SHA256
1
0
forked from pool/cryptsetup

- New version 2.0.4

Changes since version 2.0.3
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~
  * Use the libblkid (blockid) library to detect foreign signatures
    on a device before LUKS format and LUKS2 auto-recovery.
    This change fixes an unexpected recovery using the secondary
    LUKS2 header after a device was already overwritten with
    another format (filesystem or LVM physical volume).
    LUKS2 will not recreate a primary header if it detects a valid
    foreign signature. In this situation, a user must always
    use cryptsetup repair command for the recovery.
    Note that libcryptsetup and utilities are now linked to libblkid
    as a new dependence.
    To compile code without blockid support (strongly discouraged),
    use --disable-blkid configure switch.
  * Add prompt for format and repair actions in cryptsetup and
    integritysetup if foreign signatures are detected on the device
    through the blockid library.
    After the confirmation, all known signatures are then wiped as
    part of the format or repair procedure.
  * Print consistent verbose message about keyslot and token numbers.
    For keyslot actions: Key slot <number> unlocked/created/removed.
    For token actions: Token <number> created/removed.
  * Print error, if a non-existent token is tried to be removed.
  * Add support for LUKS2 token definition export and import.
    The token command now can export/import customized token JSON file
    directly from command line. See the man page for more details.
  * Add support for new dm-integrity superblock version 2.
  * Add an error message when nothing was read from a key file.
  * Update cryptsetup man pages, including --type option usage.

OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=141
This commit is contained in:
Ludwig Nussel 2018-08-21 07:44:40 +00:00 committed by Git OBS Bridge
parent 6a3a5ab46f
commit b9976bf5b8
6 changed files with 155 additions and 21 deletions

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAlpkfDAACgkQ2bBXe9k+
mPxsUA//dMQaPwqITtohSntd+xGobT4uvlL/7B7MzD+61wSSh0gEk5wkpGkF4laL
7ai9JL9j2t0djBtCykFgke6VoWupZze9cSlOm/CV227wdBSwdOFo/Y5MlEWNozoT
JS1il/TM/egsxAt6GN7jUYPJ/TtcaFaLIZWXEb+xAT91Ep5FAL4Kpeu5Jd6m2hA0
tWy3JtPeICp7z2gNvrb5bid3CzHTE6y5fgK5hoLtHQASCOvDUrEtCCuB+6USqtS1
3dZ4uhm1p+MuEgSo5K4OZfbc0lT56qtIdnrqD+HveRJUbeqyBhaj71SSJgmfE+Em
AS07LlZwqwozKopK4/e97Nq8PHAidj6NNbWBXs8cWidzAQCAo3y0yTfAVQsj0mJh
PRNUOrL9Ev2klNo63swIe121aPitX2ybeIWMNGbdg8NYm8jhYfVUp2jAsP12V2rZ
daFu46t3ZZQwYHKp7jgR83ghj7J7qynqWT+Z3BUoNg+vvD5d5ZWJTvxEOgSvzkle
HjkJoW0bZoCvzzArVAlMCl5u+JpEGZQe0XCQyzfU1Glkur1EVKdpMvF8OusjtyZb
t6va9N9zDgX3b6BiA9HMB2EWwfXNDICNPEf5dOHPECsLx/tT2+BCtFIlKE7ne2r+
iwIepRcMYL9kPSu5nTnCpImTWvPNBqJe8vfCaXMZi91H6ZQGwCE=
=WOMG
-----END PGP SIGNATURE-----

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:41d188092c52e23d576af41cf0cfe0555d8f7efa21598d4c57c56ea1b6d9c975
size 10110424

