Accepting request 645498 from home:lnussel:branches:security

- Suggest hmac package (boo#1090768)
- remove old upgrade hack for upgrades from 12.1
- New version 2.0.5
  Changes since version 2.0.4
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~
  * Wipe full header areas (including unused) during LUKS format.
    Since this version, the whole area up to the data offset is zeroed,
    and subsequently, all keyslots areas are wiped with random data.
    This ensures that no remaining old data remains in the LUKS header
    areas, but it could slow down format operation on some devices.
    Previously only first 4k (or 32k for LUKS2) and the used keyslot
    was overwritten in the format operation.
  * Several fixes to error messages that were unintentionally replaced
    in previous versions with a silent exit code.
    More descriptive error messages were added, including error
    messages if
     - a device is unusable (not a block device, no access, etc.),
     - a LUKS device is not detected,
     - LUKS header load code detects unsupported version,
     - a keyslot decryption fails (also happens in the cipher check),
     - converting an inactive keyslot.
  * Device activation fails if data area overlaps with LUKS header.
  * Code now uses explicit_bzero to wipe memory if available
    (instead of own implementation).
  * Additional VeraCrypt modes are now supported, including Camellia
    and Kuznyechik symmetric ciphers (and cipher chains) and Streebog
    hash function. These were introduced in a recent VeraCrypt upstream.
    Note that Kuznyechik requires out-of-tree kernel module and
    Streebog hash function is available only with the gcrypt cryptographic
    backend for now.

OBS-URL: https://build.opensuse.org/request/show/645498
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=144

cryptsetup-2.0.4.tar.sign

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAltkMxMACgkQ2bBXe9k+
-mPwN2hAAvJwEaj1rfAUVhwZ21wMx7wDezI0OLamKAtKKP8saYjH9GA8HpfikGhHD
-/LqcM31dacsyFP2iK+qj5GuS8aPm9HqePkXa0sqBcWw7Bsr4a091HYtReT3+bG8j
-zIZtTzsjapZ425/nVB9ClJcEES8N3OpW+zhamv84T1zDwbVtC5x1wiMtsvdM6Rhg
-bz7R7kam/OPIxgfSWVufVUaMGWDO6zPwND1Wn7ZVm6UNsTPLV/M3/H+uPm4y+jaW
-In+eDhb05eNcY94dBVhRdqd/72CJ1OXUMEo8GEtmVPljvCDI2ljZ4LEoBUve323f
-/kzjzZZqljaVoQOl3pT+d7jqvg5EybM6crV8E++VJO3mVSAd5CZhk4LV/HsrnDuy
-4XtZLSPSQQkyhcezZ0+8EmGzzXVlBMfg6o/Jsnao5DKuIoea78mmH1DX6XnEjFoI
-MeM+W+3A1scK05LYeo6ZhtGvwlVxUOfsrl5zDp1X+kTT94zPvjmsY2xa0cP3eXZ3
-vxSI1dosbmL91tE65gEVa1dGEYWMWYeR8K8ZqwVhxsg3QJInOM+sh/KdWQP1o/Lp
-S1D5zi/8gi9R43K7Nd3Xi027d02gOkwvowie1leXBXdNYrAZIeQJbcdXiXbSAOiD
-NTjKDPwGZbXmPcQckF1er9nd821ofxbnGEM6jBzCEprEX3YSf3M=
-=V9r2
------END PGP SIGNATURE-----

cryptsetup-2.0.4.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9d3a3c7033293e0c97f0ad0501fd5b4d4913ae497cbf70cca06633ccc54b5734
-size 10444544

