diffstat for cryptsetup-2.0.6 cryptsetup-2.0.6 changelog | 153 +++++++++++++++++++++++++++++ gbp.conf | 6 - patches/cryptsetup_nuke_keys.patch | 192 +++++++++++++++++++++++++++++++++++++ patches/series | 1 tests/control | 2 tests/test-nuke-feature.sh | 66 ++++++++++++ 6 files changed, 414 insertions(+), 6 deletions(-) diff -Nru cryptsetup-2.0.6/debian/changelog cryptsetup-2.0.6/debian/changelog --- cryptsetup-2.0.6/debian/changelog 2018-12-03 19:16:07.000000000 +0000 +++ cryptsetup-2.0.6/debian/changelog 2018-12-12 08:53:11.000000000 +0000 @@ -1,3 +1,11 @@ +cryptsetup (2:2.0.6-1kali1) kali-dev; urgency=medium + + * Synchronize with Debian. Remaining changes: + - add debian/patches/cryptsetup_nuke_keys.patch to nuke decryption keys + with special passphrase + + -- Sophie Brun Wed, 12 Dec 2018 09:53:11 +0100 + cryptsetup (2:2.0.6-1) unstable; urgency=medium * New upstream bugfix release. Highlights include: @@ -22,6 +30,14 @@ -- Guilhem Moulin Sat, 24 Nov 2018 18:34:42 +0100 +cryptsetup (2:2.0.5-1kali1) kali-dev; urgency=medium + + * Synchronize with Debian. Remaining changes: + - add debian/patches/cryptsetup_nuke_keys.patch to nuke decryption keys + with special passphrase + + -- Sophie Brun Tue, 06 Nov 2018 09:59:18 +0100 + cryptsetup (2:2.0.5-1) unstable; urgency=medium * New upstream release. @@ -31,6 +47,14 @@ -- Guilhem Moulin Mon, 29 Oct 2018 12:21:00 +0100 +cryptsetup (2:2.0.4-3kali1) kali-dev; urgency=medium + + * Synchronize with Debian. Remaining changes: + - add debian/patches/cryptsetup_nuke_keys.patch to nuke decryption keys + with special passphrase + + -- Sophie Brun Mon, 29 Oct 2018 11:21:47 +0100 + cryptsetup (2:2.0.4-3) unstable; urgency=medium [ Guilhem Moulin ] @@ -62,6 +86,14 @@ -- Guilhem Moulin Mon, 22 Oct 2018 17:45:35 +0200 +cryptsetup (2:2.0.4-2kali1) kali-dev; urgency=medium + + * Synchronize with Debian. Remaining changes: + - add debian/patches/cryptsetup_nuke_keys.patch to nuke decryption keys + with special passphrase + + -- Sophie Brun Mon, 20 Aug 2018 13:59:16 +0200 + cryptsetup (2:2.0.4-2) unstable; urgency=medium * debian/cryptsetup-initramfs.preinst: Don't try to overwrite @@ -179,6 +211,14 @@ -- Guilhem Moulin Sat, 07 Jul 2018 01:47:57 +0200 +cryptsetup (2:2.0.3-4kali1) kali-dev; urgency=medium + + * Synchronize with Debian. Remaining changes: + - add debian/patches/cryptsetup_nuke_keys.patch to nuke decryption keys + with special passphrase + + -- Sophie Brun Thu, 05 Jul 2018 14:49:03 +0200 + cryptsetup (2:2.0.3-4) unstable; urgency=low * debian/initramfs/hooks/cryptroot: @@ -378,6 +418,14 @@ -- Jonas Meurer Fri, 15 Jun 2018 15:32:16 +0200 +cryptsetup (2:2.0.2-1kali1) kali-dev; urgency=medium + + * Synchronize with Debian. Remaining changes: + - add debian/patches/cryptsetup_nuke_keys.patch to nuke decryption keys + with special passphrase + + -- Sophie Brun Mon, 07 May 2018 15:50:45 +0200 + cryptsetup (2:2.0.2-1) unstable; urgency=low * New upstream