Version 2.4.1.

The code did not account for data offset when
set via --offset when creating new header in-before
LUKS2 encryption took place.

.github/workflows/coverity.yml

@@ -0,0 +1,48 @@
+name: Coverity test
+on:
+  push:
+    branches:
+      - 'coverity_scan'
+    paths-ignore:
+      - 'docs/**'
+
+jobs:
+  latest:
+    runs-on: ubuntu-latest
+    if: github.repository == 'mbroz/cryptsetup'
+    steps:
+      - name: Repository checkout
+        uses: actions/checkout@v1
+      - name: Ubuntu setup
+        run: sudo -E .github/workflows/cibuild-setup-ubuntu.sh
+        env:
+          COMPILER: "gcc"
+          COMPILER_VERSION: "11"
+      - name: Install Coverity
+        run: |
+          wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=mbroz/cryptsetup" -O cov-analysis-linux64.tar.gz
+          mkdir cov-analysis-linux64
+          tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64
+        env:
+          TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
+      - name: Run autoconf & configure
+        run: |
+          ./autogen.sh
+          ./configure
+      - name: Run cov-build
+        run: |
+          export PATH=`pwd`/cov-analysis-linux64/bin:$PATH
+          cov-build --dir cov-int make
+      - name: Submit to Coverity Scan
+        run: |
+          tar czvf cryptsetup.tgz cov-int
+          curl \
+            --form project=mbroz/cryptsetup \
+            --form token=$TOKEN \
+            --form email=gmazyland@gmail.com \
+            --form file=@cryptsetup.tgz \
+            --form version=trunk \
+            --form description="`./cryptsetup --version`" \
+            https://scan.coverity.com/builds?project=mbroz/cryptsetup
+        env:
+          TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}

FAQ

@@ -51,7 +51,7 @@ A. Contributors
   security model BEFORE you face such a disaster!  In particular, make
   sure you have a current header backup before doing any potentially
   dangerous operations.  The LUKS2 header should be a bit more resilient
-  as critical data starts later and is stored twice, but you can decidedly
+  as critical data starts later and is stored twice, but you can decidely
   still destroy it or a keyslot permanently by accident.
 
   DEBUG COMMANDS: While the --debug and --debug-json options should not
@@ -235,7 +235,6 @@ A. Contributors
   nothing and are sure you did not confirm, then you should look into a
   possible compromise of your email account.
 
-
   * 1.9 What can I do if cryptsetup is running out of memory?
 
   Memory issues are generally related to the key derivation function.  You may
@@ -262,7 +261,6 @@ A. Contributors
   Also, device mapper requires root access.  cryptsetup uses device mapper to 
   manage the decrypted container.
 
-
 2. Setup
 
   * 2.1 LUKS Container Setup mini-HOWTO
@@ -426,6 +424,14 @@ A. Contributors
   it in some other way.  The PC is just not set-up for a really secure
   boot-chain (whatever some people may claim).
 
+  That said, if you want an encrypted root partition, you have to store 
+  an initrd with cryptsetup somewhere else. The traditional approach is
+  to have a separate partition under /boot for that. You can also put that 
+  initrd on a bootable memory stick, bootable CD or bootable external
+  drive as well. The kernel and Grub typically go to the same location 
+  as that initrd. A minimal example what such an initrd can look like is 
+  given in Section 9.
+  
   (2) Fully encrypted raw block device: For this, put LUKS on the raw
   device (e.g.  /dev/sdb) and put a filesystem into the LUKS container, no
   partitioning whatsoever involved.  This is very suitable for things like
@@ -845,7 +851,7 @@ A. Contributors
 
 
   * 2.20 How do I wipe only the LUKS header?
-
+ 
   This does _not_ describe an emergency wipe procedure, see Item 5.4 for
   that.  This procedure here is intended to be used when the data should
   stay intact, e.g.  when you change your LUKS container to use a detached
@@ -858,20 +864,26 @@ A. Contributors
      cryptsetup luksDump <device with LUKS container>
 
 ->   ...
-     Payload offset: <number>
+     Payload offset: <number> [of 512 byte sectors]
      ...
 
   02) Take the result number, multiply by 512 zeros and write to 
-      the start of the device, e.g. like this:
+      the start of the device, e.g. using one of the following alternatives:
 
      dd bs=512 count=<number> if=/dev/zero of=<device>
 
 
-  LUKS2:  (warning, untested!  Remember that backup?) This assumes the
+     head -c <number * 512> /dev/zero > /dev/<device>
+
+
+  LUKS2:  
+  (warning, untested!  Remember that backup?) This assumes the
   LUKS2 container uses the defaults, in particular there is only one data
-  segment.  01) Determine the data-segment offset using luksDump, same
+  segment.  
+  01) Determine the data-segment offset using luksDump, same
       as above for LUKS1:
 
+     cryptsetup luksDump <device with LUKS container>
 ->   ...  
      Data segments:
         0: crypt
@@ -881,7 +893,7 @@ A. Contributors
   02) Overwrite the stated number of bytes from the start of the device.
       Just to give yet another way to get a defined number of zeros:
 
-    head -c /dev/zero > /dev/<device>
+     head -c <number> /dev/zero > /dev/<device>
 
 
 3. Common Problems
@@ -996,7 +1008,7 @@ A. Contributors
   that is intact.
 
   In order to find out whether a key-slot is damaged one has to look for
-  "non-random looking" data in it.  There is a tool that automates this
+  "non-random looking" data in it.  There is a tool that automatizes this
   for LUKS1 in the cryptsetup distribution from version 1.6.0 onwards.  It
   is located in misc/keyslot_checker/.  Instructions how to use and how to
   interpret results are in the README file.  Note that this tool requires
@@ -1234,6 +1246,17 @@ A. Contributors
   countries like the US or the UK are not civilized and do not have fair
   laws.
 
+  As a side-note, standards for biometrics (fingerprint, retina, 
+  vein-pattern, etc.) are often different and much lower. If you put
+  your LUKS passphrase into a device that can be unlocked using biometrics,
+  they may force a biometric sample in many countries where they could not
+  force you to give them a passphrase you solely have in your memory and
+  can claim to have forgotten if needed (it happens). If you need protection
+  on this level, make sure you know what the respective legal situation is,
+  also while traveling, and make sure you decide beforehand what you
+  will do if push comes to shove as they will definitely put you under
+  as much pressure as they can legally apply. 
+
   This means that if you have a large set of random-looking data, they can
   already lock you up.  Hidden containers (encryption hidden within
   encryption), as possible with Truecrypt, do not help either.  They will
@@ -1635,9 +1658,8 @@ A. Contributors
 
     cryptsetup -c aes-xts-plain64 luksFormat <device>
 
-  There is a potential security issue with XTS mode and blocks larger
-  than 2^20 bytes or so. LUKS and dm-crypt always use smaller blocks 
-  and the issue does not apply.
+  There is a potential security issue with XTS mode and large blocks. 
+  LUKS and dm-crypt always use 512B blocks and the issue does not apply.
 
 
   * 5.17 Is LUKS FIPS-140-2 certified?
@@ -2656,7 +2678,7 @@ offset  length  name                  data type  description
   safe under these circumstances, then you have bigger problems than this
   somewhat expected behavior.
 
-  The CVE was exaggerated and should not be assigned to upstream
+  The CVE was exagerrated and should not be assigned to upstream
   cryptsetup in the first place (it is a distro specific initrd issue). 
   It was driven more by a try to make a splash for self-aggrandizement,
   than by any actual security concerns.  Ignore it.
@@ -2980,9 +3002,24 @@ offset  length  name                  data type  description
   start of the device, nothing gets stored somewhere in the middle or at 
   the end. 
   
+  * 10.12 What is a LUKS2 Token?
+
+  A LUKS2 token is an object that describes "how to get a passphrase or 
+  key" to unlock particular keyslot. A LUKS2 token is stored as json data 
+  in the LUKS2 header. The token can be related to all keyslots or a 
+  specific one. As the token is stored in JSON formay it is text by 
+  default but binary data can be encoded into it according to the JSON 
+  conventions.
+ 
+  Documentation on the last changes to LUKS2 tokens can be found in the 
+  release notes. As of version 2.4 of cryptsetup, there are significant 
+  features. The standard documentation for working with tokens is 
+  in the luks2 reference available as PDF on the project page.
+
 
 11. References and Further Reading
 
+
   * Purpose of this Section
 
   The purpose of this section is to collect references to all materials

README.md

@@ -20,6 +20,8 @@ LUKS Design
 only facilitate compatibility among distributions, but also provides secure management of multiple user passwords.  
 LUKS stores all necessary setup information in the partition header, enabling to transport or migrate data seamlessly.
 
+### Specifications
+
 Last version of the LUKS2 format specification is
 [available here](https://gitlab.com/cryptsetup/LUKS2-docs).
 
@@ -44,11 +46,11 @@ Download
 --------
 All release tarballs and release notes are hosted on [kernel.org](https://www.kernel.org/pub/linux/utils/cryptsetup/).
 
-**The latest stable cryptsetup version is 2.4.0**
-  * [cryptsetup-2.4.0.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-2.4.0.tar.xz)
-  * Signature [cryptsetup-2.4.0.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-2.4.0.tar.sign)
+**The latest stable cryptsetup version is 2.4.1**
+  * [cryptsetup-2.4.1.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-2.4.1.tar.xz)
+  * Signature [cryptsetup-2.4.1.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-2.4.1.tar.sign)
     _(You need to decompress file first to check signature.)_
-  * [Cryptsetup 2.4.0 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/v2.4.0-ReleaseNotes).
+  * [Cryptsetup 2.4.1 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/v2.4.1-ReleaseNotes).
 
 Previous versions
  * [Version 2.3.6](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-2.3.6.tar.xz) -
@@ -83,11 +85,23 @@ Note that the list could change as distributions evolve.
 
 Help!
 -----
-Please read the [FAQ](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions) and search the manuals (man page, man-page) before posting questions in the mailing list.   You will be able to ask better questions and better understand the answers.  The FAQ is online and in the source code.  The man pages are in source and should be available after installation using standard man commands.  e.g.  man cryptsetup
 
-For cryptsetup and LUKS related questions, please use the dm-crypt mailing list, [dm-crypt@saout.de](mailto:dm-crypt@saout.de).
+### Documentation
 
-If you want to subscribe just send an empty mail to [dm-crypt-subscribe@saout.de](mailto:dm-crypt-subscribe@saout.de).
+Please read the following documentation before posting questions in the mailing list.   You will be able to ask better questions and better understand the answers.  
 
