SHA256
1
0
forked from pool/cryptsetup
Commit Graph

267 Commits

Author SHA256 Message Date
Ana Guerrero
a3b9b4d0c2 Accepting request 1166583 from security
OBS-URL: https://build.opensuse.org/request/show/1166583
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=127
2024-04-10 15:48:58 +00:00
ab2a7c9655 Accepting request 1166516 from home:AndreasStieger:branches:security
cryptsetup 2.7.2

OBS-URL: https://build.opensuse.org/request/show/1166516
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=196
2024-04-10 07:32:59 +00:00
Ana Guerrero
17b57cbf7d Accepting request 1158211 from security
OBS-URL: https://build.opensuse.org/request/show/1158211
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=126
2024-03-17 21:10:48 +00:00
a3ab8c2f62 Accepting request 1157608 from home:pmonrealgonzalez:branches:security
- Update to 2.7.1:
 * Fix interrupted LUKS1 decryption resume.
   With the replacement of the cryptsetup-reencrypt tool by the cryptsetup
   reencrypt command, resuming the interrupted LUKS1 decryption operation
   could fail. LUKS2 was not affected.
 * Allow --link-vk-to-keyring with --test-passphrase option.
   This option allows uploading the volume key in a user-specified kernel
   keyring without activating the device.
 * Fix crash when --active-name was used in decryption initialization.
 * Updates and changes to man pages, including indentation, sorting options
   alphabetically, fixing mistakes in crypt_set_keyring_to_link, and fixing
   some typos.
 * Fix compilation with libargon2 when --disable-internal-argon2 was used.
 * Do not require installed argon2.h header and never compile internal
   libargon2 code if the crypto library directly supports Argon2.
 * Fixes to regression tests to support older Linux distributions.

OBS-URL: https://build.opensuse.org/request/show/1157608
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=194
2024-03-15 11:46:26 +00:00
Ana Guerrero
97f8c697a5 Accepting request 1142597 from security
OBS-URL: https://build.opensuse.org/request/show/1142597
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=125
2024-01-30 17:24:12 +00:00
9a7370c09b Accepting request 1142596 from home:pmonrealgonzalez:branches:security
- Update to 2.7.0:
  * Full changelog in:
    mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.7/v2.7.0-ReleaseNotes
  * Introduce support for hardware OPAL disk encryption.
  * plain mode: Set default cipher to aes-xts-plain64 and password hashing
    to sha256.
  * Allow activation (open), luksResume, and luksAddKey to use the volume
    key stored in a keyring.
  * Allow to store volume key to a user-specified keyring in open and
    luksResume commands.
  * Do not flush IO operations if resize grows the device.
    This can help performance in specific cases where the encrypted device
    is extended automatically while running many IO operations.
  * Use only half of detected free memory for Argon2 PBKDF on systems
    without swap (for LUKS2 new keyslot or format operations).
  * Add the possibility to specify a directory for external LUKS2 token
    handlers (plugins).
  * Do not allow reencryption/decryption on LUKS2 devices with
    authenticated encryption or hardware (OPAL) encryption.
  * Do not fail LUKS format if the operation was interrupted on subsequent
    device wipe.
  * Fix the LUKS2 keyslot option to be used while activating the device
    by a token.
  * Properly report if the dm-verity device cannot be activated due to
    the inability to verify the signed root hash (ENOKEY).
  * Fix to check passphrase for selected keyslot only when adding
    new keyslot.
  * Fix to not wipe the keyslot area before in-place overwrite.
  * bitlk: Fix segfaults when attempting to verify the volume key.
  * Add --disable-blkid command line option to avoid blkid device check.

