From 2dd5a3fbfd29bcfa1ed7f2b7b81193f377dc9796 Mon Sep 17 00:00:00 2001 From: Tomas Bzatek Date: Fri, 2 Jun 2023 17:14:09 +0200 Subject: [PATCH] * Fri Jun 02 2023 Tomas Bzatek - 2.9.0-14 - iscsi: CHAP auth algorithm selection fixes (#2188991) - tests: Use stronger passphrases for LUKS tests - lvm2: Improve uevent processing (#2039772) Resolves: #2188991,#2039772 --- udisks-2.10.0-iscsi-CHAP-auth-algs.patch | 161 +++++++ udisks-2.10.0-iscsi_test_01_badauth.patch | 75 ++++ ...2.10.0-iscsi_test_02_lio_target_conf.patch | 51 +++ ...csi_test_04_fix_test_login_chap_auth.patch | 37 ++ udisks-2.10.0-lvm2_update_epoch.patch | 113 +++++ udisks-2.10.0-lvm2_vgcreate_uevent_sync.patch | 26 ++ udisks-2.9.4-FIPS_LUKS_fixes-2.patch | 405 ++++++++++++++++++ udisks2.spec | 25 +- 8 files changed, 891 insertions(+), 2 deletions(-) create mode 100644 udisks-2.10.0-iscsi-CHAP-auth-algs.patch create mode 100644 udisks-2.10.0-iscsi_test_01_badauth.patch create mode 100644 udisks-2.10.0-iscsi_test_02_lio_target_conf.patch create mode 100644 udisks-2.10.0-iscsi_test_04_fix_test_login_chap_auth.patch create mode 100644 udisks-2.10.0-lvm2_update_epoch.patch create mode 100644 udisks-2.10.0-lvm2_vgcreate_uevent_sync.patch create mode 100644 udisks-2.9.4-FIPS_LUKS_fixes-2.patch diff --git a/udisks-2.10.0-iscsi-CHAP-auth-algs.patch b/udisks-2.10.0-iscsi-CHAP-auth-algs.patch new file mode 100644 index 0000000..be7f96c --- /dev/null +++ b/udisks-2.10.0-iscsi-CHAP-auth-algs.patch @@ -0,0 +1,161 @@ +From 26fcef727d68af97b1187d2ac3cad19acc3d97c8 Mon Sep 17 00:00:00 2001 +From: Tomas Bzatek +Date: Tue, 16 May 2023 18:33:59 +0200 +Subject: [PATCH 1/2] iscsi: Set node parameters before the Login/Logout action + +This allows to properly pass required arguments like the CHAP +auth algorithms, etc. +--- + modules/iscsi/udisksiscsiutil.c | 54 ++++++++++++++++++--------------- + 1 file changed, 29 insertions(+), 25 deletions(-) + +diff --git a/modules/iscsi/udisksiscsiutil.c b/modules/iscsi/udisksiscsiutil.c +index 78890106f0..b279442876 100644 +--- a/modules/iscsi/udisksiscsiutil.c ++++ b/modules/iscsi/udisksiscsiutil.c +@@ -186,9 +186,10 @@ iscsi_perform_login_action (UDisksLinuxModuleISCSI *module, + } + + static gint +-iscsi_node_set_parameters (struct libiscsi_context *ctx, +- struct libiscsi_node *node, +- GVariant *params) ++iscsi_node_set_parameters (struct libiscsi_context *ctx, ++ struct libiscsi_node *node, ++ GVariant *params, ++ gchar **errorstr) + { + GVariantIter iter; + GVariant *value; +@@ -207,9 +208,11 @@ iscsi_node_set_parameters (struct libiscsi_context *ctx, + + /* Update the node parameter value. */ + err = libiscsi_node_set_parameter (ctx, node, key, param_value); ++ if (errorstr && err != 0) ++ *errorstr = g_strdup (libiscsi_get_error_string (ctx)); + + g_variant_unref (value); +- g_free ((gpointer) key); ++ g_free (key); + } + + return 0; +@@ -279,7 +282,7 @@ iscsi_login (UDisksLinuxModuleISCSI *module, + const gchar *password = NULL; + const gchar *reverse_username = NULL; + const gchar *reverse_password = NULL; +- gint err; ++ gint err = 0; + + g_return_val_if_fail (UDISKS_IS_LINUX_MODULE_ISCSI (module), 1); + +@@ -304,17 +307,18 @@ iscsi_login (UDisksLinuxModuleISCSI *module, + /* Get iscsi context. */ + ctx = udisks_linux_module_iscsi_get_libiscsi_context (module); + +- /* Login */ +- err = iscsi_perform_login_action (module, +- ACTION_LOGIN, +- &node, +- &auth_info, +- errorstr); ++ /* Update node parameters. */ ++ if (params) ++ err = iscsi_node_set_parameters (ctx, &node, params_without_chap, errorstr); + +- if (err == 0 && params) ++ /* Login */ ++ if (err == 0) + { +- /* Update node parameters. */ +- err = iscsi_node_set_parameters (ctx, &node, params_without_chap); ++ err = iscsi_perform_login_action (module, ++ ACTION_LOGIN, ++ &node, ++ &auth_info, ++ errorstr); + } + + g_variant_unref (params_without_chap); +@@ -334,7 +338,7 @@ iscsi_logout (UDisksLinuxModuleISCSI *module, + { + struct libiscsi_context *ctx; + struct libiscsi_node node = {0,}; +- gint err; ++ gint err = 0; + + g_return_val_if_fail (UDISKS_IS_LINUX_MODULE_ISCSI (module), 1); + +@@ -344,18 +348,18 @@ iscsi_logout (UDisksLinuxModuleISCSI *module, + /* Get iscsi context. */ + ctx = udisks_linux_module_iscsi_get_libiscsi_context (module); + +- /* Logout */ +- err = iscsi_perform_login_action (module, +- ACTION_LOGOUT, +- &node, +- NULL, +- errorstr); ++ /* Update node parameters. */ ++ if (params) ++ err = iscsi_node_set_parameters (ctx, &node, params, errorstr); + +- if (err == 0 && params) ++ /* Logout */ ++ if (err == 0) + { +- /* Update node parameters. */ +- err = iscsi_node_set_parameters (ctx, &node, params); +- ++ err = iscsi_perform_login_action (module, ++ ACTION_LOGOUT, ++ &node, ++ NULL, ++ errorstr); + } + + return err; + +From 749812784abcc4c0492bda0703bff5d3dae052f9 Mon Sep 17 00:00:00 2001 +From: Tomas Bzatek +Date: Tue, 16 May 2023 18:35:42 +0200 +Subject: [PATCH 2/2] tests: Disallow MD5 for iscsi CHAP login + +MD5 is unavailable in FIPS mode: + + iscsid[82167]: iscsid: Ignoring CHAP algorthm request for MD5 due to crypto lib configuration + iscsid[82167]: iscsid: Couldn't set CHAP algorithm list + kernel: rx_data returned 0, expecting 48. + kernel: iSCSI Login negotiation failed. +--- + src/tests/dbus-tests/test_30_iscsi.py | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/tests/dbus-tests/test_30_iscsi.py b/src/tests/dbus-tests/test_30_iscsi.py +index 09e975f30c..02ba6c92b0 100644 +--- a/src/tests/dbus-tests/test_30_iscsi.py ++++ b/src/tests/dbus-tests/test_30_iscsi.py +@@ -161,6 +161,7 @@ def test_login_chap_auth(self): + self.assertEqual(port, self.port) + + options = dbus.Dictionary(signature='sv') ++ options['node.session.auth.chap_algs'] = 'SHA3-256,SHA256,SHA1' # disallow MD5 + options['username'] = self.initiator + + msg = 'Login failed: initiator reported error \(24 - iSCSI login failed due to authorization failure\)' +@@ -227,6 +228,7 @@ def test_login_mutual_auth(self): + self.assertEqual(port, self.port) + + options = dbus.Dictionary(signature='sv') ++ options['node.session.auth.chap_algs'] = 'SHA3-256,SHA256,SHA1' # disallow MD5 + options['username'] = self.initiator + options['password'] = self.password + options['reverse-username'] = self.mutual_iqn +@@ -335,6 +337,7 @@ def test_login_noauth_badauth(self): + + # first attempt - wrong password + options = dbus.Dictionary(signature='sv') ++ options['node.session.auth.chap_algs'] = 'SHA3-256,SHA256,SHA1' # disallow MD5 + options['username'] = self.initiator + msg = r'Login failed: initiator reported error \((19 - encountered non-retryable iSCSI login failure|24 - iSCSI login failed due to authorization failure)\)' + with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg): diff --git a/udisks-2.10.0-iscsi_test_01_badauth.patch b/udisks-2.10.0-iscsi_test_01_badauth.patch new file mode 100644 index 0000000..48a41ff --- /dev/null +++ b/udisks-2.10.0-iscsi_test_01_badauth.patch @@ -0,0 +1,75 @@ +commit fab797fcf5e4c8e09e4cde45647951acd764415e +Author: Tomas Bzatek +Date: Mon Oct 10 13:58:15 2022 +0200 + + tests: Add bad auth test for iscsi + + This tests that the auth info is properly set for each login call, + overriding previously set auth info with no trace. + +diff --git a/src/tests/dbus-tests/test_30_iscsi.py b/src/tests/dbus-tests/test_30_iscsi.py +index 34bdfc4b..6ac8386b 100644 +--- a/src/tests/dbus-tests/test_30_iscsi.py ++++ b/src/tests/dbus-tests/test_30_iscsi.py +@@ -284,3 +284,61 @@ class UdisksISCSITest(udiskstestcase.UdisksTestCase): + # make sure the session object is no longer on dbus + objects = udisks.GetManagedObjects(dbus_interface='org.freedesktop.DBus.ObjectManager') + self.assertNotIn(session_path, objects.keys()) ++ ++ def test_login_noauth_badauth(self): ++ """ ++ Test auth info override ++ """ ++ manager = self.get_object('/Manager') ++ nodes, _ = manager.DiscoverSendTargets(self.address, self.port, self.no_options, ++ dbus_interface=self.iface_prefix + '.Manager.ISCSI.Initiator', ++ timeout=self.iscsi_timeout) ++ ++ node = next((node for node in nodes if node[0] == self.noauth_iqn), None) ++ self.assertIsNotNone(node) ++ ++ (iqn, tpg, host, port, iface) = node ++ self.assertEqual(iqn, self.noauth_iqn) ++ self.assertEqual(host, self.address) ++ self.assertEqual(port, self.port) ++ ++ self.addCleanup(self._force_lougout, self.noauth_iqn) ++ ++ # first attempt - wrong password ++ options = dbus.Dictionary(signature='sv') ++ options['username'] = self.initiator ++ msg = 'Login failed: initiator reported error' ++ with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg): ++ options['password'] = '12345' ++ manager.Login(iqn, tpg, host, port, iface, options, ++ dbus_interface=self.iface_prefix + '.Manager.ISCSI.Initiator', ++ timeout=self.iscsi_timeout) ++ ++ # second atttempt - no password ++ manager.Login(iqn, tpg, host, port, iface, self.no_options, ++ dbus_interface=self.iface_prefix + '.Manager.ISCSI.Initiator', ++ timeout=self.iscsi_timeout) ++ ++ devs = glob.glob('/dev/disk/by-path/*%s*' % iqn) ++ self.assertEqual(len(devs), 1) ++ ++ # check if the block device have 'Symlinks' property updated ++ disk_name = os.path.realpath(devs[0]).split('/')[-1] ++ disk_obj = self.get_object('/block_devices/' + disk_name) ++ dbus_path = str(disk_obj.object_path) ++ self.assertIsNotNone(disk_obj) ++ ++ symlinks = self.get_property_raw(disk_obj, '.Block', 'Symlinks') ++ self.assertIn(self.str_to_ay(devs[0]), symlinks) ++ ++ manager.Logout(iqn, tpg, host, port, iface, self.no_options, ++ dbus_interface=self.iface_prefix + '.Manager.ISCSI.Initiator', ++ timeout=self.iscsi_timeout) ++ ++ devs = glob.glob('/dev/disk/by-path/*%s*' % iqn) ++ self.assertEqual(len(devs), 0) ++ ++ # make sure the disk is no longer on dbus ++ udisks = self.get_object('') ++ objects = udisks.GetManagedObjects(dbus_interface='org.freedesktop.DBus.ObjectManager') ++ self.assertNotIn(dbus_path, objects.keys()) diff --git a/udisks-2.10.0-iscsi_test_02_lio_target_conf.patch b/udisks-2.10.0-iscsi_test_02_lio_target_conf.patch new file mode 100644 index 0000000..cf269a5 --- /dev/null +++ b/udisks-2.10.0-iscsi_test_02_lio_target_conf.patch @@ -0,0 +1,51 @@ +commit 13a6a27eecdd1fb527b9151309366970b182a58d +Author: Tomas Bzatek +Date: Thu Oct 20 17:17:10 2022 +0200 + + tests: Fix LIO target config auth + + Linux kernel 6.0 brought number of the LIO target changes related to authentication + that made our tests fail. Turned out our target config was incorrect, e.g. + not requiring auth for CHAP tests, etc. The kernel 6.0 looks to be more strict + in this regard. + +diff --git a/src/tests/dbus-tests/targetcli_config.json b/src/tests/dbus-tests/targetcli_config.json +index 25d506b6..3be9eac2 100644 +--- a/src/tests/dbus-tests/targetcli_config.json ++++ b/src/tests/dbus-tests/targetcli_config.json +@@ -385,7 +385,7 @@ + "tpgs": [ + { + "attributes": { +- "authentication": 0, ++ "authentication": 1, + "cache_dynamic_acls": 0, + "default_cmdsn_depth": 64, + "default_erl": 0, +@@ -432,7 +432,7 @@ + } + ], + "parameters": { +- "AuthMethod": "CHAP,None", ++ "AuthMethod": "CHAP", + "DataDigest": "CRC32C,None", + "DataPDUInOrder": "Yes", + "DataSequenceInOrder": "Yes", +@@ -471,7 +471,7 @@ + "tpgs": [ + { + "attributes": { +- "authentication": 0, ++ "authentication": 1, + "cache_dynamic_acls": 0, + "default_cmdsn_depth": 64, + "default_erl": 0, +@@ -520,7 +520,7 @@ + } + ], + "parameters": { +- "AuthMethod": "CHAP,None", ++ "AuthMethod": "CHAP", + "DataDigest": "CRC32C,None", + "DataPDUInOrder": "Yes", + "DataSequenceInOrder": "Yes", diff --git a/udisks-2.10.0-iscsi_test_04_fix_test_login_chap_auth.patch b/udisks-2.10.0-iscsi_test_04_fix_test_login_chap_auth.patch new file mode 100644 index 0000000..bf759fe --- /dev/null +++ b/udisks-2.10.0-iscsi_test_04_fix_test_login_chap_auth.patch @@ -0,0 +1,37 @@ +commit 1bf172603e4cc77da70d8fd13b6ba6c8b8c91600 +Author: Tomas Bzatek +Date: Thu Oct 20 17:53:20 2022 +0200 + + tests: Test iscsi noauth in test_login_chap_auth + + The other way is already tested in test_login_noauth_badauth. + +diff --git a/src/tests/dbus-tests/test_30_iscsi.py b/src/tests/dbus-tests/test_30_iscsi.py +index 2b75462a..f2594d99 100644 +--- a/src/tests/dbus-tests/test_30_iscsi.py ++++ b/src/tests/dbus-tests/test_30_iscsi.py +@@ -151,8 +151,14 @@ class UdisksISCSITest(udiskstestcase.UdisksTestCase): + options = dbus.Dictionary(signature='sv') + options['username'] = self.initiator + ++ msg = 'Login failed: initiator reported error \(24 - iSCSI login failed due to authorization failure\)' ++ # missing auth info ++ with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg): ++ manager.Login(iqn, tpg, host, port, iface, self.no_options, ++ dbus_interface=self.iface_prefix + '.Manager.ISCSI.Initiator', ++ timeout=self.iscsi_timeout) ++ + # wrong password +- msg = 'Login failed: initiator reported error' + with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg): + options['password'] = '12345' + manager.Login(iqn, tpg, host, port, iface, options, +@@ -318,7 +324,7 @@ class UdisksISCSITest(udiskstestcase.UdisksTestCase): + # first attempt - wrong password + options = dbus.Dictionary(signature='sv') + options['username'] = self.initiator +- msg = 'Login failed: initiator reported error' ++ msg = r'Login failed: initiator reported error \((19 - encountered non-retryable iSCSI login failure|24 - iSCSI login failed due to authorization failure)\)' + with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg): + options['password'] = '12345' + manager.Login(iqn, tpg, host, port, iface, options, diff --git a/udisks-2.10.0-lvm2_update_epoch.patch b/udisks-2.10.0-lvm2_update_epoch.patch new file mode 100644 index 0000000..0bd70a7 --- /dev/null +++ b/udisks-2.10.0-lvm2_update_epoch.patch @@ -0,0 +1,113 @@ +From 28c39786927ad683f56c031d80a5c06f5b5b9aea Mon Sep 17 00:00:00 2001 +From: Marius Vollmer +Date: Tue, 5 Apr 2022 11:23:23 +0300 +Subject: [PATCH] lvm2: Only install results of most recently started udpates + +Fixes #966 +--- + modules/lvm2/udiskslinuxmodulelvm2.c | 13 ++++++++++++- + modules/lvm2/udiskslinuxvolumegroupobject.c | 12 ++++++++++++ + 2 files changed, 24 insertions(+), 1 deletion(-) + +diff --git a/modules/lvm2/udiskslinuxmodulelvm2.c