SHA256
1
0
forked from pool/cryptsetup

Accepting request 645498 from home:lnussel:branches:security

- Suggest hmac package (boo#1090768)
- remove old upgrade hack for upgrades from 12.1
- New version 2.0.5
  Changes since version 2.0.4
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~
  * Wipe full header areas (including unused) during LUKS format.
    Since this version, the whole area up to the data offset is zeroed,
    and subsequently, all keyslots areas are wiped with random data.
    This ensures that no remaining old data remains in the LUKS header
    areas, but it could slow down format operation on some devices.
    Previously only first 4k (or 32k for LUKS2) and the used keyslot
    was overwritten in the format operation.
  * Several fixes to error messages that were unintentionally replaced
    in previous versions with a silent exit code.
    More descriptive error messages were added, including error
    messages if
     - a device is unusable (not a block device, no access, etc.),
     - a LUKS device is not detected,
     - LUKS header load code detects unsupported version,
     - a keyslot decryption fails (also happens in the cipher check),
     - converting an inactive keyslot.
  * Device activation fails if data area overlaps with LUKS header.
  * Code now uses explicit_bzero to wipe memory if available
    (instead of own implementation).
  * Additional VeraCrypt modes are now supported, including Camellia
    and Kuznyechik symmetric ciphers (and cipher chains) and Streebog
    hash function. These were introduced in a recent VeraCrypt upstream.
    Note that Kuznyechik requires out-of-tree kernel module and
    Streebog hash function is available only with the gcrypt cryptographic
    backend for now.

OBS-URL: https://build.opensuse.org/request/show/645498
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=144
This commit is contained in:
Ludwig Nussel 2018-10-31 08:59:56 +00:00 committed by Git OBS Bridge
parent 405535408f
commit 3dd02a4dcc
6 changed files with 136 additions and 55 deletions

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAltkMxMACgkQ2bBXe9k+
mPwN2hAAvJwEaj1rfAUVhwZ21wMx7wDezI0OLamKAtKKP8saYjH9GA8HpfikGhHD
/LqcM31dacsyFP2iK+qj5GuS8aPm9HqePkXa0sqBcWw7Bsr4a091HYtReT3+bG8j
zIZtTzsjapZ425/nVB9ClJcEES8N3OpW+zhamv84T1zDwbVtC5x1wiMtsvdM6Rhg
bz7R7kam/OPIxgfSWVufVUaMGWDO6zPwND1Wn7ZVm6UNsTPLV/M3/H+uPm4y+jaW
In+eDhb05eNcY94dBVhRdqd/72CJ1OXUMEo8GEtmVPljvCDI2ljZ4LEoBUve323f
/kzjzZZqljaVoQOl3pT+d7jqvg5EybM6crV8E++VJO3mVSAd5CZhk4LV/HsrnDuy
4XtZLSPSQQkyhcezZ0+8EmGzzXVlBMfg6o/Jsnao5DKuIoea78mmH1DX6XnEjFoI
MeM+W+3A1scK05LYeo6ZhtGvwlVxUOfsrl5zDp1X+kTT94zPvjmsY2xa0cP3eXZ3
vxSI1dosbmL91tE65gEVa1dGEYWMWYeR8K8ZqwVhxsg3QJInOM+sh/KdWQP1o/Lp
S1D5zi/8gi9R43K7Nd3Xi027d02gOkwvowie1leXBXdNYrAZIeQJbcdXiXbSAOiD
NTjKDPwGZbXmPcQckF1er9nd821ofxbnGEM6jBzCEprEX3YSf3M=
=V9r2
-----END PGP SIGNATURE-----

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9d3a3c7033293e0c97f0ad0501fd5b4d4913ae497cbf70cca06633ccc54b5734
size 10444544

16
cryptsetup-2.0.5.tar.sign Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAlvVz2sACgkQ2bBXe9k+
mPyYuQ//fNwPronpHFrOzmv277cfzVT6zrgLKOaf/YlqA0h5XmBVX9xcOD9rXhda
ld9rumIQn9s8G8HLavxxxhnciqeNOS0T/1ry3NVpxYdfF1FptIjchH/Lo697P5dX
C1oAqchOqfxjm6dwmbllvXTgoHV657JUC5tuaL6Wl26DrhImmAgNi42yZehNtHZz
8FN0Fc0muU06LUmKR2a4P5xj2SvlNntMnvld+qLHf+k+bBrcJyu2cqaBNns45mXy
uDHXclP+8ofXW3mELmSBJ89GzLkr8Zpxp2dITv2GqtewX1MH5b8cMUwIVsCClqHl
2YNGhMqRkDDj0C8u8JpYvmmZxcMUaKr5EMze18NeqPXpZCBoW5nvEtsS7hWbCdyu
VPqdP4mHfHeQtZkk3U4SZLEU7xFzcTwhgpxRQPe6ujyz+PlrOLk0Z9js9WgOJZ1U
7a9YNnXWlNIcVqOoYm9SPBo9nj+eoVUr2GG3lT02udj5YhGZjDG0gbjgtM99jg+T
Bcv/h9abx6a2TmPIRW9Pa98ggIaeY3HbAK4D4xBritrfhvtyXMAYWbwj8ZkyCsCX
41I10Eh3dNXR6/OJQFjKv7RCqGzanyCzEG0F+G4mw5xqPx5jhowmjI7GaC54X7UZ
7RWYt1pl8F+UGIbBRl3BWuI+cHM0RBJ4Jx53f6zpqDP9hL58RbA=
=o3rq
-----END PGP SIGNATURE-----

3
cryptsetup-2.0.5.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a0f72ca2c824a5a555dc8924413dfe947eca23ab2e30bcff54eaafefe5fe301d
size 10476304

View File

@ -1,3 +1,71 @@
-------------------------------------------------------------------
Tue Oct 30 10:10:35 UTC 2018 - lnussel@suse.de
- Suggest hmac package (boo#1090768)
- remove old upgrade hack for upgrades from 12.1
- New version 2.0.5
Changes since version 2.0.4
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Wipe full header areas (including unused) during LUKS format.
Since this version, the whole area up to the data offset is zeroed,
and subsequently, all keyslots areas are wiped with random data.
This ensures that no remaining old data remains in the LUKS header
areas, but it could slow down format operation on some devices.
Previously only first 4k (or 32k for LUKS2) and the used keyslot
was overwritten in the format operation.
* Several fixes to error messages that were unintentionally replaced
in previous versions with a silent exit code.
More descriptive error messages were added, including error
messages if
- a device is unusable (not a block device, no access, etc.),
- a LUKS device is not detected,
- LUKS header load code detects unsupported version,
- a keyslot decryption fails (also happens in the cipher check),
- converting an inactive keyslot.
* Device activation fails if data area overlaps with LUKS header.
* Code now uses explicit_bzero to wipe memory if available
(instead of own implementation).
* Additional VeraCrypt modes are now supported, including Camellia
and Kuznyechik symmetric ciphers (and cipher chains) and Streebog
hash function. These were introduced in a recent VeraCrypt upstream.
Note that Kuznyechik requires out-of-tree kernel module and
Streebog hash function is available only with the gcrypt cryptographic
backend for now.
* Fixes static build for integritysetup if the pwquality library is used.
* Allows passphrase change for unbound keyslots.
* Fixes removed keyslot number in verbose message for luksKillSlot,
luksRemoveKey and erase command.
* Adds blkid scan when attempting to open a plain device and warn the user
about existing device signatures in a ciphertext device.
* Remove LUKS header signature if luksFormat fails to add the first keyslot.
* Remove O_SYNC from device open and use fsync() to speed up
wipe operation considerably.
* Create --master-key-file in luksDump and fail if the file already exists.
* Fixes a bug when LUKS2 authenticated encryption with a detached header
wiped the header device instead of dm-integrity data device area (causing
unnecessary LUKS2 header auto recovery).
-------------------------------------------------------------------
Tue Oct 30 09:55:50 UTC 2018 - lnussel@suse.de
- make parallell installable version for SLE12
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Aug 21 07:40:54 UTC 2018 - lnussel@suse.de Tue Aug 21 07:40:54 UTC 2018 - lnussel@suse.de

