From c833c93fcf570439e102ec11e806e674bd17d4000c0fc08936797d80aec658e6 Mon Sep 17 00:00:00 2001 
From: Ludwig Nussel
Date: Tue, 4 Feb 2020 16:53:39 +0000
Subject: [PATCH] Accepting request 769866 from home:polslinux:branches:security

- Update to 2.3.0 (include release notes for 2.2.0)
  * BITLK (Windows BitLocker compatible) device access
  * Veritysetup now supports activation with additional PKCS7 signature
    of root hash through --root-hash-signature option.
  * Integritysetup now calculates hash integrity size according to algorithm
    instead of requiring an explicit tag size.
  * Integritysetup now supports fixed padding for dm-integrity devices.
  * A lot of fixes to online LUKS2 reencryption.
  * Add crypt_resume_by_volume_key() function to libcryptsetup.
    If a user has a volume key available, the LUKS device can be resumed
    directly using the provided volume key.
    No keyslot derivation is needed, only the key digest is checked.
  * Implement active device suspend info.
    Add CRYPT_ACTIVATE_SUSPENDED bit to crypt_get_active_device() flags
    that informs the caller that device is suspended (luksSuspend).
  * Allow --test-passphrase for a detached header.
    Before this fix, we required a data device specified on the command
    line even though it was not necessary for the passphrase check.
  * Allow --key-file option in legacy offline encryption.
    The option was ignored for LUKS1 encryption initialization.
  * Export memory safe functions.
    To make developing of some extensions simpler, we now export
    functions to handle memory with proper wipe on deallocation.
  * Fail crypt_keyslot_get_pbkdf for inactive LUKS1 keyslot.
  * Add optional global serialization lock for memory hard PBKDF.
  * Abort conversion to LUKS1 with incompatible sector size that is
    not supported in LUKS1.
  * Report error (-ENOENT) if no LUKS keyslots are available. User can now
    distinguish between a wrong passphrase and no keyslot available.
  * Fix a possible segfault in detached header handling (double free).
  * Add integritysetup support for bitmap mode introduced in Linux kernel 5.2.
  * The libcryptsetup now keeps all file descriptors to underlying device
    open during the whole lifetime of crypt device context to avoid excessive
    scanning in udev (udev run scan on every descriptor close).
  * The luksDump command now prints more info for reencryption keyslot
    (when a device is in-reencryption).
  * New --device-size parameter is supported for LUKS2 reencryption.
  * New --resume-only parameter is supported for LUKS2 reencryption.
  * The repair command now tries LUKS2 reencryption recovery if needed.
  * If reencryption device is a file image, an interactive dialog now
    asks if reencryption should be run safely in offline mode
    (if autodetection of active devices failed).
  * Fix activation through a token where dm-crypt volume key was not
    set through keyring (but using old device-mapper table parameter mode).
  * Online reencryption can now retain all keyslots (if all passphrases
    are provided). Note that keyslot numbers will change in this case.
  * Allow volume key file to be used if no LUKS2 keyslots are present.
  * Print a warning if online reencrypt is called over LUKS1 (not supported).
  * Fix TCRYPT KDF failure in FIPS mode.
  * Remove FIPS mode restriction for crypt_volume_key_get.
  * Reduce keyslots area size in luksFormat when the header device is too small.
  * Make resize action accept --device-size parameter (supports units suffix).

OBS-URL: https://build.opensuse.org/request/show/769866
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=153
---
 cryptsetup-2.1.0.tar.sign | 16 -----------
 cryptsetup-2.1.0.tar.xz   |  3 ---
 cryptsetup-2.3.0.tar.sign | 16 +++++++++++
 cryptsetup-2.3.0.tar.xz   |  3 +++
 cryptsetup.changes        | 57 +++++++++++++++++++++++++++++++++++++++
 cryptsetup.spec           | 10 +++----
 6 files changed, 81 insertions(+), 24 deletions(-)
 delete mode 100644 cryptsetup-2.1.0.tar.sign
 delete mode 100644 cryptsetup-2.1.0.tar.xz
 create mode 100644 cryptsetup-2.3.0.tar.sign
 create mode 100644 cryptsetup-2.3.0.tar.xz
diff --git a/cryptsetup-2.1.0.tar.sign b/cryptsetup-2.1.0.tar.sign deleted file mode 100644 index 1f375e2..0000000 --- a/cryptsetup-2.1.0.tar.sign +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAlxdkp0ACgkQ2bBXe9k+ -mPx0JxAAu+yx54yDHQO1QOZvINKVSrLwZ/nGAy+JDQsOsM/+zOlXictxD/yybzZv -GFuWdn5POnZDfwjp9b9UvudOUbxTLWNimyavV58iG0ICgFbxC6wpCVn0NxC+lPtt -3uThWXTgJzcDpGbi9oi7FWEoihG7DJHMsGVUeUnhcZC+NSdXl6/ZTb5i68/rNNzc -YHwM7OSWczn39Bdr0+/gs3jxnO01OP1weNgFZ6ChcENkSp8n+TQJEVwa+yiuO+rP -BcBws0zjBYTKcpm/ZtuPGczwOaEBwk/jyamgfoobIeCzIyyUdMrCxwE/3oYMJxqS -faijxMd21RZ3yqnkwvhTO1CbGWHAlVCqjAzyX8okhgjVi8gQpWvD67WRSC7FX+vD -72m9yZ5qTO0lNPTtze6xo88UvWskIZtSg1rPtP39vyBnAAgZflKFRu8r+IgXn612 -VRJLlit+mCmKOgi5ochkxlJgrMY6FmWbVMlq1sxFy1dk3wRQTh5DYzT5IGnhdXi8 -osY2swVKnVJhkThomVUJ8pXIwWGKZNGMzTU7Eofi9zSHwTMm0y6EdFNlXogrzmY3 -vEHOb3zEqPujWegBeqsHhuHgPQewgts+7bIPEbvEPsSwSqMvX8BPsyLv7c6bat9x -GhXTLwGeJ2RcNmF5bH7GMe7b+XLVaeBzNjLE3Ty0iFWgzT3Uwd0= -=gOH9 ------END PGP SIGNATURE----- diff --git a/cryptsetup-2.1.0.tar.xz b/cryptsetup-2.1.0.tar.xz deleted file mode 100644 index 771df0f..0000000 --- a/cryptsetup-2.1.0.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:a3eeb2741f8f3376d16585191f3c60e067dd987e096c3c4b073fab7748b1c897 -size 10662576 diff --git a/cryptsetup-2.3.0.tar.sign b/cryptsetup-2.3.0.tar.sign new file mode 100644 index 0000000..b05b15e --- /dev/null +++ b/cryptsetup-2.3.0.tar.sign 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAl42+b4ACgkQ2bBXe9k+ +mPyC+w/+JY0R3jpt+iCfDjp/Terjwm+Q1NqOjTJ1pSps9ZzZF5vgqxDqF4IljxNX +zM4YtEN9HUUoE0U12FXmFTYlfoD4rj1AzR4Er9oX+P4YlGVQ0dmkGGr9gsmh+mpY +m9fZg3jLp+ebhkhIQqMgsUj2xjgQlYoc7hcRcNq9weatLBAidHIdd0JR/0ot2yAS +eLRodVOtfMvLDGhatMgwxm+FEXbPbgQXYrOemcqlHYPzKLv6xir9ZsLowZxABRaB +41LZ8o6+4VGqpoNA0r4M1XFqcJ0mDYLdLib7uNNFY97A5bZTUEmALuiHOBNdEygG +AgBUPnZPJUgSRKmJP4QL2CM6U3si3eNLDwrIjwp0cFtqnZB3bUzGfeu0h/XXSkrV +b6Yja7zneZNeWaxz8GWCiZwVVBtM2n7PamdVV4xqQF6GE0o84EkJ91oZBim+a/5B +PUOgcctQaYUAKkuvYXVhZQBaL5D4ppBWaFthENZSQ4sSlEILtsz5LYvWq1oMLWkv +rZN9lftPd5GqASkTIDQcTNL0GNdJR+P+0kMCNiWOCJzZNzEIk2D6tlyxjnJV8qrk +rFcShE9R3dADDJ9Ew+91JRk8C2XSG9gOS29K3fF2Hdnv7nfiTns3dh2V6kz/821W +E39CREgh0A67zppzKWyHnH1BayDeREgRA/TatjZWDAZOHWRM+Ig= +=cfqp +-----END PGP SIGNATURE----- diff --git a/cryptsetup-2.3.0.tar.xz b/cryptsetup-2.3.0.tar.xz new file mode 100644 index 0000000..2df831e --- /dev/null +++ b/cryptsetup-2.3.0.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:395690de99509428354d3cd15cf023bed01487e6f1565b2181e013dc847bbc85 +size 11035660 diff --git a/cryptsetup.changes b/cryptsetup.changes index c1b6626..6bd68f5 100644 --- a/cryptsetup.changes +++ b/cryptsetup.changes 
@@ -1,3 +1,60 @@ +------------------------------------------------------------------- +Tue Feb 4 07:59:24 UTC 2020 - Paolo Stivanin + +- Update to 2.3.0 (include release notes for 2.2.0) + * BITLK (Windows BitLocker compatible) device access + * Veritysetup now supports activation with additional PKCS7 signature + of root hash through --root-hash-signature option. + * Integritysetup now calculates hash integrity size according to algorithm + instead of requiring an explicit tag size. + * Integritysetup now supports fixed padding for dm-integrity devices. + * A lot of fixes to online LUKS2 reecryption. + * Add crypt_resume_by_volume_key() function to libcryptsetup. + If a user has a volume key available, the LUKS device can be resumed + directly using the provided volume key. + No keyslot derivation is needed, only the key digest is checked. + * Implement active device suspend info. + Add CRYPT_ACTIVATE_SUSPENDED bit to crypt_get_active_device() flags + that informs the caller that device is suspended (luksSuspend). + * Allow --test-passphrase for a detached header. + Before this fix, we required a data device specified on the command + line even though it was not necessary for the passphrase check. + * Allow --key-file option in legacy offline encryption. + The option was ignored for LUKS1 encryption initialization. + * Export memory safe functions. + To make developing of some extensions simpler, we now export + functions to handle memory with proper wipe on deallocation. + * Fail crypt_keyslot_get_pbkdf for inactive LUKS1 keyslot. + * Add optional global serialization lock for memory hard PBKDF. + * Abort conversion to LUKS1 with incompatible sector size that is + not supported in LUKS1. + * Report error (-ENOENT) if no LUKS keyslots are available. User can now + distinguish between a wrong passphrase and no keyslot available. + * Fix a possible segfault in detached header handling (double free). 
+ * Add integritysetup support for bitmap mode introduced in Linux kernel 5.2. + * The libcryptsetup now keeps all file descriptors to underlying device + open during the whole lifetime of crypt device context to avoid excessive + scanning in udev (udev run scan on every descriptor close). + * The luksDump command now prints more info for reencryption keyslot + (when a device is in-reencryption). + * New --device-size parameter is supported for LUKS2 reencryption. + * New --resume-only parameter is supported for LUKS2 reencryption. + * The repair command now tries LUKS2 reencryption recovery if needed. + * If reencryption device is a file image, an interactive dialog now + asks if reencryption should be run safely in offline mode + (if autodetection of active devices failed). + * Fix activation through a token where dm-crypt volume key was not + set through keyring (but using old device-mapper table parameter mode). + * Online reencryption can now retain all keyslots (if all passphrases + are provided). Note that keyslot numbers will change in this case. + * Allow volume key file to be used if no LUKS2 keyslots are present. + * Print a warning if online reencrypt is called over LUKS1 (not supported). + * Fix TCRYPT KDF failure in FIPS mode. + * Remove FIPS mode restriction for crypt_volume_key_get. + * Reduce keyslots area size in luksFormat when the header device is too small. + * Make resize action accept --device-size parameter (supports units suffix). + +------------------------------------------------------------------- Thu Oct 17 11:55:51 UTC 2019 - Vítězslav Čížek - Create a weak dependency cycle between libcryptsetup and diff --git a/cryptsetup.spec b/cryptsetup.spec index f05f570..3151a68 100644 --- a/cryptsetup.spec +++ b/cryptsetup.spec 
@@ -1,7 +1,7 @@ # # spec file for package cryptsetup # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -22,15 +22,15 @@ Name: cryptsetup2 %else Name: cryptsetup %endif -Version: 2.1.0 +Version: 2.3.0 Release: 0 Summary: Setup program for dm-crypt Based Encrypted Block Devices License: SUSE-GPL-2.0-with-openssl-exception AND LGPL-2.0-or-later Group: System/Base -Url: https://gitlab.com/cryptsetup/cryptsetup/ -Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.1/cryptsetup-%{version}.tar.xz +URL: https://gitlab.com/cryptsetup/cryptsetup/ +Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-%{version}.tar.xz # GPG signature of the uncompressed tarball. -Source1: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.1/cryptsetup-%{version}.tar.sign +Source1: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-%{version}.tar.sign Source2: baselibs.conf Source3: cryptsetup.keyring BuildRequires: device-mapper-devel
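Review bot: the cryptsetup-2.3.0.tar.xz hunk adds only a git-lfs pointer (the "oid sha256:" and "size" lines), so the tarball content cannot be checked from this diff, and the comment in cryptsetup.spec says the .tar.sign covers the uncompressed tarball rather than the .tar.xz that the oid pins. Please state in the request that the downloaded .tar.xz matches the recorded sha256 and that its decompressed .tar verifies against the new cryptsetup-2.3.0.tar.sign using cryptsetup.keyring (Source3, unchanged here). The removed and added signature blocks share the same leading characters on their first line, which is consistent with the same signing key, so the existing keyring should still apply; the verification result is what confirms it.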
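Review bot: the new cryptsetup.changes entry folds two upstream releases into one flat list under "Update to 2.3.0 (include release notes for 2.2.0)", so a reader cannot tell which items arrived with 2.2.0 and which with 2.3.0; splitting the list into two groups headed by version would fix that. In the same hunk, "+ * A lot of fixes to online LUKS2 reecryption." has a typo (reencryption), and the line "Fix a possible segfault in detached header handling (double free)" describes a memory-safety fix without any tracker reference, so add one if a bug entry exists. The items that change behaviour for existing callers and scripts (the -ENOENT return when no keyslots are available, and keyslot numbers changing after online reencryption) would be easier to find if listed together.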
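Review bot: in the second cryptsetup.spec hunk, Source0 and Source1 hard-code the directory "v2.3" next to %{version}, so the next minor bump again needs three coordinated edits (Version plus both URLs) and a missed one would fetch a tarball and signature from mismatched paths. Consider deriving the directory from the version in one place so that Version is the only line to change. The "Url:" to "URL:" rename and the copyright line change in the first hunk are unrelated cleanup; that is fine in a version bump, but mentioning it in the changelog entry would make the diff easier to audit.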