diff --git a/.cryptsetup.metadata b/.cryptsetup.metadata index b45bee0..65fb1bd 100644 --- a/.cryptsetup.metadata +++ b/.cryptsetup.metadata @@ -1 +1 @@ -a2590635ff89a7c2fdb2fbbaaecfb2a27617efef SOURCES/cryptsetup-2.0.6.tar.xz +bb89099b839b962a13efacdd52d6ce6e408ca971 SOURCES/cryptsetup-2.2.0.tar.xz diff --git a/.gitignore b/.gitignore index 8ee04b7..51ae054 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/cryptsetup-2.0.6.tar.xz +SOURCES/cryptsetup-2.2.0.tar.xz diff --git a/SOURCES/cryptsetup-2.2.1-add-opt-io-size-parameter-to-LUKS2-reencrypt-test-de.patch b/SOURCES/cryptsetup-2.2.1-add-opt-io-size-parameter-to-LUKS2-reencrypt-test-de.patch new file mode 100644 index 0000000..c95ca7e --- /dev/null +++ b/SOURCES/cryptsetup-2.2.1-add-opt-io-size-parameter-to-LUKS2-reencrypt-test-de.patch @@ -0,0 +1,70 @@ +From 4862e22cd0ac9ed8395003c209d048889a009969 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Fri, 23 Aug 2019 16:34:33 +0200 +Subject: [PATCH 2/5] Add opt-io size parameter to LUKS2 reencrypt test device. + +So that we can test recovery is not broken for optimal io size +optimization added to reencryption code. +--- + tests/luks2-reencryption-test | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test +index f88e7f1..558b8dd 100755 +--- a/tests/luks2-reencryption-test ++++ b/tests/luks2-reencryption-test +@@ -244,15 +244,16 @@ function fix_writes() { # $1 dmdev, $2 data dev + } + + function prepare_linear_dev() { +- if [ "$1" -gt 32 ]; then +- preparebig $1 ++ local _sizemb=$1 ++ shift ++ ++ if [ "$_sizemb" -gt 32 ]; then ++ preparebig $_sizemb + else +- prepare dev_size_mb=$1 ++ prepare dev_size_mb=$_sizemb $@ + fi + +- local _size=$(blockdev --getsz $DEV) +- +- dmsetup create $OVRDEV --table "0 $_size linear $DEV 0" || fail ++ dmsetup create $OVRDEV --table "0 $((_sizemb*1024*2)) linear $DEV 0" || fail + + OLD_DEV=$DEV + DEV=/dev/mapper/$OVRDEV +@@ -875,7 +876,9 @@ if ! dm_delay_features; then + fi + + echo "[6] Reencryption recovery" +-prepare_linear_dev 32 ++# (check opt-io size optimization in reencryption code does not affect recovery) ++# device with opt-io size 32k ++prepare_linear_dev 32 opt_blks=64 opt_xferlen_exp=6 + OFFSET=8192 + + echo "sector size 512->512" +@@ -957,7 +960,7 @@ if [ -n "$DM_SECTOR_SIZE" ]; then + fi + + echo "[8] Reencryption with detached header recovery" +-prepare_linear_dev 31 ++prepare_linear_dev 31 opt_blks=64 opt_xferlen_exp=6 + + echo "sector size 512->512" + +@@ -1076,7 +1079,7 @@ if [ -n "$DM_SECTOR_SIZE" ]; then + fi + + echo "[12] Encryption with detached header recovery" +-prepare_linear_dev 31 ++prepare_linear_dev 31 opt_blks=64 opt_xferlen_exp=6 + + get_error_offsets 31 0 + +-- +1.8.3.1 + diff --git a/SOURCES/cryptsetup-2.2.1-fix-mapped-segments-overflow-on-32bit-architectures.patch b/SOURCES/cryptsetup-2.2.1-fix-mapped-segments-overflow-on-32bit-architectures.patch new file mode 100644 index 0000000..2a54dd5 --- /dev/null +++ b/SOURCES/cryptsetup-2.2.1-fix-mapped-segments-overflow-on-32bit-architectures.patch @@ -0,0 +1,158 @@ +From 8f8f0b3258152a260c6a40be89b485f943f81484 Mon Sep 17 00:00:00 2001 +From: Milan Broz +Date: Mon, 26 Aug 2019 10:01:17 +0200 +Subject: [PATCH] Fix mapped segments overflow on 32bit architectures. + +All set_segment funcions must use uin64_t everywhere, +not size_t that is platform dependent. + +The code later uses it correctly, it is just wrong function +prototype definitions. + +Reported in +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935702 + +(TODO: add a test for other segment types.) +--- + lib/libdevmapper.c | 12 ++++++------ + lib/utils_dm.h | 12 ++++++------ + tests/integrity-compat-test | 26 ++++++++++++++++++++++++++ + 3 files changed, 38 insertions(+), 12 deletions(-) + +diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c +index e92ceda..9c40bb1 100644 +--- a/lib/libdevmapper.c ++++ b/lib/libdevmapper.c +@@ -2759,9 +2759,9 @@ int dm_is_dm_kernel_name(const char *name) + return strncmp(name, "dm-", 3) ? 0 : 1; + } + +-int dm_crypt_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size, ++int dm_crypt_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size, + struct device *data_device, struct volume_key *vk, const char *cipher, +- size_t iv_offset, size_t data_offset, const char *integrity, uint32_t tag_size, ++ uint64_t iv_offset, uint64_t data_offset, const char *integrity, uint32_t tag_size, + uint32_t sector_size) + { + int r = -EINVAL; +@@ -2800,7 +2800,7 @@ err: + return r; + } + +-int dm_verity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size, ++int dm_verity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size, + struct device *data_device, struct device *hash_device, struct device *fec_device, + const char *root_hash, uint32_t root_hash_size, uint64_t hash_offset_block, + uint64_t hash_blocks, struct crypt_params_verity *vp) +@@ -2826,7 +2826,7 @@ int dm_verity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_si + return 0; + } + +-int dm_integrity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size, ++int dm_integrity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size, + struct device *meta_device, + struct device *data_device, uint64_t tag_size, uint64_t offset, + uint32_t sector_size, struct volume_key *vk, +@@ -2865,8 +2865,8 @@ int dm_integrity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg + return 0; + } + +-int dm_linear_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size, +- struct device *data_device, size_t data_offset) ++int dm_linear_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size, ++ struct device *data_device, uint64_t data_offset) + { + if (!data_device) + return -EINVAL; +diff --git a/lib/utils_dm.h b/lib/utils_dm.h +index 4a1e1d3..124a1c7 100644 +--- a/lib/utils_dm.h ++++ b/lib/utils_dm.h +@@ -168,22 +168,22 @@ void dm_backend_exit(struct crypt_device *cd); + int dm_targets_allocate(struct dm_target *first, unsigned count); + void dm_targets_free(struct crypt_device *cd, struct crypt_dm_active_device *dmd); + +-int dm_crypt_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size, ++int dm_crypt_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size, + struct device *data_device, struct volume_key *vk, const char *cipher, +- size_t iv_offset, size_t data_offset, const char *integrity, ++ uint64_t iv_offset, uint64_t data_offset, const char *integrity, + uint32_t tag_size, uint32_t sector_size); +-int dm_verity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size, ++int dm_verity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size, + struct device *data_device, struct device *hash_device, struct device *fec_device, + const char *root_hash, uint32_t root_hash_size, uint64_t hash_offset_block, + uint64_t hash_blocks, struct crypt_params_verity *vp); +-int dm_integrity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size, ++int dm_integrity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size, + struct device *meta_device, + struct device *data_device, uint64_t tag_size, uint64_t offset, uint32_t sector_size, + struct volume_key *vk, + struct volume_key *journal_crypt_key, struct volume_key *journal_mac_key, + const struct crypt_params_integrity *ip); +-int dm_linear_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size, +- struct device *data_device, size_t data_offset); ++int dm_linear_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size, ++ struct device *data_device, uint64_t data_offset); + + int dm_remove_device(struct crypt_device *cd, const char *name, uint32_t flags); + int dm_status_device(struct crypt_device *cd, const char *name); +diff --git a/tests/integrity-compat-test b/tests/integrity-compat-test +index 5f2c14e..836975d 100755 +--- a/tests/integrity-compat-test ++++ b/tests/integrity-compat-test +@@ -9,6 +9,8 @@ INTSETUP_VALGRIND=../.libs/integritysetup + INTSETUP_LIB_VALGRIND=../.libs + + DEV_NAME=dmc_test ++DEV_NAME_BIG=dmc_fake ++DEV_LOOP="" + DEV=test123.img + DEV2=test124.img + KEY_FILE=key.img +@@ -20,6 +22,9 @@ dmremove() { # device + + cleanup() { + [ -b /dev/mapper/$DEV_NAME ] && dmremove $DEV_NAME ++ [ -b /dev/mapper/$DEV_NAME_BIG ] && dmremove $DEV_NAME_BIG ++ [ -n "$DEV_LOOP" ] && losetup -d "$DEV_LOOP" ++ DEV_LOOP="" + rm -f $DEV $DEV2 $KEY_FILE >/dev/null 2>&1 + } + +@@ -292,6 +297,7 @@ int_mode() # alg tag_size sector_size [keyfile keysize] + + [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." + [ ! -x "$INTSETUP" ] && skip "Cannot find $INTSETUP, test skipped." ++which blockdev >/dev/null || skip "Cannot find blockdev utility, test skipped." + + [ -n "$VALG" ] && valgrind_setup && INTSETUP=valgrind_run + which hexdump >/dev/null 2>&1 || skip "WARNING: hexdump tool required." +@@ -389,4 +395,24 @@ else + echo "[N/A]" + fi + ++echo -n "Big device:" ++add_device ++DEV_LOOP=$(losetup -f $DEV --show) ++if [ -n "$DEV_LOOP" ] ; then ++dmsetup create $DEV_NAME_BIG < +Date: Thu, 22 Aug 2019 17:05:43 +0200 +Subject: [PATCH 1/5] Take optimal io size in account with LUKS2 reencryption. + +If device properly exposes optimal io size, let's align +reencryption hotzone to it. Otherwise device-mapper driver +complaints about misaligned tables and reencryption performance +is not optimal. +--- + lib/luks2/luks2_reencrypt.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +diff --git a/lib/luks2/luks2_reencrypt.c b/lib/luks2/luks2_reencrypt.c +index 1d70aaf..1f5eb5f 100644 +--- a/lib/luks2/luks2_reencrypt.c ++++ b/lib/luks2/luks2_reencrypt.c +@@ -817,8 +817,13 @@ static int reencrypt_offset(struct luks2_hdr *hdr, + return -EINVAL; + } + +-static uint64_t reencrypt_length(struct luks2_hdr *hdr, struct luks2_reenc_context *rh, uint64_t keyslot_area_length, uint64_t length_max) ++static uint64_t reencrypt_length(struct crypt_device *cd, ++ struct luks2_hdr *hdr, ++ struct luks2_reenc_context *rh, ++ uint64_t keyslot_area_length, ++ uint64_t length_max) + { ++ unsigned long dummy, optimal_alignment; + uint64_t length; + + if (rh->rp.type == REENC_PROTECTION_NONE) +@@ -835,6 +840,20 @@ static uint64_t reencrypt_length(struct luks2_hdr *hdr, struct luks2_reenc_conte + + length -= (length % rh->alignment); + ++ /* Emits error later */ ++ if (!length) ++ return length; ++ ++ device_topology_alignment(cd, crypt_data_device(cd), &optimal_alignment, &dummy, length); ++ ++ /* we have to stick with encryption sector size alignment */ ++ if (optimal_alignment % rh->alignment) ++ return length; ++ ++ /* align to opt-io size only if remaining size allows it */ ++ if (length > optimal_alignment) ++ length -= (length % optimal_alignment); ++ + return length; + } + +@@ -920,7 +939,7 @@ static int reencrypt_context_init(struct crypt_device *cd, struct luks2_hdr *hdr + } else + rh->fixed_length = false; + +- rh->length = reencrypt_length(hdr, rh, area_length, params->max_hotzone_size << SECTOR_SHIFT); ++ rh->length = reencrypt_length(cd, hdr, rh, area_length, params->max_hotzone_size << SECTOR_SHIFT); + if (reencrypt_offset(hdr, rh->direction, device_size, &rh->length, &rh->offset)) { + log_dbg(cd, "Failed to get reencryption offset."); + return -EINVAL; +-- +1.8.3.1 + diff --git a/SOURCES/cryptsetup-disable-luks2-integrity-test-until-next-usptream-rel.patch b/SOURCES/cryptsetup-disable-luks2-integrity-test-until-next-usptream-rel.patch