From 0f7e1632378136b6bf9075cd95baa9960c75ad5a Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 17 2022 10:24:17 +0000 Subject: import cryptsetup-2.4.3-4.el9 --- diff --git a/.cryptsetup.metadata b/.cryptsetup.metadata new file mode 100644 index 0000000..f0f9c04 --- /dev/null +++ b/.cryptsetup.metadata @@ -0,0 +1,2 @@ +1597b4642a9ef6b73ad191516f26bd2292055680 SOURCES/cryptsetup-2.4.3.tar.xz +23cea5fef57d512c9e80c01c9ff76c641cb356b0 SOURCES/tests.tar.xz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e48f09c --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/cryptsetup-2.4.3.tar.xz +SOURCES/tests.tar.xz diff --git a/SOURCES/cryptsetup-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch b/SOURCES/cryptsetup-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch new file mode 100644 index 0000000..fa075eb --- /dev/null +++ b/SOURCES/cryptsetup-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch @@ -0,0 +1,56 @@ +From f671febe64d8f40cdcb1677a08436a8907ccbb7e Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Wed, 23 Feb 2022 12:27:57 +0100 +Subject: [PATCH 2/3] Add more tests for --test-passphrase parameter. + +--- + tests/compat-test-args | 4 ++++ + tests/luks2-reencryption-test | 18 ++++++++++++++++++ + 2 files changed, 22 insertions(+) + +diff --git a/tests/compat-test-args b/tests/compat-test-args +index faeddd00..8bbe5563 100755 +--- a/tests/compat-test-args ++++ b/tests/compat-test-args +@@ -258,6 +258,10 @@ exp_fail luksAddKey DEV --unbound --key-size 0 + exp_pass luksAddKey DEV --unbound --key-size 8 + exp_pass luksDump DEV --unbound -S5 + exp_fail luksDump DEV --unbound ++exp_pass open DEV --unbound --test-passphrase ++exp_pass open DEV --unbound --test-passphrase -S5 ++exp_fail open DEV --unbound NAME ++exp_fail open DEV --unbound -S5 NAME + + exp_fail resize NAME --refresh + exp_fail open DEV NAME --test-passphrase --refresh +diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test +index 6f156016..73818b5d 100755 +--- a/tests/luks2-reencryption-test ++++ b/tests/luks2-reencryption-test +@@ -1606,5 +1606,23 @@ if [ -n "$DM_SECTOR_SIZE" ]; then + reencrypt_recover_online 4096 journal $HASH1 + fi + ++echo "[27] Verify test passphrase mode works with reencryption metadata" ++echo $PWD1 | $CRYPTSETUP -S5 -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV || fail ++echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $DEV || fail ++echo $PWD1 | $CRYPTSETUP reencrypt --init-only $DEV || fail ++echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail ++ ++echo $PWD1 | $CRYPTSETUP -q luksFormat -S5 --header $IMG_HDR --type luks2 $FAST_PBKDF_ARGON $DEV || fail ++echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $IMG_HDR || fail ++echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --init-only --header $IMG_HDR $DEV || fail ++echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail ++ ++echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --init-only --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail ++echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail ++ ++wipe_dev_head $DEV 1 ++echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 8M $FAST_PBKDF_ARGON $DEV || fail ++echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail ++ + remove_mapping + exit 0 +-- +2.27.0 + diff --git a/SOURCES/cryptsetup-2.5.0-Do-not-use-too-small-key-in-tests.patch b/SOURCES/cryptsetup-2.5.0-Do-not-use-too-small-key-in-tests.patch new file mode 100644 index 0000000..40f7269 --- /dev/null +++ b/SOURCES/cryptsetup-2.5.0-Do-not-use-too-small-key-in-tests.patch @@ -0,0 +1,45 @@ +From 34f033b2549d95833270d657cf099ee4f6faff37 Mon Sep 17 00:00:00 2001 +From: Milan Broz +Date: Fri, 21 Jan 2022 09:55:34 +0100 +Subject: [PATCH 3/3] Do not use too small key in tests. + +Apparently FIPS mode enforces somewhere minimal key size. +As 64bit key is no longer useful anyway, just remove it. + +Apparently cipher_null is now more safer with the longer key, +isn't? :-) +--- + tests/align-test | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/tests/align-test b/tests/align-test +index 9ae606ca..a00103c2 100755 +--- a/tests/align-test ++++ b/tests/align-test +@@ -262,11 +262,6 @@ cleanup + echo "# Offset check: 512B sector drive" + add_device dev_size_mb=16 sector_size=512 num_tgts=1 + # |k| expO reqO expected slot offsets +-format_null 64 2048 0 8:72:136:200:264:328:392:456 +-format_null 64 520 1 +-format_null 64 520 8 +-format_null 64 640 128 +-format_null 64 2048 2048 + format_null 128 2048 0 8:136:264:392:520:648:776:904 + format_null 128 1032 1 + format_null 128 1032 8 +@@ -286,11 +281,6 @@ cleanup + + echo "# Offset check: 4096B sector drive" + add_device dev_size_mb=16 sector_size=4096 num_tgts=1 opt_blks=64 +-format_null 64 2048 0 8:72:136:200:264:328:392:456 +-format_null 64 520 1 +-format_null 64 520 8 +-format_null 64 640 128 +-format_null 64 2048 2048 + format_null 128 2048 0 8:136:264:392:520:648:776:904 + format_null 128 1032 1 + format_null 128 1032 8 +-- +2.27.0 + diff --git a/SOURCES/cryptsetup-2.5.0-Fix-PBKDF-benchmark-in-OpenSSL3-FIPS-mode.patch b/SOURCES/cryptsetup-2.5.0-Fix-PBKDF-benchmark-in-OpenSSL3-FIPS-mode.patch new file mode 100644 index 0000000..aebf06e --- /dev/null +++ b/SOURCES/cryptsetup-2.5.0-Fix-PBKDF-benchmark-in-OpenSSL3-FIPS-mode.patch @@ -0,0 +1,47 @@ +From 05a237be2a6c7a342fb5aba4433aec487a08317f Mon Sep 17 00:00:00 2001 +From: Milan Broz +Date: Fri, 21 Jan 2022 09:47:13 +0100 +Subject: [PATCH 1/3] Fix PBKDF benchmark in OpenSSL3 FIPS mode. + +OpenSSL now enforces minimal parameters for PBKDF2 according to SP 800-132 +key length (112 bits), minimal salt length (128 bits) and minimal number +of iterations (1000). + +Our benchmark violates this, causeing cryptsetup misbehave for luksFormat. + +Just inrease tet salt to 16 bytes here, it will little bit influence benchmark, +but there is no way back. +--- + lib/utils_benchmark.c | 2 +- + src/cryptsetup.