Adding debian version 2:2.1.0-5+deb10u2.debian/2%2.1.0-5+deb10u2debian

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

5 files changed, 317 insertions, 0 deletions

diff --git a/debian/patches/Fix-getting-default-LUKS2-keyslot-encryption-paramet.patch b/debian/patches/Fix-getting-default-LUKS2-keyslot-encryption-paramet.patch
new file mode 100644
index 0000000..0a16127
--- /dev/null
+++ b/debian/patches/Fix-getting-default-LUKS2-keyslot-encryption-paramet.patch
@@ -0,0 +1,56 @@
+From c03e3fe88a9761f34b22d2b4d4654353783e2d4f Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Tue, 26 Feb 2019 11:49:58 +0100
+Subject: Fix getting default LUKS2 keyslot encryption parameters.
+
+When information about original keyslot size is missing (no active
+keyslot assigned to default segment) we have to fallback to
+default luks2 encryption parameters even though we know default
+segment cipher and mode.
+
+Fixes: #442.
+---
+ lib/setup.c        |    3 ++-
+ tests/api-test-2.c |   19 +++++++++++++++++++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -4632,7 +4632,8 @@ const char *crypt_keyslot_get_encryption
+ 	cipher =  LUKS2_get_cipher(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT);
+ 	if (!LUKS2_keyslot_cipher_incompatible(cd, cipher)) {
+ 		*key_size = crypt_get_volume_key_size(cd);
+-		return cipher;
++		if (*key_size)
++			return cipher;
+ 	}
+ 
+ 	/* Fallback to default LUKS2 keyslot encryption */
+--- a/tests/api-test-2.c
++++ b/tests/api-test-2.c
+@@ -914,6 +914,25 @@ static void AddDeviceLuks2(void)
+ 	FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_1, key3, key_size, 0), "VK doesn't match any digest assigned to segment 0");
+ 	crypt_free(cd);
+ 
++	/*
++	 * Check regression in getting keyslot encryption parameters when
++	 * volume key size is unknown (no active keyslots).
++	 */
++	if (!_fips_mode) {
++		OK_(crypt_init(&cd, DMDIR L_DEVICE_1S));
++		crypt_set_iteration_time(cd, 1);
++		OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, key, key_size, NULL));
++		EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, key_size, PASSPHRASE, strlen(PASSPHRASE)), 0);
++		/* drop context copy of volume key */
++		crypt_free(cd);
++		OK_(crypt_init(&cd, DMDIR L_DEVICE_1S));
++		OK_(crypt_load(cd, CRYPT_LUKS, NULL));
++		EQ_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, PASSPHRASE, strlen(PASSPHRASE)), 0);
++		OK_(crypt_keyslot_destroy(cd, 0));
++		EQ_(crypt_keyslot_add_by_volume_key(cd, 0, key, key_size, PASSPHRASE, strlen(PASSPHRASE)), 0);
++		crypt_free(cd);
++	}
++
+ 	_cleanup_dmdevices();
+ }
+ 
diff --git a/debian/patches/Fix-mapped-segments-overflow-on-32bit-architectures.patch b/debian/patches/Fix-mapped-segments-overflow-on-32bit-architectures.patch
new file mode 100644
index 0000000..0cb53cf
--- /dev/null
+++ b/debian/patches/Fix-mapped-segments-overflow-on-32bit-architectures.patch
@@ -0,0 +1,151 @@
+From 8f8f0b3258152a260c6a40be89b485f943f81484 Mon Sep 17 00:00:00 2001
+From: Milan Broz <gmazyland@gmail.com>
+Date: Mon, 26 Aug 2019 10:01:17 +0200
+Subject: Fix mapped segments overflow on 32bit architectures.
+
+All set_segment functions must use uin64_t everywhere,
+not size_t that is platform dependent.
+
+The code later uses it correctly, it is just wrong function
+prototype definitions.
+
+Reported in
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935702
+
+(TODO: add a test for other segment types.)
