Version 2.7.5.

We use common libcryptsetup-token.sym version script that contain
all symbols, but some of them are optional.

As clang linker treats missing symbols as errors, the linker
phase for ssh token fails as optional cryptsetup_token_buffer_free
is not defined.
(Most of distros has this option still disabled, though).

As the sym file is also example for token authors, removing symbols
there is not an option. For clang, we can use --undefined-version option,
but it is not supported by other linkers, so it requires non-trivial
checks for usable LDFLAGS (for both autoconf and meson).

Instead, fix it by simply defining the symbol in ssh token, which
duplicates the internal libcryptsetup functionality.

Fixes: #830

.gitlab-ci.yml

@@ -1,5 +1,6 @@
 stages:
   - test
+  - test-opal
 
 .fail_if_coredump_generated:
   after_script:
@@ -20,3 +21,4 @@ include:
   - local: .gitlab/ci/alpinelinux.yml
   - local: .gitlab/ci/debian-i686.yml
   - local: .gitlab/ci/cifuzz.yml
+  - local: .gitlab/ci/ubuntu.yml

.gitlab/ci/cibuild-setup-ubuntu.sh

@@ -5,7 +5,7 @@ set -ex
 PACKAGES=(
 	git make autoconf automake autopoint pkg-config libtool libtool-bin
 	gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol-dev
-	libjson-c-dev libssh-dev libblkid-dev tar libargon2-0-dev libpwquality-dev
+	libjson-c-dev libssh-dev libblkid-dev tar libargon2-dev libpwquality-dev
 	sharutils dmsetup jq xxd expect keyutils netcat-openbsd passwd openssh-client
 	sshpass asciidoctor
 )
@@ -13,9 +13,12 @@ PACKAGES=(
 COMPILER="${COMPILER:?}"
 COMPILER_VERSION="${COMPILER_VERSION:?}"
 
-grep -E '^deb' /etc/apt/sources.list > /etc/apt/sources.list~
-sed -Ei 's/^deb /deb-src /' /etc/apt/sources.list~
-cat /etc/apt/sources.list~ >> /etc/apt/sources.list
+sed -i 's/^Types: deb$/Types: deb deb-src/' /etc/apt/sources.list.d/ubuntu.sources
+
+# use this on older Ubuntu
+# grep -E '^deb' /etc/apt/sources.list > /etc/apt/sources.list~
+# sed -Ei 's/^deb /deb-src /' /etc/apt/sources.list~
+# cat /etc/apt/sources.list~ >> /etc/apt/sources.list
 
 apt-get -y update --fix-missing
 DEBIAN_FRONTEND=noninteractive apt-get -yq install software-properties-common wget lsb-release

.gitlab/ci/compilation-clang.gitlab-ci.yml

@@ -28,3 +28,30 @@ test-scan-build:
     - make clean
     - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} --status-bugs -maxloop 10 make -j
     - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} --status-bugs -maxloop 10 make -j check-programs
+
+test-scan-build-backends:
+  extends:
+    - .gitlab-shared-clang
+  parallel:
+    matrix:
+      - BACKENDS: [
+          "openssl",
+          "gcrypt",
+          "nss",
+          "kernel",
+          "nettle"
+      ]
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event" || $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+      changes:
+        - lib/crypto_backend/*
+  script:
+    - DEBIAN_FRONTEND=noninteractive apt-get -yq install libgcrypt20-dev libnss3-dev nettle-dev
+    - ./autogen.sh
+    - echo "Configuring with crypto backend $BACKENDS"
+    - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} -V ./configure CFLAGS="-g -O0" --with-crypto_backend=$BACKENDS
+    - make clean
+    - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} --status-bugs -maxloop 10 make -j
+    - scan-build${COMPILER_VERSION:+-$COMPILER_VERSION} --status-bugs -maxloop 10 make -j check-programs

.gitlab/ci/compilation-gcc.gitlab-ci.yml

@@ -23,8 +23,33 @@ test-gcc-fanalyzer:
   extends:
     - .gitlab-shared-gcc
   script:
-    - export CFLAGS="-Wall -Werror -g -O0 -fanalyzer -fdiagnostics-path-format=separate-events"
     - ./autogen.sh
-    - ./configure
+    - ./configure CFLAGS="-Wall -Werror -g -O0 -fanalyzer -fdiagnostics-path-format=separate-events" --host=x86_64
+    - make -j
+    - make -j check-programs
+
+test-gcc-fanalyzer-backends:
+  extends:
+    - .gitlab-shared-gcc
+  parallel:
+    matrix:
+      - BACKENDS: [
+          "openssl",
+          "gcrypt",
+          "nss",
+          "kernel",
+          "nettle"
+      ]
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event" || $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+      changes:
+        - lib/crypto_backend/*
+  script:
+    - DEBIAN_FRONTEND=noninteractive apt-get -yq install libgcrypt20-dev libnss3-dev nettle-dev
+    - ./autogen.sh
+    - echo "Configuring with crypto backend $BACKENDS"
+    - ./configure CFLAGS="-Wall -Werror -g -O0 -fanalyzer -fdiagnostics-path-format=separate-events" --host=x86_64 --with-crypto_backend=$BACKENDS
     - make -j
     - make -j check-programs

.gitlab/ci/compilation-various-disables.yml

@@ -11,7 +11,8 @@ test-gcc-disable-compiles:
           "kernel_crypto",
           "udev",
           "internal-argon2",
-          "blkid"
+          "blkid",
+          "hw-opal"
       ]
   artifacts:
     name: "meson-build-logs-$CI_COMMIT_REF_NAME"

.gitlab/ci/fedora-opal.yml

@@ -1,34 +1,11 @@
-.dnf-openssl-backend:
-  variables:
-    DISTRO: cryptsetup-fedora-rawhide
-  extends:
-    - .fail_if_coredump_generated
-  before_script:
-    - >
-      [ -z "$RUN_SYSTEMD_PLUGIN_TEST" ] ||
-      sudo dnf -y -q install
-      swtpm meson ninja-build python3-jinja2 gperf libcap-devel tpm2-tss-devel
-      libmount-devel swtpm-tools
-    - >
-      sudo dnf -y -q install
-      autoconf automake device-mapper-devel gcc gettext-devel json-c-devel
-      libargon2-devel libblkid-devel libpwquality-devel libselinux-devel
-      libssh-devel libtool libuuid-devel make popt-devel
-      libsepol-devel.x86_64 netcat openssh-clients passwd pkgconfig sharutils
-      sshpass tar uuid-devel vim-common device-mapper expect gettext git jq
-      keyutils openssl-devel openssl asciidoctor
-    - sudo -E git clean -xdf
-    - ./autogen.sh
-    - ./configure --enable-fips --enable-pwquality --enable-libargon2 --with-crypto_backend=openssl --enable-asciidoc
-
 .opal-template-fedora:
   extends:
     - .dnf-openssl-backend
   tags:
     - libvirt
     - cryptsetup-fedora-rawhide
-  stage: test
-  interruptible: true
+  stage: test-opal
+  interruptible: false
   variables:
     OPAL2_DEV: "/dev/nvme0n1"
     OPAL2_PSID_FILE: "/home/gitlab-runner/psid.txt"
@@ -50,8 +27,8 @@ test-commit-rawhide-samsung980:
     - .opal-template-fedora
   tags:
     - tiber
-  stage: test
-  interruptible: true
+  resource_group: samsung980-on-tiber
+  interruptible: false
   variables:
     PCI_PASSTHROUGH_VENDOR_ID: "144d"
     PCI_PASSTHROUGH_DEVICE_ID: "a809"
@@ -65,43 +42,74 @@ test-mergerq-rawhide-samsung980:
     - .opal-template-fedora
   tags:
     - tiber
-  stage: test
-  interruptible: true
+  resource_group: samsung980-on-tiber
+  interruptible: false
   variables:
     PCI_PASSTHROUGH_VENDOR_ID: "144d"
     PCI_PASSTHROUGH_DEVICE_ID: "a809"
 
-# # WD PC SN740 SDDQNQD-512G-1014 (on tiber machine)
-# test-commit-rawhide-sn740:
-#   rules:
-#     - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
-#       when: never
-#     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
-#   extends:
-#     - .opal-template-fedora
-#   tags:
-#     - tiber
-#   stage: test
-#   interruptible: true
-#   variables:
-#     PCI_PASSTHROUGH_VENDOR_ID: "15b7"
-#     PCI_PASSTHROUGH_DEVICE_ID: "5017"
-#
-# test-mergerq-rawhide-sn740:
-#   rules:
-#     - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
-#       when: never
-#     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-#   extends:
-#     - .opal-template-fedora
-#   tags:
-#     - tiber
-#   stage: test
-#   interruptible: true
-#   variables:
-#     PCI_PASSTHROUGH_VENDOR_ID: "15b7"
-#     PCI_PASSTHROUGH_DEVICE_ID: "5017"
-#
+# WD PC SN740 SDDQNQD-512G-1014 (on tiber machine)
+test-commit-rawhide-sn740:
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+  extends:
+    - .opal-template-fedora
+  tags:
+    - tiber
+  resource_group: sn740-on-tiber
+  interruptible: false
+  variables:
+    PCI_PASSTHROUGH_VENDOR_ID: "15b7"
+    PCI_PASSTHROUGH_DEVICE_ID: "5017"
+
+test-mergerq-rawhide-sn740:
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  extends:
+    - .opal-template-fedora
+  tags:
+    - tiber
+  resource_group: sn740-on-tiber
+  interruptible: false
+  variables:
+    PCI_PASSTHROUGH_VENDOR_ID: "15b7"
+    PCI_PASSTHROUGH_DEVICE_ID: "5017"
+
+# Samsung SSD 980 PRO 1TB (on trantor machine)
+test-commit-rawhide-samsung980pro:
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+  extends:
+    - .opal-template-fedora
+  tags:
+    - trantor
+  resource_group: samsung980pro-on-trantor
+  interruptible: false
+  variables:
+    PCI_PASSTHROUGH_VENDOR_ID: "144d"
+    PCI_PASSTHROUGH_DEVICE_ID: "a80a"
+
+test-mergerq-rawhide-samsung980pro:
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  extends:
+    - .opal-template-fedora
+  tags:
+    - trantor
+  resource_group: samsung980pro-on-trantor
+  interruptible: false
+  variables:
+    PCI_PASSTHROUGH_VENDOR_ID: "144d"
+    PCI_PASSTHROUGH_DEVICE_ID: "a80a"
+
 # # UMIS RPETJ256MGE2MDQ (on tiber machine)
 # test-commit-rawhide-umis:
 #   rules:
@@ -112,8 +120,9 @@ test-mergerq-rawhide-samsung980:
 #     - .opal-template-fedora
 #   tags:
 #     - tiber
+#   resource_group: umis-on-tiber
 #   stage: test
-#   interruptible: true
+#   interruptible: false
 #   variables:
 #     PCI_PASSTHROUGH_VENDOR_ID: "1cc4"
 #     PCI_PASSTHROUGH_DEVICE_ID: "6302"
@@ -127,8 +136,9 @@ test-mergerq-rawhide-samsung980:
 #     - .opal-template-fedora
 #   tags:
 #     - tiber
+#   resource_group: umis-on-tiber
 #   stage: test
-#   interruptible: true
+#   interruptible: false
 #   variables:
 #     PCI_PASSTHROUGH_VENDOR_ID: "1cc4"
 #     PCI_PASSTHROUGH_DEVICE_ID: "6302"

.gitlab/ci/gitlab-shared-docker.yml

@@ -1,5 +1,5 @@
 .gitlab-shared-docker:
-  image: ubuntu:lunar
+  image: ubuntu:noble
   tags:
     - gitlab-org-docker
   stage: test
@@ -18,7 +18,8 @@
     - .gitlab-shared-docker
   variables:
     COMPILER: "gcc"
-    COMPILER_VERSION: "11"
+    COMPILER_VERSION: "13"
+    CC: "gcc-13"
     RUN_SSH_PLUGIN_TEST: "1"
 
 .gitlab-shared-clang:
@@ -26,5 +27,6 @@
     - .gitlab-shared-docker
   variables:
     COMPILER: "clang"
-    COMPILER_VERSION: "17"
+    COMPILER_VERSION: "18"
+    CC: "clang-18"
     RUN_SSH_PLUGIN_TEST: "1"

.gitlab/ci/rhel.yml

@@ -80,7 +80,7 @@ test-main-commit-rhel8-fips:
       when: never
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
   script:
-    - fips-mode-setup --check || exit 1
+    - sudo fips-mode-setup --check || exit 1
     - make -j
     - make -j -C tests check-programs
     - sudo -E make check
@@ -104,7 +104,7 @@ test-main-commit-rhel9-fips:
       when: never
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
   script:
-    - fips-mode-setup --check || exit 1
+    - sudo fips-mode-setup --check || exit 1
     - make -j
     - make -j -C tests check-programs
     - sudo -E make check

