diff --git a/.cryptsetup.metadata b/.cryptsetup.metadata new file mode 100644 index 0000000..ff5999b --- /dev/null +++ b/.cryptsetup.metadata @@ -0,0 +1,4 @@ +1f06d268aee0adff931a39fe6709af7804e4f4f6 SOURCES/cryptsetup-1.7.4.tar.xz +d24bdd0d55be8b27769b07531950ffe60589274b SOURCES/cryptsetup-2.0.3.tar.xz +4da4e0728f59b42ac7ca7645c483ee554f0da821 SOURCES/luks2_mda_images.tar.xz +839899b3821d4a5d8a8196c8fdd2dd0bd1f582f7 SOURCES/luks2_valid_hdr.tar.xz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..7c79481 --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +SOURCES/cryptsetup-1.7.4.tar.xz +SOURCES/cryptsetup-2.0.3.tar.xz +SOURCES/luks2_mda_images.tar.xz +SOURCES/luks2_valid_hdr.tar.xz diff --git a/SOURCES/cryptsetup-1.7.5-fix-luksformat-in-fips-mode.patch b/SOURCES/cryptsetup-1.7.5-fix-luksformat-in-fips-mode.patch new file mode 100644 index 0000000..c321d4a --- /dev/null +++ b/SOURCES/cryptsetup-1.7.5-fix-luksformat-in-fips-mode.patch @@ -0,0 +1,35 @@ +From 3c2135b36bbc52d052e4ced7c94dc4981eb07a53 Mon Sep 17 00:00:00 2001 +From: Milan Broz +Date: Fri, 21 Apr 2017 08:16:14 +0200 +Subject: [PATCH] Fix luksFormat if running in FIPS mode on recent kernel. + +Recently introduced check for weak keys for XTS mode makes +zeroed key for algorithm check unusable. + +Use random key for the test instead. +--- + lib/luks1/keymanage.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c +index b700bab..5b1421b 100644 +--- a/lib/luks1/keymanage.c ++++ b/lib/luks1/keymanage.c +@@ -631,9 +631,11 @@ static int LUKS_check_cipher(struct luks_phdr *hdr, struct crypt_device *ctx) + if (!empty_key) + return -ENOMEM; + +- r = LUKS_decrypt_from_storage(buf, sizeof(buf), +- hdr->cipherName, hdr->cipherMode, +- empty_key, 0, ctx); ++ /* No need to get KEY quality random but it must avoid known weak keys. */ ++ r = crypt_random_get(ctx, empty_key->key, empty_key->keylength, CRYPT_RND_NORMAL); ++ if (!r) ++ r = LUKS_decrypt_from_storage(buf, sizeof(buf), hdr->cipherName, ++ hdr->cipherMode, empty_key, 0, ctx); + + crypt_free_volume_key(empty_key); + crypt_memzero(buf, sizeof(buf)); +-- +2.7.4 + diff --git a/SOURCES/cryptsetup-1.7.5-fix-unaligned-access-to-hidden-truecrypt.patch b/SOURCES/cryptsetup-1.7.5-fix-unaligned-access-to-hidden-truecrypt.patch new file mode 100644 index 0000000..874a851 --- /dev/null +++ b/SOURCES/cryptsetup-1.7.5-fix-unaligned-access-to-hidden-truecrypt.patch @@ -0,0 +1,376 @@ +From a117f431179a2747f2b1d5293f43d9e198f1bac9 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Mon, 30 Nov 2015 16:44:15 +0100 +Subject: [PATCH] Fix access to unaligned hidden TrueCrypt header. + +backport all changes needed to fix unaligned access +to hidden TrueCrypt hedaer. +--- + lib/internal.h | 7 ++- + lib/luks1/keymanage.c | 6 +- + lib/tcrypt/tcrypt.c | 24 ++++---- + lib/utils.c | 155 +++++++++++++++++++++++++++++++++++++++++++------- + 4 files changed, 152 insertions(+), 40 deletions(-) + +diff --git a/lib/internal.h b/lib/internal.h +index 382a600..f1525f2 100644 +--- a/lib/internal.h ++++ b/lib/internal.h +@@ -101,9 +101,12 @@ char *crypt_get_partition_device(const char *dev_path, uint64_t offset, uint64_t + char *crypt_get_base_device(const char *dev_path); + uint64_t crypt_dev_partition_offset(const char *dev_path); + ++ssize_t write_buffer(int fd, const void *buf, size_t count); ++ssize_t read_buffer(int fd, void *buf, size_t count); + ssize_t write_blockwise(int fd, int bsize, void *buf, size_t count); +-ssize_t read_blockwise(int fd, int bsize, void *_buf, size_t count); +-ssize_t write_lseek_blockwise(int fd, int bsize, char *buf, size_t count, off_t offset); ++ssize_t read_blockwise(int fd, int bsize, void *buf, size_t count); ++ssize_t write_lseek_blockwise(int fd, int bsize, void *buf, size_t count, off_t offset); ++ssize_t read_lseek_blockwise(int fd, int bsize, void *buf, size_t count, off_t offset); + + unsigned crypt_getpagesize(void); + int init_crypto(struct crypt_device *ctx); +diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c +index 23e3fe2..b193ee9 100644 +--- a/lib/luks1/keymanage.c ++++ b/lib/luks1/keymanage.c +@@ -201,7 +201,7 @@ int LUKS_hdr_backup(const char *backup_file, struct crypt_device *ctx) + r = -EINVAL; + goto out; + } +- if (write(devfd, buffer, buffer_size) < buffer_size) { ++ if (write_buffer(devfd, buffer, buffer_size) < buffer_size) { + log_err(ctx, _("Cannot write header backup file %s.\n"), backup_file); + r = -EIO; + goto out; +@@ -253,7 +253,7 @@ int LUKS_hdr_restore( + goto out; + } + +- if (read(devfd, buffer, buffer_size) < buffer_size) { ++ if (read_buffer(devfd, buffer, buffer_size) < buffer_size) { + log_err(ctx, _("Cannot read header backup file %s.\n"), backup_file); + r = -EIO; + goto out; +@@ -498,7 +498,7 @@ int LUKS_read_phdr_backup(const char *backup_file, + return -ENOENT; + } + +- if (read(devfd, hdr, hdr_size) < hdr_size) ++ if (read_buffer(devfd, hdr, hdr_size) < hdr_size) + r = -EIO; + else { + LUKS_fix_header_compatible(hdr); +diff --git a/lib/tcrypt/tcrypt.c b/lib/tcrypt/tcrypt.c +index 45154ed..9ff7157 100644 +--- a/lib/tcrypt/tcrypt.c ++++ b/lib/tcrypt/tcrypt.c +@@ -469,8 +469,7 @@ static int TCRYPT_pool_keyfile(struct crypt_device *cd, + return -EIO; + } + +- /* FIXME: add while */ +- data_size = read(fd, data, TCRYPT_KEYFILE_LEN); ++ data_size = read_buffer(fd, data, TCRYPT_KEYFILE_LEN); + close(fd); + if (data_size < 0) { + log_err(cd, _("Error reading keyfile %s.\n"), keyfile); +@@ -628,27 +627,26 @@ int TCRYPT_read_phdr(struct crypt_device *cd, + + r = -EIO; + if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) { +- if (lseek(devfd, TCRYPT_HDR_SYSTEM_OFFSET, SEEK_SET) >= 0 && +- read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size) { ++ if (read_lseek_blockwise(devfd, bs, hdr, hdr_size, ++ TCRYPT_HDR_SYSTEM_OFFSET) == hdr_size) { + r = TCRYPT_init_hdr(cd, hdr, params); + } + } else if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) { + if (params->flags & CRYPT_TCRYPT_BACKUP_HEADER) { +- if (lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET_BCK, SEEK_END) >= 0 && +- read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size) ++ if (read_lseek_blockwise(devfd, bs, hdr, hdr_size, ++ TCRYPT_HDR_HIDDEN_OFFSET_BCK) == hdr_size) + r = TCRYPT_init_hdr(cd, hdr, params); + } else { +- if (lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET, SEEK_SET) >= 0 && +- read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size) ++ if (read_lseek_blockwise(devfd, bs, hdr, hdr_size, ++ TCRYPT_HDR_HIDDEN_OFFSET) == hdr_size) + r = TCRYPT_init_hdr(cd, hdr, params); +- if (r && +- lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET_OLD, SEEK_END) >= 0 && +- read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size) ++ if (r && read_lseek_blockwise(devfd, bs, hdr, hdr_size, ++ TCRYPT_HDR_HIDDEN_OFFSET_OLD) == hdr_size) + r = TCRYPT_init_hdr(cd, hdr, params); + } + } else if (params->flags & CRYPT_TCRYPT_BACKUP_HEADER) { +- if (lseek(devfd, TCRYPT_HDR_OFFSET_BCK, SEEK_END) >= 0 && +- read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size) ++ if (read_lseek_blockwise(devfd, bs, hdr, hdr_size, ++ TCRYPT_HDR_OFFSET_BCK) == hdr_size) + r = TCRYPT_init_hdr(cd, hdr, params); + } else if (read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size) + r = TCRYPT_init_hdr(cd, hdr, params); +diff --git a/lib/utils.c b/lib/utils.c +index 2dcf753..802ba55 100644 +--- a/lib/utils.c ++++ b/lib/utils.c +@@ -56,22 +56,70 @@ static void *aligned_malloc(void **base, int size, int alignment) + /* Credits go to Michal's padlock patches for this alignment code */ + char *ptr; + +- ptr = malloc(size + alignment); +- if(ptr == NULL) return NULL; ++ ptr = malloc(size + alignment); ++ if (!ptr) ++ return NULL; + + *base = ptr; +- if(alignment > 1 && ((long)ptr & (alignment - 1))) { ++ if (alignment > 1 && ((long)ptr & (alignment - 1))) + ptr += alignment - ((long)(ptr) & (alignment - 1)); +- } ++ + return ptr; + #endif + } + ++ssize_t read_buffer(int fd, void *buf, size_t count) ++{ ++ size_t read_size = 0; ++ ssize_t r; ++ ++ if (fd < 0 || !buf) ++ return -EINVAL; ++ ++ do { ++ r = read(fd, buf, count - read_size); ++ if (r == -1 && errno != EINTR) ++ return r; ++ if (r == 0) ++ return (ssize_t)read_size; ++ if (r > 0) { ++ read_size += (size_t)r; ++ buf = (uint8_t*)buf + r; ++ } ++ } while (read_size != count); ++ ++ return (ssize_t)count; ++} ++ ++ssize_t write_buffer(int fd, const void *buf, size_t count) ++{ ++ size_t write_size = 0; ++ ssize_t w; ++ ++ if (fd < 0 || !buf || !count) ++ return -EINVAL; ++ ++ do { ++ w = write(fd, buf, count - write_size); ++ if (w < 0 && errno != EINTR) ++ return w; ++ if (w == 0) ++ return (ssize_t)write_size; ++ if (w > 0) { ++ write_size += (size_t) w; ++ buf = (const uint8_t*)buf + w; ++ } ++ } while (write_size != count); ++ ++ return (ssize_t)write_size; ++} ++ + ssize_t write_blockwise(int fd, int bsize, void *orig_buf, size_t count) + { + void *hangover_buf, *hangover_buf_base = NULL; + void *buf, *buf_base = NULL; +- int r, hangover, solid, alignment; ++ int r, alignment; ++ size_t hangover, solid; + ssize_t ret = -1; + + if (fd == -1 || !orig_buf || bsize <= 0) +@@ -89,17 +137,19 @@ ssize_t write_blockwise(int fd, int bsize, void *orig_buf, size_t count) + } else + buf = orig_buf; + +- r = write(fd, buf, solid); +- if (r < 0 || r != solid) +- goto out; ++ if (solid) { ++ r = write_buffer(fd, buf, solid); ++ if (r < 0 || r != (ssize_t)solid) ++ goto out; ++ } + + if (hangover) { + hangover_buf = aligned_malloc(&hangover_buf_base, bsize, alignment); + if (!hangover_buf) + goto out; + +- r = read(fd, hangover_buf, bsize); +- if (r < 0 || r < hangover) ++ r = read_buffer(fd, hangover_buf, bsize); ++ if (r < 0 || r < (ssize_t)hangover) + goto out; + + if (r < bsize) +@@ -110,8 +160,8 @@ ssize_t write_blockwise(int fd, int bsize, void *orig_buf, size_t count) + + memcpy(hangover_buf, (char*)buf + solid, hangover); + +- r = write(fd, hangover_buf, bsize); +- if (r < 0 || r < hangover) ++ r = write_buffer(fd, hangover_buf, bsize); ++ if (r < 0 || r < (ssize_t)hangover) + goto out; + } + ret = count; +@@ -122,10 +172,12 @@ out: + return ret; + } + +-ssize_t read_blockwise(int fd, int bsize, void *orig_buf, size_t count) { ++ssize_t read_blockwise(int fd, int bsize, void *orig_buf, size_t count) ++{ + void *hangover_buf, *hangover_buf_base = NULL; + void *buf, *buf_base = NULL; +- int r, hangover, solid, alignment; ++ int r, alignment; ++ size_t hangover, solid; + ssize_t ret = -1; + + if (fd == -1 || !orig_buf || bsize <= 0) +@@ -142,16 +194,16 @@ ssize_t read_blockwise(int fd, int bsize, void *orig_buf, size_t count) { + } else + buf = orig_buf; + +- r = read(fd, buf, solid); +- if(r < 0 || r != solid) ++ r = read_buffer(fd, buf, solid); ++ if (r < 0 || r != (ssize_t)solid) + goto out; + + if (hangover) { + hangover_buf = aligned_malloc(&hangover_buf_base, bsize, alignment); + if (!hangover_buf) + goto out; +- r = read(fd, hangover_buf, bsize); +- if (r < 0 || r < hangover) ++ r = read_buffer(fd, hangover_buf, bsize); ++ if (r < 0 || r < (ssize_t)hangover) + goto out; + + memcpy((char *)buf + solid, hangover_buf, hangover); +@@ -172,7 +224,8 @@ out: + * is implicitly included in the read/write offset, which can not be set to non-aligned + * boundaries. Hence, we combine llseek with write. + */ +-ssize_t write_lseek_blockwise(int fd, int bsize, char *buf, size_t count, off_t offset) { ++ssize_t write_lseek_blockwise(int fd, int bsize, void *buf, size_t count, off_t offset) ++{ + char *frontPadBuf; + void *frontPadBuf_base = NULL; + int r, frontHang; +@@ -182,6 +235,12 @@ ssize_t write_lseek_blockwise(int fd, int bsize, char *buf, size_t count, off_t + if (fd == -1 || !buf || bsize <= 0) + return -1; + ++ if (offset < 0) ++ offset = lseek(fd, offset, SEEK_END); ++ ++ if (offset < 0) ++ return -1; ++ + frontHang = offset % bsize; + + if (lseek(fd, offset - frontHang, SEEK_SET) < 0) +@@ -193,7 +252,7 @@ ssize_t write_lseek_blockwise(int fd, int bsize, char *buf, size_t count, off_t + if (!frontPadBuf) + goto out; + +- r = read(fd, frontPadBuf, bsize); ++ r = read_buffer(fd, frontPadBuf, bsize); + if (r < 0 || r != bsize) + goto out; + +@@ -206,11 +265,11 @@ ssize_t write_lseek_blockwise(int fd, int bsize, char *buf, size_t count, off_t + if (lseek(fd, offset - frontHang, SEEK_SET) < 0) + goto out; + +- r = write(fd, frontPadBuf, bsize); ++ r = write_buffer(fd, frontPadBuf, bsize); + if (r < 0 || r != bsize) + goto out; + +- buf += innerCount; ++ buf = (char*)buf + innerCount; + count -= innerCount; + } + +@@ -223,6 +282,58 @@ out: + return ret; + } + ++ssize_t read_lseek_blockwise(int fd, int bsize, void *buf, size_t count, off_t offset) ++{ ++ char *frontPadBuf; ++ void *frontPadBuf_base = NULL; ++ int r, frontHang; ++ size_t innerCount = 0; ++ ssize_t ret = -1; ++ ++ if (fd == -1 || !buf || bsize <= 0) ++ return -1; ++ ++ if (offset < 0) ++ offset = lseek(fd, offset, SEEK_END); ++ ++ if (offset < 0) ++ return -1; ++ ++ frontHang = offset % bsize; ++ ++ if (lseek(fd, offset - frontHang, SEEK_SET) < 0) ++ return ret; ++ ++ if (frontHang) { ++ frontPadBuf = aligned_malloc(&frontPadBuf_base, ++ bsize, get_alignment(fd)); ++ ++ if (!frontPadBuf) ++ return ret; ++ ++ r = read_buffer(fd, frontPadBuf, bsize); ++ if (r < 0 || r != bsize) ++ goto out; ++ ++ innerCount = bsize - frontHang; ++ if (innerCount > count) ++ innerCount = count; ++ ++ memcpy(buf, frontPadBuf + frontHang, innerCount); ++ ++ buf = (char*)buf + innerCount; ++ count -= innerCount; ++ } ++ ++ ret = read_blockwise(fd, bsize, buf, count); ++ if (ret >= 0) ++ ret += innerCount; ++out: ++ free(frontPadBuf_base); ++ ++ return ret; ++} ++ + /* MEMLOCK */ + #define DEFAULT_PROCESS_PRIORITY -18 + +-- +2.7.4 + diff --git a/SOURCES/cryptsetup-1.7.6-crypt_deactivate-fail-earlier-when-holders-detected.patch b/SOURCES/cryptsetup-1.7.6-crypt_deactivate-fail-earlier-when-holders-detected.patch new file mode 100644 index 0000000..df91689 --- /dev/null +++ b/SOURCES/cryptsetup-1.7.6-crypt_deactivate-fail-earlier-when-holders-detected.patch @@ -0,0 +1,150 @@ +From 2e4aaa1adad2d0838593b13efbf5efe79f58255c Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Mon, 16 Oct 2017 16:41:43 +0200 +Subject: [PATCH] crypt_deactivate: fail earlier when holders detected + +crypt_deactivate fails earlier without noisy dm retries +when other device holders detected. The early detection +works if: + +a) other device-mapper device has a hold reference on the + device + +- or - + +b) mounted fs is detected on the device + +diff -rupN cryptsetup-1.7.4.old/config.h.in cryptsetup-1.7.4/config.h.in +--- cryptsetup-1.7.4.old/config.h.in 2017-03-15 10:43:26.000000000 +0100 ++++ cryptsetup-1.7.4/config.h.in 2017-10-19 09:37:17.000000000 +0200 +@@ -97,6 +97,14 @@ + */ + #undef HAVE_DCGETTEXT + ++/* Define to 1 if you have the declaration of `dm_device_has_holders', and to ++ 0 if you don't. */ ++#undef HAVE_DECL_DM_DEVICE_HAS_HOLDERS ++ ++/* Define to 1 if you have the declaration of `dm_device_has_mounted_fs', and ++ to 0 if you don't. */ ++#undef HAVE_DECL_DM_DEVICE_HAS_MOUNTED_FS ++ + /* Define to 1 if you have the declaration of `dm_task_retry_remove', and to 0 + if you don't. */ + #undef HAVE_DECL_DM_TASK_RETRY_REMOVE +diff -rupN cryptsetup-1.7.4.old/configure cryptsetup-1.7.4/configure +--- cryptsetup-1.7.4.old/configure 2017-03-15 10:43:13.000000000 +0100 ++++ cryptsetup-1.7.4/configure 2017-10-19 09:37:18.590530138 +0200 +@@ -16735,6 +16735,30 @@ cat >>confdefs.h <<_ACEOF + #define HAVE_DECL_DM_TASK_RETRY_REMOVE $ac_have_decl + _ACEOF + ++ac_fn_c_check_decl "$LINENO" "dm_device_has_mounted_fs" "ac_cv_have_decl_dm_device_has_mounted_fs" "#include ++" ++if test "x$ac_cv_have_decl_dm_device_has_mounted_fs" = xyes; then : ++ ac_have_decl=1 ++else ++ ac_have_decl=0 ++fi ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_DECL_DM_DEVICE_HAS_MOUNTED_FS $ac_have_decl ++_ACEOF ++ ++ac_fn_c_check_decl "$LINENO" "dm_device_has_holders" "ac_cv_have_decl_dm_device_has_holders" "#include ++" ++if test "x$ac_cv_have_decl_dm_device_has_holders" = xyes; then : ++ ac_have_decl=1 ++else ++ ac_have_decl=0 ++fi ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_DECL_DM_DEVICE_HAS_HOLDERS $ac_have_decl ++_ACEOF ++ + ac_fn_c_check_decl "$LINENO" "DM_UDEV_DISABLE_DISK_RULES_FLAG" "ac_cv_have_decl_DM_UDEV_DISABLE_DISK_RULES_FLAG" "#include + " + if test "x$ac_cv_have_decl_DM_UDEV_DISABLE_DISK_RULES_FLAG" = xyes; then : +diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c +index a0d6872..d6017b1 100644 +--- a/lib/libdevmapper.c ++++ b/lib/libdevmapper.c +@@ -1181,6 +1181,13 @@ int dm_query_device(struct crypt_device *cd, const char *name, + dmd->uuid = strdup(tmp_uuid + DM_UUID_PREFIX_LEN); + } + ++ dmd->holders = 0; ++#if (HAVE_DECL_DM_DEVICE_HAS_HOLDERS && HAVE_DECL_DM_DEVICE_HAS_MOUNTED_FS) ++ if (get_flags & DM_ACTIVE_HOLDERS) ++ dmd->holders = (dm_device_has_mounted_fs(dmi.major, dmi.minor) || ++ dm_device_has_holders(dmi.major, dmi.minor)); ++#endif ++ + r = (dmi.open_count > 0); + out: + if (dmt) +diff --git a/lib/setup.c b/lib/setup.c +index b2e4396..93e8079 100644 +--- a/lib/setup.c ++++ b/lib/setup.c +@@ -2249,6 +2249,7 @@ int crypt_activate_by_volume_key(struct crypt_device *cd, + int crypt_deactivate(struct crypt_device *cd, const char *name) + { + struct crypt_device *fake_cd = NULL; ++ struct crypt_dm_active_device dmd = {}; + int r; + + if (!name) +@@ -2266,6 +2267,13 @@ int crypt_deactivate(struct crypt_device *cd, const char *name) + switch (crypt_status(cd, name)) { + case CRYPT_ACTIVE: + case CRYPT_BUSY: ++ r = dm_query_device(cd, name, DM_ACTIVE_HOLDERS, &dmd); ++ if (r >= 0 && dmd.holders) { ++ log_err(cd, _("Device %s is still in use.\n"), name); ++ r = -EBUSY; ++ break; ++ } ++ + if (isTCRYPT(cd->type)) + r = TCRYPT_deactivate(cd, name); + else +diff --git a/lib/utils_dm.h b/lib/utils_dm.h +index c87e9aa..cf22e12 100644 +--- a/lib/utils_dm.h ++++ b/lib/utils_dm.h +@@ -48,14 +48,16 @@ uint32_t dm_flags(void); + + #define DM_ACTIVE_DEVICE (1 << 0) + #define DM_ACTIVE_UUID (1 << 1) ++#define DM_ACTIVE_HOLDERS (1 << 2) + +-#define DM_ACTIVE_CRYPT_CIPHER (1 << 2) +-#define DM_ACTIVE_CRYPT_KEYSIZE (1 << 3) +-#define DM_ACTIVE_CRYPT_KEY (1 << 4) ++#define DM_ACTIVE_CRYPT_CIPHER (1 << 3) ++#define DM_ACTIVE_CRYPT_KEYSIZE (1 << 4) ++#define DM_ACTIVE_CRYPT_KEY (1 << 5) ++ ++#define DM_ACTIVE_VERITY_ROOT_HASH (1 << 6) ++#define DM_ACTIVE_VERITY_HASH_DEVICE (1 << 7) ++#define DM_ACTIVE_VERITY_PARAMS (1 << 8) + +-#define DM_ACTIVE_VERITY_ROOT_HASH (1 << 5) +-#define DM_ACTIVE_VERITY_HASH_DEVICE (1 << 6) +-#define DM_ACTIVE_VERITY_PARAMS (1 << 7) + + struct crypt_dm_active_device { + enum { DM_CRYPT = 0, DM_VERITY } target; +@@ -63,6 +65,7 @@ struct crypt_dm_active_device { + uint32_t flags; /* activation flags */ + const char *uuid; + struct device *data_device; ++ unsigned holders:1; + union { + struct { + const char *cipher; +-- +1.8.3.1 + diff --git a/SOURCES/cryptsetup-1.7.6-fix-blockwise-access-functions-for-64k-page-size.patch b/SOURCES/cryptsetup-1.7.6-fix-blockwise-access-functions-for-64k-page-size.patch new file mode 100644 index 0000000..2c82dff --- /dev/null +++ b/SOURCES/cryptsetup-1.7.6-fix-blockwise-access-functions-for-64k-page-size.patch @@ -0,0 +1,50 @@ +diff -rupN cryptsetup-1.7.4.bcp/lib/utils.c cryptsetup-1.7.4/lib/utils.c +--- cryptsetup-1.7.4.bcp/lib/utils.c 2017-10-18 11:39:01.694902755 +0200 ++++ cryptsetup-1.7.4/lib/utils.c 2017-10-18 11:48:16.584868357 +0200 +@@ -252,21 +252,21 @@ ssize_t write_lseek_blockwise(int fd, in + if (!frontPadBuf) + goto out; + +- r = read_buffer(fd, frontPadBuf, bsize); +- if (r < 0 || r != bsize) +- goto out; +- + innerCount = bsize - frontHang; + if (innerCount > count) + innerCount = count; + ++ r = read_buffer(fd, frontPadBuf, bsize); ++ if (r < (frontHang + innerCount)) ++ goto out; ++ + memcpy(frontPadBuf + frontHang, buf, innerCount); + + if (lseek(fd, offset - frontHang, SEEK_SET) < 0) + goto out; + +- r = write_buffer(fd, frontPadBuf, bsize); +- if (r < 0 || r != bsize) ++ r = write_buffer(fd, frontPadBuf, frontHang + innerCount); ++ if (r != (frontHang + innerCount)) + goto out; + + buf = (char*)buf + innerCount; +@@ -311,14 +311,14 @@ ssize_t read_lseek_blockwise(int fd, int + if (!frontPadBuf) + return ret; + +- r = read_buffer(fd, frontPadBuf, bsize); +- if (r < 0 || r != bsize) +- goto out; +- + innerCount = bsize - frontHang; + if (innerCount > count) + innerCount = count; + ++ r = read_buffer(fd, frontPadBuf, bsize); ++ if (r < (frontHang + innerCount)) ++ goto out; ++ + memcpy(buf, frontPadBuf + frontHang, innerCount); + + buf = (char*)buf + innerCount; diff --git a/SOURCES/cryptsetup-2.0.4-add-blkid-utilities-for-fast-detection-of-device-sig.patch b/SOURCES/cryptsetup-2.0.4-add-blkid-utilities-for-fast-detection-of-device-sig.patch new file mode 100644 index 0000000..16a3ed6 --- /dev/null +++ b/SOURCES/cryptsetup-2.0.4-add-blkid-utilities-for-fast-detection-of-device-sig.patch @@ -0,0 +1,306 @@ +From 12d00da84239c3dcc4560dc60a0c36d534908cc0 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Wed, 4 Jul 2018 15:39:11 +0200 +Subject: [PATCH 1/6] Add blkid utilities for fast detection of device + signatures. + +--- + configure.ac | 21 ++++++++ + lib/Makemodule.am | 5 +- + lib/utils_blkid.c | 158 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ + lib/utils_blkid.h | 48 +++++++++++++++++ + 4 files changed, 231 insertions(+), 1 deletion(-) + create mode 100644 lib/utils_blkid.c + create mode 100644 lib/utils_blkid.h + +diff --git a/configure.ac b/configure.ac +index 05da6d6..31508d0 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -415,6 +415,26 @@ if test x$enable_internal_argon2 = xyes ; then + fi + AM_CONDITIONAL(CRYPTO_INTERNAL_ARGON2, test x$enable_internal_argon2 = xyes) + ++dnl Link with blkid to check for other device types ++AC_ARG_ENABLE(blkid, AS_HELP_STRING([--disable-blkid], ++ [disable use of blkid for device signature detection and wiping.]), [], [enable_blkid=yes]) ++ ++if test x$enable_blkid = xyes ; then ++ PKG_CHECK_MODULES([BLKID], [blkid],[AC_DEFINE([HAVE_BLKID], 1, [Define to 1 to use blkid for detection of disk signatures.])],[LIBBLKID_LIBS="-lblkid"]) ++ ++ AC_CHECK_HEADERS(blkid/blkid.h,,[AC_MSG_ERROR([You need blkid development library installed.])]) ++ AC_CHECK_DECLS([ blkid_reset_probe, ++ blkid_probe_set_device, ++ blkid_probe_filter_superblocks_type, ++ blkid_do_safeprobe, ++ blkid_do_probe, ++ blkid_probe_lookup_value ++ ],, ++ [AC_MSG_ERROR([Can not compile with blkid support, disable it by --disable-blkid.])], ++ [#include ]) ++fi ++AM_CONDITIONAL(HAVE_BLKID, test x$enable_blkid = xyes) ++ + dnl Magic for cryptsetup.static build. + if test x$enable_static_cryptsetup = xyes; then + saved_PKG_CONFIG=$PKG_CONFIG +@@ -465,6 +485,7 @@ AC_SUBST([CRYPTO_STATIC_LIBS]) + + AC_SUBST([JSON_C_LIBS]) + AC_SUBST([LIBARGON2_LIBS]) ++AC_SUBST([BLKID_LIBS]) + + AC_SUBST([LIBCRYPTSETUP_VERSION]) + AC_SUBST([LIBCRYPTSETUP_VERSION_INFO]) +diff --git a/lib/Makemodule.am b/lib/Makemodule.am +index 5e20039..26178b8 100644 +--- a/lib/Makemodule.am ++++ b/lib/Makemodule.am +@@ -30,6 +30,7 @@ libcryptsetup_la_LIBADD = \ + @CRYPTO_LIBS@ \ + @LIBARGON2_LIBS@ \ + @JSON_C_LIBS@ \ ++ @BLKID_LIBS@ \ + libcrypto_backend.la + + libcryptsetup_la_SOURCES = \ +@@ -92,4 +93,6 @@ libcryptsetup_la_SOURCES = \ + lib/luks2/luks2_token_keyring.c \ + lib/luks2/luks2_token.c \ + lib/luks2/luks2_internal.h \ +- lib/luks2/luks2.h ++ lib/luks2/luks2.h \ ++ lib/utils_blkid.c \ ++ lib/utils_blkid.h +diff --git a/lib/utils_blkid.c b/lib/utils_blkid.c +new file mode 100644 +index 0000000..7425bc5 +--- /dev/null ++++ b/lib/utils_blkid.c +@@ -0,0 +1,158 @@ ++/* ++ * blkid probe utilities ++ * ++ * Copyright (C) 2018, Red Hat, Inc. All rights reserved. ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License ++ * as published by the Free Software Foundation; either version 2 ++ * of the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++ ++#include "utils_blkid.h" ++ ++#ifdef HAVE_BLKID ++#include ++struct blkid_handle { ++ int fd; ++ blkid_probe pr; ++}; ++#endif ++ ++void blk_set_chains_for_fast_detection(struct blkid_handle *h) ++{ ++#ifdef HAVE_BLKID ++ blkid_probe_enable_partitions(h->pr, 1); ++ blkid_probe_set_partitions_flags(h->pr, 0); ++ ++ blkid_probe_enable_superblocks(h->pr, 1); ++ blkid_probe_set_superblocks_flags(h->pr, BLKID_SUBLKS_TYPE); ++#endif ++} ++ ++int blk_init_by_path(struct blkid_handle **h, const char *path) ++{ ++ int r = -ENOTSUP; ++#ifdef HAVE_BLKID ++ struct blkid_handle *tmp = malloc(sizeof(*tmp)); ++ if (!tmp) ++ return -ENOMEM; ++ ++ tmp->fd = -1; ++ ++ tmp->pr = blkid_new_probe_from_filename(path); ++ if (!tmp->pr) { ++ free(tmp); ++ return -EINVAL; ++ } ++ ++ *h = tmp; ++ ++ r = 0; ++#endif ++ return r; ++} ++ ++int blk_superblocks_filter_luks(struct blkid_handle *h) ++{ ++ int r = -ENOTSUP; ++#ifdef HAVE_BLKID ++ char *luks_filter[] = { ++ "crypto_LUKS", ++ NULL ++ }; ++ r = blkid_probe_filter_superblocks_type(h->pr, BLKID_FLTR_NOTIN, luks_filter); ++#endif ++ return r; ++} ++ ++blk_probe_status blk_safeprobe(struct blkid_handle *h) ++{ ++ int r = -1; ++#ifdef HAVE_BLKID ++ r = blkid_do_safeprobe(h->pr); ++#endif ++ switch (r) { ++ case -2: ++ return PRB_AMBIGUOUS; ++ case 1: ++ return PRB_EMPTY; ++ case 0: ++ return PRB_OK; ++ default: ++ return PRB_FAIL; ++ } ++} ++ ++int blk_is_partition(struct blkid_handle *h) ++{ ++ int r = 0; ++#ifdef HAVE_BLKID ++ r = blkid_probe_has_value(h->pr, "PTTYPE"); ++#endif ++ return r; ++} ++ ++int blk_is_superblock(struct blkid_handle *h) ++{ ++ int r = 0; ++#ifdef HAVE_BLKID ++ r = blkid_probe_has_value(h->pr, "TYPE"); ++#endif ++ return r; ++} ++ ++const char *blk_get_partition_type(struct blkid_handle *h) ++{ ++ const char *value = NULL; ++#ifdef HAVE_BLKID ++ (void) blkid_probe_lookup_value(h->pr, "PTTYPE", &value, NULL); ++#endif ++ return value; ++} ++ ++const char *blk_get_superblock_type(struct blkid_handle *h) ++{ ++ const char *value = NULL; ++#ifdef HAVE_BLKID ++ (void) blkid_probe_lookup_value(h->pr, "TYPE", &value, NULL); ++#endif ++ return value; ++} ++ ++void blk_free(struct blkid_handle *h) ++{ ++#ifdef HAVE_BLKID ++ if (!h) ++ return; ++ ++ if (h->pr) ++ blkid_free_probe(h->pr); ++ ++ free(h); ++#endif ++} ++ ++int blk_supported(void) ++{ ++ int r = 0; ++#ifdef HAVE_BLKID ++ r = 1; ++#endif ++ return r; ++} +diff --git a/lib/utils_blkid.h b/lib/utils_blkid.h +new file mode 100644 +index 0000000..d18b0a0 +--- /dev/null ++++ b/lib/utils_blkid.h +@@ -0,0 +1,48 @@ ++/* ++ * blkid probe utilities ++ * ++ * Copyright (C) 2018, Red Hat, Inc. All rights reserved. ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License ++ * as published by the Free Software Foundation; either version 2 ++ * of the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++ */ ++ ++#ifndef _UTILS_BLKID_H ++#define _UTILS_BLKID_H ++ ++struct blkid_handle; ++ ++typedef enum { PRB_OK = 0, PRB_EMPTY, PRB_AMBIGUOUS, PRB_FAIL } blk_probe_status; ++ ++int blk_init_by_path(struct blkid_handle **h, const char *path); ++ ++void blk_free(struct blkid_handle *h); ++ ++void blk_set_chains_for_fast_detection(struct blkid_handle *h); ++ ++int blk_superblocks_filter_luks(struct blkid_handle *h); ++ ++blk_probe_status blk_safeprobe(struct blkid_handle *h); ++ ++int blk_is_partition(struct blkid_handle *h); ++ ++int blk_is_superblock(struct blkid_handle *h); ++ ++const char *blk_get_partition_type(struct blkid_handle *h); ++ ++const char *blk_get_superblock_type(struct blkid_handle *h); ++ ++int blk_supported(void); ++ ++#endif +-- +1.8.3.1 + +--- cryptsetup-2.0.3.old/aclocal.m4 2018-05-03 21:36:53.000000000 +0200 ++++ cryptsetup-2.0.3/aclocal.m4 2018-07-16 15:37:34.935817650 +0200 +@@ -31,7 +31,7 @@ To do so, use the procedure documented b + # WITHOUT ANY WARRANTY, to the extent permitted by law; without even the + # implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + # +-# Last-changed: 2014-10-02 ++# Last-changed: 2018-07-16 + + + dnl AM_PATH_LIBGCRYPT([MINIMUM-VERSION, diff --git a/SOURCES/cryptsetup-2.0.4-allow-LUKS2-repair-to-override-blkid-checks.patch b/SOURCES/cryptsetup-2.0.4-allow-LUKS2-repair-to-override-blkid-checks.patch new file mode 100644 index 0000000..31737aa --- /dev/null +++ b/SOURCES/cryptsetup-2.0.4-allow-LUKS2-repair-to-override-blkid-checks.patch @@ -0,0 +1,131 @@ +From b82eaf14f7a01cfd542cb95fe97b8d3a22d5ba8f Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Thu, 28 Jun 2018 15:48:13 +0200 +Subject: [PATCH 3/6] Allow LUKS2 repair to override blkid checks. + +Allow user to run cryptsetup repair command and explicitly do +repair on corrupted LUKS2 headers where blkid decides it's no longer +a LUKS2 device. +--- + lib/luks2/luks2.h | 2 +- + lib/luks2/luks2_json_metadata.c | 13 +++++++------ + lib/setup.c | 10 +++++----- + 3 files changed, 13 insertions(+), 12 deletions(-) + +diff --git a/lib/luks2/luks2.h b/lib/luks2/luks2.h +index ee57b41..c431e8f 100644 +--- a/lib/luks2/luks2.h ++++ b/lib/luks2/luks2.h +@@ -131,7 +131,7 @@ struct luks2_keyslot_params { + int LUKS2_hdr_version_unlocked(struct crypt_device *cd, + const char *backup_file); + +-int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr); ++int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, int repair); + int LUKS2_hdr_write(struct crypt_device *cd, struct luks2_hdr *hdr); + int LUKS2_hdr_dump(struct crypt_device *cd, struct luks2_hdr *hdr); + +diff --git a/lib/luks2/luks2_json_metadata.c b/lib/luks2/luks2_json_metadata.c +index 125cad9..0fd6340 100644 +--- a/lib/luks2/luks2_json_metadata.c ++++ b/lib/luks2/luks2_json_metadata.c +@@ -842,7 +842,8 @@ int LUKS2_hdr_validate(json_object *hdr_jobj) + return 0; + } + +-int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr) ++/* FIXME: should we expose do_recovery parameter explicitly? */ ++int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, int repair) + { + int r; + +@@ -853,7 +854,7 @@ int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr) + return r; + } + +- r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1, 1); ++ r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1, !repair); + if (r == -EAGAIN) { + /* unlikely: auto-recovery is required and failed due to read lock being held */ + device_read_unlock(crypt_metadata_device(cd)); +@@ -865,7 +866,7 @@ int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr) + return r; + } + +- r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1, 1); ++ r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1, !repair); + + device_write_unlock(crypt_metadata_device(cd)); + } else +@@ -1050,7 +1051,7 @@ int LUKS2_hdr_restore(struct crypt_device *cd, struct luks2_hdr *hdr, + return r; + } + +- r = LUKS2_disk_hdr_read(cd, &hdr_file, backup_device, 0); ++ r = LUKS2_disk_hdr_read(cd, &hdr_file, backup_device, 0, 0); + device_read_unlock(backup_device); + device_free(backup_device); + +@@ -1089,7 +1090,7 @@ int LUKS2_hdr_restore(struct crypt_device *cd, struct luks2_hdr *hdr, + close(devfd); + devfd = -1; + +- r = LUKS2_hdr_read(cd, &tmp_hdr); ++ r = LUKS2_hdr_read(cd, &tmp_hdr, 0); + if (r == 0) { + log_dbg("Device %s already contains LUKS2 header, checking UUID and requirements.", device_path(device)); + r = LUKS2_config_get_requirements(cd, &tmp_hdr, &reqs); +@@ -1176,7 +1177,7 @@ out: + + if (!r) { + LUKS2_hdr_free(hdr); +- r = LUKS2_hdr_read(cd, hdr); ++ r = LUKS2_hdr_read(cd, hdr, 1); + } + + return r; +diff --git a/lib/setup.c b/lib/setup.c +index fddbe7e..a9b2eba 100644 +--- a/lib/setup.c ++++ b/lib/setup.c +@@ -644,16 +644,16 @@ struct crypt_pbkdf_type *crypt_get_pbkdf(struct crypt_device *cd) + /* + * crypt_load() helpers + */ +-static int _crypt_load_luks2(struct crypt_device *cd, int reload) ++static int _crypt_load_luks2(struct crypt_device *cd, int reload, int repair) + { + int r; + char tmp_cipher[MAX_CIPHER_LEN], tmp_cipher_mode[MAX_CIPHER_LEN], + *cipher = NULL, *cipher_mode = NULL, *type = NULL; + struct luks2_hdr hdr2 = {}; + +- log_dbg("%soading LUKS2 header.", reload ? "Rel" : "L"); ++ log_dbg("%soading LUKS2 header (repair %sabled).", reload ? "Rel" : "L", repair ? "en" : "dis"); + +- r = LUKS2_hdr_read(cd, &hdr2); ++ r = LUKS2_hdr_read(cd, &hdr2, repair); + if (r) + return r; + +@@ -713,7 +713,7 @@ static void _luks2_reload(struct crypt_device *cd) + if (!cd || !isLUKS2(cd->type)) + return; + +- (void) _crypt_load_luks2(cd, 1); ++ (void) _crypt_load_luks2(cd, 1, 0); + } + + static int _crypt_load_luks(struct crypt_device *cd, const char *requested_type, +@@ -768,7 +768,7 @@ static int _crypt_load_luks(struct crypt_device *cd, const char *requested_type, + return -EINVAL; + } + +- r = _crypt_load_luks2(cd, cd->type != NULL); ++ r = _crypt_load_luks2(cd, cd->type != NULL, repair); + } else + r = -EINVAL; + out: +-- +1.8.3.1 + diff --git a/SOURCES/cryptsetup-2.0.4-allow-LUKS2-repair-with-disabled-locks.patch b/SOURCES/cryptsetup-2.0.4-allow-LUKS2-repair-with-disabled-locks.patch new file mode 100644 index 0000000..a5d5258 --- /dev/null +++ b/SOURCES/cryptsetup-2.0.4-allow-LUKS2-repair-with-disabled-locks.patch @@ -0,0 +1,26 @@ +From c6dc8dd86c797b982d47ebb918367b4575d59dad Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Mon, 9 Jul 2018 18:43:02 +0200 +Subject: [PATCH 6/6] Allow LUKS2 repair with disabled locks. + +--- + lib/luks2/luks2_disk_metadata.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/luks2/luks2_disk_metadata.c b/lib/luks2/luks2_disk_metadata.c +index 6ca9d5e..bd5223f 100644 +--- a/lib/luks2/luks2_disk_metadata.c ++++ b/lib/luks2/luks2_disk_metadata.c +@@ -592,7 +592,8 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, + int i, r; + uint64_t hdr_size; + +- if (do_recovery && !crypt_metadata_locking_enabled()) { ++ /* Skip auto-recovery if locks are disabled and we're not doing LUKS2 explicit repair */ ++ if (do_recovery && do_blkprobe && !crypt_metadata_locking_enabled()) { + do_recovery = 0; + log_dbg("Disabling header auto-recovery due to locking being disabled."); + } +-- +1.8.3.1 + diff --git a/SOURCES/cryptsetup-2.0.4-allow-explicit-LUKS2-repair.patch b/SOURCES/cryptsetup-2.0.4-allow-explicit-LUKS2-repair.patch new file mode 100644 index 0000000..5dc1782 --- /dev/null +++ b/SOURCES/cryptsetup-2.0.4-allow-explicit-LUKS2-repair.patch @@ -0,0 +1,44 @@ +From 4b3b6b07ad42ebab346f0fe343aab2a14cd5a9da Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Mon, 9 Jul 2018 17:18:17 +0200 +Subject: [PATCH 4/6] Allow explicit LUKS2 repair. + +Also moves FIXME comment lower to LUKS2 code with note that currently it's +safe to do crypt_repair on LUKS2 format without paying attention to LUKS2 +requirements. +--- + lib/setup.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/lib/setup.c b/lib/setup.c +index a9b2eba..952fa0e 100644 +--- a/lib/setup.c ++++ b/lib/setup.c +@@ -768,6 +768,14 @@ static int _crypt_load_luks(struct crypt_device *cd, const char *requested_type, + return -EINVAL; + } + ++ /* ++ * Current LUKS2 repair just overrides blkid probes ++ * and perform auto-recovery if possible. This is safe ++ * unless future LUKS2 repair code do something more ++ * sophisticated. In such case we would need to check ++ * for LUKS2 requirements and decide if it's safe to ++ * perform repair. ++ */ + r = _crypt_load_luks2(cd, cd->type != NULL, repair); + } else + r = -EINVAL; +@@ -2023,8 +2031,7 @@ int crypt_repair(struct crypt_device *cd, + if (!crypt_metadata_device(cd)) + return -EINVAL; + +- /* FIXME LUKS2 (if so it also must respect LUKS2 requirements) */ +- if (requested_type && !isLUKS1(requested_type)) ++ if (requested_type && !isLUKS(requested_type)) + return -EINVAL; + + /* Load with repair */ +-- +1.8.3.1 + diff --git a/SOURCES/cryptsetup-2.0.4-dracut-reencrypt.patch b/SOURCES/cryptsetup-2.0.4-dracut-reencrypt.patch new file mode 100644 index 0000000..abca3a3 --- /dev/null +++ b/SOURCES/cryptsetup-2.0.4-dracut-reencrypt.patch @@ -0,0 +1,106 @@ +From 1b9148f12f85f326cb8127665ecfc2136c9822d5 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Wed, 18 Oct 2017 09:57:03 +0200 +Subject: [PATCH] dracut-reencrypt: add --progress-frequency parameter + +--- + misc/dracut_90reencrypt/reencrypt.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/misc/dracut_90reencrypt/reencrypt.sh b/misc/dracut_90reencrypt/reencrypt.sh +index e6f87e0..b4960d7 100755 +--- a/misc/dracut_90reencrypt/reencrypt.sh ++++ b/misc/dracut_90reencrypt/reencrypt.sh +@@ -18,7 +18,7 @@ else + device="$1" + fi + +-PARAMS="$device -T 1 --use-fsync -B 32" ++PARAMS="$device -T 1 --use-fsync --progress-frequency 5 -B 32" + if [ "$3" != "any" ]; then + PARAMS="$PARAMS -S $3" + fi +-- +1.8.3.1 + +From cda0a8ac7f30f120cdf5fadf16484715e8f9a040 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Thu, 19 Jul 2018 17:33:58 +0200 +Subject: [PATCH 2/2] Indicate running in initrd phase. + +--- + misc/dracut_90reencrypt/reencrypt.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/misc/dracut_90reencrypt/reencrypt.sh b/misc/dracut_90reencrypt/reencrypt.sh +index e6f87e0..24c7716 100755 +--- a/misc/dracut_90reencrypt/reencrypt.sh ++++ b/misc/dracut_90reencrypt/reencrypt.sh +@@ -11,6 +11,8 @@ + + . /lib/dracut-lib.sh + ++export CRYPT_REENCRYPT_IN_INITRD=1 ++ + # if device name is /dev/dm-X, convert to /dev/mapper/name + if [ "${1##/dev/dm-}" != "$1" ]; then + device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")" +-- +1.8.3.1 + +From 5da5e7f095e09c9501179864f6a20293dd9cada5 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Mon, 16 Jul 2018 17:17:45 +0200 +Subject: [PATCH] Redirect stdout to stderr during reencryption in initrd. + +Stdout is not printed in initrd unless user invokes debug mode. +It's inconvenient to have users waiting for reencryption to +finish with no input at all. +--- + misc/dracut_90reencrypt/module-setup.sh | 1 + + misc/dracut_90reencrypt/reencrypt-verbose.sh | 5 +++++ + misc/dracut_90reencrypt/reencrypt.sh | 4 ++-- + 3 files changed, 8 insertions(+), 2 deletions(-) + create mode 100755 misc/dracut_90reencrypt/reencrypt-verbose.sh + +diff --git a/misc/dracut_90reencrypt/module-setup.sh b/misc/dracut_90reencrypt/module-setup.sh +index 2ec9953..fcd7c92 100755 +--- a/misc/dracut_90reencrypt/module-setup.sh ++++ b/misc/dracut_90reencrypt/module-setup.sh +@@ -28,4 +28,5 @@ install() { + # shellcheck disable=SC2154 + inst_hook cmdline 30 "$moddir/parse-reencrypt.sh" + inst_simple "$moddir"/reencrypt.sh /sbin/reencrypt ++ inst_simple "$moddir"/reencrypt-verbose.sh /sbin/cryptsetup-reencrypt-verbose + } +diff --git a/misc/dracut_90reencrypt/reencrypt-verbose.sh b/misc/dracut_90reencrypt/reencrypt-verbose.sh +new file mode 100755 +index 0000000..5db75d5 +--- /dev/null ++++ b/misc/dracut_90reencrypt/reencrypt-verbose.sh +@@ -0,0 +1,5 @@ ++#!/bin/sh ++ ++# Route stdout to stderr in initrd. Otherwise output is invisible ++# unless we run in debug mode. ++/sbin/cryptsetup-reencrypt $@ 1>&2 +diff --git a/misc/dracut_90reencrypt/reencrypt.sh b/misc/dracut_90reencrypt/reencrypt.sh +index b4960d7..4243773 100755 +--- a/misc/dracut_90reencrypt/reencrypt.sh ++++ b/misc/dracut_90reencrypt/reencrypt.sh +@@ -50,10 +50,10 @@ reenc_run() { + fi + /bin/plymouth ask-for-password \ + --prompt "$_prompt" \ +- --command="/sbin/cryptsetup-reencrypt $PARAMS" ++ --command="/sbin/cryptsetup-reencrypt-verbose $PARAMS" + else + info "REENCRYPT using key $1" +- reenc_readkey "$1" | /sbin/cryptsetup-reencrypt -d - $PARAMS ++ reenc_readkey "$1" | /sbin/cryptsetup-reencrypt-verbose -d - $PARAMS + fi + _ret=$? + cd $cwd +-- +1.8.3.1 + diff --git a/SOURCES/cryptsetup-2.0.4-fix-LUKS2-api-test.patch b/SOURCES/cryptsetup-2.0.4-fix-LUKS2-api-test.patch new file mode 100644 index 0000000..1c80967 --- /dev/null +++ b/SOURCES/cryptsetup-2.0.4-fix-LUKS2-api-test.patch @@ -0,0 +1,14 @@ +diff -rupN cryptsetup-2.0.3.old/tests/api-test-2.c cryptsetup-2.0.3/tests/api-test-2.c +--- cryptsetup-2.0.3.old/tests/api-test-2.c 2019-03-27 21:31:18.684160803 +0100 ++++ cryptsetup-2.0.3/tests/api-test-2.c 2019-03-27 21:32:14.762630391 +0100 +@@ -2514,8 +2514,8 @@ static void Luks2Requirements(void) + FAIL_((r = crypt_set_label(cd, "label", "subsystem")), "Unmet requirements detected"); + EQ_(r, -ETXTBSY); + +- /* crypt_repair (not implemented for luks2) */ +- FAIL_(crypt_repair(cd, CRYPT_LUKS2, NULL), "Not implemented"); ++ /* crypt_repair (with current repair capabilities it's unrestricted) */ ++ OK_(crypt_repair(cd, CRYPT_LUKS2, NULL)); + + /* crypt_keyslot_add_passphrase (restricted) */ + FAIL_((r = crypt_keyslot_add_by_passphrase(cd, CRYPT_ANY_SLOT, "aaa", 3, "bbb", 3)), "Unmet requirements detected"); diff --git a/SOURCES/cryptsetup-2.0.4-fix-write_blockwise-on-short-files.patch b/SOURCES/cryptsetup-2.0.4-fix-write_blockwise-on-short-files.patch new file mode 100644 index 0000000..8821a14 --- /dev/null +++ b/SOURCES/cryptsetup-2.0.4-fix-write_blockwise-on-short-files.patch @@ -0,0 +1,40 @@ +From 63d66e7a3356da4bca77f521fd93df7cdf09b41a Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Tue, 19 Jun 2018 15:10:33 +0200 +Subject: [PATCH 3/4] Fix write_blockwise on short files. + +see unit test write_blockwise(length=2097153, bsize=4096), on x86 +with original test file size=2097152. + +The test is trying to write_blockwise 1 more byte than actual file +size. +--- + lib/utils_io.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/lib/utils_io.c b/lib/utils_io.c +index 8336b18..e0c2381 100644 +--- a/lib/utils_io.c ++++ b/lib/utils_io.c +@@ -105,15 +105,13 @@ ssize_t write_blockwise(int fd, size_t bsize, size_t alignment, + if (hangover) { + if (posix_memalign(&hangover_buf, alignment, bsize)) + goto out; ++ memset(hangover_buf, 0, bsize); + + r = read_buffer(fd, hangover_buf, bsize); +- if (r < 0 || r < (ssize_t)hangover) ++ if (r < 0) + goto out; + +- if (r < (ssize_t)bsize) +- bsize = r; +- +- if (lseek(fd, -(off_t)bsize, SEEK_CUR) < 0) ++ if (lseek(fd, -(off_t)r, SEEK_CUR) < 0) + goto out; + + memcpy(hangover_buf, (char*)buf + solid, hangover); +-- +1.8.3.1 + diff --git a/SOURCES/cryptsetup-2.0.4-fix-write_lseek_blockwise-for-in-the-middle-of-secto.patch b/SOURCES/cryptsetup-2.0.4-fix-write_lseek_blockwise-for-in-the-middle-of-secto.patch new file mode 100644 index 0000000..92f889b --- /dev/null +++ b/SOURCES/cryptsetup-2.0.4-fix-write_lseek_blockwise-for-in-the-middle-of-secto.patch @@ -0,0 +1,32 @@ +From 6392be68c4d481148e20dbc2a8380cc246f27ad1 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Tue, 19 Jun 2018 14:45:45 +0200 +Subject: [PATCH 2/4] Fix write_lseek_blockwise for in the middle of sector + case. + +See unit test write_lseek_blockwise(bsize=512, offset=1, length=1). + +The test tries to modify single byte at offset 1 of device with +bsize=512. +--- + lib/utils_io.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/utils_io.c b/lib/utils_io.c +index 94c4ef6..8336b18 100644 +--- a/lib/utils_io.c ++++ b/lib/utils_io.c +@@ -216,8 +216,8 @@ ssize_t write_lseek_blockwise(int fd, size_t bsize, size_t alignment, + if (lseek(fd, offset - frontHang, SEEK_SET) < 0) + goto out; + +- r = write_buffer(fd, frontPadBuf, frontHang + innerCount); +- if (r < 0 || r != (ssize_t)(frontHang + innerCount)) ++ r = write_buffer(fd, frontPadBuf, bsize); ++ if (r < 0 || r != (ssize_t)bsize) + goto out; + + buf = (char*)buf + innerCount; +-- +1.8.3.1 + diff --git a/SOURCES/cryptsetup-2.0.4-make-LUKS2-auto-recovery-aware-of-device-signatures.patch b/SOURCES/cryptsetup-2.0.4-make-LUKS2-auto-recovery-aware-of-device-signatures.patch new file mode 100644 index 0000000..c472424 --- /dev/null +++ b/SOURCES/cryptsetup-2.0.4-make-LUKS2-auto-recovery-aware-of-device-signatures.patch @@ -0,0 +1,164 @@ +From 078ed81d14904f48a6237646050ba5eb74d702b7 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Wed, 4 Jul 2018 15:58:09 +0200 +Subject: [PATCH 2/6] Make LUKS2 auto-recovery aware of device signatures. + +auto-recovery triggers any time when only single correct LUKS2 +header instance was found. That may be dangerous. + +We should suppress auto-recovery in case blkid decided the +device is no longer LUKS device. For example if secondary (intact) +LUKS2 header was left behind and blkid declares the device is LVM2 +member. + +Moreover if at least one header instance is corrupted and blkid +declares device non-empty and non-LUKS in the same time, header load +operation will be aborted with error. +--- + lib/internal.h | 1 + + lib/luks2/luks2_disk_metadata.c | 61 ++++++++++++++++++++++++++++++++++++++++- + lib/luks2/luks2_internal.h | 2 +- + lib/luks2/luks2_json_metadata.c | 4 +-- + 4 files changed, 64 insertions(+), 4 deletions(-) + +diff --git a/lib/internal.h b/lib/internal.h +index 07a1a08..e6d2323 100644 +--- a/lib/internal.h ++++ b/lib/internal.h +@@ -32,6 +32,7 @@ + + #include "nls.h" + #include "bitops.h" ++#include "utils_blkid.h" + #include "utils_crypt.h" + #include "utils_loop.h" + #include "utils_dm.h" +diff --git a/lib/luks2/luks2_disk_metadata.c b/lib/luks2/luks2_disk_metadata.c +index 4d9bce2..6ca9d5e 100644 +--- a/lib/luks2/luks2_disk_metadata.c ++++ b/lib/luks2/luks2_disk_metadata.c +@@ -531,12 +531,59 @@ static json_object *parse_and_validate_json(const char *json_area, int length) + return jobj; + } + ++static int detect_device_signatures(const char *path) ++{ ++ blk_probe_status prb_state; ++ int r; ++ struct blkid_handle *h; ++ ++ if (!blk_supported()) { ++ log_dbg("Blkid probing of device signatures disabled."); ++ return 0; ++ } ++ ++ if ((r = blk_init_by_path(&h, path))) { ++ log_dbg("Failed to initialize blkid_handle by path."); ++ return -EINVAL; ++ } ++ ++ /* We don't care about details. Be fast. */ ++ blk_set_chains_for_fast_detection(h); ++ ++ /* Filter out crypto_LUKS. we don't care now */ ++ blk_superblocks_filter_luks(h); ++ ++ prb_state = blk_safeprobe(h); ++ ++ switch (prb_state) { ++ case PRB_AMBIGUOUS: ++ log_dbg("Blkid probe couldn't decide device type unambiguously."); ++ /* fall through */ ++ case PRB_FAIL: ++ log_dbg("Blkid probe failed."); ++ r = -EINVAL; ++ break; ++ case PRB_OK: /* crypto_LUKS type is filtered out */ ++ r = -EINVAL; ++ ++ if (blk_is_partition(h)) ++ log_dbg("Blkid probe detected partition type '%s'", blk_get_partition_type(h)); ++ else if (blk_is_superblock(h)) ++ log_dbg("blkid probe detected superblock type '%s'", blk_get_superblock_type(h)); ++ break; ++ case PRB_EMPTY: ++ log_dbg("Blkid probe detected no foreign device signature."); ++ } ++ blk_free(h); ++ return r; ++} ++ + /* + * Read and convert on-disk LUKS2 header to in-memory representation.. + * Try to do recovery if on-disk state is not consistent. + */ + int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, +- struct device *device, int do_recovery) ++ struct device *device, int do_recovery, int do_blkprobe) + { + enum { HDR_OK, HDR_OBSOLETE, HDR_FAIL, HDR_FAIL_IO } state_hdr1, state_hdr2; + struct luks2_hdr_disk hdr_disk1, hdr_disk2; +@@ -616,6 +663,12 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, + if (state_hdr1 == HDR_OK && state_hdr2 != HDR_OK) { + log_dbg("Secondary LUKS2 header requires recovery."); + ++ if (do_blkprobe && (r = detect_device_signatures(device_path(device)))) { ++ log_err(cd, _("Device contains ambiguous signatures, cannot auto-recover LUKS2.\n" ++ "Please run \"cryptsetup repair\" for recovery.")); ++ goto err; ++ } ++ + if (do_recovery) { + memcpy(&hdr_disk2, &hdr_disk1, LUKS2_HDR_BIN_LEN); + r = crypt_random_get(NULL, (char*)hdr_disk2.salt, sizeof(hdr_disk2.salt), CRYPT_RND_SALT); +@@ -631,6 +684,12 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, + } else if (state_hdr1 != HDR_OK && state_hdr2 == HDR_OK) { + log_dbg("Primary LUKS2 header requires recovery."); + ++ if (do_blkprobe && (r = detect_device_signatures(device_path(device)))) { ++ log_err(cd, _("Device contains ambiguous signatures, cannot auto-recover LUKS2.\n" ++ "Please run \"cryptsetup repair\" for recovery.")); ++ goto err; ++ } ++ + if (do_recovery) { + memcpy(&hdr_disk1, &hdr_disk2, LUKS2_HDR_BIN_LEN); + r = crypt_random_get(NULL, (char*)hdr_disk1.salt, sizeof(hdr_disk1.salt), CRYPT_RND_SALT); +diff --git a/lib/luks2/luks2_internal.h b/lib/luks2/luks2_internal.h +index e9beab8..dcabed7 100644 +--- a/lib/luks2/luks2_internal.h ++++ b/lib/luks2/luks2_internal.h +@@ -42,7 +42,7 @@ + * On-disk access function prototypes + */ + int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, +- struct device *device, int do_recovery); ++ struct device *device, int do_recovery, int do_blkprobe); + int LUKS2_disk_hdr_write(struct crypt_device *cd, struct luks2_hdr *hdr, + struct device *device); + +diff --git a/lib/luks2/luks2_json_metadata.c b/lib/luks2/luks2_json_metadata.c +index 362388e..125cad9 100644 +--- a/lib/luks2/luks2_json_metadata.c ++++ b/lib/luks2/luks2_json_metadata.c +@@ -853,7 +853,7 @@ int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr) + return r; + } + +- r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1); ++ r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1, 1); + if (r == -EAGAIN) { + /* unlikely: auto-recovery is required and failed due to read lock being held */ + device_read_unlock(crypt_metadata_device(cd)); +@@ -865,7 +865,7 @@ int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr) + return r; + } + +- r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1); ++ r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1, 1); + + device_write_unlock(crypt_metadata_device(cd)); + } else +-- +1.8.3.1 + diff --git a/SOURCES/cryptsetup-2.0.4-rephrase-error-message-for-invalid-type-param-in-con.patch b/SOURCES/cryptsetup-2.0.4-rephrase-error-message-for-invalid-type-param-in-con.patch new file mode 100644 index 0000000..6c34ab8 --- /dev/null +++ b/SOURCES/cryptsetup-2.0.4-rephrase-error-message-for-invalid-type-param-in-con.patch @@ -0,0 +1,25 @@ +From b60e856087db77abbc5aa62a7f980e62b8b75029 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Tue, 17 Jul 2018 10:53:13 +0200 +Subject: [PATCH] Rephrase error message for invalid --type param in convert. + +--- + src/cryptsetup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/cryptsetup.c b/src/cryptsetup.c +index fc3481d..5f8df37 100644 +--- a/src/cryptsetup.c ++++ b/src/cryptsetup.c +@@ -1851,7 +1851,7 @@ static int action_luksConvert(void) + } else if (!strcmp(opt_type, "luks1")) { + to_type = CRYPT_LUKS1; + } else { +- log_err(_("Missing LUKS target type, option --type is required.")); ++ log_err(_("Invalid LUKS type, only luks1 and luks2 are supported.")); + return -EINVAL; + } + +-- +1.8.3.1 + diff --git a/SOURCES/cryptsetup-2.0.4-update-crypt_repair-API-documentation-for-LUKS2.patch b/SOURCES/cryptsetup-2.0.4-update-crypt_repair-API-documentation-for-LUKS2.patch new file mode 100644 index 0000000..a2f9d2e --- /dev/null +++ b/SOURCES/cryptsetup-2.0.4-update-crypt_repair-API-documentation-for-LUKS2.patch @@ -0,0 +1,40 @@ +From 167da99eaa9708289492e8fca2ebe4964cf5baa7 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Mon, 9 Jul 2018 17:27:55 +0200 +Subject: [PATCH 5/6] Update crypt_repair API documentation for LUKS2. + +--- + lib/libcryptsetup.h | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/lib/libcryptsetup.h b/lib/libcryptsetup.h +index 0a7ebdb..2d959fa 100644 +--- a/lib/libcryptsetup.h ++++ b/lib/libcryptsetup.h +@@ -624,7 +624,7 @@ int crypt_load(struct crypt_device *cd, + void *params); + + /** +- * Try to repair crypt device LUKS1 on-disk header if invalid. ++ * Try to repair crypt device LUKS on-disk header if invalid. + * + * @param cd crypt device handle + * @param requested_type @link crypt-type @endlink or @e NULL for all known +@@ -632,9 +632,11 @@ int crypt_load(struct crypt_device *cd, + * + * @returns 0 on success or negative errno value otherwise. + * +- * @note Does not support LUKS2 devices explicitly. LUKS2 header is auto-repaired +- * (if exactly one header checksum does not match) automatically on +- * crypt_load(). ++ * @note For LUKS2 device crypt_repair bypass blkid checks and ++ * perform auto-recovery even though there're third party device ++ * signatures found by blkid probes. Currently the crypt_repair on LUKS2 ++ * works only if exactly one header checksum does not match or exactly ++ * one header is missing. + */ + int crypt_repair(struct crypt_device *cd, + const char *requested_type, +-- +1.8.3.1 + diff --git a/SOURCES/cryptsetup-2.0.4-update-cryptsetup-man-page-for-type-option-usage.patch b/SOURCES/cryptsetup-2.0.4-update-cryptsetup-man-page-for-type-option-usage.patch new file mode 100644 index 0000000..d21d220 --- /dev/null +++ b/SOURCES/cryptsetup-2.0.4-update-cryptsetup-man-page-for-type-option-usage.patch @@ -0,0 +1,110 @@ +From 3f0f7acbc0dd72f1d98feb7af214cf12eb9bc47e Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Tue, 10 Jul 2018 14:36:45 +0200 +Subject: [PATCH] Update cryptsetup man page for --type option usage. + +Fixes #394. +--- + man/cryptsetup.8 | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +diff --git a/man/cryptsetup.8 b/man/cryptsetup.8 +index b2ef8cd..96d4fef 100644 +--- a/man/cryptsetup.8 ++++ b/man/cryptsetup.8 +@@ -70,8 +70,8 @@ The following are valid actions for all supported device types. + .IP + Opens (creates a mapping with) backed by device . + +-Device type can be \fIplain\fR, \fIluks\fR (default), \fIloopaes\fR +-or \fItcrypt\fR. ++Device type can be \fIplain\fR, \fIluks\fR (default), \fIluks1\fR, \fIluks2\fR, ++\fIloopaes\fR or \fItcrypt\fR. + + For backward compatibility there are \fBopen\fR command aliases: + +@@ -243,7 +243,7 @@ the command prompts for it interactively. + \fB\fR can be [\-\-key\-file, \-\-keyfile\-offset, + \-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase, + \-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id, +-\-\-token\-only, \-\-disable\-keyring, \-\-disable\-locks]. ++\-\-token\-only, \-\-disable\-keyring, \-\-disable\-locks, \-\-type]. + .PP + \fIluksSuspend\fR + .IP +@@ -266,7 +266,7 @@ Resumes a suspended device and reinstates the encryption key. + Prompts interactively for a passphrase if \-\-key-file is not given. + + \fB\fR can be [\-\-key\-file, \-\-keyfile\-size, \-\-header, +-\-\-disable\-keyring,\-\-disable\-locks] ++\-\-disable\-keyring, \-\-disable\-locks, \-\-type] + .PP + \fIluksAddKey\fR [] + .IP +@@ -285,7 +285,7 @@ is not required. + \-\-keyfile\-size, \-\-new\-keyfile\-offset, + \-\-new\-keyfile\-size, \-\-key\-slot, \-\-master\-key\-file, + \-\-iter\-time, \-\-force\-password, \-\-header, \-\-disable\-locks, +-\-\-unbound]. ++\-\-unbound, \-\-type]. + .PP + \fIluksRemoveKey\fR [] + .IP +@@ -294,7 +294,7 @@ passphrase to be removed can be specified interactively, + as the positional argument or via \-\-key-file. + + \fB\fR can be [\-\-key\-file, \-\-keyfile\-offset, +-\-\-keyfile\-size, \-\-header, \-\-disable\-locks] ++\-\-keyfile\-size, \-\-header, \-\-disable\-locks, \-\-type] + + \fBWARNING:\fR If you read the passphrase from stdin + (without further argument or with '-' as an argument +@@ -328,7 +328,7 @@ inaccessible. + \fB\fR can be [\-\-key\-file, \-\-keyfile\-offset, + \-\-keyfile\-size, \-\-new\-keyfile\-offset, + \-\-new\-keyfile\-size, \-\-key\-slot, \-\-force\-password, \-\-header, +-\-\-disable\-locks]. ++\-\-disable\-locks, \-\-type]. + .PP + .PP + \fIluksConvertKey\fR +@@ -364,7 +364,7 @@ an interactive confirmation when doing so. Removing the last + passphrase makes a LUKS container permanently inaccessible. + + \fB\fR can be [\-\-key\-file, \-\-keyfile\-offset, +-\-\-keyfile\-size, \-\-header, \-\-disable\-locks]. ++\-\-keyfile\-size, \-\-header, \-\-disable\-locks, \-\-type]. + + \fBWARNING:\fR If you read the passphrase from stdin + (without further argument or with '-' as an argument +@@ -399,6 +399,8 @@ Set new UUID if \fI\-\-uuid\fR option is specified. + Returns true, if is a LUKS device, false otherwise. + Use option \-v to get human-readable feedback. 