Version 2.6.0.

This information is really not needed in debug log.

.github/workflows/cibuild-setup-ubuntu.sh

@@ -4,7 +4,7 @@ set -ex
 
 PACKAGES=(
 	git make autoconf automake autopoint pkg-config libtool libtool-bin
-	gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol1-dev
+	gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol-dev
 	libjson-c-dev libssh-dev libblkid-dev tar libargon2-0-dev libpwquality-dev
 	sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass
 	asciidoctor

.gitlab/ci/cibuild-setup-ubuntu.sh

@@ -4,7 +4,7 @@ set -ex
 
 PACKAGES=(
 	git make autoconf automake autopoint pkg-config libtool libtool-bin
-	gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol1-dev
+	gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol-dev
 	libjson-c-dev libssh-dev libblkid-dev tar libargon2-0-dev libpwquality-dev
 	sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass
 	asciidoctor

.gitlab/ci/debian.yml

@@ -9,7 +9,7 @@
     - >
       sudo apt-get -y install -y -qq git gcc make autoconf automake autopoint
       pkgconf libtool libtool-bin gettext libssl-dev libdevmapper-dev
-      libpopt-dev uuid-dev libsepol1-dev libjson-c-dev libssh-dev libblkid-dev
+      libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev
       tar libargon2-0-dev libpwquality-dev sharutils dmsetup jq xxd expect
       keyutils netcat passwd openssh-client sshpass asciidoctor
     - sudo apt-get -y build-dep cryptsetup

README.md

@@ -45,22 +45,16 @@ Download
 --------
 All release tarballs and release notes are hosted on [kernel.org](https://www.kernel.org/pub/linux/utils/cryptsetup/).
 
-**The latest stable cryptsetup release candidate version is 2.6.0-rc0**
-  * [cryptsetup-2.6.0-rc0.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.0-rc0.tar.xz)
-  * Signature [cryptsetup-2.6.0-rc0.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.0-rc0.tar.sign)
+**The latest stable cryptsetup release version is 2.6.0**
+  * [cryptsetup-2.6.0.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.0.tar.xz)
+  * Signature [cryptsetup-2.6.0.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.0.tar.sign)
     _(You need to decompress file first to check signature.)_
-  * [Cryptsetup 2.6.0-rc0 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/v2.6.0-rc0-ReleaseNotes).
-
-**The latest stable cryptsetup version is 2.5.0**
-  * [cryptsetup-2.5.0.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/cryptsetup-2.5.0.tar.xz)
-  * Signature [cryptsetup-2.5.0.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/cryptsetup-2.5.0.tar.sign)
-    _(You need to decompress file first to check signature.)_
-  * [Cryptsetup 2.5.0 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/v2.5.0-ReleaseNotes).
+  * [Cryptsetup 2.6.0 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/v2.6.0-ReleaseNotes).
 
 Previous versions
- * [Version 2.4.3](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-2.4.3.tar.xz) -
-   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-2.4.3.tar.sign) -
-   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/v2.4.3-ReleaseNotes).
+ * [Version 2.5.0](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/cryptsetup-2.5.0.tar.xz) -
+   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/cryptsetup-2.5.0.tar.sign) -
+   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/v2.5.0-ReleaseNotes).
  * [Version 1.7.5](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.5.tar.xz) -
    [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.5.tar.sign) -
    [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.5-ReleaseNotes).

configure.ac

@@ -1,5 +1,5 @@
 AC_PREREQ([2.67])
-AC_INIT([cryptsetup],[2.6.0-rc0])
+AC_INIT([cryptsetup],[2.6.0])
 
 dnl library version from <major>.<minor>.<release>[-<suffix>]
 LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-)

docs/v2.6.0-ReleaseNotes

@@ -1,6 +1,6 @@
-Cryptsetup 2.6.0-rc0 Release Notes
-==================================
-Stable release candidate with new features and bug fixes.
+Cryptsetup 2.6.0 Release Notes
+==============================
+Stable release with new features and bug fixes.
 
 Changes since version 2.5.0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -31,9 +31,9 @@ Changes since version 2.5.0
   $ lsblk -o NAME,FSTYPE,LABEL /dev/sda
     NAME   FSTYPE  LABEL
     sda
-    ├─sda1 vfat    EFI
-    ├─sda2
-    └─sda3 hfsplus Boot OS X
+    |-sda1 vfat    EFI
+    |-sda2
+    `-sda3 hfsplus Boot OS X
 
   Note: blkid does not recognize FileVault2 format yet.
 
@@ -114,6 +114,9 @@ Changes since version 2.5.0
   volume key in a new keyslot.
   Previously the options were limited to key files and passphrases.
 
+  Newly available methods (keyslot contexts) are passphrase, keyfile,
+  key (binary representation), and LUKS2 token.
+
   To unlock a keyslot user may:
     - provide existing passphrase via interactive prompt (default method)
     - use --key-file option to provide a file with a valid passphrase
@@ -129,13 +132,10 @@ Changes since version 2.5.0
       for new keyslot. The new keyslot is assigned to the selected token
       id if the operation is successful.
 
