From a8e8825ee1b7ebb1c8af2bc95c64ed10c056414e Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Sun, 18 Dec 2022 14:02:20 -0800
Subject: cryptsetup: Upgrade to 2.6.0

- Disable documentation as it needs asciidoctor which is not available
- Rename cryptsetup-reencrypt packageconfig to luks2-reencryption to match
  the relevant configure option.
- Add a patch to enable 64bit off_t and lfs64

Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
 .../0001-Replace-off64_t-with-off_t.patch          | 101 +++++++++++++++++
 .../recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb  | 116 --------------------
 .../recipes-crypto/cryptsetup/cryptsetup_2.6.0.bb  | 119 +++++++++++++++++++++
 3 files changed, 220 insertions(+), 116 deletions(-)
 create mode 100644 meta-oe/recipes-crypto/cryptsetup/cryptsetup/0001-Replace-off64_t-with-off_t.patch
 delete mode 100644 meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb
 create mode 100644 meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.6.0.bb

(limited to 'meta-oe')

diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup/0001-Replace-off64_t-with-off_t.patch b/meta-oe/recipes-crypto/cryptsetup/cryptsetup/0001-Replace-off64_t-with-off_t.patch
new file mode 100644
index 0000000000..23aa86c0fb
--- /dev/null
+++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup/0001-Replace-off64_t-with-off_t.patch
@@ -0,0 +1,101 @@
+From 683d0c525765415be34c269edf9cc066276f9f65 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sun, 18 Dec 2022 13:53:51 -0800
+Subject: [PATCH] Replace off64_t with off_t
+
+AC_SYS_LARGEFILE autoconf macro is in use in configure script which will
+add needed feature macros on commandline to enable 64bit off_t.
+
+Also replace lseek64 with lseek, since it will be same when
+_FILE_OFFSET_BITS=64 is defined on relevant platforms via AC_SYS_LARGEFILE
+
+Upstream-Status: Submitted [https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests/467]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ lib/utils.c                 |  4 ++--
+ lib/utils_wipe.c            |  4 ++--
+ src/utils_reencrypt_luks1.c | 12 ++++++------
+ 3 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/lib/utils.c b/lib/utils.c
+index 9d79ee29..be5f5287 100644
+--- a/lib/utils.c
++++ b/lib/utils.c
+@@ -102,9 +102,9 @@ static int keyfile_seek(int fd, uint64_t bytes)
+ 	char tmp[BUFSIZ];
+ 	size_t next_read;
+ 	ssize_t bytes_r;
+-	off64_t r;
++	off_t r;
+ 
+-	r = lseek64(fd, bytes, SEEK_CUR);
++	r = lseek(fd, bytes, SEEK_CUR);
+ 	if (r > 0)
+ 		return 0;
+ 	if (r < 0 && errno != ESPIPE)
+diff --git a/lib/utils_wipe.c b/lib/utils_wipe.c
+index 285a9e77..0c376f44 100644
+--- a/lib/utils_wipe.c
++++ b/lib/utils_wipe.c
+@@ -150,7 +150,7 @@ static int wipe_block(struct crypt_device *cd, int devfd, crypt_wipe_pattern pat
+ 	if (blockdev && pattern == CRYPT_WIPE_ZERO &&
