Compare commits
No commits in common. "c8" and "c9-beta" have entirely different histories.
@ -1,2 +1 @@
|
||||
3ce643e82d52b0c0282c2754c4bfa8c15c1f567e SOURCES/cryptsetup-2.3.7.tar.xz
|
||||
ec3ce9960bd536f7500e0d767a973672037c13e6 SOURCES/tests.tar.xz
|
||||
d58dc9bd56ae27ff895dfca51712d2f54a29dd9e SOURCES/cryptsetup-2.8.1.tar.xz
|
||||
|
||||
3
.gitignore
vendored
3
.gitignore
vendored
@ -1,2 +1 @@
|
||||
SOURCES/cryptsetup-2.3.7.tar.xz
|
||||
SOURCES/tests.tar.xz
|
||||
SOURCES/cryptsetup-2.8.1.tar.xz
|
||||
|
||||
@ -1,53 +0,0 @@
|
||||
From a76310b53fbb117e620f2c37350b68dd267f1088 Mon Sep 17 00:00:00 2001
|
||||
From: Milan Broz <gmazyland@gmail.com>
|
||||
Date: Mon, 20 Sep 2021 17:42:20 +0200
|
||||
Subject: [PATCH] Do not try to set compiler optimization flag if wipe is
|
||||
implemented in libc.
|
||||
|
||||
If zeroing memory is implemented through libc call (like memset_bzero),
|
||||
compiler should never remove such call. It is not needed to set O0
|
||||
optimization flag explicitly.
|
||||
|
||||
Various checkers like annocheck causes problems with these flags,
|
||||
just remove it where it makes no sense.
|
||||
|
||||
(Moreover, we use the same pattern without compiler magic
|
||||
in crypt_backend_memzero() already.)
|
||||
---
|
||||
lib/crypto_backend/argon2/core.c | 10 ++++++++--
|
||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/crypto_backend/argon2/core.c b/lib/crypto_backend/argon2/core.c
|
||||
index b204ba98..db9a7741 100644
|
||||
--- a/lib/crypto_backend/argon2/core.c
|
||||
+++ b/lib/crypto_backend/argon2/core.c
|
||||
@@ -120,18 +120,24 @@ void free_memory(const argon2_context *context, uint8_t *memory,
|
||||
}
|
||||
}
|
||||
|
||||
-void NOT_OPTIMIZED secure_wipe_memory(void *v, size_t n) {
|
||||
#if defined(_MSC_VER) && VC_GE_2005(_MSC_VER)
|
||||
+void secure_wipe_memory(void *v, size_t n) {
|
||||
SecureZeroMemory(v, n);
|
||||
+}
|
||||
#elif defined memset_s
|
||||
+void secure_wipe_memory(void *v, size_t n) {
|
||||
memset_s(v, n, 0, n);
|
||||
+}
|
||||
#elif defined(HAVE_EXPLICIT_BZERO)
|
||||
+void secure_wipe_memory(void *v, size_t n) {
|
||||
explicit_bzero(v, n);
|
||||
+}
|
||||
#else
|
||||
+void NOT_OPTIMIZED secure_wipe_memory(void *v, size_t n) {
|
||||
static void *(*const volatile memset_sec)(void *, int, size_t) = &memset;
|
||||
memset_sec(v, 0, n);
|
||||
-#endif
|
||||
}
|
||||
+#endif
|
||||
|
||||
/* Memory clear flag defaults to true. */
|
||||
int FLAG_clear_internal_memory = 1;
|
||||
--
|
||||
2.27.0
|
||||
|
||||
@ -1,295 +0,0 @@
|
||||
From 9576549fee9228cabd9ceee27739a30caab5a7f6 Mon Sep 17 00:00:00 2001
|
||||
From: Milan Broz <gmazyland@gmail.com>
|
||||
Date: Tue, 9 Nov 2021 11:54:27 +0100
|
||||
Subject: [PATCH] Fix bogus memory allocation if LUKS2 header size is invalid.
|
||||
|
||||
LUKS2 code read the whole header to buffer to verify checksum,
|
||||
so malloc is called on unvalidated input size parameter.
|
||||
|
||||
This can cause out of memory or unintentional device reads.
|
||||
(Header validation will fail later anyway - the size is unsupported.)
|
||||
|
||||
Just do not allow too small and too big allocations here and fail quickly.
|
||||
|
||||
Fixes: #683.
|
||||
---
|
||||
lib/luks2/luks2_disk_metadata.c | 20 +++-
|
||||
...ks2-metadata-size-invalid-secondary.img.sh | 96 +++++++++++++++++++
|
||||
...enerate-luks2-metadata-size-invalid.img.sh | 94 ++++++++++++++++++
|
||||
tests/luks2-validation-test | 2 +
|
||||
4 files changed, 208 insertions(+), 4 deletions(-)
|
||||
create mode 100755 tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh
|
||||
create mode 100755 tests/generators/generate-luks2-metadata-size-invalid.img.sh
|
||||
|
||||
diff --git a/lib/luks2/luks2_disk_metadata.c b/lib/luks2/luks2_disk_metadata.c
|
||||
index 502b0226..0500d5c7 100644
|
||||
--- a/lib/luks2/luks2_disk_metadata.c
|
||||
+++ b/lib/luks2/luks2_disk_metadata.c
|
||||
@@ -195,6 +195,8 @@ static int hdr_disk_sanity_check_pre(struct crypt_device *cd,
|
||||
size_t *hdr_json_size, int secondary,
|
||||
uint64_t offset)
|
||||
{
|
||||
+ uint64_t hdr_size;
|
||||
+
|
||||
if (memcmp(hdr->magic, secondary ? LUKS2_MAGIC_2ND : LUKS2_MAGIC_1ST, LUKS2_MAGIC_L))
|
||||
return -EINVAL;
|
||||
|
||||
@@ -209,19 +211,26 @@ static int hdr_disk_sanity_check_pre(struct crypt_device *cd,
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
- if (secondary && (offset != be64_to_cpu(hdr->hdr_size))) {
|
||||
+ hdr_size = be64_to_cpu(hdr->hdr_size);
|
||||
+
|
||||
+ if (hdr_size < LUKS2_HDR_16K_LEN || hdr_size > LUKS2_HDR_OFFSET_MAX) {
|
||||
+ log_dbg(cd, "LUKS2 header has bogus size 0x%04x.", (unsigned)hdr_size);
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ if (secondary && (offset != hdr_size)) {
|
||||
log_dbg(cd, "LUKS2 offset 0x%04x in secondary header does not match size 0x%04x.",
|
||||
- (unsigned)offset, (unsigned)be64_to_cpu(hdr->hdr_size));
|
||||
+ (unsigned)offset, (unsigned)hdr_size);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
/* FIXME: sanity check checksum alg. */
|
||||
|
||||
log_dbg(cd, "LUKS2 header version %u of size %u bytes, checksum %s.",
|
||||
- (unsigned)be16_to_cpu(hdr->version), (unsigned)be64_to_cpu(hdr->hdr_size),
|
||||
+ (unsigned)be16_to_cpu(hdr->version), (unsigned)hdr_size,
|
||||
hdr->checksum_alg);
|
||||
|
||||
- *hdr_json_size = be64_to_cpu(hdr->hdr_size) - LUKS2_HDR_BIN_LEN;
|
||||
+ *hdr_json_size = hdr_size - LUKS2_HDR_BIN_LEN;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -252,6 +261,9 @@ static int hdr_read_disk(struct crypt_device *cd,
|
||||
return -EIO;
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * hdr_json_size is validated if this call succeeds
|
||||
+ */
|
||||
r = hdr_disk_sanity_check_pre(cd, hdr_disk, &hdr_json_size, secondary, offset);
|
||||
if (r < 0) {
|
||||
return r;
|
||||
diff --git a/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh
|
||||
new file mode 100755
|
||||
index 00000000..4dd484e9
|
||||
--- /dev/null
|
||||
+++ b/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh
|
||||
@@ -0,0 +1,96 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+. lib.sh
|
||||
+
|
||||
+#
|
||||
+# *** Description ***
|
||||
+#
|
||||
+# generate primary with predefined json_size. There's only limited
|
||||
+# set of values allowed as json size in config section of LUKS2
|
||||
+# metadata
|
||||
+#
|
||||
+# secondary header is corrupted on purpose as well
|
||||
+#
|
||||
+
|
||||
+# $1 full target dir
|
||||
+# $2 full source luks2 image
|
||||
+
|
||||
+function prepare()
|
||||
+{
|
||||
+ cp $SRC_IMG $TGT_IMG
|
||||
+ test -d $TMPDIR || mkdir $TMPDIR
|
||||
+ read_luks2_json0 $TGT_IMG $TMPDIR/json0
|
||||
+ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
|
||||
+ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
|
||||
+}
|
||||
+
|
||||
+function generate()
|
||||
+{
|
||||
+ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_1M
|
||||
+
|
||||
+ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
|
||||
+ TEST_MDA_SIZE_BOGUS_BYTES=$((TEST_MDA_SIZE*512*2*1024))
|
||||
+ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
|
||||
+ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
|
||||
+ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
|
||||
+ JSON_SIZE=$((TEST_JSN_SIZE*512))
|
||||
+ DATA_OFFSET=16777216
|
||||
+
|
||||
+ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
|
||||
+ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
|
||||
+ .config.json_size = $jsize |
|
||||
+ .segments."0".offset = $off' $TMPDIR/json0)
|
||||
+ test -n "$json_str" || exit 2
|
||||
+ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
|
||||
+
|
||||
+ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
|
||||
+
|
||||
+ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
|
||||
+ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BOGUS_BYTES
|
||||
+
|
||||
+ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
|
||||
+
|
||||
+ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
|
||||
+ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
|
||||
+
|
||||
+ erase_checksum $TMPDIR/area0
|
||||
+ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
|
||||
+ write_checksum $chks0 $TMPDIR/area0
|
||||
+
|
||||
+ erase_checksum $TMPDIR/area1
|
||||
+ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
|
||||
+ write_checksum $chks0 $TMPDIR/area1
|
||||
+
|
||||
+ kill_bin_hdr $TMPDIR/area0
|
||||
+
|
||||
+ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
|
||||
+ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
|
||||
+}
|
||||
+
|
||||
+function check()
|
||||
+{
|
||||
+ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE
|
||||
+ local str_res0=$(head -c 6 $TMPDIR/hdr_res0)
|
||||
+ test "$str_res0" = "VACUUM" || exit 2
|
||||
+ read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE
|
||||
+ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
|
||||
+ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
|
||||
+ (.config.json_size != $jsize)
|
||||
+ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5
|
||||
+}
|
||||
+
|
||||
+function cleanup()
|
||||
+{
|
||||
+ rm -f $TMPDIR/*
|
||||
+ rm -fd $TMPDIR
|
||||
+}
|
||||
+
|
||||
+test $# -eq 2 || exit 1
|
||||
+
|
||||
+TGT_IMG=$1/$(test_img_name $0)
|
||||
+SRC_IMG=$2
|
||||
+
|
||||
+prepare
|
||||
+generate
|
||||
+check
|
||||
+cleanup
|
||||
diff --git a/tests/generators/generate-luks2-metadata-size-invalid.img.sh b/tests/generators/generate-luks2-metadata-size-invalid.img.sh
|
||||
new file mode 100755
|
||||
index 00000000..6b9c0cf7
|
||||
--- /dev/null
|
||||
+++ b/tests/generators/generate-luks2-metadata-size-invalid.img.sh
|
||||
@@ -0,0 +1,94 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+. lib.sh
|
||||
+
|
||||
+#
|
||||
+# *** Description ***
|
||||
+#
|
||||
+# generate primary with predefined json_size. There's only limited
|
||||
+# set of values allowed as json size in config section of LUKS2
|
||||
+# metadata
|
||||
+#
|
||||
+# secondary header is corrupted on purpose as well
|
||||
+#
|
||||
+
|
||||
+# $1 full target dir
|
||||
+# $2 full source luks2 image
|
||||
+
|
||||
+function prepare()
|
||||
+{
|
||||
+ cp $SRC_IMG $TGT_IMG
|
||||
+ test -d $TMPDIR || mkdir $TMPDIR
|
||||
+ read_luks2_json0 $TGT_IMG $TMPDIR/json0
|
||||
+ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
|
||||
+ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
|
||||
+}
|
||||
+
|
||||
+function generate()
|
||||
+{
|
||||
+ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_1M
|
||||
+
|
||||
+ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
|
||||
+ TEST_MDA_SIZE_BOGUS_BYTES=$((TEST_MDA_SIZE*512*2*1024))
|
||||
+ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
|
||||
+ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
|
||||
+ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
|
||||
+ JSON_SIZE=$((TEST_JSN_SIZE*512))
|
||||
+ DATA_OFFSET=16777216
|
||||
+
|
||||
+ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
|
||||
+ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
|
||||
+ .config.json_size = $jsize |
|
||||
+ .segments."0".offset = $off' $TMPDIR/json0)
|
||||
+ test -n "$json_str" || exit 2
|
||||
+ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
|
||||
+
|
||||
+ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
|
||||
+
|
||||
+ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BOGUS_BYTES
|
||||
+ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BOGUS_BYTES
|
||||
+
|
||||
+ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
|
||||
+ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
|
||||
+
|
||||
+ erase_checksum $TMPDIR/area0
|
||||
+ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
|
||||
+ write_checksum $chks0 $TMPDIR/area0
|
||||
+
|
||||
+ erase_checksum $TMPDIR/area1
|
||||
+ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
|
||||
+ write_checksum $chks0 $TMPDIR/area1
|
||||
+
|
||||
+ kill_bin_hdr $TMPDIR/area1
|
||||
+
|
||||
+ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
|
||||
+ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
|
||||
+}
|
||||
+
|
||||
+function check()
|
||||
+{
|
||||
+ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE
|
||||
+ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
|
||||
+ test "$str_res1" = "VACUUM" || exit 2
|
||||
+ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE
|
||||
+ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
|
||||
+ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
|
||||
+ (.config.json_size != $jsize)
|
||||
+ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
|
||||
+}
|
||||
+
|
||||
+function cleanup()
|
||||
+{
|
||||
+ rm -f $TMPDIR/*
|
||||
+ rm -fd $TMPDIR
|
||||
+}
|
||||
+
|
||||
+test $# -eq 2 || exit 1
|
||||
+
|
||||
+TGT_IMG=$1/$(test_img_name $0)
|
||||
+SRC_IMG=$2
|
||||
+
|
||||
+prepare
|
||||
+generate
|
||||
+check
|
||||
+cleanup
|
||||
diff --git a/tests/luks2-validation-test b/tests/luks2-validation-test
|
||||
index 04183fbc..f771e1f9 100755
|
||||
--- a/tests/luks2-validation-test
|
||||
+++ b/tests/luks2-validation-test
|
||||
@@ -229,6 +229,8 @@ RUN luks2-metadata-size-512k-secondary.img "R" "Valid 512KiB metadata size in s
|
||||
RUN luks2-metadata-size-1m-secondary.img "R" "Valid 1MiB metadata size in secondary hdr failed to validate"
|
||||
RUN luks2-metadata-size-2m-secondary.img "R" "Valid 2MiB metadata size in secondary hdr failed to validate"
|
||||
RUN luks2-metadata-size-4m-secondary.img "R" "Valid 4MiB metadata size in secondary hdr failed to validate"
|
||||
+RUN luks2-metadata-size-invalid.img "F" "Invalid metadata size in secondary hdr not rejected"
|
||||
+RUN luks2-metadata-size-invalid-secondary.img "F" "Invalid metadata size in secondary hdr not rejected"
|
||||
|
||||
remove_mapping
|
||||
|
||||
--
|
||||
2.27.0
|
||||
|
||||
@ -1,41 +0,0 @@
|
||||
From f671febe64d8f40cdcb1677a08436a8907ccbb7e Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Wed, 23 Feb 2022 12:27:57 +0100
|
||||
Subject: [PATCH 2/3] Add more tests for --test-passphrase parameter.
|
||||
|
||||
---
|
||||
tests/compat-test-args | 4 ++++
|
||||
tests/luks2-reencryption-test | 18 ++++++++++++++++++
|
||||
2 files changed, 22 insertions(+)
|
||||
|
||||
diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
|
||||
index 6f156016..73818b5d 100755
|
||||
--- a/tests/luks2-reencryption-test
|
||||
+++ b/tests/luks2-reencryption-test
|
||||
@@ -1606,5 +1606,23 @@ if [ -n "$DM_SECTOR_SIZE" ]; then
|
||||
reencrypt_recover_online 4096 journal $HASH1
|
||||
fi
|
||||
|
||||
+echo "[27] Verify test passphrase mode works with reencryption metadata"
|
||||
+echo $PWD1 | $CRYPTSETUP -S5 -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV || fail
|
||||
+echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $DEV || fail
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt --init-only $DEV || fail
|
||||
+echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail
|
||||
+
|
||||
+echo $PWD1 | $CRYPTSETUP -q luksFormat -S5 --header $IMG_HDR --type luks2 $FAST_PBKDF_ARGON $DEV || fail
|
||||
+echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $IMG_HDR || fail
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --init-only --header $IMG_HDR $DEV || fail
|
||||
+echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail
|
||||
+
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --init-only --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
|
||||
+echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail
|
||||
+
|
||||
+wipe_dev $DEV
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 8M $FAST_PBKDF_ARGON $DEV || fail
|
||||
+echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail
|
||||
+
|
||||
remove_mapping
|
||||
exit 0
|
||||
--
|
||||
2.27.0
|
||||
|
||||
@ -1,103 +0,0 @@
|
||||
diff -rupN cryptsetup-2.3.7.old/man/cryptsetup.8 cryptsetup-2.3.7/man/cryptsetup.8
|
||||
--- cryptsetup-2.3.7.old/man/cryptsetup.8 2022-02-24 15:58:37.968167423 +0100
|
||||
+++ cryptsetup-2.3.7/man/cryptsetup.8 2022-02-24 17:06:25.326217548 +0100
|
||||
@@ -321,7 +321,7 @@ the command prompts for it interactively
|
||||
\-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase,
|
||||
\-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id,
|
||||
\-\-token\-only, \-\-disable\-keyring, \-\-disable\-locks, \-\-type, \-\-refresh,
|
||||
-\-\-serialize\-memory\-hard\-pbkdf].
|
||||
+\-\-serialize\-memory\-hard\-pbkdf, \-\-unbound].
|
||||
.PP
|
||||
\fIluksSuspend\fR <name>
|
||||
.IP
|
||||
@@ -1409,10 +1409,14 @@ aligned to page size and page-cache init
|
||||
integrity tag.
|
||||
.TP
|
||||
.B "\-\-unbound"
|
||||
-
|
||||
Creates new or dumps existing LUKS2 unbound keyslot. See \fIluksAddKey\fR or
|
||||
\fIluksDump\fR actions for more details.
|
||||
|
||||
+When used in \fIluksOpen\fR action (allowed only together with
|
||||
+\-\-test\-passphrase parameter), it allows to test passphrase for unbound LUKS2
|
||||
+keyslot. Otherwise, unbound keyslot passphrase can be tested only when specific
|
||||
+keyslot is selected via \-\-key\-slot parameter.