-  The volume key may now be extracted using a passphrase, keyfile, or
+* The volume key may now be extracted using a passphrase, keyfile, or
   token. For LUKS devices, it also returns the volume key after
   a successful crypt_format call.
 
-  The available methods (keyslot contexts) are passphrase, keyfile,
-  key (binary representation), and LUKS2 token.
-
 * Fix --disable-luks2-reencryption configuration option.
 
 * cryptsetup: Print a better error message and warning if the format
@@ -205,7 +205,7 @@ New symbols:
 New defines:
   CRYPT_FVAULT2 "FVAULT2" (FileVault2 compatible mode)
 
-  CRYPT_KC_TYPE_UNDEFINED (keyslot context types)
+Keyslot context types:
   CRYPT_KC_TYPE_PASSPHRASE
   CRYPT_KC_TYPE_KEYFILE
   CRYPT_KC_TYPE_TOKEN

lib/fvault2/fvault2.c

@@ -546,7 +546,7 @@ static int _read_volume_header(
 
 	r = _check_crc(vol_header, FVAULT2_VOL_HEADER_SIZE);
 	if (r < 0) {
-		log_dbg(cd, _("CRC mismatch."));
+		log_dbg(cd, "CRC mismatch.");
 		goto out;
 	}
 
@@ -558,13 +558,13 @@ static int _read_volume_header(
 	}
 
 	if (be16_to_cpu(vol_header->magic) != FVAULT2_CORE_STORAGE_MAGIC) {
-		log_dbg(cd, _("Invalid Core Storage magic bytes."));
+		log_dbg(cd, "Invalid Core Storage magic bytes.");
 		r = -EINVAL;
 		goto out;
 	}
 
 	if (le32_to_cpu(vol_header->key_data_size) != FVAULT2_AES_KEY_SIZE) {
-		log_dbg(cd, _("Unsupported AES key size: %" PRIu32 " bytes."),
+		log_dbg(cd, "Unsupported AES key size: %" PRIu32 " bytes.",
 			le32_to_cpu(vol_header->key_data_size));
 		r = -EINVAL;
 		goto out;
@@ -620,7 +620,7 @@ static int _read_disklabel(
 
 	if (uint64_mult_overflow(&off, disklbl_blkoff, block_size) ||
 	    off > FVAULT2_MAX_OFF) {
-		log_dbg(cd, _("Device offset overflow."));
+		log_dbg(cd, "Device offset overflow.");
 		r = -EINVAL;
 		goto out;
 	}
@@ -634,7 +634,7 @@ static int _read_disklabel(
 
 	r = _check_crc(md_block, FVAULT2_MD_BLOCK_SIZE);
 	if (r < 0) {
-		log_dbg(cd, _("CRC mismatch."));
+		log_dbg(cd, "CRC mismatch.");
 		goto out;
 	}
 
@@ -647,7 +647,7 @@ static int _read_disklabel(
 	md_block_11 = md_block;
 	off += le32_to_cpu(md_block_11->vol_gr_des_off);
 	if (off > FVAULT2_MAX_OFF) {
-		log_dbg(cd, _("Device offset overflow."));
+		log_dbg(cd, "Device offset overflow.");
 		r = -EINVAL;
 		goto out;
 	}
@@ -723,7 +723,7 @@ static int _read_encrypted_metadata(
 
 	if (uint64_mult_overflow(&start_off, start_blkoff, block_size) ||
 	    start_off > FVAULT2_MAX_OFF) {
-		log_dbg(cd, _("Device offset overflow."));
+		log_dbg(cd, "Device offset overflow.");
 		r = -EINVAL;
 		goto out;
 	}
@@ -732,7 +732,7 @@ static int _read_encrypted_metadata(
 	for (i = 0; i < blocks_n; i++) {
 		off = start_off + i * FVAULT2_MD_BLOCK_SIZE;
 		if (off > FVAULT2_MAX_OFF) {
-			log_dbg(cd, _("Device offset overflow."));
+			log_dbg(cd, "Device offset overflow.");
 			r = -EINVAL;
 			goto out;
 		}
@@ -755,7 +755,7 @@ static int _read_encrypted_metadata(
 
 		r = _check_crc(md_block, FVAULT2_MD_BLOCK_SIZE);
 		if (r < 0) {
-			log_dbg(cd, _("CRC mismatch."));
+			log_dbg(cd, "CRC mismatch.");
 			goto out;
 		}
 
@@ -792,7 +792,7 @@ static int _read_encrypted_metadata(
 				goto out;
 			if (uint64_mult_overflow(&params->log_vol_off,
 			    log_vol_blkoff, block_size)) {
-				log_dbg(cd, _("Device offset overflow."));
+				log_dbg(cd, "Device offset overflow.");
 				r = -EINVAL;
 				goto out;
 			}
@@ -802,7 +802,7 @@ static int _read_encrypted_metadata(
 	}
 
 	if (status != FVAULT2_ENC_MD_PARSED_ALL) {
-		log_dbg(cd, _("Necessary FVAULT2 metadata blocks not found."));
+		log_dbg(cd, "Necessary FVAULT2 metadata blocks not found.");
 		r = -EINVAL;
 		goto out;
 	}
@@ -917,7 +917,7 @@ int FVAULT2_get_volume_key(
 	*vol_key = NULL;
 
