Accepting request 915495 from security

Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/915495
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=115

cryptsetup-2.3.6.tar.sign

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAmCwxOgACgkQ2bBXe9k+
-mPzlCg//XVdN6WnGhf35DT2f39GpSUimEAmkK/P3xKYGouzlUEac20mzXsNvkv+H
-BpTN507H44ThgQENPAaKTea9FkqpZIcoBZcPnTXJOQ/ZIfR+iglb4zF9lR1PuVx7
-PuyVZ7BgMxM6lFvOwt5/bkktCDn8uX0nYvzqf9DXWVFUm973NayqftxsbgPa+4DT
-vW2E87sJOM2NLw6psPu3o+wYkKm4N1r+M9JCWNqY8bwvlV5YbW4yBifZl4oU+99l
-VXcqgSQunAvEzRPhtwCUxfYNRULx6xknNZVuwl37sSYgDpjjooy+6qjz1PX8g/qa
-4/Wc0u2q/QmIUq13D2dFdQIrfDaZEJe8d0/yyaCnxPlCVFOhmr31U08o2pK1zJSK
-duUqWVIKQNSFafygrPTeMRhZ1L2iwJZgjuCDyhoJSa62kGvYcLxjEoXjRmeiLXAn
-7aVrmbf4tmJUJ8EUden40JM7MxPeKwHfUhE4Aq//qDfPVId7YFdgnBh6PmwUcyRm
-HTyNJP8ULFX+u+v9C5YbXxb+h6xb65wzQDY1T1IPEJicIu/kv/syac/9QUkF9yG+
-Gsxaq9Ath2UYp7NW11/LXW0jmWVcM2eOfZi6xg8+vT6HWxG58Qzh//gPoLBpzBOj
-E94vQim+q+ky0ePAqi2uEfZUiiID2ns4JYeXoYkxx9aGl/eRrp8=
-=AlrZ
------END PGP SIGNATURE-----

cryptsetup-2.3.6.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:b296b7a21ea576c2b180611ccb19d06aec8dddaedf7c704b0c6a81210c25635f
-size 11154148

cryptsetup-2.4.0.tar.sign

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAmEdJXMACgkQ2bBXe9k+
+mPwJSg/+OW43g7S4Q/K+vBi8S+RN3Pzqi8ao2K+OmGWK/7FhKWxrXSN7J8gJigxd
+uD+NukmQublFtYdfKXj2unF/Fd28YGHCqSfVrFvn2jmcMnlwxSz5220Bic1eai8a
+hq0Hve425n5RpTzNtpkBBZQbiLmY25J1wUkygcoEwT+spyFA0d6oZUhTWcAcqa2b
+IP9XkVFEociSWpjZfuhJGN5+jSG91JwYKbuNJFZvH1uez6zTLdNDj9+zoxfsrLW4
+BZYh8FQbZq54pUJnX4tafuRm7L/3LjK0DWWq60P3dvzTyj5b/qzORThNMpvCoolN
+I7Yfl7PD8j3B2WpgLQ+62jBVSOBjZGOpvj6PbQVizk2ELznF1LkTyneQ1rIwzxRw
+xWqHZfFU0Frj16yiNfRDrBKq4QsrYBOGov7q3OP3Xsw3H/C5lNxEOzx9NkC97LlA
+ryMiFSOXFHfCvTCXWQi90N311S4Usg/+n4qevwM4MxXmHJ6HfIqOLYMFftrWoiqC
+c+86lgZnNFtmFQnD+/Jvfu7AlAE0aLQodDz3w9otF4QfztDwnvnWsrjAntff4u1U
+WqL3EK7NGPJELDRvOpLq77l5eCJ1x5Qgma1RN2ag5APgs5IrmKBGz3H0WxEArz4K
+IWQ9FAHMMVIcJfblW96mE/zIoTc6dc0quUlpmROTFWKleijMk0I=
+=nfsi
+-----END PGP SIGNATURE-----

cryptsetup-2.4.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c5c8bda31159a9c010ea72e708053cc4252cf5eebdca520e150abc0609287ff8
+size 11162168

cryptsetup.changes

@@ -1,3 +1,44 @@
+-------------------------------------------------------------------
+Wed Aug 25 13:46:12 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
+
+- As YaST passes necessary parameters to cryptsetup anyway, we do
+  not necessarily need to take grub into consideration. So back to
+  Argon2 to see how it goes.
+
+-------------------------------------------------------------------
+Tue Aug  3 13:42:20 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
+
+- need to use PBKDF2 by default for LUKS2 as grub can't decrypt when
+  using Argon.
+
+-------------------------------------------------------------------
+Mon Aug  2 14:43:51 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
+
+- crypsetup 2.4.0 (jsc#SLE-20275)
+  * External LUKS token plugins
+  * Experimental SSH token
+  * Default LUKS2 PBKDF is now Argon2id
+  * Increase minimal memory cost for Argon2 benchmark to 64MiB.
+  * Autodetect optimal encryption sector size on LUKS2 format.
+  * Use VeraCrypt option by default and add --disable-veracrypt option.
+  * Support --hash and --cipher to limit opening time for TCRYPT type
+  * Fixed default OpenSSL crypt backend support for OpenSSL3.
+  * integritysetup: add integrity-recalculate-reset flag.
+  * cryptsetup: retains keyslot number in luksChangeKey for LUKS2.
+  * Fix cryptsetup resize using LUKS2 tokens.
+  * Add close --deferred and --cancel-deferred options.
+  * Rewritten command-line option parsing to avoid libpopt arguments
+    memory leaks.
+  * Add --test-args option.
+
+-------------------------------------------------------------------
+Mon Aug  2 12:39:40 UTC 2021 - Fabian Vogt <fvogt@suse.com>
+
+- Use LUKS2 as default format on Tumbleweed.
+  It provides some additional features which other tools
+  (e.g. systemd-cryptenroll) rely on. GRUB 2.06 supports unlocking
+  LUKS2 volumes meanwhile.
+
 -------------------------------------------------------------------
 Thu Jul  1 12:50:25 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
 