|
||||
+
|
||||
.TP
|
||||
.B "\-\-tcrypt\-hidden"
|
||||
.B "\-\-tcrypt\-system"
|
||||
diff -rupN cryptsetup-2.3.7.old/src/cryptsetup.c cryptsetup-2.3.7/src/cryptsetup.c
|
||||
--- cryptsetup-2.3.7.old/src/cryptsetup.c 2022-02-24 15:58:37.969167429 +0100
|
||||
+++ cryptsetup-2.3.7/src/cryptsetup.c 2022-02-24 17:10:30.947561638 +0100
|
||||
@@ -230,7 +230,7 @@ static void _set_activation_flags(uint32
|
||||
*flags |= CRYPT_ACTIVATE_IGNORE_PERSISTENT;
|
||||
|
||||
/* Only for LUKS2 but ignored elsewhere */
|
||||
- if (opt_test_passphrase)
|
||||
+ if (opt_test_passphrase && (opt_unbound || (opt_key_slot != CRYPT_ANY_SLOT)))
|
||||
*flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY;
|
||||
|
||||
if (opt_serialize_memory_hard_pbkdf)
|
||||
@@ -4021,6 +4021,17 @@ int main(int argc, const char **argv)
|
||||
_("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."),
|
||||
poptGetInvocationName(popt_context));
|
||||
|
||||
+ if (opt_unbound && !strcmp(aname, "open") && device_type &&
|
||||
+ strncmp(device_type, "luks", 4))
|
||||
+ usage(popt_context, EXIT_FAILURE,
|
||||
+ _("Option --unbound is allowed only for open of luks device."),
|
||||
+ poptGetInvocationName(popt_context));
|
||||
+
|
||||
+ if (opt_unbound && !opt_test_passphrase && !strcmp(aname, "open"))
|
||||
+ usage(popt_context, EXIT_FAILURE,
|
||||
+ _("Option --unbound cannot be used without --test-passphrase."),
|
||||
+ poptGetInvocationName(popt_context));
|
||||
+
|
||||
if (opt_tcrypt_hidden && opt_allow_discards)
|
||||
usage(popt_context, EXIT_FAILURE,
|
||||
_("Option --tcrypt-hidden cannot be combined with --allow-discards."),
|
||||
@@ -4103,9 +4114,9 @@ int main(int argc, const char **argv)
|
||||
_("Keyslot specification is required."),
|
||||
poptGetInvocationName(popt_context));
|
||||
|
||||
- if (opt_unbound && strcmp(aname, "luksAddKey") && strcmp(aname, "luksDump"))
|
||||
+ if (opt_unbound && strcmp(aname, "luksAddKey") && strcmp(aname, "luksDump") && strcmp(aname, "open"))
|
||||
usage(popt_context, EXIT_FAILURE,
|
||||
- _("Option --unbound may be used only with luksAddKey and luksDump actions."),
|
||||
+ _("Option --unbound may be used only with luksAddKey, luksDump and open actions."),
|
||||
poptGetInvocationName(popt_context));
|
||||
|
||||
if (opt_refresh && strcmp(aname, "open"))
|
||||
diff -rupN cryptsetup-2.3.7.old/tests/compat-test2 cryptsetup-2.3.7/tests/compat-test2
|
||||
--- cryptsetup-2.3.7.old/tests/compat-test2 2022-02-24 15:58:38.013167680 +0100
|
||||
+++ cryptsetup-2.3.7/tests/compat-test2 2022-02-24 17:23:23.035760517 +0100
|
||||
@@ -696,7 +696,7 @@ $CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOP
|
||||
# otoh it should be allowed to test for proper passphrase
|
||||
prepare "" new
|
||||
echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
|
||||
-echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
|
||||
+echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail
|
||||
echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
|
||||
[ -b /dev/mapper/$DEV_NAME ] && fail
|
||||
echo $PWD1 | $CRYPTSETUP open $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
|
||||
@@ -705,7 +705,7 @@ echo $PWD0 | $CRYPTSETUP open -S1 --test
|
||||
$CRYPTSETUP luksKillSlot -q $HEADER_KEYU 0
|
||||
$CRYPTSETUP luksDump $HEADER_KEYU | grep -q "0: luks2" && fail
|
||||
echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
|
||||
-echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
|
||||
+echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail
|
||||
echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
|
||||
|
||||
prepare "[28] Detached LUKS header" wipe
|
||||
@@ -952,11 +952,9 @@ echo $PWD3 | $CRYPTSETUP -q luksAddKey -
|
||||
# do not allow to replace keyslot by unbound slot
|
||||
echo $PWD1 | $CRYPTSETUP -q luksAddKey -S5 --unbound -s 32 $LOOPDEV 2>/dev/null && fail
|
||||
echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
|
||||
-echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
|
||||
echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV $DEV_NAME 2> /dev/null && fail
|
||||
echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV --test-passphrase || fail
|
||||
echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
|
||||
-echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
|
||||
# check we're able to change passphrase for unbound keyslot
|
||||
echo -e "$PWD2\n$PWD3" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail
|
||||
echo $PWD3 | $CRYPTSETUP open --test-passphrase $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail
|
||||
@ -1,12 +0,0 @@
|
||||
diff -rupN cryptsetup-2.3.7.old/src/cryptsetup.c cryptsetup-2.3.7/src/cryptsetup.c
|
||||
--- cryptsetup-2.3.7.old/src/cryptsetup.c 2022-01-20 14:47:13.198475734 +0100
|
||||
+++ cryptsetup-2.3.7/src/cryptsetup.c 2022-01-20 14:47:24.186505625 +0100
|
||||
@@ -1137,7 +1137,7 @@ static int reencrypt_metadata_repair(str
|
||||
_("Operation aborted.\n")))
|
||||
return -EINVAL;
|
||||
|
||||
- r = tools_get_key(_("Enter passphrase to protect and uppgrade reencryption metadata: "),
|
||||
+ r = tools_get_key(_("Enter passphrase to protect and upgrade reencryption metadata: "),
|
||||
&password, &passwordLen, opt_keyfile_offset,
|
||||
opt_keyfile_size, opt_key_file, opt_timeout,
|
||||
_verify_passphrase(0), 0, cd);
|
||||
@ -1,206 +0,0 @@
|
||||
From 6bc1378ddb5bbcc6ba592177c996576b0b3505f9 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Fri, 22 Oct 2021 13:06:48 +0200
|
||||
Subject: [PATCH] Remove LUKS2 encryption data size restriction.
|
||||
|
||||
LUKS2 encryption with data shift required remaining
|
||||
data size (size remaining after substracting --reduce-data-size value)
|
||||
to be at least --reduce-data-size. This was wrong. Remaining
|
||||
data size restriction should be correctly at least single sector
|
||||
(whatever sector size is selected or auto-detected).
|
||||
---
|
||||
lib/luks2/luks2_reencrypt.c | 31 ++++++++++++-----------
|
||||
tests/api-test-2.c | 6 ++---
|
||||
tests/luks2-reencryption-test | 46 +++++++++++++++++++++++++++++------
|
||||
3 files changed, 57 insertions(+), 26 deletions(-)
|
||||
|
||||
diff --git a/lib/luks2/luks2_reencrypt.c b/lib/luks2/luks2_reencrypt.c
|
||||
index b45327ad..d0e0dc40 100644
|
||||
--- a/lib/luks2/luks2_reencrypt.c
|
||||
+++ b/lib/luks2/luks2_reencrypt.c
|
||||
@@ -825,7 +825,7 @@ static int reencrypt_offset_backward_moved(struct luks2_hdr *hdr, json_object *j
|
||||
linear_length += LUKS2_segment_size(hdr, sg, 0);
|
||||
|
||||
/* all active linear segments length */
|
||||
- if (linear_length) {
|
||||
+ if (linear_length && segs > 1) {
|
||||
if (linear_length < data_shift)
|
||||
return -EINVAL;
|
||||
tmp = linear_length - data_shift;
|
||||
@@ -1745,7 +1745,8 @@ static int reencrypt_set_encrypt_segments(struct crypt_device *cd, struct luks2_
|
||||
int r;
|
||||
uint64_t first_segment_offset, first_segment_length,
|
||||
second_segment_offset, second_segment_length,
|
||||
- data_offset = LUKS2_get_data_offset(hdr) << SECTOR_SHIFT;
|
||||
+ data_offset = LUKS2_get_data_offset(hdr) << SECTOR_SHIFT,
|
||||
+ data_size = dev_size - data_shift;
|
||||
json_object *jobj_segment_first = NULL, *jobj_segment_second = NULL, *jobj_segments;
|
||||
|
||||
if (dev_size < data_shift)
|
||||
@@ -1760,9 +1761,14 @@ static int reencrypt_set_encrypt_segments(struct crypt_device *cd, struct luks2_
|
||||
* [future LUKS2 header (data shift size)][second data segment][gap (data shift size)][first data segment (data shift size)]
|
||||
*/
|
||||
first_segment_offset = dev_size;
|
||||
- first_segment_length = data_shift;
|
||||
- second_segment_offset = data_shift;
|
||||
- second_segment_length = dev_size - 2 * data_shift;
|
||||
+ if (data_size < data_shift) {
|
||||
+ first_segment_length = data_size;
|
||||
+ second_segment_length = second_segment_offset = 0;
|
||||
+ } else {
|
||||
+ first_segment_length = data_shift;
|
||||
+ second_segment_offset = data_shift;
|
||||
+ second_segment_length = data_size - data_shift;
|
||||
+ }
|
||||
} else if (data_shift) {
|
||||
first_segment_offset = data_offset;
|
||||
first_segment_length = dev_size;
|
||||
@@ -2163,17 +2169,10 @@ static int reencrypt_move_data(struct crypt_device *cd, int devfd, uint64_t data
|
||||
|
||||
log_dbg(cd, "Going to move data from head of data device.");
|
||||
|
||||
- buffer_len = data_shift;
|
||||
- if (!buffer_len)
|
||||
- return -EINVAL;
|
||||
-
|
||||
offset = json_segment_get_offset(LUKS2_get_segment_jobj(hdr, 0), 0);
|
||||
-
|
||||
- /* this is nonsense anyway */
|
||||
- if (buffer_len != json_segment_get_size(LUKS2_get_segment_jobj(hdr, 0), 0)) {
|
||||
- log_dbg(cd, "buffer_len %" PRIu64", segment size %" PRIu64, buffer_len, json_segment_get_size(LUKS2_get_segment_jobj(hdr, 0), 0));
|
||||
+ buffer_len = json_segment_get_size(LUKS2_get_segment_jobj(hdr, 0), 0);
|
||||
+ if (!buffer_len || buffer_len > data_shift)
|
||||
return -EINVAL;
|
||||
- }
|
||||
|
||||
if (posix_memalign(&buffer, device_alignment(crypt_data_device(cd)), buffer_len))
|
||||
return -ENOMEM;
|
||||
@@ -2447,7 +2446,7 @@ static int reencrypt_init(struct crypt_device *cd,
|
||||
* encryption initialization (or mount)
|
||||
*/
|
||||
if (move_first_segment) {
|
||||
- if (dev_size < 2 * (params->data_shift << SECTOR_SHIFT)) {
|
||||
+ if (dev_size < (params->data_shift << SECTOR_SHIFT)) {
|
||||
log_err(cd, _("Device %s is too small."), device_path(crypt_data_device(cd)));
|
||||
return -EINVAL;
|
||||
}
|
||||
@@ -3484,7 +3483,7 @@ int LUKS2_reencrypt_check_device_size(struct crypt_device *cd, struct luks2_hdr
|
||||
check_size, check_size >> SECTOR_SHIFT, real_size, real_size >> SECTOR_SHIFT,
|
||||
real_size - data_offset, (real_size - data_offset) >> SECTOR_SHIFT);
|
||||
|
||||
- if (real_size < data_offset || (check_size && (real_size - data_offset) < check_size)) {
|
||||
+ if (real_size < data_offset || (check_size && real_size < check_size)) {
|
||||
log_err(cd, _("Device %s is too small."), device_path(crypt_data_device(cd)));
|
||||
return -EINVAL;
|
||||
}
|
||||
diff --git a/tests/api-test-2.c b/tests/api-test-2.c
|
||||
index a01a7a72..05ee8f94 100644
|
||||
--- a/tests/api-test-2.c
|
||||
+++ b/tests/api-test-2.c
|
||||
@@ -4238,7 +4238,7 @@ static void Luks2Reencryption(void)
|
||||
|
||||
_cleanup_dmdevices();
|
||||
OK_(create_dmdevice_over_loop(H_DEVICE, r_header_size));
|
||||
- OK_(create_dmdevice_over_loop(L_DEVICE_OK, 12*1024*2+1));
|
||||
+ OK_(create_dmdevice_over_loop(L_DEVICE_OK, 8*1024*2+1));
|
||||
|
||||
/* encryption with datashift and moved segment (data shift + 1 sector) */
|
||||
OK_(crypt_init(&cd, DMDIR H_DEVICE));
|
||||
@@ -4258,11 +4258,11 @@ static void Luks2Reencryption(void)
|
||||
|
||||
_cleanup_dmdevices();
|
||||
OK_(create_dmdevice_over_loop(H_DEVICE, r_header_size));
|
||||
- OK_(create_dmdevice_over_loop(L_DEVICE_OK, 12*1024*2));
|
||||
+ OK_(create_dmdevice_over_loop(L_DEVICE_OK, 2*8200));
|
||||
|
||||
OK_(crypt_init(&cd, DMDIR H_DEVICE));
|
||||
|
||||
- /* encryption with datashift and moved segment (data shift + data offset > device size) */
|
||||
+ /* encryption with datashift and moved segment (data shift + data offset <= device size) */
|
||||
memset(&rparams, 0, sizeof(rparams));
|
||||
params2.sector_size = 512;
|
||||
params2.data_device = DMDIR L_DEVICE_OK;
|
||||
diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
|
||||
index 8efb2707..bf711c15 100755
|
||||
--- a/tests/luks2-reencryption-test
|
||||
+++ b/tests/luks2-reencryption-test
|
||||
@@ -152,14 +152,30 @@ function open_crypt() # $1 pwd, $2 hdr
|
||||
fi
|
||||
}
|
||||
|
||||
+function wipe_dev_head() # $1 dev, $2 length (in MiBs)
|
||||
+{
|
||||
+ dd if=/dev/zero of=$1 bs=1M count=$2 conv=notrunc >/dev/null 2>&1
|
||||
+}
|
||||
+
|
||||
function wipe_dev() # $1 dev
|
||||
{
|
||||
if [ -b $1 ] ; then
|
||||
blkdiscard --zeroout $1 2>/dev/null || dd if=/dev/zero of=$1 bs=1M conv=notrunc >/dev/null 2>&1
|
||||
+ if [ $# -gt 2 ]; then
|
||||
+ dd if=/dev/urandom of=$1 bs=1M seek=$2 conv=notrunc >/dev/null 2>&1
|
||||
+ fi
|
||||
else
|
||||
local size=$(stat --printf="%s" $1)
|
||||
truncate -s 0 $1
|
||||
- truncate -s $size $1
|
||||
+ if [ $# -gt 2 ]; then
|
||||
+ local diff=$((size-$2*1024*1024))
|
||||
+ echo "size: $size, diff: $diff"
|
||||
+ truncate -s $diff $1
|
||||
+ # wipe_dev_head $1 $((diff/(1024*1024)))
|
||||
+ dd if=/dev/urandom of=$1 bs=1M seek=$2 size=$((diff/(1024*1024))) conv=notrunc >/dev/null 2>&1
|
||||
+ else
|
||||
+ truncate -s $size $1
|
||||
+ fi
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -214,15 +230,16 @@ function check_hash() # $1 pwd, $2 hash, $3 hdr
|
||||
$CRYPTSETUP remove $DEV_NAME || fail
|
||||
}
|
||||
|
||||
+function check_hash_dev_head() # $1 dev, $2 len, $3 hash
|
||||
+{
|
||||
+ local hash=$(dd if=$1 bs=512 count=$2 2>/dev/null | sha256sum | cut -d' ' -f1)
|
||||
+ [ $hash != "$3" ] && fail "HASH differs (expected: $3) (result $hash)"
|
||||
+}
|
||||
+
|
||||
function check_hash_head() # $1 pwd, $2 len, $3 hash, $4 hdr
|
||||
{
|
||||
open_crypt $1 $4
|
||||
- if [ -n "$4" ]; then
|
||||
- echo $1 | $CRYPTSETUP resize $DEV_NAME --size $2 --header $4 || fail
|
||||
- else
|
||||
- echo $1 | $CRYPTSETUP resize $DEV_NAME --size $2 || fail
|
||||
- fi
|
||||
- check_hash_dev /dev/mapper/$DEV_NAME $3
|
||||
+ check_hash_dev_head /dev/mapper/$DEV_NAME $2 $3
|
||||
$CRYPTSETUP remove $DEV_NAME || fail
|
||||
}
|
||||
|
||||
@@ -865,6 +882,21 @@ $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
|
||||
$CRYPTSETUP close $DEV_NAME
|
||||
echo $PWD1 | $CRYPTSETUP open $DEV --test-passphrase || fail
|
||||
|
||||
+# Small device encryption test
|
||||
+preparebig 65
|
||||
+# wipe only 1st MiB (final data size after encryption)
|
||||
+wipe_dev $DEV 1
|
||||
+check_hash_dev_head $DEV 2048 $HASH2
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size 64M -q $FAST_PBKDF_ARGON || fail
|
||||
+check_hash_head $PWD1 2048 $HASH2
|
||||
+
|
||||
+wipe_dev_head $DEV 1
|
||||
+check_hash_dev_head $DEV 2048 $HASH2
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size 64M --init-only -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
|
||||
+check_hash_dev_head /dev/mapper/$DEV_NAME 2048 $HASH2
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q || fail
|
||||
+check_hash_dev_head /dev/mapper/$DEV_NAME 2048 $HASH2
|
||||
+
|
||||
echo "[3] Encryption with detached header"
|
||||
preparebig 256
|
||||
wipe_dev $DEV
|
||||
--
|
||||
2.38.1
|
||||
|
||||
@ -1,28 +0,0 @@
|
||||
From 23903951505cd4ad9f3469e037278494c14a7791 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Wed, 12 Oct 2022 12:05:00 +0200
|
||||
Subject: [PATCH 3/5] Code cleanup.
|
||||
|
||||
Type cast is not needed here.
|
||||
---
|
||||
lib/libdevmapper.c | 4 +---
|
||||
1 file changed, 1 insertion(+), 3 deletions(-)
|
||||
|
||||
diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
|
||||
index 7fcf843f..6a239e14 100644
|
||||
--- a/lib/libdevmapper.c
|
||||
+++ b/lib/libdevmapper.c
|
||||
@@ -1992,9 +1992,7 @@ static int _dm_target_query_crypt(struct crypt_device *cd, uint32_t get_flags,
|
||||
|
||||
/* cipher */
|
||||
if (get_flags & DM_ACTIVE_CRYPT_CIPHER) {
|
||||
- r = crypt_capi_to_cipher(CONST_CAST(char**)&cipher,
|
||||
- CONST_CAST(char**)&integrity,
|
||||
- rcipher, rintegrity);
|
||||
+ r = crypt_capi_to_cipher(&cipher, &integrity, rcipher, rintegrity);
|
||||
if (r < 0)
|
||||
goto err;
|
||||
}
|
||||
--
|
||||
2.38.1
|
||||
|
||||
@ -1,34 +0,0 @@
|
||||
From 19c15a652f878458493f0ac335110e2779f3cbe3 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Wed, 12 Oct 2022 11:59:09 +0200
|
||||
Subject: [PATCH 4/5] Copy also integrity string in legacy mode.
|
||||
|
||||
So that it handles integrity string same as it does
|
||||
with cipher string.