16
cryptsetup-2.0.4.tar.sign Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAltkMxMACgkQ2bBXe9k+
mPwN2hAAvJwEaj1rfAUVhwZ21wMx7wDezI0OLamKAtKKP8saYjH9GA8HpfikGhHD
/LqcM31dacsyFP2iK+qj5GuS8aPm9HqePkXa0sqBcWw7Bsr4a091HYtReT3+bG8j
zIZtTzsjapZ425/nVB9ClJcEES8N3OpW+zhamv84T1zDwbVtC5x1wiMtsvdM6Rhg
bz7R7kam/OPIxgfSWVufVUaMGWDO6zPwND1Wn7ZVm6UNsTPLV/M3/H+uPm4y+jaW
In+eDhb05eNcY94dBVhRdqd/72CJ1OXUMEo8GEtmVPljvCDI2ljZ4LEoBUve323f
/kzjzZZqljaVoQOl3pT+d7jqvg5EybM6crV8E++VJO3mVSAd5CZhk4LV/HsrnDuy
4XtZLSPSQQkyhcezZ0+8EmGzzXVlBMfg6o/Jsnao5DKuIoea78mmH1DX6XnEjFoI
MeM+W+3A1scK05LYeo6ZhtGvwlVxUOfsrl5zDp1X+kTT94zPvjmsY2xa0cP3eXZ3
vxSI1dosbmL91tE65gEVa1dGEYWMWYeR8K8ZqwVhxsg3QJInOM+sh/KdWQP1o/Lp
S1D5zi/8gi9R43K7Nd3Xi027d02gOkwvowie1leXBXdNYrAZIeQJbcdXiXbSAOiD
NTjKDPwGZbXmPcQckF1er9nd821ofxbnGEM6jBzCEprEX3YSf3M=
=V9r2
-----END PGP SIGNATURE-----

3
cryptsetup-2.0.4.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9d3a3c7033293e0c97f0ad0501fd5b4d4913ae497cbf70cca06633ccc54b5734
size 10444544