 	if (uuid_parse(params->family_uuid, family_uuid_bin) < 0) {
-		log_dbg(cd, _("Could not parse logical volume family UUID: %s."),
+		log_dbg(cd, "Could not parse logical volume family UUID: %s.",
 			params->family_uuid);
 		r = -EINVAL;
 		goto out;

lib/libcryptsetup.h

@@ -1229,8 +1229,6 @@ int crypt_keyslot_context_set_pin(struct crypt_device *cd,
  * @addtogroup crypt-keyslot-context-types
  * @{
  */
-/** keyslot context is not properly initialized */
-#define CRYPT_KC_TYPE_UNDEFINED  INT16_C(0)
 /** keyslot context initialized by passphrase (@link crypt_keyslot_context_init_by_passphrase @endlink) */
 #define CRYPT_KC_TYPE_PASSPHRASE INT16_C(1)
 /** keyslot context initialized by keyfile (@link crypt_keyslot_context_init_by_keyfile @endlink) */

lib/luks1/keymanage.c

@@ -236,6 +236,7 @@ int LUKS_hdr_backup(const char *backup_file, struct crypt_device *ctx)
 		r = -ENOMEM;
 		goto out;
 	}
+	memset(buffer, 0, buffer_size);
 
 	log_dbg(ctx, "Storing backup of header (%zu bytes) and keyslot area (%zu bytes).",
 		sizeof(hdr), hdr_size - LUKS_ALIGN_KEYSLOTS);

lib/luks2/luks2_internal.h

@@ -189,6 +189,8 @@ void keyring_dump(struct crypt_device *cd, const char *json);
 
 int keyring_validate(struct crypt_device *cd, const char *json);
 
+void keyring_buffer_free(void *buffer, size_t buffer_size);
+
 struct crypt_token_handler_v2 {
 	const char *name;
 	crypt_token_open_func open;

lib/luks2/luks2_token.c

@@ -37,6 +37,7 @@ static struct crypt_token_handler_internal token_handlers[LUKS2_TOKENS_MAX] = {
 	  .u = {
 		  .v1 = { .name = LUKS2_TOKEN_KEYRING,
 			  .open = keyring_open,
+			  .buffer_free = keyring_buffer_free,
 			  .validate = keyring_validate,
 			  .dump = keyring_dump }
 	       }

lib/luks2/luks2_token_keyring.c

@@ -137,3 +137,8 @@ int LUKS2_token_keyring_get(struct luks2_hdr *hdr,
 
 	return token;
 }
+
+void keyring_buffer_free(void *buffer, size_t buffer_len __attribute__((unused)))
+{
+	crypt_safe_free(buffer);
+}

lib/setup.c

@@ -4897,10 +4897,10 @@ int crypt_volume_key_get_by_keyslot_context(struct crypt_device *cd,
 		return -ENOMEM;
 	}
 
-	if (kc && !kc->get_passphrase)
+	if (kc && (!kc->get_passphrase || kc->type == CRYPT_KC_TYPE_KEY))
 		return -EINVAL;
 
-	if (kc && kc->get_passphrase) {
+	if (kc) {
 		r = kc->get_passphrase(cd, kc, &passphrase, &passphrase_size);
 		if (r < 0)
 			return r;
@@ -6491,8 +6491,7 @@ int crypt_activate_by_keyring(struct crypt_device *cd,
 
 	r = _activate_by_passphrase(cd, name, keyslot, passphrase, passphrase_size, flags);
 
-	crypt_safe_memzero(passphrase, passphrase_size);
-	free(passphrase);
+	crypt_safe_free(passphrase);
 
 	return r;
 }

lib/utils_benchmark.c

@@ -47,6 +47,7 @@ int crypt_benchmark(struct crypt_device *cd,
 	r = -ENOMEM;
 	if (posix_memalign(&buffer, crypt_getpagesize(), buffer_size))
 		goto out;
+	memset(buffer, 0, buffer_size);
 
 	r = crypt_cipher_ivsize(cipher, cipher_mode);
 	if (r >= 0 && iv_size != (size_t)r) {

lib/utils_device_locking.c

@@ -105,7 +105,7 @@ static int open_lock_dir(struct crypt_device *cd, const char *dir, const char *b
 	lockdfd = openat(dirfd, base, O_RDONLY | O_NOFOLLOW | O_DIRECTORY | O_CLOEXEC);
 	if (lockdfd < 0) {
 		if (errno == ENOENT) {
-			log_dbg(cd, _("Locking directory %s/%s will be created with default compiled-in permissions."), dir, base);
+			log_dbg(cd, "Locking directory %s/%s will be created with default compiled-in permissions.", dir, base);
 
 			/* success or failure w/ errno == EEXIST either way just try to open the 'base' directory again */
 			if (mkdirat(dirfd, base, DEFAULT_LUKS2_LOCK_DIR_PERMS) && errno != EEXIST)

lib/utils_keyring.c

@@ -163,7 +163,7 @@ int keyring_get_passphrase(const char *key_desc,
 	ret = keyctl_read(kid, NULL, 0);
 	if (ret > 0) {
 		len = ret;
-		buf = malloc(len);
+		buf = crypt_safe_alloc(len);
 		if (!buf)
 			return -ENOMEM;
 
