summaryrefslogtreecommitdiffstats
path: root/debian/patches
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/patches/Fix-getting-default-LUKS2-keyslot-encryption-paramet.patch56
-rw-r--r--debian/patches/Fix-mapped-segments-overflow-on-32bit-architectures.patch151
-rw-r--r--debian/patches/Fix-volume-key-file-if-no-LUKS2-keyslots-are-present.patch86
-rw-r--r--debian/patches/Mention-limitation-of-crypt_get_volume_key_size.patch20
-rw-r--r--debian/patches/series4
5 files changed, 317 insertions, 0 deletions
diff --git a/debian/patches/Fix-getting-default-LUKS2-keyslot-encryption-paramet.patch b/debian/patches/Fix-getting-default-LUKS2-keyslot-encryption-paramet.patch
new file mode 100644
index 0000000..0a16127
--- /dev/null
+++ b/debian/patches/Fix-getting-default-LUKS2-keyslot-encryption-paramet.patch
@@ -0,0 +1,56 @@
+From c03e3fe88a9761f34b22d2b4d4654353783e2d4f Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Tue, 26 Feb 2019 11:49:58 +0100
+Subject: Fix getting default LUKS2 keyslot encryption parameters.
+
+When information about original keyslot size is missing (no active
+keyslot assigned to default segment) we have to fallback to
+default luks2 encryption parameters even though we know default
+segment cipher and mode.
+
+Fixes: #442.
+---
+ lib/setup.c | 3 ++-
+ tests/api-test-2.c | 19 +++++++++++++++++++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -4632,7 +4632,8 @@ const char *crypt_keyslot_get_encryption
+ cipher = LUKS2_get_cipher(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT);
+ if (!LUKS2_keyslot_cipher_incompatible(cd, cipher)) {
+ *key_size = crypt_get_volume_key_size(cd);
+- return cipher;
++ if (*key_size)
++ return cipher;
+ }
+
+ /* Fallback to default LUKS2 keyslot encryption */
+--- a/tests/api-test-2.c
++++ b/tests/api-test-2.c
+@@ -914,6 +914,25 @@ static void AddDeviceLuks2(void)
+ FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_1, key3, key_size, 0), "VK doesn't match any digest assigned to segment 0");
+ crypt_free(cd);
+
++ /*
++ * Check regression in getting keyslot encryption parameters when
++ * volume key size is unknown (no active keyslots).
++ */
++ if (!_fips_mode) {
++ OK_(crypt_init(&cd, DMDIR L_DEVICE_1S));
++ crypt_set_iteration_time(cd, 1);
++ OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, key, key_size, NULL));
++ EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, key_size, PASSPHRASE, strlen(PASSPHRASE)), 0);
++ /* drop context copy of volume key */
++ crypt_free(cd);
++ OK_(crypt_init(&cd, DMDIR L_DEVICE_1S));
++ OK_(crypt_load(cd, CRYPT_LUKS, NULL));
++ EQ_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, PASSPHRASE, strlen(PASSPHRASE)), 0);
++ OK_(crypt_keyslot_destroy(cd, 0));
++ EQ_(crypt_keyslot_add_by_volume_key(cd, 0, key, key_size, PASSPHRASE, strlen(PASSPHRASE)), 0);
++ crypt_free(cd);
++ }
++
+ _cleanup_dmdevices();
+ }
+
diff --git a/debian/patches/Fix-mapped-segments-overflow-on-32bit-architectures.patch b/debian/patches/Fix-mapped-segments-overflow-on-32bit-architectures.patch
new file mode 100644
index 0000000..0cb53cf
--- /dev/null
+++ b/debian/patches/Fix-mapped-segments-overflow-on-32bit-architectures.patch
@@ -0,0 +1,151 @@
+From 8f8f0b3258152a260c6a40be89b485f943f81484 Mon Sep 17 00:00:00 2001
+From: Milan Broz <gmazyland@gmail.com>
+Date: Mon, 26 Aug 2019 10:01:17 +0200
+Subject: Fix mapped segments overflow on 32bit architectures.
+
+All set_segment functions must use uin64_t everywhere,
+not size_t that is platform dependent.
+
+The code later uses it correctly, it is just wrong function
+prototype definitions.
+
+Reported in
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935702
+
+(TODO: add a test for other segment types.)