deleted file mode 100644 index aed5fc9..0000000 --- a/SOURCES/cryptsetup-disable-luks2-integrity-test-until-next-usptream-rel.patch +++ /dev/null @@ -1,24 +0,0 @@ -From 620f0cc8c0b69f9c9c56b5d13f3411f217ae9925 Mon Sep 17 00:00:00 2001 -From: Ondrej Kozina -Date: Wed, 8 Aug 2018 11:40:55 +0200 -Subject: [PATCH 6/7] Disable luks2-integrity-test until next usptream release. - ---- - tests/luks2-integrity-test | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/tests/luks2-integrity-test b/tests/luks2-integrity-test -index 0b7ddf0..d69df1c 100755 ---- a/tests/luks2-integrity-test -+++ b/tests/luks2-integrity-test -@@ -114,6 +114,7 @@ intformat() # alg integrity integrity_out key_size int_key_size sector_size csum - } - - -+skip "WARNING: This test can't be run with current build due to some hard coded values bound to old LUKS2 header size." - [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." - [ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." - modprobe dm-integrity >/dev/null 2>&1 --- -1.8.3.1 - diff --git a/SOURCES/cryptsetup-disable-verity-compat-test.patch b/SOURCES/cryptsetup-disable-verity-compat-test.patch new file mode 100644 index 0000000..efc3363 --- /dev/null +++ b/SOURCES/cryptsetup-disable-verity-compat-test.patch @@ -0,0 +1,13 @@ +diff --git a/tests/Makefile.localtest b/tests/Makefile.localtest +index 29a62f3..da2183e 100644 +--- a/tests/Makefile.localtest ++++ b/tests/Makefile.localtest +@@ -5,7 +5,7 @@ + CPPFLAGS=-I../lib/ -I../lib/luks1 -DHAVE_DECL_DM_TASK_RETRY_REMOVE -DKERNEL_KEYRING -DHAVE_SYS_SYSMACROS_H -DNO_CRYPTSETUP_PATH + CFLAGS=-O2 -g -Wall + LDLIBS=-lcryptsetup -ldevmapper +-TESTS=$(wildcard *-test *-test2) api-test api-test-2 ++TESTS=$(filter-out verity-compat-test, $(wildcard *-test *-test2)) api-test api-test-2 + + differ: differ.o + $(CC) -o $@ $^ diff --git a/SOURCES/cryptsetup-increase-default-LUKS2-header-size-to-8MiBs.patch b/SOURCES/cryptsetup-increase-default-LUKS2-header-size-to-8MiBs.patch deleted file mode 100644 index 76e86a7..0000000 --- a/SOURCES/cryptsetup-increase-default-LUKS2-header-size-to-8MiBs.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 18ec689f77a66f4d0632ee2829efccb542ba5f3b Mon Sep 17 00:00:00 2001 -From: Ondrej Kozina -Date: Fri, 3 Aug 2018 15:42:00 +0200 -Subject: [PATCH 7/7] Increase default LUKS2 header size to 8MiBs. - ---- - lib/luks2/luks2.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/luks2/luks2.h b/lib/luks2/luks2.h -index 2a49618..892e847 100644 ---- a/lib/luks2/luks2.h -+++ b/lib/luks2/luks2.h -@@ -124,7 +124,7 @@ struct luks2_keyslot_params { - - #define LUKS2_HDR_BIN_LEN sizeof(struct luks2_hdr_disk) - --#define LUKS2_HDR_DEFAULT_LEN 0x400000 /* 4 MiB */ -+#define LUKS2_HDR_DEFAULT_LEN 0x800000 /* 8 MiB */ - - #define LUKS2_MAX_KEYSLOTS_SIZE 0x8000000 /* 128 MiB */ - --- -1.8.3.1 - diff --git a/SOURCES/cryptsetup-make-align-test-ready-for-larger-LUKS2-hdr.patch b/SOURCES/cryptsetup-make-align-test-ready-for-larger-LUKS2-hdr.patch deleted file mode 100644 index 735c608..0000000 --- a/SOURCES/cryptsetup-make-align-test-ready-for-larger-LUKS2-hdr.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff -rupN cryptsetup-2.0.6.old/tests/align-test2 cryptsetup-2.0.6/tests/align-test2 ---- cryptsetup-2.0.6.old/tests/align-test2 2018-12-03 12:53:41.293185399 +0100 -+++ cryptsetup-2.0.6/tests/align-test2 2018-12-03 12:54:27.821936718 +0100 -@@ -9,7 +9,9 @@ PWD1="93R4P4pIqAH8" - PWD2="mymJeD8ivEhE" - FAST_PBKDF="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" - --EXPCT=8192 -+# FIXME: we need some sane API to get this information. This is hack. -+LUKS2_HDR_DEFAULT_LEN=$(grep -e "#define LUKS2_HDR_DEFAULT_LEN" ../lib/luks2/luks2.h | cut -d ' ' -f 3) -+EXPCT=$((LUKS2_HDR_DEFAULT_LEN/512)) - - cleanup() { - udevadm settle >/dev/null 2>&1 diff --git a/SOURCES/cryptsetup-make-api-test-2-default-LUKS2-hdr-size-aware.patch b/SOURCES/cryptsetup-make-api-test-2-default-LUKS2-hdr-size-aware.patch deleted file mode 100644 index 67192f7..0000000 --- a/SOURCES/cryptsetup-make-api-test-2-default-LUKS2-hdr-size-aware.patch +++ /dev/null @@ -1,439 +0,0 @@ -diff -rupN cryptsetup-2.0.4.old/tests/api-test-2.c cryptsetup-2.0.4/tests/api-test-2.c ---- cryptsetup-2.0.4.old/tests/api-test-2.c 2018-08-08 14:05:02.000387826 +0200 -+++ cryptsetup-2.0.4/tests/api-test-2.c 2018-08-08 14:05:35.946311814 +0200 -@@ -41,6 +41,7 @@ typedef int32_t key_serial_t; - - #include "api_test.h" - #include "luks.h" -+#include "luks2.h" - #include "libcryptsetup.h" - - #define DMDIR "/dev/mapper/" -@@ -165,31 +166,18 @@ static unsigned _min(unsigned a, unsigne - return a < b ? a : b; - } - --/* FIXME: will fail with various LUKS2 header sizes */ --static int get_luks2_offsets(int metadata_device, -- unsigned int alignpayload_sec, -- unsigned int alignoffset_sec, /* unused in LUKS2, bug? */ -- unsigned int sector_size, -+static int get_luks2_offsets(unsigned int alignpayload_sec, - uint64_t *r_header_size, - uint64_t *r_payload_offset) - { -- if (!sector_size) -- sector_size = 512; /* default? */ -- -- if ((sector_size % 512) && (sector_size % 4096)) -- return -1; -- - if (r_payload_offset) { -- if (metadata_device) -- *r_payload_offset = DIV_ROUND_UP_MODULO(4*1024*1024, (alignpayload_sec ?: 1) * sector_size); -- else -- *r_payload_offset = alignpayload_sec * sector_size; -+ *r_payload_offset = DIV_ROUND_UP_MODULO(LUKS2_HDR_DEFAULT_LEN, (alignpayload_sec ?: 1) * SECTOR_SIZE); - -- *r_payload_offset /= sector_size; -+ *r_payload_offset >>= SECTOR_SHIFT; - } - - if (r_header_size) -- *r_header_size = (4*1024*1024) / sector_size; -+ *r_header_size = LUKS2_HDR_DEFAULT_LEN >> SECTOR_SHIFT; - - return 0; - } -@@ -585,7 +573,7 @@ static void AddDeviceLuks2(void) - crypt_decode_key(key3, mk_hex2, key_size); - - // init test devices -- OK_(get_luks2_offsets(1, 0, 0, 0, &r_header_size, &r_payload_offset)); -+ OK_(get_luks2_offsets(0, &r_header_size, &r_payload_offset)); - OK_(create_dmdevice_over_loop(H_DEVICE, r_header_size)); - OK_(create_dmdevice_over_loop(H_DEVICE_WRONG, r_header_size - 1)); - -@@ -613,8 +601,8 @@ static void AddDeviceLuks2(void) - /* - * test limit values for backing device size - */ -- params.data_alignment = 8192; -- OK_(get_luks2_offsets(0, params.data_alignment, 0, 0, NULL, &r_payload_offset)); -+ params.data_alignment = LUKS2_HDR_DEFAULT_LEN >> SECTOR_SHIFT; -+ OK_(get_luks2_offsets(params.data_alignment, NULL, &r_payload_offset)); - OK_(create_dmdevice_over_loop(L_DEVICE_0S, r_payload_offset)); - OK_(create_dmdevice_over_loop(L_DEVICE_1S, r_payload_offset + 1)); - OK_(create_dmdevice_over_loop(L_DEVICE_WRONG, r_payload_offset - 1)); -@@ -767,7 +755,7 @@ static void AddDeviceLuks2(void) - OK_(strcmp(cipher, crypt_get_cipher(cd))); - OK_(strcmp(cipher_mode, crypt_get_cipher_mode(cd))); - EQ_((int)key_size, crypt_get_volume_key_size(cd)); -- EQ_(8192, crypt_get_data_offset(cd)); -+ EQ_((LUKS2_HDR_DEFAULT_LEN >> SECTOR_SHIFT), crypt_get_data_offset(cd)); - OK_(strcmp(DEVICE_2, crypt_get_device_name(cd))); - - reset_log(); -@@ -809,7 +797,7 @@ static void AddDeviceLuks2(void) - FAIL_(crypt_keyslot_add_by_volume_key(cd, 1, key, key_size, PASSPHRASE, strlen(PASSPHRASE)), "VK doesn't match any digest"); - crypt_free(cd); - -- OK_(create_dmdevice_over_loop(L_DEVICE_1S, 8193)); -+ OK_(create_dmdevice_over_loop(L_DEVICE_1S, (LUKS2_HDR_DEFAULT_LEN >> SECTOR_SHIFT) + 1)); - OK_(crypt_init(&cd, DMDIR L_DEVICE_1S)); - crypt_set_iteration_time(cd, 1); - OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, key, key_size, NULL)); -@@ -900,7 +888,7 @@ static void Luks2HeaderRestore(void) - - crypt_decode_key(key, mk_hex, key_size); - -- OK_(get_luks2_offsets(0, params.data_alignment, 0, 0, NULL, &r_payload_offset)); -+ OK_(get_luks2_offsets(params.data_alignment, NULL, &r_payload_offset)); - OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 5000)); - - // do not restore header over plain device -@@ -976,18 +964,20 @@ static void Luks2HeaderLoad(void) - size_t key_size = strlen(mk_hex) / 2; - const char *cipher = "aes"; - const char *cipher_mode = "cbc-essiv:sha256"; -- uint64_t r_payload_offset, r_header_size; -+ uint64_t r_payload_offset, r_header_size, r_header_size_compat; - - crypt_decode_key(key, mk_hex, key_size); - - // prepare test env -- OK_(get_luks2_offsets(0, params.data_alignment, 0, 0, &r_header_size, &r_payload_offset)); -+ OK_(t_device_size(IMAGE1, &r_header_size_compat)); -+ r_header_size_compat >>= SECTOR_SHIFT; -+ OK_(get_luks2_offsets(params.data_alignment, &r_header_size, &r_payload_offset)); - // external header device - OK_(create_dmdevice_over_loop(H_DEVICE, r_header_size)); - // prepared header on a device too small to contain header and payload -- //OK_(create_dmdevice_over_loop(H_DEVICE_WRONG, r_payload_offset - 1)); -- OK_(create_dmdevice_over_loop(H_DEVICE_WRONG, r_header_size - 1)); -- snprintf(cmd, sizeof(cmd), "dd if=" IMAGE1 " of=" DMDIR H_DEVICE_WRONG " bs=%" PRIu32 " count=%" PRIu64 " 2>/dev/null", params.sector_size, r_header_size - 1); -+ // compatimage2.img contains one sector of data. to create wrong device we need one sector less than the header size -+ OK_(create_dmdevice_over_loop(H_DEVICE_WRONG, r_header_size_compat - 2)); -+ snprintf(cmd, sizeof(cmd), "dd if=" IMAGE1 " of=" DMDIR H_DEVICE_WRONG " bs=%" PRIu32 " count=%" PRIu64 " 2>/dev/null", params.sector_size, r_header_size_compat - 2); - OK_(_system(cmd, 1)); - // some device - OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1000)); -@@ -1092,7 +1082,7 @@ static void Luks2HeaderBackup(void) - - crypt_decode_key(key, mk_hex, key_size); - -- OK_(get_luks2_offsets(0, params.data_alignment, 0, 0, NULL, &r_payload_offset)); -+ OK_(get_luks2_offsets(params.data_alignment, NULL, &r_payload_offset)); - OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1)); - - // create LUKS device and backup the header -@@ -1180,8 +1170,8 @@ static void ResizeDeviceLuks2(void) - crypt_decode_key(key, mk_hex, key_size); - - // prepare env -- OK_(get_luks2_offsets(0, params.data_alignment, 0, 0, NULL, &r_payload_offset)); -- OK_(get_luks2_offsets(1, 0, 0, 0, &r_header_size, NULL)); -+ OK_(get_luks2_offsets(params.data_alignment, NULL, &r_payload_offset)); -+ OK_(get_luks2_offsets(0, &r_header_size, NULL)); - OK_(create_dmdevice_over_loop(H_DEVICE, r_header_size)); - OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1000)); - OK_(create_dmdevice_over_loop(L_DEVICE_0S, 1000)); -@@ -1303,7 +1293,7 @@ static void TokenActivationByKeyring(voi - } - - // prepare the device -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - crypt_set_iteration_time(cd, 1); - OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL)); - EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0); -@@ -1312,7 +1302,7 @@ static void TokenActivationByKeyring(voi - crypt_free(cd); - - // test thread keyring key in token 0 -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - OK_(crypt_load(cd, CRYPT_LUKS2, NULL)); - EQ_(crypt_activate_by_token(cd, CDEVICE_1, 3, NULL, 0), 0); - FAIL_(crypt_activate_by_token(cd, CDEVICE_1, 3, NULL, 0), "already open"); -@@ -1331,7 +1321,7 @@ static void TokenActivationByKeyring(voi - } - - // add token 1 with process keyring key -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - OK_(crypt_load(cd, CRYPT_LUKS2, NULL)); - EQ_(crypt_token_json_set(cd, 3, NULL), 3); - EQ_(crypt_token_luks2_keyring_set(cd, 1, ¶ms), 1); -@@ -1339,7 +1329,7 @@ static void TokenActivationByKeyring(voi - crypt_free(cd); - - // test process keyring key in token 1 -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - OK_(crypt_load(cd, CRYPT_LUKS2, NULL)); - EQ_(crypt_activate_by_token(cd, CDEVICE_1, 1, NULL, 0), 0); - FAIL_(crypt_activate_by_token(cd, CDEVICE_1, 1, NULL, 0), "already open"); -@@ -1364,7 +1354,7 @@ static void TokenActivationByKeyring(voi - exit(1); - } - -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - OK_(crypt_load(cd, CRYPT_LUKS2, NULL)); - EQ_(crypt_token_luks2_keyring_set(cd, 0, ¶ms), 0); - EQ_(crypt_token_assign_keyslot(cd, 0, 0), 0); -@@ -1376,7 +1366,7 @@ static void TokenActivationByKeyring(voi - crypt_free(cd); - - // activate by specific token -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - OK_(crypt_load(cd, CRYPT_LUKS2, NULL)); - EQ_(crypt_activate_by_token(cd, CDEVICE_1, 0, NULL, 0), 0); - OK_(crypt_deactivate(cd, CDEVICE_1)); -@@ -1390,7 +1380,7 @@ static void TokenActivationByKeyring(voi - } - - // activate by any token with token 0 having absent pass from keyring -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - OK_(crypt_load(cd, CRYPT_LUKS2, NULL)); - EQ_(crypt_activate_by_token(cd, CDEVICE_1, CRYPT_ANY_TOKEN, NULL, 0), 1); - OK_(crypt_deactivate(cd, CDEVICE_1)); -@@ -1403,7 +1393,7 @@ static void TokenActivationByKeyring(voi - } - - // replace pass for keyslot 0 making token 0 invalid -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - OK_(crypt_load(cd, CRYPT_LUKS2, NULL)); - OK_(crypt_keyslot_destroy(cd, 0)); - crypt_set_iteration_time(cd, 1); -@@ -1411,7 +1401,7 @@ static void TokenActivationByKeyring(voi - crypt_free(cd); - - // activate by any token with token 0 having wrong pass for keyslot 0 -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - OK_(crypt_load(cd, CRYPT_LUKS2, NULL)); - EQ_(crypt_activate_by_token(cd, CDEVICE_1, CRYPT_ANY_TOKEN, NULL, 0), 1); - OK_(crypt_deactivate(cd, CDEVICE_1)); -@@ -1420,7 +1410,7 @@ static void TokenActivationByKeyring(voi - // create new device, with two tokens: - // 1st token being invalid (missing key in keyring) - // 2nd token can activate keyslot 1 after failing to do so w/ keyslot 0 (wrong pass) -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - crypt_set_iteration_time(cd, 1); - OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL)); - EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0); -@@ -1442,7 +1432,7 @@ static void TokenActivationByKeyring(voi - exit(1); - } - -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - OK_(crypt_load(cd, CRYPT_LUKS2, NULL)); - EQ_(crypt_activate_by_token(cd, CDEVICE_1, CRYPT_ANY_TOKEN, NULL, 0), 1); - OK_(crypt_deactivate(cd, CDEVICE_1)); -@@ -1507,7 +1497,7 @@ static void Tokens(void) - FAIL_(crypt_token_register(&th_reserved), "luks2- is reserved prefix"); - - // basic token API tests -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - crypt_set_iteration_time(cd, 1); - OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL)); - EQ_(crypt_token_status(cd, -1, NULL), CRYPT_TOKEN_INVALID); -@@ -1706,7 +1696,7 @@ static void LuksConvert(void) - crypt_free(cd); - - // exercice non-pbkdf2 LUKSv2 conversion -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL)); - OK_(crypt_set_pbkdf_type(cd, &argon)); - EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0); -@@ -1714,7 +1704,7 @@ static void LuksConvert(void) - crypt_free(cd); - - // exercice non LUKS1 compatible keyslot -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, &luks2)); - EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0); - EQ_(crypt_keyslot_add_by_key(cd, 1, NULL, 32, PASSPHRASE1, strlen(PASSPHRASE1), CRYPT_VOLUME_KEY_NO_SEGMENT), 1); -@@ -1723,7 +1713,7 @@ static void LuksConvert(void) - crypt_free(cd); - - // exercice LUKSv2 conversion with single pbkdf2 keyslot being active -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL)); - offset = crypt_get_data_offset(cd); - OK_(crypt_set_pbkdf_type(cd, &pbkdf2)); -@@ -1731,13 +1721,13 @@ static void LuksConvert(void) - OK_(crypt_convert(cd, CRYPT_LUKS1, NULL)); - EQ_(crypt_get_data_offset(cd), offset); - crypt_free(cd); -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - OK_(crypt_load(cd, CRYPT_LUKS, NULL)); - EQ_(crypt_get_data_offset(cd), offset); - crypt_free(cd); - - // do not allow conversion on keyslot No > 7 -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, &luks2)); - EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0); - EQ_(crypt_keyslot_add_by_volume_key(cd, 8, NULL, 32, PASSPHRASE1, strlen(PASSPHRASE1)), 8); -@@ -1745,14 +1735,14 @@ static void LuksConvert(void) - crypt_free(cd); - - // do not allow conversion with token -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, &luks2)); - OK_(crypt_token_json_set(cd, CRYPT_ANY_TOKEN, json)); - FAIL_(crypt_convert(cd, CRYPT_LUKS1, NULL), "Can't convert header with token."); - crypt_free(cd); - - // should be enough for both luks1 and luks2 devices with all vk lengths -- OK_(get_luks2_offsets(1, 0, 0, 0, NULL, &r_payload_offset)); -+ OK_(get_luks2_offsets(0, NULL, &r_payload_offset)); - OK_(create_dmdevice_over_loop(L_DEVICE_1S, r_payload_offset + 1)); - - // do not allow conversion for legacy luks1 device (non-aligned keyslot offset) -@@ -2202,7 +2192,7 @@ static void Pbkdf(void) - - // test LUKSv2 device - // test default values are set -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - OK_(crypt_format(cd, CRYPT_LUKS2, cipher, mode, NULL, NULL, 