@@ -173,9 +173,7 @@ int keyring_get_passphrase(const char *key_desc,
 
 	if (ret < 0) {
 		err = errno;
-		if (buf)
-			crypt_safe_memzero(buf, len);
-		free(buf);
+		crypt_safe_free(buf);
 		return -err;
 	}
 

po/cryptsetup.pot

@@ -5,9 +5,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: cryptsetup 2.6.0-rc0\n"
+"Project-Id-Version: cryptsetup 2.6.0\n"
 "Report-Msgid-Bugs-To: cryptsetup@lists.linux.dev\n"
-"POT-Creation-Date: 2022-11-18 22:14+0100\n"
+"POT-Creation-Date: 2022-11-28 12:16+0100\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -174,7 +174,7 @@ msgstr ""
 msgid "Failed to rollback LUKS2 metadata in memory."
 msgstr ""
 
-#: lib/setup.c:849 lib/luks1/keymanage.c:247 lib/luks1/keymanage.c:525
+#: lib/setup.c:849 lib/luks1/keymanage.c:248 lib/luks1/keymanage.c:526
 #: lib/luks2/luks2_json_metadata.c:1336 src/cryptsetup.c:1587
 #: src/cryptsetup.c:1727 src/cryptsetup.c:1782 src/cryptsetup.c:1977
 #: src/cryptsetup.c:2133 src/cryptsetup.c:2414 src/cryptsetup.c:2656
@@ -184,7 +184,7 @@ msgstr ""
 msgid "Device %s is not a valid LUKS device."
 msgstr ""
 
-#: lib/setup.c:852 lib/luks1/keymanage.c:528
+#: lib/setup.c:852 lib/luks1/keymanage.c:529
 #, c-format
 msgid "Unsupported LUKS version %d."
 msgstr ""
@@ -607,7 +607,7 @@ msgstr ""
 msgid "Failed to read passphrase from keyring (error %d)."
 msgstr ""
 
-#: lib/setup.c:6512
+#: lib/setup.c:6511
 msgid "Failed to acquire global memory-hard access serialization lock."
 msgstr ""
 
@@ -627,8 +627,8 @@ msgstr ""
 msgid "Cannot seek to requested keyfile offset."
 msgstr ""
 
-#: lib/utils.c:202 lib/utils.c:217 src/utils_password.c:227
-#: src/utils_password.c:239
+#: lib/utils.c:202 lib/utils.c:217 src/utils_password.c:225
+#: src/utils_password.c:237
 msgid "Out of memory while reading passphrase."
 msgstr ""
 
@@ -754,16 +754,16 @@ msgstr ""
 msgid "Only PBKDF2 is supported in FIPS mode."
 msgstr ""
 
-#: lib/utils_benchmark.c:174
+#: lib/utils_benchmark.c:175
 msgid "PBKDF benchmark disabled but iterations not set."
 msgstr ""
 
-#: lib/utils_benchmark.c:193
+#: lib/utils_benchmark.c:194
 #, c-format
 msgid "Not compatible PBKDF2 options (using hash algorithm %s)."
 msgstr ""
 
-#: lib/utils_benchmark.c:213
+#: lib/utils_benchmark.c:214
 msgid "Not compatible PBKDF options."
 msgstr ""
 
@@ -774,12 +774,6 @@ msgid ""
 "missing)."
 msgstr ""
 
-#: lib/utils_device_locking.c:108
-#, c-format
-msgid ""
-"Locking directory %s/%s will be created with default compiled-in permissions."
-msgstr ""
-
 #: lib/utils_device_locking.c:118
 #, c-format
 msgid ""
@@ -811,8 +805,8 @@ msgstr ""
 msgid "Cipher specification should be in [cipher]-[mode]-[iv] format."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:364
-#: lib/luks1/keymanage.c:675 lib/luks1/keymanage.c:1126
+#: lib/luks1/keyencryption.c:97 lib/luks1/keymanage.c:365
+#: lib/luks1/keymanage.c:676 lib/luks1/keymanage.c:1127
 #: lib/luks2/luks2_json_metadata.c:1490 lib/luks2/luks2_keyslot.c:714
 #, c-format
 msgid "Cannot write to device %s, permission denied."
@@ -831,8 +825,8 @@ msgstr ""
 msgid "IO error while encrypting keyslot."
 msgstr ""
 
-#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:367
-#: lib/luks1/keymanage.c:628 lib/luks1/keymanage.c:678 lib/tcrypt/tcrypt.c:679
+#: lib/luks1/keyencryption.c:246 lib/luks1/keymanage.c:368
+#: lib/luks1/keymanage.c:629 lib/luks1/keymanage.c:679 lib/tcrypt/tcrypt.c:679
 #: lib/fvault2/fvault2.c:877 lib/verity/verity.c:80 lib/verity/verity.c:196
 #: lib/verity/verity_hash.c:320 lib/verity/verity_hash.c:329
 #: lib/verity/verity_hash.c:349 lib/verity/verity_fec.c:260
@@ -859,184 +853,184 @@ msgstr ""
 msgid "LUKS keyslot %u is invalid."
 msgstr ""
 
