Fix --test-passphrase when device in reencryption.

Commit 0113ac2d broke test passphrase mode when device was in LUKS2 reencryption. Previously --test-passphrase parameter automatically raised CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY flag. It did not make sense when users mostly want to test whether device can be activated by provided passphrase or not. Raise the aforementioned flag only if user requested it either by --unbound parameter or when specific keyslot was selected. Reported in: https://bugzilla.redhat.com/show_bug.cgi?id=2056439 Fixes: #716.
2025-12-16 21:29:59 +01:00 · 2022-02-23 12:18:35 +01:00
parent 6b774e617b
commit 0a9f14c658
5 changed files with 18 additions and 8 deletions
--- a/man/cryptsetup.8
+++ b/man/cryptsetup.8
@@ -322,7 +322,8 @@ the command prompts for it interactively.
 \-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase,
 \-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id,
 \-\-token\-only, \-\-token-type, \-\-disable\-external\-tokens, \-\-disable\-keyring,
-\-\-disable\-locks, \-\-type, \-\-refresh, \-\-serialize\-memory\-hard\-pbkdf].
+\-\-disable\-locks, \-\-type, \-\-refresh, \-\-serialize\-memory\-hard\-pbkdf,
 \-\-unbound].
 .PP
 \fIluksSuspend\fR <name>
 .IP
@@ -1483,10 +1484,14 @@ aligned to page size and page-cache initiates read of a sector with invalid
 integrity tag.
 .TP
 .B "\-\-unbound"
 Creates new or dumps existing LUKS2 unbound keyslot. See \fIluksAddKey\fR or
 \fIluksDump\fR actions for more details.
 When used in \fIluksOpen\fR action (allowed only together with
 \-\-test\-passphrase parameter), it allows to test passphrase for unbound LUKS2
 keyslot. Otherwise, unbound keyslot passphrase can be tested only when specific
 keyslot is selected via \-\-key\-slot parameter.
 .TP
 .B "\-\-tcrypt\-hidden"
 .B "\-\-tcrypt\-system"
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -2745,6 +2745,12 @@ static const char * verify_open(void)
 	if (ARG_SET(OPT_DEVICE_SIZE_ID) && ARG_SET(OPT_SIZE_ID))
 		return _("Options --device-size and --size cannot be combined.");
 	if (ARG_SET(OPT_UNBOUND_ID) && device_type && strncmp(device_type, "luks", 4))
 		return _("Option --unbound is allowed only for open of luks device.");
 	if (ARG_SET(OPT_UNBOUND_ID) && !ARG_SET(OPT_TEST_PASSPHRASE_ID))
 		return _("Option --unbound cannot be used without --test-passphrase.");
 	/* "open --type tcrypt" and "tcryptDump" checks are identical */
 	return verify_tcryptdump();
 }
--- a/src/cryptsetup_args.h
+++ b/src/cryptsetup_args.h
@@ -88,7 +88,7 @@
 #define OPT_TCRYPT_SYSTEM_ACTIONS		{ OPEN_ACTION, TCRYPTDUMP_ACTION }
 #define OPT_TEST_PASSPHRASE_ACTIONS		{ OPEN_ACTION }
 #define OPT_TOKEN_REPLACE_ACTIONS		{ TOKEN_ACTION }
-#define OPT_UNBOUND_ACTIONS			{ ADDKEY_ACTION, LUKSDUMP_ACTION }
+#define OPT_UNBOUND_ACTIONS			{ ADDKEY_ACTION, LUKSDUMP_ACTION, OPEN_ACTION }
 #define OPT_USE_RANDOM_ACTIONS			{ FORMAT_ACTION, REENCRYPT_ACTION }
 #define OPT_USE_URANDOM_ACTIONS			{ FORMAT_ACTION, REENCRYPT_ACTION }
 #define OPT_UUID_ACTIONS			{ FORMAT_ACTION, UUID_ACTION, REENCRYPT_ACTION }
--- a/src/utils_luks.c
+++ b/src/utils_luks.c
@@ -99,7 +99,8 @@ void set_activation_flags(uint32_t *flags)
 		*flags |= CRYPT_ACTIVATE_IGNORE_PERSISTENT;
 	/* Only for LUKS2 but ignored elsewhere */
-	if (ARG_SET(OPT_TEST_PASSPHRASE_ID))
+	if (ARG_SET(OPT_TEST_PASSPHRASE_ID) &&
            (ARG_SET(OPT_KEY_SLOT_ID) || ARG_SET(OPT_UNBOUND_ID)))
 		*flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY;
 	if (ARG_SET(OPT_SERIALIZE_MEMORY_HARD_PBKDF_ID))
--- a/tests/compat-test2
+++ b/tests/compat-test2
@@ -700,7 +700,7 @@ $CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOPDEV $DEV_NAME 2>/dev/null && fail
 # otoh it should be allowed to test for proper passphrase
 prepare "" new
 echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
-echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
+echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail
 echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
 [ -b /dev/mapper/$DEV_NAME ] && fail
 echo $PWD1 | $CRYPTSETUP open $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
@@ -709,7 +709,7 @@ echo $PWD0 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU $DEV_NAME 2>/de
 $CRYPTSETUP luksKillSlot -q $HEADER_KEYU 0
 $CRYPTSETUP luksDump $HEADER_KEYU | grep -q "0: luks2" && fail
 echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
-echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
+echo $PWD1 | $CRYPTSETUP open --unbound --test-passphrase $HEADER_KEYU || fail
 echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
 prepare "[28] Detached LUKS header" wipe
@@ -973,11 +973,9 @@ echo $PWD3 | $CRYPTSETUP -q luksAddKey --unbound --master-key-file /dev/urandom
 # do not allow to replace keyslot by unbound slot
 echo $PWD1 | $CRYPTSETUP -q luksAddKey -S5 --unbound -s 32 $LOOPDEV 2>/dev/null && fail
 echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
 echo $PWD2 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
 echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV $DEV_NAME 2> /dev/null && fail
 echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV --test-passphrase || fail
 echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
 echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
 # check we're able to change passphrase for unbound keyslot
 echo -e "$PWD2\n$PWD3" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail
 echo $PWD3 | $CRYPTSETUP open --test-passphrase -S 2 $LOOPDEV || fail