Hello community,

here is the log from the commit of package cryptsetup for openSUSE:Factory checked in at 2018-08-28 09:22:31
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cryptsetup (Old)
 and /work/SRC/openSUSE:Factory/.cryptsetup.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cryptsetup" Tue Aug 28 09:22:31 2018 rev:102 rq:630730 version:2.0.4 Changes: -------- --- /work/SRC/openSUSE:Factory/cryptsetup/cryptsetup.changes 2018-02-13 10:25:33.509405741 +0100 +++ /work/SRC/openSUSE:Factory/.cryptsetup.new/cryptsetup.changes 2018-08-28 09:23:05.376574368 +0200 
@@ -1,0 +2,134 @@ +Tue Aug 21 07:40:54 UTC 2018 - lnus...@suse.de + +- New version 2.0.4 + + Changes since version 2.0.3 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + * Use the libblkid (blockid) library to detect foreign signatures + on a device before LUKS format and LUKS2 auto-recovery. + This change fixes an unexpected recovery using the secondary + LUKS2 header after a device was already overwritten with + another format (filesystem or LVM physical volume). + LUKS2 will not recreate a primary header if it detects a valid + foreign signature. In this situation, a user must always + use cryptsetup repair command for the recovery. + Note that libcryptsetup and utilities are now linked to libblkid + as a new dependence. + To compile code without blockid support (strongly discouraged), + use --disable-blkid configure switch. + * Add prompt for format and repair actions in cryptsetup and + integritysetup if foreign signatures are detected on the device + through the blockid library. + After the confirmation, all known signatures are then wiped as + part of the format or repair procedure. + * Print consistent verbose message about keyslot and token numbers. + For keyslot actions: Key slot <number> unlocked/created/removed. + For token actions: Token <number> created/removed. + * Print error, if a non-existent token is tried to be removed. + * Add support for LUKS2 token definition export and import. + The token command now can export/import customized token JSON file + directly from command line. See the man page for more details. + * Add support for new dm-integrity superblock version 2. + * Add an error message when nothing was read from a key file. + * Update cryptsetup man pages, including --type option usage. + * Add a snapshot of LUKS2 format specification to documentation + and accordingly fix supported secondary header offsets. + * Add bundled optimized Argon2 SSE (X86_64 platform) code. 
+ If the bundled Argon2 code is used and the new configure switch + --enable-internal-sse-argon2 option is present, and compiler flags + support required optimization, the code will try to use optimized + and faster variant. + Always use the shared library (--enable-libargon2) if possible. + This option was added because an enterprise distribution + rejected to support the shared Argon2 library and native support + in generic cryptographic libraries is not ready yet. + * Fix compilation with crypto backend for LibreSSL >= 2.7.0. + LibreSSL introduced OpenSSL 1.1.x API functions, so compatibility + wrapper must be commented out. + * Fix on-disk header size calculation for LUKS2 format if a specific + data alignment is requested. Until now, the code used default size + that could be wrong for converted devices. + + Changes since version 2.0.2 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + * Expose interface to unbound LUKS2 keyslots. + Unbound LUKS2 keyslot allows storing a key material that is independent + of master volume key (it is not bound to encrypted data segment). + * New API extensions for unbound keyslots (LUKS2 only) + crypt_keyslot_get_key_size() and crypt_volume_key_get() + These functions allow to get key and key size for unbound keyslots. + * New enum value CRYPT_SLOT_UNBOUND for keyslot status (LUKS2 only). + * Add --unbound keyslot option to the cryptsetup luksAddKey command. + * Add crypt_get_active_integrity_failures() call to get integrity + failure count for dm-integrity devices. + * Add crypt_get_pbkdf_default() function to get per-type PBKDF default + setting. + * Add new flag to crypt_keyslot_add_by_key() to force update device + volume key. This call is mainly intended for a wrapped key change. + * Allow volume key store in a file with cryptsetup. + The --dump-master-key together with --master-key-file allows cryptsetup + to store the binary volume key to a file instead of standard output. + * Add support detached header for cryptsetup-reencrypt command. 