+---
+ lib/libdevmapper.c | 12 ++++++------
+ lib/utils_dm.h | 12 ++++++------
+ tests/integrity-compat-test | 26 ++++++++++++++++++++++++++
+ 3 files changed, 38 insertions(+), 12 deletions(-)
+
+--- a/lib/libdevmapper.c
++++ b/lib/libdevmapper.c
+@@ -2592,9 +2592,9 @@ int dm_is_dm_kernel_name(const char *nam
+ return strncmp(name, "dm-", 3) ? 0 : 1;
+ }
+
+-int dm_crypt_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
++int dm_crypt_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
+ struct device *data_device, struct volume_key *vk, const char *cipher,
+- size_t iv_offset, size_t data_offset, const char *integrity, uint32_t tag_size,
++ uint64_t iv_offset, uint64_t data_offset, const char *integrity, uint32_t tag_size,
+ uint32_t sector_size)
+ {
+ int r = -EINVAL;
+@@ -2632,7 +2632,7 @@ err:
+ return r;
+ }
+
+-int dm_verity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
++int dm_verity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
+ struct device *data_device, struct device *hash_device, struct device *fec_device,
+ const char *root_hash, uint32_t root_hash_size, uint64_t hash_offset_block,
+ uint64_t hash_blocks, struct crypt_params_verity *vp)
+@@ -2658,7 +2658,7 @@ int dm_verity_target_set(struct dm_targe
+ return 0;
+ }
+
+-int dm_integrity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
++int dm_integrity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
+ struct device *meta_device,
+ struct device *data_device, uint64_t tag_size, uint64_t offset,
+ uint32_t sector_size, struct volume_key *vk,
+@@ -2697,8 +2697,8 @@ int dm_integrity_target_set(struct dm_ta
+ return 0;
+ }
+
+-int dm_linear_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
+- struct device *data_device, size_t data_offset)
++int dm_linear_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
++ struct device *data_device, uint64_t data_offset)
+ {
+ if (!data_device)
+ return -EINVAL;
+--- a/lib/utils_dm.h
++++ b/lib/utils_dm.h
+@@ -156,22 +156,22 @@ void dm_backend_exit(struct crypt_device
+ int dm_targets_allocate(struct dm_target *first, unsigned count);
+ void dm_targets_free(struct crypt_device *cd, struct crypt_dm_active_device *dmd);
+
+-int dm_crypt_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
++int dm_crypt_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
+ struct device *data_device, struct volume_key *vk, const char *cipher,
+- size_t iv_offset, size_t data_offset, const char *integrity,
++ uint64_t iv_offset, uint64_t data_offset, const char *integrity,
+ uint32_t tag_size, uint32_t sector_size);
+-int dm_verity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
++int dm_verity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
+ struct device *data_device, struct device *hash_device, struct device *fec_device,
+ const char *root_hash, uint32_t root_hash_size, uint64_t hash_offset_block,
+ uint64_t hash_blocks, struct crypt_params_verity *vp);
+-int dm_integrity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
++int dm_integrity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
+ struct device *meta_device,
+ struct device *data_device, uint64_t tag_size, uint64_t offset, uint32_t sector_size,
+ struct volume_key *vk,
+ struct volume_key *journal_crypt_key, struct volume_key *journal_mac_key,
+ const struct crypt_params_integrity *ip);
+-int dm_linear_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
+- struct device *data_device, size_t data_offset);
++int dm_linear_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
++ struct device *data_device, uint64_t data_offset);
+
+ int dm_remove_device(struct crypt_device *cd, const char *name, uint32_t flags);
+ int dm_status_device(struct crypt_device *cd, const char *name);
+--- a/tests/integrity-compat-test
++++ b/tests/integrity-compat-test
+@@ -7,6 +7,8 @@ INTSETUP_VALGRIND=../.libs/integritysetu
+ INTSETUP_LIB_VALGRIND=../.libs
+
+ DEV_NAME=dmc_test
++DEV_NAME_BIG=dmc_fake
++DEV_LOOP=""
+ DEV=test123.img
+ DEV2=test124.img
+ KEY_FILE=key.img
+@@ -18,6 +20,9 @@ dmremove() { # device
+
+ cleanup() {
+ [ -b /dev/mapper/$DEV_NAME ] && dmremove $DEV_NAME
++ [ -b /dev/mapper/$DEV_NAME_BIG ] && dmremove $DEV_NAME_BIG
++ [ -n "$DEV_LOOP" ] && losetup -d "$DEV_LOOP"
++ DEV_LOOP=""
+ rm -f $DEV $DEV2 $KEY_FILE >/dev/null 2>&1
+ }
+
+@@ -282,6 +287,7 @@ int_mode() # alg tag_size sector_size [k
+
+ [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
+ [ ! -x "$INTSETUP" ] && skip "Cannot find $INTSETUP, test skipped."