-#: lib/luks1/keymanage.c:265 lib/luks2/luks2_json_metadata.c:1353
+#: lib/luks1/keymanage.c:266 lib/luks2/luks2_json_metadata.c:1353
 #, c-format
 msgid "Requested header backup file %s already exists."
 msgstr ""
 
-#: lib/luks1/keymanage.c:267 lib/luks2/luks2_json_metadata.c:1355
+#: lib/luks1/keymanage.c:268 lib/luks2/luks2_json_metadata.c:1355
 #, c-format
 msgid "Cannot create header backup file %s."
 msgstr ""
 
-#: lib/luks1/keymanage.c:274 lib/luks2/luks2_json_metadata.c:1362
+#: lib/luks1/keymanage.c:275 lib/luks2/luks2_json_metadata.c:1362
 #, c-format
 msgid "Cannot write header backup file %s."
 msgstr ""
 
-#: lib/luks1/keymanage.c:306 lib/luks2/luks2_json_metadata.c:1399
+#: lib/luks1/keymanage.c:307 lib/luks2/luks2_json_metadata.c:1399
 msgid "Backup file does not contain valid LUKS header."
 msgstr ""
 
-#: lib/luks1/keymanage.c:319 lib/luks1/keymanage.c:591
+#: lib/luks1/keymanage.c:320 lib/luks1/keymanage.c:592
 #: lib/luks2/luks2_json_metadata.c:1420
 #, c-format
 msgid "Cannot open header backup file %s."
 msgstr ""
 
-#: lib/luks1/keymanage.c:327 lib/luks2/luks2_json_metadata.c:1428
+#: lib/luks1/keymanage.c:328 lib/luks2/luks2_json_metadata.c:1428
 #, c-format
 msgid "Cannot read header backup file %s."
 msgstr ""
 
-#: lib/luks1/keymanage.c:337
+#: lib/luks1/keymanage.c:338
 msgid "Data offset or key size differs on device and backup, restore failed."
 msgstr ""
 
-#: lib/luks1/keymanage.c:345
+#: lib/luks1/keymanage.c:346
 #, c-format
 msgid "Device %s %s%s"
 msgstr ""
 
-#: lib/luks1/keymanage.c:346
+#: lib/luks1/keymanage.c:347
 msgid ""
 "does not contain LUKS header. Replacing header can destroy data on that "
 "device."
 msgstr ""
 
-#: lib/luks1/keymanage.c:347
+#: lib/luks1/keymanage.c:348
 msgid ""
 "already contains LUKS header. Replacing header will destroy existing "
 "keyslots."
 msgstr ""
 
-#: lib/luks1/keymanage.c:348 lib/luks2/luks2_json_metadata.c:1462
+#: lib/luks1/keymanage.c:349 lib/luks2/luks2_json_metadata.c:1462
 msgid ""
 "\n"
 "WARNING: real device header has different UUID than backup!"
 msgstr ""
 
-#: lib/luks1/keymanage.c:396
+#: lib/luks1/keymanage.c:397
 msgid "Non standard key size, manual repair required."
 msgstr ""
 
-#: lib/luks1/keymanage.c:406
+#: lib/luks1/keymanage.c:407
 msgid "Non standard keyslots alignment, manual repair required."
 msgstr ""
 
-#: lib/luks1/keymanage.c:415
+#: lib/luks1/keymanage.c:416
 #, c-format
 msgid "Cipher mode repaired (%s -> %s)."
 msgstr ""
 
-#: lib/luks1/keymanage.c:426
+#: lib/luks1/keymanage.c:427
 #, c-format
 msgid "Cipher hash repaired to lowercase (%s)."
 msgstr ""
 
-#: lib/luks1/keymanage.c:428 lib/luks1/keymanage.c:534
-#: lib/luks1/keymanage.c:790
+#: lib/luks1/keymanage.c:429 lib/luks1/keymanage.c:535
+#: lib/luks1/keymanage.c:791
 #, c-format
 msgid "Requested LUKS hash %s is not supported."
 msgstr ""
 
-#: lib/luks1/keymanage.c:442
+#: lib/luks1/keymanage.c:443
 msgid "Repairing keyslots."
 msgstr ""
 
-#: lib/luks1/keymanage.c:461
+#: lib/luks1/keymanage.c:462
 #, c-format
 msgid "Keyslot %i: offset repaired (%u -> %u)."
 msgstr ""
 
-#: lib/luks1/keymanage.c:469
+#: lib/luks1/keymanage.c:470
 #, c-format
 msgid "Keyslot %i: stripes repaired (%u -> %u)."
 msgstr ""
 
-#: lib/luks1/keymanage.c:478
+#: lib/luks1/keymanage.c:479
 #, c-format
 msgid "Keyslot %i: bogus partition signature."
 msgstr ""
 
-#: lib/luks1/keymanage.c:483
+#: lib/luks1/keymanage.c:484
 #, c-format
 msgid "Keyslot %i: salt wiped."
 msgstr ""
 
-#: lib/luks1/keymanage.c:500
+#: lib/luks1/keymanage.c:501
 msgid "Writing LUKS header to disk."
 msgstr ""
 