.gitlab/ci/ubuntu.yml

@@ -0,0 +1,102 @@
+.ubuntu-prep:
+  extends:
+    - .fail_if_coredump_generated
+  before_script:
+    - sudo apt-get -y update
+    - >
+      [ -z "$RUN_SYSTEMD_PLUGIN_TEST" ] ||
+      sudo apt-get -y install -y -qq swtpm meson ninja-build python3-jinja2
+      gperf libcap-dev libtss2-dev libmount-dev swtpm-tools
+    - >
+      sudo apt-get -y install -y -qq git gcc make autoconf automake autopoint
+      pkgconf libtool libtool-bin gettext libssl-dev libdevmapper-dev
+      libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev
+      tar libargon2-dev libpwquality-dev sharutils dmsetup jq xxd expect
+      keyutils netcat-openbsd passwd openssh-client sshpass asciidoctor
+    - sudo apt-get -y build-dep cryptsetup
+    - sudo -E git clean -xdf
+    - ./autogen.sh
+    - ./configure --enable-libargon2 --enable-asciidoc
+
+test-mergerq-job-ubuntu:
+  extends:
+    - .ubuntu-prep
+  tags:
+    - libvirt
+    - cryptsetup-ubuntu-2404
+  stage: test
+  interruptible: true
+  variables:
+    DISTRO: cryptsetup-ubuntu-2404
+    RUN_SSH_PLUGIN_TEST: "1"
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  script:
+    - make -j
+    - make -j -C tests check-programs
+    - sudo -E make check
+
+test-main-commit-job-ubuntu:
+  extends:
+    - .ubuntu-prep
+  tags:
+    - libvirt
+    - cryptsetup-ubuntu-2404
+  stage: test
+  interruptible: true
+  variables:
+    DISTRO: cryptsetup-ubuntu-2404
+    RUN_SSH_PLUGIN_TEST: "1"
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+  script:
+    - make -j
+    - make -j -C tests check-programs
+    - sudo -E make check
+
+# meson tests
+test-mergerq-job-ubuntu-meson:
+  extends:
+    - .ubuntu-prep
+  tags:
+    - libvirt
+    - cryptsetup-ubuntu-2404
+  stage: test
+  interruptible: true
+  variables:
+    DISTRO: cryptsetup-ubuntu-2404
+    RUN_SSH_PLUGIN_TEST: "1"
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  script:
+    - sudo apt-get -y install -y -qq meson ninja-build
+    - meson setup build
+    - ninja -C build
+    - cd build && sudo -E meson test --verbose --print-errorlogs
+
+test-main-commit-job-ubuntu-meson:
+  extends:
+    - .ubuntu-prep
+  tags:
+    - libvirt
+    - cryptsetup-ubuntu-2404
+  stage: test
+  interruptible: true
+  variables:
+    DISTRO: cryptsetup-ubuntu-2404
+    RUN_SSH_PLUGIN_TEST: "1"
+  rules:
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+  script:
+    - sudo apt-get -y install -y -qq meson ninja-build
+    - meson setup build
+    - ninja -C build
+    - cd build && sudo -E meson test --verbose --print-errorlogs

CONTRIBUTING.md

@@ -0,0 +1,157 @@
+Contributing to cryptsetup
+==========================
+For basic information about the cryptsetup project, please read [README](README.md).
+
+The Cryptsetup project uses free, open-source licenses; details are described in [licensing](README.licensing).
+
+For contribution code or documentation to the cryptsetup project, you must have the necessary rights to the content, and your contribution must be provided under the required license.
+
+We welcome contributions from everyone.
+
+Cryptsetup is an independent project with much volunteer effort, and our resources are limited.
+Following the guidelines specified in this file makes it easier for us to process your issue.
+
+Project maintainers can remove or reject abusive or otherwise unacceptable comments or code.
+
+Git repository
+--------------
+The primary repository is located at [gitlab.com/cryptsetup/cryptsetup](https://gitlab.com/cryptsetup/cryptsetup).
+The development branch is ``main``; minor stable releases can use their branches with cherry-picked or backported patches.
+
+There are backup mirrors located at [github.com/mbroz/cryptsetup](https://github.com/mbroz/cryptsetup) and [git.kernel.org/pub/scm/utils/cryptsetup/cryptsetup.git](https://git.kernel.org/pub/scm/utils/cryptsetup/cryptsetup.git).
+
+How to make a bug report
+------------------------
+To report an issue or feature request, please use GitLab [cryptsetup issue tracker](https://gitlab.com/cryptsetup/cryptsetup/-/issues).
+
+Before reporting an issue, please try to search documentation and existing issues. Always try to reproduce the problem on the latest supported release.
+Please *always* collect and attach ``--debug`` log and other information as instructed in the issue template.
+Even if you think the problem is obvious, we need logged information about the environment (like versions of kernel modules, etc.).
+
+Please do not report distribution-specific issues if they are not present in the latest upstream release.
+For such reports, please use downstream distribution-specific trackers.
+If the issue is related to upstream, downstream maintainers will redirect you here, or upstream maintainers will join the discussion.
+
+If you think that you found some security bug, please follow the instructions in the [SECURITY](SECURITY.md) file.
+
+How to contribute changes to cryptsetup
+---------------------------------------
+The following notes are a very short introduction to cryptsetup internal processes and an overview of generic rules that should be followed for all changes.
+
+Changes from developers and external contributors should go through the GitLab repository [merge reguests](https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests).
+Alternatively (for trivial changes), you can send a patch to [cryptsetup mailing list](mailto:cryptsetup@lists.linux.dev).
+
+Please do not write personal emails with questions or patches to maintainers and developers.
+
+### Project structure
+Cryptsetup projects include a libcryptsetup library, tools, token plugins, documentation, and a test suite.
+
+Cryptsetup library (libcryptsetup) exports [versioned symbols](lib/libcryptsetup.sym).
+Tools (cryptsetup, veritysetup, integritysetup) use libcryptsetup shared library.
+Some isolated parts in the lib directory can be reused for tools (the source is recompiled).
+
+The basic directory structure in the repository is
+```
+├── docs - Documentation and release notes.
+├── lib  - libcryptsetup implementation
+│   ├── bitlk           - Bitlocker format
+│   ├── crypto_backend  - Cryptography backend
+│   ├── fvault2         - FileVault2 format
+│   ├── integrity       - Linux dm-integrity interface
+│   ├── loopaes         - Linux LoopAES format
+│   ├── luks1           - LUKS1 format
+│   ├── luks2           - LUKS2 format including OPAL2 SED
+│   ├── tcrypt          - TrueCrypt / VeraCrypt format
+│   └── verity          - Linux dm-verity interface
+├── man - Manual pages (in AsciiDoc format)
+├── misc - Miscellaneous additions
+├── po - Translation files
+├── scripts - Scripts for system configuration
+├── src - Tools implementation
+├── tests - Testsuite (test units, regression tests, fuzzing)
+└── tokens - Token plugins
+```
+### Coordination with other projects
+The cryptsetup tools and library use low-level functions that depend on many other subsystems.
+Currently, the project is supported only for Linux (it will not work on Android or other systems).
+
+Cryptsetup project requires some parts of the Linux kernel, notably the *Device Mapper* (dm-crypt, dm-integrity, dm-verity, dm-zero modules) and kernel *userspace cryptographic interface*.
+Missing kernel interface can significantly limit (or even disallow) cryptsetup functionality.
+
+Integration in operating systems also depends on several other projects, most notably *systemd* (that implements its own tooling using libcryptsetup) and *util-Linux* (*blkid* parsing of supported format metadata). Some changes must be synchronized in all needed places (kernel, blkid, libcryptsetup).
+
+Several other projects implement their own token metadata (either through binary token plugins or through generic libcryptsetup JSON token access functions).
+
+### Used cryptography algorithms
+Cryptsetup avoids implementing cryptographic primitives but uses cryptographic libraries.
+Exceptions were PBKDF internal implementations - PBKDF2 and Argon2 until these were integrated into major cryptographic libraries.
+
+Cryptsetup can be compiled with several cryptographic libraries backend (OpenSSL, libgcrypt, Nettle, NSS, and Linux kernel userspace API).
+OpenSSL is the default and strongly recommended configuration.
+
+If the cryptographic library does not implement some cryptographic primitive (for example, if running in a FIPS-140 environment or just
+because it does not include it at all), functionality could be limited.
+
+### Configuration and versioning
+Cryptsetup can be configured using *Autoconf* or *Meson*. Autoconf support is being deprecated in the long term.
+Currently, all new configuration options must be implemented in both systems.
+
+Cryptsetup intentionally does not use a system configuration file (located in /etc).
+All functionality must be determined dynamically.
+
+All related /etc configuration files (crypttab, fstab and others) are maintained by systemd (in some legacy distributions by cryptsetup downstream).
+
+Cryptsetup uses [semantic versioning](https://semver.org/).
+Major and minor releases are always based on the main git branch; the minor stable (patch) versions can have some specific branch with backported or cherry-picked patches (from the main branch).
+Usually, minor releases happen twice per year and stable patch updates according to reported bugs (in 1-3 month intervals).
+
+### Compilation and debugging
+The library and tools are written in C language; we require C99 and support gcc and Clang compilers.
+Manual pages are generated from AsciiDoc sources and libcryptsetup API documentation by Doxygen (from libcryptsetup.h comments).
+Testsuite is a combination of local C utilities, fuzzing implementation in C++, bash scripts, and uses many other system utilities.
+
+All tools contain compiled-in debug messages that are available through --debug options.
+
+With Autoconf and libtool, you can run the cryptsetup tool in the debugger without installation using this one-line script:
+```
+libtool --mode=execute gdb --args ./cryptsetup --debug $@
+```
+This will ensure that a properly compiled libcryptsetup file is used.
+
+### Coding style
+Cryptsetup uses [Linux kernel coding style](https://www.kernel.org/doc/html/latest/process/coding-style.html) for libcryptsetup and tools (where applicable) with some additional notes:
+- Use tabulators for indentation; the line should not exceed 100 characters with an 8-character tabulator. Otherwise, use a tab of any length. :-).
+- The minimal C standard required is C99.
+- The ``goto`` use is allowed only for error path (``goto out`` for common code path, ``goto err`` for specific error code path).
+- Split patches per change; do not submit huge patches combining several changes.
+- Use an elaborative description in the patch header.
+- No need to use sign-off-by lines.
+- Use name prefixes (``crypt_``, ``LUKS2_`` and similar).
+- Avoid extensive preprocessor use (specifically ``#ifdef`` sections).
+- Use output only through ``log_err, log_std, log_verbose, log_dbg`` macros.
+  The ``log_dbg`` is always in English; the others should be wrapped in the ``_()`` macro for translation.
+- Use ``assert()`` but only for simple invariants and variables (avoid calling functions).
+  Do not use assert for user-defined input (this should be a normal error path).
+- The code style is quite relaxed in testing scripts (code there is not intended for production use).
+
+### General rules and testing
+- Cryptsetup should work on all architectures supported by the Linux kernel.
+Only very few functionalities require specific hardware (notably Opal SED support).
+If you want to introduce some specific hardware support, please discuss it with the maintainers first.
+
+- All code changes should go through merge requests and reviews.
+Code can be merged after review approval (done by someone with the commit right to the development repository), but reviews from external people are very welcome, too.
+
+- All new functionality must come with at least rudimentary coverage in the test suite.
+Always run the test suite before opening the merge request (``make check`` with root privilege).
+
+- We have continuous integration (CI) that runs many tests automatically, but the output is not directly visible for external merge request authors (for security reasons).
+All CI scripts are available in .gitlab and .github folders in the project repository.
+
+  Maintainers will provide you log files if anything fails. Your code must produce no warnings before it is merged.
+
+- We run compilation with many extended [gcc](.gitlab/ci/gcc-Wall) and [Clang](.gitlab/ci/clang-Wall) warnings and include some analyzers, notably
+  - [Coverity](https://scan.coverity.com), GitHub CodeQL, Clang scan-build, and gcc static analyzer, and
+  - fuzzing integrated in [OSS-fuzz project](https://github.com/google/oss-fuzz/tree/master/projects/cryptsetup).
+
+- Testsuite can also partially run under Valgrind dynamic analyzer with ``make valgrind-check``.

FAQ.md

@@ -169,17 +169,12 @@
   me write the section.  Please note that by contributing to this FAQ,
   you accept the license described below.
 
-  This work is under the "Attribution-Share Alike 3.0 Unported" license,
-  which means distribution is unlimited, you may create derived works, but
+  This work is licensed under a Creative Commons CC-BY-SA-4.0
+  "Attribution-ShareAlike 4.0 International" license which means
+  distribution is unlimited, you may create derived works, but
   attributions to original authors and this license statement must be
-  retained and the derived work must be under the same license.  See
-  https://creativecommons.org/licenses/by-sa/3.0/ for more details of the
-  license.
-
-  Side note: I did text license research some time ago and I think this
-  license is best suited for the purpose at hand and creates the least
-  problems.
-
+  retained and the derived work must be under the same license.
+  See https://creativecommons.org/licenses/by-sa/4.0/ for more details.
 
   * **1.6 Where is the project website?**
 

Makefile.am

@@ -1,4 +1,4 @@
-EXTRA_DIST = README.md SECURITY.md COPYING.LGPL FAQ.md docs misc autogen.sh
+EXTRA_DIST = README.md SECURITY.md COPYING.LGPL CONTRIBUTING.md FAQ.md docs misc autogen.sh
 EXTRA_DIST += meson_options.txt \
 	meson.build \
 	lib/crypto_backend/argon2/meson.build \

README.md

@@ -39,11 +39,11 @@ Download
 Release notes and tarballs are available at
 [kernel.org](https://www.kernel.org/pub/linux/utils/cryptsetup/).
 
