Compare commits
No commits in common. "c8" and "c9-beta" have entirely different histories.
|
|
@ -1,2 +1,2 @@
|
|||
3ce643e82d52b0c0282c2754c4bfa8c15c1f567e SOURCES/cryptsetup-2.3.7.tar.xz
|
||||
ec3ce9960bd536f7500e0d767a973672037c13e6 SOURCES/tests.tar.xz
|
||||
8098a06269c4268b0446b34f7b20e8fa6032e006 SOURCES/cryptsetup-2.6.0.tar.xz
|
||||
c8976bd232ae6716f97d29390895dddb63e04d1f SOURCES/tests.tar.xz
|
||||
|
|
|
|||
|
|
@ -1,2 +1,2 @@
|
|||
SOURCES/cryptsetup-2.3.7.tar.xz
|
||||
SOURCES/cryptsetup-2.6.0.tar.xz
|
||||
SOURCES/tests.tar.xz
|
||||
|
|
|
|||
|
|
@ -1,53 +0,0 @@
|
|||
From a76310b53fbb117e620f2c37350b68dd267f1088 Mon Sep 17 00:00:00 2001
|
||||
From: Milan Broz <gmazyland@gmail.com>
|
||||
Date: Mon, 20 Sep 2021 17:42:20 +0200
|
||||
Subject: [PATCH] Do not try to set compiler optimization flag if wipe is
|
||||
implemented in libc.
|
||||
|
||||
If zeroing memory is implemented through libc call (like memset_bzero),
|
||||
compiler should never remove such call. It is not needed to set O0
|
||||
optimization flag explicitly.
|
||||
|
||||
Various checkers like annocheck causes problems with these flags,
|
||||
just remove it where it makes no sense.
|
||||
|
||||
(Moreover, we use the same pattern without compiler magic
|
||||
in crypt_backend_memzero() already.)
|
||||
---
|
||||
lib/crypto_backend/argon2/core.c | 10 ++++++++--
|
||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/crypto_backend/argon2/core.c b/lib/crypto_backend/argon2/core.c
|
||||
index b204ba98..db9a7741 100644
|
||||
--- a/lib/crypto_backend/argon2/core.c
|
||||
+++ b/lib/crypto_backend/argon2/core.c
|
||||
@@ -120,18 +120,24 @@ void free_memory(const argon2_context *context, uint8_t *memory,
|
||||
}
|
||||
}
|
||||
|
||||
-void NOT_OPTIMIZED secure_wipe_memory(void *v, size_t n) {
|
||||
#if defined(_MSC_VER) && VC_GE_2005(_MSC_VER)
|
||||
+void secure_wipe_memory(void *v, size_t n) {
|
||||
SecureZeroMemory(v, n);
|
||||
+}
|
||||
#elif defined memset_s
|
||||
+void secure_wipe_memory(void *v, size_t n) {
|
||||
memset_s(v, n, 0, n);
|
||||
+}
|
||||
#elif defined(HAVE_EXPLICIT_BZERO)
|
||||
+void secure_wipe_memory(void *v, size_t n) {
|
||||
explicit_bzero(v, n);
|
||||
+}
|
||||
#else
|
||||
+void NOT_OPTIMIZED secure_wipe_memory(void *v, size_t n) {
|
||||
static void *(*const volatile memset_sec)(void *, int, size_t) = &memset;
|
||||
memset_sec(v, 0, n);
|
||||
-#endif
|
||||
}
|
||||
+#endif
|
||||
|
||||
/* Memory clear flag defaults to true. */
|
||||
int FLAG_clear_internal_memory = 1;
|
||||
--
|
||||
2.27.0
|
||||
|
||||
|
|
@ -1,295 +0,0 @@
|
|||
From 9576549fee9228cabd9ceee27739a30caab5a7f6 Mon Sep 17 00:00:00 2001
|
||||
From: Milan Broz <gmazyland@gmail.com>
|
||||
Date: Tue, 9 Nov 2021 11:54:27 +0100
|
||||
Subject: [PATCH] Fix bogus memory allocation if LUKS2 header size is invalid.
|
||||
|
||||
LUKS2 code read the whole header to buffer to verify checksum,
|
||||
so malloc is called on unvalidated input size parameter.
|
||||
|
||||
This can cause out of memory or unintentional device reads.
|
||||
(Header validation will fail later anyway - the size is unsupported.)
|
||||
|
||||
Just do not allow too small and too big allocations here and fail quickly.
|
||||
|
||||
Fixes: #683.
|
||||
---
|
||||
lib/luks2/luks2_disk_metadata.c | 20 +++-
|
||||
...ks2-metadata-size-invalid-secondary.img.sh | 96 +++++++++++++++++++
|
||||
...enerate-luks2-metadata-size-invalid.img.sh | 94 ++++++++++++++++++
|
||||
tests/luks2-validation-test | 2 +
|
||||
4 files changed, 208 insertions(+), 4 deletions(-)
|
||||
create mode 100755 tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh
|
||||
create mode 100755 tests/generators/generate-luks2-metadata-size-invalid.img.sh
|
||||
|
||||
diff --git a/lib/luks2/luks2_disk_metadata.c b/lib/luks2/luks2_disk_metadata.c
|
||||
index 502b0226..0500d5c7 100644
|
||||
--- a/lib/luks2/luks2_disk_metadata.c
|
||||
+++ b/lib/luks2/luks2_disk_metadata.c
|
||||
@@ -195,6 +195,8 @@ static int hdr_disk_sanity_check_pre(struct crypt_device *cd,
|
||||
size_t *hdr_json_size, int secondary,
|
||||
uint64_t offset)
|
||||
{
|
||||
+ uint64_t hdr_size;
|
||||
+
|
||||
if (memcmp(hdr->magic, secondary ? LUKS2_MAGIC_2ND : LUKS2_MAGIC_1ST, LUKS2_MAGIC_L))
|
||||
return -EINVAL;
|
||||
|
||||
@@ -209,19 +211,26 @@ static int hdr_disk_sanity_check_pre(struct crypt_device *cd,
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
- if (secondary && (offset != be64_to_cpu(hdr->hdr_size))) {
|
||||
+ hdr_size = be64_to_cpu(hdr->hdr_size);
|
||||
+
|
||||
+ if (hdr_size < LUKS2_HDR_16K_LEN || hdr_size > LUKS2_HDR_OFFSET_MAX) {
|
||||
+ log_dbg(cd, "LUKS2 header has bogus size 0x%04x.", (unsigned)hdr_size);
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ if (secondary && (offset != hdr_size)) {
|
||||
log_dbg(cd, "LUKS2 offset 0x%04x in secondary header does not match size 0x%04x.",
|
||||
- (unsigned)offset, (unsigned)be64_to_cpu(hdr->hdr_size));
|
||||
+ (unsigned)offset, (unsigned)hdr_size);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
/* FIXME: sanity check checksum alg. */
|
||||
|
||||
log_dbg(cd, "LUKS2 header version %u of size %u bytes, checksum %s.",
|
||||
- (unsigned)be16_to_cpu(hdr->version), (unsigned)be64_to_cpu(hdr->hdr_size),
|
||||
+ (unsigned)be16_to_cpu(hdr->version), (unsigned)hdr_size,
|
||||
hdr->checksum_alg);
|
||||
|
||||
- *hdr_json_size = be64_to_cpu(hdr->hdr_size) - LUKS2_HDR_BIN_LEN;
|
||||
+ *hdr_json_size = hdr_size - LUKS2_HDR_BIN_LEN;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -252,6 +261,9 @@ static int hdr_read_disk(struct crypt_device *cd,
|
||||
return -EIO;
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * hdr_json_size is validated if this call succeeds
|
||||
+ */
|
||||
r = hdr_disk_sanity_check_pre(cd, hdr_disk, &hdr_json_size, secondary, offset);
|
||||
if (r < 0) {
|
||||
return r;
|
||||
diff --git a/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh b/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh
|
||||
new file mode 100755
|
||||
index 00000000..4dd484e9
|
||||
--- /dev/null
|
||||
+++ b/tests/generators/generate-luks2-metadata-size-invalid-secondary.img.sh
|
||||
@@ -0,0 +1,96 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+. lib.sh
|
||||
+
|
||||
+#
|
||||
+# *** Description ***
|
||||
+#
|
||||
+# generate primary with predefined json_size. There's only limited
|
||||
+# set of values allowed as json size in config section of LUKS2
|
||||
+# metadata
|
||||
+#
|
||||
+# secondary header is corrupted on purpose as well
|
||||
+#
|
||||
+
|
||||
+# $1 full target dir
|
||||
+# $2 full source luks2 image
|
||||
+
|
||||
+function prepare()
|
||||
+{
|
||||
+ cp $SRC_IMG $TGT_IMG
|
||||
+ test -d $TMPDIR || mkdir $TMPDIR
|
||||
+ read_luks2_json0 $TGT_IMG $TMPDIR/json0
|
||||
+ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
|
||||
+ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
|
||||
+}
|
||||
+
|
||||
+function generate()
|
||||
+{
|
||||
+ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_1M
|
||||
+
|
||||
+ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
|
||||
+ TEST_MDA_SIZE_BOGUS_BYTES=$((TEST_MDA_SIZE*512*2*1024))
|
||||
+ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
|
||||
+ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
|
||||
+ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
|
||||
+ JSON_SIZE=$((TEST_JSN_SIZE*512))
|
||||
+ DATA_OFFSET=16777216
|
||||
+
|
||||
+ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
|
||||
+ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
|
||||
+ .config.json_size = $jsize |
|
||||
+ .segments."0".offset = $off' $TMPDIR/json0)
|
||||
+ test -n "$json_str" || exit 2
|
||||
+ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
|
||||
+
|
||||
+ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
|
||||
+
|
||||
+ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES
|
||||
+ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BOGUS_BYTES
|
||||
+
|
||||
+ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES
|
||||
+
|
||||
+ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
|
||||
+ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
|
||||
+
|
||||
+ erase_checksum $TMPDIR/area0
|
||||
+ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
|
||||
+ write_checksum $chks0 $TMPDIR/area0
|
||||
+
|
||||
+ erase_checksum $TMPDIR/area1
|
||||
+ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
|
||||
+ write_checksum $chks0 $TMPDIR/area1
|
||||
+
|
||||
+ kill_bin_hdr $TMPDIR/area0
|
||||
+
|
||||
+ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
|
||||
+ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
|
||||
+}
|
||||
+
|
||||
+function check()
|
||||
+{
|
||||
+ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE
|
||||
+ local str_res0=$(head -c 6 $TMPDIR/hdr_res0)
|
||||
+ test "$str_res0" = "VACUUM" || exit 2
|
||||
+ read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE
|
||||
+ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
|
||||
+ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
|
||||
+ (.config.json_size != $jsize)
|
||||
+ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5
|
||||
+}
|
||||
+
|
||||
+function cleanup()
|
||||
+{
|
||||
+ rm -f $TMPDIR/*
|
||||
+ rm -fd $TMPDIR
|
||||
+}
|
||||
+
|
||||
+test $# -eq 2 || exit 1
|
||||
+
|
||||
+TGT_IMG=$1/$(test_img_name $0)
|
||||
+SRC_IMG=$2
|
||||
+
|
||||
+prepare
|
||||
+generate
|
||||
+check
|
||||
+cleanup
|
||||
diff --git a/tests/generators/generate-luks2-metadata-size-invalid.img.sh b/tests/generators/generate-luks2-metadata-size-invalid.img.sh
|
||||
new file mode 100755
|
||||
index 00000000..6b9c0cf7
|
||||
--- /dev/null
|
||||
+++ b/tests/generators/generate-luks2-metadata-size-invalid.img.sh
|
||||
@@ -0,0 +1,94 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+. lib.sh
|
||||
+
|
||||
+#
|
||||
+# *** Description ***
|
||||
+#
|
||||
+# generate primary with predefined json_size. There's only limited
|
||||
+# set of values allowed as json size in config section of LUKS2
|
||||
+# metadata
|
||||
+#
|
||||
+# secondary header is corrupted on purpose as well
|
||||
+#
|
||||
+
|
||||
+# $1 full target dir
|
||||
+# $2 full source luks2 image
|
||||
+
|
||||
+function prepare()
|
||||
+{
|
||||
+ cp $SRC_IMG $TGT_IMG
|
||||
+ test -d $TMPDIR || mkdir $TMPDIR
|
||||
+ read_luks2_json0 $TGT_IMG $TMPDIR/json0
|
||||
+ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0
|
||||
+ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1
|
||||
+}
|
||||
+
|
||||
+function generate()
|
||||
+{
|
||||
+ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_1M
|
||||
+
|
||||
+ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512))
|
||||
+ TEST_MDA_SIZE_BOGUS_BYTES=$((TEST_MDA_SIZE*512*2*1024))
|
||||
+ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE))
|
||||
+ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024))
|
||||
+ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024))
|
||||
+ JSON_SIZE=$((TEST_JSN_SIZE*512))
|
||||
+ DATA_OFFSET=16777216
|
||||
+
|
||||
+ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \
|
||||
+ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) |
|
||||
+ .config.json_size = $jsize |
|
||||
+ .segments."0".offset = $off' $TMPDIR/json0)
|
||||
+ test -n "$json_str" || exit 2
|
||||
+ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2
|
||||
+
|
||||
+ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE
|
||||
+
|
||||
+ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BOGUS_BYTES
|
||||
+ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BOGUS_BYTES
|
||||
+
|
||||
+ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE
|
||||
+ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE
|
||||
+
|
||||
+ erase_checksum $TMPDIR/area0
|
||||
+ chks0=$(calc_sha256_checksum_file $TMPDIR/area0)
|
||||
+ write_checksum $chks0 $TMPDIR/area0
|
||||
+
|
||||
+ erase_checksum $TMPDIR/area1
|
||||
+ chks0=$(calc_sha256_checksum_file $TMPDIR/area1)
|
||||
+ write_checksum $chks0 $TMPDIR/area1
|
||||
+
|
||||
+ kill_bin_hdr $TMPDIR/area1
|
||||
+
|
||||
+ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE
|
||||
+ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE
|
||||
+}
|
||||
+
|
||||
+function check()
|
||||
+{
|
||||
+ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE
|
||||
+ local str_res1=$(head -c 6 $TMPDIR/hdr_res1)
|
||||
+ test "$str_res1" = "VACUUM" || exit 2
|
||||
+ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE
|
||||
+ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \
|
||||
+ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or
|
||||
+ (.config.json_size != $jsize)
|
||||
+ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5
|
||||
+}
|
||||
+
|
||||
+function cleanup()
|
||||
+{
|
||||
+ rm -f $TMPDIR/*
|
||||
+ rm -fd $TMPDIR
|
||||
+}
|
||||
+
|
||||
+test $# -eq 2 || exit 1
|
||||
+
|
||||
+TGT_IMG=$1/$(test_img_name $0)
|
||||
+SRC_IMG=$2
|
||||
+
|
||||
+prepare
|
||||
+generate
|
||||
+check
|
||||
+cleanup
|
||||
diff --git a/tests/luks2-validation-test b/tests/luks2-validation-test
|
||||
index 04183fbc..f771e1f9 100755
|
||||
--- a/tests/luks2-validation-test
|
||||
+++ b/tests/luks2-validation-test
|
||||
@@ -229,6 +229,8 @@ RUN luks2-metadata-size-512k-secondary.img "R" "Valid 512KiB metadata size in s
|
||||
RUN luks2-metadata-size-1m-secondary.img "R" "Valid 1MiB metadata size in secondary hdr failed to validate"
|
||||
RUN luks2-metadata-size-2m-secondary.img "R" "Valid 2MiB metadata size in secondary hdr failed to validate"
|
||||
RUN luks2-metadata-size-4m-secondary.img "R" "Valid 4MiB metadata size in secondary hdr failed to validate"
|
||||
+RUN luks2-metadata-size-invalid.img "F" "Invalid metadata size in secondary hdr not rejected"
|
||||
+RUN luks2-metadata-size-invalid-secondary.img "F" "Invalid metadata size in secondary hdr not rejected"
|
||||
|
||||
remove_mapping
|
||||
|
||||
--
|
||||
2.27.0
|
||||
|
||||
|
|
@ -1,41 +0,0 @@
|
|||
From f671febe64d8f40cdcb1677a08436a8907ccbb7e Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Wed, 23 Feb 2022 12:27:57 +0100
|
||||
Subject: [PATCH 2/3] Add more tests for --test-passphrase parameter.
|
||||
|
||||
---
|
||||
tests/compat-test-args | 4 ++++
|
||||
tests/luks2-reencryption-test | 18 ++++++++++++++++++
|
||||
2 files changed, 22 insertions(+)
|
||||
|
||||
diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
|
||||
index 6f156016..73818b5d 100755
|
||||
--- a/tests/luks2-reencryption-test
|
||||
+++ b/tests/luks2-reencryption-test
|
||||
@@ -1606,5 +1606,23 @@ if [ -n "$DM_SECTOR_SIZE" ]; then
|
||||
reencrypt_recover_online 4096 journal $HASH1
|
||||
fi
|
||||
|
||||
+echo "[27] Verify test passphrase mode works with reencryption metadata"
|
||||
+echo $PWD1 | $CRYPTSETUP -S5 -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV || fail
|
||||
+echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $DEV || fail
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt --init-only $DEV || fail
|
||||
+echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail
|
||||
+
|
||||
+echo $PWD1 | $CRYPTSETUP -q luksFormat -S5 --header $IMG_HDR --type luks2 $FAST_PBKDF_ARGON $DEV || fail
|
||||
+echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $IMG_HDR || fail
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --init-only --header $IMG_HDR $DEV || fail
|
||||
+echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail
|
||||
+
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --init-only --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail
|
||||
+echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail
|
||||
+
|
||||
+wipe_dev $DEV
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 8M $FAST_PBKDF_ARGON $DEV || fail
|
||||
+echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail
|
||||
+
|
||||
remove_mapping
|
||||
exit 0
|
||||
--
|
||||
2.27.0
|
||||
|
||||
|
|
@ -1,103 +0,0 @@
|
|||
diff -rupN cryptsetup-2.3.7.old/man/cryptsetup.8 cryptsetup-2.3.7/man/cryptsetup.8
|
||||
--- cryptsetup-2.3.7.old/man/cryptsetup.8 2022-02-24 15:58:37.968167423 +0100
|
||||
+++ cryptsetup-2.3.7/man/cryptsetup.8 2022-02-24 17:06:25.326217548 +0100
|
||||
@@ -321,7 +321,7 @@ the command prompts for it interactively
|
||||
\-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase,
|
||||
\-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id,
|
||||
\-\-token\-only, \-\-disable\-keyring, \-\-disable\-locks, \-\-type, \-\-refresh,
|
||||
-\-\-serialize\-memory\-hard\-pbkdf].
|
||||
+\-\-serialize\-memory\-hard\-pbkdf, \-\-unbound].
|
||||
.PP
|
||||
\fIluksSuspend\fR <name>
|
||||
.IP
|
||||
@@ -1409,10 +1409,14 @@ aligned to page size and page-cache init
|
||||
integrity tag.
|
||||
.TP
|
||||
.B "\-\-unbound"
|
||||
-
|
||||
Creates new or dumps existing LUKS2 unbound keyslot. See \fIluksAddKey\fR or
|
||||
\fIluksDump\fR actions for more details.
|
||||
|
||||
+When used in \fIluksOpen\fR action (allowed only together with
|
||||
+\-\-test\-passphrase parameter), it allows to test passphrase for unbound LUKS2
|
||||
+keyslot. Otherwise, unbound keyslot passphrase can be tested only when specific
|
||||
+keyslot is selected via \-\-key\-slot parameter.
