Accepting request 29937 from security

Copy from security/cryptsetup based on submit request 29937 from user lnussel OBS-URL: https://build.opensuse.org/request/show/29937 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=41
2010-01-21 10:33:50 +00:00 · 2010-01-21 10:33:50 +00:00 · 7494f24427
commit 7494f24427
parent fbfbd32658 c007e95de9
9 changed files with 121 additions and 77 deletions
--- a/baselibs.conf
+++ b/baselibs.conf
@ -0,0 +1 @@
+libcryptsetup1
--- a/boot.crypto-0_200910201446.tar.bz2
+++ b/boot.crypto-0_200910201446.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:748209e4d765d7b66b6479f7e838e1ceca1823c00184b7732f647f9f5807d56d
-size 17933
--- a/boot.crypto-0_200911271000.tar.bz2
+++ b/boot.crypto-0_200911271000.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:65d653f82ff72ad2cf5e703663331c42460df5253297d149b2ff7fa2b6e4fd1b
+size 17953
--- a/cryptsetup-1.0.7-eofpw.diff
+++ b/cryptsetup-1.0.7-eofpw.diff
@ -1,42 +0,0 @@
-From 6b92a27195e21e9d96ce2f324c3da593a01a7ae0 Mon Sep 17 00:00:00 2001
-From: Ludwig Nussel <ludwig.nussel@suse.de>
-Date: Tue, 29 Sep 2009 11:09:31 +0200
-Subject: [PATCH] Fail if piped input is broken.
-
---
- ChangeLog   |    1 +
- lib/utils.c |   13 ++++++++++---
- 2 files changed, 11 insertions(+), 3 deletions(-)
-
-Index: cryptsetup-1.0.7/lib/utils.c
-===================================================================
--- cryptsetup-1.0.7.orig/lib/utils.c
-+++ cryptsetup-1.0.7/lib/utils.c
-@@ -361,6 +361,7 @@ int get_key(char *prompt, char **key, un
- 	char *pass = NULL;
- 	int newline_stop;
- 	int read_horizon;
-+	int regular_file = 0;
- 
- 	if(key_file && !strcmp(key_file, "-")) {
- 		/* Allow binary reading from stdin */
-@@ -435,6 +436,8 @@ int get_key(char *prompt, char **key, un
- 				// goto out_err;
- 				fprintf(stderr,"Warning: exhausting read requested, but key file is not a regular file, function might never return.\n");
- 			}
-+			else
-+				regular_file = 1;
- 		}
- 		buflen = 0;
- 		for(i = 0; read_horizon == 0 || i < read_horizon; i++) {
-@@ -452,6 +455,10 @@ int get_key(char *prompt, char **key, un
- 		}
- 		if(key_file)
- 			close(fd);
-+		/* Fail if piped input dies reading nothing */
-+		if(!i && !regular_file) {
-+			goto out_err;
-+		}
- 		pass[i] = 0;
- 		*key = pass;
- 		*passLen = i;
--- a/cryptsetup-1.0.7.tar.bz2
+++ b/cryptsetup-1.0.7.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:829af59ab5bb47e4ff384a927458b4ffbb86380825de5f9ac751a89df599ed99
-size 417339
--- a/cryptsetup-1.1.0.tar.bz2
+++ b/cryptsetup-1.1.0.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b343fa6bf3c48b633e68da25e44aebd6a32a3dc21c10604acd6faa04e41f58f3
+size 465778
--- a/cryptsetup-1.1.0.tar.bz2.asc
+++ b/cryptsetup-1.1.0.tar.bz2.asc
@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.10 (GNU/Linux)
+
+iEYEABECAAYFAktS7HYACgkQf1Jlc7shgi8PwQCfVFwnRLdjn7hILuxXq5TLtmsa
+elIAn0VqeFuSEqPg3qu9BqPnmdkoMRzI
+=mOAm
+-----END PGP SIGNATURE-----
--- a/cryptsetup.changes
+++ b/cryptsetup.changes
@ -1,3 +1,78 @@
+-------------------------------------------------------------------
+Mon Jan 18 12:18:32 UTC 2010 - lnussel@suse.de
+
+- cryptsetup 1.1.0:
+
+ * IMPORTANT: the default compiled-in cipher parameters changed
+	plain mode: aes-cbc-essiv:sha256 (default is backward incompatible!).
+	LUKS mode: aes-cbc-essiv:sha256 (only key size increased)
+	In both modes is now default key size 256bits.
+
+	 * Default compiled-in parameters are now configurable through configure options:
+	   --with-plain-* / --with-luks1-* (see configure --help)
+
+	 * If you need backward compatible defaults for distribution use
+	   configure --with-plain-mode=cbc-plain --with-luks1-keybits=128
+
+	 Default compiled-in modes are printed in "cryptsetup --help" output.
+
+ * Change in iterations count (LUKS):
+	The slot and key digest iteration minimum count is now 1000.
+	The key digest iteration count is calculated from iteration time (approx 1/8 of req. time).
+	For more info about above items see discussion here: http://tinyurl.com/yaug97y
+
+ * New libcryptsetup API (documented in libcryptsetup.h).
+
+	The old API (using crypt_options struct) is still available but will remain
+	frozen and not used for new functions.
+	Soname of library changed to libcryptsetup.so.1.0.0.
+	(But only recompilation should be needed for old programs.)
+
+	The new API provides much more flexible operation over LUKS device for
+	applications, it is preferred that new applications will use libcryptsetup
+	and not wrapper around cryptsetup binary.
+
+ * New luksHeaderBackup and luksHeaderRestore commands.
+
+	These commands allows binary backup of LUKS header.
+	Please read man page about possible security issues with backup files.
+
+ * New luksSuspend (freeze device and wipe key) and luksResume (with provided passphrase).
+
+	luksSuspend wipe encryption key in kernel memory and set device to suspend
+	(blocking all IO) state. This option can be used for situations when you need
+	temporary wipe encryption key (like suspend to RAM etc.)
+	Please read man page for more information.
+
+ * New --master-key-file option for luksFormat and luksAddKey.
+
+	User can now specify pre-generated master key in file, which allows regenerating
+	LUKS header or add key with only master key knowledge.
+
+ * Uses libgcrypt and enables all gcrypt hash algorithms for LUKS through -h luksFormat option.
+
+	Please note that using different hash for LUKS header make device incompatible with
+	old cryptsetup releases.
+
+ * Introduces --debug parameter.
+
+	Use when reporting bugs (just run cryptsetup with --debug and attach output
+	to issue report.) Sensitive data are never printed to this log.
+
+ * Moves command successful messages to verbose level.
+
+ * Requires device-mapper library and libgcrypt to build.
+
+ * Uses dm-uuid for all crypt devices, contains device type and name now.
+
+ * Removes support for dangerous non-exclusive option
+	(it is ignored now, LUKS device must be always opened exclusive)
+
+- boot.crypto:
+  * don't use dirty prompt override hack anymore
+  * wait for volume groups if resume volume is on lvm (bnc#556895)
+  * dynamically determine whether the cryptomgr module is neeeded
+
 -------------------------------------------------------------------
 Mon Oct 19 14:33:57 UTC 2009 - lnussel@suse.de

