feat: update cryptsetup to 2:2.8.2-1

.codeql-config.yml

@@ -0,0 +1,31 @@
+name: "Cryptsetup CodeQL config"
+
+query-filters:
+- exclude:
+     id: cpp/fixme-comment
+- exclude:
+     id: cpp/empty-block
+- exclude:
+     id: cpp/poorly-documented-function
+- exclude:
+     id: cpp/loop-variable-changed
+- exclude:
+     id: cpp/empty-if
+- exclude:
+     id: cpp/long-switch
+- exclude:
+     id: cpp/complex-condition
+- exclude:
+     id: cpp/commented-out-code
+
+# These produce many false positives
+- exclude:
+     id: cpp/uninitialized-local
+- exclude:
+     id: cpp/path-injection
+- exclude:
+     id: cpp/missing-check-scanf
+
+# CodeQL should understand coverity [toctou] comments
+- exclude:
+     id: cpp/toctou-race-condition

.gitignore

@@ -1,6 +1,6 @@
 po/*gmo
 *~
-#Makefile
+Makefile
 Makefile.in
 Makefile.in.in
 *.lo
@@ -17,6 +17,7 @@ ABOUT-NLS
 aclocal.m4
 autom4te.cache/
 compile
+compile_commands.json
 config.guess
 config.h
 config.h.in

.gitlab-ci.yml

@@ -1,23 +1,23 @@
 stages:
   - test
+  - test-opal
 
-.dump_kernel_log:
+.fail_if_coredump_generated:
   after_script:
-    - sudo dmesg > /mnt/artifacts/dmesg.log
-    - sudo journalctl > /mnt/artifacts/journalctl.log
     - '[ "$(ls -A /var/coredumps)" ] && exit 1 || true'
 
 include:
   - local: .gitlab/ci/debian.yml
   - local: .gitlab/ci/fedora.yml
-  - local: .gitlab/ci/rhel.yml
+  - local: .gitlab/ci/fedora-opal.yml
   - local: .gitlab/ci/centos.yml
-  - local: .gitlab/ci/annocheck.yml
+#  - local: .gitlab/ci/annocheck.yml
   - local: .gitlab/ci/csmock.yml
   - local: .gitlab/ci/gitlab-shared-docker.yml
   - local: .gitlab/ci/compilation-various-disables.yml
   - local: .gitlab/ci/compilation-gcc.gitlab-ci.yml
   - local: .gitlab/ci/compilation-clang.gitlab-ci.yml
+  - local: .gitlab/ci/compilation-spellcheck.yml
   - local: .gitlab/ci/alpinelinux.yml
-  - local: .gitlab/ci/ubuntu-32bit.yml
+  - local: .gitlab/ci/debian-i686.yml
   - local: .gitlab/ci/cifuzz.yml

.gitlab/ci/alpinelinux.yml

@@ -1,14 +1,16 @@
 .alpinelinux-dependencies:
-  after_script:
-    - sudo dmesg > /mnt/artifacts/dmesg.log
-    - sudo cp /var/log/messages /mnt/artifacts/
-    - '[ "$(ls -A /var/coredumps)" ] && exit 1 || true'
+  variables:
+    DISTRO: cryptsetup-alpine-edge
+  extends:
+    - .fail_if_coredump_generated
   before_script:
     - >
       sudo apk add
-      lvm2-dev openssl1.1-compat-dev popt-dev util-linux-dev json-c-dev
-      argon2-dev device-mapper which sharutils gettext gettext-dev automake
+      lvm2-dev openssl-dev popt-dev util-linux-dev json-c-dev
+      argon2-dev device-mapper which sharutils gettext-dev argp-standalone automake
       autoconf libtool build-base keyutils tar jq expect git asciidoctor
+    # Be sure we have updated basic tools and system
+    - sudo apk upgrade gcc binutils build-base musl
     - ./autogen.sh
     - ./configure --prefix=/usr --libdir=/lib --sbindir=/sbin --disable-static --enable-libargon2 --with-crypto_backend=openssl --disable-external-tokens --disable-ssh-token --enable-asciidoc
 
@@ -17,7 +19,7 @@ test-main-commit-job-alpinelinux:
     - .alpinelinux-dependencies
   tags:
     - libvirt
-    - alpinelinux
+    - cryptsetup-alpine-edge
   stage: test
   interruptible: true
   variables:
@@ -38,7 +40,7 @@ test-mergerq-job-alpinelinux:
     - .alpinelinux-dependencies
   tags:
     - libvirt
-    - alpinelinux
+    - cryptsetup-alpine-edge
   stage: test
   interruptible: true
   variables:

.gitlab/ci/annocheck.yml

@@ -1,19 +1,18 @@
 test-main-commit-job-annocheck:
   extends:
-    - .dump_kernel_log
+    - .fail_if_coredump_generated
   tags:
     - libvirt
-    - rhel9-annocheck
+    - cryptsetup-rhel-9
   stage: test
   interruptible: true
   allow_failure: true
   variables:
+    DISTRO: cryptsetup-rhel-9
     RUN_SSH_PLUGIN_TEST: "1"
   rules:
     - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
       when: never
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
   script:
-    - /opt/build-rpm-script.sh > /dev/null 2>&1
-    - annocheck /var/lib/mock/rhel-9.0.0-candidate-x86_64/result/*.rpm --profile=el9
-    - annocheck /var/lib/mock/rhel-9.0.0-candidate-x86_64/result/*.rpm --profile=el8
+    - sudo /opt/run-annocheck.sh

.gitlab/ci/build_srpm

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -e
+
+SAVED_PWD=$(pwd)
+GIT_DIR="$SAVED_PWD/upstream_git"
+SPEC="$GIT_DIR/misc/fedora/cryptsetup.spec"
+
+rm -fr $GIT_DIR
+
+git clone -q --depth 1 https://gitlab.com/cryptsetup/cryptsetup.git $GIT_DIR
+cd $GIT_DIR
+
+GIT_COMMIT=$(git rev-parse --short=8 HEAD)
+[ -z "$GIT_COMMIT" ] && exit 1
+
+sed -i "s/^AC_INIT.*/AC_INIT([cryptsetup],[$GIT_COMMIT])/" $GIT_DIR/configure.ac
+sed -i "s/^Version:.*/Version: $GIT_COMMIT/" $SPEC
+sed -i "s/%{version_no_tilde}/$GIT_COMMIT/" $SPEC
+sed -i "2i %global source_date_epoch_from_changelog 0" $SPEC
+sed -i "3i %define _unpackaged_files_terminate_build 0" $SPEC
+
+./autogen.sh
+./configure
+make -j dist
+
+rpmbuild --define "_sourcedir $GIT_DIR" --define "_srcrpmdir $SAVED_PWD" -bs $SPEC
+
+cd $SAVED_PWD
+rm -fr $GIT_DIR
+
+exit 0

.gitlab/ci/centos.yml

@@ -1,14 +1,16 @@
 .centos-openssl-backend:
   extends:
-    - .dump_kernel_log
+    - .fail_if_coredump_generated
   before_script:
+    - sudo dnf clean all
     - >
       sudo dnf -y -q  install
       autoconf automake device-mapper-devel gcc gettext-devel json-c-devel
       libblkid-devel libpwquality-devel libselinux-devel libssh-devel libtool
       libuuid-devel make popt-devel libsepol-devel nc openssh-clients passwd
       pkgconfig sharutils sshpass tar uuid-devel vim-common device-mapper
-      expect gettext git jq keyutils openssl-devel openssl gem
+      expect gettext git jq keyutils openssl-devel openssl gem swtpm swtpm-tools
+      tpm2-tools
     - sudo gem install asciidoctor
     - sudo -E git clean -xdf
     - ./autogen.sh
@@ -21,11 +23,13 @@ test-main-commit-centos-stream9:
     - .centos-openssl-backend
   tags:
     - libvirt
-    - centos-stream9
+    - cryptsetup-centos-stream-9
   stage: test
   interruptible: true
   variables:
+    DISTRO: cryptsetup-centos-stream-9
     RUN_SSH_PLUGIN_TEST: "1"
+    RUN_KEYRING_TRUSTED_TEST: "1"
   rules:
     - if: $RUN_SYSTEMD_PLUGIN_TEST != null
       when: never
@@ -42,11 +46,59 @@ test-mergerq-centos-stream9:
     - .centos-openssl-backend
   tags:
     - libvirt
-    - centos-stream9
+    - cryptsetup-centos-stream-9
   stage: test
   interruptible: true
   variables:
+    DISTRO: cryptsetup-centos-stream-9
     RUN_SSH_PLUGIN_TEST: "1"
+    RUN_KEYRING_TRUSTED_TEST: "1"
+  rules:
+    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
+      when: never
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  script:
+    - make -j
+    - make -j -C tests check-programs
+    - sudo -E make check
+
+test-main-commit-centos-stream10:
+  extends:
+    - .centos-openssl-backend
+  tags:
+    - libvirt
+    - cryptsetup-centos-stream-10
+  stage: test
+  interruptible: true
+  variables:
+    DISTRO: cryptsetup-centos-stream-10
+    RUN_SSH_PLUGIN_TEST: "1"
+    RUN_KEYRING_TRUSTED_TEST: "1"
+  rules:
+    - if: $RUN_SYSTEMD_PLUGIN_TEST != null
+      when: never
+    - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH =~ /v2\..\.x$/
+  script:
+    - make -j
+    - make -j -C tests check-programs
+    - sudo -E make check
+
+test-mergerq-centos-stream10:
+  extends:
+    - .centos-openssl-backend
+  tags:
+    - libvirt
+    - cryptsetup-centos-stream-10
+  stage: test
+  interruptible: true
+  variables:
+    DISTRO: cryptsetup-centos-stream-10
+    RUN_SSH_PLUGIN_TEST: "1"
+    RUN_KEYRING_TRUSTED_TEST: "1"
   rules:
     - if: $RUN_SYSTEMD_PLUGIN_TEST != null
       when: never

.gitlab/ci/cibuild-setup-ubuntu.sh

@@ -5,17 +5,20 @@ set -ex
 PACKAGES=(
 	git make autoconf automake autopoint pkg-config libtool libtool-bin
 	gettext libssl-dev libdevmapper-dev libpopt-dev uuid-dev libsepol-dev
-	libjson-c-dev libssh-dev libblkid-dev tar libargon2-0-dev libpwquality-dev
-	sharutils dmsetup jq xxd expect keyutils netcat passwd openssh-client sshpass
-	asciidoctor
+	libjson-c-dev libssh-dev libblkid-dev tar libargon2-dev libpwquality-dev
+	sharutils dmsetup jq xxd expect keyutils netcat-openbsd passwd openssh-client
+	sshpass asciidoctor
 )
 
 COMPILER="${COMPILER:?}"
 COMPILER_VERSION="${COMPILER_VERSION:?}"
 
-grep -E '^deb' /etc/apt/sources.list > /etc/apt/sources.list~
-sed -Ei 's/^deb /deb-src /' /etc/apt/sources.list~
-cat /etc/apt/sources.list~ >> /etc/apt/sources.list
+sed -i 's/^Types: deb$/Types: deb deb-src/' /etc/apt/sources.list.d/ubuntu.sources
+
+# use this on older Ubuntu
+# grep -E '^deb' /etc/apt/sources.list > /etc/apt/sources.list~
+# sed -Ei 's/^deb /deb-src /' /etc/apt/sources.list~
+# cat /etc/apt/sources.list~ >> /etc/apt/sources.list
 
 apt-get -y update --fix-missing
 DEBIAN_FRONTEND=noninteractive apt-get -yq install software-properties-common wget lsb-release
@@ -28,7 +31,7 @@ if [[ $COMPILER == "gcc" ]]; then
 	PACKAGES+=(gcc-$COMPILER_VERSION)
 elif [[ $COMPILER == "clang" ]]; then
 	wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add -
-	add-apt-repository "deb http://apt.llvm.org/${RELEASE}/   llvm-toolchain-${RELEASE}-${COMPILER_VERSION} main"
+	add-apt-repository -n "deb http://apt.llvm.org/${RELEASE}/   llvm-toolchain-${RELEASE}-${COMPILER_VERSION} main"
 