|
||||
+
|
||||
.TP
|
||||
.B "\-\-tcrypt\-hidden"
|
||||
.B "\-\-tcrypt\-system"
|
||||
diff -rupN cryptsetup-2.3.7.old/src/cryptsetup.c cryptsetup-2.3.7/src/cryptsetup.c
|
||||
--- cryptsetup-2.3.7.old/src/cryptsetup.c 2022-02-24 15:58:37.969167429 +0100
|
||||
+++ cryptsetup-2.3.7/src/cryptsetup.c 2022-02-24 17:10:30.947561638 +0100
|
||||
@@ -230,7 +230,7 @@ static void _set_activation_flags(uint32
|
||||
*flags |= CRYPT_ACTIVATE_IGNORE_PERSISTENT;
|
||||
|
||||
/* Only for LUKS2 but ignored elsewhere */
|
||||
- if (opt_test_passphrase)
|
||||
+ if (opt_test_passphrase && (opt_unbound || (opt_key_slot != CRYPT_ANY_SLOT)))
|
||||
*flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY;
|
||||
|
||||
if (opt_serialize_memory_hard_pbkdf)
|
||||
@@ -4021,6 +4021,17 @@ int main(int argc, const char **argv)
|
||||
_("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."),
|
||||
poptGetInvocationName(popt_context));
|
||||
|
||||
+ if (opt_unbound && !strcmp(aname, "open") && device_type &&
|
||||
+ strncmp(device_type, "luks", 4))
|
||||
+ usage(popt_context, EXIT_FAILURE,
|
||||
+ _("Option --unbound is allowed only for open of luks device."),
|
||||
+ poptGetInvocationName(popt_context));
|
||||
+
|
||||
+ if (opt_unbound && !opt_test_passphrase && !strcmp(aname, "open"))
|
||||
+ usage(popt_context, EXIT_FAILURE,
|
||||
+ _("Option --unbound cannot be used without --test-passphrase."),
|
||||
+ poptGetInvocationName(popt_context));
|
||||
+
|
||||
if (opt_tcrypt_hidden && opt_allow_discards)
|
||||
usage(popt_context, EXIT_FAILURE,
|
||||
_("Option --tcrypt-hidden cannot be combined with --allow-discards."),
|
||||
@@ -4103,9 +4114,9 @@ int main(int argc, const char **argv)
|
||||
_("Keyslot specification is required."),
|
||||
poptGetInvocationName(popt_context));
|
||||
|
||||
- if (opt_unbound && strcmp(aname, "luksAddKey") && strcmp(aname, "luksDump"))
|
||||
+ if (opt_unbound && strcmp(aname, "luksAddKey") && strcmp(aname, "luksDump") && strcmp(aname, "open"))
|
||||
usage(popt_context, EXIT_FAILURE,
|
||||
- _("Option --unbound may be used only with luksAddKey and luksDump actions."),
|
||||
+ _("Option --unbound may be used only with luksAddKey, luksDump and open actions."),
|
||||
poptGetInvocationName(popt_context));
|
||||
|
||||
if (opt_refresh && strcmp(aname, "open"))
|
||||
diff -rupN cryptsetup-2.3.7.old/tests/compat-test2 cryptsetup-2.3.7/tests/compat-test2
|
||||
--- cryptsetup-2.3.7.old/tests/compat-test2 2022-02-24 15:58:38.013167680 +0100
|
||||
+++ cryptsetup-2.3.7/tests/compat-test2 2022-02-24 17:23:23.035760517 +0100
|
||||
@@ -696,7 +696,7 @@ $CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOP
|
||||
# otoh it should be allowed to test for proper passphrase
|
||||
prepare "" new
|
||||
echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
|
||||
-echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
|
||||
+echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail
|
||||
echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
|
||||
[ -b /dev/mapper/$DEV_NAME ] && fail
|
||||
echo $PWD1 | $CRYPTSETUP open $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
|
||||
@@ -705,7 +705,7 @@ echo $PWD0 | $CRYPTSETUP open -S1 --test
|
||||
$CRYPTSETUP luksKillSlot -q $HEADER_KEYU 0
|
||||
$CRYPTSETUP luksDump $HEADER_KEYU | grep -q "0: luks2" && fail
|
||||
echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
|
||||
-echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
|
||||
+echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail
|
||||
echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
|
||||
|
||||
prepare "[28] Detached LUKS header" wipe
|
||||
@@ -952,11 +952,9 @@ echo $PWD3 | $CRYPTSETUP -q luksAddKey -
|
||||
# do not allow to replace keyslot by unbound slot
|
||||
echo $PWD1 | $CRYPTSETUP -q luksAddKey -S5 --unbound -s 32 $LOOPDEV 2>/dev/null && fail
|
||||
echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
|
||||
-echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
|
||||
echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV $DEV_NAME 2> /dev/null && fail
|
||||
echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV --test-passphrase || fail
|
||||
echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
|
||||
-echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
|
||||
# check we're able to change passphrase for unbound keyslot
|
||||
echo -e "$PWD2\n$PWD3" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail
|
||||
echo $PWD3 | $CRYPTSETUP open --test-passphrase $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail
|
||||
|
|
@ -1,12 +0,0 @@
|
|||
diff -rupN cryptsetup-2.3.7.old/src/cryptsetup.c cryptsetup-2.3.7/src/cryptsetup.c
|
||||
--- cryptsetup-2.3.7.old/src/cryptsetup.c 2022-01-20 14:47:13.198475734 +0100
|
||||
+++ cryptsetup-2.3.7/src/cryptsetup.c 2022-01-20 14:47:24.186505625 +0100
|
||||
@@ -1137,7 +1137,7 @@ static int reencrypt_metadata_repair(str
|
||||
_("Operation aborted.\n")))
|
||||
return -EINVAL;
|
||||
|
||||
- r = tools_get_key(_("Enter passphrase to protect and uppgrade reencryption metadata: "),
|
||||
+ r = tools_get_key(_("Enter passphrase to protect and upgrade reencryption metadata: "),
|
||||
&password, &passwordLen, opt_keyfile_offset,
|
||||
opt_keyfile_size, opt_key_file, opt_timeout,
|
||||
_verify_passphrase(0), 0, cd);
|
||||
|
|
@ -1,206 +0,0 @@
|
|||
From 6bc1378ddb5bbcc6ba592177c996576b0b3505f9 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Fri, 22 Oct 2021 13:06:48 +0200
|
||||
Subject: [PATCH] Remove LUKS2 encryption data size restriction.
|
||||
|
||||
LUKS2 encryption with data shift required remaining
|
||||
data size (size remaining after substracting --reduce-data-size value)
|
||||
to be at least --reduce-data-size. This was wrong. Remaining
|
||||
data size restriction should be correctly at least single sector
|
||||
(whatever sector size is selected or auto-detected).
|
||||
---
|
||||
lib/luks2/luks2_reencrypt.c | 31 ++++++++++++-----------
|
||||
tests/api-test-2.c | 6 ++---
|
||||
tests/luks2-reencryption-test | 46 +++++++++++++++++++++++++++++------
|
||||
3 files changed, 57 insertions(+), 26 deletions(-)
|
||||
|
||||
diff --git a/lib/luks2/luks2_reencrypt.c b/lib/luks2/luks2_reencrypt.c
|
||||
index b45327ad..d0e0dc40 100644
|
||||
--- a/lib/luks2/luks2_reencrypt.c
|
||||
+++ b/lib/luks2/luks2_reencrypt.c
|
||||
@@ -825,7 +825,7 @@ static int reencrypt_offset_backward_moved(struct luks2_hdr *hdr, json_object *j
|
||||
linear_length += LUKS2_segment_size(hdr, sg, 0);
|
||||
|
||||
/* all active linear segments length */
|
||||
- if (linear_length) {
|
||||
+ if (linear_length && segs > 1) {
|
||||
if (linear_length < data_shift)
|
||||
return -EINVAL;
|
||||
tmp = linear_length - data_shift;
|
||||
@@ -1745,7 +1745,8 @@ static int reencrypt_set_encrypt_segments(struct crypt_device *cd, struct luks2_
|
||||
int r;
|
||||
uint64_t first_segment_offset, first_segment_length,
|
||||
second_segment_offset, second_segment_length,
|
||||
- data_offset = LUKS2_get_data_offset(hdr) << SECTOR_SHIFT;
|
||||
+ data_offset = LUKS2_get_data_offset(hdr) << SECTOR_SHIFT,
|
||||
+ data_size = dev_size - data_shift;
|
||||
json_object *jobj_segment_first = NULL, *jobj_segment_second = NULL, *jobj_segments;
|
||||
|
||||
if (dev_size < data_shift)
|
||||
@@ -1760,9 +1761,14 @@ static int reencrypt_set_encrypt_segments(struct crypt_device *cd, struct luks2_
|
||||
* [future LUKS2 header (data shift size)][second data segment][gap (data shift size)][first data segment (data shift size)]
|
||||
*/
|
||||
first_segment_offset = dev_size;
|
||||
- first_segment_length = data_shift;
|
||||
- second_segment_offset = data_shift;
|
||||
- second_segment_length = dev_size - 2 * data_shift;
|
||||
+ if (data_size < data_shift) {
|
||||
+ first_segment_length = data_size;
|
||||
+ second_segment_length = second_segment_offset = 0;
|
||||
+ } else {
|
||||
+ first_segment_length = data_shift;
|
||||
+ second_segment_offset = data_shift;
|
||||
+ second_segment_length = data_size - data_shift;
|
||||
+ }
|
||||
} else if (data_shift) {
|
||||
first_segment_offset = data_offset;
|
||||
first_segment_length = dev_size;
|
||||
@@ -2163,17 +2169,10 @@ static int reencrypt_move_data(struct crypt_device *cd, int devfd, uint64_t data
|
||||
|
||||
log_dbg(cd, "Going to move data from head of data device.");
|
||||
|
||||
- buffer_len = data_shift;
|
||||
- if (!buffer_len)
|
||||
- return -EINVAL;
|
||||
-
|
||||
offset = json_segment_get_offset(LUKS2_get_segment_jobj(hdr, 0), 0);
|
||||
-
|
||||
- /* this is nonsense anyway */
|
||||
- if (buffer_len != json_segment_get_size(LUKS2_get_segment_jobj(hdr, 0), 0)) {
|
||||
- log_dbg(cd, "buffer_len %" PRIu64", segment size %" PRIu64, buffer_len, json_segment_get_size(LUKS2_get_segment_jobj(hdr, 0), 0));
|
||||
+ buffer_len = json_segment_get_size(LUKS2_get_segment_jobj(hdr, 0), 0);
|
||||
+ if (!buffer_len || buffer_len > data_shift)
|
||||
return -EINVAL;
|
||||
- }
|
||||
|
||||
if (posix_memalign(&buffer, device_alignment(crypt_data_device(cd)), buffer_len))
|
||||
return -ENOMEM;
|
||||
@@ -2447,7 +2446,7 @@ static int reencrypt_init(struct crypt_device *cd,
|
||||
* encryption initialization (or mount)
|
||||
*/
|
||||
if (move_first_segment) {
|
||||
- if (dev_size < 2 * (params->data_shift << SECTOR_SHIFT)) {
|
||||
+ if (dev_size < (params->data_shift << SECTOR_SHIFT)) {
|
||||
log_err(cd, _("Device %s is too small."), device_path(crypt_data_device(cd)));
|
||||
return -EINVAL;
|
||||
}
|
||||
@@ -3484,7 +3483,7 @@ int LUKS2_reencrypt_check_device_size(struct crypt_device *cd, struct luks2_hdr
|
||||
check_size, check_size >> SECTOR_SHIFT, real_size, real_size >> SECTOR_SHIFT,
|
||||
real_size - data_offset, (real_size - data_offset) >> SECTOR_SHIFT);
|
||||
|
||||
- if (real_size < data_offset || (check_size && (real_size - data_offset) < check_size)) {
|
||||
+ if (real_size < data_offset || (check_size && real_size < check_size)) {
|
||||
log_err(cd, _("Device %s is too small."), device_path(crypt_data_device(cd)));
|
||||
return -EINVAL;
|
||||
}
|
||||
diff --git a/tests/api-test-2.c b/tests/api-test-2.c
|
||||
index a01a7a72..05ee8f94 100644
|
||||
--- a/tests/api-test-2.c
|
||||
+++ b/tests/api-test-2.c
|
||||
@@ -4238,7 +4238,7 @@ static void Luks2Reencryption(void)
|
||||
|
||||
_cleanup_dmdevices();
|
||||
OK_(create_dmdevice_over_loop(H_DEVICE, r_header_size));
|
||||
- OK_(create_dmdevice_over_loop(L_DEVICE_OK, 12*1024*2+1));
|
||||
+ OK_(create_dmdevice_over_loop(L_DEVICE_OK, 8*1024*2+1));
|
||||
|
||||
/* encryption with datashift and moved segment (data shift + 1 sector) */
|
||||
OK_(crypt_init(&cd, DMDIR H_DEVICE));
|
||||
@@ -4258,11 +4258,11 @@ static void Luks2Reencryption(void)
|
||||
|
||||
_cleanup_dmdevices();
|
||||
OK_(create_dmdevice_over_loop(H_DEVICE, r_header_size));
|
||||
- OK_(create_dmdevice_over_loop(L_DEVICE_OK, 12*1024*2));
|
||||
+ OK_(create_dmdevice_over_loop(L_DEVICE_OK, 2*8200));
|
||||
|
||||
OK_(crypt_init(&cd, DMDIR H_DEVICE));
|
||||
|
||||
- /* encryption with datashift and moved segment (data shift + data offset > device size) */
|
||||
+ /* encryption with datashift and moved segment (data shift + data offset <= device size) */
|
||||
memset(&rparams, 0, sizeof(rparams));
|
||||
params2.sector_size = 512;
|
||||
params2.data_device = DMDIR L_DEVICE_OK;
|
||||
diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
|
||||
index 8efb2707..bf711c15 100755
|
||||
--- a/tests/luks2-reencryption-test
|
||||
+++ b/tests/luks2-reencryption-test
|
||||
@@ -152,14 +152,30 @@ function open_crypt() # $1 pwd, $2 hdr
|
||||
fi
|
||||
}
|
||||
|
||||
+function wipe_dev_head() # $1 dev, $2 length (in MiBs)
|
||||
+{
|
||||
+ dd if=/dev/zero of=$1 bs=1M count=$2 conv=notrunc >/dev/null 2>&1
|
||||
+}
|
||||
+
|
||||
function wipe_dev() # $1 dev
|
||||
{
|
||||
if [ -b $1 ] ; then
|
||||
blkdiscard --zeroout $1 2>/dev/null || dd if=/dev/zero of=$1 bs=1M conv=notrunc >/dev/null 2>&1
|
||||
+ if [ $# -gt 2 ]; then
|
||||
+ dd if=/dev/urandom of=$1 bs=1M seek=$2 conv=notrunc >/dev/null 2>&1
|
||||
+ fi
|
||||
else
|
||||
local size=$(stat --printf="%s" $1)
|
||||
truncate -s 0 $1
|
||||
- truncate -s $size $1
|
||||
+ if [ $# -gt 2 ]; then
|
||||
+ local diff=$((size-$2*1024*1024))
|
||||
+ echo "size: $size, diff: $diff"
|
||||
+ truncate -s $diff $1
|
||||
+ # wipe_dev_head $1 $((diff/(1024*1024)))
|
||||
+ dd if=/dev/urandom of=$1 bs=1M seek=$2 size=$((diff/(1024*1024))) conv=notrunc >/dev/null 2>&1
|
||||
+ else
|
||||
+ truncate -s $size $1
|
||||
+ fi
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -214,15 +230,16 @@ function check_hash() # $1 pwd, $2 hash, $3 hdr
|
||||
$CRYPTSETUP remove $DEV_NAME || fail
|
||||
}
|
||||
|
||||
+function check_hash_dev_head() # $1 dev, $2 len, $3 hash
|
||||
+{
|
||||
+ local hash=$(dd if=$1 bs=512 count=$2 2>/dev/null | sha256sum | cut -d' ' -f1)
|
||||
+ [ $hash != "$3" ] && fail "HASH differs (expected: $3) (result $hash)"
|
||||
+}
|
||||
+
|
||||
function check_hash_head() # $1 pwd, $2 len, $3 hash, $4 hdr
|
||||
{
|
||||
open_crypt $1 $4
|
||||
- if [ -n "$4" ]; then
|
||||
- echo $1 | $CRYPTSETUP resize $DEV_NAME --size $2 --header $4 || fail
|
||||
- else
|
||||
- echo $1 | $CRYPTSETUP resize $DEV_NAME --size $2 || fail
|
||||
- fi
|
||||
- check_hash_dev /dev/mapper/$DEV_NAME $3
|
||||
+ check_hash_dev_head /dev/mapper/$DEV_NAME $2 $3
|
||||
$CRYPTSETUP remove $DEV_NAME || fail
|
||||
}
|
||||
|
||||
@@ -865,6 +882,21 @@ $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
|
||||
$CRYPTSETUP close $DEV_NAME
|
||||
echo $PWD1 | $CRYPTSETUP open $DEV --test-passphrase || fail
|
||||
|
||||
+# Small device encryption test
|
||||
+preparebig 65
|
||||
+# wipe only 1st MiB (final data size after encryption)
|
||||
+wipe_dev $DEV 1
|
||||
+check_hash_dev_head $DEV 2048 $HASH2
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size 64M -q $FAST_PBKDF_ARGON || fail
|
||||
+check_hash_head $PWD1 2048 $HASH2
|
||||
+
|
||||
+wipe_dev_head $DEV 1
|
||||
+check_hash_dev_head $DEV 2048 $HASH2
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --reduce-device-size 64M --init-only -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
|
||||
+check_hash_dev_head /dev/mapper/$DEV_NAME 2048 $HASH2
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV -q || fail
|
||||
+check_hash_dev_head /dev/mapper/$DEV_NAME 2048 $HASH2
|
||||
+
|
||||
echo "[3] Encryption with detached header"
|
||||
preparebig 256
|
||||
wipe_dev $DEV
|
||||
--
|
||||
2.38.1
|
||||
|
||||
|
|
@ -1,28 +0,0 @@
|
|||
From 23903951505cd4ad9f3469e037278494c14a7791 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Wed, 12 Oct 2022 12:05:00 +0200
|
||||
Subject: [PATCH 3/5] Code cleanup.
|
||||
|
||||
Type cast is not needed here.
|
||||
---
|
||||
lib/libdevmapper.c | 4 +---
|
||||
1 file changed, 1 insertion(+), 3 deletions(-)
|
||||
|
||||
diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
|
||||
index 7fcf843f..6a239e14 100644
|
||||
--- a/lib/libdevmapper.c
|
||||
+++ b/lib/libdevmapper.c
|
||||
@@ -1992,9 +1992,7 @@ static int _dm_target_query_crypt(struct crypt_device *cd, uint32_t get_flags,
|
||||
|
||||
/* cipher */
|
||||
if (get_flags & DM_ACTIVE_CRYPT_CIPHER) {
|
||||
- r = crypt_capi_to_cipher(CONST_CAST(char**)&cipher,
|
||||
- CONST_CAST(char**)&integrity,
|
||||
- rcipher, rintegrity);
|
||||
+ r = crypt_capi_to_cipher(&cipher, &integrity, rcipher, rintegrity);
|
||||
if (r < 0)
|
||||
goto err;
|
||||
}
|
||||
--
|
||||
2.38.1
|
||||
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
From 19c15a652f878458493f0ac335110e2779f3cbe3 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Wed, 12 Oct 2022 11:59:09 +0200
|
||||
Subject: [PATCH 4/5] Copy also integrity string in legacy mode.
|
||||
|
||||
So that it handles integrity string same as it does
|
||||
with cipher string.
|
||||
---
|
||||
lib/utils_crypt.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c
|
||||
index 4f4dbba8..93f846d7 100644
|
||||
--- a/lib/utils_crypt.c
|
||||
+++ b/lib/utils_crypt.c
|
||||
@@ -284,7 +284,14 @@ int crypt_capi_to_cipher(char **org_c, char **org_i, const char *c_dm, const cha
|
||||
if (strncmp(c_dm, "capi:", 4)) {
|
||||
if (!(*org_c = strdup(c_dm)))
|
||||
return -ENOMEM;
|
||||
- *org_i = NULL;
|
||||
+ if (i_dm) {
|
||||
+ if (!(*org_i = strdup(i_dm))) {
|
||||
+ free(*org_c);
|
||||
+ *org_c = NULL;
|
||||
+ return -ENOMEM;
|
||||
+ }
|
||||
+ } else
|
||||
+ *org_i = NULL;
|
||||
return 0;
|
||||
}
|
||||
|
||||
--
|
||||
2.38.1
|
||||
|
||||
|
|
@ -1,316 +0,0 @@
|
|||
From 5b001b7962744b1bdaeb60b7c8cb9c682f907e03 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Tue, 28 Jun 2022 16:23:34 +0200
|
||||
Subject: [PATCH] Delegate FIPS mode detection to configured crypto backend.
|
||||
|
||||
System FIPS mode check is no longer dependent on /etc/system-fips
|
||||
file. The change should be compatible with older distributions since
|
||||
we now depend on crypto backend internal routine.
|
||||
|
||||
This commit affects only FIPS enabled systems (with FIPS enabled
|
||||
builds). In case this causes any regression in current distributions
|
||||
feel free to drop the patch.