--- a/cryptsetup.spec
+++ b/cryptsetup.spec
@ -1,7 +1,7 @@
 #
-# spec file for package cryptsetup (Version 1.0.7)
+# spec file for package cryptsetup (Version 1.1.0)
 #
-# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -25,20 +25,22 @@ BuildRequires:  libselinux-devel
 # hashalot version
 %define haver 0.3 
 # boot.crypto version
-%define bcver 0_200910201446
-License:        BSD 3-clause (or similar) ; GPL v2 only ; GPL v2 or later
+%define bcver 0_200911271000
+License:        BSD3c(or similar) ; GPLv2 ; GPLv2+
 Group:          System/Base
 AutoReqProv:    on
-Version:        1.0.7
-Release:        10
+Version:        1.1.0
+Release:        1
 Summary:        Set Up dm-crypt Based Encrypted Block Devices
-Source:         cryptsetup-%{version}.tar.bz2
-Source1:        hashalot-%haver.tar.bz2
-# http://www.suse.de/~lnussel/boot.crypto.git
-Source2:        boot.crypto-%{bcver}.tar.bz2
+Source:         http://cryptsetup.googlecode.com/files/cryptsetup-%{version}.tar.bz2
+Source1:        http://cryptsetup.googlecode.com/files/cryptsetup-%{version}.tar.bz2.asc
+Source2:        baselibs.conf
+Source10:       hashalot-%haver.tar.bz2
+# git://gitorious.org/opensuse/boot_crypto.git
+Source20:       boot.crypto-%{bcver}.tar.bz2
 # use this to create the tarball from svn
 Source99:       cryptsetup-mktar
-Patch0:         cryptsetup-1.0.7-eofpw.diff
+#Patch0:         cryptsetup-svn131-noascii.diff
 Patch10:        hashalot-fixes.diff
 Patch11:        hashalot-libgcrypt.diff
 Patch12:        hashalot-ctrl-d.diff
@ -68,12 +70,12 @@ Authors:
    Christophe Saout <christophe@saout.de>
    Ben Slusky <sluskyb@paranoiacs.org>

