From a7e23cd6de28636bf1740d995b80574e00011346add24034f5e9fb0af6df585b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Fri, 3 May 2024 11:55:48 +0200 Subject: [PATCH] Sync from SUSE:SLFO:Main cryptsetup revision a3b65fc70655f817e62499452695dec5 --- .gitattributes | 23 + baselibs.conf | 3 + cryptsetup-2.6.1.tar.sign | 16 + cryptsetup-2.6.1.tar.xz | 3 + ...al-memory-available-also-in-PBKDF-be.patch | 72 + ...-killer-on-low-memory-systems-withou.patch | 160 ++ ...-detected-free-memory-on-systems-wit.patch | 41 + cryptsetup.changes | 1944 +++++++++++++++++ cryptsetup.keyring | 56 + cryptsetup.spec | 236 ++ 10 files changed, 2554 insertions(+) create mode 100644 .gitattributes create mode 100644 baselibs.conf create mode 100644 cryptsetup-2.6.1.tar.sign create mode 100644 cryptsetup-2.6.1.tar.xz create mode 100644 cryptsetup-Check-for-physical-memory-available-also-in-PBKDF-be.patch create mode 100644 cryptsetup-Try-to-avoid-OOM-killer-on-low-memory-systems-withou.patch create mode 100644 cryptsetup-Use-only-half-of-detected-free-memory-on-systems-wit.patch create mode 100644 cryptsetup.changes create mode 100644 cryptsetup.keyring create mode 100644 cryptsetup.spec diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/baselibs.conf b/baselibs.conf
new file mode 100644
index 0000000..63dacec
--- /dev/null
+++ b/baselibs.conf
@@ -0,0 +1,3 @@
+libcryptsetup12
+ provides "libcryptsetup12-hmac- = %{version}"
+ obsoletes "libcryptsetup12-hmac- < %{version}"
diff --git a/cryptsetup-2.6.1.tar.sign b/cryptsetup-2.6.1.tar.sign
new file mode 100644
index 0000000..5730336
--- /dev/null
+++ b/cryptsetup-2.6.1.tar.sign
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAmPlHwIACgkQ2bBXe9k+ +mPwtxg/+PohA6Ygk3e61i0IZmLdvHO2PJG3JefLxf1QDqImkKcALgUdNrt/qv1SZ +CBtM4pmYXfhIpYzavSPZdAC0nLvKkx66PpQRCk/ZmUSNZJ8IzmoM5MPZhWLspYtK +Z4mVXJz+UVdCAf7ayK7li9A+a947jpVKFlc5hSiQ8SnmkT8X0MhqGPLsO9Z6ndNK ++VpBPozZ1YQ6THYp2so5lF3BW9G6YAkm5XhN6IQreDCdZwF0Y4lff6G9PNHFSLpC +k9yLmvUgDsDNTcEjXeKbtvIlOzjjHfhJkEmyo9jNDWNUSU6wt5RqnCZmd1VbCQyB +HVCKb9Y0Yoz9rvzFBWnU6d1ZCe3aKLrVF89yK6mJ7CYh4CVURMJmIJ+1rEeg2z5n +NhXSLrMMF+Q9P/VNupOMec1DOg2OMRKExps5r7kvDeVOz9FmJoguMxAu1+dt0Ze8 +4b86ii2F+Py2tOy5OzQu7PvQkKbl8dvi8qJM8cEovKIsWiHTp/2Heo0gjXaLJ/kK +v/821T9v3ZO7dmtlhgps9q4xEjWV/u3kWwXXFgEtKby48UVzTGNXsDDdkrVEdy2J +jKBnqO31mGa8ButNRQvZ6rEOPFaCmdpy95/u5v22LhlACdkEwt5Cky0t6NMKSpvp +sSgVzYmU6Pk5RdOzZCt1pyIPwEfJa1y5N1k/kuBasdqPw95RRsM= +=m/Re +-----END PGP SIGNATURE----- diff --git a/cryptsetup-2.6.1.tar.xz b/cryptsetup-2.6.1.tar.xz new file mode 100644 index 0000000..aeb3569 --- /dev/null +++ b/cryptsetup-2.6.1.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:410ded65a1072ab9c8e41added37b9729c087fef4d2db02bb4ef529ad6da4693 +size 11402380 diff --git a/cryptsetup-Check-for-physical-memory-available-also-in-PBKDF-be.patch b/cryptsetup-Check-for-physical-memory-available-also-in-PBKDF-be.patch new file mode 100644 index 0000000..3b22f0c --- /dev/null +++ b/cryptsetup-Check-for-physical-memory-available-also-in-PBKDF-be.patch 
@@ -0,0 +1,72 @@ +From 7893c33d71cde09e240234c484c6c468f22c2fe7 Mon Sep 17 00:00:00 2001 +From: Milan Broz +Date: Mon, 3 Apr 2023 13:31:16 +0200 +Subject: [PATCH] Check for physical memory available also in PBKDF benchmark. + +--- + lib/internal.h | 1 + + lib/utils_benchmark.c | 9 +++++++++ + lib/utils_pbkdf.c | 4 ++-- + 3 files changed, 12 insertions(+), 2 deletions(-) + +Index: cryptsetup-2.6.1/lib/internal.h +=================================================================== +--- cryptsetup-2.6.1.orig/lib/internal.h ++++ cryptsetup-2.6.1/lib/internal.h +@@ -89,6 +89,7 @@ int crypt_benchmark_pbkdf_internal(struc + struct crypt_pbkdf_type *pbkdf, + size_t volume_key_size); + const char *crypt_get_cipher_spec(struct crypt_device *cd); ++uint32_t pbkdf_adjusted_phys_memory_kb(void); + + /* Device backend */ + struct device; +Index: cryptsetup-2.6.1/lib/utils_benchmark.c +=================================================================== +--- cryptsetup-2.6.1.orig/lib/utils_benchmark.c ++++ cryptsetup-2.6.1/lib/utils_benchmark.c +@@ -101,6 +101,7 @@ int crypt_benchmark_pbkdf(struct crypt_d + { + int r, priority; + const char *kdf_opt; ++ uint32_t memory_kb; + + if (!pbkdf || (!password && password_size)) + return -EINVAL; +@@ -113,6 +114,14 @@ int crypt_benchmark_pbkdf(struct crypt_d + + log_dbg(cd, "Running %s(%s) benchmark.", pbkdf->type, kdf_opt); + ++ memory_kb = pbkdf_adjusted_phys_memory_kb(); ++ if (memory_kb < pbkdf->max_memory_kb) { ++ log_dbg(cd, "Not enough physical memory detected, " ++ "PBKDF max memory decreased from %dkB to %dkB.", ++ pbkdf->max_memory_kb, memory_kb); ++ pbkdf->max_memory_kb = memory_kb; ++ } ++ + crypt_process_priority(cd, &priority, true); + r = crypt_pbkdf_perf(pbkdf->type, pbkdf->hash, password, password_size, + salt, salt_size, volume_key_size, pbkdf->time_ms, +Index: cryptsetup-2.6.1/lib/utils_pbkdf.c +=================================================================== +--- cryptsetup-2.6.1.orig/lib/utils_pbkdf.c ++++ 
cryptsetup-2.6.1/lib/utils_pbkdf.c +@@ -61,7 +61,7 @@ const struct crypt_pbkdf_type *crypt_get + return NULL; + } + +-static uint32_t adjusted_phys_memory(void) ++uint32_t pbkdf_adjusted_phys_memory_kb(void) + { + uint64_t memory_kb = crypt_getphysmemory_kb(); + +@@ -249,7 +249,7 @@ int init_pbkdf_type(struct crypt_device + } + + if (cd_pbkdf->max_memory_kb) { +- memory_kb = adjusted_phys_memory(); ++ memory_kb = pbkdf_adjusted_phys_memory_kb(); + if (cd_pbkdf->max_memory_kb > memory_kb) { + log_dbg(cd, "Not enough physical memory detected, " + "PBKDF max memory decreased from %dkB to %dkB.", diff --git a/cryptsetup-Try-to-avoid-OOM-killer-on-low-memory-systems-withou.patch b/cryptsetup-Try-to-avoid-OOM-killer-on-low-memory-systems-withou.patch new file mode 100644 index 0000000..4b61884 --- /dev/null +++ b/cryptsetup-Try-to-avoid-OOM-killer-on-low-memory-systems-withou.patch 
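Review bot: The clamp added to `crypt_benchmark_pbkdf()` in lib/utils_benchmark.c overwrites `pbkdf->max_memory_kb` in the caller's structure and reports the reduction only through `log_dbg`, so a lower memory cost is picked with nothing visible at normal verbosity. If the benchmark result is what later sizes the keyslot's memory-hard KDF (that consumer is not on this page), this reduces offline-guessing resistance; I would record the side effect on the function, e.g. `/* May lower pbkdf->max_memory_kb in place when physical memory is short. */`, and consider a user-visible log level for the message. The new format string also prints `memory_kb`, declared `uint32_t` in this hunk, with `%d`; `"PBKDF max memory decreased from %ukB to %ukB."` would match, and the identical message visible in `init_pbkdf_type()` has the same mismatch. The body of `crypt_benchmark_pbkdf()` continues outside the inner hunks.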
@@ -0,0 +1,160 @@ +From 899bad8c06957a94a198d1eaa293ed8db205f1de Mon Sep 17 00:00:00 2001 +From: Milan Broz +Date: Mon, 20 Feb 2023 16:45:36 +0100 +Subject: [PATCH] Try to avoid OOM killer on low-memory systems without swap. + +Benchmark for memory-hard KDF is tricky, seems that relying +on maximum half of physical memory is not enough. + +Let's allow only free physical available space if there is no swap. +This should not cause changes on normal systems, at least. +--- + lib/internal.h | 2 ++ + lib/utils.c | 47 ++++++++++++++++++++++++++++++++++++++++++++++ + lib/utils_pbkdf.c | 11 ++++++++++- + tests/api-test-2.c | 12 ++++++++---- + 4 files changed, 67 insertions(+), 5 deletions(-) + +Index: cryptsetup-2.6.1/lib/internal.h +=================================================================== +--- cryptsetup-2.6.1.orig/lib/internal.h ++++ cryptsetup-2.6.1/lib/internal.h +@@ -169,6 +169,8 @@ int crypt_uuid_cmp(const char *dm_uuid, + size_t crypt_getpagesize(void); + unsigned crypt_cpusonline(void); + uint64_t crypt_getphysmemory_kb(void); ++uint64_t crypt_getphysmemoryfree_kb(void); ++bool crypt_swapavailable(void); + + int init_crypto(struct crypt_device *ctx); + +Index: cryptsetup-2.6.1/lib/utils.c +=================================================================== +--- cryptsetup-2.6.1.orig/lib/utils.c ++++ cryptsetup-2.6.1/lib/utils.c +@@ -59,6 +59,53 @@ uint64_t crypt_getphysmemory_kb(void) + return phys_memory_kb; + } + ++uint64_t crypt_getphysmemoryfree_kb(void) ++{ ++ long pagesize, phys_pages; ++ uint64_t phys_memoryfree_kb; ++ ++ pagesize = sysconf(_SC_PAGESIZE); ++ phys_pages = sysconf(_SC_AVPHYS_PAGES); ++ ++ if (pagesize < 0 || phys_pages < 0) ++ return 0; ++ ++ phys_memoryfree_kb = pagesize / 1024; ++ phys_memoryfree_kb *= phys_pages; ++ ++ return phys_memoryfree_kb; ++} ++ ++bool crypt_swapavailable(void) ++{ ++ int fd; ++ ssize_t size; ++ char buf[4096], *p; ++ uint64_t total; ++ ++ if ((fd = open("/proc/meminfo", O_RDONLY)) < 0) ++ return true; ++ 
++ size = read(fd, buf, sizeof(buf)); ++ close(fd); ++ if (size < 1) ++ return true; ++ ++ if (size < (ssize_t)sizeof(buf)) ++ buf[size] = 0; ++ else ++ buf[sizeof(buf) - 1] = 0; ++ ++ p = strstr(buf, "SwapTotal:"); ++ if (!p) ++ return true; ++ ++ if (sscanf(p, "SwapTotal: %" PRIu64 " kB", &total) != 1) ++ return true; ++ ++ return total > 0; ++} ++ + void crypt_process_priority(struct crypt_device *cd, int *priority, bool raise) + { + int _priority, new_priority; +Index: cryptsetup-2.6.1/lib/utils_pbkdf.c +=================================================================== +--- cryptsetup-2.6.1.orig/lib/utils_pbkdf.c ++++ cryptsetup-2.6.1/lib/utils_pbkdf.c +@@ -63,7 +63,7 @@ const struct crypt_pbkdf_type *crypt_get + + uint32_t pbkdf_adjusted_phys_memory_kb(void) + { +- uint64_t memory_kb = crypt_getphysmemory_kb(); ++ uint64_t free_kb, memory_kb = crypt_getphysmemory_kb(); + + /* Ignore bogus value */ + if (memory_kb < (128 * 1024) || memory_kb > UINT32_MAX) +@@ -75,6 +75,15 @@ uint32_t pbkdf_adjusted_phys_memory_kb(v + */ + memory_kb /= 2; + ++ /* ++ * Never use more that available free space on system without swap. 
++ */ ++ if (!crypt_swapavailable()) { ++ free_kb = crypt_getphysmemoryfree_kb(); ++ if (free_kb > (64 * 1024) && free_kb < memory_kb) ++ return free_kb; ++ } ++ + return memory_kb; + } + +Index: cryptsetup-2.6.1/tests/api-test-2.c +=================================================================== +--- cryptsetup-2.6.1.orig/tests/api-test-2.c ++++ cryptsetup-2.6.1/tests/api-test-2.c +@@ -2802,7 +2802,8 @@ static void Pbkdf(void) + OK_(strcmp(pbkdf->type, default_luks2_pbkdf)); + OK_(strcmp(pbkdf->hash, default_luks1_hash)); + EQ_(pbkdf->time_ms, default_luks2_iter_time); +- EQ_(pbkdf->max_memory_kb, adjusted_pbkdf_memory()); ++ GE_(pbkdf->max_memory_kb, 64 * 1024); ++ GE_(adjusted_pbkdf_memory(), pbkdf->max_memory_kb); + EQ_(pbkdf->parallel_threads, _min(cpus_online(), default_luks2_parallel_threads)); + // set and verify argon2 type + OK_(crypt_set_pbkdf_type(cd, &argon2)); +@@ -2827,7 +2828,8 @@ static void Pbkdf(void) + OK_(strcmp(pbkdf->type, default_luks2_pbkdf)); + OK_(strcmp(pbkdf->hash, default_luks1_hash)); + EQ_(pbkdf->time_ms, default_luks2_iter_time); +- EQ_(pbkdf->max_memory_kb, adjusted_pbkdf_memory()); ++ GE_(pbkdf->max_memory_kb, 64 * 1024); ++ GE_(adjusted_pbkdf_memory(), pbkdf->max_memory_kb); + EQ_(pbkdf->parallel_threads, _min(cpus_online(), default_luks2_parallel_threads)); + // try to pass illegal values + argon2.parallel_threads = 0; +@@ -2858,14 +2860,16 @@ static void Pbkdf(void) + OK_(strcmp(pbkdf->type, default_luks2_pbkdf)); + OK_(strcmp(pbkdf->hash, default_luks1_hash)); + EQ_(pbkdf->time_ms, default_luks2_iter_time); +- EQ_(pbkdf->max_memory_kb, adjusted_pbkdf_memory()); ++ GE_(pbkdf->max_memory_kb, 64 * 1024); ++ GE_(adjusted_pbkdf_memory(), pbkdf->max_memory_kb); + EQ_(pbkdf->parallel_threads, _min(cpus_online(), default_luks2_parallel_threads)); + crypt_set_iteration_time(cd, 1); + OK_(crypt_load(cd, CRYPT_LUKS, NULL)); + OK_(strcmp(pbkdf->type, default_luks2_pbkdf)); + OK_(strcmp(pbkdf->hash, default_luks1_hash)); + 
EQ_(pbkdf->time_ms, 1); +- EQ_(pbkdf->max_memory_kb, adjusted_pbkdf_memory()); ++ GE_(pbkdf->max_memory_kb, 64 * 1024); ++ GE_(adjusted_pbkdf_memory(), pbkdf->max_memory_kb); + EQ_(pbkdf->parallel_threads, _min(cpus_online(), default_luks2_parallel_threads)); + CRYPT_FREE(cd); + diff --git a/cryptsetup-Use-only-half-of-detected-free-memory-on-systems-wit.patch b/cryptsetup-Use-only-half-of-detected-free-memory-on-systems-wit.patch new file mode 100644 index 0000000..ac5ab35 --- /dev/null +++ b/cryptsetup-Use-only-half-of-detected-free-memory-on-systems-wit.patch @@ -0,0 +1,41 @@ +From 6721d3a8b29b13fe88aeeaefe09d457e99d1c6fa Mon Sep 17 00:00:00 2001 +From: Milan Broz +Date: Mon, 17 Apr 2023 13:41:17 +0200 +Subject: [PATCH] Use only half of detected free memory on systems without + swap. + +As tests shows, limiting used Argon2 memory to free memory on +systems without swap is still not enough. +Use just half of it, this should bring needed margin while +still use Argon2. + +Note, for very-low memory constrained systems user should +avoid memory-hard PBKDF (IOW manually select PBKDF2), we +do not do this automatically. +--- + lib/utils_pbkdf.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +Index: cryptsetup-2.6.1/lib/utils_pbkdf.c +=================================================================== +--- cryptsetup-2.6.1.orig/lib/utils_pbkdf.c ++++ cryptsetup-2.6.1/lib/utils_pbkdf.c +@@ -76,10 +76,17 @@ uint32_t pbkdf_adjusted_phys_memory_kb(v + memory_kb /= 2; + + /* +- * Never use more that available free space on system without swap. ++ * Never use more that half of available free memory on system without swap. + */ + if (!crypt_swapavailable()) { + free_kb = crypt_getphysmemoryfree_kb(); ++ ++ /* ++ * Using exactly free memory causes OOM too, use only half of the value. ++ * Ignore small values (< 64MB), user should use PBKDF2 in such environment. ++ */ ++ free_kb /= 2; ++ + if (free_kb > (64 * 1024) && free_kb < memory_kb) + return free_kb; + } 
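Review bot: Every failure path in `crypt_swapavailable()` returns `true`, so if `/proc/meminfo` cannot be opened, the single 4096-byte `read()` returns short, or `SwapTotal:` lies beyond that buffer, the new free-memory cap in `pbkdf_adjusted_phys_memory_kb()` is skipped without any trace. Falling back to the pre-patch half-of-RAM limit looks deliberate, but nothing states it; a comment above the function such as `/* On any read or parse failure assume swap exists, i.e. keep the half-of-RAM limit. */` would make the direction explicit for the next maintainer. The count from `sysconf(_SC_AVPHYS_PAGES)` is also a point-in-time sample that can be stale by the time the KDF allocates, which deserves a one-line caveat next to the `free_kb` check. The relaxed `GE_` assertions in tests/api-test-2.c now only bound the value from both sides, so they no longer detect which of the two limits was applied.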
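Review bot: After the added `free_kb /= 2;`, the guard `free_kb > (64 * 1024) && free_kb < memory_kb` falls through to `return memory_kb` whenever the halved free memory is at or below 64 MiB, so the most constrained swap-less systems get the largest limit (half of physical RAM) instead of the smallest. The new comment says small values are ignored and that PBKDF2 should be used there, but the function takes no `cd` and so cannot tell the user; the comment should at least state the consequence, e.g. `/* At or below 64 MiB the cap is not applied and half of physical RAM is returned; OOM is still possible. */`. The comparison excludes exactly 64 MiB while the comment says `< 64MB`, and the rewritten comment line keeps the typo `more that` for `more than`. `pbkdf_adjusted_phys_memory_kb()` starts outside this hunk.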
diff --git a/cryptsetup.changes b/cryptsetup.changes new file mode 100644 index 0000000..0d7c453 --- /dev/null +++ b/cryptsetup.changes 
@@ -0,0 +1,1944 @@ +------------------------------------------------------------------- +Thu Jul 13 09:46:24 UTC 2023 - Pedro Monreal + +- luksFormat: Handle system with low memory and no swap space [bsc#1211079] + * Check for physical memory available also in PBKDF benchmark. + * Try to avoid OOM killer on low-memory systems without swap. + * Use only half of detected free memory on systems without swap. + * Add patches: + - cryptsetup-Check-for-physical-memory-available-also-in-PBKDF-be.patch + - cryptsetup-Try-to-avoid-OOM-killer-on-low-memory-systems-withou.patch + - cryptsetup-Use-only-half-of-detected-free-memory-on-systems-wit.patch + +------------------------------------------------------------------- +Wed Jun 14 08:07:56 UTC 2023 - Pedro Monreal + +- Enable running the regression test suite. +- Force a regeneration of the man pages from AsciiDoc. +- Add LUKS1 and LUKS2 On-Disk Format Specification pdfs to doc. + +------------------------------------------------------------------- +Wed Jun 14 07:31:41 UTC 2023 - Pedro Monreal + +- FIPS: Remove not needed libcryptsetup12-hmac package that contains + the HMAC checksums for integrity checking for FIPS. [bsc#1185116] + * Remove the cryptsetup-rpmlintrc file. + * Remove not needed fipscheck dependency. + +------------------------------------------------------------------- +Sun Feb 12 21:15:43 UTC 2023 - Andreas Stieger + +- cryptsetup 2.6.1 + * bitlk: Fixes for BitLocker-compatible on-disk metadata parser + * Fix possible iteration overflow in OpenSSL2 PBKDF2 crypto + backend + * portability and compilation fixes + * verity: Fix possible hash offset setting overflow. + * bitlk: Fix use of startup BEK key on big-endian platforms. + * Do not initiate encryption (reencryption command) when the + header and data devices are the same. If data device reduction + is not requsted, this leads to data corruption since LUKS + metadata was written over the data device. + * Fix possible memory leak if crypt_load() fails. 
+ * Always use passphrases with a minimal 8 chars length for + benchmarking, as used in some implementation of FIPS mode + +------------------------------------------------------------------- +Tue Dec 27 10:30:22 UTC 2022 - Ludwig Nussel + +- Replace transitional %usrmerged macro with regular version check (boo#1206798) + +------------------------------------------------------------------- +Mon Nov 28 13:51:24 UTC 2022 - Paolo Stivanin + +- cryptsetup 2.6.0: + * Introduce support for handling macOS FileVault2 devices (FVAULT2). + * libcryptsetup: no longer use global memory locking through mlockall() + * libcryptsetup: process priority is increased only for key derivation + (PBKDF) calls. + * Add new LUKS keyslot context handling functions and API. + * The volume key may now be extracted using a passphrase, keyfile, or + token. For LUKS devices, it also returns the volume key after + a successful crypt_format call. + * Fix --disable-luks2-reencryption configuration option. + * cryptsetup: Print a better error message and warning if the format + produces an image without space available for data. + * Print error if anti-forensic LUKS2 hash setting is not available. + If the specified hash was not available, activation quietly failed. + * Fix internal crypt segment compare routine if the user + specified cipher in kernel format (capi: prefix). + * cryptsetup: Add token unassign action. + This action allows removing token binding on specific keyslot. + * veritysetup: add support for --use-tasklets option. + This option sets try_verify_in_tasklet kernel dm-verity option + (available since Linux kernel 6.0) to allow some performance + improvement on specific systems. + * Provide pkgconfig Require.private settings. + While we do not completely provide static build on udev systems, + it helps produce statically linked binaries in certain situations. + * Always update automake library files if autogen.sh is run. 
+ For several releases, we distributed older automake scripts by mistake. + * reencryption: Fix user defined moved segment size in LUKS2 decryption. + The --hotzone-size argument was ignored in cases where the actual data + size was less than the original LUKS2 data offset. + * Delegate FIPS mode detection to configured crypto backend. + System FIPS mode check no longer depends on /etc/system-fips file. + * Update documentation, including FAQ and man pages. + +------------------------------------------------------------------- +Tue Sep 13 15:52:52 UTC 2022 - Luca Boccassi + +- Add virtual provides for 'integritysetup' and 'veritysetup' to match + package names provided by Fedora/RHEL, to allow the same set of + dependencies to be used across all RPM distributions. + +------------------------------------------------------------------- +Mon Aug 22 08:38:16 UTC 2022 - Ludwig Nussel + +- cryptsetup 2.5.0: + * Split manual pages into per-action pages and use AsciiDoc format. + * Remove cryptsetup-reencrypt tool from the project and move reencryption + to already existing "cryptsetup reencrypt" command. + If you need to emulate the old cryptsetup-reencrypt binary, use simple + wrappers script running "exec cryptsetup reencrypt $@". + * LUKS2: implement --decryption option that allows LUKS removal. + * Fix decryption operation with --active-name option and restrict + it to be used only with LUKS2. + * Do not refresh reencryption digest when not needed. + This should speed up the reencryption resume process. + * Store proper resilience data in LUKS2 reencrypt initialization. + Resuming reencryption now does not require specification of resilience + type parameters if these are the same as during initialization. + * Properly wipe the unused area after reencryption with datashift in + the forward direction. + * Check datashift value against larger sector size. + For example, it could cause an issue if misaligned 4K sector appears + during decryption. 
+ * Do not allow sector size increase reencryption in offline mode. + * Do not allow dangerous sector size change during reencryption. + * Ask the user for confirmation before resuming reencryption. + * Do not resume reencryption with conflicting parameters. + * Add --force-offline-reencrypt option. + * Do not allow nested encryption in LUKS reencrypt. + * Support all options allowed with luksFormat with encrypt action. + * Add resize action to integritysetup. + * Remove obsolete dracut plugin reencryption example. + * Fix possible keyslot area size overflow during conversion to LUKS2. + * Allow use of --header option for cryptsetup close. + * Fix activation of LUKS2 device with integrity and detached header. + * Add ZEROOUT IOCTL support for crypt_wipe API call. + * VERITY: set loopback sector size according to dm-verity block sizes. + * veritysetup: dump device sizes. + * LUKS2 token: prefer token PIN query before passphrase in some cases. + When a user provides --token-type or specific --token-id, a token PIN + query is preferred to a passphrase query. + * LUKS2 token: allow tokens to be replaced with --token-replace option + for cryptsetup token command. + * LUKS2 token: do not continue operation when interrupted in PIN prompt. + * Add --progress-json parameter to utilities. + * Add support for --key-slot option in luksResume action. +- move man pages to separate subpackage +- drop backports handling + +------------------------------------------------------------------- +Fri Jan 14 19:19:43 UTC 2022 - Andreas Stieger + +- cryptsetup 2.4.3: + * Fix possible attacks against data confidentiality through + LUKS2 online reencryption extension crash recovery + CVE-2021-4122, boo#1194469 + * Add configure option --disable-luks2-reencryption to completely + disable LUKS2 reencryption code. 
+ * Improve internal metadata validation code for reencryption + metadata + * Add updated documentation for LUKS2 On-Disk Format + Specification version 1.1.0 + * Fix support for bitlk (BitLocker compatible) startup key with + new metadata entry introduced in Windows 11 + * Fix space restriction for LUKS2 reencryption with data shift + +------------------------------------------------------------------- +Thu Nov 18 20:15:22 UTC 2021 - Andreas Stieger + +- cryptsetup 2.4.2: + * Fix possible large memory allocation if LUKS2 header size is + invalid. + * Fix memory corruption in debug message printing LUKS2 + checksum. + * veritysetup: remove link to the UUID library for the static + build. + * Remove link to pwquality library for integritysetup and + veritysetup. These tools do not read passphrases. + * OpenSSL3 backend: avoid remaining deprecated calls in API. + Crypto backend no longer use API deprecated in OpenSSL 3.0 + * Check if kernel device-mapper create device failed in an early + phase. This happens when a concurrent creation of device-mapper + devices meets in the very early state. + * Do not set compiler optimization flag for Argon2 KDF if the + memory wipe is implemented in libc. + * Do not attempt to unload LUKS2 tokens if external tokens are + disabled. This allows building a static binary with + --disable-external-tokens. + * LUKS convert: also check sysfs for device activity. + If udev symlink is missing, code fallbacks to sysfs scan to + prevent data corruption for the active device. + +------------------------------------------------------------------- +Thu Sep 16 15:23:52 UTC 2021 - Ludwig Nussel + +- cryptsetup 2.4.1 + * Fix compilation for libc implementations without dlvsym(). + * Fix compilation and tests on systems with non-standard libraries + * Try to workaround some issues on systems without udev support. + * Fixes for OpenSSL3 crypto backend (including FIPS mode). + * Print error message when assigning a token to an inactive keyslot. 
+ * Fix offset bug in LUKS2 encryption code if --offset option was used. + * Do not allow LUKS2 decryption for devices with data offset. + * Fix LUKS1 cryptsetup repair command for some specific problems. + +------------------------------------------------------------------- +Wed Aug 25 13:46:12 UTC 2021 - Ludwig Nussel + +- As YaST passes necessary parameters to cryptsetup anyway, we do + not necessarily need to take grub into consideration. So back to + Argon2 to see how it goes. + +------------------------------------------------------------------- +Tue Aug 3 13:42:20 UTC 2021 - Ludwig Nussel + +- need to use PBKDF2 by default for LUKS2 as grub can't decrypt when + using Argon. + +------------------------------------------------------------------- +Mon Aug 2 14:43:51 UTC 2021 - Ludwig Nussel + +- cryptsetup 2.4.0 (jsc#SLE-20275) + * External LUKS token plugins + * Experimental SSH token + * Default LUKS2 PBKDF is now Argon2id + * Increase minimal memory cost for Argon2 benchmark to 64MiB. + * Autodetect optimal encryption sector size on LUKS2 format. + * Use VeraCrypt option by default and add --disable-veracrypt option. + * Support --hash and --cipher to limit opening time for TCRYPT type + * Fixed default OpenSSL crypt backend support for OpenSSL3. + * integritysetup: add integrity-recalculate-reset flag. + * cryptsetup: retains keyslot number in luksChangeKey for LUKS2. + * Fix cryptsetup resize using LUKS2 tokens. + * Add close --deferred and --cancel-deferred options. + * Rewritten command-line option parsing to avoid libpopt arguments + memory leaks. + * Add --test-args option. + +------------------------------------------------------------------- +Mon Aug 2 12:39:40 UTC 2021 - Fabian Vogt + +- Use LUKS2 as default format on Tumbleweed. + It provides some additional features which other tools + (e.g. systemd-cryptenroll) rely on. GRUB 2.06 supports unlocking + LUKS2 volumes meanwhile. 
+ +------------------------------------------------------------------- +Thu Jul 1 12:50:25 UTC 2021 - Ludwig Nussel + +- cryptsetup 2.3.6: + * integritysetup: Fix possible dm-integrity mapping table truncation. + * cryptsetup: Backup header can be used to activate TCRYPT device. + Use --header option to specify the header. + * cryptsetup: Avoid LUKS2 decryption without detached header. + This feature will be added later and is currently not supported. + * Additional fixes and workarounds for common warnings produced + by some static analysis tools (like gcc-11 analyzer) and additional + code hardening. + * Fix standalone libintl detection for compiled tests. + * Add Blake2b and Blake2s hash support for crypto backends. + Kernel and gcrypt crypto backend support all variants. + OpenSSL supports only Blake2b-512 and Blake2s-256. + Crypto backend supports kernel notation e.g. "blake2b-512". + +------------------------------------------------------------------- +Sat Mar 13 11:29:54 UTC 2021 - Andreas Stieger + +- cryptsetup 2.3.5: + * Fix partial reads of passphrase from an interactive terminal + * Fix maximum length of password entered through a terminal + * integritysetup: support new dm-integrity HMAC recalculation + options + * integritysetup: display of recalculating sector in dump command + * veritysetup: fix verity FEC if stored in the same image with + hashes + * veritysetup: run FEC repair check even if root hash fails + * veritysetup: do not process hash image if hash area is empty + * veritysetup: store verity hash algorithm in superblock in + lowercase + * bitlk: fix a crash if the device disappears during BitLocker + scan + * bitlk: show a better error when trying to open an NTFS device + * bitlk: add support for startup key protected VMKs + * Fix LUKS1 repair code (regression since version 1.7.x) + * Fix luksKeyChange for LUKS2 with assigned tokens + * Fix cryptsetup resize using LUKS2 tokens + * Print a visible error if device resize is not supported + * 
Add error message when suspending wrong non-LUKS device + * Fix default XTS mode key size in reencryption + * Rephrase missing locking directory warning and move it to + debug level + * Many fixes for the use of cipher_null (empty debug cipher) + * Fixes for libpasswdqc 2.0.x (optional passphrase quality check) + * Fixes for problems discovered by various tools for code + analysis + * Various fixes to man pages +- silence hmac packaging warnings + +------------------------------------------------------------------- +Fri Mar 12 22:39:39 UTC 2021 - Dirk Müller + +- move licenses to licensedir + +------------------------------------------------------------------- +Tue Dec 8 08:52:50 UTC 2020 - Ludwig Nussel + +- SLE marker: implements jsc#SLE-5911, bsc#1165580, jsc#SLE-145149 + +------------------------------------------------------------------- +Wed Nov 4 17:33:26 UTC 2020 - Ludwig Nussel + +- prepare usrmerge (boo#1029961) + +------------------------------------------------------------------- +Fri Sep 4 09:49:31 CEST 2020 - Ludwig Nussel + +- Update to 2.3.4: + * Fix a possible out-of-bounds memory write while validating LUKS2 data + segments metadata (CVE-2020-14382, boo#1176128). + * Ignore reported optimal IO size if not aligned to minimal page size. + * Added support for new no_read/write_wrokqueue dm-crypt options (kernel 5.9). + * Added support panic_on_corruption option for dm-verity devices (kernel 5.9). + * Support --master-key-file option for online LUKS2 reencryption + * Always return EEXIST error code if a device already exists. + * Fix a problem in integritysetup if a hash algorithm has dash in the name. + * Fix crypto backend to properly handle ECB mode. + * TrueCrypt/VeraCrypt compatible mode now supports the activation of devices + with a larger sector. + * LUKS2: Do not create excessively large headers. + * Fix unspecified sector size for BitLocker compatible mode. + * Fix reading key data size in metadata for BitLocker compatible mode. 
+ +------------------------------------------------------------------- +Thu May 28 18:43:29 UTC 2020 - Andreas Stieger + +- Update to 2.3.3: + * Fix BitLocker compatible device access that uses native 4kB + sectors + * Support large IV count (--iv-large-sectors) cryptsetup option + for plain device mapping + * Fix a memory leak in BitLocker compatible handling + * Allow EBOIV (Initialization Vector algorithm) use + * LUKS2: Require both keyslot cipher and key size option, do + not fail silently +- includes changes from 2.3.2: + * Add option to dump content of LUKS2 unbound keyslot + * Add support for discards (TRIM) for standalone dm-integrity + devices (Kernel 5.7) via --allow-discards, not for LUKS2 + * Fix cryptsetup-reencrypt to work on devices that do not allow + direct-io device access. + * Fix a crash in the BitLocker-compatible code error path + * Fix Veracrypt compatible support for longer (>64 bytes) + passphrases + +------------------------------------------------------------------- +Thu Apr 2 14:27:18 UTC 2020 - Ludwig Nussel + +- Split translations to -lang package +- New version to 2.3.1 + * Support VeraCrypt 128 bytes passwords. + VeraCrypt now allows passwords of maximal length 128 bytes + (compared to legacy TrueCrypt where it was limited by 64 bytes). + * Strip extra newline from BitLocker recovery keys + There might be a trailing newline added by the text editor when + the recovery passphrase was passed using the --key-file option. + * Detect separate libiconv library. + It should fix compilation issues on distributions with iconv + implemented in a separate library. + * Various fixes and workarounds to build on old Linux distributions. + * Split lines with hexadecimal digest printing for large key-sizes. + * Do not wipe the device with no integrity profile. + With --integrity none we performed useless full device wipe. + * Workaround for dm-integrity kernel table bug. 
+ Some kernels show an invalid dm-integrity mapping table + if superblock contains the "recalculate" bit. This causes + integritysetup to not recognize the dm-integrity device. + Integritysetup now specifies kernel options such a way that + even on unpatched kernels mapping table is correct. + * Print error message if LUKS1 keyslot cannot be processed. + If the crypto backend is missing support for hash algorithms + used in PBKDF2, the error message was not visible. + * Properly align LUKS2 keyslots area on conversion. + If the LUKS1 payload offset (data offset) is not aligned + to 4 KiB boundary, new LUKS2 keyslots area in now aligned properly. + * Validate LUKS2 earlier on conversion to not corrupt the device + if binary keyslots areas metadata are not correct. + +------------------------------------------------------------------- +Tue Feb 4 07:59:24 UTC 2020 - Paolo Stivanin + +- Update to 2.3.0 (include release notes for 2.2.0) + * BITLK (Windows BitLocker compatible) device access + * Veritysetup now supports activation with additional PKCS7 signature + of root hash through --root-hash-signature option. + * Integritysetup now calculates hash integrity size according to algorithm + instead of requiring an explicit tag size. + * Integritysetup now supports fixed padding for dm-integrity devices. + * A lot of fixes to online LUKS2 reecryption. + * Add crypt_resume_by_volume_key() function to libcryptsetup. + If a user has a volume key available, the LUKS device can be resumed + directly using the provided volume key. + No keyslot derivation is needed, only the key digest is checked. + * Implement active device suspend info. + Add CRYPT_ACTIVATE_SUSPENDED bit to crypt_get_active_device() flags + that informs the caller that device is suspended (luksSuspend). + * Allow --test-passphrase for a detached header. + Before this fix, we required a data device specified on the command + line even though it was not necessary for the passphrase check. 
+ * Allow --key-file option in legacy offline encryption.
+ The option was ignored for LUKS1 encryption initialization.
+ * Export memory safe functions.
+ To make developing of some extensions simpler, we now export
+ functions to handle memory with proper wipe on deallocation.
+ * Fail crypt_keyslot_get_pbkdf for inactive LUKS1 keyslot.
+ * Add optional global serialization lock for memory hard PBKDF.
+ * Abort conversion to LUKS1 with incompatible sector size that is
+ not supported in LUKS1.
+ * Report error (-ENOENT) if no LUKS keyslots are available. User can now
+ distinguish between a wrong passphrase and no keyslot available.
+ * Fix a possible segfault in detached header handling (double free).
+ * Add integritysetup support for bitmap mode introduced in Linux kernel 5.2.
+ * The libcryptsetup now keeps all file descriptors to underlying device
+ open during the whole lifetime of crypt device context to avoid excessive
+ scanning in udev (udev run scan on every descriptor close).
+ * The luksDump command now prints more info for reencryption keyslot
+ (when a device is in-reencryption).
+ * New --device-size parameter is supported for LUKS2 reencryption.
+ * New --resume-only parameter is supported for LUKS2 reencryption.
+ * The repair command now tries LUKS2 reencryption recovery if needed.
+ * If reencryption device is a file image, an interactive dialog now
+ asks if reencryption should be run safely in offline mode
+ (if autodetection of active devices failed).
+ * Fix activation through a token where dm-crypt volume key was not
+ set through keyring (but using old device-mapper table parameter mode).
+ * Online reencryption can now retain all keyslots (if all passphrases
+ are provided). Note that keyslot numbers will change in this case.
+ * Allow volume key file to be used if no LUKS2 keyslots are present.
+ * Print a warning if online reencrypt is called over LUKS1 (not supported).
+ * Fix TCRYPT KDF failure in FIPS mode.
+ * Remove FIPS mode restriction for crypt_volume_key_get.
+ * Reduce keyslots area size in luksFormat when the header device is too small.
+ * Make resize action accept --device-size parameter (supports units suffix).
+
+-------------------------------------------------------------------
+Thu Oct 17 11:55:51 UTC 2019 - Vítězslav Čížek
+
+- Create a weak dependency cycle between libcryptsetup and
+ libcryptsetup-hmac to make sure they are installed together
+ (bsc#1090768)
+
+-------------------------------------------------------------------
+Fri Feb 15 15:01:18 UTC 2019 - Jan Engelhardt
+
+- Use noun phrase in summary.
+
+-------------------------------------------------------------------
+Fri Feb 15 09:41:52 UTC 2019 - lnussel@suse.de
+
+- New version 2.1.0
+ * The default size of the LUKS2 header is increased to 16 MB.
+ It includes metadata and the area used for binary keyslots;
+ it means that LUKS header backup is now 16MB in size.
+ * Cryptsetup now doubles LUKS default key size if XTS mode is used
+ (XTS mode uses two internal keys). This does not apply if key size
+ is explicitly specified on the command line and it does not apply
+ for the plain mode.
+ This fixes a confusion with AES and 256bit key in XTS mode where
+ code used AES128 and not AES256 as often expected.
+ * Default cryptographic backend used for LUKS header processing is now
+ OpenSSL. For years, OpenSSL provided better performance for PBKDF.
+
+ * The Python bindings are no longer supported and the code was removed
+ from cryptsetup distribution. Please use the libblockdev project
+ that already covers most of the libcryptsetup functionality
+ including LUKS2.
+ * Cryptsetup now allows using --offset option also for luksFormat.
+ * Cryptsetup now supports new refresh action (that is the alias for
+ "open --refresh").
+ * Integritysetup now supports mode with detached data device through
+ new --data-device option.
+- 2.1.0 would use LUKS2 as default, we stay with LUKS1 for now until
+ someone has time to evaluate the fallout from switching to LUKS2.
+
+-------------------------------------------------------------------
+Tue Oct 30 10:10:35 UTC 2018 - lnussel@suse.de
+
+- Suggest hmac package (boo#1090768)
+- remove old upgrade hack for upgrades from 12.1
+- New version 2.0.5
+
+ Changes since version 2.0.4
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ * Wipe full header areas (including unused) during LUKS format.
+
+ Since this version, the whole area up to the data offset is zeroed,
+ and subsequently, all keyslots areas are wiped with random data.
+ This ensures that no remaining old data remains in the LUKS header
+ areas, but it could slow down format operation on some devices.
+ Previously only first 4k (or 32k for LUKS2) and the used keyslot
+ was overwritten in the format operation.
+
+ * Several fixes to error messages that were unintentionally replaced
+ in previous versions with a silent exit code.
+ More descriptive error messages were added, including error
+ messages if
+ - a device is unusable (not a block device, no access, etc.),
+ - a LUKS device is not detected,
+ - LUKS header load code detects unsupported version,
+ - a keyslot decryption fails (also happens in the cipher check),
+ - converting an inactive keyslot.
+
+ * Device activation fails if data area overlaps with LUKS header.
+
+ * Code now uses explicit_bzero to wipe memory if available
+ (instead of own implementation).
+
+ * Additional VeraCrypt modes are now supported, including Camellia
+ and Kuznyechik symmetric ciphers (and cipher chains) and Streebog
+ hash function. These were introduced in a recent VeraCrypt upstream.
+
+ Note that Kuznyechik requires out-of-tree kernel module and
+ Streebog hash function is available only with the gcrypt cryptographic
+ backend for now.
+
+ * Fixes static build for integritysetup if the pwquality library is used.
+
+ * Allows passphrase change for unbound keyslots.
+
+ * Fixes removed keyslot number in verbose message for luksKillSlot,
+ luksRemoveKey and erase command.
+
+ * Adds blkid scan when attempting to open a plain device and warn the user
+ about existing device signatures in a ciphertext device.
+
+ * Remove LUKS header signature if luksFormat fails to add the first keyslot.
+
+ * Remove O_SYNC from device open and use fsync() to speed up
+ wipe operation considerably.
+
+ * Create --master-key-file in luksDump and fail if the file already exists.
+
+ * Fixes a bug when LUKS2 authenticated encryption with a detached header
+ wiped the header device instead of dm-integrity data device area (causing
+ unnecessary LUKS2 header auto recovery).
+
+-------------------------------------------------------------------
+Tue Oct 30 09:55:50 UTC 2018 - lnussel@suse.de
+
+- make parallell installable version for SLE12
+
+-------------------------------------------------------------------
+Tue Aug 21 07:40:54 UTC 2018 - lnussel@suse.de
+
+- New version 2.0.4
+
+ Changes since version 2.0.3
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ * Use the libblkid (blockid) library to detect foreign signatures
+ on a device before LUKS format and LUKS2 auto-recovery.
+ This change fixes an unexpected recovery using the secondary
+ LUKS2 header after a device was already overwritten with
+ another format (filesystem or LVM physical volume).
+ LUKS2 will not recreate a primary header if it detects a valid
+ foreign signature. In this situation, a user must always
+ use cryptsetup repair command for the recovery.
+ Note that libcryptsetup and utilities are now linked to libblkid
+ as a new dependence.
+ To compile code without blockid support (strongly discouraged),
+ use --disable-blkid configure switch.
+ * Add prompt for format and repair actions in cryptsetup and
+ integritysetup if foreign signatures are detected on the device
+ through the blockid library.
+ After the confirmation, all known signatures are then wiped as
+ part of the format or repair procedure.
+ * Print consistent verbose message about keyslot and token numbers.
+ For keyslot actions: Key slot unlocked/created/removed.
+ For token actions: Token created/removed.
+ * Print error, if a non-existent token is tried to be removed.
+ * Add support for LUKS2 token definition export and import.
+ The token command now can export/import customized token JSON file
+ directly from command line. See the man page for more details.
+ * Add support for new dm-integrity superblock version 2.
+ * Add an error message when nothing was read from a key file.
+ * Update cryptsetup man pages, including --type option usage.
+ * Add a snapshot of LUKS2 format specification to documentation
+ and accordingly fix supported secondary header offsets.
+ * Add bundled optimized Argon2 SSE (X86_64 platform) code.
+ If the bundled Argon2 code is used and the new configure switch
+ --enable-internal-sse-argon2 option is present, and compiler flags
+ support required optimization, the code will try to use optimized
+ and faster variant.
+ Always use the shared library (--enable-libargon2) if possible.
+ This option was added because an enterprise distribution
+ rejected to support the shared Argon2 library and native support
+ in generic cryptographic libraries is not ready yet.
+ * Fix compilation with crypto backend for LibreSSL >= 2.7.0.
+ LibreSSL introduced OpenSSL 1.1.x API functions, so compatibility
+ wrapper must be commented out.
+ * Fix on-disk header size calculation for LUKS2 format if a specific
+ data alignment is requested. Until now, the code used default size
+ that could be wrong for converted devices.
+
+ Changes since version 2.0.2
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ * Expose interface to unbound LUKS2 keyslots.
+ Unbound LUKS2 keyslot allows storing a key material that is independent
+ of master volume key (it is not bound to encrypted data segment).
+ * New API extensions for unbound keyslots (LUKS2 only)
+ crypt_keyslot_get_key_size() and crypt_volume_key_get()
+ These functions allow to get key and key size for unbound keyslots.
+ * New enum value CRYPT_SLOT_UNBOUND for keyslot status (LUKS2 only).
+ * Add --unbound keyslot option to the cryptsetup luksAddKey command.
+ * Add crypt_get_active_integrity_failures() call to get integrity
+ failure count for dm-integrity devices.
+ * Add crypt_get_pbkdf_default() function to get per-type PBKDF default
+ setting.
+ * Add new flag to crypt_keyslot_add_by_key() to force update device
+ volume key. This call is mainly intended for a wrapped key change.
+ * Allow volume key store in a file with cryptsetup.
+ The --dump-master-key together with --master-key-file allows cryptsetup
+ to store the binary volume key to a file instead of standard output.
+ * Add support detached header for cryptsetup-reencrypt command.
+ * Fix VeraCrypt PIM handling - use proper iterations count formula
+ for PBKDF2-SHA512 and PBKDF2-Whirlpool used in system volumes.
+ * Fix cryptsetup tcryptDump for VeraCrypt PIM (support --veracrypt-pim).
+ * Add --with-default-luks-format configure time option.
+ (Option to override default LUKS format version.)
+ * Fix LUKS version conversion for detached (and trimmed) LUKS headers.
+ * Add luksConvertKey cryptsetup command that converts specific keyslot
+ from one PBKDF to another.
+ * Do not allow conversion to LUKS2 if LUKSMETA (external tool metadata)
+ header is detected.
+ * More cleanup and hardening of LUKS2 keyslot specific validation options.
+ Add more checks for cipher validity before writing metadata on-disk.
+ * Do not allow LUKS1 version downconversion if the header contains tokens.
+ * Add "paes" family ciphers (AES wrapped key scheme for mainframes)
+ to allowed ciphers.
+ Specific wrapped ley configuration logic must be done by 3rd party tool,
+ LUKS2 stores only keyslot material and allow activation of the device.
+ * Add support for --check-at-most-once option (kernel 4.17) to veritysetup.
+ This flag can be dangerous; if you can control underlying device
+ (you can change its content after it was verified) it will no longer
+ prevent reading tampered data and also it does not prevent silent
+ data corruptions that appear after the block was once read.
+ * Fix return code (EPERM instead of EINVAL) and retry count for bad
+ passphrase on non-tty input.
+ * Enable support for FEC decoding in veritysetup to check dm-verity devices
+ with additional Reed-Solomon code in userspace (verify command).
+
+ Changes since version 2.0.1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ * Fix a regression in early detection of inactive keyslot for luksKillSlot.
+ It tried to ask for passphrase even for already erased keyslot.
+ * Fix a regression in loopaesOpen processing for keyfile on standard input.
+ Use of "-" argument was not working properly.
+ * Add LUKS2 specific options for cryptsetup-reencrypt.
+ Tokens and persistent flags are now transferred during reencryption;
+ change of PBKDF keyslot parameters is now supported and allows
+ to set precalculated values (no benchmarks).
+ * Do not allow LUKS2 --persistent and --test-passphrase cryptsetup flags
+ combination. Persistent flags are now stored only if the device was
+ successfully activated with the specified flags.
+ * Fix integritysetup format after recent Linux kernel changes that
+ requires to setup key for HMAC in all cases.
+ Previously integritysetup allowed HMAC with zero key that behaves
+ like a plain hash.
+ * Fix VeraCrypt PIM handling that modified internal iteration counts
+ even for subsequent activations. The PIM count is no longer printed
+ in debug log as it is sensitive information.
+ Also, the code now skips legacy TrueCrypt algorithms if a PIM
+ is specified (they cannot be used with PIM anyway).
+ * PBKDF values cannot be set (even with force parameters) below
+ hardcoded minimums. For PBKDF2 is it 1000 iterations, for Argon2
+ it is 4 iterations and 32 KiB of memory cost.
+ * Introduce new crypt_token_is_assigned() API function for reporting
+ the binding between token and keyslots.
+ * Allow crypt_token_json_set() API function to create internal token types.
+ Do not allow unknown fields in internal token objects.
+ * Print message in cryptsetup that about was aborted if a user did not
+ answer YES in a query.
+
+-------------------------------------------------------------------
+Tue Jan 30 12:26:48 UTC 2018 - astieger@suse.com
+
+- update to 2.0.1:
+ * To store volume key into kernel keyring, kernel 4.15 with
+ dm-crypt 1.18.1 is required
+ * Increase maximum allowed PBKDF memory-cost limit to 4 GiB
+ * Use /run/cryptsetup as default for cryptsetup locking dir
+ * Introduce new 64-bit byte-offset *keyfile_device_offset functions.
+ * New set of fucntions that allows 64-bit offsets even on 32bit systems
+ are now availeble:
+ - crypt_resume_by_keyfile_device_offset
+ - crypt_keyslot_add_by_keyfile_device_offset
+ - crypt_activate_by_keyfile_device_offset
+ - crypt_keyfile_device_read
+ The new functions have added the _device_ in name.
+ Old functions are just internal wrappers around these.
+ * Also cryptsetup --keyfile-offset and --new-keyfile-offset now
+ allows 64-bit offsets as parameters.
+ * Add error hint for wrongly formatted cipher strings in LUKS1 and
+ properly fail in luksFormat if cipher format is missing required IV.
+
+-------------------------------------------------------------------
+Fri Dec 22 16:16:10 UTC 2017 - archie.cobbs@gmail.com
+
+- Update to version 2.0.0:
+ * Add support for new on-disk LUKS2 format
+ * Enable to use system libargon2 instead of bundled version
+ * Install tmpfiles.d configuration for LUKS2 locking directory
+ * New command integritysetup: support for the new dm-integrity kernel target
+ * Support for larger sector sizes for crypt devices
+ * Miscellaneous fixes and improvements
+
+-------------------------------------------------------------------
+Sat Apr 29 11:52:58 UTC 2017 - mpluskal@suse.com
+
+- Update to version 1.7.5:
+ * Fixes to luksFormat to properly support recent kernel running
+ in FIPS mode (bsc#1031998).
+ * Fixes accesses to unaligned hidden legacy TrueCrypt header.
+ * Fixes to optional dracut ramdisk scripts for offline
+ re-encryption on initial boot.
+
+-------------------------------------------------------------------
+Fri Mar 17 19:24:14 UTC 2017 - mpluskal@suse.com
+
+- Update to version 1.7.4:
+ * Allow to specify LUKS1 hash algorithm in Python luksFormat
+ wrapper.
+ * Use LUKS1 compiled-in defaults also in Python wrapper.
+ * OpenSSL backend: Fix OpenSSL 1.1.0 support without backward
+ compatible API.
+ * OpenSSL backend: Fix LibreSSL compatibility.
+ * Check for data device and hash device area overlap in
+ veritysetup.
+ * Fix a possible race while allocating a free loop device.
+ * Fix possible file descriptor leaks if libcryptsetup is run from
+ a forked process.
+ * Fix missing same_cpu_crypt flag in status command.
+ * Various updates to FAQ and man pages.
+- Changes for version 1.7.3:
+ * Fix device access to hash offsets located beyond the 2GB device
+ boundary in veritysetup.
+ * Set configured (compile-time) default iteration time for
+ devices created directly through libcryptsetup
+ * Fix PBKDF2 benchmark to not double iteration count for specific
+ corner case.
+ * Verify passphrase in cryptsetup-reencrypt when encrypting a new
+ drive.
+ * OpenSSL backend: fix memory leak if hash context was repeatedly
+ reused.
+ * OpenSSL backend: add support for OpenSSL 1.1.0.
+ * Fix several minor spelling errors.
+ * Properly check maximal buffer size when parsing UUID from
+ /dev/disk/.
+
+-------------------------------------------------------------------
+Thu Aug 25 15:15:15 UTC 2016 - alexander_naumov@opensuse.org
+
+- Update to version 1.7.2:
+
+ * Update LUKS documentation format.
+ Clarify fixed sector size and keyslots alignment.
+
+ * Support activation options for error handling modes in
+ Linux kernel dm-verity module:
+ --ignore-corruption - dm-verity just logs detected corruption
+
+ --restart-on-corruption - dm-verity restarts the kernel if
+ corruption is detected
+ If the options above are not specified, default behavior for
+ dm-verity remains. Default is that I/O operation fails with
+ I/O error if corrupted block is detected.
+
+ --ignore-zero-blocks - Instructs dm-verity to not verify
+ blocks that are expected to contain zeroes and always
+ return zeroes directly instead.
+ NOTE that these options could have security or functional
+ impacts, do not use them without assessing the risks!
+
+ * Fix help text for cipher benchmark specification
+ (mention --cipher option).
+
+ * Fix off-by-one error in maximum keyfile size.
+ Allow keyfiles up to compiled-in default and not that value
+ minus one.
+
+ * Support resume of interrupted decryption in cryptsetup-reencrypt
+ utility. To resume decryption, LUKS device UUID (--uuid option)
+ option must be used.
+
+ * Do not use direct-io for LUKS header with unaligned keyslots.
+ Such headers were used only by the first cryptsetup-luks-1.0.0
+ release (2005).
+ * Fix device block size detection to properly work on particular
+
+ file-based containers over underlying devices with 4k sectors.
+
+- Update to version 1.7.1:
+
+ * Code now uses kernel crypto API backend according to new
+ changes introduced in mainline kernel
+ While mainline kernel should contain backward compatible
+ changes, some stable series kernels do not contain fully
+ backported compatibility patches.
+ Without these patches most of cryptsetup operations
+ (like unlocking device) fail.
+ This change in cryptsetup ensures that all operations using
+ kernel crypto API works even on these kernels.
+
+ * The cryptsetup-reencrypt utility now properly detects removal
+ of underlying link to block device and does not remove
+ ongoing re-encryption log.
+ This allows proper recovery (resume) of reencrypt operation later.
+ NOTE: Never use /dev/disk/by-uuid/ path for reencryption utility,
+ this link disappears once the device metadata is temporarily
+ removed from device.
+
+ * Cryptsetup now allows special "-" (standard input) keyfile handling
+ even for TCRYPT (TrueCrypt and VeraCrypt compatible) devices.
+
+ * Cryptsetup now fails if there are more keyfiles specified
+ for non-TCRYPT device.
+
+ * The luksKillSlot command now does not suppress provided password
+ in batch mode (if password is wrong slot is not destroyed).
+ Note that not providing password in batch mode means that keyslot
+ is destroyed unconditionally.
+
+-------------------------------------------------------------------
+Sat Jan 9 12:12:06 UTC 2016 - benoit.monin@gmx.fr
+
+- update to 1.7.0:
+ * The cryptsetup 1.7 release changes defaults for LUKS,
+ there are no API changes.
+ * Default hash function is now SHA256 (used in key derivation
+ function and anti-forensic splitter).
+ * Default iteration time for PBKDF2 is now 2 seconds.
+ * Fix PBKDF2 iteration benchmark for longer key sizes.
+ * Remove experimental warning for reencrypt tool.
+ * Add optional libpasswdqc support for new LUKS passwords.
+ * Update FAQ document.
+
+-------------------------------------------------------------------
+Thu Dec 10 16:05:57 CET 2015 - tiwai@suse.de
+
+- Fix missing dependency on coreutils for initrd macros (boo#958562)
+- Call missing initrd macro at postun (boo#958562)
+
+-------------------------------------------------------------------
+Tue Sep 8 20:19:34 UTC 2015 - asterios.dramis@gmail.com
+
+- Update to 1.6.8
+ * If the null cipher (no encryption) is used, allow only empty
+ password for LUKS. (Previously cryptsetup accepted any password
+ in this case.)
+ The null cipher can be used only for testing and it is used
+ temporarily during offline encrypting not yet encrypted device
+ (cryptsetup-reencrypt tool).
+ Accepting only empty password prevents situation when someone
+ adds another LUKS device using the same UUID (UUID of existing
+ LUKS device) with faked header containing null cipher.
+ This could force user to use different LUKS device (with no
+ encryption) without noticing.
+ (IOW it prevents situation when attacker intentionally forces
+ user to boot into different system just by LUKS header
+ manipulation.)
+ Properly configured systems should have an additional integrity
+ protection in place here (LUKS here provides only
+ confidentiality) but it is better to not allow this situation
+ in the first place.
+ (For more info see QubesOS Security Bulletin QSB-019-2015.)
+ * Properly support stdin "-" handling for luksAddKey for both new
+ and old keyfile parameters.
+ * If encrypted device is file-backed (it uses underlying loop
+ device), cryptsetup resize will try to resize underlying loop
+ device as well. (It can be used to grow up file-backed device
+ in one step.)
+ * Cryptsetup now allows to use empty password through stdin pipe.
+ (Intended only for testing in scripts.)
+
+-------------------------------------------------------------------
+Sun Apr 12 18:45:26 UTC 2015 - crrodriguez@opensuse.org
+
+- Enable verbose build log.
+
+-------------------------------------------------------------------
+Sun Apr 12 18:41:39 UTC 2015 - crrodriguez@opensuse.org
+
+- regenerate the initrd if cryptsetup tool changes
+ (wanted by 90crypt dracut module)
+
+-------------------------------------------------------------------
+Thu Apr 2 12:05:47 UTC 2015 - mpluskal@suse.com
+
+- Update to 1.6.7
+ * Cryptsetup TCRYPT mode now supports VeraCrypt devices
+ (TrueCrypt extension)
+ * Support keyfile-offset and keyfile-size options even for plain
+ volumes.
+ * Support keyfile option for luksAddKey if the master key is
+ specified.
+ * For historic reasons, hashing in the plain mode is not used if
+ keyfile is specified (with exception of --key-file=-). Print
+ a warning if these parameters are ignored.
+ * Support permanent device decryption for cryptsetup-reencrypt.
+ To remove LUKS encryption from a device, you can now use
+ --decrypt option.
+ * Allow to use --header option in all LUKS commands. The
+ --header always takes precedence over positional device argument.
+ * Allow luksSuspend without need to specify a detached header.
+ * Detect if O_DIRECT is usable on a device allocation. There are
+ some strange storage stack configurations which wrongly allows
+ to open devices with direct-io but fails on all IO operations later.
+ * Add low-level performance options tuning for dmcrypt (for
+ Linux 4.0 and later).
+ * Get rid of libfipscheck library.
+ (Note that this option was used only for Red Hat and derived
+ distributions.) With recent FIPS changes we do not need to
+ link to this FIPS monster anymore. Also drop some no longer
+ needed FIPS mode checks.
+ * Many fixes and clarifications to man pages.
+ * Prevent compiler to optimize-out zeroing of buffers for on-stack
+ variables.
+ * Fix a crash if non-GNU strerror_r is used.
+
+-------------------------------------------------------------------
+Sun Sep 14 21:50:33 UTC 2014 - asterios.dramis@gmail.com
+
+- version 1.6.6
+ * LUKS: Fix keyslot device access for devices which
+ do not support direct IO operations. (Regression in 1.6.5.)
+ * LUKS: Fallback to old temporary keyslot device mapping method
+ if hash (for ESSIV) is not supported by userspace crypto
+ library. (Regression in 1.6.5.)
+ * Properly activate device with discard (TRIM for SSDs)
+ if requested even if dm_crypt module is not yet loaded.
+ Only if discard is not supported by the old kernel then
+ the discard option is ignored.
+ * Fix some static analysis build warnings (scan-build).
+ * Report crypto lib version only once (and always add kernel
+ version) in debug output.
+
+-------------------------------------------------------------------
+Fri Aug 22 12:02:56 UTC 2014 - meissner@suse.com
+
+- Use --enable-gcrypt-pbkdf2 to use the PBKDFv2 method from libgcrypt.
+
+-------------------------------------------------------------------
+Tue Aug 12 16:34:04 UTC 2014 - asterios.dramis@gmail.com
+
+- version 1.6.5
+ * Allow LUKS header operation handling without requiring root privilege.
+ It means that you can manipulate with keyslots as a regular user, only
+ write access to device (or image) is required.
+ * Fix internal PBKDF2 key derivation function implementation for alternative
+ crypto backends (kernel, NSS) which do not support PBKDF2 directly and have
+ issues with longer HMAC keys.
+ * Support for Python3 for simple Python binding.
+ Python >= 2.6 is now required. You can set Python compiled version by setting
+ --with-python_version configure option (together with --enable-python).
+ * Use internal PBKDF2 in Nettle library for Nettle crypto backend.
+ Cryptsetup compilation requires Nettle >= 2.6 (if using Nettle crypto backend).
+ * Allow simple status of crypt device without providing metadata header.
+ The command "cryptsetup status" will print basic info, even if you
+ do not provide detached header argument.
+ * Allow to specify ECB mode in cryptsetup benchmark.
+ * Add some LUKS images for regression testing.
+ Note that if image with Whirlpool fails, the most probable cause is that
+ you have old gcrypt library with flawed whirlpool hash.
+ Read FAQ section 8.3 for more info.
+- Removed e2fsprogs-devel and libtool build requirements (not needed).
+- Added libpwquality-devel and libuuid-devel build requirements.
+
+-------------------------------------------------------------------
+Mon Aug 11 15:21:03 UTC 2014 - meissner@suse.com
+
+- libcryptsetup4-hmac split off contain the hmac for FIPS certification
+
+-------------------------------------------------------------------
+Tue May 27 14:38:57 UTC 2014 - meissner@suse.com
+
+- version 1.6.4
+ - new tarball / signature location
+ * Implement new erase (with alias luksErase) command.
+ * Add internal "whirlpool_gcryptbug hash" for accessing flawed
+ Whirlpool hash in gcrypt (requires gcrypt 1.6.1 or above).
+ * Allow to use --disable-gcrypt-pbkdf2 during configuration
+ to force use internal PBKDF2 code.
+ * Require gcrypt 1.6.1 for imported implementation of PBKDF2
+ (PBKDF2 in gcrypt 1.6.0 is too slow).
+ * Add --keep-key to cryptsetup-reencrypt.
+ * By default verify new passphrase in luksChangeKey and luksAddKey
+ commands (if input is from terminal).
+ * Fix memory leak in Nettle crypto backend.
+ * Support --tries option even for TCRYPT devices in cryptsetup.
+ * Support --allow-discards option even for TCRYPT devices.
+ (Note that this could destroy hidden volume and it is not suggested
+ by original TrueCrypt security model.)
+ * Link against -lrt for clock_gettime to fix undefined reference
+ to clock_gettime error (introduced in 1.6.2).
+ * Fix misleading error message when some algorithms are not available.
+ * Count system time in PBKDF2 benchmark if kernel returns no self
+ usage info.
+
+-------------------------------------------------------------------
+Wed Apr 23 16:08:09 UTC 2014 - dmueller@suse.com
+
+- remove dependency on gpg-offline (source_validator already
+ checks for gpg integrity)
+
+-------------------------------------------------------------------
+Sun Dec 15 20:04:00 UTC 2013 - crrodriguez@opensuse.org
+
+- version 1.6.3
+* Fix cryptsetup reencryption tool to work properly
+ with devices using 4kB sectors.
+* Rewrite cipher benchmark loop which was unreliable on very fast machines.
+* Support activation of old TrueCrypt containers (requires kernel 3.13)
+* Other bugfixes.
+
+-------------------------------------------------------------------
+Sun Aug 4 20:54:31 UTC 2013 - crrodriguez@opensuse.org
+
+- cryptsetup 1.6.2
+* Print error and fail if more device arguments
+ are present for isLuks command.
+* Fix cipher specification string parsing
+(found by gcc -fsanitize=address option).
+* Try to map TCRYPT system encryption through partitions
+* Workaround for some recent changes in automake
+
+-------------------------------------------------------------------
+Tue Jul 2 18:53:21 UTC 2013 - crrodriguez@opensuse.org
+
+- cryptsetup 1.6.1
+ * Fix loop-AES keyfile parsing.
+ * Fix passphrase pool overflow for too long TCRYPT passphrase.
+ * Fix deactivation of device when failed underlying node disappeared.
+
+- There is a bug in the released tarball, due to HAVE_BYTESWAP_H
+ and HAVE_ENDIAN_H not properly handled by the buildsystem. A
+ patch with permanent solution was sent and accepted upstream
+ and will appear in the next release, for now an spec file workaround
+ is in place, remove in the next update.
+
+-------------------------------------------------------------------
+Sun Mar 24 19:17:47 UTC 2013 - jengelh@inai.de
+
+- Remove excessive dependencies of libcryptsetup-devel
+ (it does not require any of these)
+
+-------------------------------------------------------------------
+Tue Jan 15 13:17:57 UTC 2013 - lnussel@suse.de
+
+- version 1.6.0
+ * Change LUKS default cipher to to use XTS encryption mode,
+ aes-xts-plain64 (i.e. using AES128-XTS).
+ * license change to GPL-2.0+ from GPL-1.0
+ * new unified command open and close.
+ * direct support for TCRYPT (TrueCrypt and compatible tc-play) on-disk format
+ * new benchmark command
+
+-------------------------------------------------------------------
+Thu Dec 13 10:46:43 UTC 2012 - lnussel@suse.de
+
+- version 1.5.1:
+ * Added keyslot checker
+ * Add crypt_keyslot_area() API call.
+ * Optimize seek to keyfile-offset (Issue #135, thx to dreisner).
+ * Fix luksHeaderBackup for very old v1.0 unaligned LUKS headers.
+ * Allocate loop device late (only when real block device needed).
+ * Rework underlying device/file access functions.
+ * Create hash image if doesn't exist in veritysetup format.
+ * Provide better error message if running as non-root user (device-mapper, loop).
+
+-------------------------------------------------------------------
+Wed Dec 12 16:00:29 UTC 2012 - lnussel@suse.de
+
+- split off hashalot and boot.crypto
+- move to /usr
+
+-------------------------------------------------------------------
+Tue Nov 20 18:41:11 CET 2012 - sbrabec@suse.cz
+
+- Verify GPG signature.
+
+-------------------------------------------------------------------
+Tue Sep 25 11:40:07 UTC 2012 - fcrozat@suse.com
+
+- Remove crypttab manpage, it is now provided by systemd.
+
+-------------------------------------------------------------------
+Wed Aug 1 13:37:04 UTC 2012 - lnussel@suse.de
+
+- version 1.5.0:
+ * Add --device-size option for reencryption tool.
+ * Switch to use unit suffix for --reduce-device-size option.
+ * Remove open device debugging feature (no longer needed).
+ * Introduce cryptsetup-reencrypt - experimental offline LUKS reencryption tool.
+ * Fix luks-header-from-active script (do not use LUKS header on-disk, add UUID).
+ * Add --test-passphrase option for luksOpen (check passphrase only).
+ * Introduce veritysetup for dm-verity target management.
+ * Both data and header device can now be a file.
+ * Loop is automatically allocated in crypt_set_data_device().
+ * Require only up to last keyslot area for header device (ignore data offset).
+ * Fix header backup and restore to work on files with large data offset.
+ * Fix readonly activation if underlying device is readonly (1.4.0).
+ * Fix keyslot removal (wipe keyslot) for device with 4k hw block (1.4.0).
+ * Allow empty cipher (cipher_null) for testing.
+ * Fix loop mapping on readonly file.
+ * Relax --shared test, allow mapping even for overlapping segments.
+ * Support shared flag for LUKS devices (dangerous).
+ * Switch on retry on device remove for libdevmapper.
+ * Allow "private" activation (skip some udev global rules) flag.
+
+-------------------------------------------------------------------
+Mon Jul 9 09:37:43 UTC 2012 - cfarrell@suse.com
+
+- license update: SUSE-GPL-2.0-with-openssl-exception and LGPL-2.0+
+ cryptsetup developers use a special exception to link against openSSL
+
+-------------------------------------------------------------------
+Fri Jun 15 12:41:00 UTC 2012 - lnussel@suse.de
+
+- boot.crypto:
+ * update man page to mention systemd and wiki article
+ * sanitize dm target names (bnc#716240)
+
+-------------------------------------------------------------------
+Tue Apr 17 13:03:28 UTC 2012 - lnussel@suse.de
+
+- boot.crypto:
+ * prefer physdev from crypttab
+ * fix non-plymouth use
+
+-------------------------------------------------------------------
+Mon Apr 16 12:08:30 UTC 2012 - lnussel@suse.de
+
+- new version 1.4.2
+ * Fix header check to support old (cryptsetup 1.0.0) header alignment. (1.4.0)
+ * Add --keyfile-offset and --new-keyfile-offset parameters to API and CLI.
+ * Add repair command and crypt_repair() for known LUKS metadata problems repair.
+ * Allow to specify --align-payload only for luksFormat.
+ * Unify password verification option.
+ * Support password verification with quiet flag if possible. (1.2.0)
+ * Fix retry if entered passphrases (with verify option) do not match.
+ * Support UUID= format for device specification.
+ * Add --master-key-file option to luksOpen (open using volume key).
+ * Fix use of empty keyfile.
+ * Fix error message for luksClose and detached LUKS header.
+ * Allow --header for status command to get full info with detached header.
+
+-------------------------------------------------------------------
+Mon Apr 16 09:56:40 UTC 2012 - lnussel@suse.de
+
+- boot.crypto:
+ * avoid warning about module 'kernel' (bnc#741468)
+ * incorporate plymouth support
+
+-------------------------------------------------------------------
+Fri Dec 16 13:06:18 UTC 2011 - jengelh@medozas.de
+
+- Update to new upstream release 1.4.1
+* support for trim/discard
+* The on-disk LUKS header can now be detached (e.g. placed on
+ separate device or in file)
+* Support key-slot option for luksOpen (use only explicit keyslot)
+* API: Removal of deprecated API from libcryptsetup (all functions
+ using struct crypt_options)
+
+-------------------------------------------------------------------
+Thu Oct 27 15:53:20 UTC 2011 - lnussel@suse.de
+
+- on update convert noauto to nofail and turn on fsck (bnc#724113)
+
+-------------------------------------------------------------------
+Mon Oct 10 00:18:10 UTC 2011 - jeffm@suse.com
+
+- cryptsetup-boot: Rescan LVM volumes after opening crypto (bnc#722916).
+
+-------------------------------------------------------------------
+Fri Sep 30 20:07:51 UTC 2011 - coolo@suse.com
+
+- add libtool as buildrequire to make the spec file more reliable
+
+-------------------------------------------------------------------
+Sun Sep 18 18:42:07 UTC 2011 - jengelh@medozas.de
+
+- Remove redundant tags/sections from specfile
+
+-------------------------------------------------------------------
+Fri May 27 13:20:27 UTC 2011 - lnussel@suse.de
+
+- boot.crypto:
+ * don't hard require boot.device-mapper in boot.crypto
+
+-------------------------------------------------------------------
+Wed May 25 06:42:03 UTC 2011 - lnussel@suse.de
+
+- new version 1.3.1:
+ * Fix keyfile=- processing in create command (regression in 1.3.0).
+ * Simplify device path status check (use /sys and do not scan /dev).
+ * Do not ignore device size argument for create command (regression in 1.2.0).
+ * Fix error paths in blockwise code and lseek_write call.
+
+-------------------------------------------------------------------
+Mon Apr 11 14:04:11 UTC 2011 - lnussel@suse.de
+
+- new version 1.3.0:
+ * userspace crypto backends support
+ * Cryptsetup now automatically allocates loopback device
+ if device argument is file and not plain device.
+ * luksChangeKey command
+ * loopaesOpen command for loop-AES compatibility
+
+-------------------------------------------------------------------
+Thu Feb 17 07:53:34 UTC 2011 - lnussel@suse.de
+
+- boot.crypto:
+ * also fix exit code in boot.crypto.functions (bnc#671822)
+
+-------------------------------------------------------------------
+Mon Jan 31 15:32:57 UTC 2011 - lnussel@suse.de
+
+- boot.crypto:
+ * don't fail if loop module is not loaded
+ * adapt to new crypsetup exit codes (bnc#667931)
+
+-------------------------------------------------------------------
+Mon Dec 20 13:01:54 UTC 2010 - lnussel@suse.de
+
+- new version 1.2.0
+ * Add selection of random/urandom number generator for luksFormat
+ (option --use-random and --use-urandom).
+
+ * Fix luksRemoveKey to not ask for remaining keyslot passphrase,
+ only for removed one.
+
+ * No longer support luksDelKey (replaced with luksKillSlot).
+ * if you want to remove particular passphrase, use luksKeyRemove
+ * if you want to remove particular keyslot, use luksKillSlot
+
+ Note that in batch mode luksKillSlot allows removing of any keyslot
+ without question, in normal mode requires passphrase or keyfile from
+ other keyslot.
+
+ * Default alignment for device (if not overridden by topology info)
+ is now (multiple of) *1MiB*.
+ This reflects trends in storage technologies and aligns to the same
+ defaults for partitions and volume management.
+
+ * Allow explicit UUID setting in luksFormat and allow change it later
+ in luksUUID (--uuid parameter).
+
+ * All commands using key file now allows limited read from keyfile using
+ --keyfile-size and --new-keyfile-size parameters (in bytes).
+
+ This change also disallows overloading of --key-size parameter which
+ is now exclusively used for key size specification (in bits.)
+
+ * luksFormat using pre-generated master key now properly allows
+ using key file (only passphrase was allowed prior to this update).
+
+ * Add --dump-master-key option for luksDump to perform volume (master)
+ key dump. Note that printed information allows accessing device without
+ passphrase so it must be stored encrypted.
+
+ This operation is useful for simple Key Escrow function (volume key and
+ encryption parameters printed on paper on safe place).
+
+ This operation requires passphrase or key file.
+
+ * The reload command is no longer supported.
+ (Use dmsetup reload instead if needed. There is no real use for this
+ function except explicit data corruption:-)
+
+ * Cryptsetup now properly checks if underlying device is in use and
+ disallows *luksFormat*, luksOpen and create commands on open
+ (e.g. already mapped or mounted) device.
+
+ * Option --non-exclusive (already deprecated) is removed.
+
+Libcryptsetup API additions:
+
+ * new functions
+ * crypt_get_type() - explicit query to crypt device context type
+ * crypt_resize() - new resize command using context
+ * crypt_keyslot_max() - helper to get number of supported keyslots
+ * crypt_get_active_device() - get active device info
+ * crypt_set/get_rng_type() - random/urandom RNG setting
+ * crypt_set_uuid() - explicit UUID change of existing device
+ * crypt_get_device_name() - get underlying device name
+
+ * Fix optional password callback handling.
+
+ * Allow to activate by internally cached volume key immediately after
+ crypt_format() without active slot (for temporary devices with
+ on-disk metadata)
+
+ * libcryptsetup is binary compatible with 1.1.x release and still
+ supports legacy API calls
+
+ * cryptsetup binary now uses only new API calls.
+
+ * Static compilation of both library (--enable-static) and cryptsetup
+ binary (--enable-static-cryptsetup) is now properly implemented by common
+ libtool logic.
+
+ Prior to this it produced miscompiled dynamic cryptsetup binary with
+ statically linked libcryptsetup.
+
+ The static binary is compiled as src/cryptsetup.static in parallel
+ with dynamic build if requested.
+
+-------------------------------------------------------------------
+Tue Nov 30 14:16:07 UTC 2010 - lnussel@suse.de
+
+- boot.crypto:
+ * drop cryptotab support
+
+-------------------------------------------------------------------
+Tue Nov 16 14:05:47 UTC 2010 - lnussel@suse.de
+
+- boot.crypto:
+ * add a few tweaks for systemd (bnc#652767)
+
+-------------------------------------------------------------------
+Wed Jul 7 14:38:11 UTC 2010 - lnussel@suse.de
+
+- new version 1.1.3
+ * Fix device alignment ioctl calls parameters. (Device alignment
+ code was not working properly on some architectures like ppc64.)
+ * Fix activate_by_* API calls to handle NULL device name as
+ documented. (To enable check of passphrase/keyfile using
+ libcryptsetup without activating the device.)
+ * Fix udev support for old libdevmapper with not compatible definition.
+ * Added Polish translation file.
+
+-------------------------------------------------------------------
+Thu Jul 1 14:27:12 UTC 2010 - lnussel@suse.de
+
+- skip temporary mappings in early stage as chmod needs to be called
+ on the mounted file systems (bnc#591704)
+
+-------------------------------------------------------------------
+Sat Jun 26 10:07:24 UTC 2010 - jengelh@medozas.de
+
+- Use %_smp_mflags
+
+-------------------------------------------------------------------
+Mon May 31 09:42:27 UTC 2010 - lnussel@suse.de
+
+- new version 1.1.2 fixes keyfile regression introduced by 1.1.1
+ * Fix luksFormat/luksOpen reading passphrase from stdin and "-" keyfile.
+ * Support --key-file/-d option for luksFormat.
+ * Fix description of --key-file and add --verbose and --debug options to man page.
+ * Add verbose log level and move unlocking message there.
+ * Remove device even if underlying device disappeared (remove, luksClose).
+ * Fix (deprecated) reload device command to accept new device argument.
+
+-------------------------------------------------------------------
+Tue May 25 08:11:30 UTC 2010 - lnussel@suse.de
+
+- new version 1.1.1
+ * Detects and use device-mapper udev support if available.
+ * Supports device topology detection for data alignment.
+ * Fix luksOpen reading of passphrase on stdin (if "-" keyfile specified).
+ * Fix isLuks to initialise crypto backend (blkid instead is suggested anyway).
+ * Properly initialise crypto backend in header backup/restore commands.
+ * Do not verify unlocking passphrase in luksAddKey command.
+ * Allow no hash specification in plain device constructor - user can provide volume key directly.
+ * Try to use pkgconfig for device mapper library in configuration script.
+ * Add some compatibility checks and disable LUKS suspend/resume if not supported.
+ * Rearrange tests, "make check" now run all available test for package.
+ * Avoid class C++ keyword in library header.
+
+-------------------------------------------------------------------
+Tue Mar 9 10:50:00 UTC 2010 - lnussel@suse.de
+
+- boot.crypto:
+ * turn off splash only if needed to avoid flicker
+
+-------------------------------------------------------------------
+Tue Mar 2 12:02:50 UTC 2010 - lnussel@suse.de
+
+- boot.crypto:
+ * restore splash screen state after initrd prompt (bnc#559053)
+ * use highlighted prompt in initrd too
+ * fix adding volumes with initrd option (bnc#558891)
+
+-------------------------------------------------------------------
+Tue Feb 2 12:21:44 UTC 2010 - lnussel@suse.de
+
+- boot.crypto:
+ * document the stages of the boot process
+ * show status message in boot.cypto-early
+ * don't perform some checks if the device is skipped anyways
+ * seed random number generator (bnc#575139)
+
+-------------------------------------------------------------------
+Mon Jan 18 12:18:32 UTC 2010 - lnussel@suse.de
+
+- cryptsetup 1.1.0:
+
+ * IMPORTANT: the default compiled-in cipher parameters changed
+ plain mode: aes-cbc-essiv:sha256 (default is backward incompatible!).
+ LUKS mode: aes-cbc-essiv:sha256 (only key size increased)
+ In both modes is now default key size 256bits.
+
+ * Default compiled-in parameters are now configurable through configure options:
+ --with-plain-* / --with-luks1-* (see configure --help)
+
+ * If you need backward compatible defaults for distribution use
+ configure --with-plain-mode=cbc-plain --with-luks1-keybits=128
+
+ Default compiled-in modes are printed in "cryptsetup --help" output.
+
+ * Change in iterations count (LUKS):
+ The slot and key digest iteration minimum count is now 1000.
+ The key digest iteration count is calculated from iteration time (approx 1/8 of req. time).
+ For more info about above items see discussion here: http://tinyurl.com/yaug97y
+
+ * New libcryptsetup API (documented in libcryptsetup.h).
+
+ The old API (using crypt_options struct) is still available but will remain
+ frozen and not used for new functions.
+ Soname of library changed to libcryptsetup.so.1.0.0.
+ (But only recompilation should be needed for old programs.)
+
+ The new API provides much more flexible operation over LUKS device for
+ applications, it is preferred that new applications will use libcryptsetup
+ and not wrapper around cryptsetup binary.
+
+ * New luksHeaderBackup and luksHeaderRestore commands.
+
+ These commands allows binary backup of LUKS header.
+ Please read man page about possible security issues with backup files.
+
+ * New luksSuspend (freeze device and wipe key) and luksResume (with provided passphrase).
+
+ luksSuspend wipe encryption key in kernel memory and set device to suspend
+ (blocking all IO) state. This option can be used for situations when you need
+ temporary wipe encryption key (like suspend to RAM etc.)
+ Please read man page for more information.
+
+ * New --master-key-file option for luksFormat and luksAddKey.
+
+ User can now specify pre-generated master key in file, which allows regenerating
+ LUKS header or add key with only master key knowledge.
+
+ * Uses libgcrypt and enables all gcrypt hash algorithms for LUKS through -h luksFormat option.
+
+ Please note that using different hash for LUKS header make device incompatible with
+ old cryptsetup releases.
+
+ * Introduces --debug parameter.
+
+ Use when reporting bugs (just run cryptsetup with --debug and attach output
+ to issue report.) Sensitive data are never printed to this log.
+
+ * Moves command successful messages to verbose level.
+
+ * Requires device-mapper library and libgcrypt to build.
+
+ * Uses dm-uuid for all crypt devices, contains device type and name now.
+
+ * Removes support for dangerous non-exclusive option
+ (it is ignored now, LUKS device must be always opened exclusive)
+
+- boot.crypto:
+ * don't use dirty prompt override hack anymore
+ * wait for volume groups if resume volume is on lvm (bnc#556895)
+ * dynamically determine whether the cryptomgr module is neeeded
+
+-------------------------------------------------------------------
+Mon Oct 19 14:33:57 UTC 2009 - lnussel@suse.de
+
+- add luks script in volumemanager stage too, this way some side
+ effects are avoided (bnc#547612)
+
+-------------------------------------------------------------------
+Wed Oct 7 12:37:24 UTC 2009 - lnussel@suse.de
+
+- boot.crypto:
+ * /lib/udev/vol_id no longer exists, use blkid instead
+ * add space at end of password prompt in initrd
+ * fix autodetetection of root on LVM on LUKS (bnc#528474)
+
+-------------------------------------------------------------------
+Tue Oct 6 11:43:15 UTC 2009 - lnussel@suse.de
+
+- boot.crypto: more changes as agreed with the Debian maintainer:
+ * rename keyscript variable CRYPTTAB_DEVICE to CRYPTTAB_SOURCE
+ * export list of options in CRYPTTAB_OPTIONS
+
+-------------------------------------------------------------------
+Tue Sep 29 11:25:58 UTC 2009 - lnussel@suse.de
+
+- replace patch that quits on EOF with upstream version
+
+-------------------------------------------------------------------
+Fri Sep 25 12:42:23 UTC 2009 - lnussel@suse.de
+
+- actually hash=plain can be used to get raw keyscript output so
+ remove keyscript_raw again
+
+-------------------------------------------------------------------
+Thu Sep 24 13:36:52 UTC 2009 - lnussel@suse.de
+
+- boot.crypto:
+ * don't use hashalot if keyfile is specified
+ * to comply with Debian, keyscripts must only output the password.
+ In order to allow keyscript to use different methods to retrieve
+ a key, add a keyscript_rawkey option.
+- cryptsetup:
+ * When reading no single byte for the key abort.
+
+-------------------------------------------------------------------
+Mon Sep 21 08:51:40 UTC 2009 - lnussel@suse.de
+
+- boot.crypto:
+ * fix test for keyfile (bnc#540363)
+
+-------------------------------------------------------------------
+Wed Sep 16 12:49:07 UTC 2009 - lnussel@suse.de
+
+- boot.crypto:
+ * 2.6.31 requires the cryptomgr module in the initrd (bnc#535013)
+
+-------------------------------------------------------------------
+Tue Sep 15 13:20:59 UTC 2009 - lnussel@suse.de
+
+- boot.crypto:
+ * uppercase variables exported to keyscript in anticipation of
+ Debian adopting the implementation
+
+-------------------------------------------------------------------
+Fri Sep 4 10:04:05 UTC 2009 - lnussel@suse.de
+
+- boot.crypto:
+ * fix setting options without parameter
+ * infinite retries in initrd
+ * tries=0 means infinite tries
+ * implement retries in the script to make it work with keyscripts and non-luks volumes
+ * keyscript support (fate#302628)
+ * remove the option to fsck the fs as it actually never worked
+ * fix initrd option parsing
+
+-------------------------------------------------------------------
+Thu Aug 27 06:59:55 UTC 2009 - lnussel@suse.de
+
+- new cryptsetup version 1.0.7
+ * Allow removal of last slot in luksRemoveKey and luksKillSlot.
+ * Reject unsupported --offset and --skip options for luksFormat and update man page.
+ * Various man page fixes.
+ * Set UUID in device-mapper for LUKS devices.
+ * Retain readahead of underlying device.
+ * Display device name when asking for password.
+ * Check device size when loading LUKS header. Remove misleading error message later.
+ * Add error hint if dm-crypt mapping failed.
+ * Use better error messages if device doesn't exist or is already used by other mapping.
+ * Fix make distcheck.
+ * Check if all slots are full during luksAddKey.
+ * Fix segfault in set_error.
+ * Code cleanups, remove precompiled pot files, remove unnecessary files from po directory
+ * Fix uninitialized return value variable in setup.c.
+ * Code cleanups. (thanks to Ivan Stankovic)
+ * Fix wrong output for remaining key at key deletion.
+ * Allow deletion of key slot while other keys have the same key information.
+ * Add missing AM_PROG_CC_C_O to configure.in
+ * Remove duplicate sentence in man page.
+ * Wipe start of device (possible fs signature) before LUKS-formatting.
+ * Do not process configure.in in hidden directories.
+ * Return more descriptive error in case of IO or header format error.
+ * Use remapping to error target instead of calling udevsettle for temporary crypt device.
+ * Check device mapper communication and warn user if device-mapper support missing in kernel.
+ * Fix signal handler to properly close device.
+ * write_lseek_blockwise: declare innerCount outside the if block.
+ * add -Wall to the default CFLAGS. fix some signedness issues.
+ * Error handling improvement.
+ * Add non-exclusive override to interface definition.
+ * Refactor key slot selection into keyslot_from_option.
+
+-------------------------------------------------------------------
+Wed Aug 19 14:08:40 CEST 2009 - lnussel@suse.de
+
+- boot.crypto:
+ * set infinite timeout during 2nd stage (bnc#456004)
+
+-------------------------------------------------------------------
+Mon Jul 13 08:56:56 UTC 2009 - lnussel@suse.de
+
+- boot.crypto:
+ * wait for device before calling luksOpen (bnc#521446)
+
+-------------------------------------------------------------------
+Wed Jun 17 11:30:08 CEST 2009 - coolo@novell.com
+
+- fix link order
+
+-------------------------------------------------------------------
+Thu Jun 11 21:36:28 CEST 2009 - coolo@novell.com
+
+- fix compile with glibc 2.10
+
+-------------------------------------------------------------------
+Thu Apr 2 09:33:22 CEST 2009 - lnussel@suse.de
+
+- boot.crypto:
+ * resolve symlinks when searching for loop devices (bnc#490170)
+ * add extra man page tags to avoid FIXME output of docbook
+ * don't pipe password if there's only one device to open
+ * update copyright information
+ * fix spelling and actually stop in pre_stop_hook
+ * introduce initrd option in crypttab (bnc#465711)
+
+-------------------------------------------------------------------
+Fri Mar 6 13:01:44 CET 2009 - lnussel@suse.de
+
+- boot.crypto:
+ * print dm name instead of physdev (bnc#456664)
+ * make prompt work with infinite timeout (bnc#466405)
+ * implement pre-stop hook (bnc#481870)
+ * remove hardcoded loop device number limit (bnc#481872)
+ * Warn if using a non-absolute path for physdev in crypttab
+- hashalot: compute hash of empty passphrase if not interactive
+ (bnc#475135)
+
+-------------------------------------------------------------------
+Tue Mar 3 16:27:23 CET 2009 - lnussel@suse.de
+
+- fix boot.crypto doesn't care on tries flag in crypttab (bnc#480741)
+- mkinitrd scripts now included in boot.crypto git
+
+-------------------------------------------------------------------
+Thu Feb 26 15:34:06 CET 2009 - mhopf@suse.de
+
+- Fix segfault with oversized hashes (bnc #476290).
+
+-------------------------------------------------------------------
+Wed Feb 25 13:47:43 CET 2009 - jsmeix@suse.de
+
+- Fixed initrd LUKS password annoyance in mkinitrd-boot.sh and
+ mkinitrd-setup.sh when the same password is used for all
+ partitions. In this case the password is now only asked
+ once (bnc#465711).
+
+-------------------------------------------------------------------
+Sun Dec 14 12:27:34 CET 2008 - bwalle@suse.de
+
+- Fix LUKS root partition residing on a soft raid (bnc#358341)
+
+-------------------------------------------------------------------
+Mon Nov 3 14:03:33 CET 2008 - mkoenig@suse.de
+
+- boot.crypto-early: explicitly start before boot.localfs
+
+-------------------------------------------------------------------
+Fri Sep 12 16:40:03 CEST 2008 - mkoenig@suse.de
+
+- branch off shlib to subpackage libcryptsetup0
+- rename cryptsetup-devel to libcryptsetup-devel
+
+-------------------------------------------------------------------
+Wed Sep 3 11:09:34 CEST 2008 - hare@suse.de
+
+- Call mkinitrd_setup during %post and %postun (bnc#413709)
+
+-------------------------------------------------------------------
+Wed Aug 20 15:20:06 CEST 2008 - mkoenig@suse.de
+
+- enable SELinux support (fate#303662)
+
+-------------------------------------------------------------------
+Wed Aug 13 11:21:14 CEST 2008 - mkoenig@suse.de
+
+- boot.crypto:
+ * Fix init script tags
+
+-------------------------------------------------------------------
+Fri Aug 8 11:42:10 CEST 2008 - mkoenig@suse.de
+
+- boot.crypto:
+ * Provide some reasonable exit status (bnc#409502)
+
+-------------------------------------------------------------------
+Wed Jul 23 15:44:31 CEST 2008 - hare@suse.de
+
+- Include mkinitrd scriptlets.
+
+-------------------------------------------------------------------
+Wed Jul 23 13:05:20 CEST 2008 - mkoenig@suse.de
+
+- use /sbin/udevadm settle instead of /sbin/udevsettle (bnc#404875)
+
+-------------------------------------------------------------------
+Tue May 6 12:36:49 CEST 2008 - mkoenig@suse.de
+
+- load loop module in boot.crypto-early as it might be needed.
+ It is previously initially loaded by boot.localfs.
+
+-------------------------------------------------------------------
+Wed Apr 9 15:59:09 CEST 2008 - mkoenig@suse.de
+
+- add support for boot.crypto-early (bnc#355824)
+ needed to encrypt block devices for usage with LVM or MD
+ adds a new option 'noearly' for crypttab, which will skip
+ the device in boot.crypto-early.
+
+-------------------------------------------------------------------
+Wed Feb 27 12:10:32 CET 2008 - mkoenig@suse.de
+
+- update to svn revision 46:
+ * fix out of bound for key index in delKey (bnc#360041)
+ * Add typo fixes to the cryptsetup.8 manpage
+ * Add key-slot patch
+ * Remove O_EXCL requirement for certain LUKS operations
+ * mention luksKillSlot in the manpage
+
+-------------------------------------------------------------------
+Mon Feb 4 16:22:42 CET 2008 - lnussel@suse.de
+
+- boot.crypto:
+ * check for columns of terminal (bnc#337614)
+ * enhance crypttab manpage (bnc#351061)
+ * check for fs_passno (bnc#345339)
+
+-------------------------------------------------------------------
+Wed Jan 9 12:07:14 CET 2008 - lnussel@suse.de
+
+- upgrade to svn revision 42 which includes previous patches
+- boot.crypto:
+ * don't mount read-only as safety check (bnc#345338)
+ * implement precheck scripts
+ * allow restarting of single volumes (bnc#345605)
+ * status query of individual devices (bnc#345605)
+ * add vol_id check script
+ * maintain boot.crypto stuff in revision control and use tarball
+ snapshots of it
+
+-------------------------------------------------------------------
+Thu Nov 29 13:47:24 CET 2007 - lnussel@suse.de
+
+- upgrade to svn revision 38
+
+-------------------------------------------------------------------
+Wed Nov 7 12:40:02 CET 2007 - mkoenig@suse.de
+
+- add %fillup_prereq and %insserv_prereq to PreReq
+
+-------------------------------------------------------------------
+Tue Oct 16 10:38:35 CEST 2007 - lnussel@suse.de
+
+- upgrade to svn revision 31
+ * Rename luksDelKey into luksKillSlot
+ * Add luksRemoveKey that queries a given key before removal
+ * Fix segfault in luksOpen.
+ * Add LUKS_device_ready check for most LUKS calls, so that
+ cryptsetup dies before password querying in case a blockdev is
+ unavailable
+ * For LUKS key material access require exclusive access to the
+ underlying device. This will prevent multiple mappings onto a
+ single LUKS device. dm*crypt doesn't feature any syncing
+ capabilities, hence there is no real application for this as it
+ will likely lead to disk corruption.
+ * Add signal handler to keyencryption to free the temporary
+ mapping in case the user hits ctrl-c.
+
+-------------------------------------------------------------------
+Mon Aug 27 16:25:54 CEST 2007 - lnussel@suse.de
+
+- remove /var/run/keymap from previous boot to make /etc/init.d/kbd
+ work (#296409)
+
+-------------------------------------------------------------------
+Mon Aug 27 10:42:32 CEST 2007 - lnussel@suse.de
+
+- run fsck with progressbar (#304750)
+
+-------------------------------------------------------------------
+Thu Jun 21 16:06:53 CEST 2007 - mkoenig@suse.de
+
+- run udevsettle to avoid problems with busy temporary
+ device mapper devices [#285478]
+
+-------------------------------------------------------------------
+Mon Jun 11 09:23:24 CEST 2007 - lnussel@suse.de
+
+- rephrase error message (#279169)
+
+-------------------------------------------------------------------
+Fri Jun 1 10:07:14 CEST 2007 - lnussel@suse.de
+
+- rename util-linux-crypto to cryptsetup
+- remove dmconvert
+- replace svn snapshot with official 1.0.5 release
+- don't enable boot.crypto by default
+
+-------------------------------------------------------------------
+Tue May 29 15:58:44 CEST 2007 - lnussel@suse.de
+
+- fix segfault when trying to open a non existing device
+- fix gcc warnings
+- add Short-Description to boot.crypto
+- use %find_lang
+
+-------------------------------------------------------------------
+Wed May 9 14:52:00 CEST 2007 - lnussel@suse.de
+
+- boot.crypto: implement 'status'
+- boot.crypto: accept argument to start/stop single devices
+
+-------------------------------------------------------------------
+Wed May 9 10:40:28 CEST 2007 - lnussel@suse.de
+
+- hashalot: add timeout option
+
+-------------------------------------------------------------------
+Wed May 9 09:40:42 CEST 2007 - lnussel@suse.de
+
+- fix build
+
+-------------------------------------------------------------------
+Tue May 8 15:16:41 CEST 2007 - lnussel@suse.de
+
+- boot.crypto: switch off splash screen only when needed
+- boot.crypto: report status for individual volumes instead of using one global
+ exit status
+- hashalot: exit unsucessfully on empty passphrase
+
+-------------------------------------------------------------------
+Tue May 8 10:43:24 CEST 2007 - lnussel@suse.de
+
+- boot.crypto: sleep a bit longer before overwriting the prompt
+- boot.crypto: add support for pseed and itercountk options
+- boot.crypto: skip entries with unsupported/unknown options
+- hashalot: add support for itercountk
+
+-------------------------------------------------------------------
+Fri May 4 16:38:11 CEST 2007 - lnussel@suse.de
+
+- upgrade cryptsetup to current svn revision 30 which includes
+ previous patches.
+- fix background prompt process not getting killed on ctrl-d in
+ boot.crypto
+
+-------------------------------------------------------------------
+Fri Apr 27 15:46:05 CEST 2007 - lnussel@suse.de
+
+- upgrade cryptsetup to current svn revision 26. Does no longer hang
+ when a file is specified instead of a device.
+- remove obsolete cryptsetup.sh script
+- boot.crypto:
+ * drop support for cryptoloop, use cryptsetup also for cryptotab
+ * refactor code and create reusable components for use in cryptotab
+ and crypttab code path
+ * run sulogin only during boot if fsck failed
+ * support crypttab's 'tries' option
+- add crypttab manpage based on Debian one
+
+-------------------------------------------------------------------
+Tue Apr 24 17:38:40 CEST 2007 - lnussel@suse.de
+
+- add boot.crypto (#257884)
+- add crypttab and cryptotab as %ghost to filelist
+
+-------------------------------------------------------------------
+Tue Mar 27 10:22:48 CEST 2007 - mkoenig@suse.de
+
+- move devel .so link to %{libdir}
+- run ldconfig, since we have now a shared lib installed
+
+-------------------------------------------------------------------
+Fri Mar 23 16:18:12 CET 2007 - dmueller@suse.de
+
+- cryptsetup can now link shared since libpopt is
+ no longer under /usr
+
+-------------------------------------------------------------------
+Fri Mar 9 12:06:53 CET 2007 - lnussel@suse.de
+
+- add patch to support old loop_fish2 key hash method
+
+-------------------------------------------------------------------
+Thu Dec 7 18:33:01 CET 2006 - mkoenig@suse.de
+
+- update cryptsetup to version 1.0.4:
+ * added terminal timeout rewrite
+ * allow user selection of key slot
+ * reading binary keys from stdin using the "-" as key file
+ * fix 64 bit compiler warning issues.
+ * fix getline problem for 64-bit archs.
+
+-------------------------------------------------------------------
+Fri Oct 13 11:30:19 CEST 2006 - mkoenig@suse.de
+
+- fix build failure due to missing pthreads
+
+-------------------------------------------------------------------
+Wed Sep 13 12:39:27 CEST 2006 - hvogel@suse.de
+
+- use the LUKS version of cryptsetup
+- split -devel subpackage for libcryptsetup
+- remove patches because they are in the new cryptsetup
+ * cryptsetup-0.1-static.patch
+ * cryptsetup-0.1-retval.patch
+ * cryptsetup-0.1-dmi.exists.patch
+ * cryptsetup-0.1-timeout.patch
+- use man page from the new cryptsetup
+
+-------------------------------------------------------------------
+Tue May 16 11:03:08 CEST 2006 - hvogel@suse.de
+
+- Fix cryptsetup to work when the device does not exist yet
+ [#175931]
+
+-------------------------------------------------------------------
+Wed Jan 25 21:42:28 CET 2006 - mls@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Mon Dec 19 14:46:30 CET 2005 - mmj@suse.de
+
+- Remove symlinks to hashalot we don't want
+
+-------------------------------------------------------------------
+Thu Oct 13 15:04:29 CEST 2005 - hvogel@suse.de
+
+- Fix uninitialized var in dmconvert. Add
+ * dmconvert-0.2-uninitialized.patch
+- Fix return value in cryptsetup. Add
+ * cryptsetup-0.1-retval.patch
+
+-------------------------------------------------------------------
+Wed Jun 29 14:28:32 CEST 2005 - hvogel@suse.de
+
+- Link cryptsetup static so it can be in /sbin and you can get
+ /usr over nfs or even crypted
+
+-------------------------------------------------------------------
+Mon May 9 17:23:39 CEST 2005 - hvogel@suse.de
+
+- New package, Version 2.12q
+
diff --git a/cryptsetup.keyring b/cryptsetup.keyring
new file mode 100644
index 0000000..132c608
--- /dev/null
+++ b/cryptsetup.keyring
@@ -0,0 +1,56 @@ +pub 4096R/D93E98FC 2012-04-01 [expires: 2022-03-30] +uid Milan Broz +sub 4096R/4BBD6F43 2012-04-01 [expires: 2022-03-30] + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.19 (GNU/Linux) + +mQINBE94p38BEADZRET8y1gVxlfDk44/XwBbFjC7eM6EanyCuivUPMmPwYDo9qRe +y0JdOGhWhAZeutGGxsKliozmeTL25Z6wWICu2oeY+ZfbgJQYHFeQ01NVwoYy57hh +ytZw/6IMLFRcIaWSHd7oNdneQg6mVJcGdA/BOX68uo3RKSHj6Q8GoQ54F/NpCotz +VcP1ORpVJ5ptyG0x6OZm5Esn61pKE979wcHsz7EzcDYl+3MS63gZm+O3D1u80bUM +mBUlxyEiC5jo5ksTFheA8m/5CAPQtxzYvgezYlLLS3nkxaq2ERK5DhvMv0NktXSu +tfWQsOI5WLjG7UWStwAnO2W+CVZLcnZV0K6OKDaFbCj4ovg5HV0FyQZknN2O5Qbx +esNlNWkMOJAnnX6c/zowO7jq8GCpa3oJl3xxmwFbCZtH4z3fEVw0wAFc2JlnufR4 +dhaax9fhNoUJ4OSVTi9zqstxhEyywkazakEvAYwOlC5+1FKoc9UIvApAGvgcTJGT +Op7MuHptHGwWvGZEaJqcsqoy7rsYPxtDQ7bJuJJblzGIUxWAl8qsUsF8M4ISxBkf +fcUYiR0wh1luUhXFo2rRTKT+Ic/nJDE66Ee4Ecn9+BPlNODhlEG1vk62rhiYSnyz +y5MAUhUlstDxuEjYK+NGd2aYH0VANZalqlUZFTEdOdA6NYROxkYZVsVtXQARAQAB +tCBNaWxhbiBCcm96IDxnbWF6eWxhbmRAZ21haWwuY29tPokCPgQTAQIAKAUCT3in +fwIbAwUJEswDAAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ2bBXe9k+mPxp +bg//ZWDcQVNAKOWCviNnNvT315WbDrjsJ6FApF83hB52qQO9tvjb5ZY54794uwof +idOqi0XFoLkoLyiJkkvc3Q9SnM89hyhzrxnh2ym4rUr4cL6F9e99uC656er4telM +bg9OSPR2iNuqsAzyMhOGMEnnm97YQ2QWOnvbC8QgoQB5VvF3nZMgqTPTxctlUfc7 +t4BlGcIBLG0oINUNDf441KAXgMP05kVK0CDQd02CTPok2Qshbg6aw56eSSUTB4aq +ZM8St1ySJ2ccMDRC9mCqcNFtuuPyAAJAJFmEvlxahd0BA0mwV3ce38JBbTqs5k0X +2JVljHObgnfp3WDtuY8Lj0u8KvN0CAYJhRuhY40fARh8EPfkNvIx/740ueexsUBW +3N1/lCeABaOKtu11kVUxvDxaFRQc2I5vl/sZMunSjJQQiwrWNbrwZgidwkHzvizm +LjdgHgCJeEC+tu1qifTCOllufvXagjYmrH4hm/Qz6+91lLksrHooxp3nAcN78d5/ +E4reamx0+DleOJ2yD1UeP2wUDdB23OQU3ipVDYwIuIvDWiZSIVwXyDLhuc64ti4t +ScUGfucEKMER1eLTJ+zILHZ9R4K7C2BhEGSAyxkeeX/Z8pLNOJ1RdU+B+ZFNXuIH +LJbgrAiOOqr07WPbvRT1LvO/w/4m31D9Kalc4Jyqn9+pjtm5Ag0ET3infwEQAN6E +dXyfw9xr56CJ1asnQ1PSxpzEGlUsEHvn4wcufyC8KN6VGUlR3WinlaGvOICzvYOi +S06E6PqKDEgbbApBh2//6Ihk1OynS0y4hYepJi+pstdXoiud6NQSNQlcFjCfI8Wz +AT3rensVLmwc3HgRW5qqt5Vc+EWdg9cylZ48QdPyo3WyOd2pyL+yqNZPjMGijE8z 
+vzurwZiO9aBkJCjulqXMs1YyyIqfTxKQ1GCUQq4SoIQXjD8HvgJ7T/TpuDf9wFhe +onGqxiJpxb02LMEdkPgugKIgG6iOFplzrsySyoiJsGa0mJ0n0O6rXQxl1mK/zdfg +vm4CPDujbgINnIxRxPescCVYcmjM8kTlGYJuKp4GgbwbwkCISs4retaAXiP3a2f3 +eSaJc5SnWWa3JqH5ogkEWvuezjNxW5fMpBWszdQEsgnsdlK37V+aB5oWnnkZRlWk +1YhGwL1ODz+EZzSsGlkIr7BYakK3xRYbxVfQkUr7EeqruXohSOnPAowePYAXCigC +fWvIJMlrPLIOD2GOy9eV3UZ/JDn/7YPfFAjNb0gVdpqBCQNH/fP2ePC0FzW+3YL1 +UbR+qMAEbKbFepycg75LbC08jFuQVvauDQta4EAvBkF460PoskCzcMuREntjMxip +B6IMSoOD74tcGYfUp6/kcgdEaqyK8214couO/u8HABEBAAGJAiUEGAECAA8FAk94 +p38CGwwFCRLMAwAACgkQ2bBXe9k+mPzIRA//bAf0Ng8dJ+IgydRtdT9X2xYKyukk +A3HlrOImOoA4Thrv/HVe7U28AkiQt2DxOmNZYIV0BqvL+dWAD1HYCdQgsgVWVLpr +sFfqOYHnAWKsdqyNZHtPC9J6drnwv0vcER0dtDJjMDP4MJMTa4JNjNJYb29WfbIm +viDRtIcVujYFoZK2ZBa1Ec7yPfk4CsyE+Y3Qh9Gy8Z08NrrxIn+MVATBbocKs7j1 +JAvkFk+o1grGnw3NTXnB8gEygAKHHyUgzr5Nyn5qJ28EZr7Vc1FP2lUiKv0JBcHT +/9vVXJ1Grd+VF2cwYftMWRKR66lTaUS2BX0ta6IQQSj8nSRsoKapRniCfTm1D4I1 +6j9bOoEfFdVsMkcrYFtfhq97qgR8gZtVCJkrX2CARZ+a1J+NP/erASd6M1A3n3aM +F3xBFfFsotzPplmhzExCYwuOCWIBfPerUQh1MughvG/oT8ZapR6x/EVE+K90J10X +pPi8VMi/3QRC5DpCin3Kc14WAE4uEbyUWLKb3PmfmZaS6qFaJNtf2TyZodT0ACgu +v9Xs4el0j8FRaCqLvEZS4rKLNxb8EY3Z4LC61QfyAbg5P114muVZ4ro8dzhZ0zwk +ZLGeEsYPsQpLo6XPT/32PP8aHn/KKX+KM7ouCEhVeWszR20BMK6sxTBR+4aNqSKC +dgr42jrtvzRmJp4= +=E79s +-----END PGP PUBLIC KEY BLOCK----- diff --git a/cryptsetup.spec b/cryptsetup.spec new file mode 100644 index 0000000..a580c1b --- /dev/null +++ b/cryptsetup.spec 
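Review bot: The key listing at the top of cryptsetup.keyring gives `[expires: 2022-03-30]` for both the primary key and the subkey, which is earlier than this commit's date (2024-05-03), so the trust anchor added here for checking cryptsetup-2.6.1.tar.sign looks expired unless the armored block carries a newer self-signature than the listing shows. Refresh the keyring from the upstream maintainer's currently published key and regenerate the listing so the two agree. The listing also identifies the key only by the 32-bit short ID `D93E98FC`, which does not uniquely identify a key; I would record the full fingerprint in the header, e.g. `fpr: <FULL-40-HEX-FINGERPRINT>` (placeholder, take the value from upstream).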
@@ -0,0 +1,236 @@
+#
+# spec file for package cryptsetup
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define so_ver 12
+Name: cryptsetup
+Version: 2.6.1
+Release: 0
+Summary: Setup program for dm-crypt Based Encrypted Block Devices
+License: LGPL-2.0-or-later AND SUSE-GPL-2.0-with-openssl-exception
+Group: System/Base
+URL: https://gitlab.com/cryptsetup/cryptsetup/
+Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-%{version}.tar.xz
+# GPG signature of the uncompressed tarball.
+Source1: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-%{version}.tar.sign
+Source2: baselibs.conf
+Source3: cryptsetup.keyring
+#PATCH-FIX-UPSTREAM bsc#1211079 luksFormat: handle system with low memory and no swap space
+Patch0: cryptsetup-Check-for-physical-memory-available-also-in-PBKDF-be.patch
+Patch1: cryptsetup-Try-to-avoid-OOM-killer-on-low-memory-systems-withou.patch
+Patch2: cryptsetup-Use-only-half-of-detected-free-memory-on-systems-wit.patch
+BuildRequires: device-mapper-devel
+BuildRequires: libjson-c-devel
+BuildRequires: libpwquality-devel
+BuildRequires: libselinux-devel
+BuildRequires: libuuid-devel
+# 2.6.38 has the required if_alg.h
+BuildRequires: linux-glibc-devel >= 2.6.38
+BuildRequires: pkgconfig
+BuildRequires: popt-devel
+BuildRequires: suse-module-tools
+BuildRequires: pkgconfig(blkid)
+BuildRequires: pkgconfig(libargon2)
+BuildRequires: pkgconfig(libssh)
+BuildRequires: pkgconfig(openssl)
+BuildRequires: rubygem(asciidoctor)
+Requires(post): coreutils
+Requires(postun):coreutils
+Provides: integritysetup = %{version}-%{release}
+Provides: veritysetup = %{version}-%{release}
+%if %{?suse_version} >= 1550
+# LUKS2 used as default format, which GRUB < 2.06 can't read
+Conflicts: grub2 < 2.06
+%endif
+
+%lang_package(cryptsetup)
+
+%description
+cryptsetup is used to conveniently set up dm-crypt based device-mapper
+targets. It allows to set up targets to read cryptoloop compatible
+volumes as well as LUKS formatted ones. The package additionally
+includes support for automatically setting up encrypted volumes at boot
+time via the config file %{_sysconfdir}/crypttab.
+
+%package ssh
+Summary: Cryptsetup LUKS2 SSH token
+Group: System/Base
+
+%description ssh
+Experimental cryptsetup plugin for unlocking LUKS2 devices with
+token connected to an SSH server.
+
+%package doc
+Summary: Cryptsetup Documentation
+Group: Documentation/Man
+Supplements: (cryptsetup and man)
+Supplements: (cryptsetup and patterns-base-documentation)
+BuildArch: noarch
+
+%description doc
+Documentation and man pages for cryptsetup
+
+%package -n libcryptsetup%{so_ver}
+Summary: Library for setting up dm-crypt Based Encrypted Block Devices
+Group: System/Libraries
+Provides: libcryptsetup%{so_ver}-hmac = %{version}
+Obsoletes: libcryptsetup%{so_ver}-hmac < %{version}
+
+%description -n libcryptsetup%{so_ver}
+cryptsetup is used to conveniently set up dm-crypt based device-mapper
+targets. It allows to set up targets to read cryptoloop compatible
+volumes as well as LUKS formatted ones. The package additionally
+includes support for automatically setting up encrypted volumes at boot
+time via the config file %{_sysconfdir}/crypttab.
+
+%package -n lib%{name}-devel
+Summary: Header files for libcryptsetup
+Group: Development/Libraries/C and C++
+Requires: glibc-devel
+Requires: libcryptsetup%{so_ver} = %{version}
+# cryptsetup-devel last used 11.1
+Provides: cryptsetup-devel = %{version}
+Obsoletes: cryptsetup-devel < %{version}
+
+%description -n lib%{name}-devel
+cryptsetup is used to conveniently set up dm-crypt based device-mapper
+targets. It allows to set up targets to read cryptoloop compatible
+volumes as well as LUKS formatted ones. The package additionally
+includes support for automatically setting up encrypted volumes at boot
+time via the config file %{_sysconfdir}/crypttab.
+
+%prep
+%autosetup -p1
+
+%build
+# force regeneration of manual pages from AsciiDoc
+rm -f man/*.8
+
+%configure \
+ --enable-selinux \
+ --enable-fips \
+ --enable-pwquality \
+ --enable-gcrypt-pbkdf2 \
+ --enable-libargon2 \
+%if %{?suse_version} < 1550
+ --with-default-luks-format=LUKS1 \
+%endif
+ --with-luks2-lock-path=/run/cryptsetup \
+ --with-tmpfilesdir='%{_tmpfilesdir}'
+%make_build
+
+%install
+
+%make_install
+%if 0%{?suse_version} < 1550
+install -dm 0755 %{buildroot}/sbin
+ln -s ..%{_sbindir}/cryptsetup %{buildroot}/sbin
+%endif
+# don't want this file in /lib (FHS compat check), and can't move it to /usr/lib
+find %{buildroot} -type f -name "*.la" -delete -print
+
+%find_lang %{name} --all-name
+
+%check
+%make_build check
+
+%post
+%{?regenerate_initrd_post}
+%tmpfiles_create %{_tmpfilesdir}/cryptsetup.conf
+
+%postun
+%{?regenerate_initrd_post}
+
+%posttrans
+%{?regenerate_initrd_posttrans}
+
+%post -n libcryptsetup%{so_ver} -p /sbin/ldconfig
+
+%postun -n libcryptsetup%{so_ver} -p /sbin/ldconfig
+
+%files
+%license COPYING*
+%if 0%{?suse_version} < 1550
+/sbin/cryptsetup
+%endif
+%{_sbindir}/cryptsetup
+%{_sbindir}/veritysetup
+%{_sbindir}/integritysetup
+%{_tmpfilesdir}/cryptsetup.conf
+%ghost %attr(700, -, -) %dir /run/cryptsetup
+
+%files lang -f %{name}.lang
+
+%files -n libcryptsetup%{so_ver}
+%{_libdir}/libcryptsetup.so.%{so_ver}*
+
+%files -n lib%{name}-devel
+%doc docs/examples/
+%{_includedir}/libcryptsetup.h
+%{_libdir}/libcryptsetup.so
+%{_libdir}/pkgconfig/*
+
+%files ssh
+%license COPYING*
+%dir %{_libdir}/%{name}
+%{_libdir}/%{name}/libcryptsetup-token-ssh.so
+%{_mandir}/man8/cryptsetup-ssh.8.gz
+%{_sbindir}/cryptsetup-ssh
+
+%files doc
+%doc AUTHORS FAQ.md README.md docs/*ReleaseNotes docs/on-disk-format*.pdf
+%{_mandir}/man8/cryptsetup.8.gz
+%{_mandir}/man8/cryptsetup-benchmark.8.gz
+%{_mandir}/man8/cryptsetup-bitlkDump.8.gz
+%{_mandir}/man8/cryptsetup-bitlkOpen.8.gz
+%{_mandir}/man8/cryptsetup-close.8.gz
+%{_mandir}/man8/cryptsetup-config.8.gz
+%{_mandir}/man8/cryptsetup-convert.8.gz
+%{_mandir}/man8/cryptsetup-create.8.gz
+%{_mandir}/man8/cryptsetup-erase.8.gz
+%{_mandir}/man8/cryptsetup-isLuks.8.gz
+%{_mandir}/man8/cryptsetup-loopaesOpen.8.gz
+%{_mandir}/man8/cryptsetup-luksAddKey.8.gz
+%{_mandir}/man8/cryptsetup-luksChangeKey.8.gz
+%{_mandir}/man8/cryptsetup-luksConvertKey.8.gz
+%{_mandir}/man8/cryptsetup-luksDump.8.gz
+%{_mandir}/man8/cryptsetup-luksErase.8.gz
+%{_mandir}/man8/cryptsetup-luksFormat.8.gz
+%{_mandir}/man8/cryptsetup-luksHeaderBackup.8.gz
+%{_mandir}/man8/cryptsetup-luksHeaderRestore.8.gz
+%{_mandir}/man8/cryptsetup-luksKillSlot.8.gz
+%{_mandir}/man8/cryptsetup-luksOpen.8.gz
+%{_mandir}/man8/cryptsetup-luksRemoveKey.8.gz
+%{_mandir}/man8/cryptsetup-luksResume.8.gz
+%{_mandir}/man8/cryptsetup-luksSuspend.8.gz
+%{_mandir}/man8/cryptsetup-luksUUID.8.gz
+%{_mandir}/man8/cryptsetup-open.8.gz
+%{_mandir}/man8/cryptsetup-plainOpen.8.gz
+%{_mandir}/man8/cryptsetup-reencrypt.8.gz
+%{_mandir}/man8/cryptsetup-refresh.8.gz
+%{_mandir}/man8/cryptsetup-repair.8.gz
+%{_mandir}/man8/cryptsetup-resize.8.gz
+%{_mandir}/man8/cryptsetup-status.8.gz
+%{_mandir}/man8/cryptsetup-tcryptDump.8.gz
+%{_mandir}/man8/cryptsetup-tcryptOpen.8.gz
+%{_mandir}/man8/cryptsetup-token.8.gz
+%{_mandir}/man8/integritysetup.8.gz
+%{_mandir}/man8/veritysetup.8.gz
+%{_mandir}/man8/cryptsetup-fvault2Dump.8.gz
+%{_mandir}/man8/cryptsetup-fvault2Open.8.gz
+
+%changelog
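Review bot: The two conditionals that decide the default on-disk format, `%if %{?suse_version} >= 1550` before `Conflicts: grub2 < 2.06` and `%if %{?suse_version} < 1550` inside `%configure`, lack the `0` prefix that the `%install` and `%files` sections already use (`%if 0%{?suse_version} < 1550`). When `suse_version` is undefined the macro expands to nothing and the expression is left as `%if >= 1550`, which rpm cannot evaluate; write them as `%if 0%{?suse_version} >= 1550` and `%if 0%{?suse_version} < 1550` so all four guards agree. Separately, `%prep` runs only `%autosetup -p1`, so nothing in the spec itself checks Source0 against Source1 with the Source3 keyring. Presumably the build service's source validation does that, and a one-line comment next to `Source3:` naming where the signature is verified would make the dependency explicit.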