packages/cryptsetup
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Package init

Browse Source
This commit is contained in:
overweight 2019-09-30 10:36:13 -04:00
commit b337351dac
16 changed files with 938 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
0000-cryptsetup-add-system-library-paths.patch Normal file
View File

@ -0,0 +1,22 @@
diff -rupN cryptsetup-2.0.4.old/configure cryptsetup-2.0.4/configure
--- cryptsetup-2.0.4.old/configure 2018-08-03 12:31:52.000000000 +0200
+++ cryptsetup-2.0.4/configure 2018-08-03 13:42:50.605275535 +0200
@@ -12300,6 +12300,9 @@ fi
# before this can be enabled.
hardcode_into_libs=yes
+ # Add ABI-specific directories to the system library path.
+ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
+
# Ideally, we could use ldconfig to report *all* directores which are
# searched for libraries, however this is still not possible. Aside from not
# being certain /sbin/ldconfig is available, command
@@ -12308,7 +12311,7 @@ fi
# appending ld.so.conf contents (and includes) to the search path.
if test -f /etc/ld.so.conf; then
lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+ sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
fi
# We used to test for /lib/ld.so.1 and disable shared libraries on

30
6000-Emit-error-message-for-converting-inactive-keyslot.patch Normal file
View File

@ -0,0 +1,30 @@
From 1c6d66fccc91ff37d7f991a3213bc33f5f6426b6 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Fri, 14 Sep 2018 11:18:48 +0200
Subject: [PATCH 040/324] Emit error message for converting inactive keyslot.
Fixes: #416.
---
src/cryptsetup.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 52efd71..cc3520c 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -1535,6 +1535,12 @@ static int action_luksConvertKey(void)
if ((r = crypt_load(cd, CRYPT_LUKS2, NULL)))
goto out;
+ if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_INACTIVE) {
+ r = -EINVAL;
+ log_err(_("Keyslot %d is not active."), opt_key_slot);
+ goto out;
+ }
+
r = set_pbkdf_params(cd, crypt_get_type(cd));
if (r) {
log_err(_("Failed to set pbkdf parameters."));
--
2.19.1

103
6001-Move-blkid-scan-after-device-context-initialization.patch Normal file
View File

@ -0,0 +1,103 @@
From b93b67633676e4b9ae627532774c60661e3a1613 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Mon, 24 Sep 2018 14:58:16 +0200
Subject: [PATCH 041/324] Move blkid scan after device context initialization.
Fixes bug with misleading error message when target device
does not exist.
---
src/cryptsetup.c | 30 ++++++++++++++++--------------
src/integritysetup.c | 20 +++++++++++---------
2 files changed, 27 insertions(+), 23 deletions(-)
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index cc3520c..371948f 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -987,20 +987,6 @@ static int action_luksFormat(void)
header_device = opt_header_device ?: action_argv[0];
- /* Print all present signatures in read-only mode */
- r = tools_detect_signatures(header_device, 0, &signatures);
- if (r < 0)
- return r;
-
- r = asprintf(&msg, _("This will overwrite data on %s irrevocably."), header_device);
- if (r == -1)
- return -ENOMEM;
-
- r = yesDialog(msg, _("Operation aborted.\n")) ? 0 : -EINVAL;
- free(msg);
- if (r < 0)
- return r;
-
r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
cipher, NULL, cipher_mode);
if (r < 0) {
@@ -1028,6 +1014,22 @@ static int action_luksFormat(void)
return r;
}
+ /* Print all present signatures in read-only mode */
+ r = tools_detect_signatures(header_device, 0, &signatures);
+ if (r < 0)
+ goto out;
+
+ r = asprintf(&msg, _("This will overwrite data on %s irrevocably."), header_device);
+ if (r == -1) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ r = yesDialog(msg, _("Operation aborted.\n")) ? 0 : -EINVAL;
+ free(msg);
+ if (r < 0)
+ goto out;
+
keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8 + integrity_keysize;
if (opt_random)
diff --git a/src/integritysetup.c b/src/integritysetup.c
index c1c31ee..a3b382f 100644
--- a/src/integritysetup.c
+++ b/src/integritysetup.c
@@ -209,24 +209,26 @@ static int action_format(int arg)
params.journal_crypt = journal_crypt;
}
- r = tools_detect_signatures(action_argv[0], 0, &signatures);
+ r = _read_keys(&integrity_key, &params);
+ if (r)
+ goto out;
+
+ r = crypt_init(&cd, action_argv[0]);
if (r < 0)
- return r;
+ goto out;
r = asprintf(&msg, _("This will overwrite data on %s irrevocably."), action_argv[0]);
- if (r == -1)
- return -ENOMEM;
+ if (r == -1) {
+ r = -ENOMEM;
+ goto out;
+ }
r = yesDialog(msg, _("Operation aborted.\n")) ? 0 : -EINVAL;
free(msg);
if (r < 0)
- return r;
-
- r = _read_keys(&integrity_key, &params);
- if (r)
goto out;
- r = crypt_init(&cd, action_argv[0]);
+ r = tools_detect_signatures(action_argv[0], 0, &signatures);
if (r < 0)
goto out;
--
2.19.1