-**The latest stable cryptsetup release version is 2.7.0**
-  * [cryptsetup-2.7.0.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-2.7.0.tar.xz)
-  * Signature [cryptsetup-2.7.0.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-2.7.0.tar.sign)
+**The latest stable cryptsetup release version is 2.7.5**
+  * [cryptsetup-2.7.5.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-2.7.5.tar.xz)
+  * Signature [cryptsetup-2.7.5.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-2.7.5.tar.sign)
     _(You need to decompress file first to check signature.)_
-  * [Cryptsetup 2.7.0 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/v2.7.0-ReleaseNotes).
+  * [Cryptsetup 2.7.5 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/v2.7.5-ReleaseNotes).
 
 Previous versions
  * [Version 2.6.1](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-2.6.1.tar.xz) -
@@ -89,7 +89,7 @@ sharutils device-mapper jq vim-common expect keyutils netcat shadow-utils openss
 **For Debian and Ubuntu**:
 ```
 git gcc make autoconf automake autopoint pkg-config libtool gettext libssl-dev libdevmapper-dev
-libpopt-dev uuid-dev libsepol1-dev libjson-c-dev libssh-dev libblkid-dev tar
+libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev tar
 
 Optionally: libargon2-0-dev libpwquality-dev
 ```

configure.ac

@@ -1,5 +1,5 @@
 AC_PREREQ([2.67])
-AC_INIT([cryptsetup],[2.7.0])
+AC_INIT([cryptsetup],[2.7.5])
 
 dnl library version from <major>.<minor>.<release>[-<suffix>]
 LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-)
@@ -132,7 +132,6 @@ AC_C_BIGENDIAN
 AC_TYPE_OFF_T
 AC_SYS_LARGEFILE
 AC_FUNC_FSEEKO
-AC_PROG_GCC_TRADITIONAL
 AC_FUNC_STRERROR_R
 
 dnl ==========================================================================

docs/examples/crypt_log_usage.c

@@ -1,21 +1,8 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * libcryptsetup API log example
  *
  * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved.
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <stdio.h>

docs/examples/crypt_luks_usage.c

@@ -1,21 +1,8 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  *  libcryptsetup API - using LUKS device example
  *
  * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved.
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <stdio.h>

docs/v2.7.1-ReleaseNotes

@@ -0,0 +1,30 @@
+Cryptsetup 2.7.1 Release Notes
+==============================
+Stable bug-fix release with minor extensions.
+
+All users of cryptsetup 2.7.0 should upgrade to this version.
+
+Changes since version 2.7.0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Fix interrupted LUKS1 decryption resume.
+  With the replacement of the cryptsetup-reencrypt tool by the cryptsetup
+  reencrypt command, resuming the interrupted LUKS1 decryption operation
+  could fail. LUKS2 was not affected.
+
+* Allow --link-vk-to-keyring with --test-passphrase option.
+  This option allows uploading the volume key in a user-specified kernel
+  keyring without activating the device.
+
+* Fix crash when --active-name was used in decryption initialization.
+
+* Updates and changes to man pages, including indentation, sorting options
+  alphabetically, fixing mistakes in crypt_set_keyring_to_link, and fixing
+  some typos.
+
+* Fix compilation with libargon2 when --disable-internal-argon2 was used.
+
+* Do not require installed argon2.h header and never compile internal
+  libargon2 code if the crypto library directly supports Argon2.
+
+* Fixes to regression tests to support older Linux distributions.

docs/v2.7.2-ReleaseNotes

@@ -0,0 +1,31 @@
+Cryptsetup 2.7.2 Release Notes
+==============================
+Stable bug-fix release.
+
+All users of cryptsetup 2.7 should upgrade to this version.
+
+Changes since version 2.7.1
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+* Fix activation of OPAL-only encrypted LUKS device with tokens.
+  The issue was caused by an invalid volume key check (assert)
+  that is impossible without software encryption.
+
+* Fix formatting of OPAL devices with 4096-byte sector size.
+
+* Fix incorrect OPAL locking range alignment calculation if used
+  over an unaligned device partition.
+
+* Add --hw-opal-factory-reset option description to the manual page.
+
+* Do not check the passphrase quality for OPAL Admin PIN,
+  as this passphrase already exists.
+
+* Update license for FAQ document to CC BY-SA 4.0.
+
+NOTE: Please note that with OPAL-only (--hw-opal-only) encryption,
+the configured OPAL administrator PIN (passphrase) allows unlocking
+all configured locking ranges without LUKS keyslot decryption
+(without knowledge of LUKS passphrase).
+Because of many observed problems with compatibility, cryptsetup
+currently DOES NOT use OPAL single-user mode, which would allow such
+decoupling of OPAL admin PIN access.

docs/v2.7.3-ReleaseNotes

@@ -0,0 +1,114 @@
+Cryptsetup 2.7.3 Release Notes
+==============================
+Stable bug-fix release with security fixes.
+
+All users of cryptsetup 2.7 must upgrade to this version.
+
+Changes since version 2.7.2
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Do not allow formatting LUKS2 with Opal SED (hardware encryption)
+  if the reported logical sector size for the block device and Opal
+  encryption logical block differs.
+
+  Such a configuration can lead to a partially encrypted Opal locking
+  range or data destruction following the expected locking range.
+
+  Some NVMe drives support multiple LBAF profiles (typically supporting
+  512-byte and 4096-byte sector size). Some broken Opal NVMe firmware can
+  report bogus encryption size that disagrees with real used sector size.
+  This usually happens after low-level NVMe reformatting (LBAF profile
+  change with nvme utility) to different sector size.
+  Moreover, some firmware versions do not properly reset this even after
+  explicit PSID revert.
+
+  Cryptsetup calculates the Opal locking range using the reported block
+  size in Opal geometry ioctl.  Unfortunately, the broken firmware drive
+  internally uses the logical block size of the block device, which can
+  differ. This can lead to two possible situations:
+
+  - Opal reports a smaller block size (512-byte) while the drive uses
+  a 4096-byte sector. The configured locking range is then much larger,
+  destroying data following the expected locking range setting.
+
+  - Opal reports a larger block size (4096-byte) while the drive uses
+  a 512-byte sector. The configured locking range is then much smaller,
+  leaving the remaining space in the locking range unencrypted (violating
+  the confidentiality of data).
+
+  Cryptsetup now detects this discrepancy and disallows LUKS2 format with
+  Opal hardware encryption in such a case.
+
+  For already formatted devices, you will see this warning:
+    "Bogus OPAL logical block size differs from device block size."
+
+  If you also used software encryption (dm-crypt over Opal), data will
+  still be fully encrypted with software dm-crypt.
+  With hw-only encryption,  your configuration is probably already broken
+  (insecure or accessing data beyond the assigned area).
+
+  Note that this is caused by bad firmware (seen with multiple vendors),
+  and the problem was reported, at least for drives we have access to.
+
+* Fixes to wiping LUKS2 headers after Opal locking area erase.
+
+  As the hardware locking range is destroyed (cryptsetup erase command),
+  the LUKS2 header is no longer usable and was partially wiped.
+  Now the code fully wipes also the secondary header, as the previous
+  code wiped only the primary LUKS area.
+
+  Note that this is an exception, as the normal erase command wipes only
+  the keyslots, keeping the LUKS2 header in place.  With Opal encryption,
+  the data segment is no longer valid, so the whole LUKS2 header is no
+  longer usable.
+
+* Mention the need for possible PSID revert before Opal format for some
+  drives (man page).
+
+* Fix Bitlocker-compatible code to ignore newly seen metadata entries.
+
+  Recent Windows OS versions started to include new (undocumented)
+  metadata entries in Bitlocker. These entries are now quietly ignored,
+  allowing Bitlocker images to open with cryptsetup again.
+
+* Fix interactive query retry if LUKS2 unbound keyslot is present.
+
+  If an unbound keyslot is present, the password query retry count is
+  now properly applied.
+
+* Detect unsupported zoned devices for LUKS header devices.
+
+  Zoned devices cannot be written with direct-io and used for LUKS header
+  logic in general. Code now rejects placing the LUKS header on a zoned
+  device, while you can still create a detached header and use a zoned
+  device for encrypted data.
+
+* Allow "capi" cipher format for benchmark command and fix parsing
+  of plain IV in "capi" format.
+
+  Some ciphers can be specified only in Linux kernel crypto notation
+  (in short, "capi"). Code now allows this format also for benchmark,
+  for example, "benchmark -c capi:xts\(aes\)-plain64"
+  (that is equivalent to -c aes-xts-plain64).
+
+* Add support for HCTR2 encryption mode.
+
+  The HCTR2 encryption mode was added to the Linux kernel for fscrypt,
+  but as it is a length-preserving mode (with sector tweak), it can be
+  easily used for disk encryption, too.
+  The mode has the same property as wide modes (any change is propagated
+  to the whole sector instead of only one block as in XTS mode).
+
+  As it needs a larger initialization vector (32 bytes), we need to add
+  an exception in the userspace format code.
+  You can now use --cipher aes-hctr2-plain64 for the format operation.
+
+* Source code now uses SPDX license identifiers instead of full
+  license preambles.
+
+* Fix missing includes for cryptographic backend that could cause
+  compilation errors for some systems.
+
+* Fix tests to work correctly in FIPS mode with recent OpenSSL 3.2.
+
+* Fix various (mostly false positive) issues detected by Coverity.

docs/v2.7.4-ReleaseNotes

@@ -0,0 +1,62 @@
+Cryptsetup 2.7.4 Release Notes
+==============================
+Stable bug-fix release.
+
+All users of cryptsetup 2.7 should upgrade to this version.
+
+Changes since version 2.7.3
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Detect device busy failure for device-mapper table-referenced devices.
+
+  Some device-mapper ioctl failures can disappear in libdevmapper,
+  causing the libcryptsetup wrapper to return an invalid error (EINVAL)
+  instead of EEXIST or EBUSY. One such case is when there is a device
+  creation race, and the device-mapper device name is created, but
+  the following mapping table load fails. This can happen because some
+  block devices used in table mapping have already been claimed by
+  another process (the kernel needs exclusive access).
+
+  The kernel ioctl properly returns EBUSY; this errno is lost in
+  libdevmapper (dm_task_get_errno returns 0). It should be fixed by
+  libdevmapper in the future.
+
+  Such behavior was seen in the systemd way of handling dm-verity
+  devices. With these changes, the code should react for EEXIST and
+  EBUSY, as another process has already activated the device.
+
+  Code calling libcryptsetup also must not check the underlying device
+  with an exclusive open flag (O_EXCL). Otherwise, it could cause a race
+  in the kernel device-mapper, resulting in no process succeeding device
+  activation (see also CRYPT_ACTIVATE_SHARED flag below).
+
+* Fix shared activation for dm-verity devices.
+
+  The CRYPT_ACTIVATE_SHARED flag was silently ignored when activating
+  dm-verity devices. Dm-verity shared activation is generally safe
+  since all verity devices are read-only.
+
+  The shared flag is a way to skip the exclusive access check for the
+  device, allowing it to create multiple mappings with the same device or
+  properly handle a racy concurrent activation of devices with the same
+  name from different processes.
+
+* Add --shared option for veritysetup open action.
+
+  The option allows the data device to be used in multiple device-mapper
+  table mappings (skip exclusive access check) or to allow concurrent
+  dm-verity device activation of the same device (only one process
+  succeeds in this case; the other will return EEXIST or EBUSY).
+
+* Do not use exclusive flag for the allocated backing loop files.
+
+  Using this flag is an undefined operation for opening an existing file.
+  The flag should be used only for allocated loop (block) devices.
+
+* Fixes for problems found by static analyzers and Valgrind.
+
+  These include fixes for non-default libgcrypt, NSS, and Nettle
+  cryptographic backends, buffer operations to avoid partial read/write,
+  and several other workarounds for mostly false positive warnings.
+
+* Fixes to tests and CI scripts.

docs/v2.7.5-ReleaseNotes

@@ -0,0 +1,23 @@
+Cryptsetup 2.7.5 Release Notes
+==============================
+Stable bug-fix release.
+
+All users of cryptsetup 2.7 must upgrade to this version.
+
+Changes since version 2.7.4
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+* Fix possible online reencryption data corruption (only in 2.7.x).
+
+  In some situations (initializing a suspended device-mapper device),
+  cryptsetup disabled direct-io device access. This caused unsafe
+  online reencryption operations that could lead to data corruption.
+  The code now adds strict checks (and aborts the operation) and
+  changes direct-io detection code to prevent data corruption.
+
+* Fix a clang compilation error in SSH token plugin.
+
+  As clang linker treats missing symbols as errors, the linker phase
+  for the SSH token failed as the optional cryptsetup_token_buffer_free
+  was not defined.
+
+* Fix crypto backend initialization in crypt_format_luks2_opal API call.