+---
+ lib/libdevmapper.c          |   12 ++++++------
+ lib/utils_dm.h              |   12 ++++++------
+ tests/integrity-compat-test |   26 ++++++++++++++++++++++++++
+ 3 files changed, 38 insertions(+), 12 deletions(-)
+
+--- a/lib/libdevmapper.c
++++ b/lib/libdevmapper.c
+@@ -2592,9 +2592,9 @@ int dm_is_dm_kernel_name(const char *nam
+ 	return strncmp(name, "dm-", 3) ? 0 : 1;
+ }
+ 
+-int dm_crypt_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
++int dm_crypt_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
+ 	struct device *data_device, struct volume_key *vk, const char *cipher,
+-	size_t iv_offset, size_t data_offset, const char *integrity, uint32_t tag_size,
++	uint64_t iv_offset, uint64_t data_offset, const char *integrity, uint32_t tag_size,
+ 	uint32_t sector_size)
+ {
+ 	int r = -EINVAL;
+@@ -2632,7 +2632,7 @@ err:
+ 	return r;
+ }
+ 
+-int dm_verity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
++int dm_verity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
+ 	struct device *data_device, struct device *hash_device, struct device *fec_device,
+ 	const char *root_hash, uint32_t root_hash_size, uint64_t hash_offset_block,
+ 	uint64_t hash_blocks, struct crypt_params_verity *vp)
+@@ -2658,7 +2658,7 @@ int dm_verity_target_set(struct dm_targe
+ 	return 0;
+ }
+ 
+-int dm_integrity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
++int dm_integrity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
+ 			struct device *meta_device,
+ 		        struct device *data_device, uint64_t tag_size, uint64_t offset,
+ 			uint32_t sector_size, struct volume_key *vk,
+@@ -2697,8 +2697,8 @@ int dm_integrity_target_set(struct dm_ta
+ 	return 0;
+ }
+ 
+-int dm_linear_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
+-	struct device *data_device, size_t data_offset)
++int dm_linear_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
++	struct device *data_device, uint64_t data_offset)
+ {
+ 	if (!data_device)
+ 		return -EINVAL;
+--- a/lib/utils_dm.h
++++ b/lib/utils_dm.h
+@@ -156,22 +156,22 @@ void dm_backend_exit(struct crypt_device
+ int dm_targets_allocate(struct dm_target *first, unsigned count);
+ void dm_targets_free(struct crypt_device *cd, struct crypt_dm_active_device *dmd);
+ 
+-int dm_crypt_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
++int dm_crypt_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
+ 	struct device *data_device, struct volume_key *vk, const char *cipher,
+-	size_t iv_offset, size_t data_offset, const char *integrity,
++	uint64_t iv_offset, uint64_t data_offset, const char *integrity,
+ 	uint32_t tag_size, uint32_t sector_size);
+-int dm_verity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
++int dm_verity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
+ 	struct device *data_device, struct device *hash_device, struct device *fec_device,
+ 	const char *root_hash, uint32_t root_hash_size, uint64_t hash_offset_block,
+ 	uint64_t hash_blocks, struct crypt_params_verity *vp);
+-int dm_integrity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
++int dm_integrity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
+ 	struct device *meta_device,
+ 	struct device *data_device, uint64_t tag_size, uint64_t offset, uint32_t sector_size,
+ 	struct volume_key *vk,
+ 	struct volume_key *journal_crypt_key, struct volume_key *journal_mac_key,
+ 	const struct crypt_params_integrity *ip);
+-int dm_linear_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
+-	struct device *data_device, size_t data_offset);
++int dm_linear_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
++	struct device *data_device, uint64_t data_offset);
+ 
+ int dm_remove_device(struct crypt_device *cd, const char *name, uint32_t flags);
+ int dm_status_device(struct crypt_device *cd, const char *name);
+--- a/tests/integrity-compat-test
++++ b/tests/integrity-compat-test
+@@ -7,6 +7,8 @@ INTSETUP_VALGRIND=../.libs/integritysetu
+ INTSETUP_LIB_VALGRIND=../.libs
+ 
+ DEV_NAME=dmc_test
++DEV_NAME_BIG=dmc_fake
++DEV_LOOP=""
+ DEV=test123.img
+ DEV2=test124.img
+ KEY_FILE=key.img
+@@ -18,6 +20,9 @@ dmremove() { # device
+ 
+ cleanup() {
+ 	[ -b /dev/mapper/$DEV_NAME ] && dmremove $DEV_NAME
++	[ -b /dev/mapper/$DEV_NAME_BIG ] && dmremove $DEV_NAME_BIG
++	[ -n "$DEV_LOOP" ] && losetup -d "$DEV_LOOP"
++	DEV_LOOP=""
+ 	rm -f $DEV $DEV2 $KEY_FILE >/dev/null 2>&1
+ }
+ 
+@@ -282,6 +287,7 @@ int_mode() # alg tag_size sector_size [k
+ 
+ [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
+ [ ! -x "$INTSETUP" ] && skip "Cannot find $INTSETUP, test skipped."