-You can also browse [list archive](https://www.saout.de/pipermail/dm-crypt/) or read and search it through
-[web interface on lore.kernel.org](https://lore.kernel.org/dm-crypt/) or alternatively on [marc.info](https://marc.info/?l=dm-crypt).
+* [FAQ](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions) 
+* LUKS Specifications
+* manuals (aka man page, man pages, man-page) 
+
+The FAQ is online and in the source code for the project.  The Specifications are referenced above in this document.  The man pages are in source and should be available after installation using standard man commands.  e.g.  man cryptsetup
+
+### Mailing List
+
+For cryptsetup and LUKS related questions, please use the dm-crypt mailing list, [dm-crypt@saout.de](mailto:dm-crypt@saout.de).  To subscribe send an empty mail to [dm-crypt-subscribe@saout.de](mailto:dm-crypt-subscribe@saout.de).
+
+You can also browse and/or search the mailing list archives using the following resources:
+
+* [list archive](https://www.saout.de/pipermail/dm-crypt/) 
+* [web interface on lore.kernel.org](https://lore.kernel.org/dm-crypt/) 
+* [marc.info](https://marc.info/?l=dm-crypt).

configure.ac

@@ -1,5 +1,5 @@
 AC_PREREQ([2.67])
-AC_INIT([cryptsetup],[2.4.0])
+AC_INIT([cryptsetup],[2.4.1])
 
 dnl library version from <major>.<minor>.<release>[-<suffix>]
 LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-)
@@ -58,7 +58,6 @@ dnl ==========================================================================
 AC_C_RESTRICT
 
 AC_HEADER_DIRENT
-AC_HEADER_STDC
 AC_CHECK_HEADERS(fcntl.h malloc.h inttypes.h sys/ioctl.h sys/mman.h \
 	sys/sysmacros.h sys/statvfs.h ctype.h unistd.h locale.h byteswap.h endian.h stdint.h)
 AC_CHECK_DECLS([O_CLOEXEC],,[AC_DEFINE([O_CLOEXEC],[0], [Defined to 0 if not provided])],
@@ -124,6 +123,12 @@ AC_ARG_ENABLE([external-tokens],
 	[], [enable_external_tokens=yes])
 if test "x$enable_external_tokens" = "xyes"; then
 	AC_DEFINE(USE_EXTERNAL_TOKENS, 1, [Use external tokens])
+	dnl we need dynamic library loading here
+	saved_LIBS=$LIBS
+	AC_SEARCH_LIBS([dlsym],[dl])
+	AC_CHECK_FUNCS([dlvsym])
+	AC_SUBST(DL_LIBS, $LIBS)
+	LIBS=$saved_LIBS
 fi
 
 AC_ARG_ENABLE([ssh-token],
@@ -400,10 +405,15 @@ PKG_CHECK_MODULES([JSON_C], [json-c])
 AC_CHECK_DECLS([json_object_object_add_ex], [], [], [#include <json-c/json.h>])
 AC_CHECK_DECLS([json_object_deep_copy], [], [], [#include <json-c/json.h>])
 
-dnl Check for libssh for SSH plugin
+dnl Check for libssh and argp for SSH plugin
 if test "x$enable_ssh_token" = "xyes"; then
 	PKG_CHECK_MODULES([LIBSSH], [libssh])
 	AC_CHECK_DECLS([ssh_session_is_known_server], [], [], [#include <libssh/libssh.h>])
+	AC_CHECK_HEADER([argp.h], [], AC_MSG_ERROR([You need argp library.]))
+	saved_LIBS=$LIBS
+	AC_SEARCH_LIBS([argp_usage],[argp])
+	AC_SUBST(ARGP_LIBS, $LIBS)
+	LIBS=$saved_LIBS
 fi
 
 dnl Crypto backend configuration.

docs/doxyfile

@@ -1,4 +1,4 @@
-# Doxyfile 1.8.8
+# Doxyfile 1.9.1
 
 #---------------------------------------------------------------------------
 # Project related configuration options
@@ -12,6 +12,7 @@ OUTPUT_DIRECTORY       = doxygen_api_docs
 CREATE_SUBDIRS         = NO
 ALLOW_UNICODE_NAMES    = NO
 OUTPUT_LANGUAGE        = English
+OUTPUT_TEXT_DIRECTION  = None
 BRIEF_MEMBER_DESC      = YES
 REPEAT_BRIEF           = YES
 ABBREVIATE_BRIEF       =
@@ -22,40 +23,47 @@ STRIP_FROM_PATH        =
 STRIP_FROM_INC_PATH    =
 SHORT_NAMES            = NO
 JAVADOC_AUTOBRIEF      = NO
+JAVADOC_BANNER         = NO
 QT_AUTOBRIEF           = NO
 MULTILINE_CPP_IS_BRIEF = NO
+PYTHON_DOCSTRING       = YES
 INHERIT_DOCS           = YES
 SEPARATE_MEMBER_PAGES  = NO
 TAB_SIZE               = 8
 ALIASES                =
-TCL_SUBST              =
 OPTIMIZE_OUTPUT_FOR_C  = YES
 OPTIMIZE_OUTPUT_JAVA   = NO
 OPTIMIZE_FOR_FORTRAN   = NO
 OPTIMIZE_OUTPUT_VHDL   = NO
+OPTIMIZE_OUTPUT_SLICE  = NO
 EXTENSION_MAPPING      =
 MARKDOWN_SUPPORT       = YES
+TOC_INCLUDE_HEADINGS   = 5
 AUTOLINK_SUPPORT       = YES
 BUILTIN_STL_SUPPORT    = NO
 CPP_CLI_SUPPORT        = NO
 SIP_SUPPORT            = NO
 IDL_PROPERTY_SUPPORT   = YES
 DISTRIBUTE_GROUP_DOC   = NO
+GROUP_NESTED_COMPOUNDS = NO
 SUBGROUPING            = YES
 INLINE_GROUPED_CLASSES = NO
 INLINE_SIMPLE_STRUCTS  = NO
 TYPEDEF_HIDES_STRUCT   = YES
 LOOKUP_CACHE_SIZE      = 0
+NUM_PROC_THREADS       = 1
 #---------------------------------------------------------------------------
 # Build related configuration options
 #---------------------------------------------------------------------------
 EXTRACT_ALL            = NO
 EXTRACT_PRIVATE        = NO
+EXTRACT_PRIV_VIRTUAL   = NO
 EXTRACT_PACKAGE        = NO
 EXTRACT_STATIC         = NO
 EXTRACT_LOCAL_CLASSES  = YES
 EXTRACT_LOCAL_METHODS  = NO
 EXTRACT_ANON_NSPACES   = NO
+RESOLVE_UNNAMED_PARAMS = YES
 HIDE_UNDOC_MEMBERS     = NO
 HIDE_UNDOC_CLASSES     = NO
 HIDE_FRIEND_COMPOUNDS  = NO
@@ -63,6 +71,7 @@ HIDE_IN_BODY_DOCS      = NO
 INTERNAL_DOCS          = NO
 CASE_SENSE_NAMES       = YES
 HIDE_SCOPE_NAMES       = NO
+HIDE_COMPOUND_REFERENCE= NO
 SHOW_INCLUDE_FILES     = YES
 SHOW_GROUPED_MEMB_INC  = NO
 FORCE_LOCAL_INCLUDES   = NO
@@ -93,13 +102,14 @@ WARNINGS               = YES
 WARN_IF_UNDOCUMENTED   = YES
 WARN_IF_DOC_ERROR      = YES
 WARN_NO_PARAMDOC       = NO
+WARN_AS_ERROR          = NO
 WARN_FORMAT            = "$file:$line: $text"
 WARN_LOGFILE           =
 #---------------------------------------------------------------------------
 # Configuration options related to the input files
 #---------------------------------------------------------------------------
-INPUT                  = "doxygen_index.h" \
-                         "../lib/libcryptsetup.h"
+INPUT                  = doxygen_index.h \
+                         ../lib/libcryptsetup.h
 INPUT_ENCODING         = UTF-8
 FILE_PATTERNS          =
 RECURSIVE              = NO
@@ -107,7 +117,7 @@ EXCLUDE                =
 EXCLUDE_SYMLINKS       = NO
 EXCLUDE_PATTERNS       =
 EXCLUDE_SYMBOLS        =
-EXAMPLE_PATH           = "examples"
+EXAMPLE_PATH           = examples
 EXAMPLE_PATTERNS       =
 EXAMPLE_RECURSIVE      = NO
 IMAGE_PATH             =
@@ -129,12 +139,13 @@ SOURCE_TOOLTIPS        = YES
 USE_HTAGS              = NO
 VERBATIM_HEADERS       = YES
 CLANG_ASSISTED_PARSING = NO
+CLANG_ADD_INC_PATHS    = YES
 CLANG_OPTIONS          =
+CLANG_DATABASE_PATH    =
 #---------------------------------------------------------------------------
 # Configuration options related to the alphabetical class index
 #---------------------------------------------------------------------------
 ALPHABETICAL_INDEX     = YES
-COLS_IN_ALPHA_INDEX    = 5
 IGNORE_PREFIX          =
 #---------------------------------------------------------------------------
 # Configuration options related to the HTML output
@@ -151,6 +162,7 @@ HTML_COLORSTYLE_HUE    = 220
 HTML_COLORSTYLE_SAT    = 100
 HTML_COLORSTYLE_GAMMA  = 80
 HTML_TIMESTAMP         = YES
+HTML_DYNAMIC_MENUS     = YES
 HTML_DYNAMIC_SECTIONS  = NO
 HTML_INDEX_NUM_ENTRIES = 100
 GENERATE_DOCSET        = NO
@@ -180,8 +192,10 @@ GENERATE_TREEVIEW      = NO
 ENUM_VALUES_PER_LINE   = 4
 TREEVIEW_WIDTH         = 250
 EXT_LINKS_IN_WINDOW    = NO
+HTML_FORMULA_FORMAT    = png
 FORMULA_FONTSIZE       = 10
 FORMULA_TRANSPARENT    = YES
+FORMULA_MACROFILE      =
 USE_MATHJAX            = NO
 MATHJAX_FORMAT         = HTML-CSS
 MATHJAX_RELPATH        = http://www.mathjax.org/mathjax
@@ -201,11 +215,13 @@ GENERATE_LATEX         = YES
 LATEX_OUTPUT           = latex
 LATEX_CMD_NAME         = latex
 MAKEINDEX_CMD_NAME     = makeindex
+LATEX_MAKEINDEX_CMD    = makeindex
 COMPACT_LATEX          = NO
 PAPER_TYPE             = a4
 EXTRA_PACKAGES         =
 LATEX_HEADER           =
 LATEX_FOOTER           =
+LATEX_EXTRA_STYLESHEET =
 LATEX_EXTRA_FILES      =
 PDF_HYPERLINKS         = YES
 USE_PDFLATEX           = YES
@@ -213,6 +229,8 @@ LATEX_BATCHMODE        = NO
 LATEX_HIDE_INDICES     = NO
 LATEX_SOURCE_CODE      = NO
 LATEX_BIB_STYLE        = plain
+LATEX_TIMESTAMP        = NO
+LATEX_EMOJI_DIRECTORY  =
 #---------------------------------------------------------------------------
 # Configuration options related to the RTF output
 #---------------------------------------------------------------------------
@@ -222,6 +240,7 @@ COMPACT_RTF            = NO
 RTF_HYPERLINKS         = NO
 RTF_STYLESHEET_FILE    =
 RTF_EXTENSIONS_FILE    =
+RTF_SOURCE_CODE        = NO
 #---------------------------------------------------------------------------
 # Configuration options related to the man page output
 #---------------------------------------------------------------------------
@@ -236,6 +255,7 @@ MAN_LINKS              = NO
 GENERATE_XML           = NO
 XML_OUTPUT             = xml
 XML_PROGRAMLISTING     = YES
+XML_NS_MEMB_FILE_SCOPE = NO
 #---------------------------------------------------------------------------
 # Configuration options related to the DOCBOOK output
 #---------------------------------------------------------------------------
@@ -273,12 +293,10 @@ GENERATE_TAGFILE       =
 ALLEXTERNALS           = NO
 EXTERNAL_GROUPS        = YES
 EXTERNAL_PAGES         = YES
-PERL_PATH              =
 #---------------------------------------------------------------------------
 # Configuration options related to the dot tool
 #---------------------------------------------------------------------------
 CLASS_DIAGRAMS         = YES
-MSCGEN_PATH            =
 DIA_PATH               =
 HIDE_UNDOC_RELATIONS   = YES
 HAVE_DOT               = NO
@@ -291,6 +309,8 @@ COLLABORATION_GRAPH    = YES
 GROUP_GRAPHS           = YES
 UML_LOOK               = NO
 UML_LIMIT_NUM_FIELDS   = 10
+DOT_UML_DETAILS        = NO
+DOT_WRAP_THRESHOLD     = 17
 TEMPLATE_RELATIONS     = NO
 INCLUDE_GRAPH          = YES
 INCLUDED_BY_GRAPH      = YES
@@ -305,6 +325,8 @@ DOTFILE_DIRS           =
 MSCFILE_DIRS           =
 DIAFILE_DIRS           =
 PLANTUML_JAR_PATH      =
+PLANTUML_CFG_FILE      =
+PLANTUML_INCLUDE_PATH  =
 DOT_GRAPH_MAX_NODES    = 50
 MAX_DOT_GRAPH_DEPTH    = 0
 DOT_TRANSPARENT        = NO