lib/bitlk/bitlk.c

@@ -1,23 +1,10 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * BITLK (BitLocker-compatible) volume handling
  *
  * Copyright (C) 2019-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2019-2024 Milan Broz
  * Copyright (C) 2019-2024 Vojtech Trefny
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <errno.h>
@@ -324,6 +311,9 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
 		/* unknown timestamps in recovery protected VMK */
 		} else if (key_entry_value == BITLK_ENTRY_VALUE_RECOVERY_TIME) {
 			;
+		/* optional hint (?) string (masked email?), we can safely ignore it */
+		} else if (key_entry_value == BITLK_ENTRY_VALUE_HINT) {
+			;
 		} else if (key_entry_value == BITLK_ENTRY_VALUE_STRING) {
 			if (key_entry_size < BITLK_ENTRY_HEADER_LEN)
 				return -EINVAL;
@@ -353,6 +343,9 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
 		/* no idea what this is, lets hope it's not important */
 		} else if (key_entry_value == BITLK_ENTRY_VALUE_USE_KEY && (*vmk)->protection == BITLK_PROTECTION_STARTUP_KEY) {
 			;
+		/* quietly ignore unsupported TPM key */
+		} else if (key_entry_value == BITLK_ENTRY_VALUE_TPM_KEY && (*vmk)->protection == BITLK_PROTECTION_TPM) {
+			;
 		} else {
 			if (supported) {
 				log_err(cd, _("Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."), key_entry_value);

lib/bitlk/bitlk.h

@@ -1,23 +1,10 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * BITLK (BitLocker-compatible) header definition
  *
  * Copyright (C) 2019-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2019-2024 Milan Broz
  * Copyright (C) 2019-2024 Vojtech Trefny
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #ifndef _CRYPTSETUP_BITLK_H
@@ -78,6 +65,7 @@ typedef enum {
 	BITLK_ENTRY_VALUE_OFFSET_SIZE = 0x000f,
 	BITLK_ENTRY_VALUE_RECOVERY_TIME = 0x015,
 	BITLK_ENTRY_VALUE_GUID = 0x0017,
+	BITLK_ENTRY_VALUE_HINT = 0x0018,
 } BITLKFVEEntryValue;
 
 struct bitlk_vmk {

lib/crypt_plain.c

@@ -1,23 +1,10 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * cryptsetup plain device helper functions
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2010-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <string.h>

lib/crypto_backend/argon2_generic.c

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * Argon2 PBKDF2 library wrapper
  *
  * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2016-2024 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <errno.h>

lib/crypto_backend/base64.c

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * Base64 "Not encryption" helpers, copied and adapted from systemd project.
  *
@@ -5,20 +6,6 @@
  *
  * cryptsetup related changes
  * Copyright (C) 2021-2024 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <errno.h>

lib/crypto_backend/cipher_check.c

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * Cipher performance check
  *
  * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2018-2024 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <errno.h>

lib/crypto_backend/cipher_generic.c

@@ -1,27 +1,13 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * Linux kernel cipher generic utilities
  *
  * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2018-2024 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
-#include <string.h>
-#include <stdbool.h>
 #include <errno.h>
+#include <strings.h>
 #include "crypto_backend.h"
 
 struct cipher_alg {
@@ -76,6 +62,9 @@ int crypt_cipher_ivsize(const char *name, const char *mode)
 	if (!ca)
 		return -EINVAL;
 
+	if (mode && !strcasecmp(mode, "hctr2"))
+		return 32;
+
 	if (mode && !strcasecmp(mode, "ecb"))
 		return 0;
 

lib/crypto_backend/crc32.c

@@ -38,8 +38,6 @@
  *
  */
 
-#include <stdio.h>
-
 #include "crypto_backend.h"
 
 static const uint32_t crc32_tab[] = {

lib/crypto_backend/crypto_backend.h

@@ -1,23 +1,11 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * crypto backend implementation
  *
  * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2010-2024 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
+
 #ifndef _CRYPTO_BACKEND_H
 #define _CRYPTO_BACKEND_H
 

lib/crypto_backend/crypto_backend_internal.h

@@ -1,29 +1,17 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * crypto backend implementation
  *
  * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2010-2024 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
+
 #ifndef _CRYPTO_BACKEND_INTERNAL_H
 #define _CRYPTO_BACKEND_INTERNAL_H
 
 #include "crypto_backend.h"
 
-/* internal PBKDF2 implementation */
+/* Internal PBKDF2 implementation */
 int pkcs5_pbkdf2(const char *hash,
 		 const char *P, size_t Plen,
 		 const char *S, size_t Slen,

lib/crypto_backend/crypto_cipher_kernel.c

@@ -1,28 +1,13 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * Linux kernel userspace API crypto backend implementation (skcipher)
  *
  * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2012-2024 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
-#include <string.h>
 #include <stdlib.h>
 #include <stdio.h>
-#include <stdbool.h>
 #include <errno.h>
 #include <unistd.h>
 #include <sys/socket.h>
@@ -101,9 +86,13 @@ int crypt_cipher_init_kernel(struct crypt_cipher_kernel *ctx, const char *name,
 	if (!strcmp(name, "cipher_null"))
 		key_length = 0;
 
-	r = snprintf((char *)sa.salg_name, sizeof(sa.salg_name), "%s(%s)", mode, name);
-	if (r < 0 || (size_t)r >= sizeof(sa.salg_name))
-		return -EINVAL;
+	if (!strncmp(name, "capi:", 5))
+		strncpy((char *)sa.salg_name, &name[5], sizeof(sa.salg_name) - 1);
+	else {
+		r = snprintf((char *)sa.salg_name, sizeof(sa.salg_name), "%s(%s)", mode, name);
+		if (r < 0 || (size_t)r >= sizeof(sa.salg_name))
+			return -EINVAL;
+	}
 
 	return _crypt_cipher_init(ctx, key, key_length, 0, &sa);
 }

lib/crypto_backend/crypto_gcrypt.c

@@ -1,27 +1,14 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * GCRYPT crypto backend implementation
  *
  * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2010-2024 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
-#include <string.h>
 #include <stdio.h>
 #include <errno.h>
+#include <strings.h>
 #include <gcrypt.h>
 #include <pthread.h>
 #include "crypto_backend_internal.h"
@@ -64,7 +51,6 @@ static void crypt_hash_test_whirlpool_bug(void)
 {
 	struct crypt_hash *h;
 	char buf[2] = "\0\0", hash_out1[64], hash_out2[64];
-	int r;
 
 	if (crypto_backend_whirlpool_bug >= 0)
 		return;
@@ -74,16 +60,16 @@ static void crypt_hash_test_whirlpool_bug(void)
 		return;
 
 	/* One shot */
-	if ((r = crypt_hash_write(h, &buf[0], 2)) ||
-	    (r = crypt_hash_final(h, hash_out1, 64))) {
+	if (crypt_hash_write(h, &buf[0], 2) ||
+	    crypt_hash_final(h, hash_out1, 64)) {
 		crypt_hash_destroy(h);
 		return;
 	}
 
 	/* Split buf (crypt_hash_final resets hash state) */
-	if ((r = crypt_hash_write(h, &buf[0], 1)) ||
-	    (r = crypt_hash_write(h, &buf[1], 1)) ||
-	    (r = crypt_hash_final(h, hash_out2, 64))) {
+	if (crypt_hash_write(h, &buf[0], 1) ||
+	    crypt_hash_write(h, &buf[1], 1) ||
+	    crypt_hash_final(h, hash_out2, 64)) {
 		crypt_hash_destroy(h);
 		return;
 	}

lib/crypto_backend/crypto_kernel.c

@@ -1,25 +1,11 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * Linux kernel userspace API crypto backend implementation
  *
  * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2010-2024 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
-#include <string.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <errno.h>

lib/crypto_backend/crypto_nettle.c

@@ -1,26 +1,12 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * Nettle crypto backend implementation
  *
  * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2011-2024 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <stdlib.h>
-#include <string.h>
 #include <errno.h>
 #include <nettle/sha.h>
 #include <nettle/sha3.h>
@@ -298,8 +284,7 @@ int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
 	h = malloc(sizeof(*h));
 	if (!h)
 		return -ENOMEM;
-	memset(ctx, 0, sizeof(*ctx));
-
+	memset(h, 0, sizeof(*h));
 
 	h->hash = _get_alg(name);
 	if (!h->hash) {

lib/crypto_backend/crypto_nss.c

@@ -1,25 +1,12 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * NSS crypto backend implementation
  *
  * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2010-2024 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
-#include <string.h>
+#include <stdio.h>
 #include <errno.h>
 #include <nss.h>
 #include <pk11pub.h>
@@ -220,8 +207,7 @@ int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
 	h = malloc(sizeof(*h));
 	if (!h)
 		return -ENOMEM;
-	memset(ctx, 0, sizeof(*ctx));
-
+	memset(h, 0, sizeof(*h));
 
 	h->hash = _get_alg(name);
 	if (!h->hash)

lib/crypto_backend/crypto_openssl.c

@@ -1,36 +1,15 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later WITH cryptsetup-OpenSSL-exception
 /*
  * OPENSSL crypto backend implementation
  *
  * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2010-2024 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * In addition, as a special exception, the copyright holders give
- * permission to link the code of portions of this program with the
- * OpenSSL library under certain conditions as described in each
- * individual source file, and distribute linked combinations
- * including the two.
- *
- * You must obey the GNU Lesser General Public License in all respects
- * for all of the code used other than OpenSSL.
  */
 
-#include <string.h>
+#include <stdio.h>
 #include <errno.h>
 #include <limits.h>
+#include <strings.h>
 #include <openssl/crypto.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
@@ -645,7 +624,7 @@ static int openssl_argon2(const char *type, const char *password, size_t passwor
 	ctx = EVP_KDF_CTX_new(argon2);
 	if (!ctx) {
 		EVP_KDF_free(argon2);
-		return -EINVAL;;
+		return -EINVAL;
 	}
 
 	if (EVP_KDF_CTX_set_params(ctx, params) != 1) {

lib/crypto_backend/crypto_storage.c

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * Generic wrapper for storage encryption modes and Initial Vectors
  * (reimplementation of some functions from Linux dm-crypt kernel)
  *
  * Copyright (C) 2014-2024 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <stdlib.h>
@@ -261,7 +248,7 @@ int crypt_storage_init(struct crypt_storage **ctx,
 	}
 
 	s->sector_size = sector_size;
-	s->iv_shift = large_iv ? int_log2(sector_size) - SECTOR_SHIFT : 0;
+	s->iv_shift = large_iv ? (unsigned)int_log2(sector_size) - SECTOR_SHIFT : 0;
 
 	*ctx = s;
 	return 0;

lib/crypto_backend/pbkdf2_generic.c

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * Implementation of Password-Based Cryptography as per PKCS#5
  * Copyright (C) 2002,2003 Simon Josefsson
@@ -6,21 +7,6 @@
  * cryptsetup related changes
  * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2012-2024 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
  */
 
 #include <errno.h>

lib/crypto_backend/pbkdf_check.c

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * PBKDF performance check
  * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2012-2024 Milan Broz
  * Copyright (C) 2016-2020 Ondrej Mosnacek
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <stdlib.h>

lib/crypto_backend/utf8.c

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * UTF8/16 helpers, copied and adapted from systemd project.
  *
@@ -12,20 +13,6 @@
  *
  * Copyright (C) 1999 Tom Tromey
  * Copyright (C) 2000 Red Hat, Inc.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Library General Public
- * License as published by the Free Software Foundation; either
- * version 2 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Library General Public License for more details.
- *
- * You should have received a copy of the GNU Library General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
  */
 
 #include <errno.h>
@@ -230,6 +217,7 @@ static size_t utf16_encode_unichar(char16_t *out, char32_t c)
 		return 1;
 
 	case 0x10000U ... 0x10ffffU:
+		/* coverity[overflow_const:FALSE] */
 		c -= 0x10000U;
 		out[0] = htole16((c >> 10) + 0xd800U);
 		out[1] = htole16((c & 0x3ffU) + 0xdc00U);

lib/fvault2/fvault2.c

@@ -1,21 +1,8 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * FVAULT2 (FileVault2-compatible) volume handling
  *
  * Copyright (C) 2021-2022 Pavel Tobias
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <errno.h>

lib/fvault2/fvault2.h

@@ -1,21 +1,8 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * FVAULT2 (FileVault2-compatible) volume handling
  *
  * Copyright (C) 2021-2022 Pavel Tobias
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #ifndef _CRYPTSETUP_FVAULT2_H

lib/integrity/integrity.c

@@ -1,21 +1,8 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * Integrity volume handling
  *
  * Copyright (C) 2016-2024 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <errno.h>

lib/integrity/integrity.h

@@ -1,21 +1,8 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * Integrity header definition
  *
  * Copyright (C) 2016-2024 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #ifndef _CRYPTSETUP_INTEGRITY_H

lib/internal.h

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * libcryptsetup - cryptsetup library internal
  *
@@ -5,20 +6,6 @@
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
  * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2009-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #ifndef INTERNAL_H
@@ -116,6 +103,7 @@ void device_disable_direct_io(struct device *device);
 int device_is_identical(struct device *device1, struct device *device2);
 int device_is_rotational(struct device *device);
 int device_is_dax(struct device *device);
+int device_is_zoned(struct device *device);
 size_t device_alignment(struct device *device);
 int device_direct_io(const struct device *device);
 int device_fallocate(struct device *device, uint64_t size);
@@ -166,6 +154,7 @@ int crypt_confirm(struct crypt_device *cd, const char *msg);
 char *crypt_lookup_dev(const char *dev_id);
 int crypt_dev_is_rotational(int major, int minor);
 int crypt_dev_is_dax(int major, int minor);
+int crypt_dev_is_zoned(int major, int minor);
 int crypt_dev_is_partition(const char *dev_path);
 char *crypt_get_partition_device(const char *dev_path, uint64_t offset, uint64_t size);
 int crypt_dev_get_partition_number(const char *dev_path);
@@ -266,6 +255,8 @@ static inline void *crypt_zalloc(size_t size) { return calloc(1, size); }
 static inline bool uint64_mult_overflow(uint64_t *u, uint64_t b, size_t size)
 {
 	*u = (uint64_t)b * size;
+	if (size == 0)
+		return true;
 	if ((uint64_t)(*u / size) != b)
 		return true;
 	return false;

lib/keyslot_context.c

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * LUKS - Linux Unified Key Setup, keyslot unlock helpers
  *
  * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2022-2024 Ondrej Kozina
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <errno.h>

lib/keyslot_context.h

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * LUKS - Linux Unified Key Setup, keyslot unlock helpers
  *
  * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2022-2024 Ondrej Kozina
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #ifndef KEYSLOT_CONTEXT_H

lib/libcryptsetup.h

@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
 /*
  * libcryptsetup - cryptsetup library
  *
@@ -5,20 +6,6 @@
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
  * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2009-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 /**
@@ -3032,6 +3019,8 @@ __attribute__((deprecated));
  * @param usrptr progress specific data
  *
  * @return @e 0 on success or negative errno value otherwise.
+ *
+ * @note A @e progress callback can interrupt reencryption process by returning non-zero code.
  */
 int crypt_reencrypt_run(struct crypt_device *cd,
 		    int (*progress)(uint64_t size, uint64_t offset, void *usrptr),

lib/libcryptsetup_macros.h

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * Definitions of common constant and generic macros of libcryptsetup
  *
  * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2009-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #ifndef _LIBCRYPTSETUP_MACROS_H

lib/libcryptsetup_symver.h

@@ -1,21 +1,8 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * Helpers for defining versioned symbols
  *
  * Copyright (C) 2021-2024 Red Hat, Inc. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #ifndef _LIBCRYPTSETUP_SYMVER_H

lib/libdevmapper.c

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * libdevmapper - device-mapper backend for cryptsetup
  *
@@ -5,20 +6,6 @@
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
  * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2009-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <stdio.h>
@@ -1281,6 +1268,48 @@ err:
 	return r;
 }
 
