diff --git a/.cryptsetup.metadata b/.cryptsetup.metadata index cc81fac..3eba3f7 100644 --- a/.cryptsetup.metadata +++ b/.cryptsetup.metadata @@ -1,3 +1,2 @@ -1597b4642a9ef6b73ad191516f26bd2292055680 SOURCES/cryptsetup-2.4.3.tar.xz -23cea5fef57d512c9e80c01c9ff76c641cb356b0 SOURCES/tests.tar.xz -ae06fbc13edb47b59ba17eb8faff9959b5eefe93 SOURCES/tests_fips.tar.xz +8098a06269c4268b0446b34f7b20e8fa6032e006 SOURCES/cryptsetup-2.6.0.tar.xz +ae06fbc13edb47b59ba17eb8faff9959b5eefe93 SOURCES/tests.tar.xz diff --git a/.gitignore b/.gitignore index b7ba209..d1221a6 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,2 @@ -SOURCES/cryptsetup-2.4.3.tar.xz +SOURCES/cryptsetup-2.6.0.tar.xz SOURCES/tests.tar.xz -SOURCES/tests_fips.tar.xz diff --git a/SOURCES/cryptsetup-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch b/SOURCES/cryptsetup-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch deleted file mode 100644 index fa075eb..0000000 --- a/SOURCES/cryptsetup-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch +++ /dev/null @@ -1,56 +0,0 @@ -From f671febe64d8f40cdcb1677a08436a8907ccbb7e Mon Sep 17 00:00:00 2001 -From: Ondrej Kozina -Date: Wed, 23 Feb 2022 12:27:57 +0100 -Subject: [PATCH 2/3] Add more tests for --test-passphrase parameter. - ---- - tests/compat-test-args | 4 ++++ - tests/luks2-reencryption-test | 18 ++++++++++++++++++ - 2 files changed, 22 insertions(+) - -diff --git a/tests/compat-test-args b/tests/compat-test-args -index faeddd00..8bbe5563 100755 ---- a/tests/compat-test-args -+++ b/tests/compat-test-args -@@ -258,6 +258,10 @@ exp_fail luksAddKey DEV --unbound --key-size 0 - exp_pass luksAddKey DEV --unbound --key-size 8 - exp_pass luksDump DEV --unbound -S5 - exp_fail luksDump DEV --unbound -+exp_pass open DEV --unbound --test-passphrase -+exp_pass open DEV --unbound --test-passphrase -S5 -+exp_fail open DEV --unbound NAME -+exp_fail open DEV --unbound -S5 NAME - - exp_fail resize NAME --refresh - exp_fail open DEV NAME --test-passphrase --refresh -diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test -index 6f156016..73818b5d 100755 ---- a/tests/luks2-reencryption-test -+++ b/tests/luks2-reencryption-test -@@ -1606,5 +1606,23 @@ if [ -n "$DM_SECTOR_SIZE" ]; then - reencrypt_recover_online 4096 journal $HASH1 - fi - -+echo "[27] Verify test passphrase mode works with reencryption metadata" -+echo $PWD1 | $CRYPTSETUP -S5 -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV || fail -+echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $DEV || fail -+echo $PWD1 | $CRYPTSETUP reencrypt --init-only $DEV || fail -+echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail -+ -+echo $PWD1 | $CRYPTSETUP -q luksFormat -S5 --header $IMG_HDR --type luks2 $FAST_PBKDF_ARGON $DEV || fail -+echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $IMG_HDR || fail -+echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --init-only --header $IMG_HDR $DEV || fail -+echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail -+ -+echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --init-only --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail -+echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail -+ -+wipe_dev_head $DEV 1 -+echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 8M $FAST_PBKDF_ARGON $DEV || fail -+echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail -+ - remove_mapping - exit 0 --- -2.27.0 - diff --git a/SOURCES/cryptsetup-2.5.0-Do-not-use-too-small-key-in-tests.patch b/SOURCES/cryptsetup-2.5.0-Do-not-use-too-small-key-in-tests.patch deleted file mode 100644 index 40f7269..0000000 --- a/SOURCES/cryptsetup-2.5.0-Do-not-use-too-small-key-in-tests.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 34f033b2549d95833270d657cf099ee4f6faff37 Mon Sep 17 00:00:00 2001 -From: Milan Broz -Date: Fri, 21 Jan 2022 09:55:34 +0100 -Subject: [PATCH 3/3] Do not use too small key in tests. - -Apparently FIPS mode enforces somewhere minimal key size. -As 64bit key is no longer useful anyway, just remove it. - -Apparently cipher_null is now more safer with the longer key, -isn't? :-) ---- - tests/align-test | 10 ---------- - 1 file changed, 10 deletions(-) - -diff --git a/tests/align-test b/tests/align-test -index 9ae606ca..a00103c2 100755 ---- a/tests/align-test -+++ b/tests/align-test -@@ -262,11 +262,6 @@ cleanup - echo "# Offset check: 512B sector drive" - add_device dev_size_mb=16 sector_size=512 num_tgts=1 - # |k| expO reqO expected slot offsets --format_null 64 2048 0 8:72:136:200:264:328:392:456 --format_null 64 520 1 --format_null 64 520 8 --format_null 64 640 128 --format_null 64 2048 2048 - format_null 128 2048 0 8:136:264:392:520:648:776:904 - format_null 128 1032 1 - format_null 128 1032 8 -@@ -286,11 +281,6 @@ cleanup - - echo "# Offset check: 4096B sector drive" - add_device dev_size_mb=16 sector_size=4096 num_tgts=1 opt_blks=64 --format_null 64 2048 0 8:72:136:200:264:328:392:456 --format_null 64 520 1 --format_null 64 520 8 --format_null 64 640 128 --format_null 64 2048 2048 - format_null 128 2048 0 8:136:264:392:520:648:776:904 - format_null 128 1032 1 - format_null 128 1032 8 --- -2.27.0 - diff --git a/SOURCES/cryptsetup-2.5.0-Fix-PBKDF-benchmark-in-OpenSSL3-FIPS-mode.patch b/SOURCES/cryptsetup-2.5.0-Fix-PBKDF-benchmark-in-OpenSSL3-FIPS-mode.patch deleted file mode 100644 index aebf06e..0000000 --- a/SOURCES/cryptsetup-2.5.0-Fix-PBKDF-benchmark-in-OpenSSL3-FIPS-mode.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 05a237be2a6c7a342fb5aba4433aec487a08317f Mon Sep 17 00:00:00 2001 -From: Milan Broz -Date: Fri, 21 Jan 2022 09:47:13 +0100 -Subject: [PATCH 1/3] Fix PBKDF benchmark in OpenSSL3 FIPS mode. - -OpenSSL now enforces minimal parameters for PBKDF2 according to SP 800-132 -key length (112 bits), minimal salt length (128 bits) and minimal number -of iterations (1000). - -Our benchmark violates this, causeing cryptsetup misbehave for luksFormat. - -Just inrease tet salt to 16 bytes here, it will little bit influence benchmark, -but there is no way back. ---- - lib/utils_benchmark.c | 2 +- - src/cryptsetup.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/lib/utils_benchmark.c b/lib/utils_benchmark.c -index 7a9736d8..24e7bccc 100644 ---- a/lib/utils_benchmark.c -+++ b/lib/utils_benchmark.c -@@ -184,7 +184,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd, - pbkdf->parallel_threads = 0; /* N/A in PBKDF2 */ - pbkdf->max_memory_kb = 0; /* N/A in PBKDF2 */ - -- r = crypt_benchmark_pbkdf(cd, pbkdf, "foo", 3, "bar", 3, -+ r = crypt_benchmark_pbkdf(cd, pbkdf, "foo", 3, "01234567890abcdef", 16, - volume_key_size, &benchmark_callback, &u); - pbkdf->time_ms = ms_tmp; - if (r < 0) { -diff --git a/src/cryptsetup.c b/src/cryptsetup.c -index e529b7ac..37d35c92 100644 ---- a/src/cryptsetup.c -+++ b/src/cryptsetup.c -@@ -860,7 +860,7 @@ static int action_benchmark_kdf(const char *kdf, const char *hash, size_t key_si - .time_ms = 1000, - }; - -- r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foo", 3, "bar", 3, key_size, -+ r = crypt_benchmark_pbkdf(NULL, &pbkdf, "foo", 3, "0123456789abcdef", 16, key_size, - &benchmark_callback, &pbkdf); - if (r < 0) - log_std(_("PBKDF2-%-9s N/A\n"), hash); --- -2.27.0 - diff --git a/SOURCES/cryptsetup-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch b/SOURCES/cryptsetup-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch deleted file mode 100644 index 4aaa5a4..0000000 --- a/SOURCES/cryptsetup-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch +++ /dev/null @@ -1,106 +0,0 @@ -diff -rupN cryptsetup-2.4.3.old/man/cryptsetup.8 cryptsetup-2.4.3/man/cryptsetup.8 ---- cryptsetup-2.4.3.old/man/cryptsetup.8 2022-02-23 16:33:42.449525744 +0100 -+++ cryptsetup-2.4.3/man/cryptsetup.8 2022-02-24 08:57:43.036396289 +0100 -@@ -321,7 +321,8 @@ the command prompts for it interactively - \-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase, - \-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id, - \-\-token\-only, \-\-token-type, \-\-disable\-external\-tokens, \-\-disable\-keyring, --\-\-disable\-locks, \-\-type, \-\-refresh, \-\-serialize\-memory\-hard\-pbkdf]. -+\-\-disable\-locks, \-\-type, \-\-refresh, \-\-serialize\-memory\-hard\-pbkdf, -+\-\-unbound]. - .PP - \fIluksSuspend\fR - .IP -@@ -1465,10 +1466,14 @@ aligned to page size and page-cache init - integrity tag. - .TP - .B "\-\-unbound" -- - Creates new or dumps existing LUKS2 unbound keyslot. See \fIluksAddKey\fR or - \fIluksDump\fR actions for more details. - -+When used in \fIluksOpen\fR action (allowed only together with -+\-\-test\-passphrase parameter), it allows to test passphrase for unbound LUKS2 -+keyslot. Otherwise, unbound keyslot passphrase can be tested only when specific -+keyslot is selected via \-\-key\-slot parameter. -+ - .TP - .B "\-\-tcrypt\-hidden" - .B "\-\-tcrypt\-system" -diff -rupN cryptsetup-2.4.3.old/src/cryptsetup_args.h cryptsetup-2.4.3/src/cryptsetup_args.h ---- cryptsetup-2.4.3.old/src/cryptsetup_args.h 2022-02-23 16:33:42.450525749 +0100 -+++ cryptsetup-2.4.3/src/cryptsetup_args.h 2022-02-24 08:57:43.036396289 +0100 -@@ -75,7 +75,7 @@ - #define OPT_TCRYPT_HIDDEN_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION } - #define OPT_TCRYPT_SYSTEM_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION } - #define OPT_TEST_PASSPHRASE_ACTIONS { OPEN_ACTION } --#define OPT_UNBOUND_ACTIONS { ADDKEY_ACTION, LUKSDUMP_ACTION } -+#define OPT_UNBOUND_ACTIONS { ADDKEY_ACTION, LUKSDUMP_ACTION, OPEN_ACTION } - #define OPT_USE_RANDOM_ACTIONS { FORMAT_ACTION } - #define OPT_USE_URANDOM_ACTIONS { FORMAT_ACTION } - #define OPT_UUID_ACTIONS { FORMAT_ACTION, UUID_ACTION } -diff -rupN cryptsetup-2.4.3.old/src/cryptsetup.c cryptsetup-2.4.3/src/cryptsetup.c ---- cryptsetup-2.4.3.old/src/cryptsetup.c 2022-02-23 16:33:42.450525749 +0100 -+++ cryptsetup-2.4.3/src/cryptsetup.c 2022-02-24 08:57:43.036396289 +0100 -@@ -140,7 +140,8 @@ static void _set_activation_flags(uint32 - *flags |= CRYPT_ACTIVATE_IGNORE_PERSISTENT; - - /* Only for LUKS2 but ignored elsewhere */ -- if (ARG_SET(OPT_TEST_PASSPHRASE_ID)) -+ if (ARG_SET(OPT_TEST_PASSPHRASE_ID) && -+ (ARG_SET(OPT_KEY_SLOT_ID) || ARG_SET(OPT_UNBOUND_ID))) - *flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY; - - if (ARG_SET(OPT_SERIALIZE_MEMORY_HARD_PBKDF_ID)) -@@ -3982,6 +3983,18 @@ int main(int argc, const char **argv) - _("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."), - poptGetInvocationName(popt_context)); - -+ if (ARG_SET(OPT_UNBOUND_ID) && !strcmp(aname, OPEN_ACTION) && device_type && -+ strncmp(device_type, "luks", 4)) -+ usage(popt_context, EXIT_FAILURE, -+ _("Option --unbound is allowed only for open of luks device."), -+ poptGetInvocationName(popt_context)); -+ -+ if (ARG_SET(OPT_UNBOUND_ID) && !ARG_SET(OPT_TEST_PASSPHRASE_ID) && -+ !strcmp(aname, OPEN_ACTION)) -+ usage(popt_context, EXIT_FAILURE, -+ _("Option --unbound cannot be used without --test-passphrase."), -+ poptGetInvocationName(popt_context)); -+ - if (ARG_SET(OPT_TCRYPT_HIDDEN_ID) && ARG_SET(OPT_ALLOW_DISCARDS_ID)) - usage(popt_context, EXIT_FAILURE, - _("Option --tcrypt-hidden cannot be combined with --allow-discards."), -diff -rupN cryptsetup-2.4.3.old/tests/compat-test2 cryptsetup-2.4.3/tests/compat-test2 ---- cryptsetup-2.4.3.old/tests/compat-test2 2022-02-23 16:33:42.444525716 +0100 -+++ cryptsetup-2.4.3/tests/compat-test2 2022-02-24 09:05:38.716422307 +0100 -@@ -699,7 +699,7 @@ $CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOP - # otoh it should be allowed to test for proper passphrase - prepare "" new - echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail --echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail -+echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail - echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail - [ -b /dev/mapper/$DEV_NAME ] && fail - echo $PWD1 | $CRYPTSETUP open $HEADER_KEYU $DEV_NAME 2>/dev/null && fail -@@ -708,7 +708,7 @@ echo $PWD0 | $CRYPTSETUP open -S1 --test - $CRYPTSETUP luksKillSlot -q $HEADER_KEYU 0 - $CRYPTSETUP luksDump $HEADER_KEYU | grep -q "0: luks2" && fail - echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail --echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail -+echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail - echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail - - prepare "[28] Detached LUKS header" wipe -@@ -967,11 +967,9 @@ echo $PWD3 | $CRYPTSETUP -q luksAddKey - - # do not allow to replace keyslot by unbound slot - echo $PWD1 | $CRYPTSETUP -q luksAddKey -S5 --unbound -s 32 $LOOPDEV 2>/dev/null && fail - echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail --echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail - echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV $DEV_NAME 2> /dev/null && fail - echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV --test-passphrase || fail - echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail --echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail - # check we're able to change passphrase for unbound keyslot - echo -e "$PWD2\n$PWD3" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail - echo $PWD3 | $CRYPTSETUP open --test-passphrase $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail diff --git a/SOURCES/cryptsetup-2.5.0-Fix-typo-in-repair-prompt.patch b/SOURCES/cryptsetup-2.5.0-Fix-typo-in-repair-prompt.patch deleted file mode 100644 index 5bf54fb..0000000 --- a/SOURCES/cryptsetup-2.5.0-Fix-typo-in-repair-prompt.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -rupN cryptsetup-2.4.3.old/src/cryptsetup.c cryptsetup-2.4.3/src/cryptsetup.c ---- cryptsetup-2.4.3.old/src/cryptsetup.c 2022-01-21 13:14:56.864817351 +0100 -+++ cryptsetup-2.4.3/src/cryptsetup.c 2022-01-21 13:15:15.579947027 +0100 -@@ -1188,7 +1188,7 @@ static int reencrypt_metadata_repair(str - _("Operation aborted.\n"))) - return -EINVAL; - -- r = tools_get_key(_("Enter passphrase to protect and uppgrade reencryption metadata: "), -+ r = tools_get_key(_("Enter passphrase to protect and upgrade reencryption metadata: "), - &password, &passwordLen, ARG_UINT64(OPT_KEYFILE_OFFSET_ID), - ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID), ARG_UINT32(OPT_TIMEOUT_ID), - _verify_passphrase(0), 0, cd); diff --git a/SOURCES/cryptsetup-2.5.0-Get-rid-of-SHA1-in-tests.patch b/SOURCES/cryptsetup-2.5.0-Get-rid-of-SHA1-in-tests.patch deleted file mode 100644 index 4708329..0000000 --- a/SOURCES/cryptsetup-2.5.0-Get-rid-of-SHA1-in-tests.patch +++ /dev/null @@ -1,441 +0,0 @@ -diff -rupN cryptsetup-2.4.3.old/tests/api-test.c cryptsetup-2.4.3/tests/api-test.c ---- cryptsetup-2.4.3.old/tests/api-test.c 2022-02-17 16:37:09.535345938 +0100 -+++ cryptsetup-2.4.3/tests/api-test.c 2022-02-17 16:37:29.156459763 +0100 -@@ -312,7 +312,7 @@ static int _setup(void) - static void AddDevicePlain(void) - { - struct crypt_params_plain params = { -- .hash = "sha1", -+ .hash = "sha256", - .skip = 0, - .offset = 0, - .size = 0 -@@ -322,7 +322,7 @@ static void AddDevicePlain(void) - - const char *passphrase = PASSPHRASE; - // hashed hex version of PASSPHRASE -- const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; -+ const char *mk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea"; - size_t key_size = strlen(mk_hex) / 2; - const char *cipher = "aes"; - const char *cipher_mode = "cbc-essiv:sha256"; -@@ -438,7 +438,7 @@ static void AddDevicePlain(void) - OK_(crypt_deactivate(cd,CDEVICE_1)); - - CRYPT_FREE(cd); -- params.hash = "sha1"; -+ params.hash = "sha256"; - params.offset = 0; - params.size = 0; - params.skip = 0; -@@ -620,7 +620,7 @@ static void new_log(int level, const cha - static void CallbacksTest(void) - { - struct crypt_params_plain params = { -- .hash = "sha1", -+ .hash = "sha256", - .skip = 0, - .offset = 0, - }; -@@ -1116,7 +1116,7 @@ static void LuksHeaderRestore(void) - .data_alignment = 2048, // 4M, data offset will be 4096 - }; - struct crypt_params_plain pl_params = { -- .hash = "sha1", -+ .hash = "sha256", - .skip = 0, - .offset = 0, - .size = 0 -@@ -1203,7 +1203,7 @@ static void LuksHeaderLoad(void) - .data_alignment = 2048, - }; - struct crypt_params_plain pl_params = { -- .hash = "sha1", -+ .hash = "sha256", - .skip = 0, - .offset = 0, - .size = 0 -diff -rupN cryptsetup-2.4.3.old/tests/api-test-2.c cryptsetup-2.4.3/tests/api-test-2.c ---- cryptsetup-2.4.3.old/tests/api-test-2.c 2022-02-17 16:37:09.535345938 +0100 -+++ cryptsetup-2.4.3/tests/api-test-2.c 2022-02-17 16:37:29.155459758 +0100 -@@ -1232,7 +1232,7 @@ static void Luks2HeaderRestore(void) - .sector_size = 512 - }; - struct crypt_params_plain pl_params = { -- .hash = "sha1", -+ .hash = "sha256", - .skip = 0, - .offset = 0, - .size = 0 -@@ -1242,7 +1242,7 @@ static void Luks2HeaderRestore(void) - }; - uint32_t flags = 0; - -- const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; -+ const char *mk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea"; - size_t key_size = strlen(mk_hex) / 2; - const char *cipher = "aes"; - const char *cipher_mode = "cbc-essiv:sha256"; -@@ -1337,7 +1337,7 @@ static void Luks2HeaderLoad(void) - .sector_size = 512 - }; - struct crypt_params_plain pl_params = { -- .hash = "sha1", -+ .hash = "sha256", - .skip = 0, - .offset = 0, - .size = 0 -@@ -2142,7 +2142,7 @@ static void LuksConvert(void) - .parallel_threads = 1 - }, pbkdf2 = { - .type = CRYPT_KDF_PBKDF2, -- .hash = "sha1", -+ .hash = "sha256", - .time_ms = 1 - }; - -@@ -2675,7 +2675,7 @@ static void Pbkdf(void) - .hash = default_luks1_hash - }; - struct crypt_params_plain params = { -- .hash = "sha1", -+ .hash = "sha256", - .skip = 0, - .offset = 0, - .size = 0 -@@ -2874,11 +2874,11 @@ static void Pbkdf(void) - pbkdf2.time_ms = 9; - pbkdf2.hash = NULL; - FAIL_(crypt_set_pbkdf_type(cd, &pbkdf2), "Hash is mandatory for pbkdf2"); -- pbkdf2.hash = "sha1"; -+ pbkdf2.hash = "sha256"; - OK_(crypt_set_pbkdf_type(cd, &pbkdf2)); - - argon2.time_ms = 9; -- argon2.hash = "sha1"; // will be ignored -+ argon2.hash = "sha256"; // will be ignored - OK_(crypt_set_pbkdf_type(cd, &argon2)); - argon2.hash = NULL; - OK_(crypt_set_pbkdf_type(cd, &argon2)); -@@ -3839,7 +3839,7 @@ static void Luks2Reencryption(void) - struct crypt_params_reencrypt retparams = {}, rparams = { - .direction = CRYPT_REENCRYPT_FORWARD, - .resilience = "checksum", -- .hash = "sha1", -+ .hash = "sha256", - .luks2 = ¶ms2, - }; - dev_t devno; -@@ -3983,7 +3983,7 @@ static void Luks2Reencryption(void) - rparams.hash = "hamSter"; - FAIL_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 21, 9, "aes", "xts-plain64", &rparams), "Invalid resilience hash."); - -- rparams.hash = "sha1"; -+ rparams.hash = "sha256"; - OK_(crypt_reencrypt_init_by_passphrase(cd, NULL, PASSPHRASE, strlen(PASSPHRASE), 21, 9, "aes", "xts-plain64", &rparams)); - OK_(crypt_reencrypt_run(cd, NULL, NULL)); - -diff -rupN cryptsetup-2.4.3.old/tests/compat-test cryptsetup-2.4.3/tests/compat-test ---- cryptsetup-2.4.3.old/tests/compat-test 2022-02-17 16:37:09.541345973 +0100 -+++ cryptsetup-2.4.3/tests/compat-test 2022-02-17 16:37:29.157459769 +0100 -@@ -302,8 +302,8 @@ $CRYPTSETUP -q luksUUID $IMG | grep -q $ - prepare "[1] open - compat image - acceptance check" new - echo $PWD0 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail - check_exists --ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ') --[ "$ORG_SHA1" = 676062b66ebf36669dab705442ea0762dfc091b0 ] || fail -+ORG_SHA256=$(sha256sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ') -+[ "$ORG_SHA256" = 7428e8f2436882a07eb32765086f5c899474c08b5576f556b573d2aabdf923e8 ] || fail - $CRYPTSETUP -q luksClose $DEV_NAME || fail - - # Check it can be opened from header backup as well -@@ -315,6 +315,7 @@ $CRYPTSETUP -q luksClose $DEV_NAME || f - $CRYPTSETUP luksHeaderRestore -q $IMG --header-backup-file $HEADER_IMG || fail - - # Repeat for V1.0 header - not aligned first keyslot -+if [ ! fips_mode ] ; then - echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME || fail - check_exists - ORG_SHA1=$(sha1sum -b /dev/mapper/$DEV_NAME | cut -f 1 -d' ') -@@ -326,6 +327,7 @@ $CRYPTSETUP luksHeaderBackup $IMG10 --he - echo $PWD0 | $CRYPTSETUP luksOpen $IMG10 $DEV_NAME --header $HEADER_IMG || fail - check_exists - $CRYPTSETUP -q luksClose $DEV_NAME || fail -+fi - - prepare "[2] open - compat image - denial check" new - echo $PWDW | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail -@@ -526,7 +528,7 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q - - prepare "[19] create & status & resize" wipe - echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash xxx 2>/dev/null && fail --echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail -+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --cipher aes-cbc-essiv:sha256 --offset 3 --skip 4 --readonly || fail - $CRYPTSETUP -q status $DEV_NAME | grep "offset:" | grep -q "3 sectors" || fail - $CRYPTSETUP -q status $DEV_NAME | grep "skipped:" | grep -q "4 sectors" || fail - $CRYPTSETUP -q status $DEV_NAME | grep "mode:" | grep -q "readonly" || fail -@@ -546,15 +548,15 @@ $CRYPTSETUP -q resize $DEV_NAME || fail - $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "32765 sectors" || fail - $CRYPTSETUP -q remove $DEV_NAME || fail - $CRYPTSETUP -q status $DEV_NAME >/dev/null && fail --echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail -+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail - $CRYPTSETUP -q remove $DEV_NAME || fail --echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 $LOOPDEV || fail -+echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 $LOOPDEV || fail - $CRYPTSETUP -q remove $DEV_NAME || fail --echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha1 --size 100 $LOOPDEV || fail -+echo $PWD1 | $CRYPTSETUP -q create $DEV_NAME --hash sha256 --size 100 $LOOPDEV || fail - $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail - $CRYPTSETUP -q remove $DEV_NAME || fail - # 4k sector resize (if kernel supports it) --echo $PWD1 | $CRYPTSETUP -q open --type plain $LOOPDEV $DEV_NAME --sector-size 4096 --size 8 >/dev/null 2>&1 -+echo $PWD1 | $CRYPTSETUP -q open --type plain --hash sha256 $LOOPDEV $DEV_NAME --sector-size 4096 --size 8 >/dev/null 2>&1 - if [ $? -eq 0 ] ; then - $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "8 sectors" || fail - $CRYPTSETUP -q resize $DEV_NAME --size 16 || fail -@@ -567,7 +569,7 @@ if [ $? -eq 0 ] ; then - fi - # Resize not aligned to logical block size - add_scsi_device dev_size_mb=32 sector_size=4096 --echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV || fail -+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV || fail - OLD_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/') - $CRYPTSETUP resize $DEV_NAME -b 7 2> /dev/null && fail - dmsetup info $DEV_NAME | grep -q SUSPENDED && fail -@@ -575,10 +577,10 @@ NEW_SIZE=$($CRYPTSETUP status $DEV_NAME - test $OLD_SIZE -eq $NEW_SIZE || fail - $CRYPTSETUP close $DEV_NAME || fail - # Add check for unaligned plain crypt activation --echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV -b 7 2>/dev/null && fail -+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $DEV -b 7 2>/dev/null && fail - $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail - # verify is ignored on non-tty input --echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --verify-passphrase 2>/dev/null || fail -+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --verify-passphrase 2>/dev/null || fail - $CRYPTSETUP -q remove $DEV_NAME || fail - $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size 255 2>/dev/null && fail - $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size -1 2>/dev/null && fail -@@ -695,15 +697,15 @@ $CRYPTSETUP luksChangeKey $LOOPDEV $FAST - dmsetup remove --retry $DEV_NAME2 - - prepare "[25] Create shared segments" wipe --echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --offset 0 --size 256 || fail --echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 2>/dev/null && fail --echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha1 --offset 512 --size 256 --shared || fail -+echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha256 --offset 0 --size 256 || fail -+echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 2>/dev/null && fail -+echo $PWD1 | $CRYPTSETUP create $DEV_NAME2 $LOOPDEV --hash sha256 --offset 512 --size 256 --shared || fail - $CRYPTSETUP -q remove $DEV_NAME2 || fail - $CRYPTSETUP -q remove $DEV_NAME || fail - - prepare "[26] Suspend/Resume" wipe - # only LUKS is supported --echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $LOOPDEV || fail -+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha256 $LOOPDEV || fail - $CRYPTSETUP luksSuspend $DEV_NAME 2>/dev/null && fail - $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail - $CRYPTSETUP -q remove $DEV_NAME || fail -diff -rupN cryptsetup-2.4.3.old/tests/compat-test2 cryptsetup-2.4.3/tests/compat-test2 ---- cryptsetup-2.4.3.old/tests/compat-test2 2022-02-17 16:37:09.541345973 +0100 -+++ cryptsetup-2.4.3/tests/compat-test2 2022-02-17 16:37:29.158459775 +0100 -@@ -774,7 +774,7 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q - $CRYPTSETUP luksDump $LOOPDEV | grep -q "5: luks2" || fail - $CRYPTSETUP -q convert --type luks1 $LOOPDEV || fail - # hash test --$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha1 || fail -+$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 512 $LOOPDEV $KEY5 -S 0 --hash sha512 || fail - $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 1 -d $KEY5 $LOOPDEV $KEY1 --hash sha256 || fail - $CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail - $CRYPTSETUP -q luksKillSlot $LOOPDEV 1 || fail -diff -rupN cryptsetup-2.4.3.old/tests/discards-test cryptsetup-2.4.3/tests/discards-test ---- cryptsetup-2.4.3.old/tests/discards-test 2022-02-17 16:37:09.541345973 +0100 -+++ cryptsetup-2.4.3/tests/discards-test 2022-02-17 16:37:29.158459775 +0100 -@@ -80,7 +80,7 @@ dmsetup table $DEV_NAME | grep allow_dis - $CRYPTSETUP luksClose $DEV_NAME || fail - - echo "[2] Allowing discards for plain device" --echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha1 --allow-discards || fail -+echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha256 --allow-discards || fail - $CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail - $CRYPTSETUP resize $DEV_NAME --size 100 || fail - $CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail -diff -rupN cryptsetup-2.4.3.old/tests/integrity-compat-test cryptsetup-2.4.3/tests/integrity-compat-test ---- cryptsetup-2.4.3.old/tests/integrity-compat-test 2022-02-17 16:37:09.542345979 +0100 -+++ cryptsetup-2.4.3/tests/integrity-compat-test 2022-02-17 16:37:29.159459781 +0100 -@@ -168,7 +168,7 @@ intformat() # alg alg_out tagsize outtag - echo -n "[FORMAT]" - $INTSETUP format --integrity-legacy-padding -q --integrity $1 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV >/dev/null 2>&1 - if [ $? -ne 0 ] ; then -- if [[ $1 =~ "sha" || $1 =~ "crc" ]] ; then -+ if [[ $1 =~ "sha2" || $1 =~ "crc" ]] ; then - fail "Cannot format device." - fi - echo "[N/A]" -@@ -214,7 +214,14 @@ int_error_detection() # mode alg tagsize - - echo -n "[INTEGRITY:$1:$2:$4:$5]" - echo -n "[FORMAT]" -- $INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null || fail "Cannot format device." -+ $INTSETUP format -q --integrity $2 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV $INT_MODE >/dev/null 2>&1 -+ if [ $? -ne 0 ] ; then -+ if [[ $2 =~ "sha2" || $2 =~ "crc" ]] ; then -+ fail "Cannot format device." -+ fi -+ echo "[N/A]" -+ return -+ fi - echo -n "[ACTIVATE]" - $INTSETUP open $DEV $DEV_NAME --integrity $2 --integrity-no-journal $KEY_PARAMS $INT_MODE || fail "Cannot activate device." - -diff -rupN cryptsetup-2.4.3.old/tests/keyring-compat-test cryptsetup-2.4.3/tests/keyring-compat-test ---- cryptsetup-2.4.3.old/tests/keyring-compat-test 2022-02-17 16:37:09.542345979 +0100 -+++ cryptsetup-2.4.3/tests/keyring-compat-test 2022-02-17 16:39:07.132028140 +0100 -@@ -119,7 +119,7 @@ add_device() { - which dmsetup >/dev/null 2>&1 || skip "Cannot find dmsetup, test skipped" - which keyctl >/dev/null 2>&1 || skip "Cannot find keyctl, test skipped" - which xxd >/dev/null 2>&1 || skip "Cannot find xxd, test skipped" --which sha1sum > /dev/null 2>&1 || skip "Cannot find sha1sum, test skipped" -+which sha256sum >/dev/null 2>&1 || skip "Cannot find sha256sum, test skipped" - modprobe dm-crypt >/dev/null 2>&1 || fail "dm-crypt failed to load" - dm_crypt_keyring_support || skip "dm-crypt doesn't support kernel keyring, test skipped." - -@@ -132,23 +132,23 @@ dd if=/dev/urandom of=$DEV bs=1M count=$ - #test aes cipher with xts mode, plain IV - echo -n "Testing $CIPHER_XTS_PLAIN..." - dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail --sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail -+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail - dmsetup remove --retry $NAME || fail - load_key "$HEXKEY_32" logon $LOGON_KEY_32_OK "$TEST_KEYRING" || fail "Cannot load 32 byte logon key type" - dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN :32:logon:$LOGON_KEY_32_OK 0 $DEV 0" || fail --sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail -+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail - dmsetup remove --retry $NAME || fail - diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)" - # same test using message - dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail --sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail -+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail - dmsetup remove --retry $NAME || fail - dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_XTS_PLAIN $HEXKEY_32 0 $DEV 0" || fail - dmsetup suspend $NAME || fail - dmsetup message $NAME 0 key wipe || fail - dmsetup message $NAME 0 "key set :32:logon:$LOGON_KEY_32_OK" || fail - dmsetup resume $NAME || fail --sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail -+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail - dmsetup remove --retry $NAME || fail - diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)" - echo "OK" -@@ -156,23 +156,23 @@ echo "OK" - #test aes cipher, xts mode, essiv IV - echo -n "Testing $CIPHER_CBC_ESSIV..." - dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail --sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail -+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail - dmsetup remove --retry $NAME || fail - load_key "$HEXKEY_16" logon $LOGON_KEY_16_OK "$TEST_KEYRING" || fail "Cannot load 16 byte logon key type" - dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV :16:logon:$LOGON_KEY_16_OK 0 $DEV 0" || fail --sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail -+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail - dmsetup remove --retry $NAME || fail - diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)" - # same test using message - dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail --sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail -+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail - dmsetup remove --retry $NAME || fail - dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_ESSIV $HEXKEY_16 0 $DEV 0" || fail - dmsetup suspend $NAME || fail - dmsetup message $NAME 0 key wipe || fail - dmsetup message $NAME 0 "key set :16:logon:$LOGON_KEY_16_OK" || fail - dmsetup resume $NAME || fail --sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail -+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail - dmsetup remove --retry $NAME || fail - diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)" - echo "OK" -@@ -181,23 +181,23 @@ echo "OK" - fips_mode || { - echo -n "Testing $CIPHER_CBC_TCW..." - dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail --sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail -+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail - dmsetup remove --retry $NAME || fail - load_key "$HEXKEY_64" logon $LOGON_KEY_64_OK "$TEST_KEYRING" || fail "Cannot load 16 byte logon key type" - dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW :64:logon:$LOGON_KEY_64_OK 0 $DEV 0" || fail --sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail -+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail - dmsetup remove --retry $NAME || fail - diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksum mismatch (corruption)" - # same test using message - dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail --sha1sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail -+sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail - dmsetup remove --retry $NAME || fail - dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail - dmsetup suspend $NAME || fail - dmsetup message $NAME 0 key wipe || fail - dmsetup message $NAME 0 "key set :64:logon:$LOGON_KEY_64_OK" || fail - dmsetup resume $NAME || fail --sha1sum /dev/mapper/$NAME > $CHKS_KEYRING || fail -+sha256sum /dev/mapper/$NAME > $CHKS_KEYRING || fail - dmsetup remove --retry $NAME || fail - diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corruption)" - echo "OK" -@@ -207,10 +207,10 @@ echo -n "Test LUKS2 key refresh..." - echo $PWD | $CRYPTSETUP luksFormat --type luks2 --luks2-metadata-size 16k --luks2-keyslots-size 4064k --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --force-password $DEV || fail - echo $PWD | $CRYPTSETUP open $DEV $NAME || fail - $CRYPTSETUP status $NAME | grep -q -i "location:.*keyring" || skip "LUKS2 can't use keyring. Test skipped." --dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha1sum > $CHKS_KEYRING || fail -+dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha256sum > $CHKS_KEYRING || fail - echo $PWD | $CRYPTSETUP refresh $NAME --disable-keyring || fail - $CRYPTSETUP status $NAME | grep -q -i "location:.*keyring" && fail "Key is still in keyring" --dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha1sum > $CHKS_DMCRYPT || fail -+dd if=/dev/mapper/$NAME bs=1M iflag=direct status=none | sha256sum > $CHKS_DMCRYPT || fail - diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksum mismatch (corruption)" - echo "OK" - -diff -rupN cryptsetup-2.4.3.old/tests/password-hash-test cryptsetup-2.4.3/tests/password-hash-test ---- cryptsetup-2.4.3.old/tests/password-hash-test 2022-02-17 16:37:09.541345973 +0100 -+++ cryptsetup-2.4.3/tests/password-hash-test 2022-02-17 16:37:29.160459787 +0100 -@@ -75,7 +75,7 @@ crypt_key() # hash keysize pwd/file name - esac - - # ignore these cases, not all libs/kernel supports it -- if [ "$1" != "sha1" -a "$1" != "sha256" ] || [ $2 -gt 256 ] ; then -+ if [ "$1" != "sha256" ] || [ $2 -gt 256 ] ; then - if [ $ret -ne 0 ] ; then - echo " [N/A] ($ret, SKIPPED)" - return -diff -rupN cryptsetup-2.4.3.old/tests/reencryption-compat-test cryptsetup-2.4.3/tests/reencryption-compat-test ---- cryptsetup-2.4.3.old/tests/reencryption-compat-test 2022-02-17 16:37:09.541345973 +0100 -+++ cryptsetup-2.4.3/tests/reencryption-compat-test 2022-02-17 16:37:29.160459787 +0100 -@@ -338,7 +338,7 @@ simple_scsi_reenc "[4096/512 sector]" - echo "[OK]" - - echo "[8] Header only reencryption (hash and iteration time)" --echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --hash sha1 $FAST_PBKDF $LOOPDEV1 || fail -+echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 --hash sha512 $FAST_PBKDF $LOOPDEV1 || fail - wipe $PWD1 - check_hash $PWD1 $HASH1 - echo $PWD1 | $REENC $LOOPDEV1 -q --keep-key || fail -diff -rupN cryptsetup-2.4.3.old/tests/verity-compat-test cryptsetup-2.4.3/tests/verity-compat-test ---- cryptsetup-2.4.3.old/tests/verity-compat-test 2022-02-17 16:37:09.541345973 +0100 -+++ cryptsetup-2.4.3/tests/verity-compat-test 2022-02-17 16:37:29.161459793 +0100 -@@ -148,7 +148,13 @@ function check_root_hash() # $1 size, $2 - for fail in data hash; do - wipe - echo -n "V$4(sb=$sb root_hash_as_file=$root_hash_as_file) $5 block size $1: " -- $VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >$DEV_OUT || fail -+ $VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >$DEV_OUT -+ if [ $? -ne 0 ] ; then -+ if [[ $1 =~ "sha2" ]] ; then -+ fail "Cannot format device." -+ fi -+ return -+ fi - - echo -n "[root hash]" - compare_out "root hash" $2 diff --git a/SOURCES/cryptsetup-2.5.1-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch b/SOURCES/cryptsetup-2.5.1-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch deleted file mode 100644 index 2cd9115..0000000 --- a/SOURCES/cryptsetup-2.5.1-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch +++ /dev/null @@ -1,364 +0,0 @@ -diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_backend.h cryptsetup-2.4.3/lib/crypto_backend/crypto_backend.h ---- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_backend.h 2022-01-13 10:14:51.000000000 +0100 -+++ cryptsetup-2.4.3/lib/crypto_backend/crypto_backend.h 2022-08-10 17:04:13.727162964 +0200 -@@ -134,5 +134,8 @@ static inline void crypt_backend_memzero - while(n--) *p++ = 0; - #endif - } -+ -+/* crypto backend running in FIPS mode */ -+bool crypt_fips_mode(void); - - #endif /* _CRYPTO_BACKEND_H */ -diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_gcrypt.c cryptsetup-2.4.3/lib/crypto_backend/crypto_gcrypt.c ---- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_gcrypt.c 2022-01-13 10:14:51.000000000 +0100 -+++ cryptsetup-2.4.3/lib/crypto_backend/crypto_gcrypt.c 2022-08-10 17:06:28.163895662 +0200 -@@ -550,3 +550,20 @@ out: - return -ENOTSUP; - #endif - } -+ -+#if !ENABLE_FIPS -+bool crypt_fips_mode(void) { return false; } -+#else -+bool crypt_fips_mode(void) -+{ -+ static bool fips_mode = false, fips_checked = false; -+ -+ if (fips_checked) -+ return fips_mode; -+ -+ fips_mode = gcry_fips_mode_active(); -+ fips_checked = true; -+ -+ return fips_mode; -+} -+#endif /* ENABLE FIPS */ -diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_kernel.c cryptsetup-2.4.3/lib/crypto_backend/crypto_kernel.c ---- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_kernel.c 2022-01-13 10:14:51.000000000 +0100 -+++ cryptsetup-2.4.3/lib/crypto_backend/crypto_kernel.c 2022-08-10 17:07:06.720105794 +0200 -@@ -416,3 +416,8 @@ int crypt_bitlk_decrypt_key(const void * - return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length, - iv, iv_length, tag, tag_length); - } -+ -+bool crypt_fips_mode(void) -+{ -+ return false; -+} -diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_nettle.c cryptsetup-2.4.3/lib/crypto_backend/crypto_nettle.c ---- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_nettle.c 2022-01-13 10:14:51.000000000 +0100 -+++ cryptsetup-2.4.3/lib/crypto_backend/crypto_nettle.c 2022-08-10 17:07:18.127167962 +0200 -@@ -446,3 +446,8 @@ int crypt_bitlk_decrypt_key(const void * - return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length, - iv, iv_length, tag, tag_length); - } -+ -+bool crypt_fips_mode(void) -+{ -+ return false; -+} -diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_nss.c cryptsetup-2.4.3/lib/crypto_backend/crypto_nss.c ---- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_nss.c 2022-01-13 10:14:51.000000000 +0100 -+++ cryptsetup-2.4.3/lib/crypto_backend/crypto_nss.c 2022-08-10 17:07:24.547202954 +0200 -@@ -395,3 +395,8 @@ int crypt_bitlk_decrypt_key(const void * - return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length, - iv, iv_length, tag, tag_length); - } -+ -+bool crypt_fips_mode(void) -+{ -+ return false; -+} -diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_openssl.c cryptsetup-2.4.3/lib/crypto_backend/crypto_openssl.c ---- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_openssl.c 2022-01-13 10:14:51.000000000 +0100 -+++ cryptsetup-2.4.3/lib/crypto_backend/crypto_openssl.c 2022-08-10 17:05:51.483695770 +0200 -@@ -809,3 +809,29 @@ out: - return -ENOTSUP; - #endif - } -+ -+#if !ENABLE_FIPS -+bool crypt_fips_mode(void) { return false; } -+#else -+static bool openssl_fips_mode(void) -+{ -+#if OPENSSL_VERSION_MAJOR >= 3 -+ return EVP_default_properties_is_fips_enabled(NULL); -+#else -+ return FIPS_mode(); -+#endif -+} -+ -+bool crypt_fips_mode(void) -+{ -+ static bool fips_mode = false, fips_checked = false; -+ -+ if (fips_checked) -+ return fips_mode; -+ -+ fips_mode = openssl_fips_mode(); -+ fips_checked = true; -+ -+ return fips_mode; -+} -+#endif /* ENABLE FIPS */ -diff -rupN cryptsetup-2.4.3.old/lib/internal.h