commit b337351dac0ccd01b66abb900b4eef7b51ebfffe Author: overweight <5324761+overweight@user.noreply.gitee.com> Date: Mon Sep 30 10:36:13 2019 -0400 Package init diff --git a/0000-cryptsetup-add-system-library-paths.patch b/0000-cryptsetup-add-system-library-paths.patch new file mode 100644 index 0000000..cc22adf --- /dev/null +++ b/0000-cryptsetup-add-system-library-paths.patch @@ -0,0 +1,22 @@ +diff -rupN cryptsetup-2.0.4.old/configure cryptsetup-2.0.4/configure +--- cryptsetup-2.0.4.old/configure 2018-08-03 12:31:52.000000000 +0200 ++++ cryptsetup-2.0.4/configure 2018-08-03 13:42:50.605275535 +0200 +@@ -12300,6 +12300,9 @@ fi + # before this can be enabled. + hardcode_into_libs=yes + ++ # Add ABI-specific directories to the system library path. ++ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" ++ + # Ideally, we could use ldconfig to report *all* directores which are + # searched for libraries, however this is still not possible. Aside from not + # being certain /sbin/ldconfig is available, command +@@ -12308,7 +12311,7 @@ fi + # appending ld.so.conf contents (and includes) to the search path. + if test -f /etc/ld.so.conf; then + lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` +- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" ++ sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra" + fi + + # We used to test for /lib/ld.so.1 and disable shared libraries on diff --git a/6000-Emit-error-message-for-converting-inactive-keyslot.patch b/6000-Emit-error-message-for-converting-inactive-keyslot.patch new file mode 100644 index 0000000..5dacf45 --- /dev/null +++ b/6000-Emit-error-message-for-converting-inactive-keyslot.patch @@ -0,0 +1,30 @@ +From 1c6d66fccc91ff37d7f991a3213bc33f5f6426b6 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Fri, 14 Sep 2018 11:18:48 +0200 +Subject: [PATCH 040/324] Emit error message for converting inactive keyslot. + +Fixes: #416. +--- + src/cryptsetup.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/cryptsetup.c b/src/cryptsetup.c +index 52efd71..cc3520c 100644 +--- a/src/cryptsetup.c ++++ b/src/cryptsetup.c +@@ -1535,6 +1535,12 @@ static int action_luksConvertKey(void) + if ((r = crypt_load(cd, CRYPT_LUKS2, NULL))) + goto out; + ++ if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_INACTIVE) { ++ r = -EINVAL; ++ log_err(_("Keyslot %d is not active."), opt_key_slot); ++ goto out; ++ } ++ + r = set_pbkdf_params(cd, crypt_get_type(cd)); + if (r) { + log_err(_("Failed to set pbkdf parameters.")); +-- +2.19.1 + diff --git a/6001-Move-blkid-scan-after-device-context-initialization.patch b/6001-Move-blkid-scan-after-device-context-initialization.patch new file mode 100644 index 0000000..a7742d7 --- /dev/null +++ b/6001-Move-blkid-scan-after-device-context-initialization.patch @@ -0,0 +1,103 @@ +From b93b67633676e4b9ae627532774c60661e3a1613 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Mon, 24 Sep 2018 14:58:16 +0200 +Subject: [PATCH 041/324] Move blkid scan after device context initialization. + +Fixes bug with misleading error message when target device +does not exist. +--- + src/cryptsetup.c | 30 ++++++++++++++++-------------- + src/integritysetup.c | 20 +++++++++++--------- + 2 files changed, 27 insertions(+), 23 deletions(-) + +diff --git a/src/cryptsetup.c b/src/cryptsetup.c +index cc3520c..371948f 100644 +--- a/src/cryptsetup.c ++++ b/src/cryptsetup.c +@@ -987,20 +987,6 @@ static int action_luksFormat(void) + + header_device = opt_header_device ?: action_argv[0]; + +- /* Print all present signatures in read-only mode */ +- r = tools_detect_signatures(header_device, 0, &signatures); +- if (r < 0) +- return r; +- +- r = asprintf(&msg, _("This will overwrite data on %s irrevocably."), header_device); +- if (r == -1) +- return -ENOMEM; +- +- r = yesDialog(msg, _("Operation aborted.\n")) ? 