+static bool device_disappeared(struct crypt_device *cd, struct device *device, const char *type)
+{
+	struct stat st;
+
+	if (!device)
+		return false;
+
+	/*
+	 * Cannot use device_check_access(cd, device, DEV_OK) as it always accesses block device,
+	 * we want to check for underlying file presence (if device is an image).
+	 */
+	if (stat(device_path(device), &st) < 0) {
+		log_dbg(cd, "%s device %s disappeared.", type, device_path(device));
+		return true;
+	}
+
+	log_dbg(cd, "%s device %s is OK.", type, device_path(device));
+	return false;
+}
+
+static bool dm_table_devices_disappeared(struct crypt_device *cd, struct crypt_dm_active_device *dmd)
+{
+	struct dm_target *tgt = &dmd->segment;
+
+	do {
+		if (device_disappeared(cd, tgt->data_device, "Data"))
+			return true;
+		if (tgt->type == DM_VERITY) {
+			if (device_disappeared(cd, tgt->u.verity.hash_device, "Hash"))
+				return true;
+			if (device_disappeared(cd, tgt->u.verity.fec_device, "FEC"))
+				return true;
+		} else if (tgt->type == DM_INTEGRITY) {
+			if (device_disappeared(cd, tgt->u.integrity.meta_device, "Integrity meta"))
+				return true;
+		}
+		tgt = tgt->next;
+	} while (tgt);
+
+	return false;
+}
+
 static int _dm_create_device(struct crypt_device *cd, const char *name, const char *type,
 			     struct crypt_dm_active_device *dmd)
 {
@@ -1331,8 +1360,8 @@ static int _dm_create_device(struct crypt_device *cd, const char *name, const ch
 		goto out;
 
 	if (!dm_task_run(dmt)) {
-
 		r = -dm_task_get_errno(dmt);
+		log_dbg(cd, "DM create task failed, dm_task errno: %i.", r);
 		if (r == -ENOKEY || r == -EKEYREVOKED || r == -EKEYEXPIRED) {
 			/* propagate DM errors around key management as such */
 			r = -ENOKEY;
@@ -1340,10 +1369,34 @@ static int _dm_create_device(struct crypt_device *cd, const char *name, const ch
 		}
 
 		r = dm_status_device(cd, name);
-		if (r >= 0)
+		log_dbg(cd, "Device status returned %i.", r);
+		if (r >= 0 || r == -EEXIST) {
 			r = -EEXIST;
-		if (r != -EEXIST && r != -ENODEV)
+			goto out;
+		}
+
+		/* EEXIST above has priority */
+		if (dm_task_get_errno(dmt) == EBUSY) {
+			r = -EBUSY;
+			goto out;
+		}
+
+		if (r != -ENODEV) {
 			r = -EINVAL;
+			goto out;
+		}
+
+		/* dm-ioctl failed => -ENODEV */
+		if (dm_task_get_errno(dmt) == ENXIO)
+			goto out;
+
+		/* Some device or file node disappeared => -ENODEV */
+		if (dm_table_devices_disappeared(cd, dmd))
+			goto out;
+
+		/* Bail out with EBUSY better than sleep and retry. */
+		log_dbg(cd, "No referenced device missing, some device in use.");
+		r = -EBUSY;
 		goto out;
 	}
 
@@ -1844,7 +1897,7 @@ int dm_status_suspended(struct crypt_device *cd, const char *name)
 	r = dm_status_dmi(name, &dmi, NULL, NULL);
 	dm_exit_context();
 
-	if (r < 0)
+	if (r < 0 && r != -EEXIST)
 		return r;
 
 	return dmi.suspended ? 1 : 0;

lib/loopaes/loopaes.c

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * loop-AES compatible volume handling
  *
  * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2011-2024 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <errno.h>
@@ -158,7 +145,7 @@ int LOOPAES_parse_keyfile(struct crypt_device *cd,
 	key_lengths[0] = 0;
 	while (offset < buffer_len && key_index < LOOPAES_KEYS_MAX) {
 		keys[key_index] = &buffer[offset];
-		key_lengths[key_index] = 0;;
+		key_lengths[key_index] = 0;
 		while (offset < buffer_len && buffer[offset]) {
 			offset++;
 			key_lengths[key_index]++;

lib/loopaes/loopaes.h

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * loop-AES compatible volume handling
  *
  * Copyright (C) 2011-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2011-2024 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #ifndef _LOOPAES_H

lib/luks1/af.c

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * AFsplitter - Anti forensic information splitter
  *
@@ -6,20 +7,6 @@
  *
  * AFsplitter diffuses information over a large stripe of data,
  * therefore supporting secure data destruction.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Library General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <stddef.h>

lib/luks1/af.h

@@ -1,26 +1,11 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * AFsplitter - Anti forensic information splitter
  *
  * Copyright (C) 2004 Clemens Fruhwirth <clemens@endorphin.org>
  * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- *
- * AFsplitter diffuses information over a large stripe of data,
- * therefore supporting secure data destruction.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Library General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
+
 #ifndef INCLUDED_CRYPTSETUP_LUKS_AF_H
 #define INCLUDED_CRYPTSETUP_LUKS_AF_H
 

lib/luks1/keyencryption.c

@@ -1,23 +1,10 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * LUKS - Linux Unified Key Setup
  *
  * Copyright (C) 2004-2006 Clemens Fruhwirth <clemens@endorphin.org>
  * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2012-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <stdio.h>

lib/luks1/keymanage.c

@@ -1,23 +1,10 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * LUKS - Linux Unified Key Setup
  *
  * Copyright (C) 2004-2006 Clemens Fruhwirth <clemens@endorphin.org>
  * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2013-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <sys/types.h>

lib/luks1/luks.h

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * LUKS - Linux Unified Key Setup
  *
  * Copyright (C) 2004-2006 Clemens Fruhwirth <clemens@endorphin.org>
  * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #ifndef INCLUDED_CRYPTSETUP_LUKS_LUKS_H

lib/luks2/hw_opal/hw_opal.c

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * OPAL utilities
  *
  * Copyright (C) 2022-2023 Luca Boccassi <bluca@debian.org>
  *               2023 Ondrej Kozina <okozina@redhat.com>
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <stdio.h>
@@ -41,6 +28,7 @@
 #if HAVE_HW_OPAL
 
 #include <linux/sed-opal.h>
+#include <linux/fs.h>
 
 /* Error codes are defined in the specification:
  * TCG_Storage_Architecture_Core_Spec_v2.01_r1.00
@@ -290,6 +278,7 @@ static int opal_range_check_attributes_fd(struct crypt_device *cd,
 {
 	int r;
 	struct opal_lr_status *lrs;
+	int device_block_bytes;
 	uint32_t opal_block_bytes = 0;
 	uint64_t offset, length;
 	bool read_locked, write_locked;
@@ -297,12 +286,17 @@ static int opal_range_check_attributes_fd(struct crypt_device *cd,
 	assert(fd >= 0);
 	assert(cd);
 	assert(vk);
+	assert(check_offset_sectors);
+	assert(check_length_sectors);
 
-	if (check_offset_sectors || check_length_sectors) {
-		r = opal_geometry_fd(cd, fd, NULL, &opal_block_bytes, NULL, NULL);
-		if (r != OPAL_STATUS_SUCCESS)
-			return -EINVAL;
-	}
+	r = opal_geometry_fd(cd, fd, NULL, &opal_block_bytes, NULL, NULL);
+	if (r != OPAL_STATUS_SUCCESS)
+		return -EINVAL;
+
+	/* Keep this as warning only */
+	if (ioctl(fd, BLKSSZGET, &device_block_bytes) < 0 ||
+	    (uint32_t)device_block_bytes != opal_block_bytes)
+		log_err(cd, _("Bogus OPAL logical block size differs from device block size."));
 
 	lrs = crypt_safe_alloc(sizeof(*lrs));
 	if (!lrs)
@@ -329,22 +323,18 @@ static int opal_range_check_attributes_fd(struct crypt_device *cd,
 
 	r = 0;
 
-	if (check_offset_sectors) {
-		offset = lrs->range_start * opal_block_bytes / SECTOR_SIZE;
-		if (offset != *check_offset_sectors) {
-			log_err(cd, _("OPAL range %d offset %" PRIu64 " does not match expected values %" PRIu64 "."),
-				segment_number, offset, *check_offset_sectors);
-			r = -EINVAL;
-		}
+	offset = lrs->range_start * opal_block_bytes / SECTOR_SIZE;
+	if (offset != *check_offset_sectors) {
+		log_err(cd, _("OPAL range %d offset %" PRIu64 " does not match expected values %" PRIu64 "."),
+			segment_number, offset, *check_offset_sectors);
+		r = -EINVAL;
 	}
 
-	if (check_length_sectors) {
-		length = lrs->range_length * opal_block_bytes / SECTOR_SIZE;
-		if (length != *check_length_sectors) {
-			log_err(cd, _("OPAL range %d length %" PRIu64" does not match device length %" PRIu64 "."),
-				segment_number, length, *check_length_sectors);
-			r = -EINVAL;
-		}
+	length = lrs->range_length * opal_block_bytes / SECTOR_SIZE;
+	if (length != *check_length_sectors) {
+		log_err(cd, _("OPAL range %d length %" PRIu64" does not match device length %" PRIu64 "."),
+			segment_number, length, *check_length_sectors);
+		r = -EINVAL;
 	}
 
 	if (!lrs->RLE || !lrs->WLE) {
@@ -405,8 +395,9 @@ static int opal_enabled(struct crypt_device *cd, struct device *dev)
 int opal_setup_ranges(struct crypt_device *cd,
 		      struct device *dev,
 		      const struct volume_key *vk,
-		      uint64_t range_start,
-		      uint64_t range_length,
+		      uint64_t range_start_blocks,
+		      uint64_t range_length_blocks,
+		      uint32_t opal_block_bytes,
 		      uint32_t segment_number,
 		      const void *admin_key,
 		      size_t admin_key_len)
@@ -423,10 +414,15 @@ int opal_setup_ranges(struct crypt_device *cd,
 	assert(vk);
 	assert(admin_key);
 	assert(vk->keylength <= OPAL_KEY_MAX);
+	assert(opal_block_bytes >= SECTOR_SIZE);
 
 	if (admin_key_len > OPAL_KEY_MAX)
 		return -EINVAL;
 
+	if (((UINT64_MAX / opal_block_bytes) < range_start_blocks) ||
+	    ((UINT64_MAX / opal_block_bytes) < range_length_blocks))
+		return -EINVAL;
+
 	fd = device_open(cd, dev, O_RDONLY);
 	if (fd < 0)
 		return -EIO;
@@ -604,8 +600,8 @@ int opal_setup_ranges(struct crypt_device *cd,
 		goto out;
 	}
 	*setup = (struct opal_user_lr_setup) {
-		.range_start = range_start,
-		.range_length = range_length,
+		.range_start = range_start_blocks,
+		.range_length = range_length_blocks,
 		/* Some drives do not enable Locking Ranges on setup. This have some
 		 * interesting consequences: Lock command called later below will pass,
 		 * but locking range will _not_ be locked at all.
@@ -658,9 +654,10 @@ int opal_setup_ranges(struct crypt_device *cd,
 	}
 
