diff --git a/SOURCES/cryptsetup-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch b/SOURCES/cryptsetup-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch new file mode 100644 index 0000000..023666a --- /dev/null +++ b/SOURCES/cryptsetup-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch @@ -0,0 +1,41 @@ +From f671febe64d8f40cdcb1677a08436a8907ccbb7e Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Wed, 23 Feb 2022 12:27:57 +0100 +Subject: [PATCH 2/3] Add more tests for --test-passphrase parameter. + +--- + tests/compat-test-args | 4 ++++ + tests/luks2-reencryption-test | 18 ++++++++++++++++++ + 2 files changed, 22 insertions(+) + +diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test +index 6f156016..73818b5d 100755 +--- a/tests/luks2-reencryption-test ++++ b/tests/luks2-reencryption-test +@@ -1606,5 +1606,23 @@ if [ -n "$DM_SECTOR_SIZE" ]; then + reencrypt_recover_online 4096 journal $HASH1 + fi + ++echo "[27] Verify test passphrase mode works with reencryption metadata" ++echo $PWD1 | $CRYPTSETUP -S5 -q luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV || fail ++echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $DEV || fail ++echo $PWD1 | $CRYPTSETUP reencrypt --init-only $DEV || fail ++echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail ++ ++echo $PWD1 | $CRYPTSETUP -q luksFormat -S5 --header $IMG_HDR --type luks2 $FAST_PBKDF_ARGON $DEV || fail ++echo -e "$PWD1\n$PWD1" | $CRYPTSETUP luksAddKey --unbound -s80 -S0 $FAST_PBKDF_ARGON $IMG_HDR || fail ++echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --init-only --header $IMG_HDR $DEV || fail ++echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail ++ ++echo $PWD1 | $CRYPTSETUP reencrypt -q --encrypt --init-only --header $IMG_HDR $FAST_PBKDF_ARGON $DEV || fail ++echo $PWD1 | $CRYPTSETUP open --test-passphrase $IMG_HDR || fail ++ ++wipe_dev $DEV ++echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only --reduce-device-size 8M $FAST_PBKDF_ARGON $DEV || fail ++echo $PWD1 | $CRYPTSETUP open --test-passphrase $DEV || fail ++ + remove_mapping + exit 0 +-- +2.27.0 + diff --git a/SOURCES/cryptsetup-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch b/SOURCES/cryptsetup-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch new file mode 100644 index 0000000..5566c54 --- /dev/null +++ b/SOURCES/cryptsetup-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch @@ -0,0 +1,103 @@ +diff -rupN cryptsetup-2.3.7.old/man/cryptsetup.8 cryptsetup-2.3.7/man/cryptsetup.8 +--- cryptsetup-2.3.7.old/man/cryptsetup.8 2022-02-24 15:58:37.968167423 +0100 ++++ cryptsetup-2.3.7/man/cryptsetup.8 2022-02-24 17:06:25.326217548 +0100 +@@ -321,7 +321,7 @@ the command prompts for it interactively + \-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase, + \-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id, + \-\-token\-only, \-\-disable\-keyring, \-\-disable\-locks, \-\-type, \-\-refresh, +-\-\-serialize\-memory\-hard\-pbkdf]. ++\-\-serialize\-memory\-hard\-pbkdf, \-\-unbound]. + .PP + \fIluksSuspend\fR + .IP +@@ -1409,10 +1409,14 @@ aligned to page size and page-cache init + integrity tag. + .TP + .B "\-\-unbound" +- + Creates new or dumps existing LUKS2 unbound keyslot. See \fIluksAddKey\fR or + \fIluksDump\fR actions for more details. + ++When used in \fIluksOpen\fR action (allowed only together with ++\-\-test\-passphrase parameter), it allows to test passphrase for unbound LUKS2 ++keyslot. Otherwise, unbound keyslot passphrase can be tested only when specific ++keyslot is selected via \-\-key\-slot parameter. ++ + .TP + .B "\-\-tcrypt\-hidden" + .B "\-\-tcrypt\-system" +diff -rupN cryptsetup-2.3.7.old/src/cryptsetup.c cryptsetup-2.3.7/src/cryptsetup.c +--- cryptsetup-2.3.7.old/src/cryptsetup.c 2022-02-24 15:58:37.969167429 +0100 ++++ cryptsetup-2.3.7/src/cryptsetup.c 2022-02-24 17:10:30.947561638 +0100 +@@ -230,7 +230,7 @@ static void _set_activation_flags(uint32 + *flags |= CRYPT_ACTIVATE_IGNORE_PERSISTENT; + + /* Only for LUKS2 but ignored elsewhere */ +- if (opt_test_passphrase) ++ if (opt_test_passphrase && (opt_unbound || (opt_key_slot != CRYPT_ANY_SLOT))) + *flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY; + + if (opt_serialize_memory_hard_pbkdf) +@@ -4021,6 +4021,17 @@ int main(int argc, const char **argv) + _("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device."), + poptGetInvocationName(popt_context)); + ++ if (opt_unbound && !strcmp(aname, "open") && device_type && ++ strncmp(device_type, "luks", 4)) ++ usage(popt_context, EXIT_FAILURE, ++ _("Option --unbound is allowed only