View File

@ -1,3 +1,137 @@
-------------------------------------------------------------------
Tue Aug 21 07:40:54 UTC 2018 - lnussel@suse.de
- New version 2.0.4
Changes since version 2.0.3
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Use the libblkid (blockid) library to detect foreign signatures
on a device before LUKS format and LUKS2 auto-recovery.
This change fixes an unexpected recovery using the secondary
LUKS2 header after a device was already overwritten with
another format (filesystem or LVM physical volume).
LUKS2 will not recreate a primary header if it detects a valid
foreign signature. In this situation, a user must always
use cryptsetup repair command for the recovery.
Note that libcryptsetup and utilities are now linked to libblkid
as a new dependence.
To compile code without blockid support (strongly discouraged),
use --disable-blkid configure switch.
* Add prompt for format and repair actions in cryptsetup and
integritysetup if foreign signatures are detected on the device
through the blockid library.
After the confirmation, all known signatures are then wiped as
part of the format or repair procedure.
* Print consistent verbose message about keyslot and token numbers.
For keyslot actions: Key slot <number> unlocked/created/removed.
For token actions: Token <number> created/removed.
* Print error, if a non-existent token is tried to be removed.
* Add support for LUKS2 token definition export and import.
The token command now can export/import customized token JSON file
directly from command line. See the man page for more details.
* Add support for new dm-integrity superblock version 2.
* Add an error message when nothing was read from a key file.
* Update cryptsetup man pages, including --type option usage.
* Add a snapshot of LUKS2 format specification to documentation
and accordingly fix supported secondary header offsets.
* Add bundled optimized Argon2 SSE (X86_64 platform) code.
If the bundled Argon2 code is used and the new configure switch
--enable-internal-sse-argon2 option is present, and compiler flags
support required optimization, the code will try to use optimized
and faster variant.
Always use the shared library (--enable-libargon2) if possible.
This option was added because an enterprise distribution
rejected to support the shared Argon2 library and native support
in generic cryptographic libraries is not ready yet.
* Fix compilation with crypto backend for LibreSSL >= 2.7.0.
LibreSSL introduced OpenSSL 1.1.x API functions, so compatibility
wrapper must be commented out.
* Fix on-disk header size calculation for LUKS2 format if a specific
data alignment is requested. Until now, the code used default size
that could be wrong for converted devices.
Changes since version 2.0.2
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Expose interface to unbound LUKS2 keyslots.
Unbound LUKS2 keyslot allows storing a key material that is independent
of master volume key (it is not bound to encrypted data segment).
* New API extensions for unbound keyslots (LUKS2 only)
crypt_keyslot_get_key_size() and crypt_volume_key_get()
These functions allow to get key and key size for unbound keyslots.
* New enum value CRYPT_SLOT_UNBOUND for keyslot status (LUKS2 only).
* Add --unbound keyslot option to the cryptsetup luksAddKey command.
* Add crypt_get_active_integrity_failures() call to get integrity
failure count for dm-integrity devices.
* Add crypt_get_pbkdf_default() function to get per-type PBKDF default
setting.
* Add new flag to crypt_keyslot_add_by_key() to force update device
volume key. This call is mainly intended for a wrapped key change.
* Allow volume key store in a file with cryptsetup.
The --dump-master-key together with --master-key-file allows cryptsetup
to store the binary volume key to a file instead of standard output.
* Add support detached header for cryptsetup-reencrypt command.
* Fix VeraCrypt PIM handling - use proper iterations count formula
for PBKDF2-SHA512 and PBKDF2-Whirlpool used in system volumes.
* Fix cryptsetup tcryptDump for VeraCrypt PIM (support --veracrypt-pim).
* Add --with-default-luks-format configure time option.
(Option to override default LUKS format version.)
* Fix LUKS version conversion for detached (and trimmed) LUKS headers.
* Add luksConvertKey cryptsetup command that converts specific keyslot
from one PBKDF to another.
* Do not allow conversion to LUKS2 if LUKSMETA (external tool metadata)
header is detected.
* More cleanup and hardening of LUKS2 keyslot specific validation options.
Add more checks for cipher validity before writing metadata on-disk.
* Do not allow LUKS1 version downconversion if the header contains tokens.
* Add "paes" family ciphers (AES wrapped key scheme for mainframes)
to allowed ciphers.
Specific wrapped ley configuration logic must be done by 3rd party tool,
LUKS2 stores only keyslot material and allow activation of the device.
* Add support for --check-at-most-once option (kernel 4.17) to veritysetup.
This flag can be dangerous; if you can control underlying device
(you can change its content after it was verified) it will no longer
prevent reading tampered data and also it does not prevent silent
data corruptions that appear after the block was once read.
* Fix return code (EPERM instead of EINVAL) and retry count for bad
passphrase on non-tty input.
* Enable support for FEC decoding in veritysetup to check dm-verity devices
with additional Reed-Solomon code in userspace (verify command).
Changes since version 2.0.1
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Fix a regression in early detection of inactive keyslot for luksKillSlot.
It tried to ask for passphrase even for already erased keyslot.
* Fix a regression in loopaesOpen processing for keyfile on standard input.
Use of "-" argument was not working properly.
* Add LUKS2 specific options for cryptsetup-reencrypt.
Tokens and persistent flags are now transferred during reencryption;
change of PBKDF keyslot parameters is now supported and allows
to set precalculated values (no benchmarks).
* Do not allow LUKS2 --persistent and --test-passphrase cryptsetup flags
combination. Persistent flags are now stored only if the device was
successfully activated with the specified flags.
* Fix integritysetup format after recent Linux kernel changes that
requires to setup key for HMAC in all cases.
Previously integritysetup allowed HMAC with zero key that behaves
like a plain hash.
* Fix VeraCrypt PIM handling that modified internal iteration counts
even for subsequent activations. The PIM count is no longer printed
in debug log as it is sensitive information.
Also, the code now skips legacy TrueCrypt algorithms if a PIM
is specified (they cannot be used with PIM anyway).
* PBKDF values cannot be set (even with force parameters) below
hardcoded minimums. For PBKDF2 is it 1000 iterations, for Argon2
it is 4 iterations and 32 KiB of memory cost.
* Introduce new crypt_token_is_assigned() API function for reporting
the binding between token and keyslots.
* Allow crypt_token_json_set() API function to create internal token types.
Do not allow unknown fields in internal token objects.
* Print message in cryptsetup that about was aborted if a user did not
answer YES in a query.
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Jan 30 12:26:48 UTC 2018 - astieger@suse.com Tue Jan 30 12:26:48 UTC 2018 - astieger@suse.com

View File

@ -18,10 +18,10 @@
%define so_ver 12 %define so_ver 12
Name: cryptsetup Name: cryptsetup
Version: 2.0.1 Version: 2.0.4
Release: 0 Release: 0
Summary: Set Up dm-crypt Based Encrypted Block Devices Summary: Set Up dm-crypt Based Encrypted Block Devices
License: SUSE-GPL-2.0-with-openssl-exception AND LGPL-2.0+ License: SUSE-GPL-2.0-with-openssl-exception AND LGPL-2.0-or-later
Group: System/Base Group: System/Base
Url: https://gitlab.com/cryptsetup/cryptsetup/ Url: https://gitlab.com/cryptsetup/cryptsetup/
Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{version}.tar.xz Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{version}.tar.xz