'Command successful.' + means the device is a LUKS device. ++ ++By specifying \-\-type you may query for specific LUKS version. + .PP + \fIluksDump\fR + .IP +@@ -417,7 +419,7 @@ either interactively or via \-\-key\-file. + + \fB\fR can be [\-\-dump\-master\-key, \-\-key\-file, + \-\-keyfile\-offset, \-\-keyfile\-size, \-\-header, \-\-disable\-locks, +-\-\-master\-key\-file]. ++\-\-master\-key\-file, \-\-type]. + + \fBWARNING:\fR If \-\-dump\-master\-key is used with \-\-key\-file + and the argument to \-\-key\-file is '-', no validation question +@@ -663,7 +665,8 @@ for LUKS device type. + This command is useful to fix some known benign LUKS metadata + header corruptions. Only basic corruptions of unused keyslot + are fixable. This command will only change the LUKS header, not +-any key-slot data. ++any key-slot data. You may enforce LUKS version by adding \-\-type ++option. + + \fBWARNING:\fR Always create a binary backup of the original + header before calling this command. +-- +1.8.3.1 + diff --git a/SOURCES/cryptsetup-2.0.4-zero-length-lseek-blockwise-i-o-should-return-zero.patch b/SOURCES/cryptsetup-2.0.4-zero-length-lseek-blockwise-i-o-should-return-zero.patch new file mode 100644 index 0000000..6d4d7e3 --- /dev/null +++ b/SOURCES/cryptsetup-2.0.4-zero-length-lseek-blockwise-i-o-should-return-zero.patch @@ -0,0 +1,39 @@ +From 685bcc56351b3e46b69d46118d23268b69052097 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Tue, 19 Jun 2018 14:07:20 +0200 +Subject: [PATCH 1/4] Zero length lseek blockwise i/o should return zero. + +Note that both functions perform seek operations aligned to sector +boundary if possible before returning. + +Unaligned input offset gets aligned on first preceding sector +boundary. +--- + lib/utils_io.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/utils_io.c b/lib/utils_io.c +index 0f671d6..94c4ef6 100644 +--- a/lib/utils_io.c ++++ b/lib/utils_io.c +@@ -199,7 +199,7 @@ ssize_t write_lseek_blockwise(int fd, size_t bsize, size_t alignment, + if (lseek(fd, offset - frontHang, SEEK_SET) < 0) + return -1; + +- if (frontHang) { ++ if (frontHang && length) { + if (posix_memalign(&frontPadBuf, alignment, bsize)) + return -1; + +@@ -253,7 +253,7 @@ ssize_t read_lseek_blockwise(int fd, size_t bsize, size_t alignment, + if (lseek(fd, offset - frontHang, SEEK_SET) < 0) + return -1; + +- if (frontHang) { ++ if (frontHang && length) { + if (posix_memalign(&frontPadBuf, alignment, bsize)) + return -1; + +-- +1.8.3.1 + diff --git a/SOURCES/cryptsetup-2.0.5-fix-miscalculation-of-device-alignment-offset.patch b/SOURCES/cryptsetup-2.0.5-fix-miscalculation-of-device-alignment-offset.patch new file mode 100644 index 0000000..d3caad8 --- /dev/null +++ b/SOURCES/cryptsetup-2.0.5-fix-miscalculation-of-device-alignment-offset.patch @@ -0,0 +1,28 @@ +From dd36d56d472e1ea1db74d64d2e6a8d8ece2e7a76 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Thu, 9 Aug 2018 10:26:38 +0200 +Subject: [PATCH] Fix miscalculation of device alignment offset. + +device_topology_alignment routine already returns alignment offset +in bytes. There's no need to divide it by sector size, since LUKS2 +format have all offsets and sizes stored in bytes. +--- + lib/setup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/setup.c b/lib/setup.c +index ff944c9..1a78d2e 100644 +--- a/lib/setup.c ++++ b/lib/setup.c +@@ -1602,7 +1602,7 @@ static int _crypt_format_luks2(struct crypt_device *cd, + integrity, uuid, + sector_size, + required_alignment / sector_size, +- alignment_offset / sector_size, ++ alignment_offset, + cd->metadata_device ? 1 : 0); + if (r < 0) + goto out; +-- +1.8.3.1 + diff --git a/SOURCES/cryptsetup-2.0.5-remove-useless-division-followed-by-multiplication-b.patch b/SOURCES/cryptsetup-2.0.5-remove-useless-division-followed-by-multiplication-b.patch new file mode 100644 index 0000000..a03d842 --- /dev/null +++ b/SOURCES/cryptsetup-2.0.5-remove-useless-division-followed-by-multiplication-b.patch @@ -0,0 +1,58 @@ +From d2f0773eb8482f754d9a7599d26697efcdd25cd6 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Thu, 9 Aug 2018 10:34:17 +0200 +Subject: [PATCH] Remove useless division followed by multiplication by same + base. + +--- + lib/luks2/luks2_json_format.c | 10 +++++----- + lib/setup.c | 2 +- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/lib/luks2/luks2_json_format.c b/lib/luks2/luks2_json_format.c +index a0b72ab..4b50f89 100644 +--- a/lib/luks2/luks2_json_format.c ++++ b/lib/luks2/luks2_json_format.c +@@ -122,9 +122,9 @@ int LUKS2_generate_hdr( + const char *cipherMode, + const char *integrity, + const char *uuid, +- unsigned int sector_size, +- unsigned int alignPayload, +- unsigned int alignOffset, ++ unsigned int sector_size, /* in bytes */ ++ unsigned int alignPayload, /* in bytes */ ++ unsigned int alignOffset, /* in bytes */ + int detached_metadata_device) + { + struct json_object *jobj_segment, *jobj_integrity, *jobj_keyslots, *jobj_segments, *jobj_config; +@@ -182,11 +182,11 @@ int LUKS2_generate_hdr( + jobj_segment = json_object_new_object(); + json_object_object_add(jobj_segment, "type", json_object_new_string("crypt")); + if (detached_metadata_device) +- offset = (uint64_t)alignPayload * sector_size; ++ offset = (uint64_t)alignPayload; + else { + //FIXME + //offset = size_round_up(areas[7].offset + areas[7].length, alignPayload * SECTOR_SIZE); +- offset = size_round_up(LUKS2_HDR_DEFAULT_LEN, (size_t)alignPayload * sector_size); ++ offset = size_round_up(LUKS2_HDR_DEFAULT_LEN, (size_t)alignPayload); + offset += alignOffset; + } + +diff --git a/lib/setup.c b/lib/setup.c +index 1a78d2e..61bf3da 100644 +--- a/lib/setup.c ++++ b/lib/setup.c +@@ -1601,7 +1601,7 @@ static int _crypt_format_luks2(struct crypt_device *cd, + cipher, cipher_mode, + integrity, uuid, + sector_size, +- required_alignment / sector_size, ++ required_alignment, + alignment_offset, + cd->metadata_device ? 1 : 0); + if (r < 0) +-- +1.8.3.1 + diff --git a/SOURCES/cryptsetup-2.0.6-LUKS2-metadata-variation-fixes.patch b/SOURCES/cryptsetup-2.0.6-LUKS2-metadata-variation-fixes.patch new file mode 100644 index 0000000..d78bd28 --- /dev/null +++ b/SOURCES/cryptsetup-2.0.6-LUKS2-metadata-variation-fixes.patch @@ -0,0 +1,202 @@ +diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c +--- cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c 2019-04-03 18:55:44.392182454 +0200 ++++ cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c 2019-04-03 18:56:22.567106063 +0200 +@@ -429,6 +429,7 @@ int LUKS2_token_validate(json_object *hd + { + json_object *jarr, *jobj_keyslots; + ++ /* keyslots are not yet validated, but we need to know token doesn't reference missing keyslot */ + if (!json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots)) + return 1; + +@@ -505,12 +506,57 @@ static int hdr_validate_tokens(json_obje + return 0; + } + +-static int hdr_validate_segments(json_object *hdr_jobj) ++static int hdr_validate_crypt_segment(json_object *jobj, const char *key, json_object *jobj_digests, ++ uint64_t offset, uint64_t size) + { +- json_object *jobj, *jobj_digests, *jobj_offset, *jobj_ivoffset, +- *jobj_length, *jobj_sector_size, *jobj_type, *jobj_integrity; ++ json_object *jobj_ivoffset, *jobj_sector_size, *jobj_integrity; + uint32_t sector_size; +- uint64_t ivoffset, offset, length; ++ uint64_t ivoffset; ++ ++ if (!(jobj_ivoffset = json_contains(jobj, key, "Segment", "iv_tweak", json_type_string)) || ++ !json_contains(jobj, key, "Segment", "encryption", json_type_string) || ++ !(jobj_sector_size = json_contains(jobj, key, "Segment", "sector_size", json_type_int))) ++ return 1; ++ ++ /* integrity */ ++ if (json_object_object_get_ex(jobj, "integrity", &jobj_integrity)) { ++ if (!json_contains(jobj, key, "Segment", "integrity", json_type_object) || ++ !json_contains(jobj_integrity, key, "Segment integrity", "type", json_type_string) || ++ !json_contains(jobj_integrity, key, "Segment integrity", "journal_encryption", json_type_string) || ++ !json_contains(jobj_integrity, key, "Segment integrity", "journal_integrity", json_type_string)) ++ return 1; ++ } ++ ++ /* enforce uint32_t type */ ++ if (!validate_json_uint32(jobj_sector_size)) { ++ log_dbg("Illegal field \"sector_size\":%s.", ++ json_object_get_string(jobj_sector_size)); ++ return 1; ++ } ++ ++ sector_size = json_object_get_uint32(jobj_sector_size); ++ if (!sector_size || sector_size % SECTOR_SIZE) { ++ log_dbg("Illegal sector size: %" PRIu32, sector_size); ++ return 1; ++ } ++ ++ if (!numbered("iv_tweak", json_object_get_string(jobj_ivoffset)) || ++ !json_str_to_uint64(jobj_ivoffset, &ivoffset)) ++ return 1; ++ ++ if (size % sector_size) { ++ log_dbg("Size field has to be aligned to sector size: %" PRIu32, sector_size); ++ return 1; ++ } ++ ++ return !segment_has_digest(key, jobj_digests); ++} ++ ++static int hdr_validate_segments(json_object *hdr_jobj) ++{ ++ json_object *jobj, *jobj_digests, *jobj_offset, *jobj_size, *jobj_type, *jobj_flags; ++ int i; ++ uint64_t offset, size; + + if (!json_object_object_get_ex(hdr_jobj, "segments", &jobj)) { + log_dbg("Missing segments section."); +@@ -530,70 +576,46 @@ static int hdr_validate_segments(json_ob + if (!numbered("Segment", key)) + return 1; + +- if (!json_contains(val, key, "Segment", "type", json_type_string) || ++ /* those fields are mandatory for all segment types */ ++ if (!(jobj_type = json_contains(val, key, "Segment", "type", json_type_string)) || + !(jobj_offset = json_contains(val, key, "Segment", "offset", json_type_string)) || +- !(jobj_ivoffset = json_contains(val, key, "Segment", "iv_tweak", json_type_string)) || +- !(jobj_length = json_contains(val, key, "Segment", "size", json_type_string)) || +- !json_contains(val, key, "Segment", "encryption", json_type_string) || +- !(jobj_sector_size = json_contains(val, key, "Segment", "sector_size", json_type_int))) +- return 1; +- +- /* integrity */ +- if (json_object_object_get_ex(val, "integrity", &jobj_integrity)) { +- if (!json_contains(val, key, "Segment", "integrity", json_type_object) || +- !json_contains(jobj_integrity, key, "Segment integrity", "type", json_type_string) || +- !json_contains(jobj_integrity, key, "Segment integrity", "journal_encryption", json_type_string) || +- !json_contains(jobj_integrity, key, "Segment integrity", "journal_integrity", json_type_string)) +- return 1; +- } +- +- /* enforce uint32_t type */ +- if (!validate_json_uint32(jobj_sector_size)) { +- log_dbg("Illegal field \"sector_size\":%s.", +- json_object_get_string(jobj_sector_size)); +- return 1; +- } +- +- sector_size = json_object_get_uint32(jobj_sector_size); +- if (!sector_size || sector_size % 512) { +- log_dbg("Illegal sector size: %" PRIu32, sector_size); ++ !(jobj_size = json_contains(val, key, "Segment", "size", json_type_string))) + return 1; +- } + + if (!numbered("offset", json_object_get_string(jobj_offset)) || +- !numbered("iv_tweak", json_object_get_string(jobj_ivoffset))) ++ !json_str_to_uint64(jobj_offset, &offset)) + return 1; + +- /* rule out values > UINT64_MAX */ +- if (!json_str_to_uint64(jobj_offset, &offset) || +- !json_str_to_uint64(jobj_ivoffset, &ivoffset)) +- return 1; ++ /* size "dynamic" means whole device starting at 'offset' */ ++ if (strcmp(json_object_get_string(jobj_size), "dynamic")) { ++ if (!numbered("size", json_object_get_string(jobj_size)) || ++ !json_str_to_uint64(jobj_size, &size) || !size) ++ return 1; ++ } else ++ size = 0; + +- if (offset % sector_size) { +- log_dbg("Offset field has to be aligned to sector size: %" PRIu32, sector_size); ++ /* all device-mapper devices are aligned to 512 sector size */ ++ if (offset % SECTOR_SIZE) { ++ log_dbg("Offset field has to be aligned to sector size: %" PRIu32, SECTOR_SIZE); + return 1; + } +- +- if (ivoffset % sector_size) { +- log_dbg("IV offset field has to be aligned to sector size: %" PRIu32, sector_size); ++ if (size % SECTOR_SIZE) { ++ log_dbg("Size field has to be aligned to sector size: %" PRIu32, SECTOR_SIZE); + return 1; + } + +- /* length "dynamic" means whole device starting at 'offset' */ +- if (strcmp(json_object_get_string(jobj_length), "dynamic")) { +- if (!numbered("size", json_object_get_string(jobj_length)) || +- !json_str_to_uint64(jobj_length, &length)) ++ /* flags array is optional and must contain strings */ ++ if (json_object_object_get_ex(val, "flags", NULL)) { ++ if (!(jobj_flags = json_contains(val, key, "Segment", "flags", json_type_array))) + return 1; +- +- if (length % sector_size) { +- log_dbg("Length field has to be aligned to sector size: %" PRIu32, sector_size); +- return 1; +- } ++ for (i = 0; i < (int) json_object_array_length(jobj_flags); i++) ++ if (!json_object_is_type(json_object_array_get_idx(jobj_flags, i), json_type_string)) ++ return 1; + } + +- json_object_object_get_ex(val, "type", &jobj_type); ++ /* crypt */ + if (!strcmp(json_object_get_string(jobj_type), "crypt") && +- !segment_has_digest(key, jobj_digests)) ++ hdr_validate_crypt_segment(val, key, jobj_digests, offset, size)) + return 1; + } + +@@ -610,6 +632,7 @@ static int hdr_validate_areas(json_objec + if (!json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots)) + return 1; + ++ /* segments are already validated */ + if (!json_object_object_get_ex(hdr_jobj, "segments", &jobj_segments)) + return 1; + +@@ -674,11 +697,11 @@ static int hdr_validate_digests(json_obj + return 1; + } + +- /* keyslots should already be validated */ ++ /* keyslots are not yet validated, but we need to know digest doesn't reference missing keyslot */ + if (!json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots)) + return 1; + +- /* segments are not validated atm, but we need to know digest doesn't reference missing segment */ ++ /* segments are not yet validated, but we need to know digest doesn't reference missing segment */ + if (!json_object_object_get_ex(hdr_jobj, "segments", &jobj_segments)) + return 1; + +@@ -813,10 +836,10 @@ int LUKS2_hdr_validate(json_object *hdr_ + struct { + int (*validate)(json_object *); + } checks[] = { +- { hdr_validate_keyslots }, + { hdr_validate_tokens }, + { hdr_validate_digests }, + { hdr_validate_segments }, ++ { hdr_validate_keyslots }, + { hdr_validate_areas }, + { hdr_validate_config }, + { NULL } diff --git a/SOURCES/cryptsetup-2.0.6-check-json-size-matches-value-from-binary-LUKS2-head.patch b/SOURCES/cryptsetup-2.0.6-check-json-size-matches-value-from-binary-LUKS2-head.patch new file mode 100644 index 0000000..6862f4e --- /dev/null +++ b/SOURCES/cryptsetup-2.0.6-check-json-size-matches-value-from-binary-LUKS2-head.patch @@ -0,0 +1,139 @@ +diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_disk_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_disk_metadata.c +--- cryptsetup-2.0.3.old/lib/luks2/luks2_disk_metadata.c 2019-03-27 21:06:52.048172644 +0100 ++++ cryptsetup-2.0.3/lib/luks2/luks2_disk_metadata.c 2019-03-27 21:07:12.068978543 +0100 +@@ -204,6 +204,12 @@ static int hdr_disk_sanity_check_pre(str + return -EINVAL; + } + ++ if (secondary && (offset != be64_to_cpu(hdr->hdr_size))) { ++ log_dbg("LUKS2 offset 0x%04x in secondary header doesn't match size 0x%04x.", ++ (unsigned)offset, (unsigned)be64_to_cpu(hdr->hdr_size)); ++ return -EINVAL; ++ } ++ + /* FIXME: sanity check checksum alg. */ + + log_dbg("LUKS2 header version %u of size %u bytes, checksum %s.", +@@ -476,7 +482,7 @@ static int validate_json_area(const char + return 0; + } + +-static int validate_luks2_json_object(json_object *jobj_hdr) ++static int validate_luks2_json_object(json_object *jobj_hdr, uint64_t length) + { + int r; + +@@ -487,14 +493,14 @@ static int validate_luks2_json_object(js + return r; + } + +- r = LUKS2_hdr_validate(jobj_hdr); ++ r = LUKS2_hdr_validate(jobj_hdr, length); + if (r) { + log_dbg("Repairing JSON metadata."); + /* try to correct known glitches */ + LUKS2_hdr_repair(jobj_hdr); + + /* run validation again */ +- r = LUKS2_hdr_validate(jobj_hdr); ++ r = LUKS2_hdr_validate(jobj_hdr, length); + } + + if (r) +@@ -516,7 +522,7 @@ static json_object *parse_and_validate_j + + r = validate_json_area(json_area, offset, length); + if (!r) +- r = validate_luks2_json_object(jobj); ++ r = validate_luks2_json_object(jobj, length); + + if (r) { + json_object_put(jobj); +diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_internal.h cryptsetup-2.0.3/lib/luks2/luks2_internal.h +--- cryptsetup-2.0.3.old/lib/luks2/luks2_internal.h 2019-03-27 21:06:52.048172644 +0100 ++++ cryptsetup-2.0.3/lib/luks2/luks2_internal.h 2019-03-27 21:07:12.070978524 +0100 +@@ -73,7 +73,7 @@ void JSON_DBG(json_object *jobj, const c + json_object *json_contains(json_object *jobj, const char *name, const char *section, + const char *key, json_type type); + +-int LUKS2_hdr_validate(json_object *hdr_jobj); ++int LUKS2_hdr_validate(json_object *hdr_jobj, uint64_t length); + int LUKS2_keyslot_validate(json_object *hdr_jobj, json_object *hdr_keyslot, const char *key); + int LUKS2_check_json_size(const struct luks2_hdr *hdr); + int LUKS2_token_validate(json_object *hdr_jobj, json_object *jobj_token, const char *key); +diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c +--- cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c 2019-03-27 21:06:52.049172634 +0100 ++++ cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c 2019-03-27 21:07:44.937659885 +0100 +@@ -446,7 +446,7 @@ int LUKS2_token_validate(json_object *hd + return 0; + } + +-static int hdr_validate_json_size(json_object *hdr_jobj) ++static int hdr_validate_json_size(json_object *hdr_jobj, uint64_t hdr_json_size) + { + json_object *jobj, *jobj1; + const char *json; +@@ -460,12 +460,22 @@ static int hdr_validate_json_size(json_o + json_area_size = json_object_get_uint64(jobj1); + json_size = (uint64_t)strlen(json); + +- return json_size > json_area_size ? 1 : 0; ++ if (hdr_json_size != json_area_size) { ++ log_dbg("JSON area size doesn't match value in binary header."); ++ return 1; ++ } ++ ++ if (json_size > json_area_size) { ++ log_dbg("JSON doesn't fit in the designated area."); ++ return 1; ++ } ++ ++ return 0; + } + + int LUKS2_check_json_size(const struct luks2_hdr *hdr) + { +- return hdr_validate_json_size(hdr->jobj); ++ return hdr_validate_json_size(hdr->jobj, hdr->hdr_size - LUKS2_HDR_BIN_LEN); + } + + static int hdr_validate_keyslots(json_object *hdr_jobj) +@@ -830,7 +840,7 @@ static int hdr_validate_config(json_obje + return 0; + } + +-int LUKS2_hdr_validate(json_object *hdr_jobj) ++int LUKS2_hdr_validate(json_object *hdr_jobj, uint64_t json_size) + { + struct { + int (*validate)(json_object *); +@@ -852,10 +862,8 @@ int LUKS2_hdr_validate(json_object *hdr_ + if (checks[i].validate && checks[i].validate(hdr_jobj)) + return 1; + +- if (hdr_validate_json_size(hdr_jobj)) { +- log_dbg("Json header is too large."); ++ if (hdr_validate_json_size(hdr_jobj, json_size)) + return 1; +- } + + /* validate keyslot implementations */ + if (LUKS2_keyslots_validate(hdr_jobj)) +@@ -903,7 +911,7 @@ int LUKS2_hdr_write(struct crypt_device + /* erase unused digests (no assigned keyslot or segment) */ + LUKS2_digests_erase_unused(cd, hdr); + +- if (LUKS2_hdr_validate(hdr->jobj)) ++ if (LUKS2_hdr_validate(hdr->jobj, hdr->hdr_size - LUKS2_HDR_BIN_LEN)) + return -EINVAL; + + return LUKS2_disk_hdr_write(cd, hdr, crypt_metadata_device(cd)); +@@ -1650,7 +1658,7 @@ const char *LUKS2_get_cipher(struct luks + return NULL; + + if (!json_object_object_get_ex(jobj2, "encryption", &jobj3)) +- return NULL; ++ return "null"; + + return json_object_get_string(jobj3); + } diff --git a/SOURCES/cryptsetup-2.0.6-do-not-validate-keyslot-areas-so-frantically.patch b/SOURCES/cryptsetup-2.0.6-do-not-validate-keyslot-areas-so-frantically.patch new file mode 100644 index 0000000..3730909 --- /dev/null +++ b/SOURCES/cryptsetup-2.0.6-do-not-validate-keyslot-areas-so-frantically.patch @@ -0,0 +1,21 @@ +diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c +--- cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c 2019-03-27 15:10:10.869610792 +0100 ++++ cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c 2019-03-27 15:32:38.202382332 +0100 +@@ -402,7 +402,6 @@ static json_bool validate_intervals(int + return TRUE; + } + +-static int hdr_validate_areas(json_object *hdr_jobj); + int LUKS2_keyslot_validate(json_object *hdr_jobj, json_object *hdr_keyslot, const char *key) + { + json_object *jobj_key_size; +@@ -419,9 +418,6 @@ int LUKS2_keyslot_validate(json_object * + return 1; + } + +- if (hdr_validate_areas(hdr_jobj)) +- return 1; +- + return 0; + } + diff --git a/SOURCES/cryptsetup-2.0.6-enable-all-supported-metadata-sizes-in-LUKS2-validat.patch b/SOURCES/cryptsetup-2.0.6-enable-all-supported-metadata-sizes-in-LUKS2-validat.patch new file mode 100644 index 0000000..5a5b065 --- /dev/null +++ b/SOURCES/cryptsetup-2.0.6-enable-all-supported-metadata-sizes-in-LUKS2-validat.patch @@ -0,0 +1,142 @@ +diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_disk_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_disk_metadata.c +--- cryptsetup-2.0.3.old/lib/luks2/luks2_disk_metadata.c 2019-03-27 15:48:28.316632526 +0100 ++++ cryptsetup-2.0.3/lib/luks2/luks2_disk_metadata.c 2019-03-27 15:48:48.093594565 +0100 +@@ -387,11 +387,6 @@ int LUKS2_disk_hdr_write(struct crypt_de + return -EINVAL; + } + +- if (hdr->hdr_size != LUKS2_HDR_16K_LEN) { +- log_dbg("Unsupported LUKS2 header size (%zu).", hdr->hdr_size); +- return -EINVAL; +- } +- + r = LUKS2_check_device_size(cd, crypt_metadata_device(cd), LUKS2_hdr_and_areas_size(hdr->jobj), 1); + if (r) + return r; +diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2.h cryptsetup-2.0.3/lib/luks2/luks2.h +--- cryptsetup-2.0.3.old/lib/luks2/luks2.h 2019-03-27 15:48:28.316632526 +0100 ++++ cryptsetup-2.0.3/lib/luks2/luks2.h 2019-03-27 15:49:37.033500625 +0100 +@@ -326,6 +326,9 @@ int LUKS2_generate_hdr( + unsigned int alignOffset, + int detached_metadata_device); + ++int LUKS2_check_metadata_area_size(uint64_t metadata_size); ++int LUKS2_check_keyslots_area_size(uint64_t keyslots_size); ++ + uint64_t LUKS2_get_data_offset(struct luks2_hdr *hdr); + int LUKS2_get_sector_size(struct luks2_hdr *hdr); + const char *LUKS2_get_cipher(struct luks2_hdr *hdr, int segment); +diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_json_format.c cryptsetup-2.0.3/lib/luks2/luks2_json_format.c +--- cryptsetup-2.0.3.old/lib/luks2/luks2_json_format.c 2019-03-27 15:48:28.317632524 +0100 ++++ cryptsetup-2.0.3/lib/luks2/luks2_json_format.c 2019-03-27 15:48:48.094594563 +0100 +@@ -114,6 +114,22 @@ int LUKS2_find_area_gap(struct crypt_dev + return 0; + } + ++int LUKS2_check_metadata_area_size(uint64_t metadata_size) ++{ ++ /* see LUKS2_HDR2_OFFSETS */ ++ return (metadata_size != 0x004000 && ++ metadata_size != 0x008000 && metadata_size != 0x010000 && ++ metadata_size != 0x020000 && metadata_size != 0x040000 && ++ metadata_size != 0x080000 && metadata_size != 0x100000 && ++ metadata_size != 0x200000 && metadata_size != 0x400000); ++} ++ ++int LUKS2_check_keyslots_area_size(uint64_t keyslots_size) ++{ ++ return (!keyslots_size || (keyslots_size % 4096) || ++ keyslots_size > LUKS2_MAX_KEYSLOTS_SIZE); ++} ++ + int LUKS2_generate_hdr( + struct crypt_device *cd, + struct luks2_hdr *hdr, +diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c +--- cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c 2019-03-27 15:48:28.317632524 +0100 ++++ cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c 2019-03-27 15:57:44.322526763 +0100 +@@ -701,30 +701,18 @@ static int hdr_validate_digests(json_obj + } + + /* requires keyslots and segments sections being already validated */ +-static int validate_keyslots_size(json_object *hdr_jobj, json_object *jobj_keyslots_size) ++static int validate_keyslots_size(json_object *hdr_jobj, uint64_t metadata_size, uint64_t keyslots_size) + { + json_object *jobj_keyslots, *jobj, *jobj1; +- uint64_t keyslots_size, segment_offset, keyslots_area_sum = 0; +- +- if (!json_str_to_uint64(jobj_keyslots_size, &keyslots_size)) +- return 1; +- +- if (keyslots_size % 4096) { +- log_dbg("keyslots_size is not 4 KiB aligned"); +- return 1; +- } +- +- if (keyslots_size > LUKS2_MAX_KEYSLOTS_SIZE) { +- log_dbg("keyslots_size is too large. The cap is %" PRIu64 " bytes", (uint64_t) LUKS2_MAX_KEYSLOTS_SIZE); +- return 1; +- } ++ uint64_t segment_offset, keyslots_area_sum = 0; + + json_object_object_get_ex(hdr_jobj, "segments", &jobj); + segment_offset = get_first_data_offset(jobj, "crypt"); + if (segment_offset && + (segment_offset < keyslots_size || +- (segment_offset - keyslots_size) < (2 * LUKS2_HDR_16K_LEN))) { +- log_dbg("keyslots_size is too large %" PRIu64 " (bytes). Data offset: %" PRIu64 ", keyslots offset: %d", keyslots_size, segment_offset, 2 * LUKS2_HDR_16K_LEN); ++ (segment_offset - keyslots_size) < (2 * metadata_size))) { ++ log_dbg("keyslots_size is too large %" PRIu64 " (bytes). Data offset: %" PRIu64 ++ ", keyslots offset: %" PRIu64, keyslots_size, segment_offset, 2 * metadata_size); + return 1; + } + +@@ -738,7 +726,8 @@ static int validate_keyslots_size(json_o + } + + if (keyslots_area_sum > keyslots_size) { +- log_dbg("Sum of all keyslot area sizes (%" PRIu64 ") is greater than value in config section %" PRIu64, keyslots_area_sum, keyslots_size); ++ log_dbg("Sum of all keyslot area sizes (%" PRIu64 ") is greater than value in config section %" ++ PRIu64, keyslots_area_sum, keyslots_size); + return 1; + } + +@@ -749,7 +738,7 @@ static int hdr_validate_config(json_obje + { + json_object *jobj_config, *jobj, *jobj1; + int i; +- uint64_t json_size; ++ uint64_t json_size, keyslots_size; + + if (!json_object_object_get_ex(hdr_jobj, "config", &jobj_config)) { + log_dbg("Missing config section."); +@@ -760,21 +749,21 @@ static int hdr_validate_config(json_obje + !json_str_to_uint64(jobj, &json_size)) + return 1; + +- /* currently it's hardcoded */ +- if (json_size != (LUKS2_HDR_16K_LEN - LUKS2_HDR_BIN_LEN)) { +- log_dbg("Invalid json_size %" PRIu64, json_size); ++ if (!