++which blockdev >/dev/null || skip "Cannot find blockdev utility, test skipped."
+ 
+ [ -n "$VALG" ] && valgrind_setup && INTSETUP=valgrind_run
+ which hexdump >/dev/null 2>&1 || skip "WARNING: hexdump tool required."
+@@ -358,6 +364,26 @@ if [ -n "$DM_INTEGRITY_META" ] ; then
+ 	echo "[OK]"
+ else
+ 	echo "[N/A]"
++fi
++
++echo -n "Big device:"
++add_device
++DEV_LOOP=$(losetup -f $DEV --show)
++if [ -n "$DEV_LOOP" ] ; then
++dmsetup create $DEV_NAME_BIG <<EOF
++0 16284 linear $DEV_LOOP 0
++16284 80000000000 zero
++EOF
++	[ ! -b /dev/mapper/$DEV_NAME_BIG ] && fail
++	$INTSETUP format -q -s 512 --no-wipe /dev/mapper/$DEV_NAME_BIG
++	$INTSETUP open /dev/mapper/$DEV_NAME_BIG $DEV_NAME || fail
++	D_SIZE=$($INTSETUP dump /dev/mapper/$DEV_NAME_BIG | grep provided_data_sectors | sed -e 's/.*provided_data_sectors\ \+//g')
++	A_SIZE=$(blockdev --getsz /dev/mapper/$DEV_NAME)
++	# Compare strings (to avoid 64bit integers), not integers
++	[ -n "$A_SIZE" -a "$D_SIZE" != "$A_SIZE" ] && fail
++	echo "[OK]"
++else
++	echo "[N/A]"
+ fi
+ 
+ cleanup
diff --git a/debian/patches/Fix-volume-key-file-if-no-LUKS2-keyslots-are-present.patch b/debian/patches/Fix-volume-key-file-if-no-LUKS2-keyslots-are-present.patch
new file mode 100644
index 0000000..3b7f1b2
--- /dev/null
+++ b/debian/patches/Fix-volume-key-file-if-no-LUKS2-keyslots-are-present.patch
@@ -0,0 +1,86 @@
+From 725720dfc31ff26c4a60089a478fe5e882925ef3 Mon Sep 17 00:00:00 2001
+From: Milan Broz <gmazyland@gmail.com>
+Date: Wed, 14 Aug 2019 12:31:40 +0200
+Subject: Fix volume key file if no LUKS2 keyslots are present.
+
+If all keyslots are removed, LUKS2 has no longer information about
+the volume key size (there is only key digest present).
+
+If user wants to open or add new keyslot, it must get information
+about key size externally.
+
+We do not want to guess key size from the file size (it does not
+work for block devices for example), so require explicit --keyfil
+option in these cases.
+
+Fixes #470.