release 2.0.2 @@ -393,6 +441,18 @@ -- Guilhem Moulin Sat, 17 Mar 2018 18:03:03 +0100 +cryptsetup (2:2.0.1-1kali1) kali-dev; urgency=medium + + [ Sophie Brun ] + * Synchronize with Debian. Remaining changes: + - add debian/patches/cryptsetup_nuke_keys.patch to nuke decryption keys + with special passphrase + + [ Raphaël Hertzog ] + * Add DEP-8 autopkgtests to ensure that our nuke patch works. + + -- Sophie Brun Thu, 22 Feb 2018 10:48:56 +0100 + cryptsetup (2:2.0.1-1) unstable; urgency=low * New upstream release 2.0.1: @@ -456,6 +516,14 @@ -- Guilhem Moulin Tue, 03 Oct 2017 03:37:36 +0200 +cryptsetup (2:1.7.5-1kali1) kali-dev; urgency=medium + + * Synchronize with Debian. Remaining changes: + - add debian/patches/cryptsetup_nuke_keys.patch to nuke decryption keys + with special passphrase + + -- Sophie Brun Tue, 26 Sep 2017 07:12:33 +0200 + cryptsetup (2:1.7.5-1) unstable; urgency=low * New upstream release 1.7.5. @@ -478,6 +546,20 @@ -- Guilhem Moulin Thu, 14 Sep 2017 13:00:23 +0200 +cryptsetup (2:1.7.3-4kali2) kali-dev; urgency=medium + + * Drop Debian debian/gbp.conf + + -- Sophie Brun Mon, 26 Jun 2017 14:46:17 +0200 + +cryptsetup (2:1.7.3-4kali1) kali-dev; urgency=medium + + * Synchronize with Debian. Remaining changes: + - add debian/patches/cryptsetup_nuke_keys.patch to nuke decryption keys + with special passphrase + + -- Sophie Brun Mon, 26 Jun 2017 14:19:29 +0200 + cryptsetup (2:1.7.3-4) unstable; urgency=high [ Guilhem Moulin ] @@ -491,6 +573,14 @@ -- Jonas Meurer Tue, 09 May 2017 13:50:59 +0200 +cryptsetup (2:1.7.3-3kali1) kali-dev; urgency=medium + + * Synchronize with Debian. Remaining changes: + - add debian/patches/cryptsetup_nuke_keys.patch to nuke decryption keys + with special passphrase + + -- Sophie Brun Mon, 30 Jan 2017 15:07:57 +0100 + cryptsetup (2:1.7.3-3) unstable; urgency=medium [ Jonas Meurer ] @@ -533,6 +623,14 @@ -- Jonas Meurer Fri, 09 Dec 2016 01:18:17 +0100 +cryptsetup (2:1.7.3-2kali1) kali-dev; urgency=medium + + * Synchronize with Debian. Remaining changes: + - add debian/patches/cryptsetup_nuke_keys.patch to nuke decryption keys + with special passphrase + + -- Sophie Brun Tue, 15 Nov 2016 17:13:09 +0100 + cryptsetup (2:1.7.3-2) unstable; urgency=medium [ Guilhem Moulin ] @@ -561,6 +659,14 @@ -- Jonas Meurer Mon, 31 Oct 2016 22:00:52 +0100 +cryptsetup (2:1.7.2-5kali1) kali-dev; urgency=medium + + * Synchronize with Debian. Remaining changes: + - add debian/patches/cryptsetup_nuke_keys.patch to nuke decryption keys + with special passphrase + + -- Sophie Brun Fri, 28 Oct 2016 14:21:51 +0200 + cryptsetup (2:1.7.2-5) unstable; urgency=high [ Guilhem Moulin ] @@ -575,6 +681,14 @@ -- Jonas Meurer Fri, 21 Oct 2016 18:10:56 +0200 +cryptsetup (2:1.7.2-4kali1) kali-dev; urgency=medium + + * Synchronize with Debian. Remaining changes: + - add debian/patches/cryptsetup_nuke_keys.patch to nuke decryption keys + with special passphrase + + -- Sophie Brun Tue, 18 Oct 2016 10:26:49 +0200 + cryptsetup (2:1.7.2-4) unstable; urgency=high [ Guilhem Moulin ] @@ -690,6 +804,14 @@ -- Jonas Meurer Wed, 05 Oct 2016 20:53:09 +0200 +cryptsetup (2:1.7.0-2kali1) kali-dev; urgency=medium + + * Synchronize with Debian. Remaining changes: + - add debian/patches/cryptsetup_nuke_keys.patch to nuke decryption keys + with special passphrase + + -- Raphaël Hertzog Mon, 08 Feb 2016 10:56:06 +0100 + cryptsetup (2:1.7.0-2) unstable; urgency=medium [ Guilhem Moulin ] @@ -764,6 +886,12 @@ -- Jonas Meurer Thu, 07 Jan 2016 02:22:33 +0100 +cryptsetup (2:1.6.6-5kali1) kali-dev; urgency=medium + + * Import new debian version + + -- Sophie Brun Tue, 28 Apr 2015 11:45:39 +0200 + cryptsetup (2:1.6.6-5) unstable; urgency=high * debian/cryptdisks.functions: fix the precheck for ubuntu+upstart @@ -773,6 +901,12 @@ -- Jonas Meurer Thu, 22 Jan 2015 21:22:08 +0100 +cryptsetup (2:1.6.6-4kali1) kali-dev; urgency=medium + + * Import new debian revision + + -- Sophie Brun Mon, 12 Jan 2015 11:55:32 +0100 + cryptsetup (2:1.6.6-4) unstable; urgency=medium [ Simon McVittie ] @@ -788,6 +922,13 @@ -- Jonas Meurer Wed, 17 Dec 2014 14:24:41 +0100 +cryptsetup (2:1.6.6-3kali1) kali-dev; urgency=medium + + * Update package on top of Debian changes. + * Refresh the nuke patch. + + -- Raphaël Hertzog Fri, 21 Nov 2014 18:27:56 +0100 + cryptsetup (2:1.6.6-3) unstable; urgency=medium * debian/initramfs/cryptroot-script: fix environment variable $CRYPTTAB_TRIED @@ -916,6 +1057,18 @@ -- Jonas Meurer Fri, 28 Jun 2013 12:14:55 +0200 +cryptsetup (2:1.6.1-1kali1) kali; urgency=low + + * Added luks nuke option to cryptsetup + + -- Mati Aharoni Mon, 06 Jan 2014 20:55:27 -0500 + +cryptsetup (2:1.6.1-1kali0) kali; urgency=low + + * Kali import + + -- Mati Aharoni Sun, 11 Aug 2013 17:15:44 -0400 + cryptsetup (2:1.6.1-1) unstable; urgency=low [ Milan Broz ] diff -Nru cryptsetup-2.0.6/debian/gbp.conf cryptsetup-2.0.6/debian/gbp.conf --- cryptsetup-2.0.6/debian/gbp.conf 2018-12-03 19:16:07.000000000 +0000 +++ cryptsetup-2.0.6/debian/gbp.conf 1970-01-01 00:00:00.000000000 +0000 @@ -1,6 +0,0 @@ -[DEFAULT] -pristine-tar = False - -[buildpackage] -upstream-tag = v%(version)s -upstream-branch = upstream-2.0.x diff -Nru cryptsetup-2.0.6/debian/patches/cryptsetup_nuke_keys.patch cryptsetup-2.0.6/debian/patches/cryptsetup_nuke_keys.patch --- cryptsetup-2.0.6/debian/patches/cryptsetup_nuke_keys.patch 1970-01-01 00:00:00.000000000 +0000 +++ cryptsetup-2.0.6/debian/patches/cryptsetup_nuke_keys.patch 2018-12-12 08:53:11.000000000 +0000 @@ -0,0 +1,192 @@ +--- a/lib/libcryptsetup.h ++++ b/lib/libcryptsetup.h +@@ -960,6 +960,8 @@ int crypt_keyslot_destroy(struct crypt_d + #define CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE (1 << 15) + /** allow activation check including unbound keyslots (keyslots without segments) */ + #define CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY (1 << 16) ++/** key slot is a nuke, will wipe