 	/* Double check the locking range is locked and the ranges are set up as configured */
-	r = opal_range_check_attributes_fd(cd, fd, segment_number, vk, &range_start,
-					   &range_length, &(bool) {true}, &(bool){true},
-					   NULL, NULL);
+	r = opal_range_check_attributes_fd(cd, fd, segment_number, vk,
+					   &(uint64_t) {range_start_blocks * opal_block_bytes / SECTOR_SIZE},
+					   &(uint64_t) {range_length_blocks * opal_block_bytes / SECTOR_SIZE},
+					   &(bool) {true}, &(bool){true}, NULL, NULL);
 out:
 	crypt_safe_free(activate);
 	crypt_safe_free(user_session);
@@ -1011,8 +1008,9 @@ void opal_exclusive_unlock(struct crypt_device *cd, struct crypt_lock_handle *op
 int opal_setup_ranges(struct crypt_device *cd,
 		      struct device *dev,
 		      const struct volume_key *vk,
-		      uint64_t range_start,
-		      uint64_t range_length,
+		      uint64_t range_start_blocks,
+		      uint64_t range_length_blocks,
+		      uint32_t opal_block_bytes,
 		      uint32_t segment_number,
 		      const void *admin_key,
 		      size_t admin_key_len)

lib/luks2/hw_opal/hw_opal.h

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * OPAL utilities
  *
  * Copyright (C) 2022-2023 Luca Boccassi <bluca@debian.org>
  *               2023 Ondrej Kozina <okozina@redhat.com>
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #ifndef _UTILS_OPAL
@@ -29,8 +16,9 @@ struct crypt_lock_handle;
 int opal_setup_ranges(struct crypt_device *cd,
 		      struct device *dev,
 		      const struct volume_key *vk,
-		      uint64_t range_start,
-		      uint64_t range_length,
+		      uint64_t range_start_blocks,
+		      uint64_t range_length_blocks,
+		      uint32_t opal_block_bytes,
 		      uint32_t segment_number,
 		      const void *admin_key,
 		      size_t admin_key_len);

lib/luks2/luks2.h

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * LUKS - Linux Unified Key Setup v2
  *
  * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2015-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #ifndef _CRYPTSETUP_LUKS2_ONDISK_H
@@ -158,6 +145,8 @@ struct luks2_keyslot_params {
 
 #define LUKS2_HDR_OFFSET_MAX 0x400000 /* 4 MiB */
 
+#define LUKS2_HDR_MAX_MDA_SIZE 2 * LUKS2_HDR_OFFSET_MAX + LUKS2_MAX_KEYSLOTS_SIZE
+
 /* Offsets for secondary header (for scan if primary header is corrupted). */
 #define LUKS2_HDR2_OFFSETS { 0x04000, 0x008000, 0x010000, 0x020000, \
                              0x40000, 0x080000, 0x100000, 0x200000, LUKS2_HDR_OFFSET_MAX }
@@ -402,7 +391,7 @@ int LUKS2_check_metadata_area_size(uint64_t metadata_size);
 int LUKS2_check_keyslots_area_size(uint64_t keyslots_size);
 
 int LUKS2_wipe_header_areas(struct crypt_device *cd,
-	struct luks2_hdr *hdr, bool detached_header);
+	struct luks2_hdr *hdr);
 
 uint64_t LUKS2_get_data_offset(struct luks2_hdr *hdr);
 int LUKS2_get_data_size(struct luks2_hdr *hdr, uint64_t *size, bool *dynamic);

lib/luks2/luks2_digest.c

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * LUKS - Linux Unified Key Setup v2, digest handling
  *
  * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2015-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include "luks2_internal.h"

lib/luks2/luks2_digest_pbkdf2.c

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * LUKS - Linux Unified Key Setup v2, PBKDF2 digest handler (LUKS1 compatible)
  *
  * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2015-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include "luks2_internal.h"

lib/luks2/luks2_disk_metadata.c

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * LUKS - Linux Unified Key Setup v2
  *
  * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2015-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include "luks2_internal.h"

lib/luks2/luks2_internal.h

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * LUKS - Linux Unified Key Setup v2
  *
  * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2015-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #ifndef _CRYPTSETUP_LUKS2_INTERNAL_H

lib/luks2/luks2_json_format.c

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * LUKS - Linux Unified Key Setup v2, LUKS2 header format code
  *
  * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2015-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include "luks2_internal.h"
@@ -326,40 +313,43 @@ err:
 }
 
 int LUKS2_wipe_header_areas(struct crypt_device *cd,
-	struct luks2_hdr *hdr, bool detached_header)
+	struct luks2_hdr *hdr)
 {
 	int r;
-	uint64_t offset, length;
-	size_t wipe_block;
+	uint64_t device_size_bytes, length, offset;
+	size_t wipe_block = 1024 * 1024;
 
-	/* Wipe complete header, keyslots and padding areas with zeroes. */
-	offset = 0;
-	length = LUKS2_get_data_offset(hdr) * SECTOR_SIZE;
-	wipe_block = 1024 * 1024;
-
-	if (LUKS2_hdr_validate(cd, hdr->jobj, hdr->hdr_size - LUKS2_HDR_BIN_LEN))
+	if (!hdr || LUKS2_hdr_validate(cd, hdr->jobj, hdr->hdr_size - LUKS2_HDR_BIN_LEN))
 		return -EINVAL;
 
-	/* On detached header wipe at least the first 4k */
-	if (detached_header) {
-		length = 4096;
-		wipe_block = 4096;
-	}
+	r = device_size(crypt_metadata_device(cd), &device_size_bytes);
+	if (r < 0)
+		return -EINVAL;
 
-	r = device_check_size(cd, crypt_metadata_device(cd), length, 1);
-	if (r)
-		return r;
+	/* Wipe up to maximal allowed metadata size, but do not write beyond data offset. */
+	length = LUKS2_get_data_offset(hdr) * SECTOR_SIZE;
+	if (!length || length > LUKS2_HDR_MAX_MDA_SIZE)
+		length = LUKS2_HDR_MAX_MDA_SIZE;
+
+	/* Also do not extend the device size yet (file backends) */
+	if (length > device_size_bytes)
+		length = device_size_bytes;
 
 	log_dbg(cd, "Wiping LUKS areas (0x%06" PRIx64 " - 0x%06" PRIx64") with zeroes.",
-		offset, length + offset);
+		0ULL, length);
 
-	r = crypt_wipe_device(cd, crypt_metadata_device(cd), CRYPT_WIPE_ZERO,
-			      offset, length, wipe_block, NULL, NULL);
+	r = crypt_wipe_device(cd, crypt_metadata_device(cd), CRYPT_WIPE_ZERO, 0,
+			      length, wipe_block, NULL, NULL);
 	if (r < 0)
 		return r;
 
+	/* Allocate at least actual LUKS2 metadata size */
+	r = device_check_size(cd, crypt_metadata_device(cd),
+			      LUKS2_hdr_and_areas_size(hdr), 1);
+	if (r)
+		return r;
+
 	/* Wipe keyslot area */
-	wipe_block = 1024 * 1024;
 	offset = get_min_offset(hdr);
 	length = LUKS2_keyslots_size(hdr);
 

lib/luks2/luks2_json_metadata.c

@@ -1,23 +1,10 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * LUKS - Linux Unified Key Setup v2
  *
  * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2015-2024 Milan Broz
  * Copyright (C) 2015-2024 Ondrej Kozina
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include "luks2_internal.h"

lib/luks2/luks2_keyslot.c

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * LUKS - Linux Unified Key Setup v2, keyslot handling
  *
  * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2015-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include "luks2_internal.h"
@@ -428,11 +415,13 @@ static int LUKS2_keyslot_open_priority_digest(struct crypt_device *cd,
 {
 	json_object *jobj_keyslots, *jobj;
 	crypt_keyslot_priority slot_priority;
-	int keyslot, r = -ENOENT;
+	int keyslot, r = -ENOENT, r_old;
 
 	json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots);
 
 	json_object_object_foreach(jobj_keyslots, slot, val) {
+		r_old = r;
+
 		if (!json_object_object_get_ex(val, "priority", &jobj))
 			slot_priority = CRYPT_SLOT_PRIORITY_NORMAL;
 		else
@@ -451,6 +440,9 @@ static int LUKS2_keyslot_open_priority_digest(struct crypt_device *cd,
 		   former meaning password wrong, latter key slot unusable for segment */
 		if ((r != -EPERM) && (r != -ENOENT))
 			break;
+		/* If a previous keyslot failed with EPERM (bad password) prefer it */
+		if (r_old == -EPERM && r == -ENOENT)
+			r = -EPERM;
 	}
 
 	return r;
@@ -466,11 +458,13 @@ static int LUKS2_keyslot_open_priority(struct crypt_device *cd,
 {
 	json_object *jobj_keyslots, *jobj;
 	crypt_keyslot_priority slot_priority;
-	int keyslot, r = -ENOENT;
+	int keyslot, r = -ENOENT, r_old;
 
 	json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots);
 
 	json_object_object_foreach(jobj_keyslots, slot, val) {
+		r_old = r;
+
 		if (!json_object_object_get_ex(val, "priority", &jobj))
 			slot_priority = CRYPT_SLOT_PRIORITY_NORMAL;
 		else
@@ -489,6 +483,9 @@ static int LUKS2_keyslot_open_priority(struct crypt_device *cd,
 		   former meaning password wrong, latter key slot unusable for segment */
 		if ((r != -EPERM) && (r != -ENOENT))
 			break;
+		/* If a previous keyslot failed with EPERM (bad password) prefer it */
+		if (r_old == -EPERM && r == -ENOENT)
+			r = -EPERM;
 	}
 
 	return r;

lib/luks2/luks2_keyslot_luks2.c

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * LUKS - Linux Unified Key Setup v2, LUKS2 type keyslot handler
  *
  * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2015-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <limits.h>

lib/luks2/luks2_keyslot_reenc.c

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * LUKS - Linux Unified Key Setup v2, reencryption keyslot handler
  *
  * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2016-2024 Ondrej Kozina
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include "luks2_internal.h"

lib/luks2/luks2_luks1_convert.c

@@ -1,23 +1,10 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * LUKS - Linux Unified Key Setup v2, LUKS1 conversion code
  *
  * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2015-2024 Ondrej Kozina
  * Copyright (C) 2015-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include "luks2_internal.h"
@@ -621,6 +608,10 @@ int LUKS2_luks1_to_luks2(struct crypt_device *cd, struct luks_phdr *hdr1, struct
 	if (max_size < required_size)
 		max_size = required_size;
 
+	/* fix coverity false positive integer underflow */
+	if (max_size < 2 * LUKS2_HDR_16K_LEN)
+		return -EINVAL;
+
 	r = json_luks1_object(hdr1, &jobj, max_size - 2 * LUKS2_HDR_16K_LEN);
 	if (r < 0)
 		return r;

lib/luks2/luks2_reencrypt.c

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * LUKS - Linux Unified Key Setup v2, reencryption helpers
  *
  * Copyright (C) 2015-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2015-2024 Ondrej Kozina
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include "luks2_internal.h"
@@ -3310,7 +3297,7 @@ static int reencrypt_load(struct crypt_device *cd, struct luks2_hdr *hdr,
 
 	if (r < 0 || !tmp) {
 		log_err(cd, _("Failed to load LUKS2 reencryption context."));
-		return r;
+		return r < 0 ? r : -EINVAL;
 	}
 
 	*rh = tmp;
@@ -3801,6 +3788,13 @@ static int reencrypt_init_by_passphrase(struct crypt_device *cd,
 	if (flags & CRYPT_REENCRYPT_RECOVERY)
 		return reencrypt_recovery_by_passphrase(cd, hdr, keyslot_old, keyslot_new, passphrase, passphrase_size);
 
+	if (name && !device_direct_io(crypt_data_device(cd))) {
+		log_dbg(cd, "Device %s does not support direct I/O.", device_path(crypt_data_device(cd)));
+		/* FIXME: Add more specific error mesage for translation later. */
+		log_err(cd, _("Failed to initialize reencryption device stack."));
+		return -EINVAL;
+	}
+
 	if (cipher && !crypt_cipher_wrapped_key(cipher, cipher_mode)) {
 		r = crypt_keyslot_get_key_size(cd, keyslot_new);
 		if (r < 0)
@@ -4236,9 +4230,14 @@ int crypt_reencrypt_run(
 
 	log_dbg(cd, "Resuming LUKS2 reencryption.");
 
-	if (rh->online && reencrypt_init_device_stack(cd, rh)) {
-		log_err(cd, _("Failed to initialize reencryption device stack."));
-		return -EINVAL;
+	if (rh->online) {
+		/* This is last resort to avoid data corruption. Abort is justified here. */
+		assert(device_direct_io(crypt_data_device(cd)));
+
+		if (reencrypt_init_device_stack(cd, rh)) {
+			log_err(cd, _("Failed to initialize reencryption device stack."));
+			return -EINVAL;
+		}
 	}
 
 	log_dbg(cd, "Progress %" PRIu64 ", device_size %" PRIu64, rh->progress, rh->device_size);

lib/luks2/luks2_reencrypt_digest.c

@@ -1,23 +1,10 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * LUKS - Linux Unified Key Setup v2, reencryption digest helpers
  *
  * Copyright (C) 2022-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2022-2024 Ondrej Kozina
  * Copyright (C) 2022-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include "luks2_internal.h"

lib/luks2/luks2_segment.c

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * LUKS - Linux Unified Key Setup v2, internal segment handling
  *
  * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2018-2024 Ondrej Kozina
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include "luks2_internal.h"
@@ -239,27 +226,6 @@ unsigned json_segments_count(json_object *jobj_segments)
 	return count;
 }
 