0 : -EINVAL; +- free(msg); +- if (r < 0) +- return r; +- + r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1), + cipher, NULL, cipher_mode); + if (r < 0) { +@@ -1028,6 +1014,22 @@ static int action_luksFormat(void) + return r; + } + ++ /* Print all present signatures in read-only mode */ ++ r = tools_detect_signatures(header_device, 0, &signatures); ++ if (r < 0) ++ goto out; ++ ++ r = asprintf(&msg, _("This will overwrite data on %s irrevocably."), header_device); ++ if (r == -1) { ++ r = -ENOMEM; ++ goto out; ++ } ++ ++ r = yesDialog(msg, _("Operation aborted.\n")) ? 0 : -EINVAL; ++ free(msg); ++ if (r < 0) ++ goto out; ++ + keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8 + integrity_keysize; + + if (opt_random) +diff --git a/src/integritysetup.c b/src/integritysetup.c +index c1c31ee..a3b382f 100644 +--- a/src/integritysetup.c ++++ b/src/integritysetup.c +@@ -209,24 +209,26 @@ static int action_format(int arg) + params.journal_crypt = journal_crypt; + } + +- r = tools_detect_signatures(action_argv[0], 0, &signatures); ++ r = _read_keys(&integrity_key, ¶ms); ++ if (r) ++ goto out; ++ ++ r = crypt_init(&cd, action_argv[0]); + if (r < 0) +- return r; ++ goto out; + + r = asprintf(&msg, _("This will overwrite data on %s irrevocably."), action_argv[0]); +- if (r == -1) +- return -ENOMEM; ++ if (r == -1) { ++ r = -ENOMEM; ++ goto out; ++ } + + r = yesDialog(msg, _("Operation aborted.\n")) ? 0 : -EINVAL; + free(msg); + if (r < 0) +- return r; +- +- r = _read_keys(&integrity_key, ¶ms); +- if (r) + goto out; + +- r = crypt_init(&cd, action_argv[0]); ++ r = tools_detect_signatures(action_argv[0], 0, &signatures); + if (r < 0) + goto out; + +-- +2.19.1 + diff --git a/6002-Add-blkid-scan-when-attemting-to-open-plain-device.patch b/6002-Add-blkid-scan-when-attemting-to-open-plain-device.patch new file mode 100644 index 0000000..d49ee82 --- /dev/null +++ b/6002-Add-blkid-scan-when-attemting-to-open-plain-device.patch @@ -0,0 +1,110 @@ +From ee689d88b4bd9584272e01f1c467aa4648280004 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Mon, 24 Sep 2018 15:38:05 +0200 +Subject: [PATCH 042/324] Add blkid scan when attemting to open plain device. + +Warn user about existing device signatures on candidate ciphertext +device and prompt for action confirmation. + +Fixes #411. +--- + src/cryptsetup.c | 27 ++++++++++++++++++++++++--- + tests/device-test | 6 +++--- + tests/discards-test | 2 +- + 3 files changed, 28 insertions(+), 7 deletions(-) + +diff --git a/src/cryptsetup.c b/src/cryptsetup.c +index 371948f..90fc703 100644 +--- a/src/cryptsetup.c ++++ b/src/cryptsetup.c +@@ -166,7 +166,7 @@ static void _set_activation_flags(uint32_t *flags) + static int action_open_plain(void) + { + struct crypt_device *cd = NULL; +- char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN]; ++ char *msg, cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN]; + struct crypt_params_plain params = { + .hash = opt_hash ?: DEFAULT_PLAIN_HASH, + .skip = opt_skip, +@@ -175,8 +175,8 @@ static int action_open_plain(void) + .sector_size = opt_sector_size, + }; + char *password = NULL; +- size_t passwordLen, key_size_max; +- size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8; ++ size_t passwordLen, key_size_max, signatures, ++ key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8; + uint32_t activate_flags = 0; + int r; + +@@ -205,6 +205,27 @@ static int action_open_plain(void) + if ((r = crypt_init(&cd, action_argv[0]))) + goto out; + ++ /* Skip blkid scan when activating plain device with offset */ ++ if (!opt_offset) { ++ /* Print all present signatures in read-only mode */ ++ r = tools_detect_signatures(action_argv[0], 0, &signatures); ++ if (r < 0) ++ goto out; ++ } ++ ++ if (signatures) { ++ r = asprintf(&msg, _("Detected device signature(s) on %s. Proceeding further may damage existing data."), action_argv[0]); ++ if (r == -1) { ++ r = -ENOMEM; ++ goto out; ++ } ++ ++ r = yesDialog(msg, _("Operation aborted.\n")) ? 