1 files changed, 86 insertions, 0 deletions

diff --git a/debian/patches/Fix-volume-key-file-if-no-LUKS2-keyslots-are-present.patch b/debian/patches/Fix-volume-key-file-if-no-LUKS2-keyslots-are-present.patch
new file mode 100644
index 0000000..3b7f1b2
--- /dev/null
+++ b/debian/patches/Fix-volume-key-file-if-no-LUKS2-keyslots-are-present.patch
@@ -0,0 +1,86 @@
+From 725720dfc31ff26c4a60089a478fe5e882925ef3 Mon Sep 17 00:00:00 2001
+From: Milan Broz <gmazyland@gmail.com>
+Date: Wed, 14 Aug 2019 12:31:40 +0200
+Subject: Fix volume key file if no LUKS2 keyslots are present.
+
+If all keyslots are removed, LUKS2 has no longer information about
+the volume key size (there is only key digest present).
+
+If user wants to open or add new keyslot, it must get information
+about key size externally.
+
+We do not want to guess key size from the file size (it does not
+work for block devices for example), so require explicit --keyfil
+option in these cases.
+
+Fixes #470.
+---
+ src/cryptsetup.c   |   18 ++++++++++++++++--
+ tests/compat-test2 |    7 ++++++-
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+--- a/src/cryptsetup.c
++++ b/src/cryptsetup.c
+@@ -1249,6 +1249,13 @@ static int action_open_luks(void)
+ 
+ 	if (opt_master_key_file) {
+ 		keysize = crypt_get_volume_key_size(cd);
++		if (!keysize && !opt_key_size) {
++			log_err(_("Cannot dermine volume key size for LUKS without keyslots, please use --key-size option."));
++			r = -EINVAL;
++			goto out;
++		} else if (!keysize)
++			keysize = opt_key_size / 8;
++
+ 		r = tools_read_mk(opt_master_key_file, &key, keysize);
+ 		if (r < 0)
+ 			goto out;
+@@ -1553,6 +1560,13 @@ static int action_luksAddKey(void)
+ 	}
+ 
+ 	if (opt_master_key_file) {
++		if (!keysize && !opt_key_size) {
++			log_err(_("Cannot dermine volume key size for LUKS without keyslots, please use --key-size option."));
++			r = -EINVAL;
++			goto out;
++		} else if (!keysize)
++			keysize = opt_key_size / 8;
++
+ 		r = tools_read_mk(opt_master_key_file, &key, keysize);
+ 		if (r < 0)
+ 			goto out;
+@@ -2752,9 +2766,9 @@ int main(int argc, const char **argv)
+ 	   strcmp(aname, "luksFormat") &&
+ 	   strcmp(aname, "open") &&
+ 	   strcmp(aname, "benchmark") &&
+-	   (strcmp(aname, "luksAddKey") || !opt_unbound))
++	   strcmp(aname, "luksAddKey"))
+ 		usage(popt_context, EXIT_FAILURE,
+-		      _("Option --key-size is allowed only for luksFormat, luksAddKey (with --unbound),\n"
++		      _("Option --key-size is allowed only for luksFormat, luksAddKey,\n"
+ 			"open and benchmark actions. To limit read from keyfile use --keyfile-size=(bytes)."),
+ 		      poptGetInvocationName(popt_context));
+ 
+--- a/tests/compat-test2
++++ b/tests/compat-test2
+@@ -492,7 +492,7 @@ echo $PWD1 | $CRYPTSETUP luksOpen $LOOPD
+ $CRYPTSETUP  luksClose  $DEV_NAME || fail
+ 
+ prepare "[21] luksDump" wipe
+-echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --uuid $TEST_UUID --type luks2 $LOOPDEV $KEY1 || fail
++echo $PWD1 | $CRYPTSETUP -q luksFormat --key-size 256 $FAST_PBKDF_OPT --uuid $TEST_UUID --type luks2 $LOOPDEV $KEY1 || fail
+ echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 || fail
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" || fail
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q $TEST_UUID || fail
+@@ -504,6 +504,11 @@ echo $PWD1 | $CRYPTSETUP luksDump -q $LO
+ fips_mode || {
+ 	echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --master-key-file $VK_FILE $LOOPDEV || fail
+ }
++# Use volume key file without keyslots
++$CRYPTSETUP luksErase -q $LOOPDEV || fail
++$CRYPTSETUP luksOpen --master-key-file $VK_FILE --key-size 256 --test-passphrase $LOOPDEV || fail
++echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --master-key-file $VK_FILE --key-size 256 $LOOPDEV || fail
++echo $PWD1 | $CRYPTSETUP luksOpen --test-passphrase $LOOPDEV || fail
+ 
+ prepare "[22] remove disappeared device" wipe
+ dmsetup create $DEV_NAME --table "0 39998 linear $LOOPDEV 2" || fail