|
||||
|
||||
For reference see https://bugzilla.redhat.com/show_bug.cgi?id=2080516
|
||||
---
|
||||
lib/crypto_backend/crypto_backend.h | 3 ++
|
||||
lib/crypto_backend/crypto_gcrypt.c | 17 +++++++++
|
||||
lib/crypto_backend/crypto_kernel.c | 5 +++
|
||||
lib/crypto_backend/crypto_nettle.c | 5 +++
|
||||
lib/crypto_backend/crypto_nss.c | 5 +++
|
||||
lib/crypto_backend/crypto_openssl.c | 26 ++++++++++++++
|
||||
lib/internal.h | 1 -
|
||||
lib/utils_fips.c | 55 -----------------------------
|
||||
lib/utils_fips.h | 28 ---------------
|
||||
po/POTFILES.in | 1 -
|
||||
src/cryptsetup.h | 1 -
|
||||
tests/compat-test | 2 +-
|
||||
tests/compat-test2 | 2 +-
|
||||
tests/keyring-compat-test | 2 +-
|
||||
tests/luks2-reencryption-test | 2 +-
|
||||
16 files changed, 65 insertions(+), 92 deletions(-)
|
||||
delete mode 100644 lib/utils_fips.c
|
||||
delete mode 100644 lib/utils_fips.h
|
||||
|
||||
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_backend.h
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_backend.h
|
||||
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_backend.h
|
||||
@@ -135,4 +135,7 @@ static inline void crypt_backend_memzero
|
||||
#endif
|
||||
}
|
||||
|
||||
+/* crypto backend running in FIPS mode */
|
||||
+bool crypt_fips_mode(void);
|
||||
+
|
||||
#endif /* _CRYPTO_BACKEND_H */
|
||||
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_gcrypt.c
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_gcrypt.c
|
||||
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_gcrypt.c
|
||||
@@ -550,3 +550,20 @@ out:
|
||||
return -ENOTSUP;
|
||||
#endif
|
||||
}
|
||||
+
|
||||
+#if !ENABLE_FIPS
|
||||
+bool crypt_fips_mode(void) { return false; }
|
||||
+#else
|
||||
+bool crypt_fips_mode(void)
|
||||
+{
|
||||
+ static bool fips_mode = false, fips_checked = false;
|
||||
+
|
||||
+ if (fips_checked)
|
||||
+ return fips_mode;
|
||||
+
|
||||
+ fips_mode = gcry_fips_mode_active();
|
||||
+ fips_checked = true;
|
||||
+
|
||||
+ return fips_mode;
|
||||
+}
|
||||
+#endif /* ENABLE FIPS */
|
||||
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_kernel.c
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_kernel.c
|
||||
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_kernel.c
|
||||
@@ -416,3 +416,8 @@ int crypt_bitlk_decrypt_key(const void *
|
||||
return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
|
||||
iv, iv_length, tag, tag_length);
|
||||
}
|
||||
+
|
||||
+bool crypt_fips_mode(void)
|
||||
+{
|
||||
+ return false;
|
||||
+}
|
||||
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_nettle.c
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_nettle.c
|
||||
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_nettle.c
|
||||
@@ -442,3 +442,8 @@ int crypt_bitlk_decrypt_key(const void *
|
||||
return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
|
||||
iv, iv_length, tag, tag_length);
|
||||
}
|
||||
+
|
||||
+bool crypt_fips_mode(void)
|
||||
+{
|
||||
+ return false;
|
||||
+}
|
||||
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_nss.c
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_nss.c
|
||||
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_nss.c
|
||||
@@ -395,3 +395,8 @@ int crypt_bitlk_decrypt_key(const void *
|
||||
return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
|
||||
iv, iv_length, tag, tag_length);
|
||||
}
|
||||
+
|
||||
+bool crypt_fips_mode(void)
|
||||
+{
|
||||
+ return false;
|
||||
+}
|
||||
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_openssl.c
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_openssl.c
|
||||
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_openssl.c
|
||||
@@ -574,3 +574,29 @@ out:
|
||||
return -ENOTSUP;
|
||||
#endif
|
||||
}
|
||||
+
|
||||
+#if !ENABLE_FIPS
|
||||
+bool crypt_fips_mode(void) { return false; }
|
||||
+#else
|
||||
+static bool openssl_fips_mode(void)
|
||||
+{
|
||||
+#if OPENSSL_VERSION_MAJOR >= 3
|
||||
+ return EVP_default_properties_is_fips_enabled(NULL);
|
||||
+#else
|
||||
+ return FIPS_mode();
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
+bool crypt_fips_mode(void)
|
||||
+{
|
||||
+ static bool fips_mode = false, fips_checked = false;
|
||||
+
|
||||
+ if (fips_checked)
|
||||
+ return fips_mode;
|
||||
+
|
||||
+ fips_mode = openssl_fips_mode();
|
||||
+ fips_checked = true;
|
||||
+
|
||||
+ return fips_mode;
|
||||
+}
|
||||
+#endif /* ENABLE FIPS */
|
||||
Index: cryptsetup-2.3.7/lib/internal.h
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/lib/internal.h
|
||||
+++ cryptsetup-2.3.7/lib/internal.h
|
||||
@@ -38,7 +38,6 @@
|
||||
#include "utils_crypt.h"
|
||||
#include "utils_loop.h"
|
||||
#include "utils_dm.h"
|
||||
-#include "utils_fips.h"
|
||||
#include "utils_keyring.h"
|
||||
#include "utils_io.h"
|
||||
#include "crypto_backend.h"
|
||||
Index: cryptsetup-2.3.7/po/POTFILES.in
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/po/POTFILES.in
|
||||
+++ cryptsetup-2.3.7/po/POTFILES.in
|
||||
@@ -6,7 +6,6 @@ lib/volumekey.c
|
||||
lib/crypt_plain.c
|
||||
lib/utils_crypt.c
|
||||
lib/utils_loop.c
|
||||
-lib/utils_fips.c
|
||||
lib/utils_device.c
|
||||
lib/utils_devpath.c
|
||||
lib/utils_pbkdf.c
|
||||
Index: cryptsetup-2.3.7/src/cryptsetup.h
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/src/cryptsetup.h
|
||||
+++ cryptsetup-2.3.7/src/cryptsetup.h
|
||||
@@ -43,7 +43,6 @@
|
||||
#include "lib/nls.h"
|
||||
#include "lib/utils_crypt.h"
|
||||
#include "lib/utils_loop.h"
|
||||
-#include "lib/utils_fips.h"
|
||||
#include "lib/utils_io.h"
|
||||
#include "lib/utils_blkid.h"
|
||||
|
||||
Index: cryptsetup-2.3.7/tests/compat-test
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/tests/compat-test
|
||||
+++ cryptsetup-2.3.7/tests/compat-test
|
||||
@@ -44,7 +44,7 @@ KEY_MATERIAL5_EXT="S331776-395264"
|
||||
TEST_UUID="12345678-1234-1234-1234-123456789abc"
|
||||
|
||||
LOOPDEV=$(losetup -f 2>/dev/null)
|
||||
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
|
||||
function remove_mapping()
|
||||
{
|
||||
Index: cryptsetup-2.3.7/tests/compat-test2
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/tests/compat-test2
|
||||
+++ cryptsetup-2.3.7/tests/compat-test2
|
||||
@@ -42,7 +42,7 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-f
|
||||
TEST_UUID="12345678-1234-1234-1234-123456789abc"
|
||||
|
||||
LOOPDEV=$(losetup -f 2>/dev/null)
|
||||
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
|
||||
function remove_mapping()
|
||||
{
|
||||
Index: cryptsetup-2.3.7/tests/keyring-compat-test
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/tests/keyring-compat-test
|
||||
+++ cryptsetup-2.3.7/tests/keyring-compat-test
|
||||
@@ -26,7 +26,7 @@ PWD="aaa"
|
||||
[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
|
||||
CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
|
||||
|
||||
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
|
||||
function remove_mapping()
|
||||
{
|
||||
Index: cryptsetup-2.3.7/tests/luks2-reencryption-test
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/tests/luks2-reencryption-test
|
||||
+++ cryptsetup-2.3.7/tests/luks2-reencryption-test
|
||||
@@ -24,7 +24,7 @@ PWD1="93R4P4pIqAH8"
|
||||
PWD2="1cND4319812f"
|
||||
PWD3="1-9Qu5Ejfnqv"
|
||||
|
||||
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
|
||||
function dm_crypt_features()
|
||||
{
|
||||
Index: cryptsetup-2.3.7/lib/utils_fips.c
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/lib/utils_fips.c
|
||||
+++ cryptsetup-2.3.7/lib/utils_fips.c
|
||||
@@ -1,46 +1 @@
|
||||
-/*
|
||||
- * FIPS mode utilities
|
||||
- *
|
||||
- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved.
|
||||
- *
|
||||
- * This program is free software; you can redistribute it and/or
|
||||
- * modify it under the terms of the GNU General Public License
|
||||
- * as published by the Free Software Foundation; either version 2
|
||||
- * of the License, or (at your option) any later version.
|
||||
- *
|
||||
- * This program is distributed in the hope that it will be useful,
|
||||
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
- * GNU General Public License for more details.
|
||||
- *
|
||||
- * You should have received a copy of the GNU General Public License
|
||||
- * along with this program; if not, write to the Free Software
|
||||
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
- */
|
||||
-
|
||||
-#include <unistd.h>
|
||||
-#include <fcntl.h>
|
||||
-#include <errno.h>
|
||||
-#include "utils_fips.h"
|
||||
-
|
||||
-#if !ENABLE_FIPS
|
||||
-int crypt_fips_mode(void) { return 0; }
|
||||
-#else
|
||||
-static int kernel_fips_mode(void)
|
||||
-{
|
||||
- int fd;
|
||||
- char buf[1] = "";
|
||||
-
|
||||
- if ((fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY)) >= 0) {
|
||||
- while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
|
||||
- close(fd);
|
||||
- }
|
||||
-
|
||||
- return (buf[0] == '1') ? 1 : 0;
|
||||
-}
|
||||
-
|
||||
-int crypt_fips_mode(void)
|
||||
-{
|
||||
- return kernel_fips_mode() && !access("/etc/system-fips", F_OK);
|
||||
-}
|
||||
-#endif /* ENABLE_FIPS */
|
||||
+/* keep an empty file to avoid running autogen.sh */
|
||||
Index: cryptsetup-2.3.7/lib/utils_fips.h
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/lib/utils_fips.h
|
||||
+++ cryptsetup-2.3.7/lib/utils_fips.h
|
||||
@@ -1,26 +1 @@
|
||||
-/*
|
||||
- * FIPS mode utilities
|
||||
- *
|
||||
- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved.
|
||||
- *
|
||||
- * This program is free software; you can redistribute it and/or
|
||||
- * modify it under the terms of the GNU General Public License
|
||||
- * as published by the Free Software Foundation; either version 2
|
||||
- * of the License, or (at your option) any later version.
|
||||
- *
|
||||
- * This program is distributed in the hope that it will be useful,
|
||||
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
- * GNU General Public License for more details.
|
||||
- *
|
||||
- * You should have received a copy of the GNU General Public License
|
||||
- * along with this program; if not, write to the Free Software
|
||||
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
- */
|
||||
-
|
||||
-#ifndef _UTILS_FIPS_H
|
||||
-#define _UTILS_FIPS_H
|
||||
-
|
||||
-int crypt_fips_mode(void);
|
||||
-
|
||||
-#endif /* _UTILS_FIPS_H */
|
||||
+/* keep an empty file to avoid running autogen.sh */
|
||||
|
|
@ -1,53 +0,0 @@
|
|||
From 3616da631f83a004a13a575a54df8123f0d65c29 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Mon, 17 Oct 2022 15:18:42 +0200
|
||||
Subject: [PATCH 1/5] Fix cipher convert routines naming confusion.
|
||||
|
||||
The function names were in fact swaped.
|
||||
---
|
||||
lib/libdevmapper.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
|
||||
index 6c2eab78..0e45a789 100644
|
||||
--- a/lib/libdevmapper.c
|
||||
+++ b/lib/libdevmapper.c
|
||||
@@ -481,7 +481,7 @@ static size_t int_log10(uint64_t x)
|
||||
#define CAPIL 144 /* should be enough to fit whole capi string */
|
||||
#define CAPIS "143" /* for sscanf of crypto API string + 16 + \0 */
|
||||
|
||||
-static int cipher_c2dm(const char *org_c, const char *org_i, unsigned tag_size,
|
||||
+static int cipher_dm2c(const char *org_c, const char *org_i, unsigned tag_size,
|
||||
char *c_dm, int c_dm_size,
|
||||
char *i_dm, int i_dm_size)
|
||||
{
|
||||
@@ -543,7 +543,7 @@ static int cipher_c2dm(const char *org_c, const char *org_i, unsigned tag_size,
|
||||
return 0;
|
||||
}
|
||||
|
||||
-static int cipher_dm2c(char **org_c, char **org_i, const char *c_dm, const char *i_dm)
|
||||
+static int cipher_c2dm(char **org_c, char **org_i, const char *c_dm, const char *i_dm)
|
||||
{
|
||||
char cipher[CLEN], mode[CLEN], iv[CLEN], auth[CLEN];
|
||||
char tmp[CAPIL], dmcrypt_tmp[CAPIL*2], capi[CAPIL+1];
|
||||
@@ -629,7 +629,7 @@ static char *get_dm_crypt_params(const struct dm_target *tgt, uint32_t flags)
|
||||
if (!tgt)
|
||||
return NULL;
|
||||
|
||||
- r = cipher_c2dm(tgt->u.crypt.cipher, tgt->u.crypt.integrity, tgt->u.crypt.tag_size,
|
||||
+ r = cipher_dm2c(tgt->u.crypt.cipher, tgt->u.crypt.integrity, tgt->u.crypt.tag_size,
|
||||
cipher_dm, sizeof(cipher_dm), integrity_dm, sizeof(integrity_dm));
|
||||
if (r < 0)
|
||||
return NULL;
|
||||
@@ -2066,7 +2066,7 @@ static int _dm_target_query_crypt(struct crypt_device *cd, uint32_t get_flags,
|
||||
|
||||
/* cipher */
|
||||
if (get_flags & DM_ACTIVE_CRYPT_CIPHER) {
|
||||
- r = cipher_dm2c(CONST_CAST(char**)&cipher,
|
||||
+ r = cipher_c2dm(CONST_CAST(char**)&cipher,
|
||||
CONST_CAST(char**)&integrity,
|
||||
rcipher, rintegrity);
|
||||
if (r < 0)
|
||||
--
|
||||
2.38.1
|
||||
|
||||
|
|
@ -1,130 +0,0 @@
|
|||
From 3e4c69a01709d35322ffa17c5360608907a207d7 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Tue, 11 Oct 2022 11:48:13 +0200
|
||||
Subject: [PATCH 5/5] Fix internal crypt segment compare routine.
|
||||
|
||||
The function is supposed to check if manipulated
|
||||
active dm-crypt device matches the on-disk metadata.
|
||||
Unfortunately it did not take into account differences
|
||||
between normal cipher specification (aes-xts-plain64)
|
||||
and capi format specification (capi:xts(aes)-plain64).
|
||||
The internal query function always converted capi format
|
||||
in normal format and therefor failed if capi format was
|
||||
used in metadata.
|
||||
|
||||
Fixes: #759.
|
||||
---
|
||||
lib/setup.c | 36 ++++++++++++++++++++++++++----------
|
||||
tests/api-test-2.c | 14 ++++++++++++--
|
||||
2 files changed, 38 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/lib/setup.c b/lib/setup.c
|
||||
index 6d7411b5..809049b9 100644
|
||||
--- a/lib/setup.c
|
||||
+++ b/lib/setup.c
|
||||
@@ -2458,6 +2458,9 @@ static int _compare_crypt_devices(struct crypt_device *cd,
|
||||
const struct dm_target *src,
|
||||
const struct dm_target *tgt)
|
||||
{
|
||||
+ char *src_cipher = NULL, *src_integrity = NULL;
|
||||
+ int r = -EINVAL;
|
||||
+
|
||||
/* for crypt devices keys are mandatory */
|
||||
if (!src->u.crypt.vk || !tgt->u.crypt.vk)
|
||||
return -EINVAL;
|
||||
@@ -2465,21 +2468,30 @@ static int _compare_crypt_devices(struct crypt_device *cd,
|
||||
/* CIPHER checks */
|
||||
if (!src->u.crypt.cipher || !tgt->u.crypt.cipher)
|
||||
return -EINVAL;
|
||||
- if (strcmp(src->u.crypt.cipher, tgt->u.crypt.cipher)) {
|
||||
- log_dbg(cd, "Cipher specs do not match.");
|
||||
+
|
||||
+ /*
|
||||
+ * dm_query_target converts capi cipher specification to dm-crypt format.
|
||||
+ * We need to do same for cipher specification requested in source
|
||||
+ * device.
|
||||
+ */
|
||||
+ if (crypt_capi_to_cipher(&src_cipher, &src_integrity, src->u.crypt.cipher, src->u.crypt.integrity))
|
||||
return -EINVAL;
|
||||
+
|
||||
+ if (strcmp(src_cipher, tgt->u.crypt.cipher)) {
|
||||
+ log_dbg(cd, "Cipher specs do not match.");
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
if (tgt->u.crypt.vk->keylength == 0 && crypt_is_cipher_null(tgt->u.crypt.cipher))
|
||||
log_dbg(cd, "Existing device uses cipher null. Skipping key comparison.");
|
||||
else if (_compare_volume_keys(src->u.crypt.vk, 0, tgt->u.crypt.vk, tgt->u.crypt.vk->key_description != NULL)) {
|
||||
log_dbg(cd, "Keys in context and target device do not match.");
|
||||
- return -EINVAL;
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
- if (crypt_strcmp(src->u.crypt.integrity, tgt->u.crypt.integrity)) {
|
||||
+ if (crypt_strcmp(src_integrity, tgt->u.crypt.integrity)) {
|
||||
log_dbg(cd, "Integrity parameters do not match.");
|
||||
- return -EINVAL;
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
if (src->u.crypt.offset != tgt->u.crypt.offset ||
|
||||
@@ -2487,15 +2499,19 @@ static int _compare_crypt_devices(struct crypt_device *cd,
|
||||
src->u.crypt.iv_offset != tgt->u.crypt.iv_offset ||
|
||||
src->u.crypt.tag_size != tgt->u.crypt.tag_size) {
|
||||
log_dbg(cd, "Integer parameters do not match.");
|
||||
- return -EINVAL;
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
- if (device_is_identical(src->data_device, tgt->data_device) <= 0) {
|
||||
+ if (device_is_identical(src->data_device, tgt->data_device) <= 0)
|
||||
log_dbg(cd, "Data devices do not match.");
|
||||
- return -EINVAL;
|
||||
- }
|
||||
+ else
|
||||
+ r = 0;
|
||||
|
||||
- return 0;
|
||||
+out:
|
||||
+ free(src_cipher);
|
||||
+ free(src_integrity);
|
||||
+
|
||||
+ return r;
|
||||
}
|
||||
|
||||
static int _compare_integrity_devices(struct crypt_device *cd,
|
||||
diff --git a/tests/api-test-2.c b/tests/api-test-2.c
|
||||
index 0534677a..34002d1a 100644
|
||||
--- a/tests/api-test-2.c
|
||||
+++ b/tests/api-test-2.c
|
||||
@@ -1585,8 +1585,8 @@ static void ResizeDeviceLuks2(void)
|
||||
|
||||
const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
|
||||
size_t key_size = strlen(mk_hex) / 2;
|
||||
- const char *cipher = "aes";
|
||||
- const char *cipher_mode = "cbc-essiv:sha256";
|
||||
+ const char *cipher = "aes", *capi_cipher = "capi:cbc(aes)";
|
||||
+ const char *cipher_mode = "cbc-essiv:sha256", *capi_cipher_mode = "essiv:sha256";
|
||||
uint64_t r_payload_offset, r_header_size, r_size;
|
||||
|
||||
/* Cannot use Argon2 in FIPS */
|
||||
@@ -1728,6 +1728,16 @@ static void ResizeDeviceLuks2(void)
|
||||
OK_(crypt_deactivate(cd, CDEVICE_1));
|
||||
CRYPT_FREE(cd);
|
||||
|
||||
+ OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
|
||||
+ OK_(crypt_set_pbkdf_type(cd, &pbkdf));
|
||||
+ OK_(crypt_format(cd, CRYPT_LUKS2, capi_cipher, capi_cipher_mode, NULL, key, key_size, NULL));
|
||||
+ OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
|
||||
+ OK_(crypt_resize(cd, CDEVICE_1, 8));
|
||||
+ if (!t_device_size(DMDIR CDEVICE_1, &r_size))
|
||||
+ EQ_(8, r_size >> SECTOR_SHIFT);
|
||||
+ OK_(crypt_deactivate(cd, CDEVICE_1));
|
||||
+ CRYPT_FREE(cd);
|
||||
+
|
||||
_cleanup_dmdevices();
|
||||
}
|
||||
|
||||
--
|
||||
2.38.1
|
||||
|
||||
|
|
@ -1,250 +0,0 @@
|
|||
From 9a9ddc7d22e14e14c9a6e97860cffada406adac3 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Tue, 11 Oct 2022 10:50:17 +0200
|
||||
Subject: [PATCH 2/5] Move cipher_dm2c to crypto utilities.