docs/v2.4.0-ReleaseNotes

@@ -1,6 +1,6 @@
 Cryptsetup 2.4.0 Release Notes
 ==============================
-Stable release candidate with new features and bug fixes.
+Stable release with new features and bug fixes.
 
 This version introduces support for external libraries
 (plugins) for handling LUKS2 token objects.

docs/v2.4.1-ReleaseNotes

@@ -0,0 +1,47 @@
+Cryptsetup 2.4.1 Release Notes
+==============================
+Stable bug-fix release with minor extensions.
+
+All users of cryptsetup 2.4.0 should upgrade to this version.
+
+Changes since version 2.4.0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Fix compilation for libc implementations without dlvsym().
+
+  Some alternative libc implementations (like musl) do not provide
+  versioned symbols dlvsym function. Code now fallbacks to dlsym
+  operation for dynamic LUKS2 token load.
+  It is up to maintainers to ensure that LUKS2 token plugins are
+  compiled for the supported version.
+
+* Fix compilation and tests on systems with non-standard libraries
+  (standalone argp library, external gettext library, BusyBox
+  implementations of standard tools).
+
+* Try to workaround some issues on systems without udev support.
+  NOTE: non-udev systems cannot provide all functionality for kernel
+  device-mapper, and some operations can fail.
+
+* Fixes for OpenSSL3 crypto backend (including FIPS mode).
+  Because cryptsetup still requires some hash functions implemented
+  in OpenSSL3 legacy provider, crypto backend now uses its library
+  context and tries to load both default and legacy OpenSSL3 providers.
+
+  If FIPS mode is detected, no library context is used, and it is up
+  to the OpenSSL system-wide policy to load proper providers.
+
+  NOTE: We still use some deprecated API in the OpenSSL3 backend,
+  and there are some known problems in OpenSSL 3.0.0.
+
+* Print error message when assigning a token to an inactive keyslot.
+
+* Fix offset bug in LUKS2 encryption code if --offset option was used.
+
+* Do not allow LUKS2 decryption for devices with data offset.
+  Such devices cannot be used after decryption.
+
+* Fix LUKS1 cryptsetup repair command for some specific problems.
+  Repair code can now fix wrongly used initialization vector
+  specification in ECB mode (that is insecure anyway!) and repair
+  the upper-case hash specification in the LUKS1 header.

lib/Makemodule.am

@@ -32,7 +32,9 @@ libcryptsetup_la_LIBADD = \
 	@LIBARGON2_LIBS@	\
 	@JSON_C_LIBS@		\
 	@BLKID_LIBS@		\
+	@DL_LIBS@		\
 	$(LTLIBICONV)		\
+	$(LTLIBINTL)		\
 	libcrypto_backend.la	\
 	libutils_io.la
 

lib/crypto_backend/crypto_backend.h

@@ -31,7 +31,7 @@ struct crypt_hmac;
 struct crypt_cipher;
 struct crypt_storage;
 
-int crypt_backend_init(void);
+int crypt_backend_init(bool fips);
 void crypt_backend_destroy(void);
 
 #define CRYPT_BACKEND_KERNEL (1 << 0)	/* Crypto uses kernel part, for benchmark */

lib/crypto_backend/crypto_gcrypt.c

@@ -94,7 +94,7 @@ static void crypt_hash_test_whirlpool_bug(void)
 		crypto_backend_whirlpool_bug = 1;
 }
 
-int crypt_backend_init(void)
+int crypt_backend_init(bool fips __attribute__((unused)))
 {
 	int r;
 

lib/crypto_backend/crypto_kernel.c

@@ -117,7 +117,7 @@ static int crypt_kernel_socket_init(struct sockaddr_alg *sa, int *tfmfd, int *op
 	return 0;
 }
 
-int crypt_backend_init(void)
+int crypt_backend_init(bool fips __attribute__((unused)))
 {
 	struct utsname uts;
 	struct sockaddr_alg sa = {

lib/crypto_backend/crypto_nettle.c

@@ -213,7 +213,7 @@ static struct hash_alg *_get_alg(const char *name)
 	return NULL;
 }
 
-int crypt_backend_init(void)
+int crypt_backend_init(bool fips __attribute__((unused)))
 {
 	return 0;
 }

lib/crypto_backend/crypto_nss.c

@@ -75,7 +75,7 @@ static struct hash_alg *_get_alg(const char *name)
 	return NULL;
 }
 
-int crypt_backend_init(void)
+int crypt_backend_init(bool fips __attribute__((unused)))
 {
 	int r;
 

lib/crypto_backend/crypto_openssl.c

@@ -41,8 +41,11 @@
 #include "crypto_backend_internal.h"
 #if OPENSSL_VERSION_MAJOR >= 3
 #include <openssl/provider.h>
+#include <openssl/kdf.h>
 static OSSL_PROVIDER *ossl_legacy = NULL;
 static OSSL_PROVIDER *ossl_default = NULL;
+static OSSL_LIB_CTX  *ossl_ctx = NULL;
+static char backend_version[256] = "OpenSSL";
 #endif
 
 #define CONST_CAST(x) (x)(uintptr_t)
@@ -68,6 +71,7 @@ struct crypt_cipher {
 	struct {
 		EVP_CIPHER_CTX *hd_enc;
 		EVP_CIPHER_CTX *hd_dec;
+		const EVP_CIPHER *cipher_type;
 		size_t iv_length;
 	} lib;
 	} u;
@@ -84,9 +88,10 @@ struct hash_alg {
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
     (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
 
-static void openssl_backend_init(void)
+static int openssl_backend_init(bool fips __attribute__((unused)))
 {
 	OpenSSL_add_all_algorithms();
+	return 0;
 }
 
 static void openssl_backend_exit(void)
@@ -130,46 +135,79 @@ static void HMAC_CTX_free(HMAC_CTX *md)
 	free(md);
 }
 #else
-static void openssl_backend_init(void)
+static void openssl_backend_exit(void)
+{
+#if OPENSSL_VERSION_MAJOR >= 3
+	if (ossl_legacy)
+		OSSL_PROVIDER_unload(ossl_legacy);
+	if (ossl_default)
+		OSSL_PROVIDER_unload(ossl_default);
+	if (ossl_ctx)
+		OSSL_LIB_CTX_free(ossl_ctx);
+
+	ossl_legacy = NULL;
+	ossl_default = NULL;
+	ossl_ctx = NULL;
+#endif
+}
+
+static int openssl_backend_init(bool fips)
 {
 /*
  * OpenSSL >= 3.0.0 provides some algorithms in legacy provider
  */
 #if OPENSSL_VERSION_MAJOR >= 3
-	OPENSSL_init_crypto(OPENSSL_INIT_NO_ATEXIT, NULL);
-	ossl_legacy  = OSSL_PROVIDER_try_load(NULL, "legacy", 0);
-	ossl_default = OSSL_PROVIDER_try_load(NULL, "default", 0);
-#endif
-}
+	int r;
 