110
6002-Add-blkid-scan-when-attemting-to-open-plain-device.patch Normal file
View File

@ -0,0 +1,110 @@
From ee689d88b4bd9584272e01f1c467aa4648280004 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Mon, 24 Sep 2018 15:38:05 +0200
Subject: [PATCH 042/324] Add blkid scan when attemting to open plain device.
Warn user about existing device signatures on candidate ciphertext
device and prompt for action confirmation.
Fixes #411.
---
src/cryptsetup.c | 27 ++++++++++++++++++++++++---
tests/device-test | 6 +++---
tests/discards-test | 2 +-
3 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 371948f..90fc703 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -166,7 +166,7 @@ static void _set_activation_flags(uint32_t *flags)
static int action_open_plain(void)
{
struct crypt_device *cd = NULL;
- char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
+ char *msg, cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
struct crypt_params_plain params = {
.hash = opt_hash ?: DEFAULT_PLAIN_HASH,
.skip = opt_skip,
@@ -175,8 +175,8 @@ static int action_open_plain(void)
.sector_size = opt_sector_size,
};
char *password = NULL;
- size_t passwordLen, key_size_max;
- size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
+ size_t passwordLen, key_size_max, signatures,
+ key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
uint32_t activate_flags = 0;
int r;
@@ -205,6 +205,27 @@ static int action_open_plain(void)
if ((r = crypt_init(&cd, action_argv[0])))
goto out;
+ /* Skip blkid scan when activating plain device with offset */
+ if (!opt_offset) {
+ /* Print all present signatures in read-only mode */
+ r = tools_detect_signatures(action_argv[0], 0, &signatures);
+ if (r < 0)
+ goto out;
+ }
+
+ if (signatures) {
+ r = asprintf(&msg, _("Detected device signature(s) on %s. Proceeding further may damage existing data."), action_argv[0]);
+ if (r == -1) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ r = yesDialog(msg, _("Operation aborted.\n")) ? 0 : -EINVAL;
+ free(msg);
+ if (r < 0)
+ goto out;
+ }
+
r = crypt_format(cd, CRYPT_PLAIN,
cipher, cipher_mode,
NULL, NULL,
diff --git a/tests/device-test b/tests/device-test
index b9ba98d..c49eb84 100755
--- a/tests/device-test
+++ b/tests/device-test
@@ -97,11 +97,11 @@ if [ -z "$DM_PERF_CPU" ]; then
SKIP_COUNT=$((SKIP_COUNT+1))
else
# plain
- echo -e "$PWD1" | $CRYPTSETUP open --type plain $DEV $DEV_NAME --perf-same_cpu_crypt --perf-submit_from_crypt_cpus || fail
+ echo -e "$PWD1" | $CRYPTSETUP open -q --type plain $DEV $DEV_NAME --perf-same_cpu_crypt --perf-submit_from_crypt_cpus || fail
$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
$CRYPTSETUP status $DEV_NAME | grep -q submit_from_crypt_cpus || fail
$CRYPTSETUP close $DEV_NAME || fail
- echo -e "$PWD1" | $CRYPTSETUP open --type plain $DEV $DEV_NAME --perf-same_cpu_crypt --allow-discards || fail
+ echo -e "$PWD1" | $CRYPTSETUP open -q --type plain $DEV $DEV_NAME --perf-same_cpu_crypt --allow-discards || fail
$CRYPTSETUP status $DEV_NAME | grep -q same_cpu_crypt || fail
$CRYPTSETUP status $DEV_NAME | grep -q discards || fail
$CRYPTSETUP close $DEV_NAME || fail
@@ -152,7 +152,7 @@ else
echo -e "$PWD1" | $CRYPTSETUP open --type plain $DEV $DEV_NAME --sector-size 1234 >/dev/null 2>&1 && fail
for S in 512 1024 2048 4096; do
echo -n "[$S]"
- echo -e "$PWD1" | $CRYPTSETUP open --type plain $DEV $DEV_NAME --sector-size $S || fail
+ echo -e "$PWD1" | $CRYPTSETUP open -q --type plain $DEV $DEV_NAME --sector-size $S || fail
check_sector_size $S
$CRYPTSETUP close $DEV_NAME || fail
done
diff --git a/tests/discards-test b/tests/discards-test
index 5ffe7ab..476c04d 100755
--- a/tests/discards-test
+++ b/tests/discards-test
@@ -74,7 +74,7 @@ dmsetup table $DEV_NAME | grep allow_discards >/dev/null || fail
$CRYPTSETUP luksClose $DEV_NAME || fail
echo "[2] Allowing discards for plain device"
-echo $PWD1 | $CRYPTSETUP create $DEV_NAME $DEV --hash sha1 --allow-discards || fail
+echo $PWD1 | $CRYPTSETUP create -q $DEV_NAME $DEV --hash sha1 --allow-discards || fail
$CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail
$CRYPTSETUP resize $DEV_NAME --size 100 || fail
$CRYPTSETUP status $DEV_NAME | grep flags | grep discards >/dev/null || fail
--
2.19.1