|
||||
|
||||
(Gets renamed to crypt_capi_to_cipher)
|
||||
---
|
||||
lib/libdevmapper.c | 84 +++-------------------------------------------
|
||||
lib/utils_crypt.c | 72 +++++++++++++++++++++++++++++++++++++++
|
||||
lib/utils_crypt.h | 11 ++++--
|
||||
3 files changed, 85 insertions(+), 82 deletions(-)
|
||||
|
||||
diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
|
||||
index 0e45a789..7fcf843f 100644
|
||||
--- a/lib/libdevmapper.c
|
||||
+++ b/lib/libdevmapper.c
|
||||
@@ -476,27 +476,22 @@ static size_t int_log10(uint64_t x)
|
||||
return r;
|
||||
}
|
||||
|
||||
-#define CLEN 64 /* 2*MAX_CIPHER_LEN */
|
||||
-#define CLENS "63" /* for sscanf length + '\0' */
|
||||
-#define CAPIL 144 /* should be enough to fit whole capi string */
|
||||
-#define CAPIS "143" /* for sscanf of crypto API string + 16 + \0 */
|
||||
-
|
||||
static int cipher_dm2c(const char *org_c, const char *org_i, unsigned tag_size,
|
||||
char *c_dm, int c_dm_size,
|
||||
char *i_dm, int i_dm_size)
|
||||
{
|
||||
int c_size = 0, i_size = 0, i;
|
||||
- char cipher[CLEN], mode[CLEN], iv[CLEN+1], tmp[CLEN];
|
||||
- char capi[CAPIL];
|
||||
+ char cipher[MAX_CAPI_ONE_LEN], mode[MAX_CAPI_ONE_LEN], iv[MAX_CAPI_ONE_LEN+1],
|
||||
+ tmp[MAX_CAPI_ONE_LEN], capi[MAX_CAPI_LEN];
|
||||
|
||||
if (!c_dm || !c_dm_size || !i_dm || !i_dm_size)
|
||||
return -EINVAL;
|
||||
|
||||
- i = sscanf(org_c, "%" CLENS "[^-]-%" CLENS "s", cipher, tmp);
|
||||
+ i = sscanf(org_c, "%" MAX_CAPI_ONE_LEN_STR "[^-]-%" MAX_CAPI_ONE_LEN_STR "s", cipher, tmp);
|
||||
if (i != 2)
|
||||
return -EINVAL;
|
||||
|
||||
- i = sscanf(tmp, "%" CLENS "[^-]-%" CLENS "s", mode, iv);
|
||||
+ i = sscanf(tmp, "%" MAX_CAPI_ONE_LEN_STR "[^-]-%" MAX_CAPI_ONE_LEN_STR "s", mode, iv);
|
||||
if (i == 1) {
|
||||
memset(iv, 0, sizeof(iv));
|
||||
strncpy(iv, mode, sizeof(iv)-1);
|
||||
@@ -543,75 +538,6 @@ static int cipher_dm2c(const char *org_c, const char *org_i, unsigned tag_size,
|
||||
return 0;
|
||||
}
|
||||
|
||||
-static int cipher_c2dm(char **org_c, char **org_i, const char *c_dm, const char *i_dm)
|
||||
-{
|
||||
- char cipher[CLEN], mode[CLEN], iv[CLEN], auth[CLEN];
|
||||
- char tmp[CAPIL], dmcrypt_tmp[CAPIL*2], capi[CAPIL+1];
|
||||
- size_t len;
|
||||
- int i;
|
||||
-
|
||||
- if (!c_dm)
|
||||
- return -EINVAL;
|
||||
-
|
||||
- /* legacy mode */
|
||||
- if (strncmp(c_dm, "capi:", 4)) {
|
||||
- if (!(*org_c = strdup(c_dm)))
|
||||
- return -ENOMEM;
|
||||
- *org_i = NULL;
|
||||
- return 0;
|
||||
- }
|
||||
-
|
||||
- /* modes with capi: prefix */
|
||||
- i = sscanf(c_dm, "capi:%" CAPIS "[^-]-%" CLENS "s", tmp, iv);
|
||||
- if (i != 2)
|
||||
- return -EINVAL;
|
||||
-
|
||||
- len = strlen(tmp);
|
||||
- if (len < 2)
|
||||
- return -EINVAL;
|
||||
-
|
||||
- if (tmp[len-1] == ')')
|
||||
- tmp[len-1] = '\0';
|
||||
-
|
||||
- if (sscanf(tmp, "rfc4309(%" CAPIS "s", capi) == 1) {
|
||||
- if (!(*org_i = strdup("aead")))
|
||||
- return -ENOMEM;
|
||||
- } else if (sscanf(tmp, "rfc7539(%" CAPIS "[^,],%" CLENS "s", capi, auth) == 2) {
|
||||
- if (!(*org_i = strdup(auth)))
|
||||
- return -ENOMEM;
|
||||
- } else if (sscanf(tmp, "authenc(%" CLENS "[^,],%" CAPIS "s", auth, capi) == 2) {
|
||||
- if (!(*org_i = strdup(auth)))
|
||||
- return -ENOMEM;
|
||||
- } else {
|
||||
- if (i_dm) {
|
||||
- if (!(*org_i = strdup(i_dm)))
|
||||
- return -ENOMEM;
|
||||
- } else
|
||||
- *org_i = NULL;
|
||||
- memset(capi, 0, sizeof(capi));
|
||||
- strncpy(capi, tmp, sizeof(capi)-1);
|
||||
- }
|
||||
-
|
||||
- i = sscanf(capi, "%" CLENS "[^(](%" CLENS "[^)])", mode, cipher);
|
||||
- if (i == 2)
|
||||
- i = snprintf(dmcrypt_tmp, sizeof(dmcrypt_tmp), "%s-%s-%s", cipher, mode, iv);
|
||||
- else
|
||||
- i = snprintf(dmcrypt_tmp, sizeof(dmcrypt_tmp), "%s-%s", capi, iv);
|
||||
- if (i < 0 || (size_t)i >= sizeof(dmcrypt_tmp)) {
|
||||
- free(*org_i);
|
||||
- *org_i = NULL;
|
||||
- return -EINVAL;
|
||||
- }
|
||||
-
|
||||
- if (!(*org_c = strdup(dmcrypt_tmp))) {
|
||||
- free(*org_i);
|
||||
- *org_i = NULL;
|
||||
- return -ENOMEM;
|
||||
- }
|
||||
-
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
static char *_uf(char *buf, size_t buf_size, const char *s, unsigned u)
|
||||
{
|
||||
size_t r = snprintf(buf, buf_size, " %s:%u", s, u);
|
||||
@@ -2066,7 +1992,7 @@ static int _dm_target_query_crypt(struct crypt_device *cd, uint32_t get_flags,
|
||||
|
||||
/* cipher */
|
||||
if (get_flags & DM_ACTIVE_CRYPT_CIPHER) {
|
||||
- r = cipher_c2dm(CONST_CAST(char**)&cipher,
|
||||
+ r = crypt_capi_to_cipher(CONST_CAST(char**)&cipher,
|
||||
CONST_CAST(char**)&integrity,
|
||||
rcipher, rintegrity);
|
||||
if (r < 0)
|
||||
diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c
|
||||
index 83d0a2c5..4f4dbba8 100644
|
||||
--- a/lib/utils_crypt.c
|
||||
+++ b/lib/utils_crypt.c
|
||||
@@ -31,6 +31,8 @@
|
||||
#include "libcryptsetup.h"
|
||||
#include "utils_crypt.h"
|
||||
|
||||
+#define MAX_CAPI_LEN_STR "143" /* for sscanf of crypto API string + 16 + \0 */
|
||||
+
|
||||
int crypt_parse_name_and_mode(const char *s, char *cipher, int *key_nums,
|
||||
char *cipher_mode)
|
||||
{
|
||||
@@ -266,3 +268,73 @@ bool crypt_is_cipher_null(const char *cipher_spec)
|
||||
return false;
|
||||
return (strstr(cipher_spec, "cipher_null") || !strcmp(cipher_spec, "null"));
|
||||
}
|
||||
+
|
||||
+int crypt_capi_to_cipher(char **org_c, char **org_i, const char *c_dm, const char *i_dm)
|
||||
+{
|
||||
+ char cipher[MAX_CAPI_ONE_LEN], mode[MAX_CAPI_ONE_LEN], iv[MAX_CAPI_ONE_LEN],
|
||||
+ auth[MAX_CAPI_ONE_LEN], tmp[MAX_CAPI_LEN], dmcrypt_tmp[MAX_CAPI_LEN*2],
|
||||
+ capi[MAX_CAPI_LEN+1];
|
||||
+ size_t len;
|
||||
+ int i;
|
||||
+
|
||||
+ if (!c_dm)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
+ /* legacy mode */
|
||||
+ if (strncmp(c_dm, "capi:", 4)) {
|
||||
+ if (!(*org_c = strdup(c_dm)))
|
||||
+ return -ENOMEM;
|
||||
+ *org_i = NULL;
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ /* modes with capi: prefix */
|
||||
+ i = sscanf(c_dm, "capi:%" MAX_CAPI_LEN_STR "[^-]-%" MAX_CAPI_ONE_LEN_STR "s", tmp, iv);
|
||||
+ if (i != 2)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
+ len = strlen(tmp);
|
||||
+ if (len < 2)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
+ if (tmp[len-1] == ')')
|
||||
+ tmp[len-1] = '\0';
|
||||
+
|
||||
+ if (sscanf(tmp, "rfc4309(%" MAX_CAPI_LEN_STR "s", capi) == 1) {
|
||||
+ if (!(*org_i = strdup("aead")))
|
||||
+ return -ENOMEM;
|
||||
+ } else if (sscanf(tmp, "rfc7539(%" MAX_CAPI_LEN_STR "[^,],%" MAX_CAPI_ONE_LEN_STR "s", capi, auth) == 2) {
|
||||
+ if (!(*org_i = strdup(auth)))
|
||||
+ return -ENOMEM;
|
||||
+ } else if (sscanf(tmp, "authenc(%" MAX_CAPI_ONE_LEN_STR "[^,],%" MAX_CAPI_LEN_STR "s", auth, capi) == 2) {
|
||||
+ if (!(*org_i = strdup(auth)))
|
||||
+ return -ENOMEM;
|
||||
+ } else {
|
||||
+ if (i_dm) {
|
||||
+ if (!(*org_i = strdup(i_dm)))
|
||||
+ return -ENOMEM;
|
||||
+ } else
|
||||
+ *org_i = NULL;
|
||||
+ memset(capi, 0, sizeof(capi));
|
||||
+ strncpy(capi, tmp, sizeof(capi)-1);
|
||||
+ }
|
||||
+
|
||||
+ i = sscanf(capi, "%" MAX_CAPI_ONE_LEN_STR "[^(](%" MAX_CAPI_ONE_LEN_STR "[^)])", mode, cipher);
|
||||
+ if (i == 2)
|
||||
+ i = snprintf(dmcrypt_tmp, sizeof(dmcrypt_tmp), "%s-%s-%s", cipher, mode, iv);
|
||||
+ else
|
||||
+ i = snprintf(dmcrypt_tmp, sizeof(dmcrypt_tmp), "%s-%s", capi, iv);
|
||||
+ if (i < 0 || (size_t)i >= sizeof(dmcrypt_tmp)) {
|
||||
+ free(*org_i);
|
||||
+ *org_i = NULL;
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ if (!(*org_c = strdup(dmcrypt_tmp))) {
|
||||
+ free(*org_i);
|
||||
+ *org_i = NULL;
|
||||
+ return -ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
diff --git a/lib/utils_crypt.h b/lib/utils_crypt.h
|
||||
index 5922350a..a4a9b6ca 100644
|
||||
--- a/lib/utils_crypt.h
|
||||
+++ b/lib/utils_crypt.h
|
||||
@@ -27,9 +27,12 @@
|
||||
#include <stdbool.h>
|
||||
#include <unistd.h>
|
||||
|
||||
-#define MAX_CIPHER_LEN 32
|
||||
-#define MAX_CIPHER_LEN_STR "31"
|
||||
-#define MAX_KEYFILES 32
|
||||
+#define MAX_CIPHER_LEN 32
|
||||
+#define MAX_CIPHER_LEN_STR "31"
|
||||
+#define MAX_KEYFILES 32
|
||||
+#define MAX_CAPI_ONE_LEN 2 * MAX_CIPHER_LEN
|
||||
+#define MAX_CAPI_ONE_LEN_STR "63" /* for sscanf length + '\0' */
|
||||
+#define MAX_CAPI_LEN 144 /* should be enough to fit whole capi string */
|
||||
|
||||
int crypt_parse_name_and_mode(const char *s, char *cipher,
|
||||
int *key_nums, char *cipher_mode);
|
||||
@@ -46,4 +49,6 @@ void crypt_log_hex(struct crypt_device *cd,
|
||||
|
||||
bool crypt_is_cipher_null(const char *cipher_spec);
|
||||
|
||||
+int crypt_capi_to_cipher(char **org_c, char **org_i, const char *c_dm, const char *i_dm);
|
||||
+
|
||||
#endif /* _UTILS_CRYPT_H */
|
||||
--
|
||||
2.38.1
|
||||
|
||||
|
|
@ -12,15 +12,15 @@ over the data device.
|
|||
tests/reencryption-compat-test | 20 +++++++++++++---
|
||||
3 files changed, 70 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/utils_tools.c b/src/utils_tools.c
|
||||
--- a/src/utils_tools.c
|
||||
+++ b/src/utils_tools.c
|
||||
@@ -624,3 +624,23 @@ int tools_reencrypt_progress(uint64_t si
|
||||
|
||||
return r;
|
||||
diff --git a/src/utils_reencrypt.c b/src/utils_reencrypt.c
|
||||
index 87ead680..73e0bca8 100644
|
||||
--- a/src/utils_reencrypt.c
|
||||
+++ b/src/utils_reencrypt.c
|
||||
@@ -467,6 +467,26 @@ static int reencrypt_check_active_device_sb_block_size(const char *active_device
|
||||
return reencrypt_check_data_sb_block_size(dm_device, new_sector_size);
|
||||
}
|
||||
+
|
||||
+int reencrypt_is_header_detached(const char *header_device, const char *data_device)
|
||||
|
||||
+static int reencrypt_is_header_detached(const char *header_device, const char *data_device)
|
||||
+{
|
||||
+ int r;
|
||||
+ struct stat st;
|
||||
|
|
@ -35,67 +35,56 @@ diff --git a/src/utils_tools.c b/src/utils_tools.c
|
|||
+ if ((r = crypt_init_data_device(&cd, header_device, data_device)))
|
||||
+ return r;
|
||||
+
|
||||
+ r = crypt_get_metadata_device_name(cd) && crypt_get_device_name(cd) && strcmp(crypt_get_metadata_device_name(cd), crypt_get_device_name(cd));
|
||||
+ r = crypt_header_is_detached(cd);
|
||||
+ crypt_free(cd);
|
||||
+ return r;
|
||||
+}
|
||||
diff --git a/src/cryptsetup.h b/src/cryptsetup.h
|
||||
--- a/src/cryptsetup.h
|
||||
+++ b/src/cryptsetup.h
|
||||
@@ -103,6 +103,7 @@ void tools_clear_line(void);
|
||||
|
||||
int tools_wipe_progress(uint64_t size, uint64_t offset, void *usrptr);
|
||||
int tools_reencrypt_progress(uint64_t size, uint64_t offset, void *usrptr);
|
||||
+int reencrypt_is_header_detached(const char *header_device, const char *data_device);
|
||||
|
||||
int tools_read_mk(const char *file, char **key, int keysize);
|
||||
int tools_write_mk(const char *file, const char *key, int keysize);
|
||||
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
|
||||
--- a/src/cryptsetup.c
|
||||
+++ b/src/cryptsetup.c
|
||||
@@ -2892,6 +2892,16 @@ static int action_encrypt_luks2(struct c
|
||||
return -ENOTSUP;
|
||||
}
|
||||
|
||||
+ if (!opt_data_shift) {
|
||||
+ r = reencrypt_is_header_detached(opt_header_device, action_argv[0]);
|
||||
+ if (r < 0)
|
||||
+ return r;
|
||||
+ if (!r) {
|
||||
+ log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."));
|
||||
+ return -ENOTSUP;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (!opt_header_device && opt_offset && opt_data_shift && (opt_offset > (imaxabs(opt_data_shift) / (2 * SECTOR_SIZE)))) {
|
||||
log_err(_("Requested data offset must be less than or equal to half of --reduce-device-size parameter."));
|
||||
return -EINVAL;
|
||||
diff --git a/src/cryptsetup_reencrypt.c b/src/cryptsetup_reencrypt.c
|
||||
--- a/src/cryptsetup_reencrypt.c
|
||||
+++ b/src/cryptsetup_reencrypt.c
|
||||
@@ -1553,6 +1553,17 @@ static int run_reencrypt(const char *dev
|
||||
goto out;
|
||||
}
|
||||
|
||||
+ if (rc.reencrypt_mode == ENCRYPT) {
|
||||
+ r = reencrypt_is_header_detached(opt_header_device, action_argv[0]);
|
||||
static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device, const char *device_name)
|
||||
{
|
||||
int keyslot, r, fd;
|
||||
@@ -490,9 +510,14 @@ static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device,
|
||||
|
||||
_set_reencryption_flags(¶ms.flags);
|
||||
|
||||
- if (!data_shift && !ARG_SET(OPT_HEADER_ID)) {
|
||||
- log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."));
|
||||
- return -ENOTSUP;
|
||||
+ if (!data_shift) {
|
||||
+ r = reencrypt_is_header_detached(ARG_STR(OPT_HEADER_ID), data_device);
|
||||
+ if (r < 0)
|
||||
+ goto out;
|
||||
+ if (!r && !opt_reduce_size) {
|
||||
+ return r;
|
||||
+ if (!r) {
|
||||
+ log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."));
|
||||
+ r = -ENOTSUP;
|
||||
+ goto out;
|
||||
+ return -ENOTSUP;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
log_dbg("Running reencryption.");
|
||||
|
||||
if (!rc.in_progress) {
|
||||
}
|
||||
|
||||
if (!ARG_SET(OPT_HEADER_ID) && ARG_UINT64(OPT_OFFSET_ID) &&
|
||||
@@ -1358,9 +1383,16 @@ static int _encrypt(struct crypt_device *cd, const char *type, enum device_statu
|
||||
if (!type)
|
||||
type = crypt_get_default_type();
|
||||
|
||||
- if (dev_st == DEVICE_LUKS1_UNUSABLE || isLUKS1(type))
|
||||
+ if (dev_st == DEVICE_LUKS1_UNUSABLE || isLUKS1(type)) {
|
||||
+ r = reencrypt_is_header_detached(ARG_STR(OPT_HEADER_ID), action_argv[0]);
|
||||
+ if (r < 0)
|
||||
+ return r;
|
||||
+ if (!r && !ARG_SET(OPT_REDUCE_DEVICE_SIZE_ID)) {
|
||||
+ log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size)."));
|
||||
+ return -ENOTSUP;
|
||||
+ }
|
||||
return reencrypt_luks1(action_argv[0]);
|
||||
- else if (dev_st == DEVICE_NOT_LUKS) {
|
||||
+ } else if (dev_st == DEVICE_NOT_LUKS) {
|
||||
r = encrypt_luks2_init(&encrypt_cd, action_argv[0], action_argc > 1 ? action_argv[1] : NULL);
|
||||
if (r < 0 || ARG_SET(OPT_INIT_ONLY_ID)) {
|
||||
crypt_free(encrypt_cd);
|
||||
diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
|
||||
index bab54353..a647a8c2 100755
|
||||
--- a/tests/luks2-reencryption-test
|
||||
+++ b/tests/luks2-reencryption-test
|
||||
@@ -1080,6 +1080,15 @@ $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
|
||||
@@ -1080,6 +1080,22 @@ $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
|
||||
$CRYPTSETUP close $DEV_NAME
|
||||
echo $PWD1 | $CRYPTSETUP open --header $IMG_HDR $DEV --test-passphrase || fail
|
||||
|
||||
|
|
@ -103,10 +92,17 @@ index bab54353..a647a8c2 100755
|
|||
+wipe_dev_head $DEV 1
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --type luks2 --encrypt --header $DEV -q $FAST_PBKDF_ARGON 2>/dev/null && fail
|
||||
+$CRYPTSETUP isLUKS $DEV 2>/dev/null && fail
|
||||
+ln -s $DEV $DEV_LINK || fail
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --type luks2 --encrypt --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
|
||||
+$CRYPTSETUP isLUKS $DEV 2>/dev/null && fail
|
||||
+rm -f $DEV_LINK || fail
|
||||
+
|
||||
+dd if=/dev/zero of=$IMG bs=4k count=1 >/dev/null 2>&1
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt $IMG --type luks2 --encrypt --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail
|
||||
+$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
|
||||
+ln -s $IMG $DEV_LINK || fail
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt $IMG --type luks2 --encrypt --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
|
||||
+$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
|
||||
+
|
||||
echo "[4] Reencryption with detached header"
|
||||
wipe $PWD1 $IMG_HDR
|
||||
|
|
@ -115,8 +111,9 @@ diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test
|
|||
index f6a84137..453831d1 100755
|
||||
--- a/tests/reencryption-compat-test
|
||||
+++ b/tests/reencryption-compat-test
|
||||
@@ -11,5 +11,6 @@ IMG=reenc-data
|
||||
@@ -15,6 +15,7 @@ IMG=reenc-data
|
||||
IMG_HDR=$IMG.hdr
|
||||
HEADER_LUKS2_PV=blkid-luks2-pv.img
|
||||
ORIG_IMG=reenc-data-orig
|
||||
+DEV_LINK="reenc-test-link"
|
||||
KEY1=key1
|
||||
|
|
@ -126,22 +123,32 @@ index f6a84137..453831d1 100755
|
|||
[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
|
||||
[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
|
||||
[ ! -z "$LOOPDEV1" ] && losetup -d $LOOPDEV1 >/dev/null 2>&1
|
||||
- rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 >/dev/null 2>&1
|
||||
+ rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $DEV_LINK >/dev/null 2>&1
|
||||
- rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $HEADER_LUKS2_PV >/dev/null 2>&1
|
||||
+ rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $HEADER_LUKS2_PV $DEV_LINK >/dev/null 2>&1
|
||||
umount $MNT_DIR > /dev/null 2>&1
|
||||
rmdir $MNT_DIR > /dev/null 2>&1
|
||||
LOOPDEV1=""
|
||||
@@ -265,10 +265,16 @@ $REENC $LOOPDEV1 -d $KEY1 $FAST_PBKDF -q
|
||||
@@ -302,12 +303,25 @@ check_slot 0 || fail "Only keyslot 0 expected to be enabled"
|
||||
$REENC $LOOPDEV1 -d $KEY1 $FAST_PBKDF -q || fail
|
||||
# FIXME echo $PWD1 | $REENC ...
|
||||
|
||||
-if [ ! fips_mode ]; then
|
||||
echo "[4] Encryption of not yet encrypted device"
|
||||
+# Encrypt without size reduction must not allow header device same as data device
|
||||
+wipe_dev $LOOPDEV1
|
||||
+echo $PWD1 | $REENC $LOOPDEV1 --type luks1 --new --header $LOOPDEV1 -q $FAST_PBKDF_ARGON 2>/dev/null && fail
|
||||
+$CRYPTSETUP isLUKS $LOOPDEV1 2>/dev/null && fail
|
||||
+ln -s $LOOPDEV1 $DEV_LINK || fail
|
||||
+echo $PWD1 | $REENC $LOOPDEV1 --type luks1 --new --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
|
||||
+$CRYPTSETUP isLUKS $LOOPDEV1 2>/dev/null && fail
|
||||
+rm -f $DEV_LINK || fail
|
||||
+echo $PWD1 | $REENC $IMG --type luks1 --new --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail
|
||||
+$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
|
||||
+ln -s $IMG $DEV_LINK || fail
|
||||
+echo $PWD1 | $REENC $IMG --type luks1 --new --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail
|
||||
+$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail
|
||||
+
|
||||
+if [ ! fips_mode ]; then
|
||||
# well, movin' zeroes :-)
|
||||
OFFSET=2048
|
||||
SIZE=$(blockdev --getsz $LOOPDEV1)
|
||||
|
|
|
|||
|
|
@ -0,0 +1,662 @@
|
|||
From e7a1f18d976771efc06987107da12ccae4d0b360 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Fri, 2 Dec 2022 11:40:24 +0100
|
||||
Subject: [PATCH 2/3] Change tests to use passphrases with minimal 8 chars
|
||||
length.
