From 1249ee77234715b751d12079bb5d1fac6bac8dd2 Mon Sep 17 00:00:00 2001 From: AlmaLinux RelEng Bot Date: Mon, 30 Mar 2026 11:12:46 -0400 Subject: [PATCH] import CS volume_key-0.3.12-17.el9 --- SOURCES/volume_key-0.3.12-fips2.patch | 207 ++++++++++++++++++++++++++ SPECS/volume_key.spec | 8 +- 2 files changed, 214 insertions(+), 1 deletion(-) create mode 100644 SOURCES/volume_key-0.3.12-fips2.patch diff --git a/SOURCES/volume_key-0.3.12-fips2.patch b/SOURCES/volume_key-0.3.12-fips2.patch new file mode 100644 index 0000000..c8894e2 --- /dev/null +++ b/SOURCES/volume_key-0.3.12-fips2.patch @@ -0,0 +1,207 @@ +diff --git a/lib/crypto.c b/lib/crypto.c +index 7554f19..7b8dc39 100644 +--- a/lib/crypto.c ++++ b/lib/crypto.c +@@ -179,6 +179,150 @@ import_sym_key (PK11SlotInfo *slot, CK_MECHANISM_TYPE type, PK11Origin origin, + } + + /* LIBVK_PACKET_FORMAT_ASYMMETRIC */ ++/* ++ * FIPS compliant implementation of PK11_ExtractKeyValue() + PK11_GetKeyData(). ++ * Instead of directly extracting the key value (which is not allowed in FIPS mode), ++ * we wrap the symmetric key with a temporary wrapping key, then decrypt the ++ * wrapped data to get the raw key bytes. ++ * Returns a newly allocated SECItem with the key data on success, NULL on failure. ++ * The caller must free the result with SECITEM_FreeItem(result, PR_TRUE). ++ */ ++static SECItem * ++extract_sym_key (PK11SymKey *sym_key) ++{ ++ CK_MECHANISM_TYPE wrap_mechanism = 0UL; ++ PK11SlotInfo *slot = NULL; ++ PK11SymKey *wrapping_key = NULL; ++ SECItem tmp_sec_item, wrapped_key_item; ++ PK11Context *wrap_key_crypt_context = NULL; ++ int block_size = 0; ++ size_t wrapped_key_size = 0; ++ unsigned char *wrapped_key = NULL; ++ SECItem *clear_key = NULL; ++ int out_len = 0; ++ unsigned int final_len = 0; ++ SECStatus ret = 0; ++ int key_len = 0; ++ ++ /* Fall back to PK11_ExtractKeyValue() + PK11_GetKeyData() if FIPS mode is disabled. */ ++ if (PK11_IsFIPS () == PR_FALSE) ++ { ++ SECItem *key_data; ++ ++ if (PK11_ExtractKeyValue (sym_key) != SECSuccess) ++ return NULL; ++ key_data = PK11_GetKeyData (sym_key); ++ if (key_data == NULL) ++ return NULL; ++ return SECITEM_DupItem (key_data); ++ } ++ ++ slot = PK11_GetSlotFromKey (sym_key); ++ if (slot == NULL) ++ return NULL; ++ ++ /* Get the best mechanism for the wrapping operation. */ ++ wrap_mechanism = PK11_GetBestWrapMechanism (slot); ++ ++ /* Generate a symmetric wrapping key. */ ++ wrapping_key = PK11_KeyGen (slot, wrap_mechanism, NULL, ++ PK11_GetBestKeyLength (slot, wrap_mechanism), ++ NULL); ++ PK11_FreeSlot (slot); ++ if (wrapping_key == NULL) ++ return NULL; ++ ++ /* Get block size and key length. */ ++ block_size = PK11_GetBlockSize (wrap_mechanism, NULL); ++ if (block_size == 0) ++ block_size = 1; ++ key_len = PK11_GetKeyLength (sym_key); ++ if (key_len <= 0) ++ { ++ PK11_FreeSymKey (wrapping_key); ++ return NULL; ++ } ++ ++ /* Allocate space for the wrapped key. ++ * Add extra space for padding (up to one block size). ++ */ ++ wrapped_key_size = key_len + block_size; ++ wrapped_key = g_try_malloc0 (wrapped_key_size); ++ if (wrapped_key == NULL) ++ { ++ PK11_FreeSymKey (wrapping_key); ++ return NULL; ++ } ++ ++ memset (&tmp_sec_item, 0, sizeof (tmp_sec_item)); ++ memset (&wrapped_key_item, 0, sizeof (wrapped_key_item)); ++ wrapped_key_item.data = wrapped_key; ++ wrapped_key_item.len = wrapped_key_size; ++ ++ /* Wrap the symmetric key using the wrapping key. */ ++ ret = PK11_WrapSymKey (wrap_mechanism, &tmp_sec_item, wrapping_key, sym_key, ++ &wrapped_key_item); ++ if (ret != SECSuccess) ++ { ++ g_free (wrapped_key); ++ PK11_FreeSymKey (wrapping_key); ++ return NULL; ++ } ++ ++ /* Now decrypt the wrapped key to get the raw bytes. ++ * Create a decryption context with the wrapping key. ++ */ ++ wrap_key_crypt_context = PK11_CreateContextBySymKey (wrap_mechanism, ++ CKA_DECRYPT, ++ wrapping_key, ++ &tmp_sec_item); ++ if (wrap_key_crypt_context == NULL) ++ { ++ g_free (wrapped_key); ++ PK11_FreeSymKey (wrapping_key); ++ return NULL; ++ } ++ ++ /* Allocate space