View File

@ -17,8 +17,12 @@
%define so_ver 12 %define so_ver 12
%if 0%{?is_backports}
Name: cryptsetup2
%else
Name: cryptsetup Name: cryptsetup
Version: 2.0.4 %endif
Version: 2.0.5
Release: 0 Release: 0
Summary: Set Up dm-crypt Based Encrypted Block Devices Summary: Set Up dm-crypt Based Encrypted Block Devices
License: SUSE-GPL-2.0-with-openssl-exception AND LGPL-2.0-or-later License: SUSE-GPL-2.0-with-openssl-exception AND LGPL-2.0-or-later
@ -28,7 +32,7 @@ Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetu
# GPG signature of the uncompressed tarball. # GPG signature of the uncompressed tarball.
Source1: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{version}.tar.sign Source1: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{version}.tar.sign
Source2: baselibs.conf Source2: baselibs.conf
Source3: %{name}.keyring Source3: cryptsetup.keyring
BuildRequires: device-mapper-devel BuildRequires: device-mapper-devel
BuildRequires: fipscheck BuildRequires: fipscheck
BuildRequires: fipscheck-devel BuildRequires: fipscheck-devel
@ -44,6 +48,11 @@ BuildRequires: popt-devel
BuildRequires: suse-module-tools BuildRequires: suse-module-tools
BuildRequires: pkgconfig(blkid) BuildRequires: pkgconfig(blkid)
BuildRequires: pkgconfig(libargon2) BuildRequires: pkgconfig(libargon2)
%if 0%{?is_backports}
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libtool
%endif
Requires(post): coreutils Requires(post): coreutils
Requires(postun): coreutils Requires(postun): coreutils
@ -57,6 +66,7 @@ time via the config file %{_sysconfdir}/crypttab.
%package -n libcryptsetup%{so_ver} %package -n libcryptsetup%{so_ver}
Summary: Set Up dm-crypt Based Encrypted Block Devices Summary: Set Up dm-crypt Based Encrypted Block Devices
Group: System/Libraries Group: System/Libraries
Suggests: libcryptsetup%{so_ver}-hmac
%description -n libcryptsetup%{so_ver} %description -n libcryptsetup%{so_ver}
cryptsetup is used to conveniently set up dm-crypt based device-mapper cryptsetup is used to conveniently set up dm-crypt based device-mapper
@ -73,7 +83,7 @@ Group: System/Base
This package contains HMAC checksums for integrity checking of libcryptsetup4, This package contains HMAC checksums for integrity checking of libcryptsetup4,
used for FIPS. used for FIPS.
%package -n libcryptsetup-devel %package -n lib%{name}-devel
Summary: Set Up dm-crypt Based Encrypted Block Devices Summary: Set Up dm-crypt Based Encrypted Block Devices
Group: Development/Libraries/C and C++ Group: Development/Libraries/C and C++
Requires: glibc-devel Requires: glibc-devel
@ -81,8 +91,12 @@ Requires: libcryptsetup%{so_ver} = %{version}
# cryptsetup-devel last used 11.1 # cryptsetup-devel last used 11.1
Provides: cryptsetup-devel = %{version} Provides: cryptsetup-devel = %{version}
Obsoletes: cryptsetup-devel < %{version} Obsoletes: cryptsetup-devel < %{version}
%if 0%{?is_backports}
# have to conflict with main package that is in SLE
Conflicts: cryptsetup-devel < %{version}
%endif
%description -n libcryptsetup-devel %description -n lib%{name}-devel
cryptsetup is used to conveniently set up dm-crypt based device-mapper cryptsetup is used to conveniently set up dm-crypt based device-mapper
targets. It allows to set up targets to read cryptoloop compatible targets. It allows to set up targets to read cryptoloop compatible
volumes as well as LUKS formatted ones. The package additionally volumes as well as LUKS formatted ones. The package additionally
@ -90,7 +104,11 @@ includes support for automatically setting up encrypted volumes at boot
time via the config file %{_sysconfdir}/crypttab. time via the config file %{_sysconfdir}/crypttab.
%prep %prep
%setup -q %setup -n cryptsetup-%{version} -q
%if 0%{?is_backports}
sed -i -e '/AC_INIT/s/cryptsetup/cryptsetup2/' configure.ac