-#: lib/luks1/keymanage.c:505
+#: lib/luks1/keymanage.c:506
 msgid "Repair failed."
 msgstr ""
 
-#: lib/luks1/keymanage.c:560
+#: lib/luks1/keymanage.c:561
 #, c-format
 msgid "LUKS cipher mode %s is invalid."
 msgstr ""
 
-#: lib/luks1/keymanage.c:565
+#: lib/luks1/keymanage.c:566
 #, c-format
 msgid "LUKS hash %s is invalid."
 msgstr ""
 
-#: lib/luks1/keymanage.c:572 src/cryptsetup.c:1281
+#: lib/luks1/keymanage.c:573 src/cryptsetup.c:1281
 msgid "No known problems detected for LUKS header."
 msgstr ""
 
-#: lib/luks1/keymanage.c:700
+#: lib/luks1/keymanage.c:701
 #, c-format
 msgid "Error during update of LUKS header on device %s."
 msgstr ""
 
-#: lib/luks1/keymanage.c:708
+#: lib/luks1/keymanage.c:709
 #, c-format
 msgid "Error re-reading LUKS header after update on device %s."
 msgstr ""
 
-#: lib/luks1/keymanage.c:784
+#: lib/luks1/keymanage.c:785
 msgid ""
 "Data offset for LUKS header must be either 0 or higher than header size."
 msgstr ""
 
-#: lib/luks1/keymanage.c:795 lib/luks1/keymanage.c:864
+#: lib/luks1/keymanage.c:796 lib/luks1/keymanage.c:865
 #: lib/luks2/luks2_json_format.c:286 lib/luks2/luks2_json_metadata.c:1236
 #: src/utils_reencrypt.c:514
 msgid "Wrong LUKS UUID format provided."
 msgstr ""
 
-#: lib/luks1/keymanage.c:817
+#: lib/luks1/keymanage.c:818
 msgid "Cannot create LUKS header: reading random salt failed."
 msgstr ""
 
-#: lib/luks1/keymanage.c:843
+#: lib/luks1/keymanage.c:844
 #, c-format
 msgid "Cannot create LUKS header: header digest failed (using hash %s)."
 msgstr ""
 
-#: lib/luks1/keymanage.c:887
+#: lib/luks1/keymanage.c:888
 #, c-format
 msgid "Key slot %d active, purge first."
 msgstr ""
 
-#: lib/luks1/keymanage.c:893
+#: lib/luks1/keymanage.c:894
 #, c-format
 msgid "Key slot %d material includes too few stripes. Header manipulation?"
 msgstr ""
 
-#: lib/luks1/keymanage.c:1034
+#: lib/luks1/keymanage.c:1035
 #, c-format
 msgid "Cannot open keyslot (using hash %s)."
 msgstr ""
 
-#: lib/luks1/keymanage.c:1112
+#: lib/luks1/keymanage.c:1113
 #, c-format
 msgid "Key slot %d is invalid, please select keyslot between 0 and %d."
 msgstr ""
 
-#: lib/luks1/keymanage.c:1130 lib/luks2/luks2_keyslot.c:718
+#: lib/luks1/keymanage.c:1131 lib/luks2/luks2_keyslot.c:718
 #, c-format
 msgid "Cannot wipe device %s."
 msgstr ""
@@ -1245,41 +1239,11 @@ msgstr ""
 msgid "Could not read %u bytes of volume header."
 msgstr ""
 
-#: lib/fvault2/fvault2.c:549 lib/fvault2/fvault2.c:637
-#: lib/fvault2/fvault2.c:758
-msgid "CRC mismatch."
-msgstr ""
-
 #: lib/fvault2/fvault2.c:554
 #, c-format
 msgid "Unsupported FVAULT2 version %<PRIu16>."
 msgstr ""
 
-#: lib/fvault2/fvault2.c:561
-msgid "Invalid Core Storage magic bytes."
-msgstr ""
-
-#: lib/fvault2/fvault2.c:567
-#, c-format
-msgid "Unsupported AES key size: %<PRIu32> bytes."
-msgstr ""
-
-#: lib/fvault2/fvault2.c:623 lib/fvault2/fvault2.c:650
-#: lib/fvault2/fvault2.c:726 lib/fvault2/fvault2.c:735
-#: lib/fvault2/fvault2.c:795 lib/verity/verity_hash.c:167
-#: lib/verity/verity_hash.c:300 lib/verity/verity_hash.c:311
-msgid "Device offset overflow."
-msgstr ""
-
-#: lib/fvault2/fvault2.c:805
-msgid "Necessary FVAULT2 metadata blocks not found."
-msgstr ""
-
-#: lib/fvault2/fvault2.c:920
-#, c-format
-msgid "Could not parse logical volume family UUID: %s."
-msgstr ""
-
 #: lib/verity/verity.c:68 lib/verity/verity.c:182
 #, c-format
 msgid "Verity device %s does not use on-disk header."
@@ -1334,6 +1298,11 @@ msgstr ""
 msgid "Spare area is not zeroed at position %<PRIu64>."
 msgstr ""
 
