diff --git a/.cryptsetup.metadata b/.cryptsetup.metadata
index 6107d6a..c725069 100644
--- a/.cryptsetup.metadata
+++ b/.cryptsetup.metadata
@@ -1 +1,2 @@
 1f06d268aee0adff931a39fe6709af7804e4f4f6 SOURCES/cryptsetup-1.7.4.tar.xz
+d24bdd0d55be8b27769b07531950ffe60589274b SOURCES/cryptsetup-2.0.3.tar.xz
diff --git a/.gitignore b/.gitignore
index 83bb1c4..3eb9f13 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 SOURCES/cryptsetup-1.7.4.tar.xz
+SOURCES/cryptsetup-2.0.3.tar.xz
diff --git a/SOURCES/cryptsetup-1.7.6-cryptsetup-reencrypt-progress-frequency-parameter.patch b/SOURCES/cryptsetup-1.7.6-cryptsetup-reencrypt-progress-frequency-parameter.patch
deleted file mode 100644
index 75ac6b3..0000000
--- a/SOURCES/cryptsetup-1.7.6-cryptsetup-reencrypt-progress-frequency-parameter.patch
+++ /dev/null
@@ -1,78 +0,0 @@ -diff -rupN cryptsetup-1.7.4.bcp/man/cryptsetup-reencrypt.8 cryptsetup-1.7.4/man/cryptsetup-reencrypt.8 ---- cryptsetup-1.7.4.bcp/man/cryptsetup-reencrypt.8 2017-10-18 11:39:01.697902733 +0200 -+++ cryptsetup-1.7.4/man/cryptsetup-reencrypt.8 2017-10-18 13:31:15.944930492 +0200 -@@ -38,7 +38,7 @@ To start (or continue) re-encryption for - \-\-device-size, \-\-hash, \-\-iter-time, \-\-use-random | \-\-use-urandom, - \-\-keep-key, \-\-key-size, \-\-key-file, \-\-key-slot, \-\-keyfile-offset, - \-\-keyfile-size, \-\-tries, \-\-use-directio, \-\-use-fsync, \-\-verbose, \-\-write-log, --\-\-uuid] -+\-\-uuid, \-\-progress-frequency] - - To encrypt data on (not yet encrypted) device, use \fI\-\-new\fR with combination - with \fI\-\-reduce-device-size\fR. -@@ -190,6 +190,9 @@ of the interrupted decryption process. - .B "\-\-batch-mode, \-q" - Suppresses all warnings and reencryption progress output. - .TP -+.B "\-\-progress-frequency " -+Print separate line every with reencryption progress. -+.TP - .B "\-\-version" - Show the program version. 
- .SH RETURN CODES -diff -rupN cryptsetup-1.7.4.bcp/src/cryptsetup_reencrypt.c cryptsetup-1.7.4/src/cryptsetup_reencrypt.c ---- cryptsetup-1.7.4.bcp/src/cryptsetup_reencrypt.c 2017-10-18 11:39:01.697902733 +0200 -+++ cryptsetup-1.7.4/src/cryptsetup_reencrypt.c 2017-10-18 15:10:24.219013071 +0200 -@@ -51,6 +51,7 @@ static int opt_key_size = 0; - static int opt_new = 0; - static int opt_keep_key = 0; - static int opt_decrypt = 0; -+static int opt_progress_frequency = 0; - - static const char *opt_reduce_size_str = NULL; - static uint64_t opt_reduce_size = 0; -@@ -665,10 +666,18 @@ static void print_progress(struct reenc_ - { - unsigned long long mbytes, eta; - struct timeval now_time; -- double tdiff, mib; -+ double tdiff, mib, frequency; -+ char *eol = ""; - - gettimeofday(&now_time, NULL); -- if (!final && time_diff(rc->end_time, now_time) < 0.5) -+ if (opt_progress_frequency) -+ frequency = (double)opt_progress_frequency; -+ else -+ frequency = 0.5; -+ if (final || opt_progress_frequency) -+ eol = "\n"; -+ -+ if (!final && time_diff(rc->end_time, now_time) < frequency) - return; - - rc->end_time = now_time; -@@ -689,12 +698,12 @@ static void print_progress(struct reenc_ - eta = (unsigned long long)(rc->device_size / 1024 / 1024 / mib - tdiff); - - /* vt100 code clear line */ -- log_err("\33[2K\r"); -+ if (!opt_progress_frequency) -+ log_err("\33[2K\r"); - log_err(_("Progress: %5.1f%%, ETA %02llu:%02llu, " - "%4llu MiB written, speed %5.1f MiB/s%s"), - (double)bytes / rc->device_size * 100, -- eta / 60, eta % 60, mbytes, mib, -- final ? 
"\n" :""); -+ eta / 60, eta % 60, mbytes, mib, eol); - } - - static ssize_t read_buf(int fd, void *buf, size_t count) -@@ -1316,6 +1325,7 @@ int main(int argc, const char **argv) - { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL }, - { "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") }, - { "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL }, -+ { "progress-frequency",'\0', POPT_ARG_INT, &opt_progress_frequency, 0, N_("Progress line update (in seconds)"), N_("secs") }, - { "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL }, - { "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL }, - { "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL }, diff --git a/SOURCES/cryptsetup-1.7.6-dracut-reencrypt-add-progress-frequency.patch b/SOURCES/cryptsetup-1.7.6-dracut-reencrypt-add-progress-frequency.patch deleted file mode 100644 index 39cf514..0000000 --- a/SOURCES/cryptsetup-1.7.6-dracut-reencrypt-add-progress-frequency.patch +++ /dev/null 
@@ -1,25 +0,0 @@
-From 4e275e6da4b61e1d5c978c9726d695476629cb94 Mon Sep 17 00:00:00 2001
-From: Ondrej Kozina
-Date: Wed, 18 Oct 2017 09:57:03 +0200
-Subject: [PATCH] dracut-reencrypt: add --progress-frequency parameter
-
----
- misc/dracut_90reencrypt/reencrypt.sh | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/misc/dracut_90reencrypt/reencrypt.sh b/misc/dracut_90reencrypt/reencrypt.sh
-index e6f87e0..b4960d7 100755
---- a/misc/dracut_90reencrypt/reencrypt.sh
-+++ b/misc/dracut_90reencrypt/reencrypt.sh
-@@ -18,7 +18,7 @@ else
- device="$1"
- fi
-
--PARAMS="$device -T 1 --use-fsync -B 32"
-+PARAMS="$device -T 1 --use-fsync --progress-frequency 5 -B 32"
- if [ "$3" != "any" ]; then
- PARAMS="$PARAMS -S $3"
- fi
---
-1.8.3.1
-
diff --git a/SOURCES/cryptsetup-2.0.4-add-blkid-utilities-for-fast-detection-of-device-sig.patch b/SOURCES/cryptsetup-2.0.4-add-blkid-utilities-for-fast-detection-of-device-sig.patch
new file mode 100644
index 0000000..16a3ed6
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-add-blkid-utilities-for-fast-detection-of-device-sig.patch
@@ -0,0 +1,306 @@ +From 12d00da84239c3dcc4560dc60a0c36d534908cc0 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Wed, 4 Jul 2018 15:39:11 +0200 +Subject: [PATCH 1/6] Add blkid utilities for fast detection of device + signatures. + +--- + configure.ac | 21 ++++++++ + lib/Makemodule.am | 5 +- + lib/utils_blkid.c | 158 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ + lib/utils_blkid.h | 48 +++++++++++++++++ + 4 files changed, 231 insertions(+), 1 deletion(-) + create mode 100644 lib/utils_blkid.c + create mode 100644 lib/utils_blkid.h + +diff --git a/configure.ac b/configure.ac +index 05da6d6..31508d0 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -415,6 +415,26 @@ if test x$enable_internal_argon2 = xyes ; then + fi + AM_CONDITIONAL(CRYPTO_INTERNAL_ARGON2, test x$enable_internal_argon2 = xyes) + ++dnl Link with blkid to check for other device types ++AC_ARG_ENABLE(blkid, AS_HELP_STRING([--disable-blkid], ++ [disable use of blkid for device signature detection and wiping.]), [], [enable_blkid=yes]) ++ ++if test x$enable_blkid = xyes ; then ++ PKG_CHECK_MODULES([BLKID], [blkid],[AC_DEFINE([HAVE_BLKID], 1, [Define to 1 to use blkid for detection of disk signatures.])],[LIBBLKID_LIBS="-lblkid"]) ++ ++ AC_CHECK_HEADERS(blkid/blkid.h,,[AC_MSG_ERROR([You need blkid development library installed.])]) ++ AC_CHECK_DECLS([ blkid_reset_probe, ++ blkid_probe_set_device, ++ blkid_probe_filter_superblocks_type, ++ blkid_do_safeprobe, ++ blkid_do_probe, ++ blkid_probe_lookup_value ++ ],, ++ [AC_MSG_ERROR([Can not compile with blkid support, disable it by --disable-blkid.])], ++ [#include ]) ++fi ++AM_CONDITIONAL(HAVE_BLKID, test x$enable_blkid = xyes) ++ + dnl Magic for cryptsetup.static build. 
+ if test x$enable_static_cryptsetup = xyes; then + saved_PKG_CONFIG=$PKG_CONFIG +@@ -465,6 +485,7 @@ AC_SUBST([CRYPTO_STATIC_LIBS]) + + AC_SUBST([JSON_C_LIBS]) + AC_SUBST([LIBARGON2_LIBS]) ++AC_SUBST([BLKID_LIBS]) + + AC_SUBST([LIBCRYPTSETUP_VERSION]) + AC_SUBST([LIBCRYPTSETUP_VERSION_INFO]) +diff --git a/lib/Makemodule.am b/lib/Makemodule.am +index 5e20039..26178b8 100644 +--- a/lib/Makemodule.am ++++ b/lib/Makemodule.am +@@ -30,6 +30,7 @@ libcryptsetup_la_LIBADD = \ + @CRYPTO_LIBS@ \ + @LIBARGON2_LIBS@ \ + @JSON_C_LIBS@ \ ++ @BLKID_LIBS@ \ + libcrypto_backend.la + + libcryptsetup_la_SOURCES = \ +@@ -92,4 +93,6 @@ libcryptsetup_la_SOURCES = \ + lib/luks2/luks2_token_keyring.c \ + lib/luks2/luks2_token.c \ + lib/luks2/luks2_internal.h \ +- lib/luks2/luks2.h ++ lib/luks2/luks2.h \ ++ lib/utils_blkid.c \ ++ lib/utils_blkid.h +diff --git a/lib/utils_blkid.c b/lib/utils_blkid.c +new file mode 100644 +index 0000000..7425bc5 +--- /dev/null ++++ b/lib/utils_blkid.c +@@ -0,0 +1,158 @@ ++/* ++ * blkid probe utilities ++ * ++ * Copyright (C) 2018, Red Hat, Inc. All rights reserved. ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License ++ * as published by the Free Software Foundation; either version 2 ++ * of the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
++ */ ++ ++#include ++#include ++#include ++#include ++#include ++ ++#include "utils_blkid.h" ++ ++#ifdef HAVE_BLKID ++#include ++struct blkid_handle { ++ int fd; ++ blkid_probe pr; ++}; ++#endif ++ ++void blk_set_chains_for_fast_detection(struct blkid_handle *h) ++{ ++#ifdef HAVE_BLKID ++ blkid_probe_enable_partitions(h->pr, 1); ++ blkid_probe_set_partitions_flags(h->pr, 0); ++ ++ blkid_probe_enable_superblocks(h->pr, 1); ++ blkid_probe_set_superblocks_flags(h->pr, BLKID_SUBLKS_TYPE); ++#endif ++} ++ ++int blk_init_by_path(struct blkid_handle **h, const char *path) ++{ ++ int r = -ENOTSUP; ++#ifdef HAVE_BLKID ++ struct blkid_handle *tmp = malloc(sizeof(*tmp)); ++ if (!tmp) ++ return -ENOMEM; ++ ++ tmp->fd = -1; ++ ++ tmp->pr = blkid_new_probe_from_filename(path); ++ if (!tmp->pr) { ++ free(tmp); ++ return -EINVAL; ++ } ++ ++ *h = tmp; ++ ++ r = 0; ++#endif ++ return r; ++} ++ ++int blk_superblocks_filter_luks(struct blkid_handle *h) ++{ ++ int r = -ENOTSUP; ++#ifdef HAVE_BLKID ++ char *luks_filter[] = { ++ "crypto_LUKS", ++ NULL ++ }; ++ r = blkid_probe_filter_superblocks_type(h->pr, BLKID_FLTR_NOTIN, luks_filter); ++#endif ++ return r; ++} ++ ++blk_probe_status blk_safeprobe(struct blkid_handle *h) ++{ ++ int r = -1; ++#ifdef HAVE_BLKID ++ r = blkid_do_safeprobe(h->pr); ++#endif ++ switch (r) { ++ case -2: ++ return PRB_AMBIGUOUS; ++ case 1: ++ return PRB_EMPTY; ++ case 0: ++ return PRB_OK; ++ default: ++ return PRB_FAIL; ++ } ++} ++ ++int blk_is_partition(struct blkid_handle *h) ++{ ++ int r = 0; ++#ifdef HAVE_BLKID ++ r = blkid_probe_has_value(h->pr, "PTTYPE"); ++#endif ++ return r; ++} ++ ++int blk_is_superblock(struct blkid_handle *h) ++{ ++ int r = 0; ++#ifdef HAVE_BLKID ++ r = blkid_probe_has_value(h->pr, "TYPE"); ++#endif ++ return r; ++} ++ ++const char *blk_get_partition_type(struct blkid_handle *h) ++{ ++ const char *value = NULL; ++#ifdef HAVE_BLKID ++ (void) blkid_probe_lookup_value(h->pr, "PTTYPE", &value, NULL); ++#endif ++ return value; ++} ++ 
++const char *blk_get_superblock_type(struct blkid_handle *h) ++{ ++ const char *value = NULL; ++#ifdef HAVE_BLKID ++ (void) blkid_probe_lookup_value(h->pr, "TYPE", &value, NULL); ++#endif ++ return value; ++} ++ ++void blk_free(struct blkid_handle *h) ++{ ++#ifdef HAVE_BLKID ++ if (!h) ++ return; ++ ++ if (h->pr) ++ blkid_free_probe(h->pr); ++ ++ free(h); ++#endif ++} ++ ++int blk_supported(void) ++{ ++ int r = 0; ++#ifdef HAVE_BLKID ++ r = 1; ++#endif ++ return r; ++} +diff --git a/lib/utils_blkid.h b/lib/utils_blkid.h +new file mode 100644 +index 0000000..d18b0a0 +--- /dev/null ++++ b/lib/utils_blkid.h +@@ -0,0 +1,48 @@ ++/* ++ * blkid probe utilities ++ * ++ * Copyright (C) 2018, Red Hat, Inc. All rights reserved. ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License ++ * as published by the Free Software Foundation; either version 2 ++ * of the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
++ */ ++ ++#ifndef _UTILS_BLKID_H ++#define _UTILS_BLKID_H ++ ++struct blkid_handle; ++ ++typedef enum { PRB_OK = 0, PRB_EMPTY, PRB_AMBIGUOUS, PRB_FAIL } blk_probe_status; ++ ++int blk_init_by_path(struct blkid_handle **h, const char *path); ++ ++void blk_free(struct blkid_handle *h); ++ ++void blk_set_chains_for_fast_detection(struct blkid_handle *h); ++ ++int blk_superblocks_filter_luks(struct blkid_handle *h); ++ ++blk_probe_status blk_safeprobe(struct blkid_handle *h); ++ ++int blk_is_partition(struct blkid_handle *h); ++ ++int blk_is_superblock(struct blkid_handle *h); ++ ++const char *blk_get_partition_type(struct blkid_handle *h); ++ ++const char *blk_get_superblock_type(struct blkid_handle *h); ++ ++int blk_supported(void); ++ ++#endif +-- +1.8.3.1 + +--- cryptsetup-2.0.3.old/aclocal.m4 2018-05-03 21:36:53.000000000 +0200 ++++ cryptsetup-2.0.3/aclocal.m4 2018-07-16 15:37:34.935817650 +0200 +@@ -31,7 +31,7 @@ To do so, use the procedure documented b + # WITHOUT ANY WARRANTY, to the extent permitted by law; without even the + # implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + # +-# Last-changed: 2014-10-02 ++# Last-changed: 2018-07-16 + + + dnl AM_PATH_LIBGCRYPT([MINIMUM-VERSION, diff --git a/SOURCES/cryptsetup-2.0.4-allow-LUKS2-repair-to-override-blkid-checks.patch b/SOURCES/cryptsetup-2.0.4-allow-LUKS2-repair-to-override-blkid-checks.patch new file mode 100644 index 0000000..31737aa --- /dev/null +++ b/SOURCES/cryptsetup-2.0.4-allow-LUKS2-repair-to-override-blkid-checks.patch 
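Review bot: In the configure.ac part of this patch, the not-found branch of `PKG_CHECK_MODULES([BLKID], [blkid], ...)` assigns `LIBBLKID_LIBS="-lblkid"`, but the variable that is substituted and linked is `BLKID_LIBS`, and `HAVE_BLKID` is defined only in the found branch. On a build host where the header is present but pkg-config cannot resolve blkid, the library would therefore compile the stub paths in lib/utils_blkid.c (`blk_supported()` returns 0, `blk_init_by_path()` returns -ENOTSUP), so device signature detection is switched off without any configure error. Failing closed is safer here, e.g. `[AC_MSG_ERROR([blkid not found; pass --disable-blkid to build without signature detection.])]` as the fourth argument. The `AC_CHECK_DECLS` list also appears to end in stray whitespace after `blkid_probe_lookup_value`, which would explain the `HAVE_DECL_BLKID_PROBE_LOOKUP_VALUE__________` symbol in the accompanying config.h.in change.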
@@ -0,0 +1,131 @@ +From b82eaf14f7a01cfd542cb95fe97b8d3a22d5ba8f Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Thu, 28 Jun 2018 15:48:13 +0200 +Subject: [PATCH 3/6] Allow LUKS2 repair to override blkid checks. + +Allow user to run cryptsetup repair command and explicitly do +repair on corrupted LUKS2 headers where blkid decides it's no longer +a LUKS2 device. +--- + lib/luks2/luks2.h | 2 +- + lib/luks2/luks2_json_metadata.c | 13 +++++++------ + lib/setup.c | 10 +++++----- + 3 files changed, 13 insertions(+), 12 deletions(-) + +diff --git a/lib/luks2/luks2.h b/lib/luks2/luks2.h +index ee57b41..c431e8f 100644 +--- a/lib/luks2/luks2.h ++++ b/lib/luks2/luks2.h +@@ -131,7 +131,7 @@ struct luks2_keyslot_params { + int LUKS2_hdr_version_unlocked(struct crypt_device *cd, + const char *backup_file); + +-int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr); ++int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, int repair); + int LUKS2_hdr_write(struct crypt_device *cd, struct luks2_hdr *hdr); + int LUKS2_hdr_dump(struct crypt_device *cd, struct luks2_hdr *hdr); + +diff --git a/lib/luks2/luks2_json_metadata.c b/lib/luks2/luks2_json_metadata.c +index 125cad9..0fd6340 100644 +--- a/lib/luks2/luks2_json_metadata.c ++++ b/lib/luks2/luks2_json_metadata.c +@@ -842,7 +842,8 @@ int LUKS2_hdr_validate(json_object *hdr_jobj) + return 0; + } + +-int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr) ++/* FIXME: should we expose do_recovery parameter explicitly? 
*/ ++int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, int repair) + { + int r; + +@@ -853,7 +854,7 @@ int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr) + return r; + } + +- r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1, 1); ++ r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1, !repair); + if (r == -EAGAIN) { + /* unlikely: auto-recovery is required and failed due to read lock being held */ + device_read_unlock(crypt_metadata_device(cd)); +@@ -865,7 +866,7 @@ int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr) + return r; + } + +- r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1, 1); ++ r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1, !repair); + + device_write_unlock(crypt_metadata_device(cd)); + } else +@@ -1050,7 +1051,7 @@ int LUKS2_hdr_restore(struct crypt_device *cd, struct luks2_hdr *hdr, + return r; + } + +- r = LUKS2_disk_hdr_read(cd, &hdr_file, backup_device, 0); ++ r = LUKS2_disk_hdr_read(cd, &hdr_file, backup_device, 0, 0); + device_read_unlock(backup_device); + device_free(backup_device); + +@@ -1089,7 +1090,7 @@ int LUKS2_hdr_restore(struct crypt_device *cd, struct luks2_hdr *hdr, + close(devfd); + devfd = -1; + +- r = LUKS2_hdr_read(cd, &tmp_hdr); ++ r = LUKS2_hdr_read(cd, &tmp_hdr, 0); + if (r == 0) { + log_dbg("Device %s already contains LUKS2 header, checking UUID and requirements.", device_path(device)); + r = LUKS2_config_get_requirements(cd, &tmp_hdr, &reqs); +@@ -1176,7 +1177,7 @@ out: + + if (!r) { + LUKS2_hdr_free(hdr); +- r = LUKS2_hdr_read(cd, hdr); ++ r = LUKS2_hdr_read(cd, hdr, 1); + } + + return r; +diff --git a/lib/setup.c b/lib/setup.c +index fddbe7e..a9b2eba 100644 +--- a/lib/setup.c ++++ b/lib/setup.c +@@ -644,16 +644,16 @@ struct crypt_pbkdf_type *crypt_get_pbkdf(struct crypt_device *cd) + /* + * crypt_load() helpers + */ +-static int _crypt_load_luks2(struct crypt_device *cd, int reload) ++static int _crypt_load_luks2(struct 
crypt_device *cd, int reload, int repair) + { + int r; + char tmp_cipher[MAX_CIPHER_LEN], tmp_cipher_mode[MAX_CIPHER_LEN], + *cipher = NULL, *cipher_mode = NULL, *type = NULL; + struct luks2_hdr hdr2 = {}; + +- log_dbg("%soading LUKS2 header.", reload ? "Rel" : "L"); ++ log_dbg("%soading LUKS2 header (repair %sabled).", reload ? "Rel" : "L", repair ? "en" : "dis"); + +- r = LUKS2_hdr_read(cd, &hdr2); ++ r = LUKS2_hdr_read(cd, &hdr2, repair); + if (r) + return r; + +@@ -713,7 +713,7 @@ static void _luks2_reload(struct crypt_device *cd) + if (!cd || !isLUKS2(cd->type)) + return; + +- (void) _crypt_load_luks2(cd, 1); ++ (void) _crypt_load_luks2(cd, 1, 0); + } + + static int _crypt_load_luks(struct crypt_device *cd, const char *requested_type, +@@ -768,7 +768,7 @@ static int _crypt_load_luks(struct crypt_device *cd, const char *requested_type, + return -EINVAL; + } + +- r = _crypt_load_luks2(cd, cd->type != NULL); ++ r = _crypt_load_luks2(cd, cd->type != NULL, repair); + } else + r = -EINVAL; + out: +-- +1.8.3.1 + diff --git a/SOURCES/cryptsetup-2.0.4-allow-LUKS2-repair-with-disabled-locks.patch b/SOURCES/cryptsetup-2.0.4-allow-LUKS2-repair-with-disabled-locks.patch new file mode 100644 index 0000000..a5d5258 --- /dev/null +++ b/SOURCES/cryptsetup-2.0.4-allow-LUKS2-repair-with-disabled-locks.patch 
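Review bot: The new `repair` argument of `LUKS2_hdr_read()` is undocumented, and the comment added above the definition (`FIXME: should we expose do_recovery parameter explicitly?`) names a different flag. The value is passed inverted (`!repair`) as the last argument of `LUKS2_disk_hdr_read()`, which the later patch in this series appears to call `do_blkprobe`, so a non-zero `repair` turns off the blkid signature check on a read path that can trigger header auto-recovery. I would state that contract at the definition, e.g. `/* repair != 0: skip the blkid signature probe; intended only for explicit crypt_repair() */`. `LUKS2_hdr_restore()` also ends with `LUKS2_hdr_read(cd, hdr, 1)`, so the re-read after a restore runs with the probe off; if that is intentional it deserves a one-line comment at that call.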
@@ -0,0 +1,26 @@
+From c6dc8dd86c797b982d47ebb918367b4575d59dad Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina
+Date: Mon, 9 Jul 2018 18:43:02 +0200
+Subject: [PATCH 6/6] Allow LUKS2 repair with disabled locks.
+
+---
+ lib/luks2/luks2_disk_metadata.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/luks2/luks2_disk_metadata.c b/lib/luks2/luks2_disk_metadata.c
+index 6ca9d5e..bd5223f 100644
+--- a/lib/luks2/luks2_disk_metadata.c
++++ b/lib/luks2/luks2_disk_metadata.c
+@@ -592,7 +592,8 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr,
+ int i, r;
+ uint64_t hdr_size;
+
+- if (do_recovery && !crypt_metadata_locking_enabled()) {
++ /* Skip auto-recovery if locks are disabled and we're not doing LUKS2 explicit repair */
++ if (do_recovery && do_blkprobe && !crypt_metadata_locking_enabled()) {
+ do_recovery = 0;
+ log_dbg("Disabling header auto-recovery due to locking being disabled.");
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.4-allow-explicit-LUKS2-repair.patch b/SOURCES/cryptsetup-2.0.4-allow-explicit-LUKS2-repair.patch
new file mode 100644
index 0000000..5dc1782
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-allow-explicit-LUKS2-repair.patch
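Review bot: With `do_blkprobe` added to the condition in `LUKS2_disk_hdr_read()`, an explicit repair (`do_blkprobe == 0`) keeps `do_recovery` set even when `crypt_metadata_locking_enabled()` is false, so auto-recovery can proceed without the metadata lock and nothing is logged on that path. The condition also uses `do_blkprobe` as a stand-in for "explicit repair", which ties two unrelated flags together; a later caller that disables the probe for another reason would silently gain unlocked recovery. At minimum I would make the path visible, e.g. `else if (do_recovery && !crypt_metadata_locking_enabled()) log_dbg("Header auto-recovery allowed with locking disabled (explicit repair).");`. The function body continues outside the hunk, so whether recovery writes to the device here is inferred from the surrounding comments.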
@@ -0,0 +1,44 @@
+From 4b3b6b07ad42ebab346f0fe343aab2a14cd5a9da Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina
+Date: Mon, 9 Jul 2018 17:18:17 +0200
+Subject: [PATCH 4/6] Allow explicit LUKS2 repair.
+
+Also moves FIXME comment lower to LUKS2 code with note that currently it's
+safe to do crypt_repair on LUKS2 format without paying attention to LUKS2
+requirements.
+---
+ lib/setup.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/lib/setup.c b/lib/setup.c
+index a9b2eba..952fa0e 100644
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -768,6 +768,14 @@ static int _crypt_load_luks(struct crypt_device *cd, const char *requested_type,
+ return -EINVAL;
+ }
+
++ /*
++ * Current LUKS2 repair just overrides blkid probes
++ * and perform auto-recovery if possible. This is safe
++ * unless future LUKS2 repair code do something more
++ * sophisticated. In such case we would need to check
++ * for LUKS2 requirements and decide if it's safe to
++ * perform repair.
++ */
+ r = _crypt_load_luks2(cd, cd->type != NULL, repair);
+ } else
+ r = -EINVAL;
+@@ -2023,8 +2031,7 @@ int crypt_repair(struct crypt_device *cd,
+ if (!crypt_metadata_device(cd))
+ return -EINVAL;
+
+- /* FIXME LUKS2 (if so it also must respect LUKS2 requirements) */
+- if (requested_type && !isLUKS1(requested_type))
++ if (requested_type && !isLUKS(requested_type))
+ return -EINVAL;
+
+ /* Load with repair */
+--
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.4-configure.patch b/SOURCES/cryptsetup-2.0.4-configure.patch
new file mode 100644
index 0000000..17b28da
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-configure.patch
@@ -0,0 +1,397 @@ +--- cryptsetup-2.0.3.old/config.h.in 2018-05-03 21:37:10.000000000 +0200 ++++ cryptsetup-2.0.3/config.h.in 2018-07-16 09:58:36.283929571 +0200 +@@ -106,6 +106,12 @@ + /* Define to 1 if you have the header file. */ + #undef HAVE_ARGON2_H + ++/* Define to 1 to use blkid for detection of disk signatures. */ ++#undef HAVE_BLKID ++ ++/* Define to 1 if you have the header file. */ ++#undef HAVE_BLKID_BLKID_H ++ + /* Define to 1 if you have the header file. */ + #undef HAVE_BYTESWAP_H + +@@ -127,6 +133,30 @@ + */ + #undef HAVE_DCGETTEXT + ++/* Define to 1 if you have the declaration of `blkid_do_probe', and to 0 if ++ you don't. */ ++#undef HAVE_DECL_BLKID_DO_PROBE ++ ++/* Define to 1 if you have the declaration of `blkid_do_safeprobe', and to 0 ++ if you don't. */ ++#undef HAVE_DECL_BLKID_DO_SAFEPROBE ++ ++/* Define to 1 if you have the declaration of ++ `blkid_probe_filter_superblocks_type', and to 0 if you don't. */ ++#undef HAVE_DECL_BLKID_PROBE_FILTER_SUPERBLOCKS_TYPE ++ ++/* Define to 1 if you have the declaration of `blkid_probe_lookup_value ', and ++ to 0 if you don't. */ ++#undef HAVE_DECL_BLKID_PROBE_LOOKUP_VALUE__________ ++ ++/* Define to 1 if you have the declaration of `blkid_probe_set_device', and to ++ 0 if you don't. */ ++#undef HAVE_DECL_BLKID_PROBE_SET_DEVICE ++ ++/* Define to 1 if you have the declaration of `blkid_reset_probe', and to 0 if ++ you don't. */ ++#undef HAVE_DECL_BLKID_RESET_PROBE ++ + /* Define to 1 if you have the declaration of `dm_device_has_holders', and to + 0 if you don't. 
*/ + #undef HAVE_DECL_DM_DEVICE_HAS_HOLDERS +--- cryptsetup-2.0.3.old/Makefile.in 2018-05-03 21:36:55.000000000 +0200 ++++ cryptsetup-2.0.3/Makefile.in 2018-07-16 09:58:36.240929810 +0200 +@@ -270,7 +270,8 @@ am_libcryptsetup_la_OBJECTS = lib/libcry + lib/luks2/libcryptsetup_la-luks2_keyslot.lo \ + lib/luks2/libcryptsetup_la-luks2_keyslot_luks2.lo \ + lib/luks2/libcryptsetup_la-luks2_token_keyring.lo \ +- lib/luks2/libcryptsetup_la-luks2_token.lo ++ lib/luks2/libcryptsetup_la-luks2_token.lo \ ++ lib/libcryptsetup_la-utils_blkid.lo + libcryptsetup_la_OBJECTS = $(am_libcryptsetup_la_OBJECTS) + libcryptsetup_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ +@@ -591,6 +592,8 @@ AUTOCONF = @AUTOCONF@ + AUTOHEADER = @AUTOHEADER@ + AUTOMAKE = @AUTOMAKE@ + AWK = @AWK@ ++BLKID_CFLAGS = @BLKID_CFLAGS@ ++BLKID_LIBS = @BLKID_LIBS@ + CC = @CC@ + CCDEPMODE = @CCDEPMODE@ + CFLAGS = @CFLAGS@ +@@ -846,6 +849,7 @@ libcryptsetup_la_LIBADD = \ + @CRYPTO_LIBS@ \ + @LIBARGON2_LIBS@ \ + @JSON_C_LIBS@ \ ++ @BLKID_LIBS@ \ + libcrypto_backend.la + + libcryptsetup_la_SOURCES = \ +@@ -908,7 +912,9 @@ libcryptsetup_la_SOURCES = \ + lib/luks2/luks2_token_keyring.c \ + lib/luks2/luks2_token.c \ + lib/luks2/luks2_internal.h \ +- lib/luks2/luks2.h ++ lib/luks2/luks2.h \ ++ lib/utils_blkid.c \ ++ lib/utils_blkid.h + + + # cryptsetup +@@ -1351,6 +1357,8 @@ lib/luks2/libcryptsetup_la-luks2_token_k + lib/luks2/$(am__dirstamp) lib/luks2/$(DEPDIR)/$(am__dirstamp) + lib/luks2/libcryptsetup_la-luks2_token.lo: lib/luks2/$(am__dirstamp) \ + lib/luks2/$(DEPDIR)/$(am__dirstamp) ++lib/libcryptsetup_la-utils_blkid.lo: lib/$(am__dirstamp) \ ++ lib/$(DEPDIR)/$(am__dirstamp) + + libcryptsetup.la: $(libcryptsetup_la_OBJECTS) $(libcryptsetup_la_DEPENDENCIES) $(EXTRA_libcryptsetup_la_DEPENDENCIES) + $(AM_V_CCLD)$(libcryptsetup_la_LINK) -rpath $(libdir) $(libcryptsetup_la_OBJECTS) $(libcryptsetup_la_LIBADD) $(LIBS) +@@ -1507,6 +1515,7 @@ distclean-compile: + 
@AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-setup.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_benchmark.Plo@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_blkid.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_crypt.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_device_locking.Plo@am__quote@ +@@ -1991,6 +2000,13 @@ lib/luks2/libcryptsetup_la-luks2_token.l + @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ + @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -c -o lib/luks2/libcryptsetup_la-luks2_token.lo `test -f 'lib/luks2/luks2_token.c' || echo '$(srcdir)/'`lib/luks2/luks2_token.c + ++lib/libcryptsetup_la-utils_blkid.lo: lib/utils_blkid.c ++@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -MT lib/libcryptsetup_la-utils_blkid.lo -MD -MP -MF lib/$(DEPDIR)/libcryptsetup_la-utils_blkid.Tpo -c -o lib/libcryptsetup_la-utils_blkid.lo `test -f 'lib/utils_blkid.c' || echo '$(srcdir)/'`lib/utils_blkid.c ++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) lib/$(DEPDIR)/libcryptsetup_la-utils_blkid.Tpo lib/$(DEPDIR)/libcryptsetup_la-utils_blkid.Plo ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='lib/utils_blkid.c' object='lib/libcryptsetup_la-utils_blkid.lo' libtool=yes 
@AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -c -o lib/libcryptsetup_la-utils_blkid.lo `test -f 'lib/utils_blkid.c' || echo '$(srcdir)/'`lib/utils_blkid.c ++ + python/pycryptsetup_la-pycryptsetup.lo: python/pycryptsetup.c + @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(pycryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT python/pycryptsetup_la-pycryptsetup.lo -MD -MP -MF python/$(DEPDIR)/pycryptsetup_la-pycryptsetup.Tpo -c -o python/pycryptsetup_la-pycryptsetup.lo `test -f 'python/pycryptsetup.c' || echo '$(srcdir)/'`python/pycryptsetup.c + @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) python/$(DEPDIR)/pycryptsetup_la-pycryptsetup.Tpo python/$(DEPDIR)/pycryptsetup_la-pycryptsetup.Plo +--- cryptsetup-2.0.3.old/configure 2018-05-03 21:36:55.000000000 +0200 ++++ cryptsetup-2.0.3/configure 2018-07-16 09:58:36.283929571 +0200 +@@ -664,6 +664,10 @@ PWQUALITY_STATIC_LIBS + systemd_tmpfilesdir + DEVMAPPER_STATIC_LIBS + DEVMAPPER_STATIC_CFLAGS ++HAVE_BLKID_FALSE ++HAVE_BLKID_TRUE ++BLKID_LIBS ++BLKID_CFLAGS + CRYPTO_INTERNAL_ARGON2_FALSE + CRYPTO_INTERNAL_ARGON2_TRUE + LIBARGON2_LIBS +@@ -878,6 +882,7 @@ enable_gcrypt_pbkdf2 + with_libgcrypt_prefix + enable_internal_argon2 + enable_libargon2 ++enable_blkid + enable_dev_random + enable_python + with_python_version +@@ -935,6 +940,8 @@ NSS_CFLAGS + NSS_LIBS + LIBARGON2_CFLAGS + LIBARGON2_LIBS ++BLKID_CFLAGS ++BLKID_LIBS + DEVMAPPER_STATIC_CFLAGS + DEVMAPPER_STATIC_LIBS + systemd_tmpfilesdir +@@ -1607,6 +1614,8 @@ Optional Features: + disable internal implementation of Argon2 PBKDF + 
--enable-libargon2 enable external libargon2 (PHC) library (disables + internal bundled version) ++ --disable-blkid disable use of blkid for device signature detection ++ and wiping. + --enable-dev-random use blocking /dev/random by default for key + generator (otherwise use /dev/urandom) + --enable-python enable Python bindings +@@ -1719,6 +1728,9 @@ Some influential environment variables: + C compiler flags for LIBARGON2, overriding pkg-config + LIBARGON2_LIBS + linker flags for LIBARGON2, overriding pkg-config ++ BLKID_CFLAGS ++ C compiler flags for BLKID, overriding pkg-config ++ BLKID_LIBS linker flags for BLKID, overriding pkg-config + DEVMAPPER_STATIC_CFLAGS + C compiler flags for DEVMAPPER_STATIC, overriding pkg-config + DEVMAPPER_STATIC_LIBS +@@ -18580,6 +18592,211 @@ else + fi + + ++# Check whether --enable-blkid was given. ++if test "${enable_blkid+set}" = set; then : ++ enableval=$enable_blkid; ++else ++ enable_blkid=yes ++fi ++ ++ ++if test x$enable_blkid = xyes ; then ++ ++pkg_failed=no ++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for BLKID" >&5 ++$as_echo_n "checking for BLKID... " >&6; } ++ ++if test -n "$BLKID_CFLAGS"; then ++ pkg_cv_BLKID_CFLAGS="$BLKID_CFLAGS" ++ elif test -n "$PKG_CONFIG"; then ++ if test -n "$PKG_CONFIG" && \ ++ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"blkid\""; } >&5 ++ ($PKG_CONFIG --exists --print-errors "blkid") 2>&5 ++ ac_status=$? ++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 ++ test $ac_status = 0; }; then ++ pkg_cv_BLKID_CFLAGS=`$PKG_CONFIG --cflags "blkid" 2>/dev/null` ++ test "x$?" 
!= "x0" && pkg_failed=yes ++else ++ pkg_failed=yes ++fi ++ else ++ pkg_failed=untried ++fi ++if test -n "$BLKID_LIBS"; then ++ pkg_cv_BLKID_LIBS="$BLKID_LIBS" ++ elif test -n "$PKG_CONFIG"; then ++ if test -n "$PKG_CONFIG" && \ ++ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"blkid\""; } >&5 ++ ($PKG_CONFIG --exists --print-errors "blkid") 2>&5 ++ ac_status=$? ++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 ++ test $ac_status = 0; }; then ++ pkg_cv_BLKID_LIBS=`$PKG_CONFIG --libs "blkid" 2>/dev/null` ++ test "x$?" != "x0" && pkg_failed=yes ++else ++ pkg_failed=yes ++fi ++ else ++ pkg_failed=untried ++fi ++ ++ ++ ++if test $pkg_failed = yes; then ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++$as_echo "no" >&6; } ++ ++if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then ++ _pkg_short_errors_supported=yes ++else ++ _pkg_short_errors_supported=no ++fi ++ if test $_pkg_short_errors_supported = yes; then ++ BLKID_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "blkid" 2>&1` ++ else ++ BLKID_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "blkid" 2>&1` ++ fi ++ # Put the nasty error message in config.log where it belongs ++ echo "$BLKID_PKG_ERRORS" >&5 ++ ++ LIBBLKID_LIBS="-lblkid" ++elif test $pkg_failed = untried; then ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++$as_echo "no" >&6; } ++ LIBBLKID_LIBS="-lblkid" ++else ++ BLKID_CFLAGS=$pkg_cv_BLKID_CFLAGS ++ BLKID_LIBS=$pkg_cv_BLKID_LIBS ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 ++$as_echo "yes" >&6; } ++ ++$as_echo "#define HAVE_BLKID 1" >>confdefs.h ++ ++fi ++ ++ for ac_header in blkid/blkid.h ++do : ++ ac_fn_c_check_header_mongrel "$LINENO" "blkid/blkid.h" "ac_cv_header_blkid_blkid_h" "$ac_includes_default" ++if test "x$ac_cv_header_blkid_blkid_h" = xyes; then : ++ cat >>confdefs.h <<_ACEOF ++#define HAVE_BLKID_BLKID_H 1 ++_ACEOF ++ ++else ++ as_fn_error $? 
"You need blkid development library installed." "$LINENO" 5 ++fi ++ ++done ++ ++ ac_fn_c_check_decl "$LINENO" "blkid_reset_probe" "ac_cv_have_decl_blkid_reset_probe" "#include ++" ++if test "x$ac_cv_have_decl_blkid_reset_probe" = xyes; then : ++ ac_have_decl=1 ++else ++ ac_have_decl=0 ++fi ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_DECL_BLKID_RESET_PROBE $ac_have_decl ++_ACEOF ++if test $ac_have_decl = 1; then : ++ ++else ++ as_fn_error $? "Can not compile with blkid support, disable it by --disable-blkid." "$LINENO" 5 ++fi ++ac_fn_c_check_decl "$LINENO" "blkid_probe_set_device" "ac_cv_have_decl_blkid_probe_set_device" "#include ++" ++if test "x$ac_cv_have_decl_blkid_probe_set_device" = xyes; then : ++ ac_have_decl=1 ++else ++ ac_have_decl=0 ++fi ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_DECL_BLKID_PROBE_SET_DEVICE $ac_have_decl ++_ACEOF ++if test $ac_have_decl = 1; then : ++ ++else ++ as_fn_error $? "Can not compile with blkid support, disable it by --disable-blkid." "$LINENO" 5 ++fi ++ac_fn_c_check_decl "$LINENO" "blkid_probe_filter_superblocks_type" "ac_cv_have_decl_blkid_probe_filter_superblocks_type" "#include ++" ++if test "x$ac_cv_have_decl_blkid_probe_filter_superblocks_type" = xyes; then : ++ ac_have_decl=1 ++else ++ ac_have_decl=0 ++fi ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_DECL_BLKID_PROBE_FILTER_SUPERBLOCKS_TYPE $ac_have_decl ++_ACEOF ++if test $ac_have_decl = 1; then : ++ ++else ++ as_fn_error $? "Can not compile with blkid support, disable it by --disable-blkid." "$LINENO" 5 ++fi ++ac_fn_c_check_decl "$LINENO" "blkid_do_safeprobe" "ac_cv_have_decl_blkid_do_safeprobe" "#include ++" ++if test "x$ac_cv_have_decl_blkid_do_safeprobe" = xyes; then : ++ ac_have_decl=1 ++else ++ ac_have_decl=0 ++fi ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_DECL_BLKID_DO_SAFEPROBE $ac_have_decl ++_ACEOF ++if test $ac_have_decl = 1; then : ++ ++else ++ as_fn_error $? "Can not compile with blkid support, disable it by --disable-blkid." 
"$LINENO" 5 ++fi ++ac_fn_c_check_decl "$LINENO" "blkid_do_probe" "ac_cv_have_decl_blkid_do_probe" "#include ++" ++if test "x$ac_cv_have_decl_blkid_do_probe" = xyes; then : ++ ac_have_decl=1 ++else ++ ac_have_decl=0 ++fi ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_DECL_BLKID_DO_PROBE $ac_have_decl ++_ACEOF ++if test $ac_have_decl = 1; then : ++ ++else ++ as_fn_error $? "Can not compile with blkid support, disable it by --disable-blkid." "$LINENO" 5 ++fi ++ac_fn_c_check_decl "$LINENO" "blkid_probe_lookup_value ++ " "ac_cv_have_decl_blkid_probe_lookup_value__________" "#include ++" ++if test "x$ac_cv_have_decl_blkid_probe_lookup_value__________" = xyes; then : ++ ac_have_decl=1 ++else ++ ac_have_decl=0 ++fi ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_DECL_BLKID_PROBE_LOOKUP_VALUE__________ $ac_have_decl ++_ACEOF ++if test $ac_have_decl = 1; then : ++ ++else ++ as_fn_error $? "Can not compile with blkid support, disable it by --disable-blkid." "$LINENO" 5 ++fi ++ ++fi ++ if test x$enable_blkid = xyes; then ++ HAVE_BLKID_TRUE= ++ HAVE_BLKID_FALSE='#' ++else ++ HAVE_BLKID_TRUE='#' ++ HAVE_BLKID_FALSE= ++fi ++ ++ + if test x$enable_static_cryptsetup = xyes; then + saved_PKG_CONFIG=$PKG_CONFIG + PKG_CONFIG="$PKG_CONFIG --static" +@@ -19043,6 +19260,7 @@ $as_echo "$systemd_tmpfilesdir" >&6; } + + + ++ + # Check whether --enable-dev-random was given. + if test "${enable_dev_random+set}" = set; then : + enableval=$enable_dev_random; default_rng=/dev/random +@@ -20146,6 +20364,10 @@ if test -z "${CRYPTO_INTERNAL_ARGON2_TRU + as_fn_error $? "conditional \"CRYPTO_INTERNAL_ARGON2\" was never defined. + Usually this means the macro was only invoked conditionally." "$LINENO" 5 + fi ++if test -z "${HAVE_BLKID_TRUE}" && test -z "${HAVE_BLKID_FALSE}"; then ++ as_fn_error $? "conditional \"HAVE_BLKID\" was never defined. ++Usually this means the macro was only invoked conditionally." 
"$LINENO" 5 ++fi + if test -z "${PYTHON_CRYPTSETUP_TRUE}" && test -z "${PYTHON_CRYPTSETUP_FALSE}"; then + as_fn_error $? "conditional \"PYTHON_CRYPTSETUP\" was never defined. + Usually this means the macro was only invoked conditionally." "$LINENO" 5 diff --git a/SOURCES/cryptsetup-2.0.4-dracut-reencrypt.patch b/SOURCES/cryptsetup-2.0.4-dracut-reencrypt.patch new file mode 100644 index 0000000..abca3a3 --- /dev/null +++ b/SOURCES/cryptsetup-2.0.4-dracut-reencrypt.patch 
@@ -0,0 +1,106 @@ +From 1b9148f12f85f326cb8127665ecfc2136c9822d5 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Wed, 18 Oct 2017 09:57:03 +0200 +Subject: [PATCH] dracut-reencrypt: add --progress-frequency parameter + +--- + misc/dracut_90reencrypt/reencrypt.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/misc/dracut_90reencrypt/reencrypt.sh b/misc/dracut_90reencrypt/reencrypt.sh +index e6f87e0..b4960d7 100755 +--- a/misc/dracut_90reencrypt/reencrypt.sh ++++ b/misc/dracut_90reencrypt/reencrypt.sh +@@ -18,7 +18,7 @@ else + device="$1" + fi + +-PARAMS="$device -T 1 --use-fsync -B 32" ++PARAMS="$device -T 1 --use-fsync --progress-frequency 5 -B 32" + if [ "$3" != "any" ]; then + PARAMS="$PARAMS -S $3" + fi +-- +1.8.3.1 + +From cda0a8ac7f30f120cdf5fadf16484715e8f9a040 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Thu, 19 Jul 2018 17:33:58 +0200 +Subject: [PATCH 2/2] Indicate running in initrd phase. + +--- + misc/dracut_90reencrypt/reencrypt.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/misc/dracut_90reencrypt/reencrypt.sh b/misc/dracut_90reencrypt/reencrypt.sh +index e6f87e0..24c7716 100755 +--- a/misc/dracut_90reencrypt/reencrypt.sh ++++ b/misc/dracut_90reencrypt/reencrypt.sh +@@ -11,6 +11,8 @@ + + . /lib/dracut-lib.sh + ++export CRYPT_REENCRYPT_IN_INITRD=1 ++ + # if device name is /dev/dm-X, convert to /dev/mapper/name + if [ "${1##/dev/dm-}" != "$1" ]; then + device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")" +-- +1.8.3.1 + +From 5da5e7f095e09c9501179864f6a20293dd9cada5 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Mon, 16 Jul 2018 17:17:45 +0200 +Subject: [PATCH] Redirect stdout to stderr during reencryption in initrd. + +Stdout is not printed in initrd unless user invokes debug mode. +It's inconvenient to have users waiting for reencryption to +finish with no input at all. 
+--- + misc/dracut_90reencrypt/module-setup.sh | 1 + + misc/dracut_90reencrypt/reencrypt-verbose.sh | 5 +++++ + misc/dracut_90reencrypt/reencrypt.sh | 4 ++-- + 3 files changed, 8 insertions(+), 2 deletions(-) + create mode 100755 misc/dracut_90reencrypt/reencrypt-verbose.sh + +diff --git a/misc/dracut_90reencrypt/module-setup.sh b/misc/dracut_90reencrypt/module-setup.sh +index 2ec9953..fcd7c92 100755 +--- a/misc/dracut_90reencrypt/module-setup.sh ++++ b/misc/dracut_90reencrypt/module-setup.sh +@@ -28,4 +28,5 @@ install() { + # shellcheck disable=SC2154 + inst_hook cmdline 30 "$moddir/parse-reencrypt.sh" + inst_simple "$moddir"/reencrypt.sh /sbin/reencrypt ++ inst_simple "$moddir"/reencrypt-verbose.sh /sbin/cryptsetup-reencrypt-verbose + } +diff --git a/misc/dracut_90reencrypt/reencrypt-verbose.sh b/misc/dracut_90reencrypt/reencrypt-verbose.sh +new file mode 100755 +index 0000000..5db75d5 +--- /dev/null ++++ b/misc/dracut_90reencrypt/reencrypt-verbose.sh +@@ -0,0 +1,5 @@ ++#!/bin/sh ++ ++# Route stdout to stderr in initrd. Otherwise output is invisible ++# unless we run in debug mode. ++/sbin/cryptsetup-reencrypt $@ 1>&2 +diff --git a/misc/dracut_90reencrypt/reencrypt.sh b/misc/dracut_90reencrypt/reencrypt.sh +index b4960d7..4243773 100755 +--- a/misc/dracut_90reencrypt/reencrypt.sh ++++ b/misc/dracut_90reencrypt/reencrypt.sh +@@ -50,10 +50,10 @@ reenc_run() { + fi + /bin/plymouth ask-for-password \ + --prompt "$_prompt" \ +- --command="/sbin/cryptsetup-reencrypt $PARAMS" ++ --command="/sbin/cryptsetup-reencrypt-verbose $PARAMS" + else + info "REENCRYPT using key $1" +- reenc_readkey "$1" | /sbin/cryptsetup-reencrypt -d - $PARAMS ++ reenc_readkey "$1" | /sbin/cryptsetup-reencrypt-verbose -d - $PARAMS + fi + _ret=$? + cd $cwd +-- +1.8.3.1 + diff --git a/SOURCES/cryptsetup-2.0.4-fix-write_blockwise-on-short-files.patch b/SOURCES/cryptsetup-2.0.4-fix-write_blockwise-on-short-files.patch new file mode 100644 index 0000000..8821a14 --- /dev/null 
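Review bot: The new reencrypt-verbose.sh forwards its arguments as an unquoted `$@`, so each argument is word-split and glob-expanded again before it reaches cryptsetup-reencrypt; an argument containing whitespace or `*` would arrive altered. Write the last line as `exec /sbin/cryptsetup-reencrypt "$@" 1>&2`, which keeps the argument vector intact and avoids leaving an extra shell process in the initrd. The callers in reencrypt.sh still expand `$PARAMS` unquoted, so this only removes the wrapper's own re-splitting. reenc_run starts and ends outside the hunk.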
+++ b/SOURCES/cryptsetup-2.0.4-fix-write_blockwise-on-short-files.patch @@ -0,0 +1,40 @@ +From 63d66e7a3356da4bca77f521fd93df7cdf09b41a Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Tue, 19 Jun 2018 15:10:33 +0200 +Subject: [PATCH 3/4] Fix write_blockwise on short files. + +see unit test write_blockwise(length=2097153, bsize=4096), on x86 +with original test file size=2097152. + +The test is trying to write_blockwise 1 more byte than actual file +size. +--- + lib/utils_io.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/lib/utils_io.c b/lib/utils_io.c +index 8336b18..e0c2381 100644 +--- a/lib/utils_io.c ++++ b/lib/utils_io.c +@@ -105,15 +105,13 @@ ssize_t write_blockwise(int fd, size_t bsize, size_t alignment, + if (hangover) { + if (posix_memalign(&hangover_buf, alignment, bsize)) + goto out; ++ memset(hangover_buf, 0, bsize); + + r = read_buffer(fd, hangover_buf, bsize); +- if (r < 0 || r < (ssize_t)hangover) ++ if (r < 0) + goto out; + +- if (r < (ssize_t)bsize) +- bsize = r; +- +- if (lseek(fd, -(off_t)bsize, SEEK_CUR) < 0) ++ if (lseek(fd, -(off_t)r, SEEK_CUR) < 0) + goto out; + + memcpy(hangover_buf, (char*)buf + solid, hangover); +-- +1.8.3.1 + diff --git a/SOURCES/cryptsetup-2.0.4-fix-write_lseek_blockwise-for-in-the-middle-of-secto.patch b/SOURCES/cryptsetup-2.0.4-fix-write_lseek_blockwise-for-in-the-middle-of-secto.patch new file mode 100644 index 0000000..92f889b --- /dev/null +++ b/SOURCES/cryptsetup-2.0.4-fix-write_lseek_blockwise-for-in-the-middle-of-secto.patch 
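Review bot: The added `memset(hangover_buf, 0, bsize);` in write_blockwise has no comment, although it is what makes the relaxed check safe. Once `r < (ssize_t)hangover` is no longer rejected, a short read_buffer() leaves the tail of the posix_memalign() buffer unwritten, and without the zero-fill those uninitialised heap bytes could reach the device in the write that follows outside this hunk. I would add `/* zero the block: a short read must not leave heap garbage in the bytes written back */` above the memset. write_blockwise starts and ends outside the hunk, so the final write is presumed to cover the full block.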
@@ -0,0 +1,32 @@ +From 6392be68c4d481148e20dbc2a8380cc246f27ad1 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Tue, 19 Jun 2018 14:45:45 +0200 +Subject: [PATCH 2/4] Fix write_lseek_blockwise for in the middle of sector + case. + +See unit test write_lseek_blockwise(bsize=512, offset=1, length=1). + +The test tries to modify single byte at offset 1 of device with +bsize=512. +--- + lib/utils_io.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/utils_io.c b/lib/utils_io.c +index 94c4ef6..8336b18 100644 +--- a/lib/utils_io.c ++++ b/lib/utils_io.c +@@ -216,8 +216,8 @@ ssize_t write_lseek_blockwise(int fd, size_t bsize, size_t alignment, + if (lseek(fd, offset - frontHang, SEEK_SET) < 0) + goto out; + +- r = write_buffer(fd, frontPadBuf, frontHang + innerCount); +- if (r < 0 || r != (ssize_t)(frontHang + innerCount)) ++ r = write_buffer(fd, frontPadBuf, bsize); ++ if (r < 0 || r != (ssize_t)bsize) + goto out; + + buf = (char*)buf + innerCount; +-- +1.8.3.1 + diff --git a/SOURCES/cryptsetup-2.0.4-make-LUKS2-auto-recovery-aware-of-device-signatures.patch b/SOURCES/cryptsetup-2.0.4-make-LUKS2-auto-recovery-aware-of-device-signatures.patch new file mode 100644 index 0000000..c472424 --- /dev/null +++ b/SOURCES/cryptsetup-2.0.4-make-LUKS2-auto-recovery-aware-of-device-signatures.patch 
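Review bot: write_lseek_blockwise now writes the whole `bsize` block from `frontPadBuf`, so every byte of that buffer must be initialised, and this hunk does not show that it is. The buffer comes from posix_memalign() (visible in the 1/4 patch on this page) and is filled by a read that sits before the hunk. If that read can return fewer than `bsize` bytes, the tail would be uninitialised heap written to disk. Either reject a short read there or zero the buffer after allocation with `memset(frontPadBuf, 0, bsize);`, as the 3/4 patch does for write_blockwise. The function body starts and ends outside the hunk, so this needs checking against the full source.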
@@ -0,0 +1,164 @@ +From 078ed81d14904f48a6237646050ba5eb74d702b7 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Wed, 4 Jul 2018 15:58:09 +0200 +Subject: [PATCH 2/6] Make LUKS2 auto-recovery aware of device signatures. + +auto-recovery triggers any time when only single correct LUKS2 +header instance was found. That may be dangerous. + +We should suppress auto-recovery in case blkid decided the +device is no longer LUKS device. For example if secondary (intact) +LUKS2 header was left behind and blkid declares the device is LVM2 +member. + +Moreover if at least one header instance is corrupted and blkid +declares device non-empty and non-LUKS in the same time, header load +operation will be aborted with error. +--- + lib/internal.h | 1 + + lib/luks2/luks2_disk_metadata.c | 61 ++++++++++++++++++++++++++++++++++++++++- + lib/luks2/luks2_internal.h | 2 +- + lib/luks2/luks2_json_metadata.c | 4 +-- + 4 files changed, 64 insertions(+), 4 deletions(-) + +diff --git a/lib/internal.h b/lib/internal.h +index 07a1a08..e6d2323 100644 +--- a/lib/internal.h ++++ b/lib/internal.h +@@ -32,6 +32,7 @@ + + #include "nls.h" + #include "bitops.h" ++#include "utils_blkid.h" + #include "utils_crypt.h" + #include "utils_loop.h" + #include "utils_dm.h" +diff --git a/lib/luks2/luks2_disk_metadata.c b/lib/luks2/luks2_disk_metadata.c +index 4d9bce2..6ca9d5e 100644 +--- a/lib/luks2/luks2_disk_metadata.c ++++ b/lib/luks2/luks2_disk_metadata.c +@@ -531,12 +531,59 @@ static json_object *parse_and_validate_json(const char *json_area, int length) + return jobj; + } + ++static int detect_device_signatures(const char *path) ++{ ++ blk_probe_status prb_state; ++ int r; ++ struct blkid_handle *h; ++ ++ if (!blk_supported()) { ++ log_dbg("Blkid probing of device signatures disabled."); ++ return 0; ++ } ++ ++ if ((r = blk_init_by_path(&h, path))) { ++ log_dbg("Failed to initialize blkid_handle by path."); ++ return -EINVAL; ++ } ++ ++ /* We don't care about details. Be fast. 
*/ ++ blk_set_chains_for_fast_detection(h); ++ ++ /* Filter out crypto_LUKS. we don't care now */ ++ blk_superblocks_filter_luks(h); ++ ++ prb_state = blk_safeprobe(h); ++ ++ switch (prb_state) { ++ case PRB_AMBIGUOUS: ++ log_dbg("Blkid probe couldn't decide device type unambiguously."); ++ /* fall through */ ++ case PRB_FAIL: ++ log_dbg("Blkid probe failed."); ++ r = -EINVAL; ++ break; ++ case PRB_OK: /* crypto_LUKS type is filtered out */ ++ r = -EINVAL; ++ ++ if (blk_is_partition(h)) ++ log_dbg("Blkid probe detected partition type '%s'", blk_get_partition_type(h)); ++ else if (blk_is_superblock(h)) ++ log_dbg("blkid probe detected superblock type '%s'", blk_get_superblock_type(h)); ++ break; ++ case PRB_EMPTY: ++ log_dbg("Blkid probe detected no foreign device signature."); ++ } ++ blk_free(h); ++ return r; ++} ++ + /* + * Read and convert on-disk LUKS2 header to in-memory representation.. + * Try to do recovery if on-disk state is not consistent. + */ + int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, +- struct device *device, int do_recovery) ++ struct device *device, int do_recovery, int do_blkprobe) + { + enum { HDR_OK, HDR_OBSOLETE, HDR_FAIL, HDR_FAIL_IO } state_hdr1, state_hdr2; + struct luks2_hdr_disk hdr_disk1, hdr_disk2; +@@ -616,6 +663,12 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, + if (state_hdr1 == HDR_OK && state_hdr2 != HDR_OK) { + log_dbg("Secondary LUKS2 header requires recovery."); + ++ if (do_blkprobe && (r = detect_device_signatures(device_path(device)))) { ++ log_err(cd, _("Device contains ambiguous signatures, cannot auto-recover LUKS2.\n" ++ "Please run \"cryptsetup repair\" for recovery.")); ++ goto err; ++ } ++ + if (do_recovery) { + memcpy(&hdr_disk2, &hdr_disk1, LUKS2_HDR_BIN_LEN); + r = crypt_random_get(NULL, (char*)hdr_disk2.salt, sizeof(hdr_disk2.salt), CRYPT_RND_SALT); +@@ -631,6 +684,12 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, + } else if 
(state_hdr1 != HDR_OK && state_hdr2 == HDR_OK) { + log_dbg("Primary LUKS2 header requires recovery."); + ++ if (do_blkprobe && (r = detect_device_signatures(device_path(device)))) { ++ log_err(cd, _("Device contains ambiguous signatures, cannot auto-recover LUKS2.\n" ++ "Please run \"cryptsetup repair\" for recovery.")); ++ goto err; ++ } ++ + if (do_recovery) { + memcpy(&hdr_disk1, &hdr_disk2, LUKS2_HDR_BIN_LEN); + r = crypt_random_get(NULL, (char*)hdr_disk1.salt, sizeof(hdr_disk1.salt), CRYPT_RND_SALT); +diff --git a/lib/luks2/luks2_internal.h b/lib/luks2/luks2_internal.h +index e9beab8..dcabed7 100644 +--- a/lib/luks2/luks2_internal.h ++++ b/lib/luks2/luks2_internal.h +@@ -42,7 +42,7 @@ + * On-disk access function prototypes + */ + int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, +- struct device *device, int do_recovery); ++ struct device *device, int do_recovery, int do_blkprobe); + int LUKS2_disk_hdr_write(struct crypt_device *cd, struct luks2_hdr *hdr, + struct device *device); + +diff --git a/lib/luks2/luks2_json_metadata.c b/lib/luks2/luks2_json_metadata.c +index 362388e..125cad9 100644 +--- a/lib/luks2/luks2_json_metadata.c ++++ b/lib/luks2/luks2_json_metadata.c +@@ -853,7 +853,7 @@ int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr) + return r; + } + +- r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1); ++ r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1, 1); + if (r == -EAGAIN) { + /* unlikely: auto-recovery is required and failed due to read lock being held */ + device_read_unlock(crypt_metadata_device(cd)); +@@ -865,7 +865,7 @@ int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr) + return r; + } + +- r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1); ++ r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1, 1); + + device_write_unlock(crypt_metadata_device(cd)); + } else +-- +1.8.3.1 + 
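Review bot: detect_device_signatures() fails open: the `PRB_EMPTY` case, and any `blk_probe_status` value the switch does not list, leave `r` at the 0 stored by the successful blk_init_by_path(). An unexpected probe result is therefore treated as "no foreign signature" and auto-recovery proceeds. This function is the gate that stops a stale LUKS2 header from being rewritten onto a device blkid identifies as something else, so set `r = -EINVAL;` before the switch, make the empty case explicit with `r = 0; break;`, and add `default: break;`. The `PRB_AMBIGUOUS` fall-through also logs "Blkid probe failed." after the ambiguity message, and LUKS2_disk_hdr_read reports a blk_init_by_path() failure to the user as "ambiguous signatures"; distinct messages would make triage easier. LUKS2_disk_hdr_read continues outside the hunks shown.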
diff --git a/SOURCES/cryptsetup-2.0.4-rephrase-error-message-for-invalid-type-param-in-con.patch b/SOURCES/cryptsetup-2.0.4-rephrase-error-message-for-invalid-type-param-in-con.patch new file mode 100644 index 0000000..6c34ab8 --- /dev/null +++ b/SOURCES/cryptsetup-2.0.4-rephrase-error-message-for-invalid-type-param-in-con.patch @@ -0,0 +1,25 @@ +From b60e856087db77abbc5aa62a7f980e62b8b75029 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Tue, 17 Jul 2018 10:53:13 +0200 +Subject: [PATCH] Rephrase error message for invalid --type param in convert. + +--- + src/cryptsetup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/cryptsetup.c b/src/cryptsetup.c +index fc3481d..5f8df37 100644 +--- a/src/cryptsetup.c ++++ b/src/cryptsetup.c +@@ -1851,7 +1851,7 @@ static int action_luksConvert(void) + } else if (!strcmp(opt_type, "luks1")) { + to_type = CRYPT_LUKS1; + } else { +- log_err(_("Missing LUKS target type, option --type is required.")); ++ log_err(_("Invalid LUKS type, only luks1 and luks2 are supported.")); + return -EINVAL; + } + +-- +1.8.3.1 + diff --git a/SOURCES/cryptsetup-2.0.4-update-crypt_repair-API-documentation-for-LUKS2.patch b/SOURCES/cryptsetup-2.0.4-update-crypt_repair-API-documentation-for-LUKS2.patch new file mode 100644 index 0000000..a2f9d2e --- /dev/null +++ b/SOURCES/cryptsetup-2.0.4-update-crypt_repair-API-documentation-for-LUKS2.patch 
@@ -0,0 +1,40 @@ +From 167da99eaa9708289492e8fca2ebe4964cf5baa7 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Mon, 9 Jul 2018 17:27:55 +0200 +Subject: [PATCH 5/6] Update crypt_repair API documentation for LUKS2. + +--- + lib/libcryptsetup.h | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/lib/libcryptsetup.h b/lib/libcryptsetup.h +index 0a7ebdb..2d959fa 100644 +--- a/lib/libcryptsetup.h ++++ b/lib/libcryptsetup.h +@@ -624,7 +624,7 @@ int crypt_load(struct crypt_device *cd, + void *params); + + /** +- * Try to repair crypt device LUKS1 on-disk header if invalid. ++ * Try to repair crypt device LUKS on-disk header if invalid. + * + * @param cd crypt device handle + * @param requested_type @link crypt-type @endlink or @e NULL for all known +@@ -632,9 +632,11 @@ int crypt_load(struct crypt_device *cd, + * + * @returns 0 on success or negative errno value otherwise. + * +- * @note Does not support LUKS2 devices explicitly. LUKS2 header is auto-repaired +- * (if exactly one header checksum does not match) automatically on +- * crypt_load(). ++ * @note For LUKS2 device crypt_repair bypass blkid checks and ++ * perform auto-recovery even though there're third party device ++ * signatures found by blkid probes. Currently the crypt_repair on LUKS2 ++ * works only if exactly one header checksum does not match or exactly ++ * one header is missing. + */ + int crypt_repair(struct crypt_device *cd, + const char *requested_type, +-- +1.8.3.1 + diff --git a/SOURCES/cryptsetup-2.0.4-update-cryptsetup-man-page-for-type-option-usage.patch b/SOURCES/cryptsetup-2.0.4-update-cryptsetup-man-page-for-type-option-usage.patch new file mode 100644 index 0000000..d21d220 --- /dev/null +++ b/SOURCES/cryptsetup-2.0.4-update-cryptsetup-man-page-for-type-option-usage.patch 
@@ -0,0 +1,110 @@ +From 3f0f7acbc0dd72f1d98feb7af214cf12eb9bc47e Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Tue, 10 Jul 2018 14:36:45 +0200 +Subject: [PATCH] Update cryptsetup man page for --type option usage. + +Fixes #394. +--- + man/cryptsetup.8 | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +diff --git a/man/cryptsetup.8 b/man/cryptsetup.8 +index b2ef8cd..96d4fef 100644 +--- a/man/cryptsetup.8 ++++ b/man/cryptsetup.8 +@@ -70,8 +70,8 @@ The following are valid actions for all supported device types. + .IP + Opens (creates a mapping with) backed by device . + +-Device type can be \fIplain\fR, \fIluks\fR (default), \fIloopaes\fR +-or \fItcrypt\fR. ++Device type can be \fIplain\fR, \fIluks\fR (default), \fIluks1\fR, \fIluks2\fR, ++\fIloopaes\fR or \fItcrypt\fR. + + For backward compatibility there are \fBopen\fR command aliases: + +@@ -243,7 +243,7 @@ the command prompts for it interactively. + \fB\fR can be [\-\-key\-file, \-\-keyfile\-offset, + \-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase, + \-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id, +-\-\-token\-only, \-\-disable\-keyring, \-\-disable\-locks]. ++\-\-token\-only, \-\-disable\-keyring, \-\-disable\-locks, \-\-type]. + .PP + \fIluksSuspend\fR + .IP +@@ -266,7 +266,7 @@ Resumes a suspended device and reinstates the encryption key. + Prompts interactively for a passphrase if \-\-key-file is not given. + + \fB\fR can be [\-\-key\-file, \-\-keyfile\-size, \-\-header, +-\-\-disable\-keyring,\-\-disable\-locks] ++\-\-disable\-keyring, \-\-disable\-locks, \-\-type] + .PP + \fIluksAddKey\fR [] + .IP +@@ -285,7 +285,7 @@ is not required. + \-\-keyfile\-size, \-\-new\-keyfile\-offset, + \-\-new\-keyfile\-size, \-\-key\-slot, \-\-master\-key\-file, + \-\-iter\-time, \-\-force\-password, \-\-header, \-\-disable\-locks, +-\-\-unbound]. ++\-\-unbound, \-\-type]. 
+ .PP + \fIluksRemoveKey\fR [] + .IP +@@ -294,7 +294,7 @@ passphrase to be removed can be specified interactively, + as the positional argument or via \-\-key-file. + + \fB\fR can be [\-\-key\-file, \-\-keyfile\-offset, +-\-\-keyfile\-size, \-\-header, \-\-disable\-locks] ++\-\-keyfile\-size, \-\-header, \-\-disable\-locks, \-\-type] + + \fBWARNING:\fR If you read the passphrase from stdin + (without further argument or with '-' as an argument +@@ -328,7 +328,7 @@ inaccessible. + \fB\fR can be [\-\-key\-file, \-\-keyfile\-offset, + \-\-keyfile\-size, \-\-new\-keyfile\-offset, + \-\-new\-keyfile\-size, \-\-key\-slot, \-\-force\-password, \-\-header, +-\-\-disable\-locks]. ++\-\-disable\-locks, \-\-type]. + .PP + .PP + \fIluksConvertKey\fR +@@ -364,7 +364,7 @@ an interactive confirmation when doing so. Removing the last + passphrase makes a LUKS container permanently inaccessible. + + \fB\fR can be [\-\-key\-file, \-\-keyfile\-offset, +-\-\-keyfile\-size, \-\-header, \-\-disable\-locks]. ++\-\-keyfile\-size, \-\-header, \-\-disable\-locks, \-\-type]. + + \fBWARNING:\fR If you read the passphrase from stdin + (without further argument or with '-' as an argument +@@ -399,6 +399,8 @@ Set new UUID if \fI\-\-uuid\fR option is specified. + Returns true, if is a LUKS device, false otherwise. + Use option \-v to get human-readable feedback. 'Command successful.' + means the device is a LUKS device. ++ ++By specifying \-\-type you may query for specific LUKS version. + .PP + \fIluksDump\fR + .IP +@@ -417,7 +419,7 @@ either interactively or via \-\-key\-file. + + \fB\fR can be [\-\-dump\-master\-key, \-\-key\-file, + \-\-keyfile\-offset, \-\-keyfile\-size, \-\-header, \-\-disable\-locks, +-\-\-master\-key\-file]. ++\-\-master\-key\-file, \-\-type]. + + \fBWARNING:\fR If \-\-dump\-master\-key is used with \-\-key\-file + and the argument to \-\-key\-file is '-', no validation question +@@ -663,7 +665,8 @@ for LUKS device type. 
+ This command is useful to fix some known benign LUKS metadata + header corruptions. Only basic corruptions of unused keyslot + are fixable. This command will only change the LUKS header, not +-any key-slot data. ++any key-slot data. You may enforce LUKS version by adding \-\-type ++option. + + \fBWARNING:\fR Always create a binary backup of the original + header before calling this command. +-- +1.8.3.1 + diff --git a/SOURCES/cryptsetup-2.0.4-zero-length-lseek-blockwise-i-o-should-return-zero.patch b/SOURCES/cryptsetup-2.0.4-zero-length-lseek-blockwise-i-o-should-return-zero.patch new file mode 100644 index 0000000..6d4d7e3 --- /dev/null +++ b/SOURCES/cryptsetup-2.0.4-zero-length-lseek-blockwise-i-o-should-return-zero.patch @@ -0,0 +1,39 @@ +From 685bcc56351b3e46b69d46118d23268b69052097 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Tue, 19 Jun 2018 14:07:20 +0200 +Subject: [PATCH 1/4] Zero length lseek blockwise i/o should return zero. + +Note that both functions perform seek operations aligned to sector +boundary if possible before returning. + +Unaligned input offset gets aligned on first preceding sector +boundary. +--- + lib/utils_io.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/utils_io.c b/lib/utils_io.c +index 0f671d6..94c4ef6 100644 +--- a/lib/utils_io.c ++++ b/lib/utils_io.c +@@ -199,7 +199,7 @@ ssize_t write_lseek_blockwise(int fd, size_t bsize, size_t alignment, + if (lseek(fd, offset - frontHang, SEEK_SET) < 0) + return -1; + +- if (frontHang) { ++ if (frontHang && length) { + if (posix_memalign(&frontPadBuf, alignment, bsize)) + return -1; + +@@ -253,7 +253,7 @@ ssize_t read_lseek_blockwise(int fd, size_t bsize, size_t alignment, + if (lseek(fd, offset - frontHang, SEEK_SET) < 0) + return -1; + +- if (frontHang) { ++ if (frontHang && length) { + if (posix_memalign(&frontPadBuf, alignment, bsize)) + return -1; + +-- +1.8.3.1 + 
diff --git a/SOURCES/cryptsetup-argon2-fips.patch b/SOURCES/cryptsetup-argon2-fips.patch new file mode 100644 index 0000000..5261c8d --- /dev/null +++ b/SOURCES/cryptsetup-argon2-fips.patch @@ -0,0 +1,33 @@ +diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c +index 3716c26..540915b 100644 +--- a/lib/luks2/luks2_keyslot_luks2.c ++++ b/lib/luks2/luks2_keyslot_luks2.c +@@ -350,6 +350,13 @@ static int luks2_keyslot_get_key(struct crypt_device *cd, + crypt_free_volume_key(derived_key); + return -ENOMEM; + } ++ ++ if (crypt_fips_mode() && ++ (!strcmp(pbkdf.type, CRYPT_KDF_ARGON2I) || ++ !strcmp(pbkdf.type, CRYPT_KDF_ARGON2ID))) ++ log_verbose(cd, _("%s key derivation function is not currently FIPS-compliant."), ++ pbkdf.type); ++ + /* + * Calculate derived key, decrypt keyslot content and merge it. + */ +@@ -406,6 +413,14 @@ static int luks2_keyslot_update_json(struct crypt_device *cd, + if (!pbkdf) + return -EINVAL; + ++ if (crypt_fips_mode() && ++ (!strcmp(pbkdf->type, CRYPT_KDF_ARGON2I) || ++ !strcmp(pbkdf->type, CRYPT_KDF_ARGON2ID))) { ++ log_err(cd, _("%s key derivation function is not allowed in FIPS mode."), ++ pbkdf->type); ++ return -EINVAL; ++ } ++ + r = crypt_benchmark_pbkdf_internal(cd, CONST_CAST(struct crypt_pbkdf_type *)pbkdf, keyslot_key_len); + if (r < 0) + return r; diff --git a/SOURCES/cryptsetup-new-avoid-rh-kernel-bug.patch b/SOURCES/cryptsetup-new-avoid-rh-kernel-bug.patch new file mode 100644 index 0000000..2e9a27f --- /dev/null +++ b/SOURCES/cryptsetup-new-avoid-rh-kernel-bug.patch 
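Review bot: The two FIPS checks handle the same condition differently without saying why: luks2_keyslot_get_key only emits `log_verbose` and then derives the key with Argon2 anyway, while luks2_keyslot_update_json returns `-EINVAL`. If unlocking existing Argon2 keyslots in FIPS mode is intended (presumably so existing volumes stay accessible), say so above the first check, e.g. `/* FIPS: still allow unlocking existing Argon2 keyslots, only creating them is refused */`. The message is logged at verbose level only, so an operator will not see it by default. The duplicated `strcmp` pair would read better as one small static helper shared by both sites. Both functions start and end outside the hunks.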
@@ -0,0 +1,59 @@
+diff -rupN cryptsetup-2.0.3.old/lib/crypto_backend/crypto_cipher_kernel.c cryptsetup-2.0.3/lib/crypto_backend/crypto_cipher_kernel.c
+--- cryptsetup-2.0.3.old/lib/crypto_backend/crypto_cipher_kernel.c 2018-04-17 09:20:35.000000000 +0200
++++ cryptsetup-2.0.3/lib/crypto_backend/crypto_cipher_kernel.c 2018-05-07 14:13:45.176124062 +0200
+@@ -31,6 +31,7 @@
+ #ifdef ENABLE_AF_ALG
+
+ #include
++#include
+
+ #ifndef AF_ALG
+ #define AF_ALG 38
+@@ -44,6 +45,36 @@ struct crypt_cipher {
+ int opfd;
+ };
+
++
++static size_t pagesize(size_t defsize)
++{
++ long r = sysconf(_SC_PAGESIZE);
++ return r < 0 ? defsize : (size_t)r;
++}
++
++static int check_rh_kernel_version(void)
++{
++ unsigned maj, mid, min, rel;
++ static struct utsname uts = {{ 0 }};
++ size_t ps = pagesize(32768);
++
++ if (ps < 32768)
++ return 0;
++
++ if (!*uts.release && uname(&uts) < 0)
++ return -ENOTSUP;
++ /*
++ * RH kernels 3.10.0-185 and lower are affected by a crypto API kernel
++ * socket bug. The bug only manifests on archs with page size >= 32 KiB.
++ *
++ * For reference, see rhbz#1136075
++ */
++ if (sscanf(uts.release, "%u.%u.%u-%u", &maj, &mid, &min, &rel) == 4)
++ return (maj == 3 && mid == 10 && min == 0 && rel < 186) ? -ENOTSUP : 0;
++
++ return -ENOTSUP;
++}
++
+ /*
+ * ciphers
+ *
+@@ -60,6 +91,9 @@ int crypt_cipher_init(struct crypt_ciphe
+ .salg_type = "skcipher",
+ };
+
++ if (check_rh_kernel_version())
++ return -ENOTSUP;
++
+ h = malloc(sizeof(*h));
+ if (!h)
+ return -ENOMEM;
+Binary files cryptsetup-2.0.3.old/lib/crypto_backend/.crypto_cipher_kernel.c.rej.swp and cryptsetup-2.0.3/lib/crypto_backend/.crypto_cipher_kernel.c.rej.swp differ
diff --git a/SOURCES/cryptsetup-sector-size-detection.patch b/SOURCES/cryptsetup-sector-size-detection.patch
new file mode 100644
index 0000000..a10bff0
--- /dev/null
+++ b/SOURCES/cryptsetup-sector-size-detection.patch
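Review bot: check_rh_kernel_version falls through to `return -ENOTSUP` whenever `uts.release` does not match `"%u.%u.%u-%u"`, so on a system with page size >= 32 KiB any kernel with a differently shaped release string loses the kernel cipher backend, not only the affected 3.10.0 builds. crypt_cipher_init then returns `-ENOTSUP` with no message, which makes the fallback hard to diagnose. A comment on the final return such as `/* unparsable release string: assume affected */` would record that this is intentional. The `static struct utsname uts` cache is filled without locking, which matters if crypt_cipher_init can run on several threads (not visible here). The trailing `Binary files … .crypto_cipher_kernel.c.rej.swp differ` line suggests the patch was generated from a tree containing an editor swap file, so it should be regenerated from a clean tree.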
@@ -0,0 +1,13 @@
+--- cryptsetup-2.0.3.old/lib/libdevmapper.c 2018-05-03 18:30:59.000000000 +0200
++++ cryptsetup-2.0.3/lib/libdevmapper.c 2018-06-19 20:01:10.263369754 +0200
+@@ -164,6 +164,10 @@ static void _dm_set_crypt_compat(unsigne
+ _dm_flags |= DM_CAPI_STRING_SUPPORTED;
+ }
+
++ if (!_dm_satisfies_version(1, 15, 0, crypt_maj, crypt_min, crypt_patch) &&
++ _dm_satisfies_version(1, 14, 5, crypt_maj, crypt_min, crypt_patch))
++ _dm_flags |= DM_SECTOR_SIZE_SUPPORTED;
++
+ _dm_crypt_checked = true;
+ }
+
diff --git a/SOURCES/cryptsetup-tests-device-test.patch b/SOURCES/cryptsetup-tests-device-test.patch
new file mode 100644
index 0000000..ebc7186
--- /dev/null
+++ b/SOURCES/cryptsetup-tests-device-test.patch
@@ -0,0 +1,17 @@
+diff -rupN cryptsetup-2.0.3.old/tests/device-test cryptsetup-2.0.3/tests/device-test
+--- cryptsetup-2.0.3.old/tests/device-test 2018-06-06 11:00:28.716305843 -0400
++++ cryptsetup-2.0.3/tests/device-test 2018-06-06 11:00:37.036343168 -0400
+@@ -39,11 +39,12 @@ function dm_crypt_features()
+
+ VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
+ VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
++ VER_PAT=$(echo $VER_STR | cut -f 3 -d.)
+
+ [ $VER_MAJ -lt 1 ] && return
+ [ $VER_MAJ -eq 1 -a $VER_MIN -lt 14 ] && return
+ DM_PERF_CPU=1
+- [ $VER_MAJ -eq 1 -a $VER_MIN -lt 17 ] && return
++ [ $VER_MAJ -eq 1 -a $VER_MIN -lt 15 -a $VER_PAT -lt 5 ] && return
+ DM_SECTOR_SIZE=1
+ }
+
diff --git a/SPECS/cryptsetup.spec b/SPECS/cryptsetup.spec
index 6dce8eb..cdd8c23 100644
--- a/SPECS/cryptsetup.spec
+++ b/SPECS/cryptsetup.spec
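Review bot: The new condition in _dm_set_crypt_compat sets `DM_SECTOR_SIZE_SUPPORTED` only for dm-crypt target versions from 1.14.5 up to but not including 1.15.0, and nothing in the code says why that window is special. Presumably it matches a distribution kernel that backported sector-size support into the 1.14.x series. That should be stated next to the check, e.g. `/* distribution backport: sector_size is available in dm-crypt 1.14.5+ of the 1.14.x series */` (wording to be confirmed by the author). The function starts outside the hunk, so how versions from 1.15.0 on are handled is not visible here.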
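Review bot: The replacement test `[ $VER_MAJ -eq 1 -a $VER_MIN -lt 15 -a $VER_PAT -lt 5 ] && return` no longer returns for 1.15.x and 1.16.x, which the removed `-lt 17` line excluded. dm_crypt_features therefore sets `DM_SECTOR_SIZE=1` for versions that the accompanying libdevmapper.c change (1.14.5 up to 1.15.0) does not cover. It is also fragile when `VER_STR` has no third component: `VER_PAT` is then empty, the unquoted `[` expression fails to parse, and the function carries on to `DM_SECTOR_SIZE=1`. Splitting the check keeps both ranges: `[ $VER_MAJ -eq 1 -a $VER_MIN -eq 14 -a "${VER_PAT:-0}" -lt 5 ] && return` followed by `[ $VER_MAJ -eq 1 -a $VER_MIN -ge 15 -a $VER_MIN -lt 17 ] && return`. The function starts outside the hunk.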
@@ -1,20 +1,52 @@ %{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} -%define python3_enable 0 +%if 0%{?fedora} +%if 0%{?fedora} >= 29 +Obsoletes: python2-cryptsetup +Obsoletes: cryptsetup-python3 +%global python2_enable 0 +%global python3_enable 0 +%else +%global python2_enable 1 +%global python3_enable 1 +%endif +%else +Obsoletes: cryptsetup-python3 +%global python3_enable 0 +%if 0%{?rhel} == 7 +%global python2_enable 1 +# Change to 1 when argon2 lands +%global libargon2_enable 0 +# Change to 1 when dm-integrity gets backported +%global integritysetup_enable 0 +%else +Obsoletes: cryptsetup-python +Obsoletes: python2-cryptsetup +%global python2_enable 0 +%endif +%endif + Summary: A utility for setting up encrypted disks Name: cryptsetup -Version: 1.7.4 -Release: 4%{?dist} +Version: 2.0.3 +Release: 3%{?dist} License: GPLv2+ and LGPLv2+ Group: Applications/System URL: https://gitlab.com/cryptsetup/cryptsetup BuildRequires: libgcrypt-devel, popt-devel, device-mapper-devel BuildRequires: libgpg-error-devel, libuuid-devel, libsepol-devel -BuildRequires: libselinux-devel, python-devel, libpwquality-devel +BuildRequires: libselinux-devel, gcc, libblkid-devel +%if %{python2_enable} +BuildRequires: python-devel +%endif %if %{python3_enable} BuildRequires: python3-devel %endif +BuildRequires: libpwquality-devel, json-c-devel +%if 0%{?libargon2_enable} +BuildRequires: libargon2-devel +%endif Provides: cryptsetup-luks = %{version}-%{release} Obsoletes: cryptsetup-luks < 1.4.0 Requires: cryptsetup-libs%{?_isa} = %{version}-%{release} 
@@ -22,14 +54,34 @@ Requires: libpwquality >= 1.2.0 %define dracutmodulesdir %{_prefix}/lib/dracut/modules.d %define upstream_version %{version} -Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-%{upstream_version}.tar.xz +%define upstream_version_old 1.7.4 +Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{upstream_version}.tar.xz +Source1: https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-%{upstream_version_old}.tar.xz +# version 1.7.4 only (all of it, up to next comment) Patch0: %{name}-avoid-rh-kernel-bug.patch Patch1: %{name}-1.7.5-fix-unaligned-access-to-hidden-truecrypt.patch Patch2: %{name}-1.7.5-fix-luksformat-in-fips-mode.patch Patch3: %{name}-1.7.6-fix-blockwise-access-functions-for-64k-page-size.patch Patch4: %{name}-1.7.6-crypt_deactivate-fail-earlier-when-holders-detected.patch -Patch5: %{name}-1.7.6-cryptsetup-reencrypt-progress-frequency-parameter.patch -Patch6: %{name}-1.7.6-dracut-reencrypt-add-progress-frequency.patch +# 2.0.x only +Patch5: %{name}-2.0.4-dracut-reencrypt.patch +Patch6: %{name}-new-avoid-rh-kernel-bug.patch +Patch7: %{name}-sector-size-detection.patch +Patch8: %{name}-tests-device-test.patch +Patch9: %{name}-argon2-fips.patch +Patch10: %{name}-2.0.4-zero-length-lseek-blockwise-i-o-should-return-zero.patch +Patch11: %{name}-2.0.4-fix-write_lseek_blockwise-for-in-the-middle-of-secto.patch +Patch12: %{name}-2.0.4-fix-write_blockwise-on-short-files.patch +Patch13: %{name}-2.0.4-add-blkid-utilities-for-fast-detection-of-device-sig.patch +Patch14: %{name}-2.0.4-make-LUKS2-auto-recovery-aware-of-device-signatures.patch +Patch15: %{name}-2.0.4-allow-LUKS2-repair-to-override-blkid-checks.patch +Patch16: %{name}-2.0.4-allow-explicit-LUKS2-repair.patch +Patch17: %{name}-2.0.4-update-crypt_repair-API-documentation-for-LUKS2.patch +Patch18: %{name}-2.0.4-allow-LUKS2-repair-with-disabled-locks.patch +# the configure patch must be applied last +Patch19: 
%{name}-2.0.4-configure.patch +Patch20: %{name}-2.0.4-update-cryptsetup-man-page-for-type-option-usage.patch +Patch21: %{name}-2.0.4-rephrase-error-message-for-invalid-type-param-in-con.patch %if 0%{?fedora} >= 19 || 0%{?rhel} >= 7 %define configure_cipher --enable-gcrypt-pbkdf2 @@ -37,6 +89,15 @@ Patch6: %{name}-1.7.6-dracut-reencrypt-add-progress-frequency.patch %define configure_cipher --with-luks1-cipher=aes --with-luks1-mode=cbc-essiv:sha256 --with-luks1-keybits=256 %endif +%if 0%{?libargon2_enable} +%define configure_libargon2 --enable-libargon2 +%endif +%if 0%{?integritysetup_enable} +%define configure_integritysetup --enable-integritysetup +%else +%define configure_integritysetup --disable-integritysetup +%endif + %description The cryptsetup package contains a utility for setting up disk encryption using dm-crypt kernel module. 
@@ -115,22 +176,49 @@ for setting up disk encryption using dm-crypt kernel module. %prep %setup -q -n cryptsetup-%{upstream_version} -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch20 -p1 +%patch21 -p1 +# the configure patch (always last) +%patch19 -p1 chmod -x python/pycryptsetup-test.py +chmod -x misc/dracut_90reencrypt/* %if %{python3_enable} # copy the whole directory for the python3 build cp -a . %{py3dir} %endif +%setup -T -a 1 -D -n cryptsetup-%{upstream_version} +pushd cryptsetup-1.7.4 +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 + %build -%configure --enable-python --enable-fips --enable-cryptsetup-reencrypt --enable-pwquality %{?configure_cipher} +%configure --enable-fips --enable-pwquality --with-default-luks-format=LUKS1 %{?configure_cipher} %{?configure_libargon2} %{?configure_integritysetup} +pushd cryptsetup-1.7.4 +%configure --enable-python --enable-fips --enable-pwquality --disable-cryptsetup-reencrypt --disable-veritysetup %{?configure_cipher} +# remove rpath +sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool +sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool +make %{?_smp_mflags} +popd # remove rpath sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool @@ -144,6 +232,9 @@ popd %endif %install +pushd cryptsetup-1.7.4 +make install DESTDIR=%{buildroot} +popd make install DESTDIR=%{buildroot} rm -rf %{buildroot}/%{_libdir}/*.la 
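Review bot: The legacy tree is entered with a hard-coded `pushd cryptsetup-1.7.4` in %prep and %build, and again in the %install hunk that follows, although the spec defines `%{upstream_version_old}` for exactly that version. A later bump of the old tarball would then unpack one directory while the scripts try to enter another. Use `pushd cryptsetup-%{upstream_version_old}` in all three places.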
@@ -160,6 +251,7 @@ install -d -m755 %{buildroot}/%{dracutmodulesdir}/90reencrypt install -m755 misc/dracut_90reencrypt/module-setup.sh %{buildroot}/%{dracutmodulesdir}/90reencrypt install -m755 misc/dracut_90reencrypt/parse-reencrypt.sh %{buildroot}/%{dracutmodulesdir}/90reencrypt install -m755 misc/dracut_90reencrypt/reencrypt.sh %{buildroot}/%{dracutmodulesdir}/90reencrypt +install -m755 misc/dracut_90reencrypt/reencrypt-verbose.sh %{buildroot}/%{dracutmodulesdir}/90reencrypt %post -n cryptsetup-libs -p /sbin/ldconfig @@ -178,6 +270,14 @@ install -m755 misc/dracut_90reencrypt/reencrypt.sh %{buildroot}/%{dracutmodulesd %{_mandir}/man8/veritysetup.8.gz %{_sbindir}/veritysetup +%if %{integritysetup_enable} +%files -n integritysetup +%{!?_licensedir:%global license %%doc} +%license COPYING +%{_mandir}/man8/integritysetup.8.gz +%{_sbindir}/integritysetup +%endif + %files reencrypt %{!?_licensedir:%global license %%doc} %license COPYING @@ -197,6 +297,8 @@ install -m755 misc/dracut_90reencrypt/reencrypt.sh %{buildroot}/%{dracutmodulesd %{!?_licensedir:%global license %%doc} %license COPYING COPYING.LGPL %{_libdir}/libcryptsetup.so.* +%{_tmpfilesdir}/cryptsetup.conf +%ghost %attr(700, -, -) %dir /run/cryptsetup %files python %{!?_licensedir:%global license %%doc} 
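Review bot: In the `@@ -178,6 +270,14 @@` hunk the `%files -n integritysetup` section is guarded by `%if %{integritysetup_enable}`, but that macro is only defined in the `0%{?rhel} == 7` branch at the top of the spec. On any other target the unguarded form leaves the literal `%{integritysetup_enable}` in the condition, which rpm cannot evaluate. The configure block already tests it as `%if 0%{?integritysetup_enable}`, so write the guard here the same way: `%if 0%{?integritysetup_enable}`.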
@@ -217,6 +319,24 @@ install -m755 misc/dracut_90reencrypt/reencrypt.sh %{buildroot}/%{dracutmodulesd %clean %changelog +* Tue Jul 31 2018 Ondrej Kozina - 2.0.3-3 +- Add expected permissions explicitly for locking directory. +- Reinstate sed script removing library rpath from libtool + script due to bug in upstream sources distribution. +- Resolves: #1609847 #1610379 + +* Mon Jul 16 2018 Ondrej Kozina - 2.0.3-2 +- patch: stop LUKS2 auto-recovery if device is no longer LUKS + type +- patch: update cryptsetup man page for --type option +- patch: rephrase error message for invalid --type option in + convert action +- Resolves: #1599281 #1601477 #1601481 + +* Wed Jun 20 2018 Ondrej Kozina - 2.0.3-1 +- Update to cryptsetup 2.0.3. +- Resolves: #1475904 #1380347 #1416174 #1536105 #1574239 + * Thu Oct 19 2017 Ondrej Kozina - 1.7.4-4 - patch: fix regression in blockwise functions - patch: avoid repeating error messages when device holders