-%package -n libcryptsetup0
-License:        BSD 3-clause (or similar) ; GPL v2 only ; GPL v2 or later
+%package -n libcryptsetup1
+License:        GPLv2+
 Summary:        Set Up dm-crypt Based Encrypted Block Devices
 Group:          System/Base

-%description  -n libcryptsetup0
+%description  -n libcryptsetup1
 cryptsetup is used to conveniently set up dm-crypt based device-mapper
 targets. It allows to set up targets to read cryptoloop compatible
 volumes as well as LUKS formatted ones. The package additionally
@ -89,13 +91,13 @@ Authors:
    Ben Slusky <sluskyb@paranoiacs.org>

 %package -n libcryptsetup-devel
-License:        BSD 3-clause (or similar) ; GPL v2 only ; GPL v2 or later
+License:        GPLv2+
 Summary:        Set Up dm-crypt Based Encrypted Block Devices
 Group:          Development/Libraries/C and C++
 # cryptsetup-devel last used 11.1
 Provides:       cryptsetup-devel = %{version}
 Obsoletes:      cryptsetup-devel < %{version}
-Requires:       libcryptsetup0 = %{version}
+Requires:       libcryptsetup1 = %{version}
 Requires:       device-mapper-devel libgcrypt-devel libgpg-error-devel e2fsprogs-devel glibc-devel

 %description  -n libcryptsetup-devel
@ -114,8 +116,8 @@ Authors:
    Ben Slusky <sluskyb@paranoiacs.org>

 %prep
-%setup -q -b 1 -b 2
-%patch0 -p1
+%setup -q -b 10 -b 20
+#patch0 -p1
 pushd ../hashalot-%haver
 %patch10 -p1
 %patch11 -p1
@ -130,27 +132,29 @@ popd
 # cryptsetup build
 %{?suse_update_config:%{suse_update_config}}
 autoreconf -f -i
+test -e po/Makevars || cp po/Makevars.template po/Makevars
 CFLAGS="$RPM_OPT_FLAGS" ./configure --prefix=%_prefix --mandir=%_mandir \
 				    --libdir=/%_lib \
 				    --bindir=/sbin --sbindir=/sbin \
 				    --disable-static --enable-shared \
 				    --enable-selinux
-make
+make %{?jobs:-j%jobs}
 #
 # hashalot build
 pushd ../hashalot-%haver
 autoreconf -f -i
 %{?suse_update_config:%{suse_update_config}}
 CFLAGS="$RPM_OPT_FLAGS" ./configure --prefix=%_prefix --sbindir=/sbin --mandir=%_mandir 
-make
+make %{?jobs:-j%jobs}
 popd

 %install
 make install DESTDIR=$RPM_BUILD_ROOT
-# move devel .so link to %{libdir}
+# move devel stuff to %{libdir}
 rm -f $RPM_BUILD_ROOT/%{_lib}/libcryptsetup.so
 mkdir -p $RPM_BUILD_ROOT%{_libdir}
-ln -s /%{_lib}/libcryptsetup.so.0.0.0 $RPM_BUILD_ROOT%{_libdir}/libcryptsetup.so
+ln -s /%{_lib}/libcryptsetup.so.1 $RPM_BUILD_ROOT%{_libdir}/libcryptsetup.so
+mv $RPM_BUILD_ROOT/%_lib/pkgconfig $RPM_BUILD_ROOT/%_libdir
 # don't want this file in /lib (FHS compat check), and can't move it to /usr/lib
 rm -f $RPM_BUILD_ROOT/%_lib/*.la
 #
@ -186,11 +190,9 @@ fi
 [ -x /sbin/mkinitrd_setup ] && mkinitrd_setup
 %{insserv_cleanup}

-%post -n libcryptsetup0
-/sbin/ldconfig
+%post -n libcryptsetup1 -p /sbin/ldconfig

-%postun -n libcryptsetup0
-/sbin/ldconfig
+%postun -n libcryptsetup1 -p /sbin/ldconfig

 %clean
 rm -rf $RPM_BUILD_ROOT
@ -216,14 +218,15 @@ rm -rf $RPM_BUILD_ROOT
 %_mandir/man5/cryptotab.5.gz
 /lib/cryptsetup

-%files -n libcryptsetup0
+%files -n libcryptsetup1
 %defattr(-,root,root)
-/%_lib/libcryptsetup.so.0
-/%_lib/libcryptsetup.so.0.0.0
+/%_lib/libcryptsetup.so.1
+/%_lib/libcryptsetup.so.1.0.0

 %files -n libcryptsetup-devel
 %defattr(-,root,root)
 %_includedir/libcryptsetup.h
 %{_libdir}/libcryptsetup.so
+%{_libdir}/pkgconfig/*

 %changelog