SHA256
1
0
forked from pool/cryptsetup

Accepting request 769866 from home:polslinux:branches:security

- Update to 2.3.0 (include release notes for 2.2.0)
  * BITLK (Windows BitLocker compatible) device access
  * Veritysetup now supports activation with additional PKCS7 signature
    of root hash through --root-hash-signature option.
  * Integritysetup now calculates hash integrity size according to algorithm
    instead of requiring an explicit tag size.
  * Integritysetup now supports fixed padding for dm-integrity devices.
  * A lot of fixes to online LUKS2 reecryption.
  * Add crypt_resume_by_volume_key() function to libcryptsetup.
    If a user has a volume key available, the LUKS device can be resumed
    directly using the provided volume key.
    No keyslot derivation is needed, only the key digest is checked.
  * Implement active device suspend info.
    Add CRYPT_ACTIVATE_SUSPENDED bit to crypt_get_active_device() flags
    that informs the caller that device is suspended (luksSuspend).
  * Allow --test-passphrase for a detached header.
    Before this fix, we required a data device specified on the command
    line even though it was not necessary for the passphrase check.
  * Allow --key-file option in legacy offline encryption.
    The option was ignored for LUKS1 encryption initialization.
  * Export memory safe functions.
    To make developing of some extensions simpler, we now export
    functions to handle memory with proper wipe on deallocation.
  * Fail crypt_keyslot_get_pbkdf for inactive LUKS1 keyslot.
  * Add optional global serialization lock for memory hard PBKDF.
  * Abort conversion to LUKS1 with incompatible sector size that is
    not supported in LUKS1.
  * Report error (-ENOENT) if no LUKS keyslots are available. User can now
    distinguish between a wrong passphrase and no keyslot available.
  * Fix a possible segfault in detached header handling (double free).
  * Add integritysetup support for bitmap mode introduced in Linux kernel 5.2.
  * The libcryptsetup now keeps all file descriptors to underlying device
    open during the whole lifetime of crypt device context to avoid excessive
    scanning in udev (udev run scan on every descriptor close).
  * The luksDump command now prints more info for reencryption keyslot
    (when a device is in-reencryption).
  * New --device-size parameter is supported for LUKS2 reencryption.
  * New --resume-only parameter is supported for LUKS2 reencryption.
  * The repair command now tries LUKS2 reencryption recovery if needed.
  * If reencryption device is a file image, an interactive dialog now
    asks if reencryption should be run safely in offline mode
    (if autodetection of active devices failed).
  * Fix activation through a token where dm-crypt volume key was not
    set through keyring (but using old device-mapper table parameter mode).
  * Online reencryption can now retain all keyslots (if all passphrases
    are provided). Note that keyslot numbers will change in this case.
  * Allow volume key file to be used if no LUKS2 keyslots are present.
  * Print a warning if online reencrypt is called over LUKS1 (not supported).
  * Fix TCRYPT KDF failure in FIPS mode.
  * Remove FIPS mode restriction for crypt_volume_key_get.
  * Reduce keyslots area size in luksFormat when the header device is too small.
  * Make resize action accept --device-size parameter (supports units suffix).

OBS-URL: https://build.opensuse.org/request/show/769866
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=153
This commit is contained in:
Ludwig Nussel 2020-02-04 16:53:39 +00:00 committed by Git OBS Bridge
parent 6a28f3c770
commit c833c93fcf
6 changed files with 81 additions and 24 deletions

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAlxdkp0ACgkQ2bBXe9k+
mPx0JxAAu+yx54yDHQO1QOZvINKVSrLwZ/nGAy+JDQsOsM/+zOlXictxD/yybzZv
GFuWdn5POnZDfwjp9b9UvudOUbxTLWNimyavV58iG0ICgFbxC6wpCVn0NxC+lPtt
3uThWXTgJzcDpGbi9oi7FWEoihG7DJHMsGVUeUnhcZC+NSdXl6/ZTb5i68/rNNzc
YHwM7OSWczn39Bdr0+/gs3jxnO01OP1weNgFZ6ChcENkSp8n+TQJEVwa+yiuO+rP
BcBws0zjBYTKcpm/ZtuPGczwOaEBwk/jyamgfoobIeCzIyyUdMrCxwE/3oYMJxqS
faijxMd21RZ3yqnkwvhTO1CbGWHAlVCqjAzyX8okhgjVi8gQpWvD67WRSC7FX+vD
72m9yZ5qTO0lNPTtze6xo88UvWskIZtSg1rPtP39vyBnAAgZflKFRu8r+IgXn612
VRJLlit+mCmKOgi5ochkxlJgrMY6FmWbVMlq1sxFy1dk3wRQTh5DYzT5IGnhdXi8
osY2swVKnVJhkThomVUJ8pXIwWGKZNGMzTU7Eofi9zSHwTMm0y6EdFNlXogrzmY3
vEHOb3zEqPujWegBeqsHhuHgPQewgts+7bIPEbvEPsSwSqMvX8BPsyLv7c6bat9x
GhXTLwGeJ2RcNmF5bH7GMe7b+XLVaeBzNjLE3Ty0iFWgzT3Uwd0=
=gOH9
-----END PGP SIGNATURE-----

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a3eeb2741f8f3376d16585191f3c60e067dd987e096c3c4b073fab7748b1c897
size 10662576