0 : -EINVAL; ++ free(msg); ++ if (r < 0) ++ goto out; ++ } ++ + r = crypt_format(cd, CRYPT_PLAIN, + cipher, cipher_mode, + NULL, NULL, +diff --git a/tests/device-test b/tests/device-test +index b9ba98d..c49eb84 100755 +--- a/tests/device-test ++++ b/tests/device-test +@@ -97,11 +97,11 @@ if [ -z "$DM_PERF_CPU" ]; then + SKIP_COUNT=$((SKIP_COUNT+1)) + else + # plain +- echo -e "$PWD1" | $CRYPTSETUP open --type plain $DEV $DEV_NAME --perf-same_cpu_crypt --perf-submit_from_crypt_cpus || fail ++ echo -e "$PWD1" | $CRYPTSETUP open -q --type plain $DEV $DEV_NAME --perf-same_cpu_crypt --perf-submit_from_crypt_cpus || fail + $CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail + $CRYPTSETUP status $DEV_NAME | grep -q submit_from_crypt_cpus || fail + $CRYPTSETUP close $DEV_NAME || fail +- echo -e "$PWD1" | $CRYPTSETUP open --type plain $DEV $DEV_NAME --perf-same_cpu_crypt --allow-discards || fail ++ echo -e "$PWD1" | $CRYPTSETUP open -q --type plain $DEV $DEV_NAME --perf-same_cpu_crypt --allow-discards || fail + $CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail + $CRYPTSETUP status $DEV_NAME | grep -q discards || fail + $CRYPTSETUP close $DEV_NAME || fail +@@ -152,7 +152,7 @@ else + echo -e "$PWD1" | $CRYPTSETUP open --type plain $DEV $DEV_NAME --sector-size 1234 >/dev/null 2>&1 && fail + for S in 512 1024 2048 4096; do + echo -n "[$S]" +- echo -e "$PWD1" | $CRYPTSETUP open --type plain $DEV $DEV_NAME --sector-size $S || fail ++ echo -e "$PWD1" | $CRYPTSETUP open -q --type plain $DEV $DEV_NAME --sector-size $S || fail + check_sector_size $S + $CRYPTSETUP close $DEV_NAME || fail + done +diff --git a/tests/discards-test b/tests/discards-test +index 5ffe7ab..476c04d 100755 +--- a/tests/discards-test ++++ b/tests/discards-test +@@ -74,7 +74,7 @@ dmsetup table $DEV_NAME | grep allow_discards >/dev/null || fail + $CRYPTSETUP luksClose $DEV_NAME || fail + + echo "[2] Allowing discards for plain device" +-echo $PWD1 | $CRYPTSETUP create $DEV_NAME $DEV --hash sha1 --allow-discards || fail ++echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha1 --allow-discards || fail + $CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail + $CRYPTSETUP resize $DEV_NAME --size 100 || fail + $CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail +-- +2.19.1 + diff --git a/6003-Wiping-empty-device-should-not-fail.patch b/6003-Wiping-empty-device-should-not-fail.patch new file mode 100644 index 0000000..acb5f4f --- /dev/null +++ b/6003-Wiping-empty-device-should-not-fail.patch @@ -0,0 +1,25 @@ +From 879e06db39cb2d1113bb64a9ec0b5480cb837fca Mon Sep 17 00:00:00 2001 +From: Milan Broz +Date: Thu, 11 Oct 2018 15:38:56 +0200 +Subject: [PATCH 061/324] Wiping empty device should not fail. + +--- + lib/utils_wipe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/utils_wipe.c b/lib/utils_wipe.c +index 77550c7..04cc531 100644 +--- a/lib/utils_wipe.c ++++ b/lib/utils_wipe.c +@@ -161,7 +161,7 @@ int crypt_wipe_device(struct crypt_device *cd, + return errno ? -errno : -EINVAL; + + r = device_size(device, &dev_size); +- if (r) ++ if (r || dev_size == 0) + goto out; + + if (length) { +-- +2.19.1 + diff --git a/6004-Do-not-copy-buffer-if-read-fails.patch b/6004-Do-not-copy-buffer-if-read-fails.patch new file mode 100644 index 0000000..02f4d1e --- /dev/null +++ b/6004-Do-not-copy-buffer-if-read-fails.patch @@ -0,0 +1,26 @@ +From 31532adf8636f9795ab5f077ace4e3f00148d399 Mon Sep 17 00:00:00 2001 +From: Milan Broz +Date: Thu, 11 Oct 2018 15:39:31 +0200 +Subject: [PATCH 062/324] Do not copy buffer if read fails. + +--- + lib/utils_io.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/utils_io.c b/lib/utils_io.c +index 1facac0..d7e1cbe 100644 +--- a/lib/utils_io.c ++++ b/lib/utils_io.c +@@ -184,7 +184,8 @@ ssize_t read_blockwise(int fd, size_t bsize, size_t alignment, + out: + free(hangover_buf); + if (buf != orig_buf) { +- memcpy(orig_buf, buf, length); ++ if (ret == length) ++ memcpy(orig_buf, buf, length); + free(buf); + } + return ret; +-- +2.19.1 + diff --git a/6005-Do-not-fail-if-device-is-smaller-than-requested-wipe.patch b/6005-Do-not-fail-if-device-is-smaller-than-requested-wipe.patch new file mode 100644 index 0000000..0b4e92b --- /dev/null +++ b/6005-Do-not-fail-if-device-is-smaller-than-requested-wipe.patch @@ -0,0 +1,27 @@ +From 36e883967538069d81634bd2e6fa188732f0a77a Mon Sep 17 00:00:00 2001 +From: Milan Broz +Date: Thu, 11 Oct 2018 21:19:35 +0200 +Subject: [PATCH 066/324] Do not fail if device is smaller than requested wipe + size. + +--- + lib/utils_wipe.