From b9976bf5b88e15fe252b62b04aaff0c7049da765ff675b69b9b830f107456efc Mon Sep 17 00:00:00 2001 From: Ludwig Nussel Date: Tue, 21 Aug 2018 07:44:40 +0000 Subject: [PATCH] - New version 2.0.4 Changes since version 2.0.3 ~~~~~~~~~~~~~~~~~~~~~~~~~~~ * Use the libblkid (blockid) library to detect foreign signatures on a device before LUKS format and LUKS2 auto-recovery. This change fixes an unexpected recovery using the secondary LUKS2 header after a device was already overwritten with another format (filesystem or LVM physical volume). LUKS2 will not recreate a primary header if it detects a valid foreign signature. In this situation, a user must always use cryptsetup repair command for the recovery. Note that libcryptsetup and utilities are now linked to libblkid as a new dependence. To compile code without blockid support (strongly discouraged), use --disable-blkid configure switch. * Add prompt for format and repair actions in cryptsetup and integritysetup if foreign signatures are detected on the device through the blockid library. After the confirmation, all known signatures are then wiped as part of the format or repair procedure. * Print consistent verbose message about keyslot and token numbers. For keyslot actions: Key slot unlocked/created/removed. For token actions: Token created/removed. * Print error, if a non-existent token is tried to be removed. * Add support for LUKS2 token definition export and import. The token command now can export/import customized token JSON file directly from command line. See the man page for more details. * Add support for new dm-integrity superblock version 2. * Add an error message when nothing was read from a key file. * Update cryptsetup man pages, including --type option usage. OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=141 --- cryptsetup-2.0.1.tar.sign | 16 ----- cryptsetup-2.0.1.tar.xz | 3 - cryptsetup-2.0.4.tar.sign | 16 +++++ cryptsetup-2.0.4.tar.xz | 3 + cryptsetup.changes | 134 ++++++++++++++++++++++++++++++++++++++ cryptsetup.spec | 4 +- 6 files changed, 155 insertions(+), 21 deletions(-) delete mode 100644 cryptsetup-2.0.1.tar.sign delete mode 100644 cryptsetup-2.0.1.tar.xz create mode 100644 cryptsetup-2.0.4.tar.sign create mode 100644 cryptsetup-2.0.4.tar.xz diff --git a/cryptsetup-2.0.1.tar.sign b/cryptsetup-2.0.1.tar.sign deleted file mode 100644 index d8195f4..0000000 --- a/cryptsetup-2.0.1.tar.sign +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAlpkfDAACgkQ2bBXe9k+ -mPxsUA//dMQaPwqITtohSntd+xGobT4uvlL/7B7MzD+61wSSh0gEk5wkpGkF4laL -7ai9JL9j2t0djBtCykFgke6VoWupZze9cSlOm/CV227wdBSwdOFo/Y5MlEWNozoT -JS1il/TM/egsxAt6GN7jUYPJ/TtcaFaLIZWXEb+xAT91Ep5FAL4Kpeu5Jd6m2hA0 -tWy3JtPeICp7z2gNvrb5bid3CzHTE6y5fgK5hoLtHQASCOvDUrEtCCuB+6USqtS1 -3dZ4uhm1p+MuEgSo5K4OZfbc0lT56qtIdnrqD+HveRJUbeqyBhaj71SSJgmfE+Em -AS07LlZwqwozKopK4/e97Nq8PHAidj6NNbWBXs8cWidzAQCAo3y0yTfAVQsj0mJh -PRNUOrL9Ev2klNo63swIe121aPitX2ybeIWMNGbdg8NYm8jhYfVUp2jAsP12V2rZ -daFu46t3ZZQwYHKp7jgR83ghj7J7qynqWT+Z3BUoNg+vvD5d5ZWJTvxEOgSvzkle -HjkJoW0bZoCvzzArVAlMCl5u+JpEGZQe0XCQyzfU1Glkur1EVKdpMvF8OusjtyZb -t6va9N9zDgX3b6BiA9HMB2EWwfXNDICNPEf5dOHPECsLx/tT2+BCtFIlKE7ne2r+ -iwIepRcMYL9kPSu5nTnCpImTWvPNBqJe8vfCaXMZi91H6ZQGwCE= -=WOMG ------END PGP SIGNATURE----- diff --git a/cryptsetup-2.0.1.tar.xz b/cryptsetup-2.0.1.tar.xz deleted file mode 100644 index db945c4..0000000 --- a/cryptsetup-2.0.1.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:41d188092c52e23d576af41cf0cfe0555d8f7efa21598d4c57c56ea1b6d9c975 -size 10110424 diff --git a/cryptsetup-2.0.4.tar.sign b/cryptsetup-2.0.4.tar.sign new file mode 100644 index 0000000..4e23f62 --- /dev/null +++ b/cryptsetup-2.0.4.tar.sign @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAltkMxMACgkQ2bBXe9k+ +mPwN2hAAvJwEaj1rfAUVhwZ21wMx7wDezI0OLamKAtKKP8saYjH9GA8HpfikGhHD +/LqcM31dacsyFP2iK+qj5GuS8aPm9HqePkXa0sqBcWw7Bsr4a091HYtReT3+bG8j +zIZtTzsjapZ425/nVB9ClJcEES8N3OpW+zhamv84T1zDwbVtC5x1wiMtsvdM6Rhg +bz7R7kam/OPIxgfSWVufVUaMGWDO6zPwND1Wn7ZVm6UNsTPLV/M3/H+uPm4y+jaW +In+eDhb05eNcY94dBVhRdqd/72CJ1OXUMEo8GEtmVPljvCDI2ljZ4LEoBUve323f +/kzjzZZqljaVoQOl3pT+d7jqvg5EybM6crV8E++VJO3mVSAd5CZhk4LV/HsrnDuy +4XtZLSPSQQkyhcezZ0+8EmGzzXVlBMfg6o/Jsnao5DKuIoea78mmH1DX6XnEjFoI +MeM+W+3A1scK05LYeo6ZhtGvwlVxUOfsrl5zDp1X+kTT94zPvjmsY2xa0cP3eXZ3 +vxSI1dosbmL91tE65gEVa1dGEYWMWYeR8K8ZqwVhxsg3QJInOM+sh/KdWQP1o/Lp +S1D5zi/8gi9R43K7Nd3Xi027d02gOkwvowie1leXBXdNYrAZIeQJbcdXiXbSAOiD +NTjKDPwGZbXmPcQckF1er9nd821ofxbnGEM6jBzCEprEX3YSf3M= +=V9r2 +-----END PGP SIGNATURE----- diff --git a/cryptsetup-2.0.4.tar.xz b/cryptsetup-2.0.4.tar.xz new file mode 100644 index 0000000..4cdd185 --- /dev/null +++ b/cryptsetup-2.0.4.