Debian Bug report logs - #513596
cryptsetup: Cannot delete a Keyslot from itself


Package: cryptsetup; Maintainer for cryptsetup is Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>; Source for cryptsetup is src:cryptsetup.

Reported by: Pierre Dinh-van <pierre@qsdf.org>

Date: Fri, 30 Jan 2009 15:21:02 UTC

Severity: normal

Found in version cryptsetup/2:1.0.6-7

Fixed in version cryptsetup/2:1.0.6+20090405.svn49-1

Done: Jonas Meurer <mejo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>:
Bug#513596; Package cryptsetup. (Fri, 30 Jan 2009 15:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Pierre Dinh-van <pierre@qsdf.org>:
New Bug report received and forwarded. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>. (Fri, 30 Jan 2009 15:21:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Pierre Dinh-van <pierre@qsdf.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cryptsetup: Cannot delete a Keyslot from itself
Date: Fri, 30 Jan 2009 16:18:45 +0100
Package: cryptsetup
Version: 2:1.0.6-7
Severity: normal


I noticed that it is impossible to remove a keyslot with the key of this slot.
The problem occurs both with a passphrase and with a key-file.

I guess it's not a feature, since it should be possible to delete all key-slots to make
access to the data quite-impossible. There is also a warning message while trying to do it,
so I'm sure it should be possible (and in the case we have to delete the last keyslot, the 
only possibility is to use the same key).

Example :

root@pierre:/tmp# ls -sh keyslot*
4.0K keyslot0.rand  4.0K keyslot1.rand
root@pierre:/tmp# cryptsetup luksFormat -s256 /dev/mapper/pierre-testluks /tmp/keyslot0.rand

WARNING!
========
This will overwrite data on /dev/mapper/pierre-testluks irrevocably.

Are you sure? (Type uppercase yes): YES
Command successful.
root@pierre:/tmp# cryptsetup luksAddKey --key-file /tmp/keyslot0.rand /dev/mapper/pierre-testluks /tmp/keyslot1.rand
key slot 0 unlocked.
Command successful.
root@pierre:/tmp# cryptsetup luksDump /dev/mapper/pierre-testluks
LUKS header information for /dev/mapper/pierre-testluks

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 2056
MK bits:        256
MK digest:      84 b0 9a 7e 56 98 ed c0 01 56 cd a8 ab 6a be 25 e6 22 e4 4b 
MK salt:        a5 4f 46 09 9e 1d 9e 3b 08 d9 5b 35 8b ea 99 41 
                fb ae 4c 17 f1 03 32 4a af b0 76 c5 06 ed e1 e5 
MK iterations:  10
UUID:           b6bf43f9-6de5-4290-945f-65faaa8a188d

Key Slot 0: ENABLED
        Iterations:             128887
        Salt:                   e3 70 ff b6 d2 94 c0 a7 89 aa 97 33 6a 20 b2 c7 
                                32 9f 65 6d 95 78 48 6b f2 52 3e c0 f8 04 27 34 
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             236321
        Salt:                   ba 18 91 42 b7 de 3f d0 db 96 0a 09 9e 9e 1c fb 
                                06 e7 17 73 e6 8b e5 f7 9a c4 4d a7 3c e1 40 d4 
        Key material offset:    264
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
root@pierre:/tmp# cryptsetup luksKillSlot --key-file /tmp/keyslot1.rand /dev/mapper/pierre-testluks 1
No remaining key available with this passphrase.
Command failed.
root@pierre:/tmp# cryptsetup luksKillSlot --key-file /tmp/keyslot0.rand /dev/mapper/pierre-testluks 0
No remaining key available with this passphrase.
Command failed.
root@pierre:/tmp# cryptsetup luksKillSlot --key-file /tmp/keyslot0.rand /dev/mapper/pierre-testluks 1
key slot 1 verified.
Command successful.
root@pierre:/tmp# cryptsetup luksKillSlot --key-file /tmp/keyslot0.rand /dev/mapper/pierre-testluks 0

WARNING!
========
This is the last keyslot. Device will become unusable after purging this key.

Are you sure? (Type uppercase yes): YES
No remaining key available with this passphrase.
Command failed.
root@pierre:/tmp# 



-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-6-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages cryptsetup depends on:
ii  dmsetup                      2:1.02.27-4 The Linux Kernel Device Mapper use
ii  libc6                        2.7-18      GNU C Library: Shared libraries
ii  libdevmapper1.02.1           2:1.02.27-4 The Linux Kernel Device Mapper use
ii  libpopt0                     1.14-4      lib for parsing cmdline parameters
ii  libuuid1                     1.41.3-1    universally unique id library

cryptsetup recommends no packages.

Versions of packages cryptsetup suggests:
ii  dosfstools                    3.0.1-1    utilities for making and checking 
ii  initramfs-tools [linux-initra 0.92o      tools for generating an initramfs
ii  udev                          0.125-7    /dev/ and hotplug management daemo

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>:
Bug#513596; Package cryptsetup. (Fri, 30 Jan 2009 16:21:18 GMT) Full text and rfc822 format available.

Acknowledgement sent to Pierre Dinh-van <pierre@qsdf.org>:
Extra info received and forwarded to list. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>. (Fri, 30 Jan 2009 16:21:19 GMT) Full text and rfc822 format available.

Message #10 received at 513596@bugs.debian.org (full text, mbox):

From: Pierre Dinh-van <pierre@qsdf.org>
To: Debian Bug Tracking System <513596@bugs.debian.org>
Subject: cryptsetup: A patch for this issue
Date: Fri, 30 Jan 2009 17:20:42 +0100
Package: cryptsetup
Version: 2:1.0.6-7
Followup-For: Bug #513596


I just looked in the source, and the problem comes from lib/setup.c, where
it's explicitly denied to remove a key with itself (keyIndex == openedIndex).

The attached patch removes this extra check. I rebuilt the package and installed
it, and it seems to work fine: I'm able to have an unusable LUKS partition:

root@pierre:/tmp# cryptsetup luksDump /dev/mapper/pierre-testluks
LUKS header information for /dev/mapper/pierre-testluks

Version:       	1
Cipher name:   	aes
Cipher mode:   	cbc-essiv:sha256
Hash spec:     	sha1
Payload offset:	2056
MK bits:       	256
MK digest:     	2b ba 0b 5a f9 cb 49 57 f6 db 7e cd 94 a6 21 fb 48 83 e3 02 
MK salt:       	58 89 47 04 76 85 e3 77 75 09 2e eb 41 e2 f7 18 
               	8e 9f 27 03 38 a0 94 87 5e 95 1d fa 98 80 e3 9d 
MK iterations: 	10
UUID:          	1defedc2-a202-46fe-81ca-5ddbf997a891

Key Slot 0: DISABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

I didn't notice any side effects for now...


-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-6-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages cryptsetup depends on:
ii  dmsetup                      2:1.02.27-4 The Linux Kernel Device Mapper use
ii  libc6                        2.7-18      GNU C Library: Shared libraries
ii  libdevmapper1.02.1           2:1.02.27-4 The Linux Kernel Device Mapper use
ii  libpopt0                     1.14-4      lib for parsing cmdline parameters
ii  libuuid1                     1.41.3-1    universally unique id library

cryptsetup recommends no packages.

Versions of packages cryptsetup suggests:
ii  dosfstools                    3.0.1-1    utilities for making and checking 
ii  initramfs-tools [linux-initra 0.92o      tools for generating an initramfs
ii  udev                          0.125-7    /dev/ and hotplug management daemo

-- no debconf information
[cryptsetup-1.0.6-bug513596.patch (text/x-diff, attachment)]
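
Added example (not part of the original report and not cryptsetup code): a shell check that reads `cryptsetup luksDump` text in the LUKS1 layout shown above and reports whether a single-slot revocation, or a wipe of every key slot as in this follow-up, actually took effect. The function names and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit key-slot state from `cryptsetup luksDump` text (LUKS1).
# Function names and sample dumps are constructed for illustration.

# Print the numbers of all ENABLED key slots, space-separated.
luks_enabled_slots() {
    awk '/^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); out = out (out ? " " : "") $3 }
         END { print out }'
}

# Classify a dump: "active" (some slot still unlocks the master key),
# "erased" (slots listed, all DISABLED) or "invalid" (no slot lines at all,
# e.g. luksDump failed), so an empty pipe is never mistaken for a wipe.
luks_slot_state() {
    awk '/^Key Slot [0-9]+: (ENABLED|DISABLED)/ { total++; if ($4 == "ENABLED") on++ }
         END { if (!total) print "invalid"; else if (on) print "active"; else print "erased" }'
}

# Succeed only if slot $1 is listed as DISABLED (revocation took effect).
luks_slot_revoked() {
    awk -v s="$1" '$0 ~ ("^Key Slot " s ": DISABLED") { found = 1 } END { exit !found }'
}

# Constructed sample: two key files enrolled, as after luksAddKey.
sample_before() {
cat <<'EOF'
LUKS header information for /dev/mapper/example-vol
Version:        1
Key Slot 0: ENABLED
        Iterations:             128887
Key Slot 1: ENABLED
        Iterations:             236321
Key Slot 2: DISABLED
EOF
}

# Constructed sample: every slot killed, including the last one.
sample_after() {
cat <<'EOF'
LUKS header information for /dev/mapper/example-vol
Version:        1
Key Slot 0: DISABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
EOF
}

# Demo on the samples; on a real device pipe `cryptsetup luksDump DEVICE` in.
sample_before | luks_enabled_slots
sample_before | luks_slot_state
sample_after  | luks_slot_state
```

The check only covers the header it is shown: a copy of the header saved before the slots were killed still contains the old key material and has to be destroyed separately.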

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>:
Bug#513596; Package cryptsetup. (Fri, 30 Jan 2009 17:03:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Pierre Dinh-van <pierre@qsdf.org>:
Extra info received and forwarded to list. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>. (Fri, 30 Jan 2009 17:03:05 GMT) Full text and rfc822 format available.

Message #15 received at 513596@bugs.debian.org (full text, mbox):

From: Pierre Dinh-van <pierre@qsdf.org>
To: 513596@bugs.debian.org
Subject: Exists also in Etch
Date: Fri, 30 Jan 2009 18:00:36 +0100
Tags: patch
Version: 2:1.0.4+svn26-1

The version provided in Etch also has the same limitation.

Patch for etch attached.

[cryptsetup-1.0.4+svn26-bug513596.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>:
Bug#513596; Package cryptsetup. (Tue, 03 Feb 2009 15:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Pierre Dinh-van <pierre@qsdf.org>:
Extra info received and forwarded to list. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>. (Tue, 03 Feb 2009 15:39:03 GMT) Full text and rfc822 format available.

Message #20 received at 513596@bugs.debian.org (full text, mbox):

From: Pierre Dinh-van <pierre@qsdf.org>
To: 513596@bugs.debian.org
Subject: Upstream seems to be fixed
Date: Tue, 3 Feb 2009 16:38:18 +0100
It seems that this issue was corrected in the trunk of the upstream subversion since revision 41.

http://code.google.com/p/cryptsetup/source/diff?spec=svn47&r=41&format=side&path=/trunk/lib/setup.c&old_path=/trunk/lib/setup.c&old=38

Maybe a better patch could be built from it.

This bug was also reported for Ubuntu 8.04:

https://bugs.launchpad.net/cryptsetup/+bug/324871

Tags added: pending Request was from Jonas Meurer <mejo@debian.org> to control@bugs.debian.org. (Thu, 19 Feb 2009 01:03:06 GMT) Full text and rfc822 format available.

Reply sent to Jonas Meurer <mejo@debian.org>:
You have taken responsibility. (Mon, 06 Apr 2009 07:09:13 GMT) Full text and rfc822 format available.

Notification sent to Pierre Dinh-van <pierre@qsdf.org>:
Bug acknowledged by developer. (Mon, 06 Apr 2009 07:09:13 GMT) Full text and rfc822 format available.

Message #27 received at 513596-close@bugs.debian.org (full text, mbox):

From: Jonas Meurer <mejo@debian.org>
To: 513596-close@bugs.debian.org
Subject: Bug#513596: fixed in cryptsetup 2:1.0.6+20090405.svn49-1
Date: Mon, 06 Apr 2009 07:02:04 +0000
Source: cryptsetup
Source-Version: 2:1.0.6+20090405.svn49-1

We believe that the bug you reported is fixed in the latest version of
cryptsetup, which is due to be installed in the Debian FTP archive:

cryptsetup-udeb_1.0.6+20090405.svn49-1_amd64.udeb
  to pool/main/c/cryptsetup/cryptsetup-udeb_1.0.6+20090405.svn49-1_amd64.udeb
cryptsetup_1.0.6+20090405.svn49-1.diff.gz
  to pool/main/c/cryptsetup/cryptsetup_1.0.6+20090405.svn49-1.diff.gz
cryptsetup_1.0.6+20090405.svn49-1.dsc
  to pool/main/c/cryptsetup/cryptsetup_1.0.6+20090405.svn49-1.dsc
cryptsetup_1.0.6+20090405.svn49-1_amd64.deb
  to pool/main/c/cryptsetup/cryptsetup_1.0.6+20090405.svn49-1_amd64.deb
cryptsetup_1.0.6+20090405.svn49.orig.tar.gz
  to pool/main/c/cryptsetup/cryptsetup_1.0.6+20090405.svn49.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 513596@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Meurer <mejo@debian.org> (supplier of updated cryptsetup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 06 Apr 2009 08:49:14 +0200
Source: cryptsetup
Binary: cryptsetup cryptsetup-udeb
Architecture: source amd64
Version: 2:1.0.6+20090405.svn49-1
Distribution: unstable
Urgency: low
Maintainer: Jonas Meurer <mejo@debian.org>
Changed-By: Jonas Meurer <mejo@debian.org>
Description: 
 cryptsetup - configures encrypted block devices
 cryptsetup-udeb - configures encrypted block devices (udeb)
Closes: 498964 507727 509066 509067 513149 513596 514729 516236 521469 521547 521673 521789 522338 522387
Changes: 
 cryptsetup (2:1.0.6+20090405.svn49-1) unstable; urgency=low
 .
   * New upstream svn snapshot. Highlights include:
     - Uses remapping to error target instead of calling udevsettle for
       temporary crypt device. (closes: #514729, #498964, #521547)
     - Removes lots of autoconf stuff as it's generated by autogen.sh anyway.
     - Uses autopoint in build process, thus needs to Build-Depend on cvs.
     - Fixes signal handler to proper close device.
     - Wipes start of device before LUKS-formatting.
     - Allows deletion of key slot with it's own key. (closes: #513596)
     - Checks device mapper communication and gives proper error message in
       case the communication fails. (closes: #507727)
   * Update debian patches accordingly:
     - Remove obsolete patches 01_gettext_package and 03_check_for_root
     - Update patch 02_manpage
   * Add missing newlines to some error messages in passdev.c. Thanks to
     Christoph Anton Mitterer for bugreport and patch. (closes: #509067)
   * Move keyscripts in initramfs from /keyscripts to /lib/cryptsetup/scripts
     for the sake of consistency between initramfs and normal system. Document
     this change in NEWS.Debian. (closes: #509066)
   * Fix $LOUD in cryptdisks.init and cryptdisks.functions to take effect. Add
     LOUD="yes" to cryptdisks_start. (closes: #513149)
   * cryptdisks_{start,stop}: print error message if no entry is found in
     crypttab for the given name.
   * Actually fix watchfile to work with code.google.com.
   * Update Homepage field to code.google.com URL. (closes: #516236)
   * Fix location of ltmain.sh, build-depend on versioned libtool.
     (closes: #521673, #522338)
   * Some minor changes to make lintian happy:
     - use set -e instead of /bin/sh -e in preinst.
     - link to GPL v2 in debian/copyright
   * Bump standards-version to 3.8.1, no changes needed.
   * Fix a typo in NEWS.Debian. (closes: #522387)
   * Taken from ubuntu:
     - debian/checks/un_vol_id: dynamically build the "unknown volume type"
       string, to allow for encrypted swap, (closes: #521789, #521469). Fix
       sed to replace '/' with '\/' instead of '\\/' in device names.
     - disable error message 'failed to setup lvm device' (LP 151532).
Package-Type: udeb






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 07 Jul 2009 07:40:02 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 11:09:49 2014; Machine Name: buxtehude.debian.org