25
6003-Wiping-empty-device-should-not-fail.patch Normal file
View File

@ -0,0 +1,25 @@
From 879e06db39cb2d1113bb64a9ec0b5480cb837fca Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Thu, 11 Oct 2018 15:38:56 +0200
Subject: [PATCH 061/324] Wiping empty device should not fail.
---
lib/utils_wipe.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/utils_wipe.c b/lib/utils_wipe.c
index 77550c7..04cc531 100644
--- a/lib/utils_wipe.c
+++ b/lib/utils_wipe.c
@@ -161,7 +161,7 @@ int crypt_wipe_device(struct crypt_device *cd,
return errno ? -errno : -EINVAL;
r = device_size(device, &dev_size);
- if (r)
+ if (r || dev_size == 0)
goto out;
if (length) {
--
2.19.1

26
6004-Do-not-copy-buffer-if-read-fails.patch Normal file
View File

@ -0,0 +1,26 @@
From 31532adf8636f9795ab5f077ace4e3f00148d399 Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Thu, 11 Oct 2018 15:39:31 +0200
Subject: [PATCH 062/324] Do not copy buffer if read fails.
---
lib/utils_io.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/utils_io.c b/lib/utils_io.c
index 1facac0..d7e1cbe 100644
--- a/lib/utils_io.c
+++ b/lib/utils_io.c
@@ -184,7 +184,8 @@ ssize_t read_blockwise(int fd, size_t bsize, size_t alignment,
out:
free(hangover_buf);
if (buf != orig_buf) {
- memcpy(orig_buf, buf, length);
+ if (ret == length)
+ memcpy(orig_buf, buf, length);
free(buf);
}
return ret;
--
2.19.1

27
6005-Do-not-fail-if-device-is-smaller-than-requested-wipe.patch Normal file
View File

@ -0,0 +1,27 @@
From 36e883967538069d81634bd2e6fa188732f0a77a Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Thu, 11 Oct 2018 21:19:35 +0200
Subject: [PATCH 066/324] Do not fail if device is smaller than requested wipe
size.
---
lib/utils_wipe.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/utils_wipe.c b/lib/utils_wipe.c
index 04cc531..b1afc0f 100644
--- a/lib/utils_wipe.c
+++ b/lib/utils_wipe.c
@@ -164,6 +164,9 @@ int crypt_wipe_device(struct crypt_device *cd,
if (r || dev_size == 0)
goto out;
+ if (dev_size < length)
+ length = 0;
+
if (length) {
if ((dev_size <= offset) || (dev_size - offset) < length) {
r = -EINVAL;
--
2.19.1

