diff -rupN cryptsetup-2.4.3.old/man/cryptsetup.8 cryptsetup-2.4.3/man/cryptsetup.8 --- cryptsetup-2.4.3.old/man/cryptsetup.8 2022-02-23 16:33:42.449525744 +0100 +++ cryptsetup-2.4.3/man/cryptsetup.8 2022-02-23 16:34:02.624636076 +0100 @@ -321,7 +321,8 @@ the command prompts for it interactively \-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase, \-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id, \-\-token\-only, \-\-token-type, \-\-disable\-external\-tokens, \-\-disable\-keyring, -\-\-disable\-locks, \-\-type, \-\-refresh, \-\-serialize\-memory\-hard\-pbkdf]. +\-\-disable\-locks, \-\-type, \-\-refresh, \-\-serialize\-memory\-hard\-pbkdf, +\-\-unbound]. .PP \fIluksSuspend\fR .IP @@ -1465,10 +1466,14 @@ aligned to page size and page-cache init integrity tag. .TP .B "\-\-unbound" - Creates new or dumps existing LUKS2 unbound keyslot. See \fIluksAddKey\fR or \fIluksDump\fR actions for more details. +When used in \fIluksOpen\fR action (allowed only together with +\-\-test\-passphrase parameter), it allows to test passphrase for unbound LUKS2 +keyslot. Otherwise, unbound keyslot passphrase can be tested only when specific +keyslot is selected via \-\-key\-slot parameter. + .TP .B "\-\-tcrypt\-hidden" .B "\-\-tcrypt\-system" diff -rupN cryptsetup-2.4.3.old/src/cryptsetup_args.h cryptsetup-2.4.3/src/cryptsetup_args.h --- cryptsetup-2.4.3.old/src/cryptsetup_args.h 2022-02-23 16:33:42.450525749 +0100 +++ cryptsetup-2.4.3/src/cryptsetup_args.h 2022-02-23 16:43:53.418866968 +0100 
@@ -75,7 +75,7 @@
 #define OPT_TCRYPT_HIDDEN_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION }
 #define OPT_TCRYPT_SYSTEM_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION }
 #define OPT_TEST_PASSPHRASE_ACTIONS { OPEN_ACTION }
-#define OPT_UNBOUND_ACTIONS { ADDKEY_ACTION, LUKSDUMP_ACTION }
+#define OPT_UNBOUND_ACTIONS { ADDKEY_ACTION, LUKSDUMP_ACTION, OPEN_ACTION }
 #define OPT_USE_RANDOM_ACTIONS { FORMAT_ACTION }
 #define OPT_USE_URANDOM_ACTIONS { FORMAT_ACTION }
 #define OPT_UUID_ACTIONS { FORMAT_ACTION, UUID_ACTION }
diff -rupN cryptsetup-2.4.3.old/src/cryptsetup.c cryptsetup-2.4.3/src/cryptsetup.c
--- cryptsetup-2.4.3.old/src/cryptsetup.c 2022-02-23 16:33:42.450525749 +0100
+++ cryptsetup-2.4.3/src/cryptsetup.c 2022-02-23 16:47:36.893089087 +0100
@@ -140,7 +140,8 @@ static void _set_activation_flags(uint32
 *flags |= CRYPT_ACTIVATE_IGNORE_PERSISTENT;
 /* Only for LUKS2 but ignored elsewhere */
- if (ARG_SET(OPT_TEST_PASSPHRASE_ID))
+ if (ARG_SET(OPT_TEST_PASSPHRASE_ID) &&
+ (ARG_SET(OPT_KEY_SLOT_ID) || ARG_SET(OPT_UNBOUND_ID)))
 *flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY;
 if (ARG_SET(OPT_SERIALIZE_MEMORY_HARD_PBKDF_ID))
@@ -3982,6 +3983,18 @@ int main(int argc, const char **argv)
 _("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."),
 poptGetInvocationName(popt_context));
+ if (ARG_SET(OPT_UNBOUND_ID) && !strcmp(aname, OPEN_ACTION) && device_type &&
+ strncmp(device_type, "luks", 4))
+ usage(popt_context, EXIT_FAILURE,
+ _("Option --unbound is allowed only for open of luks device."),
+ poptGetInvocationName(popt_context));
+
+ if (ARG_SET(OPT_UNBOUND_ID) && !ARG_SET(OPT_TEST_PASSPHRASE_ID) &&
+ !strcmp(aname, OPEN_ACTION))
+ usage(popt_context, EXIT_FAILURE,
+ _("Option --unbound cannot be used without --test-passphrase."),
+ poptGetInvocationName(popt_context));
+
 if (ARG_SET(OPT_TCRYPT_HIDDEN_ID) && ARG_SET(OPT_ALLOW_DISCARDS_ID))
 usage(popt_context, EXIT_FAILURE,
 _("Option --tcrypt-hidden cannot be combined with --allow-discards."),
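Review bot: The narrowed condition in `_set_activation_flags` has no comment explaining why CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY now requires `--key-slot` or `--unbound`; the surviving comment (`Only for LUKS2 but ignored elsewhere`) describes the flag, not the restriction. The restriction looks security-relevant: with the old condition a bare `open --test-passphrase` would presumably report success for a passphrase that opens only an unbound keyslot, so a caller using it to confirm that a passphrase unlocks the volume could get a false positive. I would add above the `if`: `/* Accept unbound keyslots only on explicit request (--key-slot or --unbound); a plain --test-passphrase must match a keyslot that unlocks the volume. */`. The function body starts and ends outside the hunk.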
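Review bot: The type check added in `main` uses `strncmp(device_type, "luks", 4)`, a prefix match, so `--type luks1 --unbound --test-passphrase` passes it although the man page text in this same patch describes unbound keyslots as LUKS2-only. For LUKS1 the flag is then ignored (per the `Only for LUKS2 but ignored elsewhere` comment in `_set_activation_flags`) and the user gets no diagnostic. Comparing against the exact names, `strcmp(device_type, "luks") && strcmp(device_type, "luks2")`, would reject that combination up front, and the message could then say LUKS2. The check is also skipped when `device_type` is NULL; whether `open` always has a type set by this point is not visible here, and `main` continues outside the hunk.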