From cd1c36ef94fd38a5ddfcde9fd3954958f7c5b08f Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Mon, 24 Sep 2018 18:10:02 +0200
Subject: [PATCH] Allow passphrase change for unbound keyslots.

Also fixes small typo in API.

Fixes #409.
---
 lib/libcryptsetup.h | 2 +-
 src/cryptsetup.c    | 2 +-
 tests/compat-test2  | 8 +++++++-
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/lib/libcryptsetup.h b/lib/libcryptsetup.h
index 96cbae3d..62cfaffe 100644
--- a/lib/libcryptsetup.h
+++ b/lib/libcryptsetup.h
@@ -958,7 +958,7 @@ int crypt_keyslot_destroy(struct crypt_device *cd, int keyslot);
 #define CRYPT_ACTIVATE_IGNORE_PERSISTENT (1 << 14)
 /** dm-verity: check_at_most_once - check data blocks only the first time */
 #define CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE (1 << 15)
-/** allow activation check including unbound keyslots (kesylots without segments) */
+/** allow activation check including unbound keyslots (keyslots without segments) */
 #define CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY (1 << 16)
 
 /**
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 90fc703c..8930c508 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -1520,7 +1520,7 @@ static int action_luksChangeKey(void)
 
 	/* Check password before asking for new one */
 	r = crypt_activate_by_passphrase(cd, NULL, opt_key_slot,
-					 password, password_size, 0);
+					 password, password_size, CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY);
 	tools_passphrase_msg(r);
 	check_signal(&r);
 	if (r < 0)
diff --git a/tests/compat-test2 b/tests/compat-test2
index 805463cb..fa05a94f 100755
--- a/tests/compat-test2
+++ b/tests/compat-test2
@@ -817,6 +817,8 @@ $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
 $CRYPTSETUP luksDump $LOOPDEV | grep "PBKDF:" | grep -q "pbkdf2" || fail
 echo $PWD1 | $CRYPTSETUP -q luksConvertKey $LOOPDEV -S 1 --pbkdf argon2i -i1 --pbkdf-memory 32 || fail
 $CRYPTSETUP luksDump $LOOPDEV | grep -q "1: luks2" || fail
+echo $PWD3 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT -S 21 --unbound -s 16 $LOOPDEV || fail
+echo $PWD3 | $CRYPTSETUP luksConvertKey --pbkdf-force-iterations 1001 --pbkdf pbkdf2 -S 21 $LOOPDEV || fail
 
 prepare "[38] luksAddKey unbound tests" wipe
 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEY5 --key-slot 5 || fail
@@ -837,8 +839,12 @@ echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV $DEV_NAME 2> /dev/null && fail
 echo $PWD2 | $CRYPTSETUP -q open -S2 $LOOPDEV --test-passphrase || fail
 echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV $DEV_NAME 2> /dev/null && fail
 echo $PWD1 | $CRYPTSETUP -q open $LOOPDEV --test-passphrase || fail
+# check we're able to change passphrase for unbound keyslot
+echo -e "$PWD2\n$PWD3" | $CRYPTSETUP luksChangeKey $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail
+echo $PWD3 | $CRYPTSETUP open --test-passphrase $FAST_PBKDF_OPT -S 2 $LOOPDEV || fail
+echo $PWD3 | $CRYPTSETUP -q open -S 2 $LOOPDEV $DEV_NAME 2> /dev/null && fail
 # do not allow adding keyslot by unbound keyslot
-echo -e "$PWD2\n$PWD1" | $CRYPTSETUP -q luksAddKey $LOOPDEV 2> /dev/null && fail
+echo -e "$PWD3\n$PWD1" | $CRYPTSETUP -q luksAddKey $LOOPDEV 2> /dev/null && fail
 # check adding keyslot works when there's unbound keyslot
 echo $PWD1 | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $LOOPDEV --key-file $KEY5 -S8 || fail
 echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME || fail