-static void openssl_backend_exit(void)
-{
-#if OPENSSL_VERSION_MAJOR >= 3
 	/*
-	 * If Destructor was already called, we must not call it again
+	 * In FIPS mode we keep default OpenSSL context & global config
 	 */
-	if (OPENSSL_init_crypto(0, NULL) != 0) {
-		OSSL_PROVIDER_unload(ossl_legacy);
-		OSSL_PROVIDER_unload(ossl_default);
-		OPENSSL_cleanup();
+	if (!fips) {
+		ossl_ctx = OSSL_LIB_CTX_new();
+		if (!ossl_ctx)
+			return -EINVAL;
+
+		ossl_default = OSSL_PROVIDER_try_load(ossl_ctx, "default", 0);
+		if (!ossl_default) {
+			OSSL_LIB_CTX_free(ossl_ctx);
+			return -EINVAL;
+		}
+
+		/* Optional */
+		ossl_legacy = OSSL_PROVIDER_try_load(ossl_ctx, "legacy", 0);
+	}
+
+	r = snprintf(backend_version, sizeof(backend_version), "%s %s%s%s",
+		OpenSSL_version(OPENSSL_VERSION),
+		ossl_default ? "[default]" : "",
+		ossl_legacy  ? "[legacy]" : "",
+		fips  ? "[fips]" : "");
+
+	if (r < 0 || (size_t)r >= sizeof(backend_version)) {
+		openssl_backend_exit();
+		return -EINVAL;
 	}
-	ossl_legacy = NULL;
-	ossl_default = NULL;
 #endif
+	return 0;
 }
 
 static const char *openssl_backend_version(void)
 {
-    return OpenSSL_version(OPENSSL_VERSION);
+#if OPENSSL_VERSION_MAJOR >= 3
+	return backend_version;
+#else
+	return OpenSSL_version(OPENSSL_VERSION);
+#endif
 }
 #endif
 
-int crypt_backend_init(void)
+int crypt_backend_init(bool fips)
 {
 	if (crypto_backend_initialised)
 		return 0;
 
-	openssl_backend_init();
+	if (openssl_backend_init(fips))
+		return -EINVAL;
 
 	crypto_backend_initialised = 1;
 	return 0;
@@ -177,7 +215,14 @@ int crypt_backend_init(void)
 
 void crypt_backend_destroy(void)
 {
+	/*
+	 * If Destructor was already called, we must not call it again
+	 */
+	if (!crypto_backend_initialised)
+		return;
+
 	crypto_backend_initialised = 0;
+
 	openssl_backend_exit();
 }
 
@@ -215,16 +260,51 @@ static const char *crypt_hash_compat_name(const char *name)
 	return hash_name;
 }
 
+static const EVP_MD *hash_id_get(const char *name)
+{
+#if OPENSSL_VERSION_MAJOR >= 3
+	return EVP_MD_fetch(ossl_ctx, crypt_hash_compat_name(name), NULL);
+#else
+	return EVP_get_digestbyname(crypt_hash_compat_name(name));
+#endif
+}
+
+static void hash_id_free(const EVP_MD *hash_id)
+{
+#if OPENSSL_VERSION_MAJOR >= 3
+	EVP_MD_free(CONST_CAST(EVP_MD*)hash_id);
+#endif
+}
+
+static const EVP_CIPHER *cipher_type_get(const char *name)
+{
+#if OPENSSL_VERSION_MAJOR >= 3
+	return EVP_CIPHER_fetch(ossl_ctx, name, NULL);
+#else
+	return EVP_get_cipherbyname(name);
+#endif
+}
+
+static void cipher_type_free(const EVP_CIPHER *cipher_type)
+{
+#if OPENSSL_VERSION_MAJOR >= 3
+	EVP_CIPHER_free(CONST_CAST(EVP_CIPHER*)cipher_type);
+#endif
+}
+
 /* HASH */
 int crypt_hash_size(const char *name)
 {
+	int size;
 	const EVP_MD *hash_id;
 
-	hash_id = EVP_get_digestbyname(crypt_hash_compat_name(name));
+	hash_id = hash_id_get(name);
 	if (!hash_id)
 		return -EINVAL;
 
-	return EVP_MD_size(hash_id);
+	size = EVP_MD_size(hash_id);
+	hash_id_free(hash_id);
+	return size;
 }
 
 int crypt_hash_init(struct crypt_hash **ctx, const char *name)
@@ -241,7 +321,7 @@ int crypt_hash_init(struct crypt_hash **ctx, const char *name)
 		return -ENOMEM;
 	}
 
-	h->hash_id = EVP_get_digestbyname(crypt_hash_compat_name(name));
+	h->hash_id = hash_id_get(name);
 	if (!h->hash_id) {
 		EVP_MD_CTX_free(h->md);
 		free(h);
@@ -249,6 +329,7 @@ int crypt_hash_init(struct crypt_hash **ctx, const char *name)
 	}
 
 	if (EVP_DigestInit_ex(h->md, h->hash_id, NULL) != 1) {
+		hash_id_free(h->hash_id);
 		EVP_MD_CTX_free(h->md);
 		free(h);
 		return -EINVAL;
@@ -300,6 +381,7 @@ int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length)
 
 void crypt_hash_destroy(struct crypt_hash *ctx)
 {
+	hash_id_free(ctx->hash_id);
 	EVP_MD_CTX_free(ctx->md);
 	memset(ctx, 0, sizeof(*ctx));
 	free(ctx);
@@ -326,7 +408,7 @@ int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
 		return -ENOMEM;
 	}
 
-	h->hash_id = EVP_get_digestbyname(crypt_hash_compat_name(name));
+	h->hash_id = hash_id_get(name);
 	if (!h->hash_id) {
 		HMAC_CTX_free(h->md);
 		free(h);
@@ -374,6 +456,7 @@ int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length)
 
 void crypt_hmac_destroy(struct crypt_hmac *ctx)
 {
+	hash_id_free(ctx->hash_id);
 	HMAC_CTX_free(ctx->md);
 	memset(ctx, 0, sizeof(*ctx));
 	free(ctx);
@@ -389,6 +472,67 @@ int crypt_backend_rng(char *buffer, size_t length,
 	return 0;
 }
 
+static int pbkdf2(const char *password, size_t password_length,
+		const char *salt, size_t salt_length,
+		uint32_t iterations, const char *hash, size_t key_length,
+		unsigned char *key)
+{
+#if OPENSSL_VERSION_MAJOR >= 3
+	EVP_KDF_CTX *ctx;
+	EVP_KDF *pbkdf2;
+	int r;
+	OSSL_PARAM params[] = {
+		{ .key = "pass",
+		  .data_type = OSSL_PARAM_OCTET_STRING,
+		  .data = CONST_CAST(void*)password,
+		  .data_size = password_length
+		},
+		{ .key = "salt",
+		  .data_type = OSSL_PARAM_OCTET_STRING,
+		  .data = CONST_CAST(void*)salt,
+		  .data_size = salt_length
+		},
+		{ .key = "iter",
+		  .data_type = OSSL_PARAM_UNSIGNED_INTEGER,
+		  .data = &iterations,
+		  .data_size = sizeof(iterations)
+		},
+		{ .key = "digest",
+		  .data_type = OSSL_PARAM_UTF8_STRING,
+		  .data = CONST_CAST(void*)hash,
+		  .data_size = strlen(hash)
+		},
+		{ NULL, 0, NULL, 0, 0 }
+	};
+
+	pbkdf2 = EVP_KDF_fetch(ossl_ctx, "pbkdf2", NULL);
+	if (!pbkdf2)
+		return 0;
+
+	ctx = EVP_KDF_CTX_new(pbkdf2);
+	if (!ctx) {
+		EVP_KDF_free(pbkdf2);
+		return 0;
+	}
+
+	r = EVP_KDF_derive(ctx, key, key_length, params);
+
+	EVP_KDF_CTX_free(ctx);
+	EVP_KDF_free(pbkdf2);
+
+	/* _derive() returns 0 or negative value on error, 1 on success */
+	return r <= 0 ? 0 : 1;
+#else
+	const EVP_MD *hash_id = EVP_get_digestbyname(crypt_hash_compat_name(hash));
+	if (!hash_id)
+		return 0;
+
+	return PKCS5_PBKDF2_HMAC(password, (int)password_length, (const unsigned char *)salt,
+				 (int)salt_length, iterations, hash_id,
+				 (int)key_length, key);
+#endif
+}
+
 /* PBKDF */
 int crypt_pbkdf(const char *kdf, const char *hash,
 		const char *password, size_t password_length,
@@ -397,19 +541,12 @@ int crypt_pbkdf(const char *kdf, const char *hash,
 		uint32_t iterations, uint32_t memory, uint32_t parallel)
 
 {
-	const EVP_MD *hash_id;
-
 	if (!kdf)
 		return -EINVAL;
 
 	if (!strcmp(kdf, "pbkdf2")) {
-		hash_id = EVP_get_digestbyname(crypt_hash_compat_name(hash));
-		if (!hash_id)
-			return -EINVAL;
-
-		if (!PKCS5_PBKDF2_HMAC(password, (int)password_length,
-		    (const unsigned char *)salt, (int)salt_length,
-	            (int)iterations, hash_id, (int)key_length, (unsigned char *)key))
+		if (!pbkdf2(password, password_length,
+		    salt, salt_length, iterations, hash, key_length, (unsigned char *)key))
 			return -EINVAL;
 		return 0;
 	} else if (!strncmp(kdf, "argon2", 6)) {
@@ -421,16 +558,19 @@ int crypt_pbkdf(const char *kdf, const char *hash,
 }
 
 /* Block ciphers */
-static void _cipher_destroy(EVP_CIPHER_CTX **hd_enc, EVP_CIPHER_CTX **hd_dec)
+static void _cipher_destroy(EVP_CIPHER_CTX **hd_enc, EVP_CIPHER_CTX **hd_dec, const EVP_CIPHER **cipher_type)
 {
 	EVP_CIPHER_CTX_free(*hd_enc);
 	*hd_enc = NULL;
 
 	EVP_CIPHER_CTX_free(*hd_dec);
 	*hd_dec = NULL;
+
+	cipher_type_free(*cipher_type);
+	*cipher_type = NULL;
 }
 
-static int _cipher_init(EVP_CIPHER_CTX **hd_enc, EVP_CIPHER_CTX **hd_dec, const char *name,
+static int _cipher_init(EVP_CIPHER_CTX **hd_enc, EVP_CIPHER_CTX **hd_dec, const EVP_CIPHER **cipher_type, const char *name,
 			const char *mode, const void *key, size_t key_length, size_t *iv_length)
 {
 	char cipher_name[256];
@@ -445,32 +585,38 @@ static int _cipher_init(EVP_CIPHER_CTX **hd_enc, EVP_CIPHER_CTX **hd_dec, const
 	if (r < 0 || (size_t)r >= sizeof(cipher_name))
 		return -EINVAL;
 
-	type = EVP_get_cipherbyname(cipher_name);
+	type = cipher_type_get(cipher_name);
 	if (!type)
 		return -ENOENT;
 
-	if (EVP_CIPHER_key_length(type) != (int)key_length)
+	if (EVP_CIPHER_key_length(type) != (int)key_length) {
+		cipher_type_free(type);
 		return -EINVAL;
+	}
 
 	*hd_enc = EVP_CIPHER_CTX_new();
 	*hd_dec = EVP_CIPHER_CTX_new();
 	*iv_length = EVP_CIPHER_iv_length(type);
 
