Blame SOURCES/cryptsetup-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch

a743d1
diff -rupN cryptsetup-2.3.7.old/man/cryptsetup.8 cryptsetup-2.3.7/man/cryptsetup.8
a743d1
--- cryptsetup-2.3.7.old/man/cryptsetup.8	2022-02-24 15:58:37.968167423 +0100
a743d1
+++ cryptsetup-2.3.7/man/cryptsetup.8	2022-02-24 17:06:25.326217548 +0100
a743d1
@@ -321,7 +321,7 @@ the command prompts for it interactively
a743d1
 \-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase,
a743d1
 \-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id,
a743d1
 \-\-token\-only, \-\-disable\-keyring, \-\-disable\-locks, \-\-type, \-\-refresh,
a743d1
-\-\-serialize\-memory\-hard\-pbkdf].
a743d1
+\-\-serialize\-memory\-hard\-pbkdf, \-\-unbound].
a743d1
 .PP
a743d1
 \fIluksSuspend\fR <name>
a743d1
 .IP
a743d1
@@ -1409,10 +1409,14 @@ aligned to page size and page-cache init
a743d1
 integrity tag.
a743d1
 .TP
a743d1
 .B "\-\-unbound"
a743d1
-
a743d1
 Creates new or dumps existing LUKS2 unbound keyslot. See \fIluksAddKey\fR or
a743d1
 \fIluksDump\fR actions for more details.
a743d1
 
a743d1
+When used in \fIluksOpen\fR action (allowed only together with
a743d1
+\-\-test\-passphrase parameter), it allows to test passphrase for unbound LUKS2
a743d1
+keyslot. Otherwise, unbound keyslot passphrase can be tested only when specific
a743d1
+keyslot is selected via \-\-key\-slot parameter.
a743d1
+
a743d1
 .TP
a743d1
 .B "\-\-tcrypt\-hidden"
a743d1
 .B "\-\-tcrypt\-system"
a743d1
diff -rupN cryptsetup-2.3.7.old/src/cryptsetup.c cryptsetup-2.3.7/src/cryptsetup.c
a743d1
--- cryptsetup-2.3.7.old/src/cryptsetup.c	2022-02-24 15:58:37.969167429 +0100
a743d1
+++ cryptsetup-2.3.7/src/cryptsetup.c	2022-02-24 17:10:30.947561638 +0100
a743d1
@@ -230,7 +230,7 @@ static void _set_activation_flags(uint32
a743d1
 		*flags |= CRYPT_ACTIVATE_IGNORE_PERSISTENT;
a743d1
 
a743d1
 	/* Only for LUKS2 but ignored elsewhere */
a743d1
-	if (opt_test_passphrase)
a743d1
+	if (opt_test_passphrase && (opt_unbound || (opt_key_slot != CRYPT_ANY_SLOT)))
a743d1
 		*flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY;
a743d1
 
a743d1
 	if (opt_serialize_memory_hard_pbkdf)
a743d1
@@ -4021,6 +4021,17 @@ int main(int argc, const char **argv)
a743d1
 		_("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."),
a743d1
 		poptGetInvocationName(popt_context));
a743d1
 
a743d1
+	if (opt_unbound && !strcmp(aname, "open") && device_type &&
a743d1
+	    strncmp(device_type, "luks", 4))
a743d1
+		usage(popt_context, EXIT_FAILURE,
a743d1
+		_("Option --unbound is allowed only for open of luks device."),
a743d1
+		poptGetInvocationName(popt_context));
a743d1
+
a743d1
+	if (opt_unbound && !opt_test_passphrase && !strcmp(aname, "open"))
a743d1
+		usage(popt_context, EXIT_FAILURE,
a743d1
+		_("Option --unbound cannot be used without --test-passphrase."),
a743d1
+		poptGetInvocationName(popt_context));
a743d1
+
a743d1
 	if (opt_tcrypt_hidden && opt_allow_discards)
a743d1
 		usage(popt_context, EXIT_FAILURE,
a743d1
 		_("Option --tcrypt-hidden cannot be combined with --allow-discards."),
a743d1
@@ -4103,9 +4114,9 @@ int main(int argc, const char **argv)
a743d1
 		      _("Keyslot specification is required."),
a743d1
 		      poptGetInvocationName(popt_context));
a743d1
 
a743d1
-	if (opt_unbound && strcmp(aname, "luksAddKey") && strcmp(aname, "luksDump"))
a743d1
+	if (opt_unbound && strcmp(aname, "luksAddKey") && strcmp(aname, "luksDump") && strcmp(aname, "open"))
a743d1
 		usage(popt_context, EXIT_FAILURE,
a743d1
-		      _("Option --unbound may be used only with luksAddKey and luksDump actions."),
a743d1
+		      _("Option --unbound may be used only with luksAddKey, luksDump and open actions."),
a743d1
 		      poptGetInvocationName(popt_context));
a743d1
 
a743d1
 	if (opt_refresh && strcmp(aname, "open"))
a743d1
diff -rupN cryptsetup-2.3.7.old/tests/compat-test2 cryptsetup-2.3.7/tests/compat-test2
a743d1
--- cryptsetup-2.3.7.old/tests/compat-test2	2022-02-24 15:58:38.013167680 +0100
a743d1
+++ cryptsetup-2.3.7/tests/compat-test2	2022-02-24 17:23:23.035760517 +0100
a743d1
@@ -696,7 +696,7 @@ $CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOP
a743d1
 # otoh it should be allowed to test for proper passphrase
a743d1
 prepare "" new
a743d1
 echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
a743d1
-echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
a743d1
+echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail
a743d1
 echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
a743d1
 [ -b /dev/mapper/$DEV_NAME ] && fail
a743d1
 echo $PWD1 | $CRYPTSETUP open $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
a743d1
@@ -705,7 +705,7 @@ echo $PWD0 | $CRYPTSETUP open -S1 --test
a743d1
 $CRYPTSETUP luksKillSlot -q $HEADER_KEYU 0
a743d1
 $CRYPTSETUP luksDump $HEADER_KEYU | grep -q "0: luks2" && fail
a743d1
 echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
a743d1
-echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
a743d1
+echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail
a743d1
 echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
a743d1
 
a743d1
 prepare "[28] Detached LUKS header" wipe
a743d1
@@ -952,11 +952,9 @@ echo $PWD3 | $CRYPTSETUP -q luksAddKey -
a743d1
 # do not allow to replace keyslot by unbound slot
a743d1
 echo $PWD1 | $CRYPTSETUP -q luksAddKey -S5 --unbound -s 32 $LOOPDEV 2>/dev/null && fail
a743d1
 echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
a743d1
-echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
a743d1
 echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV $DEV_NAME 2> /dev/null && fail
a743d1
 echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV --test-passphrase || fail
a743d1
 echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
a743d1
-echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
a743d1
 # check we're able to change passphrase for unbound keyslot
a743d1
 echo -e "$PWD2\n$PWD3" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail
a743d1
 echo $PWD3 | $CRYPTSETUP open --test-passphrase $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail