From 110c3d10166506f12517a9112ce286edb1077606d6bda32f3fdcabd903a913f9 Mon Sep 17 00:00:00 2001 From: Ludwig Nussel Date: Tue, 12 Aug 2014 13:38:20 +0000 Subject: [PATCH 1/2] Accepting request 244329 from home:msmeissn:branches:security - libcryptsetup4-hmac split off contain the hmac for FIPS certification OBS-URL: https://build.opensuse.org/request/show/244329 OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=113 --- baselibs.conf | 1 + cryptsetup.changes | 6 ++++++ cryptsetup.spec | 13 ++++++++++++- 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/baselibs.conf b/baselibs.conf index 7819b67..44b405c 100644 --- a/baselibs.conf +++ b/baselibs.conf @@ -1 +1,2 @@ libcryptsetup4 +libcryptsetup4-hmac diff --git a/cryptsetup.changes b/cryptsetup.changes index 0858125..b8e6f27 100644 --- a/cryptsetup.changes +++ b/cryptsetup.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Aug 11 15:21:03 UTC 2014 - meissner@suse.com + +- libcryptsetup4-hmac split off contain the hmac for FIPS certification + +------------------------------------------------------------------- Tue May 27 14:38:57 UTC 2014 - meissner@suse.com - version 1.6.4 diff --git a/cryptsetup.spec b/cryptsetup.spec index 2b29584..4dd4c66 100644 --- a/cryptsetup.spec +++ b/cryptsetup.spec @@ -25,7 +25,7 @@ License: SUSE-GPL-2.0-with-openssl-exception and LGPL-2.0+ Group: System/Base Source: https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-%{version}.tar.xz -# this is the signature of the uncompressed tarball +# GPG signature of the uncompressed tarball. Source1: https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-%{version}.tar.sign Source2: baselibs.conf Source3: %{name}.keyring 
@@ -60,6 +60,14 @@ volumes as well as LUKS formatted ones. The package additionally includes support for automatically setting up encrypted volumes at boot time via the config file /etc/crypttab. +%package -n libcryptsetup4-hmac +Summary: Checksums for libcryptsetup4 +Group: System/Base + +%description -n libcryptsetup4-hmac +This package contains HMAC checksums for integrity checking of libcryptsetup4, +used for FIPS. + %package -n libcryptsetup-devel Summary: Set Up dm-crypt Based Encrypted Block Devices Group: Development/Libraries/C and C++ @@ -146,6 +154,9 @@ fi %files -n libcryptsetup4 %defattr(-,root,root) /%{_libdir}/libcryptsetup.so.4* + +%files -n libcryptsetup4-hmac +%defattr(-,root,root) /%{_libdir}/.libcryptsetup.so.4*hmac %files -n libcryptsetup-devel From 9d75fbda8192fe4ff1bd55a29d3b8b670a4912ae59f675b97e7bcd811f5ddf68 Mon Sep 17 00:00:00 2001 From: Ludwig Nussel Date: Wed, 13 Aug 2014 07:59:19 +0000 Subject: [PATCH 2/2] Accepting request 244369 from home:adra:branches:security version 1.6.5, Updated build requirements OBS-URL: https://build.opensuse.org/request/show/244369 OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=114 --- cryptsetup-1.6.4.tar.sign | 17 --------- cryptsetup-1.6.4.tar.xz | 3 -- cryptsetup-1.6.5.tar.sign | 17 +++++++++ cryptsetup-1.6.5.tar.xz | 3 ++ cryptsetup.changes | 26 ++++++++++++++ cryptsetup.spec | 73 +++++++++++++++++++-------------------- 6 files changed, 82 insertions(+), 57 deletions(-) delete mode 100644 cryptsetup-1.6.4.tar.sign delete mode 100644 cryptsetup-1.6.4.tar.xz create mode 100644 cryptsetup-1.6.5.tar.sign create mode 100644 cryptsetup-1.6.5.tar.xz diff --git a/cryptsetup-1.6.4.tar.sign b/cryptsetup-1.6.4.tar.sign deleted file mode 100644 index 7dbe8af..0000000 --- a/cryptsetup-1.6.4.tar.sign +++ /dev/null 
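Review bot: The new `%package -n libcryptsetup4-hmac` stanza in cryptsetup.spec (patch 1/2, hunk `@@ -60,6 +60,14 @@`) declares no dependency on the library it checksums, so the checksum and the library can be installed or updated independently of each other. Because the later `%files` hunk (`@@ -146,6 +154,9 @@`) moves `.libcryptsetup.so.4*hmac` out of `libcryptsetup4`, an upgrade also drops the checksum from systems that do not pull in the new package. A mismatched or missing HMAC would presumably make the FIPS integrity check fail or be skipped. Tie the two together with `Requires: libcryptsetup4 = %{version}-%{release}` in the new stanza, and decide explicitly how FIPS-mode systems get the -hmac package.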
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQIcBAABCAAGBQJTD0ctAAoJENmwV3vZPpj8WAkQAKo2flibcxZAR7lW6NfW2SUo
-VysNEylCPRQbPbDOrWRGQMrjNlQWz0YU504P+GwVFOrALW7K2v71oVa+8AE3dukh
-0aogPTzso6HlNFnnjbd2IkCAbhgejn6gshhd2rF64YxLx5QOnX744aS5HgEb3QC4
-rkSGIih/rJz0GEsNb4gpuTceO9BnBINbmbV4172CbyOWvndkgArazkB5f1Qi5d2r
-SUQVZQIzGmW+qVmsGElS4AtCsYz59qfeL6+REVHEY0YV9M1MkWF3ZCsflW6t0Qgb
-MUzNb3MEYYh2NaQoF4Ul1ZbHNgnx6as9B/uCIuV6LPQiJvl7PkBlN56vO6FI2nE5
-x2yXed8Y2OJBGstHsGtMoP8DP96U0IKcEPpSwttKVwl6+qCqu3Wns27eAvrkKnD/
-8/PGrk1F9H+iB4JLez/WyrWEveQQKugkJPf8HUSNW4J5/Q/joD0/2sKfIBTYbEG1
-Hf0jvcfhnsMf4cr06K1VeOVkr596/EEQRyEKAEQHdRdSDXvZeprjA+yBai6v6V+W
-OCm4DK3D6o9jhCLeotFSlOsMfA9gxWJ9uKrEnR7ITh7PmTf8PiZbX+VkexuwP8vT
-PaDjBCRZ2mm1nIfYxohcEMNz/WgRdFKx4vmb13OyY1tEcQYjIk/EoP7EZrGNS1tJ
-5X1fSnePI1PuO+WuyaHy
-=jEBe
------END PGP SIGNATURE-----
diff --git a/cryptsetup-1.6.4.tar.xz b/cryptsetup-1.6.4.tar.xz
deleted file mode 100644
index b4df0c0..0000000
--- a/cryptsetup-1.6.4.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:70b8e86eef94bbb4441ad38460d87138130d7aaaafe5d01131c3ba50b9f0dca0
-size 1081492
diff --git a/cryptsetup-1.6.5.tar.sign b/cryptsetup-1.6.5.tar.sign
new file mode 100644
index 0000000..70e5967
--- /dev/null
+++ b/cryptsetup-1.6.5.tar.sign
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQIcBAABCAAGBQJTsAB+AAoJENmwV3vZPpj8bh0P/3MhINlKtwNZUIpBmutuioiN
+TSZBXnC08oriTWll3LaUtT18q4gfdNZ0nmetew9AcdAHtaYEiSgdiuVkx4TVmXNV
+I7oAE1GCopYt7KCBBS06ql3RylrqEdpt0dscb0WDvvbtc5G0WFh9rDflsPXZpaEt
+heqpLG6mNUHnkfl9SOc3h0X9/H6G6bITvn1nJdNvfoZFJdqVI28d059Ax4dsx9ag
+x/smj/TyvfxpJ897g0Ta+j8PPXLm3vanZZW/eBYujJd/ks6dGY9oeqyU3xZ/Uiwx
+D6qDSbrkD8kzXoj7YyyMWkK3QtL3vhBSJoRC9Icf8hCg3jHS2FZ5ZYS6hzYvJQp7
+qsiOBxAyMgl1u0hYYldv0WRyi3Dv+C7HQdVHZicLdK30KqN3DKyJEPTnVt4+1nj2
+xNyZKM0kkHHMK+Cws2p17Y/ESH8TocJzaYdOehA5avRix7F9Ygg1g9BUGMGo3GDb
+DsrTes35A9GGnQ6M+/YIFmzfaG92SLDUHzxCBtZ6I1GPAsxK41qSJ5CMbfxN0w3/
+SGa3Xybi2ZTyDJf5pSJdnnRsU51dayG3ensXPwc56/thkLGiapIVziWWVTA9TsaS
+4B9emIPFkpkyX3mrfMsW3ap+lkkZ/KuqSeTkQep+Y24a/yaRX4YBjJCvAuu3DaZc
+tGJBiO00fS647Vw/KP5w
+=E6bJ
+-----END PGP SIGNATURE-----
diff --git a/cryptsetup-1.6.5.tar.xz b/cryptsetup-1.6.5.tar.xz
new file mode 100644
index 0000000..80aad09
--- /dev/null
+++ b/cryptsetup-1.6.5.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:267973f20be43f9d685f7193aa23954b60768c74a1d330243114d4b8bc17ca9a
+size 1136892
diff --git a/cryptsetup.changes b/cryptsetup.changes
index b8e6f27..d6b4a84 100644
--- a/cryptsetup.changes
+++ b/cryptsetup.changes
@@ -1,3 +1,29 @@ +------------------------------------------------------------------- +Tue Aug 12 16:34:04 UTC 2014 - asterios.dramis@gmail.com + +- version 1.6.5 + * Allow LUKS header operation handling without requiring root privilege. + It means that you can manipulate with keyslots as a regular user, only + write access to device (or image) is required. + * Fix internal PBKDF2 key derivation function implementation for alternative + crypto backends (kernel, NSS) which do not support PBKDF2 directly and have + issues with longer HMAC keys. + * Support for Python3 for simple Python binding. + Python >= 2.6 is now required. You can set Python compiled version by setting + --with-python_version configure option (together with --enable-python). + * Use internal PBKDF2 in Nettle library for Nettle crypto backend. + Cryptsetup compilation requires Nettle >= 2.6 (if using Nettle crypto backend). + * Allow simple status of crypt device without providing metadata header. + The command "cryptsetup status" will print basic info, even if you + do not provide detached header argument. + * Allow to specify ECB mode in cryptsetup benchmark. + * Add some LUKS images for regression testing. + Note that if image with Whirlpool fails, the most probable cause is that + you have old gcrypt library with flawed whirlpool hash. + Read FAQ section 8.3 for more info. +- Removed e2fsprogs-devel and libtool build requirements (not needed). +- Added libpwquality-devel and libuuid-devel build requirements. + ------------------------------------------------------------------- Mon Aug 11 15:21:03 UTC 2014 - meissner@suse.com diff --git a/cryptsetup.spec b/cryptsetup.spec index 4dd4c66..0ce0302 100644 --- a/cryptsetup.spec +++ b/cryptsetup.spec 
@@ -16,31 +16,32 @@ # +%define so_ver 4 + Name: cryptsetup -Url: http://code.google.com/p/cryptsetup/ -Version: 1.6.4 +Version: 1.6.5 Release: 0 Summary: Set Up dm-crypt Based Encrypted Block Devices License: SUSE-GPL-2.0-with-openssl-exception and LGPL-2.0+ Group: System/Base - -Source: https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-%{version}.tar.xz +Url: http://code.google.com/p/cryptsetup/ +Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-%{version}.tar.xz # GPG signature of the uncompressed tarball. Source1: https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-%{version}.tar.sign Source2: baselibs.conf Source3: %{name}.keyring -BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: device-mapper-devel -BuildRequires: e2fsprogs-devel BuildRequires: fipscheck BuildRequires: fipscheck-devel BuildRequires: libgcrypt-devel +BuildRequires: libpwquality-devel BuildRequires: libselinux-devel -BuildRequires: libtool +BuildRequires: libuuid-devel # 2.6.38 has the required if_alg.h BuildRequires: linux-glibc-devel >= 2.6.38 BuildRequires: pkgconfig BuildRequires: popt-devel +BuildRoot: %{_tmppath}/%{name}-%{version}-build %description cryptsetup is used to conveniently set up dm-crypt based device-mapper @@ -49,11 +50,11 @@ volumes as well as LUKS formatted ones. The package additionally includes support for automatically setting up encrypted volumes at boot time via the config file /etc/crypttab. -%package -n libcryptsetup4 +%package -n libcryptsetup%{so_ver} Summary: Set Up dm-crypt Based Encrypted Block Devices -Group: System/Base +Group: System/Libraries -%description -n libcryptsetup4 +%description -n libcryptsetup%{so_ver} cryptsetup is used to conveniently set up dm-crypt based device-mapper targets. It allows to set up targets to read cryptoloop compatible volumes as well as LUKS formatted ones. The package additionally 
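Review bot: The comment above `Source1` in the first cryptsetup.spec hunk of patch 2/2 (`@@ -16,31 +16,32 @@`) says what the file is but not where it is checked, and no verification step is visible in this diff; `%prep` appears only as `%setup -q` in the context of a later hunk. Since this commit swaps both the tarball and its detached signature, a reader should be able to see that the new pair was verified against `%{name}.keyring`. I would extend the comment to `# GPG signature of the uncompressed tarball; checked against Source3 (%{name}.keyring)` and add a few words naming the step or service that performs the check.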
@@ -64,20 +65,20 @@ time via the config file /etc/crypttab. Summary: Checksums for libcryptsetup4 Group: System/Base -%description -n libcryptsetup4-hmac +%description -n libcryptsetup4-hmac This package contains HMAC checksums for integrity checking of libcryptsetup4, used for FIPS. %package -n libcryptsetup-devel Summary: Set Up dm-crypt Based Encrypted Block Devices Group: Development/Libraries/C and C++ +Requires: glibc-devel +Requires: libcryptsetup%{so_ver} = %{version} # cryptsetup-devel last used 11.1 Provides: cryptsetup-devel = %{version} Obsoletes: cryptsetup-devel < %{version} -Requires: glibc-devel -Requires: libcryptsetup4 = %{version} -%description -n libcryptsetup-devel +%description -n libcryptsetup-devel cryptsetup is used to conveniently set up dm-crypt based device-mapper targets. It allows to set up targets to read cryptoloop compatible volumes as well as LUKS formatted ones. The package additionally @@ -88,14 +89,10 @@ time via the config file /etc/crypttab. %setup -q %build -# cryptsetup build -%{?suse_update_config:%{suse_update_config}} -autoreconf -f -i -test -e po/Makevars || cp po/Makevars.template po/Makevars -%configure \ - --disable-static --enable-shared \ - --enable-cryptsetup-reencrypt \ - --enable-selinux --enable-fips +%configure --enable-cryptsetup-reencrypt \ + --enable-selinux \ + --enable-fips \ + --enable-pwquality make %{?_smp_mflags} %install 
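Review bot: `libcryptsetup4-hmac` stays hard-coded in the `Summary:` and `%description -n libcryptsetup4-hmac` lines of hunk `@@ -64,20 +65,20 @@` (the `%package` line sits just above the hunk), and again in `%files -n libcryptsetup4-hmac` in the last hunk. The library package, by contrast, was switched to `libcryptsetup%{so_ver}` and the checksum glob to `.libcryptsetup.so.%{so_ver}*hmac`. After a soname bump the checksum package would keep the old name while shipping the new library's HMAC. Use the macro here too: `%package -n libcryptsetup%{so_ver}-hmac`, `Summary: Checksums for libcryptsetup%{so_ver}`, and the matching `%description`/`%files` headers. baselibs.conf from patch 1/2 would still need a manual edit in that case.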
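Review bot: `--enable-pwquality` in the `%configure` call (hunk `@@ -88,14 +89,10 @@`) is a behaviour change for users, not only a build change, and the spec gives no hint of it. With this option cryptsetup presumably checks newly entered passphrases against the system's libpwquality policy, so passphrases that were accepted before may now be rejected. A comment above the call such as `# pwquality: new passphrases are checked against the system password-quality policy` would document that. The same hunk drops the explicit `--disable-static --enable-shared`; if the upstream default ever produced a static archive it would not be covered by the `fipshmac` step seen in the next hunk's context, so I would keep `--disable-static` spelled out.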
@@ -107,13 +104,13 @@ make %{?_smp_mflags} fipshmac %{buildroot}/%{_libdir}/libcryptsetup.so.* \ %{nil} -make install DESTDIR=$RPM_BUILD_ROOT -install -d -m 755 $RPM_BUILD_ROOT/sbin -ln -s ..%{_sbindir}/cryptsetup $RPM_BUILD_ROOT/sbin +make install DESTDIR=%{buildroot} +install -dm 0755 %{buildroot}/sbin +ln -s ..%{_sbindir}/cryptsetup %{buildroot}/sbin # don't want this file in /lib (FHS compat check), and can't move it to /usr/lib -rm -f $RPM_BUILD_ROOT/%_libdir/*.la +rm -f %{buildroot}/%{_libdir}/*.la # -%find_lang %name --all-name +%find_lang %{name} --all-name %post test -n "$FIRST_ARG" || FIRST_ARG="$1" @@ -135,33 +132,35 @@ if [ "$FIRST_ARG" -gt 1 -a ! -e "$marker" ]; then fi fi -%post -n libcryptsetup4 -p /sbin/ldconfig +%post -n libcryptsetup%{so_ver} -p /sbin/ldconfig -%postun -n libcryptsetup4 -p /sbin/ldconfig +%postun -n libcryptsetup%{so_ver} -p /sbin/ldconfig -%files -f %name.lang +%files -f %{name}.lang %defattr(-,root,root) +%doc AUTHORS COPYING* FAQ README TODO docs/ChangeLog.old docs/*ReleaseNotes #ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/crypttab #ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/cryptotab /sbin/cryptsetup %{_sbindir}/cryptsetup %{_sbindir}/veritysetup %{_sbindir}/cryptsetup-reencrypt -%_mandir/man8/cryptsetup.8.gz -%_mandir/man8/cryptsetup-reencrypt.8.gz -%_mandir/man8/veritysetup.8.gz +%{_mandir}/man8/cryptsetup.8.gz +%{_mandir}/man8/cryptsetup-reencrypt.8.gz +%{_mandir}/man8/veritysetup.8.gz -%files -n libcryptsetup4 +%files -n libcryptsetup%{so_ver} %defattr(-,root,root) -/%{_libdir}/libcryptsetup.so.4* +%{_libdir}/libcryptsetup.so.%{so_ver}* %files -n libcryptsetup4-hmac %defattr(-,root,root) -/%{_libdir}/.libcryptsetup.so.4*hmac +%{_libdir}/.libcryptsetup.so.%{so_ver}*hmac %files -n libcryptsetup-devel %defattr(-,root,root) -%_includedir/libcryptsetup.h +%doc docs/examples/ +%{_includedir}/libcryptsetup.h %{_libdir}/libcryptsetup.so %{_libdir}/pkgconfig/*