From 3dd02a4dccc515230d2fbd3fcbf899a0025feb4e19eb820f9aa4a5d86fc973b6 Mon Sep 17 00:00:00 2001 
From: Ludwig Nussel Date: Wed, 31 Oct 2018 08:59:56 +0000 Subject: [PATCH] Accepting request 645498 from home:lnussel:branches:security - Suggest hmac package (boo#1090768) - remove old upgrade hack for upgrades from 12.1 - New version 2.0.5 Changes since version 2.0.4 ~~~~~~~~~~~~~~~~~~~~~~~~~~~ * Wipe full header areas (including unused) during LUKS format. Since this version, the whole area up to the data offset is zeroed, and subsequently, all keyslots areas are wiped with random data. This ensures that no remaining old data remains in the LUKS header areas, but it could slow down format operation on some devices. Previously only first 4k (or 32k for LUKS2) and the used keyslot was overwritten in the format operation. * Several fixes to error messages that were unintentionally replaced in previous versions with a silent exit code. More descriptive error messages were added, including error messages if - a device is unusable (not a block device, no access, etc.), - a LUKS device is not detected, - LUKS header load code detects unsupported version, - a keyslot decryption fails (also happens in the cipher check), - converting an inactive keyslot. * Device activation fails if data area overlaps with LUKS header. * Code now uses explicit_bzero to wipe memory if available (instead of own implementation). * Additional VeraCrypt modes are now supported, including Camellia and Kuznyechik symmetric ciphers (and cipher chains) and Streebog hash function. These were introduced in a recent VeraCrypt upstream. Note that Kuznyechik requires out-of-tree kernel module and Streebog hash function is available only with the gcrypt cryptographic backend for now. 
OBS-URL: https://build.opensuse.org/request/show/645498 OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=144 --- cryptsetup-2.0.4.tar.sign | 16 -------- cryptsetup-2.0.4.tar.xz | 3 -- cryptsetup-2.0.5.tar.sign | 16 ++++++++ cryptsetup-2.0.5.tar.xz | 3 ++ cryptsetup.changes | 68 +++++++++++++++++++++++++++++++ cryptsetup.spec | 85 ++++++++++++++++++++++----------------- 6 files changed, 136 insertions(+), 55 deletions(-) delete mode 100644 cryptsetup-2.0.4.tar.sign delete mode 100644 cryptsetup-2.0.4.tar.xz create mode 100644 cryptsetup-2.0.5.tar.sign create mode 100644 cryptsetup-2.0.5.tar.xz diff --git a/cryptsetup-2.0.4.tar.sign b/cryptsetup-2.0.4.tar.sign deleted file mode 100644 index 4e23f62..0000000 --- a/cryptsetup-2.0.4.tar.sign +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAltkMxMACgkQ2bBXe9k+ -mPwN2hAAvJwEaj1rfAUVhwZ21wMx7wDezI0OLamKAtKKP8saYjH9GA8HpfikGhHD -/LqcM31dacsyFP2iK+qj5GuS8aPm9HqePkXa0sqBcWw7Bsr4a091HYtReT3+bG8j -zIZtTzsjapZ425/nVB9ClJcEES8N3OpW+zhamv84T1zDwbVtC5x1wiMtsvdM6Rhg -bz7R7kam/OPIxgfSWVufVUaMGWDO6zPwND1Wn7ZVm6UNsTPLV/M3/H+uPm4y+jaW -In+eDhb05eNcY94dBVhRdqd/72CJ1OXUMEo8GEtmVPljvCDI2ljZ4LEoBUve323f -/kzjzZZqljaVoQOl3pT+d7jqvg5EybM6crV8E++VJO3mVSAd5CZhk4LV/HsrnDuy -4XtZLSPSQQkyhcezZ0+8EmGzzXVlBMfg6o/Jsnao5DKuIoea78mmH1DX6XnEjFoI -MeM+W+3A1scK05LYeo6ZhtGvwlVxUOfsrl5zDp1X+kTT94zPvjmsY2xa0cP3eXZ3 -vxSI1dosbmL91tE65gEVa1dGEYWMWYeR8K8ZqwVhxsg3QJInOM+sh/KdWQP1o/Lp -S1D5zi/8gi9R43K7Nd3Xi027d02gOkwvowie1leXBXdNYrAZIeQJbcdXiXbSAOiD -NTjKDPwGZbXmPcQckF1er9nd821ofxbnGEM6jBzCEprEX3YSf3M= -=V9r2 ------END PGP SIGNATURE----- diff --git a/cryptsetup-2.0.4.tar.xz b/cryptsetup-2.0.4.tar.xz deleted file mode 100644 index 4cdd185..0000000 --- a/cryptsetup-2.0.4.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9d3a3c7033293e0c97f0ad0501fd5b4d4913ae497cbf70cca06633ccc54b5734 -size 10444544 
diff --git a/cryptsetup-2.0.5.tar.sign b/cryptsetup-2.0.5.tar.sign new file mode 100644 index 0000000..fc0979a --- /dev/null +++ b/cryptsetup-2.0.5.tar.sign @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAlvVz2sACgkQ2bBXe9k+ +mPyYuQ//fNwPronpHFrOzmv277cfzVT6zrgLKOaf/YlqA0h5XmBVX9xcOD9rXhda +ld9rumIQn9s8G8HLavxxxhnciqeNOS0T/1ry3NVpxYdfF1FptIjchH/Lo697P5dX +C1oAqchOqfxjm6dwmbllvXTgoHV657JUC5tuaL6Wl26DrhImmAgNi42yZehNtHZz +8FN0Fc0muU06LUmKR2a4P5xj2SvlNntMnvld+qLHf+k+bBrcJyu2cqaBNns45mXy +uDHXclP+8ofXW3mELmSBJ89GzLkr8Zpxp2dITv2GqtewX1MH5b8cMUwIVsCClqHl +2YNGhMqRkDDj0C8u8JpYvmmZxcMUaKr5EMze18NeqPXpZCBoW5nvEtsS7hWbCdyu +VPqdP4mHfHeQtZkk3U4SZLEU7xFzcTwhgpxRQPe6ujyz+PlrOLk0Z9js9WgOJZ1U +7a9YNnXWlNIcVqOoYm9SPBo9nj+eoVUr2GG3lT02udj5YhGZjDG0gbjgtM99jg+T +Bcv/h9abx6a2TmPIRW9Pa98ggIaeY3HbAK4D4xBritrfhvtyXMAYWbwj8ZkyCsCX +41I10Eh3dNXR6/OJQFjKv7RCqGzanyCzEG0F+G4mw5xqPx5jhowmjI7GaC54X7UZ +7RWYt1pl8F+UGIbBRl3BWuI+cHM0RBJ4Jx53f6zpqDP9hL58RbA= +=o3rq +-----END PGP SIGNATURE----- diff --git a/cryptsetup-2.0.5.tar.xz b/cryptsetup-2.0.5.tar.xz new file mode 100644 index 0000000..ec62a0a --- /dev/null +++ b/cryptsetup-2.0.5.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a0f72ca2c824a5a555dc8924413dfe947eca23ab2e30bcff54eaafefe5fe301d +size 10476304 diff --git a/cryptsetup.changes b/cryptsetup.changes index 421d9d3..3228621 100644 --- a/cryptsetup.changes +++ b/cryptsetup.changes 
@@ -1,3 +1,71 @@
+-------------------------------------------------------------------
+Tue Oct 30 10:10:35 UTC 2018 - lnussel@suse.de
+
+- Suggest hmac package (boo#1090768)
+- remove old upgrade hack for upgrades from 12.1
+- New version 2.0.5
+
+ Changes since version 2.0.4
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ * Wipe full header areas (including unused) during LUKS format.
+
+ Since this version, the whole area up to the data offset is zeroed,
+ and subsequently, all keyslots areas are wiped with random data.
+ This ensures that no remaining old data remains in the LUKS header
+ areas, but it could slow down format operation on some devices.
+ Previously only first 4k (or 32k for LUKS2) and the used keyslot
+ was overwritten in the format operation.
+
+ * Several fixes to error messages that were unintentionally replaced
+ in previous versions with a silent exit code.
+ More descriptive error messages were added, including error
+ messages if
+ - a device is unusable (not a block device, no access, etc.),
+ - a LUKS device is not detected,
+ - LUKS header load code detects unsupported version,
+ - a keyslot decryption fails (also happens in the cipher check),
+ - converting an inactive keyslot.
+
+ * Device activation fails if data area overlaps with LUKS header.
+
+ * Code now uses explicit_bzero to wipe memory if available
+ (instead of own implementation).
+
+ * Additional VeraCrypt modes are now supported, including Camellia
+ and Kuznyechik symmetric ciphers (and cipher chains) and Streebog
+ hash function. These were introduced in a recent VeraCrypt upstream.
+
+ Note that Kuznyechik requires out-of-tree kernel module and
+ Streebog hash function is available only with the gcrypt cryptographic
+ backend for now.
+
+ * Fixes static build for integritysetup if the pwquality library is used.
+
+ * Allows passphrase change for unbound keyslots.
+
+ * Fixes removed keyslot number in verbose message for luksKillSlot,
+ luksRemoveKey and erase command.
+ + * Adds blkid scan when attempting to open a plain device and warn the user + about existing device signatures in a ciphertext device. + + * Remove LUKS header signature if luksFormat fails to add the first keyslot. + + * Remove O_SYNC from device open and use fsync() to speed up + wipe operation considerably. + + * Create --master-key-file in luksDump and fail if the file already exists. + + * Fixes a bug when LUKS2 authenticated encryption with a detached header + wiped the header device instead of dm-integrity data device area (causing + unnecessary LUKS2 header auto recovery). + +------------------------------------------------------------------- +Tue Oct 30 09:55:50 UTC 2018 - lnussel@suse.de + +- make parallell installable version for SLE12 + ------------------------------------------------------------------- Tue Aug 21 07:40:54 UTC 2018 - lnussel@suse.de diff --git a/cryptsetup.spec b/cryptsetup.spec index 1d221cf..754cfa5 100644 --- a/cryptsetup.spec +++ b/cryptsetup.spec @@ -17,8 +17,12 @@ %define so_ver 12 +%if 0%{?is_backports} +Name: cryptsetup2 +%else Name: cryptsetup -Version: 2.0.4 +%endif +Version: 2.0.5 Release: 0 Summary: Set Up dm-crypt Based Encrypted Block Devices License: SUSE-GPL-2.0-with-openssl-exception AND LGPL-2.0-or-later @@ -28,7 +32,7 @@ Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetu # GPG signature of the uncompressed tarball. Source1: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{version}.tar.sign Source2: baselibs.conf -Source3: %{name}.keyring +Source3: cryptsetup.keyring BuildRequires: device-mapper-devel BuildRequires: fipscheck BuildRequires: fipscheck-devel @@ -44,6 +48,11 @@ BuildRequires: popt-devel BuildRequires: suse-module-tools BuildRequires: pkgconfig(blkid) BuildRequires: pkgconfig(libargon2) +%if 0%{?is_backports} +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool +%endif Requires(post): coreutils Requires(postun): coreutils 
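Review bot: The `%if 0%{?is_backports}` guard added around `Name:` is true only when the macro has a non-zero value, while the later %install/%files hunk appends the suffix with `%{?is_backports:2}`, which expands whenever the macro is defined at all, even as 0. With `is_backports` defined as 0 the binaries would keep their original names but the symlink target and the %files entries would carry the `2` suffix, so the build would fail on missing files. The same guard is used in the BuildRequires, devel-package and %prep hunks, so I would define the suffix once inside the guarded branch, for example `%define bin_suffix 2` (name constructed for illustration), and write `%{?bin_suffix}` wherever `%{?is_backports:2}` appears now.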
@@ -57,6 +66,7 @@ time via the config file %{_sysconfdir}/crypttab. %package -n libcryptsetup%{so_ver} Summary: Set Up dm-crypt Based Encrypted Block Devices Group: System/Libraries +Suggests: libcryptsetup%{so_ver}-hmac %description -n libcryptsetup%{so_ver} cryptsetup is used to conveniently set up dm-crypt based device-mapper @@ -73,7 +83,7 @@ Group: System/Base This package contains HMAC checksums for integrity checking of libcryptsetup4, used for FIPS. -%package -n libcryptsetup-devel +%package -n lib%{name}-devel Summary: Set Up dm-crypt Based Encrypted Block Devices Group: Development/Libraries/C and C++ Requires: glibc-devel @@ -81,8 +91,12 @@ Requires: libcryptsetup%{so_ver} = %{version} # cryptsetup-devel last used 11.1 Provides: cryptsetup-devel = %{version} Obsoletes: cryptsetup-devel < %{version} +%if 0%{?is_backports} +# have to conflict with main package that is in SLE +Conflicts: cryptsetup-devel < %{version} +%endif -%description -n libcryptsetup-devel +%description -n lib%{name}-devel cryptsetup is used to conveniently set up dm-crypt based device-mapper targets. It allows to set up targets to read cryptoloop compatible volumes as well as LUKS formatted ones. The package additionally @@ -90,7 +104,11 @@ includes support for automatically setting up encrypted volumes at boot time via the config file %{_sysconfdir}/crypttab. %prep -%setup -q +%setup -n cryptsetup-%{version} -q +%if 0%{?is_backports} +sed -i -e '/AC_INIT/s/cryptsetup/cryptsetup2/' configure.ac +autoreconf -f -i +%endif %build %configure \ 
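Review bot: `Suggests:` on the added line of the libcryptsetup%{so_ver} package is the weakest dependency level, and as far as I know the resolver does not install suggested packages by default, so the -hmac subpackage will usually still be absent. The description in the next hunk's context says those HMAC checksums are used for FIPS integrity checking, so a FIPS-mode system presumably still has to install the package explicitly. I would record that next to the tag with a comment such as `# weak hint only: FIPS setups must install libcryptsetup%{so_ver}-hmac explicitly (boo#1090768)`.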
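Review bot: The added `Conflicts: cryptsetup-devel < %{version}` names the same package and version range as the `Obsoletes:` line directly above it, whereas the removed `%package -n libcryptsetup-devel` line in the previous hunk suggests that the devel package shipped in SLE is called libcryptsetup-devel. With `Name: cryptsetup2` this subpackage becomes libcryptsetup2-devel and, per the %files section at the end of the patch, still installs `%{_includedir}/libcryptsetup.h` and `%{_libdir}/libcryptsetup.so`, so the file clash with libcryptsetup-devel looks uncovered. If that reading is right, the line inside the `%if` should be `Conflicts: libcryptsetup-devel`.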
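Review bot: %prep, visible in full in this hunk, has no step that checks the tarball against the detached signature in Source1 and the keyring in Source3; it unpacks Source0 and, for backports, goes straight on to rewrite `configure.ac` with sed and regenerate the build system. Whether that check happens outside the spec cannot be told from here. If it does, a comment above `%setup` such as `# Source0 is verified against Source1/Source3 outside this spec, not in %prep` would record it; if it does not, a verification step belongs before `%setup`. The `sed` line would also benefit from a one-line comment stating why AC_INIT is renamed, presumably to keep installed names from clashing with the SLE cryptsetup package.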
@@ -114,58 +132,53 @@ make %{?_smp_mflags} V=1 %{nil} %make_install +%if 0%{?is_backports} +# need to rename a files to avoid file conflict +for i in cryptsetup integritysetup veritysetup cryptsetup-reencrypt; do + mv %{buildroot}%{_sbindir}/$i %{buildroot}%{_sbindir}/${i}2 + mv %{buildroot}%{_mandir}/man8/$i.8 %{buildroot}%{_mandir}/man8/${i}2.8 +done +rm -f %{buildroot}%{_tmpfilesdir}/cryptsetup.conf +%endif install -dm 0755 %{buildroot}/sbin -ln -s ..%{_sbindir}/cryptsetup %{buildroot}/sbin +ln -s ..%{_sbindir}/cryptsetup%{?is_backports:2} %{buildroot}/sbin # don't want this file in /lib (FHS compat check), and can't move it to /usr/lib find %{buildroot} -type f -name "*.la" -delete -print # %find_lang %{name} --all-name +%if !0%{?is_backports} +# %post -test -n "$FIRST_ARG" || FIRST_ARG="$1" -# -# convert noauto to nofail and turn on fsck (bnc#724113) -# -marker="%{_localstatedir}/adm/crypsetup.fstab.noauto_converted" -if [ "$FIRST_ARG" -gt 1 -a ! -e "$marker" ]; then - echo "updating %{_sysconfdir}/fstab ... 
" - tmpfstab="%{_sysconfdir}/fstab.cryptsetup.$$" - sed -e '/^\/dev\/mapper\/cr_.*,noauto\s/{s/,noauto\(\s\)/,nofail\1/;s/ 0 0$/ 0 2/}' < %{_sysconfdir}/fstab > "$tmpfstab" - if diff -u0 %{_sysconfdir}/fstab "$tmpfstab"; then - echo "no change" - rm -f "$tmpfstab" - > "$marker" - else - cp "$tmpfstab" "$marker" - mv "$tmpfstab" %{_sysconfdir}/fstab - fi -fi - %{?regenerate_initrd_post} -%tmpfiles_create %{_tmpfilesdir}/%{name}.conf +%tmpfiles_create %{_tmpfilesdir}/cryptsetup.conf %postun %{?regenerate_initrd_post} %posttrans %{?regenerate_initrd_posttrans} +# +%endif %post -n libcryptsetup%{so_ver} -p /sbin/ldconfig %postun -n libcryptsetup%{so_ver} -p /sbin/ldconfig %files -f %{name}.lang %doc AUTHORS COPYING* FAQ README TODO docs/ChangeLog.old docs/*ReleaseNotes -/sbin/cryptsetup -%{_sbindir}/cryptsetup -%{_sbindir}/veritysetup -%{_sbindir}/integritysetup -%{_sbindir}/cryptsetup-reencrypt -%{_mandir}/man8/cryptsetup.8%{ext_man} -%{_mandir}/man8/cryptsetup-reencrypt.8%{ext_man} -%{_mandir}/man8/veritysetup.8%{ext_man} -%{_mandir}/man8/integritysetup.8%{ext_man} +/sbin/cryptsetup%{?is_backports:2} +%{_sbindir}/cryptsetup%{?is_backports:2} +%{_sbindir}/veritysetup%{?is_backports:2} +%{_sbindir}/integritysetup%{?is_backports:2} +%{_sbindir}/cryptsetup-reencrypt%{?is_backports:2} +%{_mandir}/man8/cryptsetup%{?is_backports:2}.8%{ext_man} +%{_mandir}/man8/cryptsetup-reencrypt%{?is_backports:2}.8%{ext_man} +%{_mandir}/man8/veritysetup%{?is_backports:2}.8%{ext_man} +%{_mandir}/man8/integritysetup%{?is_backports:2}.8%{ext_man} +%if !0%{?is_backports} %{_tmpfilesdir}/cryptsetup.conf %ghost %dir /run/cryptsetup +%endif %files -n libcryptsetup%{so_ver} %{_libdir}/libcryptsetup.so.%{so_ver}* @@ -173,7 +186,7 @@ fi %files -n libcryptsetup%{so_ver}-hmac %{_libdir}/.libcryptsetup.so.%{so_ver}*hmac -%files -n libcryptsetup-devel +%files -n lib%{name}-devel %doc docs/examples/ %{_includedir}/libcryptsetup.h %{_libdir}/libcryptsetup.so