Description of problem:
After luksDelKey the keyslot must be unusable - it is, because the key slot area is wiped. But for security correctness it should also clear the additional information in the header (salt and iteration count), the same as newer cryptsetup does. (Moreover, it allows using the upstream tests subset for QA.)

Version-Release number of selected component (if applicable):
cryptsetup-luks-1.0.3-7.el5

Fix is trivial.
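The residue described above is visible directly in the LUKS1 header: each of the eight keyslot entries carries its own salt and iteration count, so a slot that was wiped but not fully cleared still exposes the parameters its passphrase was derived with. The following checker is an added example written for this page, not code from the bug report or from cryptsetup itself. It assumes only the documented LUKS1 on-disk layout (592-byte header, keyslot entries of 48 bytes starting at offset 208, active markers 0x00AC71F3 / 0x0000DEAD) and builds a constructed sample header in which slot 1 was deleted the pre-fix way and slot 2 the fixed way; the builder, the sample values and the helper names are this example's own.

```python
import struct

# LUKS1 on-disk header constants (LUKS1 specification). The sample header
# further down is constructed for this example, not taken from a device.
LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS_KEY_ENABLED = 0x00AC71F3
LUKS_KEY_DISABLED = 0x0000DEAD
LUKS_NUMKEYS = 8
LUKS_PHDR_SIZE = 592
KEYSLOT_BASE = 208   # first keyslot entry in the header
KEYSLOT_SIZE = 48    # active(4) iterations(4) salt(32) km_offset(4) stripes(4)
SALT_SIZE = 32


def parse_luks1_keyslots(header: bytes) -> list:
    """Parse the eight keyslot entries of a LUKS1 header into dicts."""
    if len(header) < LUKS_PHDR_SIZE or header[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS1 header")
    (version,) = struct.unpack_from(">H", header, 6)
    if version != 1:
        raise ValueError("unsupported LUKS header version %d" % version)
    slots = []
    for i in range(LUKS_NUMKEYS):
        off = KEYSLOT_BASE + i * KEYSLOT_SIZE
        active, iterations = struct.unpack_from(">II", header, off)
        salt = header[off + 8:off + 8 + SALT_SIZE]
        km_offset, stripes = struct.unpack_from(">II", header, off + 8 + SALT_SIZE)
        slots.append({
            "index": i,
            "active": active,
            "iterations": iterations,
            "salt": salt,
            "key_material_offset": km_offset,
            "stripes": stripes,
        })
    return slots


def stale_disabled_slots(header: bytes) -> list:
    """Indices of slots marked disabled whose salt or iteration count were
    left behind in the header, i.e. the residue this bug report is about."""
    return [
        s["index"]
        for s in parse_luks1_keyslots(header)
        if s["active"] == LUKS_KEY_DISABLED
        and (s["iterations"] != 0 or any(s["salt"]))
    ]


def build_sample_header(slot_states) -> bytes:
    """Construct a minimal LUKS1 header (constructed test data) whose keyslot
    entries are filled from (active, iterations, salt) tuples."""
    hdr = bytearray(LUKS_PHDR_SIZE)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)              # version 1
    hdr[8:8 + 3] = b"aes"                          # cipher-name
    hdr[40:40 + 9] = b"cbc-essiv"                  # cipher-mode
    hdr[72:72 + 4] = b"sha1"                       # hash-spec
    struct.pack_into(">II", hdr, 104, 2056, 32)    # payload-offset, key-bytes
    for i, (active, iterations, salt) in enumerate(slot_states):
        off = KEYSLOT_BASE + i * KEYSLOT_SIZE
        struct.pack_into(">II", hdr, off, active, iterations)
        hdr[off + 8:off + 8 + SALT_SIZE] = salt
        struct.pack_into(">II", hdr, off + 8 + SALT_SIZE, 8 + i * 256, 4000)
    return bytes(hdr)


# Constructed sample: slot 0 in use; slot 1 deleted by the pre-fix code path
# (key material wiped, salt and iteration count left in the header); slot 2
# deleted by the fixed code path; slots 3..7 never used.
SAMPLE_HEADER = build_sample_header(
    [(LUKS_KEY_ENABLED, 118000, b"\x11" * SALT_SIZE),
     (LUKS_KEY_DISABLED, 118000, b"\x22" * SALT_SIZE),
     (LUKS_KEY_DISABLED, 0, bytes(SALT_SIZE))]
    + [(LUKS_KEY_DISABLED, 0, bytes(SALT_SIZE))] * 5
)

if __name__ == "__main__":
    for s in parse_luks1_keyslots(SAMPLE_HEADER):
        state = "ENABLED" if s["active"] == LUKS_KEY_ENABLED else "DISABLED"
        print("slot %d: %-8s iter=%-6d salt=%s"
              % (s["index"], state, s["iterations"], s["salt"].hex()))
    print("disabled slots with stale salt/iterations:",
          stale_disabled_slots(SAMPLE_HEADER))
```

To audit a real volume, feed parse_luks1_keyslots() the first 592 bytes of the device or of a header backup; any slot reported by stale_disabled_slots() was deleted by a cryptsetup that wiped the key material but not the slot's header fields, which is exactly what the fixed package is expected to no longer produce.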
Fixed in cryptsetup-luks-1.0.3-8.el5.
I ran the test suite from comment #2 against cryptsetup-luks-1.0.3-8.el5 and CASE [8] passed:

# make
gcc -O0 -g -Wall -c -o differ.o differ.c
gcc -o differ differ.o
./compat-test
CASE: [1] open - compat image - acceptance check
key slot 0 unlocked.
Command successful.
CASE: [2] open - compat image - denial check
CASE: [3] format
Command successful.
CASE: [4] format using hash sha512
Command successful.
CASE: [5] open
key slot 0 unlocked.
Command successful.
CASE: [6] add key
key slot 0 unlocked.
Command successful.
key slot 1 unlocked.
Command successful.
CASE: [7] unsuccessful delete
CASE: [8] successful delete
Command successful.
key slot 0 unlocked.
Command successful.
CASE: [9] add key test for key files
key slot 0 unlocked.
Command successful.
key slot 1 unlocked.
Command successful.
CASE: [10] delete key test with key1 as remaining key
Command successful.
key slot 1 unlocked.
Command successful.
CASE: [11] delete last key
Command successful.
Command successful.
CASE: [12] parameter variation test
Command successful.
key slot 0 unlocked.
Command successful.
CASE: [13] open/close - stacked devices
Command successful.
key slot 0 unlocked.
Command successful.
Command successful.
key slot 0 unlocked.
Command successful.
CASE: [14] Keyslots
Command successful.
key slot 0 unlocked.
Command successful.
key slot 0 unlocked.
Command successful.
key slot 2 unlocked.
Command successful.
CASE: [15] RemoveKey passphrase and keyfile
Command successful.
CASE: [16] create & status & resize
CASE: [17] remove disappeared device
Command successful.
key slot 0 unlocked.
Command successful.
./mode-test
aes PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
aes-plain PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
aes-ecb PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
twofish-ecb PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
serpent-ecb PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
aes-cbc-null [n/a]
aes-cbc-benbi PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
aes-cbc-plain PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
aes-cbc-plain64 PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
aes-cbc-essiv:sha256 PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
aes-lrw-null [n/a]
aes-lrw-benbi [n/a]
aes-lrw-plain [n/a]
aes-lrw-plain64 [n/a]
aes-lrw-essiv:sha256 [n/a]
aes-xts-null [n/a]
aes-xts-benbi PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
aes-xts-plain PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
aes-xts-plain64 PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
aes-xts-essiv:sha256 PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
twofish-cbc-null [n/a]
twofish-cbc-benbi PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
twofish-cbc-plain PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
twofish-cbc-plain64 PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
twofish-cbc-essiv:sha256 PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
twofish-lrw-null [n/a]
twofish-lrw-benbi [n/a]
twofish-lrw-plain [n/a]
twofish-lrw-plain64 [n/a]
twofish-lrw-essiv:sha256 [n/a]
twofish-xts-null [n/a]
twofish-xts-benbi PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
twofish-xts-plain PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
twofish-xts-plain64 PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
twofish-xts-essiv:sha256 PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
serpent-cbc-null [n/a]
serpent-cbc-benbi PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
serpent-cbc-plain PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
serpent-cbc-plain64 PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
serpent-cbc-essiv:sha256 PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
serpent-lrw-null [n/a]
serpent-lrw-benbi [n/a]
serpent-lrw-plain [n/a]
serpent-lrw-plain64 [n/a]
serpent-lrw-essiv:sha256 [n/a]
serpent-xts-null [n/a]
serpent-xts-benbi PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
serpent-xts-plain PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
serpent-xts-plain64 PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
serpent-xts-essiv:sha256 PLAIN:[table OK][status OK] LUKS:[table OK][status OK] CHECKSUM:[OK]
./password-hash-test
HASH: ripemd160 KSIZE: 0 / pwd [OK]
HASH: ripemd160 KSIZE: 256 / pwd [OK]
HASH: ripemd160 KSIZE: 128 / pwd [OK]
HASH: sha1 KSIZE: 256 / pwd [OK]
HASH: sha1 KSIZE: 128 / pwd [OK]
HASH: sha256 KSIZE: 256 / pwd [OK]
HASH: sha256 KSIZE: 128 / pwd [OK]
HASH: ripemd160 KSIZE: 256 / file [OK]
HASH: sha256 KSIZE: 256 / file [OK]
HASH: ripemd160 KSIZE: 256 / file [OK]
HASH: sha256 KSIZE: 256 / file [OK]
HASH: sha256 KSIZE: 128 / file [OK]
HASH: sha256 KSIZE: 512 / file [OK]
# echo $?
0
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
When removing a key from the key slot by running the "cryptsetup luksDelKey" command, only the key slot itself was cleared, but the salt and iteration count remained in the key slot header. All additional information is now cleared as well.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0987.html