b/modules/lvm2/udiskslinuxmodulelvm2.c +index 8e1ea13aec..77ecf94a6d 100644 +--- a/modules/lvm2/udiskslinuxmodulelvm2.c ++++ b/modules/lvm2/udiskslinuxmodulelvm2.c +@@ -59,6 +59,8 @@ struct _UDisksLinuxModuleLVM2 { + + gint delayed_update_id; + gboolean coldplug_done; ++ ++ guint32 update_epoch; + }; + + typedef struct _UDisksLinuxModuleLVM2Class UDisksLinuxModuleLVM2Class; +@@ -86,6 +88,7 @@ udisks_linux_module_lvm2_constructed (GObject *object) + + module->name_to_volume_group = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, (GDestroyNotify) g_object_unref); + module->coldplug_done = FALSE; ++ module->update_epoch = 0; + + if (G_OBJECT_CLASS (udisks_linux_module_lvm2_parent_class)->constructed) + G_OBJECT_CLASS (udisks_linux_module_lvm2_parent_class)->constructed (object); +@@ -221,6 +224,12 @@ lvm_update_vgs (GObject *source_obj, + gpointer key, value; + const gchar *vg_name; + ++ if (GPOINTER_TO_UINT (user_data) != module->update_epoch) ++ { ++ vgs_pvs_data_free (data); ++ return; ++ } ++ + if (! data) + { + if (error) +@@ -303,11 +312,13 @@ lvm_update (UDisksLinuxModuleLVM2 *module) + { + GTask *task; + ++ module->update_epoch++; ++ + /* the callback (lvm_update_vgs) is called in the default main loop (context) */ + task = g_task_new (module, + NULL /* cancellable */, + lvm_update_vgs, +- NULL /* callback_data */); ++ GUINT_TO_POINTER (module->update_epoch)); + + /* holds a reference to 'task' until it is finished */ + g_task_run_in_thread (task, (GTaskThreadFunc) vgs_task_func); +diff --git a/modules/lvm2/udiskslinuxvolumegroupobject.c b/modules/lvm2/udiskslinuxvolumegroupobject.c +index ce941cb250..ead08de7b1 100644 +--- a/modules/lvm2/udiskslinuxvolumegroupobject.c ++++ b/modules/lvm2/udiskslinuxvolumegroupobject.c +@@ -66,6 +66,7 @@ struct _UDisksLinuxVolumeGroupObject + gchar *name; + + GHashTable *logical_volumes; ++ guint32 update_epoch; + guint32 poll_epoch; + guint poll_timeout_id; + gboolean poll_requested; +@@ -99,6 +100,7 @@ static void crypttab_changed (UDisksCrypttabMonitor *monitor, + typedef struct { + BDLVMVGdata *vg_info; + GSList *vg_pvs; ++ guint32 epoch; + } VGUpdateData; + + static void +@@ -183,6 +185,7 @@ udisks_linux_volume_group_object_set_property (GObject *__object, + static void + udisks_linux_volume_group_object_init (UDisksLinuxVolumeGroupObject *object) + { ++ object->update_epoch = 0; + object->poll_epoch = 0; + object->poll_timeout_id = 0; + object->poll_requested = FALSE; +@@ -575,6 +578,12 @@ update_vg (GObject *source_obj, + BDLVMVGdata *vg_info = data->vg_info; + GSList *vg_pvs = data->vg_pvs; + ++ if (data->epoch != object->update_epoch) ++ { ++ lv_list_free (lvs); ++ return; ++ } ++ + /* free the data container (but not 'vg_info' and 'vg_pvs') */ + g_free (data); + +@@ -711,8 +720,11 @@ udisks_linux_volume_group_object_update (UDisksLinuxVolumeGroupObject *object, B + gchar *vg_name = g_strdup (vg_info->name); + GTask *task = NULL; + ++ object->update_epoch++; ++ + data->vg_info = vg_info; + data->vg_pvs = pvs; ++ data->epoch = object->update_epoch; + + /* the callback (update_vg) is called in the default main loop (context) */ + task = g_task_new (g_object_ref (object), NULL /* cancellable */, update_vg, data /* callback_data */); diff --git a/udisks-2.10.0-lvm2_vgcreate_uevent_sync.patch b/udisks-2.10.0-lvm2_vgcreate_uevent_sync.patch new file mode 100644 index 0000000..ae9e001 --- /dev/null +++ b/udisks-2.10.0-lvm2_vgcreate_uevent_sync.patch @@ -0,0 +1,26 @@ +From f24601b1d1302350fff15f326bfe3cfabde05f4c Mon Sep 17 00:00:00 2001 +From: Tomas Bzatek +Date: Fri, 19 May 2023 17:17:56 +0200 +Subject: [PATCH] lvm2: Trigger uevent sync on block devices when creating new + VG + +This will likely slow down processing with the hope that +more objects have their properties updated properly. +--- + modules/lvm2/udiskslinuxmanagerlvm2.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/modules/lvm2/udiskslinuxmanagerlvm2.c b/modules/lvm2/udiskslinuxmanagerlvm2.c +index b0c62fdcd6..5c06b921df 100644 +--- a/modules/lvm2/udiskslinuxmanagerlvm2.c ++++ b/modules/lvm2/udiskslinuxmanagerlvm2.c +@@ -384,7 +384,8 @@ handle_volume_group_create (UDisksManagerLVM2 *_object, + UDisksObject *object_for_block; + object_for_block = udisks_daemon_util_dup_object (block, &error); + if (object_for_block != NULL) +- udisks_linux_block_object_trigger_uevent (UDISKS_LINUX_BLOCK_OBJECT (object_for_block)); ++ udisks_linux_block_object_trigger_uevent_sync (UDISKS_LINUX_BLOCK_OBJECT (object_for_block), ++ UDISKS_DEFAULT_WAIT_TIMEOUT); + g_object_unref (object_for_block); + } + diff --git a/udisks-2.9.4-FIPS_LUKS_fixes-2.patch b/udisks-2.9.4-FIPS_LUKS_fixes-2.patch new file mode 100644 index 0000000..1ff92fb --- /dev/null +++ b/udisks-2.9.4-FIPS_LUKS_fixes-2.patch @@ -0,0 +1,405 @@ +diff -up udisks-2.9.0/src/tests/dbus-tests/test_50_block.py.bak udisks-2.9.0/src/tests/dbus-tests/test_50_block.py +--- udisks-2.9.0/src/tests/dbus-tests/test_50_block.py.bak 2020-05-26 14:59:20.000000000 +0200 ++++ udisks-2.9.0/src/tests/dbus-tests/test_50_block.py 2023-06-02 17:08:45.203845819 +0200 +@@ -11,6 +11,8 @@ import udiskstestcase + class UdisksBlockTest(udiskstestcase.UdisksTestCase): + '''This is a basic block device test suite''' + ++ LUKS_PASSPHRASE = 'shouldnotseeme' ++ + def _close_luks(self, disk): + disk.Lock(self.no_options, dbus_interface=self.iface_prefix + '.Encrypted') + +@@ -201,7 +203,7 @@ class UdisksBlockTest(udiskstestcase.Udi + + # format the disk + disk = self.get_object('/block_devices/' + os.path.basename(self.vdevs[0])) +- disk.Format('xfs', {'encrypt.passphrase': 'test'}, dbus_interface=self.iface_prefix + '.Block') ++ disk.Format('xfs', {'encrypt.passphrase': self.LUKS_PASSPHRASE}, dbus_interface=self.iface_prefix + '.Block') + + # cleanup -- close the luks and remove format + self.addCleanup(self.wipe_fs, self.vdevs[0]) +@@ -209,7 +211,7 @@ class UdisksBlockTest(udiskstestcase.Udi + + # configuration items as arrays of dbus.Byte + opts = self.str_to_ay('verify') +- passwd = self.str_to_ay('test') ++ passwd = self.str_to_ay(self.LUKS_PASSPHRASE) + + # set the new configuration + conf = dbus.Dictionary({'passphrase-contents': passwd, +@@ -254,7 +256,7 @@ class UdisksBlockTest(udiskstestcase.Udi + + # format the disk + disk = self.get_object('/block_devices/' + os.path.basename(self.vdevs[0])) +- disk.Format('xfs', {'encrypt.passphrase': 'test'}, dbus_interface=self.iface_prefix + '.Block') ++ disk.Format('xfs', {'encrypt.passphrase': self.LUKS_PASSPHRASE}, dbus_interface=self.iface_prefix + '.Block') + + # cleanup -- close the luks and remove format + self.addCleanup(self.wipe_fs, self.vdevs[0]) +diff -up udisks-2.9.0/src/tests/dbus-tests/test_70_encrypted.py.bak udisks-2.9.0/src/tests/dbus-tests/test_70_encrypted.py +--- udisks-2.9.0/src/tests/dbus-tests/test_70_encrypted.py.bak 2020-05-26 14:59:20.000000000 +0200 ++++ udisks-2.9.0/src/tests/dbus-tests/test_70_encrypted.py 2023-06-02 17:07:33.828531988 +0200 +@@ -40,6 +40,9 @@ def _get_blkid_version(): + class UdisksEncryptedTest(udiskstestcase.UdisksTestCase): + '''This is an encrypted device test suite''' + ++ PASSPHRASE = 'shouldnotseeme' ++ LUKS_NAME = 'myshinylittleluks' ++ + def _create_luks(self, device, passphrase, binary=False): + raise NotImplementedError() + +@@ -60,7 +63,7 @@ class UdisksEncryptedTest(udiskstestcase + disk_name = os.path.basename(self.vdevs[0]) + disk = self.get_object('/block_devices/' + disk_name) + +- self._create_luks(disk, 'test') ++ self._create_luks(disk, self.PASSPHRASE) + self.addCleanup(self._remove_luks, disk) + self.udev_settle() + +@@ -124,7 +127,7 @@ class UdisksEncryptedTest(udiskstestcase + disk_name = os.path.basename(self.vdevs[0]) + disk = self.get_object('/block_devices/' + disk_name) + +- self._create_luks(disk, 'test') ++ self._create_luks(disk, self.PASSPHRASE) + self.addCleanup(self._remove_luks, disk) + self.udev_settle() + +@@ -160,11 +163,11 @@ class UdisksEncryptedTest(udiskstestcase + # wrong password + msg = 'org.freedesktop.UDisks2.Error.Failed: Error unlocking %s *' % self.vdevs[0] + with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg): +- disk.Unlock('shbdkjaf', self.no_options, ++ disk.Unlock('abcdefghijklmn', self.no_options, + dbus_interface=self.iface_prefix + '.Encrypted') + + # right password +- luks = disk.Unlock('test', self.no_options, ++ luks = disk.Unlock(self.PASSPHRASE, self.no_options, + dbus_interface=self.iface_prefix + '.Encrypted') + self.assertIsNotNone(luks) + self.assertTrue(os.path.exists('/dev/disk/by-uuid/%s' % luks_uuid)) +@@ -180,7 +183,7 @@ class UdisksEncryptedTest(udiskstestcase + + # read-only + ro_opts = dbus.Dictionary({'read-only': dbus.Boolean(True)}, signature=dbus.Signature('sv')) +- luks = disk.Unlock('test', ro_opts, ++ luks = disk.Unlock(self.PASSPHRASE, ro_opts, + dbus_interface=self.iface_prefix + '.Encrypted') + self.assertIsNotNone(luks) + self.assertTrue(os.path.exists('/dev/disk/by-uuid/%s' % luks_uuid)) +@@ -196,13 +199,10 @@ class UdisksEncryptedTest(udiskstestcase + crypttab = self.read_file('/etc/crypttab') + self.addCleanup(self.write_file, '/etc/crypttab', crypttab) + +- passwd = 'test' +- luks_name = 'myshinylittleluks' +- + disk_name = os.path.basename(self.vdevs[0]) + disk = self.get_object('/block_devices/' + disk_name) + +- self._create_luks(disk, passwd) ++ self._create_luks(disk, self.PASSPHRASE) + self.addCleanup(self._remove_luks, disk) + self.udev_settle() + +@@ -212,22 +212,22 @@ class UdisksEncryptedTest(udiskstestcase + disk.Lock(self.no_options, dbus_interface=self.iface_prefix + '.Encrypted') + + # add new entry to the crypttab +- new_crypttab = crypttab + '%s UUID=%s none\n' % (luks_name, disk_uuid) ++ new_crypttab = crypttab + '%s UUID=%s none\n' % (self.LUKS_NAME, disk_uuid) + self.write_file('/etc/crypttab', new_crypttab) + + # give udisks time to react to change of the file + time.sleep(5) + dbus_conf = disk.GetSecretConfiguration(self.no_options, dbus_interface=self.iface_prefix + '.Block') + self.assertIsNotNone(dbus_conf) +- self.assertEqual(self.ay_to_str(dbus_conf[0][1]['name']), luks_name) ++ self.assertEqual(self.ay_to_str(dbus_conf[0][1]['name']), self.LUKS_NAME) + + # unlock the device +- luks = disk.Unlock(passwd, self.no_options, ++ luks = disk.Unlock(self.PASSPHRASE, self.no_options, + dbus_interface=self.iface_prefix + '.Encrypted') + self.assertIsNotNone(luks) + + # unlock should use name from crypttab for the /dev/mapper device +- dm_path = '/dev/mapper/%s' % luks_name ++ dm_path = '/dev/mapper/%s' % self.LUKS_NAME + self.assertTrue(os.path.exists(dm_path)) + + # preferred 'device' should be /dev/mapper/name too +@@ -242,8 +242,7 @@ class UdisksEncryptedTest(udiskstestcase + crypttab = self.read_file('/etc/crypttab') + self.addCleanup(self.write_file, '/etc/crypttab', crypttab) + +- passwd = b'test\0test' +- luks_name = 'myshinylittleluks' ++ passwd = b'testtesttest\0testtesttest' + + # create key file + _fd, key_file = tempfile.mkstemp() +@@ -264,14 +263,14 @@ class UdisksEncryptedTest(udiskstestcase + disk.Lock(self.no_options, dbus_interface=self.iface_prefix + '.Encrypted') + + # add new entry to the crypttab +- new_crypttab = crypttab + '%s UUID=%s %s\n' % (luks_name, disk_uuid, key_file) ++ new_crypttab = crypttab + '%s UUID=%s %s\n' % (self.LUKS_NAME, disk_uuid, key_file) + self.write_file('/etc/crypttab', new_crypttab) + + # give udisks time to react to change of the file + time.sleep(5) + dbus_conf = disk.GetSecretConfiguration(self.no_options, dbus_interface=self.iface_prefix + '.Block') + self.assertIsNotNone(dbus_conf) +- self.assertEqual(self.ay_to_str(dbus_conf[0][1]['name']), luks_name) ++ self.assertEqual(self.ay_to_str(dbus_conf[0][1]['name']), self.LUKS_NAME) + self.assertEqual(self.ay_to_str(dbus_conf[0][1]['passphrase-path']), key_file) + + # unlock the device using empty passphrase (should use the key file) +@@ -280,7 +279,7 @@ class UdisksEncryptedTest(udiskstestcase + self.assertIsNotNone(luks) + + # unlock should use name from crypttab for the /dev/mapper device +- dm_path = '/dev/mapper/%s' % luks_name ++ dm_path = '/dev/mapper/%s' % self.LUKS_NAME + self.assertTrue(os.path.exists(dm_path)) + + # preferred 'device' should be /dev/mapper/name too +@@ -293,7 +292,7 @@ class UdisksEncryptedTest(udiskstestcase + disk_name = os.path.basename(self.vdevs[0]) + disk = self.get_object('/block_devices/' + disk_name) + +- self._create_luks(disk, 'test') ++ self._create_luks(disk, self.PASSPHRASE) + self.addCleanup(self._remove_luks, disk) + self.udev_settle() + +@@ -320,11 +319,11 @@ class UdisksEncryptedTest(udiskstestcase + disk_name = os.path.basename(self.vdevs[0]) + disk = self.get_object('/block_devices/' + disk_name) + +- self._create_luks(disk, 'test') ++ self._create_luks(disk, self.PASSPHRASE) + self.addCleanup(self._remove_luks, disk) + self.udev_settle() + +- disk.ChangePassphrase('test', 'password', self.no_options, ++ disk.ChangePassphrase(self.PASSPHRASE, self.PASSPHRASE + '222', self.no_options, + dbus_interface=self.iface_prefix + '.Encrypted') + + disk.Lock(self.no_options, dbus_interface=self.iface_prefix + '.Encrypted') +@@ -332,11 +331,11 @@ class UdisksEncryptedTest(udiskstestcase + # old password, should fail + msg = 'org.freedesktop.UDisks2.Error.Failed: Error unlocking %s *' % self.vdevs[0] + with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg): +- disk.Unlock('test', self.no_options, ++ disk.Unlock(self.PASSPHRASE, self.no_options, + dbus_interface=self.iface_prefix + '.Encrypted') + + # new password +- luks = disk.Unlock('password', self.no_options, ++ luks = disk.Unlock(self.PASSPHRASE + '222', self.no_options, + dbus_interface=self.iface_prefix + '.Encrypted') + self.assertIsNotNone(luks) + +@@ -347,7 +346,7 @@ class UdisksEncryptedTest(udiskstestcase + + def test_resize(self): + device = self.get_device(self.vdevs[0]) +- self._create_luks(device, 'test') ++ self._create_luks(device, self.PASSPHRASE) + self.addCleanup(self._remove_luks, device) + self.udev_settle() + +@@ -376,8 +375,6 @@ class UdisksEncryptedTest(udiskstestcase + fstab = self.read_file('/etc/fstab') + self.addCleanup(self.write_file, '/etc/fstab', fstab) + +- passphrase = 'test' +- + disk_name = os.path.basename(self.vdevs[0]) + disk = self.get_object('/block_devices/' + disk_name) + +@@ -388,7 +385,7 @@ class UdisksEncryptedTest(udiskstestcase + self.assertIsNotNone(part) + + # create LUKS on the partition and add it to crypttab +- self._create_luks(part, passphrase) ++ self._create_luks(part, self.PASSPHRASE) + self.udev_settle() + + conf = dbus.Dictionary({'name': self.str_to_ay('udisks_luks_test'), +@@ -525,10 +522,8 @@ class UdisksEncryptedTestLUKS2(UdisksEnc + super(UdisksEncryptedTestLUKS2, self).setUp() + + def test_resize(self): +- passwd = 'test' +- + device = self.get_device(self.vdevs[0]) +- self._create_luks(device, passwd) ++ self._create_luks(device, self.PASSPHRASE) + self.addCleanup(self._remove_luks, device) + self.udev_settle() + +@@ -554,7 +549,7 @@ class UdisksEncryptedTestLUKS2(UdisksEnc + + # right passphrase + d = dbus.Dictionary(signature='sv') +- d['passphrase'] = passwd ++ d['passphrase'] = self.PASSPHRASE + device.Resize(dbus.UInt64(100*1024*1024), d, + dbus_interface=self.iface_prefix + '.Encrypted') + +@@ -563,7 +558,7 @@ class UdisksEncryptedTestLUKS2(UdisksEnc + + # resize back to the original size (using binary passphrase) + d = dbus.Dictionary(signature='sv') +- d['keyfile_contents'] = self.str_to_ay(passwd, False) ++ d['keyfile_contents'] = self.str_to_ay(self.PASSPHRASE, False) + device.Resize(dbus.UInt64(clear_size), d, + dbus_interface=self.iface_prefix + '.Encrypted') + +@@ -581,7 +576,7 @@ class UdisksEncryptedTestLUKS2(UdisksEnc + + # create LUKS without specifying version + options = dbus.Dictionary(signature='sv') +- options['encrypt.passphrase'] = 'test' ++ options['encrypt.passphrase'] = self.PASSPHRASE + + disk.Format('xfs', options, + dbus_interface=self.iface_prefix + '.Block') +@@ -617,14 +612,12 @@ class UdisksEncryptedTestLUKS2(UdisksEnc + + @udiskstestcase.tag_test(udiskstestcase.TestTags.UNSTABLE) + def test_integrity(self): +- passwd = 'test' +- + cryptsetup_version = _get_cryptsetup_version() + if cryptsetup_version < LooseVersion('2.2.0'): + self.skipTest('Integrity devices are not marked as internal in cryptsetup < 2.2.0') + + device = self.get_device(self.vdevs[0]) +- self._create_luks_integrity(self.vdevs[0], passwd) ++ self._create_luks_integrity(self.vdevs[0], self.PASSPHRASE) + + self.addCleanup(self._remove_luks, device) + self.udev_settle() +@@ -634,7 +627,7 @@ class UdisksEncryptedTestLUKS2(UdisksEnc + # the device is not opened, we need to read the UUID from LUKS metadata + luks_uuid = BlockDev.crypto_luks_uuid(self.vdevs[0]) + +- luks_path = device.Unlock('test', self.no_options, ++ luks_path = device.Unlock(self.PASSPHRASE, self.no_options, + dbus_interface=self.iface_prefix + '.Encrypted') + self.assertIsNotNone(luks_path) + self.assertTrue(os.path.exists('/dev/disk/by-uuid/%s' % luks_uuid)) +diff -up udisks-2.9.0/src/tests/integration-test.bak udisks-2.9.0/src/tests/integration-test +--- udisks-2.9.0/src/tests/integration-test.bak 2020-05-26 14:59:20.000000000 +0200 ++++ udisks-2.9.0/src/tests/integration-test 2023-06-02 16:59:52.841963720 +0200 +@@ -1321,7 +1321,7 @@ class Luks(UDisksTestCase): + + def setup_crypto_device(self): + self.fs_create(None, 'ext4', GLib.Variant('a{sv}', { +- 'encrypt.passphrase': GLib.Variant('s', 's3kr1t'), ++ 'encrypt.passphrase': GLib.Variant('s', 's3kr1ts3kr1t'), + 'label': GLib.Variant('s', 'treasure')})) + self.client.settle() + crypt_obj = self.client.get_object(self.udisks_block().get_object_path()) +@@ -1332,7 +1332,7 @@ class Luks(UDisksTestCase): + @staticmethod + def unlock_crypto_device(encrypted): + return encrypted.call_unlock_sync( +- 's3kr1t', no_options, None) ++ 's3kr1ts3kr1t', no_options, None) + + def tearDown(self): + """clean up behind failed test cases""" +@@ -1400,7 +1400,7 @@ class Luks(UDisksTestCase): + udev_dump = subprocess.Popen(['udevadm', 'info', '--export-db'], + stdout=subprocess.PIPE) + out = udev_dump.communicate()[0] +- self.assertFalse(b's3kr1t' in out, 'password in udev properties') ++ self.assertFalse(b's3kr1ts3kr1t' in out, 'password in udev properties') + self.assertFalse(b'essiv:sha' in out, 'key information in udev properties') + + finally: +@@ -1510,18 +1510,18 @@ class Luks(UDisksTestCase): + encrypted = self.setup_crypto_device() + # wrong password, has bytes after a trailing '\0' + self.assertRaises(GLib.GError, encrypted.call_unlock_sync, +- '', Luks.keyfile_options(b's3kr1t\0X'), None) ++ '', Luks.keyfile_options(b's3kr1ts3kr1t\0X'), None) + self.assertRaises(GLib.GError, encrypted.call_unlock_sync, +- '', Luks.keyfile_options(b's3kr1t\n'), None) ++ '', Luks.keyfile_options(b's3kr1ts3kr1t\n'), None) + # correct password, specified as keyfile +- encrypted.call_unlock_sync('', Luks.keyfile_options(b's3kr1t'), None) ++ encrypted.call_unlock_sync('', Luks.keyfile_options(b's3kr1ts3kr1t'), None) + encrypted.call_lock_sync(no_options, None) + + def test_plaintext_keyfile(self): + """Setup a device using a plaintext keyfile.""" + # Using a plaintext keyfile should be equivalent to passphrase + self.fs_create(None, 'ext4', GLib.Variant('a{sv}', { +- 'encrypt.passphrase': GLib.Variant('ay', _bytes_to_ay(b's3kr1t')), ++ 'encrypt.passphrase': GLib.Variant('ay', _bytes_to_ay(b's3kr1ts3kr1t')), + 'label': GLib.Variant('s', 'treasure')})) + + crypt_obj = self.client.get_object(self.udisks_block().get_object_path()) +@@ -1532,16 +1532,16 @@ class Luks(UDisksTestCase): + self.assertRaises(GLib.GError, encrypted.call_unlock_sync, + 'h4ckpassword', no_options, None) + self.assertRaises(GLib.GError, encrypted.call_unlock_sync, +- '', Luks.keyfile_options(b's3kr1t\0X'), None) ++ '', Luks.keyfile_options(b's3kr1ts3kr1t\0X'), None) + self.assertRaises(GLib.GError, encrypted.call_unlock_sync, +- '', Luks.keyfile_options(b's3kr1t\n'), None) ++ '', Luks.keyfile_options(b's3kr1ts3kr1t\n'), None) + + # correct password +- encrypted.call_unlock_sync('', Luks.keyfile_options(b's3kr1t'), None) ++ encrypted.call_unlock_sync('', Luks.keyfile_options(b's3kr1ts3kr1t'), None) + encrypted.call_lock_sync(no_options, None) + + # correct password, specified as passphrase +- encrypted.call_unlock_sync('s3kr1t', no_options, None) ++ encrypted.call_unlock_sync('s3kr1ts3kr1t', no_options, None) + encrypted.call_lock_sync(no_options, None) + + def test_binary_keyfile(self): +@@ -1607,11 +1607,11 @@ class Luks(UDisksTestCase): + encrypted = self.setup_crypto_device() + + # change: passphrase -> passphrase +- encrypted.call_change_passphrase_sync('s3kr1t', 'passphrase', no_options, None) ++ encrypted.call_change_passphrase_sync('s3kr1ts3kr1t', 'passphrase', no_options, None) + + # verify new password: + self.assertRaises(GLib.GError, encrypted.call_unlock_sync, +- 's3kr1t', no_options, None) ++ 's3kr1ts3kr1t', no_options, None) + encrypted.call_unlock_sync('passphrase', no_options, None) + encrypted.call_lock_sync(no_options, None) + +@@ -1644,7 +1644,7 @@ class Luks(UDisksTestCase): + + # change: keyfile -> passphrase + encrypted.call_change_passphrase_sync( +- '', 's3kr1t', GLib.Variant('a{sv}', { ++ '', 's3kr1ts3kr1t', GLib.Variant('a{sv}', { + 'old_keyfile_contents': GLib.Variant('ay', _bytes_to_ay(key_file_1)), + }), + None) +@@ -1652,7 +1652,7 @@ class Luks(UDisksTestCase): + # verify new password: + self.assertRaises(GLib.GError, encrypted.call_unlock_sync, + '', Luks.keyfile_options(key_file_1), None) +- encrypted.call_unlock_sync('s3kr1t', no_options, None) ++ encrypted.call_unlock_sync('s3kr1ts3kr1t', no_options, None) + encrypted.call_lock_sync(no_options, None) + + diff --git a/udisks2.spec b/udisks2.spec index de9e0ef..9d53f8a 100644 --- a/udisks2.spec +++ b/udisks2.spec @@ -56,7 +56,7 @@ Name: udisks2 Summary: Disk Manager Version: 2.9.0 -Release: 13%{?dist} +Release: 14%{?dist} License: GPLv2+ Group: System Environment/Libraries URL: https://github.com/storaged-project/udisks @@ -91,7 +91,16 @@ Patch25: udisks-2.10.0-udiskslinuxpartition_GError.patch Patch26: udisks-2.10.0-udiskslinuxpartitiontable_GError.patch Patch27: udisks-2.10.0-udiskslinuxfilesystem_GError.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1966460 -Patch28: udisks-2.10.0-iscsi_test_05_restart_iscsid.patch +Patch28: udisks-2.10.0-iscsi_test_01_badauth.patch +Patch29: udisks-2.10.0-iscsi_test_02_lio_target_conf.patch +Patch31: udisks-2.10.0-iscsi_test_04_fix_test_login_chap_auth.patch +Patch32: udisks-2.10.0-iscsi_test_05_restart_iscsid.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2188991 +Patch33: udisks-2.10.0-iscsi-CHAP-auth-algs.patch +Patch34: udisks-2.9.4-FIPS_LUKS_fixes-2.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2039772 +Patch35: udisks-2.10.0-lvm2_update_epoch.patch +Patch36: udisks-2.10.0-lvm2_vgcreate_uevent_sync.patch BuildRequires: glib2-devel >= %{glib2_version} BuildRequires: gobject-introspection-devel >= %{gobject_introspection_version} @@ -318,6 +327,13 @@ This package contains module for VDO management. %patch26 -p1 %patch27 -p1 %patch28 -p1 +%patch29 -p1 +%patch31 -p1 +%patch32 -p1 +%patch33 -p1 +%patch34 -p1 +%patch35 -p1 +%patch36 -p1 sed -i udisks/udisks2.conf.in -e "s/encryption=luks1/encryption=%{default_luks_encryption}/" %build @@ -510,6 +526,11 @@ fi %endif %changelog +* Fri Jun 02 2023 Tomas Bzatek - 2.9.0-14 +- iscsi: CHAP auth algorithm selection fixes (#2188991) +- tests: Use stronger passphrases for LUKS tests +- lvm2: Improve uevent processing (#2039772) + * Tue Nov 01 2022 Tomas Bzatek - 2.9.0-13 - Fix iscsi test auth failures (#1966460)