|
||||
---
|
||||
lib/utils_crypt.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c
|
||||
index 4f4dbba8..93f846d7 100644
|
||||
--- a/lib/utils_crypt.c
|
||||
+++ b/lib/utils_crypt.c
|
||||
@@ -284,7 +284,14 @@ int crypt_capi_to_cipher(char **org_c, char **org_i, const char *c_dm, const cha
|
||||
if (strncmp(c_dm, "capi:", 4)) {
|
||||
if (!(*org_c = strdup(c_dm)))
|
||||
return -ENOMEM;
|
||||
- *org_i = NULL;
|
||||
+ if (i_dm) {
|
||||
+ if (!(*org_i = strdup(i_dm))) {
|
||||
+ free(*org_c);
|
||||
+ *org_c = NULL;
|
||||
+ return -ENOMEM;
|
||||
+ }
|
||||
+ } else
|
||||
+ *org_i = NULL;
|
||||
return 0;
|
||||
}
|
||||
|
||||
--
|
||||
2.38.1
|
||||
|
||||
@ -1,316 +0,0 @@
|
||||
From 5b001b7962744b1bdaeb60b7c8cb9c682f907e03 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Tue, 28 Jun 2022 16:23:34 +0200
|
||||
Subject: [PATCH] Delegate FIPS mode detection to configured crypto backend.
|
||||
|
||||
System FIPS mode check is no longer dependent on /etc/system-fips
|
||||
file. The change should be compatible with older distributions since
|
||||
we now depend on crypto backend internal routine.
|
||||
|
||||
This commit affects only FIPS enabled systems (with FIPS enabled
|
||||
builds). In case this causes any regression in current distributions
|
||||
feel free to drop the patch.
|
||||
|
||||
For reference see https://bugzilla.redhat.com/show_bug.cgi?id=2080516
|
||||
---
|
||||
lib/crypto_backend/crypto_backend.h | 3 ++
|
||||
lib/crypto_backend/crypto_gcrypt.c | 17 +++++++++
|
||||
lib/crypto_backend/crypto_kernel.c | 5 +++
|
||||
lib/crypto_backend/crypto_nettle.c | 5 +++
|
||||
lib/crypto_backend/crypto_nss.c | 5 +++
|
||||
lib/crypto_backend/crypto_openssl.c | 26 ++++++++++++++
|
||||
lib/internal.h | 1 -
|
||||
lib/utils_fips.c | 55 -----------------------------
|
||||
lib/utils_fips.h | 28 ---------------
|
||||
po/POTFILES.in | 1 -
|
||||
src/cryptsetup.h | 1 -
|
||||
tests/compat-test | 2 +-
|
||||
tests/compat-test2 | 2 +-
|
||||
tests/keyring-compat-test | 2 +-
|
||||
tests/luks2-reencryption-test | 2 +-
|
||||
16 files changed, 65 insertions(+), 92 deletions(-)
|
||||
delete mode 100644 lib/utils_fips.c
|
||||
delete mode 100644 lib/utils_fips.h
|
||||
|
||||
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_backend.h
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_backend.h
|
||||
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_backend.h
|
||||
@@ -135,4 +135,7 @@ static inline void crypt_backend_memzero
|
||||
#endif
|
||||
}
|
||||
|
||||
+/* crypto backend running in FIPS mode */
|
||||
+bool crypt_fips_mode(void);
|
||||
+
|
||||
#endif /* _CRYPTO_BACKEND_H */
|
||||
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_gcrypt.c
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_gcrypt.c
|
||||
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_gcrypt.c
|
||||
@@ -550,3 +550,20 @@ out:
|
||||
return -ENOTSUP;
|
||||
#endif
|
||||
}
|
||||
+
|
||||
+#if !ENABLE_FIPS
|
||||
+bool crypt_fips_mode(void) { return false; }
|
||||
+#else
|
||||
+bool crypt_fips_mode(void)
|
||||
+{
|
||||
+ static bool fips_mode = false, fips_checked = false;
|
||||
+
|
||||
+ if (fips_checked)
|
||||
+ return fips_mode;
|
||||
+
|
||||
+ fips_mode = gcry_fips_mode_active();
|
||||
+ fips_checked = true;
|
||||
+
|
||||
+ return fips_mode;
|
||||
+}
|
||||
+#endif /* ENABLE FIPS */
|
||||
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_kernel.c
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_kernel.c
|
||||
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_kernel.c
|
||||
@@ -416,3 +416,8 @@ int crypt_bitlk_decrypt_key(const void *
|
||||
return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
|
||||
iv, iv_length, tag, tag_length);
|
||||
}
|
||||
+
|
||||
+bool crypt_fips_mode(void)
|
||||
+{
|
||||
+ return false;
|
||||
+}
|
||||
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_nettle.c
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_nettle.c
|
||||
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_nettle.c
|
||||
@@ -442,3 +442,8 @@ int crypt_bitlk_decrypt_key(const void *
|
||||
return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
|
||||
iv, iv_length, tag, tag_length);
|
||||
}
|
||||
+
|
||||
+bool crypt_fips_mode(void)
|
||||
+{
|
||||
+ return false;
|
||||
+}
|
||||
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_nss.c
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_nss.c
|
||||
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_nss.c
|
||||
@@ -395,3 +395,8 @@ int crypt_bitlk_decrypt_key(const void *
|
||||
return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
|
||||
iv, iv_length, tag, tag_length);
|
||||
}
|
||||
+
|
||||
+bool crypt_fips_mode(void)
|
||||
+{
|
||||
+ return false;
|
||||
+}
|
||||
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_openssl.c
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_openssl.c
|
||||
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_openssl.c
|
||||
@@ -574,3 +574,29 @@ out:
|
||||
return -ENOTSUP;
|
||||
#endif
|
||||
}
|
||||
+
|
||||
+#if !ENABLE_FIPS
|
||||
+bool crypt_fips_mode(void) { return false; }
|
||||
+#else
|
||||
+static bool openssl_fips_mode(void)
|
||||
+{
|
||||
+#if OPENSSL_VERSION_MAJOR >= 3
|
||||
+ return EVP_default_properties_is_fips_enabled(NULL);
|
||||
+#else
|
||||
+ return FIPS_mode();
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
+bool crypt_fips_mode(void)
|
||||
+{
|
||||
+ static bool fips_mode = false, fips_checked = false;
|
||||
+
|
||||
+ if (fips_checked)
|
||||
+ return fips_mode;
|
||||
+
|
||||
+ fips_mode = openssl_fips_mode();
|
||||
+ fips_checked = true;
|
||||
+
|
||||
+ return fips_mode;
|
||||
+}
|
||||
+#endif /* ENABLE FIPS */
|
||||
Index: cryptsetup-2.3.7/lib/internal.h
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/lib/internal.h
|
||||
+++ cryptsetup-2.3.7/lib/internal.h
|
||||
@@ -38,7 +38,6 @@
|
||||
#include "utils_crypt.h"
|
||||
#include "utils_loop.h"
|
||||
#include "utils_dm.h"
|
||||
-#include "utils_fips.h"
|
||||
#include "utils_keyring.h"
|
||||
#include "utils_io.h"
|
||||
#include "crypto_backend.h"
|
||||
Index: cryptsetup-2.3.7/po/POTFILES.in
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/po/POTFILES.in
|
||||
+++ cryptsetup-2.3.7/po/POTFILES.in
|
||||
@@ -6,7 +6,6 @@ lib/volumekey.c
|
||||
lib/crypt_plain.c
|
||||
lib/utils_crypt.c
|
||||
lib/utils_loop.c
|
||||
-lib/utils_fips.c
|
||||
lib/utils_device.c
|
||||
lib/utils_devpath.c
|
||||
lib/utils_pbkdf.c
|
||||
Index: cryptsetup-2.3.7/src/cryptsetup.h
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/src/cryptsetup.h
|
||||
+++ cryptsetup-2.3.7/src/cryptsetup.h
|
||||
@@ -43,7 +43,6 @@
|
||||
#include "lib/nls.h"
|
||||
#include "lib/utils_crypt.h"
|
||||
#include "lib/utils_loop.h"
|
||||
-#include "lib/utils_fips.h"
|
||||
#include "lib/utils_io.h"
|
||||
#include "lib/utils_blkid.h"
|
||||
|
||||
Index: cryptsetup-2.3.7/tests/compat-test
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/tests/compat-test
|
||||
+++ cryptsetup-2.3.7/tests/compat-test
|
||||
@@ -44,7 +44,7 @@ KEY_MATERIAL5_EXT="S331776-395264"
|
||||
TEST_UUID="12345678-1234-1234-1234-123456789abc"
|
||||
|
||||
LOOPDEV=$(losetup -f 2>/dev/null)
|
||||
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
|
||||
function remove_mapping()
|
||||
{
|
||||
Index: cryptsetup-2.3.7/tests/compat-test2
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/tests/compat-test2
|
||||
+++ cryptsetup-2.3.7/tests/compat-test2
|
||||
@@ -42,7 +42,7 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-f
|
||||
TEST_UUID="12345678-1234-1234-1234-123456789abc"
|
||||
|
||||
LOOPDEV=$(losetup -f 2>/dev/null)
|
||||
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
|
||||
function remove_mapping()
|
||||
{
|
||||
Index: cryptsetup-2.3.7/tests/keyring-compat-test
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/tests/keyring-compat-test
|
||||
+++ cryptsetup-2.3.7/tests/keyring-compat-test
|
||||
@@ -26,7 +26,7 @@ PWD="aaa"
|
||||
[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
|
||||
CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
|
||||
|
||||
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
|
||||
function remove_mapping()
|
||||
{
|
||||
Index: cryptsetup-2.3.7/tests/luks2-reencryption-test
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/tests/luks2-reencryption-test
|
||||
+++ cryptsetup-2.3.7/tests/luks2-reencryption-test
|
||||
@@ -24,7 +24,7 @@ PWD1="93R4P4pIqAH8"
|
||||
PWD2="1cND4319812f"
|
||||
PWD3="1-9Qu5Ejfnqv"
|
||||
|
||||
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
|
||||
function dm_crypt_features()
|
||||
{
|
||||
Index: cryptsetup-2.3.7/lib/utils_fips.c
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/lib/utils_fips.c
|
||||
+++ cryptsetup-2.3.7/lib/utils_fips.c
|
||||
@@ -1,46 +1 @@
|
||||
-/*
|
||||
- * FIPS mode utilities
|
||||
- *
|
||||
- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved.
|
||||
- *
|
||||
- * This program is free software; you can redistribute it and/or
|
||||
- * modify it under the terms of the GNU General Public License
|
||||
- * as published by the Free Software Foundation; either version 2
|
||||
- * of the License, or (at your option) any later version.
|
||||
- *
|
||||
- * This program is distributed in the hope that it will be useful,
|
||||
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
- * GNU General Public License for more details.
|
||||
- *
|
||||
- * You should have received a copy of the GNU General Public License
|
||||
- * along with this program; if not, write to the Free Software
|
||||
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
- */
|
||||
-
|
||||
-#include <unistd.h>
|
||||
-#include <fcntl.h>
|
||||
-#include <errno.h>
|
||||
-#include "utils_fips.h"
|
||||
-
|
||||
-#if !ENABLE_FIPS
|
||||
-int crypt_fips_mode(void) { return 0; }
|
||||
-#else
|
||||
-static int kernel_fips_mode(void)
|
||||
-{
|
||||
- int fd;
|
||||
- char buf[1] = "";
|
||||
-
|
||||
- if ((fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY)) >= 0) {
|
||||
- while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
|
||||
- close(fd);
|
||||
- }
|
||||
-
|
||||
- return (buf[0] == '1') ? 1 : 0;
|
||||
-}
|
||||
-
|
||||
-int crypt_fips_mode(void)
|
||||
-{
|
||||
- return kernel_fips_mode() && !access("/etc/system-fips", F_OK);
|
||||
-}
|
||||
-#endif /* ENABLE_FIPS */
|
||||
+/* keep an empty file to avoid running autogen.sh */
|
||||
Index: cryptsetup-2.3.7/lib/utils_fips.h
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/lib/utils_fips.h
|
||||
+++ cryptsetup-2.3.7/lib/utils_fips.h
|
||||
@@ -1,26 +1 @@
|
||||
-/*
|
||||
- * FIPS mode utilities
|
||||
- *
|
||||
- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved.
|
||||
- *
|
||||
- * This program is free software; you can redistribute it and/or
|
||||
- * modify it under the terms of the GNU General Public License
|
||||
- * as published by the Free Software Foundation; either version 2
|
||||
- * of the License, or (at your option) any later version.
|
||||
- *
|
||||
- * This program is distributed in the hope that it will be useful,
|
||||
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
- * GNU General Public License for more details.
|
||||
- *
|
||||
- * You should have received a copy of the GNU General Public License
|
||||
- * along with this program; if not, write to the Free Software
|
||||
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
- */
|
||||
-
|
||||
-#ifndef _UTILS_FIPS_H
|
||||
-#define _UTILS_FIPS_H
|
||||
-
|
||||
-int crypt_fips_mode(void);
|
||||
-
|
||||
-#endif /* _UTILS_FIPS_H */
|
||||
+/* keep an empty file to avoid running autogen.sh */
|
||||
@ -1,53 +0,0 @@
|
||||
From 3616da631f83a004a13a575a54df8123f0d65c29 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Mon, 17 Oct 2022 15:18:42 +0200
|
||||
Subject: [PATCH 1/5] Fix cipher convert routines naming confusion.
|
||||
|
||||
The function names were in fact swaped.
|
||||
---
|
||||
lib/libdevmapper.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
|
||||
index 6c2eab78..0e45a789 100644
|
||||
--- a/lib/libdevmapper.c
|
||||
+++ b/lib/libdevmapper.c
|
||||
@@ -481,7 +481,7 @@ static size_t int_log10(uint64_t x)
|
||||
#define CAPIL 144 /* should be enough to fit whole capi string */
|
||||
#define CAPIS "143" /* for sscanf of crypto API string + 16 + \0 */
|
||||
|
||||
-static int cipher_c2dm(const char *org_c, const char *org_i, unsigned tag_size,
|
||||
+static int cipher_dm2c(const char *org_c, const char *org_i, unsigned tag_size,
|
||||
char *c_dm, int c_dm_size,
|
||||
char *i_dm, int i_dm_size)
|
||||
{
|
||||
@@ -543,7 +543,7 @@ static int cipher_c2dm(const char *org_c, const char *org_i, unsigned tag_size,
|
||||
return 0;
|
||||
}
|
||||
|
||||
-static int cipher_dm2c(char **org_c, char **org_i, const char *c_dm, const char *i_dm)
|
||||
+static int cipher_c2dm(char **org_c, char **org_i, const char *c_dm, const char *i_dm)
|
||||
{
|
||||
char cipher[CLEN], mode[CLEN], iv[CLEN], auth[CLEN];
|
||||
char tmp[CAPIL], dmcrypt_tmp[CAPIL*2], capi[CAPIL+1];
|
||||
@@ -629,7 +629,7 @@ static char *get_dm_crypt_params(const struct dm_target *tgt, uint32_t flags)
|
||||
if (!tgt)
|
||||
return NULL;
|
||||
|
||||
- r = cipher_c2dm(tgt->u.crypt.cipher, tgt->u.crypt.integrity, tgt->u.crypt.tag_size,
|
||||
+ r = cipher_dm2c(tgt->u.crypt.cipher, tgt->u.crypt.integrity, tgt->u.crypt.tag_size,
|
||||
cipher_dm, sizeof(cipher_dm), integrity_dm, sizeof(integrity_dm));
|
||||
if (r < 0)
|
||||
return NULL;
|
||||
@@ -2066,7 +2066,7 @@ static int _dm_target_query_crypt(struct crypt_device *cd, uint32_t get_flags,
|
||||
|
||||
/* cipher */
|
||||
if (get_flags & DM_ACTIVE_CRYPT_CIPHER) {
|
||||
- r = cipher_dm2c(CONST_CAST(char**)&cipher,
|
||||
+ r = cipher_c2dm(CONST_CAST(char**)&cipher,
|
||||
CONST_CAST(char**)&integrity,
|
||||
rcipher, rintegrity);
|
||||
if (r < 0)
|
||||
--
|
||||
2.38.1
|
||||
|
||||
@ -1,130 +0,0 @@
|
||||
From 3e4c69a01709d35322ffa17c5360608907a207d7 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Tue, 11 Oct 2022 11:48:13 +0200
|
||||
Subject: [PATCH 5/5] Fix internal crypt segment compare routine.
|
||||
|
||||
The function is supposed to check if manipulated
|
||||
active dm-crypt device matches the on-disk metadata.
|
||||
Unfortunately it did not take into account differences
|
||||
between normal cipher specification (aes-xts-plain64)
|
||||
and capi format specification (capi:xts(aes)-plain64).
|
||||
The internal query function always converted capi format
|
||||
in normal format and therefor failed if capi format was
|
||||
used in metadata.
|
||||
|
||||
Fixes: #759.
|
||||
---
|
||||
lib/setup.c | 36 ++++++++++++++++++++++++++----------
|
||||
tests/api-test-2.c | 14 ++++++++++++--
|
||||
2 files changed, 38 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/lib/setup.c b/lib/setup.c
|
||||
index 6d7411b5..809049b9 100644
|
||||
--- a/lib/setup.c
|
||||
+++ b/lib/setup.c
|
||||
@@ -2458,6 +2458,9 @@ static int _compare_crypt_devices(struct crypt_device *cd,
|
||||
const struct dm_target *src,
|
||||
const struct dm_target *tgt)
|
||||
{
|
||||
+ char *src_cipher = NULL, *src_integrity = NULL;
|
||||
+ int r = -EINVAL;
|
||||
+
|
||||
/* for crypt devices keys are mandatory */
|
||||
if (!src->u.crypt.vk || !tgt->u.crypt.vk)
|
||||
return -EINVAL;
|
||||
@@ -2465,21 +2468,30 @@ static int _compare_crypt_devices(struct crypt_device *cd,
|
||||
/* CIPHER checks */
|
||||
if (!src->u.crypt.cipher || !tgt->u.crypt.cipher)
|
||||
return -EINVAL;
|
||||
- if (strcmp(src->u.crypt.cipher, tgt->u.crypt.cipher)) {
|
||||
- log_dbg(cd, "Cipher specs do not match.");
|
||||
+
|
||||
+ /*
|
||||
+ * dm_query_target converts capi cipher specification to dm-crypt format.
|
||||
+ * We need to do same for cipher specification requested in source
|
||||
+ * device.