OBS-URL: https://build.opensuse.org/request/show/1142596
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=192
2024-01-29 17:02:57 +00:00
Dominique Leuenberger
540dc9dc26 Accepting request 1098512 from security
OBS-URL: https://build.opensuse.org/request/show/1098512
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=124
2023-07-15 21:14:26 +00:00
82af2dfa2d Accepting request 1098511 from home:pmonrealgonzalez:branches:security
- luksFormat: Handle system with low memory and no swap space [bsc#1211079]
  * Check for physical memory available also in PBKDF benchmark.
  * Try to avoid OOM killer on low-memory systems without swap.
  * Use only half of detected free memory on systems without swap.
  * Add patches:
    - cryptsetup-Check-for-physical-memory-available-also-in-PBKDF-be.patch
    - cryptsetup-Try-to-avoid-OOM-killer-on-low-memory-systems-withou.patch
    - cryptsetup-Use-only-half-of-detected-free-memory-on-systems-wit.patch

OBS-URL: https://build.opensuse.org/request/show/1098511
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=190
2023-07-13 11:20:07 +00:00
Dominique Leuenberger
0a7c78c1ff Accepting request 1093291 from security
OBS-URL: https://build.opensuse.org/request/show/1093291
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=123
2023-06-17 20:20:05 +00:00
b44b295cd3 Accepting request 1093121 from home:pmonrealgonzalez:branches:security
- Enable running the regression test suite.
- Force a regeneration of the man pages from AsciiDoc.
- Add LUKS1 and LUKS2 On-Disk Format Specification pdfs to doc.

- FIPS: Remove not needed libcryptsetup12-hmac package that contains
  the HMAC checksums for integrity checking for FIPS. [bsc#1185116]
  * Remove the cryptsetup-rpmlintrc file.
  * Remove not needed fipscheck dependency.

OBS-URL: https://build.opensuse.org/request/show/1093121
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=188
2023-06-15 12:05:44 +00:00
Dominique Leuenberger
60962f2300 Accepting request 1064730 from security
cryptsetup 2.6.1

OBS-URL: https://build.opensuse.org/request/show/1064730
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=122
2023-02-14 15:42:30 +00:00
43e9b52bc7 Accepting request 1064729 from home:AndreasStieger:branches:security
cryptsetup 2.6.1

OBS-URL: https://build.opensuse.org/request/show/1064729
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=186
2023-02-12 21:21:51 +00:00
Dominique Leuenberger
2e667013fc Accepting request 1055943 from security
- Replace transitional %usrmerged macro with regular version check (boo#1206798)

OBS-URL: https://build.opensuse.org/request/show/1055943
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=121
2023-01-05 14:00:19 +00:00
cf385930c9 Accepting request 1052843 from home:lnussel:usrmerge
Replace transitional %usrmerged macro with regular version check (boo#1206798)

OBS-URL: https://build.opensuse.org/request/show/1052843
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=184
2023-01-04 16:08:29 +00:00
Dominique Leuenberger
e9929646b3 Accepting request 1038821 from security
OBS-URL: https://build.opensuse.org/request/show/1038821
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=120
2022-11-30 13:58:56 +00:00
8cea81ce7b Accepting request 1038690 from home:polslinux:branches:security
- cryptsetup 2.6.0:
  * Introduce support for handling macOS FileVault2 devices (FVAULT2).
  * libcryptsetup: no longer use global memory locking through mlockall()
  * libcryptsetup: process priority is increased only for key derivation
    (PBKDF) calls.
  * Add new LUKS keyslot context handling functions and API.
  * The volume key may now be extracted using a passphrase, keyfile, or
    token. For LUKS devices, it also returns the volume key after
    a successful crypt_format call.
  * Fix --disable-luks2-reencryption configuration option.
  * cryptsetup: Print a better error message and warning if the format
    produces an image without space available for data.
  * Print error if anti-forensic LUKS2 hash setting is not available.
    If the specified hash was not available, activation quietly failed.
  * Fix internal crypt segment compare routine if the user
    specified cipher in kernel format (capi: prefix).
  * cryptsetup: Add token unassign action.
    This action allows removing token binding on specific keyslot.
  * veritysetup: add support for --use-tasklets option.
    This option sets try_verify_in_tasklet kernel dm-verity option
    (available since Linux kernel 6.0) to allow some performance
    improvement on specific systems.
  * Provide pkgconfig Require.private settings.
    While we do not completely provide static build on udev systems,
    it helps produce statically linked binaries in certain situations.
  * Always update automake library files if autogen.sh is run.
    For several releases, we distributed older automake scripts by mistake.
  * reencryption: Fix user defined moved segment size in LUKS2 decryption.
    The --hotzone-size argument was ignored in cases where the actual data
    size was less than the original LUKS2 data offset.
  * Delegate FIPS mode detection to configured crypto backend.
    System FIPS mode check no longer depends on /etc/system-fips file.
  * Update documentation, including FAQ and man pages.

OBS-URL: https://build.opensuse.org/request/show/1038690
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=182
2022-11-29 07:29:17 +00:00
Dominique Leuenberger
db4246dcb6 Accepting request 1003455 from security
OBS-URL: https://build.opensuse.org/request/show/1003455
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=119
2022-09-15 20:57:41 +00:00
59aec6d066 Accepting request 1003354 from home:bluca:branches:security
- Add virtual provides for 'integritysetup' and 'veritysetup' to match
  package names provided by Fedora/RHEL, to allow the same set of
  dependencies to be used across all RPM distributions.

OBS-URL: https://build.opensuse.org/request/show/1003354
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=180
2022-09-14 07:18:13 +00:00
Dominique Leuenberger
c067b49eca Accepting request 999047 from security
- cryptsetup 2.5.0:
  * Split manual pages into per-action pages and use AsciiDoc format. 
  * Remove cryptsetup-reencrypt tool from the project and move reencryption
    to already existing "cryptsetup reencrypt" command.
    If you need to emulate the old cryptsetup-reencrypt binary, use simple
    wrappers script running "exec cryptsetup reencrypt $@".
  * LUKS2: implement --decryption option that allows LUKS removal.
  * Fix decryption operation with --active-name option and restrict
    it to be used only with LUKS2.
  * Do not refresh reencryption digest when not needed.
    This should speed up the reencryption resume process.
  * Store proper resilience data in LUKS2 reencrypt initialization.
    Resuming reencryption now does not require specification of resilience
    type parameters if these are the same as during initialization.
  * Properly wipe the unused area after reencryption with datashift in
    the forward direction.
  * Check datashift value against larger sector size.
    For example, it could cause an issue if misaligned 4K sector appears
    during decryption.
  * Do not allow sector size increase reencryption in offline mode.
  * Do not allow dangerous sector size change during reencryption.
  * Ask the user for confirmation before resuming reencryption.
  * Do not resume reencryption with conflicting parameters.
  * Add --force-offline-reencrypt option.
  * Do not allow nested encryption in LUKS reencrypt.
  * Support all options allowed with luksFormat with encrypt action.
  * Add resize action to integritysetup.
  * Remove obsolete dracut plugin reencryption example.
  * Fix possible keyslot area size overflow during conversion to LUKS2.
  * Allow use of --header option for cryptsetup close. (forwarded request 999046 from lnussel)

OBS-URL: https://build.opensuse.org/request/show/999047
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=118
2022-08-25 13:33:10 +00:00
0ffce94442 Accepting request 999046 from home:lnussel:branches:security
- cryptsetup 2.5.0:
  * Split manual pages into per-action pages and use AsciiDoc format. 
  * Remove cryptsetup-reencrypt tool from the project and move reencryption
    to already existing "cryptsetup reencrypt" command.
    If you need to emulate the old cryptsetup-reencrypt binary, use simple
    wrappers script running "exec cryptsetup reencrypt $@".
  * LUKS2: implement --decryption option that allows LUKS removal.
  * Fix decryption operation with --active-name option and restrict
    it to be used only with LUKS2.
  * Do not refresh reencryption digest when not needed.
    This should speed up the reencryption resume process.
  * Store proper resilience data in LUKS2 reencrypt initialization.
    Resuming reencryption now does not require specification of resilience
    type parameters if these are the same as during initialization.
  * Properly wipe the unused area after reencryption with datashift in
    the forward direction.
  * Check datashift value against larger sector size.
    For example, it could cause an issue if misaligned 4K sector appears
    during decryption.
  * Do not allow sector size increase reencryption in offline mode.
  * Do not allow dangerous sector size change during reencryption.
  * Ask the user for confirmation before resuming reencryption.
  * Do not resume reencryption with conflicting parameters.
  * Add --force-offline-reencrypt option.
  * Do not allow nested encryption in LUKS reencrypt.
  * Support all options allowed with luksFormat with encrypt action.
  * Add resize action to integritysetup.
  * Remove obsolete dracut plugin reencryption example.
  * Fix possible keyslot area size overflow during conversion to LUKS2.
  * Allow use of --header option for cryptsetup close.

OBS-URL: https://build.opensuse.org/request/show/999046
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=178
2022-08-24 11:32:11 +00:00
Dominique Leuenberger
de1f20aa9d Accepting request 946915 from security
OBS-URL: https://build.opensuse.org/request/show/946915
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=117
2022-01-19 23:11:59 +00:00
ee04894715 Accepting request 946498 from home:AndreasStieger:branches:security
cryptsetup 2.4.3
    CVE-2021-4122, boo#1194469

OBS-URL: https://build.opensuse.org/request/show/946498
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=177
2022-01-17 09:00:02 +00:00
Dominique Leuenberger
3ec70ab5a7 Accepting request 919547 from security
- cryptsetup 2.4.1
  * Fix compilation for libc implementations without dlvsym().
  * Fix compilation and tests on systems with non-standard libraries
  * Try to workaround some issues on systems without udev support.
  * Fixes for OpenSSL3 crypto backend (including FIPS mode).
  * Print error message when assigning a token to an inactive keyslot.
  * Fix offset bug in LUKS2 encryption code if --offset option was used.
  * Do not allow LUKS2 decryption for devices with data offset.
  * Fix LUKS1 cryptsetup repair command for some specific problems.

- cryptsetup 2.4.0 (jsc#SLE-20275)

OBS-URL: https://build.opensuse.org/request/show/919547
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=116
2021-09-21 19:12:23 +00:00
1e4cc6eca2 - cryptsetup 2.4.1
* Fix compilation for libc implementations without dlvsym().
  * Fix compilation and tests on systems with non-standard libraries
  * Try to workaround some issues on systems without udev support.
  * Fixes for OpenSSL3 crypto backend (including FIPS mode).
  * Print error message when assigning a token to an inactive keyslot.
  * Fix offset bug in LUKS2 encryption code if --offset option was used.
  * Do not allow LUKS2 decryption for devices with data offset.
  * Fix LUKS1 cryptsetup repair command for some specific problems.
- cryptsetup 2.4.0 (jsc#SLE-20275)

OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=176
2021-09-16 15:25:13 +00:00
Dominique Leuenberger
a9f0d82fe4 Accepting request 915495 from security
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/915495
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=115
2021-09-02 21:20:08 +00:00
cddcbab746 - As YaST passes necessary parameters to cryptsetup anyway, we do
not necessarily need to take grub into consideration. So back to
  Argon2 to see how it goes.

OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=175
2021-08-25 13:47:31 +00:00
002330efa3 update
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=174
2021-08-23 05:09:18 +00:00
9b4f111a1b add feature reference
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=173
2021-08-12 13:00:47 +00:00
c25748051d - need to use PBKDF2 by default for LUKS2 as grub can't decrypt when
using Argon.

OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=172
2021-08-03 13:44:07 +00:00
db71e925b5 merge
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=171
2021-08-02 15:43:50 +00:00
8d2c1398f0 - crypsetup 2.4.0~rc1
* External LUKS token plugins
  * Experimental SSH token
  * Default LUKS2 PBKDF is now Argon2id
  * Increase minimal memory cost for Argon2 benchmark to 64MiB.
  * Autodetect optimal encryption sector size on LUKS2 format.
  * Use VeraCrypt option by default and add --disable-veracrypt option.
  * Support --hash and --cipher to limit opening time for TCRYPT type
  * Fixed default OpenSSL crypt backend support for OpenSSL3.
  * integritysetup: add integrity-recalculate-reset flag.
  * cryptsetup: retains keyslot number in luksChangeKey for LUKS2.
  * Fix cryptsetup resize using LUKS2 tokens.
  * Add close --deferred and --cancel-deferred options.
  * Rewritten command-line option parsing to avoid libpopt arguments
    memory leaks.
  * Add --test-args option.
- switch to LUKS2 default format

OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=170
2021-08-02 15:10:27 +00:00
Dominique Leuenberger
2ca5e2b515 Accepting request 903414 from security
- cryptsetup 2.3.6:
  * integritysetup: Fix possible dm-integrity mapping table truncation.
  * cryptsetup: Backup header can be used to activate TCRYPT device.
    Use --header option to specify the header.
  * cryptsetup: Avoid LUKS2 decryption without detached header.
    This feature will be added later and is currently not supported.
  * Additional fixes and workarounds for common warnings produced
    by some static analysis tools (like gcc-11 analyzer) and additional
    code hardening.
  * Fix standalone libintl detection for compiled tests.
  * Add Blake2b and Blake2s hash support for crypto backends.
    Kernel and gcrypt crypto backend support all variants.
    OpenSSL supports only Blake2b-512 and Blake2s-256.
    Crypto backend supports kernel notation e.g. "blake2b-512".

OBS-URL: https://build.opensuse.org/request/show/903414
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=114
2021-07-04 20:10:04 +00:00
45054f2786 - cryptsetup 2.3.6:
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=169
2021-07-01 12:55:11 +00:00
Richard Brown
5920c59684 Accepting request 879091 from security
OBS-URL: https://build.opensuse.org/request/show/879091
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=113
2021-03-16 14:42:41 +00:00
8725925458 Accepting request 878732 from home:AndreasStieger:branches:security
cryptsetup 2.3.5

OBS-URL: https://build.opensuse.org/request/show/878732
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=167
2021-03-15 07:59:10 +00:00
Dominique Leuenberger
f540257485 Accepting request 853733 from security
- SLE marker: implements jsc#SLE-5911, bsc#116558, jsc#SLE-145149

OBS-URL: https://build.opensuse.org/request/show/853733
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=112
2020-12-08 12:23:17 +00:00
d173fab52a typo
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=165
2020-12-08 12:03:55 +00:00
9197d62a77 - SLE marker: implements jsc#SLE-5911, bsc#116558, jsc#SLE-145149
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=164
2020-12-08 08:53:32 +00:00
Dominique Leuenberger
8fc7ca0b5c Accepting request 849585 from security
- prepare usrmerge (boo#1029961) (forwarded request 849583 from lnussel)

OBS-URL: https://build.opensuse.org/request/show/849585
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=111
2020-11-23 15:38:36 +00:00
c6c715c2f5 Accepting request 849583 from home:lnussel:usrmove
- prepare usrmerge (boo#1029961)

OBS-URL: https://build.opensuse.org/request/show/849583
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=162
2020-11-20 09:26:02 +00:00
Dominique Leuenberger
f349d69df6 Accepting request 832027 from security
OBS-URL: https://build.opensuse.org/request/show/832027
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=110
2020-09-08 20:44:25 +00:00
d9929bafef Accepting request 832026 from home:lnussel:branches:security
- Update to 2.3.4:
  * Fix a possible out-of-bounds memory write while validating LUKS2 data
    segments metadata (CVE-2020-14382, boo#1176128).
  * Ignore reported optimal IO size if not aligned to minimal page size.
  * Added support for new no_read/write_wrokqueue dm-crypt options (kernel 5.9).
  * Added support panic_on_corruption option for dm-verity devices (kernel 5.9).
  * Support --master-key-file option for online LUKS2 reencryption
  * Always return EEXIST error code if a device already exists.
  * Fix a problem in integritysetup if a hash algorithm has dash in the name.
  * Fix crypto backend to properly handle ECB mode.
  * TrueCrypt/VeraCrypt compatible mode now supports the activation of devices
    with a larger sector.
  * LUKS2: Do not create excessively large headers.
  * Fix unspecified sector size for BitLocker compatible mode.
  * Fix reading key data size in metadata for BitLocker compatible mode.

