From 0a9f14c658027169ea15f3b2579fe0a792682bf7 Mon Sep 17 00:00:00 2001 From: Ondrej Kozina Date: Wed, 23 Feb 2022 12:18:35 +0100 Subject: [PATCH] Fix --test-passphrase when device in reencryption. Commit 0113ac2d broke test passphrase mode when device was in LUKS2 reencryption. Previously --test-passphrase parameter automatically raised CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY flag. It did not make sense when users mostly want to test whether device can be activated by provided passphrase or not. Raise the aforementioned flag only if user requested it either by --unbound parameter or when specific keyslot was selected. Reported in: https://bugzilla.redhat.com/show_bug.cgi?id=2056439 Fixes: #716. --- man/cryptsetup.8 | 9 +++++++-- src/cryptsetup.c | 6 ++++++ src/cryptsetup_args.h | 2 +- src/utils_luks.c | 3 ++- tests/compat-test2 | 6 ++---- 5 files changed, 18 insertions(+), 8 deletions(-) diff --git a/man/cryptsetup.8 b/man/cryptsetup.8 index 6ee37b97..8935bfcd 100644 --- a/man/cryptsetup.8 +++ b/man/cryptsetup.8 @@ -322,7 +322,8 @@ the command prompts for it interactively. \-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase, \-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id, \-\-token\-only, \-\-token-type, \-\-disable\-external\-tokens, \-\-disable\-keyring, -\-\-disable\-locks, \-\-type, \-\-refresh, \-\-serialize\-memory\-hard\-pbkdf]. +\-\-disable\-locks, \-\-type, \-\-refresh, \-\-serialize\-memory\-hard\-pbkdf, +\-\-unbound]. .PP \fIluksSuspend\fR .IP 
@@ -1483,10 +1484,14 @@ aligned to page size and page-cache initiates read of a sector with invalid integrity tag. .TP .B "\-\-unbound" - Creates new or dumps existing LUKS2 unbound keyslot. See \fIluksAddKey\fR or \fIluksDump\fR actions for more details. +When used in \fIluksOpen\fR action (allowed only together with +\-\-test\-passphrase parameter), it allows to test passphrase for unbound LUKS2 +keyslot. Otherwise, unbound keyslot passphrase can be tested only when specific +keyslot is selected via \-\-key\-slot parameter. + .TP .B "\-\-tcrypt\-hidden" .B "\-\-tcrypt\-system" diff --git a/src/cryptsetup.c b/src/cryptsetup.c index 5d48e2a4..b9437a42 100644 --- a/src/cryptsetup.c +++ b/src/cryptsetup.c @@ -2745,6 +2745,12 @@ static const char * verify_open(void) if (ARG_SET(OPT_DEVICE_SIZE_ID) && ARG_SET(OPT_SIZE_ID)) return _("Options --device-size and --size cannot be combined."); + if (ARG_SET(OPT_UNBOUND_ID) && device_type && strncmp(device_type, "luks", 4)) + return _("Option --unbound is allowed only for open of luks device."); + + if (ARG_SET(OPT_UNBOUND_ID) && !ARG_SET(OPT_TEST_PASSPHRASE_ID)) + return _("Option --unbound cannot be used without --test-passphrase."); + /* "open --type tcrypt" and "tcryptDump" checks are identical */ return verify_tcryptdump(); } diff --git a/src/cryptsetup_args.h b/src/cryptsetup_args.h index 73454d3f..05254da1 100644 --- a/src/cryptsetup_args.h +++ b/src/cryptsetup_args.h @@ -88,7 +88,7 @@ #define OPT_TCRYPT_SYSTEM_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION } #define OPT_TEST_PASSPHRASE_ACTIONS { OPEN_ACTION } #define OPT_TOKEN_REPLACE_ACTIONS { TOKEN_ACTION } -#define OPT_UNBOUND_ACTIONS { ADDKEY_ACTION, LUKSDUMP_ACTION } +#define OPT_UNBOUND_ACTIONS { ADDKEY_ACTION, LUKSDUMP_ACTION, OPEN_ACTION } #define OPT_USE_RANDOM_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION } #define OPT_USE_URANDOM_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION } #define OPT_UUID_ACTIONS { FORMAT_ACTION, UUID_ACTION, REENCRYPT_ACTION } 
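Review bot: The first added check in verify_open() uses `strncmp(device_type, "luks", 4)`, which accepts any type name starting with "luks", so `--type luks1 --unbound --test-passphrase` would pass validation even though the man page text in this commit describes unbound keyslots as a LUKS2 feature. The flag would then be silently ignored, as the comment in set_activation_flags() notes. If that is not intended, compare against the exact names, e.g. `if (ARG_SET(OPT_UNBOUND_ID) && device_type && strcmp(device_type, "luks") && strcmp(device_type, "luks2"))`, and say "LUKS2" in the message. The check is also skipped when device_type is NULL, which presumably relies on the default type being LUKS; a one-line comment such as `/* device_type == NULL means default (LUKS) type */` would make that explicit. verify_open() starts outside the hunk.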
diff --git a/src/utils_luks.c b/src/utils_luks.c index d750600c..bcda4646 100644 --- a/src/utils_luks.c +++ b/src/utils_luks.c @@ -99,7 +99,8 @@ void set_activation_flags(uint32_t *flags) *flags |= CRYPT_ACTIVATE_IGNORE_PERSISTENT; /* Only for LUKS2 but ignored elsewhere */ - if (ARG_SET(OPT_TEST_PASSPHRASE_ID)) + if (ARG_SET(OPT_TEST_PASSPHRASE_ID) && + (ARG_SET(OPT_KEY_SLOT_ID) || ARG_SET(OPT_UNBOUND_ID))) *flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY; if (ARG_SET(OPT_SERIALIZE_MEMORY_HARD_PBKDF_ID)) diff --git a/tests/compat-test2 b/tests/compat-test2 index e96ed291..217ae0ea 100755 --- a/tests/compat-test2 +++ b/tests/compat-test2 @@ -700,7 +700,7 @@ $CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOPDEV $DEV_NAME 2>/dev/null && fail # otoh it should be allowed to test for proper passphrase prepare "" new echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail -echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail +echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail [ -b /dev/mapper/$DEV_NAME ] && fail echo $PWD1 | $CRYPTSETUP open $HEADER_KEYU $DEV_NAME 2>/dev/null && fail @@ -709,7 +709,7 @@ echo $PWD0 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU $DEV_NAME 2>/de $CRYPTSETUP luksKillSlot -q $HEADER_KEYU 0 $CRYPTSETUP luksDump $HEADER_KEYU | grep -q "0: luks2" && fail echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail -echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail +echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail prepare "[28] Detached LUKS header" wipe 
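Review bot: The widened condition in set_activation_flags() still raises CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY for `--test-passphrase` combined with `--key-slot`, so a successful `open --test-passphrase -S N` does not prove that the passphrase can activate the device; it may only have unlocked an unbound keyslot. The existing comment `/* Only for LUKS2 but ignored elsewhere */` does not explain that choice, so I would extend it, e.g. `/* Only for LUKS2 but ignored elsewhere. Unbound keyslots are accepted in test mode only on explicit request (--unbound) or when a keyslot is named, so a plain --test-passphrase means "can activate". */`. Scripts that use the `-S` form as an unlock check would benefit from the same caveat next to `--test-passphrase` in the man page. The function body starts and ends outside the hunk.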
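Review bot: The changed lines in the @@ -700 and @@ -709 hunks only exercise the new positive path (`--unbound --test-passphrase`); nothing asserts that the old form is now rejected, or that verify_open() refuses `--unbound` without `--test-passphrase`. Going by the neighbouring lines, $PWD1 unlocks only the unbound keyslot of $HEADER_KEYU, so negative cases such as `echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU 2>/dev/null && fail` and `echo $PWD1 | $CRYPTSETUP open --unbound $HEADER_KEYU $DEV_NAME 2>/dev/null && fail` would pin the new behaviour. The same applies to the @@ -973 hunk, where the two plain `--test-passphrase` lines are deleted rather than inverted into `&& fail` checks. There is also no test in these hunks for the case the commit title names, `--test-passphrase` on a device in reencryption; it may live in a test file not shown here.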
@@ -973,11 +973,9 @@ echo $PWD3 | $CRYPTSETUP -q luksAddKey --unbound --master-key-file /dev/urandom
 # do not allow to replace keyslot by unbound slot
 echo $PWD1 | $CRYPTSETUP -q luksAddKey -S5 --unbound -s 32 $LOOPDEV 2>/dev/null && fail
 echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
-echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
 echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV $DEV_NAME 2> /dev/null && fail
 echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV --test-passphrase || fail
 echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
-echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
 # check we're able to change passphrase for unbound keyslot
 echo -e "$PWD2\n$PWD3" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail
 echo $PWD3 | $CRYPTSETUP open --test-passphrase -S 2 $LOOPDEV || fail