cryptsetup.spec

@@ -16,21 +16,22 @@
 #
 
 
+%define tar_version 2.4.0
 %define so_ver 12
 %if 0%{?is_backports}
 Name:           cryptsetup2
 %else
 Name:           cryptsetup
 %endif
-Version:        2.3.6
+Version:        2.4.0
 Release:        0
 Summary:        Setup program for dm-crypt Based Encrypted Block Devices
-License:        SUSE-GPL-2.0-with-openssl-exception AND LGPL-2.0-or-later
+License:        LGPL-2.0-or-later AND SUSE-GPL-2.0-with-openssl-exception
 Group:          System/Base
 URL:            https://gitlab.com/cryptsetup/cryptsetup/
-Source0:        https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-%{version}.tar.xz
+Source0:        https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-%{tar_version}.tar.xz
 # GPG signature of the uncompressed tarball.
-Source1:        https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-%{version}.tar.sign
+Source1:        https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-%{tar_version}.tar.sign
 Source2:        baselibs.conf
 Source3:        cryptsetup.keyring
 Source4:        %{name}-rpmlintrc
@@ -48,6 +49,7 @@ BuildRequires:  popt-devel
 BuildRequires:  suse-module-tools
 BuildRequires:  pkgconfig(blkid)
 BuildRequires:  pkgconfig(libargon2)
+BuildRequires:  pkgconfig(libssh)
 BuildRequires:  pkgconfig(openssl)
 Requires(post): coreutils
 Requires(postun): coreutils
@@ -56,6 +58,10 @@ BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libtool
 %endif
+%if %{?suse_version} >= 1550
+# LUKS2 used as default format, which GRUB < 2.06 can't read
+Conflicts:      grub2 < 2.06
+%endif
 
 %lang_package(cryptsetup)
 
@@ -66,6 +72,15 @@ volumes as well as LUKS formatted ones. The package additionally
 includes support for automatically setting up encrypted volumes at boot
 time via the config file %{_sysconfdir}/crypttab.
 
+
+%package ssh
+Summary:        Cryptsetup LUKS2 SSH token
+Group:          System/Base
+
+%description ssh
+Experimental cryptsetup plugin for unlocking LUKS2 devices with
+token connected to an SSH server.
+
 %package -n libcryptsetup%{so_ver}
 Summary:        Library for setting up dm-crypt Based Encrypted Block Devices
 Group:          System/Libraries
@@ -108,7 +123,7 @@ includes support for automatically setting up encrypted volumes at boot
 time via the config file %{_sysconfdir}/crypttab.
 
 %prep
-%setup -n cryptsetup-%{version} -q
+%autosetup -n cryptsetup-%{tar_version}
 %if 0%{?is_backports}
 sed -i -e '/AC_INIT/s/cryptsetup/cryptsetup2/' configure.ac
 autoreconf -f -i
@@ -122,7 +137,9 @@ autoreconf -f -i
   --enable-pwquality \
   --enable-gcrypt-pbkdf2 \
   --enable-libargon2 \
+%if %{?suse_version} < 1550
   --with-default-luks-format=LUKS1 \
+%endif
   --with-luks2-lock-path=/run/cryptsetup \
   --with-tmpfilesdir='%{_tmpfilesdir}'
 %make_build
@@ -173,7 +190,7 @@ find %{buildroot} -type f -name "*.la" -delete -print
 
 %files
 %license COPYING*
-%doc AUTHORS FAQ README TODO docs/ChangeLog.old docs/*ReleaseNotes
+%doc AUTHORS FAQ README.md docs/*ReleaseNotes
 %if !0%{?usrmerged}
 /sbin/cryptsetup%{?is_backports:2}
 %endif
@@ -204,4 +221,11 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/libcryptsetup.so
 %{_libdir}/pkgconfig/*
 
+%files ssh
+%license COPYING COPYING.LGPL
+%dir %{_libdir}/%{name}
+%{_libdir}/%{name}/libcryptsetup-token-ssh.so
+%{_mandir}/man8/cryptsetup-ssh.8.gz
+%{_sbindir}/cryptsetup-ssh
+
 %changelog