for the decrypted (clear) key. */ ++ clear_key = SECITEM_AllocItem (NULL, NULL, wrapped_key_item.len); ++ if (clear_key == NULL) ++ { ++ g_free (wrapped_key); ++ PK11_DestroyContext (wrap_key_crypt_context, PR_TRUE); ++ PK11_FreeSymKey (wrapping_key); ++ return NULL; ++ } ++ ++ /* Decrypt to get the raw key bytes. */ ++ ret = PK11_CipherOp (wrap_key_crypt_context, clear_key->data, &out_len, ++ clear_key->len, wrapped_key_item.data, ++ wrapped_key_item.len); ++ if (ret != SECSuccess) ++ { ++ SECITEM_FreeItem (clear_key, PR_TRUE); ++ g_free (wrapped_key); ++ PK11_DestroyContext (wrap_key_crypt_context, PR_TRUE); ++ PK11_FreeSymKey (wrapping_key); ++ return NULL; ++ } ++ ++ ret = PK11_DigestFinal (wrap_key_crypt_context, clear_key->data + out_len, ++ &final_len, clear_key->len - out_len); ++ g_free (wrapped_key); ++ PK11_DestroyContext (wrap_key_crypt_context, PR_TRUE); ++ PK11_FreeSymKey (wrapping_key); ++ if (ret != SECSuccess) ++ { ++ SECITEM_FreeItem (clear_key, PR_TRUE); ++ return NULL; ++ } ++ ++ /* Adjust the length to the actual key length (remove padding). */ ++ clear_key->len = key_len; ++ ++ return clear_key; ++} ++ + + /* Encrypt DATA of SIZE for CERT. + Return encrypted data (for g_free()), setting RES_SIZE to the size of the +@@ -532,20 +676,19 @@ unwrap_asymmetric (size_t *clear_secret_size, const void *wrapped_secret_data, + error_from_pr (error); + goto err; + } +- if (PK11_ExtractKeyValue (secret_key) != SECSuccess) ++ clear_secret_item = extract_sym_key (secret_key); ++ PK11_FreeSymKey (secret_key); ++ if (clear_secret_item == NULL) + { + error_from_pr (error); +- goto err_secret_key; ++ goto err; + } +- clear_secret_item = PK11_GetKeyData (secret_key); + ret = g_memdup (clear_secret_item->data, clear_secret_item->len); + *clear_secret_size = clear_secret_item->len; +- PK11_FreeSymKey (secret_key); ++ SECITEM_FreeItem (clear_secret_item, PR_TRUE); + + return ret; + +- err_secret_key: +- PK11_FreeSymKey (secret_key); + err: + return NULL; + } +@@ -665,20 +808,19 @@ unwrap_symmetric (size_t *clear_secret_size, PK11SymKey *wrapping_key, + error_from_pr (error); + goto err; + } +- if (PK11_ExtractKeyValue (secret_key) != SECSuccess) ++ clear_secret_item = extract_sym_key (secret_key); ++ PK11_FreeSymKey (secret_key); ++ if (clear_secret_item == NULL) + { + error_from_pr (error); +- goto err_secret_key; ++ goto err; + } +- clear_secret_item = PK11_GetKeyData (secret_key); + ret = g_memdup (clear_secret_item->data, clear_secret_item->len); + *clear_secret_size = clear_secret_item->len; +- PK11_FreeSymKey (secret_key); ++ SECITEM_FreeItem (clear_secret_item, PR_TRUE); + + return ret; + +- err_secret_key: +- PK11_FreeSymKey (secret_key); + err: + return NULL; + } diff --git a/SPECS/volume_key.spec b/SPECS/volume_key.spec index f2a040f..764f0c2 100644 --- a/SPECS/volume_key.spec +++ b/SPECS/volume_key.spec @@ -32,7 +32,7 @@ Summary: An utility for manipulating storage encryption keys and passphrases Name: volume_key Version: 0.3.12 -Release: 16%{?dist} +Release: 17%{?dist} License: GPLv2 URL: https://pagure.io/%{name}/ Requires: %{name}-libs%{?_isa} = %{version}-%{release} @@ -45,6 +45,8 @@ Patch0: volume_key-0.3.12-support_LUKS2_and_more.patch # - backport of bf6618ec0b09b4e51fc97fa021e687fbd87599ba Patch1: volume_key-0.3.12-fix_resource_leaks.patch Patch2: volume_key-0.3.12-FIPS.patch +# fix getting backup password from secret the FIPS way, RHEL-113757 +Patch3: volume_key-0.3.12-fips2.patch BuildRequires: make BuildRequires: gcc BuildRequires: cryptsetup-devel, gettext-devel, glib2-devel, /usr/bin/gpg2 @@ -122,6 +124,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} %patch -P 0 -p1 %patch -P 1 -p1 %patch -P 2 -p1 -b .FIPS +%patch -P 3 -p1 -b .fips2 %build %configure %{?with_pythons} @@ -172,6 +175,9 @@ exit 1; \ %endif %changelog +* Thu Feb 12 2026 Michal Hlavinka - 0.3.12-17 +- ake getting password from backed up secret FIPS compatible (RHEL-113757) + * Thu Feb 06 2025 Michal Hlavinka - 0.3.12-16 - make volume_key FIPS compliant (RHEL-78044)