-	if (!*hd_enc || !*hd_dec)
+	if (!*hd_enc || !*hd_dec) {
+		cipher_type_free(type);
 		return -EINVAL;
+	}
 
 	if (EVP_EncryptInit_ex(*hd_enc, type, NULL, key, NULL) != 1 ||
 	    EVP_DecryptInit_ex(*hd_dec, type, NULL, key, NULL) != 1) {
-		_cipher_destroy(hd_enc, hd_dec);
+		_cipher_destroy(hd_enc, hd_dec, &type);
 		return -EINVAL;
 	}
 
 	if (EVP_CIPHER_CTX_set_padding(*hd_enc, 0) != 1 ||
 	    EVP_CIPHER_CTX_set_padding(*hd_dec, 0) != 1) {
-		_cipher_destroy(hd_enc, hd_dec);
+		_cipher_destroy(hd_enc, hd_dec, &type);
 		return -EINVAL;
 	}
 
+	*cipher_type = type;
+
 	return 0;
 }
 
@@ -484,7 +630,7 @@ int crypt_cipher_init(struct crypt_cipher **ctx, const char *name,
 	if (!h)
 		return -ENOMEM;
 
-	if (!_cipher_init(&h->u.lib.hd_enc, &h->u.lib.hd_dec, name, mode, key,
+	if (!_cipher_init(&h->u.lib.hd_enc, &h->u.lib.hd_dec, &h->u.lib.cipher_type, name, mode, key,
 			  key_length, &h->u.lib.iv_length)) {
 		h->use_kernel = false;
 		*ctx = h;
@@ -507,7 +653,7 @@ void crypt_cipher_destroy(struct crypt_cipher *ctx)
 	if (ctx->use_kernel)
 		crypt_cipher_destroy_kernel(&ctx->u.kernel);
 	else
-		_cipher_destroy(&ctx->u.lib.hd_enc, &ctx->u.lib.hd_dec);
+		_cipher_destroy(&ctx->u.lib.hd_enc, &ctx->u.lib.hd_dec, &ctx->u.lib.cipher_type);
 	free(ctx);
 }
 

lib/libcryptsetup.h

@@ -129,9 +129,10 @@ void crypt_free(struct crypt_device *cd);
  * other values mean accepted.
  *
  * @param cd crypt device handle
- * @param confirm user defined confirm callback reference
+ * @param confirm user defined confirm callback reference; use
+ *        @p msg for message for user to confirm and
+ *        @p usrptr for identification in callback
  * @param usrptr provided identification in callback
- * @param msg Message for user to confirm
  *
  * @note Current version of cryptsetup API requires confirmation for UUID change and
  *	 LUKS header restore only.
@@ -196,10 +197,11 @@ int crypt_set_data_offset(struct crypt_device *cd, uint64_t data_offset);
  * Set log function.
  *
  * @param cd crypt device handle (can be @e NULL to set default log function)
- * @param log user defined log function reference
+ * @param log user defined log function reference; use
+ *        @p level for log level,
+ *        @p msg for message, and
+ *        @p usrptr for identification in callback
  * @param usrptr provided identification in callback
- * @param level log level below (debug messages can uses other levels)
- * @param msg log message
  */
 void crypt_set_log_callback(struct crypt_device *cd,
 	void (*log)(int level, const char *msg, void *usrptr),
@@ -2285,15 +2287,20 @@ const char *crypt_token_external_path(void);
  */
 void crypt_token_external_disable(void);
 
-/** ABI version for external token in libcryptsetup-token-<name>.so */
+/** ABI version for external token in libcryptsetup-token-[name].so */
 #define CRYPT_TOKEN_ABI_VERSION1    "CRYPTSETUP_TOKEN_1.0"
 
-/** ABI exported symbol for external token */
-#define CRYPT_TOKEN_ABI_OPEN        "cryptsetup_token_open" /* mandatory */
+/** open by token - ABI exported symbol for external token (mandatory) */
+#define CRYPT_TOKEN_ABI_OPEN        "cryptsetup_token_open"
+/** open by token with PIN - ABI exported symbol for external token */
 #define CRYPT_TOKEN_ABI_OPEN_PIN    "cryptsetup_token_open_pin"
+/** deallocate callback - ABI exported symbol for external token */
 #define CRYPT_TOKEN_ABI_BUFFER_FREE "cryptsetup_token_buffer_free"
+/** validate token metadata - ABI exported symbol for external token */
 #define CRYPT_TOKEN_ABI_VALIDATE    "cryptsetup_token_validate"
+/** dump token metadata - ABI exported symbol for external token */
 #define CRYPT_TOKEN_ABI_DUMP        "cryptsetup_token_dump"
+/** token version - ABI exported symbol for external token */
 #define CRYPT_TOKEN_ABI_VERSION     "cryptsetup_token_version"
 
 /**
@@ -2319,7 +2326,7 @@ void crypt_token_external_disable(void);
  * @note Negative EAGAIN errno means token handler requires additional hardware
  *       not present in the system.
  *
- * @note with @param token set to CRYPT_ANY_TOKEN libcryptsetup runs best effort loop
+ * @note with @e token set to CRYPT_ANY_TOKEN libcryptsetup runs best effort loop
  *       to unlock device using any available token. It may happen that various token handlers
  *       return different error codes. At the end loop returns error codes in the following
  *       order (from the most significant to the least) any negative errno except those
@@ -2357,7 +2364,7 @@ int crypt_activate_by_token(struct crypt_device *cd,
  * @note Negative EAGAIN errno means token handler requires additional hardware
  *       not present in the system.
  *
- * @note with @param token set to CRYPT_ANY_TOKEN libcryptsetup runs best effort loop
+ * @note with @e token set to CRYPT_ANY_TOKEN libcryptsetup runs best effort loop
  *       to unlock device using any available token. It may happen that various token handlers
  *       return different error codes. At the end loop returns error codes in the following
  *       order (from the most significant to the least) any negative errno except those

lib/luks1/keymanage.c

@@ -65,6 +65,27 @@ static void LUKS_sort_keyslots(const struct luks_phdr *hdr, int *array)
 	}
 }
 
+static int _is_not_lower(char *str, unsigned max_len)
+{
+	for(; *str && max_len; str++, max_len--)
+		if (isupper(*str))
+			return 1;
+	return 0;
+}
+
+static int _to_lower(char *str, unsigned max_len)
+{
+	int r = 0;
+
+	for(; *str && max_len; str++, max_len--)
+		if (isupper(*str)) {
+			*str = tolower(*str);
+			r = 1;
+		}
+
+	return r;
+}
+
 size_t LUKS_device_sectors(const struct luks_phdr *hdr)
 {
 	int sorted_areas[LUKS_NUMKEYS] = { 0, 1, 2, 3, 4, 5, 6, 7 };
@@ -385,6 +406,30 @@ static int _keyslot_repair(struct luks_phdr *phdr, struct crypt_device *ctx)
 		return -EINVAL;
 	}
 
+	/*
+	 * ECB mode does not use IV but legacy dmcrypt silently allows it.
+	 * Today device cannot be activated anyway, so we need to fix it here.
+	 */
+	if (!strncmp(phdr->cipherMode, "ecb-", 4)) {
+		log_err(ctx, _("Cipher mode repaired (%s -> %s)."), phdr->cipherMode, "ecb");
+		memset(phdr->cipherMode, 0, LUKS_CIPHERMODE_L);
+		strcpy(phdr->cipherMode, "ecb");
+		need_write = 1;
+	}
+
+	/*
+	 * Old cryptsetup expects "sha1", gcrypt allows case insensitive names,
+	 * so always convert hash to lower case in header
+	 */
+	if (_to_lower(phdr->hashSpec, LUKS_HASHSPEC_L)) {
+		log_err(ctx, _("Cipher hash repaired to lowercase (%s)."), phdr->hashSpec);
+		if (crypt_hmac_size(phdr->hashSpec) < LUKS_DIGESTSIZE) {
+			log_err(ctx, _("Requested LUKS hash %s is not supported."), phdr->hashSpec);
+			return -EINVAL;
+		}
+		need_write = 1;
+	}
+
 	r = LUKS_check_cipher(ctx, phdr->keyBytes, phdr->cipherName, phdr->cipherMode);
 	if (r < 0)
 		return -EINVAL;
@@ -486,7 +531,7 @@ static int _check_and_convert_hdr(const char *device,
 	hdr->hashSpec[LUKS_HASHSPEC_L - 1] = '\0';
 	if (crypt_hmac_size(hdr->hashSpec) < LUKS_DIGESTSIZE) {
 		log_err(ctx, _("Requested LUKS hash %s is not supported."), hdr->hashSpec);
-		return -EINVAL;
+		r = -EINVAL;
 	}
 
 	/* Header detected */
@@ -510,6 +555,16 @@ static int _check_and_convert_hdr(const char *device,
 	hdr->uuid[UUID_STRING_L - 1] = '\0';
 
 	if (repair) {
+		if (!strncmp(hdr->cipherMode, "ecb-", 4)) {
+			log_err(ctx, _("LUKS cipher mode %s is invalid."), hdr->cipherMode);
+			r = -EINVAL;
+		}
+
+		if (_is_not_lower(hdr->hashSpec, LUKS_HASHSPEC_L)) {
+			log_err(ctx, _("LUKS hash %s is invalid."), hdr->hashSpec);
+			r = -EINVAL;
+		}
+
 		if (r == -EINVAL)
 			r = _keyslot_repair(hdr, ctx);
 		else
@@ -519,27 +574,6 @@ static int _check_and_convert_hdr(const char *device,
 	return r;
 }
 
-static void _to_lower(char *str, unsigned max_len)
-{
-	for(; *str && max_len; str++, max_len--)
-		if (isupper(*str))
-			*str = tolower(*str);
-}
-
-static void LUKS_fix_header_compatible(struct luks_phdr *header)
-{
-	/* Old cryptsetup expects "sha1", gcrypt allows case insensitive names,
-	 * so always convert hash to lower case in header */
-	_to_lower(header->hashSpec, LUKS_HASHSPEC_L);
-
-	/* ECB mode does not use IV but dmcrypt silently allows it.
-	 * Drop any IV here if ECB is used (that is not secure anyway).*/
-	if (!strncmp(header->cipherMode, "ecb-", 4)) {
-		memset(header->cipherMode, 0, LUKS_CIPHERMODE_L);
-		strcpy(header->cipherMode, "ecb");
-	}
-}
-
 int LUKS_read_phdr_backup(const char *backup_file,
 			  struct luks_phdr *hdr,
 			  int require_luks_device,
@@ -559,11 +593,9 @@ int LUKS_read_phdr_backup(const char *backup_file,
 
 	if (read_buffer(devfd, hdr, hdr_size) < hdr_size)
 		r = -EIO;
-	else {
-		LUKS_fix_header_compatible(hdr);
+	else
 		r = _check_and_convert_hdr(backup_file, hdr,
 					   require_luks_device, 0, ctx);
-	}
 
 	close(devfd);
 	return r;
@@ -771,11 +803,10 @@ int LUKS_generate_phdr(struct luks_phdr *header,
 	strncpy(header->cipherName,cipherName,LUKS_CIPHERNAME_L-1);
 	strncpy(header->cipherMode,cipherMode,LUKS_CIPHERMODE_L-1);
 	strncpy(header->hashSpec,hashSpec,LUKS_HASHSPEC_L-1);
+	_to_lower(header->hashSpec, LUKS_HASHSPEC_L);
 
 	header->keyBytes=vk->keylength;
 