+#: lib/verity/verity_hash.c:167 lib/verity/verity_hash.c:300
+#: lib/verity/verity_hash.c:311
+msgid "Device offset overflow."
+msgstr ""
+
 #: lib/verity/verity_hash.c:218
 #, c-format
 msgid "Verification failed at position %<PRIu64>."
@@ -1926,12 +1895,12 @@ msgstr ""
 
 #: src/cryptsetup.c:108 src/cryptsetup.c:1901
 #, c-format
-msgid "Enter token PIN:"
+msgid "Enter token PIN: "
 msgstr ""
 
 #: src/cryptsetup.c:110 src/cryptsetup.c:1903
 #, c-format
-msgid "Enter token %d PIN:"
+msgid "Enter token %d PIN: "
 msgstr ""
 
 #: src/cryptsetup.c:159 src/cryptsetup.c:1103 src/cryptsetup.c:1430
@@ -2222,7 +2191,7 @@ msgstr ""
 msgid "Device %s is not a valid LUKS2 device."
 msgstr ""
 
-#: src/cryptsetup.c:1867
+#: src/cryptsetup.c:1867 src/cryptsetup.c:2072
 msgid "Enter new passphrase for key slot: "
 msgstr ""
 
@@ -2235,10 +2204,6 @@ msgstr ""
 msgid "Enter any existing passphrase: "
 msgstr ""
 
-#: src/cryptsetup.c:2072
-msgid "Enter new passphrase for key slot:"
-msgstr ""
-
 #: src/cryptsetup.c:2152
 msgid "Enter passphrase to be changed: "
 msgstr ""
@@ -3234,7 +3199,7 @@ msgstr ""
 msgid "Finished, time %s, %s, %s\n"
 msgstr ""
 
-#: src/utils_password.c:41 src/utils_password.c:74
+#: src/utils_password.c:41 src/utils_password.c:72
 #, c-format
 msgid "Cannot check password quality: %s"
 msgstr ""
@@ -3246,42 +3211,42 @@ msgid ""
 " %s"
 msgstr ""
 
-#: src/utils_password.c:81
+#: src/utils_password.c:79
 #, c-format
 msgid "Password quality check failed: Bad passphrase (%s)"
 msgstr ""
 
-#: src/utils_password.c:232 src/utils_password.c:246
+#: src/utils_password.c:230 src/utils_password.c:244
 msgid "Error reading passphrase from terminal."
 msgstr ""
 
-#: src/utils_password.c:244
+#: src/utils_password.c:242
 msgid "Verify passphrase: "
 msgstr ""
 
-#: src/utils_password.c:251
+#: src/utils_password.c:249
 msgid "Passphrases do not match."
 msgstr ""
 
-#: src/utils_password.c:289
+#: src/utils_password.c:287
 msgid "Cannot use offset with terminal input."
 msgstr ""
 
-#: src/utils_password.c:293
+#: src/utils_password.c:291
 #, c-format
 msgid "Enter passphrase: "
 msgstr ""
 
-#: src/utils_password.c:296
+#: src/utils_password.c:294
 #, c-format
 msgid "Enter passphrase for %s: "
 msgstr ""
 
-#: src/utils_password.c:330
+#: src/utils_password.c:328
 msgid "No key available with this passphrase."
 msgstr ""
 
-#: src/utils_password.c:332
+#: src/utils_password.c:330
 msgid "No usable keyslot is available."
 msgstr ""
 

src/cryptsetup.c

@@ -105,9 +105,9 @@ static int _try_token_pin_unlock(struct crypt_device *cd,
 	assert(token_id >= 0 || token_id == CRYPT_ANY_TOKEN);
 
 	if (token_id == CRYPT_ANY_TOKEN)
-		r = snprintf(msg, sizeof(msg), _("Enter token PIN:"));
+		r = snprintf(msg, sizeof(msg), _("Enter token PIN: "));
 	else
-		r = snprintf(msg, sizeof(msg), _("Enter token %d PIN:"), token_id);
+		r = snprintf(msg, sizeof(msg), _("Enter token %d PIN: "), token_id);
 	if (r < 0 || (size_t)r >= sizeof(msg))
 		return -EINVAL;
 
@@ -1898,9 +1898,9 @@ static int _ask_for_pin(struct crypt_device *cd,
 		return -EINVAL;
 
 	if (token_id == CRYPT_ANY_TOKEN)
-		r = snprintf(msg, sizeof(msg), _("Enter token PIN:"));
+		r = snprintf(msg, sizeof(msg), _("Enter token PIN: "));
 	else
-		r = snprintf(msg, sizeof(msg), _("Enter token %d PIN:"), token_id);
+		r = snprintf(msg, sizeof(msg), _("Enter token %d PIN: "), token_id);
 	if (r < 0 || (size_t)r >= sizeof(msg))
 		return -EINVAL;
 