+ 	    !wipe_zeroout(cd, devfd, offset, wipe_block_size)) {
+ 		/* zeroout ioctl does not move offset */
+-		if (lseek64(devfd, offset + wipe_block_size, SEEK_SET) < 0) {
++		if (lseek(devfd, offset + wipe_block_size, SEEK_SET) < 0) {
+ 			log_err(cd, _("Cannot seek to device offset."));
+ 			return -EINVAL;
+ 		}
+@@ -221,7 +221,7 @@ int crypt_wipe_device(struct crypt_device *cd,
+ 	if (r)
+ 		goto out;
+ 
+-	if (lseek64(devfd, offset, SEEK_SET) < 0) {
++	if (lseek(devfd, offset, SEEK_SET) < 0) {
+ 		log_err(cd, _("Cannot seek to device offset."));
+ 		r = -EINVAL;
+ 		goto out;
+diff --git a/src/utils_reencrypt_luks1.c b/src/utils_reencrypt_luks1.c
+index 96368bdb..d83a1da4 100644
+--- a/src/utils_reencrypt_luks1.c
++++ b/src/utils_reencrypt_luks1.c
+@@ -729,8 +729,8 @@ static int copy_data_forward(struct reenc_ctx *rc, int fd_old, int fd_new,
+ 
+ 	log_dbg("Reencrypting in forward direction.");
+ 
+-	if (lseek64(fd_old, rc->device_offset, SEEK_SET) < 0 ||
+-	    lseek64(fd_new, rc->device_offset, SEEK_SET) < 0) {
++	if (lseek(fd_old, rc->device_offset, SEEK_SET) < 0 ||
++	    lseek(fd_new, rc->device_offset, SEEK_SET) < 0) {
+ 		log_err(_("Cannot seek to device offset."));
+ 		goto out;
+ 	}
+@@ -788,7 +788,7 @@ static int copy_data_backward(struct reenc_ctx *rc, int fd_old, int fd_new,
+ 			      size_t block_size, void *buf, uint64_t *bytes)
+ {
+ 	ssize_t s1, s2, working_block;
+-	off64_t working_offset;
++	off_t working_offset;
+ 	int r = -EIO;
+ 	char *backing_file = NULL;
+ 	struct tools_progress_params prog_parms = {
+@@ -827,8 +827,8 @@ static int copy_data_backward(struct reenc_ctx *rc, int fd_old, int fd_new,
+ 			working_block = block_size;
+ 		}
+ 
+-		if (lseek64(fd_old, working_offset, SEEK_SET) < 0 ||
+-		    lseek64(fd_new, working_offset, SEEK_SET) < 0) {
++		if (lseek(fd_old, working_offset, SEEK_SET) < 0 ||
++		    lseek(fd_new, working_offset, SEEK_SET) < 0) {
+ 			log_err(_("Cannot seek to device offset."));
+ 			goto out;
+ 		}
+@@ -874,7 +874,7 @@ static void zero_rest_of_device(int fd, size_t block_size, void *buf,
+ 
+ 	log_dbg("Zeroing rest of device.");
+ 
+-	if (lseek64(fd, offset, SEEK_SET) < 0) {
++	if (lseek(fd, offset, SEEK_SET) < 0) {
+ 		log_dbg("Cannot seek to device offset.");
+ 		return;
+ 	}
diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb
deleted file mode 100644
index 652fd66614..0000000000
--- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb
+++ /dev/null
@@ -1,116 +0,0 @@
-SUMMARY = "Manage plain dm-crypt and LUKS encrypted volumes"
-DESCRIPTION = "Cryptsetup is used to conveniently setup dm-crypt managed \
-device-mapper mappings. These include plain dm-crypt volumes and \
-LUKS volumes. The difference is that LUKS uses a metadata header \
-and can hence offer more features than plain dm-crypt. On the other \
-hand, the header is visible and vulnerable to damage."