-static void _get_segment_or_id_by_flag(json_object *jobj_segments, const char *flag, unsigned id, void *retval)
-{
-	json_object *jobj_flags, **jobj_ret = (json_object **)retval;
-	int *ret = (int *)retval;
-
-	if (!flag)
-		return;
-
-	json_object_object_foreach(jobj_segments, key, value) {
-		if (!json_object_object_get_ex(value, "flags", &jobj_flags))
-			continue;
-		if (LUKS2_array_jobj(jobj_flags, flag)) {
-			if (id)
-				*ret = atoi(key);
-			else
-				*jobj_ret = value;
-			return;
-		}
-	}
-}
-
 void json_segment_remove_flag(json_object *jobj_segment, const char *flag)
 {
 	json_object *jobj_flags, *jobj_flags_new;
@@ -587,24 +553,37 @@ int LUKS2_segments_set(struct crypt_device *cd, struct luks2_hdr *hdr,
 
 int LUKS2_get_segment_id_by_flag(struct luks2_hdr *hdr, const char *flag)
 {
-	int ret = -ENOENT;
-	json_object *jobj_segments = LUKS2_get_segments_jobj(hdr);
+	json_object *jobj_flags, *jobj_segments = LUKS2_get_segments_jobj(hdr);
 
-	if (jobj_segments)
-		_get_segment_or_id_by_flag(jobj_segments, flag, 1, &ret);
+	if (!flag || !jobj_segments)
+		return -ENOENT;
 
-	return ret;
+	json_object_object_foreach(jobj_segments, key, value) {
+		if (!json_object_object_get_ex(value, "flags", &jobj_flags))
+			continue;
+		if (LUKS2_array_jobj(jobj_flags, flag))
+			return atoi(key);
+	}
+
+	return -ENOENT;
 }
 
 json_object *LUKS2_get_segment_by_flag(struct luks2_hdr *hdr, const char *flag)
 {
-	json_object *jobj_segment = NULL,
-		    *jobj_segments = LUKS2_get_segments_jobj(hdr);
+	json_object *jobj_flags, *jobj_segments = LUKS2_get_segments_jobj(hdr);
 
-	if (jobj_segments)
-		_get_segment_or_id_by_flag(jobj_segments, flag, 0, &jobj_segment);
+	if (!flag || !jobj_segments)
+		return NULL;
 
-	return jobj_segment;
+	json_object_object_foreach(jobj_segments, key, value) {
+		UNUSED(key);
+		if (!json_object_object_get_ex(value, "flags", &jobj_flags))
+			continue;
+		if (LUKS2_array_jobj(jobj_flags, flag))
+			return value;
+	}
+
+	return NULL;
 }
 
 /* compares key characteristics of both segments */

lib/luks2/luks2_token.c

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * LUKS - Linux Unified Key Setup v2, token handling
  *
  * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2016-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <ctype.h>

lib/luks2/luks2_token_keyring.c

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * LUKS - Linux Unified Key Setup v2, kernel keyring token
  *
  * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2016-2024 Ondrej Kozina
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include "luks2_internal.h"

lib/random.c

@@ -1,21 +1,8 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * cryptsetup kernel RNG access functions
  *
  * Copyright (C) 2010-2024 Red Hat, Inc. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <stdlib.h>

lib/setup.c

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * libcryptsetup - cryptsetup library
  *
@@ -5,20 +6,6 @@
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
  * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2009-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <string.h>
@@ -1790,6 +1777,12 @@ static int _crypt_format_luks1(struct crypt_device *cd,
 		return -EINVAL;
 	}
 
+	if (device_is_zoned(crypt_metadata_device(cd)) > 0) {
+		log_err(cd, _("Zoned device %s cannot be used for LUKS header."),
+			device_path(crypt_metadata_device(cd)));
+		return -EINVAL;
+	}
+
 	if (params && cd->data_offset && params->data_alignment &&
 	   (cd->data_offset % params->data_alignment)) {
 		log_err(cd, _("Requested data alignment is not compatible with data offset."));
@@ -2027,6 +2020,12 @@ static int _crypt_format_luks2(struct crypt_device *cd,
 		return -EINVAL;
 	}
 
+	if (device_is_zoned(crypt_metadata_device(cd)) > 0) {
+		log_err(cd, _("Zoned device %s cannot be used for LUKS header."),
+			device_path(crypt_metadata_device(cd)));
+		return -EINVAL;
+	}
+
 	if (params && cd->data_offset && params->data_alignment &&
 	   (cd->data_offset % params->data_alignment)) {
 		log_err(cd, _("Requested data alignment is not compatible with data offset."));
@@ -2140,7 +2139,7 @@ static int _crypt_format_luks2(struct crypt_device *cd,
 
 	device_set_block_size(crypt_data_device(cd), sector_size);
 
-	r = LUKS2_wipe_header_areas(cd, &cd->u.luks2.hdr, cd->metadata_device != NULL);
+	r = LUKS2_wipe_header_areas(cd, &cd->u.luks2.hdr);
 	if (r < 0) {
 		log_err(cd, _("Cannot wipe header on device %s."),
 			mdata_device_path(cd));
@@ -2220,7 +2219,7 @@ static int opal_topology_alignment(struct crypt_device *cd,
 {
 	bool opal_align;
 	int r;
-	uint32_t opal_block_bytes;
+	uint32_t opal_block_bytes, device_block_bytes;
 	uint64_t opal_alignment_granularity_blocks, opal_lowest_lba_blocks;
 
 	assert(cd);
@@ -2236,15 +2235,23 @@ static int opal_topology_alignment(struct crypt_device *cd,
 		return -EINVAL;
 	}
 
-	log_dbg(cd, "OPAL geometry: alignment: '%c', logical block size: %" PRIu32
+	device_block_bytes = device_block_size(cd, crypt_data_device(cd));
+
+	log_dbg(cd, "OPAL geometry: alignment: '%c', logical block size: %" PRIu32 "/%" PRIu32
 		    ", alignment granularity: %" PRIu64 ", lowest aligned LBA: %" PRIu64,
-	        opal_align ? 'y' : 'n', opal_block_bytes, opal_alignment_granularity_blocks, opal_lowest_lba_blocks);
+		    opal_align ? 'y' : 'n', opal_block_bytes, device_block_bytes,
+		    opal_alignment_granularity_blocks, opal_lowest_lba_blocks);
 
 	if (opal_block_bytes < SECTOR_SIZE || NOTPOW2(opal_block_bytes)) {
 		log_err(cd, _("Bogus OPAL logical block size."));
 		return -EINVAL;
 	}
 
+	if (device_block_bytes != opal_block_bytes) {
+		log_err(cd, _("Bogus OPAL logical block size differs from device block size."));
+		return -EINVAL;
+	}
+
 	if (data_offset_sectors &&
 	    MISALIGNED(data_offset_sectors + partition_offset_sectors, opal_block_bytes / SECTOR_SIZE)) {
 		log_err(cd, _("Requested data offset is not compatible with OPAL block size."));
@@ -2348,6 +2355,10 @@ int crypt_format_luks2_opal(struct crypt_device *cd,
 
 	log_dbg(cd, "Formatting device %s as type LUKS2 with OPAL HW encryption.", mdata_device_path(cd) ?: "(none)");
 
+	r = init_crypto(cd);
+	if (r < 0)
+		return r;
+
 	if (volume_keys_size < opal_params->user_key_size)
 		return -EINVAL;
 
@@ -2496,7 +2507,7 @@ int crypt_format_luks2_opal(struct crypt_device *cd,
 			(device_size_bytes - range_size_bytes) / SECTOR_SIZE);
 
 	if (cipher) {
-		r = LUKS2_check_encryption_sector(cd, device_size_bytes, data_offset_bytes, sector_size,
+		r = LUKS2_check_encryption_sector(cd, range_size_bytes, data_offset_bytes, sector_size,
 						  sector_size_autodetect, integrity == NULL,
 						  &sector_size);
 		if (r < 0)
@@ -2517,7 +2528,7 @@ int crypt_format_luks2_opal(struct crypt_device *cd,
 			       sector_size,
 			       data_offset_bytes,
 			       metadata_size_bytes, keyslots_size_bytes,
-			       device_size_bytes,
+			       range_size_bytes,
 			       opal_segment_number,
 			       opal_params->user_key_size);
 	if (r < 0)
@@ -2537,7 +2548,7 @@ int crypt_format_luks2_opal(struct crypt_device *cd,
 
 	device_set_block_size(crypt_data_device(cd), sector_size);
 
-	r = LUKS2_wipe_header_areas(cd, &cd->u.luks2.hdr, cd->metadata_device != NULL);
+	r = LUKS2_wipe_header_areas(cd, &cd->u.luks2.hdr);
 	if (r < 0) {
 		log_err(cd, _("Cannot wipe header on device %s."),
 			mdata_device_path(cd));
@@ -2556,7 +2567,8 @@ int crypt_format_luks2_opal(struct crypt_device *cd,
 
 	r = opal_setup_ranges(cd, crypt_data_device(cd), user_key ?: cd->volume_key,
 					range_offset_blocks, range_size_bytes / opal_block_bytes,
-					opal_segment_number, opal_params->admin_key, opal_params->admin_key_size);
+					opal_block_bytes, opal_segment_number,
+					opal_params->admin_key, opal_params->admin_key_size);
 	if (r < 0) {
 		if (r == -EPERM)
 			log_err(cd, _("Incorrect OPAL Admin key."));
@@ -4841,7 +4853,7 @@ int create_or_reload_device(struct crypt_device *cd, const char *name,
 	if (dmd->flags & CRYPT_ACTIVATE_REFRESH) {
 		/* Refresh and recalculate means increasing dm-integrity device */
 		if (tgt->type == DM_INTEGRITY && dmd->flags & CRYPT_ACTIVATE_RECALCULATE)
-			dmflags = DM_SUSPEND_SKIP_LOCKFS | DM_SUSPEND_NOFLUSH;;
+			dmflags = DM_SUSPEND_SKIP_LOCKFS | DM_SUSPEND_NOFLUSH;
 		r = _reload_device(cd, name, dmd, dmflags);
 	} else {
 		if (tgt->type == DM_CRYPT || tgt->type == DM_LINEAR) {
@@ -5327,7 +5339,8 @@ static int _activate_luks2_by_volume_key(struct crypt_device *cd,
 		}
 		r = _open_and_activate_reencrypt_device_by_vk(cd, &cd->u.luks2.hdr, name, vk, flags);
 	} else {
-		assert(crypt_volume_key_get_id(vk) == LUKS2_digest_by_segment(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT));
+		/* hw-opal data segment type does not require volume key for activation */
+		assert(!vk || crypt_volume_key_get_id(vk) == LUKS2_digest_by_segment(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT));
 		r = LUKS2_activate(cd, name, vk, external_key, flags);
 	}
 

lib/tcrypt/tcrypt.c

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * TCRYPT (TrueCrypt-compatible) and VeraCrypt volume handling
  *
  * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2012-2024 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <errno.h>
@@ -1070,7 +1057,7 @@ uint64_t TCRYPT_get_iv_offset(struct crypt_device *cd,
 			      struct tcrypt_phdr *hdr,
 			      struct crypt_params_tcrypt *params)
 {
-	uint64_t iv_offset;
+	uint64_t iv_offset, partition_offset;
 
 	if (params->mode && !strncmp(params->mode, "xts", 3))
 		iv_offset = TCRYPT_get_data_offset(cd, hdr, params);
@@ -1079,8 +1066,14 @@ uint64_t TCRYPT_get_iv_offset(struct crypt_device *cd,
 	else
 		iv_offset = hdr->d.mk_offset / SECTOR_SIZE;
 
-	if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER)
-		iv_offset += crypt_dev_partition_offset(device_path(crypt_data_device(cd)));
+	if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) {
+		partition_offset = crypt_dev_partition_offset(device_path(crypt_data_device(cd)));
+		/* FIXME: we need to deal with overflow sooner */
+		if (iv_offset > (UINT64_MAX - partition_offset))
+			iv_offset = UINT64_MAX;
+		else
+			iv_offset += partition_offset;
+	}
 
 	return iv_offset;
 }

lib/tcrypt/tcrypt.h

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
 /*
  * TCRYPT (TrueCrypt-compatible)  header definition
  *
  * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2012-2024 Milan Broz
- *
- * This file is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This file is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this file; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #ifndef _CRYPTSETUP_TCRYPT_H

lib/utils.c

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * utils - miscellaneous device utilities for cryptsetup
  *
@@ -5,20 +6,6 @@
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
  * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2009-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <stdio.h>
@@ -203,6 +190,7 @@ int crypt_keyfile_device_read(struct crypt_device *cd,  const char *keyfile,
 	size_t buflen, i;
 	uint64_t file_read_size;
 	struct stat st;
+	bool close_fd = false;
 
 	if (!key || !key_size_read)
 		return -EINVAL;
@@ -210,11 +198,15 @@ int crypt_keyfile_device_read(struct crypt_device *cd,  const char *keyfile,
 	*key = NULL;
 	*key_size_read = 0;
 