30
6006-Do-not-print-error-for-used-device-twice.patch Normal file
View File

@ -0,0 +1,30 @@
From bebd2fe7e7ca0d70981e50b919b3d230e9c945de Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Fri, 12 Oct 2018 09:44:28 +0200
Subject: [PATCH 067/324] Do not print error for used device twice.
---
lib/setup.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/lib/setup.c b/lib/setup.c
index e8ba704..9607bed 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -1540,12 +1540,8 @@ static int _crypt_format_luks2(struct crypt_device *cd,
}
r = device_check_access(cd, crypt_metadata_device(cd), DEV_EXCL);
- if (r < 0) {
- log_err(cd, _("Cannot use device %s which is in use "
- "(already mapped or mounted)."),
- device_path(crypt_metadata_device(cd)));
+ if (r < 0)
return r;
- }
if (!(cd->type = strdup(CRYPT_LUKS2)))
return -ENOMEM;
--
2.19.1

29
6007-Fix-issues-found-by-Coverity-scan.patch Normal file
View File

@ -0,0 +1,29 @@
From 27eaf46c8a4e512588792725a2a27afd4648700d Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Sun, 14 Oct 2018 21:47:11 +0200
Subject: [PATCH 077/324] Fix issues found by Coverity scan.
- possible overflow of data offset calculation in wipe and
- dereferencing of pointer in a keyring error path.
---
lib/luks1/keymanage.c | 2 +-
lib/utils_keyring.c | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/utils_keyring.c b/lib/utils_keyring.c
index 2631405..35bf32b 100644
--- a/lib/utils_keyring.c
+++ b/lib/utils_keyring.c
@@ -133,7 +133,8 @@ int keyring_get_passphrase(const char *key_desc,
if (ret < 0) {
err = errno;
- crypt_memzero(buf, len);
+ if (buf)
+ crypt_memzero(buf, len);
free(buf);
return -err;
}
--
2.19.1

104
6008-Properly-propagate-error-from-AF-diffuse-function.patch Normal file
View File

@ -0,0 +1,104 @@
From 36c26b690370ce9a9fcf274bc97a5a50a3fd0e33 Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Tue, 20 Nov 2018 15:25:53 +0100
Subject: [PATCH 101/324] Properly propagate error from AF diffuse function.
---
lib/luks1/af.c | 38 ++++++++++++++++++++++----------------
1 file changed, 22 insertions(+), 16 deletions(-)
diff --git a/lib/luks1/af.c b/lib/luks1/af.c
index af6c1af..3d7cf0b 100644
--- a/lib/luks1/af.c
+++ b/lib/luks1/af.c
@@ -64,31 +64,34 @@ out:
/* diffuse: Information spreading over the whole dataset with
* the help of hash function.
*/
-
static int diffuse(char *src, char *dst, size_t size, const char *hash_name)
{
int hash_size = crypt_hash_size(hash_name);
unsigned int digest_size;
- unsigned int i, blocks, padding;
+ unsigned int i, r, blocks, padding;
if (hash_size <= 0)
- return 1;
+ return -EINVAL;
digest_size = hash_size;
blocks = size / digest_size;
padding = size % digest_size;
- for (i = 0; i < blocks; i++)
- if(hash_buf(src + digest_size * i,
+ for (i = 0; i < blocks; i++) {
+ r = hash_buf(src + digest_size * i,
dst + digest_size * i,
- i, (size_t)digest_size, hash_name))
- return 1;
+ i, (size_t)digest_size, hash_name);
+ if (r < 0)
+ return r;
+ }
- if(padding)
- if(hash_buf(src + digest_size * i,
+ if (padding) {
+ r = hash_buf(src + digest_size * i,
dst + digest_size * i,
- i, (size_t)padding, hash_name))
- return 1;
+ i, (size_t)padding, hash_name);
+ if (r < 0)
+ return r;
+ }
return 0;
}
@@ -104,17 +107,19 @@ int AF_split(const char *src, char *dst, size_t blocksize,
{
unsigned int i;
char *bufblock;
- int r = -EINVAL;
+ int r;
if((bufblock = calloc(blocksize, 1)) == NULL) return -ENOMEM;
/* process everything except the last block */
for(i=0; i<blocknumbers-1; i++) {
r = crypt_random_get(NULL, dst+(blocksize*i), blocksize, CRYPT_RND_NORMAL);
- if(r < 0) goto out;
+ if (r < 0)
+ goto out;
XORblock(dst+(blocksize*i),bufblock,bufblock,blocksize);
- if(diffuse(bufblock, bufblock, blocksize, hash))
+ r = diffuse(bufblock, bufblock, blocksize, hash);
+ if (r < 0)
goto out;
}
/* the last block is computed */
@@ -130,7 +135,7 @@ int AF_merge(const char *src, char *dst, size_t blocksize,
{
unsigned int i;
char *bufblock;
- int r = -EINVAL;
+ int r;
if((bufblock = calloc(blocksize, 1)) == NULL)
return -ENOMEM;
@@ -138,7 +143,8 @@ int AF_merge(const char *src, char *dst, size_t blocksize,
memset(bufblock,0,blocksize);
for(i=0; i<blocknumbers-1; i++) {
XORblock(src+(blocksize*i),bufblock,bufblock,blocksize);
- if(diffuse(bufblock, bufblock, blocksize, hash))
+ r = diffuse(bufblock, bufblock, blocksize, hash);
+ if (r < 0)
goto out;
}
XORblock(src + blocksize * i, bufblock, dst, blocksize);
--
2.19.1