|
||||
+ */
|
||||
+ if (crypt_capi_to_cipher(&src_cipher, &src_integrity, src->u.crypt.cipher, src->u.crypt.integrity))
|
||||
return -EINVAL;
|
||||
+
|
||||
+ if (strcmp(src_cipher, tgt->u.crypt.cipher)) {
|
||||
+ log_dbg(cd, "Cipher specs do not match.");
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
if (tgt->u.crypt.vk->keylength == 0 && crypt_is_cipher_null(tgt->u.crypt.cipher))
|
||||
log_dbg(cd, "Existing device uses cipher null. Skipping key comparison.");
|
||||
else if (_compare_volume_keys(src->u.crypt.vk, 0, tgt->u.crypt.vk, tgt->u.crypt.vk->key_description != NULL)) {
|
||||
log_dbg(cd, "Keys in context and target device do not match.");
|
||||
- return -EINVAL;
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
- if (crypt_strcmp(src->u.crypt.integrity, tgt->u.crypt.integrity)) {
|
||||
+ if (crypt_strcmp(src_integrity, tgt->u.crypt.integrity)) {
|
||||
log_dbg(cd, "Integrity parameters do not match.");
|
||||
- return -EINVAL;
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
if (src->u.crypt.offset != tgt->u.crypt.offset ||
|
||||
@@ -2487,15 +2499,19 @@ static int _compare_crypt_devices(struct crypt_device *cd,
|
||||
src->u.crypt.iv_offset != tgt->u.crypt.iv_offset ||
|
||||
src->u.crypt.tag_size != tgt->u.crypt.tag_size) {
|
||||
log_dbg(cd, "Integer parameters do not match.");
|
||||
- return -EINVAL;
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
- if (device_is_identical(src->data_device, tgt->data_device) <= 0) {
|
||||
+ if (device_is_identical(src->data_device, tgt->data_device) <= 0)
|
||||
log_dbg(cd, "Data devices do not match.");
|
||||
- return -EINVAL;
|
||||
- }
|
||||
+ else
|
||||
+ r = 0;
|
||||
|
||||
- return 0;
|
||||
+out:
|
||||
+ free(src_cipher);
|
||||
+ free(src_integrity);
|
||||
+
|
||||
+ return r;
|
||||
}
|
||||
|
||||
static int _compare_integrity_devices(struct crypt_device *cd,
|
||||
diff --git a/tests/api-test-2.c b/tests/api-test-2.c
|
||||
index 0534677a..34002d1a 100644
|
||||
--- a/tests/api-test-2.c
|
||||
+++ b/tests/api-test-2.c
|
||||
@@ -1585,8 +1585,8 @@ static void ResizeDeviceLuks2(void)
|
||||
|
||||
const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
|
||||
size_t key_size = strlen(mk_hex) / 2;
|
||||
- const char *cipher = "aes";
|
||||
- const char *cipher_mode = "cbc-essiv:sha256";
|
||||
+ const char *cipher = "aes", *capi_cipher = "capi:cbc(aes)";
|
||||
+ const char *cipher_mode = "cbc-essiv:sha256", *capi_cipher_mode = "essiv:sha256";
|
||||
uint64_t r_payload_offset, r_header_size, r_size;
|
||||
|
||||
/* Cannot use Argon2 in FIPS */
|
||||
@@ -1728,6 +1728,16 @@ static void ResizeDeviceLuks2(void)
|
||||
OK_(crypt_deactivate(cd, CDEVICE_1));
|
||||
CRYPT_FREE(cd);
|
||||
|
||||
+ OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
|
||||
+ OK_(crypt_set_pbkdf_type(cd, &pbkdf));
|
||||
+ OK_(crypt_format(cd, CRYPT_LUKS2, capi_cipher, capi_cipher_mode, NULL, key, key_size, NULL));
|
||||
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
|
||||
+ OK_(crypt_resize(cd, CDEVICE_1, 8));
|
||||
+ if (!t_device_size(DMDIR CDEVICE_1, &r_size))
|
||||
+ EQ_(8, r_size >> SECTOR_SHIFT);
|
||||
+ OK_(crypt_deactivate(cd, CDEVICE_1));
|
||||
+ CRYPT_FREE(cd);
|
||||
+
|
||||
_cleanup_dmdevices();
|
||||
}
|
||||
|
||||
--
|
||||
2.38.1
|
||||
|
||||
@ -1,250 +0,0 @@
|
||||
From 9a9ddc7d22e14e14c9a6e97860cffada406adac3 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Tue, 11 Oct 2022 10:50:17 +0200
|
||||
Subject: [PATCH 2/5] Move cipher_dm2c to crypto utilities.
|
||||
|
||||
(Gets renamed to crypt_capi_to_cipher)
|
||||
---
|
||||
lib/libdevmapper.c | 84 +++-------------------------------------------
|
||||
lib/utils_crypt.c | 72 +++++++++++++++++++++++++++++++++++++++
|
||||
lib/utils_crypt.h | 11 ++++--
|
||||
3 files changed, 85 insertions(+), 82 deletions(-)
|
||||
|
||||
diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
|
||||
index 0e45a789..7fcf843f 100644
|
||||
--- a/lib/libdevmapper.c
|
||||
+++ b/lib/libdevmapper.c
|
||||
@@ -476,27 +476,22 @@ static size_t int_log10(uint64_t x)
|
||||
return r;
|
||||
}
|
||||
|
||||
-#define CLEN 64 /* 2*MAX_CIPHER_LEN */
|
||||
-#define CLENS "63" /* for sscanf length + '\0' */
|
||||
-#define CAPIL 144 /* should be enough to fit whole capi string */
|
||||
-#define CAPIS "143" /* for sscanf of crypto API string + 16 + \0 */
|
||||
-
|
||||
static int cipher_dm2c(const char *org_c, const char *org_i, unsigned tag_size,
|
||||
char *c_dm, int c_dm_size,
|
||||
char *i_dm, int i_dm_size)
|
||||
{
|
||||
int c_size = 0, i_size = 0, i;
|
||||
- char cipher[CLEN], mode[CLEN], iv[CLEN+1], tmp[CLEN];
|
||||
- char capi[CAPIL];
|
||||
+ char cipher[MAX_CAPI_ONE_LEN], mode[MAX_CAPI_ONE_LEN], iv[MAX_CAPI_ONE_LEN+1],
|
||||
+ tmp[MAX_CAPI_ONE_LEN], capi[MAX_CAPI_LEN];
|
||||
|
||||
if (!c_dm || !c_dm_size || !i_dm || !i_dm_size)
|
||||
return -EINVAL;
|
||||
|
||||
- i = sscanf(org_c, "%" CLENS "[^-]-%" CLENS "s", cipher, tmp);
|
||||
+ i = sscanf(org_c, "%" MAX_CAPI_ONE_LEN_STR "[^-]-%" MAX_CAPI_ONE_LEN_STR "s", cipher, tmp);
|
||||
if (i != 2)
|
||||
return -EINVAL;
|
||||
|
||||
- i = sscanf(tmp, "%" CLENS "[^-]-%" CLENS "s", mode, iv);
|
||||
+ i = sscanf(tmp, "%" MAX_CAPI_ONE_LEN_STR "[^-]-%" MAX_CAPI_ONE_LEN_STR "s", mode, iv);
|
||||
if (i == 1) {
|
||||
memset(iv, 0, sizeof(iv));
|
||||
strncpy(iv, mode, sizeof(iv)-1);
|
||||
@@ -543,75 +538,6 @@ static int cipher_dm2c(const char *org_c, const char *org_i, unsigned tag_size,
|
||||
return 0;
|
||||
}
|
||||
|
||||
-static int cipher_c2dm(char **org_c, char **org_i, const char *c_dm, const char *i_dm)
|
||||
-{
|
||||
- char cipher[CLEN], mode[CLEN], iv[CLEN], auth[CLEN];
|
||||
- char tmp[CAPIL], dmcrypt_tmp[CAPIL*2], capi[CAPIL+1];
|
||||
- size_t len;
|
||||
- int i;
|
||||
-
|
||||
- if (!c_dm)
|
||||
- return -EINVAL;
|
||||
-
|
||||
- /* legacy mode */
|
||||
- if (strncmp(c_dm, "capi:", 4)) {
|
||||
- if (!(*org_c = strdup(c_dm)))
|
||||
- return -ENOMEM;
|
||||
- *org_i = NULL;
|
||||
- return 0;
|
||||
- }
|
||||
-
|
||||
- /* modes with capi: prefix */
|
||||
- i = sscanf(c_dm, "capi:%" CAPIS "[^-]-%" CLENS "s", tmp, iv);
|
||||
- if (i != 2)
|
||||
- return -EINVAL;
|
||||
-
|
||||
- len = strlen(tmp);
|
||||
- if (len < 2)
|
||||
- return -EINVAL;
|
||||
-
|
||||
- if (tmp[len-1] == ')')
|
||||
- tmp[len-1] = '\0';
|
||||
-
|
||||
- if (sscanf(tmp, "rfc4309(%" CAPIS "s", capi) == 1) {
|
||||
- if (!(*org_i = strdup("aead")))
|
||||
- return -ENOMEM;
|
||||
- } else if (sscanf(tmp, "rfc7539(%" CAPIS "[^,],%" CLENS "s", capi, auth) == 2) {
|
||||
- if (!(*org_i = strdup(auth)))
|
||||
- return -ENOMEM;
|
||||
- } else if (sscanf(tmp, "authenc(%" CLENS "[^,],%" CAPIS "s", auth, capi) == 2) {
|
||||
- if (!(*org_i = strdup(auth)))
|
||||
- return -ENOMEM;
|
||||
- } else {
|
||||
- if (i_dm) {
|
||||
- if (!(*org_i = strdup(i_dm)))
|
||||
- return -ENOMEM;
|
||||
- } else
|
||||
- *org_i = NULL;
|
||||
- memset(capi, 0, sizeof(capi));
|
||||
- strncpy(capi, tmp, sizeof(capi)-1);
|
||||
- }
|
||||
-
|
||||
- i = sscanf(capi, "%" CLENS "[^(](%" CLENS "[^)])", mode, cipher);
|
||||
- if (i == 2)
|
||||
- i = snprintf(dmcrypt_tmp, sizeof(dmcrypt_tmp), "%s-%s-%s", cipher, mode, iv);
|
||||
- else
|
||||
- i = snprintf(dmcrypt_tmp, sizeof(dmcrypt_tmp), "%s-%s", capi, iv);
|
||||
- if (i < 0 || (size_t)i >= sizeof(dmcrypt_tmp)) {
|
||||
- free(*org_i);
|
||||
- *org_i = NULL;
|
||||
- return -EINVAL;
|
||||
- }
|
||||
-
|
||||
- if (!(*org_c = strdup(dmcrypt_tmp))) {
|
||||
- free(*org_i);
|
||||
- *org_i = NULL;
|
||||
- return -ENOMEM;
|
||||
- }
|
||||
-
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
static char *_uf(char *buf, size_t buf_size, const char *s, unsigned u)
|
||||
{
|
||||
size_t r = snprintf(buf, buf_size, " %s:%u", s, u);
|
||||
@@ -2066,7 +1992,7 @@ static int _dm_target_query_crypt(struct crypt_device *cd, uint32_t get_flags,
|
||||
|
||||
/* cipher */
|
||||
if (get_flags & DM_ACTIVE_CRYPT_CIPHER) {
|
||||
- r = cipher_c2dm(CONST_CAST(char**)&cipher,
|
||||
+ r = crypt_capi_to_cipher(CONST_CAST(char**)&cipher,
|
||||
CONST_CAST(char**)&integrity,
|
||||
rcipher, rintegrity);
|
||||
if (r < 0)
|
||||
diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c
|
||||
index 83d0a2c5..4f4dbba8 100644
|
||||
--- a/lib/utils_crypt.c
|
||||
+++ b/lib/utils_crypt.c
|
||||
@@ -31,6 +31,8 @@
|
||||
#include "libcryptsetup.h"
|
||||
#include "utils_crypt.h"
|
||||
|
||||
+#define MAX_CAPI_LEN_STR "143" /* for sscanf of crypto API string + 16 + \0 */
|
||||
+
|
||||
int crypt_parse_name_and_mode(const char *s, char *cipher, int *key_nums,
|
||||
char *cipher_mode)
|
||||
{
|
||||
@@ -266,3 +268,73 @@ bool crypt_is_cipher_null(const char *cipher_spec)
|
||||
return false;
|
||||
return (strstr(cipher_spec, "cipher_null") || !strcmp(cipher_spec, "null"));
|
||||
}
|
||||
+
|
||||
+int crypt_capi_to_cipher(char **org_c, char **org_i, const char *c_dm, const char *i_dm)
|
||||
+{
|
||||
+ char cipher[MAX_CAPI_ONE_LEN], mode[MAX_CAPI_ONE_LEN], iv[MAX_CAPI_ONE_LEN],
|
||||
+ auth[MAX_CAPI_ONE_LEN], tmp[MAX_CAPI_LEN], dmcrypt_tmp[MAX_CAPI_LEN*2],
|
||||
+ capi[MAX_CAPI_LEN+1];
|
||||
+ size_t len;
|
||||
+ int i;
|
||||
+
|
||||
+ if (!c_dm)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
+ /* legacy mode */
|
||||
+ if (strncmp(c_dm, "capi:", 4)) {
|
||||
+ if (!(*org_c = strdup(c_dm)))
|
||||
+ return -ENOMEM;
|
||||
+ *org_i = NULL;
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ /* modes with capi: prefix */
|
||||
+ i = sscanf(c_dm, "capi:%" MAX_CAPI_LEN_STR "[^-]-%" MAX_CAPI_ONE_LEN_STR "s", tmp, iv);
|
||||
+ if (i != 2)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
+ len = strlen(tmp);
|
||||
+ if (len < 2)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
+ if (tmp[len-1] == ')')
|
||||
+ tmp[len-1] = '\0';
|
||||
+
|
||||
+ if (sscanf(tmp, "rfc4309(%" MAX_CAPI_LEN_STR "s", capi) == 1) {
|
||||
+ if (!(*org_i = strdup("aead")))
|
||||
+ return -ENOMEM;
|
||||
+ } else if (sscanf(tmp, "rfc7539(%" MAX_CAPI_LEN_STR "[^,],%" MAX_CAPI_ONE_LEN_STR "s", capi, auth) == 2) {
|
||||
+ if (!(*org_i = strdup(auth)))
|
||||
+ return -ENOMEM;
|
||||
+ } else if (sscanf(tmp, "authenc(%" MAX_CAPI_ONE_LEN_STR "[^,],%" MAX_CAPI_LEN_STR "s", auth, capi) == 2) {
|
||||
+ if (!(*org_i = strdup(auth)))
|
||||
+ return -ENOMEM;
|
||||
+ } else {
|
||||
+ if (i_dm) {
|
||||
+ if (!(*org_i = strdup(i_dm)))
|
||||
+ return -ENOMEM;
|
||||
+ } else
|
||||
+ *org_i = NULL;
|
||||
+ memset(capi, 0, sizeof(capi));
|
||||
+ strncpy(capi, tmp, sizeof(capi)-1);
|
||||
+ }
|
||||
+
|
||||
+ i = sscanf(capi, "%" MAX_CAPI_ONE_LEN_STR "[^(](%" MAX_CAPI_ONE_LEN_STR "[^)])", mode, cipher);
|
||||
+ if (i == 2)
|
||||
+ i = snprintf(dmcrypt_tmp, sizeof(dmcrypt_tmp), "%s-%s-%s", cipher, mode, iv);
|
||||
+ else
|
||||
+ i = snprintf(dmcrypt_tmp, sizeof(dmcrypt_tmp), "%s-%s", capi, iv);
|
||||
+ if (i < 0 || (size_t)i >= sizeof(dmcrypt_tmp)) {
|
||||
+ free(*org_i);
|
||||
+ *org_i = NULL;
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ if (!(*org_c = strdup(dmcrypt_tmp))) {
|
||||
+ free(*org_i);
|
||||
+ *org_i = NULL;
|
||||
+ return -ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
diff --git a/lib/utils_crypt.h b/lib/utils_crypt.h
|
||||
index 5922350a..a4a9b6ca 100644
|
||||
--- a/lib/utils_crypt.h
|
||||
+++ b/lib/utils_crypt.h
|
||||
@@ -27,9 +27,12 @@
|
||||
#include <stdbool.h>
|
||||
#include <unistd.h>
|
||||
|
||||
-#define MAX_CIPHER_LEN 32
|
||||
-#define MAX_CIPHER_LEN_STR "31"
|
||||
-#define MAX_KEYFILES 32
|
||||
+#define MAX_CIPHER_LEN 32
|
||||
+#define MAX_CIPHER_LEN_STR "31"
|
||||
+#define MAX_KEYFILES 32
|
||||
+#define MAX_CAPI_ONE_LEN 2 * MAX_CIPHER_LEN
|
||||
+#define MAX_CAPI_ONE_LEN_STR "63" /* for sscanf length + '\0' */
|
||||
+#define MAX_CAPI_LEN 144 /* should be enough to fit whole capi string */
|
||||
|
||||
int crypt_parse_name_and_mode(const char *s, char *cipher,
|
||||
int *key_nums, char *cipher_mode);
|
||||
@@ -46,4 +49,6 @@ void crypt_log_hex(struct crypt_device *cd,
|
||||
|
||||
bool crypt_is_cipher_null(const char *cipher_spec);
|
||||
|
||||
+int crypt_capi_to_cipher(char **org_c, char **org_i, const char *c_dm, const char *i_dm);
|
||||
+
|
||||
#endif /* _UTILS_CRYPT_H */
|
||||
--
|
||||
2.38.1
|
||||
|
||||
@ -1,154 +0,0 @@
|
||||
From c18dcfaa0b91eb48006232fbfadce9e6a9b4a790 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Fri, 2 Dec 2022 15:39:36 +0100
|
||||
Subject: [PATCH 2/2] Abort encryption when header and data devices are same.
|
||||
|
||||
If data device reduction is not requsted this led
|
||||
to data corruption since LUKS metadata was written
|
||||
over the data device.
|
||||
---
|
||||
src/utils_reencrypt.c | 42 ++++++++++++++++++++++++++++++----
|
||||
tests/luks2-reencryption-test | 16 +++++++++++++
|
||||
tests/reencryption-compat-test | 20 +++++++++++++---
|
||||
3 files changed, 70 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/utils_tools.c b/src/utils_tools.c
|
||||
--- a/src/utils_tools.c
|
||||
+++ b/src/utils_tools.c
|
||||
@@ -624,3 +624,23 @@ int tools_reencrypt_progress(uint64_t si
|
||||
|
||||
return r;
|
||||
}
|
||||
+
|
||||
+int reencrypt_is_header_detached(const char *header_device, const char *data_device)
|
||||
+{
|
||||
+ int r;
|
||||
+ struct stat st;
|
||||
+ struct crypt_device *cd;
|
||||
+
|
||||
+ if (!header_device)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (header_device && stat(header_device, &st) < 0 && errno == ENOENT)
|
||||
+ return 1;
|
||||
+
|
||||
+ if ((r = crypt_init_data_device(&cd, header_device, data_device)))
|
||||
+ return r;
|
||||
+
|
||||
+ r = crypt_get_metadata_device_name(cd) && crypt_get_device_name(cd) && strcmp(crypt_get_metadata_device_name(cd), crypt_get_device_name(cd));
|
||||
+ crypt_free(cd);
|
||||
+ return r;
|
||||
+}
|
||||
diff --git a/src/cryptsetup.h b/src/cryptsetup.h
|
||||
--- a/src/cryptsetup.h
|
||||
+++ b/src/cryptsetup.h
|
||||
@@ -103,6 +103,7 @@ void tools_clear_line(void);
|
||||
|
||||
int tools_wipe_progress(uint64_t size, uint64_t offset, void *usrptr);
|
||||
int tools_reencrypt_progress(uint64_t size, uint64_t offset, void *usrptr);
|
||||
+int reencrypt_is_header_detached(const char *header_device, const char *data_device);
|
||||
|
||||
int tools_read_mk(const char *file, char **key, int keysize);
|
||||
int tools_write_mk(const char *file, const char *key, int keysize);
|
||||
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
|
||||
--- a/src/cryptsetup.c
|
||||
+++ b/src/cryptsetup.c
|
||||
@@ -2892,6 +2892,16 @@ static int action_encrypt_luks2(struct c
|
||||
return -ENOTSUP;
|
||||
}
|
||||
|
||||
+ if (!opt_data_shift) {
|
||||
+ r = reencrypt_is_header_detached(opt_header_device, action_argv[0]);
|
||||
+ if (r < 0)
|
||||
+ return r;
|
||||
+ if (!r) {
|
||||
+ log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."));
|
||||
+ return -ENOTSUP;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (!opt_header_device && opt_offset && opt_data_shift && (opt_offset > (imaxabs(opt_data_shift) / (2 * SECTOR_SIZE)))) {
|
||||
log_err(_("Requested data offset must be less than or equal to half of --reduce-device-size parameter."));
|
||||
return -EINVAL;
|
||||
diff --git a/src/cryptsetup_reencrypt.c b/src/cryptsetup_reencrypt.c
|
||||
--- a/src/cryptsetup_reencrypt.c
|
||||
+++ b/src/cryptsetup_reencrypt.c
|
||||
@@ -1553,6 +1553,17 @@ static int run_reencrypt(const char *dev
|
||||
goto out;
|
||||
}
|
||||
|
||||
+ if (rc.reencrypt_mode == ENCRYPT) {
|
||||
+ r = reencrypt_is_header_detached(opt_header_device, action_argv[0]);
|
||||
+ if (r < 0)
|
||||
+ goto out;
|
||||
+ if (!r && !opt_reduce_size) {
|
||||
+ log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."));
|
||||
+ r = -ENOTSUP;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
log_dbg("Running reencryption.");
|
||||
|
||||
if (!rc.in_progress) {
|
||||
diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
|
||||
index bab54353..a647a8c2 100755
|
||||
--- a/tests/luks2-reencryption-test
|
||||
+++ b/tests/luks2-reencryption-test
|
||||
@@ -1080,6 +1080,15 @@ $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
|
||||
$CRYPTSETUP close $DEV_NAME
|
||||
echo $PWD1 | $CRYPTSETUP open --header $IMG_HDR $DEV --test-passphrase || fail
|
||||
|
||||
+# Encrypt without size reduction must not allow header device same as data device
|
||||
+wipe_dev_head $DEV 1
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --type luks2 --encrypt --header $DEV -q $FAST_PBKDF_ARGON 2>/dev/null && fail
|
||||
+$CRYPTSETUP isLUKS $DEV 2>/dev/null && fail
|
||||
+
|
||||
+dd if=/dev/zero of=$IMG bs=4k count=1 >/dev/null 2>&1
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt $IMG --type luks2 --encrypt --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail
|
||||
+$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
|
||||
+
|
||||
echo "[4] Reencryption with detached header"
|
||||
wipe $PWD1 $IMG_HDR
|
||||
echo $PWD1 | $CRYPTSETUP reencrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
|
||||
diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test
|
||||
index f6a84137..453831d1 100755
|
||||
--- a/tests/reencryption-compat-test
|
||||
+++ b/tests/reencryption-compat-test
|
||||
@@ -11,5 +11,6 @@ IMG=reenc-data
|
||||
IMG_HDR=$IMG.hdr
|
||||
ORIG_IMG=reenc-data-orig
|
||||
+DEV_LINK="reenc-test-link"
|
||||
KEY1=key1
|
||||
PWD1="93R4P4pIqAH8"
|
||||
PWD2="1cND4319812f"
|
||||
@@ -40,7 +41,7 @@ function remove_mapping()
|
||||
[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
|
||||
[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
|
||||
[ ! -z "$LOOPDEV1" ] && losetup -d $LOOPDEV1 >/dev/null 2>&1
|
||||
- rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 >/dev/null 2>&1
|
||||
+ rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $DEV_LINK >/dev/null 2>&1
|
||||
umount $MNT_DIR > /dev/null 2>&1
|
||||
rmdir $MNT_DIR > /dev/null 2>&1
|
||||
LOOPDEV1=""