|
||||
|
||||
Skip tests that can not satisfy minimal test passphrase length:
|
||||
|
||||
- empty passphrase
|
||||
- LUKS1 cipher_null tests (empty passphrase is mandatory)
|
||||
- LUKS1 encryption
|
||||
---
|
||||
tests/Makefile.am | 3 +-
|
||||
tests/align-test | 10 +++
|
||||
tests/api-test-2.c | 117 +++++++++++++++++----------------
|
||||
tests/api-test.c | 14 ++--
|
||||
tests/compat-test | 8 ++-
|
||||
tests/compat-test2 | 16 +++--
|
||||
tests/keyring-compat-test | 2 +-
|
||||
tests/reencryption-compat-test | 10 +++
|
||||
tests/ssh-test-plugin | 2 +-
|
||||
9 files changed, 110 insertions(+), 72 deletions(-)
|
||||
|
||||
diff --git a/tests/align-test b/tests/align-test
|
||||
index eedf8b77..5941cde2 100755
|
||||
--- a/tests/align-test
|
||||
+++ b/tests/align-test
|
||||
@@ -10,9 +10,16 @@ PWD1="93R4P4pIqAH8"
|
||||
PWD2="mymJeD8ivEhE"
|
||||
FAST_PBKDF="--pbkdf-force-iterations 1000"
|
||||
|
||||
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
+
|
||||
CRYPTSETUP_VALGRIND=../.libs/cryptsetup
|
||||
CRYPTSETUP_LIB_VALGRIND=../.libs
|
||||
|
||||
+function fips_mode()
|
||||
+{
|
||||
+ [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
|
||||
+}
|
||||
+
|
||||
cleanup() {
|
||||
udevadm settle >/dev/null 2>&1
|
||||
if [ -d "$MNT_DIR" ] ; then
|
||||
@@ -276,6 +283,8 @@ format_plain_fail 2048
|
||||
format_plain_fail 4096
|
||||
cleanup
|
||||
|
||||
+# skip tests using empty passphrase (LUKS1 cipher_null)
|
||||
+if [ ! fips_mode ]; then
|
||||
echo "# Offset check: 512B sector drive"
|
||||
add_device dev_size_mb=16 sector_size=512 num_tgts=1
|
||||
# |k| expO reqO expected slot offsets
|
||||
@@ -314,6 +323,7 @@ format_null 512 4040 8
|
||||
format_null 512 4096 128
|
||||
format_null 512 4096 2048
|
||||
cleanup
|
||||
+fi
|
||||
|
||||
echo "# Create enterprise-class 4K drive with fs and LUKS images."
|
||||
# loop device here presents 512 block but images have 4k block
|
||||
diff --git a/tests/api-test-2.c b/tests/api-test-2.c
|
||||
index b7c762d9..2c39191b 100644
|
||||
--- a/tests/api-test-2.c
|
||||
+++ b/tests/api-test-2.c
|
||||
@@ -74,8 +74,8 @@ typedef int32_t key_serial_t;
|
||||
#define KEYFILE2 "key2.file"
|
||||
#define KEY2 "0123456789abcdef"
|
||||
|
||||
-#define PASSPHRASE "blabla"
|
||||
-#define PASSPHRASE1 "albalb"
|
||||
+#define PASSPHRASE "blablabl"
|
||||
+#define PASSPHRASE1 "albalbal"
|
||||
|
||||
#define DEVICE_TEST_UUID "12345678-1234-1234-1234-123456789abc"
|
||||
|
||||
@@ -107,15 +107,15 @@ typedef int32_t key_serial_t;
|
||||
#define CONV_L2_512_DET_FULL "l2_512b_det_full"
|
||||
#define CONV_L1_256_LEGACY "l1_256b_legacy_offset"
|
||||
#define CONV_L1_256_UNMOVABLE "l1_256b_unmovable"
|
||||
-#define PASS0 "aaa"
|
||||
-#define PASS1 "hhh"
|
||||
-#define PASS2 "ccc"
|
||||
-#define PASS3 "ddd"
|
||||
-#define PASS4 "eee"
|
||||
-#define PASS5 "fff"
|
||||
-#define PASS6 "ggg"
|
||||
-#define PASS7 "bbb"
|
||||
-#define PASS8 "iii"
|
||||
+#define PASS0 "aaablabl"
|
||||
+#define PASS1 "hhhblabl"
|
||||
+#define PASS2 "cccblabl"
|
||||
+#define PASS3 "dddblabl"
|
||||
+#define PASS4 "eeeblabl"
|
||||
+#define PASS5 "fffblabl"
|
||||
+#define PASS6 "gggblabl"
|
||||
+#define PASS7 "bbbblabl"
|
||||
+#define PASS8 "iiiblabl"
|
||||
|
||||
static int _fips_mode = 0;
|
||||
|
||||
@@ -429,11 +429,11 @@ static int _setup(void)
|
||||
|
||||
_system("dd if=/dev/zero of=" IMAGE_EMPTY_SMALL_2 " bs=512 count=2050 2>/dev/null", 1);
|
||||
|
||||
- _system(" [ ! -e " NO_REQS_LUKS2_HEADER " ] && xz -dk " NO_REQS_LUKS2_HEADER ".xz", 1);
|
||||
+ _system(" [ ! -e " NO_REQS_LUKS2_HEADER " ] && tar xJf " REQS_LUKS2_HEADER ".tar.xz", 1);
|
||||
fd = loop_attach(&DEVICE_4, NO_REQS_LUKS2_HEADER, 0, 0, &ro);
|
||||
close(fd);
|
||||
|
||||
- _system(" [ ! -e " REQS_LUKS2_HEADER " ] && xz -dk " REQS_LUKS2_HEADER ".xz", 1);
|
||||
+ _system(" [ ! -e " REQS_LUKS2_HEADER " ] && tar xJf " REQS_LUKS2_HEADER ".tar.xz", 1);
|
||||
fd = loop_attach(&DEVICE_5, REQS_LUKS2_HEADER, 0, 0, &ro);
|
||||
close(fd);
|
||||
|
||||
@@ -709,7 +709,7 @@ static void AddDeviceLuks2(void)
|
||||
};
|
||||
char key[128], key2[128], key3[128];
|
||||
|
||||
- const char *tmp_buf, *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd";
|
||||
+ const char *tmp_buf, *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd";
|
||||
const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
|
||||
const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e";
|
||||
size_t key_size = strlen(vk_hex) / 2;
|
||||
@@ -1056,7 +1056,6 @@ static void Luks2MetadataSize(void)
|
||||
};
|
||||
char key[128], tmp[128];
|
||||
|
||||
- const char *passphrase = "blabla";
|
||||
const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
|
||||
size_t key_size = strlen(vk_hex) / 2;
|
||||
const char *cipher = "aes";
|
||||
@@ -1103,7 +1102,7 @@ static void Luks2MetadataSize(void)
|
||||
OK_(crypt_init(&cd, DMDIR H_DEVICE));
|
||||
OK_(crypt_set_metadata_size(cd, 0x080000, 0x080000));
|
||||
OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, key, key_size, ¶ms));
|
||||
- EQ_(crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, passphrase, strlen(passphrase)), 7);
|
||||
+ EQ_(crypt_keyslot_add_by_volume_key(cd, 7, key, key_size, PASSPHRASE, strlen(PASSPHRASE)), 7);
|
||||
CRYPT_FREE(cd);
|
||||
OK_(crypt_init(&cd, DMDIR H_DEVICE));
|
||||
OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
|
||||
@@ -3306,8 +3305,8 @@ static void Luks2Requirements(void)
|
||||
.key_description = KEY_DESC_TEST0
|
||||
};
|
||||
|
||||
- OK_(prepare_keyfile(KEYFILE1, "aaa", 3));
|
||||
- OK_(prepare_keyfile(KEYFILE2, "xxx", 3));
|
||||
+ OK_(prepare_keyfile(KEYFILE1, PASSPHRASE, strlen(PASSPHRASE)));
|
||||
+ OK_(prepare_keyfile(KEYFILE2, PASSPHRASE1, strlen(PASSPHRASE1)));
|
||||
|
||||
/* crypt_load (unrestricted) */
|
||||
OK_(crypt_init(&cd, DEVICE_5));
|
||||
@@ -3361,11 +3360,11 @@ static void Luks2Requirements(void)
|
||||
OK_(crypt_repair(cd, CRYPT_LUKS2, NULL));
|
||||
|
||||
/* crypt_keyslot_add_passphrase (restricted) */
|
||||
- FAIL_((r = crypt_keyslot_add_by_passphrase(cd, CRYPT_ANY_SLOT, "aaa", 3, "bbb", 3)), "Unmet requirements detected");
|
||||
+ FAIL_((r = crypt_keyslot_add_by_passphrase(cd, CRYPT_ANY_SLOT, PASSPHRASE, strlen(PASSPHRASE), "bbb", 3)), "Unmet requirements detected");
|
||||
EQ_(r, -ETXTBSY);
|
||||
|
||||
/* crypt_keyslot_change_by_passphrase (restricted) */
|
||||
- FAIL_((r = crypt_keyslot_change_by_passphrase(cd, CRYPT_ANY_SLOT, 9, "aaa", 3, "bbb", 3)), "Unmet requirements detected");
|
||||
+ FAIL_((r = crypt_keyslot_change_by_passphrase(cd, CRYPT_ANY_SLOT, 9, PASSPHRASE, strlen(PASSPHRASE), "bbb", 3)), "Unmet requirements detected");
|
||||
EQ_(r, -ETXTBSY);
|
||||
|
||||
/* crypt_keyslot_add_by_keyfile (restricted) */
|
||||
@@ -3377,18 +3376,18 @@ static void Luks2Requirements(void)
|
||||
EQ_(r, -ETXTBSY);
|
||||
|
||||
/* crypt_volume_key_get (unrestricted, but see below) */
|
||||
- OK_(crypt_volume_key_get(cd, 0, key, &key_size, "aaa", 3));
|
||||
+ OK_(crypt_volume_key_get(cd, 0, key, &key_size, PASSPHRASE, strlen(PASSPHRASE)));
|
||||
|
||||
/* crypt_keyslot_add_by_volume_key (restricted) */
|
||||
- FAIL_((r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, key_size, "xxx", 3)), "Unmet requirements detected");
|
||||
+ FAIL_((r = crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, key_size, PASSPHRASE1, strlen(PASSPHRASE1))), "Unmet requirements detected");
|
||||
EQ_(r, -ETXTBSY);
|
||||
|
||||
/* crypt_keyslot_add_by_key (restricted) */
|
||||
- FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, NULL, key_size, "xxx", 3, CRYPT_VOLUME_KEY_NO_SEGMENT)), "Unmet requirements detected");
|
||||
+ FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, NULL, key_size, PASSPHRASE1, strlen(PASSPHRASE1), CRYPT_VOLUME_KEY_NO_SEGMENT)), "Unmet requirements detected");
|
||||
EQ_(r, -ETXTBSY);
|
||||
|
||||
/* crypt_keyslot_add_by_key (restricted) */
|
||||
- FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, key, key_size, "xxx", 3, 0)), "Unmet requirements detected");
|
||||
+ FAIL_((r = crypt_keyslot_add_by_key(cd, CRYPT_ANY_SLOT, key, key_size, PASSPHRASE1, strlen(PASSPHRASE1), 0)), "Unmet requirements detected");
|
||||
EQ_(r, -ETXTBSY);
|
||||
|
||||
/* crypt_persistent_flasgs_set (restricted) */
|
||||
@@ -3400,10 +3399,10 @@ static void Luks2Requirements(void)
|
||||
EQ_(flags, CRYPT_REQUIREMENT_UNKNOWN);
|
||||
|
||||
/* crypt_activate_by_passphrase (restricted for activation only) */
|
||||
- FAIL_((r = crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0)), "Unmet requirements detected");
|
||||
+ FAIL_((r = crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0)), "Unmet requirements detected");
|
||||
EQ_(r, -ETXTBSY);
|
||||
- OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, 0));
|
||||
- OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
|
||||
+ OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), 0));
|
||||
+ OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
|
||||
EQ_(crypt_status(cd, CDEVICE_1), CRYPT_INACTIVE);
|
||||
|
||||
/* crypt_activate_by_keyfile (restricted for activation only) */
|
||||
@@ -3420,7 +3419,7 @@ static void Luks2Requirements(void)
|
||||
|
||||
#ifdef KERNEL_KEYRING
|
||||
if (t_dm_crypt_keyring_support()) {
|
||||
- kid = add_key("user", KEY_DESC_TEST0, "aaa", 3, KEY_SPEC_THREAD_KEYRING);
|
||||
+ kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE, strlen(PASSPHRASE), KEY_SPEC_THREAD_KEYRING);
|
||||
NOTFAIL_(kid, "Test or kernel keyring are broken.");
|
||||
|
||||
/* crypt_activate_by_keyring (restricted for activation only) */
|
||||
@@ -3428,6 +3427,8 @@ static void Luks2Requirements(void)
|
||||
EQ_(r, t_dm_crypt_keyring_support() ? -ETXTBSY : -EINVAL);
|
||||
OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, 0));
|
||||
OK_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, CRYPT_ACTIVATE_KEYRING_KEY));
|
||||
+
|
||||
+ NOTFAIL_(keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING), "Test or kernel keyring are broken.");
|
||||
}
|
||||
#endif
|
||||
|
||||
@@ -3513,10 +3514,15 @@ static void Luks2Requirements(void)
|
||||
/* crypt_activate_by_token (restricted for activation only) */
|
||||
#ifdef KERNEL_KEYRING
|
||||
if (t_dm_crypt_keyring_support()) {
|
||||
+ kid = add_key("user", KEY_DESC_TEST0, PASSPHRASE, strlen(PASSPHRASE), KEY_SPEC_THREAD_KEYRING);
|
||||
+ NOTFAIL_(kid, "Test or kernel keyring are broken.");
|
||||
+
|
||||
FAIL_((r = crypt_activate_by_token(cd, CDEVICE_1, 1, NULL, 0)), ""); // supposed to be silent
|
||||
EQ_(r, -ETXTBSY);
|
||||
OK_(crypt_activate_by_token(cd, NULL, 1, NULL, 0));
|
||||
OK_(crypt_activate_by_token(cd, NULL, 1, NULL, CRYPT_ACTIVATE_KEYRING_KEY));
|
||||
+
|
||||
+ NOTFAIL_(keyctl_unlink(kid, KEY_SPEC_THREAD_KEYRING), "Test or kernel keyring are broken.");
|
||||
}
|
||||
#endif
|
||||
OK_(get_luks2_offsets(0, 8192, 0, NULL, &r_payload_offset));
|
||||
@@ -3528,7 +3534,7 @@ static void Luks2Requirements(void)
|
||||
CRYPT_FREE(cd);
|
||||
OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
|
||||
OK_(crypt_load(cd, CRYPT_LUKS, NULL));
|
||||
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0));
|
||||
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0));
|
||||
OK_(crypt_header_backup(cd, CRYPT_LUKS2, BACKUP_FILE));
|
||||
/* replace header with no requirements */
|
||||
OK_(_system("dd if=" REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1));
|
||||
@@ -3566,7 +3572,7 @@ static void Luks2Requirements(void)
|
||||
OK_(crypt_init_by_name(&cd, CDEVICE_1));
|
||||
|
||||
/* crypt_resume_by_passphrase (restricted) */
|
||||
- FAIL_((r = crypt_resume_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3)), "Unmet requirements detected");
|
||||
+ FAIL_((r = crypt_resume_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE))), "Unmet requirements detected");
|
||||
EQ_(r, -ETXTBSY);
|
||||
|
||||
/* crypt_resume_by_keyfile (restricted) */
|
||||
@@ -3580,13 +3586,13 @@ static void Luks2Requirements(void)
|
||||
|
||||
OK_(_system("dd if=" NO_REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1));
|
||||
OK_(crypt_init_by_name(&cd, CDEVICE_1));
|
||||
- OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3));
|
||||
+ OK_(crypt_resume_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE)));
|
||||
CRYPT_FREE(cd);
|
||||
OK_(_system("dd if=" REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1));
|
||||
|
||||
OK_(crypt_init_by_name(&cd, CDEVICE_1));
|
||||
/* load VK in keyring */
|
||||
- OK_(crypt_activate_by_passphrase(cd, NULL, 0, "aaa", 3, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
|
||||
+ OK_(crypt_activate_by_passphrase(cd, NULL, 0, PASSPHRASE, strlen(PASSPHRASE), t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
|
||||
/* crypt_resize (restricted) */
|
||||
FAIL_((r = crypt_resize(cd, CDEVICE_1, 1)), "Unmet requirements detected");
|
||||
EQ_(r, -ETXTBSY);
|
||||
@@ -3622,7 +3628,6 @@ static void Luks2Integrity(void)
|
||||
.integrity = "hmac(sha256)"
|
||||
};
|
||||
size_t key_size = 32 + 32;
|
||||
- const char *passphrase = "blabla";
|
||||
const char *cipher = "aes";
|
||||
const char *cipher_mode = "xts-random";
|
||||
int ret;
|
||||
@@ -3636,8 +3641,8 @@ static void Luks2Integrity(void)
|
||||
return;
|
||||
}
|
||||
|
||||
- EQ_(crypt_keyslot_add_by_volume_key(cd, 7, NULL, key_size, passphrase, strlen(passphrase)), 7);
|
||||
- EQ_(crypt_activate_by_passphrase(cd, CDEVICE_2, 7, passphrase, strlen(passphrase) ,0), 7);
|
||||
+ EQ_(crypt_keyslot_add_by_volume_key(cd, 7, NULL, key_size, PASSPHRASE, strlen(PASSPHRASE)), 7);
|
||||
+ EQ_(crypt_activate_by_passphrase(cd, CDEVICE_2, 7, PASSPHRASE, strlen(PASSPHRASE) ,0), 7);
|
||||
GE_(crypt_status(cd, CDEVICE_2), CRYPT_ACTIVE);
|
||||
CRYPT_FREE(cd);
|
||||
|
||||
@@ -3689,36 +3694,36 @@ static void Luks2Refresh(void)
|
||||
OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
|
||||
OK_(set_fast_pbkdf(cd));
|
||||
OK_(crypt_format(cd, CRYPT_LUKS2, cipher, mode, NULL, key, 32, NULL));
|
||||
- OK_(crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, 32, "aaa", 3));
|
||||
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0));
|
||||
+ OK_(crypt_keyslot_add_by_volume_key(cd, CRYPT_ANY_SLOT, key, 32, PASSPHRASE, strlen(PASSPHRASE)));
|
||||
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), 0));
|
||||
|
||||
/* check we can refresh significant flags */
|
||||
if (t_dm_crypt_discard_support()) {
|
||||
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_ALLOW_DISCARDS));
|
||||
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_ALLOW_DISCARDS));
|
||||
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
|
||||
OK_(check_flag(cad.flags, CRYPT_ACTIVATE_ALLOW_DISCARDS));
|
||||
cad.flags = 0;
|
||||
}
|
||||
|
||||
if (t_dm_crypt_cpu_switch_support()) {
|
||||
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SAME_CPU_CRYPT));
|
||||
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SAME_CPU_CRYPT));
|
||||
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
|
||||
OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SAME_CPU_CRYPT));
|
||||
cad.flags = 0;
|
||||
|
||||
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
|
||||
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
|
||||
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
|
||||
OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
|
||||
cad.flags = 0;
|
||||
|
||||
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
|
||||
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
|
||||
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
|
||||
OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
|
||||
cad.flags = 0;
|
||||
}
|
||||
|
||||
OK_(crypt_volume_key_keyring(cd, 0));
|
||||
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
|
||||
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
|
||||
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
|
||||
FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_KEYRING_KEY), "Unexpected flag raised.");
|
||||
cad.flags = 0;
|
||||
@@ -3726,7 +3731,7 @@ static void Luks2Refresh(void)
|
||||
#ifdef KERNEL_KEYRING
|
||||
if (t_dm_crypt_keyring_support()) {
|
||||
OK_(crypt_volume_key_keyring(cd, 1));
|
||||
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
|
||||
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
|
||||
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
|
||||
OK_(check_flag(cad.flags, CRYPT_ACTIVATE_KEYRING_KEY));
|
||||
cad.flags = 0;
|
||||
@@ -3735,26 +3740,26 @@ static void Luks2Refresh(void)
|
||||
|
||||
/* multiple flags at once */
|
||||
if (t_dm_crypt_discard_support() && t_dm_crypt_cpu_switch_support()) {
|
||||
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS));
|
||||
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS));
|
||||
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
|
||||
OK_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS | CRYPT_ACTIVATE_ALLOW_DISCARDS));
|
||||
cad.flags = 0;
|
||||
}
|
||||
|
||||
/* do not allow reactivation with read-only (and drop flag silently because activation behaves exactly same) */
|
||||
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_READONLY));
|
||||
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_READONLY));
|
||||
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
|
||||
FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_READONLY), "Reactivated with read-only flag.");
|
||||
cad.flags = 0;
|
||||
|
||||
/* reload flag is dropped silently */
|
||||
OK_(crypt_deactivate(cd, CDEVICE_1));
|
||||
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
|
||||
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
|
||||
|
||||
/* check read-only flag is not lost after reload */
|
||||
OK_(crypt_deactivate(cd, CDEVICE_1));
|
||||
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_READONLY));
|
||||
- OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
|
||||
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_READONLY));
|
||||
+ OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
|
||||