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/utils_wipe.c b/lib/utils_wipe.c +index 04cc531..b1afc0f 100644 +--- a/lib/utils_wipe.c ++++ b/lib/utils_wipe.c +@@ -164,6 +164,9 @@ int crypt_wipe_device(struct crypt_device *cd, + if (r || dev_size == 0) + goto out; + ++ if (dev_size < length) ++ length = 0; ++ + if (length) { + if ((dev_size <= offset) || (dev_size - offset) < length) { + r = -EINVAL; +-- +2.19.1 + diff --git a/6006-Do-not-print-error-for-used-device-twice.patch b/6006-Do-not-print-error-for-used-device-twice.patch new file mode 100644 index 0000000..4e35209 --- /dev/null +++ b/6006-Do-not-print-error-for-used-device-twice.patch @@ -0,0 +1,30 @@ +From bebd2fe7e7ca0d70981e50b919b3d230e9c945de Mon Sep 17 00:00:00 2001 +From: Milan Broz +Date: Fri, 12 Oct 2018 09:44:28 +0200 +Subject: [PATCH 067/324] Do not print error for used device twice. + +--- + lib/setup.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/lib/setup.c b/lib/setup.c +index e8ba704..9607bed 100644 +--- a/lib/setup.c ++++ b/lib/setup.c +@@ -1540,12 +1540,8 @@ static int _crypt_format_luks2(struct crypt_device *cd, + } + + r = device_check_access(cd, crypt_metadata_device(cd), DEV_EXCL); +- if (r < 0) { +- log_err(cd, _("Cannot use device %s which is in use " +- "(already mapped or mounted)."), +- device_path(crypt_metadata_device(cd))); ++ if (r < 0) + return r; +- } + + if (!(cd->type = strdup(CRYPT_LUKS2))) + return -ENOMEM; +-- +2.19.1 + diff --git a/6007-Fix-issues-found-by-Coverity-scan.patch b/6007-Fix-issues-found-by-Coverity-scan.patch new file mode 100644 index 0000000..893a017 --- /dev/null +++ b/6007-Fix-issues-found-by-Coverity-scan.patch @@ -0,0 +1,29 @@ +From 27eaf46c8a4e512588792725a2a27afd4648700d Mon Sep 17 00:00:00 2001 +From: Milan Broz +Date: Sun, 14 Oct 2018 21:47:11 +0200 +Subject: [PATCH 077/324] Fix issues found by Coverity scan. + +- possible overflow of data offset calculation in wipe and +- dereferencing of pointer in a keyring error path. +--- + lib/luks1/keymanage.c | 2 +- + lib/utils_keyring.c | 3 ++- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/lib/utils_keyring.c b/lib/utils_keyring.c +index 2631405..35bf32b 100644 +--- a/lib/utils_keyring.c ++++ b/lib/utils_keyring.c +@@ -133,7 +133,8 @@ int keyring_get_passphrase(const char *key_desc, + + if (ret < 0) { + err = errno; +- crypt_memzero(buf, len); ++ if (buf) ++ crypt_memzero(buf, len); + free(buf); + return -err; + } +-- +2.19.1 + diff --git a/6008-Properly-propagate-error-from-AF-diffuse-function.patch b/6008-Properly-propagate-error-from-AF-diffuse-function.patch new file mode 100644 index 0000000..5cd993f --- /dev/null +++ b/6008-Properly-propagate-error-from-AF-diffuse-function.patch @@ -0,0 +1,104 @@ +From 36c26b690370ce9a9fcf274bc97a5a50a3fd0e33 Mon Sep 17 00:00:00 2001 +From: Milan Broz +Date: Tue, 20 Nov 2018 15:25:53 +0100 +Subject: [PATCH 101/324] Properly propagate error from AF diffuse function. + +--- + lib/luks1/af.c | 38 ++++++++++++++++++++++---------------- + 1 file changed, 22 insertions(+), 16 deletions(-) + +diff --git a/lib/luks1/af.c b/lib/luks1/af.c +index af6c1af..3d7cf0b 100644 +--- a/lib/luks1/af.c ++++ b/lib/luks1/af.c +@@ -64,31 +64,34 @@ out: + /* diffuse: Information spreading over the whole dataset with + * the help of hash function. + */ +- + static int diffuse(char *src, char *dst, size_t size, const char *hash_name) + { + int hash_size = crypt_hash_size(hash_name); + unsigned int digest_size; +- unsigned int i, blocks, padding; ++ unsigned int i, r, blocks, padding; + + if (hash_size <= 