cryptsetup-2.4.3/lib/internal.h ---- cryptsetup-2.4.3.old/lib/internal.h 2022-01-13 10:14:51.000000000 +0100 -+++ cryptsetup-2.4.3/lib/internal.h 2022-08-10 17:03:00.348765820 +0200 -@@ -38,7 +38,6 @@ - #include "utils_crypt.h" - #include "utils_loop.h" - #include "utils_dm.h" --#include "utils_fips.h" - #include "utils_keyring.h" - #include "utils_io.h" - #include "crypto_backend/crypto_backend.h" -diff -rupN cryptsetup-2.4.3.old/lib/Makemodule.am cryptsetup-2.4.3/lib/Makemodule.am ---- cryptsetup-2.4.3.old/lib/Makemodule.am 2022-01-13 10:14:51.000000000 +0100 -+++ cryptsetup-2.4.3/lib/Makemodule.am 2022-08-10 17:03:00.342765787 +0200 -@@ -54,8 +54,6 @@ libcryptsetup_la_SOURCES = \ - lib/utils_loop.h \ - lib/utils_devpath.c \ - lib/utils_wipe.c \ -- lib/utils_fips.c \ -- lib/utils_fips.h \ - lib/utils_device.c \ - lib/utils_keyring.c \ - lib/utils_keyring.h \ -diff -rupN cryptsetup-2.4.3.old/lib/utils_fips.c cryptsetup-2.4.3/lib/utils_fips.c ---- cryptsetup-2.4.3.old/lib/utils_fips.c 2022-01-13 10:14:51.000000000 +0100 -+++ cryptsetup-2.4.3/lib/utils_fips.c 1970-01-01 01:00:00.000000000 +0100 -@@ -1,55 +0,0 @@ --/* -- * FIPS mode utilities -- * -- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved. -- * -- * This program is free software; you can redistribute it and/or -- * modify it under the terms of the GNU General Public License -- * as published by the Free Software Foundation; either version 2 -- * of the License, or (at your option) any later version. -- * -- * This program is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. -- * -- * You should have received a copy of the GNU General Public License -- * along with this program; if not, write to the Free Software -- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -- */ -- --#include --#include --#include --#include "utils_fips.h" -- --#if !ENABLE_FIPS --bool crypt_fips_mode(void) { return false; } --#else --static bool fips_checked = false; --static bool fips_mode = false; -- --static bool kernel_fips_mode(void) --{ -- int fd; -- char buf[1] = ""; -- -- if ((fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY)) >= 0) { -- while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR); -- close(fd); -- } -- -- return (buf[0] == '1'); --} -- --bool crypt_fips_mode(void) --{ -- if (fips_checked) -- return fips_mode; -- -- fips_mode = kernel_fips_mode() && !access("/etc/system-fips", F_OK); -- fips_checked = true; -- -- return fips_mode; --} --#endif /* ENABLE_FIPS */ -diff -rupN cryptsetup-2.4.3.old/lib/utils_fips.h cryptsetup-2.4.3/lib/utils_fips.h ---- cryptsetup-2.4.3.old/lib/utils_fips.h 2022-01-13 10:14:51.000000000 +0100 -+++ cryptsetup-2.4.3/lib/utils_fips.h 1970-01-01 01:00:00.000000000 +0100 -@@ -1,28 +0,0 @@ --/* -- * FIPS mode utilities -- * -- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved. -- * -- * This program is free software; you can redistribute it and/or -- * modify it under the terms of the GNU General Public License -- * as published by the Free Software Foundation; either version 2 -- * of the License, or (at your option) any later version. -- * -- * This program is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. -- * -- * You should have received a copy of the GNU General Public License -- * along with this program; if not, write to the Free Software -- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -- */ -- --#ifndef _UTILS_FIPS_H --#define _UTILS_FIPS_H -- --#include -- --bool crypt_fips_mode(void); -- --#endif /* _UTILS_FIPS_H */ -diff -rupN cryptsetup-2.4.3.old/Makefile.in cryptsetup-2.4.3/Makefile.in ---- cryptsetup-2.4.3.old/Makefile.in 2022-01-13 10:24:33.000000000 +0100 -+++ cryptsetup-2.4.3/Makefile.in 2022-08-10 17:28:09.508914077 +0200 -@@ -281,7 +281,6 @@ am_libcryptsetup_la_OBJECTS = lib/libcry - lib/libcryptsetup_la-utils_loop.lo \ - lib/libcryptsetup_la-utils_devpath.lo \ - lib/libcryptsetup_la-utils_wipe.lo \ -- lib/libcryptsetup_la-utils_fips.lo \ - lib/libcryptsetup_la-utils_device.lo \ - lib/libcryptsetup_la-utils_keyring.lo \ - lib/libcryptsetup_la-utils_device_locking.lo \ -@@ -547,7 +546,6 @@ am__depfiles_remade = lib/$(DEPDIR)/cryp - lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo \ - lib/$(DEPDIR)/libcryptsetup_la-utils_device_locking.Plo \ - lib/$(DEPDIR)/libcryptsetup_la-utils_devpath.Plo \ -- lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo \ - lib/$(DEPDIR)/libcryptsetup_la-utils_keyring.Plo \ - lib/$(DEPDIR)/libcryptsetup_la-utils_loop.Plo \ - lib/$(DEPDIR)/libcryptsetup_la-utils_pbkdf.Plo \ -@@ -1036,8 +1034,6 @@ libcryptsetup_la_SOURCES = \ - lib/utils_loop.h \ - lib/utils_devpath.c \ - lib/utils_wipe.c \ -- lib/utils_fips.c \ -- lib/utils_fips.h \ - lib/utils_device.c \ - lib/utils_keyring.c \ - lib/utils_keyring.h \ -@@ -1551,8 +1547,6 @@ lib/libcryptsetup_la-utils_devpath.lo: l - lib/$(DEPDIR)/$(am__dirstamp) - lib/libcryptsetup_la-utils_wipe.lo: lib/$(am__dirstamp) \ - lib/$(DEPDIR)/$(am__dirstamp) --lib/libcryptsetup_la-utils_fips.lo: lib/$(am__dirstamp) \ -- lib/$(DEPDIR)/$(am__dirstamp) - lib/libcryptsetup_la-utils_device.lo: lib/$(am__dirstamp) \ - lib/$(DEPDIR)/$(am__dirstamp) - lib/libcryptsetup_la-utils_keyring.lo: lib/$(am__dirstamp) \ -@@ -1811,7 +1805,6 @@ distclean-compile: - @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo@am__quote@ # am--include-marker - @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_device_locking.Plo@am__quote@ # am--include-marker - @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_devpath.Plo@am__quote@ # am--include-marker --@AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo@am__quote@ # am--include-marker - @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_keyring.Plo@am__quote@ # am--include-marker - @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_loop.Plo@am__quote@ # am--include-marker - @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_pbkdf.Plo@am__quote@ # am--include-marker -@@ -2105,13 +2098,6 @@ lib/libcryptsetup_la-utils_wipe.lo: lib/ - @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ - @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -c -o lib/libcryptsetup_la-utils_wipe.lo `test -f 'lib/utils_wipe.c' || echo '$(srcdir)/'`lib/utils_wipe.c - --lib/libcryptsetup_la-utils_fips.lo: lib/utils_fips.c --@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -MT lib/libcryptsetup_la-utils_fips.lo -MD -MP -MF lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Tpo -c -o lib/libcryptsetup_la-utils_fips.lo `test -f 'lib/utils_fips.c' || echo '$(srcdir)/'`lib/utils_fips.c --@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Tpo lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo --@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='lib/utils_fips.c' object='lib/libcryptsetup_la-utils_fips.lo' libtool=yes @AMDEPBACKSLASH@ --@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ --@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -c -o lib/libcryptsetup_la-utils_fips.lo `test -f 'lib/utils_fips.c' || echo '$(srcdir)/'`lib/utils_fips.c -- - lib/libcryptsetup_la-utils_device.lo: lib/utils_device.c - @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -MT lib/libcryptsetup_la-utils_device.lo -MD -MP -MF lib/$(DEPDIR)/libcryptsetup_la-utils_device.Tpo -c -o lib/libcryptsetup_la-utils_device.lo `test -f 'lib/utils_device.c' || echo '$(srcdir)/'`lib/utils_device.c - @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) lib/$(DEPDIR)/libcryptsetup_la-utils_device.Tpo lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo -@@ -2987,7 +2973,6 @@ distclean: distclean-recursive - -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo - -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_device_locking.Plo - -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_devpath.Plo -- -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo - -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_keyring.Plo - -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_loop.Plo - -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_pbkdf.Plo -@@ -3124,7 +3109,6 @@ maintainer-clean: maintainer-clean-recur - -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo - -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_device_locking.Plo - -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_devpath.Plo -- -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo - -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_keyring.Plo - -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_loop.Plo - -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_pbkdf.Plo -diff -rupN cryptsetup-2.4.3.old/po/POTFILES.in cryptsetup-2.4.3/po/POTFILES.in ---- cryptsetup-2.4.3.old/po/POTFILES.in 2022-01-13 10:23:53.000000000 +0100 -+++ cryptsetup-2.4.3/po/POTFILES.in 2022-08-10 17:03:30.306926994 +0200 -@@ -6,7 +6,6 @@ lib/volumekey.c - lib/crypt_plain.c - lib/utils_crypt.c - lib/utils_loop.c --lib/utils_fips.c - lib/utils_device.c - lib/utils_devpath.c - lib/utils_pbkdf.c -diff -rupN cryptsetup-2.4.3.old/src/cryptsetup.h cryptsetup-2.4.3/src/cryptsetup.h ---- cryptsetup-2.4.3.old/src/cryptsetup.h 2022-01-13 10:14:51.000000000 +0100 -+++ cryptsetup-2.4.3/src/cryptsetup.h 2022-08-10 17:03:30.307926999 +0200 -@@ -44,7 +44,6 @@ - #include "lib/bitops.h" - #include "lib/utils_crypt.h" - #include "lib/utils_loop.h" --#include "lib/utils_fips.h" - #include "lib/utils_io.h" - #include "lib/utils_blkid.h" - #include "lib/libcryptsetup_macros.h" -diff -rupN cryptsetup-2.4.3.old/tests/compat-test cryptsetup-2.4.3/tests/compat-test ---- cryptsetup-2.4.3.old/tests/compat-test 2022-08-10 16:36:36.593578847 +0200 -+++ cryptsetup-2.4.3/tests/compat-test 2022-08-10 17:03:30.308927004 +0200 -@@ -44,7 +44,7 @@ KEY_MATERIAL5_EXT="S331776-395264" - TEST_UUID="12345678-1234-1234-1234-123456789abc" - - LOOPDEV=$(losetup -f 2>/dev/null) --[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) -+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) - - function remove_mapping() - { -diff -rupN cryptsetup-2.4.3.old/tests/compat-test2 cryptsetup-2.4.3/tests/compat-test2 ---- cryptsetup-2.4.3.old/tests/compat-test2 2022-08-10 16:36:57.610677161 +0200 -+++ cryptsetup-2.4.3/tests/compat-test2 2022-08-10 17:03:30.308927004 +0200 -@@ -42,7 +42,7 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-f - TEST_UUID="12345678-1234-1234-1234-123456789abc" - - LOOPDEV=$(losetup -f 2>/dev/null) --[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) -+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) - - function remove_mapping() - { -diff -rupN cryptsetup-2.4.3.old/tests/keyring-compat-test cryptsetup-2.4.3/tests/keyring-compat-test ---- cryptsetup-2.4.3.old/tests/keyring-compat-test 2022-08-10 16:36:36.594578852 +0200 -+++ cryptsetup-2.4.3/tests/keyring-compat-test 2022-08-10 17:09:55.062022004 +0200 -@@ -26,7 +26,7 @@ PWD="aaa" - [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".." - CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup - --[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) -+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) - - function remove_mapping() - { -diff -rupN cryptsetup-2.4.3.old/tests/luks2-reencryption-test cryptsetup-2.4.3/tests/luks2-reencryption-test ---- cryptsetup-2.4.3.old/tests/luks2-reencryption-test 2022-08-10 16:37:14.711757148 +0200 -+++ cryptsetup-2.4.3/tests/luks2-reencryption-test 2022-08-10 17:03:30.310927015 +0200 -@@ -25,7 +25,7 @@ PWD2="1cND4319812f" - PWD3="1-9Qu5Ejfnqv" - DEV_LINK="reenc-test-link" - --[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) -+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) - - function dm_crypt_features() - { diff --git a/SOURCES/cryptsetup-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch b/SOURCES/cryptsetup-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch new file mode 100644 index 0000000..bc50c82 --- /dev/null +++ b/SOURCES/cryptsetup-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch @@ -0,0 +1,161 @@ +From c18dcfaa0b91eb48006232fbfadce9e6a9b4a790 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Fri, 2 Dec 2022 15:39:36 +0100 +Subject: [PATCH 2/2] Abort encryption when header and data devices are same. + +If data device reduction is not requsted this led +to data corruption since LUKS metadata was written +over the data device. +--- + src/utils_reencrypt.c | 42 ++++++++++++++++++++++++++++++---- + tests/luks2-reencryption-test | 16 +++++++++++++ + tests/reencryption-compat-test | 20 +++++++++++++--- + 3 files changed, 70 insertions(+), 8 deletions(-) + +diff --git a/src/utils_reencrypt.c b/src/utils_reencrypt.c +index 87ead680..73e0bca8 100644 +--- a/src/utils_reencrypt.c ++++ b/src/utils_reencrypt.c +@@ -467,6 +467,26 @@ static int reencrypt_check_active_device_sb_block_size(const char *active_device + return reencrypt_check_data_sb_block_size(dm_device, new_sector_size); + } + ++static int reencrypt_is_header_detached(const char *header_device, const char *data_device) ++{ ++ int r; ++ struct stat st; ++ struct crypt_device *cd; ++ ++ if (!header_device) ++ return 0; ++ ++ if (header_device && stat(header_device, &st) < 0 && errno == ENOENT) ++ return 1; ++ ++ if ((r = crypt_init_data_device(&cd, header_device, data_device))) ++ return r; ++ ++ r = crypt_header_is_detached(cd); ++ crypt_free(cd); ++ return r; ++} ++ + static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device, const char *device_name) + { + int keyslot, r, fd; +@@ -490,9 +510,14 @@ static int encrypt_luks2_init(struct crypt_device **cd, const char *data_device, + + _set_reencryption_flags(¶ms.flags); + +- if (!data_shift && !ARG_SET(OPT_HEADER_ID)) { +- log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size).")); +- return -ENOTSUP; ++ if (!data_shift) { ++ r = reencrypt_is_header_detached(ARG_STR(OPT_HEADER_ID), data_device); ++ if (r < 0) ++ return r; ++ if (!r) { ++ log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size).")); ++ return -ENOTSUP; ++ } + } + + if (!ARG_SET(OPT_HEADER_ID) && ARG_UINT64(OPT_OFFSET_ID) && +@@ -1358,9 +1383,16 @@ static int _encrypt(struct crypt_device *cd, const char *type, enum device_statu + if (!type) + type = crypt_get_default_type(); + +- if (dev_st == DEVICE_LUKS1_UNUSABLE || isLUKS1(type)) ++ if (dev_st == DEVICE_LUKS1_UNUSABLE || isLUKS1(type)) { ++ r = reencrypt_is_header_detached(ARG_STR(OPT_HEADER_ID), action_argv[0]); ++ if (r < 0) ++ return r; ++ if (!r && !ARG_SET(OPT_REDUCE_DEVICE_SIZE_ID)) { ++ log_err(_("Encryption without detached header (--header) is not possible without data device size reduction (--reduce-device-size).")); ++ return -ENOTSUP; ++ } + return reencrypt_luks1(action_argv[0]); +- else if (dev_st == DEVICE_NOT_LUKS) { ++ } else if (dev_st == DEVICE_NOT_LUKS) { + r = encrypt_luks2_init(&encrypt_cd, action_argv[0], action_argc > 1 ? action_argv[1] : NULL); + if (r < 0 || ARG_SET(OPT_INIT_ONLY_ID)) { + crypt_free(encrypt_cd); +diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test +index bab54353..a647a8c2 100755 +--- a/tests/luks2-reencryption-test ++++ b/tests/luks2-reencryption-test +@@ -1080,6 +1080,22 @@ $CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail + $CRYPTSETUP close $DEV_NAME + echo $PWD1 | $CRYPTSETUP open --header $IMG_HDR $DEV --test-passphrase || fail + ++# Encrypt without size reduction must not allow header device same as data device ++wipe_dev_head $DEV 1 ++echo $PWD1 | $CRYPTSETUP reencrypt $DEV --type luks2 --encrypt --header $DEV -q $FAST_PBKDF_ARGON 2>/dev/null && fail ++$CRYPTSETUP isLUKS $DEV 2>/dev/null && fail ++ln -s $DEV $DEV_LINK || fail ++echo $PWD1 | $CRYPTSETUP reencrypt $DEV --type luks2 --encrypt --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail ++$CRYPTSETUP isLUKS $DEV 2>/dev/null && fail ++rm -f $DEV_LINK || fail ++ ++dd if=/dev/zero of=$IMG bs=4k count=1 >/dev/null 2>&1 ++echo $PWD1 | $CRYPTSETUP reencrypt $IMG --type luks2 --encrypt --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail ++$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail ++ln -s $IMG $DEV_LINK || fail ++echo $PWD1 | $CRYPTSETUP reencrypt $IMG --type luks2 --encrypt --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail ++$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail ++ + echo "[4] Reencryption with detached header" + wipe $PWD1 $IMG_HDR + echo $PWD1 | $CRYPTSETUP reencrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail +diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test +index f6a84137..453831d1 100755 +--- a/tests/reencryption-compat-test ++++ b/tests/reencryption-compat-test +@@ -15,6 +15,7 @@ IMG=reenc-data + IMG_HDR=$IMG.hdr + HEADER_LUKS2_PV=blkid-luks2-pv.img + ORIG_IMG=reenc-data-orig ++DEV_LINK="reenc-test-link" + KEY1=key1 + PWD1="93R4P4pIqAH8" + PWD2="1cND4319812f" +@@ -40,7 +41,7 @@ function remove_mapping() + [ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2 + [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME + [ ! -z "$LOOPDEV1" ] && losetup -d $LOOPDEV1 >/dev/null 2>&1 +- rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $HEADER_LUKS2_PV >/dev/null 2>&1 ++ rm -f $IMG $IMG_HDR $ORIG_IMG $KEY1 $HEADER_LUKS2_PV $DEV_LINK >/dev/null 2>&1 + umount $MNT_DIR > /dev/null 2>&1 + rmdir $MNT_DIR > /dev/null 2>&1 + LOOPDEV1="" +@@ -302,12 +303,25 @@ check_slot 0 || fail "Only keyslot 0 expected to be enabled" + $REENC $LOOPDEV1 -d $KEY1 $FAST_PBKDF -q || fail + # FIXME echo $PWD1 | $REENC ... + +-if [ ! fips_mode ]; then + echo "[4] Encryption of not yet encrypted device" ++# Encrypt without size reduction must not allow header device same as data device ++wipe_dev $LOOPDEV1 ++echo $PWD1 | $REENC $LOOPDEV1 --type luks1 --new --header $LOOPDEV1 -q $FAST_PBKDF_ARGON 2>/dev/null && fail ++$CRYPTSETUP isLUKS $LOOPDEV1 2>/dev/null && fail ++ln -s $LOOPDEV1 $DEV_LINK || fail ++echo $PWD1 | $REENC $LOOPDEV1 --type luks1 --new --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail ++$CRYPTSETUP isLUKS $LOOPDEV1 2>/dev/null && fail ++rm -f $DEV_LINK || fail ++echo $PWD1 | $REENC $IMG --type luks1 --new --header $IMG -q $FAST_PBKDF_ARGON 2>/dev/null && fail ++$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail ++ln -s $IMG $DEV_LINK || fail ++echo $PWD1 | $REENC $IMG --type luks1 --new --header $DEV_LINK -q $FAST_PBKDF_ARGON 2>/dev/null && fail ++$CRYPTSETUP isLUKS $IMG 2>/dev/null && fail ++ ++if [ ! fips_mode ]; then + # well, movin' zeroes :-) + OFFSET=2048 + SIZE=$(blockdev --getsz $LOOPDEV1) +-wipe_dev $LOOPDEV1 + dmsetup create $DEV_NAME2 --table "0 $(($SIZE - $OFFSET)) linear $LOOPDEV1 0" || fail + check_hash_dev /dev/mapper/$DEV_NAME2 $HASH3 + dmsetup remove --retry $DEV_NAME2 || fail +-- +2.38.1 + diff --git a/SOURCES/cryptsetup-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch b/SOURCES/cryptsetup-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch index 566526e..6a401f2 100644 --- a/SOURCES/cryptsetup-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch +++ b/SOURCES/cryptsetup-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch @@ -18,19 +18,22 @@ Skip tests that can not satisfy minimal test passphrase length: tests/compat-test2 | 16 +++-- tests/keyring-compat-test | 2 +- tests/reencryption-compat-test | 10 +++ - tests/ssh-plugin-test | 2 +- + tests/ssh-test-plugin | 2 +- 9 files changed, 110 insertions(+), 72 deletions(-) diff --git a/tests/align-test b/tests/align-test index eedf8b77..5941cde2 100755 --- a/tests/align-test +++ b/tests/align-test -@@ -10,6 +10,13 @@ PWD1="93R4P4pIqAH8" +@@ -10,9 +10,16 @@ PWD1="93R4P4pIqAH8" PWD2="mymJeD8ivEhE" FAST_PBKDF="--pbkdf-force-iterations 1000" +FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) + + CRYPTSETUP_VALGRIND=../.libs/cryptsetup + CRYPTSETUP_LIB_VALGRIND=../.libs + +function fips_mode() +{ + [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ] @@ -116,16 +119,16 @@ index b7c762d9..2c39191b 100644 - const char *tmp_buf, *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd"; + const char *tmp_buf, *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd"; - const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; - const char *mk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e"; - size_t