-	fd = keyfile ? open(keyfile, O_RDONLY) : STDIN_FILENO;
-	if (fd < 0) {
-		log_err(cd, _("Failed to open key file."));
-		return -EINVAL;
-	}
+	if (keyfile) {
+		fd = open(keyfile, O_RDONLY);
+		if (fd < 0) {
+			log_err(cd, _("Failed to open key file."));
+			return -EINVAL;
+		}
+		close_fd = true;
+	} else
+		fd = STDIN_FILENO;
 
 	if (isatty(fd)) {
 		log_err(cd, _("Cannot read keyfile from a terminal."));
@@ -328,7 +320,7 @@ int crypt_keyfile_device_read(struct crypt_device *cd,  const char *keyfile,
 	*key_size_read = i;
 	r = 0;
 out:
-	if (fd != STDIN_FILENO)
+	if (close_fd)
 		close(fd);
 
 	if (r)

lib/utils_benchmark.c

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * libcryptsetup - cryptsetup library, cipher benchmark
  *
  * Copyright (C) 2012-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2012-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <stdlib.h>

lib/utils_blkid.c

@@ -1,21 +1,8 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * blkid probe utilities
  *
  * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <errno.h>
@@ -183,7 +170,7 @@ int blk_is_partition(struct blkid_handle *h)
 
 int blk_is_superblock(struct blkid_handle *h)
 {
-	return blkid_probe_has_value(h->pr, "TYPE");;
+	return blkid_probe_has_value(h->pr, "TYPE");
 }
 
 const char *blk_get_partition_type(struct blkid_handle *h)

lib/utils_blkid.h

@@ -1,21 +1,8 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * blkid probe utilities
  *
  * Copyright (C) 2018-2024 Red Hat, Inc. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #ifndef _UTILS_BLKID_H

lib/utils_crypt.c

@@ -1,23 +1,10 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * utils_crypt - cipher utilities for cryptsetup
  *
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
  * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2009-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <stdlib.h>
@@ -41,15 +28,17 @@ int crypt_parse_name_and_mode(const char *s, char *cipher, int *key_nums,
 
 	if (sscanf(s, "%" MAX_CIPHER_LEN_STR "[^-]-%" MAX_CIPHER_LEN_STR "s",
 		   cipher, cipher_mode) == 2) {
-		if (!strcmp(cipher_mode, "plain"))
-			strcpy(cipher_mode, "cbc-plain");
 		if (!strncmp(cipher, "capi:", 5)) {
 			/* CAPI must not use internal cipher driver names with dash */
 			if (strchr(cipher_mode, ')'))
 				return -EINVAL;
 			if (key_nums)
 				*key_nums = 1;
-		} else if (key_nums) {
+			return 0;
+		}
+		if (!strcmp(cipher_mode, "plain"))
+			strcpy(cipher_mode, "cbc-plain");
+		if (key_nums) {
 			char *tmp = strchr(cipher, ':');
 			*key_nums = tmp ? atoi(++tmp) : 1;
 			if (!*key_nums)
@@ -69,7 +58,10 @@ int crypt_parse_name_and_mode(const char *s, char *cipher, int *key_nums,
 	}
 
 	if (sscanf(s, "%" MAX_CIPHER_LEN_STR "[^-]", cipher) == 1) {
-		strcpy(cipher_mode, "cbc-plain");
+		if (!strncmp(cipher, "capi:", 5))
+			strcpy(cipher_mode, "");
+		else
+			strcpy(cipher_mode, "cbc-plain");
 		if (key_nums)
 			*key_nums = 1;
 		return 0;

lib/utils_crypt.h

@@ -1,23 +1,10 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * utils_crypt - cipher utilities for cryptsetup
  *
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
  * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2009-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #ifndef _UTILS_CRYPT_H

lib/utils_device.c

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * device backend utilities
  *
@@ -5,20 +6,6 @@
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
  * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2009-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <string.h>
@@ -140,11 +127,19 @@ static size_t device_alignment_fd(int devfd)
 	return (size_t)alignment;
 }
 
-static int device_read_test(int devfd)
+static int device_read_test(struct crypt_device *cd, int devfd, struct device *device)
 {
 	char buffer[512];
 	int r = -EIO;
 	size_t minsize = 0, blocksize, alignment;
+	const char *dm_name;
+
+	/* skip check for suspended DM devices */
+	dm_name = device_dm_name(device);
+	if (dm_name && dm_status_suspended(cd, dm_name) > 0) {
+		log_dbg(cd, "Device %s is suspended, assuming direct-io is supported.", dm_name);
+		return 0;
+	}
 
 	blocksize = device_block_size_fd(devfd, &minsize);
 	alignment = device_alignment_fd(devfd);
@@ -161,6 +156,8 @@ static int device_read_test(int devfd)
 	if (read_blockwise(devfd, blocksize, alignment, buffer, minsize) == (ssize_t)minsize)
 		r = 0;
 
+	log_dbg(cd, "Direct-io is supported and works.");
+
 	crypt_safe_memzero(buffer, sizeof(buffer));
 	return r;
 }
@@ -178,7 +175,6 @@ static int device_ready(struct crypt_device *cd, struct device *device)
 	int devfd = -1, r = 0;
 	struct stat st;
 	size_t tmp_size;
-	const char *dm_name;
 
 	if (!device)
 		return -EINVAL;
@@ -189,12 +185,7 @@ static int device_ready(struct crypt_device *cd, struct device *device)
 		device->o_direct = 0;
 		devfd = open(device_path(device), O_RDONLY | O_DIRECT);
 		if (devfd >= 0) {
-			/* skip check for suspended DM devices */
-			dm_name = device_dm_name(device);
-			if (dm_name && dm_status_suspended(cd, dm_name)) {
-				close(devfd);
-				devfd = -1;
-			} else if (device_read_test(devfd) == 0) {
+			if (device_read_test(cd, devfd, device) == 0) {
 				device->o_direct = 1;
 			} else {
 				close(devfd);
@@ -1007,6 +998,22 @@ int device_is_dax(struct device *device)
 	return crypt_dev_is_dax(major(st.st_rdev), minor(st.st_rdev));
 }
 
+int device_is_zoned(struct device *device)
+{
+	struct stat st;
+
+	if (!device)
+		return -EINVAL;
+
+	if (stat(device_path(device), &st) < 0)
+		return -EINVAL;
+
+	if (!S_ISBLK(st.st_mode))
+		return 0;
+
+	return crypt_dev_is_zoned(major(st.st_rdev), minor(st.st_rdev));
+}
+
 size_t device_alignment(struct device *device)
 {
 	int devfd;

lib/utils_device_locking.c

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * Metadata on-disk locking for processes serialization
  *
  * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2016-2024 Ondrej Kozina
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <errno.h>

lib/utils_device_locking.h

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * Metadata on-disk locking for processes serialization
  *
  * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2016-2024 Ondrej Kozina
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #ifndef _CRYPTSETUP_UTILS_LOCKING_H

lib/utils_devpath.c

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * devname - search for device name
  *
@@ -5,20 +6,6 @@
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
  * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2009-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <string.h>
@@ -210,6 +197,23 @@ static int _path_get_uint64(const char *sysfs_path, uint64_t *value, const char
 	return _read_uint64(path, value);
 }
 
+static int _sysfs_get_string(int major, int minor, char *buf, size_t buf_size, const char *attr)
+{
+	char path[PATH_MAX];
+	int fd, r;
+
+	if (snprintf(path, sizeof(path), "/sys/dev/block/%d:%d/%s",
+		     major, minor, attr) < 0)
+		return 0;
+
+	if ((fd = open(path, O_RDONLY)) < 0)
+		return 0;
+	r = read(fd, buf, buf_size);
+	close(fd);
+
+	return r < 0 ? 0 : r;
+}
+
 int crypt_dev_get_partition_number(const char *dev_path)
 {
 	uint64_t partno;
@@ -248,6 +252,16 @@ int crypt_dev_is_dax(int major, int minor)
 	return val ? 1 : 0;
 }
 
+int crypt_dev_is_zoned(int major, int minor)
+{
+	char buf[32] = {};
+
+	if (!_sysfs_get_string(major, minor, buf, sizeof(buf), "queue/zoned"))
+		return 0; /* if failed, expect non-zoned device */
+
+	return strncmp(buf, "none", 4) ? 1 : 0;
+}
+
 int crypt_dev_is_partition(const char *dev_path)
 {
 	uint64_t val;

lib/utils_dm.h

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * libdevmapper - device-mapper backend for cryptsetup
  *
@@ -5,20 +6,6 @@
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
  * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2009-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #ifndef _UTILS_DM_H

lib/utils_io.c

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * utils - miscellaneous I/O utilities for cryptsetup
  *
@@ -5,23 +6,10 @@
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
  * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2009-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <errno.h>
+#include <limits.h>
 #include <string.h>
 #include <stdlib.h>
 #include <stdint.h>
@@ -32,10 +20,9 @@
 /* coverity[ -taint_source : arg-1 ] */
 static ssize_t _read_buffer(int fd, void *buf, size_t length, volatile int *quit)
 {
-	size_t read_size = 0;
-	ssize_t r;
+	ssize_t r, read_size = 0;
 
-	if (fd < 0 || !buf)
+	if (fd < 0 || !buf || length > SSIZE_MAX)
 		return -EINVAL;
 
 	do {
@@ -43,12 +30,13 @@ static ssize_t _read_buffer(int fd, void *buf, size_t length, volatile int *quit
 		if (r == -1 && errno != EINTR)
 			return r;
 		if (r > 0) {
-			read_size += (size_t)r;
+			/* coverity[overflow:FALSE] */
+			read_size += r;
 			buf = (uint8_t*)buf + r;
 		}
 		if (r == 0 || (quit && *quit))
-			return (ssize_t)read_size;
-	} while (read_size != length);
+			return read_size;
+	} while ((size_t)read_size != length);
 
 	return (ssize_t)length;
 }
@@ -65,25 +53,25 @@ ssize_t read_buffer_intr(int fd, void *buf, size_t length, volatile int *quit)
 
 static ssize_t _write_buffer(int fd, const void *buf, size_t length, volatile int *quit)
 {
-	size_t write_size = 0;
-	ssize_t w;
+	ssize_t w, write_size = 0;
 
-	if (fd < 0 || !buf || !length)
+	if (fd < 0 || !buf || !length || length > SSIZE_MAX)
 		return -EINVAL;
 
 	do {
-		w = write(fd, buf, length - write_size);
+		w = write(fd, buf, length - (size_t)write_size);
 		if (w < 0 && errno != EINTR)
 			return w;
 		if (w > 0) {
-			write_size += (size_t) w;
+			/* coverity[overflow:FALSE] */
+			write_size += w;
 			buf = (const uint8_t*)buf + w;
 		}
 		if (w == 0 || (quit && *quit))
-			return (ssize_t)write_size;
-	} while (write_size != length);
+			return write_size;
+	} while ((size_t)write_size != length);
 
-	return (ssize_t)write_size;
+	return write_size;
 }
 
 ssize_t write_buffer(int fd, const void *buf, size_t length)

lib/utils_io.h

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * utils - miscellaneous I/O utilities for cryptsetup
  *
@@ -5,20 +6,6 @@
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
  * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2009-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #ifndef _CRYPTSETUP_UTILS_IO_H

lib/utils_keyring.c

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * kernel keyring utilities
  *
  * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2016-2024 Ondrej Kozina
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <assert.h>
@@ -158,7 +145,7 @@ static key_serial_t find_key_by_type_and_desc(const char *type, const char *desc
 	char *newline;
 	size_t buffer_len = 0;
 
-	int n;
+	ssize_t n;
 
 	do {
 		id = request_key(type, desc, NULL, 0);
@@ -171,7 +158,8 @@ static key_serial_t find_key_by_type_and_desc(const char *type, const char *desc
 		return 0;
 
 	while ((n = read(f, buf + buffer_len, sizeof(buf) - buffer_len - 1)) > 0) {
-		buffer_len += n;
+		/* coverity[overflow:FALSE] */
+		buffer_len += (size_t)n;
 		buf[buffer_len] = '\0';
 		newline = strchr(buf, '\n');
 		while (newline != NULL && buffer_len != 0) {
@@ -183,7 +171,10 @@ static key_serial_t find_key_by_type_and_desc(const char *type, const char *desc
 			}
 
 			buffer_len -= newline - buf + 1;
-			assert(buffer_len <= sizeof(buf) - 1);
+			if (buffer_len >= sizeof(buf)) {
+				close(f);
+				return 0;
+			}
 			memmove(buf, newline + 1, buffer_len);
 			buf[buffer_len] = '\0';
 			newline = strchr(buf, '\n');

lib/utils_keyring.h

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * kernel keyring syscall wrappers
  *
  * Copyright (C) 2016-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2016-2024 Ondrej Kozina
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #ifndef _UTILS_KEYRING

lib/utils_loop.c

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * loopback block device utilities
  *
  * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2009-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <stdlib.h>
@@ -125,10 +112,10 @@ int crypt_loop_attach(char **loop, const char *file, int offset,
 
 	*loop = NULL;
 
-	file_fd = open(file, (*readonly ? O_RDONLY : O_RDWR) | O_EXCL);
+	file_fd = open(file, *readonly ? O_RDONLY : O_RDWR);
 	if (file_fd < 0 && (errno == EROFS || errno == EACCES) && !*readonly) {
 		*readonly = 1;
-		file_fd = open(file, O_RDONLY | O_EXCL);
+		file_fd = open(file, O_RDONLY);
 	}
 	if (file_fd < 0)
 		goto out;

lib/utils_loop.h

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * loopback block device utilities
  *
  * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2009-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #ifndef _UTILS_LOOP_H

lib/utils_pbkdf.c

@@ -1,22 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * utils_pbkdf - PBKDF settings for libcryptsetup
  *
  * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
  * Copyright (C) 2009-2024 Milan Broz
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #include <stdlib.h>