cryptsetup-2.0.5.tar.sign

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAlvVz2sACgkQ2bBXe9k+
+mPyYuQ//fNwPronpHFrOzmv277cfzVT6zrgLKOaf/YlqA0h5XmBVX9xcOD9rXhda
+ld9rumIQn9s8G8HLavxxxhnciqeNOS0T/1ry3NVpxYdfF1FptIjchH/Lo697P5dX
+C1oAqchOqfxjm6dwmbllvXTgoHV657JUC5tuaL6Wl26DrhImmAgNi42yZehNtHZz
+8FN0Fc0muU06LUmKR2a4P5xj2SvlNntMnvld+qLHf+k+bBrcJyu2cqaBNns45mXy
+uDHXclP+8ofXW3mELmSBJ89GzLkr8Zpxp2dITv2GqtewX1MH5b8cMUwIVsCClqHl
+2YNGhMqRkDDj0C8u8JpYvmmZxcMUaKr5EMze18NeqPXpZCBoW5nvEtsS7hWbCdyu
+VPqdP4mHfHeQtZkk3U4SZLEU7xFzcTwhgpxRQPe6ujyz+PlrOLk0Z9js9WgOJZ1U
+7a9YNnXWlNIcVqOoYm9SPBo9nj+eoVUr2GG3lT02udj5YhGZjDG0gbjgtM99jg+T
+Bcv/h9abx6a2TmPIRW9Pa98ggIaeY3HbAK4D4xBritrfhvtyXMAYWbwj8ZkyCsCX
+41I10Eh3dNXR6/OJQFjKv7RCqGzanyCzEG0F+G4mw5xqPx5jhowmjI7GaC54X7UZ
+7RWYt1pl8F+UGIbBRl3BWuI+cHM0RBJ4Jx53f6zpqDP9hL58RbA=
+=o3rq
+-----END PGP SIGNATURE-----

cryptsetup-2.0.5.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a0f72ca2c824a5a555dc8924413dfe947eca23ab2e30bcff54eaafefe5fe301d
+size 10476304

cryptsetup.changes

@@ -1,3 +1,71 @@
+-------------------------------------------------------------------
+Tue Oct 30 10:10:35 UTC 2018 - lnussel@suse.de
+
+- Suggest hmac package (boo#1090768)
+- remove old upgrade hack for upgrades from 12.1
+- New version 2.0.5
+
+  Changes since version 2.0.4
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+  * Wipe full header areas (including unused) during LUKS format.
+
+    Since this version, the whole area up to the data offset is zeroed,
+    and subsequently, all keyslots areas are wiped with random data.
+    This ensures that no remaining old data remains in the LUKS header
+    areas, but it could slow down format operation on some devices.
+    Previously only first 4k (or 32k for LUKS2) and the used keyslot
+    was overwritten in the format operation.
+
+  * Several fixes to error messages that were unintentionally replaced
+    in previous versions with a silent exit code.
+    More descriptive error messages were added, including error
+    messages if
+     - a device is unusable (not a block device, no access, etc.),
+     - a LUKS device is not detected,
+     - LUKS header load code detects unsupported version,
+     - a keyslot decryption fails (also happens in the cipher check),
+     - converting an inactive keyslot.
+
+  * Device activation fails if data area overlaps with LUKS header.
+
+  * Code now uses explicit_bzero to wipe memory if available
+    (instead of own implementation).
+
+  * Additional VeraCrypt modes are now supported, including Camellia
+    and Kuznyechik symmetric ciphers (and cipher chains) and Streebog
+    hash function. These were introduced in a recent VeraCrypt upstream.
+
+    Note that Kuznyechik requires out-of-tree kernel module and
+    Streebog hash function is available only with the gcrypt cryptographic
+    backend for now.
+
+  * Fixes static build for integritysetup if the pwquality library is used.
+
+  * Allows passphrase change for unbound keyslots.
+
+  * Fixes removed keyslot number in verbose message for luksKillSlot,
+    luksRemoveKey and erase command.
+
+  * Adds blkid scan when attempting to open a plain device and warn the user
+    about existing device signatures in a ciphertext device.
+
+  * Remove LUKS header signature if luksFormat fails to add the first keyslot.
+
+  * Remove O_SYNC from device open and use fsync() to speed up
+    wipe operation considerably.
+
+  * Create --master-key-file in luksDump and fail if the file already exists.
+
+  * Fixes a bug when LUKS2 authenticated encryption with a detached header
+    wiped the header device instead of dm-integrity data device area (causing
+    unnecessary LUKS2 header auto recovery).
+
+-------------------------------------------------------------------
+Tue Oct 30 09:55:50 UTC 2018 - lnussel@suse.de
+
+- make parallell installable version for SLE12
+
 -------------------------------------------------------------------
 Tue Aug 21 07:40:54 UTC 2018 - lnussel@suse.de
 

cryptsetup.spec

@@ -17,8 +17,12 @@
 
 
 %define so_ver 12
+%if 0%{?is_backports}
+Name:           cryptsetup2
+%else
 Name:           cryptsetup
-Version:        2.0.4
+%endif
+Version:        2.0.5
 Release:        0
 Summary:        Set Up dm-crypt Based Encrypted Block Devices
 License:        SUSE-GPL-2.0-with-openssl-exception AND LGPL-2.0-or-later
@@ -28,7 +32,7 @@ Source0:        https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetu
 # GPG signature of the uncompressed tarball.
 Source1:        https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{version}.tar.sign
 Source2:        baselibs.conf
-Source3:        %{name}.keyring
+Source3:        cryptsetup.keyring
 BuildRequires:  device-mapper-devel
 BuildRequires:  fipscheck
 BuildRequires:  fipscheck-devel
@@ -44,6 +48,11 @@ BuildRequires:  popt-devel
 BuildRequires:  suse-module-tools
 BuildRequires:  pkgconfig(blkid)
 BuildRequires:  pkgconfig(libargon2)
+%if 0%{?is_backports}
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  libtool
+%endif
 Requires(post): coreutils
 Requires(postun): coreutils
 
@@ -57,6 +66,7 @@ time via the config file %{_sysconfdir}/crypttab.
 %package -n libcryptsetup%{so_ver}
 Summary:        Set Up dm-crypt Based Encrypted Block Devices
 Group:          System/Libraries
+Suggests:       libcryptsetup%{so_ver}-hmac
 
 %description -n libcryptsetup%{so_ver}
 cryptsetup is used to conveniently set up dm-crypt based device-mapper
@@ -73,7 +83,7 @@ Group:          System/Base
 This package contains HMAC checksums for integrity checking of libcryptsetup4,
 used for FIPS.
 
-%package -n libcryptsetup-devel
+%package -n lib%{name}-devel
 Summary:        Set Up dm-crypt Based Encrypted Block Devices
 Group:          Development/Libraries/C and C++
 Requires:       glibc-devel
@@ -81,8 +91,12 @@ Requires:       libcryptsetup%{so_ver} = %{version}
 # cryptsetup-devel last used 11.1
 Provides:       cryptsetup-devel = %{version}
 Obsoletes:      cryptsetup-devel < %{version}
+%if 0%{?is_backports}
+# have to conflict with main package that is in SLE
+Conflicts:      cryptsetup-devel < %{version}
+%endif
 
-%description -n libcryptsetup-devel
+%description -n lib%{name}-devel
 cryptsetup is used to conveniently set up dm-crypt based device-mapper
 targets. It allows to set up targets to read cryptoloop compatible
 volumes as well as LUKS formatted ones. The package additionally
@@ -90,7 +104,11 @@ includes support for automatically setting up encrypted volumes at boot
 time via the config file %{_sysconfdir}/crypttab.
 
 %prep
-%setup -q
+%setup -n cryptsetup-%{version} -q
+%if 0%{?is_backports}
+sed -i -e '/AC_INIT/s/cryptsetup/cryptsetup2/' configure.ac
+autoreconf -f -i
+%endif
 
 %build
 %configure \
@@ -114,58 +132,53 @@ make %{?_smp_mflags} V=1
 %{nil}
 
 %make_install
+%if 0%{?is_backports}
+# need to rename a files to avoid file conflict
+for i in cryptsetup integritysetup veritysetup cryptsetup-reencrypt; do
+	mv %{buildroot}%{_sbindir}/$i %{buildroot}%{_sbindir}/${i}2
+	mv %{buildroot}%{_mandir}/man8/$i.8 %{buildroot}%{_mandir}/man8/${i}2.8
+done
+rm -f %{buildroot}%{_tmpfilesdir}/cryptsetup.conf
+%endif
 install -dm 0755 %{buildroot}/sbin
-ln -s ..%{_sbindir}/cryptsetup %{buildroot}/sbin
+ln -s ..%{_sbindir}/cryptsetup%{?is_backports:2} %{buildroot}/sbin
 # don't want this file in /lib (FHS compat check), and can't move it to /usr/lib
 find %{buildroot} -type f -name "*.la" -delete -print
 #
 %find_lang %{name} --all-name
 