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/utils_benchmark.c b/lib/utils_benchmark.c +index 7a9736d8..24e7bccc 100644 +--- a/lib/utils_benchmark.c ++++ b/lib/utils_benchmark.c +@@ -184,7 +184,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd, + pbkdf->parallel_threads = 0; /* N/A in PBKDF2 */ + pbkdf->max_memory_kb = 0; /* N/A in PBKDF2 */ + +- r = crypt_benchmark_pbkdf(cd, pbkdf, "foo", 3, "bar", 3, ++ r = crypt_benchmark_pbkdf(cd, pbkdf, "foo", 3, "01234567890abcdef", 16, + volume_key_size, &benchmark_callback, &u); + pbkdf->time_ms = ms_tmp; + if (r < 0) { +diff --git a/src/cryptsetup.c b/src/cryptsetup.c +index e529b7ac..37d35c92 100644 +--- a/src/cryptsetup.c ++++ b/src/cryptsetup.c +@@ -860,7 +860,7 @@ static int action_benchmark_kdf(const char *kdf, const char *hash, size_t key_si + .time_ms = 1000, + }; + +- r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foo", 3, "bar", 3, key_size, ++ r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foo", 3, "0123456789abcdef", 16, key_size, + &benchmark_callback, &pbkdf); + if (r < 0) + log_std(_("PBKDF2-%-9s N/A\n"), hash); +-- +2.27.0 + diff --git a/SOURCES/cryptsetup-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch b/SOURCES/cryptsetup-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch new file mode 100644 index 0000000..4aaa5a4 --- /dev/null +++ b/SOURCES/cryptsetup-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch @@ -0,0 +1,106 @@ +diff -rupN cryptsetup-2.4.3.old/man/cryptsetup.8 cryptsetup-2.4.3/man/cryptsetup.8 +--- cryptsetup-2.4.3.old/man/cryptsetup.8 2022-02-23 16:33:42.449525744 +0100 ++++ cryptsetup-2.4.3/man/cryptsetup.8 2022-02-24 08:57:43.036396289 +0100 +@@ -321,7 +321,8 @@ the command prompts for it interactively + \-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase, + \-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id, + \-\-token\-only, \-\-token-type, \-\-disable\-external\-tokens, \-\-disable\-keyring, +-\-\-disable\-locks, \-\-type, \-\-refresh, \-\-serialize\-memory\-hard\-pbkdf]. ++\-\-disable\-locks, \-\-type, \-\-refresh, \-\-serialize\-memory\-hard\-pbkdf, ++\-\-unbound]. + .PP + \fIluksSuspend\fR + .IP +@@ -1465,10 +1466,14 @@ aligned to page size and page-cache init + integrity tag. + .TP + .B "\-\-unbound" +- + Creates new or dumps existing LUKS2 unbound keyslot. See \fIluksAddKey\fR or + \fIluksDump\fR actions for more details. + ++When used in \fIluksOpen\fR action (allowed only together with ++\-\-test\-passphrase parameter), it allows to test passphrase for unbound LUKS2 ++keyslot. Otherwise, unbound keyslot passphrase can be tested only when specific ++keyslot is selected via \-\-key\-slot parameter. ++ + .TP + .B "\-\-tcrypt\-hidden" + .B "\-\-tcrypt\-system" +diff -rupN cryptsetup-2.4.3.old/src/cryptsetup_args.h cryptsetup-2.4.3/src/cryptsetup_args.h +--- cryptsetup-2.4.3.old/src/cryptsetup_args.h 2022-02-23 16:33:42.450525749 +0100 ++++ cryptsetup-2.4.3/src/cryptsetup_args.h 2022-02-24 08:57:43.036396289 +0100 +@@ -75,7 +75,7 @@ + #define OPT_TCRYPT_HIDDEN_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION } + #define OPT_TCRYPT_SYSTEM_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION } + #define OPT_TEST_PASSPHRASE_ACTIONS { OPEN_ACTION } +-#define OPT_UNBOUND_ACTIONS { ADDKEY_ACTION, LUKSDUMP_ACTION } ++#define OPT_UNBOUND_ACTIONS { ADDKEY_ACTION, LUKSDUMP_ACTION, OPEN_ACTION } + #define OPT_USE_RANDOM_ACTIONS { FORMAT_ACTION } + #define OPT_USE_URANDOM_ACTIONS { FORMAT_ACTION } + #define OPT_UUID_ACTIONS { FORMAT_ACTION, UUID_ACTION } +diff -rupN cryptsetup-2.4.3.old/src/cryptsetup.c cryptsetup-2.4.3/src/cryptsetup.c +--- cryptsetup-2.4.3.old/src/cryptsetup.c 2022-02-23 16:33:42.450525749 +0100 ++++ cryptsetup-2.4.3/src/cryptsetup.c 2022-02-24 08:57:43.036396289 +0100 +@@ -140,7 +140,8 @@ static void _set_activation_flags(uint32 + *flags |= CRYPT_ACTIVATE_IGNORE_PERSISTENT; + + /* Only for LUKS2 but ignored elsewhere */ +- if (ARG_SET(OPT_TEST_PASSPHRASE_ID)) ++ if (ARG_SET(OPT_TEST_PASSPHRASE_ID) && ++ (ARG_SET(OPT_KEY_SLOT_ID) || ARG_SET(OPT_UNBOUND_ID))) + *flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY; + + if (ARG_SET(OPT_SERIALIZE_MEMORY_HARD_PBKDF_ID)) +@@ -3982,6 +3983,18 @@ int main(int argc, const char **argv) + _("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."), + poptGetInvocationName(popt_context)); + ++ if (ARG_SET(OPT_UNBOUND_ID) && !strcmp(aname, OPEN_ACTION) && device_type && ++ strncmp(device_type, "luks", 4)) ++ usage(popt_context, EXIT_FAILURE, ++ _("Option --unbound is allowed only for open of luks device."), ++ poptGetInvocationName(popt_context)); ++ ++ if (ARG_SET(OPT_UNBOUND_ID) && !ARG_SET(OPT_TEST_PASSPHRASE_ID) && ++ !strcmp(aname, OPEN_ACTION)) ++ usage(popt_context, EXIT_FAILURE, ++ _("Option --unbound cannot be used without --test-passphrase."), ++ poptGetInvocationName(popt_context)); ++ + if (ARG_SET(OPT_TCRYPT_HIDDEN_ID) && ARG_SET(OPT_ALLOW_DISCARDS_ID)) + usage(popt_context, EXIT_FAILURE, + _("Option --tcrypt-hidden cannot be combined with --allow-discards."), +diff -rupN cryptsetup-2.4.3.old/tests/compat-test2 cryptsetup-2.4.3/tests/compat-test2 +--- cryptsetup-2.4.3.old/tests/compat-test2 2022-02-23 16:33:42.444525716 +0100 ++++ cryptsetup-2.4.3/tests/compat-test2 2022-02-24 09:05:38.716422307 +0100 +@@ -699,7 +699,7 @@ $CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOP + # otoh it should be allowed to test for proper passphrase + prepare "" new + echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail +-echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail ++echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail + echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail + [ -b /dev/mapper/$DEV_NAME ] && fail + echo $PWD1 | $CRYPTSETUP open $HEADER_KEYU $DEV_NAME 2>/dev/null && fail +@@ -708,7 +708,7 @@ echo $PWD0 | $CRYPTSETUP open -S1 --test + $CRYPTSETUP luksKillSlot -q $HEADER_KEYU 0 + $CRYPTSETUP luksDump $HEADER_KEYU | grep -q "0: luks2" && fail + echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail +-echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail ++echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail + echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail + + prepare "[28] Detached LUKS header" wipe +@@ -967,11 +967,9 @@ echo $PWD3 | $CRYPTSETUP -q luksAddKey - + # do not allow to replace keyslot by unbound slot + echo $PWD1 | $CRYPTSETUP -q luksAddKey -S5 --unbound -s 32 $LOOPDEV 2>/dev/null && fail + echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail +-echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail + echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV $DEV_NAME 2> /dev/null && fail + echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV --test-passphrase || fail + echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail +-echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail + # check we're able to change passphrase for unbound keyslot + echo -e "$PWD2\n$PWD3" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail + echo $PWD3 | $CRYPTSETUP open --test-passphrase $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail diff --git a/SOURCES/cryptsetup-2.5.0-Fix-typo-in-repair-prompt.patch b/SOURCES/cryptsetup-2.5.0-Fix-typo-in-repair-prompt.patch new file mode 100644 index 0000000..5bf54fb --- /dev/null +++ b/SOURCES/cryptsetup-2.5.0-Fix-typo-in-repair-prompt.patch @@ -0,0 +1,12 @@ +diff -rupN cryptsetup-2.4.3.old/src/cryptsetup.c cryptsetup-2.4.3/src/cryptsetup.c +--- cryptsetup-2.4.3.old/src/cryptsetup.c 2022-01-21 13:14:56.864817351 +0100 ++++ cryptsetup-2.4.3/src/cryptsetup.c 2022-01-21 13:15:15.579947027 +0100 +@@ -1188,7 +1188,7 @@ static int reencrypt_metadata_repair(str + _("Operation aborted.\n"))) + return -EINVAL; + +- r = tools_get_key(_("Enter passphrase to protect and uppgrade reencryption metadata: "), ++ r = tools_get_key(_("Enter passphrase to protect and upgrade reencryption metadata: "), + &password, &passwordLen, ARG_UINT64(OPT_KEYFILE_OFFSET_ID), + ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID), ARG_UINT32(OPT_TIMEOUT_ID), + _verify_passphrase(0), 0, cd); diff --git a/SOURCES/cryptsetup-2.5.0-Get-rid-of-SHA1-in-tests.patch b/SOURCES/cryptsetup-2.5.0-Get-rid-of-SHA1-in-tests.patch new file mode 100644 index 0000000..4708329 --- /dev/null +++ b/SOURCES/cryptsetup-2.5.0-Get-rid-of-SHA1-in-tests.patch @@ -0,0 +1,441 @@ +diff -rupN cryptsetup-2.4.3.old/tests/api-test.c cryptsetup-2.4.3/tests/api-test.c +--- cryptsetup-2.4.3.old/tests/api-test.c 2022-02-17 16:37:09.535345938 +0100 ++++ cryptsetup-2.4.3/tests/api-test.c 2022-02-17 16:37:29.156459763 +0100 +@@ -312,7 +312,7 @@ static int _setup(void) + static void AddDevicePlain(void) + { + struct crypt_params_plain params = { +- .hash = "sha1", ++ .hash = "sha256", + .skip = 0, + .offset = 0, + .size = 0 +@@ -322,7 +322,7 @@ static void AddDevicePlain(void) + + const char *passphrase = PASSPHRASE; + // hashed hex version of PASSPHRASE +- const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; ++ const char *mk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea"; + size_t key_size = strlen(mk_hex) / 2; + const char *cipher = "aes"; + const char *cipher_mode = "cbc-essiv:sha256"; +@@ -438,7 +438,7 @@ static void AddDevicePlain(void) + OK_(crypt_deactivate(cd,CDEVICE_1)); + + CRYPT_FREE(cd); +- params.hash = "sha1"; ++ params.hash = "sha256"; + params.offset = 0; + params.size = 0; + params.skip = 0; +@@ -620,7 +620,7 @@ static void new_log(int level, const cha + static void CallbacksTest(void) + { + struct crypt_params_plain params = { +- .hash = "sha1", ++ .hash = "sha256", + .skip = 0, + .offset = 0, + }; +@@ -1116,7 +1116,7 @@ static void LuksHeaderRestore(void) + .data_alignment = 2048, // 4M, data offset will be 4096 + }; + struct crypt_params_plain pl_params = { +- .hash = "sha1", ++ .hash = "sha256", + .skip = 0, + .offset = 0, + .size = 0 +@@ -1203,7 +1203,7 @@ static void