key_size = strlen(mk_hex) / 2; + const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; + const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e"; + size_t key_size = strlen(vk_hex) / 2; @@ -1056,7 +1056,6 @@ static void Luks2MetadataSize(void) }; char key[128], tmp[128]; - const char *passphrase = "blabla"; - const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; - size_t key_size = strlen(mk_hex) / 2; + const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; + size_t key_size = strlen(vk_hex) / 2; const char *cipher = "aes"; @@ -1103,7 +1102,7 @@ static void Luks2MetadataSize(void) OK_(crypt_init(&cd, DMDIR H_DEVICE)); @@ -184,8 +187,8 @@ index b7c762d9..2c39191b 100644 EQ_(r, -ETXTBSY); /* crypt_persistent_flasgs_set (restricted) */ -@@ -3364,10 +3363,10 @@ static void Luks2Requirements(void) - EQ_(flags, (uint32_t) CRYPT_REQUIREMENT_UNKNOWN); +@@ -3400,10 +3399,10 @@ static void Luks2Requirements(void) + EQ_(flags, CRYPT_REQUIREMENT_UNKNOWN); /* crypt_activate_by_passphrase (restricted for activation only) */ - FAIL_((r = crypt_activate_by_passphrase(cd, CDEVICE_1, 0, "aaa", 3, 0)), "Unmet requirements detected"); @@ -415,6 +418,15 @@ index b7c762d9..2c39191b 100644 OK_(crypt_deactivate(cd, CDEVICE_1)); +@@ -4825,7 +4830,7 @@ static void LuksKeyslotAdd(void) + crypt_keyslot_context_free(um2); + + // generate new unbound key +- OK_(crypt_keyslot_context_init_by_volume_key(cd, NULL, 1, &um1)); ++ OK_(crypt_keyslot_context_init_by_volume_key(cd, NULL, 9, &um1)); + OK_(crypt_keyslot_context_init_by_keyfile(cd, KEYFILE1, 0, 0, &um2)); + EQ_(crypt_keyslot_add_by_keyslot_context(cd, CRYPT_ANY_SLOT, um1, 10, um2, CRYPT_VOLUME_KEY_NO_SEGMENT), 10); + EQ_(crypt_keyslot_status(cd, 10), CRYPT_SLOT_UNBOUND); diff --git a/tests/api-test.c b/tests/api-test.c index 2b2f0813..9bb6d2f1 100644 --- a/tests/api-test.c @@ -430,14 +442,15 @@ index 2b2f0813..9bb6d2f1 100644 #define DEVICE_TEST_UUID "12345678-1234-1234-1234-123456789abc" -@@ -321,6 +321,6 @@ static void AddDevicePlain(void) +@@ -327,7 +327,7 @@ static void AddDevicePlain(void) char key[128], key2[128], path[128]; + struct crypt_keyslot_context *kc = NULL; - const char *passphrase = PASSPHRASE; + const char *passphrase = "blabla"; // hashed hex version of PASSPHRASE - const char *mk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea"; - size_t key_size = strlen(mk_hex) / 2; + const char *vk_hex = "ccadd99b16cd3d200c22d6db45d8b6630ef3d936767127347ec8a76ab992c2ea"; + size_t key_size = strlen(vk_hex) / 2; @@ -772,6 +772,10 @@ static void SuspendDevice(void) OK_(crypt_deactivate(cd, CDEVICE_1)); CRYPT_FREE(cd); @@ -449,15 +462,24 @@ index 2b2f0813..9bb6d2f1 100644 OK_(get_luks_offsets(0, key_size, 1024*2, 0, NULL, &r_payload_offset)); OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1)); -@@ -795,7 +799,7 @@ static void AddDeviceLuks(void) +@@ -806,7 +810,7 @@ static void AddDeviceLuks(void) }; char key[128], key2[128], key3[128]; - const char *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd"; + const char *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd"; - const char *mk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; - const char *mk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e"; - size_t key_size = strlen(mk_hex) / 2; + const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; + const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e"; + size_t key_size = strlen(vk_hex) / 2; +@@ -2105,7 +2109,7 @@ static void LuksKeyslotAdd(void) + }; + char key[128], key3[128]; + +- const char *passphrase = "blabla", *passphrase2 = "nsdkFI&Y#.sd"; ++ const char *passphrase = PASSPHRASE, *passphrase2 = "nsdkFI&Y#.sd"; + const char *vk_hex = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a"; + const char *vk_hex2 = "bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1e"; + size_t key_size = strlen(vk_hex) / 2; diff --git a/tests/compat-test b/tests/compat-test index 356b7283..6dc80041 100755 --- a/tests/compat-test @@ -474,18 +496,18 @@ index 356b7283..6dc80041 100755 $CRYPTSETUP -q luksClose $DEV_NAME || fail +fi # open by volume key - echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT -s 256 --master-key-file $KEY1 $LOOPDEV || fail - $CRYPTSETUP luksOpen --master-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail -@@ -498,7 +501,7 @@ echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV -- + echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT -s 256 --volume-key-file $KEY1 $LOOPDEV || fail + $CRYPTSETUP luksOpen --volume-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail +@@ -503,7 +506,7 @@ echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV -- echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail # keyfile/passphrase --echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail +-echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail +echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 8 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: ENABLED" || fail prepare "[18] RemoveKey passphrase and keyfile" reuse -@@ -723,12 +726,15 @@ echo $PWDW | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail +@@ -728,12 +731,15 @@ echo $PWDW | $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail [ $? -ne 2 ] && fail "luksResume should return EPERM exit code" echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME || fail $CRYPTSETUP -q luksClose $DEV_NAME || fail @@ -499,13 +521,13 @@ index 356b7283..6dc80041 100755 $CRYPTSETUP -q luksClose $DEV_NAME || fail +fi - prepare "[27] luksOpen with specified key slot number" wipe + prepare "[27] luksOpen/luksResume with specified key slot number" wipe # first, let's try passphrase option diff --git a/tests/compat-test2 b/tests/compat-test2 index 2f18d7b6..c54dc7ea 100755 --- a/tests/compat-test2 +++ b/tests/compat-test2 -@@ -421,10 +421,14 @@ if [ -d /dev/disk/by-uuid ] ; then +@@ -427,10 +427,14 @@ if [ -d /dev/disk/by-uuid ] ; then $CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail $CRYPTSETUP -q luksClose $DEV_NAME || fail fi @@ -518,22 +540,22 @@ index 2f18d7b6..c54dc7ea 100755 +fi + # open by volume key - echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT -s 256 --master-key-file $KEY1 --type luks2 $LOOPDEV || fail - $CRYPTSETUP luksOpen --master-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail -@@ -471,7 +475,7 @@ echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV -- + echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT -s 256 --volume-key-file $KEY1 --type luks2 $LOOPDEV || fail + $CRYPTSETUP luksOpen --volume-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail +@@ -477,7 +481,7 @@ echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV -- echo $PWD2 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 1 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail # keyfile/passphrase --echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail +-echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 3 || fail +echo -e "$PWD2\n" | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT $LOOPDEV $KEY1 --key-slot 2 --new-keyfile-size 8 || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2" || fail prepare "[18] RemoveKey passphrase and keyfile" reuse -@@ -949,14 +953,14 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail +@@ -1001,14 +1005,14 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail $CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "pbkdf2" || fail echo $PWD1 | $CRYPTSETUP -q luksConvertKey $LOOPDEV -S 1 --pbkdf argon2i -i1 --pbkdf-memory 32 || can_fail_fips $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || can_fail_fips --echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 21 --unbound -s 16 $LOOPDEV || fail +-echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 21 --unbound -s 16 $LOOPDEV || fail +echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT -S 21 --unbound -s 72 $LOOPDEV || fail echo $PWD3 | $CRYPTSETUP luksConvertKey --pbkdf-force-iterations 1001 --pbkdf pbkdf2 -S 21 $LOOPDEV || fail @@ -541,21 +563,21 @@ index 2f18d7b6..c54dc7ea 100755 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY5 --key-slot 5 || fail # unbound key may have arbitrary size -echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 16 $LOOPDEV || fail --echo $PWD2 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 32 -S 2 $LOOPDEV || fail +-echo $PWD2 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 32 -S 2 $LOOPDEV || fail +echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 72 $LOOPDEV || fail +echo $PWD2 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 72 -S 2 $LOOPDEV || fail $CRYPTSETUP luksDump $LOOPDEV | grep -q "2: luks2 (unbound)" || fail dd if=/dev/urandom of=$KEY_FILE0 bs=64 count=1 > /dev/null 2>&1 || fail - echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --unbound -s 512 -S 3 --master-key-file $KEY_FILE0 $LOOPDEV || fail -@@ -1048,10 +1052,10 @@ $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 --key-slot 2 - + echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --unbound -s 512 -S 3 --volume-key-file $KEY_FILE0 $LOOPDEV || fail +@@ -1100,10 +1104,10 @@ $CRYPTSETUP luksChangeKey $LOOPDEV $FAST_PBKDF_OPT -d $KEY2 $KEY1 --key-slot 2 - [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "2: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "2: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail # unbound keyslot --echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --key-slot 21 --unbound -s 32 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail +-echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 21 --unbound -s 32 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail +echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 21 --unbound -s 72 --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "21: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "21: luks2" | grep "Cipher key:"| sed -e 's/[[:space:]]\+Cipher\ key:\ \+//g')" = "128 bits" ] || fail --echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --key-slot 