SHA256
1
0
forked from pool/cryptsetup
cryptsetup/cryptsetup.spec
Ludwig Nussel c833c93fcf Accepting request 769866 from home:polslinux:branches:security
- Update to 2.3.0 (include release notes for 2.2.0)
  * BITLK (Windows BitLocker compatible) device access
  * Veritysetup now supports activation with additional PKCS7 signature
    of root hash through --root-hash-signature option.
  * Integritysetup now calculates hash integrity size according to algorithm
    instead of requiring an explicit tag size.
  * Integritysetup now supports fixed padding for dm-integrity devices.
  * A lot of fixes to online LUKS2 reecryption.
  * Add crypt_resume_by_volume_key() function to libcryptsetup.
    If a user has a volume key available, the LUKS device can be resumed
    directly using the provided volume key.
    No keyslot derivation is needed, only the key digest is checked.
  * Implement active device suspend info.
    Add CRYPT_ACTIVATE_SUSPENDED bit to crypt_get_active_device() flags
    that informs the caller that device is suspended (luksSuspend).
  * Allow --test-passphrase for a detached header.
    Before this fix, we required a data device specified on the command
    line even though it was not necessary for the passphrase check.
  * Allow --key-file option in legacy offline encryption.
    The option was ignored for LUKS1 encryption initialization.
  * Export memory safe functions.
    To make developing of some extensions simpler, we now export
    functions to handle memory with proper wipe on deallocation.
  * Fail crypt_keyslot_get_pbkdf for inactive LUKS1 keyslot.
  * Add optional global serialization lock for memory hard PBKDF.
  * Abort conversion to LUKS1 with incompatible sector size that is
    not supported in LUKS1.
  * Report error (-ENOENT) if no LUKS keyslots are available. User can now
    distinguish between a wrong passphrase and no keyslot available.
  * Fix a possible segfault in detached header handling (double free).
  * Add integritysetup support for bitmap mode introduced in Linux kernel 5.2.
  * The libcryptsetup now keeps all file descriptors to underlying device
    open during the whole lifetime of crypt device context to avoid excessive
    scanning in udev (udev run scan on every descriptor close).
  * The luksDump command now prints more info for reencryption keyslot
    (when a device is in-reencryption).
  * New --device-size parameter is supported for LUKS2 reencryption.
  * New --resume-only parameter is supported for LUKS2 reencryption.
  * The repair command now tries LUKS2 reencryption recovery if needed.
  * If reencryption device is a file image, an interactive dialog now
    asks if reencryption should be run safely in offline mode
    (if autodetection of active devices failed).
  * Fix activation through a token where dm-crypt volume key was not
    set through keyring (but using old device-mapper table parameter mode).
  * Online reencryption can now retain all keyslots (if all passphrases
    are provided). Note that keyslot numbers will change in this case.
  * Allow volume key file to be used if no LUKS2 keyslots are present.
  * Print a warning if online reencrypt is called over LUKS1 (not supported).
  * Fix TCRYPT KDF failure in FIPS mode.
  * Remove FIPS mode restriction for crypt_volume_key_get.
  * Reduce keyslots area size in luksFormat when the header device is too small.
  * Make resize action accept --device-size parameter (supports units suffix).

OBS-URL: https://build.opensuse.org/request/show/769866
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=153
2020-02-04 16:53:39 +00:00