74
6009-Check-for-device-size-and-sector-size-misalignment.patch Normal file
View File

@ -0,0 +1,74 @@
From 18c92103423ffb312a49509881da4692eb98d9e9 Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Sat, 24 Nov 2018 17:47:55 +0100
Subject: [PATCH 106/324] Check for device size and sector size misalignment.
Kernel prevents activation of device that is not aligned
to requested sector size.
Add early check to plain and LUKS2 formats to disallow
creation of such a device.
(Activation will fail in kernel later anyway.)
Fixes #390.
---
lib/setup.c | 20 ++++++++++++
tests/align-test | 53 +++++++++++++++++++++++++++---
tests/align-test2 | 83 +++++++++++++++++++++++++++++++++--------------
3 files changed, 127 insertions(+), 29 deletions(-)
diff --git a/lib/setup.c b/lib/setup.c
index a07c29c..ef4d453 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -1321,6 +1321,7 @@ static int _crypt_format_plain(struct crypt_device *cd,
struct crypt_params_plain *params)
{
unsigned int sector_size = params ? params->sector_size : SECTOR_SIZE;
+ uint64_t dev_size;
if (!cipher || !cipher_mode) {
log_err(cd, _("Invalid plain crypt parameters."));
@@ -1347,6 +1348,15 @@ static int _crypt_format_plain(struct crypt_device *cd,
return -EINVAL;
}
+ if (sector_size > SECTOR_SIZE && !device_size(cd->device, &dev_size)) {
+ if (params && params->offset)
+ dev_size -= (params->offset * SECTOR_SIZE);
+ if (dev_size % sector_size) {
+ log_err(cd, _("Device size is not aligned to requested sector size."));
+ return -EINVAL;
+ }
+ }
+
if (!(cd->type = strdup(CRYPT_PLAIN)))
return -ENOMEM;
@@ -1472,6 +1482,7 @@ static int _crypt_format_luks2(struct crypt_device *cd,
unsigned long alignment_offset = 0;
unsigned int sector_size = params ? params->sector_size : SECTOR_SIZE;
const char *integrity = params ? params->integrity : NULL;
+ uint64_t dev_size;
cd->u.luks2.hdr.jobj = NULL;
@@ -1578,6 +1589,15 @@ static int _crypt_format_luks2(struct crypt_device *cd,
if (r < 0)
goto out;
+ if (!integrity && sector_size > SECTOR_SIZE && !device_size(crypt_data_device(cd), &dev_size)) {
+ dev_size -= (crypt_get_data_offset(cd) * SECTOR_SIZE);
+ if (dev_size % sector_size) {
+ log_err(cd, _("Device size is not aligned to requested sector size."));
+ r = -EINVAL;
+ goto out;
+ }
+ }
+
if (params && (params->label || params->subsystem)) {
r = LUKS2_hdr_labels(cd, &cd->u.luks2.hdr,
params->label, params->subsystem, 0);
--
2.19.1

25
6010-Fix-a-possible-NULL-pointer-in-opt_type.patch Normal file
View File

@ -0,0 +1,25 @@
From 6dc2f7231b5f03d1b9322725798de16cadd99330 Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Mon, 21 Jan 2019 14:07:33 +0100
Subject: [PATCH 208/324] Fix a possible NULL pointer in opt_type.
---
src/cryptsetup.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 13461b2..f140136 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -2609,7 +2609,7 @@ int main(int argc, const char **argv)
poptGetInvocationName(popt_context));
if ((opt_tcrypt_hidden || opt_tcrypt_system || opt_tcrypt_backup) && strcmp(aname, "tcryptDump") &&
- (strcmp(aname, "open") || strcmp(opt_type, "tcrypt")))
+ (strcmp(aname, "open") || !opt_type || strcmp(opt_type, "tcrypt")))
usage(popt_context, EXIT_FAILURE,
_("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"),
poptGetInvocationName(popt_context));
--
2.19.1

