Accepting request 1253109 from security

OBS-URL: https://build.opensuse.org/request/show/1253109
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=131

cryptsetup.changes

@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Fri Mar 14 10:06:24 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- Set pbkdf2 as the default PBKDF algorithm in LUKS2 format.
+  [bsc#1236375, bsc#1236164]
+  * The default PBKDF algorithm in the LUKS2 format is now Argon2id
+    but its not FIPS compliant. A system would be unbootable if using
+    Argon2id or Argon2i for disk encryption and then switching to
+    kernel FIPS mode. This can be avoided by setting pbkdf2 as default.
+  * Build using the configure option --with-luks2-pbkdf=pbkdf2.
+  * Remove the dependency on libargon2 as is now provided by openssl.
+
 -------------------------------------------------------------------
 Fri Sep 13 07:36:26 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
 

cryptsetup.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package cryptsetup
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -40,7 +40,6 @@ BuildRequires:  suse-module-tools
 BuildRequires:  pkgconfig(blkid)
 BuildRequires:  pkgconfig(devmapper)
 BuildRequires:  pkgconfig(json-c)
-BuildRequires:  pkgconfig(libargon2)
 BuildRequires:  pkgconfig(libselinux)
 BuildRequires:  pkgconfig(libssh)
 BuildRequires:  pkgconfig(openssl)
@@ -131,6 +130,7 @@ rm -f man/*.8
   --enable-pwquality \
   --enable-gcrypt-pbkdf2 \
   --enable-libargon2 \
+  --with-luks2-pbkdf=pbkdf2 \
 %if %{?suse_version} < 1550
   --with-default-luks-format=LUKS1 \
 %endif