+---
+ src/cryptsetup.c   |   18 ++++++++++++++++--
+ tests/compat-test2 |    7 ++++++-
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+--- a/src/cryptsetup.c
++++ b/src/cryptsetup.c
+@@ -1249,6 +1249,13 @@ static int action_open_luks(void)
+ 
+ 	if (opt_master_key_file) {
+ 		keysize = crypt_get_volume_key_size(cd);
++		if (!keysize && !opt_key_size) {
++			log_err(_("Cannot dermine volume key size for LUKS without keyslots, please use --key-size option."));
++			r = -EINVAL;
++			goto out;
++		} else if (!keysize)
++			keysize = opt_key_size / 8;
++
+ 		r = tools_read_mk(opt_master_key_file, &key, keysize);
+ 		if (r < 0)
+ 			goto out;
+@@ -1553,6 +1560,13 @@ static int action_luksAddKey(void)
+ 	}
+ 
+ 	if (opt_master_key_file) {
++		if (!keysize && !opt_key_size) {
++			log_err(_("Cannot dermine volume key size for LUKS without keyslots, please use --key-size option."));
++			r = -EINVAL;
++			goto out;
++		} else if (!keysize)
++			keysize = opt_key_size / 8;
++
+ 		r = tools_read_mk(opt_master_key_file, &key, keysize);
+ 		if (r < 0)
+ 			goto out;
+@@ -2752,9 +2766,9 @@ int main(int argc, const char **argv)
+ 	   strcmp(aname, "luksFormat") &&
+ 	   strcmp(aname, "open") &&
+ 	   strcmp(aname, "benchmark") &&
+-	   (strcmp(aname, "luksAddKey") || !opt_unbound))
++	   strcmp(aname, "luksAddKey"))
+ 		usage(popt_context, EXIT_FAILURE,
+-		      _("Option --key-size is allowed only for luksFormat, luksAddKey (with --unbound),\n"
++		      _("Option --key-size is allowed only for luksFormat, luksAddKey,\n"
+ 			"open and benchmark actions. To limit read from keyfile use --keyfile-size=(bytes)."),
+ 		      poptGetInvocationName(popt_context));
+ 
+--- a/tests/compat-test2
++++ b/tests/compat-test2
+@@ -492,7 +492,7 @@ echo $PWD1 | $CRYPTSETUP luksOpen $LOOPD
+ $CRYPTSETUP  luksClose  $DEV_NAME || fail
+ 
+ prepare "[21] luksDump" wipe
+-echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --uuid $TEST_UUID --type luks2 $LOOPDEV $KEY1 || fail
++echo $PWD1 | $CRYPTSETUP -q luksFormat --key-size 256 $FAST_PBKDF_OPT --uuid $TEST_UUID --type luks2 $LOOPDEV $KEY1 || fail
+ echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 || fail
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" || fail
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q $TEST_UUID || fail
+@@ -504,6 +504,11 @@ echo $PWD1 | $CRYPTSETUP luksDump -q $LO
+ fips_mode || {
+ 	echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --master-key-file $VK_FILE $LOOPDEV || fail
+ }
++# Use volume key file without keyslots
++$CRYPTSETUP luksErase -q $LOOPDEV || fail
++$CRYPTSETUP luksOpen --master-key-file $VK_FILE --key-size 256 --test-passphrase $LOOPDEV || fail
++echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --master-key-file $VK_FILE --key-size 256 $LOOPDEV || fail
++echo $PWD1 | $CRYPTSETUP luksOpen --test-passphrase $LOOPDEV || fail
+ 
+ prepare "[22] remove disappeared device" wipe
+ dmsetup create $DEV_NAME --table "0 39998 linear $LOOPDEV 2" || fail
diff --git a/debian/patches/Mention-limitation-of-crypt_get_volume_key_size.patch b/debian/patches/Mention-limitation-of-crypt_get_volume_key_size.patch
new file mode 100644
index 0000000..22443f3
--- /dev/null
+++ b/debian/patches/Mention-limitation-of-crypt_get_volume_key_size.patch
@@ -0,0 +1,20 @@
+From fe4e1de56639f1e6851ff8e47729f703a25dece4 Mon Sep 17 00:00:00 2001
+From: Milan Broz <gmazyland@gmail.com>
+Date: Mon, 29 Jul 2019 14:32:13 +0200
+Subject: Mention limitation of crypt_get_volume_key_size().
+
+---
+ lib/libcryptsetup.h |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/lib/libcryptsetup.h
++++ b/lib/libcryptsetup.h
+@@ -1448,6 +1448,8 @@ uint64_t crypt_get_iv_offset(struct cryp
+  *
+  * @return volume key size
+  *
++ * @note For LUKS2, this function can be used only if there is at least
++ *       one keyslot assigned to data segment.
+  */
+ int crypt_get_volume_key_size(struct crypt_device *cd);
+ 
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..44a44bd
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,4 @@
+Fix-getting-default-LUKS2-keyslot-encryption-paramet.patch
+Mention-limitation-of-crypt_get_volume_key_size.patch
+Fix-volume-key-file-if-no-LUKS2-keyslots-are-present.patch
+Fix-mapped-segments-overflow-on-32bit-architectures.patch