16
cryptsetup-2.3.0.tar.sign Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAl42+b4ACgkQ2bBXe9k+
mPyC+w/+JY0R3jpt+iCfDjp/Terjwm+Q1NqOjTJ1pSps9ZzZF5vgqxDqF4IljxNX
zM4YtEN9HUUoE0U12FXmFTYlfoD4rj1AzR4Er9oX+P4YlGVQ0dmkGGr9gsmh+mpY
m9fZg3jLp+ebhkhIQqMgsUj2xjgQlYoc7hcRcNq9weatLBAidHIdd0JR/0ot2yAS
eLRodVOtfMvLDGhatMgwxm+FEXbPbgQXYrOemcqlHYPzKLv6xir9ZsLowZxABRaB
41LZ8o6+4VGqpoNA0r4M1XFqcJ0mDYLdLib7uNNFY97A5bZTUEmALuiHOBNdEygG
AgBUPnZPJUgSRKmJP4QL2CM6U3si3eNLDwrIjwp0cFtqnZB3bUzGfeu0h/XXSkrV
b6Yja7zneZNeWaxz8GWCiZwVVBtM2n7PamdVV4xqQF6GE0o84EkJ91oZBim+a/5B
PUOgcctQaYUAKkuvYXVhZQBaL5D4ppBWaFthENZSQ4sSlEILtsz5LYvWq1oMLWkv
rZN9lftPd5GqASkTIDQcTNL0GNdJR+P+0kMCNiWOCJzZNzEIk2D6tlyxjnJV8qrk
rFcShE9R3dADDJ9Ew+91JRk8C2XSG9gOS29K3fF2Hdnv7nfiTns3dh2V6kz/821W
E39CREgh0A67zppzKWyHnH1BayDeREgRA/TatjZWDAZOHWRM+Ig=
=cfqp
-----END PGP SIGNATURE-----

3
cryptsetup-2.3.0.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:395690de99509428354d3cd15cf023bed01487e6f1565b2181e013dc847bbc85
size 11035660

View File

@ -1,3 +1,60 @@
-------------------------------------------------------------------
Tue Feb 4 07:59:24 UTC 2020 - Paolo Stivanin <info@paolostivanin.com>
- Update to 2.3.0 (include release notes for 2.2.0)
* BITLK (Windows BitLocker compatible) device access
* Veritysetup now supports activation with additional PKCS7 signature
of root hash through --root-hash-signature option.
* Integritysetup now calculates hash integrity size according to algorithm
instead of requiring an explicit tag size.
* Integritysetup now supports fixed padding for dm-integrity devices.
* A lot of fixes to online LUKS2 reecryption.
* Add crypt_resume_by_volume_key() function to libcryptsetup.
If a user has a volume key available, the LUKS device can be resumed
directly using the provided volume key.
No keyslot derivation is needed, only the key digest is checked.
* Implement active device suspend info.
Add CRYPT_ACTIVATE_SUSPENDED bit to crypt_get_active_device() flags
that informs the caller that device is suspended (luksSuspend).
* Allow --test-passphrase for a detached header.
Before this fix, we required a data device specified on the command
line even though it was not necessary for the passphrase check.
* Allow --key-file option in legacy offline encryption.
The option was ignored for LUKS1 encryption initialization.
* Export memory safe functions.
To make developing of some extensions simpler, we now export
functions to handle memory with proper wipe on deallocation.
* Fail crypt_keyslot_get_pbkdf for inactive LUKS1 keyslot.
* Add optional global serialization lock for memory hard PBKDF.
* Abort conversion to LUKS1 with incompatible sector size that is
not supported in LUKS1.
* Report error (-ENOENT) if no LUKS keyslots are available. User can now
distinguish between a wrong passphrase and no keyslot available.
* Fix a possible segfault in detached header handling (double free).
* Add integritysetup support for bitmap mode introduced in Linux kernel 5.2.
* The libcryptsetup now keeps all file descriptors to underlying device
open during the whole lifetime of crypt device context to avoid excessive
scanning in udev (udev run scan on every descriptor close).
* The luksDump command now prints more info for reencryption keyslot
(when a device is in-reencryption).
* New --device-size parameter is supported for LUKS2 reencryption.
* New --resume-only parameter is supported for LUKS2 reencryption.
* The repair command now tries LUKS2 reencryption recovery if needed.
* If reencryption device is a file image, an interactive dialog now
asks if reencryption should be run safely in offline mode
(if autodetection of active devices failed).
* Fix activation through a token where dm-crypt volume key was not
set through keyring (but using old device-mapper table parameter mode).
* Online reencryption can now retain all keyslots (if all passphrases
are provided). Note that keyslot numbers will change in this case.
* Allow volume key file to be used if no LUKS2 keyslots are present.
* Print a warning if online reencrypt is called over LUKS1 (not supported).
* Fix TCRYPT KDF failure in FIPS mode.
* Remove FIPS mode restriction for crypt_volume_key_get.
* Reduce keyslots area size in luksFormat when the header device is too small.
* Make resize action accept --device-size parameter (supports units suffix).
-------------------------------------------------------------------
Thu Oct 17 11:55:51 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
- Create a weak dependency cycle between libcryptsetup and

View File

@ -1,7 +1,7 @@
#
# spec file for package cryptsetup
#
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -22,15 +22,15 @@ Name: cryptsetup2
%else
Name: cryptsetup
%endif
Version: 2.1.0
Version: 2.3.0
Release: 0
Summary: Setup program for dm-crypt Based Encrypted Block Devices
License: SUSE-GPL-2.0-with-openssl-exception AND LGPL-2.0-or-later
Group: System/Base
Url: https://gitlab.com/cryptsetup/cryptsetup/
Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.1/cryptsetup-%{version}.tar.xz
URL: https://gitlab.com/cryptsetup/cryptsetup/
Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-%{version}.tar.xz
# GPG signature of the uncompressed tarball.
Source1: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.1/cryptsetup-%{version}.tar.sign
Source1: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-%{version}.tar.sign
Source2: baselibs.conf
Source3: cryptsetup.keyring
BuildRequires: device-mapper-devel