autoreconf -f -i
%endif
%build %build
%configure \ %configure \
@ -114,58 +132,53 @@ make %{?_smp_mflags} V=1
%{nil} %{nil}
%make_install %make_install
%if 0%{?is_backports}
# need to rename a files to avoid file conflict
for i in cryptsetup integritysetup veritysetup cryptsetup-reencrypt; do
mv %{buildroot}%{_sbindir}/$i %{buildroot}%{_sbindir}/${i}2
mv %{buildroot}%{_mandir}/man8/$i.8 %{buildroot}%{_mandir}/man8/${i}2.8
done
rm -f %{buildroot}%{_tmpfilesdir}/cryptsetup.conf
%endif
install -dm 0755 %{buildroot}/sbin install -dm 0755 %{buildroot}/sbin
ln -s ..%{_sbindir}/cryptsetup %{buildroot}/sbin ln -s ..%{_sbindir}/cryptsetup%{?is_backports:2} %{buildroot}/sbin
# don't want this file in /lib (FHS compat check), and can't move it to /usr/lib # don't want this file in /lib (FHS compat check), and can't move it to /usr/lib
find %{buildroot} -type f -name "*.la" -delete -print find %{buildroot} -type f -name "*.la" -delete -print
# #
%find_lang %{name} --all-name %find_lang %{name} --all-name
%if !0%{?is_backports}
#
%post %post
test -n "$FIRST_ARG" || FIRST_ARG="$1"
#
# convert noauto to nofail and turn on fsck (bnc#724113)
#
marker="%{_localstatedir}/adm/crypsetup.fstab.noauto_converted"
if [ "$FIRST_ARG" -gt 1 -a ! -e "$marker" ]; then
echo "updating %{_sysconfdir}/fstab ... "
tmpfstab="%{_sysconfdir}/fstab.cryptsetup.$$"
sed -e '/^\/dev\/mapper\/cr_.*,noauto\s/{s/,noauto\(\s\)/,nofail\1/;s/ 0 0$/ 0 2/}' < %{_sysconfdir}/fstab > "$tmpfstab"
if diff -u0 %{_sysconfdir}/fstab "$tmpfstab"; then
echo "no change"
rm -f "$tmpfstab"
> "$marker"
else
cp "$tmpfstab" "$marker"
mv "$tmpfstab" %{_sysconfdir}/fstab
fi
fi
%{?regenerate_initrd_post} %{?regenerate_initrd_post}
%tmpfiles_create %{_tmpfilesdir}/%{name}.conf %tmpfiles_create %{_tmpfilesdir}/cryptsetup.conf
%postun %postun
%{?regenerate_initrd_post} %{?regenerate_initrd_post}
%posttrans %posttrans
%{?regenerate_initrd_posttrans} %{?regenerate_initrd_posttrans}
#
%endif
%post -n libcryptsetup%{so_ver} -p /sbin/ldconfig %post -n libcryptsetup%{so_ver} -p /sbin/ldconfig
%postun -n libcryptsetup%{so_ver} -p /sbin/ldconfig %postun -n libcryptsetup%{so_ver} -p /sbin/ldconfig
%files -f %{name}.lang %files -f %{name}.lang
%doc AUTHORS COPYING* FAQ README TODO docs/ChangeLog.old docs/*ReleaseNotes %doc AUTHORS COPYING* FAQ README TODO docs/ChangeLog.old docs/*ReleaseNotes
/sbin/cryptsetup /sbin/cryptsetup%{?is_backports:2}
%{_sbindir}/cryptsetup %{_sbindir}/cryptsetup%{?is_backports:2}
%{_sbindir}/veritysetup %{_sbindir}/veritysetup%{?is_backports:2}
%{_sbindir}/integritysetup %{_sbindir}/integritysetup%{?is_backports:2}
%{_sbindir}/cryptsetup-reencrypt %{_sbindir}/cryptsetup-reencrypt%{?is_backports:2}
%{_mandir}/man8/cryptsetup.8%{ext_man} %{_mandir}/man8/cryptsetup%{?is_backports:2}.8%{ext_man}
%{_mandir}/man8/cryptsetup-reencrypt.8%{ext_man} %{_mandir}/man8/cryptsetup-reencrypt%{?is_backports:2}.8%{ext_man}
%{_mandir}/man8/veritysetup.8%{ext_man} %{_mandir}/man8/veritysetup%{?is_backports:2}.8%{ext_man}
%{_mandir}/man8/integritysetup.8%{ext_man} %{_mandir}/man8/integritysetup%{?is_backports:2}.8%{ext_man}
%if !0%{?is_backports}
%{_tmpfilesdir}/cryptsetup.conf %{_tmpfilesdir}/cryptsetup.conf
%ghost %dir /run/cryptsetup %ghost %dir /run/cryptsetup
%endif
%files -n libcryptsetup%{so_ver} %files -n libcryptsetup%{so_ver}
%{_libdir}/libcryptsetup.so.%{so_ver}* %{_libdir}/libcryptsetup.so.%{so_ver}*
@ -173,7 +186,7 @@ fi
%files -n libcryptsetup%{so_ver}-hmac %files -n libcryptsetup%{so_ver}-hmac
%{_libdir}/.libcryptsetup.so.%{so_ver}*hmac %{_libdir}/.libcryptsetup.so.%{so_ver}*hmac
%files -n libcryptsetup-devel %files -n lib%{name}-devel
%doc docs/examples/ %doc docs/examples/
%{_includedir}/libcryptsetup.h %{_includedir}/libcryptsetup.h
%{_libdir}/libcryptsetup.so %{_libdir}/libcryptsetup.so