-HOMEPAGE = "https://gitlab.com/cryptsetup/cryptsetup"
-SECTION = "console"
-LICENSE = "GPL-2.0-with-OpenSSL-exception"
-LIC_FILES_CHKSUM = "file://COPYING;md5=32107dd283b1dfeb66c9b3e6be312326"
-
-DEPENDS = " \
-    json-c \
-    libdevmapper \
-    popt \
-    util-linux-libuuid \
-"
-
-DEPENDS:append:libc-musl = " argp-standalone"
-LDFLAGS:append:libc-musl = " -largp"
-
-SRC_URI = "${KERNELORG_MIRROR}/linux/utils/${BPN}/v${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}/${BP}.tar.xz"
-SRC_URI[sha256sum] = "fc0df945188172264ec5bf1d0bda08264fadc8a3f856d47eba91f31fe354b507"
-
-inherit autotools gettext pkgconfig
-
-# Use openssl because libgcrypt drops root privileges
-# if libgcrypt is linked with libcap support
-PACKAGECONFIG ??= " \
-    keyring \
-    cryptsetup \
-    veritysetup \
-    cryptsetup-reencrypt \
-    integritysetup \
-    ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \
-    kernel_crypto \
-    internal-argon2 \
-    blkid \
-    luks-adjust-xts-keysize \
-    openssl \
-    ssh-token \
-"
-PACKAGECONFIG:append:class-target = " \
-    udev \
-"
-
-PACKAGECONFIG[keyring] = "--enable-keyring,--disable-keyring"
-PACKAGECONFIG[fips] = "--enable-fips,--disable-fips"
-PACKAGECONFIG[pwquality] = "--enable-pwquality,--disable-pwquality,libpwquality"
-PACKAGECONFIG[passwdqc] = "--enable-passwdqc,--disable-passwdqc,passwdqc"
-PACKAGECONFIG[cryptsetup] = "--enable-cryptsetup,--disable-cryptsetup"
-PACKAGECONFIG[veritysetup] = "--enable-veritysetup,--disable-veritysetup"
-PACKAGECONFIG[cryptsetup-reencrypt] = "--enable-cryptsetup-reencrypt,--disable-cryptsetup-reencrypt"
-PACKAGECONFIG[integritysetup] = "--enable-integritysetup,--disable-integritysetup"
-PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux"
-PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev lvm2-udevrules"
-PACKAGECONFIG[kernel_crypto] = "--enable-kernel_crypto,--disable-kernel_crypto"
-# gcrypt-pkbdf2 requries --with-crypto_backend=gcrypt or the flag isn't
-# recognized.
-PACKAGECONFIG[gcrypt-pbkdf2] = "--enable-gcrypt-pbkdf2"
-PACKAGECONFIG[internal-argon2] = "--enable-internal-argon2,--disable-internal-argon2"
-PACKAGECONFIG[internal-sse-argon2] = "--enable-internal-sse-argon2,--disable-internal-sse-argon2"
-PACKAGECONFIG[blkid] = "--enable-blkid,--disable-blkid,util-linux"
-PACKAGECONFIG[dev-random] = "--enable-dev-random,--disable-dev-random"
-PACKAGECONFIG[luks-adjust-xts-keysize] = "--enable-luks-adjust-xts-keysize,--disable-luks-adjust-xts-keysize"
-PACKAGECONFIG[openssl] = "--with-crypto_backend=openssl,,openssl"
-PACKAGECONFIG[gcrypt] = "--with-crypto_backend=gcrypt,,libgcrypt"
-PACKAGECONFIG[nss] = "--with-crypto_backend=nss,,nss"
-PACKAGECONFIG[kernel] = "--with-crypto_backend=kernel"
-PACKAGECONFIG[nettle] = "--with-crypto_backend=nettle,,nettle"
-PACKAGECONFIG[luks2] = "--with-default-luks-format=LUKS2,--with-default-luks-format=LUKS1"
-PACKAGECONFIG[ssh-token] = "--enable-ssh-token,--disable-ssh-token,libssh"
-
-EXTRA_OECONF = "--enable-static"
-# Building without largefile is not supported by upstream
-EXTRA_OECONF += "--enable-largefile"
-# Requires a static popt library
-EXTRA_OECONF += "--disable-static-cryptsetup"
-# There's no recipe for libargon2 yet
-EXTRA_OECONF += "--disable-libargon2"
-
-# libcryptsetup default PBKDF algorithm, Argon2 memory cost (KB), parallel threads and iteration time (ms)
-LUKS2_PBKDF ?= "argon2i"
-LUKS2_MEMORYKB ?= "1048576"
-LUKS2_PARALLEL_THREADS ?= "4"
-LUKS2_ITERTIME ?= "2000"
-
-EXTRA_OECONF += "--with-luks2-pbkdf=${LUKS2_PBKDF} \
-    --with-luks2-memory-kb=${LUKS2_MEMORYKB} \
-    --with-luks2-parallel-threads=${LUKS2_PARALLEL_THREADS} \
-    --with-luks2-iter-time=${LUKS2_ITERTIME}"
-
-do_install:append() {
-    # The /usr/lib/cryptsetup directory is always created, even when ssh-token
-    # is disabled. In that case it is empty and causes a packaging error. Since
-    # there is no reason to distribute the empty directory, the easiest solution
-    # is to remove it if it is empty.