-	LUKS_fix_header_compatible(header);
-
 	log_dbg(ctx, "Generating LUKS header version %d using hash %s, %s, %s, MK %d bytes",
 		header->version, header->hashSpec ,header->cipherName, header->cipherMode,
 		header->keyBytes);

lib/luks2/luks2_reencrypt.c

@@ -1834,6 +1834,9 @@ static int reencrypt_make_targets(struct crypt_device *cd,
 			return -EINVAL;
 		}
 
+		if (reenc_seg)
+			segment_offset -= crypt_get_data_offset(cd);
+
 		if (!strcmp(json_segment_type(jobj), "crypt")) {
 			vk = crypt_volume_key_by_id(vks, reenc_seg ? LUKS2_reencrypt_digest_new(hdr) : LUKS2_digest_by_segment(hdr, s));
 			if (!vk) {
@@ -1841,9 +1844,6 @@ static int reencrypt_make_targets(struct crypt_device *cd,
 				return -EINVAL;
 			}
 
-			if (reenc_seg)
-				segment_offset -= crypt_get_data_offset(cd);
-
 			r = dm_crypt_target_set(result, segment_start, segment_size,
 						reenc_seg ? hz_device : crypt_data_device(cd),
 						vk,
@@ -2249,7 +2249,11 @@ static int reencrypt_make_backup_segments(struct crypt_device *cd,
 		r = LUKS2_get_data_size(hdr, &tmp, NULL);
 		if (r)
 			goto err;
-		jobj_segment_old = json_segment_create_linear(0, tmp ? &tmp : NULL, 0);
+
+		if (params->flags & CRYPT_REENCRYPT_MOVE_FIRST_SEGMENT)
+			jobj_segment_old = json_segment_create_linear(0, tmp ? &tmp : NULL, 0);
+		else
+			jobj_segment_old = json_segment_create_linear(data_offset, tmp ? &tmp : NULL, 0);
 	}
 
 	if (!jobj_segment_old) {

lib/luks2/luks2_token.c

@@ -63,9 +63,13 @@ static void *token_dlvsym(struct crypt_device *cd,
 	char *error;
 	void *sym;
 
+#ifdef HAVE_DLVSYM
 	log_dbg(cd, "Loading symbol %s@%s.", symbol, version);
-
 	sym = dlvsym(handle, symbol, version);
+#else
+	log_dbg(cd, "Loading default version of symbol %s.", symbol);
+	sym = dlsym(handle, symbol);
+#endif
 	error = dlerror();
 
 	if (error)

lib/setup.c

@@ -227,7 +227,7 @@ int init_crypto(struct crypt_device *ctx)
 		return r;
 	}
 
-	r = crypt_backend_init();
+	r = crypt_backend_init(crypt_fips_mode());
 	if (r < 0)
 		log_err(ctx, _("Cannot initialize crypto backend."));
 

lib/utils_fips.c

@@ -24,9 +24,12 @@
 #include "utils_fips.h"
 
 #if !ENABLE_FIPS
-int crypt_fips_mode(void) { return 0; }
+bool crypt_fips_mode(void) { return false; }
 #else
-static int kernel_fips_mode(void)
+static bool fips_checked = false;
+static bool fips_mode = false;
+
+static bool kernel_fips_mode(void)
 {
 	int fd;
 	char buf[1] = "";
@@ -36,11 +39,17 @@ static int kernel_fips_mode(void)
 		close(fd);
 	}
 
-	return (buf[0] == '1') ? 1 : 0;
+	return (buf[0] == '1');
 }
 
-int crypt_fips_mode(void)
+bool crypt_fips_mode(void)
 {
-	return kernel_fips_mode() && !access("/etc/system-fips", F_OK);
+	if (fips_checked)
+		return fips_mode;
+
+	fips_mode = kernel_fips_mode() && !access("/etc/system-fips", F_OK);
+	fips_checked = true;
+
+	return fips_mode;
 }
 #endif /* ENABLE_FIPS */

lib/utils_fips.h

@@ -21,6 +21,8 @@
 #ifndef _UTILS_FIPS_H
 #define _UTILS_FIPS_H
 
-int crypt_fips_mode(void);
+#include <stdbool.h>
+
+bool crypt_fips_mode(void);
 
 #endif /* _UTILS_FIPS_H */

src/cryptsetup.c

@@ -1235,7 +1235,11 @@ static int action_luksRepair(void)
 	crypt_set_log_callback(cd, quiet_log, &log_parms);
 	r = crypt_load(cd, luksType(device_type), NULL);
 	crypt_set_log_callback(cd, tool_log, &log_parms);
-	if (r == 0) {
+	if (r == 0 && isLUKS2(crypt_get_type(cd))) {
+		/*
+		 * LUKS2 triggers autorepair in crypt_load() above
+		 * LUKS1 need to call crypt_repair() even if crypt_load() is ok
+		 */
 		log_verbose(_("No known problems detected for LUKS header."));
 		goto out;
 	}
@@ -2624,6 +2628,11 @@ static int _token_add(struct crypt_device *cd)
 		}
 	}
 
+	if (crypt_keyslot_status(cd, ARG_INT32(OPT_KEY_SLOT_ID)) == CRYPT_SLOT_INACTIVE) {
+		log_err(_("Keyslot %d is not active."), ARG_INT32(OPT_KEY_SLOT_ID));
+		return -EINVAL;
+	}
+
 	r = crypt_token_luks2_keyring_set(cd, ARG_INT32(OPT_TOKEN_ID_ID), &params);
 	if (r < 0) {
 		log_err(_("Failed to add luks2-keyring token %d."), ARG_INT32(OPT_TOKEN_ID_ID));
@@ -2676,6 +2685,11 @@ static int _token_import(struct crypt_device *cd)
 		}
 	}
 
+	if (crypt_keyslot_status(cd, ARG_INT32(OPT_KEY_SLOT_ID)) == CRYPT_SLOT_INACTIVE) {
+		log_err(_("Keyslot %d is not active."), ARG_INT32(OPT_KEY_SLOT_ID));
+		return -EINVAL;
+	}
+
 	r = tools_read_json_file(ARG_STR(OPT_JSON_FILE_ID), &json, &json_length, ARG_SET(OPT_BATCH_MODE_ID));
 	if (r)
 		return r;
@@ -3036,8 +3050,9 @@ static int action_decrypt_luks2(struct crypt_device *cd)
 	};
 	size_t passwordLen;
 
-	if (!crypt_get_metadata_device_name(cd) || crypt_header_is_detached(cd) <= 0) {
-		log_err(_("LUKS2 decryption is supported with detached header device only."));
+	if (!crypt_get_metadata_device_name(cd) || crypt_header_is_detached(cd) <= 0 ||
+	    crypt_get_data_offset(cd) > 0) {
+		log_err(_("LUKS2 decryption is supported with detached header device only (with data offset set to 0)."));
 		return -ENOTSUP;
 	}
 

tests/00modules-test

@@ -23,7 +23,7 @@ if [ -f /etc/os-release ] ; then
 fi
 
 echo "Memory"
-free -h
+free -m
 
 pversion cryptsetup
 pversion veritysetup

tests/Makefile.am

@@ -95,19 +95,17 @@ CLEANFILES = cryptsetup-tst* valglog* *-fail-*.log test-symbols-list.h fake_toke
 clean-local:
 	-rm -rf tcrypt-images luks1-images luks2-images bitlk-images conversion_imgs luks2_valid_hdr.img blkid-luks2-pv-img blkid-luks2-pv-img.bcp
 
-LDADD = $(LTLIBINTL)
-
 differ_SOURCES = differ.c
 differ_CFLAGS = $(AM_CFLAGS) -Wall -O2
 
 api_test_SOURCES = api-test.c api_test.h test_utils.c
-api_test_LDADD = $(LDADD) ../libcryptsetup.la
+api_test_LDADD = ../libcryptsetup.la
 api_test_LDFLAGS = $(AM_LDFLAGS) -static
 api_test_CFLAGS = -g -Wall -O0 $(AM_CFLAGS) -I$(top_srcdir)/lib
 api_test_CPPFLAGS = $(AM_CPPFLAGS) -include config.h
 
 api_test_2_SOURCES = api-test-2.c api_test.h test_utils.c
-api_test_2_LDADD = $(LDADD) ../libcryptsetup.la
+api_test_2_LDADD = ../libcryptsetup.la
 api_test_2_LDFLAGS = $(AM_LDFLAGS) -static
 api_test_2_CFLAGS = -g -Wall -O0 $(AM_CFLAGS) -I$(top_srcdir)/lib
 api_test_2_CPPFLAGS = $(AM_CPPFLAGS) -include config.h

tests/all-symbols-test.c

@@ -68,34 +68,57 @@ static void test_logf(int level, const char *format, ...)
 #define log_std(x...) test_logf(LOG_NORMAL, x)
 #define log_err(x...) test_logf(LOG_ERROR, x)
 
-static int check_all_symbols(void *h)
+static int check_dlvsym(void *h, const char *symbol, const char *version)
+{
+#ifdef HAVE_DLVSYM
+	void *sym;
+	char *err;
+
+	log_dbg("Checking %s@%s...", symbol, version);
+	sym = dlvsym(h, symbol, version);
+	UNUSED(sym);
+	err = dlerror();
+
+	if (err) {
+		log_err("%s.", err);
+		return 1;
+	}
+
+	log_dbg("OK\n");
+#endif
+	return 0;
+}
+
+static int check_dlsym(void *h, const char *symbol)
 {
 	void *sym;
 	char *err;
+
+	log_dbg("Checking %s...", symbol);
+	sym = dlsym(h, symbol);
+	UNUSED(sym);
+	err = dlerror();
+
+	if (err) {
+		log_err("%s", err);
+		return 1;
+	}
+
+	log_dbg("OK\n");
+	return 0;
+}
+
+static int check_all_symbols(void *h)
+{
 	unsigned scount = 0;
 