++which blockdev >/dev/null || skip "Cannot find blockdev utility, test skipped."
+
+ [ -n "$VALG" ] && valgrind_setup && INTSETUP=valgrind_run
+ which hexdump >/dev/null 2>&1 || skip "WARNING: hexdump tool required."
+@@ -358,6 +364,26 @@ if [ -n "$DM_INTEGRITY_META" ] ; then
+ echo "[OK]"
+ else
+ echo "[N/A]"
++fi
++
++echo -n "Big device:"
++add_device
++DEV_LOOP=$(losetup -f $DEV --show)
++if [ -n "$DEV_LOOP" ] ; then
++dmsetup create $DEV_NAME_BIG <<EOF
++0 16284 linear $DEV_LOOP 0
++16284 80000000000 zero
++EOF
++ [ ! -b /dev/mapper/$DEV_NAME_BIG ] && fail
++ $INTSETUP format -q -s 512 --no-wipe /dev/mapper/$DEV_NAME_BIG
++ $INTSETUP open /dev/mapper/$DEV_NAME_BIG $DEV_NAME || fail
++ D_SIZE=$($INTSETUP dump /dev/mapper/$DEV_NAME_BIG | grep provided_data_sectors | sed -e 's/.*provided_data_sectors\ \+//g')
++ A_SIZE=$(blockdev --getsz /dev/mapper/$DEV_NAME)
++ # Compare strings (to avoid 64bit integers), not integers
++ [ -n "$A_SIZE" -a "$D_SIZE" != "$A_SIZE" ] && fail
++ echo "[OK]"
++else
++ echo "[N/A]"
+ fi
+
+ cleanup
diff --git a/debian/patches/Fix-volume-key-file-if-no-LUKS2-keyslots-are-present.patch b/debian/patches/Fix-volume-key-file-if-no-LUKS2-keyslots-are-present.patch
new file mode 100644
index 0000000..3b7f1b2
--- /dev/null
+++ b/debian/patches/Fix-volume-key-file-if-no-LUKS2-keyslots-are-present.patch
@@ -0,0 +1,86 @@
+From 725720dfc31ff26c4a60089a478fe5e882925ef3 Mon Sep 17 00:00:00 2001
+From: Milan Broz <gmazyland@gmail.com>
+Date: Wed, 14 Aug 2019 12:31:40 +0200
+Subject: Fix volume key file if no LUKS2 keyslots are present.
+
+If all keyslots are removed, LUKS2 has no longer information about
+the volume key size (there is only key digest present).
+
+If user wants to open or add new keyslot, it must get information
+about key size externally.
+
+We do not want to guess key size from the file size (it does not
+work for block devices for example), so require explicit --keyfil
+option in these cases.
+
+Fixes #470.