LuksHeaderLoad(void) + .data_alignment = 2048, + }; + struct crypt_params_plain pl_params = { +- .hash = "sha1", ++ .hash = "sha256", + .skip = 0, + .offset = 0, + .size = 0 +diff -rupN cryptsetup-2.4.3.old/tests/api-test-2.c cryptsetup-2.4.3/tests/api-test-2.c +--- cryptsetup-2.4.3.old/tests/api-test-2.c 2022-02-17 16:37:09.535345938 +0100 ++++ cryptsetup-2.4.3/tests/api-test-2.c 2022-02-17 16:37:29.155459758 +0100 +@@ -1232,7 +1232,7 @@ static void Luks2HeaderRestore(void) + .sector_size = 512 + }; + struct crypt_params_plain pl_params = { +- .hash = "sha1", ++ .hash = "sha256", + .skip = 0, + .offset = 0, + .size = 0 +@@ -1242,7 +1242,7 @@ static void Luks2HeaderRestore(void) + }; + uint32_t flags = 0; + +- const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; ++ const char *mk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea"; + size_t key_size = strlen(mk_hex) / 2; + const char *cipher = "aes"; + const char *cipher_mode = "cbc-essiv:sha256"; +@@ -1337,7 +1337,7 @@ static void Luks2HeaderLoad(void) + .sector_size = 512 + }; + struct crypt_params_plain pl_params = { +- .hash = "sha1", ++ .hash = "sha256", + .skip = 0, + .offset = 0, + .size = 0 +@@ -2142,7 +2142,7 @@ static void LuksConvert(void) + .parallel_threads = 1 + }, pbkdf2 = { + .type = CRYPT_KDF_PBKDF2, +- .hash = "sha1", ++ .hash = "sha256", + .time_ms = 1 + }; + +@@ -2675,7 +2675,7 @@ static void Pbkdf(void) + .hash = default_luks1_hash + }; + struct crypt_params_plain params = { +- .hash = "sha1", ++ .hash = "sha256", + .skip = 0, + .offset = 0, + .size = 0 +@@ -2874,11 +2874,11 @@ static void Pbkdf(void) + pbkdf2.time_ms = 9; + pbkdf2.hash = NULL; + FAIL_(crypt_set_pbkdf_type(cd, &pbkdf2), "Hash is mandatory for pbkdf2"); +- pbkdf2.hash = "sha1"; ++ pbkdf2.hash = "sha256"; + OK_(crypt_set_pbkdf_type(cd, &pbkdf2)); + + argon2.time_ms = 9; +- argon2.hash = "sha1"; // will be ignored ++ argon2.hash = "sha256"; // will be ignored + OK_(crypt_set_pbkdf_type(cd, &argon2)); + argon2.hash = NULL; + OK_(crypt_set_pbkdf_type(cd, &argon2)); +@@ -3839,7 +3839,7 @@ static void Luks2Reencryption(void) + struct crypt_params_reencrypt retparams = {}, rparams = { + .direction = CRYPT_REENCRYPT_FORWARD, + .resilience = "checksum", +- .hash = "sha1", ++ .hash = "sha256", + .luks2 = ¶ms2, + }; + dev_t devno; +@@ -3983,7 +3983,7 @@ static void Luks2Reencryption(void) + rparams.hash = "hamSter"; + FAIL_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 21, 9, "aes", "xts-plain64", &rparams), "Invalid resilience hash."); + +- rparams.hash = "sha1"; ++ rparams.hash = "sha256"; + OK_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 21, 9, "aes", "xts-plain64", &rparams)); + OK_(crypt_reencrypt_run(cd, NULL, NULL)); + +diff -rupN cryptsetup-2.4.3.old/tests/compat-test cryptsetup-2.4.3/tests/compat-test +--- cryptsetup-2.4.3.old/tests/compat-test 2022-02-17 16:37:09.541345973 +0100 ++++ cryptsetup-2.4.3/tests/compat-test 2022-02-17 16:37:29.157459769 +0100 +@@ -302,8 +302,8 @@ $CRYPTSETUP -q luksUUID $IMG | grep -q $ + prepare "[1] open - compat image - acceptance check" new + echo $PWD0 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail + check_exists +-ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ') +-[ "$ORG_SHA1" = 676062b66ebf36669dab705442ea0762dfc091b0 ] || fail ++ORG_SHA256=$(sha256sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ') ++[ "$ORG_SHA256" = 7428e8f2436882a07eb32765086f5c899474c08b5576f556b573d2aabdf923e8 ] || fail + $CRYPTSETUP -q luksClose $DEV_NAME || fail + + # Check it can be opened from header backup as well +@@ -315,6 +315,7 @@ $CRYPTSETUP -q luksClose $DEV_NAME || f + $CRYPTSETUP luksHeaderRestore -q $IMG --header-backup-file $HEADER_IMG || fail + + # Repeat for V1.0 header - not aligned first keyslot ++if [ ! fips_mode ] ; then + echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME || fail + check_exists + ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ') +@@ -326,6 +327,7 @@ $CRYPTSETUP luksHeaderBackup $IMG10 --he + echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME --header $HEADER_IMG || fail + check_exists + $CRYPTSETUP -q luksClose $DEV_NAME || fail ++fi + + prepare "[2] open - compat image - denial check" new + echo $PWDW | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail +@@ -526,7 +528,7 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q + + prepare "[19] create & status & resize" wipe + echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash xxx 2>/dev/null && fail +-echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail ++echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail + $CRYPTSETUP -q status $DEV_NAME | grep "offset:" | grep -q "3 sectors" || fail + $CRYPTSETUP -q status $DEV_NAME | grep "skipped:" | grep -q "4 sectors" || fail + $CRYPTSETUP -q status $DEV_NAME | grep "mode:" | grep -q "readonly" || fail +@@ -546,15 +548,15 @@ $CRYPTSETUP -q resize $DEV_NAME || fail + $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "32765 sectors" || fail + $CRYPTSETUP -q remove $DEV_NAME || fail + $CRYPTSETUP -q status $DEV_NAME >/dev/null && fail +-echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail ++echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail + $CRYPTSETUP -q remove $DEV_NAME || fail +-echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 $LOOPDEV || fail ++echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 $LOOPDEV || fail + $CRYPTSETUP -q remove $DEV_NAME || fail +-echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 --size 100 $LOOPDEV || fail ++echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 --size 100 $LOOPDEV || fail + $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail + $CRYPTSETUP -q remove $DEV_NAME || fail + # 4k sector resize (if kernel supports it) +-echo $PWD1 | $CRYPTSETUP -q open --type plain $LOOPDEV $DEV_NAME --sector-size 4096 --size 8 >/dev/null 2>&1 ++echo $PWD1 | $CRYPTSETUP -q open --type plain --hash sha256 $LOOPDEV $DEV_NAME --sector-size 4096 --size 8 >/dev/null 2>&1 + if [ $? -eq 0 ] ; then + $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "8 sectors" || fail + $CRYPTSETUP -q resize $DEV_NAME --size 16 || fail +@@ -567,7 +569,7 @@ if [ $? -eq 0 ] ; then + fi + # Resize not aligned to logical block size + add_scsi_device dev_size_mb=32 sector_size=4096 +-echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV || fail ++echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV || fail + OLD_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/') + $CRYPTSETUP resize $DEV_NAME -b 7 2> /dev/null && fail + dmsetup info $DEV_NAME | grep -q SUSPENDED && fail +@@ -575,10 +577,10 @@ NEW_SIZE=$($CRYPTSETUP status $DEV_NAME + test $OLD_SIZE -eq $NEW_SIZE || fail + $CRYPTSETUP close $DEV_NAME || fail + # Add check for unaligned plain crypt activation +-echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV -b 7 2>/dev/null && fail ++echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV -b 7 2>/dev/null && fail + $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail + # verify is ignored on non-tty input +-echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --verify-passphrase 2>/dev/null || fail ++echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --verify-passphrase 2>/dev/null || fail + $CRYPTSETUP -q remove $DEV_NAME || fail + $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size 255 2>/dev/null && fail + $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size -1 2>/dev/null && fail +@@ -695,15 +697,15 @@ $CRYPTSETUP luksChangeKey $LOOPDEV $FAST + dmsetup remove --retry $DEV_NAME2 + + prepare "[25] Create shared segments" wipe +-echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --offset 0 --size 256 || fail +-echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 2>/dev/null && fail +-echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 --shared || fail ++echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --offset 0 --size 256 || fail ++echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 2>/dev/null && fail ++echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 --shared || fail + $CRYPTSETUP -q remove $DEV_NAME2 || fail + $CRYPTSETUP -q remove $DEV_NAME || fail + + prepare "[26] Suspend/Resume" wipe + # only LUKS is supported +-echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail ++echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail + $CRYPTSETUP luksSuspend $DEV_NAME 2>/dev/null && fail + $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail + $CRYPTSETUP -q remove $DEV_NAME || fail +diff -rupN cryptsetup-2.4.3.old/tests/compat-test2 cryptsetup-2.4.3/tests/compat-test2 +--- cryptsetup-2.4.3.old/tests/compat-test2 2022-02-17 16:37:09.541345973 +0100 ++++ cryptsetup-2.4.3/tests/compat-test2 2022-02-17 16:37:29.158459775 +0100 +@@ -774,7 +774,7 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q + $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail + $CRYPTSETUP -q convert --type luks1 $LOOPDEV || fail + # hash test +-$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha1 || fail ++$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha512 || fail + $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 --hash sha256 || fail + $CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail + $CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail +diff -rupN cryptsetup-2.4.3.old/tests/discards-test cryptsetup-2.4.3/tests/discards-test +--- cryptsetup-2.4.3.old/tests/discards-test 2022-02-17 16:37:09.541345973 +0100 ++++ cryptsetup-2.4.3/tests/discards-test 2022-02-17 16:37:29.158459775 +0100 +@@ -80,7 +80,7 @@ dmsetup table $DEV_NAME | grep allow_dis + $CRYPTSETUP luksClose $DEV_NAME || fail + + echo "[2] Allowing discards for plain device" +-echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha1 --allow-discards || fail ++echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha256 --allow-discards || fail + $CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail + $CRYPTSETUP resize $DEV_NAME --size 100 || fail + $CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail +diff -rupN cryptsetup-2.4.3.old/tests/integrity-compat-test cryptsetup-2.4.3/tests/integrity-compat-test +--- cryptsetup-2.4.3.old/tests/integrity-compat-test 2022-02-17 16:37:09.542345979 +0100 ++++ cryptsetup-2.4.3/tests/integrity-compat-test 2022-02-17 16:37:29.159459781 +0100 +@@ -168,7 +168,7 @@ intformat() # alg alg_out tagsize outtag + echo -n "[FORMAT]" + $INTSETUP format --integrity-legacy-padding -q --integrity $1 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV >/dev/null 2>&1 + if [ $? -ne 0 ] ; then +- if [[ $1 =~ "sha" || $1 =~ "crc" ]] ; then ++ if [[ $1 =~ "sha2" || $1 =~ "crc" ]] ; then + fail "Cannot format device." + fi + echo "[N/A]" +@@ -214,7 +214,14 @@ int_error_detection() # mode alg tagsize + + echo -n "[INTEGRITY:$1:$2:$4:$5]" + echo -n "[FORMAT]" +- $INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null || fail "Cannot format device." ++ $INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null 2>&1 ++ if [ $? -ne 0 ] ; then ++ if [[ $2 =~ "sha2" || $2 =~ "crc" ]] ; then ++ fail "Cannot format device." ++ fi ++ echo "[N/A]" ++ return ++ fi + echo -n "[ACTIVATE]" + $INTSETUP open $DEV $DEV_NAME --integrity $2 --integrity-no-journal $KEY_PARAMS $INT_MODE || fail "Cannot activate device." + +diff -rupN cryptsetup-2.4.3.old/tests/keyring-compat-test cryptsetup-2.4.3/tests/keyring-compat-test +--- cryptsetup-2.4.3.old/tests/keyring-compat-test 2022-02-17 16:37:09.542345979 +0100 ++++ cryptsetup-2.4.3/tests/keyring-compat-test 2022-02-17 16:39:07.132028140 +0100 +@@ -119,7 +119,7 @@ add_device() { + which dmsetup >/dev/null 2>&1 || skip "Cannot find dmsetup, test skipped" + which keyctl >/dev/null 2>&1 || skip "Cannot find keyctl, test skipped" + which xxd >/dev/null 2>&1 || skip "Cannot find xxd, test skipped" +-which sha1sum > /dev/null 2>&1 || skip "Cannot find sha1sum, test skipped" ++which sha256sum >/dev/null 2>&1 || skip "Cannot find sha256sum, test skipped" + modprobe dm-crypt >/dev/null 2>&1 || fail "dm-crypt failed to load" + dm_crypt_keyring_support || skip "dm-crypt doesn't support kernel keyring, test skipped." + +@@ -132,23 +132,23 @@ dd if=/dev/urandom of=$DEV bs=1M count=$ + #test aes cipher with xts mode, plain IV + echo -n "Testing $CIPHER_XTS_PLAIN..." + dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail +-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail ++sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail + dmsetup remove --retry $NAME || fail + load_key "$HEXKEY_32" logon $LOGON_KEY_32_OK "$TEST_KEYRING" || fail "Cannot load 32 byte logon key type" + dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN :32:logon:$LOGON_KEY_32_OK 0 $DEV 0" || fail +-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail ++sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail + dmsetup remove --retry $NAME || fail + diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)" + # same test using message + dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail +-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail ++sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail + dmsetup remove --retry $NAME || fail + dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail + dmsetup suspend $NAME || fail + dmsetup message $NAME 0 key wipe || fail + dmsetup message $NAME 0 "key set :32:logon:$LOGON_KEY_32_OK" || fail + dmsetup resume $NAME || fail +-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail ++sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail + dmsetup remove --retry $NAME || fail + diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)" + echo "OK" +@@ -156,23 +156,23 @@ echo "OK" + #test aes cipher, xts mode, essiv IV + echo -n "Testing $CIPHER_CBC_ESSIV..." + dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail +-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail ++sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail + dmsetup remove --retry $NAME || fail + load_key "$HEXKEY_16" logon $LOGON_KEY_16_OK "$TEST_KEYRING" || fail "Cannot load 16 byte logon key type" + dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV :16:logon:$LOGON_KEY_16_OK 0 $DEV 0" || fail +-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail ++sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail + dmsetup remove --retry $NAME || fail + diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)" + # same test using message + dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail +-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail ++sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail + dmsetup remove --retry $NAME || fail + dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail + dmsetup suspend $NAME || fail + dmsetup message $NAME 0 key wipe || fail + dmsetup message $NAME 0 "key set :16:logon:$LOGON_KEY_16_OK" || fail + dmsetup resume $NAME || fail +-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail ++sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail + dmsetup remove --retry $NAME || fail + diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)" + echo "OK" +@@ -181,23 +181,23 @@ echo "OK" + fips_mode || { + echo -n "Testing $CIPHER_CBC_TCW..." + dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail +-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail ++sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail + dmsetup remove --retry $NAME || fail + load_key "$HEXKEY_64" logon $LOGON_KEY_64_OK "$TEST_KEYRING" || fail "Cannot load 16 byte logon key type" + dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW :64:logon:$LOGON_KEY_64_OK 0 $DEV 0" || fail +-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail ++sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail + dmsetup remove --retry $NAME || fail + diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksum mismatch (corruption)" + # same test using message + dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail +-sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail ++sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail + dmsetup remove --retry $NAME || fail + dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail + dmsetup suspend $NAME || fail + dmsetup message $NAME 0 key wipe || fail + dmsetup message $NAME 0 "key set :64:logon:$LOGON_KEY_64_OK" || fail + dmsetup resume $NAME || fail +-sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail ++sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail + dmsetup remove --retry $NAME || fail + diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)" + echo "OK" +@@ -207,10 +207,10 @@ echo -n "Test LUKS2 key refresh..." + echo $PWD | $CRYPTSETUP luksFormat --type luks2 --luks2-metadata-size 16k --luks2-keyslots-size 4064k --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --force-password $DEV || fail + echo $PWD | $CRYPTSETUP open $DEV $NAME || fail + $CRYPTSETUP status $NAME | grep -q -i "location:.*keyring" || skip "LUKS2 can't use keyring. Test skipped." +-dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha1sum > $CHKS_KEYRING || fail ++dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha256sum > $CHKS_KEYRING || fail + echo $PWD | $CRYPTSETUP refresh $NAME --disable-keyring || fail + $CRYPTSETUP status $NAME | grep -q -i "location:.*keyring" && fail "Key is still in keyring" +-dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha1sum > $CHKS_DMCRYPT || fail ++dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha256sum > $CHKS_DMCRYPT || fail + diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksum mismatch (corruption)" + echo "OK" + +diff -rupN cryptsetup-2.4.3.old/tests/password-hash-test cryptsetup-2.4.3/tests/password-hash-test +--- cryptsetup-2.4.3.old/tests/password-hash-test 2022-02-17 16:37:09.541345973 +0100 ++++ cryptsetup-2.4.3/tests/password-hash-test 2022-02-17 16:37:29.160459787 +0100 +@@ -75,7 +75,7 @@ crypt_key() # hash keysize pwd/file name + esac + + # ignore these cases, not all libs/kernel supports it +- if [ "$1" != "sha1" -a "$1" != "sha256" ] || [ $2 -gt 256 ] ; then ++ if [ "$1" != "sha256" ] || [ $2 -gt 256 ] ; then + if [ $ret -ne 0 ] ; then + echo " [N/A] ($ret, SKIPPED)" + return +diff -rupN cryptsetup-2.4.3.old/tests/reencryption-compat-test cryptsetup-2.4.3/tests/reencryption-compat-test +--- cryptsetup-2.4.3.old/tests/reencryption-compat-test 2022-02-17 16:37:09.541345973 +0100 ++++ cryptsetup-2.4.3/tests/reencryption-compat-test 2022-02-17 16:37:29.160459787 +0100 +@@ -338,7 +338,7 @@ simple_scsi_reenc "[4096/512 sector]" + echo "[OK]" + + echo "[8] Header only reencryption (hash and iteration time)" +-echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --hash sha1 $FAST_PBKDF $LOOPDEV1 || fail ++echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --hash sha512 $FAST_PBKDF $LOOPDEV1 || fail + wipe $PWD1 + check_hash $PWD1 $HASH1 + echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key || fail +diff -rupN cryptsetup-2.4.3.old/tests/verity-compat-test cryptsetup-2.4.3/tests/verity-compat-test +--- cryptsetup-2.4.3.old/tests/verity-compat-test 2022-02-17 16:37:09.541345973 +0100 ++++ cryptsetup-2.4.3/tests/verity-compat-test 2022-02-17 16:37:29.161459793 +0100 +@@ -148,7 +148,13 @@ function check_root_hash() # $1 size, $2 + for fail in data hash; do + wipe + echo -n "V$4(sb=$sb root_hash_as_file=$root_hash_as_file) $5 block size $1: " +- $VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >$DEV_OUT || fail ++ $VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >$DEV_OUT ++ if [ $? -ne 0 ] ; then ++ if [[ $1 =~ "sha2" ]] ; then ++ fail "Cannot format device." ++ fi ++ return ++ fi + + echo -n "[root hash]" + compare_out "root hash" $2 diff --git a/SOURCES/cryptsetup-add-system-library-paths.patch b/SOURCES/cryptsetup-add-system-library-paths.patch new file mode 100644 index 0000000..0a5d753 --- /dev/null +++ b/SOURCES/cryptsetup-add-system-library-paths.patch @@ -0,0 +1,22 @@ +diff -rupN cryptsetup-2.2.0.old/configure cryptsetup-2.2.0/configure +--- cryptsetup-2.2.0.old/configure 2019-08-14 20:45:07.000000000 +0200 ++++ cryptsetup-2.2.0/configure 2019-08-15 09:11:14.775184005 +0200 +@@ -12294,6 +12294,9 @@ fi + # before this can be enabled. + hardcode_into_libs=yes + ++ # Add ABI-specific directories to the system library path. ++ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" ++ + # Ideally, we could use ldconfig to report *all* directores which are + # searched for libraries, however this is still not possible. Aside from not + # being certain /sbin/ldconfig is available, command +@@ -12302,7 +12305,7 @@ fi + # appending ld.so.conf contents (and includes) to the search path. + if test -f /etc/ld.so.conf; then + lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` +- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" ++ sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra" + fi + + # We used to test for /lib/ld.so.1 and disable shared libraries on diff --git a/SPECS/cryptsetup.spec b/SPECS/cryptsetup.spec new file mode 100644 index 0000000..1277cde --- /dev/null +++ b/SPECS/cryptsetup.spec @@ -0,0 +1,181 @@ +Summary: Utility for setting up encrypted disks +Name: cryptsetup +Version: 2.4.3 +Release: 4%{?dist} +License: GPLv2+ and LGPLv2+ +URL: https://gitlab.com/cryptsetup/cryptsetup +BuildRequires: openssl-devel, popt-devel, device-mapper-devel +BuildRequires: libuuid-devel, gcc, json-c-devel +BuildRequires: libpwquality-devel, libblkid-devel +BuildRequires: make +Requires: cryptsetup-libs = %{version}-%{release} +Requires: libpwquality >= 1.2.0 + +%global upstream_version %{version} +Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-%{upstream_version}.tar.xz +# binary archive with updated compatimage.img.xz for testing (can not be patched via rpmbuild) +Source1: tests.tar.xz + +# Following patch has to applied last +Patch0000: %{name}-2.5.0-Fix-typo-in-repair-prompt.patch +Patch0001: %{name}-2.5.0-Fix-PBKDF-benchmark-in-OpenSSL3-FIPS-mode.patch +Patch0002: %{name}-2.5.0-Get-rid-of-SHA1-in-tests.patch +Patch0003: %{name}-2.5.0-Do-not-use-too-small-key-in-tests.patch +Patch0004: %{name}-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch +Patch0005: %{name}-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch +Patch9999: %{name}-add-system-library-paths.patch + +%description +The cryptsetup package contains a utility for setting up +disk encryption using dm-crypt kernel module. + +%package devel +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires: pkgconfig +Summary: Headers and libraries for using encrypted file systems + +%description devel +The cryptsetup-devel package contains libraries and header files +used for writing code that makes use of disk encryption. + +%package libs +Summary: Cryptsetup shared library + +%description libs +This package contains the cryptsetup shared library, libcryptsetup. + +%package -n veritysetup +Summary: A utility for setting up dm-verity volumes +Requires: cryptsetup-libs = %{version}-%{release} + +%description -n veritysetup +The veritysetup package contains a utility for setting up +disk verification using dm-verity kernel module. + +%package -n integritysetup +Summary: A utility for setting up dm-integrity volumes +Requires: cryptsetup-libs = %{version}-%{release} + +%description -n integritysetup +The integritysetup package contains a utility for setting up +disk integrity protection using dm-integrity kernel module. + +%package reencrypt +Summary: A utility for offline reencryption of LUKS encrypted disks +Requires: cryptsetup-libs = %{version}-%{release} + +%description reencrypt +This package contains cryptsetup-reencrypt utility which +can be used for offline reencryption of disk in situ. + +%prep +%autosetup -n cryptsetup-%{upstream_version} -p 1 -a 1 +chmod -x misc/dracut_90reencrypt/* + +%build +%configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --disable-ssh-token +%make_build + +%install +%make_install +rm -rf %{buildroot}%{_libdir}/*.la + +%find_lang cryptsetup + +%ldconfig_scriptlets -n cryptsetup-libs + +%files +%license COPYING +%doc AUTHORS FAQ docs/*ReleaseNotes +%{_mandir}/man8/cryptsetup.8.gz +%{_sbindir}/cryptsetup + +%files -n veritysetup +%license COPYING +%{_mandir}/man8/veritysetup.8.gz +%{_sbindir}/veritysetup + +%files -n integritysetup +%license COPYING +%{_mandir}/man8/integritysetup.8.gz +%{_sbindir}/integritysetup + +%files reencrypt +%license COPYING +%doc misc/dracut_90reencrypt +%{_mandir}/man8/cryptsetup-reencrypt.8.gz +%{_sbindir}/cryptsetup-reencrypt + +%files devel +%doc docs/examples/* +%{_includedir}/libcryptsetup.h +%{_libdir}/libcryptsetup.so +%{_libdir}/pkgconfig/libcryptsetup.pc + +%files libs -f cryptsetup.lang +%license COPYING COPYING.LGPL +%{_libdir}/libcryptsetup.so.* +%dir %{_libdir}/%{name}/ +%{_tmpfilesdir}/cryptsetup.conf +%ghost %attr(700, -, -) %dir /run/cryptsetup + +%changelog +* Thu Feb 24 2022 Ondrej Kozina - 2.4.3-4 +- patch: Fix broken upstream test. +- Resolves: #2056439 + +* Wed Feb 23 2022 Ondrej Kozina - 2.4.3-3 +- patch: Fix cryptsetup --test-passphrase when device in + reencryption +- Resolves: #2056439 + +* Thu Feb 17 2022 Ondrej Kozina - 2.4.3-2 +- Various FIPS related fixes. +- Resolves: #2051630 + +* Fri Jan 21 2022 Ondrej Kozina - 2.4.3-1 +- Update to cryptsetup 2.4.3. +- patch: Fix typo in repair command prompt. + Resolves: #2022309 #2023316 #2032782 + +* Wed Sep 29 2021 Ondrej Kozina - 2.4.1-1 +- Update to cryptsetup 2.4.1. + Resolves: #2005035 #2005877 + +* Thu Aug 19 2021 Ondrej Kozina - 2.4.0-1 +- Update to cryptsetup 2.4.0. + Resolves: #1869553 #1972722 #1974271 #1975799 + +* Mon Aug 09 2021 Mohan Boddu - 2.3.6-3 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Thu Jun 17 2021 Mohan Boddu - 2.3.6-2 +- Specbump for openssl 3.0 + Related: rhbz#1971065 + +* Wed Jun 16 2021 Ondrej Kozina - 2.3.6-1 +- Update to cryptsetup 2.3.6. +- Resolves: #1961291 #1970932 + +* Tue Jun 15 2021 Mohan Boddu - 2.3.5-5 +- Rebuilt for RHEL 9 BETA for openssl 3.0 + +Related: rhbz#1971065 + +* Tue Apr 27 2021 Ondrej Kozina - 2.3.5-4 +- Drop dependency on libargon2 +- Resolves: #1936959 + +* Thu Apr 15 2021 Mohan Boddu - 2.3.5-3 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Thu Mar 11 2021 Milan Broz - 2.3.5-1 +- Update to cryptsetup 2.3.5. + +* Tue Jan 26 2021 Fedora Release Engineering - 2.3.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Sep 03 2020 Milan Broz - 2.3.4-1 +- Update to cryptsetup 2.3.4. +- Fix for CVE-2020-14382 (#1874712)