for open of luks device."), ++ poptGetInvocationName(popt_context)); ++ ++ if (opt_unbound && !opt_test_passphrase && !strcmp(aname, "open")) ++ usage(popt_context, EXIT_FAILURE, ++ _("Option --unbound cannot be used without --test-passphrase."), ++ poptGetInvocationName(popt_context)); ++ + if (opt_tcrypt_hidden && opt_allow_discards) + usage(popt_context, EXIT_FAILURE, + _("Option --tcrypt-hidden cannot be combined with --allow-discards."), +@@ -4103,9 +4114,9 @@ int main(int argc, const char **argv) + _("Keyslot specification is required."), + poptGetInvocationName(popt_context)); + +- if (opt_unbound && strcmp(aname, "luksAddKey") && strcmp(aname, "luksDump")) ++ if (opt_unbound && strcmp(aname, "luksAddKey") && strcmp(aname, "luksDump") && strcmp(aname, "open")) + usage(popt_context, EXIT_FAILURE, +- _("Option --unbound may be used only with luksAddKey and luksDump actions."), ++ _("Option --unbound may be used only with luksAddKey, luksDump and open actions."), + poptGetInvocationName(popt_context)); + + if (opt_refresh && strcmp(aname, "open")) +diff -rupN cryptsetup-2.3.7.old/tests/compat-test2 cryptsetup-2.3.7/tests/compat-test2 +--- cryptsetup-2.3.7.old/tests/compat-test2 2022-02-24 15:58:38.013167680 +0100 ++++ cryptsetup-2.3.7/tests/compat-test2 2022-02-24 17:23:23.035760517 +0100 +@@ -696,7 +696,7 @@ $CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOP + # otoh it should be allowed to test for proper passphrase + prepare "" new + echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail +-echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail ++echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail + echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail + [ -b /dev/mapper/$DEV_NAME ] && fail + echo $PWD1 | $CRYPTSETUP open $HEADER_KEYU $DEV_NAME 2>/dev/null && fail +@@ -705,7 +705,7 @@ echo $PWD0 | $CRYPTSETUP open -S1 --test + $CRYPTSETUP luksKillSlot -q $HEADER_KEYU 0 + $CRYPTSETUP luksDump $HEADER_KEYU | grep -q "0: luks2" && fail + echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail +-echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail ++echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail + echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail + + prepare "[28] Detached LUKS header" wipe +@@ -952,11 +952,9 @@ echo $PWD3 | $CRYPTSETUP -q luksAddKey - + # do not allow to replace keyslot by unbound slot + echo $PWD1 | $CRYPTSETUP -q luksAddKey -S5 --unbound -s 32 $LOOPDEV 2>/dev/null && fail + echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail +-echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail + echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV $DEV_NAME 2> /dev/null && fail + echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV --test-passphrase || fail + echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail +-echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail + # check we're able to change passphrase for unbound keyslot + echo -e "$PWD2\n$PWD3" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail + echo $PWD3 | $CRYPTSETUP open --test-passphrase $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail diff --git a/SPECS/cryptsetup.spec b/SPECS/cryptsetup.spec index 4cad198..eb9fd98 100644 --- a/SPECS/cryptsetup.spec +++ b/SPECS/cryptsetup.spec @@ -5,7 +5,7 @@ Obsoletes: cryptsetup-python3 Summary: A utility for setting up encrypted disks Name: cryptsetup Version: 2.3.7 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ and LGPLv2+ Group: Applications/System URL: https://gitlab.com/cryptsetup/cryptsetup @@ -26,6 +26,8 @@ Patch1: %{name}-disable-verity-compat-test.patch Patch2: %{name}-2.4.2-Do-not-try-to-set-compiler-optimization-flag-if-wipe.patch Patch3: %{name}-2.4.2-Fix-bogus-memory-allocation-if-LUKS2-header-size-is-.patch Patch4: %{name}-2.5.0-Fix-typo-in-repair-prompt.patch +Patch5: %{name}-2.5.0-Fix-test-passphrase-when-device-in-reencryption.patch +Patch6: %{name}-2.5.0-Add-more-tests-for-test-passphrase-parameter.patch %description The cryptsetup package contains a utility for setting up @@ -85,6 +87,8 @@ can be used for offline reencryption of disk in situ. %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 +%patch6 -p1 %patch0 -p1 chmod -x misc/dracut_90reencrypt/* @@ -144,6 +148,11 @@ rm -rf %{buildroot}/%{_libdir}/*.la %clean %changelog +* Thu Feb 24 2022 Ondrej Kozina - 2.3.7-2 +- patch: Fix cryptsetup --test-passphrase when device in + reencryption +- Resolves: #2058009 + * Thu Jan 20 2022 Ondrej Kozina - 2.3.7-1 - update to cryptsetup 2.3.7 - fixes CVE-2021-4122