198 lines
6.5 KiB
RPMSpec

#
# spec file for package cryptsetup
#
# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define so_ver 12
%if 0%{?is_backports}
Name: cryptsetup2
%else
Name: cryptsetup
%endif
Version: 2.3.0
Release: 0
Summary: Setup program for dm-crypt Based Encrypted Block Devices
License: SUSE-GPL-2.0-with-openssl-exception AND LGPL-2.0-or-later
Group: System/Base
URL: https://gitlab.com/cryptsetup/cryptsetup/
Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-%{version}.tar.xz
# GPG signature of the uncompressed tarball.
Source1: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-%{version}.tar.sign
Source2: baselibs.conf
Source3: cryptsetup.keyring
BuildRequires: device-mapper-devel
BuildRequires: fipscheck
BuildRequires: fipscheck-devel
BuildRequires: libjson-c-devel
BuildRequires: libpwquality-devel
BuildRequires: libselinux-devel
BuildRequires: libuuid-devel
BuildRequires: pkgconfig(openssl)
# 2.6.38 has the required if_alg.h
BuildRequires: linux-glibc-devel >= 2.6.38
BuildRequires: pkgconfig
BuildRequires: popt-devel
BuildRequires: suse-module-tools
BuildRequires: pkgconfig(blkid)
BuildRequires: pkgconfig(libargon2)
%if 0%{?is_backports}
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libtool
%endif
Requires(post): coreutils
Requires(postun): coreutils
%description
cryptsetup is used to conveniently set up dm-crypt based device-mapper
targets. It allows to set up targets to read cryptoloop compatible
volumes as well as LUKS formatted ones. The package additionally
includes support for automatically setting up encrypted volumes at boot
time via the config file %{_sysconfdir}/crypttab.
%package -n libcryptsetup%{so_ver}
Summary: Library for setting up dm-crypt Based Encrypted Block Devices
Group: System/Libraries
Suggests: libcryptsetup%{so_ver}-hmac = %{version}-%{release}
%description -n libcryptsetup%{so_ver}
cryptsetup is used to conveniently set up dm-crypt based device-mapper
targets. It allows to set up targets to read cryptoloop compatible
volumes as well as LUKS formatted ones. The package additionally
includes support for automatically setting up encrypted volumes at boot
time via the config file %{_sysconfdir}/crypttab.
%package -n libcryptsetup%{so_ver}-hmac
Summary: Checksums for libcryptsetup%{so_ver}
Group: System/Base
Requires: libcryptsetup%{so_ver} = %{version}-%{release}
%description -n libcryptsetup%{so_ver}-hmac
This package contains HMAC checksums for integrity checking of libcryptsetup4,
used for FIPS.
%package -n lib%{name}-devel
Summary: Header files for libcryptsetup
Group: Development/Libraries/C and C++
Requires: glibc-devel
Requires: libcryptsetup%{so_ver} = %{version}
# cryptsetup-devel last used 11.1
Provides: cryptsetup-devel = %{version}
Obsoletes: cryptsetup-devel < %{version}
%if 0%{?is_backports}
# have to conflict with main package that is in SLE
Conflicts: cryptsetup-devel < %{version}
%endif
%description -n lib%{name}-devel
cryptsetup is used to conveniently set up dm-crypt based device-mapper
targets. It allows to set up targets to read cryptoloop compatible
volumes as well as LUKS formatted ones. The package additionally
includes support for automatically setting up encrypted volumes at boot
time via the config file %{_sysconfdir}/crypttab.
%prep
%setup -n cryptsetup-%{version} -q
%if 0%{?is_backports}
sed -i -e '/AC_INIT/s/cryptsetup/cryptsetup2/' configure.ac
autoreconf -f -i
%endif
%build
%configure \
--enable-cryptsetup-reencrypt \
--enable-selinux \
--enable-fips \
--enable-pwquality \
--enable-gcrypt-pbkdf2 \
--enable-libargon2 \
--with-default-luks-format=LUKS1 \
--with-luks2-lock-path=/run/cryptsetup \
--with-tmpfilesdir='%{_tmpfilesdir}'
make %{?_smp_mflags} V=1
%install
# Generate HMAC checksums (FIPS)
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%__os_install_post \
fipshmac %{buildroot}/%{_libdir}/libcryptsetup.so.* \
%{nil}
%make_install
%if 0%{?is_backports}
# need to rename a files to avoid file conflict
for i in cryptsetup integritysetup veritysetup cryptsetup-reencrypt; do
mv %{buildroot}%{_sbindir}/$i %{buildroot}%{_sbindir}/${i}2
mv %{buildroot}%{_mandir}/man8/$i.8 %{buildroot}%{_mandir}/man8/${i}2.8
done
rm -f %{buildroot}%{_tmpfilesdir}/cryptsetup.conf
%endif
install -dm 0755 %{buildroot}/sbin
ln -s ..%{_sbindir}/cryptsetup%{?is_backports:2} %{buildroot}/sbin
# don't want this file in /lib (FHS compat check), and can't move it to /usr/lib
find %{buildroot} -type f -name "*.la" -delete -print
#
%find_lang %{name} --all-name
%if !0%{?is_backports}
#
%post
%{?regenerate_initrd_post}
%tmpfiles_create %{_tmpfilesdir}/cryptsetup.conf
%postun
%{?regenerate_initrd_post}
%posttrans
%{?regenerate_initrd_posttrans}
#
%endif
%post -n libcryptsetup%{so_ver} -p /sbin/ldconfig
%postun -n libcryptsetup%{so_ver} -p /sbin/ldconfig
%files -f %{name}.lang
%doc AUTHORS COPYING* FAQ README TODO docs/ChangeLog.old docs/*ReleaseNotes
/sbin/cryptsetup%{?is_backports:2}
%{_sbindir}/cryptsetup%{?is_backports:2}
%{_sbindir}/veritysetup%{?is_backports:2}
%{_sbindir}/integritysetup%{?is_backports:2}
%{_sbindir}/cryptsetup-reencrypt%{?is_backports:2}
%{_mandir}/man8/cryptsetup%{?is_backports:2}.8%{ext_man}
%{_mandir}/man8/cryptsetup-reencrypt%{?is_backports:2}.8%{ext_man}
%{_mandir}/man8/veritysetup%{?is_backports:2}.8%{ext_man}
%{_mandir}/man8/integritysetup%{?is_backports:2}.8%{ext_man}
%if !0%{?is_backports}
%{_tmpfilesdir}/cryptsetup.conf
%ghost %dir /run/cryptsetup
%endif
%files -n libcryptsetup%{so_ver}
%{_libdir}/libcryptsetup.so.%{so_ver}*
%files -n libcryptsetup%{so_ver}-hmac
%{_libdir}/.libcryptsetup.so.%{so_ver}*hmac
%files -n lib%{name}-devel
%doc docs/examples/
%{_includedir}/libcryptsetup.h
%{_libdir}/libcryptsetup.so
%{_libdir}/pkgconfig/*
%changelog