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
|
||||
OK_(check_flag(cad.flags, CRYPT_ACTIVATE_READONLY));
|
||||
cad.flags = 0;
|
||||
@@ -3762,7 +3767,7 @@ static void Luks2Refresh(void)
|
||||
/* check LUKS2 with auth. enc. reload */
|
||||
OK_(crypt_init(&cd2, DMDIR L_DEVICE_WRONG));
|
||||
if (!crypt_format(cd2, CRYPT_LUKS2, "aes", "gcm-random", crypt_get_uuid(cd), key, 32, ¶ms)) {
|
||||
- OK_(crypt_keyslot_add_by_volume_key(cd2, 0, key, 32, "aaa", 3));
|
||||
+ OK_(crypt_keyslot_add_by_volume_key(cd2, 0, key, 32, PASSPHRASE, strlen(PASSPHRASE)));
|
||||
OK_(crypt_activate_by_volume_key(cd2, CDEVICE_2, key, 32, 0));
|
||||
OK_(crypt_activate_by_volume_key(cd2, CDEVICE_2, key, 32, CRYPT_ACTIVATE_REFRESH | CRYPT_ACTIVATE_NO_JOURNAL));
|
||||
OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad));
|
||||
@@ -3772,11 +3777,11 @@ static void Luks2Refresh(void)
|
||||
OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad));
|
||||
OK_(check_flag(cad.flags, CRYPT_ACTIVATE_NO_JOURNAL | CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS));
|
||||
cad.flags = 0;
|
||||
- OK_(crypt_activate_by_passphrase(cd2, CDEVICE_2, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH));
|
||||
+ OK_(crypt_activate_by_passphrase(cd2, CDEVICE_2, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH));
|
||||
OK_(crypt_get_active_device(cd2, CDEVICE_2, &cad));
|
||||
FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_NO_JOURNAL), "");
|
||||
FAIL_(check_flag(cad.flags, CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS), "");
|
||||
- FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS2/aead context");
|
||||
+ FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS2/aead context");
|
||||
OK_(crypt_deactivate(cd2, CDEVICE_2));
|
||||
} else {
|
||||
printf("WARNING: cannot format integrity device, skipping few reload tests.\n");
|
||||
@@ -3786,8 +3791,8 @@ static void Luks2Refresh(void)
|
||||
/* Use LUKS1 context on LUKS2 device */
|
||||
OK_(crypt_init(&cd2, DMDIR L_DEVICE_1S));
|
||||
OK_(crypt_format(cd2, CRYPT_LUKS1, cipher, mode, crypt_get_uuid(cd), key, 32, NULL));
|
||||
- OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, NULL, 32, "aaa", 3));
|
||||
- FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS1 context");
|
||||
+ OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)));
|
||||
+ FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed LUKS2 device with LUKS1 context");
|
||||
CRYPT_FREE(cd2);
|
||||
|
||||
/* Use PLAIN context on LUKS2 device */
|
||||
@@ -3803,8 +3808,8 @@ static void Luks2Refresh(void)
|
||||
OK_(crypt_init(&cd2, DMDIR L_DEVICE_WRONG));
|
||||
OK_(set_fast_pbkdf(cd2));
|
||||
OK_(crypt_format(cd2, CRYPT_LUKS2, cipher, mode, crypt_get_uuid(cd), key, 32, NULL));
|
||||
- OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, key, 32, "aaa", 3));
|
||||
- FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, "aaa", 3, CRYPT_ACTIVATE_REFRESH), "Refreshed dm-crypt mapped over mismatching data device");
|
||||
+ OK_(crypt_keyslot_add_by_volume_key(cd2, CRYPT_ANY_SLOT, key, 32, PASSPHRASE, strlen(PASSPHRASE)));
|
||||
+ FAIL_(crypt_activate_by_passphrase(cd2, CDEVICE_1, 0, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_REFRESH), "Refreshed dm-crypt mapped over mismatching data device");
|
||||
|
||||
OK_(crypt_deactivate(cd, CDEVICE_1));
|
||||
|
||||
@@ -4825,7 +4830,7 @@ static void LuksKeyslotAdd(void)
|
||||
crypt_keyslot_context_free(um2);
|
||||
|
||||
// generate new unbound key
|
||||
- OK_(crypt_keyslot_context_init_by_volume_key(cd, NULL, 1, &um1));
|
||||
+ OK_(crypt_keyslot_context_init_by_volume_key(cd, NULL, 9, &um1));
|
||||
OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &um2));
|
||||
EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 10, um2, CRYPT_VOLUME_KEY_NO_SEGMENT), 10);
|
||||
EQ_(crypt_keyslot_status(cd, 10), CRYPT_SLOT_UNBOUND);
|
||||
diff --git a/tests/api-test.c b/tests/api-test.c
|
||||
index 2b2f0813..9bb6d2f1 100644
|
||||
--- a/tests/api-test.c
|
||||
+++ b/tests/api-test.c
|
||||
@@ -65,8 +65,8 @@
|
||||
#define KEYFILE2 "key2.file"
|
||||
#define KEY2 "0123456789abcdef"
|
||||
|
||||
-#define PASSPHRASE "blabla"
|
||||
-#define PASSPHRASE1 "albalb"
|
||||
+#define PASSPHRASE "blablabl"
|
||||
+#define PASSPHRASE1 "albalbal"
|
||||
|
||||
#define DEVICE_TEST_UUID "12345678-1234-1234-1234-123456789abc"
|
||||
|
||||
@@ -327,7 +327,7 @@ static void AddDevicePlain(void)
|
||||
char key[128], key2[128], path[128];
|
||||
struct crypt_keyslot_context *kc = NULL;
|
||||
|
||||
- const char *passphrase = PASSPHRASE;
|
||||
+ const char *passphrase = "blabla";
|
||||
// hashed hex version of PASSPHRASE
|
||||
const char *vk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea";
|
||||
size_t key_size = strlen(vk_hex) / 2;
|
||||
@@ -772,6 +772,10 @@ static void SuspendDevice(void)
|
||||
OK_(crypt_deactivate(cd, CDEVICE_1));
|
||||
CRYPT_FREE(cd);
|
||||
|
||||
+ /* skip tests using empty passphrase */
|
||||
+ if(_fips_mode)
|
||||
+ return;
|
||||
+
|
||||
OK_(get_luks_offsets(0, key_size, 1024*2, 0, NULL, &r_payload_offset));
|
||||
OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1));
|
||||
|
||||
@@ -806,7 +810,7 @@ static void AddDeviceLuks(void)
|
||||
};
|
||||
char key[128], key2[128], key3[128];
|
||||
|
||||
- const char *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd";
|
||||
+ const char *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd";
|
||||
const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
|
||||
const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e";
|
||||
size_t key_size = strlen(vk_hex) / 2;
|
||||
@@ -2105,7 +2109,7 @@ static void LuksKeyslotAdd(void)
|
||||
};
|
||||
char key[128], key3[128];
|
||||
|
||||
- const char *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd";
|
||||
+ const char *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd";
|
||||
const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
|
||||
const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e";
|
||||
size_t key_size = strlen(vk_hex) / 2;
|
||||
diff --git a/tests/compat-test b/tests/compat-test
|
||||
index 356b7283..6dc80041 100755
|
||||
--- a/tests/compat-test
|
||||
+++ b/tests/compat-test
|
||||
@@ -450,10 +450,13 @@ if [ -d /dev/disk/by-uuid ] ; then
|
||||
$CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
|
||||
$CRYPTSETUP -q luksClose $DEV_NAME || fail
|
||||
fi
|
||||
+# skip tests using empty passphrase
|
||||
+if [ ! fips_mode ]; then
|
||||
# empty keyfile
|
||||
$CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEYE || fail
|
||||
$CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
|
||||
$CRYPTSETUP -q luksClose $DEV_NAME || fail
|
||||
+fi
|
||||
# open by volume key
|
||||
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT -s 256 --volume-key-file $KEY1 $LOOPDEV || fail
|
||||
$CRYPTSETUP luksOpen --volume-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail
|
||||
@@ -503,7 +506,7 @@ echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --
|
||||
echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail
|
||||
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail
|
||||
# keyfile/passphrase
|
||||
-echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail
|
||||
+echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 8 || fail
|
||||
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: ENABLED" || fail
|
||||
|
||||
prepare "[18] RemoveKey passphrase and keyfile" reuse
|
||||
@@ -728,12 +731,15 @@ echo $PWDW | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
|
||||
[ $? -ne 2 ] && fail "luksResume should return EPERM exit code"
|
||||
echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME || fail
|
||||
$CRYPTSETUP -q luksClose $DEV_NAME || fail
|
||||
+# skip tests using empty passphrase
|
||||
+if [ ! fips_mode ]; then
|
||||
echo | $CRYPTSETUP -q luksFormat -c null $FAST_PBKDF_OPT --type luks1 $LOOPDEV || fail
|
||||
echo | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
|
||||
$CRYPTSETUP luksSuspend $DEV_NAME || fail
|
||||
$CRYPTSETUP -q status $DEV_NAME | grep -q "(suspended)" || fail
|
||||
echo | $CRYPTSETUP luksResume $DEV_NAME || fail
|
||||
$CRYPTSETUP -q luksClose $DEV_NAME || fail
|
||||
+fi
|
||||
|
||||
prepare "[27] luksOpen/luksResume with specified key slot number" wipe
|
||||
# first, let's try passphrase option
|
||||
diff --git a/tests/compat-test2 b/tests/compat-test2
|
||||
index 2f18d7b6..c54dc7ea 100755
|
||||
--- a/tests/compat-test2
|
||||
+++ b/tests/compat-test2
|
||||
@@ -427,10 +427,14 @@ if [ -d /dev/disk/by-uuid ] ; then
|
||||
$CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
|
||||
$CRYPTSETUP -q luksClose $DEV_NAME || fail
|
||||
fi
|
||||
+# skip tests using empty passphrases
|
||||
+if [ ! fips_mode ]; then
|
||||
# empty keyfile
|
||||
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEYE || fail
|
||||
$CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
|
||||
$CRYPTSETUP -q luksClose $DEV_NAME || fail
|
||||
+fi
|
||||
+
|
||||
# open by volume key
|
||||
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT -s 256 --volume-key-file $KEY1 --type luks2 $LOOPDEV || fail
|
||||
$CRYPTSETUP luksOpen --volume-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail
|
||||
@@ -477,7 +481,7 @@ echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV --
|
||||
echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail
|
||||
$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
|
||||
# keyfile/passphrase
|
||||
-echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail
|
||||
+echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 8 || fail
|
||||
$CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" || fail
|
||||
|
||||
prepare "[18] RemoveKey passphrase and keyfile" reuse
|
||||
@@ -1001,14 +1005,14 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
|
||||
$CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "pbkdf2" || fail
|
||||
echo $PWD1 | $CRYPTSETUP -q luksConvertKey $LOOPDEV -S 1 --pbkdf argon2i -i1 --pbkdf-memory 32 || can_fail_fips
|
||||
$CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || can_fail_fips
|
||||
-echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 21 --unbound -s 16 $LOOPDEV || fail
|
||||
+echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 21 --unbound -s 72 $LOOPDEV || fail
|
||||
echo $PWD3 | $CRYPTSETUP luksConvertKey --pbkdf-force-iterations 1001 --pbkdf pbkdf2 -S 21 $LOOPDEV || fail
|
||||
|
||||
prepare "[38] luksAddKey unbound tests" wipe
|
||||
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY5 --key-slot 5 || fail
|
||||
# unbound key may have arbitrary size
|
||||
-echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 16 $LOOPDEV || fail
|
||||
-echo $PWD2 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 32 -S 2 $LOOPDEV || fail
|
||||
+echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 72 $LOOPDEV || fail
|
||||
+echo $PWD2 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 72 -S 2 $LOOPDEV || fail
|
||||
$CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2 (unbound)" || fail
|
||||
dd if=/dev/urandom of=$KEY_FILE0 bs=64 count=1 > /dev/null 2>&1 || fail
|
||||
echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 512 -S 3 --volume-key-file $KEY_FILE0 $LOOPDEV || fail
|
||||
@@ -1100,10 +1104,10 @@ $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 --key-slot 2 -
|
||||
[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "2: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
|
||||
[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "2: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
|
||||
# unbound keyslot
|
||||
-echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 21 --unbound -s 32 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
|
||||
+echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 21 --unbound -s 72 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
|
||||
[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "21: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
|
||||
[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "21: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
|
||||
-echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 22 --unbound -s 32 $LOOPDEV || fail
|
||||
+echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 22 --unbound -s 72 $LOOPDEV || fail
|
||||
echo $PWD3 | $CRYPTSETUP luksConvertKey --key-slot 22 $LOOPDEV --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail
|
||||
[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "22: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail
|
||||
[ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "22: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail
|
||||
diff --git a/tests/keyring-compat-test b/tests/keyring-compat-test
|
||||
index 57c7fd98..ea88c210 100755
|
||||
--- a/tests/keyring-compat-test
|
||||
+++ b/tests/keyring-compat-test
|
||||
@@ -21,7 +21,7 @@ NAME=testcryptdev
|
||||
CHKS_DMCRYPT=vk_in_dmcrypt.chk
|
||||
CHKS_KEYRING=vk_in_keyring.chk
|
||||
|
||||
-PWD="aaa"
|
||||
+PWD="aaablabl"
|
||||
|
||||
[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
|
||||
CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
|
||||
diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test
|
||||
index 433f4d4c..f6a84137 100755
|
||||
--- a/tests/reencryption-compat-test
|
||||
+++ b/tests/reencryption-compat-test
|
||||
@@ -22,6 +22,12 @@ PWD3="1-9Qu5Ejfnqv"
|
||||
|
||||
MNT_DIR=./mnt_luks
|
||||
START_DIR=$(pwd)
|
||||
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
||||
+
|
||||
+function fips_mode()
|
||||
+{
|
||||
+ [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
|
||||
+}
|
||||
|
||||
function del_scsi_device()
|
||||
{
|
||||
@@ -296,6 +302,7 @@ check_slot 0 || fail "Only keyslot 0 expected to be enabled"
|
||||
$REENC $LOOPDEV1 -d $KEY1 $FAST_PBKDF -q || fail
|
||||
# FIXME echo $PWD1 | $REENC ...
|
||||
|
||||
+if [ ! fips_mode ]; then
|
||||
echo "[4] Encryption of not yet encrypted device"
|
||||
# well, movin' zeroes :-)
|
||||
OFFSET=2048
|
||||
@@ -323,6 +330,7 @@ OFFSET=4096
|
||||
echo fake | $REENC $LOOPDEV1 -d $KEY1 --new --type luks1 --reduce-device-size "$OFFSET"S -q $FAST_PBKDF || fail
|
||||
$CRYPTSETUP open --test-passphrase $LOOPDEV1 -d $KEY1 || fail
|
||||
wipe_dev $LOOPDEV1
|
||||
+fi
|
||||
|
||||
echo "[5] Reencryption using specific keyslot"
|
||||
echo $PWD2 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail
|
||||
@@ -396,6 +404,7 @@ add_scsi_device sector_size=512 dev_size_mb=32 physblk_exp=3
|
||||
test_logging "[4096/512 sector]" || fail
|
||||
test_logging_tmpfs || fail
|
||||
|
||||
+if [ ! fips_mode ]; then
|
||||
echo "[10] Removal of encryption"
|
||||
prepare 8192
|
||||
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail
|
||||
@@ -460,6 +469,7 @@ if [ "$HAVE_BLKID" -gt 0 ]; then
|
||||
echo $PWD1 | $REENC --header $IMG_HDR $HEADER_LUKS2_PV -q $FAST_PBKDF --new --type luks1 2>/dev/null && fail
|
||||
test -f $IMG_HDR && fail
|
||||
fi
|
||||
+fi # if [ ! fips_mode ]
|
||||
|
||||
remove_mapping
|
||||
exit 0
|
||||
diff --git a/tests/ssh-test-plugin b/tests/ssh-test-plugin
|
||||
index 0a440b93..5b3966e7 100755
|
||||
--- a/tests/ssh-test-plugin
|
||||
+++ b/tests/ssh-test-plugin
|
||||
@@ -11,7 +11,7 @@ CRYPTSETUP_SSH=$CRYPTSETUP_PATH/cryptsetup-ssh
|
||||
IMG="ssh_test.img"
|
||||
MAP="sshtest"
|
||||
USER="sshtest"
|
||||
-PASSWD="sshtest"
|
||||
+PASSWD="sshtest1"
|
||||
PASSWD2="sshtest2"
|
||||
SSH_OPTIONS="-o StrictHostKeyChecking=no"
|
||||
|
||||
--
|
||||
2.38.1
|
||||
|
||||
|
|
@ -0,0 +1,55 @@
|
|||
From be088b8de8d636993767a42f195ffd3bf915e567 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Mon, 12 Dec 2022 17:33:12 +0100
|
||||
Subject: [PATCH 1/2] Enable crypt_header_is_detached for empty contexts.
|
||||
|
||||
Also changes few tests now expecting crypt_header_is_detached
|
||||
works with empty contexts.
|
||||
---
|
||||
lib/setup.c | 2 +-
|
||||
tests/api-test-2.c | 2 +-
|
||||
tests/api-test.c | 2 +-
|
||||
3 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/lib/setup.c b/lib/setup.c
|
||||
index f169942c..3263578b 100644
|
||||
--- a/lib/setup.c
|
||||
+++ b/lib/setup.c
|
||||
@@ -3242,7 +3242,7 @@ int crypt_header_is_detached(struct crypt_device *cd)
|
||||
{
|
||||
int r;
|
||||
|
||||
- if (!cd || !isLUKS(cd->type))
|
||||
+ if (!cd || (cd->type && !isLUKS(cd->type)))
|
||||
return -EINVAL;
|
||||
|
||||
r = device_is_identical(crypt_data_device(cd), crypt_metadata_device(cd));
|
||||
diff --git a/tests/api-test-2.c b/tests/api-test-2.c
|
||||
index 2c39191b..c7e930ca 100644
|
||||
--- a/tests/api-test-2.c
|
||||
+++ b/tests/api-test-2.c
|
||||
@@ -889,7 +889,7 @@ static void AddDeviceLuks2(void)
|
||||
FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, key, key_size, 0), "Device is active");
|
||||
EQ_(crypt_status(cd, CDEVICE_2), CRYPT_INACTIVE);
|
||||
OK_(crypt_deactivate(cd, CDEVICE_1));
|
||||
- FAIL_(crypt_header_is_detached(cd), "no header for mismatched device");
|
||||
+ EQ_(crypt_header_is_detached(cd), 1);
|
||||
CRYPT_FREE(cd);
|
||||
|
||||
params.data_device = NULL;
|
||||
diff --git a/tests/api-test.c b/tests/api-test.c
|
||||
index 9bb6d2f1..f6e33a40 100644
|
||||
--- a/tests/api-test.c
|
||||
+++ b/tests/api-test.c
|
||||
@@ -960,7 +960,7 @@ static void AddDeviceLuks(void)
|
||||
FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, key, key_size, 0), "Device is active");
|
||||
EQ_(crypt_status(cd, CDEVICE_2), CRYPT_INACTIVE);
|
||||
OK_(crypt_deactivate(cd, CDEVICE_1));
|
||||
- FAIL_(crypt_header_is_detached(cd), "no header for mismatched device");
|
||||
+ EQ_(crypt_header_is_detached(cd), 1);
|
||||
CRYPT_FREE(cd);
|
||||
|
||||
params.data_device = NULL;
|
||||
--
|
||||
2.38.1
|
||||
|
||||
|
|
@ -0,0 +1,58 @@
|
|||
From a33f7bf5ca33587ddb05f2acac42f93068022458 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Fri, 2 Dec 2022 11:39:59 +0100
|
||||
Subject: [PATCH 1/3] Run PBKDF benchmark with 8 bytes long well-known
|
||||
passphrase.
|
||||
|
||||
---
|
||||
lib/utils_benchmark.c | 4 ++--
|
||||
src/cryptsetup.c | 4 ++--
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/lib/utils_benchmark.c b/lib/utils_benchmark.c
|
||||
index 0a0c438e..d8976fb2 100644
|
||||
--- a/lib/utils_benchmark.c
|
||||
+++ b/lib/utils_benchmark.c
|
||||
@@ -187,7 +187,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd,
|
||||
pbkdf->parallel_threads = 0; /* N/A in PBKDF2 */
|
||||
pbkdf->max_memory_kb = 0; /* N/A in PBKDF2 */
|
||||
|
||||
- r = crypt_benchmark_pbkdf(cd, pbkdf, "foo", 3, "01234567890abcdef", 16,
|
||||
+ r = crypt_benchmark_pbkdf(cd, pbkdf, "foobarfo", 8, "01234567890abcdef", 16,
|
||||
volume_key_size, &benchmark_callback, &u);
|
||||
pbkdf->time_ms = ms_tmp;
|
||||
if (r < 0) {
|
||||
@@ -207,7 +207,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd,
|
||||
return 0;
|
||||
}
|
||||
|
||||
- r = crypt_benchmark_pbkdf(cd, pbkdf, "foo", 3,
|
||||
+ r = crypt_benchmark_pbkdf(cd, pbkdf, "foobarfo", 8,
|
||||
"0123456789abcdef0123456789abcdef", 32,
|
||||
volume_key_size, &benchmark_callback, &u);
|
||||
if (r < 0)
|
||||
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
|
||||
index c2e23c6e..dfaf7682 100644
|
||||
--- a/src/cryptsetup.c
|
||||
+++ b/src/cryptsetup.c
|
||||
@@ -997,7 +997,7 @@ static int action_benchmark_kdf(const char *kdf, const char *hash, size_t key_si
|
||||
.time_ms = 1000,
|
||||
};
|
||||
|
||||
- r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foo", 3, "0123456789abcdef", 16, key_size,
|
||||
+ r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foobarfo", 8, "0123456789abcdef", 16, key_size,
|
||||
&benchmark_callback, &pbkdf);
|
||||
if (r < 0)
|
||||
log_std(_("PBKDF2-%-9s N/A\n"), hash);
|
||||
@@ -1012,7 +1012,7 @@ static int action_benchmark_kdf(const char *kdf, const char *hash, size_t key_si
|
||||
.parallel_threads = ARG_UINT32(OPT_PBKDF_PARALLEL_ID)
|
||||
};
|
||||
|
||||
- r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foo", 3,
|
||||
+ r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foobarfo", 8,
|
||||
"0123456789abcdef0123456789abcdef", 32,
|
||||
key_size, &benchmark_callback, &pbkdf);
|
||||
if (r < 0)
|
||||
--
|
||||
2.38.1
|
||||
|
||||
|
|
@ -20,11 +20,11 @@ Init_by_name call now fails with incomplatible cipher definition error.
|
|||
tests/mode-test | 5 +++++
|
||||
3 files changed, 15 insertions(+), 1 deletion(-)
|
||||
|
||||
Index: cryptsetup-2.3.7/lib/setup.c
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/lib/setup.c
|
||||
+++ cryptsetup-2.3.7/lib/setup.c
|
||||
@@ -1188,7 +1188,7 @@ static int _init_by_name_crypt(struct cr
|
||||
diff --git a/lib/setup.c b/lib/setup.c
|
||||
index 4bc3f6fb..57435475 100644
|
||||
--- a/lib/setup.c
|
||||
+++ b/lib/setup.c
|
||||
@@ -1258,7 +1258,7 @@ static int _init_by_name_crypt(struct crypt_device *cd, const char *name)
|
||||
r = crypt_parse_name_and_mode(tgt->type == DM_LINEAR ? "null" : tgt->u.crypt.cipher, cipher,
|
||||
&key_nums, cipher_mode);
|
||||
if (r < 0) {
|
||||
|
|
@ -33,11 +33,11 @@ Index: cryptsetup-2.3.7/lib/setup.c
|
|||
goto out;
|
||||
}
|
||||
|
||||
Index: cryptsetup-2.3.7/lib/utils_crypt.c
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/lib/utils_crypt.c
|
||||
+++ cryptsetup-2.3.7/lib/utils_crypt.c
|
||||
@@ -224,6 +224,15 @@ int crypt_capi_to_cipher(char **org_c, c
|
||||
diff --git a/lib/utils_crypt.c b/lib/utils_crypt.c
|
||||
index c1bde000..9232a91d 100644
|
||||
--- a/lib/utils_crypt.c
|
||||
+++ b/lib/utils_crypt.c
|
||||
@@ -306,6 +306,15 @@ int crypt_capi_to_cipher(char **org_c, char **org_i, const char *c_dm, const cha
|
||||
if (i != 2)
|
||||
return -EINVAL;
|
||||
|
||||
|
|
@ -53,20 +53,19 @@ Index: cryptsetup-2.3.7/lib/utils_crypt.c
|
|||
len = strlen(tmp);
|
||||
if (len < 2)
|
||||
return -EINVAL;
|
||||
Index: cryptsetup-2.3.7/tests/mode-test
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/tests/mode-test
|
||||
+++ cryptsetup-2.3.7/tests/mode-test
|
||||
@@ -8,6 +8,8 @@ DEV_NAME=dmc_test
|
||||
diff --git a/tests/mode-test b/tests/mode-test
|
||||
index fe61880a..4775751e 100755
|
||||
--- a/tests/mode-test
|
||||
+++ b/tests/mode-test
|
||||
@@ -8,6 +8,7 @@ DEV_NAME=dmc_test
|
||||
HEADER_IMG=mode-test.img
|
||||
PASSWORD=3xrododenron
|
||||
PASSWORD1=$PASSWORD
|
||||
+KEY="7c0dc5dfd0c9191381d92e6ebb3b29e7f0dba53b0de132ae23f5726727173540"
|
||||
+FAST_PBKDF2="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
|
||||
FAST_PBKDF2="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
|
||||
|
||||
# cipher-chainmode-ivopts:ivmode
|
||||
CIPHERS="aes twofish serpent"
|
||||
@@ -172,6 +174,10 @@ echo -n "CAPI format:"
|
||||
@@ -188,6 +189,10 @@ echo -n "CAPI format:"
|
||||
echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(aes)-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME || fail
|
||||
$CRYPTSETUP close "$DEV_NAME"_tstdev || fail
|
||||
echo $PASSWORD | $CRYPTSETUP create -h sha256 -c 'capi:xts(ecb(aes-generic))-plain64' -s 256 "$DEV_NAME"_tstdev /dev/mapper/$DEV_NAME 2>/dev/null && fail
|
||||
|
|
@ -77,3 +76,6 @@ Index: cryptsetup-2.3.7/tests/mode-test
|
|||
echo [OK]
|
||||
|
||||
cleanup
|
||||
--
|
||||
2.41.0
|
||||
|
||||
|
|
|
|||
|
|
@ -64,5 +64,5 @@ index 82171fbd..fe61880a 100755
|
|||
+
|
||||
cleanup
|
||||
--
|
||||
2.40.1
|
||||
2.41.0
|
||||
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
From b8711faf92868dc82b1a64e7673740444199b2ca Mon Sep 17 00:00:00 2001
|
||||
From: Milan Broz <gmazyland@gmail.com>
|
||||
Date: Sun, 25 Jun 2023 23:32:13 +0200
|
||||
Subject: [PATCH 2/2] Fix activation of LUKS2 with capi format cipher and
|
||||
kernel crypt name.
|
||||
Subject: [PATCH] Fix activation of LUKS2 with capi format cipher and kernel
|
||||
crypt name.
|
||||
|
||||
While activation of internal cipher algorithms (like aes-generic)
|
||||
is disallowed, some old LUKS2 images can still use it.
|
||||
|
|
@ -22,11 +22,11 @@ Fixes: #820
|
|||
5 files changed, 25 insertions(+), 2 deletions(-)
|
||||
create mode 100644 tests/luks2_invalid_cipher.img.xz
|
||||
|
||||
Index: cryptsetup-2.3.7/lib/luks2/luks2_json_metadata.c
|
||||
Index: cryptsetup-2.6.0/lib/luks2/luks2_json_metadata.c
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/lib/luks2/luks2_json_metadata.c
|
||||
+++ cryptsetup-2.3.7/lib/luks2/luks2_json_metadata.c
|
||||
@@ -2324,6 +2324,11 @@ int LUKS2_activate(struct crypt_device *
|
||||
--- cryptsetup-2.6.0.orig/lib/luks2/luks2_json_metadata.c
|
||||
+++ cryptsetup-2.6.0/lib/luks2/luks2_json_metadata.c
|
||||
@@ -2597,6 +2597,11 @@ int LUKS2_activate(struct crypt_device *
|
||||
if ((r = LUKS2_unmet_requirements(cd, hdr, 0, 0)))
|
||||
return r;
|
||||
|
||||
|
|
@ -38,19 +38,11 @@ Index: cryptsetup-2.3.7/lib/luks2/luks2_json_metadata.c
|
|||
r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd),
|
||||
vk, crypt_get_cipher_spec(cd), crypt_get_iv_offset(cd),
|
||||
crypt_get_data_offset(cd), crypt_get_integrity(cd) ?: "none",
|
||||
Index: cryptsetup-2.3.7/tests/compat-test2
|
||||
Index: cryptsetup-2.6.0/tests/compat-test2
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/tests/compat-test2
|
||||
+++ cryptsetup-2.3.7/tests/compat-test2
|
||||
@@ -3,6 +3,7 @@
|
||||
PS4='$LINENO:'
|
||||
[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
|
||||
CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
|
||||
+CRYPTSETUP_REENCRYPT=$CRYPTSETUP_PATH/cryptsetup-reencrypt
|
||||
|
||||
CRYPTSETUP_VALGRIND=../.libs/cryptsetup
|
||||
CRYPTSETUP_LIB_VALGRIND=../.libs
|
||||
@@ -16,6 +17,7 @@ IMG10=luks-test-v10
|
||||
--- cryptsetup-2.6.0.orig/tests/compat-test2
|
||||
+++ cryptsetup-2.6.0/tests/compat-test2
|
||||
@@ -16,6 +16,7 @@ IMG10=luks-test-v10
|
||||
HEADER_IMG=luks-header
|
||||
HEADER_KEYU=luks2_keyslot_unassigned.img
|
||||
HEADER_LUKS2_PV=blkid-luks2-pv.img
|
||||
|
|
@ -58,7 +50,7 @@ Index: cryptsetup-2.3.7/tests/compat-test2
|
|||
KEY1=key1
|
||||
KEY2=key2
|
||||
KEY5=key5
|
||||
@@ -50,7 +52,9 @@ function remove_mapping()
|
||||
@@ -50,7 +51,9 @@ function remove_mapping()
|
||||
[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
|
||||
[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME
|
||||
losetup -d $LOOPDEV >/dev/null 2>&1
|
||||
|
|
@ -69,9 +61,9 @@ Index: cryptsetup-2.3.7/tests/compat-test2
|
|||
|
||||
# unlink whole test keyring
|
||||
[ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null
|
||||
@@ -1049,5 +1053,19 @@ for cipher in $CIPHERS ; do
|
||||
done
|
||||
echo
|
||||
@@ -1200,5 +1203,17 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys
|
||||
$CRYPTSETUP open -q --test-passphrase --token-only --token-id 0 -q $IMG || fail
|
||||
fi
|
||||
|
||||
+prepare "[44] LUKS2 invalid cipher (kernel cipher driver name)" wipe
|
||||
+xz -dk $HEADER_LUKS2_INV.xz
|
||||
|
|
@ -80,8 +72,6 @@ Index: cryptsetup-2.3.7/tests/compat-test2
|
|||
+echo $PWD1 | $CRYPTSETUP open $LOOPDEV --test-passphrase || fail
|
||||
+echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME 2>&1 | grep -q "No known cipher specification pattern" || fail
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt $LOOPDEV >/dev/null 2>&1 && fail
|
||||
+echo $PWD1 | $CRYPTSETUP reencrypt $LOOPDEV 2>&1 | grep -q "No known cipher specification pattern" || fail
|
||||
+echo $PWD1 | $CRYPTSETUP_REENCRYPT $LOOPDEV 2>&1 | grep -q "No known cipher specification pattern" || fail
|
||||
+dmsetup create $DEV_NAME --uuid CRYPT-LUKS2-3d20686f551748cb89911ad32379821b-test --table \
|
||||
+ "0 8 crypt capi:xts(ecb(aes-generic))-plain64 edaa40709797973715e572bf7d86fcbb9cfe2051083c33c28d58fe4e1e7ff642 0 $LOOPDEV 32768"
|
||||
+$CRYPTSETUP status $DEV_NAME | grep -q "n/a" || fail
|
||||
|
|
@ -89,15 +79,3 @@ Index: cryptsetup-2.3.7/tests/compat-test2
|
|||
+
|
||||
remove_mapping
|
||||
exit 0
|
||||
Index: cryptsetup-2.3.7/src/cryptsetup.h
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/src/cryptsetup.h
|
||||
+++ cryptsetup-2.3.7/src/cryptsetup.h
|
||||
@@ -103,6 +103,7 @@ void tools_clear_line(void);
|
||||
int tools_wipe_progress(uint64_t size, uint64_t offset, void *usrptr);
|
||||
int tools_reencrypt_progress(uint64_t size, uint64_t offset, void *usrptr);
|
||||
int reencrypt_is_header_detached(const char *header_device, const char *data_device);
|
||||
+bool luks2_reencrypt_eligible(struct crypt_device *cd);
|
||||
|
||||
int tools_read_mk(const char *file, char **key, int keysize);
|
||||
int tools_write_mk(const char *file, const char *key, int keysize);
|
||||
|
|
|
|||
|
|
@ -48,5 +48,5 @@ index 4775751e..7f7f20a1 100755
|
|||
|
||||
cleanup
|
||||
--
|
||||
2.40.1
|
||||
2.41.0
|
||||
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
From 1f01eea60e38ac92aa05e4b95372d54b7b9095df Mon Sep 17 00:00:00 2001
|
||||
From: Milan Broz <gmazyland@gmail.com>
|
||||
Date: Mon, 26 Jun 2023 13:25:59 +0200
|
||||
Subject: [PATCH 1/2] Fix reencryption to fail properly for unknown cipher.
|
||||
Subject: [PATCH] Fix reencryption to fail properly for unknown cipher.
|
||||
|
||||
crypt_get_cipher and crypt_get_cipher mode can return NULL,
|
||||
check it in advance.
|
||||
|
|
@ -9,73 +9,23 @@ check it in advance.
|
|||
src/utils_reencrypt.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
Index: cryptsetup-2.3.7/src/cryptsetup.c
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/src/cryptsetup.c
|
||||
+++ cryptsetup-2.3.7/src/cryptsetup.c
|
||||
@@ -2999,6 +2999,12 @@ static int action_encrypt_luks2(struct c
|
||||
if (r < 0)
|
||||
goto err;
|
||||
|
||||
+ if (!crypt_get_cipher(*cd)) {
|
||||
+ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
|
||||
+ r = -EINVAL;
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
if (opt_data_shift) {
|
||||
params.data_shift = imaxabs(opt_data_shift) / SECTOR_SIZE,
|
||||
params.resilience = "datashift";
|
||||
@@ -3068,6 +3074,11 @@ static int action_decrypt_luks2(struct c
|
||||
};
|
||||
size_t passwordLen;
|
||||
diff --git a/src/utils_reencrypt.c b/src/utils_reencrypt.c
|
||||
index a78557cb..8ffceb36 100644
|
||||
--- a/src/utils_reencrypt.c
|
||||
+++ b/src/utils_reencrypt.c
|
||||
@@ -419,6 +419,12 @@ static bool luks2_reencrypt_eligible(struct crypt_device *cd)
|
||||
return false;
|
||||
}
|
||||
|
||||
+ /* Check that cipher is in compatible format */
|
||||
+ if (!crypt_get_cipher(cd)) {
|
||||
+ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
|
||||
+ return -EINVAL;
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
if (!crypt_get_metadata_device_name(cd) || !crypt_get_device_name(cd) ||
|
||||
!strcmp(crypt_get_metadata_device_name(cd), crypt_get_device_name(cd))) {
|
||||
log_err(_("LUKS2 decryption is supported with detached header device only."));
|
||||
@@ -3289,6 +3300,11 @@ static int action_reencrypt_luks2(struct
|
||||
.luks2 = &luks2_params,
|
||||
};
|
||||
return true;
|
||||
}
|
||||
|
||||
+ if (!crypt_get_cipher(cd)) {
|
||||
+ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+
|
||||
_set_reencryption_flags(¶ms.flags);
|
||||
|
||||
if (!opt_cipher && crypt_is_cipher_null(crypt_get_cipher(cd))) {
|
||||
Index: cryptsetup-2.3.7/src/cryptsetup_reencrypt.c
|
||||
===================================================================
|
||||
--- cryptsetup-2.3.7.orig/src/cryptsetup_reencrypt.c
|
||||
+++ cryptsetup-2.3.7/src/cryptsetup_reencrypt.c
|
||||
@@ -185,6 +185,11 @@ static int set_reencrypt_requirement(con
|
||||
crypt_persistent_flags_get(cd, CRYPT_FLAGS_REQUIREMENTS, &reqs))
|
||||
goto out;
|
||||
|
||||
+ if (!crypt_get_cipher(cd)) {
|
||||
+ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
/* reencrypt already in-progress */
|
||||
if (reqs & CRYPT_REQUIREMENT_OFFLINE_REENCRYPT) {
|
||||
log_err(_("Reencryption already in-progress."));
|
||||
@@ -709,6 +714,12 @@ static int backup_luks_headers(struct re
|
||||
(r = crypt_load(cd, CRYPT_LUKS, NULL)))
|
||||
goto out;
|
||||
|
||||
+ if (!crypt_get_cipher(cd)) {
|
||||
+ log_err(_("No known cipher specification pattern detected in LUKS2 header."));
|
||||
+ r = -EINVAL;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
if ((r = crypt_header_backup(cd, CRYPT_LUKS, rc->header_file_org)))
|
||||
goto out;
|
||||
if (isLUKS2(rc->type)) {
|
||||
--
|
||||
2.41.0
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,47 @@
|
|||
From 293abb5435e2b4bec7f8333fb11c88d5c1f45800 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Mon, 5 Dec 2022 13:35:24 +0100
|
||||
Subject: [PATCH 3/3] Add FIPS related error message in keyslot add code.
|
||||
|
||||
Add hints on what went wrong when creating new LUKS
|
||||
keyslots. The hint is printed only in FIPS mode and
|
||||
when pbkdf2 failed with passphrase shorter than 8
|
||||
bytes.