|
||||
@@ -265,10 +265,16 @@ $REENC $LOOPDEV1 -d $KEY1 $FAST_PBKDF -q
|
||||
# FIXME echo $PWD1 | $REENC ...
|
||||
|
||||
echo "[4] Encryption of not yet encrypted device"
|
||||
+# Encrypt without size reduction must not allow header device same as data device
|
||||
+wipe_dev $LOOPDEV1
|
||||
+echo $PWD1 | $REENC $LOOPDEV1 --type luks1 --new --header $LOOPDEV1 -q $FAST_PBKDF_ARGON 2>/dev/null && fail
|
||||
+$CRYPTSETUP isLUKS $LOOPDEV1 2>/dev/null && fail
|
||||
+echo $PWD1 | $REENC $IMG --type luks1 --new --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail
|
||||
+$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
|
||||
+
|
||||
# well, movin' zeroes :-)
|
||||
OFFSET=2048
|
||||
SIZE=$(blockdev --getsz $LOOPDEV1)
|
||||
-wipe_dev $LOOPDEV1
|
||||
dmsetup create $DEV_NAME2 --table "0 $(($SIZE - $OFFSET)) linear $LOOPDEV1 0" || fail
|
||||
check_hash_dev /dev/mapper/$DEV_NAME2 $HASH3
|
||||
dmsetup remove --retry $DEV_NAME2 || fail
|
||||
--
|
||||
2.38.1
|
||||
|
||||
@ -1,79 +0,0 @@
|
||||
From dff9ee8c8cb68432e96261b87aabb7aaa51215e7 Mon Sep 17 00:00:00 2001
|
||||
From: Milan Broz <gmazyland@gmail.com>
|
||||
Date: Tue, 2 May 2023 15:42:21 +0200
|
||||
Subject: [PATCH] Also disallow active devices with internal kernel names.
|
||||
|
||||
The same problem fixed in commit 438cf1d1b3ef6d7405cfbcbe5f631d3d7467a605
|
||||
is present in libdevmapper wrapper when parsing active device table.
|
||||
|
||||
The whole point of conversion was that non-authenticated modes
|
||||
can be always represented in the old cipher-mode-iv format.
|
||||
As the internal names contains dash, these are unsupported.
|
||||
|
||||
That said, the libdevmapper backend now correctly returns
|
||||
full cipher specification including capi prefix for this case.
|
||||
|
||||
Init_by_name call now fails with incomplatible cipher definition error.
|
||||
---
|
||||
lib/setup.c | 2 +-
|
||||
lib/utils_crypt.c | 9 +++++++++
|
||||
tests/mode-test | 5 +++++
|
||||
3 files changed, 15 insertions(+), 1 deletion(-)
|
||||
|
||||
Index: cryptsetup-2.3.7/lib/setup.c
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/lib/setup.c
|
||||
+++ cryptsetup-2.3.7/lib/setup.c
|
||||
@@ -1188,7 +1188,7 @@ static int _init_by_name_crypt(struct cr
|
||||
r = crypt_parse_name_and_mode(tgt->type == DM_LINEAR ? "null" : tgt->u.crypt.cipher, cipher,
|
||||
&key_nums, cipher_mode);
|
||||
if (r < 0) {
|
||||
- log_dbg(cd, "Cannot parse cipher and mode from active device.");
|
||||
+ log_err(cd, _("No known cipher specification pattern detected for active device %s."), name);
|
||||
goto out;
|
||||
}
|
||||
|
||||
Index: cryptsetup-2.3.7/lib/utils_crypt.c
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/lib/utils_crypt.c
|
||||
+++ cryptsetup-2.3.7/lib/utils_crypt.c
|
||||
@@ -224,6 +224,15 @@ int crypt_capi_to_cipher(char **org_c, c
|
||||
if (i != 2)
|
||||
return -EINVAL;
|
||||
|
||||
+ /* non-cryptsetup compatible mode (generic driver with dash?) */
|
||||
+ if (strrchr(iv, ')')) {
|
||||
+ if (i_dm)
|
||||
+ return -EINVAL;
|
||||
+ if (!(*org_c = strdup(c_dm)))
|
||||
+ return -ENOMEM;
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
len = strlen(tmp);
|
||||
if (len < 2)
|
||||
return -EINVAL;
|
||||
Index: cryptsetup-2.3.7/tests/mode-test
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/tests/mode-test
|
||||
+++ cryptsetup-2.3.7/tests/mode-test
|
||||
@@ -8,6 +8,8 @@ DEV_NAME=dmc_test
|
||||
HEADER_IMG=mode-test.img
|
||||
PASSWORD=3xrododenron
|
||||
PASSWORD1=$PASSWORD
|
||||
+KEY="7c0dc5dfd0c9191381d92e6ebb3b29e7f0dba53b0de132ae23f5726727173540"
|
||||
+FAST_PBKDF2="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
|
||||
|
||||
# cipher-chainmode-ivopts:ivmode
|
||||
CIPHERS="aes twofish serpent"
|
||||
@@ -172,6 +174,10 @@ echo -n "CAPI format:"
|
||||
echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail
|
||||
$CRYPTSETUP close "$DEV_NAME"_tstdev || fail
|
||||
echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail
|
||||
+dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail
|
||||
+$CRYPTSETUP status "$DEV_NAME"_tstdev >/dev/null 2>&1 && fail
|
||||
+$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null && fail
|
||||
+dmsetup remove "$DEV_NAME"_tstdev || fail
|
||||
echo [OK]
|
||||
|
||||
cleanup
|
||||
@ -1,68 +0,0 @@
|
||||
From 438cf1d1b3ef6d7405cfbcbe5f631d3d7467a605 Mon Sep 17 00:00:00 2001
|
||||
From: Milan Broz <gmazyland@gmail.com>
|
||||
Date: Mon, 24 Apr 2023 21:19:03 +0200
|
||||
Subject: [PATCH] Disallow use of internal kenrel crypto driver names in "capi"
|
||||
specification.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The common way to specify cipher mode in cryptsetup
|
||||
is to use cipher-mode-iv notation (like aes-xts-plain64).
|
||||
With introduction of authenticated ciphers we also allow "capi:<spec>"
|
||||
notation that is directly used by dm-crypt (e.g. capi:xts(aes)-plain64).
|
||||
|
||||
CAPI specification was never intended to be used with internal
|
||||
kernel crypto api names (with dash in algorithm name), actually the
|
||||
whole parsing routine wrongly parses mode here now.
|
||||
|
||||
The code not checks if parsing wrongly separated the full cipher
|
||||
string and effectively allowing only proper cipher names
|
||||
(example of no longer supported string is capi:xts(ecb(aes-generic))-plain64).
|
||||
|
||||
Thanks to Jan Wichelmann, Luca Wilke and Thomas Eisenbarth from
|
||||
University of Lübeck for noticing the problems with this code.
|
||||
|
||||
Fixes: #809
|
||||
---
|
||||
lib/utils_crypt.c | 8 +++++++-
|
||||
tests/mode-test | 6 ++++++
|
||||
2 files changed, 13 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c
|
||||
index 0b7dc378..c1bde000 100644
|
||||
--- a/lib/utils_crypt.c
|
||||
+++ b/lib/utils_crypt.c
|
||||
@@ -43,7 +43,13 @@ int crypt_parse_name_and_mode(const char *s, char *cipher, int *key_nums,
|
||||
cipher, cipher_mode) == 2) {
|
||||
if (!strcmp(cipher_mode, "plain"))
|
||||
strcpy(cipher_mode, "cbc-plain");
|
||||
- if (key_nums) {
|
||||
+ if (!strncmp(cipher, "capi:", 5)) {
|
||||
+ /* CAPI must not use internal cipher driver names with dash */
|
||||
+ if (strchr(cipher_mode, ')'))
|
||||
+ return -EINVAL;
|
||||
+ if (key_nums)
|
||||
+ *key_nums = 1;
|
||||
+ } else if (key_nums) {
|
||||
char *tmp = strchr(cipher, ':');
|
||||
*key_nums = tmp ? atoi(++tmp) : 1;
|
||||
if (!*key_nums)
|
||||
diff --git a/tests/mode-test b/tests/mode-test
|
||||
index 82171fbd..fe61880a 100755
|
||||
--- a/tests/mode-test
|
||||
+++ b/tests/mode-test
|
||||
@@ -184,4 +184,10 @@ done
|
||||
dmcrypt xchacha12,aes-adiantum-plain64
|
||||
dmcrypt xchacha20,aes-adiantum-plain64
|
||||
|
||||
+echo -n "CAPI format:"
|
||||
+echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail
|
||||
+$CRYPTSETUP close "$DEV_NAME"_tstdev || fail
|
||||
+echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail
|
||||
+echo [OK]
|
||||
+
|
||||
cleanup
|
||||
--
|
||||
2.40.1
|
||||
|
||||
@ -1,103 +0,0 @@
|
||||
From b8711faf92868dc82b1a64e7673740444199b2ca Mon Sep 17 00:00:00 2001
|
||||
From: Milan Broz <gmazyland@gmail.com>
|
||||
Date: Sun, 25 Jun 2023 23:32:13 +0200
|
||||
Subject: [PATCH 2/2] Fix activation of LUKS2 with capi format cipher and
|
||||
kernel crypt name.
|
||||
|
||||
While activation of internal cipher algorithms (like aes-generic)
|
||||
is disallowed, some old LUKS2 images can still use it.
|
||||
|
||||
Check the cipher in activate call, but allow to load LUKS2 metadata.
|
||||
This can allow to add repair code easily and also allow luksDump.
|
||||
|
||||
Also fix segfault in reencrypt code for such a header.
|
||||
|
||||
Fixes: #820
|
||||
---
|
||||
lib/luks2/luks2_json_metadata.c | 5 +++++
|
||||
tests/Makefile.am | 4 +++-
|
||||
tests/compat-test2 | 17 ++++++++++++++++-
|
||||
tests/luks2_invalid_cipher.img.xz | Bin 0 -> 135372 bytes
|
||||
tests/meson.build | 1 +
|
||||
5 files changed, 25 insertions(+), 2 deletions(-)
|
||||
create mode 100644 tests/luks2_invalid_cipher.img.xz
|
||||
|
||||
Index: cryptsetup-2.3.7/lib/luks2/luks2_json_metadata.c
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/lib/luks2/luks2_json_metadata.c
|
||||
+++ cryptsetup-2.3.7/lib/luks2/luks2_json_metadata.c
|
||||
@@ -2324,6 +2324,11 @@ int LUKS2_activate(struct crypt_device *
|
||||
if ((r = LUKS2_unmet_requirements(cd, hdr, 0, 0)))
|
||||
return r;
|
||||
|
||||
+ /* Check that cipher is in compatible format */
|
||||
+ if (!crypt_get_cipher(cd)) {
|
||||
+ log_err(cd, _("No known cipher specification pattern detected in LUKS2 header."));
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd),
|
||||
vk, crypt_get_cipher_spec(cd), crypt_get_iv_offset(cd),
|
||||
crypt_get_data_offset(cd), crypt_get_integrity(cd) ?: "none",
|
||||
Index: cryptsetup-2.3.7/tests/compat-test2
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/tests/compat-test2
|
||||
+++ cryptsetup-2.3.7/tests/compat-test2
|
||||
@@ -3,6 +3,7 @@
|
||||
PS4='$LINENO:'
|
||||
[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
|
||||
CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
|
||||
+CRYPTSETUP_REENCRYPT=$CRYPTSETUP_PATH/cryptsetup-reencrypt
|
||||
|
||||
CRYPTSETUP_VALGRIND=../.libs/cryptsetup
|
||||
CRYPTSETUP_LIB_VALGRIND=../.libs
|
||||
@@ -16,6 +17,7 @@ IMG10=luks-test-v10
|
||||
HEADER_IMG=luks-header
|
||||
HEADER_KEYU=luks2_keyslot_unassigned.img
|
||||
HEADER_LUKS2_PV=blkid-luks2-pv.img
|
||||
+HEADER_LUKS2_INV=luks2_invalid_cipher.img
|
||||
KEY1=key1
|
||||
KEY2=key2
|
||||
KEY5=key5
|
||||
@@ -50,7 +52,9 @@ function remove_mapping()
|
||||
[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
|
||||
[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
|
||||
losetup -d $LOOPDEV >/dev/null 2>&1
|
||||
- rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE $HEADER_LUKS2_PV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* $KEY_FILE0 $KEY_FILE1 >/dev/null 2>&1
|
||||
+ rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE \
|
||||
+ $HEADER_LUKS2_PV $HEADER_LUKS2_INV missing-file $TOKEN_FILE0 $TOKEN_FILE1 test_image_* \
|
||||
+ $KEY_FILE0 $KEY_FILE1 >/dev/null 2>&1
|
||||
|
||||
# unlink whole test keyring
|
||||
[ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null
|
||||
@@ -1049,5 +1053,19 @@ for cipher in $CIPHERS ; do
|
||||
done
|
||||
echo
|
||||
|
||||
+prepare "[44] LUKS2 invalid cipher (kernel cipher driver name)" wipe
|
||||
+xz -dk $HEADER_LUKS2_INV.xz
|
||||
+dd if=$HEADER_LUKS2_INV of=$IMG conv=notrunc >/dev/null 2>&1
|
||||
+$CRYPTSETUP -q luksDump $LOOPDEV | grep -q "capi:xts(ecb(aes-generic))-plain64" || fail
|
||||
+echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail
|
||||
+echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME 2>&1 | grep -q "No known cipher specification pattern" || fail
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt $LOOPDEV >/dev/null 2>&1 && fail
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt $LOOPDEV 2>&1 | grep -q "No known cipher specification pattern" || fail
|
||||
+echo $PWD1 | $CRYPTSETUP_REENCRYPT $LOOPDEV 2>&1 | grep -q "No known cipher specification pattern" || fail
|
||||
+dmsetup create $DEV_NAME --uuid CRYPT-LUKS2-3d20686f551748cb89911ad32379821b-test --table \
|
||||
+ "0 8 crypt capi:xts(ecb(aes-generic))-plain64 edaa40709797973715e572bf7d86fcbb9cfe2051083c33c28d58fe4e1e7ff642 0 $LOOPDEV 32768"
|
||||
+$CRYPTSETUP status $DEV_NAME | grep -q "n/a" || fail
|
||||
+$CRYPTSETUP close $DEV_NAME ||fail
|
||||
+
|
||||
remove_mapping
|
||||
exit 0
|
||||
Index: cryptsetup-2.3.7/src/cryptsetup.h
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/src/cryptsetup.h
|
||||
+++ cryptsetup-2.3.7/src/cryptsetup.h
|
||||
@@ -103,6 +103,7 @@ void tools_clear_line(void);
|
||||
int tools_wipe_progress(uint64_t size, uint64_t offset, void *usrptr);
|
||||
int tools_reencrypt_progress(uint64_t size, uint64_t offset, void *usrptr);
|
||||
int reencrypt_is_header_detached(const char *header_device, const char *data_device);
|
||||
+bool luks2_reencrypt_eligible(struct crypt_device *cd);
|
||||
|
||||
int tools_read_mk(const char *file, char **key, int keysize);
|
||||
int tools_write_mk(const char *file, const char *key, int keysize);
|
||||
@ -1,52 +0,0 @@
|
||||
From 53aa5f6c4f7439db1b25846597fb5603870ba55e Mon Sep 17 00:00:00 2001
|
||||
From: Milan Broz <gmazyland@gmail.com>
|
||||
Date: Mon, 5 Jun 2023 16:02:06 +0200
|
||||
Subject: [PATCH] Fix init_by_name to allow unknown cipher format in dm-crypt
|
||||
as null context.
|
||||
|
||||
Deactivation code should deactivate dm-crypt device even if it is unknown
|
||||
for libcryptsetup. Previous fix for cipher specification was too strict.
|
||||
|
||||
Let's allow initialization as null context, that allow status and
|
||||
deactivate to be usable again.