0) +- return 1; ++ return -EINVAL; + digest_size = hash_size; + + blocks = size / digest_size; + padding = size % digest_size; + +- for (i = 0; i < blocks; i++) +- if(hash_buf(src + digest_size * i, ++ for (i = 0; i < blocks; i++) { ++ r = hash_buf(src + digest_size * i, + dst + digest_size * i, +- i, (size_t)digest_size, hash_name)) +- return 1; ++ i, (size_t)digest_size, hash_name); ++ if (r < 0) ++ return r; ++ } + +- if(padding) +- if(hash_buf(src + digest_size * i, ++ if (padding) { ++ r = hash_buf(src + digest_size * i, + dst + digest_size * i, +- i, (size_t)padding, hash_name)) +- return 1; ++ i, (size_t)padding, hash_name); ++ if (r < 0) ++ return r; ++ } + + return 0; + } +@@ -104,17 +107,19 @@ int AF_split(const char *src, char *dst, size_t blocksize, + { + unsigned int i; + char *bufblock; +- int r = -EINVAL; ++ int r; + + if((bufblock = calloc(blocksize, 1)) == NULL) return -ENOMEM; + + /* process everything except the last block */ + for(i=0; i +Date: Sat, 24 Nov 2018 17:47:55 +0100 +Subject: [PATCH 106/324] Check for device size and sector size misalignment. + +Kernel prevents activation of device that is not aligned +to requested sector size. + +Add early check to plain and LUKS2 formats to disallow +creation of such a device. +(Activation will fail in kernel later anyway.) + +Fixes #390. +--- + lib/setup.c | 20 ++++++++++++ + tests/align-test | 53 +++++++++++++++++++++++++++--- + tests/align-test2 | 83 +++++++++++++++++++++++++++++++++-------------- + 3 files changed, 127 insertions(+), 29 deletions(-) + +diff --git a/lib/setup.c b/lib/setup.c +index a07c29c..ef4d453 100644 +--- a/lib/setup.c ++++ b/lib/setup.c +@@ -1321,6 +1321,7 @@ static int _crypt_format_plain(struct crypt_device *cd, + struct crypt_params_plain *params) + { + unsigned int sector_size = params ? params->sector_size : SECTOR_SIZE; ++ uint64_t dev_size; + + if (!cipher || !cipher_mode) { + log_err(cd, _("Invalid plain crypt parameters.")); +@@ -1347,6 +1348,15 @@ static int _crypt_format_plain(struct crypt_device *cd, + return -EINVAL; + } + ++ if (sector_size > SECTOR_SIZE && !device_size(cd->device, &dev_size)) { ++ if (params && params->offset) ++ dev_size -= (params->offset * SECTOR_SIZE); ++ if (dev_size % sector_size) { ++ log_err(cd, _("Device size is not aligned to requested sector size.")); ++ return -EINVAL; ++ } ++ } ++ + if (!(cd->type = strdup(CRYPT_PLAIN))) + return -ENOMEM; + +@@ -1472,6 +1482,7 @@ static int _crypt_format_luks2(struct crypt_device *cd, + unsigned long alignment_offset = 0; + unsigned int sector_size = params ? params->sector_size : SECTOR_SIZE; + const char *integrity = params ? params->integrity : NULL; ++ uint64_t dev_size; + + cd->u.luks2.hdr.jobj = NULL; + +@@ -1578,6 +1589,15 @@ static int _crypt_format_luks2(struct crypt_device *cd, + if (r < 0) + goto out; + ++ if (!integrity && sector_size > SECTOR_SIZE && !device_size(crypt_data_device(cd), &dev_size)) { ++ dev_size -= (crypt_get_data_offset(cd) * SECTOR_SIZE); ++ if (dev_size % sector_size) { ++ log_err(cd, _("Device size is not aligned to requested sector size.")); ++ r = -EINVAL; ++ goto out; ++ } ++ } ++ + if (params && (params->label || params->subsystem)) { + r = LUKS2_hdr_labels(cd, &cd->u.luks2.hdr, + params->label, params->subsystem, 0); +-- +2.19.1 + diff --git a/6010-Fix-a-possible-NULL-pointer-in-opt_type.patch b/6010-Fix-a-possible-NULL-pointer-in-opt_type.patch new file mode 100644 index 0000000..8e04f28 --- /dev/null +++ b/6010-Fix-a-possible-NULL-pointer-in-opt_type.patch @@ -0,0 +1,25 @@ +From 6dc2f7231b5f03d1b9322725798de16cadd99330 Mon Sep 17 00:00:00 2001 +From: Milan Broz +Date: Mon, 21 Jan 2019 14:07:33 +0100 +Subject: [PATCH 208/324] Fix a possible NULL pointer in opt_type. + +--- + src/cryptsetup.