|
||||
---
|
||||
lib/luks1/keymanage.c | 5 ++++-
|
||||
lib/luks2/luks2_keyslot_luks2.c | 2 ++
|
||||
2 files changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c
|
||||
index de97b73c..225e84b8 100644
|
||||
--- a/lib/luks1/keymanage.c
|
||||
+++ b/lib/luks1/keymanage.c
|
||||
@@ -924,8 +924,11 @@ int LUKS_set_key(unsigned int keyIndex,
|
||||
hdr->keyblock[keyIndex].passwordSalt, LUKS_SALTSIZE,
|
||||
derived_key->key, hdr->keyBytes,
|
||||
hdr->keyblock[keyIndex].passwordIterations, 0, 0);
|
||||
- if (r < 0)
|
||||
+ if (r < 0) {
|
||||
+ if (crypt_fips_mode() && passwordLen < 8)
|
||||
+ log_err(ctx, _("Invalid passphrase for PBKDF2 in FIPS mode."));
|
||||
goto out;
|
||||
+ }
|
||||
|
||||
/*
|
||||
* AF splitting, the volume key stored in vk->key is split to AfKey
|
||||
diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c
|
||||
index 78f74242..f480bcab 100644
|
||||
--- a/lib/luks2/luks2_keyslot_luks2.c
|
||||
+++ b/lib/luks2/luks2_keyslot_luks2.c
|
||||
@@ -265,6 +265,8 @@ static int luks2_keyslot_set_key(struct crypt_device *cd,
|
||||
free(salt);
|
||||
if (r < 0) {
|
||||
crypt_free_volume_key(derived_key);
|
||||
+ if (crypt_fips_mode() && passwordLen < 8 && !strcmp(pbkdf.type, "pbkdf2"))
|
||||
+ log_err(cd, _("Invalid passphrase for PBKDF2 in FIPS mode."));
|
||||
return r;
|
||||
}
|
||||
|
||||
--
|
||||
2.38.1
|
||||
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
diff -rupN cryptsetup-2.0.4.old/configure cryptsetup-2.0.4/configure
|
||||
--- cryptsetup-2.0.4.old/configure 2018-08-03 12:31:52.000000000 +0200
|
||||
+++ cryptsetup-2.0.4/configure 2018-08-03 13:42:50.605275535 +0200
|
||||
@@ -12300,6 +12300,9 @@ fi
|
||||
diff -rupN cryptsetup-2.2.0.old/configure cryptsetup-2.2.0/configure
|
||||
--- cryptsetup-2.2.0.old/configure 2019-08-14 20:45:07.000000000 +0200
|
||||
+++ cryptsetup-2.2.0/configure 2019-08-15 09:11:14.775184005 +0200
|
||||
@@ -12294,6 +12294,9 @@ fi
|
||||
# before this can be enabled.
|
||||
hardcode_into_libs=yes
|
||||
|
||||
|
|
@ -11,7 +11,7 @@ diff -rupN cryptsetup-2.0.4.old/configure cryptsetup-2.0.4/configure
|
|||
# Ideally, we could use ldconfig to report *all* directores which are
|
||||
# searched for libraries, however this is still not possible. Aside from not
|
||||
# being certain /sbin/ldconfig is available, command
|
||||
@@ -12308,7 +12311,7 @@ fi
|
||||
@@ -12302,7 +12305,7 @@ fi
|
||||
# appending ld.so.conf contents (and includes) to the search path.
|
||||
if test -f /etc/ld.so.conf; then
|
||||
lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
|
||||
|
|
|
|||
|
|
@ -1,13 +0,0 @@
|
|||
diff --git a/tests/Makefile.localtest b/tests/Makefile.localtest
|
||||
index 29a62f3..da2183e 100644
|
||||
--- a/tests/Makefile.localtest
|
||||
+++ b/tests/Makefile.localtest
|
||||
@@ -5,7 +5,7 @@
|
||||
CPPFLAGS=-I../lib/ -I../lib/luks1 -DHAVE_DECL_DM_TASK_RETRY_REMOVE -DKERNEL_KEYRING -DHAVE_SYS_SYSMACROS_H -DNO_CRYPTSETUP_PATH
|
||||
CFLAGS=-O2 -g -Wall
|
||||
LDLIBS=-lcryptsetup -ldevmapper
|
||||
-TESTS=$(wildcard *-test *-test2) api-test api-test-2
|
||||
+TESTS=$(filter-out verity-compat-test, $(wildcard *-test *-test2)) api-test api-test-2
|
||||
|
||||
differ: differ.o
|
||||
$(CC) -o $@ $^
|
||||
|
|
@ -1,77 +1,59 @@
|
|||
Obsoletes: python2-cryptsetup
|
||||
Obsoletes: cryptsetup-python
|
||||
Obsoletes: cryptsetup-python3
|
||||
|
||||
Summary: A utility for setting up encrypted disks
|
||||
Summary: Utility for setting up encrypted disks
|
||||
Name: cryptsetup
|
||||
Version: 2.3.7
|
||||
Release: 7%{?dist}
|
||||
Version: 2.6.0
|
||||
Release: 3%{?dist}
|
||||
License: GPLv2+ and LGPLv2+
|
||||
Group: Applications/System
|
||||
URL: https://gitlab.com/cryptsetup/cryptsetup
|
||||
BuildRequires: openssl-devel, popt-devel, device-mapper-devel
|
||||
BuildRequires: libuuid-devel, gcc, libblkid-devel
|
||||
BuildRequires: libpwquality-devel, json-c-devel
|
||||
Provides: cryptsetup-luks = %{version}-%{release}
|
||||
Obsoletes: cryptsetup-luks < 1.4.0
|
||||
BuildRequires: libuuid-devel, gcc, json-c-devel
|
||||
BuildRequires: libpwquality-devel, libblkid-devel
|
||||
BuildRequires: make
|
||||
BuildRequires: asciidoctor
|
||||
Requires: cryptsetup-libs = %{version}-%{release}
|
||||
Requires: libpwquality >= 1.2.0
|
||||
Obsoletes: %{name}-reencrypt <= %{version}
|
||||
Provides: %{name}-reencrypt = %{version}
|
||||
|
||||
%global upstream_version %{version}
|
||||
Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{upstream_version}.tar.xz
|
||||
Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-%{upstream_version}.tar.xz
|
||||
|
||||
# binary archive with updated tests/conversion_imgs.tar.xz and tests/luks2_header_requirements.tar.xz
|
||||
# for testing (can not be patched via rpmbuild)
|
||||
Source1: tests.tar.xz
|
||||
|
||||
# Following patch has to applied last
|
||||
Patch0: %{name}-add-system-library-paths.patch
|
||||
# Remove the patch when (if ever) osci infrastructure gets stable enough
|
||||
Patch1: %{name}-disable-verity-compat-test.patch
|
||||
Patch2: %{name}-2.4.2-Do-not-try-to-set-compiler-optimization-flag-if-wipe.patch
|
||||
Patch3: %{name}-2.4.2-Fix-bogus-memory-allocation-if-LUKS2-header-size-is-.patch
|
||||
Patch4: %{name}-2.5.0-Fix-typo-in-repair-prompt.patch
|
||||
Patch5: %{name}-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch
|
||||
Patch6: %{name}-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch
|
||||
Patch7: %{name}-2.5.0-Remove-LUKS2-encryption-data-size-restriction.patch
|
||||
Patch8: %{name}-2.6.0-Fix-cipher-convert-routines-naming-confusion.patch
|
||||
Patch9: %{name}-2.6.0-Move-cipher_dm2c-to-crypto-utilities.patch
|
||||
Patch10: %{name}-2.6.0-Code-cleanup.patch
|
||||
Patch11: %{name}-2.6.0-Copy-also-integrity-string-in-legacy-mode.patch
|
||||
Patch12: %{name}-2.6.0-Fix-internal-crypt-segment-compare-routine.patch
|
||||
Patch13: %{name}-2.6.0-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch
|
||||
Patch14: %{name}-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch
|
||||
Patch15: %{name}-2.7.0-Disallow-use-of-internal-kenrel-crypto-driver-names-.patch
|
||||
Patch16: %{name}-2.7.0-Also-disallow-active-devices-with-internal-kernel-na.patch
|
||||
Patch17: %{name}-2.7.0-Fix-init_by_name-to-allow-unknown-cipher-format-in-d.patch
|
||||
Patch18: %{name}-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch
|
||||
Patch19: %{name}-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch
|
||||
Patch0000: %{name}-2.6.1-Run-PBKDF-benchmark-with-8-bytes-long-well-known-pas.patch
|
||||
Patch0001: %{name}-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch
|
||||
Patch0002: %{name}-2.6.1-Enable-crypt_header_is_detached-for-empty-contexts.patch
|
||||
Patch0003: %{name}-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch
|
||||
Patch0004: %{name}-2.7.0-Disallow-use-of-internal-kenrel-crypto-driver-names-.patch
|
||||
Patch0005: %{name}-2.7.0-Also-disallow-active-devices-with-internal-kernel-na.patch
|
||||
Patch0006: %{name}-2.7.0-Fix-init_by_name-to-allow-unknown-cipher-format-in-d.patch
|
||||
Patch0007: %{name}-2.7.0-Fix-reencryption-to-fail-properly-for-unknown-cipher.patch
|
||||
Patch0008: %{name}-2.7.0-Fix-activation-of-LUKS2-with-capi-format-cipher-and-.patch
|
||||
Patch9998: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch
|
||||
Patch9999: %{name}-add-system-library-paths.patch
|
||||
|
||||
%description
|
||||
The cryptsetup package contains a utility for setting up
|
||||
disk encryption using dm-crypt kernel module.
|
||||
|
||||
%package devel
|
||||
Group: Development/Libraries
|
||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
Requires: pkgconfig
|
||||
Summary: Headers and libraries for using encrypted file systems
|
||||
Provides: cryptsetup-luks-devel = %{version}-%{release}
|
||||
Obsoletes: cryptsetup-luks-devel < 1.4.0
|
||||
|
||||
%description devel
|
||||
The cryptsetup-devel package contains libraries and header files
|
||||
used for writing code that makes use of disk encryption.
|
||||
|
||||
%package libs
|
||||
Group: System Environment/Libraries
|
||||
Summary: Cryptsetup shared library
|
||||
Provides: cryptsetup-luks-libs = %{version}-%{release}
|
||||
Obsoletes: cryptsetup-luks-libs < 1.4.0
|
||||
|
||||
%description libs
|
||||
This package contains the cryptsetup shared library, libcryptsetup.
|
||||
|
||||
%package -n veritysetup
|
||||
Group: Applications/System
|
||||
Summary: A utility for setting up dm-verity volumes
|
||||
Requires: cryptsetup-libs = %{version}-%{release}
|
||||
|
||||
|
|
@ -80,7 +62,6 @@ The veritysetup package contains a utility for setting up
|
|||
disk verification using dm-verity kernel module.
|
||||
|
||||
%package -n integritysetup
|
||||
Group: Applications/System
|
||||
Summary: A utility for setting up dm-integrity volumes
|
||||
Requires: cryptsetup-libs = %{version}-%{release}
|
||||
|
||||
|
|
@ -88,79 +69,39 @@ Requires: cryptsetup-libs = %{version}-%{release}
|
|||
The integritysetup package contains a utility for setting up
|
||||
disk integrity protection using dm-integrity kernel module.
|
||||
|
||||
%package reencrypt
|
||||
Group: Applications/System
|
||||
Summary: A utility for offline reencryption of LUKS encrypted disks.
|
||||
Requires: cryptsetup-libs = %{version}-%{release}
|
||||
|
||||
%description reencrypt
|
||||
This package contains cryptsetup-reencrypt utility which
|
||||
can be used for offline reencryption of disk in situ.
|
||||
|
||||
%prep
|
||||
%setup -q -n cryptsetup-%{upstream_version} -a 1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
%patch19 -p1
|
||||
%patch0 -p1
|
||||
chmod -x misc/dracut_90reencrypt/*
|
||||
%autosetup -n cryptsetup-%{upstream_version} -p 1 -a 1
|
||||
|
||||
%build
|
||||
%configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --with-crypto_backend=openssl --with-default-luks-format=LUKS2
|
||||
make %{?_smp_mflags}
|
||||
rm -f man/*.8
|
||||
%configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --disable-ssh-token --enable-asciidoc
|
||||
%make_build
|
||||
|
||||
%install
|
||||
make install DESTDIR=%{buildroot}
|
||||
rm -rf %{buildroot}/%{_libdir}/*.la
|
||||
%make_install
|
||||
rm -rf %{buildroot}%{_libdir}/*.la
|
||||
|
||||
%find_lang cryptsetup
|
||||
|
||||
%post -n cryptsetup-libs -p /sbin/ldconfig
|
||||
|
||||
%postun -n cryptsetup-libs -p /sbin/ldconfig
|
||||
%ldconfig_scriptlets -n cryptsetup-libs
|
||||
|
||||
%files
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license COPYING
|
||||
%doc AUTHORS FAQ docs/*ReleaseNotes
|
||||
%doc AUTHORS FAQ.md docs/*ReleaseNotes
|
||||
%{_mandir}/man8/cryptsetup.8.gz
|
||||
%{_mandir}/man8/cryptsetup-*.8.gz
|
||||
%{_sbindir}/cryptsetup
|
||||
|
||||
%files -n veritysetup
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license COPYING
|
||||
%{_mandir}/man8/veritysetup.8.gz
|
||||
%{_sbindir}/veritysetup
|
||||
|
||||
%files -n integritysetup
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license COPYING
|
||||
%{_mandir}/man8/integritysetup.8.gz
|
||||
%{_sbindir}/integritysetup
|
||||
|
||||
%files reencrypt
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license COPYING
|
||||
%doc misc/dracut_90reencrypt
|
||||
%{_mandir}/man8/cryptsetup-reencrypt.8.gz
|
||||
%{_sbindir}/cryptsetup-reencrypt
|
||||
|
||||
%files devel
|
||||
%doc docs/examples/*
|
||||
%{_includedir}/libcryptsetup.h
|
||||
|
|
@ -168,130 +109,90 @@ rm -rf %{buildroot}/%{_libdir}/*.la
|
|||
%{_libdir}/pkgconfig/libcryptsetup.pc
|
||||
|
||||
%files libs -f cryptsetup.lang
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license COPYING COPYING.LGPL
|
||||
%{_libdir}/libcryptsetup.so.*
|
||||
%dir %{_libdir}/%{name}/
|
||||
%{_tmpfilesdir}/cryptsetup.conf
|
||||
%ghost %attr(700, -, -) %dir /run/cryptsetup
|
||||
|
||||
%clean
|
||||
|
||||
%changelog
|
||||
* Tue Jul 11 2023 Ondrej Kozina <okozina@redhat.com> - 2.3.7-7
|
||||
- Rebuild due to missing CI environment
|
||||
- Resolves: #2212772 #2193342
|
||||
|
||||
* Thu Jun 28 2023 Daniel Zatovic <dzatovic@redhat.com> - 2.3.7-6
|
||||
- patch: Delegate FIPS mode detection to configured crypto backend
|
||||
* Fri Jun 30 2023 Daniel Zatovic <dzatovic@redhat.com> - 2.6.0-3
|
||||
- patch: Disallow use of internal kenrel crypto driver names in "capi"
|
||||
- patch: Also disallow active devices with internal kernel names
|
||||
- patch: Fix init_by_name to allow unknown cipher format in dm-crypt
|
||||
- patch: Fix reencryption to fail properly for unknown cipher
|
||||
- patch: Fix activation of LUKS2 with capi format cipher and kernel
|
||||
- Resolves: #2212772 #2193342
|
||||
- Resolves: #2212771
|
||||
|
||||
* Tue Jan 10 2023 Daniel Zatovic <dzatovic@redhat.com> - 2.3.7-5
|
||||
- change cryptsetup-devel dependency from cryptsetup to cryptsetup-libs
|
||||
- Resolves: #2150254
|
||||
* Wed Dec 14 2022 Daniel Zatovic <dzatovic@redhat.com> - 2.6.0-2
|
||||
- Fix FIPS related bugs.
|
||||
- Abort encryption when header and data devices are same.
|
||||
- Resolves: #2150251 #2148841
|
||||
|
||||
* Wed Dec 21 2022 Daniel Zatovic <dzatovic@redhat.com> - 2.3.7-4
|
||||
- patch: Remove LUKS2 encryption data size restriction.
|
||||
- patch: Abort encryption when header and data devices are same.
|
||||
- Resolves: #2150254
|
||||
* Wed Nov 30 2022 Daniel Zatovic <dzatovic@redhat.com> - 2.6.0-1
|
||||
- Update to cryptsetup 2.6.0.
|
||||
- Resolves: #2003748 #2108404 #1862173
|
||||
|
||||
* Fri Nov 4 2022 Daniel Zatovic <dzatovic@redhat.com> - 2.3.7-3
|
||||
- patch: Fix internal crypt segment compare routine
|
||||
- Resolves: #2110810
|
||||
* Wed Aug 10 2022 Ondrej Kozina <okozina@redhat.com> - 2.4.3-5
|
||||
- patch: Delegate FIPS mode detection to crypto backend.
|
||||
- Resolves: #2080516
|
||||
|
||||
* Thu Feb 24 2022 Ondrej Kozina <okozina@redhat.com> - 2.3.7-2
|
||||
* Thu Feb 24 2022 Ondrej Kozina <okozina@redhat.com> - 2.4.3-4
|
||||
- patch: Fix broken upstream test.
|
||||
- Resolves: #2056439
|
||||
|
||||
* Wed Feb 23 2022 Ondrej Kozina <okozina@redhat.com> - 2.4.3-3
|
||||
- patch: Fix cryptsetup --test-passphrase when device in
|
||||
reencryption
|
||||
- Resolves: #2058009
|
||||
- Resolves: #2056439
|
||||
|
||||
* Thu Jan 20 2022 Ondrej Kozina <okozina@redhat.com> - 2.3.7-1
|
||||
- update to cryptsetup 2.3.7
|
||||
- fixes CVE-2021-4122
|
||||
- patch: Fix suboptimal optimization in bundled argon2.
|
||||
- patch: Fix bogus memory allocation/device read with
|
||||
invalid LUKS2 headers
|
||||
- patch: Fix typo in luksRepair prompt.
|
||||
- Resolves: #2021815 #2022301 #2031859
|
||||
* Thu Feb 17 2022 Ondrej Kozina <okozina@redhat.com> - 2.4.3-2
|
||||
- Various FIPS related fixes.
|
||||
- Resolves: #2051630
|
||||
|
||||
* Wed Feb 17 2021 Ondrej Kozina <okozina@redhat.com> - 2.3.3-4
|
||||
- patch: Fix reencryption for custom devices with data segments
|
||||
set to use cipher_null.
|
||||
- Resolves: #1927409
|
||||
* Fri Jan 21 2022 Ondrej Kozina <okozina@redhat.com> - 2.4.3-1
|
||||
- Update to cryptsetup 2.4.3.
|
||||
- patch: Fix typo in repair command prompt.
|
||||
Resolves: #2022309 #2023316 #2032782
|
||||
|
||||
* Wed Feb 03 2021 Ondrej Kozina <okozina@redhat.com> - 2.3.3-3
|
||||
- patch: Fix crypto backend to properly handle ECB mode.
|
||||
- Resolves: #1859091
|
||||
* Wed Sep 29 2021 Ondrej Kozina <okozina@redhat.com> - 2.4.1-1
|
||||
- Update to cryptsetup 2.4.1.
|
||||
Resolves: #2005035 #2005877
|
||||
|
||||
* Thu Aug 27 2020 Ondrej Kozina <okozina@redhat.com> - 2.3.3-2
|
||||
- patch: Fix possible memory corruption in LUKS2 validation
|
||||
code in 32bit library.
|
||||
- Resolves: #1872294
|
||||
* Thu Aug 19 2021 Ondrej Kozina <okozina@redhat.com> - 2.4.0-1
|
||||
- Update to cryptsetup 2.4.0.
|
||||
Resolves: #1869553 #1972722 #1974271 #1975799
|
||||
|
||||
* Thu May 28 2020 Ondrej Kozina <okozina@redhat.com> - 2.3.3-1
|
||||
- Update to cryptsetup 2.3.3
|
||||
- Resolves: #1796826 #1743891 #1785748
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.3.6-3
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
* Fri Apr 03 2020 Ondrej Kozina <okozina@redhat.com> - 2.3.1-1
|
||||
- Update to cryptsetup 2.3.1
|
||||
- Resolves: #1796826 #1743891 #1785748
|
||||
* Thu Jun 17 2021 Mohan Boddu <mboddu@redhat.com> - 2.3.6-2
|
||||
- Specbump for openssl 3.0
|
||||
Related: rhbz#1971065
|
||||
|
||||
* Mon Nov 18 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.2-1
|
||||
- Update to cryptsetup 2.2.2
|
||||
- LUKS2 reencryption honors activation flags (one time and persistent).
|
||||
- LUKS2 reencryption works also without volume keys put in kernel
|
||||
keyring service.
|
||||
- Resolves: #1757783 #1750680 #1753597 #1743399
|
||||
* Wed Jun 16 2021 Ondrej Kozina <okozina@redhat.com> - 2.3.6-1
|
||||
- Update to cryptsetup 2.3.6.
|
||||
- Resolves: #1961291 #1970932
|
||||
|
||||
* Fri Aug 30 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-2
|
||||
- patch: Fix mapped segments overflow on 32bit architectures.
|
||||
- patch: Take optimal io size in account with LUKS2 reencryption.
|
||||
- Resolves: #1742815 #1746532
|
||||
* Tue Jun 15 2021 Mohan Boddu <mboddu@redhat.com> - 2.3.5-5
|
||||
- Rebuilt for RHEL 9 BETA for openssl 3.0
|
||||
|
||||
* Thu Aug 15 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-1
|
||||
- Update to cryptsetup 2.2.0 (final)
|
||||
- Resolves: #1738263 #1740342 #1733391 #1729600 #1733390
|
||||
Related: rhbz#1971065
|
||||
|
||||
* Fri Jun 14 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-0.2
|
||||
- Updates to reencryption feature.
|
||||
- Resolves: #1676622
|
||||
* Tue Apr 27 2021 Ondrej Kozina <okozina@redhat.com> - 2.3.5-4
|
||||
- Drop dependency on libargon2
|
||||
- Resolves: #1936959
|
||||
|
||||
* Fri May 03 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-0.1
|
||||
- Update to cryptsetup 2.2.0
|
||||
- remove python bits from spec file.
|
||||
- Resolves: #1676622
|
||||
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2.3.5-3
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
* Thu Mar 21 2019 Milan Broz <mbroz@redhat.com> - 2.0.6-2
|
||||
- Add gating tests.
|
||||
- Resolves: #1682539
|
||||
* Thu Mar 11 2021 Milan Broz <gmazyland@gmail.com> - 2.3.5-1
|
||||
- Update to cryptsetup 2.3.5.
|
||||
|
||||
* Mon Dec 03 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.6-1
|
||||
- Update to cryptsetup 2.0.6
|
||||
- Enables all supported metadata sizes in LUKS2 validation code.
|
||||
- Resolves: #1653383
|
||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.4-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Fri Aug 10 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.4-2
|
||||
- patch: fix device alignment bug when processing hinted
|
||||
value by device topology info.
|
||||
- Resolves: #1614219
|
||||
|
||||
* Wed Aug 08 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.4-1
|
||||
- Update to cryptsetup 2.0.4.
|
||||
- patch: Add RHEL system library paths in configure.
|
||||
- patch: Increase default LUKS2 header size to 8 MiBs.
|
||||
- patch: update tests to be compatible with larger headers.
|
||||
- Set default format to LUKS2.
|
||||
- Cleanup changelog.
|
||||
- Resolves: #1564540 #1595257 #1595266 #1595881 #1600164
|
||||
|
||||
* Fri May 04 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.3-1
|
||||
- Update to cryptsetup 2.0.3.
|
||||
|
||||
* Tue Mar 27 2018 Björn Esser <besser82@fedoraproject.org> - 2.0.2-2
|
||||
- Rebuilt for libjson-c.so.4 (json-c v0.13.1) on fc28
|
||||
|
||||
* Wed Mar 07 2018 Milan Broz <gmazyland@gmail.com> - 2.0.2-1
|
||||
- Update to cryptsetup 2.0.2.
|
||||
* Thu Sep 03 2020 Milan Broz <gmazyland@gmail.com> - 2.3.4-1
|
||||
- Update to cryptsetup 2.3.4.
|
||||
- Fix for CVE-2020-14382 (#1874712)
|
||||
|
|
|
|||
Loading…
Reference in New Issue