32, NULL)); - NOTNULL_(pbkdf = crypt_get_pbkdf_type(cd)); - OK_(strcmp(pbkdf->type, DEFAULT_LUKS2_PBKDF)); -@@ -2259,7 +2249,7 @@ static void Pbkdf(void) - FAIL_(crypt_set_pbkdf_type(cd, &pbkdf2), "Unknown hash member"); - crypt_free(cd); - // test whether crypt_get_pbkdf_type() behaves accordingly after second crypt_load() call -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - OK_(crypt_load(cd, CRYPT_LUKS, NULL)); - NOTNULL_(pbkdf = crypt_get_pbkdf_type(cd)); - OK_(strcmp(pbkdf->type, DEFAULT_LUKS2_PBKDF)); -@@ -2277,7 +2267,7 @@ static void Pbkdf(void) - crypt_free(cd); - - // test crypt_set_pbkdf_type() overwrites invalid value set by crypt_set_iteration_time() -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - crypt_set_iteration_time(cd, 0); - OK_(crypt_set_pbkdf_type(cd, &argon2)); - NOTNULL_(pbkdf = crypt_get_pbkdf_type(cd)); -@@ -2352,7 +2342,7 @@ static void Luks2KeyslotAdd(void) - crypt_decode_key(key2, mk_hex2, key_size); - - /* test crypt_keyslot_add_by_key */ -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - crypt_set_iteration_time(cd, 1); - OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, key, key_size, NULL)); - EQ_(crypt_keyslot_add_by_key(cd, 1, key2, key_size, PASSPHRASE1, strlen(PASSPHRASE1), CRYPT_VOLUME_KEY_NO_SEGMENT), 1); -@@ -2432,7 +2422,7 @@ static void Luks2ActivateByKeyring(void) - } - - // prepare the device -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - crypt_set_iteration_time(cd, 1); - OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL)); - EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0); -@@ -2442,7 +2432,7 @@ static void Luks2ActivateByKeyring(void) - - // FIXME: all following tests work as expected but most error messages are missing - // check activate by keyring works exactly same as by passphrase -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - OK_(crypt_load(cd, CRYPT_LUKS2, NULL)); - EQ_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, 0), 0); - EQ_(crypt_activate_by_keyring(cd, CDEVICE_1, KEY_DESC_TEST0, 0, 0), 0); -@@ -2472,7 +2462,7 @@ static void Luks2ActivateByKeyring(void) - exit(1); - } - -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - OK_(crypt_load(cd, CRYPT_LUKS2, NULL)); - FAIL_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, CRYPT_ANY_SLOT, 0), "no such key in keyring"); - FAIL_(crypt_activate_by_keyring(cd, CDEVICE_1, KEY_DESC_TEST0, CRYPT_ANY_SLOT, 0), "no such key in keyring"); -@@ -2718,7 +2708,7 @@ static void Luks2Requirements(void) - OK_(crypt_activate_by_token(cd, NULL, 1, NULL, 0)); - OK_(crypt_activate_by_token(cd, NULL, 1, NULL, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0)); - #endif -- OK_(get_luks2_offsets(1, 8192, 0, 0, NULL, &r_payload_offset)); -+ OK_(get_luks2_offsets(8192, NULL, &r_payload_offset)); - OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 2)); - //OK_(_system("dd if=" NO_REQS_LUKS2_HEADER " of=" NO_REQS_LUKS2_HEADER " bs=4096 2>/dev/null", 1)); - OK_(_system("dd if=" NO_REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1)); -@@ -2863,7 +2853,7 @@ static void Luks2Flags(void) - struct crypt_device *cd; - uint32_t flags = 42; - -- OK_(crypt_init(&cd, DEVICE_1)); -+ OK_(crypt_init(&cd, DEVICE_2)); - OK_(crypt_load(cd, CRYPT_LUKS2, NULL)); - - /* check library erase passed variable on success when no flags set */ -diff -rupN cryptsetup-2.0.4.old/tests/Makefile.am cryptsetup-2.0.4/tests/Makefile.am ---- cryptsetup-2.0.4.old/tests/Makefile.am 2018-08-08 14:05:02.008387808 +0200 -+++ cryptsetup-2.0.4/tests/Makefile.am 2018-08-08 14:05:35.944311818 +0200 -@@ -80,7 +80,7 @@ api_test_CPPFLAGS = $(AM_CPPFLAGS) -incl - api_test_2_SOURCES = api-test-2.c api_test.h test_utils.c - api_test_2_LDADD = ../libcryptsetup.la - api_test_2_LDFLAGS = $(AM_LDFLAGS) -static --api_test_2_CFLAGS = -g -Wall -O0 $(AM_CFLAGS) -I$(top_srcdir)/lib/ -I$(top_srcdir)/lib/luks1 -+api_test_2_CFLAGS = -g -Wall -O0 $(AM_CFLAGS) -I$(top_srcdir)/lib/ -I$(top_srcdir)/lib/luks1 -I$(top_srcdir)/lib/luks2 - api_test_2_CPPFLAGS = $(AM_CPPFLAGS) -include config.h - - vectors_test_SOURCES = crypto-vectors.c -diff -rupN cryptsetup-2.0.4.old/tests/Makefile.in cryptsetup-2.0.4/tests/Makefile.in ---- cryptsetup-2.0.4.old/tests/Makefile.in 2018-08-08 14:05:02.000387826 +0200 -+++ cryptsetup-2.0.4/tests/Makefile.in 2018-08-08 14:08:28.749924872 +0200 -@@ -466,7 +466,7 @@ api_test_CPPFLAGS = $(AM_CPPFLAGS) -incl - api_test_2_SOURCES = api-test-2.c api_test.h test_utils.c - api_test_2_LDADD = ../libcryptsetup.la - api_test_2_LDFLAGS = $(AM_LDFLAGS) -static --api_test_2_CFLAGS = -g -Wall -O0 $(AM_CFLAGS) -I$(top_srcdir)/lib/ -I$(top_srcdir)/lib/luks1 -+api_test_2_CFLAGS = -g -Wall -O0 $(AM_CFLAGS) -I$(top_srcdir)/lib/ -I$(top_srcdir)/lib/luks1 -I$(top_srcdir)/lib/luks2 - api_test_2_CPPFLAGS = $(AM_CPPFLAGS) -include config.h - vectors_test_SOURCES = crypto-vectors.c - vectors_test_LDADD = ../libcrypto_backend.la @CRYPTO_LIBS@ @LIBARGON2_LIBS@ -diff -rupN cryptsetup-2.0.4.old/tests/test_utils.c cryptsetup-2.0.4/tests/test_utils.c ---- cryptsetup-2.0.4.old/tests/test_utils.c 2018-08-08 14:05:02.008387808 +0200 -+++ cryptsetup-2.0.4/tests/test_utils.c 2018-08-08 14:05:35.947311812 +0200 -@@ -118,13 +118,21 @@ void xlog(const char *msg, const char *t - - int t_device_size(const char *device, uint64_t *size) - { -+ struct stat st; - int devfd, r = 0; - - devfd = open(device, O_RDONLY); - if(devfd == -1) - return -EINVAL; - -- if (ioctl(devfd, BLKGETSIZE64, size) < 0) -+ if (fstat(devfd, &st) < 0) { -+ close(devfd); -+ return -EINVAL; -+ } -+ -+ if (S_ISREG(st.st_mode)) -+ *size = (uint64_t)st.st_size; -+ else if (ioctl(devfd, BLKGETSIZE64, size) < 0) - r = -EINVAL; - close(devfd); - return r; diff --git a/SOURCES/cryptsetup-make-reencryption-compat-test2-ready-for-different-L.patch b/SOURCES/cryptsetup-make-reencryption-compat-test2-ready-for-different-L.patch deleted file mode 100644 index 2274f2e..0000000 --- a/SOURCES/cryptsetup-make-reencryption-compat-test2-ready-for-different-L.patch +++ /dev/null @@ -1,123 +0,0 @@ -From 619b533bfbb8e6782687eda9e2ba16fc2f73bd15 Mon Sep 17 00:00:00 2001 -From: Ondrej Kozina -Date: Tue, 7 Aug 2018 10:17:31 +0200 -Subject: [PATCH 5/7] Make reencryption-compat-test2 ready for different LUKS2 - hdr size. - ---- - tests/reencryption-compat-test2 | 40 +++++++++++++++++++++++++++++----------- - 1 file changed, 29 insertions(+), 11 deletions(-) - -diff --git a/tests/reencryption-compat-test2 b/tests/reencryption-compat-test2 -index 411df1f..9656c7b 100755 ---- a/tests/reencryption-compat-test2 -+++ b/tests/reencryption-compat-test2 -@@ -19,6 +19,10 @@ PWD3="1-9Qu5Ejfnqv" - MNT_DIR=./mnt_luks - START_DIR=$(pwd) - -+# FIXME: we need some sane API to get this information. This is hack. -+LUKS2_HDR_DEFAULT_LEN=$(grep -e "#define LUKS2_HDR_DEFAULT_LEN" ../lib/luks2/luks2.h | cut -d ' ' -f 3) -+LUKS2_HDR_DEFAULT_LEN_SECTORS=$((LUKS2_HDR_DEFAULT_LEN/512)) -+ - function dm_crypt_features() - { - local VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv) -@@ -48,6 +52,7 @@ function remove_mapping() - umount $MNT_DIR > /dev/null 2>&1 - rmdir $MNT_DIR > /dev/null 2>&1 - del_scsi_device -+ test -z "$TMP_LOOP" || losetup -d "$TMP_LOOP" - } - - function fail() -@@ -113,9 +118,21 @@ function prepare() # $1 dev1_siz - fi - } - --function check_hash_dev() # $1 dev, $2 hash -+function check_hash_dev() # $1 dev, $2 hash, [$3 optional max size in KiBs] - { -- HASH=$(sha256sum $1 | cut -d' ' -f 1) -+ local _dev=$1 -+ if [ $# -gt 2 ]; then -+ _dev=$(losetup -f) -+ losetup -f --sizelimit $3K $1 || fail -+ TMP_LOOP=$_dev -+ test -b $TMP_LOOP || fail -+ fi -+ -+ HASH=$(sha256sum $_dev | cut -d' ' -f 1) -+ test -b "$TMP_LOOP" && { -+ losetup -d "$TMP_LOOP" -+ unset TMP_LOOP -+ } - [ $HASH != "$2" ] && fail "HASH differs ($HASH)" - } - -@@ -218,7 +235,7 @@ HASH5=bb9f8df61474d25e71fa00722318cd387396ca1736605e1248821cc0de3d3af8 - HASH6=4d9cbaf3aa0935a8c113f139691b3daf9c94c8d6c278aedc8eec66a4b9f6c8ae - - echo "[1] Reencryption" --prepare 8192 -+prepare $((4096+LUKS2_HDR_DEFAULT_LEN_SECTORS/2)) - echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-plain $FAST_PBKDF_ARGON --align-payload 4096 $IMG || fail - wipe $PWD1 - check_hash $PWD1 $HASH5 -@@ -260,9 +277,9 @@ $CRYPTSETUP luksDump $IMG | grep -q "luks2" > /dev/null || fail - - echo "[4] Encryption of not yet encrypted device" - # well, movin' zeroes :-) --OFFSET=8192 # default LUKS2 header size --prepare 8192 --check_hash_dev $IMG $HASH4 -+OFFSET=$LUKS2_HDR_DEFAULT_LEN_SECTORS # default LUKS2 header size -+prepare $((4096+$OFFSET/2)) # in KiBs -+check_hash_dev $IMG $HASH4 8192 - echo $PWD1 | $REENC --type luks2 $IMG -c aes-cbc-essiv:sha256 -s 128 --new --reduce-device-size "$OFFSET"S -q $FAST_PBKDF_ARGON - check_hash $PWD1 $HASH5 - $CRYPTSETUP luksDump $IMG | grep -q "luks2" > /dev/null || fail -@@ -299,11 +316,11 @@ echo -e "$PWD2\n$PWD1\n$PWD2\n$PWD1\n$PWD2\n$PWD1\n$PWD2\n$PWD3" | $REENC -q $IM - check_slot 0 1 2 3 4 5 6 22 || fail "All keyslots expected to be enabled" - - echo "[7] Reencryption of block devices with different block size" --add_scsi_device sector_size=512 dev_size_mb=8 -+add_scsi_device sector_size=512 dev_size_mb=16 - simple_scsi_reenc "[512 sector]" --add_scsi_device sector_size=4096 dev_size_mb=8 -+add_scsi_device sector_size=4096 dev_size_mb=16 - simple_scsi_reenc "[4096 sector]" --add_scsi_device sector_size=512 physblk_exp=3 dev_size_mb=8 -+add_scsi_device sector_size=512 physblk_exp=3 dev_size_mb=16 - simple_scsi_reenc "[4096/512 sector]" - echo "[OK]" - -@@ -350,7 +367,7 @@ echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $IMG || fa - wipe $PWD1 - check_hash $PWD1 $HASH5 - echo $PWD1 | $REENC $IMG -q --decrypt --check_hash_dev $IMG $HASH4 -+check_hash_dev $IMG $HASH4 8192 - - echo "[11] Reencryption with tokens" - echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $IMG || fail -@@ -403,7 +420,7 @@ $CRYPTSETUP isLuks $IMG_HDR || fail - $CRYPTSETUP luksDump $IMG_HDR | grep -q "0: luks2" || fail - - echo "[14] Reencryption with unbound keyslot" --prepare 8192 -+prepare $((4096+LUKS2_HDR_DEFAULT_LEN_SECTORS/2)) - echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $IMG || fail - echo $PWD2 | $CRYPTSETUP -q luksAddKey -S 3 --unbound --key-size 64 $FAST_PBKDF_ARGON $IMG || fail - wipe $PWD1 -@@ -421,6 +438,7 @@ check_hash $PWD1 $HASH1 - $CRYPTSETUP -q convert --type luks2 $IMG || fail - echo $PWD1 | $REENC $IMG -q $FAST_PBKDF_PBKDF2 || fail - check_hash $PWD1 $HASH1 -+prepare $((4096+LUKS2_HDR_DEFAULT_LEN_SECTORS/2)) - echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_PBKDF2 $IMG || fail - wipe $PWD1 - check_hash $PWD1 $HASH5 --- -1.8.3.1 - diff --git a/SPECS/cryptsetup.spec b/SPECS/cryptsetup.spec index d790f01..5431380 100644 --- a/SPECS/cryptsetup.spec +++ b/SPECS/cryptsetup.spec @@ -1,42 +1,16 @@ -%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} - -%if 0%{?fedora} -%if 0%{?fedora} >= 29 Obsoletes: python2-cryptsetup -Obsoletes: cryptsetup-python3 -%global python2_enable 0 -%global python3_enable 0 -%else -%global python2_enable 1 -%global python3_enable 1 -%endif -%else -Obsoletes: cryptsetup-python3 -%global python3_enable 0 -%if 0%{?rhel} == 7 -%global python2_enable 1 -%else Obsoletes: cryptsetup-python -Obsoletes: python2-cryptsetup -%global python2_enable 0 -%endif -%endif +Obsoletes: cryptsetup-python3 Summary: A utility for setting up encrypted disks Name: cryptsetup -Version: 2.0.6 -Release: 1%{?dist} +Version: 2.2.0 +Release: 2%{?dist} License: GPLv2+ and LGPLv2+ Group: Applications/System URL: https://gitlab.com/cryptsetup/cryptsetup BuildRequires: openssl-devel, popt-devel, device-mapper-devel BuildRequires: libuuid-devel, gcc, libblkid-devel -%if %{python2_enable} -BuildRequires: python2-devel -%endif -%if %{python3_enable} -BuildRequires: python3-devel -%endif BuildRequires: libpwquality-devel, json-c-devel Provides: cryptsetup-luks = %{version}-%{release} Obsoletes: cryptsetup-luks < 1.4.0 @@ -45,13 +19,13 @@ Requires: libpwquality >= 1.2.0 %global upstream_version %{version} Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{upstream_version}.tar.xz -Patch0: %{name}-make-api-test-2-default-LUKS2-hdr-size-aware.patch -Patch1: %{name}-make-reencryption-compat-test2-ready-for-different-L.patch -Patch2: %{name}-disable-luks2-integrity-test-until-next-usptream-rel.patch -Patch3: %{name}-increase-default-LUKS2-header-size-to-8MiBs.patch -Patch4: %{name}-make-align-test-ready-for-larger-LUKS2-hdr.patch # Following patch has to applied last -Patch5: %{name}-add-system-library-paths.patch +Patch0: %{name}-add-system-library-paths.patch +# Remove the patch when (if ever) osci infrastructure gets stable enough +Patch1: %{name}-disable-verity-compat-test.patch +Patch2: %{name}-2.2.1-fix-mapped-segments-overflow-on-32bit-architectures.patch +Patch3: %{name}-2.2.1-take-optimal-io-size-in-account-with-LUKS2-reencrypt.patch +Patch4: %{name}-2.2.1-add-opt-io-size-parameter-to-LUKS2-reencrypt-test-de.patch %description The cryptsetup package contains a utility for setting up @@ -105,76 +79,23 @@ Requires: cryptsetup-libs = %{version}-%{release} This package contains cryptsetup-reencrypt utility which can be used for offline reencryption of disk in situ. -%if %{python2_enable} -%package -n python2-cryptsetup -Group: System Environment/Libraries -Summary: Python bindings for libcryptsetup -Requires: %{name}-libs = %{version}-%{release} -%{?python_provide:%python_provide python2-cryptsetup} -# Remove before F30 -Provides: %{name}-python = %{version}-%{release} -Provides: %{name}-python%{?_isa} = %{version}-%{release} -Obsoletes: %{name}-python < %{version}-%{release} -Obsoletes: python-cryptsetup < 1.4.0 - -%description -n python2-cryptsetup -This package provides Python bindings for libcryptsetup, a library -for setting up disk encryption using dm-crypt kernel module. -%endif - -%if %{python3_enable} -%package python3 -Group: System Environment/Libraries -Summary: Python3 bindings for libcryptsetup -Requires: %{name}-libs = %{version}-%{release} -Provides: python3-cryptsetup = %{version}-%{release} - -%description python3 -This package provides Python bindings for libcryptsetup, a library -for setting up disk encryption using dm-crypt kernel module. -%endif - %prep %setup -q -n cryptsetup-%{upstream_version} -%patch0 -p1 %patch1 -p1 %patch2 -p1 %patch3 -p1 %patch4 -p1 -%patch5 -p1 -chmod -x python/pycryptsetup-test.py +%patch0 -p1 chmod -x misc/dracut_90reencrypt/* -# copy the whole directory for the python3 build -%if %{python3_enable} -cp -a . %{py3dir} -%endif - %build -%if %{python2_enable} || %{python3_enable} -%configure --enable-python --enable-fips --enable-pwquality --enable-internal-sse-argon2 --with-crypto_backend=openssl --with-default-luks-format=LUKS2 -%else %configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --with-crypto_backend=openssl --with-default-luks-format=LUKS2 -%endif make %{?_smp_mflags} -%if %{python3_enable} -pushd %{py3dir} -%configure --enable-python --with-python_version=3 --enable-fips --enable-pwquality --enable-internal-sse-argon2 --with-crypto_backend=openssl --with-default-luks-format=LUKS2 -make %{?_smp_mflags} -popd -%endif - %install make install DESTDIR=%{buildroot} rm -rf %{buildroot}/%{_libdir}/*.la -%if %{python3_enable} -pushd %{py3dir} -make install DESTDIR=%{buildroot} -rm -rf %{buildroot}/%{_libdir}/*.la -popd -%endif %find_lang cryptsetup %post -n cryptsetup-libs -p /sbin/ldconfig @@ -220,27 +141,31 @@ popd %{_tmpfilesdir}/cryptsetup.conf %ghost %attr(700, -, -) %dir /run/cryptsetup -%if %{python2_enable} -%files -n python2-cryptsetup -%{!?_licensedir:%global license %%doc} -%license COPYING.LGPL -%doc python/pycryptsetup-test.py -%exclude %{python_sitearch}/pycryptsetup.la -%{python_sitearch}/pycryptsetup.so -%endif - -%if %{python3_enable} -%files python3 -%{!?_licensedir:%global license %%doc} -%license COPYING.LGPL -%doc python/pycryptsetup-test.py -%exclude %{python3_sitearch}/pycryptsetup.la -%{python3_sitearch}/pycryptsetup.so -%endif - %clean %changelog +* Fri Aug 30 2019 Ondrej Kozina - 2.2.0-2 +- patch: Fix mapped segments overflow on 32bit architectures. +- patch: Take optimal io size in account with LUKS2 reencryption. +- Resolves: #1742815 #1746532 + +* Thu Aug 15 2019 Ondrej Kozina - 2.2.0-1 +- Update to cryptsetup 2.2.0 (final) +- Resolves: #1738263 #1740342 #1733391 #1729600 #1733390 + +* Fri Jun 14 2019 Ondrej Kozina - 2.2.0-0.2 +- Updates to reencryption feature. +- Resolves: #1676622 + +* Fri May 03 2019 Ondrej Kozina - 2.2.0-0.1 +- Update to cryptsetup 2.2.0 +- remove python bits from spec file. +- Resolves: #1676622 + +* Thu Mar 21 2019 Milan Broz - 2.0.6-2 +- Add gating tests. +- Resolves: #1682539 + * Mon Dec 03 2018 Ondrej Kozina - 2.0.6-1 - Update to cryptsetup 2.0.6 - Enables all supported metadata sizes in LUKS2 validation code.