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/cryptsetup.c b/src/cryptsetup.c +index 13461b2..f140136 100644 +--- a/src/cryptsetup.c ++++ b/src/cryptsetup.c +@@ -2609,7 +2609,7 @@ int main(int argc, const char **argv) + poptGetInvocationName(popt_context)); + + if ((opt_tcrypt_hidden || opt_tcrypt_system || opt_tcrypt_backup) && strcmp(aname, "tcryptDump") && +- (strcmp(aname, "open") || strcmp(opt_type, "tcrypt"))) ++ (strcmp(aname, "open") || !opt_type || strcmp(opt_type, "tcrypt"))) + usage(popt_context, EXIT_FAILURE, + _("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"), + poptGetInvocationName(popt_context)); +-- +2.19.1 + diff --git a/6011-Upstream-fixes-to-bundled-Argon2-code.patch b/6011-Upstream-fixes-to-bundled-Argon2-code.patch new file mode 100644 index 0000000..eb577a6 --- /dev/null +++ b/6011-Upstream-fixes-to-bundled-Argon2-code.patch @@ -0,0 +1,49 @@ +From 238b18b8ac339c09e11a913b913dffe03902edb5 Mon Sep 17 00:00:00 2001 +From: Milan Broz +Date: Wed, 13 Mar 2019 08:24:15 +0100 +Subject: [PATCH 293/324] Upstream fixes to bundled Argon2 code. + +Wait for already running threads if a thread creation failed. +Use explicit_bzero() on recent glibc versions. +(Without fixed logic, we have already macro definition through automake.) + +Fixes #444. +--- + lib/crypto_backend/argon2/core.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/lib/crypto_backend/argon2/core.c b/lib/crypto_backend/argon2/core.c +index 8e0a2a5..f5b0067 100644 +--- a/lib/crypto_backend/argon2/core.c ++++ b/lib/crypto_backend/argon2/core.c +@@ -125,7 +125,7 @@ void NOT_OPTIMIZED secure_wipe_memory(void *v, size_t n) { + SecureZeroMemory(v, n); + #elif defined memset_s + memset_s(v, n, 0, n); +-#elif defined(__OpenBSD__) ++#elif defined(HAVE_EXPLICIT_BZERO) + explicit_bzero(v, n); + #else + static void *(*const volatile memset_sec)(void *, int, size_t) = &memset; +@@ -299,7 +299,7 @@ static int fill_memory_blocks_mt(argon2_instance_t *instance) { + + for (r = 0; r < instance->passes; ++r) { + for (s = 0; s < ARGON2_SYNC_POINTS; ++s) { +- uint32_t l; ++ uint32_t l, ll; + + /* 2. Calling threads */ + for (l = 0; l < instance->lanes; ++l) { +@@ -324,6 +324,9 @@ static int fill_memory_blocks_mt(argon2_instance_t *instance) { + sizeof(argon2_position_t)); + if (argon2_thread_create(&thread[l], &fill_segment_thr, + (void *)&thr_data[l])) { ++ /* Wait for already running threads */ ++ for (ll = 0; ll < l; ++ll) ++ argon2_thread_join(thread[ll]); + rc = ARGON2_THREAD_FAIL; + goto fail; + } +-- +2.19.1 + diff --git a/9000-fix-blockwise-compat-and-compat-test.patch b/9000-fix-blockwise-compat-and-compat-test.patch new file mode 100644 index 0000000..b849cd5 --- /dev/null +++ b/9000-fix-blockwise-compat-and-compat-test.patch @@ -0,0 +1,76 @@ +From 6787f5239975b9fa65f36dadbd37486246827d1c Mon Sep 17 00:00:00 2001 +From: hanzhijun +Date: Mon, 6 May 2019 16:23:24 +0800 +Subject: [PATCH] Fix blockwise compat and compat test failure + +--- + tests/blockwise-compat | 2 +- + tests/compat-test | 15 ++++++++------- + 2 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/tests/blockwise-compat b/tests/blockwise-compat +index da94ce8..64870dd 100755 +--- a/tests/blockwise-compat ++++ b/tests/blockwise-compat +@@ -65,7 +65,7 @@ + } + + falloc() { +- fallocate -l"$1"m $2 2>/dev/null || dd if=/dev/zero of=$2 bs=1M count=$1 2> /dev/null ++ dd if=/dev/zero of=$2 bs=1M count=$1 2> /dev/null + } + + run_all_in_fs() { +diff --git a/tests/compat-test b/tests/compat-test +--- a/tests/compat-test 2019-04-30 14:21:49.588000000 +0800 ++++ b/tests/compat-test 2019-04-30 15:01:33.524000000 +0800 +@@ -21,6 +21,7 @@ + PWD1="93R4P4pIqAH8" + PWD2="mymJeD8ivEhE" + PWD3="ocMakf3fAcQO" ++PWD4="hkj123HJGS12" + PWDW="rUkL4RUryBom" + VK_FILE="compattest_vkfile" + +@@ -193,17 +194,17 @@ + echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $IMG $FAST_PBKDF_OPT || fail + echo -e "$PWD0\n$PWD1" | $CRYPTSETUP luksAddKey $IMG $FAST_PBKDF_OPT 2>/dev/null && fail + echo "[4] change key" +-echo -e "$PWD1\n$PWD0\n" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT $IMG || fail ++echo -e "$PWD1\n$PWD4\n" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT $IMG || fail + echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT $IMG 2>/dev/null && fail + [ $? -ne 2 ] && fail "luksChangeKey should return EPERM exit code" + echo "[5] remove key" +-# delete active keys PWD0, PWD2 ++# delete active keys PWD2, PWD4 + echo $PWD1 | $CRYPTSETUP luksRemoveKey $IMG 2>/dev/null && fail + [ $? -ne 2 ] && fail "luksRemove should return EPERM exit code" +-echo $PWD0 | $CRYPTSETUP luksRemoveKey $IMG || fail + echo $PWD2 | $CRYPTSETUP luksRemoveKey $IMG || fail ++echo $PWD4 | $CRYPTSETUP luksRemoveKey $IMG || fail + # check if keys were deleted +-echo $PWD0 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail ++echo $PWD4 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail + [ $? -ne 2 ] && fail "luksOpen should return EPERM exit code" + echo $PWD2 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail + [ $? -ne 2 ] && fail "luksOpen should return EPERM exit code" +@@ -803,16 +804,16 @@ + send "YES\n" + expect timeout abort "Enter passphrase for $LOOPDEV:" + sleep 0.1 +-send "$PWD0\n" ++send "$PWD4\n" + expect timeout abort "Verify passphrase:" + sleep 0.1 +-send "$PWD0\n" ++send "$PWD4\n" + expect timeout abort "Command successful." + expect timeout abort eof + eval spawn $CRYPTSETUP luksOpen -v $LOOPDEV --test-passphrase + expect timeout abort "Enter passphrase for $LOOPDEV:" + sleep 0.1 +-send "$PWD0\n" ++send "$PWD4\n" + expect timeout abort "Command successful." + expect timeout abort eof + exit diff --git a/cryptsetup-2.0.4.tar.xz b/cryptsetup-2.0.4.tar.xz new file mode 100644 index 0000000..315ad13 Binary files /dev/null and b/cryptsetup-2.0.4.tar.xz differ diff --git a/cryptsetup.spec b/cryptsetup.spec new file mode 100644 index 0000000..33ec181 --- /dev/null +++ b/cryptsetup.spec @@ -0,0 +1,208 @@ +Name: cryptsetup +Version: 2.0.4 +Release: 2 +Summary: Utility used to conveniently set up disk encryption +License: GPLv2+ and LGPLv2+ +URL: https://gitlab.com/cryptsetup/cryptsetup +Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{version}.tar.xz + + +Patch0: 0000-cryptsetup-add-system-library-paths.patch + +Patch6000: 6000-Emit-error-message-for-converting-inactive-keyslot.patch +Patch6001: 6001-Move-blkid-scan-after-device-context-initialization.patch +Patch6002: 6002-Add-blkid-scan-when-attemting-to-open-plain-device.patch +Patch6003: 6003-Wiping-empty-device-should-not-fail.patch +Patch6004: 6004-Do-not-copy-buffer-if-read-fails.patch +Patch6005: 6005-Do-not-fail-if-device-is-smaller-than-requested-wipe.patch +Patch6006: 6006-Do-not-print-error-for-used-device-twice.patch +Patch6007: 6007-Fix-issues-found-by-Coverity-scan.patch +Patch6008: 6008-Properly-propagate-error-from-AF-diffuse-function.patch +Patch6009: 6009-Check-for-device-size-and-sector-size-misalignment.patch +Patch6010: 6010-Fix-a-possible-NULL-pointer-in-opt_type.patch +Patch6011: 6011-Upstream-fixes-to-bundled-Argon2-code.patch + +Patch9000: 9000-fix-blockwise-compat-and-compat-test.patch + +BuildRequires: openssl-devel, popt-devel, device-mapper-devel git +BuildRequires: libuuid-devel, json-c-devel, libargon2-devel, libpwquality-devel libblkid-devel +BuildRequires: python2-devel python3-devel +Requires: libpwquality >= 1.2.0 + +Provides: %{name}-luks = %{version}-%{release} +Obsoletes: %{name}-luks < 1.4.0 +Provides: %{name}-libs %{name}-libs%{?_isa} +Obsoletes: %{name}-libs + +%{!?python_sitearch: %global python_sitearch %(%{__python} -c \ +"from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} + +%description +cryptsetup is a utility used to conveniently set up disk encryption based +on the DMCrypt kernel module. + +%package devel +Summary: Including header files and library for the developing of cryptsetup +Requires: %{name} = %{version}-%{release} +Requires: pkgconfig +Provides: cryptsetup-luks-devel = %{version}-%{release} +Obsoletes: cryptsetup-luks-devel < 1.4.0 + +%description devel +This contains dynamic libraries and header files for the developing of cryptsetup. + +%package -n veritysetup +Summary: Utility for setting up disk verification +Requires: %{name} = %{version}-%{release} + +%description -n veritysetup +It contains a utility for setting up disk verification. + +%package -n integritysetup +Summary: Utility for setting up dm-integrity volumes +Requires: %{name} = %{version}-%{release} + +%description -n integritysetup +It contains a utility for setting up dm-integrity volumes. + +%package reencrypt +Summary: Utility for reencryption encrypted disks +Requires: %{name} = %{version}-%{release} + +%description reencrypt +It contains a utility for reencryption encrypted disks. + +%package -n python2-cryptsetup +Summary: cryptsetup python2 version +Requires: %{name} = %{version}-%{release} +Provides: %{name}-python = %{version}-%{release} +Provides: %{name}-python%{?_isa} = %{version}-%{release} +Obsoletes: %{name}-python < %{version}-%{release} +Obsoletes: python-cryptsetup < 1.4.0 + +%description -n python2-cryptsetup +It contains python2 bindings for libcryptsetup. + + +%package python3 +Summary: cryptsetup python3 version +Requires: %{name} = %{version}-%{release} +%{?python_provide:%python_provide python3-cryptsetup} +Provides: python3-cryptsetup = %{version}-%{release} + +%description python3 +It contains python3 bindings for libcryptsetup. + + +%package help +Summary: Including man files for cryptsetup +BuildArch: noarch +Requires: man + +%description help +This contains man files for the using of cryptsetup. + +%prep +%autosetup -n %{name}-%{version} -p1 -S git + +cp -a . %{py3dir} + +%build +%configure --enable-python --enable-fips --enable-pwquality --enable-libargon2 --with-crypto_backend=openssl +%make_build + +pushd %{py3dir} +%configure --enable-python --with-python_version=3 --enable-fips --enable-pwquality --enable-libargon2 --with-crypto_backend=openssl +%make_build +popd + +%install +%make_install +%make_install -C %{py3dir} + +%find_lang cryptsetup + +%post -n cryptsetup -p /sbin/ldconfig + +%postun -n cryptsetup -p /sbin/ldconfig + +%files -f cryptsetup.lang +%license COPYING COPYING.LGPL AUTHORS +%doc docs/* +%{_sbindir}/cryptsetup +%{_libdir}/libcryptsetup.so.* +%{_tmpfilesdir}/cryptsetup.conf +%ghost %dir /run/cryptsetup +%exclude %{_libdir}/*.la + + +%files devel +%doc docs/examples/* +%{_libdir}/libcryptsetup.so +%{_includedir}/libcryptsetup.h +%{_libdir}/pkgconfig/libcryptsetup.pc + + +%files -n veritysetup +%{_sbindir}/veritysetup + +%files -n integritysetup +%{_sbindir}/integritysetup + +%files reencrypt +%doc %attr(644,-,-)misc/dracut_90reencrypt +%{_sbindir}/cryptsetup-reencrypt + + +%files -n python2-cryptsetup +%doc python/pycryptsetup-test.py +%{python2_sitearch}/pycryptsetup.so +%exclude %{python2_sitearch}/pycryptsetup.la + + +%files python3 +%doc python/pycryptsetup-test.py +%{python3_sitearch}/pycryptsetup.so +%exclude %{python3_sitearch}/pycryptsetup.la + + +%files help +%{_mandir}/man8/* + + +%changelog +* Wed Aug 28 2019 zhanghaibo - 2.0.4-2 +- Type:enhancemnet +- ID:NA +- SUG:NA +- DESC:openEuler Debranding + +* Wed Aug 21 2019 renxudong - 2.0.4-1.h3 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:fix blockwise-compat and compat-test + +* Mon May 6 2019 hanzhijun - 2.0.4-1.h2 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:fix blockwise-compat and compat-test + +* Thu Apr 18 2019 wangxiao - 2.0.4-1.h1 +- Type:bugfix +- ID:NA +- SUG:restart +- DESC:Emit error message for converting inactive keyslot. + Move blkid scan after device context initialization. + Add blkid scan when attemting to open plain device. + Wiping empty device should not fail. + Do not copy buffer if read fails. + Do not fail if device is smaller than requested wipe size. + Do not print error for used device twice. + Fix issues found by Coverity scan. + Properly propagate error from AF diffuse function. + Check for device size and sector size misalignment. + Fix a possible NULL pointer in opt_type. + Upstream fixes to bundled Argon2 code. +- Package init