49
6011-Upstream-fixes-to-bundled-Argon2-code.patch Normal file
View File

@ -0,0 +1,49 @@
From 238b18b8ac339c09e11a913b913dffe03902edb5 Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Wed, 13 Mar 2019 08:24:15 +0100
Subject: [PATCH 293/324] Upstream fixes to bundled Argon2 code.
Wait for already running threads if a thread creation failed.
Use explicit_bzero() on recent glibc versions.
(Without fixed logic, we have already macro definition through automake.)
Fixes #444.
---
lib/crypto_backend/argon2/core.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/lib/crypto_backend/argon2/core.c b/lib/crypto_backend/argon2/core.c
index 8e0a2a5..f5b0067 100644
--- a/lib/crypto_backend/argon2/core.c
+++ b/lib/crypto_backend/argon2/core.c
@@ -125,7 +125,7 @@ void NOT_OPTIMIZED secure_wipe_memory(void *v, size_t n) {
SecureZeroMemory(v, n);
#elif defined memset_s
memset_s(v, n, 0, n);
-#elif defined(__OpenBSD__)
+#elif defined(HAVE_EXPLICIT_BZERO)
explicit_bzero(v, n);
#else
static void *(*const volatile memset_sec)(void *, int, size_t) = &memset;
@@ -299,7 +299,7 @@ static int fill_memory_blocks_mt(argon2_instance_t *instance) {
for (r = 0; r < instance->passes; ++r) {
for (s = 0; s < ARGON2_SYNC_POINTS; ++s) {
- uint32_t l;
+ uint32_t l, ll;
/* 2. Calling threads */
for (l = 0; l < instance->lanes; ++l) {
@@ -324,6 +324,9 @@ static int fill_memory_blocks_mt(argon2_instance_t *instance) {
sizeof(argon2_position_t));
if (argon2_thread_create(&thread[l], &fill_segment_thr,
(void *)&thr_data[l])) {
+ /* Wait for already running threads */
+ for (ll = 0; ll < l; ++ll)
+ argon2_thread_join(thread[ll]);
rc = ARGON2_THREAD_FAIL;
goto fail;
}
--
2.19.1

76
9000-fix-blockwise-compat-and-compat-test.patch Normal file
View File

@ -0,0 +1,76 @@
From 6787f5239975b9fa65f36dadbd37486246827d1c Mon Sep 17 00:00:00 2001
From: hanzhijun <hanzhijun1@huawei.com>
Date: Mon, 6 May 2019 16:23:24 +0800
Subject: [PATCH] Fix blockwise compat and compat test failure
---
tests/blockwise-compat | 2 +-
tests/compat-test | 15 ++++++++-------
2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/tests/blockwise-compat b/tests/blockwise-compat
index da94ce8..64870dd 100755
--- a/tests/blockwise-compat
+++ b/tests/blockwise-compat
@@ -65,7 +65,7 @@
}
falloc() {
- fallocate -l"$1"m $2 2>/dev/null || dd if=/dev/zero of=$2 bs=1M count=$1 2> /dev/null
+ dd if=/dev/zero of=$2 bs=1M count=$1 2> /dev/null
}
run_all_in_fs() {
diff --git a/tests/compat-test b/tests/compat-test
--- a/tests/compat-test 2019-04-30 14:21:49.588000000 +0800
+++ b/tests/compat-test 2019-04-30 15:01:33.524000000 +0800
@@ -21,6 +21,7 @@
PWD1="93R4P4pIqAH8"
PWD2="mymJeD8ivEhE"
PWD3="ocMakf3fAcQO"
+PWD4="hkj123HJGS12"
PWDW="rUkL4RUryBom"
VK_FILE="compattest_vkfile"
@@ -193,17 +194,17 @@
echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey $IMG $FAST_PBKDF_OPT || fail
echo -e "$PWD0\n$PWD1" | $CRYPTSETUP luksAddKey $IMG $FAST_PBKDF_OPT 2>/dev/null && fail
echo "[4] change key"
-echo -e "$PWD1\n$PWD0\n" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT $IMG || fail
+echo -e "$PWD1\n$PWD4\n" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT $IMG || fail
echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT $IMG 2>/dev/null && fail
[ $? -ne 2 ] && fail "luksChangeKey should return EPERM exit code"
echo "[5] remove key"
-# delete active keys PWD0, PWD2
+# delete active keys PWD2, PWD4
echo $PWD1 | $CRYPTSETUP luksRemoveKey $IMG 2>/dev/null && fail
[ $? -ne 2 ] && fail "luksRemove should return EPERM exit code"
-echo $PWD0 | $CRYPTSETUP luksRemoveKey $IMG || fail
echo $PWD2 | $CRYPTSETUP luksRemoveKey $IMG || fail
+echo $PWD4 | $CRYPTSETUP luksRemoveKey $IMG || fail
# check if keys were deleted
-echo $PWD0 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
+echo $PWD4 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
[ $? -ne 2 ] && fail "luksOpen should return EPERM exit code"
echo $PWD2 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
[ $? -ne 2 ] && fail "luksOpen should return EPERM exit code"
@@ -803,16 +804,16 @@
send "YES\n"
expect timeout abort "Enter passphrase for $LOOPDEV:"
sleep 0.1
-send "$PWD0\n"
+send "$PWD4\n"
expect timeout abort "Verify passphrase:"
sleep 0.1
-send "$PWD0\n"
+send "$PWD4\n"
expect timeout abort "Command successful."
expect timeout abort eof
eval spawn $CRYPTSETUP luksOpen -v $LOOPDEV --test-passphrase
expect timeout abort "Enter passphrase for $LOOPDEV:"
sleep 0.1
-send "$PWD0\n"
+send "$PWD4\n"
expect timeout abort "Command successful."
expect timeout abort eof
exit