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9d3a3c7033293e0c97f0ad0501fd5b4d4913ae497cbf70cca06633ccc54b5734 +size 10444544 diff --git a/cryptsetup.changes b/cryptsetup.changes index 877d9a0..421d9d3 100644 --- a/cryptsetup.changes +++ b/cryptsetup.changes @@ -1,3 +1,137 @@ +------------------------------------------------------------------- +Tue Aug 21 07:40:54 UTC 2018 - lnussel@suse.de + +- New version 2.0.4 + + Changes since version 2.0.3 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + * Use the libblkid (blockid) library to detect foreign signatures + on a device before LUKS format and LUKS2 auto-recovery. + This change fixes an unexpected recovery using the secondary + LUKS2 header after a device was already overwritten with + another format (filesystem or LVM physical volume). + LUKS2 will not recreate a primary header if it detects a valid + foreign signature. In this situation, a user must always + use cryptsetup repair command for the recovery. + Note that libcryptsetup and utilities are now linked to libblkid + as a new dependence. + To compile code without blockid support (strongly discouraged), + use --disable-blkid configure switch. + * Add prompt for format and repair actions in cryptsetup and + integritysetup if foreign signatures are detected on the device + through the blockid library. + After the confirmation, all known signatures are then wiped as + part of the format or repair procedure. + * Print consistent verbose message about keyslot and token numbers. + For keyslot actions: Key slot unlocked/created/removed. + For token actions: Token created/removed. + * Print error, if a non-existent token is tried to be removed. + * Add support for LUKS2 token definition export and import. + The token command now can export/import customized token JSON file + directly from command line. See the man page for more details. + * Add support for new dm-integrity superblock version 2. + * Add an error message when nothing was read from a key file. + * Update cryptsetup man pages, including --type option usage. + * Add a snapshot of LUKS2 format specification to documentation + and accordingly fix supported secondary header offsets. + * Add bundled optimized Argon2 SSE (X86_64 platform) code. + If the bundled Argon2 code is used and the new configure switch + --enable-internal-sse-argon2 option is present, and compiler flags + support required optimization, the code will try to use optimized + and faster variant. + Always use the shared library (--enable-libargon2) if possible. + This option was added because an enterprise distribution + rejected to support the shared Argon2 library and native support + in generic cryptographic libraries is not ready yet. + * Fix compilation with crypto backend for LibreSSL >= 2.7.0. + LibreSSL introduced OpenSSL 1.1.x API functions, so compatibility + wrapper must be commented out. + * Fix on-disk header size calculation for LUKS2 format if a specific + data alignment is requested. Until now, the code used default size + that could be wrong for converted devices. + + Changes since version 2.0.2 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + * Expose interface to unbound LUKS2 keyslots. + Unbound LUKS2 keyslot allows storing a key material that is independent + of master volume key (it is not bound to encrypted data segment). + * New API extensions for unbound keyslots (LUKS2 only) + crypt_keyslot_get_key_size() and crypt_volume_key_get() + These functions allow to get key and key size for unbound keyslots. + * New enum value CRYPT_SLOT_UNBOUND for keyslot status (LUKS2 only). + * Add --unbound keyslot option to the cryptsetup luksAddKey command. + * Add crypt_get_active_integrity_failures() call to get integrity + failure count for dm-integrity devices. + * Add crypt_get_pbkdf_default() function to get per-type PBKDF default + setting. + * Add new flag to crypt_keyslot_add_by_key() to force update device + volume key. This call is mainly intended for a wrapped key change. + * Allow volume key store in a file with cryptsetup. + The --dump-master-key together with --master-key-file allows cryptsetup + to store the binary volume key to a file instead of standard output. + * Add support detached header for cryptsetup-reencrypt command. + * Fix VeraCrypt PIM handling - use proper iterations count formula + for PBKDF2-SHA512 and PBKDF2-Whirlpool used in system volumes. + * Fix cryptsetup tcryptDump for VeraCrypt PIM (support --veracrypt-pim). + * Add --with-default-luks-format configure time option. + (Option to override default LUKS format version.) + * Fix LUKS version conversion for detached (and trimmed) LUKS headers. + * Add luksConvertKey cryptsetup command that converts specific keyslot + from one PBKDF to another. + * Do not allow conversion to LUKS2 if LUKSMETA (external tool metadata) + header is detected. + * More cleanup and hardening of LUKS2 keyslot specific validation options. + Add more checks for cipher validity before writing metadata on-disk. + * Do not allow LUKS1 version downconversion if the header contains tokens. + * Add "paes" family ciphers (AES wrapped key scheme for mainframes) + to allowed ciphers. + Specific wrapped ley configuration logic must be done by 3rd party tool, + LUKS2 stores only keyslot material and allow activation of the device. + * Add support for --check-at-most-once option (kernel 4.17) to veritysetup. + This flag can be dangerous; if you can control underlying device + (you can change its content after it was verified) it will no longer + prevent reading tampered data and also it does not prevent silent + data corruptions that appear after the block was once read. + * Fix return code (EPERM instead of EINVAL) and retry count for bad + passphrase on non-tty input. + * Enable support for FEC decoding in veritysetup to check dm-verity devices + with additional Reed-Solomon code in userspace (verify command). + + Changes since version 2.0.1 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + * Fix a regression in early detection of inactive keyslot for luksKillSlot. + It tried to ask for passphrase even for already erased keyslot. + * Fix a regression in loopaesOpen processing for keyfile on standard input. + Use of "-" argument was not working properly. + * Add LUKS2 specific options for cryptsetup-reencrypt. + Tokens and persistent flags are now transferred during reencryption; + change of PBKDF keyslot parameters is now supported and allows + to set precalculated values (no benchmarks). + * Do not allow LUKS2 --persistent and --test-passphrase cryptsetup flags + combination. Persistent flags are now stored only if the device was + successfully activated with the specified flags. + * Fix integritysetup format after recent Linux kernel changes that + requires to setup key for HMAC in all cases. + Previously integritysetup allowed HMAC with zero key that behaves + like a plain hash. + * Fix VeraCrypt PIM handling that modified internal iteration counts + even for subsequent activations. The PIM count is no longer printed + in debug log as it is sensitive information. + Also, the code now skips legacy TrueCrypt algorithms if a PIM + is specified (they cannot be used with PIM anyway). + * PBKDF values cannot be set (even with force parameters) below + hardcoded minimums. For PBKDF2 is it 1000 iterations, for Argon2 + it is 4 iterations and 32 KiB of memory cost. + * Introduce new crypt_token_is_assigned() API function for reporting + the binding between token and keyslots. + * Allow crypt_token_json_set() API function to create internal token types. + Do not allow unknown fields in internal token objects. + * Print message in cryptsetup that about was aborted if a user did not + answer YES in a query. + ------------------------------------------------------------------- Tue Jan 30 12:26:48 UTC 2018 - astieger@suse.com diff --git a/cryptsetup.spec b/cryptsetup.spec index 5f0ebcb..8eb29a3 100644 --- a/cryptsetup.spec +++ b/cryptsetup.spec @@ -18,10 +18,10 @@ %define so_ver 12 Name: cryptsetup -Version: 2.0.1 +Version: 2.0.4 Release: 0 Summary: Set Up dm-crypt Based Encrypted Block Devices -License: SUSE-GPL-2.0-with-openssl-exception AND LGPL-2.0+ +License: SUSE-GPL-2.0-with-openssl-exception AND LGPL-2.0-or-later Group: System/Base Url: https://gitlab.com/cryptsetup/cryptsetup/ Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{version}.tar.xz