diff --git a/cryptsetup-2.0.1.tar.sign b/cryptsetup-2.0.1.tar.sign deleted file mode 100644 index d8195f4..0000000 --- a/cryptsetup-2.0.1.tar.sign +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAlpkfDAACgkQ2bBXe9k+ -mPxsUA//dMQaPwqITtohSntd+xGobT4uvlL/7B7MzD+61wSSh0gEk5wkpGkF4laL -7ai9JL9j2t0djBtCykFgke6VoWupZze9cSlOm/CV227wdBSwdOFo/Y5MlEWNozoT -JS1il/TM/egsxAt6GN7jUYPJ/TtcaFaLIZWXEb+xAT91Ep5FAL4Kpeu5Jd6m2hA0 -tWy3JtPeICp7z2gNvrb5bid3CzHTE6y5fgK5hoLtHQASCOvDUrEtCCuB+6USqtS1 -3dZ4uhm1p+MuEgSo5K4OZfbc0lT56qtIdnrqD+HveRJUbeqyBhaj71SSJgmfE+Em -AS07LlZwqwozKopK4/e97Nq8PHAidj6NNbWBXs8cWidzAQCAo3y0yTfAVQsj0mJh -PRNUOrL9Ev2klNo63swIe121aPitX2ybeIWMNGbdg8NYm8jhYfVUp2jAsP12V2rZ -daFu46t3ZZQwYHKp7jgR83ghj7J7qynqWT+Z3BUoNg+vvD5d5ZWJTvxEOgSvzkle -HjkJoW0bZoCvzzArVAlMCl5u+JpEGZQe0XCQyzfU1Glkur1EVKdpMvF8OusjtyZb -t6va9N9zDgX3b6BiA9HMB2EWwfXNDICNPEf5dOHPECsLx/tT2+BCtFIlKE7ne2r+ -iwIepRcMYL9kPSu5nTnCpImTWvPNBqJe8vfCaXMZi91H6ZQGwCE= -=WOMG ------END PGP SIGNATURE----- diff --git a/cryptsetup-2.0.1.tar.xz b/cryptsetup-2.0.1.tar.xz deleted file mode 100644 index db945c4..0000000 --- a/cryptsetup-2.0.1.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:41d188092c52e23d576af41cf0cfe0555d8f7efa21598d4c57c56ea1b6d9c975 -size 10110424 diff --git a/cryptsetup-2.0.4.tar.sign b/cryptsetup-2.0.4.tar.sign new file mode 100644 index 0000000..4e23f62 --- /dev/null +++ b/cryptsetup-2.0.4.tar.sign 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAltkMxMACgkQ2bBXe9k+ +mPwN2hAAvJwEaj1rfAUVhwZ21wMx7wDezI0OLamKAtKKP8saYjH9GA8HpfikGhHD +/LqcM31dacsyFP2iK+qj5GuS8aPm9HqePkXa0sqBcWw7Bsr4a091HYtReT3+bG8j +zIZtTzsjapZ425/nVB9ClJcEES8N3OpW+zhamv84T1zDwbVtC5x1wiMtsvdM6Rhg +bz7R7kam/OPIxgfSWVufVUaMGWDO6zPwND1Wn7ZVm6UNsTPLV/M3/H+uPm4y+jaW +In+eDhb05eNcY94dBVhRdqd/72CJ1OXUMEo8GEtmVPljvCDI2ljZ4LEoBUve323f +/kzjzZZqljaVoQOl3pT+d7jqvg5EybM6crV8E++VJO3mVSAd5CZhk4LV/HsrnDuy +4XtZLSPSQQkyhcezZ0+8EmGzzXVlBMfg6o/Jsnao5DKuIoea78mmH1DX6XnEjFoI +MeM+W+3A1scK05LYeo6ZhtGvwlVxUOfsrl5zDp1X+kTT94zPvjmsY2xa0cP3eXZ3 +vxSI1dosbmL91tE65gEVa1dGEYWMWYeR8K8ZqwVhxsg3QJInOM+sh/KdWQP1o/Lp +S1D5zi/8gi9R43K7Nd3Xi027d02gOkwvowie1leXBXdNYrAZIeQJbcdXiXbSAOiD +NTjKDPwGZbXmPcQckF1er9nd821ofxbnGEM6jBzCEprEX3YSf3M= +=V9r2 +-----END PGP SIGNATURE----- diff --git a/cryptsetup-2.0.4.tar.xz b/cryptsetup-2.0.4.tar.xz new file mode 100644 index 0000000..4cdd185 --- /dev/null +++ b/cryptsetup-2.0.4.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9d3a3c7033293e0c97f0ad0501fd5b4d4913ae497cbf70cca06633ccc54b5734 +size 10444544 diff --git a/cryptsetup.changes b/cryptsetup.changes index 877d9a0..421d9d3 100644 --- a/cryptsetup.changes +++ b/cryptsetup.changes 
@@ -1,3 +1,137 @@ +------------------------------------------------------------------- +Tue Aug 21 07:40:54 UTC 2018 - lnussel@suse.de + +- New version 2.0.4 + + Changes since version 2.0.3 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + * Use the libblkid (blockid) library to detect foreign signatures + on a device before LUKS format and LUKS2 auto-recovery. + This change fixes an unexpected recovery using the secondary + LUKS2 header after a device was already overwritten with + another format (filesystem or LVM physical volume). + LUKS2 will not recreate a primary header if it detects a valid + foreign signature. In this situation, a user must always + use cryptsetup repair command for the recovery. + Note that libcryptsetup and utilities are now linked to libblkid + as a new dependence. + To compile code without blockid support (strongly discouraged), + use --disable-blkid configure switch. + * Add prompt for format and repair actions in cryptsetup and + integritysetup if foreign signatures are detected on the device + through the blockid library. + After the confirmation, all known signatures are then wiped as + part of the format or repair procedure. + * Print consistent verbose message about keyslot and token numbers. + For keyslot actions: Key slot unlocked/created/removed. + For token actions: Token created/removed. + * Print error, if a non-existent token is tried to be removed. + * Add support for LUKS2 token definition export and import. + The token command now can export/import customized token JSON file + directly from command line. See the man page for more details. + * Add support for new dm-integrity superblock version 2. + * Add an error message when nothing was read from a key file. + * Update cryptsetup man pages, including --type option usage. + * Add a snapshot of LUKS2 format specification to documentation + and accordingly fix supported secondary header offsets. + * Add bundled optimized Argon2 SSE (X86_64 platform) code. 
+ If the bundled Argon2 code is used and the new configure switch + --enable-internal-sse-argon2 option is present, and compiler flags + support required optimization, the code will try to use optimized + and faster variant. + Always use the shared library (--enable-libargon2) if possible. + This option was added because an enterprise distribution + rejected to support the shared Argon2 library and native support + in generic cryptographic libraries is not ready yet. + * Fix compilation with crypto backend for LibreSSL >= 2.7.0. + LibreSSL introduced OpenSSL 1.1.x API functions, so compatibility + wrapper must be commented out. + * Fix on-disk header size calculation for LUKS2 format if a specific + data alignment is requested. Until now, the code used default size + that could be wrong for converted devices. + + Changes since version 2.0.2 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + * Expose interface to unbound LUKS2 keyslots. + Unbound LUKS2 keyslot allows storing a key material that is independent + of master volume key (it is not bound to encrypted data segment). + * New API extensions for unbound keyslots (LUKS2 only) + crypt_keyslot_get_key_size() and crypt_volume_key_get() + These functions allow to get key and key size for unbound keyslots. + * New enum value CRYPT_SLOT_UNBOUND for keyslot status (LUKS2 only). + * Add --unbound keyslot option to the cryptsetup luksAddKey command. + * Add crypt_get_active_integrity_failures() call to get integrity + failure count for dm-integrity devices. + * Add crypt_get_pbkdf_default() function to get per-type PBKDF default + setting. + * Add new flag to crypt_keyslot_add_by_key() to force update device + volume key. This call is mainly intended for a wrapped key change. + * Allow volume key store in a file with cryptsetup. + The --dump-master-key together with --master-key-file allows cryptsetup + to store the binary volume key to a file instead of standard output. + * Add support detached header for cryptsetup-reencrypt command. 
+ * Fix VeraCrypt PIM handling - use proper iterations count formula + for PBKDF2-SHA512 and PBKDF2-Whirlpool used in system volumes. + * Fix cryptsetup tcryptDump for VeraCrypt PIM (support --veracrypt-pim). + * Add --with-default-luks-format configure time option. + (Option to override default LUKS format version.) + * Fix LUKS version conversion for detached (and trimmed) LUKS headers. + * Add luksConvertKey cryptsetup command that converts specific keyslot + from one PBKDF to another. + * Do not allow conversion to LUKS2 if LUKSMETA (external tool metadata) + header is detected. + * More cleanup and hardening of LUKS2 keyslot specific validation options. + Add more checks for cipher validity before writing metadata on-disk. + * Do not allow LUKS1 version downconversion if the header contains tokens. + * Add "paes" family ciphers (AES wrapped key scheme for mainframes) + to allowed ciphers. + Specific wrapped ley configuration logic must be done by 3rd party tool, + LUKS2 stores only keyslot material and allow activation of the device. + * Add support for --check-at-most-once option (kernel 4.17) to veritysetup. + This flag can be dangerous; if you can control underlying device + (you can change its content after it was verified) it will no longer + prevent reading tampered data and also it does not prevent silent + data corruptions that appear after the block was once read. + * Fix return code (EPERM instead of EINVAL) and retry count for bad + passphrase on non-tty input. + * Enable support for FEC decoding in veritysetup to check dm-verity devices + with additional Reed-Solomon code in userspace (verify command). + + Changes since version 2.0.1 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + * Fix a regression in early detection of inactive keyslot for luksKillSlot. + It tried to ask for passphrase even for already erased keyslot. + * Fix a regression in loopaesOpen processing for keyfile on standard input. + Use of "-" argument was not working properly. 
+ * Add LUKS2 specific options for cryptsetup-reencrypt. + Tokens and persistent flags are now transferred during reencryption; + change of PBKDF keyslot parameters is now supported and allows + to set precalculated values (no benchmarks). + * Do not allow LUKS2 --persistent and --test-passphrase cryptsetup flags + combination. Persistent flags are now stored only if the device was + successfully activated with the specified flags. + * Fix integritysetup format after recent Linux kernel changes that + requires to setup key for HMAC in all cases. + Previously integritysetup allowed HMAC with zero key that behaves + like a plain hash. + * Fix VeraCrypt PIM handling that modified internal iteration counts + even for subsequent activations. The PIM count is no longer printed + in debug log as it is sensitive information. + Also, the code now skips legacy TrueCrypt algorithms if a PIM + is specified (they cannot be used with PIM anyway). + * PBKDF values cannot be set (even with force parameters) below + hardcoded minimums. For PBKDF2 is it 1000 iterations, for Argon2 + it is 4 iterations and 32 KiB of memory cost. + * Introduce new crypt_token_is_assigned() API function for reporting + the binding between token and keyslots. + * Allow crypt_token_json_set() API function to create internal token types. + Do not allow unknown fields in internal token objects. + * Print message in cryptsetup that about was aborted if a user did not + answer YES in a query. + ------------------------------------------------------------------- Tue Jan 30 12:26:48 UTC 2018 - astieger@suse.com diff --git a/cryptsetup.spec b/cryptsetup.spec index 5f0ebcb..8eb29a3 100644 --- a/cryptsetup.spec +++ b/cryptsetup.spec 
@@ -18,10 +18,10 @@ %define so_ver 12 Name: cryptsetup -Version: 2.0.1 +Version: 2.0.4 Release: 0 Summary: Set Up dm-crypt Based Encrypted Block Devices -License: SUSE-GPL-2.0-with-openssl-exception AND LGPL-2.0+ +License: SUSE-GPL-2.0-with-openssl-exception AND LGPL-2.0-or-later Group: System/Base Url: https://gitlab.com/cryptsetup/cryptsetup/ Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{version}.tar.xz
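Review bot: In the cryptsetup-2.0.4.tar.sign and cryptsetup-2.0.4.tar.xz hunks, the signature file is named .tar.sign while the source is .tar.xz, which indicates the detached signature covers the uncompressed tar rather than the .xz file. The tarball itself is committed only as a Git LFS pointer (oid sha256:9d3a3c70…, size 10444544), so that digest is the only thing in the repository binding the package to a specific file. Please confirm that the signature was checked against the decompressed tarball with the upstream signing key, and that the file behind the LFS oid is the one that was verified. Nothing in this diff shows a keyring being added or a verification step, so state in the submission how the check is done.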
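Review bot: The new cryptsetup.changes entry (Tue Aug 21 07:40:54 UTC 2018) records only "New version 2.0.4" plus the pasted upstream notes, and does not mention the License tag change from LGPL-2.0+ to LGPL-2.0-or-later made in cryptsetup.spec in the same patch. Add a separate bullet for the license tag update. Since the pasted notes span three upstream releases, it would also help to call out at the top of the entry the items that change behaviour for existing users: the new libblkid link dependency, integritysetup no longer accepting HMAC with a zero key, and the hardcoded PBKDF minimums (1000 iterations for PBKDF2; 4 iterations and 32 KiB for Argon2). The pasted text also carries typos ("dependence", "wrapped ley", "that about was aborted") that could be corrected if the entry is edited anyway.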
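Review bot: The cryptsetup.spec hunk changes only Version and License, while the changelog added in this patch says libcryptsetup and the utilities now link against libblkid and that building with --disable-blkid is strongly discouraged. The hunk shows only the header lines around so_ver, Version and License, so it is not visible whether the spec already has a build requirement for the libblkid development package. Please confirm it does, so that the build does not fall back to a configuration without foreign-signature detection before LUKS format and LUKS2 auto-recovery. The same applies to Argon2: the notes recommend --enable-libargon2 over the bundled code with --enable-internal-sse-argon2, and the spec should make that choice explicitly rather than rely on configure defaults.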