|
||||
---
|
||||
lib/setup.c | 6 ++++++
|
||||
tests/mode-test | 5 ++---
|
||||
2 files changed, 8 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/lib/setup.c b/lib/setup.c
|
||||
index fd17be8c..786aa900 100644
|
||||
--- a/lib/setup.c
|
||||
+++ b/lib/setup.c
|
||||
@@ -1276,6 +1276,12 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name)
|
||||
r = crypt_parse_name_and_mode(tgt->type == DM_LINEAR ? "null" : tgt->u.crypt.cipher, cipher,
|
||||
&key_nums, cipher_mode);
|
||||
if (r < 0) {
|
||||
+ /* Allow crypt null context with unknown cipher string */
|
||||
+ if (tgt->type == DM_CRYPT && !tgt->u.crypt.integrity) {
|
||||
+ crypt_set_null_type(cd);
|
||||
+ r = 0;
|
||||
+ goto out;
|
||||
+ }
|
||||
log_err(cd, _("No known cipher specification pattern detected for active device %s."), name);
|
||||
goto out;
|
||||
}
|
||||
diff --git a/tests/mode-test b/tests/mode-test
|
||||
index 4775751e..7f7f20a1 100755
|
||||
--- a/tests/mode-test
|
||||
+++ b/tests/mode-test
|
||||
@@ -190,9 +190,8 @@ echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256
|
||||
$CRYPTSETUP close "$DEV_NAME"_tstdev || fail
|
||||
echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail
|
||||
dmsetup create "$DEV_NAME"_tstdev --table "0 8 crypt capi:xts(ecb(aes-generic))-plain64 $KEY 0 /dev/mapper/$DEV_NAME 0" || fail
|
||||
-$CRYPTSETUP status "$DEV_NAME"_tstdev >/dev/null 2>&1 && fail
|
||||
-$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null && fail
|
||||
-dmsetup remove "$DEV_NAME"_tstdev || fail
|
||||
+$CRYPTSETUP status "$DEV_NAME"_tstdev 2>/dev/null | grep "type:" | grep -q "n/a" || fail
|
||||
+$CRYPTSETUP close "$DEV_NAME"_tstdev 2>/dev/null || fail
|
||||
echo [OK]
|
||||
|
||||
cleanup
|
||||
--
|
||||
2.40.1
|
||||
|
||||
@ -1,81 +0,0 @@
|
||||
From 1f01eea60e38ac92aa05e4b95372d54b7b9095df Mon Sep 17 00:00:00 2001
|
||||
From: Milan Broz <gmazyland@gmail.com>
|
||||
Date: Mon, 26 Jun 2023 13:25:59 +0200
|
||||
Subject: [PATCH 1/2] Fix reencryption to fail properly for unknown cipher.
|
||||
|
||||
crypt_get_cipher and crypt_get_cipher mode can return NULL,
|
||||
check it in advance.
|
||||
---
|
||||
src/utils_reencrypt.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
Index: cryptsetup-2.3.7/src/cryptsetup.c
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/src/cryptsetup.c
|
||||
+++ cryptsetup-2.3.7/src/cryptsetup.c
|
||||
@@ -2999,6 +2999,12 @@ static int action_encrypt_luks2(struct c
|
||||
if (r < 0)
|
||||
goto err;
|
||||
|
||||
+ if (!crypt_get_cipher(*cd)) {
|
||||
+ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
|
||||
+ r = -EINVAL;
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
if (opt_data_shift) {
|
||||
params.data_shift = imaxabs(opt_data_shift) / SECTOR_SIZE,
|
||||
params.resilience = "datashift";
|
||||
@@ -3068,6 +3074,11 @@ static int action_decrypt_luks2(struct c
|
||||
};
|
||||
size_t passwordLen;
|
||||
|
||||
+ if (!crypt_get_cipher(cd)) {
|
||||
+ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+
|
||||
if (!crypt_get_metadata_device_name(cd) || !crypt_get_device_name(cd) ||
|
||||
!strcmp(crypt_get_metadata_device_name(cd), crypt_get_device_name(cd))) {
|
||||
log_err(_("LUKS2 decryption is supported with detached header device only."));
|
||||
@@ -3289,6 +3300,11 @@ static int action_reencrypt_luks2(struct
|
||||
.luks2 = &luks2_params,
|
||||
};
|
||||
|
||||
+ if (!crypt_get_cipher(cd)) {
|
||||
+ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+
|
||||
_set_reencryption_flags(¶ms.flags);
|
||||
|
||||
if (!opt_cipher && crypt_is_cipher_null(crypt_get_cipher(cd))) {
|
||||
Index: cryptsetup-2.3.7/src/cryptsetup_reencrypt.c
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/src/cryptsetup_reencrypt.c
|
||||
+++ cryptsetup-2.3.7/src/cryptsetup_reencrypt.c
|
||||
@@ -185,6 +185,11 @@ static int set_reencrypt_requirement(con
|
||||
crypt_persistent_flags_get(cd, CRYPT_FLAGS_REQUIREMENTS, &reqs))
|
||||
goto out;
|
||||
|
||||
+ if (!crypt_get_cipher(cd)) {
|
||||
+ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
/* reencrypt already in-progress */
|
||||
if (reqs & CRYPT_REQUIREMENT_OFFLINE_REENCRYPT) {
|
||||
log_err(_("Reencryption already in-progress."));
|
||||
@@ -709,6 +714,12 @@ static int backup_luks_headers(struct re
|
||||
(r = crypt_load(cd, CRYPT_LUKS, NULL)))
|
||||
goto out;
|
||||
|
||||
+ if (!crypt_get_cipher(cd)) {
|
||||
+ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
|
||||
+ r = -EINVAL;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
if ((r = crypt_header_backup(cd, CRYPT_LUKS, rc->header_file_org)))
|
||||
goto out;
|
||||
if (isLUKS2(rc->type)) {
|
||||
@ -0,0 +1,31 @@
|
||||
From 55e0209a4e751e4edb3662827a57cd5d330f30c2 Mon Sep 17 00:00:00 2001
|
||||
Message-ID: <55e0209a4e751e4edb3662827a57cd5d330f30c2.1766066332.git.khanicov@redhat.com>
|
||||
From: Milan Broz <gmazyland@gmail.com>
|
||||
Date: Thu, 11 Dec 2025 23:40:14 +0100
|
||||
Subject: [PATCH] Fix LUKS2 device status in inline HW mode and detached header
|
||||
|
||||
Internal type is not set if detached header is not specified,
|
||||
but inline tag check should be done anyway.
|
||||
---
|
||||
lib/setup.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/setup.c b/lib/setup.c
|
||||
index 3a411733..1ee02db5 100644
|
||||
--- a/lib/setup.c
|
||||
+++ b/lib/setup.c
|
||||
@@ -5838,8 +5838,12 @@ int crypt_get_active_device(struct crypt_device *cd, const char *name,
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
- /* For LUKS2 with integrity we need flags from underlying dm-integrity */
|
||||
- if (isLUKS2(cd->type) && crypt_get_integrity_tag_size(cd) &&
|
||||
+ /*
|
||||
+ * For integrity and LUKS2 (and detached header where context is NULL)
|
||||
+ * we need flags from underlying dm-integrity device.
|
||||
+ * This check must be skipped for non-LUKS2 integrity device.
|
||||
+ */
|
||||
+ if ((isLUKS2(cd->type) || !cd->type) && crypt_get_integrity_tag_size(cd) &&
|
||||
(iname = dm_get_active_iname(cd, name))) {
|
||||
if (dm_query_device(cd, iname, 0, &dmdi) >= 0)
|
||||
dmd.flags |= dmdi.flags;
|
||||
@ -0,0 +1,29 @@
|
||||
From a8e8e39007f9a3ab91267ff2b4f0aee45cc48752 Mon Sep 17 00:00:00 2001
|
||||
Message-ID: <a8e8e39007f9a3ab91267ff2b4f0aee45cc48752.1766065101.git.khanicov@redhat.com>
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Thu, 30 Oct 2025 13:59:52 +0100
|
||||
Subject: [PATCH] Fix possible use of uninitialized variable.
|
||||
|
||||
device_tag_size variable was not initialized and used
|
||||
when device_is_nop_dif returned negative error code.
|
||||
---
|
||||
lib/setup.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/setup.c b/lib/setup.c
|
||||
index 37e6f7d9..48b67ce6 100644
|
||||
--- a/lib/setup.c
|
||||
+++ b/lib/setup.c
|
||||
@@ -3045,7 +3045,11 @@ int crypt_format_inline(struct crypt_device *cd,
|
||||
iparams->journal_integrity_key_size))
|
||||
return -EINVAL;
|
||||
|
||||
- if (!device_is_nop_dif(idevice, &device_tag_size)) {
|
||||
+ r = device_is_nop_dif(idevice, &device_tag_size);
|
||||
+ if (r < 0)
|
||||
+ return r;
|
||||
+
|
||||
+ if (!r) {
|
||||
log_err(cd, _("Device %s does not provide inline integrity data fields."), mdata_device_path(cd));
|
||||
return -EINVAL;
|
||||
}
|
||||
@ -0,0 +1,97 @@
|
||||
From 3a8feb8be78dabb7024aad2d1c48dcaa145e67dc Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Thu, 11 Sep 2025 11:30:25 +0200
|
||||
Subject: [PATCH] Improve check for a function attribute support.
|
||||
|
||||
The compiler may advertise function attribute support
|
||||
with __has_attribute operator even though it does
|
||||
not implement the feature on some architecture.
|
||||
|
||||
This fixes the issue with GCC 11 on ppc64le with
|
||||
__attribute__((zero_call_used_regs("used"))).
|
||||
|
||||
Fixes: #959.
|
||||
---
|
||||
configure.ac | 21 +++++++++++++++++++++
|
||||
lib/crypto_backend/memutils.c | 4 +---
|
||||
meson.build | 15 +++++++++++++++
|
||||
3 files changed, 37 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 6a6c4dff5..a7485b541 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -680,6 +680,27 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
||||
])
|
||||
CFLAGS=$saved_CFLAGS
|
||||
|
||||
+dnl Force compiler to use zero_call_used_regs("used") to check for the function attribute support.
|
||||
+dnl Otherwise the compiler may falsely advertise it with __has_attribute operator, even though
|
||||
+dnl it does not implement it on some archs.
|
||||
+AC_MSG_CHECKING([for zero_call_used_regs(user)])
|
||||
+saved_CFLAGS=$CFLAGS
|
||||
+CFLAGS="-O0 -Werror"
|
||||
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
||||
+ void _test_function(void);
|
||||
+ __attribute__((zero_call_used_regs("used"))) void _test_function(void) {
|
||||
+ volatile int *i; volatile int j = 0; if (j) *i = 0;
|
||||
+ }
|
||||
+]],
|
||||
+[[ _test_function() ]]
|
||||
+)],[
|
||||
+ AC_DEFINE([HAVE_ATTRIBUTE_ZEROCALLUSEDREGS], 1, [Define to 1 to use __attribute__((zero_call_used_regs("used")))])
|
||||
+ AC_MSG_RESULT([yes])
|
||||
+], [
|
||||
+ AC_MSG_RESULT([no])
|
||||
+])
|
||||
+CFLAGS=$saved_CFLAGS
|
||||
+
|
||||
AC_MSG_CHECKING([for systemd tmpfiles config directory])
|
||||
if test "x$prefix" != "xNONE"; then
|
||||
saved_PKG_CONFIG=$PKG_CONFIG
|
||||
diff --git a/lib/crypto_backend/memutils.c b/lib/crypto_backend/memutils.c
|
||||
index 4e440136d..a041b3e60 100644
|
||||
--- a/lib/crypto_backend/memutils.c
|
||||
+++ b/lib/crypto_backend/memutils.c
|
||||
@@ -9,11 +9,9 @@
|
||||
|
||||
#define ATTR_NOINLINE __attribute__ ((noinline))
|
||||
#define ATTR_ZERO_REGS
|
||||
-#if defined __has_attribute
|
||||
-# if __has_attribute (zero_call_used_regs)
|
||||
+#if HAVE_ATTRIBUTE_ZEROCALLUSEDREGS
|
||||
# undef ATTR_ZERO_REGS
|
||||
# define ATTR_ZERO_REGS __attribute__ ((zero_call_used_regs("used")))
|
||||
-# endif
|
||||
#endif
|
||||
|
||||
/* Workaround for https://github.com/google/sanitizers/issues/1507 */
|
||||
diff --git a/meson.build b/meson.build
|
||||
index 3c17ebca5..2fb6a2492 100644
|
||||
--- a/meson.build
|
||||
+++ b/meson.build
|
||||
@@ -697,6 +697,21 @@ if cc.links(
|
||||
description: 'Define to 1 to use __attribute__((symver))')
|
||||
endif
|
||||
|
||||
+# ==========================================================================
|
||||
+# Check compiler support for zero_called_used_regs("used") function attribute
|
||||
+if cc.links(
|
||||
+ '''void _test_fn(void);
|
||||
+
|
||||
+ __attribute__((zero_call_used_regs("used"))) void _test_fn(void) {
|
||||
+ volatile int *i; volatile int j = 0; if (j) *i = 0;
|
||||
+ }
|
||||
+ int main(void) { _test_fn(); return 0; }''',
|
||||
+ args: ['-O0', '-Werror' ],
|
||||
+ name: 'for zero_call_used_regs("used") attribute support')
|
||||
+ conf.set10('HAVE_ATTRIBUTE_ZEROCALLUSEDREGS', true,
|
||||
+ description: 'Define to 1 to use __attribute__((zero_call_used_regs("used")))')
|
||||
+endif
|
||||
+
|
||||
# ==========================================================================
|
||||
|
||||
if get_option('dev-random')
|
||||
--
|
||||
GitLab
|
||||
|
||||
@ -0,0 +1,49 @@
|
||||
From 9810c6fb2f24073796aa1482680151ddbc668790 Mon Sep 17 00:00:00 2001
|
||||
Message-ID: <9810c6fb2f24073796aa1482680151ddbc668790.1766065092.git.khanicov@redhat.com>
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Fri, 17 Oct 2025 15:13:41 +0200
|
||||
Subject: [PATCH] Read integrity profile info from top level device.
|
||||
|
||||
When formating device with --integrity-inline option
|
||||
there's a check if underlying device properly advertise
|
||||
integrity profile support. The check did not work
|
||||
properly for partition device nodes. We have to read
|
||||
integrity profile info from top level block device.
|
||||
|
||||
Fixes: #964.
|
||||
---
|
||||
lib/utils_device.c | 16 +++++++++++++++-
|
||||
1 file changed, 15 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/utils_device.c b/lib/utils_device.c
|
||||
index 90ec9de4..1cdbcc65 100644
|
||||
--- a/lib/utils_device.c
|
||||
+++ b/lib/utils_device.c
|
||||
@@ -1004,12 +1004,26 @@ int device_is_zoned(struct device *device)
|
||||
|
||||
int device_is_nop_dif(struct device *device, uint32_t *tag_size)
|
||||
{
|
||||
+ char *base_device_path;
|
||||
+ int r;
|
||||
struct stat st;
|
||||
|
||||
if (!device)
|
||||
return -EINVAL;
|
||||
|
||||
- if (stat(device_path(device), &st) < 0)
|
||||
+ /*
|
||||
+ * For partition devices, check integrity profile on the base device.
|
||||
+ * Partition device nodes don't advertise integrity profile directly
|
||||
+ * via sysfs attributes.
|
||||
+ */
|
||||
+ base_device_path = crypt_get_base_device(device_path(device));
|
||||
+ if (base_device_path) {
|
||||
+ r = stat(base_device_path, &st);
|
||||
+ free(base_device_path);
|
||||
+ } else
|
||||
+ r = stat(device_path(device), &st);
|
||||
+
|
||||
+ if (r < 0)
|
||||
return -EINVAL;
|
||||
|
||||
if (!S_ISBLK(st.st_mode))
|
||||
@ -0,0 +1,41 @@
|
||||
From 5d69c34f59dbe7fce07d76057fc39198666ab44e Mon Sep 17 00:00:00 2001
|
||||
Message-ID: <5d69c34f59dbe7fce07d76057fc39198666ab44e.1766065109.git.khanicov@redhat.com>
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Thu, 27 Nov 2025 10:49:24 +0100
|
||||
Subject: [PATCH] Reinstate pbkdf serialization flag in device activation.
|
||||
|
||||
crypt_activate_by_keyslot_context never respected pbkdf serialation
|
||||
flag (CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF).
|
||||
|
||||
In fact it worked only when device was activated via passphrase or via
|
||||
passphrase file. It was never respected when device was activated
|
||||
by a token for example.
|
||||
|
||||
When the internal code was fully switched to activation via keyslot
|
||||
context the legacy code for passphrase based activation was dropped
|
||||
and we lost track of serialization flag completely.
|
||||
|
||||
This fixes all of the issues so now the serialization flag will be
|
||||
respected also with tokens (and all other activation methods unlocking
|
||||
LUKS2 keyslot with memory hard pbkdf).
|
||||
|
||||
Fixes: 58385d68d8f4 (Allow activation via keyslot context)
|
||||
Fixes: #968.
|
||||
---
|
||||
lib/setup.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/lib/setup.c b/lib/setup.c
|
||||
index f1b2033b..367d2d11 100644
|
||||
--- a/lib/setup.c
|
||||
+++ b/lib/setup.c
|
||||
@@ -5450,6 +5450,9 @@ int crypt_activate_by_keyslot_context(struct crypt_device *cd,
|
||||
return _activate_loopaes(cd, name, passphrase, passphrase_size, flags);
|
||||
}
|
||||
|
||||
+ if (flags & CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF)
|
||||
+ cd->memory_hard_pbkdf_lock_enabled = true;
|
||||
+
|
||||
/* acquire the volume key(s) */
|
||||
r = -EINVAL;
|
||||
if (isLUKS1(cd->type)) {
|
||||
@ -0,0 +1,38 @@
|
||||
From cdb6a5626089a56a7a135042be7c157acda70506 Mon Sep 17 00:00:00 2001
|
||||
Message-ID: <cdb6a5626089a56a7a135042be7c157acda70506.1766065116.git.khanicov@redhat.com>
|
||||
From: Kristina Hanicova <khanicov@redhat.com>
|
||||
Date: Wed, 10 Dec 2025 17:58:36 +0100
|
||||
Subject: [PATCH] Set inline integrity flag if no underlying dm-integrity
|
||||
device
|
||||
|
||||
Cryptsetup status does not report when the hw inline integrity is
|
||||
set without the underlying dm-integrity device.
|
||||
|
||||
Fixes: #965
|
||||
---
|
||||
lib/setup.c | 12 +++++++-----
|
||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/lib/setup.c b/lib/setup.c
|
||||
index 1ee02db5..93c7ef5f 100644
|
||||
--- a/lib/setup.c
|
||||
+++ b/lib/setup.c
|
||||
@@ -5843,11 +5843,13 @@ int crypt_get_active_device(struct crypt_device *cd, const char *name,
|
||||
* we need flags from underlying dm-integrity device.
|
||||
* This check must be skipped for non-LUKS2 integrity device.
|
||||
*/
|
||||
- if ((isLUKS2(cd->type) || !cd->type) && crypt_get_integrity_tag_size(cd) &&
|
||||
- (iname = dm_get_active_iname(cd, name))) {
|
||||
- if (dm_query_device(cd, iname, 0, &dmdi) >= 0)
|
||||
- dmd.flags |= dmdi.flags;
|
||||
- free(iname);
|
||||
+ if ((isLUKS2(cd->type) || !cd->type) && crypt_get_integrity_tag_size(cd)) {
|
||||
+ if ((iname = dm_get_active_iname(cd, name))) {
|
||||
+ if (dm_query_device(cd, iname, 0, &dmdi) >= 0)
|
||||
+ dmd.flags |= dmdi.flags;
|
||||
+ free(iname);
|
||||
+ } else
|
||||
+ dmd.flags |= (CRYPT_ACTIVATE_NO_JOURNAL | CRYPT_ACTIVATE_INLINE_MODE);
|
||||
}
|
||||
|
||||
if (cd && isTCRYPT(cd->type)) {
|
||||
@ -0,0 +1,143 @@
|
||||
From 7fa4cd930814073cb8abe997d8fac19a849daecd Mon Sep 17 00:00:00 2001
|
||||
Message-ID: <7fa4cd930814073cb8abe997d8fac19a849daecd.1767967753.git.khanicov@redhat.com>
|
||||
From: Milan Broz <gmazyland@gmail.com>
|
||||
Date: Fri, 2 Jan 2026 20:58:26 +0100
|
||||
Subject: [PATCH] Fix wrong device size status reports in cryptsetup and
|
||||
integritysetup
|
||||
|
||||
In version 2.8.0 the status output was modified to strictly use
|
||||
units and also bytes device size was added.
|
||||
|
||||
Unfortunately, the size was wrongly calculated if sector size was
|
||||
different than 512-byte default.
