: Fix cryptsetup --test-passphrase when device in
+  reencryption
+- Resolves: #2056439
+
 * Thu Feb 17 2022 Ondrej Kozina <okozina@redhat.com> - 2.4.3-2
 - Various FIPS related fixes.
 - Resolves: #2051630