OBS-URL: https://build.opensuse.org/request/show/832026
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=160
2020-09-04 08:13:03 +00:00
Dominique Leuenberger
e7c9a9bb28 Accepting request 810247 from security
OBS-URL: https://build.opensuse.org/request/show/810247
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=109
2020-06-03 18:29:42 +00:00
91d92afad9 Accepting request 810023 from home:AndreasStieger:branches:security
cryptsetup 2.3.3

OBS-URL: https://build.opensuse.org/request/show/810023
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=158
2020-05-29 15:01:56 +00:00
Dominique Leuenberger
26eae3b3c3 Accepting request 790921 from security
- Split translations to -lang package
- New version to 2.3.1
  * Support VeraCrypt 128 bytes passwords.
    VeraCrypt now allows passwords of maximal length 128 bytes
    (compared to legacy TrueCrypt where it was limited by 64 bytes).
  * Strip extra newline from BitLocker recovery keys
    There might be a trailing newline added by the text editor when
    the recovery passphrase was passed using the --key-file option.
  * Detect separate libiconv library.
    It should fix compilation issues on distributions with iconv
    implemented in a separate library.
  * Various fixes and workarounds to build on old Linux distributions.
  * Split lines with hexadecimal digest printing for large key-sizes.
  * Do not wipe the device with no integrity profile.
    With --integrity none we performed useless full device wipe.
  * Workaround for dm-integrity kernel table bug.
    Some kernels show an invalid dm-integrity mapping table
    if superblock contains the "recalculate" bit. This causes
    integritysetup to not recognize the dm-integrity device.
    Integritysetup now specifies kernel options such a way that
    even on unpatched kernels mapping table is correct.
  * Print error message if LUKS1 keyslot cannot be processed.
    If the crypto backend is missing support for hash algorithms
    used in PBKDF2, the error message was not visible.
  * Properly align LUKS2 keyslots area on conversion.
    If the LUKS1 payload offset (data offset) is not aligned
    to 4 KiB boundary, new LUKS2 keyslots area in now aligned properly.
  * Validate LUKS2 earlier on conversion to not corrupt the device
    if binary keyslots areas metadata are not correct.

OBS-URL: https://build.opensuse.org/request/show/790921
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=108
2020-04-05 18:49:04 +00:00
7b6ff2d0f5 - Split translations to -lang package
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=156
2020-04-02 14:37:41 +00:00
8873d8f729 - New version to 2.3.1
* Support VeraCrypt 128 bytes passwords.
    VeraCrypt now allows passwords of maximal length 128 bytes
    (compared to legacy TrueCrypt where it was limited by 64 bytes).
  * Strip extra newline from BitLocker recovery keys
    There might be a trailing newline added by the text editor when
    the recovery passphrase was passed using the --key-file option.
  * Detect separate libiconv library.
    It should fix compilation issues on distributions with iconv
    implemented in a separate library.
  * Various fixes and workarounds to build on old Linux distributions.
  * Split lines with hexadecimal digest printing for large key-sizes.
  * Do not wipe the device with no integrity profile.
    With --integrity none we performed useless full device wipe.
  * Workaround for dm-integrity kernel table bug.
    Some kernels show an invalid dm-integrity mapping table
    if superblock contains the "recalculate" bit. This causes
    integritysetup to not recognize the dm-integrity device.
    Integritysetup now specifies kernel options such a way that
    even on unpatched kernels mapping table is correct.
  * Print error message if LUKS1 keyslot cannot be processed.
    If the crypto backend is missing support for hash algorithms
    used in PBKDF2, the error message was not visible.
  * Properly align LUKS2 keyslots area on conversion.
    If the LUKS1 payload offset (data offset) is not aligned
    to 4 KiB boundary, new LUKS2 keyslots area in now aligned properly.
  * Validate LUKS2 earlier on conversion to not corrupt the device
    if binary keyslots areas metadata are not correct.

OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=155
2020-04-02 14:27:54 +00:00
Dominique Leuenberger
7252bcb7bd Accepting request 770054 from security
OBS-URL: https://build.opensuse.org/request/show/770054
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=107
2020-02-09 20:02:18 +00:00
c833c93fcf Accepting request 769866 from home:polslinux:branches:security
- Update to 2.3.0 (include release notes for 2.2.0)
  * BITLK (Windows BitLocker compatible) device access
  * Veritysetup now supports activation with additional PKCS7 signature
    of root hash through --root-hash-signature option.
  * Integritysetup now calculates hash integrity size according to algorithm
    instead of requiring an explicit tag size.
  * Integritysetup now supports fixed padding for dm-integrity devices.
  * A lot of fixes to online LUKS2 reecryption.
  * Add crypt_resume_by_volume_key() function to libcryptsetup.
    If a user has a volume key available, the LUKS device can be resumed
    directly using the provided volume key.
    No keyslot derivation is needed, only the key digest is checked.
  * Implement active device suspend info.
    Add CRYPT_ACTIVATE_SUSPENDED bit to crypt_get_active_device() flags
    that informs the caller that device is suspended (luksSuspend).
  * Allow --test-passphrase for a detached header.
    Before this fix, we required a data device specified on the command
    line even though it was not necessary for the passphrase check.
  * Allow --key-file option in legacy offline encryption.
    The option was ignored for LUKS1 encryption initialization.
  * Export memory safe functions.
    To make developing of some extensions simpler, we now export
    functions to handle memory with proper wipe on deallocation.
  * Fail crypt_keyslot_get_pbkdf for inactive LUKS1 keyslot.
  * Add optional global serialization lock for memory hard PBKDF.
  * Abort conversion to LUKS1 with incompatible sector size that is
    not supported in LUKS1.
  * Report error (-ENOENT) if no LUKS keyslots are available. User can now
    distinguish between a wrong passphrase and no keyslot available.
  * Fix a possible segfault in detached header handling (double free).
  * Add integritysetup support for bitmap mode introduced in Linux kernel 5.2.
  * The libcryptsetup now keeps all file descriptors to underlying device
    open during the whole lifetime of crypt device context to avoid excessive
    scanning in udev (udev run scan on every descriptor close).
  * The luksDump command now prints more info for reencryption keyslot
    (when a device is in-reencryption).
  * New --device-size parameter is supported for LUKS2 reencryption.
  * New --resume-only parameter is supported for LUKS2 reencryption.
  * The repair command now tries LUKS2 reencryption recovery if needed.
  * If reencryption device is a file image, an interactive dialog now
    asks if reencryption should be run safely in offline mode
    (if autodetection of active devices failed).
  * Fix activation through a token where dm-crypt volume key was not
    set through keyring (but using old device-mapper table parameter mode).
  * Online reencryption can now retain all keyslots (if all passphrases
    are provided). Note that keyslot numbers will change in this case.
  * Allow volume key file to be used if no LUKS2 keyslots are present.
  * Print a warning if online reencrypt is called over LUKS1 (not supported).
  * Fix TCRYPT KDF failure in FIPS mode.
  * Remove FIPS mode restriction for crypt_volume_key_get.
  * Reduce keyslots area size in luksFormat when the header device is too small.
  * Make resize action accept --device-size parameter (supports units suffix).

OBS-URL: https://build.opensuse.org/request/show/769866
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=153
2020-02-04 16:53:39 +00:00
Dominique Leuenberger
f33f765a5e Accepting request 755886 from security
OBS-URL: https://build.opensuse.org/request/show/755886
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=106
2019-12-17 12:29:09 +00:00