BIN
cryptsetup-2.0.4.tar.xz Normal file
View File

Binary file not shown.

208
cryptsetup.spec Normal file
View File

@ -0,0 +1,208 @@
Name: cryptsetup
Version: 2.0.4
Release: 2
Summary: Utility used to conveniently set up disk encryption
License: GPLv2+ and LGPLv2+
URL: https://gitlab.com/cryptsetup/cryptsetup
Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{version}.tar.xz
Patch0: 0000-cryptsetup-add-system-library-paths.patch
Patch6000: 6000-Emit-error-message-for-converting-inactive-keyslot.patch
Patch6001: 6001-Move-blkid-scan-after-device-context-initialization.patch
Patch6002: 6002-Add-blkid-scan-when-attemting-to-open-plain-device.patch
Patch6003: 6003-Wiping-empty-device-should-not-fail.patch
Patch6004: 6004-Do-not-copy-buffer-if-read-fails.patch
Patch6005: 6005-Do-not-fail-if-device-is-smaller-than-requested-wipe.patch
Patch6006: 6006-Do-not-print-error-for-used-device-twice.patch
Patch6007: 6007-Fix-issues-found-by-Coverity-scan.patch
Patch6008: 6008-Properly-propagate-error-from-AF-diffuse-function.patch
Patch6009: 6009-Check-for-device-size-and-sector-size-misalignment.patch
Patch6010: 6010-Fix-a-possible-NULL-pointer-in-opt_type.patch
Patch6011: 6011-Upstream-fixes-to-bundled-Argon2-code.patch
Patch9000: 9000-fix-blockwise-compat-and-compat-test.patch
BuildRequires: openssl-devel, popt-devel, device-mapper-devel git
BuildRequires: libuuid-devel, json-c-devel, libargon2-devel, libpwquality-devel libblkid-devel
BuildRequires: python2-devel python3-devel
Requires: libpwquality >= 1.2.0
Provides: %{name}-luks = %{version}-%{release}
Obsoletes: %{name}-luks < 1.4.0
Provides: %{name}-libs %{name}-libs%{?_isa}
Obsoletes: %{name}-libs
%{!?python_sitearch: %global python_sitearch %(%{__python} -c \
"from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
%description
cryptsetup is a utility used to conveniently set up disk encryption based
on the DMCrypt kernel module.
%package devel
Summary: Including header files and library for the developing of cryptsetup
Requires: %{name} = %{version}-%{release}
Requires: pkgconfig
Provides: cryptsetup-luks-devel = %{version}-%{release}
Obsoletes: cryptsetup-luks-devel < 1.4.0
%description devel
This contains dynamic libraries and header files for the developing of cryptsetup.
%package -n veritysetup
Summary: Utility for setting up disk verification
Requires: %{name} = %{version}-%{release}
%description -n veritysetup
It contains a utility for setting up disk verification.
%package -n integritysetup
Summary: Utility for setting up dm-integrity volumes
Requires: %{name} = %{version}-%{release}
%description -n integritysetup
It contains a utility for setting up dm-integrity volumes.
%package reencrypt
Summary: Utility for reencryption encrypted disks
Requires: %{name} = %{version}-%{release}
%description reencrypt
It contains a utility for reencryption encrypted disks.
%package -n python2-cryptsetup
Summary: cryptsetup python2 version
Requires: %{name} = %{version}-%{release}
Provides: %{name}-python = %{version}-%{release}
Provides: %{name}-python%{?_isa} = %{version}-%{release}