(jobj = json_contains(jobj_config, "section", "Config", "keyslots_size", json_type_string)) || ++ !json_str_to_uint64(jobj, &keyslots_size)) + return 1; +- } + +- if (json_size % 4096) { +- log_dbg("Json area is not properly aligned to 4 KiB."); ++ if (LUKS2_check_metadata_area_size(json_size + LUKS2_HDR_BIN_LEN)) { ++ log_dbg("Unsupported LUKS2 header size (%" PRIu64 ").", json_size + LUKS2_HDR_BIN_LEN); + return 1; + } + +- if (!(jobj = json_contains(jobj_config, "section", "Config", "keyslots_size", json_type_string))) ++ if (LUKS2_check_keyslots_area_size(keyslots_size)) { ++ log_dbg("Unsupported LUKS2 keyslots size (%" PRIu64 ").", keyslots_size); + return 1; ++ } + +- if (validate_keyslots_size(hdr_jobj, jobj)) ++ if (validate_keyslots_size(hdr_jobj, json_size + LUKS2_HDR_BIN_LEN, keyslots_size)) + return 1; + + /* Flags array is optional */ diff --git a/SOURCES/cryptsetup-2.0.6-fix-keyslot-areas-validation.patch b/SOURCES/cryptsetup-2.0.6-fix-keyslot-areas-validation.patch new file mode 100644 index 0000000..03f6519 --- /dev/null +++ b/SOURCES/cryptsetup-2.0.6-fix-keyslot-areas-validation.patch @@ -0,0 +1,94 @@ +diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c +--- cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c 2019-03-27 16:14:49.790420791 +0100 ++++ cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c 2019-03-27 16:23:50.499187212 +0100 +@@ -363,12 +363,13 @@ static json_bool segment_has_digest(cons + return FALSE; + } + +-static json_bool validate_intervals(int length, const struct interval *ix, uint64_t *data_offset) ++static json_bool validate_intervals(int length, const struct interval *ix, ++ uint64_t metadata_size, uint64_t keyslots_area_end) + { + int j, i = 0; + + while (i < length) { +- if (ix[i].offset < 2 * LUKS2_HDR_16K_LEN) { ++ if (ix[i].offset < 2 * metadata_size) { + log_dbg("Illegal area offset: %" PRIu64 ".", ix[i].offset); + return FALSE; + } +@@ -378,10 +379,9 @@ static json_bool validate_intervals(int + return FALSE; + } + +- /* first segment at offset 0 means we have detached header. Do not check then. */ +- if (*data_offset && (ix[i].offset + ix[i].length) > *data_offset) { +- log_dbg("Area [%" PRIu64 ", %" PRIu64 "] intersects with segment starting at offset: %" PRIu64, +- ix[i].offset, ix[i].offset + ix[i].length, *data_offset); ++ if ((ix[i].offset + ix[i].length) > keyslots_area_end) { ++ log_dbg("Area [%" PRIu64 ", %" PRIu64 "] overflows binary keyslots area (ends at offset: %" PRIu64 ").", ++ ix[i].offset, ix[i].offset + ix[i].length, keyslots_area_end); + return FALSE; + } + +@@ -596,12 +596,24 @@ static int hdr_validate_segments(json_ob + return 0; + } + ++static uint64_t LUKS2_metadata_size(json_object *jobj) ++{ ++ json_object *jobj1, *jobj2; ++ uint64_t json_size; ++ ++ json_object_object_get_ex(jobj, "config", &jobj1); ++ json_object_object_get_ex(jobj1, "json_size", &jobj2); ++ json_str_to_uint64(jobj2, &json_size); ++ ++ return json_size + LUKS2_HDR_BIN_LEN; ++} ++ + static int hdr_validate_areas(json_object *hdr_jobj) + { + struct interval *intervals; + json_object *jobj_keyslots, *jobj_offset, *jobj_length, *jobj_segments, *jobj_area; + int length, ret, i = 0; +- uint64_t first_offset, keyslots_size, keyslots_area_sum = 0; ++ uint64_t keyslots_size, metadata_size, keyslots_area_sum = 0; + + if (!json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots)) + return 1; +@@ -611,6 +623,7 @@ static int hdr_validate_areas(json_objec + + /* config is already validated */ + keyslots_size = LUKS2_keyslots_size(hdr_jobj); ++ metadata_size = LUKS2_metadata_size(hdr_jobj); + + length = json_object_object_length(jobj_keyslots); + +@@ -663,9 +676,7 @@ static int hdr_validate_areas(json_objec + return 1; + } + +- first_offset = get_first_data_offset(jobj_segments, NULL); +- +- ret = validate_intervals(length, intervals, &first_offset) ? 0 : 1; ++ ret = validate_intervals(length, intervals, metadata_size, LUKS2_hdr_and_areas_size(hdr_jobj)) ? 0 : 1; + + free(intervals); + +@@ -918,14 +929,7 @@ uint64_t LUKS2_keyslots_size(json_object + + uint64_t LUKS2_hdr_and_areas_size(json_object *jobj) + { +- json_object *jobj1, *jobj2; +- uint64_t json_size; +- +- json_object_object_get_ex(jobj, "config", &jobj1); +- json_object_object_get_ex(jobj1, "json_size", &jobj2); +- json_str_to_uint64(jobj2, &json_size); +- +- return 2 * (json_size + LUKS2_HDR_BIN_LEN) + LUKS2_keyslots_size(jobj); ++ return 2 * LUKS2_metadata_size(jobj) + LUKS2_keyslots_size(jobj); + } + + int LUKS2_hdr_backup(struct crypt_device *cd, struct luks2_hdr *hdr, diff --git a/SOURCES/cryptsetup-2.0.6-reshuffle-config-and-keyslots-areas-validation-code.patch b/SOURCES/cryptsetup-2.0.6-reshuffle-config-and-keyslots-areas-validation-code.patch new file mode 100644 index 0000000..775b59a --- /dev/null +++ b/SOURCES/cryptsetup-2.0.6-reshuffle-config-and-keyslots-areas-validation-code.patch @@ -0,0 +1,147 @@ +diff -rupN cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c +--- cryptsetup-2.0.3.old/lib/luks2/luks2_json_metadata.c 2019-03-28 11:32:18.850058719 +0100 ++++ cryptsetup-2.0.3/lib/luks2/luks2_json_metadata.c 2019-03-28 11:33:07.610800041 +0100 +@@ -643,7 +643,7 @@ static int hdr_validate_areas(json_objec + struct interval *intervals; + json_object *jobj_keyslots, *jobj_offset, *jobj_length, *jobj_segments, *jobj_area; + int length, ret, i = 0; +- uint64_t first_offset; ++ uint64_t first_offset, keyslots_size, keyslots_area_sum = 0; + + if (!json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots)) + return 1; +@@ -652,6 +652,9 @@ static int hdr_validate_areas(json_objec + if (!json_object_object_get_ex(hdr_jobj, "segments", &jobj_segments)) + return 1; + ++ /* config is already validated */ ++ keyslots_size = LUKS2_keyslots_size(hdr_jobj); ++ + length = json_object_object_length(jobj_keyslots); + + /* Empty section */ +@@ -687,6 +690,8 @@ static int hdr_validate_areas(json_objec + return 1; + } + ++ keyslots_area_sum += intervals[i].length; ++ + i++; + } + +@@ -694,6 +699,13 @@ static int hdr_validate_areas(json_objec + free(intervals); + return 1; + } ++ ++ if (keyslots_area_sum > keyslots_size) { ++ log_dbg("Sum of all keyslot area sizes (%" PRIu64 ") is greater than value in config section %" ++ PRIu64, keyslots_area_sum, keyslots_size); ++ free(intervals); ++ return 1; ++ } + + first_offset = get_first_data_offset(jobj_segments, NULL); + +@@ -739,45 +751,11 @@ static int hdr_validate_digests(json_obj + return 0; + } + +-/* requires keyslots and segments sections being already validated */ +-static int validate_keyslots_size(json_object *hdr_jobj, uint64_t metadata_size, uint64_t keyslots_size) +-{ +- json_object *jobj_keyslots, *jobj, *jobj1; +- uint64_t segment_offset, keyslots_area_sum = 0; +- +- json_object_object_get_ex(hdr_jobj, "segments", &jobj); +- segment_offset = get_first_data_offset(jobj, "crypt"); +- if (segment_offset && +- (segment_offset < keyslots_size || +- (segment_offset - keyslots_size) < (2 * metadata_size))) { +- log_dbg("keyslots_size is too large %" PRIu64 " (bytes). Data offset: %" PRIu64 +- ", keyslots offset: %" PRIu64, keyslots_size, segment_offset, 2 * metadata_size); +- return 1; +- } +- +- json_object_object_get_ex(hdr_jobj, "keyslots", &jobj_keyslots); +- +- json_object_object_foreach(jobj_keyslots, key, val) { +- UNUSED(key); +- json_object_object_get_ex(val, "area", &jobj); +- json_object_object_get_ex(jobj, "size", &jobj1); +- keyslots_area_sum += json_object_get_uint64(jobj1); +- } +- +- if (keyslots_area_sum > keyslots_size) { +- log_dbg("Sum of all keyslot area sizes (%" PRIu64 ") is greater than value in config section %" +- PRIu64, keyslots_area_sum, keyslots_size); +- return 1; +- } +- +- return 0; +-} +- + static int hdr_validate_config(json_object *hdr_jobj) + { + json_object *jobj_config, *jobj, *jobj1; + int i; +- uint64_t json_size, keyslots_size; ++ uint64_t keyslots_size, metadata_size, segment_offset; + + if (!json_object_object_get_ex(hdr_jobj, "config", &jobj_config)) { + log_dbg("Missing config section."); +@@ -785,15 +763,19 @@ static int hdr_validate_config(json_obje + } + + if (!(jobj = json_contains(jobj_config, "section", "Config", "json_size", json_type_string)) || +- !json_str_to_uint64(jobj, &json_size)) ++ !json_str_to_uint64(jobj, &metadata_size)) + return 1; + ++ /* single metadata instance is assembled from json area size plus ++ * binary header size */ ++ metadata_size += LUKS2_HDR_BIN_LEN; ++ + if (!(jobj = json_contains(jobj_config, "section", "Config", "keyslots_size", json_type_string)) || + !json_str_to_uint64(jobj, &keyslots_size)) + return 1; + +- if (LUKS2_check_metadata_area_size(json_size + LUKS2_HDR_BIN_LEN)) { +- log_dbg("Unsupported LUKS2 header size (%" PRIu64 ").", json_size + LUKS2_HDR_BIN_LEN); ++ if (LUKS2_check_metadata_area_size(metadata_size)) { ++ log_dbg("Unsupported LUKS2 header size (%" PRIu64 ").", metadata_size); + return 1; + } + +@@ -802,8 +784,19 @@ static int hdr_validate_config(json_obje + return 1; + } + +- if (validate_keyslots_size(hdr_jobj, json_size + LUKS2_HDR_BIN_LEN, keyslots_size)) +- return 1; ++ /* ++ * validate keyslots_size fits in between (2 * metadata_size) and first ++ * segment_offset (except detached header) ++ */ ++ json_object_object_get_ex(hdr_jobj, "segments", &jobj); ++ segment_offset = get_first_data_offset(jobj, "crypt"); ++ if (segment_offset && ++ (segment_offset < keyslots_size || ++ (segment_offset - keyslots_size) < (2 * metadata_size))) { ++ log_dbg("keyslots_size is too large %" PRIu64 " (bytes). Data offset: %" PRIu64 ++ ", keyslots offset: %" PRIu64, keyslots_size, segment_offset, 2 * metadata_size); ++ return 1; ++ } + + /* Flags array is optional */ + if (json_object_object_get_ex(jobj_config, "flags", &jobj)) { +@@ -845,8 +838,8 @@ int LUKS2_hdr_validate(json_object *hdr_ + { hdr_validate_digests }, + { hdr_validate_segments }, + { hdr_validate_keyslots }, +- { hdr_validate_areas }, + { hdr_validate_config }, ++ { hdr_validate_areas }, + { NULL } + }; + int i; diff --git a/SOURCES/cryptsetup-2.0.6-test-cryptsetup-can-handle-all-LUKS2-metadata-varian.patch b/SOURCES/cryptsetup-2.0.6-test-cryptsetup-can-handle-all-LUKS2-metadata-varian.patch new file mode 100644 index 0000000..d612bb5 --- /dev/null +++ b/SOURCES/cryptsetup-2.0.6-test-cryptsetup-can-handle-all-LUKS2-metadata-varian.patch @@ -0,0 +1,39 @@ +diff -rupN cryptsetup-2.0.3.old/tests/compat-test2 cryptsetup-2.0.3/tests/compat-test2 +--- cryptsetup-2.0.3.old/tests/compat-test2 2019-03-27 17:03:58.788037100 +0100 ++++ cryptsetup-2.0.3/tests/compat-test2 2019-03-27 17:14:19.432280547 +0100 +@@ -22,6 +22,7 @@ PWD0="compatkey" + PWD1="93R4P4pIqAH8" + PWD2="mymJeD8ivEhE" + PWD3="ocMakf3fAcQO" ++PWD4="Qx3qn46vq0v" + PWDW="rUkL4RUryBom" + TEST_KEYRING_NAME="compattest2_keyring" + TEST_TOKEN0="compattest2_desc0" +@@ -46,7 +47,7 @@ function remove_mapping() + [ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove $DEV_NAME2 + [ -b /dev/mapper/$DEV_NAME ] && dmsetup remove $DEV_NAME + losetup -d $LOOPDEV >/dev/null 2>&1 +- rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE >/dev/null 2>&1 ++ rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $HEADER_KEYU $VK_FILE copy_test_image* >/dev/null 2>&1 + + # unlink whole test keyring + [ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null +@@ -817,5 +818,18 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q + $CRYPTSETUP luksKillSlot -q $LOOPDEV 3 + $CRYPTSETUP luksDump $LOOPDEV | grep -q "3: luks2 (unbound)" && fail + ++prepare "[39] LUKS2 metadata variants" wipe ++for mda in 16 32 64 128 256 512 1024 2048 4096 ; do ++ cp test_image_$mda copy_test_image_$mda || fail ++ echo -n "[$mda KiB]" ++ echo $PWD4 | $CRYPTSETUP open copy_test_image_$mda $DEV_NAME || fail ++ $CRYPTSETUP close $DEV_NAME || fail ++ echo -e "$PWD4\n$PWD3" | $CRYPTSETUP luksAddKey -S9 $FAST_PBKDF_OPT copy_test_image_$mda || fail ++ echo $PWD4 | $CRYPTSETUP open --test-passphrase copy_test_image_$mda || fail ++ echo $PWD3 | $CRYPTSETUP open -S9 --test-passphrase copy_test_image_$mda || fail ++ echo -n "[OK]" ++done ++echo ++ + remove_mapping + exit 0 diff --git a/SOURCES/cryptsetup-2.1.0-sync-LUKS2-validation-tests.patch b/SOURCES/cryptsetup-2.1.0-sync-LUKS2-validation-tests.patch new file mode 100644 index 0000000..746d7a7 --- /dev/null +++ b/SOURCES/cryptsetup-2.1.0-sync-LUKS2-validation-tests.patch @@ -0,0 +1,3818 @@ +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-invalid-json-size-c2.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-invalid-json-size-c2.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-invalid-json-size-c2.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-invalid-json-size-c2.img.sh 2019-03-27 20:59:49.443269763 +0100 +@@ -0,0 +1,85 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary header with config json size mismatching ++# value in binary header ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ JS=$(((LUKS2_HDR_SIZE-LUKS2_BIN_HDR_SIZE)*512)) ++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_32K ++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512)) ++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE)) ++ ++ json_str=$(jq -c '.' $TMPDIR/json0) ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE ++ ++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES ++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE ++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE ++ ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ ++ erase_checksum $TMPDIR/area1 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1) ++ write_checksum $chks0 $TMPDIR/area1 ++ ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE ++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 ++ local str_res1=$(head -c 4 $TMPDIR/hdr_res0) ++ test "$str_res1" = "LUKS" || exit 2 ++ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE ++ local str_res1=$(head -c 4 $TMPDIR/hdr_res1) ++ test "$str_res1" = "SKUL" || exit 2 ++ ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 ++ jq -c --arg js $JS 'if .config.json_size != ( $js | tostring ) ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-1m.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-1m.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-1m.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-1m.img.sh 2019-03-27 20:59:49.444269753 +0100 +@@ -0,0 +1,94 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary with predefined json_size. There's only limited ++# set of values allowed as json size in config section of LUKS2 ++# metadata ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # 1 MiB metadata ++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_1M ++ ++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512)) ++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE)) ++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024)) ++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024)) ++ JSON_SIZE=$((TEST_JSN_SIZE*512)) ++ DATA_OFFSET=16777216 ++ ++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \ ++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) | ++ .config.json_size = $jsize | ++ .segments."0".offset = $off' $TMPDIR/json0) ++ test -n "$json_str" || exit 2 ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE ++ ++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES ++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE ++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE ++ ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ ++ erase_checksum $TMPDIR/area1 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1) ++ write_checksum $chks0 $TMPDIR/area1 ++ ++ kill_bin_hdr $TMPDIR/area1 ++ ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE ++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE ++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ ++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or ++ (.config.json_size != $jsize) ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-1m-secondary.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-1m-secondary.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-1m-secondary.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-1m-secondary.img.sh 2019-03-27 20:59:49.444269753 +0100 +@@ -0,0 +1,97 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate secondary header with one of allowed json area ++# size values. Test whether auto-recovery code is able ++# to validate secondary header with non-default json area ++# size. ++# ++# primary header is corrupted on purpose. ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # 1 MiB metadata ++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_1M ++ ++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512)) ++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE)) ++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024)) ++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024)) ++ JSON_SIZE=$((TEST_JSN_SIZE*512)) ++ DATA_OFFSET=16777216 ++ ++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \ ++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) | ++ .config.json_size = $jsize | ++ .segments."0".offset = $off' $TMPDIR/json0) ++ test -n "$json_str" || exit 2 ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE ++ ++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES ++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE ++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE ++ ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ ++ erase_checksum $TMPDIR/area1 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1) ++ write_checksum $chks0 $TMPDIR/area1 ++ ++ kill_bin_hdr $TMPDIR/area0 ++ ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE ++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE ++ local str_res0=$(head -c 6 $TMPDIR/hdr_res0) ++ test "$str_res0" = "VACUUM" || exit 2 ++ read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE ++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ ++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or ++ (.config.json_size != $jsize) ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-128k.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-128k.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-128k.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-128k.img.sh 2019-03-27 20:59:49.445269743 +0100 +@@ -0,0 +1,94 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary with predefined json_size. There's only limited ++# set of values allowed as json size in config section of LUKS2 ++# metadata ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # 128KiB metadata ++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_128K ++ ++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512)) ++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE)) ++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024)) ++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024)) ++ JSON_SIZE=$((TEST_JSN_SIZE*512)) ++ DATA_OFFSET=16777216 ++ ++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \ ++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) | ++ .config.json_size = $jsize | ++ .segments."0".offset = $off' $TMPDIR/json0) ++ test -n "$json_str" || exit 2 ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE ++ ++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES ++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE ++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE ++ ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ ++ erase_checksum $TMPDIR/area1 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1) ++ write_checksum $chks0 $TMPDIR/area1 ++ ++ kill_bin_hdr $TMPDIR/area1 ++ ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE ++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE ++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ ++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or ++ (.config.json_size != $jsize) ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-128k-secondary.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-128k-secondary.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-128k-secondary.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-128k-secondary.img.sh 2019-03-27 20:59:49.445269743 +0100 +@@ -0,0 +1,97 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate secondary header with one of allowed json area ++# size values. Test whether auto-recovery code is able ++# to validate secondary header with non-default json area ++# size. ++# ++# primary header is corrupted on purpose. ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # 128 KiB metadata ++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_128K ++ ++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512)) ++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE)) ++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024)) ++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024)) ++ JSON_SIZE=$((TEST_JSN_SIZE*512)) ++ DATA_OFFSET=16777216 ++ ++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \ ++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) | ++ .config.json_size = $jsize | ++ .segments."0".offset = $off' $TMPDIR/json0) ++ test -n "$json_str" || exit 2 ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE ++ ++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES ++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE ++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE ++ ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ ++ erase_checksum $TMPDIR/area1 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1) ++ write_checksum $chks0 $TMPDIR/area1 ++ ++ kill_bin_hdr $TMPDIR/area0 ++ ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE ++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE ++ local str_res0=$(head -c 6 $TMPDIR/hdr_res0) ++ test "$str_res0" = "VACUUM" || exit 2 ++ read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE ++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ ++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or ++ (.config.json_size != $jsize) ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-16k-secondary.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-16k-secondary.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-16k-secondary.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-16k-secondary.img.sh 2019-03-27 20:59:49.446269734 +0100 +@@ -0,0 +1,97 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate secondary header with one of allowed json area ++# size values. Test whether auto-recovery code is able ++# to validate secondary header with non-default json area ++# size. ++# ++# primary header is corrupted on purpose. ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # 16 KiB metadata ++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE ++ ++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512)) ++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE)) ++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024)) ++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024)) ++ JSON_SIZE=$((TEST_JSN_SIZE*512)) ++ DATA_OFFSET=16777216 ++ ++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \ ++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) | ++ .config.json_size = $jsize | ++ .segments."0".offset = $off' $TMPDIR/json0) ++ test -n "$json_str" || exit 2 ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE ++ ++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES ++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE ++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE ++ ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ ++ erase_checksum $TMPDIR/area1 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1) ++ write_checksum $chks0 $TMPDIR/area1 ++ ++ kill_bin_hdr $TMPDIR/area0 ++ ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE ++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE ++ local str_res0=$(head -c 6 $TMPDIR/hdr_res0) ++ test "$str_res0" = "VACUUM" || exit 2 ++ read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE ++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ ++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or ++ (.config.json_size != $jsize) ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-2m.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-2m.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-2m.