-    rmdir -p --ignore-fail-on-non-empty ${D}${libdir}/${BPN}
-}
-
-FILES:${PN} += "${@bb.utils.contains('DISTRO_FEATURES','systemd','${exec_prefix}/lib/tmpfiles.d/cryptsetup.conf', '', d)}"
-
-RDEPENDS:${PN} = " \
-    libdevmapper \
-"
-
-RRECOMMENDS:${PN}:class-target = " \
-    kernel-module-aes-generic \
-    kernel-module-dm-crypt \
-    kernel-module-md5 \
-    kernel-module-cbc \
-    kernel-module-sha256-generic \
-    kernel-module-xts \
-"
-
-BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.6.0.bb b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.6.0.bb
new file mode 100644
index 0000000000..1d4f440871
--- /dev/null
+++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.6.0.bb
@@ -0,0 +1,119 @@
+SUMMARY = "Manage plain dm-crypt and LUKS encrypted volumes"
+DESCRIPTION = "Cryptsetup is used to conveniently setup dm-crypt managed \
+device-mapper mappings. These include plain dm-crypt volumes and \
+LUKS volumes. The difference is that LUKS uses a metadata header \
+and can hence offer more features than plain dm-crypt. On the other \
+hand, the header is visible and vulnerable to damage."
+HOMEPAGE = "https://gitlab.com/cryptsetup/cryptsetup"
+SECTION = "console"
+LICENSE = "GPL-2.0-with-OpenSSL-exception"
+LIC_FILES_CHKSUM = "file://COPYING;md5=32107dd283b1dfeb66c9b3e6be312326"
+
+DEPENDS = " \
+    json-c \
+    libdevmapper \
+    popt \
+    util-linux-libuuid \
+"
+
+DEPENDS:append:libc-musl = " argp-standalone"
+LDFLAGS:append:libc-musl = " -largp"
+
+SRC_URI = "${KERNELORG_MIRROR}/linux/utils/${BPN}/v${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}/${BP}.tar.xz \
+           file://0001-Replace-off64_t-with-off_t.patch \
+           "
+SRC_URI[sha256sum] = "44397ba76e75a9cde5b02177bc63cd7af428a785788e3a7067733e7761842735"
+
+inherit autotools gettext pkgconfig
+
+# Use openssl because libgcrypt drops root privileges
+# if libgcrypt is linked with libcap support
+PACKAGECONFIG ??= " \
+    keyring \
+    cryptsetup \
+    veritysetup \
+    luks2-reencryption \
+    integritysetup \
+    ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \
+    kernel_crypto \
+    internal-argon2 \
+    blkid \
+    luks-adjust-xts-keysize \
+    openssl \
+    ssh-token \
+"
+PACKAGECONFIG:append:class-target = " \
+    udev \
+"
+
+PACKAGECONFIG[keyring] = "--enable-keyring,--disable-keyring"
+PACKAGECONFIG[fips] = "--enable-fips,--disable-fips"
+PACKAGECONFIG[pwquality] = "--enable-pwquality,--disable-pwquality,libpwquality"
+PACKAGECONFIG[passwdqc] = "--enable-passwdqc,--disable-passwdqc,passwdqc"
+PACKAGECONFIG[cryptsetup] = "--enable-cryptsetup,--disable-cryptsetup"
+PACKAGECONFIG[veritysetup] = "--enable-veritysetup,--disable-veritysetup"
+PACKAGECONFIG[luks2-reencryption] = "--enable-luks2-reencryption,--disable-luks2-reencryption"
+PACKAGECONFIG[integritysetup] = "--enable-integritysetup,--disable-integritysetup"
+PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux"
+PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev lvm2-udevrules"
+PACKAGECONFIG[kernel_crypto] = "--enable-kernel_crypto,--disable-kernel_crypto"
+# gcrypt-pkbdf2 requries --with-crypto_backend=gcrypt or the flag isn't
+# recognized.