@@ -2069,7 +2069,7 @@ static int action_luksAddKey(void)
 			p_kc_new = kc_new;
 		}
 	} else {
-		r = tools_get_key(_("Enter new passphrase for key slot:"),
+		r = tools_get_key(_("Enter new passphrase for key slot: "),
 			      &password_new, &password_new_size,
 			      ARG_UINT64(OPT_NEW_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_NEW_KEYFILE_SIZE_ID), new_key_file,
 			      ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(1), !ARG_SET(OPT_FORCE_PASSWORD_ID), cd);

src/utils_password.c

@@ -49,10 +49,8 @@ static int tools_check_pwquality(const char *password)
 		log_err(_("Password quality check failed:\n %s"),
 			pwquality_strerror(NULL, 0, r, auxerror));
 		r = -EPERM;
-	} else {
-		log_dbg("New password libpwquality score is %d.", r);
+	} else
 		r = 0;
-	}
 
 	pwquality_free_settings(pwq);
 	return r;

tests/Makefile.am

@@ -198,8 +198,8 @@ valgrind-check: api-test api-test-2 differ
 	@VALG=1 ./mode-test
 	@VALG=1 ./password-hash-test
 	@VALG=1 ./reencryption-compat-test
+	@VALG=1 ./fvault2-compat-test
 	@[ -z "$RUN_SSH_PLUGIN_TEST" ] || VALG=1 ./ssh-test-plugin
-	@[ -z "$RUN_SYSTEMD_PLUGIN_TEST" ] || VALG=1 ./systemd-test-plugin
 	@INFOSTRING="unit-utils-crypt-test" ./valg-api.sh ./unit-utils-crypt-test
 	@INFOSTRING="vectors-test" ./valg-api.sh ./vectors-test
 	@grep -l "ERROR SUMMARY: [^0][0-9]* errors" valglog* || echo "No leaks detected."

tests/Makefile.localtest

@@ -16,6 +16,7 @@ endif
 
 ifneq ($(RUN_SYSTEMD_PLUGIN_TEST),)
 TESTS += systemd-test-plugin
+TESTS_UTILS += fake_systemd_tpm_path.so
 endif
 
 check-programs: $(TESTS_UTILS) $(TESTS)
@@ -47,6 +48,9 @@ all-symbols-test.o: test-symbols-list.h
 all-symbols-test: all-symbols-test.o
 	$(CC) -o $@ $^ -ldl
 
+fake_systemd_tpm_path.so: fake_systemd_tpm_path.c
+	$(CC) -fPIC -shared -D_GNU_SOURCE -o fake_systemd_tpm_path.so fake_systemd_tpm_path.c
+
 tests: $(TESTS_UTILS) $(TESTS)
 	@for test in $(sort $(TESTS)); do \
 		echo [$$test]; \

tests/luks2-reencryption-mangle-test

@@ -217,7 +217,8 @@ function valgrind_setup()
 
 function valgrind_run()
 {
-	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
+	export INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}"
+	$CRYPTSETUP_RAW "$@"
 }
 
 [ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."

tests/systemd-test-plugin

@@ -54,18 +54,19 @@ function skip()
 [ -z "$RUN_SYSTEMD_PLUGIN_TEST" ] && skip "WARNING: Variable RUN_SYSTEMD_PLUGIN_TEST must be defined, test skipped."
 
 [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
-bin_check git
 bin_check swtpm
 bin_check swtpm_ioctl
-bin_check meson
-bin_check ninja
-bin_check pkgconf
 
 CRYPTENROLL_LD_PRELOAD=""
 
 # if CRYPTSETUP_PATH is defined, we run against installed binaries,
 # otherwise we compile systemd tokens from source
 [ -z "$CRYPTSETUP_PATH" ] && {
+    bin_check git
+    bin_check meson
+    bin_check ninja
+    bin_check pkgconf
+
     TOKEN_PATH=fake_token_path.so
     [ -f $TOKEN_PATH ] || skip "Please compile $TOKEN_PATH."
     INSTALL_PATH=$(pwd)/external-tokens/install
@@ -108,13 +109,15 @@ CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
     SWTPM_STATE_DIR=$(mktemp -d /tmp/systemd_swtpm_state.XXXXXX)
     modprobe tpm_vtpm_proxy || skip "Failed to load tpm_vtpm_proxy kernel module, required for emulated TPM."
     SWTPM_LOG=$(swtpm chardev --vtpm-proxy --tpm2 --tpmstate dir=$SWTPM_STATE_DIR -d --pid file=$SWTPM_PIDFILE --ctrl type=unixio,path=$SWTPM_STATE_DIR/ctrl.sock)
-    TPM_PATH=$(echo $SWTPM_LOG | grep -Eo '\/dev\/tpm([0-9])+' | sed 's/tpm/tpmrm/')
+    TPM_PATH=$(echo $SWTPM_LOG | grep -Eo '/dev/tpm([0-9])+' | sed 's/tpm/tpmrm/')
     [ -z "$TPM_PATH" ] && skip "No TPM_PATH set and swtpm failed, test skipped."
     sleep 1
     echo "Virtual TPM set up at $TPM_PATH"
 }
 
-export LD_PRELOAD="$LD_PRELOAD:$(pwd)/fake_systemd_tpm_path.so"
+FAKE_TPM_PATH="$(pwd)/fake_systemd_tpm_path.so"
+[ -f $FAKE_TPM_PATH ] || skip "Please compile $FAKE_TPM_PATH."
+export LD_PRELOAD="$LD_PRELOAD:$FAKE_TPM_PATH"
 
 export TPM_PATH=$TPM_PATH
 echo "TPM path is $TPM_PATH"