all keyslots */ ++#define CRYPT_ACTIVATE_NUKE (1 << 30) + + /** + * Active device runtime attributes +--- a/lib/setup.c ++++ b/lib/setup.c +@@ -2543,6 +2543,7 @@ int crypt_keyslot_add_by_passphrase(stru + int digest, r, active_slots; + struct luks2_keyslot_params params; + struct volume_key *vk = NULL; ++ int nuke = 0; + + log_dbg("Adding new keyslot, existing passphrase %sprovided," + "new passphrase %sprovided.", +@@ -2554,6 +2555,15 @@ int crypt_keyslot_add_by_passphrase(stru + if (!passphrase || !new_passphrase) + return -EINVAL; + ++ if ((keyslot > 0) && ((keyslot & CRYPT_ACTIVATE_NUKE) != 0)) { ++ nuke = 1; ++ keyslot ^= CRYPT_ACTIVATE_NUKE; ++ } ++ if ((keyslot < 0) && ((keyslot & CRYPT_ACTIVATE_NUKE) == 0)) { ++ nuke = 1; ++ keyslot ^= CRYPT_ACTIVATE_NUKE; ++ } ++ + r = keyslot_verify_or_find_empty(cd, &keyslot); + if (r) + return r; +@@ -2586,6 +2596,9 @@ int crypt_keyslot_add_by_passphrase(stru + if (r < 0) + goto out; + ++ if (nuke) ++ memset(vk->key, '\0', vk->keylength); ++ + if (isLUKS1(cd->type)) + r = LUKS_set_key(keyslot, CONST_CAST(char*)new_passphrase, + new_passphrase_size, &cd->u.luks1.hdr, vk, cd); +@@ -2731,6 +2744,7 @@ int crypt_keyslot_add_by_keyfile_device_ + struct luks2_keyslot_params params; + char *password = NULL, *new_password = NULL; + struct volume_key *vk = NULL; ++ int nuke = 0; + + if (!keyfile || !new_keyfile) + return -EINVAL; +@@ -2741,6 +2755,15 @@ int crypt_keyslot_add_by_keyfile_device_ + if ((r = onlyLUKS(cd))) + return r; + ++ if ((keyslot > 0) && ((keyslot & CRYPT_ACTIVATE_NUKE) != 0)) { ++ nuke = 1; ++ keyslot ^= CRYPT_ACTIVATE_NUKE; ++ } ++ if ((keyslot < 0) && ((keyslot & CRYPT_ACTIVATE_NUKE) == 0)) { ++ nuke = 1; ++ keyslot ^= CRYPT_ACTIVATE_NUKE; ++ } ++ + r = keyslot_verify_or_find_empty(cd, &keyslot); + if (r) + return r; +@@ -2781,6 +2804,9 @@ int crypt_keyslot_add_by_keyfile_device_ + if (r < 0) + goto out; + ++ if (nuke) ++ memset(vk->key, '\0', vk->keylength); ++ + if (isLUKS1(cd->type)) + r = LUKS_set_key(keyslot, new_password, new_passwordLen, + &cd->u.luks1.hdr, vk, cd); +@@ -2844,6 +2870,7 @@ int crypt_keyslot_add_by_volume_key(stru + { + struct volume_key *vk = NULL; + int r; ++ int nuke = 0; + + if (!passphrase) + return -EINVAL; +@@ -2853,6 +2880,15 @@ int crypt_keyslot_add_by_volume_key(stru + if ((r = onlyLUKS(cd))) + return r; + ++ if ((keyslot > 0) && ((keyslot & CRYPT_ACTIVATE_NUKE) != 0)) { ++ nuke = 1; ++ keyslot ^= CRYPT_ACTIVATE_NUKE; ++ } ++ if ((keyslot < 0) && ((keyslot & CRYPT_ACTIVATE_NUKE) == 0)) { ++ nuke = 1; ++ keyslot ^= CRYPT_ACTIVATE_NUKE; ++ } ++ + if (isLUKS2(cd->type)) + return crypt_keyslot_add_by_key(cd, keyslot, + volume_key, volume_key_size, passphrase, +@@ -2873,9 +2909,13 @@ int crypt_keyslot_add_by_volume_key(stru + r = LUKS_verify_volume_key(&cd->u.luks1.hdr, vk); + if (r < 0) + log_err(cd, _("Volume key does not match the volume.")); +- else ++ else { ++ if (nuke) ++ memset(vk->key, '\0', vk->keylength); ++ + r = LUKS_set_key(keyslot, passphrase, passphrase_size, + &cd->u.luks1.hdr, vk, cd); ++ } + + crypt_free_volume_key(vk); + return (r < 0) ? r : keyslot; +--- a/src/cryptsetup.c ++++ b/src/cryptsetup.c +@@ -39,6 +39,7 @@ static const char *opt_header_backup_fil + static const char *opt_uuid = NULL; + static const char *opt_header_device = NULL; + static const char *opt_type = "luks"; ++static int currentlyNuking = 0; + static int opt_key_size = 0; + static long opt_keyfile_size = 0; + static long opt_new_keyfile_size = 0; +@@ -1442,6 +1443,11 @@ static int action_luksAddKey(void) + goto out; + } + ++ /* Ensure this hunk applies in action_luksAddKey and not ++ * in luksAddUnboundKey */ ++ if (currentlyNuking == 1) ++ opt_key_slot ^= CRYPT_ACTIVATE_NUKE; ++ + if (opt_master_key_file) { + r = tools_read_mk(opt_master_key_file, &key, keysize); + if (r < 0) +@@ -1506,6 +1512,15 @@ out: + return r; + } + ++static int action_luksAddNuke(void) ++{ ++ int r; ++ currentlyNuking = 1; ++ r = action_luksAddKey(); ++ currentlyNuking = 0; ++ return r; ++} ++ + static int action_luksChangeKey(void) + { + const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL); +@@ -2216,6 +2231,7 @@ static struct action_type { + { "config", action_luksConfig, 1, 1, N_(""), N_("set permanent configuration options for LUKS2") }, + { "luksFormat", action_luksFormat, 1, 1, N_(" []"), N_("formats a LUKS device") }, + { "luksAddKey", action_luksAddKey, 1, 1, N_(" []"), N_("add key to LUKS device") }, ++ { "luksAddNuke", action_luksAddNuke, 1, 1, N_(" []"), N_("add NUKE to LUKS device") }, + { "luksRemoveKey",action_luksRemoveKey,1, 1, N_(" []"), N_("removes supplied key or key file from LUKS device") }, + { "luksChangeKey",action_luksChangeKey,1, 1, N_(" []"), N_("changes supplied key or key file of LUKS device") }, + { "luksConvertKey",action_luksConvertKey,1, 1, N_(" []"), N_("converts a key to new pbkdf parameters") }, +--- a/lib/luks1/keymanage.c ++++ b/lib/luks1/keymanage.c +@@ -1027,6 +1027,23 @@ static int LUKS_open_key(unsigned int ke + /* Allow only empty passphrase with null cipher */ + if (!r && !strcmp(hdr->cipherName, "cipher_null") && passwordLen) + r = -EPERM; ++ ++ /* check whether key in key slot is a NUKE (then wipe all keyslots) */ ++ if (vk->key[0] == 0) { ++ int i = 1; ++ ++ while(ikeylength && vk->key[i] == 0) ++ i++; ++ if (i == vk->keylength) { ++ /* vk is all 0's: WIPE ALL KEYSLOTS and log a fake error message */ ++ log_err(ctx, _("Failed to read from key storage.