|
||||
|
||||
Fixes: #972
|
||||
---
|
||||
src/cryptsetup.c | 8 +++-----
|
||||
src/integritysetup.c | 6 ++----
|
||||
src/veritysetup.c | 2 +-
|
||||
tests/compat-test2 | 2 ++
|
||||
tests/integrity-compat-test | 6 ++++++
|
||||
tests/verity-compat-test | 4 ++++
|
||||
6 files changed, 18 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
|
||||
index d8b9e508..b9966f84 100644
|
||||
--- a/src/cryptsetup.c
|
||||
+++ b/src/cryptsetup.c
|
||||
@@ -936,7 +936,6 @@ static int action_status(void)
|
||||
char *backing_file;
|
||||
const char *device;
|
||||
int path = 0, r = 0, hw_enc;
|
||||
- uint64_t sector_size;
|
||||
|
||||
/* perhaps a path, not a dm device name */
|
||||
if (strchr(action_argv[0], '/'))
|
||||
@@ -1019,10 +1018,9 @@ static int action_status(void)
|
||||
log_std(" loop: %s\n", backing_file);
|
||||
free(backing_file);
|
||||
}
|
||||
- sector_size = (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE;
|
||||
- log_std(" sector size: %" PRIu64 " [bytes]\n", sector_size);
|
||||
- log_std(" offset: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.offset, cad.offset * sector_size);
|
||||
- log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * sector_size);
|
||||
+ log_std(" sector size: %" PRIu64 " [bytes]\n", (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE);
|
||||
+ log_std(" offset: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.offset, cad.offset * SECTOR_SIZE);
|
||||
+ log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * SECTOR_SIZE);
|
||||
if (cad.iv_offset)
|
||||
log_std(" skipped: %" PRIu64 " [512-byte units]\n", cad.iv_offset);
|
||||
log_std(" mode: %s%s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
|
||||
diff --git a/src/integritysetup.c b/src/integritysetup.c
|
||||
index a1d77855..89c3edd3 100644
|
||||
--- a/src/integritysetup.c
|
||||
+++ b/src/integritysetup.c
|
||||
@@ -424,7 +424,6 @@ static int action_status(void)
|
||||
char *backing_file;
|
||||
const char *device, *metadata_device;
|
||||
int path = 0, r = 0;
|
||||
- uint64_t sector_size;
|
||||
|
||||
/* perhaps a path, not a dm device name */
|
||||
if (strchr(action_argv[0], '/'))
|
||||
@@ -482,10 +481,9 @@ static int action_status(void)
|
||||
free(backing_file);
|
||||
}
|
||||
}
|
||||
- sector_size = (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE;
|
||||
- log_std(" sector size: %" PRIu64 " [bytes]\n", sector_size);
|
||||
+ log_std(" sector size: %" PRIu64 " [bytes]\n", (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE);
|
||||
log_std(" interleave sectors: %u\n", ip.interleave_sectors);
|
||||
- log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * sector_size);
|
||||
+ log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * SECTOR_SIZE);
|
||||
log_std(" mode: %s%s\n",
|
||||
cad.flags & CRYPT_ACTIVATE_READONLY ? "readonly" : "read/write",
|
||||
cad.flags & CRYPT_ACTIVATE_RECOVERY ? " recovery" : "");
|
||||
diff --git a/src/veritysetup.c b/src/veritysetup.c
|
||||
index 8e666e3f..d95db09b 100644
|
||||
--- a/src/veritysetup.c
|
||||
+++ b/src/veritysetup.c
|
||||
@@ -395,7 +395,7 @@ static int action_status(void)
|
||||
log_std(" data loop: %s\n", backing_file);
|
||||
free(backing_file);
|
||||
}
|
||||
- log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * (uint64_t)SECTOR_SIZE);
|
||||
+ log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * SECTOR_SIZE);
|
||||
log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
|
||||
"readonly" : "read/write");
|
||||
|
||||
diff --git a/tests/compat-test2 b/tests/compat-test2
|
||||
index 373461eb..7350455b 100755
|
||||
--- a/tests/compat-test2
|
||||
+++ b/tests/compat-test2
|
||||
@@ -816,9 +816,11 @@ if dm_crypt_sector_size_support; then
|
||||
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
|
||||
echo $PWD1 | $CRYPTSETUP -q resize --device-size 1M $DEV_NAME || fail
|
||||
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "2048 \[512-byte units\]" || fail
|
||||
+ $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "1048576 \[bytes\]" || fail
|
||||
echo $PWD1 | $CRYPTSETUP -q resize --device-size 2049s $DEV_NAME > /dev/null 2>&1 && fail
|
||||
echo $PWD1 | $CRYPTSETUP -q resize --size 2049 $DEV_NAME > /dev/null 2>&1 && fail
|
||||
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "2048 \[512-byte units\]" || fail
|
||||
+ $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "1048576 \[bytes\]" || fail
|
||||
fi
|
||||
$CRYPTSETUP close $DEV_NAME || fail
|
||||
# Resize not aligned to logical block size
|
||||
diff --git a/tests/integrity-compat-test b/tests/integrity-compat-test
|
||||
index c40218cd..5aeea5c0 100755
|
||||
--- a/tests/integrity-compat-test
|
||||
+++ b/tests/integrity-compat-test
|
||||
@@ -230,7 +230,13 @@ intformat() # alg alg_out tagsize outtagsize sector_size csum [keyfile keysize]
|
||||
status_check "tag size" "$4 [bytes]"
|
||||
status_check "integrity" $2
|
||||
status_check "sector size" "$5 [bytes]"
|
||||
+
|
||||
+ SIZE_BYTES=$(blockdev --getsize64 /dev/mapper/$DEV_NAME)
|
||||
+ SIZE_512S=$(( $SIZE_BYTES / 512 ))
|
||||
+ status_check " size" "$SIZE_512S [512-byte units] ($SIZE_BYTES [bytes])"
|
||||
+
|
||||
int_check_sum $1 $6 $7 $8
|
||||
+
|
||||
echo -n "[REMOVE]"
|
||||
$INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
|
||||
echo "[OK]"
|
||||
diff --git a/tests/verity-compat-test b/tests/verity-compat-test
|
||||
index 93ac405e..02b3d390 100755
|
||||
--- a/tests/verity-compat-test
|
||||
+++ b/tests/verity-compat-test
|
||||
@@ -188,6 +188,9 @@ check_root_hash() # $1 size, $2 hash, $3 salt, $4 version, $5 hash, [$6 offset]
|
||||
|
||||
$VERITYSETUP create $DEV_NAME $DEV_PARAMS $VERIFY_PARAMS $ROOT_HASH >>$DEV_OUT 2>&1 || fail
|
||||
check_exists
|
||||
+ SIZE_BYTES=$(blockdev --getsize64 /dev/mapper/$DEV_NAME)
|
||||
+ SIZE_512S=$(( $SIZE_BYTES / 512 ))
|
||||
+ $VERITYSETUP status $DEV_NAME 2>/dev/null | grep " size:" | grep -q -F "$SIZE_512S [512-byte units] ($SIZE_BYTES [bytes])" || fail
|
||||
echo -n "[activate]"
|
||||
|
||||
dd if=/dev/mapper/$DEV_NAME of=/dev/null bs=$1 2>/dev/null
|
||||
@@ -474,6 +477,7 @@ export LANG=C
|
||||
[ -n "$VALG" ] && valgrind_setup && VERITYSETUP=valgrind_run
|
||||
modprobe dm-verity >/dev/null 2>&1
|
||||
dmsetup targets | grep verity >/dev/null 2>&1 || skip "Cannot find dm-verity target, test skipped."
|
||||
+command -v blockdev >/dev/null || skip "Cannot find blockdev utility, test skipped."
|
||||
|
||||
# VERITYSETUP tests
|
||||
|
||||
@ -0,0 +1,43 @@
|
||||
From 48af2c543e4bee3dff9bd95529bbf45106aa457e Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Mon, 5 Dec 2022 13:35:24 +0100
|
||||
Subject: [PATCH] Add FIPS related error message in keyslot add code.
|
||||
|
||||
Add hints on what went wrong when creating new LUKS
|
||||
keyslots. The hint is printed only in FIPS mode and
|
||||
when pbkdf2 failed with passphrase shorter than 8
|
||||
bytes.
|
||||
---
|
||||
lib/luks1/keymanage.c | 2 ++
|
||||
lib/luks2/luks2_keyslot_luks2.c | 2 ++
|
||||
2 files changed, 4 insertions(+)
|
||||
|
||||
diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c
|
||||
index 37929810..a7ef0a25 100644
|
||||
--- a/lib/luks1/keymanage.c
|
||||
+++ b/lib/luks1/keymanage.c
|
||||
@@ -916,6 +916,8 @@ int LUKS_set_key(unsigned int keyIndex,
|
||||
derived_key, hdr->keyBytes,
|
||||
hdr->keyblock[keyIndex].passwordIterations, 0, 0);
|
||||
if (r < 0) {
|
||||
+ if (crypt_fips_mode() && passwordLen < 8)
|
||||
+ log_err(ctx, _("Invalid passphrase for PBKDF2 in FIPS mode."));
|
||||
if ((crypt_backend_flags() & CRYPT_BACKEND_PBKDF2_INT) &&
|
||||
hdr->keyblock[keyIndex].passwordIterations > INT_MAX)
|
||||
log_err(ctx, _("PBKDF2 iteration value overflow."));
|
||||
diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c
|
||||
index ec68236c..f309125d 100644
|
||||
--- a/lib/luks2/luks2_keyslot_luks2.c
|
||||
+++ b/lib/luks2/luks2_keyslot_luks2.c
|
||||
@@ -260,6 +260,8 @@ static int luks2_keyslot_set_key(struct crypt_device *cd,
|
||||
log_err(cd, _("PBKDF2 iteration value overflow."));
|
||||
if (r == -ENOMEM)
|
||||
log_err(cd, _("Not enough memory for keyslot key derivation."));
|
||||
+ if (crypt_fips_mode() && passwordLen < 8 && !strcmp(pbkdf.type, "pbkdf2"))
|
||||
+ log_err(cd, _("Invalid passphrase for PBKDF2 in FIPS mode."));
|
||||
goto out;
|
||||
}
|
||||
|
||||
--
|
||||
2.50.1
|
||||
|
||||
@ -0,0 +1,42 @@
|
||||
From cfd043f6f0527407c57fb5a2735ee8e22c070cd7 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Wed, 28 Aug 2024 17:06:12 +0200
|
||||
Subject: [PATCH 09/10] Enable to use Argon2 in FIPS with openssl backend.
|
||||
|
||||
This patch is required to read existing LUKS2
|
||||
keyslots created with Argon2 KDF before the system
|
||||
got switched in FIPS mode. Creating new keyslots using
|
||||
Argon2 was already blocked elsewhere and before this patch.
|
||||
---
|
||||
lib/crypto_backend/crypto_openssl.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/crypto_backend/crypto_openssl.c b/lib/crypto_backend/crypto_openssl.c
|
||||
index 9f1be9e0..07c133b0 100644
|
||||
--- a/lib/crypto_backend/crypto_openssl.c
|
||||
+++ b/lib/crypto_backend/crypto_openssl.c
|
||||
@@ -611,13 +611,20 @@ static int openssl_argon2(const char *type, const char *password, size_t passwor
|
||||
OSSL_PARAM_uint(OSSL_KDF_PARAM_THREADS, &threads),
|
||||
OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_LANES, ¶llel),
|
||||
OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_MEMCOST, &memory),
|
||||
+ /* to allow fetching blake2 in FIPS mode in later KDF_derive routine */
|
||||
+ OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_PROPERTIES, "-fips", 0),
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
|
||||
if (OSSL_get_max_threads(ossl_ctx) == 0)
|
||||
threads = 1;
|
||||
|
||||
- argon2 = EVP_KDF_fetch(ossl_ctx, type, NULL);
|
||||
+ /*
|
||||
+ * '-fips' skips fips provider for Argon2 variants implementations.
|
||||
+ * We need it to be able to read existing keyslots in FIPS mode.
|
||||
+ * Writing new Argon2 enabled keyslots in FIPS mode is blocked elsewhere.
|
||||
+ */
|
||||
+ argon2 = EVP_KDF_fetch(ossl_ctx, type, "-fips");
|
||||
if (!argon2)
|
||||
return -EINVAL;
|
||||
|
||||
--
|
||||
2.46.0
|
||||
|
||||
@ -0,0 +1,37 @@
|
||||
From f903ddcf447474fda1a036584b550d12dd620a73 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Thu, 29 Aug 2024 15:31:08 +0200
|
||||
Subject: [PATCH 10/10] Warn if Argon2 keyslot is unlocked in FIPS mode.
|
||||
|
||||
---
|
||||
lib/luks2/luks2_keyslot.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/luks2/luks2_keyslot.c b/lib/luks2/luks2_keyslot.c
|
||||
index bb9d4537..2f979d81 100644
|
||||
--- a/lib/luks2/luks2_keyslot.c
|
||||
+++ b/lib/luks2/luks2_keyslot.c
|
||||
@@ -573,6 +573,7 @@ int LUKS2_keyslot_open(struct crypt_device *cd,
|
||||
{
|
||||
struct luks2_hdr *hdr;
|
||||
int r_prio, r = -EINVAL;
|
||||
+ struct crypt_pbkdf_type pbkdf;
|
||||
|
||||
hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
|
||||
if (!hdr)
|
||||
@@ -599,7 +600,11 @@ int LUKS2_keyslot_open(struct crypt_device *cd,
|
||||
log_err(cd, _("Not enough available memory to open a keyslot."));
|
||||
else if (r != -EPERM && r != -ENOENT)
|
||||
log_err(cd, _("Keyslot open failed."));
|
||||
- }
|
||||
+ } else if (crypt_fips_mode() && !LUKS2_keyslot_pbkdf(hdr, r, &pbkdf) &&
|
||||
+ !strncmp(pbkdf.type, "argon2", 6))
|
||||
+ log_err(cd, "The %s KDF used in keyslot %d is not FIPS compliant.\n"
|
||||
+ "Please refer to cryptsetup-luksConvertKey(8) man page to switch it to pbkdf2.",
|
||||
+ pbkdf.type, r);
|
||||
|
||||
return r;
|
||||
}
|
||||
--
|
||||
2.46.0
|
||||
|
||||
@ -1,22 +0,0 @@
|
||||
diff -rupN cryptsetup-2.0.4.old/configure cryptsetup-2.0.4/configure
|
||||
--- cryptsetup-2.0.4.old/configure 2018-08-03 12:31:52.000000000 +0200
|
||||
+++ cryptsetup-2.0.4/configure 2018-08-03 13:42:50.605275535 +0200
|
||||
@@ -12300,6 +12300,9 @@ fi
|
||||
# before this can be enabled.
|
||||
hardcode_into_libs=yes
|
||||
|
||||
+ # Add ABI-specific directories to the system library path.
|
||||
+ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
|
||||
+
|
||||
# Ideally, we could use ldconfig to report *all* directores which are
|
||||
# searched for libraries, however this is still not possible. Aside from not
|
||||
# being certain /sbin/ldconfig is available, command
|
||||
@@ -12308,7 +12311,7 @@ fi
|
||||
# appending ld.so.conf contents (and includes) to the search path.
|
||||
if test -f /etc/ld.so.conf; then
|
||||
lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
|
||||
- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
|
||||
+ sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
|
||||
fi
|
||||
|
||||
# We used to test for /lib/ld.so.1 and disable shared libraries on
|
||||
@ -1,13 +0,0 @@
|
||||
diff --git a/tests/Makefile.localtest b/tests/Makefile.localtest
|
||||
index 29a62f3..da2183e 100644
|
||||
--- a/tests/Makefile.localtest
|
||||
+++ b/tests/Makefile.localtest
|
||||
@@ -5,7 +5,7 @@
|
||||
CPPFLAGS=-I../lib/ -I../lib/luks1 -DHAVE_DECL_DM_TASK_RETRY_REMOVE -DKERNEL_KEYRING -DHAVE_SYS_SYSMACROS_H -DNO_CRYPTSETUP_PATH
|
||||
CFLAGS=-O2 -g -Wall
|
||||
LDLIBS=-lcryptsetup -ldevmapper
|
||||
-TESTS=$(wildcard *-test *-test2) api-test api-test-2
|
||||
+TESTS=$(filter-out verity-compat-test, $(wildcard *-test *-test2)) api-test api-test-2
|
||||
|
||||
differ: differ.o
|
||||
$(CC) -o $@ $^
|
||||
@ -1,77 +1,54 @@
|
||||
Obsoletes: python2-cryptsetup
|
||||
Obsoletes: cryptsetup-python
|
||||
Obsoletes: cryptsetup-python3
|
||||
|
||||
Summary: A utility for setting up encrypted disks
|
||||
Summary: Utility for setting up encrypted disks
|
||||
Name: cryptsetup
|
||||
Version: 2.3.7
|
||||
Release: 7%{?dist}
|
||||
Version: 2.8.1
|
||||
Release: 3%{?dist}
|
||||
License: GPLv2+ and LGPLv2+
|
||||
Group: Applications/System
|
||||
URL: https://gitlab.com/cryptsetup/cryptsetup
|
||||
BuildRequires: autoconf, automake, libtool, gettext-devel,
|
||||
BuildRequires: openssl-devel, popt-devel, device-mapper-devel
|
||||
BuildRequires: libuuid-devel, gcc, libblkid-devel
|
||||
BuildRequires: libpwquality-devel, json-c-devel
|
||||
Provides: cryptsetup-luks = %{version}-%{release}
|
||||
Obsoletes: cryptsetup-luks < 1.4.0
|
||||
BuildRequires: libuuid-devel, gcc, json-c-devel
|
||||
BuildRequires: libpwquality-devel, libblkid-devel
|
||||
BuildRequires: make
|
||||
BuildRequires: asciidoctor
|
||||
Requires: cryptsetup-libs = %{version}-%{release}
|
||||
Requires: libpwquality >= 1.2.0
|
||||
Obsoletes: %{name}-reencrypt <= %{version}
|
||||
Provides: %{name}-reencrypt = %{version}
|
||||
|
||||
%global upstream_version %{version}
|
||||
Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{upstream_version}.tar.xz
|
||||
# binary archive with updated tests/conversion_imgs.tar.xz and tests/luks2_header_requirements.tar.xz
|
||||
# for testing (can not be patched via rpmbuild)
|
||||
Source1: tests.tar.xz
|
||||
# Following patch has to applied last
|
||||
Patch0: %{name}-add-system-library-paths.patch
|
||||
# Remove the patch when (if ever) osci infrastructure gets stable enough
|
||||
Patch1: %{name}-disable-verity-compat-test.patch
|
||||
Patch2: %{name}-2.4.2-Do-not-try-to-set-compiler-optimization-flag-if-wipe.patch
|
||||
Patch3: %{name}-2.4.2-Fix-bogus-memory-allocation-if-LUKS2-header-size-is-.patch
|
||||
Patch4: %{name}-2.5.0-Fix-typo-in-repair-prompt.patch
|
||||
Patch5: %{name}-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch
|
||||
Patch6: %{name}-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch
|
||||
Patch7: %{name}-2.5.0-Remove-LUKS2-encryption-data-size-restriction.patch
|
||||
Patch8: %{name}-2.6.0-Fix-cipher-convert-routines-naming-confusion.patch
|
||||
Patch9: %{name}-2.6.0-Move-cipher_dm2c-to-crypto-utilities.patch
|
||||
Patch10: %{name}-2.6.0-Code-cleanup.patch
|
||||
Patch11: %{name}-2.6.0-Copy-also-integrity-string-in-legacy-mode.patch
|
||||
Patch12: %{name}-2.6.0-Fix-internal-crypt-segment-compare-routine.patch
|
||||
Patch13: %{name}-2.6.0-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch
|
||||
Patch14: %{name}-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch
|
||||
Patch15: %{name}-2.7.0-Disallow-use-of-internal-kenrel-crypto-driver-names-.patch
|
||||
Patch16: %{name}-2.7.0-Also-disallow-active-devices-with-internal-kernel-na.patch
|
||||
Patch17: %{name}-2.7.0-Fix-init_by_name-to-allow-unknown-cipher-format-in-d.patch
|
||||
Patch18: %{name}-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch
|
||||
Patch19: %{name}-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch
|
||||
Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-%{upstream_version}.tar.xz
|
||||
|
||||
Patch0001: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch
|
||||
Patch0002: %{name}-Enable-to-use-Argon2-in-FIPS-with-openssl-backend.patch
|
||||
Patch0003: %{name}-Warn-if-Argon2-keyslot-is-unlocked-in-FIPS-mode.patch
|
||||
Patch0004: %{name}-2.8.2-Improve-check-for-a-function-attribute-support.patch
|
||||
Patch0005: %{name}-2.8.2-Read-integrity-profile-info-from-top-level-device.patch
|
||||
Patch0006: %{name}-2.8.2-Fix-possible-use-of-uninitialized-variable.patch
|
||||
Patch0007: %{name}-2.8.2-Reinstate-pbkdf-serialization-flag-in-device-activat.patch
|
||||
Patch0008: %{name}-2.8.2-Fix-LUKS2-device-status-in-inline-HW-mode-and-detach.patch
|
||||
Patch0009: %{name}-2.8.2-Set-inline-integrity-flag-if-no-underlying-dm-integr.patch
|
||||
Patch0010: %{name}-2.8.4-Fix-wrong-device-size-status-reports-in-cryptsetup.patch
|
||||
|
||||
%description
|
||||
The cryptsetup package contains a utility for setting up
|
||||
disk encryption using dm-crypt kernel module.