-#define CHECK_SYMBOL(SYM, VER)								\
-do {											\
-	log_dbg("Checking " #SYM "@" #VER "...");					\
-	sym = dlvsym(h, #SYM, #VER);							\
-	UNUSED(sym);									\
-	err = dlerror();								\
-											\
-	if (err) {									\
-		log_err("%s.", err);							\
-		return 1;								\
-	}										\
-											\
-	log_dbg("OK\nChecking " #SYM "...");						\
-	sym = dlsym(h, #SYM);								\
-	UNUSED(sym);									\
-	err = dlerror();								\
-	if (err) {									\
-		log_err("%s", err);							\
-		return 1;								\
-	}										\
-	log_dbg("OK\n");								\
-	scount++;									\
+#define CHECK_SYMBOL(SYM, VER)			\
+do {						\
+	if (check_dlvsym(h, #SYM, #VER))	\
+		return 1;			\
+	if (check_dlsym(h, #SYM))		\
+		return 1;			\
+	scount++;				\
 } while (0);
 
 #include "test-symbols-list.h"
@@ -106,7 +129,7 @@ do {											\
 		return 1;
 	}
 
-	log_std("Performed %u symbol checks in total\n.", scount);
+	log_std("Performed %u symbol checks in total.\n", scount);
 
 	return 0;
 }

tests/api-test-2.c

@@ -44,8 +44,6 @@ typedef int32_t key_serial_t;
 #include "luks1/luks.h"
 #include "libcryptsetup.h"
 
-#define DMDIR "/dev/mapper/"
-
 #define DEVICE_1_UUID "28632274-8c8a-493f-835b-da802e1c576b"
 #define DEVICE_EMPTY_name "crypt_zero"
 #define DEVICE_EMPTY DMDIR DEVICE_EMPTY_name
@@ -3844,6 +3842,7 @@ static void Luks2Reencryption(void)
 		.hash = "sha1",
 		.luks2 = &params2,
 	};
+	dev_t devno;
 
 	const char *mk_hex = "bb21babe733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a";
 	size_t key_size = strlen(mk_hex) / 2;
@@ -4320,6 +4319,22 @@ static void Luks2Reencryption(void)
 	OK_(crypt_reencrypt_run(cd, NULL, NULL));
 	CRYPT_FREE(cd);
 
+	/* decryption forward (online) */
+	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+	params2.data_device = NULL;
+	OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "cbc-essiv:sha256", NULL, NULL, 32, &params2));
+	OK_(crypt_set_pbkdf_type(cd, &pbkdf));
+	EQ_(crypt_keyslot_add_by_volume_key(cd, 6, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 6);
+	EQ_(crypt_activate_by_passphrase(cd, CDEVICE_2, 6, PASSPHRASE, strlen(PASSPHRASE), 0), 6);
+	memset(&rparams, 0, sizeof(rparams));
+	rparams.mode = CRYPT_REENCRYPT_DECRYPT;
+	rparams.direction = CRYPT_REENCRYPT_FORWARD;
+	rparams.resilience = "none";
+	rparams.max_hotzone_size = 2048;
+	OK_(crypt_reencrypt_init_by_passphrase(cd, CDEVICE_2, PASSPHRASE, strlen(PASSPHRASE), 6, CRYPT_ANY_SLOT, NULL, NULL, &rparams));
+	OK_(crypt_reencrypt_run(cd, NULL, NULL));
+	CRYPT_FREE(cd);
+
 	/* decryption with data shift */
 	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
 	params2.data_device = NULL;
@@ -4354,6 +4369,8 @@ static void Luks2Reencryption(void)
 	EQ_(crypt_activate_by_passphrase(cd, CDEVICE_2, 6, PASSPHRASE, strlen(PASSPHRASE), 0), 6);
 	OK_(t_device_size(DMDIR CDEVICE_2, &r_size_1));
 	EQ_(r_size_1, 512);
+	// store devno for later size check
+	OK_(t_get_devno(CDEVICE_2, &devno));
 	// create placeholder device to block automatic deactivation after decryption
 	OK_(_system("dmsetup create " CDEVICE_1 " --table \"0 1 linear " DMDIR CDEVICE_2 " 0\"", 1));
 	remove(BACKUP_FILE);
@@ -4373,7 +4390,7 @@ static void Luks2Reencryption(void)
 	EQ_(crypt_get_data_offset(cd), 0);
 	OK_(crypt_reencrypt_run(cd, NULL, NULL));
 	remove(BACKUP_FILE);
-	OK_(t_device_size(DMDIR CDEVICE_2, &r_size_1));
+	OK_(t_device_size_by_devno(devno, &r_size_1));
 	EQ_(r_size_1, 512);
 	OK_(_system("dmsetup remove " DM_RETRY CDEVICE_1 DM_NOSTDERR, 0));
 	CRYPT_FREE(cd);

tests/api-test.c

@@ -34,8 +34,6 @@
 #include "luks1/luks.h"
 #include "libcryptsetup.h"
 
-#define DMDIR "/dev/mapper/"
-
 #define DEVICE_1_UUID "28632274-8c8a-493f-835b-da802e1c576b"
 #define DEVICE_EMPTY_name "crypt_zero"
 #define DEVICE_EMPTY DMDIR DEVICE_EMPTY_name

tests/api_test.h

@@ -96,6 +96,8 @@ void xlog(const char *msg, const char *tst, const char *func, int line, const ch
 
 #define CRYPT_FREE(x) do { crypt_free(x); x = NULL; } while (0)
 
+#define DMDIR "/dev/mapper/"
+
 #define TST_SECTOR_SHIFT 9L
 #define TST_SECTOR_SIZE 512
 #define TST_LOOP_FILE_SIZE (((1 << 20) * 100) >> TST_SECTOR_SHIFT)
@@ -124,4 +126,7 @@ int loop_attach(char **loop, const char *file, int offset,
 		      int autoclear, int *readonly);
 int loop_detach(const char *loop);
 
+int t_device_size_by_devno(dev_t devno, uint64_t *retval);
+int t_get_devno(const char *dev, dev_t *devno);
+
 #endif

tests/bitlk-compat-test

@@ -94,7 +94,7 @@ function valgrind_run()
 }
 
 export LANG=C
-[ ! -d $TST_DIR ] && tar xJSf $srcdir/bitlk-images.tar.xz --no-same-owner
+[ ! -d $TST_DIR ] && tar xJSf $srcdir/bitlk-images.tar.xz --no-same-owner 2>/dev/null || skip "Incompatible tar."
 
 [ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run
 

tests/compat-test

@@ -434,10 +434,12 @@ $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT --master-key-file /dev/ur
 $CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
 $CRYPTSETUP -q luksClose  $DEV_NAME || fail
 # open by UUID
-force_uevent # some systems do not update loop by-uuid
-$CRYPTSETUP luksOpen -d $KEY1 UUID=X$TEST_UUID $DEV_NAME 2>/dev/null && fail
-$CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
-$CRYPTSETUP -q luksClose  $DEV_NAME || fail
+if [ -d /dev/disk/by-uuid ] ; then
+	force_uevent # some systems do not update loop by-uuid
+	$CRYPTSETUP luksOpen -d $KEY1 UUID=X$TEST_UUID $DEV_NAME 2>/dev/null && fail
+	$CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
+	$CRYPTSETUP -q luksClose  $DEV_NAME || fail
+fi
 # empty keyfile
 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEYE || fail
 $CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
@@ -788,6 +790,17 @@ $CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME >/dev/null 2>&1 && fail
 $CRYPTSETUP -q repair $LOOPDEV >/dev/null 2>&1 || fail
 $CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
 $CRYPTSETUP luksClose $DEV_NAME || fail
+# fix ecb-plain
+$CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEY1 --hash sha256 -c aes-ecb || fail
+echo -n "ecb-xxx" | dd of=$LOOPDEV bs=1 seek=40 >/dev/null 2>&1
+$CRYPTSETUP -q repair $LOOPDEV >/dev/null 2>&1 || fail
+$CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
+$CRYPTSETUP luksClose $DEV_NAME || fail
+# fix uppercase hash
+echo -n "SHA256" | dd of=$LOOPDEV bs=1 seek=72 >/dev/null 2>&1
+$CRYPTSETUP -q repair $LOOPDEV >/dev/null 2>&1 || fail
+$CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
+$CRYPTSETUP luksClose $DEV_NAME || fail
 
 prepare "[30] LUKS erase" wipe
 $CRYPTSETUP -q luksFormat --type luks1 $FAST_PBKDF_OPT $LOOPDEV $KEY5 --key-slot 5 || fail

tests/compat-test2

@@ -415,10 +415,12 @@ $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --master-key-file /dev/urandom -s 256
 $CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
 $CRYPTSETUP -q luksClose  $DEV_NAME || fail
 # open by UUID
-force_uevent # some systems do not update loop by-uuid
-$CRYPTSETUP luksOpen -d $KEY1 UUID=X$TEST_UUID $DEV_NAME 2>/dev/null && fail
-$CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
-$CRYPTSETUP -q luksClose  $DEV_NAME || fail
+if [ -d /dev/disk/by-uuid ] ; then
+	force_uevent # some systems do not update loop by-uuid
+	$CRYPTSETUP luksOpen -d $KEY1 UUID=X$TEST_UUID $DEV_NAME 2>/dev/null && fail
+	$CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
+	$CRYPTSETUP -q luksClose  $DEV_NAME || fail
+fi
 # empty keyfile
 $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV $KEYE || fail
 $CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
@@ -872,9 +874,12 @@ echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 11 --json
 echo -n "$IMPORT_TOKEN" > $TOKEN_FILE0
 $CRYPTSETUP token import $LOOPDEV --token-id 12 --json-file $TOKEN_FILE0 || fail
 $CRYPTSETUP token import $LOOPDEV --token-id 12 --json-file $TOKEN_FILE0 2>/dev/null && fail
-$CRYPTSETUP token export $LOOPDEV --token-id 10 | diff --from-file - $TOKEN_FILE0 || fail
-$CRYPTSETUP token export $LOOPDEV --token-id 11 | diff --from-file - $TOKEN_FILE0 || fail
-$CRYPTSETUP token export $LOOPDEV --token-id 12 | diff --from-file - $TOKEN_FILE0 || fail
+$CRYPTSETUP token export $LOOPDEV --token-id 10 >$TOKEN_FILE1 || fail
+diff $TOKEN_FILE0 $TOKEN_FILE1 || fail
+$CRYPTSETUP token export $LOOPDEV --token-id 11 >$TOKEN_FILE1 || fail
+diff $TOKEN_FILE0 $TOKEN_FILE1 || fail
+$CRYPTSETUP token export $LOOPDEV --token-id 12 >$TOKEN_FILE1 || fail
+diff $TOKEN_FILE0 $TOKEN_FILE1 || fail
 $CRYPTSETUP token export $LOOPDEV --token-id 12 --json-file $TOKEN_FILE1 || fail
 diff $TOKEN_FILE0 $TOKEN_FILE1 || fail
 $CRYPTSETUP token export $LOOPDEV --token-id 12 > $TOKEN_FILE1 || fail
@@ -1002,7 +1007,8 @@ for mda in 16 32 64 128 256 512 1024 2048 4096 ; do
 	echo $PWD4 | $CRYPTSETUP open --test-passphrase test_image_$mda || fail
 	echo $PWD3 | $CRYPTSETUP open -S9 --test-passphrase test_image_$mda || fail
 	echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import test_image_$mda --token-id 10 || fail
-	$CRYPTSETUP token export test_image_$mda --token-id 10 | diff --from-file - $TOKEN_FILE0 || fail
+	$CRYPTSETUP token export test_image_$mda --token-id 10 >$TOKEN_FILE1 || fail
+	diff $TOKEN_FILE1 $TOKEN_FILE0 || fail
 	echo -n "[OK]"
 done
 echo

tests/crypto-vectors.c

@@ -22,6 +22,8 @@
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
+#include <unistd.h>
+#include <fcntl.h>
 