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-2m.img.sh 2019-03-27 20:59:49.446269734 +0100 +@@ -0,0 +1,94 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary with predefined json_size. There's only limited ++# set of values allowed as json size in config section of LUKS2 ++# metadata ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # 2 MiB metadata ++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_2M ++ ++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512)) ++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE)) ++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024)) ++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024)) ++ JSON_SIZE=$((TEST_JSN_SIZE*512)) ++ DATA_OFFSET=16777216 ++ ++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \ ++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) | ++ .config.json_size = $jsize | ++ .segments."0".offset = $off' $TMPDIR/json0) ++ test -n "$json_str" || exit 2 ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE ++ ++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES ++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE ++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE ++ ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ ++ erase_checksum $TMPDIR/area1 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1) ++ write_checksum $chks0 $TMPDIR/area1 ++ ++ kill_bin_hdr $TMPDIR/area1 ++ ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE ++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE ++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ ++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or ++ (.config.json_size != $jsize) ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-2m-secondary.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-2m-secondary.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-2m-secondary.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-2m-secondary.img.sh 2019-03-27 20:59:49.447269724 +0100 +@@ -0,0 +1,96 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary with predefined json_size. There's only limited ++# set of values allowed as json size in config section of LUKS2 ++# metadata ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # 2 MiB metadata ++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_2M ++ ++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512)) ++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE)) ++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024)) ++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024)) ++ JSON_SIZE=$((TEST_JSN_SIZE*512)) ++ DATA_OFFSET=16777216 ++ ++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \ ++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) | ++ .config.json_size = $jsize | ++ .segments."0".offset = $off' $TMPDIR/json0) ++ test -n "$json_str" || exit 2 ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE ++ ++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES ++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE ++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE ++ ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ ++ erase_checksum $TMPDIR/area1 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1) ++ write_checksum $chks0 $TMPDIR/area1 ++ ++ kill_bin_hdr $TMPDIR/area0 ++ ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE ++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE ++ local str_res0=$(head -c 6 $TMPDIR/hdr_res0) ++ test "$str_res0" = "VACUUM" || exit 2 ++ read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE ++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ ++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or ++ (.config.json_size != $jsize) ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-256k.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-256k.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-256k.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-256k.img.sh 2019-03-27 20:59:49.447269724 +0100 +@@ -0,0 +1,94 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary with predefined json_size. There's only limited ++# set of values allowed as json size in config section of LUKS2 ++# metadata ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # 256KiB metadata ++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_256K ++ ++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512)) ++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE)) ++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024)) ++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024)) ++ JSON_SIZE=$((TEST_JSN_SIZE*512)) ++ DATA_OFFSET=16777216 ++ ++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \ ++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) | ++ .config.json_size = $jsize | ++ .segments."0".offset = $off' $TMPDIR/json0) ++ test -n "$json_str" || exit 2 ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE ++ ++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES ++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE ++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE ++ ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ ++ erase_checksum $TMPDIR/area1 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1) ++ write_checksum $chks0 $TMPDIR/area1 ++ ++ kill_bin_hdr $TMPDIR/area1 ++ ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE ++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE ++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ ++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or ++ (.config.json_size != $jsize) ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-256k-secondary.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-256k-secondary.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-256k-secondary.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-256k-secondary.img.sh 2019-03-27 20:59:49.448269714 +0100 +@@ -0,0 +1,97 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate secondary header with one of allowed json area ++# size values. Test whether auto-recovery code is able ++# to validate secondary header with non-default json area ++# size. ++# ++# primary header is corrupted on purpose. ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # 256 KiB metadata ++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_256K ++ ++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512)) ++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE)) ++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024)) ++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024)) ++ JSON_SIZE=$((TEST_JSN_SIZE*512)) ++ DATA_OFFSET=16777216 ++ ++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \ ++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) | ++ .config.json_size = $jsize | ++ .segments."0".offset = $off' $TMPDIR/json0) ++ test -n "$json_str" || exit 2 ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE ++ ++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES ++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE ++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE ++ ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ ++ erase_checksum $TMPDIR/area1 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1) ++ write_checksum $chks0 $TMPDIR/area1 ++ ++ kill_bin_hdr $TMPDIR/area0 ++ ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE ++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE ++ local str_res0=$(head -c 6 $TMPDIR/hdr_res0) ++ test "$str_res0" = "VACUUM" || exit 2 ++ read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE ++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ ++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or ++ (.config.json_size != $jsize) ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-32k.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-32k.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-32k.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-32k.img.sh 2019-03-27 20:59:49.448269714 +0100 +@@ -0,0 +1,94 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary header with non-default metadata json_size. ++# There's only limited set of values allowed as json size in ++# config section of LUKS2 metadata ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # 32KiB metadata ++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_32K ++ ++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512)) ++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE)) ++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024)) ++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024)) ++ JSON_SIZE=$((TEST_JSN_SIZE*512)) ++ DATA_OFFSET=16777216 ++ ++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \ ++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) | ++ .config.json_size = $jsize | ++ .segments."0".offset = $off' $TMPDIR/json0) ++ test -n "$json_str" || exit 2 ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE ++ ++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES ++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE ++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE ++ ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ ++ erase_checksum $TMPDIR/area1 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1) ++ write_checksum $chks0 $TMPDIR/area1 ++ ++ kill_bin_hdr $TMPDIR/area1 ++ ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE ++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE ++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ ++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or ++ (.config.json_size != $jsize) ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-32k-secondary.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-32k-secondary.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-32k-secondary.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-32k-secondary.img.sh 2019-03-27 20:59:49.449269705 +0100 +@@ -0,0 +1,97 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate secondary header with one of allowed json area ++# size values. Test whether auto-recovery code is able ++# to validate secondary header with non-default json area ++# size. ++# ++# primary header is corrupted on purpose. ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # 32 KiB metadata ++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_32K ++ ++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512)) ++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE)) ++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024)) ++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024)) ++ JSON_SIZE=$((TEST_JSN_SIZE*512)) ++ DATA_OFFSET=16777216 ++ ++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \ ++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) | ++ .config.json_size = $jsize | ++ .segments."0".offset = $off' $TMPDIR/json0) ++ test -n "$json_str" || exit 2 ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE ++ ++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES ++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE ++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE ++ ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ ++ erase_checksum $TMPDIR/area1 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1) ++ write_checksum $chks0 $TMPDIR/area1 ++ ++ kill_bin_hdr $TMPDIR/area0 ++ ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE ++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE ++ local str_res0=$(head -c 6 $TMPDIR/hdr_res0) ++ test "$str_res0" = "VACUUM" || exit 2 ++ read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE ++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ ++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or ++ (.config.json_size != $jsize) ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-4m.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-4m.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-4m.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-4m.img.sh 2019-03-27 20:59:49.449269705 +0100 +@@ -0,0 +1,94 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary with predefined json_size. There's only limited ++# set of values allowed as json size in config section of LUKS2 ++# metadata ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # 4 MiB metadata ++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_4M ++ ++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512)) ++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE)) ++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024)) ++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024)) ++ JSON_SIZE=$((TEST_JSN_SIZE*512)) ++ DATA_OFFSET=16777216 ++ ++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \ ++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) | ++ .config.json_size = $jsize | ++ .segments."0".offset = $off' $TMPDIR/json0) ++ test -n "$json_str" || exit 2 ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE ++ ++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES ++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE ++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE ++ ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ ++ erase_checksum $TMPDIR/area1 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1) ++ write_checksum $chks0 $TMPDIR/area1 ++ ++ kill_bin_hdr $TMPDIR/area1 ++ ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE ++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE ++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ ++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or ++ (.config.json_size != $jsize) ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-4m-secondary.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-4m-secondary.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-4m-secondary.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-4m-secondary.img.sh 2019-03-27 20:59:49.450269695 +0100 +@@ -0,0 +1,96 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary with predefined json_size. There's only limited ++# set of values allowed as json size in config section of LUKS2 ++# metadata ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # 4 MiB metadata ++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_4M ++ ++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512)) ++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE)) ++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024)) ++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024)) ++ JSON_SIZE=$((TEST_JSN_SIZE*512)) ++ DATA_OFFSET=16777216 ++ ++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \ ++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) | ++ .config.json_size = $jsize | ++ .segments."0".offset = $off' $TMPDIR/json0) ++ test -n "$json_str" || exit 2 ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE ++ ++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES ++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE ++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE ++ ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ ++ erase_checksum $TMPDIR/area1 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1) ++ write_checksum $chks0 $TMPDIR/area1 ++ ++ kill_bin_hdr $TMPDIR/area0 ++ ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE ++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE ++ local str_res0=$(head -c 6 $TMPDIR/hdr_res0) ++ test "$str_res0" = "VACUUM" || exit 2 ++ read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE ++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ ++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or ++ (.config.json_size != $jsize) ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-512k.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-512k.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-512k.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-512k.img.sh 2019-03-27 20:59:49.450269695 +0100 +@@ -0,0 +1,94 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary with predefined json_size. There's only limited ++# set of values allowed as json size in config section of LUKS2 ++# metadata ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # 512KiB metadata ++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_512K ++ ++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512)) ++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE)) ++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024)) ++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024)) ++ JSON_SIZE=$((TEST_JSN_SIZE*512)) ++ DATA_OFFSET=16777216 ++ ++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \ ++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) | ++ .config.json_size = $jsize | ++ .segments."0".offset = $off' $TMPDIR/json0) ++ test -n "$json_str" || exit 2 ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE ++ ++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES ++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE ++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE ++ ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ ++ erase_checksum $TMPDIR/area1 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1) ++ write_checksum $chks0 $TMPDIR/area1 ++ ++ kill_bin_hdr $TMPDIR/area1 ++ ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE ++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE ++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ ++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or ++ (.config.json_size != $jsize) ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-512k-secondary.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-512k-secondary.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-512k-secondary.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-512k-secondary.img.sh 2019-03-27 20:59:49.451269685 +0100 +@@ -0,0 +1,97 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate secondary header with one of allowed json area ++# size values. Test whether auto-recovery code is able ++# to validate secondary header with non-default json area ++# size. ++# ++# primary header is corrupted on purpose. ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # 512 KiB metadata ++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_512K ++ ++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512)) ++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE)) ++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024)) ++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024)) ++ JSON_SIZE=$((TEST_JSN_SIZE*512)) ++ DATA_OFFSET=16777216 ++ ++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \ ++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) | ++ .config.json_size = $jsize | ++ .segments."0".offset = $off' $TMPDIR/json0) ++ test -n "$json_str" || exit 2 ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE ++ ++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES ++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE ++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE ++ ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ ++ erase_checksum $TMPDIR/area1 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1) ++ write_checksum $chks0 $TMPDIR/area1 ++ ++ kill_bin_hdr $TMPDIR/area0 ++ ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE ++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE ++ local str_res0=$(head -c 6 $TMPDIR/hdr_res0) ++ test "$str_res0" = "VACUUM" || exit 2 ++ read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE ++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ ++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or ++ (.config.json_size != $jsize) ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-64k.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-64k.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-64k.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-64k.img.sh 2019-03-27 20:59:49.451269685 +0100 +@@ -0,0 +1,94 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary with predefined json_size. There's only limited ++# set of values allowed as json size in config section of LUKS2 ++# metadata ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # 64KiB metadata ++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_64K ++ ++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512)) ++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE)) ++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024)) ++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024)) ++ JSON_SIZE=$((TEST_JSN_SIZE*512)) ++ DATA_OFFSET=16777216 ++ ++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \ ++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) | ++ .config.json_size = $jsize | ++ .segments."0".offset = $off' $TMPDIR/json0) ++ test -n "$json_str" || exit 2 ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE ++ ++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES ++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE ++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE ++ ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ ++ erase_checksum $TMPDIR/area1 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1) ++ write_checksum $chks0 $TMPDIR/area1 ++ ++ kill_bin_hdr $TMPDIR/area1 ++ ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE ++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE ++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ ++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or ++ (.config.json_size != $jsize) ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-64k-inv-area-c0.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-64k-inv-area-c0.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-64k-inv-area-c0.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-64k-inv-area-c0.img.sh 2019-03-27 20:59:49.452269675 +0100 +@@ -0,0 +1,94 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary header with non-default metadata json_size ++# and keyslots area trespassing in json area. ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # 64KiB metadata ++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_64K ++ ++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512)) ++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE)) ++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024-1)) ++ # overlap in json area by exactly one byte ++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024-1)) ++ JSON_SIZE=$((TEST_JSN_SIZE*512)) ++ DATA_OFFSET=16777216 ++ ++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \ ++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) | ++ .config.json_size = $jsize | ++ .segments."0".offset = $off' $TMPDIR/json0) ++ test -n "$json_str" || exit 2 ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE ++ ++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES ++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE ++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE ++ ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ ++ erase_checksum $TMPDIR/area1 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1) ++ write_checksum $chks0 $TMPDIR/area1 ++ ++ kill_bin_hdr $TMPDIR/area1 ++ ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE ++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE ++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ ++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or ++ (.config.json_size != $jsize) ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-64k-inv-area-c1.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-64k-inv-area-c1.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-64k-inv-area-c1.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-64k-inv-area-c1.img.sh 2019-03-27 20:59:49.452269675 +0100 +@@ -0,0 +1,96 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary header with non-default metadata json_size ++# and keyslot area overflowing out of keyslots area. ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # 64KiB metadata ++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_64K ++ ++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512)) ++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE)) ++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024)) ++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024)) ++ JSON_SIZE=$((TEST_JSN_SIZE*512)) ++ DATA_OFFSET=16777216 ++ ++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \ ++ --arg mda $((2*TEST_MDA_SIZE_BYTES)) \ ++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) | ++ .keyslots."7".area.offset = ( ((.config.keyslots_size | tonumber) + ($mda | tonumber) - (.keyslots."7".area.size | tonumber) + 1) | tostring ) | ++ .config.json_size = $jsize | ++ .segments."0".offset = $off' $TMPDIR/json0) ++ test -n "$json_str" || exit 2 ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE ++ ++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES ++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE ++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE ++ ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ ++ erase_checksum $TMPDIR/area1 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1) ++ write_checksum $chks0 $TMPDIR/area1 ++ ++ kill_bin_hdr $TMPDIR/area1 ++ ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE ++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE ++# .keyslots.7.area.offset = ( ((.config.keyslots_size | tonumber) + ($mda | tonumber) - (.keyslots.7.area.size | tonumber) + 1) | tostring ) | ++ jq -c --arg mda $((2*TEST_MDA_SIZE_BYTES)) --arg jsize $JSON_SIZE \ ++ 'if (.keyslots."7".area.offset != ( ((.config.keyslots_size | tonumber) + ($mda | tonumber) - (.keyslots."7".area.size | tonumber) + 1) | tostring )) or ++ (.config.json_size != $jsize) ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-64k-inv-keyslots-size-c0.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-64k-inv-keyslots-size-c0.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-64k-inv-keyslots-size-c0.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-64k-inv-keyslots-size-c0.img.sh 2019-03-27 20:59:49.453269666 +0100 +@@ -0,0 +1,96 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary with predefined json_size where keyslots size ++# overflows in data area (segment offset) ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # 64KiB metadata ++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_64K ++ ++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512)) ++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE)) ++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024)) ++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024)) ++ JSON_SIZE=$((TEST_JSN_SIZE*512)) ++ DATA_OFFSET=16777216 ++ ++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \ ++ --arg mda $((2*TEST_MDA_SIZE_BYTES)) \ ++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) | ++ .config.json_size = $jsize | ++ .config.keyslots_size = (((($off | tonumber) - ($mda | tonumber) + 4096)) | tostring ) | ++ .segments."0".offset = $off' $TMPDIR/json0) ++ test -n "$json_str" || exit 2 ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE ++ ++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES ++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE ++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE ++ ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ ++ erase_checksum $TMPDIR/area1 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1) ++ write_checksum $chks0 $TMPDIR/area1 ++ ++ kill_bin_hdr $TMPDIR/area1 ++ ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE ++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 $TEST_MDA_SIZE ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 $TEST_JSN_SIZE ++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE --arg off $DATA_OFFSET --arg mda $((2*TEST_MDA_SIZE_BYTES)) \ ++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or ++ (.config.json_size != $jsize) or ++ (.config.keyslots_size != (((($off | tonumber) - ($mda | tonumber) + 4096)) | tostring )) ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-64k-secondary.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-64k-secondary.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-metadata-size-64k-secondary.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-metadata-size-64k-secondary.img.sh 2019-03-27 20:59:49.453269666 +0100 +@@ -0,0 +1,97 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate secondary header with one of allowed json area ++# size values. Test whether auto-recovery code is able ++# to validate secondary header with non-default json area ++# size. ++# ++# primary header is corrupted on purpose. ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # 64 KiB metadata ++ TEST_MDA_SIZE=$LUKS2_HDR_SIZE_64K ++ ++ TEST_MDA_SIZE_BYTES=$((TEST_MDA_SIZE*512)) ++ TEST_JSN_SIZE=$((TEST_MDA_SIZE-LUKS2_BIN_HDR_SIZE)) ++ KEYSLOTS_OFFSET=$((TEST_MDA_SIZE*1024)) ++ JSON_DIFF=$(((TEST_MDA_SIZE-LUKS2_HDR_SIZE)*1024)) ++ JSON_SIZE=$((TEST_JSN_SIZE*512)) ++ DATA_OFFSET=16777216 ++ ++ json_str=$(jq -c --arg jdiff $JSON_DIFF --arg jsize $JSON_SIZE --arg off $DATA_OFFSET \ ++ '.keyslots[].area.offset |= ( . | tonumber + ($jdiff | tonumber) | tostring) | ++ .config.json_size = $jsize | ++ .segments."0".offset = $off' $TMPDIR/json0) ++ test -n "$json_str" || exit 2 ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 $TEST_JSN_SIZE ++ ++ write_bin_hdr_size $TMPDIR/hdr0 $TEST_MDA_SIZE_BYTES ++ write_bin_hdr_size $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ write_bin_hdr_offset $TMPDIR/hdr1 $TEST_MDA_SIZE_BYTES ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 $TEST_JSN_SIZE ++ merge_bin_hdr_with_json $TMPDIR/hdr1 $TMPDIR/json0 $TMPDIR/area1 $TEST_JSN_SIZE ++ ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ ++ erase_checksum $TMPDIR/area1 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area1) ++ write_checksum $chks0 $TMPDIR/area1 ++ ++ kill_bin_hdr $TMPDIR/area0 ++ ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG $TEST_MDA_SIZE ++ write_luks2_hdr1 $TMPDIR/area1 $TGT_IMG $TEST_MDA_SIZE ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr_res0 $TEST_MDA_SIZE ++ local str_res0=$(head -c 6 $TMPDIR/hdr_res0) ++ test "$str_res0" = "VACUUM" || exit 2 ++ read_luks2_json1 $TGT_IMG $TMPDIR/json_res1 $TEST_JSN_SIZE ++ jq -c --arg koff $KEYSLOTS_OFFSET --arg jsize $JSON_SIZE \ ++ 'if ([.keyslots[].area.offset] | map(tonumber) | min | tostring != $koff) or ++ (.config.json_size != $jsize) ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res1 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-missing-encryption.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-missing-encryption.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-missing-encryption.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-missing-encryption.img.sh 2019-03-27 20:59:49.454269656 +0100 +@@ -0,0 +1,67 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary header with segment encryption field missing ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # remove mandatory encryption field ++ json_str=$(jq -c 'del(.segments."0".encryption)' $TMPDIR/json0) ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG ++ kill_bin_hdr $TMPDIR/hdr1 ++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 ++ jq -c 'if .segments."0".encryption ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-missing-ivoffset.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-missing-ivoffset.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-missing-ivoffset.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-missing-ivoffset.img.sh 2019-03-27 20:59:49.454269656 +0100 +@@ -0,0 +1,67 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary header with segment iv_tweak field missing ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # remove mandatory encryption field ++ json_str=$(jq -c 'del(.segments."0".iv_tweak)' $TMPDIR/json0) ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG ++ kill_bin_hdr $TMPDIR/hdr1 ++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 ++ jq -c 'if .segments."0".iv_tweak ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-missing-sectorsize.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-missing-sectorsize.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-missing-sectorsize.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-missing-sectorsize.img.sh 2019-03-27 20:59:49.455269646 +0100 +@@ -0,0 +1,67 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary header with segment sector_size field missing ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # remove mandatory encryption field ++ json_str=$(jq -c 'del(.segments."0".sector_size)' $TMPDIR/json0) ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG ++ kill_bin_hdr $TMPDIR/hdr1 ++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 ++ jq -c 'if .segments."0".sector_size ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-wrong-encryption.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-wrong-encryption.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-wrong-encryption.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-wrong-encryption.img.sh 2019-03-27 20:59:49.455269646 +0100 +@@ -0,0 +1,67 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary header with segment wrong encryption field ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # remove mandatory encryption field ++ json_str=$(jq -c '.segments."0".encryption = {}' $TMPDIR/json0) ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG ++ kill_bin_hdr $TMPDIR/hdr1 ++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 ++ jq -c 'if .segments."0".encryption | type != "object" ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-wrong-ivoffset.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-wrong-ivoffset.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-wrong-ivoffset.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-wrong-ivoffset.img.sh 2019-03-27 20:59:49.456269637 +0100 +@@ -0,0 +1,67 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary header with segment iv_tweak field missing ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # remove mandatory encryption field ++ json_str=$(jq -c '.segments."0".iv_tweak = "dynamic"' $TMPDIR/json0) ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG ++ kill_bin_hdr $TMPDIR/hdr1 ++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 ++ jq -c 'if .segments."0".iv_tweak != "dynamic" ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-0.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-0.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-0.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-0.img.sh 2019-03-27 20:59:49.456269637 +0100 +@@ -0,0 +1,67 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary header with wrong segment sector_size field ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # remove mandatory encryption field ++ json_str=$(jq -c '.segments."0".sector_size = 1023' $TMPDIR/json0) ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG ++ kill_bin_hdr $TMPDIR/hdr1 ++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 ++ jq -c 'if .segments."0".sector_size != 1023 ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-1.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-1.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-1.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-1.img.sh 2019-03-27 20:59:49.457269627 +0100 +@@ -0,0 +1,67 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary header with wrong segment sector_size field ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # remove mandatory encryption field ++ json_str=$(jq -c '.segments."0".sector_size = "4096"' $TMPDIR/json0) ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG ++ kill_bin_hdr $TMPDIR/hdr1 ++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 ++ jq -c 'if .segments."0".sector_size != "4096" ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-2.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-2.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-2.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-crypt-wrong-sectorsize-2.img.sh 2019-03-27 20:59:49.457269627 +0100 +@@ -0,0 +1,67 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary header with wrong segment sector_size field ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # remove mandatory encryption field ++ json_str=$(jq -c '.segments."0".sector_size = -1024' $TMPDIR/json0) ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG ++ kill_bin_hdr $TMPDIR/hdr1 ++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 ++ jq -c 'if .segments."0".sector_size != -1024 ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-missing-offset.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-missing-offset.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-missing-offset.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-missing-offset.img.sh 2019-03-27 20:59:49.458269617 +0100 +@@ -0,0 +1,67 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary header with segment offset field missing ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # remove mandatory encryption field ++ json_str=$(jq -c 'del(.segments."0".offset)' $TMPDIR/json0) ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG ++ kill_bin_hdr $TMPDIR/hdr1 ++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 ++ jq -c 'if .segments."0".offset ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-missing-size.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-missing-size.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-missing-size.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-missing-size.img.sh 2019-03-27 20:59:49.458269617 +0100 +@@ -0,0 +1,67 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary header with segment size field missing ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # remove mandatory encryption field ++ json_str=$(jq -c 'del(.segments."0".size)' $TMPDIR/json0) ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG ++ kill_bin_hdr $TMPDIR/hdr1 ++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 ++ jq -c 'if .segments."0".size ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-missing-type.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-missing-type.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-missing-type.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-missing-type.img.sh 2019-03-27 20:59:49.459269608 +0100 +@@ -0,0 +1,67 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary header with segment type field missing ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # remove mandatory encryption field ++ json_str=$(jq -c 'del(.segments."0".type)' $TMPDIR/json0) ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG ++ kill_bin_hdr $TMPDIR/hdr1 ++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 ++ jq -c 'if .segments."0".type ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-two.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-two.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-two.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-two.img.sh 2019-03-27 20:59:49.459269608 +0100 +@@ -0,0 +1,67 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary header with two segments ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # remove mandatory encryption field ++ json_str=$(jq -c '.segments."0".size = "512" | .segments."1" = {type:"some", offset: (.segments."0".offset | tonumber + 512 | tostring), size: "dynamic"}' $TMPDIR/json0) ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG ++ kill_bin_hdr $TMPDIR/hdr1 ++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 ++ jq -c 'if .segments."1" | type != "object" ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-unknown-type.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-unknown-type.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-unknown-type.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-unknown-type.img.sh 2019-03-27 20:59:49.459269608 +0100 +@@ -0,0 +1,68 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary header with generic (unknown) segment type. ++# It should pass the validation. ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # remove mandatory encryption field ++ json_str=$(jq -c '.segments."0" = {type:"some_type", offset: .segments."0".offset, size: .segments."0".size, a_field:0}' $TMPDIR/json0) ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG ++ kill_bin_hdr $TMPDIR/hdr1 ++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 ++ jq -c 'if .segments."0".type != "some_type" ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-flags-element.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-flags-element.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-flags-element.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-flags-element.img.sh 2019-03-27 20:59:49.460269598 +0100 +@@ -0,0 +1,67 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary header with segment flags containing invalid type ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # remove mandatory encryption field ++ json_str=$(jq -c '.segments."0".flags = [ "hello", 1 ]' $TMPDIR/json0) ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG ++ kill_bin_hdr $TMPDIR/hdr1 ++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 ++ jq -c 'if .segments."0".flags != [ "hello", 1 ] ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-flags.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-flags.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-flags.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-flags.img.sh 2019-03-27 20:59:49.461269588 +0100 +@@ -0,0 +1,67 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary header with segment flags field of invalid type ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # remove mandatory encryption field ++ json_str=$(jq -c '.segments."0".flags = "hello"' $TMPDIR/json0) ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG ++ kill_bin_hdr $TMPDIR/hdr1 ++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 ++ jq -c 'if .segments."0".flags != "hello" ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-offset.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-offset.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-offset.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-offset.img.sh 2019-03-27 20:59:49.461269588 +0100 +@@ -0,0 +1,67 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary header with wrong segment offset field ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # remove mandatory encryption field ++ json_str=$(jq -c '.segments."0".offset = "-42"' $TMPDIR/json0) ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG ++ kill_bin_hdr $TMPDIR/hdr1 ++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 ++ jq -c 'if .segments."0".offset != "-42" ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-size-0.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-size-0.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-size-0.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-size-0.img.sh 2019-03-27 20:59:49.462269579 +0100 +@@ -0,0 +1,67 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary header with wrong segment size field ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # remove mandatory encryption field ++ json_str=$(jq -c '.segments."0".size = 4096' $TMPDIR/json0) ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG ++ kill_bin_hdr $TMPDIR/hdr1 ++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 ++ jq -c 'if .segments."0".size != 4096 ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-size-1.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-size-1.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-size-1.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-size-1.img.sh 2019-03-27 20:59:49.462269579 +0100 +@@ -0,0 +1,67 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary header with wrong segment size field ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # remove mandatory encryption field ++ json_str=$(jq -c '.segments."0".size = "automatic"' $TMPDIR/json0) ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG ++ kill_bin_hdr $TMPDIR/hdr1 ++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 ++ jq -c 'if .segments."0".size != "automatic" ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-size-2.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-size-2.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-size-2.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-size-2.img.sh 2019-03-27 20:59:49.463269569 +0100 +@@ -0,0 +1,67 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary header with wrong segment size field ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # remove mandatory encryption field ++ json_str=$(jq -c '.segments."0".size = "511"' $TMPDIR/json0) ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG ++ kill_bin_hdr $TMPDIR/hdr1 ++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 ++ jq -c 'if .segments."0".size != "511" ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-type.img.sh cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-type.img.sh +--- cryptsetup-2.0.3.old/tests/generators/generate-luks2-segment-wrong-type.img.sh 1970-01-01 01:00:00.000000000 +0100 ++++ cryptsetup-2.0.3/tests/generators/generate-luks2-segment-wrong-type.img.sh 2019-03-27 20:59:49.463269569 +0100 +@@ -0,0 +1,67 @@ ++#!/bin/bash ++ ++. lib.sh ++ ++# ++# *** Description *** ++# ++# generate primary header with wrong segment type field ++# ++# secondary header is corrupted on purpose as well ++# ++ ++# $1 full target dir ++# $2 full source luks2 image ++ ++function prepare() ++{ ++ cp $SRC_IMG $TGT_IMG ++ test -d $TMPDIR || mkdir $TMPDIR ++ read_luks2_json0 $TGT_IMG $TMPDIR/json0 ++ read_luks2_bin_hdr0 $TGT_IMG $TMPDIR/hdr0 ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr1 ++} ++ ++function generate() ++{ ++ # remove mandatory encryption field ++ json_str=$(jq -c '.segments."0".type = 42' $TMPDIR/json0) ++ test ${#json_str} -lt $((LUKS2_JSON_SIZE*512)) || exit 2 ++ ++ write_luks2_json "$json_str" $TMPDIR/json0 ++ ++ merge_bin_hdr_with_json $TMPDIR/hdr0 $TMPDIR/json0 $TMPDIR/area0 ++ erase_checksum $TMPDIR/area0 ++ chks0=$(calc_sha256_checksum_file $TMPDIR/area0) ++ write_checksum $chks0 $TMPDIR/area0 ++ write_luks2_hdr0 $TMPDIR/area0 $TGT_IMG ++ kill_bin_hdr $TMPDIR/hdr1 ++ write_luks2_hdr1 $TMPDIR/hdr1 $TGT_IMG ++} ++ ++function check() ++{ ++ read_luks2_bin_hdr1 $TGT_IMG $TMPDIR/hdr_res1 ++ local str_res1=$(head -c 6 $TMPDIR/hdr_res1) ++ test "$str_res1" = "VACUUM" || exit 2 ++ ++ read_luks2_json0 $TGT_IMG $TMPDIR/json_res0 ++ jq -c 'if .segments."0".type != 42 ++ then error("Unexpected value in result json") else empty end' $TMPDIR/json_res0 || exit 5 ++} ++ ++function cleanup() ++{ ++ rm -f $TMPDIR/* ++ rm -fd $TMPDIR ++} ++ ++test $# -eq 2 || exit 1 ++ ++TGT_IMG=$1/$(test_img_name $0) ++SRC_IMG=$2 ++ ++prepare ++generate ++check ++cleanup +diff -rupN cryptsetup-2.0.3.old/tests/generators/lib.sh cryptsetup-2.0.3/tests/generators/lib.sh +--- cryptsetup-2.0.3.old/tests/generators/lib.sh 2019-03-27 20:59:31.664442127 +0100 ++++ cryptsetup-2.0.3/tests/generators/lib.sh 2019-03-27 20:59:49.464269559 +0100 +@@ -1,9 +1,17 @@ + #!/bin/bash + +-# all in 512 bytes blocks +-# LUKS2 with 16KiB header +-LUKS2_HDR_SIZE=32 # 16 KiB +-LUKS2_BIN_HDR_SIZE=8 # 4096 B ++# all in 512 bytes blocks (including binary hdr (4KiB)) ++LUKS2_HDR_SIZE=32 # 16 KiB ++LUKS2_HDR_SIZE_32K=64 # 32 KiB ++LUKS2_HDR_SIZE_64K=128 # 64 KiB ++LUKS2_HDR_SIZE_128K=256 # 128 KiB ++LUKS2_HDR_SIZE_256K=512 # 256 KiB ++LUKS2_HDR_SIZE_512K=1024 # 512 KiB ++LUKS2_HDR_SIZE_1M=2048 # 1 MiB ++LUKS2_HDR_SIZE_2M=4096 # 2 MiB ++LUKS2_HDR_SIZE_4M=8192 # 4 MiB ++ ++LUKS2_BIN_HDR_SIZE=8 # 4 KiB + LUKS2_JSON_SIZE=$((LUKS2_HDR_SIZE-LUKS2_BIN_HDR_SIZE)) + + LUKS2_BIN_HDR_CHKS_OFFSET=0x1C0 +@@ -30,57 +38,88 @@ function test_img_name() + echo $str + } + ++# read primary bin hdr ++# 1:from 2:to + function read_luks2_bin_hdr0() + { + _dd if=$1 of=$2 bs=512 count=$LUKS2_BIN_HDR_SIZE + } + ++# read primary json area ++# 1:from 2:to 3:[json only size (defaults to 12KiB)] + function read_luks2_json0() + { +- _dd if=$1 of=$2 bs=512 skip=$LUKS2_BIN_HDR_SIZE count=$LUKS2_JSON_SIZE ++ local _js=${4:-$LUKS2_JSON_SIZE} ++ local _js=$((_js*512/4096)) ++ _dd if=$1 of=$2 bs=4096 skip=1 count=$_js + } + ++# read secondary bin hdr ++# 1:from 2:to 3:[metadata size (defaults to 16KiB)] + function read_luks2_bin_hdr1() + { +- _dd if=$1 of=$2 skip=$LUKS2_HDR_SIZE bs=512 count=$LUKS2_BIN_HDR_SIZE ++ _dd if=$1 of=$2 skip=${3:-$LUKS2_HDR_SIZE} bs=512 count=$LUKS2_BIN_HDR_SIZE + } + ++# read secondary json area ++# 1:from 2:to 3:[json only size (defaults to 12KiB)] + function read_luks2_json1() + { +- _dd if=$1 of=$2 bs=512 skip=$((LUKS2_BIN_HDR_SIZE+LUKS2_HDR_SIZE)) count=$LUKS2_JSON_SIZE ++ local _js=${3:-$LUKS2_JSON_SIZE} ++ _dd if=$1 of=$2 bs=512 skip=$((2*LUKS2_BIN_HDR_SIZE+_js)) count=$_js + } + ++# read primary metadata area (bin + json) ++# 1:from 2:to 3:[metadata size (defaults to 16KiB)] + function read_luks2_hdr_area0() + { +- _dd if=$1 of=$2 bs=512 count=$LUKS2_HDR_SIZE ++ local _as=${3:-$LUKS2_HDR_SIZE} ++ local _as=$((_as*512)) ++ _dd if=$1 of=$2 bs=$_as count=1 + } + ++# read secondary metadata area (bin + json) ++# 1:from 2:to 3:[metadata size (defaults to 16KiB)] + function read_luks2_hdr_area1() + { +- _dd if=$1 of=$2 bs=512 skip=$LUKS2_HDR_SIZE count=$LUKS2_HDR_SIZE ++ local _as=${3:-$LUKS2_HDR_SIZE} ++ local _as=$((_as*512)) ++ _dd if=$1 of=$2 bs=$_as skip=1 count=1 + } + ++# write secondary bin hdr ++# 1:from 2:to 3:[metadata size (defaults to 16KiB)] + function write_luks2_bin_hdr1() + { +- _dd if=$1 of=$2 bs=512 seek=$LUKS2_HDR_SIZE count=$LUKS2_BIN_HDR_SIZE conv=notrunc ++ _dd if=$1 of=$2 bs=512 seek=${3:-$LUKS2_HDR_SIZE} count=$LUKS2_BIN_HDR_SIZE conv=notrunc + } + ++# write primary metadata area (bin + json) ++# 1:from 2:to 3:[metadata size (defaults to 16KiB)] + function write_luks2_hdr0() + { +- _dd if=$1 of=$2 bs=512 count=$LUKS2_HDR_SIZE conv=notrunc ++ local _as=${3:-$LUKS2_HDR_SIZE} ++ local _as=$((_as*512)) ++ _dd if=$1 of=$2 bs=$_as count=1 conv=notrunc + } + ++# write secondary metadata area (bin + json) ++# 1:from 2:to 3:[metadata size (defaults to 16KiB)] + function write_luks2_hdr1() + { +- _dd if=$1 of=$2 bs=512 seek=$LUKS2_HDR_SIZE count=$LUKS2_HDR_SIZE conv=notrunc ++ local _as=${3:-$LUKS2_HDR_SIZE} ++ local _as=$((_as*512)) ++ _dd if=$1 of=$2 bs=$_as seek=1 count=1 conv=notrunc + } + +-# 1 - json str ++# write json (includes padding) ++# 1:json_string 2:to 3:[json size (defaults to 12KiB)] + function write_luks2_json() + { ++ local _js=${3:-$LUKS2_JSON_SIZE} + local len=${#1} +- printf '%s' "$1" | _dd of=$2 bs=1 count=$len conv=notrunc +- _dd if=/dev/zero of=$2 bs=1 seek=$len count=$((LUKS2_JSON_SIZE*512-len)) ++ echo -n -E "$1" > $2 ++ truncate -s $((_js*512)) $2 + } + + function kill_bin_hdr() +@@ -117,17 +156,25 @@ function calc_sha256_checksum_stdin() + sha256sum - | cut -d ' ' -f 1 + } + +-# 1 - bin +-# 2 - json +-# 3 - luks2_hdr_area ++# merge bin hdr with json to form metadata area ++# 1:bin_hdr 2:json 3:to 4:[json size (defaults to 12KiB)] + function merge_bin_hdr_with_json() + { +- _dd if=$1 of=$3 bs=512 count=$LUKS2_BIN_HDR_SIZE +- _dd if=$2 of=$3 bs=512 seek=$LUKS2_BIN_HDR_SIZE count=$LUKS2_JSON_SIZE ++ local _js=${4:-$LUKS2_JSON_SIZE} ++ local _js=$((_js*512/4096)) ++ _dd if=$1 of=$3 bs=4096 count=1 ++ _dd if=$2 of=$3 bs=4096 seek=1 count=$_js + } + + function _dd() + { +- dd $@ 2>/dev/null +- #dd $@ ++ dd $@ status=none ++} ++ ++function write_bin_hdr_size() { ++ printf '%016x' $2 | xxd -r -p -l 16 | _dd of=$1 bs=8 count=1 seek=1 conv=notrunc ++} ++ ++function write_bin_hdr_offset() { ++ printf '%016x' $2 | xxd -r -p -l 16 | _dd of=$1 bs=8 count=1 seek=32 conv=notrunc + } +diff -rupN cryptsetup-2.0.3.old/tests/luks2-validation-test cryptsetup-2.0.3/tests/luks2-validation-test +--- cryptsetup-2.0.3.old/tests/luks2-validation-test 2019-03-27 20:59:31.654442224 +0100 ++++ cryptsetup-2.0.3/tests/luks2-validation-test 2019-03-27 20:59:49.465269549 +0100 +@@ -3,14 +3,12 @@ + #turn on debug mode by following env. variable _DEBUG=1 + + PS4='$LINENO:' +-CRYPTSETUP=../cryptsetup ++[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".." ++CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup + + CRYPTSETUP_VALGRIND=../.libs/cryptsetup + CRYPTSETUP_LIB_VALGRIND=../.libs + +-DM_CRYPT_SECTOR=512 +-LUKS2_HDR_SIZE=2112 # 16 KiB version, stored twice, including luks2 areas with keyslots +- + START_DIR=$(pwd) + + IMG=luks2-backend.img +@@ -19,6 +17,8 @@ TST_IMGS=$START_DIR/luks2-images + + GEN_DIR=generators + ++FAILS=0 ++ + [ -z "$srcdir" ] && srcdir="." + + function remove_mapping() +@@ -29,12 +29,18 @@ function remove_mapping() + function fail() + { + [ -n "$1" ] && echo "$1" +- echo "FAILED" ++ echo "FAILED at line $(caller)" + cd $START_DIR + remove_mapping + exit 2 + } + ++fail_count() ++{ ++ echo "$1" ++ FAILS=$((FAILS+1)) ++} ++ + function skip() + { + [ -n "$1" ] && echo "$1" +@@ -61,23 +67,24 @@ function test_load() + case "$1" in + R) + if [ -n "$_debug" ]; then +- $CRYPTSETUP luksDump $_debug $IMG || fail "$2" ++ $CRYPTSETUP luksDump $_debug $IMG + else +- $CRYPTSETUP luksDump $_debug $IMG > /dev/null || fail "$2" ++ $CRYPTSETUP luksDump $_debug $IMG > /dev/null 2>&1 + fi ++ test $? -eq 0 || return 1 + ;; + F) + if [ -n "$_debug" ]; then +- $CRYPTSETUP luksDump $_debug $IMG && fail "$2" ++ $CRYPTSETUP luksDump $_debug $IMG + else +- $CRYPTSETUP luksDump $_debug $IMG > /dev/null 2>&1 && fail "$2" ++ $CRYPTSETUP luksDump $_debug $IMG > /dev/null 2>&1 + fi ++ test $? -ne 0 || return 1 + ;; + *) + fail "Internal test error" + ;; + esac +- + } + + function RUN() +@@ -85,7 +92,11 @@ function RUN() + echo -n "Test image: $1..." + cp $TST_IMGS/$1 $IMG || fail "Missing test image" + test_load $2 "$3" +- echo "OK" ++ if [ $? -ne 0 ]; then ++ fail_count "$3" ++ else ++ echo "OK" ++ fi + } + + function valgrind_setup() +@@ -158,11 +169,6 @@ RUN luks2-area-in-json-hdr-space-json0.i + RUN luks2-missing-keyslot-referenced-in-digest.img "F" "Failed to detect missing keyslot referenced in digest" + RUN luks2-missing-segment-referenced-in-digest.img "F" "Failed to detect missing segment referenced in digest" + RUN luks2-missing-keyslot-referenced-in-token.img "F" "Failed to detect missing keyslots referenced in token" +-RUN luks2-invalid-keyslots-size-c0.img "F" "Failed to detect too large keyslots_size in config section" +-RUN luks2-invalid-keyslots-size-c1.img "F" "Failed to detect unaligned keyslots_size in config section" +-RUN luks2-invalid-keyslots-size-c2.img "F" "Failed to detect too small keyslots_size config section" +-RUN luks2-invalid-json-size-c0.img "F" "Failed to detect invalid json_size config section" +-RUN luks2-invalid-json-size-c1.img "F" "Failed to detect invalid json_size config section" + RUN luks2-keyslot-missing-digest.img "F" "Failed to detect missing keyslot digest." + RUN luks2-keyslot-too-many-digests.img "F" "Failed to detect keyslot has too many digests." + +@@ -171,4 +177,56 @@ RUN luks2-uint64-max-segment-size.img + RUN luks2-uint64-overflow-segment-size.img "F" "Failed to detect uint64_t overflow" + RUN luks2-uint64-signed-segment-size.img "F" "Failed to detect negative value" + ++echo "[5] Test segments validation" ++RUN luks2-segment-missing-type.img "F" "Failed to detect missing type field" ++RUN luks2-segment-wrong-type.img "F" "Failed to detect invalid type field" ++RUN luks2-segment-missing-offset.img "F" "Failed to detect missing offset field" ++RUN luks2-segment-wrong-offset.img "F" "Failed to detect invalid offset field" ++RUN luks2-segment-missing-size.img "F" "Failed to detect missing size field" ++RUN luks2-segment-wrong-size-0.img "F" "Failed to detect invalid size field" ++RUN luks2-segment-wrong-size-1.img "F" "Failed to detect invalid size field" ++RUN luks2-segment-wrong-size-2.img "F" "Failed to detect invalid size field" ++RUN luks2-segment-crypt-missing-encryption.img "F" "Failed to detect missing encryption field" ++RUN luks2-segment-crypt-wrong-encryption.img "F" "Failed to detect invalid encryption field" ++RUN luks2-segment-crypt-missing-ivoffset.img "F" "Failed to detect missing iv_tweak field" ++RUN luks2-segment-crypt-wrong-ivoffset.img "F" "Failed to detect invalid iv_tweak field" ++RUN luks2-segment-crypt-missing-sectorsize.img "F" "Failed to detect missing sector_size field" ++RUN luks2-segment-crypt-wrong-sectorsize-0.img "F" "Failed to detect invalid sector_size field" ++RUN luks2-segment-crypt-wrong-sectorsize-1.img "F" "Failed to detect invalid sector_size field" ++RUN luks2-segment-crypt-wrong-sectorsize-2.img "F" "Failed to detect invalid sector_size field" ++RUN luks2-segment-unknown-type.img "R" "Validation rejected segment with all mandatory fields correct" ++RUN luks2-segment-two.img "R" "Validation rejected two valid segments" ++RUN luks2-segment-wrong-flags.img "F" "Failed to detect invalid flags field" ++RUN luks2-segment-wrong-flags-element.img "F" "Failed to detect invalid flags content" ++ ++echo "[6] Test metadata size and keyslots size (config section)" ++RUN luks2-invalid-keyslots-size-c0.img "F" "Failed to detect too large keyslots_size in config section" ++RUN luks2-invalid-keyslots-size-c1.img "F" "Failed to detect unaligned keyslots_size in config section" ++RUN luks2-invalid-keyslots-size-c2.img "F" "Failed to detect too small keyslots_size config section" ++RUN luks2-invalid-json-size-c0.img "F" "Failed to detect invalid json_size config section" ++RUN luks2-invalid-json-size-c1.img "F" "Failed to detect invalid json_size config section" ++RUN luks2-invalid-json-size-c2.img "F" "Failed to detect mismatching json size in config and binary hdr" ++RUN luks2-metadata-size-32k.img "R" "Valid 32KiB metadata size failed to validate" ++RUN luks2-metadata-size-64k.img "R" "Valid 64KiB metadata size failed to validate" ++RUN luks2-metadata-size-64k-inv-area-c0.img "F" "Failed to detect keyslot area trespassing in json area" ++RUN luks2-metadata-size-64k-inv-area-c1.img "F" "Failed to detect keyslot area overflowing keyslots area" ++RUN luks2-metadata-size-64k-inv-keyslots-size-c0.img "F" "Failed to detect keyslots size overflowing in data area" ++RUN luks2-metadata-size-128k.img "R" "Valid 128KiB metadata size failed to validate" ++RUN luks2-metadata-size-256k.img "R" "Valid 256KiB metadata size failed to validate" ++RUN luks2-metadata-size-512k.img "R" "Valid 512KiB metadata size failed to validate" ++RUN luks2-metadata-size-1m.img "R" "Valid 1MiB metadata size failed to validate" ++RUN luks2-metadata-size-2m.img "R" "Valid 2MiB metadata size failed to validate" ++RUN luks2-metadata-size-4m.img "R" "Valid 4MiB metadata size failed to validate" ++RUN luks2-metadata-size-16k-secondary.img "R" "Valid 16KiB metadata size in secondary hdr failed to validate" ++RUN luks2-metadata-size-32k-secondary.img "R" "Valid 32KiB metadata size in secondary hdr failed to validate" ++RUN luks2-metadata-size-64k-secondary.img "R" "Valid 64KiB metadata size in secondary hdr failed to validate" ++RUN luks2-metadata-size-128k-secondary.img "R" "Valid 128KiB metadata size in secondary hdr failed to validate" ++RUN luks2-metadata-size-256k-secondary.img "R" "Valid 256KiB metadata size in secondary hdr failed to validate" ++RUN luks2-metadata-size-512k-secondary.img "R" "Valid 512KiB metadata size in secondary hdr failed to validate" ++RUN luks2-metadata-size-1m-secondary.img "R" "Valid 1MiB metadata size in secondary hdr failed to validate" ++RUN luks2-metadata-size-2m-secondary.img "R" "Valid 2MiB metadata size in secondary hdr failed to validate" ++RUN luks2-metadata-size-4m-secondary.img "R" "Valid 4MiB metadata size in secondary hdr failed to validate" ++ + remove_mapping ++ ++test $FAILS -eq 0 || fail "($FAILS wrong result(s) in total)" diff --git a/SOURCES/cryptsetup-2.2.1-reinstate-missing-backing-file-hint-for-loop-device.patch b/SOURCES/cryptsetup-2.2.1-reinstate-missing-backing-file-hint-for-loop-device.patch new file mode 100644 index 0000000..7aa6b76 --- /dev/null +++ b/SOURCES/cryptsetup-2.2.1-reinstate-missing-backing-file-hint-for-loop-device.patch @@ -0,0 +1,149 @@ +diff -rupN cryptsetup-2.0.3.old/src/Makemodule.am cryptsetup-2.0.3.new/src/Makemodule.am +--- cryptsetup-2.0.3.old/src/Makemodule.am 2019-08-27 17:37:25.043999695 +0200 ++++ cryptsetup-2.0.3.new/src/Makemodule.am 2019-08-27 17:39:40.303336254 +0200 +@@ -6,6 +6,7 @@ cryptsetup_SOURCES = \ + lib/utils_loop.c \ + lib/utils_io.c \ + src/utils_tools.c \ ++ lib/utils_loop.c \ + src/utils_password.c \ + src/cryptsetup.c \ + src/cryptsetup.h +diff -rupN cryptsetup-2.0.3.old/src/utils_password.c cryptsetup-2.0.3.new/src/utils_password.c +--- cryptsetup-2.0.3.old/src/utils_password.c 2019-08-27 17:37:25.043999695 +0200 ++++ cryptsetup-2.0.3.new/src/utils_password.c 2019-08-27 17:38:35.354214280 +0200 +@@ -256,7 +256,7 @@ int tools_get_key(const char *prompt, + int timeout, int verify, int pwquality, + struct crypt_device *cd) + { +- char tmp[1024]; ++ char tmp[1024], *backing_file; + int r = -EINVAL, block; + + block = tools_signals_blocked(); +@@ -270,9 +270,11 @@ int tools_get_key(const char *prompt, + } else { + if (!prompt && !crypt_get_device_name(cd)) + snprintf(tmp, sizeof(tmp), _("Enter passphrase: ")); +- else if (!prompt) +- snprintf(tmp, sizeof(tmp), _("Enter passphrase for %s: "), +- crypt_get_device_name(cd)); ++ else if (!prompt) { ++ backing_file = crypt_loop_backing_file(crypt_get_device_name(cd)); ++ snprintf(tmp, sizeof(tmp), _("Enter passphrase for %s: "), backing_file ?: crypt_get_device_name(cd)); ++ free(backing_file); ++ } + r = crypt_get_key_tty(prompt ?: tmp, key, key_size, timeout, verify, cd); + } + } else { +diff -rupN cryptsetup-2.0.3.old/tests/compat-test cryptsetup-2.0.3.new/tests/compat-test +--- cryptsetup-2.0.3.old/tests/compat-test 2019-08-27 17:37:24.942997950 +0200 ++++ cryptsetup-2.0.3.new/tests/compat-test 2019-08-27 17:41:15.868988979 +0200 +@@ -735,15 +735,20 @@ fi + which expect >/dev/null 2>&1 || skip "WARNING: expect tool missing, interactive test will be skipped." 0 + + prepare "[32] Interactive password retry from terminal." new ++if [ "$(pwd)" = "/" ]; then ++ EXPECT_DEV=/$IMG ++else ++ EXPECT_DEV=$(pwd)/$IMG ++fi + expect - >/dev/null </dev/null <type, CRYPT_KDF_ARGON2I) || ++ !strcmp(pbkdf->type, CRYPT_KDF_ARGON2ID))) { ++ log_err(cd, _("%s key derivation function is not allowed in FIPS mode."), ++ pbkdf->type); ++ return -EINVAL; ++ } ++ + r = crypt_benchmark_pbkdf_internal(cd, CONST_CAST(struct crypt_pbkdf_type *)pbkdf, keyslot_key_len); + if (r < 0) + return r; diff --git a/SOURCES/cryptsetup-avoid-rh-kernel-bug.patch b/SOURCES/cryptsetup-avoid-rh-kernel-bug.patch new file mode 100644 index 0000000..c0ca3b2 --- /dev/null +++ b/SOURCES/cryptsetup-avoid-rh-kernel-bug.patch @@ -0,0 +1,56 @@ +--- a/lib/crypto_backend/crypto_cipher_kernel.c ++++ b/lib/crypto_backend/crypto_cipher_kernel.c +@@ -31,6 +31,7 @@ + #ifdef ENABLE_AF_ALG + + #include ++#include + + #ifndef AF_ALG + #define AF_ALG 38 +@@ -88,6 +89,35 @@ int crypt_cipher_blocksize(const char *n + return ca ? ca->blocksize : -EINVAL; + } + ++static size_t pagesize(size_t defsize) ++{ ++ long r = sysconf(_SC_PAGESIZE); ++ return r < 0 ? defsize : (size_t)r; ++} ++ ++static int check_rh_kernel_version(void) ++{ ++ unsigned maj, mid, min, rel; ++ static struct utsname uts = {{ 0 }}; ++ size_t ps = pagesize(32768); ++ ++ if (ps < 32768) ++ return 0; ++ ++ if (!*uts.release && uname(&uts) < 0) ++ return -ENOTSUP; ++ /* ++ * RH kernels 3.10.0-185 and lower are affected by a crypto API kernel ++ * socket bug. The bug only manifests on archs with page size >= 32 KiB. ++ * ++ * For reference, see rhbz#1136075 ++ */ ++ if (sscanf(uts.release, "%u.%u.%u-%u", &maj, &mid, &min, &rel) == 4) ++ return (maj == 3 && mid == 10 && min == 0 && rel < 186) ? -ENOTSUP : 0; ++ ++ return -ENOTSUP; ++} ++ + /* + * ciphers + * +@@ -104,6 +134,9 @@ int crypt_cipher_init(struct crypt_ciphe + .salg_type = "skcipher", + }; + ++ if (check_rh_kernel_version()) ++ return -ENOTSUP; ++ + h = malloc(sizeof(*h)); + if (!h) + return -ENOMEM; diff --git a/SOURCES/cryptsetup-configure.patch b/SOURCES/cryptsetup-configure.patch new file mode 100644 index 0000000..044988e --- /dev/null +++ b/SOURCES/cryptsetup-configure.patch @@ -0,0 +1,417 @@ +diff -rupN cryptsetup-2.0.3.old/config.h.in cryptsetup-2.0.3.new/config.h.in +--- cryptsetup-2.0.3.old/config.h.in 2019-08-27 18:30:14.342521239 +0200 ++++ cryptsetup-2.0.3.new/config.h.in 2019-08-27 18:30:48.212105267 +0200 +@@ -106,6 +106,12 @@ + /* Define to 1 if you have the header file. */ + #undef HAVE_ARGON2_H + ++/* Define to 1 to use blkid for detection of disk signatures. */ ++#undef HAVE_BLKID ++ ++/* Define to 1 if you have the header file. */ ++#undef HAVE_BLKID_BLKID_H ++ + /* Define to 1 if you have the header file. */ + #undef HAVE_BYTESWAP_H + +@@ -127,6 +133,30 @@ + */ + #undef HAVE_DCGETTEXT + ++/* Define to 1 if you have the declaration of `blkid_do_probe', and to 0 if ++ you don't. */ ++#undef HAVE_DECL_BLKID_DO_PROBE ++ ++/* Define to 1 if you have the declaration of `blkid_do_safeprobe', and to 0 ++ if you don't. */ ++#undef HAVE_DECL_BLKID_DO_SAFEPROBE ++ ++/* Define to 1 if you have the declaration of ++ `blkid_probe_filter_superblocks_type', and to 0 if you don't. */ ++#undef HAVE_DECL_BLKID_PROBE_FILTER_SUPERBLOCKS_TYPE ++ ++/* Define to 1 if you have the declaration of `blkid_probe_lookup_value ', and ++ to 0 if you don't. */ ++#undef HAVE_DECL_BLKID_PROBE_LOOKUP_VALUE__________ ++ ++/* Define to 1 if you have the declaration of `blkid_probe_set_device', and to ++ 0 if you don't. */ ++#undef HAVE_DECL_BLKID_PROBE_SET_DEVICE ++ ++/* Define to 1 if you have the declaration of `blkid_reset_probe', and to 0 if ++ you don't. */ ++#undef HAVE_DECL_BLKID_RESET_PROBE ++ + /* Define to 1 if you have the declaration of `dm_device_has_holders', and to + 0 if you don't. */ + #undef HAVE_DECL_DM_DEVICE_HAS_HOLDERS +diff -rupN cryptsetup-2.0.3.old/configure cryptsetup-2.0.3.new/configure +--- cryptsetup-2.0.3.old/configure 2019-08-27 18:30:14.342521239 +0200 ++++ cryptsetup-2.0.3.new/configure 2019-08-27 18:30:48.212105267 +0200 +@@ -664,6 +664,10 @@ PWQUALITY_STATIC_LIBS + systemd_tmpfilesdir + DEVMAPPER_STATIC_LIBS + DEVMAPPER_STATIC_CFLAGS ++HAVE_BLKID_FALSE ++HAVE_BLKID_TRUE ++BLKID_LIBS ++BLKID_CFLAGS + CRYPTO_INTERNAL_ARGON2_FALSE + CRYPTO_INTERNAL_ARGON2_TRUE + LIBARGON2_LIBS +@@ -878,6 +882,7 @@ enable_gcrypt_pbkdf2 + with_libgcrypt_prefix + enable_internal_argon2 + enable_libargon2 ++enable_blkid + enable_dev_random + enable_python + with_python_version +@@ -935,6 +940,8 @@ NSS_CFLAGS + NSS_LIBS + LIBARGON2_CFLAGS + LIBARGON2_LIBS ++BLKID_CFLAGS ++BLKID_LIBS + DEVMAPPER_STATIC_CFLAGS + DEVMAPPER_STATIC_LIBS + systemd_tmpfilesdir +@@ -1607,6 +1614,8 @@ Optional Features: + disable internal implementation of Argon2 PBKDF + --enable-libargon2 enable external libargon2 (PHC) library (disables + internal bundled version) ++ --disable-blkid disable use of blkid for device signature detection ++ and wiping. + --enable-dev-random use blocking /dev/random by default for key + generator (otherwise use /dev/urandom) + --enable-python enable Python bindings +@@ -1719,6 +1728,9 @@ Some influential environment variables: + C compiler flags for LIBARGON2, overriding pkg-config + LIBARGON2_LIBS + linker flags for LIBARGON2, overriding pkg-config ++ BLKID_CFLAGS ++ C compiler flags for BLKID, overriding pkg-config ++ BLKID_LIBS linker flags for BLKID, overriding pkg-config + DEVMAPPER_STATIC_CFLAGS + C compiler flags for DEVMAPPER_STATIC, overriding pkg-config + DEVMAPPER_STATIC_LIBS +@@ -18580,6 +18592,211 @@ else + fi + + ++# Check whether --enable-blkid was given. ++if test "${enable_blkid+set}" = set; then : ++ enableval=$enable_blkid; ++else ++ enable_blkid=yes ++fi ++ ++ ++if test x$enable_blkid = xyes ; then ++ ++pkg_failed=no ++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for BLKID" >&5 ++$as_echo_n "checking for BLKID... " >&6; } ++ ++if test -n "$BLKID_CFLAGS"; then ++ pkg_cv_BLKID_CFLAGS="$BLKID_CFLAGS" ++ elif test -n "$PKG_CONFIG"; then ++ if test -n "$PKG_CONFIG" && \ ++ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"blkid\""; } >&5 ++ ($PKG_CONFIG --exists --print-errors "blkid") 2>&5 ++ ac_status=$? ++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 ++ test $ac_status = 0; }; then ++ pkg_cv_BLKID_CFLAGS=`$PKG_CONFIG --cflags "blkid" 2>/dev/null` ++ test "x$?" != "x0" && pkg_failed=yes ++else ++ pkg_failed=yes ++fi ++ else ++ pkg_failed=untried ++fi ++if test -n "$BLKID_LIBS"; then ++ pkg_cv_BLKID_LIBS="$BLKID_LIBS" ++ elif test -n "$PKG_CONFIG"; then ++ if test -n "$PKG_CONFIG" && \ ++ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"blkid\""; } >&5 ++ ($PKG_CONFIG --exists --print-errors "blkid") 2>&5 ++ ac_status=$? ++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 ++ test $ac_status = 0; }; then ++ pkg_cv_BLKID_LIBS=`$PKG_CONFIG --libs "blkid" 2>/dev/null` ++ test "x$?" != "x0" && pkg_failed=yes ++else ++ pkg_failed=yes ++fi ++ else ++ pkg_failed=untried ++fi ++ ++ ++ ++if test $pkg_failed = yes; then ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++$as_echo "no" >&6; } ++ ++if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then ++ _pkg_short_errors_supported=yes ++else ++ _pkg_short_errors_supported=no ++fi ++ if test $_pkg_short_errors_supported = yes; then ++ BLKID_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "blkid" 2>&1` ++ else ++ BLKID_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "blkid" 2>&1` ++ fi ++ # Put the nasty error message in config.log where it belongs ++ echo "$BLKID_PKG_ERRORS" >&5 ++ ++ LIBBLKID_LIBS="-lblkid" ++elif test $pkg_failed = untried; then ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++$as_echo "no" >&6; } ++ LIBBLKID_LIBS="-lblkid" ++else ++ BLKID_CFLAGS=$pkg_cv_BLKID_CFLAGS ++ BLKID_LIBS=$pkg_cv_BLKID_LIBS ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 ++$as_echo "yes" >&6; } ++ ++$as_echo "#define HAVE_BLKID 1" >>confdefs.h ++ ++fi ++ ++ for ac_header in blkid/blkid.h ++do : ++ ac_fn_c_check_header_mongrel "$LINENO" "blkid/blkid.h" "ac_cv_header_blkid_blkid_h" "$ac_includes_default" ++if test "x$ac_cv_header_blkid_blkid_h" = xyes; then : ++ cat >>confdefs.h <<_ACEOF ++#define HAVE_BLKID_BLKID_H 1 ++_ACEOF ++ ++else ++ as_fn_error $? "You need blkid development library installed." "$LINENO" 5 ++fi ++ ++done ++ ++ ac_fn_c_check_decl "$LINENO" "blkid_reset_probe" "ac_cv_have_decl_blkid_reset_probe" "#include ++" ++if test "x$ac_cv_have_decl_blkid_reset_probe" = xyes; then : ++ ac_have_decl=1 ++else ++ ac_have_decl=0 ++fi ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_DECL_BLKID_RESET_PROBE $ac_have_decl ++_ACEOF ++if test $ac_have_decl = 1; then : ++ ++else ++ as_fn_error $? "Can not compile with blkid support, disable it by --disable-blkid." "$LINENO" 5 ++fi ++ac_fn_c_check_decl "$LINENO" "blkid_probe_set_device" "ac_cv_have_decl_blkid_probe_set_device" "#include ++" ++if test "x$ac_cv_have_decl_blkid_probe_set_device" = xyes; then : ++ ac_have_decl=1 ++else ++ ac_have_decl=0 ++fi ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_DECL_BLKID_PROBE_SET_DEVICE $ac_have_decl ++_ACEOF ++if test $ac_have_decl = 1; then : ++ ++else ++ as_fn_error $? "Can not compile with blkid support, disable it by --disable-blkid." "$LINENO" 5 ++fi ++ac_fn_c_check_decl "$LINENO" "blkid_probe_filter_superblocks_type" "ac_cv_have_decl_blkid_probe_filter_superblocks_type" "#include ++" ++if test "x$ac_cv_have_decl_blkid_probe_filter_superblocks_type" = xyes; then : ++ ac_have_decl=1 ++else ++ ac_have_decl=0 ++fi ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_DECL_BLKID_PROBE_FILTER_SUPERBLOCKS_TYPE $ac_have_decl ++_ACEOF ++if test $ac_have_decl = 1; then : ++ ++else ++ as_fn_error $? "Can not compile with blkid support, disable it by --disable-blkid." "$LINENO" 5 ++fi ++ac_fn_c_check_decl "$LINENO" "blkid_do_safeprobe" "ac_cv_have_decl_blkid_do_safeprobe" "#include ++" ++if test "x$ac_cv_have_decl_blkid_do_safeprobe" = xyes; then : ++ ac_have_decl=1 ++else ++ ac_have_decl=0 ++fi ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_DECL_BLKID_DO_SAFEPROBE $ac_have_decl ++_ACEOF ++if test $ac_have_decl = 1; then : ++ ++else ++ as_fn_error $? "Can not compile with blkid support, disable it by --disable-blkid." "$LINENO" 5 ++fi ++ac_fn_c_check_decl "$LINENO" "blkid_do_probe" "ac_cv_have_decl_blkid_do_probe" "#include ++" ++if test "x$ac_cv_have_decl_blkid_do_probe" = xyes; then : ++ ac_have_decl=1 ++else ++ ac_have_decl=0 ++fi ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_DECL_BLKID_DO_PROBE $ac_have_decl ++_ACEOF ++if test $ac_have_decl = 1; then : ++ ++else ++ as_fn_error $? "Can not compile with blkid support, disable it by --disable-blkid." "$LINENO" 5 ++fi ++ac_fn_c_check_decl "$LINENO" "blkid_probe_lookup_value ++ " "ac_cv_have_decl_blkid_probe_lookup_value__________" "#include ++" ++if test "x$ac_cv_have_decl_blkid_probe_lookup_value__________" = xyes; then : ++ ac_have_decl=1 ++else ++ ac_have_decl=0 ++fi ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_DECL_BLKID_PROBE_LOOKUP_VALUE__________ $ac_have_decl ++_ACEOF ++if test $ac_have_decl = 1; then : ++ ++else ++ as_fn_error $? "Can not compile with blkid support, disable it by --disable-blkid." "$LINENO" 5 ++fi ++ ++fi ++ if test x$enable_blkid = xyes; then ++ HAVE_BLKID_TRUE= ++ HAVE_BLKID_FALSE='#' ++else ++ HAVE_BLKID_TRUE='#' ++ HAVE_BLKID_FALSE= ++fi ++ ++ + if test x$enable_static_cryptsetup = xyes; then + saved_PKG_CONFIG=$PKG_CONFIG + PKG_CONFIG="$PKG_CONFIG --static" +@@ -19043,6 +19260,7 @@ $as_echo "$systemd_tmpfilesdir" >&6; } + + + ++ + # Check whether --enable-dev-random was given. + if test "${enable_dev_random+set}" = set; then : + enableval=$enable_dev_random; default_rng=/dev/random +@@ -20146,6 +20364,10 @@ if test -z "${CRYPTO_INTERNAL_ARGON2_TRU + as_fn_error $? "conditional \"CRYPTO_INTERNAL_ARGON2\" was never defined. + Usually this means the macro was only invoked conditionally." "$LINENO" 5 + fi ++if test -z "${HAVE_BLKID_TRUE}" && test -z "${HAVE_BLKID_FALSE}"; then ++ as_fn_error $? "conditional \"HAVE_BLKID\" was never defined. ++Usually this means the macro was only invoked conditionally." "$LINENO" 5 ++fi + if test -z "${PYTHON_CRYPTSETUP_TRUE}" && test -z "${PYTHON_CRYPTSETUP_FALSE}"; then + as_fn_error $? "conditional \"PYTHON_CRYPTSETUP\" was never defined. + Usually this means the macro was only invoked conditionally." "$LINENO" 5 +diff -rupN cryptsetup-2.0.3.old/Makefile.in cryptsetup-2.0.3.new/Makefile.in +--- cryptsetup-2.0.3.old/Makefile.in 2019-08-27 18:30:14.223519187 +0200 ++++ cryptsetup-2.0.3.new/Makefile.in 2019-08-27 18:34:03.679475168 +0200 +@@ -270,7 +270,8 @@ am_libcryptsetup_la_OBJECTS = lib/libcry + lib/luks2/libcryptsetup_la-luks2_keyslot.lo \ + lib/luks2/libcryptsetup_la-luks2_keyslot_luks2.lo \ + lib/luks2/libcryptsetup_la-luks2_token_keyring.lo \ +- lib/luks2/libcryptsetup_la-luks2_token.lo ++ lib/luks2/libcryptsetup_la-luks2_token.lo \ ++ lib/libcryptsetup_la-utils_blkid.lo + libcryptsetup_la_OBJECTS = $(am_libcryptsetup_la_OBJECTS) + libcryptsetup_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ +@@ -308,12 +309,14 @@ am__cryptsetup_SOURCES_DIST = lib/utils_ + cryptsetup_OBJECTS = $(am_cryptsetup_OBJECTS) + @CRYPTSETUP_TRUE@cryptsetup_DEPENDENCIES = libcryptsetup.la + am__cryptsetup_reencrypt_SOURCES_DIST = lib/utils_crypt.c \ +- lib/utils_io.c src/utils_tools.c src/utils_password.c \ +- src/cryptsetup_reencrypt.c src/cryptsetup.h ++ lib/utils_io.c src/utils_tools.c lib/utils_loop.c \ ++ src/utils_password.c src/cryptsetup_reencrypt.c \ ++ src/cryptsetup.h + @REENCRYPT_TRUE@am_cryptsetup_reencrypt_OBJECTS = \ + @REENCRYPT_TRUE@ lib/utils_crypt.$(OBJEXT) \ + @REENCRYPT_TRUE@ lib/utils_io.$(OBJEXT) \ + @REENCRYPT_TRUE@ src/utils_tools.$(OBJEXT) \ ++@REENCRYPT_TRUE@ lib/utils_loop.$(OBJEXT) \ + @REENCRYPT_TRUE@ src/utils_password.$(OBJEXT) \ + @REENCRYPT_TRUE@ src/cryptsetup_reencrypt.$(OBJEXT) + cryptsetup_reencrypt_OBJECTS = $(am_cryptsetup_reencrypt_OBJECTS) +@@ -591,6 +594,8 @@ AUTOCONF = @AUTOCONF@ + AUTOHEADER = @AUTOHEADER@ + AUTOMAKE = @AUTOMAKE@ + AWK = @AWK@ ++BLKID_CFLAGS = @BLKID_CFLAGS@ ++BLKID_LIBS = @BLKID_LIBS@ + CC = @CC@ + CCDEPMODE = @CCDEPMODE@ + CFLAGS = @CFLAGS@ +@@ -846,6 +851,7 @@ libcryptsetup_la_LIBADD = \ + @CRYPTO_LIBS@ \ + @LIBARGON2_LIBS@ \ + @JSON_C_LIBS@ \ ++ @BLKID_LIBS@ \ + libcrypto_backend.la + + libcryptsetup_la_SOURCES = \ +@@ -908,7 +914,9 @@ libcryptsetup_la_SOURCES = \ + lib/luks2/luks2_token_keyring.c \ + lib/luks2/luks2_token.c \ + lib/luks2/luks2_internal.h \ +- lib/luks2/luks2.h ++ lib/luks2/luks2.h \ ++ lib/utils_blkid.c \ ++ lib/utils_blkid.h + + + # cryptsetup +@@ -1351,6 +1359,8 @@ lib/luks2/libcryptsetup_la-luks2_token_k + lib/luks2/$(am__dirstamp) lib/luks2/$(DEPDIR)/$(am__dirstamp) + lib/luks2/libcryptsetup_la-luks2_token.lo: lib/luks2/$(am__dirstamp) \ + lib/luks2/$(DEPDIR)/$(am__dirstamp) ++lib/libcryptsetup_la-utils_blkid.lo: lib/$(am__dirstamp) \ ++ lib/$(DEPDIR)/$(am__dirstamp) + + libcryptsetup.la: $(libcryptsetup_la_OBJECTS) $(libcryptsetup_la_DEPENDENCIES) $(EXTRA_libcryptsetup_la_DEPENDENCIES) + $(AM_V_CCLD)$(libcryptsetup_la_LINK) -rpath $(libdir) $(libcryptsetup_la_OBJECTS) $(libcryptsetup_la_LIBADD) $(LIBS) +@@ -1507,6 +1517,7 @@ distclean-compile: + @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-setup.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_benchmark.Plo@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_blkid.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_crypt.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_device_locking.Plo@am__quote@ +@@ -1991,6 +2002,13 @@ lib/luks2/libcryptsetup_la-luks2_token.l + @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ + @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -c -o lib/luks2/libcryptsetup_la-luks2_token.lo `test -f 'lib/luks2/luks2_token.c' || echo '$(srcdir)/'`lib/luks2/luks2_token.c + ++lib/libcryptsetup_la-utils_blkid.lo: lib/utils_blkid.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -MT lib/libcryptsetup_la-utils_blkid.lo -MD -MP -MF lib/$(DEPDIR)/libcryptsetup_la-utils_blkid.Tpo -c -o lib/libcryptsetup_la-utils_blkid.lo `test -f 'lib/utils_blkid.c' || echo '$(srcdir)/'`lib/utils_blkid.c ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) lib/$(DEPDIR)/libcryptsetup_la-utils_blkid.Tpo lib/$(DEPDIR)/libcryptsetup_la-utils_blkid.Plo ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='lib/utils_blkid.c' object='lib/libcryptsetup_la-utils_blkid.lo' libtool=yes @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -c -o lib/libcryptsetup_la-utils_blkid.lo `test -f 'lib/utils_blkid.c' || echo '$(srcdir)/'`lib/utils_blkid.c ++ + python/pycryptsetup_la-pycryptsetup.lo: python/pycryptsetup.c + @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(pycryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT python/pycryptsetup_la-pycryptsetup.lo -MD -MP -MF python/$(DEPDIR)/pycryptsetup_la-pycryptsetup.Tpo -c -o python/pycryptsetup_la-pycryptsetup.lo `test -f 'python/pycryptsetup.c' || echo '$(srcdir)/'`python/pycryptsetup.c + @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) python/$(DEPDIR)/pycryptsetup_la-pycryptsetup.Tpo python/$(DEPDIR)/pycryptsetup_la-pycryptsetup.Plo diff --git a/SOURCES/cryptsetup-new-avoid-rh-kernel-bug.patch b/SOURCES/cryptsetup-new-avoid-rh-kernel-bug.patch new file mode 100644 index 0000000..2e9a27f --- /dev/null +++ b/SOURCES/cryptsetup-new-avoid-rh-kernel-bug.patch @@ -0,0 +1,59 @@ +diff -rupN cryptsetup-2.0.3.old/lib/crypto_backend/crypto_cipher_kernel.c cryptsetup-2.0.3/lib/crypto_backend/crypto_cipher_kernel.c +--- cryptsetup-2.0.3.old/lib/crypto_backend/crypto_cipher_kernel.c 2018-04-17 09:20:35.000000000 +0200 ++++ cryptsetup-2.0.3/lib/crypto_backend/crypto_cipher_kernel.c 2018-05-07 14:13:45.176124062 +0200 +@@ -31,6 +31,7 @@ + #ifdef ENABLE_AF_ALG + + #include ++#include + + #ifndef AF_ALG + #define AF_ALG 38 +@@ -44,6 +45,36 @@ struct crypt_cipher { + int opfd; + }; + ++ ++static size_t pagesize(size_t defsize) ++{ ++ long r = sysconf(_SC_PAGESIZE); ++ return r < 0 ? defsize : (size_t)r; ++} ++ ++static int check_rh_kernel_version(void) ++{ ++ unsigned maj, mid, min, rel; ++ static struct utsname uts = {{ 0 }}; ++ size_t ps = pagesize(32768); ++ ++ if (ps < 32768) ++ return 0; ++ ++ if (!*uts.release && uname(&uts) < 0) ++ return -ENOTSUP; ++ /* ++ * RH kernels 3.10.0-185 and lower are affected by a crypto API kernel ++ * socket bug. The bug only manifests on archs with page size >= 32 KiB. ++ * ++ * For reference, see rhbz#1136075 ++ */ ++ if (sscanf(uts.release, "%u.%u.%u-%u", &maj, &mid, &min, &rel) == 4) ++ return (maj == 3 && mid == 10 && min == 0 && rel < 186) ? -ENOTSUP : 0; ++ ++ return -ENOTSUP; ++} ++ + /* + * ciphers + * +@@ -60,6 +91,9 @@ int crypt_cipher_init(struct crypt_ciphe + .salg_type = "skcipher", + }; + ++ if (check_rh_kernel_version()) ++ return -ENOTSUP; ++ + h = malloc(sizeof(*h)); + if (!h) + return -ENOMEM; +Binary files cryptsetup-2.0.3.old/lib/crypto_backend/.crypto_cipher_kernel.c.rej.swp and cryptsetup-2.0.3/lib/crypto_backend/.crypto_cipher_kernel.c.rej.swp differ diff --git a/SOURCES/cryptsetup-sector-size-detection.patch b/SOURCES/cryptsetup-sector-size-detection.patch new file mode 100644 index 0000000..a10bff0 --- /dev/null +++ b/SOURCES/cryptsetup-sector-size-detection.patch @@ -0,0 +1,13 @@ +--- cryptsetup-2.0.3.old/lib/libdevmapper.c 2018-05-03 18:30:59.000000000 +0200 ++++ cryptsetup-2.0.3/lib/libdevmapper.c 2018-06-19 20:01:10.263369754 +0200 +@@ -164,6 +164,10 @@ static void _dm_set_crypt_compat(unsigne + _dm_flags |= DM_CAPI_STRING_SUPPORTED; + } + ++ if (!_dm_satisfies_version(1, 15, 0, crypt_maj, crypt_min, crypt_patch) && ++ _dm_satisfies_version(1, 14, 5, crypt_maj, crypt_min, crypt_patch)) ++ _dm_flags |= DM_SECTOR_SIZE_SUPPORTED; ++ + _dm_crypt_checked = true; + } + diff --git a/SOURCES/cryptsetup-tests-device-test.patch b/SOURCES/cryptsetup-tests-device-test.patch new file mode 100644 index 0000000..ebc7186 --- /dev/null +++ b/SOURCES/cryptsetup-tests-device-test.patch @@ -0,0 +1,17 @@ +diff -rupN cryptsetup-2.0.3.old/tests/device-test cryptsetup-2.0.3/tests/device-test +--- cryptsetup-2.0.3.old/tests/device-test 2018-06-06 11:00:28.716305843 -0400 ++++ cryptsetup-2.0.3/tests/device-test 2018-06-06 11:00:37.036343168 -0400 +@@ -39,11 +39,12 @@ function dm_crypt_features() + + VER_MAJ=$(echo $VER_STR | cut -f 1 -d.) + VER_MIN=$(echo $VER_STR | cut -f 2 -d.) ++ VER_PAT=$(echo $VER_STR | cut -f 3 -d.) + + [ $VER_MAJ -lt 1 ] && return + [ $VER_MAJ -eq 1 -a $VER_MIN -lt 14 ] && return + DM_PERF_CPU=1 +- [ $VER_MAJ -eq 1 -a $VER_MIN -lt 17 ] && return ++ [ $VER_MAJ -eq 1 -a $VER_MIN -lt 15 -a $VER_PAT -lt 5 ] && return + DM_SECTOR_SIZE=1 + } + diff --git a/SPECS/cryptsetup.spec b/SPECS/cryptsetup.spec new file mode 100644 index 0000000..db7bfdf --- /dev/null +++ b/SPECS/cryptsetup.spec @@ -0,0 +1,757 @@ +%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} + +%if 0%{?fedora} +%if 0%{?fedora} >= 29 +Obsoletes: python2-cryptsetup +Obsoletes: cryptsetup-python3 +%global python2_enable 0 +%global python3_enable 0 +%else +%global python2_enable 1 +%global python3_enable 1 +%endif +%else +Obsoletes: cryptsetup-python3 +%global python3_enable 0 +%if 0%{?rhel} == 7 +%global python2_enable 1 +# Change to 1 when argon2 lands +%global libargon2_enable 0 +# Change to 1 when dm-integrity gets backported +%global integritysetup_enable 0 +%else +Obsoletes: cryptsetup-python +Obsoletes: python2-cryptsetup +%global python2_enable 0 +%endif +%endif + + +Summary: A utility for setting up encrypted disks +Name: cryptsetup +Version: 2.0.3 +Release: 6%{?dist} +License: GPLv2+ and LGPLv2+ +Group: Applications/System +URL: https://gitlab.com/cryptsetup/cryptsetup +BuildRequires: libgcrypt-devel, popt-devel, device-mapper-devel +BuildRequires: libgpg-error-devel, libuuid-devel, libsepol-devel +BuildRequires: libselinux-devel, gcc, libblkid-devel +%if %{python2_enable} +BuildRequires: python-devel +%endif +%if %{python3_enable} +BuildRequires: python3-devel +%endif +BuildRequires: libpwquality-devel, json-c-devel +%if 0%{?libargon2_enable} +BuildRequires: libargon2-devel +%endif +Provides: cryptsetup-luks = %{version}-%{release} +Obsoletes: cryptsetup-luks < 1.4.0 +Requires: cryptsetup-libs%{?_isa} = %{version}-%{release} +Requires: libpwquality >= 1.2.0 + +%define dracutmodulesdir %{_prefix}/lib/dracut/modules.d +%define upstream_version %{version} +%define upstream_version_old 1.7.4 +Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{upstream_version}.tar.xz +Source1: https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-%{upstream_version_old}.tar.xz +# contains test images only, original commit id 5a7535c +Source2: luks2_mda_images.tar.xz +# contains test images only, original commit id 177cb8b +Source3: luks2_valid_hdr.tar.xz +# version 1.7.4 only (all of it, up to next comment) +Patch0: %{name}-avoid-rh-kernel-bug.patch +Patch1: %{name}-1.7.5-fix-unaligned-access-to-hidden-truecrypt.patch +Patch2: %{name}-1.7.5-fix-luksformat-in-fips-mode.patch +Patch3: %{name}-1.7.6-fix-blockwise-access-functions-for-64k-page-size.patch +Patch4: %{name}-1.7.6-crypt_deactivate-fail-earlier-when-holders-detected.patch +# 2.0.x only +Patch5: %{name}-2.0.4-dracut-reencrypt.patch +Patch6: %{name}-new-avoid-rh-kernel-bug.patch +Patch7: %{name}-sector-size-detection.patch +Patch8: %{name}-tests-device-test.patch +Patch9: %{name}-argon2-fips.patch +Patch10: %{name}-2.0.4-zero-length-lseek-blockwise-i-o-should-return-zero.patch +Patch11: %{name}-2.0.4-fix-write_lseek_blockwise-for-in-the-middle-of-secto.patch +Patch12: %{name}-2.0.4-fix-write_blockwise-on-short-files.patch +Patch13: %{name}-2.0.4-add-blkid-utilities-for-fast-detection-of-device-sig.patch +Patch14: %{name}-2.0.4-make-LUKS2-auto-recovery-aware-of-device-signatures.patch +Patch15: %{name}-2.0.4-allow-LUKS2-repair-to-override-blkid-checks.patch +Patch16: %{name}-2.0.4-allow-explicit-LUKS2-repair.patch +Patch17: %{name}-2.0.4-update-crypt_repair-API-documentation-for-LUKS2.patch +Patch18: %{name}-2.0.4-allow-LUKS2-repair-with-disabled-locks.patch +# the configure patch must be applied last +Patch19: %{name}-configure.patch +Patch20: %{name}-2.0.4-update-cryptsetup-man-page-for-type-option-usage.patch +Patch21: %{name}-2.0.4-rephrase-error-message-for-invalid-type-param-in-con.patch +Patch22: %{name}-2.0.4-fix-LUKS2-api-test.patch +Patch23: %{name}-2.0.5-fix-miscalculation-of-device-alignment-offset.patch +Patch24: %{name}-2.0.5-remove-useless-division-followed-by-multiplication-b.patch +Patch25: %{name}-2.0.6-LUKS2-metadata-variation-fixes.patch +Patch26: %{name}-2.0.6-enable-all-supported-metadata-sizes-in-LUKS2-validat.patch +Patch27: %{name}-2.0.6-check-json-size-matches-value-from-binary-LUKS2-head.patch +Patch28: %{name}-2.0.6-test-cryptsetup-can-handle-all-LUKS2-metadata-varian.patch +Patch29: %{name}-2.0.6-do-not-validate-keyslot-areas-so-frantically.patch +Patch30: %{name}-2.0.6-reshuffle-config-and-keyslots-areas-validation-code.patch +Patch31: %{name}-2.0.6-fix-keyslot-areas-validation.patch +# keep validation tests up to date +Patch32: %{name}-2.1.0-sync-LUKS2-validation-tests.patch +Patch33: %{name}-2.2.1-reinstate-missing-backing-file-hint-for-loop-device.patch + +%if 0%{?fedora} >= 19 || 0%{?rhel} >= 7 +%define configure_cipher --enable-gcrypt-pbkdf2 +%else +%define configure_cipher --with-luks1-cipher=aes --with-luks1-mode=cbc-essiv:sha256 --with-luks1-keybits=256 +%endif + +%if 0%{?libargon2_enable} +%define configure_libargon2 --enable-libargon2 +%endif +%if 0%{?integritysetup_enable} +%define configure_integritysetup --enable-integritysetup +%else +%define configure_integritysetup --disable-integritysetup +%endif + +%description +The cryptsetup package contains a utility for setting up +disk encryption using dm-crypt kernel module. + +%package devel +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} +Requires: libgcrypt-devel > 1.1.42, device-mapper-devel, libuuid-devel +Requires: pkgconfig +Summary: Headers and libraries for using encrypted file systems +Provides: cryptsetup-luks-devel = %{version}-%{release} +Obsoletes: cryptsetup-luks-devel < 1.4.0 + +%description devel +The cryptsetup-devel package contains libraries and header files +used for writing code that makes use of disk encryption. + +%package libs +Group: System Environment/Libraries +Summary: Cryptsetup shared library +Provides: cryptsetup-luks-libs = %{version}-%{release} +Obsoletes: cryptsetup-luks-libs < 1.4.0 +Obsoletes: cryptsetup-reencrypt-libs < 1.6.5 +# Need support for empty password in gcrypt PBKDF2 +%if 0%{?fedora} >= 19 || 0%{?rhel} >= 7 +Requires: libgcrypt >= 1.5.3-3 +%endif + +%description libs +This package contains the cryptsetup shared library, libcryptsetup. + +%package -n veritysetup +Group: Applications/System +Summary: A utility for setting up dm-verity volumes +Requires: cryptsetup-libs = %{version}-%{release} + +%description -n veritysetup +The veritysetup package contains a utility for setting up +disk verification using dm-verity kernel module. + +%package reencrypt +Group: Applications/System +Summary: A utility for offline reencryption of LUKS encrypted disks. +Provides: cryptsetup-reencrypt = %{version}-%{release} +Obsoletes: cryptsetup-reencrypt < 1.6.5 +Requires: cryptsetup-libs = %{version}-%{release} + +%description reencrypt +This package contains cryptsetup-reencrypt utility which +can be used for offline reencryption of disk in situ. +Also includes dracut module required to perform reencryption +of device containing a root filesystem. + +%package python +Group: System Environment/Libraries +Summary: Python bindings for libcryptsetup +Requires: %{name}-libs = %{version}-%{release} +Provides: python-cryptsetup = %{version}-%{release} +Obsoletes: python-cryptsetup < 1.4.0 + +%description python +This package provides Python bindings for libcryptsetup, a library +for setting up disk encryption using dm-crypt kernel module. + +%if %{python3_enable} +%package python3 +Group: System Environment/Libraries +Summary: Python3 bindings for libcryptsetup +Requires: %{name}-libs = %{version}-%{release} +Provides: python3-cryptsetup = %{version}-%{release} + +%description python3 +This package provides Python bindings for libcryptsetup, a library +for setting up disk encryption using dm-crypt kernel module. +%endif + +%prep +%setup -q -n cryptsetup-%{upstream_version} +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 +%patch25 -p1 +%patch26 -p1 +%patch27 -p1 +%patch28 -p1 +%patch29 -p1 +%patch30 -p1 +%patch31 -p1 +%patch32 -p1 +%patch33 -p1 +# the configure patch (always last) +%patch19 -p1 +chmod -x python/pycryptsetup-test.py +chmod -x misc/dracut_90reencrypt/* +chmod +x tests/generators/generate-*.sh +%setup -T -a 2 -D -n cryptsetup-%{upstream_version}/tests +%setup -T -a 3 -D -n cryptsetup-%{upstream_version}/tests + +%if %{python3_enable} +# copy the whole directory for the python3 build +cp -a . %{py3dir} +%endif + +%setup -T -a 1 -D -n cryptsetup-%{upstream_version} +pushd cryptsetup-1.7.4 +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 + +%build +%configure --enable-fips --enable-pwquality --with-default-luks-format=LUKS1 %{?configure_cipher} %{?configure_libargon2} %{?configure_integritysetup} +pushd cryptsetup-1.7.4 +%configure --enable-python --enable-fips --enable-pwquality --disable-cryptsetup-reencrypt --disable-veritysetup %{?configure_cipher} +# remove rpath +sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool +sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool +make %{?_smp_mflags} +popd +# remove rpath +sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool +sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool +make %{?_smp_mflags} + +%if %{python3_enable} +pushd %{py3dir} +%configure --enable-python --with-python_version=3 +make %{?_smp_mflags} +popd +%endif + +%install +pushd cryptsetup-1.7.4 +make install DESTDIR=%{buildroot} +popd +make install DESTDIR=%{buildroot} +rm -rf %{buildroot}/%{_libdir}/*.la + +%if %{python3_enable} +pushd %{py3dir} +make install DESTDIR=%{buildroot} +rm -rf %{buildroot}/%{_libdir}/*.la +popd +%endif + +%find_lang cryptsetup + +install -d -m755 %{buildroot}/%{dracutmodulesdir}/90reencrypt +install -m755 misc/dracut_90reencrypt/module-setup.sh %{buildroot}/%{dracutmodulesdir}/90reencrypt +install -m755 misc/dracut_90reencrypt/parse-reencrypt.sh %{buildroot}/%{dracutmodulesdir}/90reencrypt +install -m755 misc/dracut_90reencrypt/reencrypt.sh %{buildroot}/%{dracutmodulesdir}/90reencrypt +install -m755 misc/dracut_90reencrypt/reencrypt-verbose.sh %{buildroot}/%{dracutmodulesdir}/90reencrypt + +%post -n cryptsetup-libs -p /sbin/ldconfig + +%postun -n cryptsetup-libs -p /sbin/ldconfig + +%files +%{!?_licensedir:%global license %%doc} +%license COPYING +%doc AUTHORS FAQ docs/*ReleaseNotes +%{_mandir}/man8/cryptsetup.8.gz +%{_sbindir}/cryptsetup + +%files -n veritysetup +%{!?_licensedir:%global license %%doc} +%license COPYING +%{_mandir}/man8/veritysetup.8.gz +%{_sbindir}/veritysetup + +%if %{integritysetup_enable} +%files -n integritysetup +%{!?_licensedir:%global license %%doc} +%license COPYING +%{_mandir}/man8/integritysetup.8.gz +%{_sbindir}/integritysetup +%endif + +%files reencrypt +%{!?_licensedir:%global license %%doc} +%license COPYING +%doc misc/dracut_90reencrypt/README +%{_mandir}/man8/cryptsetup-reencrypt.8.gz +%{_sbindir}/cryptsetup-reencrypt +%{dracutmodulesdir}/90reencrypt +%{dracutmodulesdir}/90reencrypt/* + +%files devel +%doc docs/examples/* +%{_includedir}/libcryptsetup.h +%{_libdir}/libcryptsetup.so +%{_libdir}/pkgconfig/libcryptsetup.pc + +%files libs -f cryptsetup.lang +%{!?_licensedir:%global license %%doc} +%license COPYING COPYING.LGPL +%{_libdir}/libcryptsetup.so.* +%{_tmpfilesdir}/cryptsetup.conf +%ghost %attr(700, -, -) %dir /run/cryptsetup + +%files python +%{!?_licensedir:%global license %%doc} +%license COPYING.LGPL +%doc python/pycryptsetup-test.py +%exclude %{python_sitearch}/pycryptsetup.la +%{python_sitearch}/pycryptsetup.so + +%if %{python3_enable} +%files python3 +%{!?_licensedir:%global license %%doc} +%license COPYING.LGPL +%doc python/pycryptsetup-test.py +%exclude %{python3_sitearch}/pycryptsetup.la +%{python3_sitearch}/pycryptsetup.so +%endif + +%clean + +%changelog +* Tue Aug 27 2019 Ondrej Kozina - 2.0.3-6 +- patch: Reinstate missing backing file hint for loop device + during unlock. +- Resolves: #1726287 + +* Wed Apr 03 2019 Ondrej Kozina - 2.0.3-5 +- patch: calculate alignment offset correctly for LUKS2 devices. +- patch: fix memory leak in LUKS2 validation. +- Resolves: #1613953 #1693592 + +* Wed Mar 27 2019 Ondrej Kozina - 2.0.3-4 +- patch: Fix broken LUKS2 api test. +- patch: Allow cryptsetup to process all LUKS2 metadata variants + according to LUKS2 specifiation. +- Resolves: #1653388 + +* Tue Jul 31 2018 Ondrej Kozina - 2.0.3-3 +- Add expected permissions explicitly for locking directory. +- Reinstate sed script removing library rpath from libtool + script due to bug in upstream sources distribution. +- Resolves: #1609847 #1610379 + +* Mon Jul 16 2018 Ondrej Kozina - 2.0.3-2 +- patch: stop LUKS2 auto-recovery if device is no longer LUKS + type +- patch: update cryptsetup man page for --type option +- patch: rephrase error message for invalid --type option in + convert action +- Resolves: #1599281 #1601477 #1601481 + +* Wed Jun 20 2018 Ondrej Kozina - 2.0.3-1 +- Update to cryptsetup 2.0.3. +- Resolves: #1475904 #1380347 #1416174 #1536105 #1574239 + +* Thu Oct 19 2017 Ondrej Kozina - 1.7.4-4 +- patch: fix regression in blockwise functions +- patch: avoid repeating error messages when device holders + detected. +- patch: add option to cryptsetup-reencrypt to print progress + log sequentaly +- patch: use --progress-frequency in reencryption dracut module +- Resolves: #1480006 #1447632 #1479857 + +* Tue Apr 25 2017 Ondrej Kozina - 1.7.4-3 +- patch: fix luksFormat failure while running in FIPS mode. +- Resolves: #1444137 + +* Tue Apr 04 2017 Ondrej Kozina - 1.7.4-2 +- patch: fix access to unaligned hidden TrueCrypt header. +- Resolves: #1435543 + +* Wed Mar 15 2017 Ondrej Kozina - 1.7.4-1 +- Update to cryptsetup 1.7.4. +- Resolves: #1381273 + +* Tue Jun 7 2016 Ondrej Kozina - 1.7.2-1 +- Update to cryptsetup 1.7.2. +- Resolves: #1302022 #1070825 + +* Thu Jun 18 2015 Ondrej Kozina - 1.6.7-1 +- Update to cryptsetup 1.6.7. +- patch: avoid use of kernel crypto API socket which is known + to be broken in RHEL7.0 kernel (7.1+ is fine). +- Resolves: #1206170 + +* Thu Dec 18 2014 Ondrej Kozina - 1.6.6-3 +- drop FIPS power on self test and library checksum +- Resolves: #1158897 + +* Mon Sep 29 2014 Ondrej Kozina - 1.6.6-2 +- patch: fix failures related to reencrypt log files +- Resolves: #1140199 + +* Mon Sep 8 2014 Ondrej Kozina - 1.6.6-1 +- Update to cryptsetup 1.6.6. +- Resolves: #1117372 #1038097 + +* Fri Jan 24 2014 Daniel Mach - 1.6.3-2 +- Mass rebuild 2014-01-24 + +* Mon Jan 6 2014 Ondrej Kozina - 1.6.3-1 +- Update to cryptsetup 1.6.3. +- various fixes related to block devices with 4KiB sectors +- enable reencryption using specific keyslot (dracut module) +- fix failure in reading last keyslot from external LUKS header +- update FIPS POST to be complaint with actual requirements +- fix hash limiting if parameter is not numeric +- Resolves: #1028362 #1029032 #1029406 #1030288 #1034388 #1038097 + +* Fri Dec 27 2013 Daniel Mach - 1.6.2-3 +- Mass rebuild 2013-12-27 + +* Tue Nov 5 2013 Ondrej Kozina - 1.6.2-2 +- 90reencrypt: Move conflict with 90crypt to install() section. +- 90reencrypt: Drop to emergency_shell after successful reencryption. +- Resolves: #1021593 + +* Mon Oct 14 2013 Ondrej Kozina - 1.6.2-1 +- Update to cryptsetup 1.6.2. +- Add dracut module for cryptsetup-reencrypt (90reencrypt). +- 90reencrypt: Rename dracut parameteres to be compliant with actual naming guidance. +- 90reencrypt: Install and load loop kernel module. +- 90reencrypt: Fix lock file name. +- 90reencrypt: Add conflict with 90crypt dracut module (more info in #1010287) +- Resolves: #1010278 #1010287 + +* Sun Mar 31 2013 Milan Broz - 1.6.1-1 +- Update to cryptsetup 1.6.1. +- Install ReleaseNotes files instead of empty Changelog file. + +* Wed Feb 13 2013 Fedora Release Engineering - 1.6.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Mon Jan 14 2013 Milan Broz - 1.6.0-1 +- Update to cryptsetup 1.6.0. +- Change default LUKS encryption mode to aes-xts-plain64 (AES128). +- Force use of gcrypt PBKDF2 instead of internal implementation. + +* Sat Dec 29 2012 Milan Broz - 1.6.0-0.1 +- Update to cryptsetup 1.6.0-rc1. +- Relax license to GPLv2+ according to new release. +- Compile cryptsetup with libpwquality support. + +* Tue Oct 16 2012 Milan Broz - 1.5.1-1 +- Update to cryptsetup 1.5.1. + +* Wed Jul 18 2012 Fedora Release Engineering - 1.5.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Tue Jul 10 2012 Milan Broz - 1.5.0-1 +- Update to cryptsetup 1.5.0. + +* Wed Jun 20 2012 Milan Broz - 1.5.0-0.2 +- Update to cryptsetup 1.5.0-rc2. +- Add cryptsetup-reencrypt subpackage. + +* Mon Jun 11 2012 Milan Broz - 1.5.0-0.1 +- Update to cryptsetup 1.5.0-rc1. +- Add veritysetup subpackage. +- Move localization files to libs subpackage. + +* Thu May 31 2012 Milan Broz - 1.4.3-2 +- Build with fipscheck (verification in fips mode). +- Clean up spec file, use install to /usr. + +* Thu May 31 2012 Milan Broz - 1.4.3-1 +- Update to cryptsetup 1.4.3. + +* Thu Apr 12 2012 Milan Broz - 1.4.2-1 +- Update to cryptsetup 1.4.2. + +* Fri Jan 13 2012 Fedora Release Engineering - 1.4.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Wed Nov 09 2011 Milan Broz - 1.4.1-1 +- Update to cryptsetup 1.4.1. +- Add Python cryptsetup bindings. +- Obsolete separate python-cryptsetup package. + +* Wed Oct 26 2011 Milan Broz - 1.4.0-1 +- Update to cryptsetup 1.4.0. + +* Mon Oct 10 2011 Milan Broz - 1.4.0-0.1 +- Update to cryptsetup 1.4.0-rc1. +- Rename package back from cryptsetup-luks to cryptsetup. + +* Wed Jun 22 2011 Milan Broz - 1.3.1-2 +- Fix return code for status command when device doesn't exist. + +* Tue May 24 2011 Milan Broz - 1.3.1-1 +- Update to cryptsetup 1.3.1. + +* Tue Apr 05 2011 Milan Broz - 1.3.0-1 +- Update to cryptsetup 1.3.0. + +* Tue Mar 22 2011 Milan Broz - 1.3.0-0.2 +- Update to cryptsetup 1.3.0-rc2 + +* Mon Mar 14 2011 Milan Broz - 1.3.0-0.1 +- Update to cryptsetup 1.3.0-rc1 + +* Tue Feb 08 2011 Fedora Release Engineering - 1.2.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Dec 20 2010 Milan Broz - 1.2.0-1 +- Update to cryptsetup 1.2.0 + +* Thu Nov 25 2010 Milan Broz - 1.2.0-0.2 +- Fix crypt_activate_by_keyfile() to work with PLAIN devices. + +* Tue Nov 16 2010 Milan Broz - 1.2.0-0.1 +- Add FAQ to documentation. +- Update to cryptsetup 1.2.0-rc1 + +* Sat Jul 03 2010 Milan Broz - 1.1.3-1 +- Update to cryptsetup 1.1.3 + +* Mon Jun 07 2010 Milan Broz - 1.1.2-2 +- Fix alignment ioctl use. +- Fix API activation calls to handle NULL device name. + +* Sun May 30 2010 Milan Broz - 1.1.2-1 +- Update to cryptsetup 1.1.2 +- Fix luksOpen handling of new line char on stdin. + +* Sun May 23 2010 Milan Broz - 1.1.1-1 +- Update to cryptsetup 1.1.1 +- Fix luksClose for stacked LUKS/LVM devices. + +* Mon May 03 2010 Milan Broz - 1.1.1-0.2 +- Update to cryptsetup 1.1.1-rc2. + +* Sat May 01 2010 Milan Broz - 1.1.1-0.1 +- Update to cryptsetup 1.1.1-rc1. + +* Sun Jan 17 2010 Milan Broz - 1.1.0-1 +- Update to cryptsetup 1.1.0. + +* Fri Jan 15 2010 Milan Broz - 1.1.0-0.6 +- Fix gcrypt initialisation. +- Fix backward compatibility for hash algorithm (uppercase). + +* Wed Dec 30 2009 Milan Broz - 1.1.0-0.5 +- Update to cryptsetup 1.1.0-rc4 + +* Mon Nov 16 2009 Milan Broz - 1.1.0-0.4 +- Update to cryptsetup 1.1.0-rc3 + +* Thu Oct 01 2009 Milan Broz - 1.1.0-0.3 +- Update to cryptsetup 1.1.0-rc2 +- Fix libcryptsetup to properly export only versioned symbols. + +* Tue Sep 29 2009 Milan Broz - 1.1.0-0.2 +- Update to cryptsetup 1.1.0-rc1 +- Add luksHeaderBackup and luksHeaderRestore commands. + +* Fri Sep 11 2009 Milan Broz - 1.1.0-0.1 +- Update to new upstream testing version with new API interface. +- Add luksSuspend and luksResume commands. +- Introduce pkgconfig. + +* Fri Jul 24 2009 Fedora Release Engineering - 1.0.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Jul 22 2009 Milan Broz - 1.0.7-1 +- Update to upstream final release. +- Split libs subpackage. +- Remove rpath setting from cryptsetup binary. + +* Wed Jul 15 2009 Till Maas - 1.0.7-0.2 +- update BR because of libuuid splitout from e2fsprogs + +* Mon Jun 22 2009 Milan Broz - 1.0.7-0.1 +- Update to new upstream 1.0.7-rc1. + +- Wipe old fs headers to not confuse blkid (#468062) +* Tue Feb 24 2009 Fedora Release Engineering - 1.0.6-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Thu Oct 30 2008 Milan Broz - 1.0.6-6 +- Wipe old fs headers to not confuse blkid (#468062) + +* Tue Sep 23 2008 Milan Broz - 1.0.6-5 +- Change new project home page. +- Print more descriptive messages for initialization errors. +- Refresh patches to versions commited upstream. + +* Sat Sep 06 2008 Milan Broz - 1.0.6-4 +- Fix close of zero decriptor. +- Fix udevsettle delays - use temporary crypt device remapping. + +* Wed May 28 2008 Till Maas - 1.0.6-3 +- remove a duplicate sentence from the manpage (RH #448705) +- add patch metadata about upstream status + +* Tue Apr 15 2008 Bill Nottinghm - 1.0.6-2 +- Add the device to the luksOpen prompt (#433406) +- Use iconv, not recode (#442574) + +* Thu Mar 13 2008 Till Maas - 1.0.6-1 +- Update to latest version +- remove patches that have been merged upstream + +* Mon Mar 03 2008 Till Maas - 1.0.6-0.1.pre2 +- Update to new version with several bugfixes +- remove patches that have been merged upstream +- add patch from cryptsetup newsgroup +- fix typo / missing luksRemoveKey in manpage (patch) + +* Tue Feb 19 2008 Fedora Release Engineering - 1.0.5-9 +- Autorebuild for GCC 4.3 + +* Sat Jan 19 2008 Peter Jones - 1.0.5-8 +- Rebuild for broken deps. + +* Thu Aug 30 2007 Till Maas - 1.0.5-7 +- update URL +- update license tag +- recode ChangeLog from latin1 to uf8 +- add smp_mflags to make + +* Fri Aug 24 2007 Till Maas - 1.0.5-6 +- cleanup BuildRequires: +- removed versions, packages in Fedora are new enough +- changed popt to popt-devel + +* Thu Aug 23 2007 Till Maas - 1.0.5-5 +- fix devel subpackage requires +- remove empty NEWS README +- remove uneeded INSTALL +- remove uneeded ldconfig requires +- add readonly detection patch + +* Wed Aug 08 2007 Till Maas - 1.0.5-4 +- disable patch2, libsepol is now detected by configure +- move libcryptsetup.so to %%{_libdir} instead of /%%{_lib} + +* Fri Jul 27 2007 Till Maas - 1.0.5-3 +- Use /%%{_lib} instead of /lib to use /lib64 on 64bit archs + +* Thu Jul 26 2007 Till Maas - 1.0.5-2 +- Use /lib as libdir (#243228) +- sync header and library (#215349) +- do not use %%makeinstall (recommended by PackageGuidelines) +- select sbindir with %%configure instead with make +- add TODO + +* Wed Jun 13 2007 Jeremy Katz - 1.0.5-1 +- update to 1.0.5 + +* Mon Jun 04 2007 Peter Jones - 1.0.3-5 +- Don't build static any more. + +* Mon Feb 05 2007 Alasdair Kergon - 1.0.3-4 +- Add build dependency on new device-mapper-devel package. +- Add preun and post ldconfig requirements. +- Update BuildRoot. + +* Wed Nov 1 2006 Peter Jones - 1.0.3-3 +- Require newer libselinux (#213414) + +* Wed Jul 12 2006 Jesse Keating - 1.0.3-2.1 +- rebuild + +* Wed Jun 7 2006 Jeremy Katz - 1.0.3-2 +- put shared libs in the right subpackages + +* Fri Apr 7 2006 Bill Nottingham 1.0.3-1 +- update to final 1.0.3 + +* Mon Feb 27 2006 Bill Nottingham 1.0.3-0.rc2 +- update to 1.0.3rc2, fixes bug with HAL & encrypted devices (#182658) + +* Wed Feb 22 2006 Bill Nottingham 1.0.3-0.rc1 +- update to 1.0.3rc1, reverts changes to default encryption type + +* Tue Feb 21 2006 Bill Nottingham 1.0.2-1 +- update to 1.0.2, fix incompatiblity with old cryptsetup (#176726) + +* Mon Feb 20 2006 Karsten Hopp 1.0.1-5 +- BuildRequires: libselinux-devel + +* Fri Feb 10 2006 Jesse Keating - 1.0.1-4.2.1 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 1.0.1-4.2 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Mon Dec 5 2005 Bill Nottingham 1.0.1-4 +- rebuild against new libdevmapper + +* Thu Oct 13 2005 Florian La Roche +- add -lsepol to rebuild on current fc5 + +* Mon Aug 22 2005 Karel Zak 1.0.1-2 +- fix cryptsetup help for isLuks action + +* Fri Jul 1 2005 Bill Nottingham 1.0.1-1 +- update to 1.0.1 - fixes incompatiblity with previous cryptsetup for + piped passwords + +* Thu Jun 16 2005 Bill Nottingham 1.0-2 +- add patch for 32/64 bit compatibility (#160445, ) + +* Tue Mar 29 2005 Bill Nottingham 1.0-1 +- update to 1.0 + +* Thu Mar 10 2005 Bill Nottingham 0.993-1 +- switch to cryptsetup-luks, for LUKS support + +* Tue Oct 12 2004 Bill Nottingham 0.1-4 +- oops, make that *everything* static (#129926) + +* Tue Aug 31 2004 Bill Nottingham 0.1-3 +- link some things static, move to /sbin (#129926) + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Fri Apr 16 2004 Bill Nottingham 0.1-1 +- initial packaging