|
||||
|
||||
%package devel
|
||||
Group: Development/Libraries
|
||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
Requires: pkgconfig
|
||||
Summary: Headers and libraries for using encrypted file systems
|
||||
Provides: cryptsetup-luks-devel = %{version}-%{release}
|
||||
Obsoletes: cryptsetup-luks-devel < 1.4.0
|
||||
|
||||
%description devel
|
||||
The cryptsetup-devel package contains libraries and header files
|
||||
used for writing code that makes use of disk encryption.
|
||||
|
||||
%package libs
|
||||
Group: System Environment/Libraries
|
||||
Summary: Cryptsetup shared library
|
||||
Provides: cryptsetup-luks-libs = %{version}-%{release}
|
||||
Obsoletes: cryptsetup-luks-libs < 1.4.0
|
||||
|
||||
%description libs
|
||||
This package contains the cryptsetup shared library, libcryptsetup.
|
||||
|
||||
%package -n veritysetup
|
||||
Group: Applications/System
|
||||
Summary: A utility for setting up dm-verity volumes
|
||||
Requires: cryptsetup-libs = %{version}-%{release}
|
||||
|
||||
@ -80,7 +57,6 @@ The veritysetup package contains a utility for setting up
|
||||
disk verification using dm-verity kernel module.
|
||||
|
||||
%package -n integritysetup
|
||||
Group: Applications/System
|
||||
Summary: A utility for setting up dm-integrity volumes
|
||||
Requires: cryptsetup-libs = %{version}-%{release}
|
||||
|
||||
@ -88,79 +64,40 @@ Requires: cryptsetup-libs = %{version}-%{release}
|
||||
The integritysetup package contains a utility for setting up
|
||||
disk integrity protection using dm-integrity kernel module.
|
||||
|
||||
%package reencrypt
|
||||
Group: Applications/System
|
||||
Summary: A utility for offline reencryption of LUKS encrypted disks.
|
||||
Requires: cryptsetup-libs = %{version}-%{release}
|
||||
|
||||
%description reencrypt
|
||||
This package contains cryptsetup-reencrypt utility which
|
||||
can be used for offline reencryption of disk in situ.
|
||||
|
||||
%prep
|
||||
%setup -q -n cryptsetup-%{upstream_version} -a 1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
%patch19 -p1
|
||||
%patch0 -p1
|
||||
chmod -x misc/dracut_90reencrypt/*
|
||||
%autosetup -n cryptsetup-%{upstream_version} -p 1
|
||||
|
||||
%build
|
||||
%configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --with-crypto_backend=openssl --with-default-luks-format=LUKS2
|
||||
make %{?_smp_mflags}
|
||||
rm -f man/*.8
|
||||
./autogen.sh
|
||||
%configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --disable-ssh-token --enable-asciidoc --disable-hw-opal --with-plain-hash=ripemd160 --with-plain-cipher=aes --with-plain-mode=cbc-essiv:sha256
|
||||
%make_build
|
||||
|
||||
%install
|
||||
make install DESTDIR=%{buildroot}
|
||||
rm -rf %{buildroot}/%{_libdir}/*.la
|
||||
%make_install
|
||||
rm -rf %{buildroot}%{_libdir}/*.la
|
||||
|
||||
%find_lang cryptsetup
|
||||
|
||||
%post -n cryptsetup-libs -p /sbin/ldconfig
|
||||
|
||||
%postun -n cryptsetup-libs -p /sbin/ldconfig
|
||||
%ldconfig_scriptlets -n cryptsetup-libs
|
||||
|
||||
%files
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license COPYING
|
||||
%doc AUTHORS FAQ docs/*ReleaseNotes
|
||||
%doc AUTHORS FAQ.md docs/*ReleaseNotes
|
||||
%{_mandir}/man8/cryptsetup.8.gz
|
||||
%{_mandir}/man8/cryptsetup-*.8.gz
|
||||
%{_sbindir}/cryptsetup
|
||||
|
||||
%files -n veritysetup
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license COPYING
|
||||
%{_mandir}/man8/veritysetup.8.gz
|
||||
%{_sbindir}/veritysetup
|
||||
|
||||
%files -n integritysetup
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license COPYING
|
||||
%{_mandir}/man8/integritysetup.8.gz
|
||||
%{_sbindir}/integritysetup
|
||||
|
||||
%files reencrypt
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license COPYING
|
||||
%doc misc/dracut_90reencrypt
|
||||
%{_mandir}/man8/cryptsetup-reencrypt.8.gz
|
||||
%{_sbindir}/cryptsetup-reencrypt
|
||||
|
||||
%files devel
|
||||
%doc docs/examples/*
|
||||
%{_includedir}/libcryptsetup.h
|
||||
@ -168,130 +105,130 @@ rm -rf %{buildroot}/%{_libdir}/*.la
|
||||
%{_libdir}/pkgconfig/libcryptsetup.pc
|
||||
|
||||
%files libs -f cryptsetup.lang
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license COPYING COPYING.LGPL
|
||||
%license COPYING docs/licenses/COPYING.LGPL-2.1-or-later-WITH-cryptsetup-OpenSSL-exception
|
||||
%{_libdir}/libcryptsetup.so.*
|
||||
%dir %{_libdir}/%{name}/
|
||||
%{_tmpfilesdir}/cryptsetup.conf
|
||||
%ghost %attr(700, -, -) %dir /run/cryptsetup
|
||||
|
||||
%clean
|
||||
|
||||
%changelog
|
||||
* Tue Jul 11 2023 Ondrej Kozina <okozina@redhat.com> - 2.3.7-7
|
||||
- Rebuild due to missing CI environment
|
||||
- Resolves: #2212772 #2193342
|
||||
* Thu Dec 18 2025 Kristina Hanicova <khanicov@redhat.com> - 2.8.1-3
|
||||
- patch: Read integrity profile info from top level device.
|
||||
- patch: Fix possible use of uninitialized variable.
|
||||
- patch: Reinstate pbkdf serialization flag in device activation.
|
||||
- patch: Fix LUKS2 device status in inline HW mode and detached header.
|
||||
- patch: Set inline integrity flag if no underlying dm-integrity device.
|
||||
- patch: Fix wrong device size status reports in cryptsetup and integritysetup.
|
||||
- Resolves: RHEL-122297 RHEL-125152 RHEL-125167 RHEL-132585 RHEL-140106
|
||||
|
||||
* Thu Jun 28 2023 Daniel Zatovic <dzatovic@redhat.com> - 2.3.7-6
|
||||
- patch: Delegate FIPS mode detection to configured crypto backend
|
||||
* Fri Sep 12 2025 Kristina Hanicova <khanicov@redhat.com> - 2.8.1-2
|
||||
- patch: Improve check for a function attribute support.
|
||||
- Resolves: 100089
|
||||
|
||||
* Wed Sep 03 2025 Kristina Hanicova <khanicov@redhat.com> - 2.8.1-1
|
||||
- Update to cryptsetup 2.8.1.
|
||||
- Resolves: 100089
|
||||
|
||||
* Wed Jun 04 2025 Ondrej Kozina <okozina@redhat.com> - 2.7.2-4
|
||||
- patch: Ignore unknown VMK entry 24 in bitlk metadata.
|
||||
- Resolves: RHEL-94860
|
||||
|
||||
* Mon Sep 02 2024 Ondrej Kozina <okozina@redhat.com> - 2.7.2-3
|
||||
- Specbump for correct target release.
|
||||
- Resolves: RHEL-39003 RHEL-41238
|
||||
|
||||
* Thu Aug 29 2024 Ondrej Kozina <okozina@redhat.com> - 2.7.2-2
|
||||
- patch: Warn if Argon2 keyslot is unlocked in FIPS mode.
|
||||
- patch: Enable Argon2 in FIPS with openssl backend.
|
||||
- patch: Abort online reencryption for misconfigured devices.
|
||||
- patch: Harden online reencryption checks in initialization phase.
|
||||
- patch: Fix detection of direct-io with suspended devices.
|
||||
- patch: Return suspended status also for unknow target types.
|
||||
- patch: Do not handle device as suspended on error.
|
||||
- Resolves: RHEL-39003 RHEL-41238
|
||||
|
||||
* Thu May 02 2024 Daniel Zatovic <dzatovic@redhat.com> - 2.7.2-1
|
||||
- Update to cryptsetup 2.7.2
|
||||
- Use OpenSLL Argon implementation instead of the built-in one
|
||||
- Resolves: RHEL-32377
|
||||
|
||||
* Fri Jun 30 2023 Daniel Zatovic <dzatovic@redhat.com> - 2.6.0-3
|
||||
- patch: Disallow use of internal kenrel crypto driver names in "capi"
|
||||
- patch: Also disallow active devices with internal kernel names
|
||||
- patch: Fix init_by_name to allow unknown cipher format in dm-crypt
|
||||
- patch: Fix reencryption to fail properly for unknown cipher
|
||||
- patch: Fix activation of LUKS2 with capi format cipher and kernel
|
||||
- Resolves: #2212772 #2193342
|
||||
- Resolves: #2212771
|
||||
|
||||
* Tue Jan 10 2023 Daniel Zatovic <dzatovic@redhat.com> - 2.3.7-5
|
||||
- change cryptsetup-devel dependency from cryptsetup to cryptsetup-libs
|
||||
- Resolves: #2150254
|
||||
* Wed Dec 14 2022 Daniel Zatovic <dzatovic@redhat.com> - 2.6.0-2
|
||||
- Fix FIPS related bugs.
|
||||
- Abort encryption when header and data devices are same.
|
||||
- Resolves: #2150251 #2148841
|
||||
|
||||
* Wed Dec 21 2022 Daniel Zatovic <dzatovic@redhat.com> - 2.3.7-4
|
||||
- patch: Remove LUKS2 encryption data size restriction.
|
||||
- patch: Abort encryption when header and data devices are same.
|
||||
- Resolves: #2150254
|
||||
* Wed Nov 30 2022 Daniel Zatovic <dzatovic@redhat.com> - 2.6.0-1
|
||||
- Update to cryptsetup 2.6.0.
|
||||
- Resolves: #2003748 #2108404 #1862173
|
||||
|
||||
* Fri Nov 4 2022 Daniel Zatovic <dzatovic@redhat.com> - 2.3.7-3
|
||||
- patch: Fix internal crypt segment compare routine
|
||||
- Resolves: #2110810
|
||||
* Wed Aug 10 2022 Ondrej Kozina <okozina@redhat.com> - 2.4.3-5
|
||||
- patch: Delegate FIPS mode detection to crypto backend.
|
||||
- Resolves: #2080516
|
||||
|
||||
* Thu Feb 24 2022 Ondrej Kozina <okozina@redhat.com> - 2.3.7-2
|
||||
* Thu Feb 24 2022 Ondrej Kozina <okozina@redhat.com> - 2.4.3-4
|
||||
- patch: Fix broken upstream test.
|
||||
- Resolves: #2056439
|
||||
|
||||
* Wed Feb 23 2022 Ondrej Kozina <okozina@redhat.com> - 2.4.3-3
|
||||
- patch: Fix cryptsetup --test-passphrase when device in
|
||||
reencryption
|
||||
- Resolves: #2058009
|
||||
- Resolves: #2056439
|
||||
|
||||
* Thu Jan 20 2022 Ondrej Kozina <okozina@redhat.com> - 2.3.7-1
|
||||
- update to cryptsetup 2.3.7
|
||||
- fixes CVE-2021-4122
|
||||
- patch: Fix suboptimal optimization in bundled argon2.
|
||||
- patch: Fix bogus memory allocation/device read with
|
||||
invalid LUKS2 headers
|
||||
- patch: Fix typo in luksRepair prompt.
|
||||
- Resolves: #2021815 #2022301 #2031859
|
||||
* Thu Feb 17 2022 Ondrej Kozina <okozina@redhat.com> - 2.4.3-2
|
||||
- Various FIPS related fixes.
|
||||
- Resolves: #2051630
|
||||
|
||||
* Wed Feb 17 2021 Ondrej Kozina <okozina@redhat.com> - 2.3.3-4
|
||||
- patch: Fix reencryption for custom devices with data segments
|
||||
set to use cipher_null.
|
||||
- Resolves: #1927409
|
||||
* Fri Jan 21 2022 Ondrej Kozina <okozina@redhat.com> - 2.4.3-1
|
||||
- Update to cryptsetup 2.4.3.
|
||||
- patch: Fix typo in repair command prompt.
|
||||
Resolves: #2022309 #2023316 #2032782
|
||||
|
||||
* Wed Feb 03 2021 Ondrej Kozina <okozina@redhat.com> - 2.3.3-3
|
||||
- patch: Fix crypto backend to properly handle ECB mode.
|
||||
- Resolves: #1859091
|
||||
* Wed Sep 29 2021 Ondrej Kozina <okozina@redhat.com> - 2.4.1-1
|
||||
- Update to cryptsetup 2.4.1.
|
||||
Resolves: #2005035 #2005877
|
||||
|
||||
* Thu Aug 27 2020 Ondrej Kozina <okozina@redhat.com> - 2.3.3-2
|
||||
- patch: Fix possible memory corruption in LUKS2 validation
|
||||
code in 32bit library.
|
||||
- Resolves: #1872294
|
||||
* Thu Aug 19 2021 Ondrej Kozina <okozina@redhat.com> - 2.4.0-1
|
||||
- Update to cryptsetup 2.4.0.
|
||||
Resolves: #1869553 #1972722 #1974271 #1975799
|
||||
|
||||
* Thu May 28 2020 Ondrej Kozina <okozina@redhat.com> - 2.3.3-1
|
||||
- Update to cryptsetup 2.3.3
|
||||
- Resolves: #1796826 #1743891 #1785748
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.3.6-3
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
* Fri Apr 03 2020 Ondrej Kozina <okozina@redhat.com> - 2.3.1-1
|
||||
- Update to cryptsetup 2.3.1
|
||||
- Resolves: #1796826 #1743891 #1785748
|
||||
* Thu Jun 17 2021 Mohan Boddu <mboddu@redhat.com> - 2.3.6-2
|
||||
- Specbump for openssl 3.0
|
||||
Related: rhbz#1971065
|
||||
|
||||
* Mon Nov 18 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.2-1
|
||||
- Update to cryptsetup 2.2.2
|
||||
- LUKS2 reencryption honors activation flags (one time and persistent).
|
||||
- LUKS2 reencryption works also without volume keys put in kernel
|
||||
keyring service.
|
||||
- Resolves: #1757783 #1750680 #1753597 #1743399
|
||||
* Wed Jun 16 2021 Ondrej Kozina <okozina@redhat.com> - 2.3.6-1
|
||||
- Update to cryptsetup 2.3.6.
|
||||
- Resolves: #1961291 #1970932
|
||||
|
||||
* Fri Aug 30 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-2
|
||||
- patch: Fix mapped segments overflow on 32bit architectures.
|
||||
- patch: Take optimal io size in account with LUKS2 reencryption.
|
||||
- Resolves: #1742815 #1746532
|
||||
* Tue Jun 15 2021 Mohan Boddu <mboddu@redhat.com> - 2.3.5-5
|
||||
- Rebuilt for RHEL 9 BETA for openssl 3.0
|
||||
|
||||
* Thu Aug 15 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-1
|
||||
- Update to cryptsetup 2.2.0 (final)
|
||||
- Resolves: #1738263 #1740342 #1733391 #1729600 #1733390
|
||||
Related: rhbz#1971065
|
||||
|
||||
* Fri Jun 14 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-0.2
|
||||
- Updates to reencryption feature.
|
||||
- Resolves: #1676622
|
||||
* Tue Apr 27 2021 Ondrej Kozina <okozina@redhat.com> - 2.3.5-4
|
||||
- Drop dependency on libargon2
|
||||
- Resolves: #1936959
|
||||
|
||||
* Fri May 03 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-0.1
|
||||
- Update to cryptsetup 2.2.0
|
||||
- remove python bits from spec file.
|
||||
- Resolves: #1676622
|
||||
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2.3.5-3
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
* Thu Mar 21 2019 Milan Broz <mbroz@redhat.com> - 2.0.6-2
|
||||
- Add gating tests.
|
||||
- Resolves: #1682539
|
||||
* Thu Mar 11 2021 Milan Broz <gmazyland@gmail.com> - 2.3.5-1
|
||||
- Update to cryptsetup 2.3.5.
|
||||
|
||||
* Mon Dec 03 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.6-1
|
||||
- Update to cryptsetup 2.0.6
|
||||
- Enables all supported metadata sizes in LUKS2 validation code.
|
||||
- Resolves: #1653383
|
||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.4-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Fri Aug 10 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.4-2
|
||||
- patch: fix device alignment bug when processing hinted
|
||||
value by device topology info.
|
||||
- Resolves: #1614219
|
||||
|
||||
* Wed Aug 08 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.4-1
|
||||
- Update to cryptsetup 2.0.4.
|
||||
- patch: Add RHEL system library paths in configure.
|
||||
- patch: Increase default LUKS2 header size to 8 MiBs.
|
||||
- patch: update tests to be compatible with larger headers.
|
||||
- Set default format to LUKS2.
|
||||
- Cleanup changelog.
|
||||
- Resolves: #1564540 #1595257 #1595266 #1595881 #1600164
|
||||
|
||||
* Fri May 04 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.3-1
|
||||
- Update to cryptsetup 2.0.3.
|
||||
|
||||
* Tue Mar 27 2018 Björn Esser <besser82@fedoraproject.org> - 2.0.2-2
|
||||
- Rebuilt for libjson-c.so.4 (json-c v0.13.1) on fc28
|
||||
|
||||
* Wed Mar 07 2018 Milan Broz <gmazyland@gmail.com> - 2.0.2-1
|
||||
- Update to cryptsetup 2.0.2.
|
||||
* Thu Sep 03 2020 Milan Broz <gmazyland@gmail.com> - 2.3.4-1
|
||||
- Update to cryptsetup 2.3.4.
|
||||
- Fix for CVE-2020-14382 (#1874712)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user