Obsoletes: %{name}-python < %{version}-%{release}
Obsoletes: python-cryptsetup < 1.4.0
%description -n python2-cryptsetup
It contains python2 bindings for libcryptsetup.
%package python3
Summary: cryptsetup python3 version
Requires: %{name} = %{version}-%{release}
%{?python_provide:%python_provide python3-cryptsetup}
Provides: python3-cryptsetup = %{version}-%{release}
%description python3
It contains python3 bindings for libcryptsetup.
%package help
Summary: Including man files for cryptsetup
BuildArch: noarch
Requires: man
%description help
This contains man files for the using of cryptsetup.
%prep
%autosetup -n %{name}-%{version} -p1 -S git
cp -a . %{py3dir}
%build
%configure --enable-python --enable-fips --enable-pwquality --enable-libargon2 --with-crypto_backend=openssl
%make_build
pushd %{py3dir}
%configure --enable-python --with-python_version=3 --enable-fips --enable-pwquality --enable-libargon2 --with-crypto_backend=openssl
%make_build
popd
%install
%make_install
%make_install -C %{py3dir}
%find_lang cryptsetup
%post -n cryptsetup -p /sbin/ldconfig
%postun -n cryptsetup -p /sbin/ldconfig
%files -f cryptsetup.lang
%license COPYING COPYING.LGPL AUTHORS
%doc docs/*
%{_sbindir}/cryptsetup
%{_libdir}/libcryptsetup.so.*
%{_tmpfilesdir}/cryptsetup.conf
%ghost %dir /run/cryptsetup
%exclude %{_libdir}/*.la
%files devel
%doc docs/examples/*
%{_libdir}/libcryptsetup.so
%{_includedir}/libcryptsetup.h
%{_libdir}/pkgconfig/libcryptsetup.pc
%files -n veritysetup
%{_sbindir}/veritysetup
%files -n integritysetup
%{_sbindir}/integritysetup
%files reencrypt
%doc %attr(644,-,-)misc/dracut_90reencrypt
%{_sbindir}/cryptsetup-reencrypt
%files -n python2-cryptsetup
%doc python/pycryptsetup-test.py
%{python2_sitearch}/pycryptsetup.so
%exclude %{python2_sitearch}/pycryptsetup.la
%files python3
%doc python/pycryptsetup-test.py
%{python3_sitearch}/pycryptsetup.so
%exclude %{python3_sitearch}/pycryptsetup.la
%files help
%{_mandir}/man8/*
%changelog
* Wed Aug 28 2019 zhanghaibo <ted.zhang@huawei.com> - 2.0.4-2
- Type:enhancemnet
- ID:NA
- SUG:NA
- DESC:openEuler Debranding
* Wed Aug 21 2019 renxudong<renxudong1@huawei.com> - 2.0.4-1.h3
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:fix blockwise-compat and compat-test
* Mon May 6 2019 hanzhijun<hanzhijun1@huawei.com> - 2.0.4-1.h2
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:fix blockwise-compat and compat-test
* Thu Apr 18 2019 wangxiao<wangxiao65@huawei.com> - 2.0.4-1.h1
- Type:bugfix
- ID:NA
- SUG:restart
- DESC:Emit error message for converting inactive keyslot.
Move blkid scan after device context initialization.
Add blkid scan when attemting to open plain device.
Wiping empty device should not fail.
Do not copy buffer if read fails.
Do not fail if device is smaller than requested wipe size.
Do not print error for used device twice.
Fix issues found by Coverity scan.
Properly propagate error from AF diffuse function.
Check for device size and sector size misalignment.
Fix a possible NULL pointer in opt_type.
Upstream fixes to bundled Argon2 code.
- Package init