22 --unbound -s 32 $LOOPDEV || fail +-echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 22 --unbound -s 32 $LOOPDEV || fail +echo $PWD3 | $CRYPTSETUP luksAddKey -q $FAST_PBKDF_OPT --key-slot 22 --unbound -s 72 $LOOPDEV || fail echo $PWD3 | $CRYPTSETUP luksConvertKey --key-slot 22 $LOOPDEV --keyslot-cipher $KEYSLOT_CIPHER --keyslot-key-size 128 $LOOPDEV || fail [ "$($CRYPTSETUP luksDump $IMG | grep -A8 -m1 "22: luks2" | grep "Cipher:" | sed -e 's/[[:space:]]\+Cipher:\ \+//g')" = $KEYSLOT_CIPHER ] || fail @@ -614,27 +636,27 @@ index 433f4d4c..f6a84137 100755 echo "[10] Removal of encryption" prepare 8192 echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF $LOOPDEV1 || fail -@@ -405,6 +405,7 @@ echo $PWD1 | $REENC $LOOPDEV1 -q $FAST_P - check_hash $PWD1 $HASH4 $IMG_HDR - $CRYPTSETUP isLuks $LOOPDEV1 && fail - $CRYPTSETUP isLuks $IMG_HDR || fail +@@ -460,6 +469,7 @@ if [ "$HAVE_BLKID" -gt 0 ]; then + echo $PWD1 | $REENC --header $IMG_HDR $HEADER_LUKS2_PV -q $FAST_PBKDF --new --type luks1 2>/dev/null && fail + test -f $IMG_HDR && fail + fi +fi # if [ ! fips_mode ] remove_mapping exit 0 -diff --git a/tests/ssh-plugin-test b/tests/ssh-plugin-test +diff --git a/tests/ssh-test-plugin b/tests/ssh-test-plugin index 0a440b93..5b3966e7 100755 ---- a/tests/ssh-plugin-test -+++ b/tests/ssh-plugin-test -@@ -9,7 +9,7 @@ CRYPTSETUP_SSH=$CRYPTSETUP_PATH/cryptsetup-ssh +--- a/tests/ssh-test-plugin ++++ b/tests/ssh-test-plugin +@@ -11,7 +11,7 @@ CRYPTSETUP_SSH=$CRYPTSETUP_PATH/cryptsetup-ssh IMG="ssh_test.img" MAP="sshtest" USER="sshtest" -PASSWD="sshtest" +PASSWD="sshtest1" PASSWD2="sshtest2" - LOOPDEV=$(losetup -f 2>/dev/null) SSH_OPTIONS="-o StrictHostKeyChecking=no" + -- 2.38.1 diff --git a/SOURCES/cryptsetup-2.6.1-Enable-crypt_header_is_detached-for-empty-contexts.patch b/SOURCES/cryptsetup-2.6.1-Enable-crypt_header_is_detached-for-empty-contexts.patch new file mode 100644 index 0000000..cfbd36a --- /dev/null +++ b/SOURCES/cryptsetup-2.6.1-Enable-crypt_header_is_detached-for-empty-contexts.patch @@ -0,0 +1,55 @@ +From be088b8de8d636993767a42f195ffd3bf915e567 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Mon, 12 Dec 2022 17:33:12 +0100 +Subject: [PATCH 1/2] Enable crypt_header_is_detached for empty contexts. + +Also changes few tests now expecting crypt_header_is_detached +works with empty contexts. +--- + lib/setup.c | 2 +- + tests/api-test-2.c | 2 +- + tests/api-test.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/lib/setup.c b/lib/setup.c +index f169942c..3263578b 100644 +--- a/lib/setup.c ++++ b/lib/setup.c +@@ -3242,7 +3242,7 @@ int crypt_header_is_detached(struct crypt_device *cd) + { + int r; + +- if (!cd || !isLUKS(cd->type)) ++ if (!cd || (cd->type && !isLUKS(cd->type))) + return -EINVAL; + + r = device_is_identical(crypt_data_device(cd), crypt_metadata_device(cd)); +diff --git a/tests/api-test-2.c b/tests/api-test-2.c +index 2c39191b..c7e930ca 100644 +--- a/tests/api-test-2.c ++++ b/tests/api-test-2.c +@@ -889,7 +889,7 @@ static void AddDeviceLuks2(void) + FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, key, key_size, 0), "Device is active"); + EQ_(crypt_status(cd, CDEVICE_2), CRYPT_INACTIVE); + OK_(crypt_deactivate(cd, CDEVICE_1)); +- FAIL_(crypt_header_is_detached(cd), "no header for mismatched device"); ++ EQ_(crypt_header_is_detached(cd), 1); + CRYPT_FREE(cd); + + params.data_device = NULL; +diff --git a/tests/api-test.c b/tests/api-test.c +index 9bb6d2f1..f6e33a40 100644 +--- a/tests/api-test.c ++++ b/tests/api-test.c +@@ -960,7 +960,7 @@ static void AddDeviceLuks(void) + FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_2, key, key_size, 0), "Device is active"); + EQ_(crypt_status(cd, CDEVICE_2), CRYPT_INACTIVE); + OK_(crypt_deactivate(cd, CDEVICE_1)); +- FAIL_(crypt_header_is_detached(cd), "no header for mismatched device"); ++ EQ_(crypt_header_is_detached(cd), 1); + CRYPT_FREE(cd); + + params.data_device = NULL; +-- +2.38.1 + diff --git a/SOURCES/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch b/SOURCES/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch index d072e8d..59db57f 100644 --- a/SOURCES/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch +++ b/SOURCES/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch @@ -16,7 +16,7 @@ diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c index de97b73c..225e84b8 100644 --- a/lib/luks1/keymanage.c +++ b/lib/luks1/keymanage.c -@@ -922,8 +922,11 @@ int LUKS_set_key(unsigned int keyIndex, +@@ -924,8 +924,11 @@ int LUKS_set_key(unsigned int keyIndex, hdr->keyblock[keyIndex].passwordSalt, LUKS_SALTSIZE, derived_key->key, hdr->keyBytes, hdr->keyblock[keyIndex].passwordIterations, 0, 0); @@ -28,13 +28,13 @@ index de97b73c..225e84b8 100644 + } /* - * AF splitting, the masterkey stored in vk->key is split to AfKey + * AF splitting, the volume key stored in vk->key is split to AfKey diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c index 78f74242..f480bcab 100644 --- a/lib/luks2/luks2_keyslot_luks2.c +++ b/lib/luks2/luks2_keyslot_luks2.c -@@ -256,6 +256,8 @@ static int luks2_keyslot_set_key(struct crypt_device *cd, - pbkdf.parallel_threads); +@@ -265,6 +265,8 @@ static int luks2_keyslot_set_key(struct crypt_device *cd, + free(salt); if (r < 0) { crypt_free_volume_key(derived_key); + if (crypt_fips_mode() && passwordLen < 8 && !strcmp(pbkdf.type, "pbkdf2")) diff --git a/SPECS/cryptsetup.spec b/SPECS/cryptsetup.spec index f9fa98d..fce51de 100644 --- a/SPECS/cryptsetup.spec +++ b/SPECS/cryptsetup.spec @@ -1,32 +1,31 @@ Summary: Utility for setting up encrypted disks Name: cryptsetup -Version: 2.4.3 -Release: 5%{?dist}.1 +Version: 2.6.0 +Release: 2%{?dist} License: GPLv2+ and LGPLv2+ URL: https://gitlab.com/cryptsetup/cryptsetup BuildRequires: openssl-devel, popt-devel, device-mapper-devel BuildRequires: libuuid-devel, gcc, json-c-devel BuildRequires: libpwquality-devel, libblkid-devel BuildRequires: make +BuildRequires: asciidoctor Requires: cryptsetup-libs = %{version}-%{release} Requires: libpwquality >= 1.2.0 +Obsoletes: %{name}-reencrypt <= %{version} +Provides: %{name}-reencrypt = %{version} %global upstream_version %{version} -Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-%{upstream_version}.tar.xz -# binary archive with updated compatimage.img.xz for testing (can not be patched via rpmbuild) +Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-%{upstream_version}.tar.xz + +# binary archive with updated tests/conversion_imgs.tar.xz and tests/luks2_header_requirements.tar.xz +# for testing (can not be patched via rpmbuild) Source1: tests.tar.xz -Source2: tests_fips.tar.xz # Following patch has to applied last -Patch0000: %{name}-2.5.0-Fix-typo-in-repair-prompt.patch -Patch0001: %{name}-2.5.0-Fix-PBKDF-benchmark-in-OpenSSL3-FIPS-mode.patch -Patch0002: %{name}-2.5.0-Get-rid-of-SHA1-in-tests.patch -Patch0003: %{name}-2.5.0-Do-not-use-too-small-key-in-tests.patch -Patch0004: %{name}-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch -Patch0005: %{name}-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch -Patch0006: %{name}-2.5.1-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch -Patch0007: %{name}-2.6.1-Run-PBKDF-benchmark-with-8-bytes-long-well-known-pas.patch -Patch0008: %{name}-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch +Patch0000: %{name}-2.6.1-Run-PBKDF-benchmark-with-8-bytes-long-well-known-pas.patch +Patch0001: %{name}-2.6.1-Change-tests-to-use-passphrases-with-minimal-8-chars.patch +Patch0002: %{name}-2.6.1-Enable-crypt_header_is_detached-for-empty-contexts.patch +Patch0003: %{name}-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch Patch9998: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch Patch9999: %{name}-add-system-library-paths.patch @@ -65,24 +64,12 @@ Requires: cryptsetup-libs = %{version}-%{release} The integritysetup package contains a utility for setting up disk integrity protection using dm-integrity kernel module. -%package reencrypt -Summary: A utility for offline reencryption of LUKS encrypted disks -Requires: cryptsetup-libs = %{version}-%{release} - -%description reencrypt -This package contains cryptsetup-reencrypt utility which -can be used for offline reencryption of disk in situ. - %prep %autosetup -n cryptsetup-%{upstream_version} -p 1 -a 1 -# workaround, since autosetup doesn't support multiple -a options (last one wins) -# https://github.com/rpm-software-management/rpm/issues/462 -%autosetup -D -T -a 2 -N -chmod -x misc/dracut_90reencrypt/* - %build -%configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --disable-ssh-token +rm -f man/*.8 +%configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --disable-ssh-token --enable-asciidoc %make_build %install @@ -95,8 +82,9 @@ rm -rf %{buildroot}%{_libdir}/*.la %files %license COPYING -%doc AUTHORS FAQ docs/*ReleaseNotes +%doc AUTHORS FAQ.md docs/*ReleaseNotes %{_mandir}/man8/cryptsetup.8.gz +%{_mandir}/man8/cryptsetup-*.8.gz %{_sbindir}/cryptsetup %files -n veritysetup @@ -109,12 +97,6 @@ rm -rf %{buildroot}%{_libdir}/*.la %{_mandir}/man8/integritysetup.8.gz %{_sbindir}/integritysetup -%files reencrypt -%license COPYING -%doc misc/dracut_90reencrypt -%{_mandir}/man8/cryptsetup-reencrypt.8.gz -%{_sbindir}/cryptsetup-reencrypt - %files devel %doc docs/examples/* %{_includedir}/libcryptsetup.h @@ -129,11 +111,14 @@ rm -rf %{buildroot}%{_libdir}/*.la %ghost %attr(700, -, -) %dir /run/cryptsetup %changelog -* Wed Dec 21 2022 Daniel Zatovic - 2.4.3-5.1 -- patch: Run PBKDF benchmark with 8 bytes long well-known passphrase. -- patch: Change tests to use passphrases with minimal 8 chars length. -- patch: Add FIPS related error message in keyslot add code. -- Resolves: #2151576 +* Wed Dec 14 2022 Daniel Zatovic - 2.6.0-2 +- Fix FIPS related bugs. +- Abort encryption when header and data devices are same. +- Resolves: #2150251 #2148841 + +* Wed Nov 30 2022 Daniel Zatovic - 2.6.0-1 +- Update to cryptsetup 2.6.0. +- Resolves: #2003748 #2108404 #1862173 * Wed Aug 10 2022 Ondrej Kozina - 2.4.3-5 - patch: Delegate FIPS mode detection to crypto backend.