 	# scan-build
 	PACKAGES+=(clang-tools-$COMPILER_VERSION clang-$COMPILER_VERSION lldb-$COMPILER_VERSION lld-$COMPILER_VERSION clangd-$COMPILER_VERSION)
@@ -37,14 +40,8 @@ else
 	exit 1
 fi
 
-apt-get -y update --fix-missing
+#apt-get -y update --fix-missing
+(r=3;while ! apt-get -y update --fix-missing ; do ((--r))||exit;sleep 5;echo "Retrying";done)
+
 DEBIAN_FRONTEND=noninteractive apt-get -yq install "${PACKAGES[@]}"
 apt-get -y build-dep cryptsetup
-
-echo "====================== VERSIONS ==================="
-if [[ $COMPILER == "clang" ]]; then
-	echo "Using scan-build${COMPILER_VERSION:+-$COMPILER_VERSION}"
-fi
-
-${COMPILER}-$COMPILER_VERSION -v
-echo "====================== END VERSIONS ==================="

.gitlab/ci/cifuzz.yml

@@ -1,46 +1,25 @@
 cifuzz:
-  variables:
-    OSS_FUZZ_PROJECT_NAME: cryptsetup
-    CFL_PLATFORM: gitlab
-    CIFUZZ_DEBUG: "True"
-    FUZZ_SECONDS: 300 # 5 minutes per fuzzer
-    ARCHITECTURE: "x86_64"
-    DRY_RUN: "False"
-    LOW_DISK_SPACE: "True"
-    BAD_BUILD_CHECK: "True"
-    LANGUAGE: "c"
-    DOCKER_HOST: "tcp://docker:2375"
-    DOCKER_IN_DOCKER: "true"
-    DOCKER_DRIVER: overlay2
-    DOCKER_TLS_CERTDIR: ""
-  image:
-    name: gcr.io/oss-fuzz-base/cifuzz-base
-    entrypoint: [""]
-  services:
-    - docker:dind
-
+  image: ubuntu:noble
+  tags:
+    - gitlab-org-docker
   stage: test
-  parallel:
-    matrix:
-      - SANITIZER: [address, undefined, memory]
+  interruptible: true
   rules:
-    # Default code change.
-    # - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    #   variables:
-    #     MODE: "code-change"
     - if: $CI_PROJECT_PATH != "cryptsetup/cryptsetup"
       when: never
     - if: $BUILD_AND_RUN_FUZZERS != null
   before_script:
-    # Get gitlab's container id.
-    - export CFL_CONTAINER_ID=`cut -c9- < /proc/1/cpuset`
+    - apt-get -y update
+    - >
+      apt-get -y install -y -qq git clang make autoconf automake autopoint
+      pkgconf libtool libtool-bin gettext libssl-dev libdevmapper-dev
+      libpopt-dev uuid-dev libsepol-dev libjson-c-dev libssh-dev libblkid-dev
+      flex bison cmake ninja-build
+  parallel:
+    matrix:
+      # memory does not work for now
+      - SANITIZER: [address, undefined]
   script:
-    # Will build and run the fuzzers.
-    # We use a hack to override CI_JOB_ID, because otherwise a bad path is used
-    # in GitLab CI environment
-    - CI_JOB_ID="$CI_PROJECT_NAMESPACE/$CI_PROJECT_TITLE" python3 "/opt/oss-fuzz/infra/cifuzz/cifuzz_combined_entrypoint.py"
-  artifacts:
-    # Upload artifacts when a crash makes the job fail.
-    when: always
-    paths:
-      - artifacts/
+    - cd tests/fuzz
+    - ./oss-fuzz-build.sh
+    - ls -l out