+%if !0%{?is_backports}
+#
 %post
-test -n "$FIRST_ARG" || FIRST_ARG="$1"
-#
-# convert noauto to nofail and turn on fsck (bnc#724113)
-#
-marker="%{_localstatedir}/adm/crypsetup.fstab.noauto_converted"
-if [ "$FIRST_ARG" -gt 1 -a ! -e "$marker" ]; then
-	echo "updating %{_sysconfdir}/fstab ... "
-	tmpfstab="%{_sysconfdir}/fstab.cryptsetup.$$"
-	sed -e '/^\/dev\/mapper\/cr_.*,noauto\s/{s/,noauto\(\s\)/,nofail\1/;s/ 0 0$/ 0 2/}' < %{_sysconfdir}/fstab > "$tmpfstab"
-	if diff -u0 %{_sysconfdir}/fstab "$tmpfstab"; then
-		echo "no change"
-		rm -f "$tmpfstab"
-		> "$marker"
-	else
-		cp "$tmpfstab" "$marker"
-		mv "$tmpfstab" %{_sysconfdir}/fstab
-	fi
-fi
-
 %{?regenerate_initrd_post}
-%tmpfiles_create %{_tmpfilesdir}/%{name}.conf
+%tmpfiles_create %{_tmpfilesdir}/cryptsetup.conf
 
 %postun
 %{?regenerate_initrd_post}
 
 %posttrans
 %{?regenerate_initrd_posttrans}
+#
+%endif
 
 %post -n libcryptsetup%{so_ver} -p /sbin/ldconfig
 %postun -n libcryptsetup%{so_ver} -p /sbin/ldconfig
 
 %files -f %{name}.lang
 %doc AUTHORS COPYING* FAQ README TODO docs/ChangeLog.old docs/*ReleaseNotes
-/sbin/cryptsetup
-%{_sbindir}/cryptsetup
-%{_sbindir}/veritysetup
-%{_sbindir}/integritysetup
-%{_sbindir}/cryptsetup-reencrypt
-%{_mandir}/man8/cryptsetup.8%{ext_man}
-%{_mandir}/man8/cryptsetup-reencrypt.8%{ext_man}
-%{_mandir}/man8/veritysetup.8%{ext_man}
-%{_mandir}/man8/integritysetup.8%{ext_man}
+/sbin/cryptsetup%{?is_backports:2}
+%{_sbindir}/cryptsetup%{?is_backports:2}
+%{_sbindir}/veritysetup%{?is_backports:2}
+%{_sbindir}/integritysetup%{?is_backports:2}
+%{_sbindir}/cryptsetup-reencrypt%{?is_backports:2}
+%{_mandir}/man8/cryptsetup%{?is_backports:2}.8%{ext_man}
+%{_mandir}/man8/cryptsetup-reencrypt%{?is_backports:2}.8%{ext_man}
+%{_mandir}/man8/veritysetup%{?is_backports:2}.8%{ext_man}
+%{_mandir}/man8/integritysetup%{?is_backports:2}.8%{ext_man}
+%if !0%{?is_backports}
 %{_tmpfilesdir}/cryptsetup.conf
 %ghost %dir /run/cryptsetup
+%endif
 
 %files -n libcryptsetup%{so_ver}
 %{_libdir}/libcryptsetup.so.%{so_ver}*
@@ -173,7 +186,7 @@ fi
 %files -n libcryptsetup%{so_ver}-hmac
 %{_libdir}/.libcryptsetup.so.%{so_ver}*hmac
 
-%files -n libcryptsetup-devel
+%files -n lib%{name}-devel
 %doc docs/examples/
 %{_includedir}/libcryptsetup.h
 %{_libdir}/libcryptsetup.so