+PACKAGECONFIG[gcrypt-pbkdf2] = "--enable-gcrypt-pbkdf2"
+PACKAGECONFIG[internal-argon2] = "--enable-internal-argon2,--disable-internal-argon2"
+PACKAGECONFIG[internal-sse-argon2] = "--enable-internal-sse-argon2,--disable-internal-sse-argon2"
+PACKAGECONFIG[blkid] = "--enable-blkid,--disable-blkid,util-linux"
+PACKAGECONFIG[dev-random] = "--enable-dev-random,--disable-dev-random"
+PACKAGECONFIG[luks-adjust-xts-keysize] = "--enable-luks-adjust-xts-keysize,--disable-luks-adjust-xts-keysize"
+PACKAGECONFIG[openssl] = "--with-crypto_backend=openssl,,openssl"
+PACKAGECONFIG[gcrypt] = "--with-crypto_backend=gcrypt,,libgcrypt"
+PACKAGECONFIG[nss] = "--with-crypto_backend=nss,,nss"
+PACKAGECONFIG[kernel] = "--with-crypto_backend=kernel"
+PACKAGECONFIG[nettle] = "--with-crypto_backend=nettle,,nettle"
+PACKAGECONFIG[luks2] = "--with-default-luks-format=LUKS2,--with-default-luks-format=LUKS1"
+PACKAGECONFIG[ssh-token] = "--enable-ssh-token,--disable-ssh-token,libssh"
+
+EXTRA_OECONF = "--enable-static"
+# Building without largefile is not supported by upstream
+EXTRA_OECONF += "--enable-largefile"
+# Requires a static popt library
+EXTRA_OECONF += "--disable-static-cryptsetup"
+# There's no recipe for libargon2 yet
+EXTRA_OECONF += "--disable-libargon2"
+# Disable documentation, there is no asciidoctor-native available in OE
+EXTRA_OECONF += "--disable-asciidoc"
+# libcryptsetup default PBKDF algorithm, Argon2 memory cost (KB), parallel threads and iteration time (ms)
+LUKS2_PBKDF ?= "argon2i"
+LUKS2_MEMORYKB ?= "1048576"
+LUKS2_PARALLEL_THREADS ?= "4"
+LUKS2_ITERTIME ?= "2000"
+
+EXTRA_OECONF += "--with-luks2-pbkdf=${LUKS2_PBKDF} \
+    --with-luks2-memory-kb=${LUKS2_MEMORYKB} \
+    --with-luks2-parallel-threads=${LUKS2_PARALLEL_THREADS} \
+    --with-luks2-iter-time=${LUKS2_ITERTIME}"
+
+do_install:append() {
+    # The /usr/lib/cryptsetup directory is always created, even when ssh-token
+    # is disabled. In that case it is empty and causes a packaging error. Since
+    # there is no reason to distribute the empty directory, the easiest solution
+    # is to remove it if it is empty.
+    rmdir -p --ignore-fail-on-non-empty ${D}${libdir}/${BPN}
+}
+
+FILES:${PN} += "${@bb.utils.contains('DISTRO_FEATURES','systemd','${exec_prefix}/lib/tmpfiles.d/cryptsetup.conf', '', d)}"
+
+RDEPENDS:${PN} = " \
+    libdevmapper \
+"
+
+RRECOMMENDS:${PN}:class-target = " \
+    kernel-module-aes-generic \
+    kernel-module-dm-crypt \
+    kernel-module-md5 \
+    kernel-module-cbc \
+    kernel-module-sha256-generic \
+    kernel-module-xts \
+"
+
+BBCLASSEXTEND = "native nativesdk"
-- 
cgit v1.2.3-54-g00ecf