 #include "crypto_backend/crypto_backend.h"
 
@@ -40,6 +42,24 @@ static void printhex(const char *s, const char *buf, size_t len)
 	fflush(stdout);
 }
 
+static bool fips_mode(void)
+{
+	int fd;
+	char buf = 0;
+
+	fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
+
+	if (fd < 0)
+		return false;
+
+	if (read(fd, &buf, 1) != 1)
+		buf = '0';
+
+	close(fd);
+
+	return (buf == '1');
+}
+
 /*
  * KDF tests
  */
@@ -1281,7 +1301,7 @@ int main(__attribute__ ((unused)) int argc, __attribute__ ((unused))char *argv[]
 		exit(77);
 	}
 
-	if (crypt_backend_init())
+	if (crypt_backend_init(fips_mode()))
 		exit_test("Crypto backend init error.", EXIT_FAILURE);
 
 	printf("Test vectors using %s crypto backend.\n", crypt_backend_version());
@@ -1301,8 +1321,12 @@ int main(__attribute__ ((unused)) int argc, __attribute__ ((unused))char *argv[]
 	if (cipher_iv_test())
 		exit_test("IV test failed.", EXIT_FAILURE);
 
-	if (default_alg_test())
-		exit_test("Default compiled-in algorithms test failed.", EXIT_FAILURE);
+	if (default_alg_test()) {
+		if (fips_mode())
+			printf("\nDefault compiled-in algorithms test ignored (FIPS mode on).\n");
+		else
+			exit_test("\nDefault compiled-in algorithms test failed.", EXIT_FAILURE);
+	}
 
 	exit_test(NULL, EXIT_SUCCESS);
 }

tests/integrity-compat-test

@@ -168,12 +168,11 @@ intformat() # alg alg_out tagsize outtagsize sector_size csum [keyfile keysize]
 	echo -n "[FORMAT]"
 	$INTSETUP format --integrity-legacy-padding -q --integrity $1 $TAG_PARAMS --sector-size $5 $KEY_PARAMS $DEV >/dev/null 2>&1
 	if [ $? -ne 0 ] ; then
-		ALG=$(echo $1 | sed -e 's/hmac-//')
-		if ! grep -q $ALG /proc/crypto ; then
-			echo "[N/A]"
-			return
+		if [[ $1 =~ "sha" || $1 =~ "crc" ]] ; then
+			fail "Cannot format device."
 		fi
-		fail "Cannot format device."
+		echo "[N/A]"
+		return
 	fi
 
 	dump_check "tag_size" $4
@@ -335,6 +334,7 @@ which blockdev >/dev/null || skip "Cannot find blockdev utility, test skipped."
 
 [ -n "$VALG" ] && valgrind_setup && INTSETUP=valgrind_run
 which hexdump >/dev/null 2>&1 || skip "WARNING: hexdump tool required."
+which xxd >/dev/null 2>&1 || skip "WARNING: xxd tool required."
 modprobe dm-integrity >/dev/null 2>&1
 dm_integrity_features
 

tests/luks2-reencryption-test

@@ -722,6 +722,8 @@ HASH6=39f7c6d38af574fe2c90ef400dfaba8ef8edccd11bdac998a3f8143a86837331
 HASH7=18a393d1a505e22ccf3e29effe3005ea8627e4c36b7cca0e53f58121f49b67e1
 # 60 MiBs of zeroes
 HASH8=cf5ac69ca412f9b3b1a8b8de27d368c5c05ed4b1b6aa40e6c38d9cbf23711342
+# 240 MiBs of zeroes (256MiBs - 16MiBs default LUKS2 header size)
+HASH9=17088b031491a37e0ee9e1025a3938f55ee94ae27653370ad2fe5b0b32e35334
 
 prepare dev_size_mb=32
 setup_luks2_env
@@ -889,6 +891,12 @@ echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128
 $CRYPTSETUP close $DEV_NAME
 check_hash $PWD1 $HASH3 $IMG_HDR
 
+# Device encryption with data offset set in detached header
+wipe_dev $DEV
+dd if=/dev/urandom of=$DEV bs=512 count=32768 >/dev/null 2>&1
+echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --header $IMG_HDR --offset 32768 -q $FAST_PBKDF_ARGON $DEV || fail
+check_hash $PWD1 $HASH9 $IMG_HDR
+
 # Device activation using key file
 wipe_dev $DEV
 echo -n $PWD1 > $KEY1
@@ -961,6 +969,18 @@ echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --active-name $DEV_NAME --header $D
 $CRYPTSETUP status $DEV_NAME | grep -q "reencryption:  in-progress" && fail
 $CRYPTSETUP close $DEV_NAME
 
+# yet another funny idea
+rm -f $IMG_HDR
+$CRYPTSETUP luksHeaderBackup --header-backup-file $IMG_HDR $DEV || fail
+chmod +w $IMG_HDR || fail
+which wipefs >/dev/null 2>&1 && {
+	wipefs -a $DEV >/dev/null 2>&1  || fail
+}
+open_crypt $PWD1 $IMG_HDR
+echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME --decrypt --header $IMG_HDR -q 2>/dev/null && fail
+$CRYPTSETUP status $DEV_NAME | grep -q "reencryption:  in-progress" && fail
+$CRYPTSETUP close $DEV_NAME || fail
+
 if ! dm_delay_features; then
 	echo "dm-delay target is missing, skipping recovery tests."
 	remove_mapping

tests/test_utils.c

@@ -684,3 +684,60 @@ int loop_detach(const char *loop)
 	close(loop_fd);
 	return r;
 }
+
+int t_get_devno(const char *name, dev_t *devno)
+{
+	char path[PATH_MAX];
+	int r;
+	struct stat st;
+
+	r = snprintf(path, sizeof(path), DMDIR "%s", name);
+	if (r < 0 || (size_t)r >= sizeof(path))
+		return 1;
+
+	if (stat(path, &st) || !S_ISBLK(st.st_mode))
+		return 1;
+
+	*devno = st.st_rdev;
+
+	return 0;
+}
+
+static int _read_uint64(const char *sysfs_path, uint64_t *value)
+{
+        char tmp[64] = {0};
+        int fd, r;
+
+        if ((fd = open(sysfs_path, O_RDONLY)) < 0)
+                return 0;
+        r = read(fd, tmp, sizeof(tmp));
+        close(fd);
+
+        if (r <= 0)
+                return 0;
+
+        if (sscanf(tmp, "%" PRIu64, value) != 1)
+                return 0;
+
+        return 1;
+}
+
+static int _sysfs_get_uint64(int major, int minor, uint64_t *value, const char *attr)
+{
+        char path[PATH_MAX];
+
+        if (snprintf(path, sizeof(path), "/sys/dev/block/%d:%d/%s",
+                     major, minor, attr) < 0)
+                return 0;
+
+        return _read_uint64(path, value);
+}
+
+int t_device_size_by_devno(dev_t devno, uint64_t *retval)
+{
+	if (!_sysfs_get_uint64(major(devno), minor(devno), retval, "size"))
+		return 1;
+
+	*retval *= 512;
+	return 0;
+}

tests/verity-compat-test

@@ -99,11 +99,13 @@ function check_root_hash_fail()
 
 	$VERITYSETUP open $IMG $DEV_NAME $IMG_HASH $ROOT_HASH || fail
 	check_exists
+	dd if=/dev/mapper/$DEV_NAME of=/dev/null bs=4096 count=1 >/dev/null 2>&1
 	dmsetup status $DEV_NAME | grep "verity V" >/dev/null || fail
 	$VERITYSETUP close $DEV_NAME >/dev/null 2>&1 || fail
 
 	$VERITYSETUP open $IMG $DEV_NAME $IMG_HASH $ROOT_HASH_BAD >/dev/null 2>&1 || fail
 	check_exists
+	dd if=/dev/mapper/$DEV_NAME of=/dev/null bs=4096 count=1 >/dev/null 2>&1
 	dmsetup status $DEV_NAME | grep "verity C" >/dev/null || fail
 	$VERITYSETUP close $DEV_NAME >/dev/null 2>&1 || fail
 
@@ -260,7 +262,7 @@ function check_fec()
 		return 3
 	fi
 
-	udevadm settle
+	udevadm settle > /dev/null 2>&1
 
 	dd if=/dev/mapper/$DEV_NAME of=$IMG_TMP > /dev/null 2>&1
 	ARR=(`sha256sum $IMG_TMP`)

tokens/Makemodule.am

@@ -21,7 +21,7 @@ cryptsetup_ssh_SOURCES = tokens/ssh/cryptsetup-ssh.c \
 			 lib/utils_io.c \
 			 lib/utils_loop.c
 cryptsetup_ssh_LDADD = -lm libcryptsetup.la @LIBSSH_LIBS@ @JSON_C_LIBS@ @POPT_LIBS@ \
-		       @PWQUALITY_LIBS@ @PASSWDQC_LIBS@
+		       @PWQUALITY_LIBS@ @PASSWDQC_LIBS@ @ARGP_LIBS@
 
 cryptsetup_ssh_CFLAGS = $(AM_CFLAGS)