+---
+ src/cryptsetup.c | 18 ++++++++++++++++--
+ tests/compat-test2 | 7 ++++++-
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+--- a/src/cryptsetup.c
++++ b/src/cryptsetup.c
+@@ -1249,6 +1249,13 @@ static int action_open_luks(void)
+
+ if (opt_master_key_file) {
+ keysize = crypt_get_volume_key_size(cd);
++ if (!keysize && !opt_key_size) {
++ log_err(_("Cannot dermine volume key size for LUKS without keyslots, please use --key-size option."));
++ r = -EINVAL;
++ goto out;
++ } else if (!keysize)
++ keysize = opt_key_size / 8;
++
+ r = tools_read_mk(opt_master_key_file, &key, keysize);
+ if (r < 0)
+ goto out;
+@@ -1553,6 +1560,13 @@ static int action_luksAddKey(void)
+ }
+
+ if (opt_master_key_file) {
++ if (!keysize && !opt_key_size) {
++ log_err(_("Cannot dermine volume key size for LUKS without keyslots, please use --key-size option."));
++ r = -EINVAL;
++ goto out;
++ } else if (!keysize)
++ keysize = opt_key_size / 8;
++
+ r = tools_read_mk(opt_master_key_file, &key, keysize);
+ if (r < 0)
+ goto out;
+@@ -2752,9 +2766,9 @@ int main(int argc, const char **argv)
+ strcmp(aname, "luksFormat") &&
+ strcmp(aname, "open") &&
+ strcmp(aname, "benchmark") &&
+- (strcmp(aname, "luksAddKey") || !opt_unbound))
++ strcmp(aname, "luksAddKey"))
+ usage(popt_context, EXIT_FAILURE,
+- _("Option --key-size is allowed only for luksFormat, luksAddKey (with --unbound),\n"
++ _("Option --key-size is allowed only for luksFormat, luksAddKey,\n"
+ "open and benchmark actions. To limit read from keyfile use --keyfile-size=(bytes)."),
+ poptGetInvocationName(popt_context));
+
+--- a/tests/compat-test2
++++ b/tests/compat-test2
+@@ -492,7 +492,7 @@ echo $PWD1 | $CRYPTSETUP luksOpen $LOOPD
+ $CRYPTSETUP luksClose $DEV_NAME || fail
+
+ prepare "[21] luksDump" wipe
+-echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --uuid $TEST_UUID --type luks2 $LOOPDEV $KEY1 || fail
++echo $PWD1 | $CRYPTSETUP -q luksFormat --key-size 256 $FAST_PBKDF_OPT --uuid $TEST_UUID --type luks2 $LOOPDEV $KEY1 || fail
+ echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV -d $KEY1 || fail
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q "0: luks2" || fail
+ $CRYPTSETUP luksDump $LOOPDEV | grep -q $TEST_UUID || fail
+@@ -504,6 +504,11 @@ echo $PWD1 | $CRYPTSETUP luksDump -q $LO
+ fips_mode || {
+ echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --master-key-file $VK_FILE $LOOPDEV || fail
+ }
++# Use volume key file without keyslots
++$CRYPTSETUP luksErase -q $LOOPDEV || fail
++$CRYPTSETUP luksOpen --master-key-file $VK_FILE --key-size 256 --test-passphrase $LOOPDEV || fail
++echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT --master-key-file $VK_FILE --key-size 256 $LOOPDEV || fail
++echo $PWD1 | $CRYPTSETUP luksOpen --test-passphrase $LOOPDEV || fail
+
+ prepare "[22] remove disappeared device" wipe
+ dmsetup create $DEV_NAME --table "0 39998 linear $LOOPDEV 2" || fail
diff --git a/debian/patches/Mention-limitation-of-crypt_get_volume_key_size.patch b/debian/patches/Mention-limitation-of-crypt_get_volume_key_size.patch
new file mode 100644
index 0000000..22443f3
--- /dev/null
+++ b/debian/patches/Mention-limitation-of-crypt_get_volume_key_size.patch
@@ -0,0 +1,20 @@
+From fe4e1de56639f1e6851ff8e47729f703a25dece4 Mon Sep 17 00:00:00 2001
+From: Milan Broz <gmazyland@gmail.com>
+Date: Mon, 29 Jul 2019 14:32:13 +0200
+Subject: Mention limitation of crypt_get_volume_key_size().
+
+---
+ lib/libcryptsetup.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/lib/libcryptsetup.h
++++ b/lib/libcryptsetup.h
+@@ -1448,6 +1448,8 @@ uint64_t crypt_get_iv_offset(struct cryp
+ *
+ * @return volume key size
+ *
++ * @note For LUKS2, this function can be used only if there is at least
++ * one keyslot assigned to data segment.
+ */
+ int crypt_get_volume_key_size(struct crypt_device *cd);
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..44a44bd
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,4 @@
+Fix-getting-default-LUKS2-keyslot-encryption-paramet.patch
+Mention-limitation-of-crypt_get_volume_key_size.patch
+Fix-volume-key-file-if-no-LUKS2-keyslots-are-present.patch
+Fix-mapped-segments-overflow-on-32bit-architectures.patch