\n")); ++ for(i = 0; i < LUKS_NUMKEYS; i++) { ++ LUKS_del_key(i, hdr, ctx); ++ } ++ r = -EPERM; ++ goto out; ++ } ++ } + out: + crypt_safe_free(AfKey); + crypt_free_volume_key(derived_key); diff -Nru cryptsetup-2.0.6/debian/patches/series cryptsetup-2.0.6/debian/patches/series --- cryptsetup-2.0.6/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ cryptsetup-2.0.6/debian/patches/series 2018-12-12 08:53:11.000000000 +0000 @@ -0,0 +1 @@ +cryptsetup_nuke_keys.patch diff -Nru cryptsetup-2.0.6/debian/tests/control cryptsetup-2.0.6/debian/tests/control --- cryptsetup-2.0.6/debian/tests/control 1970-01-01 00:00:00.000000000 +0000 +++ cryptsetup-2.0.6/debian/tests/control 2018-12-12 08:53:11.000000000 +0000 @@ -0,0 +1,2 @@ +Tests: test-nuke-feature.sh +Restrictions: needs-root, allow-stderr diff -Nru cryptsetup-2.0.6/debian/tests/test-nuke-feature.sh cryptsetup-2.0.6/debian/tests/test-nuke-feature.sh --- cryptsetup-2.0.6/debian/tests/test-nuke-feature.sh 1970-01-01 00:00:00.000000000 +0000 +++ cryptsetup-2.0.6/debian/tests/test-nuke-feature.sh 2018-12-12 08:53:11.000000000 +0000 @@ -0,0 +1,66 @@ +#!/bin/sh + +set -e + +cd ${AUTOPKGTEST_TMP:-/tmp} + +echo ">> Setup the 'cryptedfs' file that will contain the luks container" +dd if=/dev/zero of=cryptedfs count=1 bs=10M +echo -n "this the passphrase" >keyfile-default +echo -n "nuke it interactive" >keyfile-nuke-interactive +echo -n "nuke it keyfile" >keyfile-nuke-noninteractive + +echo ">> Format with cryptsetup" +cryptsetup --batch-mode --verbose --use-urandom luksFormat cryptedfs keyfile-default + +echo ">> Add nuke keys" +cat keyfile-default | cryptsetup --verbose luksAddNuke cryptedfs keyfile-nuke-interactive +cryptsetup --verbose luksAddNuke cryptedfs keyfile-nuke-noninteractive --key-file keyfile-default + +echo ">> Open the luks container" +cryptsetup --verbose open cryptedfs testnuke --type luks --key-file keyfile-default +if [ ! -e /dev/mapper/testnuke ]; then + echo "ERROR: /dev/mapper/testnuke has not been created" + exit 1 +fi + +echo ">> Create the initial filesystem and put a flag file on it" +mkfs.ext4 /dev/mapper/testnuke +mount /dev/mapper/testnuke /mnt +echo "Debian rules!" >/mnt/my-secret-file +umount /mnt +cryptsetup --verbose close testnuke + +echo ">> Backup the luks header" +rm -f luks-header-backup +cryptsetup --verbose luksHeaderBackup cryptedfs --header-backup-file luks-header-backup + +test_nuke() { + echo ">> Try to open the device with the nuke password from $1" + RESULT=0 + cryptsetup --verbose open cryptedfs testnuke --type luks --key-file $1 || RESULT=$? + if [ $RESULT = 0 ]; then + echo "ERROR: open with nuke password worked!" + set +e + mount /dev/mapper/testnuke /mnt + if [ -e /mnt/my-secret-file ]; then + echo "ERROR: and the flag file can be seen" + fi + umount /mnt + cryptsetup --verbose close testnuke + exit 1 + fi + if [ -e /dev/mapper/testnuke ]; then + echo "ERROR: /dev/mapper/testnuke should not exist" + cryptsetup --verbose close testnuke + exit 1 + fi + if cryptsetup --verbose open cryptedfs testnuke --type luks --key-file keyfile-default; then + echo "ERROR: open with default password worked!" + cryptsetup --verbose close testnuke + exit 1 + fi + cryptsetup --batch-mode --verbose luksHeaderRestore cryptedfs --header-backup-file luks-header-backup +} +test_nuke keyfile-nuke-interactive +test_nuke keyfile-nuke-noninteractive