+ * Fix VeraCrypt PIM handling - use proper iterations count formula + for PBKDF2-SHA512 and PBKDF2-Whirlpool used in system volumes. + * Fix cryptsetup tcryptDump for VeraCrypt PIM (support --veracrypt-pim). + * Add --with-default-luks-format configure time option. + (Option to override default LUKS format version.) + * Fix LUKS version conversion for detached (and trimmed) LUKS headers. + * Add luksConvertKey cryptsetup command that converts specific keyslot + from one PBKDF to another. + * Do not allow conversion to LUKS2 if LUKSMETA (external tool metadata) + header is detected. + * More cleanup and hardening of LUKS2 keyslot specific validation options. + Add more checks for cipher validity before writing metadata on-disk. + * Do not allow LUKS1 version downconversion if the header contains tokens. + * Add "paes" family ciphers (AES wrapped key scheme for mainframes) + to allowed ciphers. + Specific wrapped ley configuration logic must be done by 3rd party tool, + LUKS2 stores only keyslot material and allow activation of the device. + * Add support for --check-at-most-once option (kernel 4.17) to veritysetup. + This flag can be dangerous; if you can control underlying device + (you can change its content after it was verified) it will no longer + prevent reading tampered data and also it does not prevent silent + data corruptions that appear after the block was once read. + * Fix return code (EPERM instead of EINVAL) and retry count for bad + passphrase on non-tty input. + * Enable support for FEC decoding in veritysetup to check dm-verity devices + with additional Reed-Solomon code in userspace (verify command). + + Changes since version 2.0.1 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + * Fix a regression in early detection of inactive keyslot for luksKillSlot. + It tried to ask for passphrase even for already erased keyslot. + * Fix a regression in loopaesOpen processing for keyfile on standard input. + Use of "-" argument was not working properly. 
+ * Add LUKS2 specific options for cryptsetup-reencrypt. + Tokens and persistent flags are now transferred during reencryption; + change of PBKDF keyslot parameters is now supported and allows + to set precalculated values (no benchmarks). + * Do not allow LUKS2 --persistent and --test-passphrase cryptsetup flags + combination. Persistent flags are now stored only if the device was + successfully activated with the specified flags. + * Fix integritysetup format after recent Linux kernel changes that + requires to setup key for HMAC in all cases. + Previously integritysetup allowed HMAC with zero key that behaves + like a plain hash. + * Fix VeraCrypt PIM handling that modified internal iteration counts + even for subsequent activations. The PIM count is no longer printed + in debug log as it is sensitive information. + Also, the code now skips legacy TrueCrypt algorithms if a PIM + is specified (they cannot be used with PIM anyway). + * PBKDF values cannot be set (even with force parameters) below + hardcoded minimums. For PBKDF2 is it 1000 iterations, for Argon2 + it is 4 iterations and 32 KiB of memory cost. + * Introduce new crypt_token_is_assigned() API function for reporting + the binding between token and keyslots. + * Allow crypt_token_json_set() API function to create internal token types. + Do not allow unknown fields in internal token objects. + * Print message in cryptsetup that about was aborted if a user did not + answer YES in a query. + +------------------------------------------------------------------- Old: ---- cryptsetup-2.0.1.tar.sign cryptsetup-2.0.1.tar.xz New: ---- cryptsetup-2.0.4.tar.sign cryptsetup-2.0.4.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cryptsetup.spec ++++++ --- /var/tmp/diff_new_pack.YPH9T9/_old 2018-08-28 09:23:06.268577151 +0200 +++ /var/tmp/diff_new_pack.YPH9T9/_new 2018-08-28 09:23:06.272577163 +0200 
@@ -18,10 +18,10 @@ %define so_ver 12 Name: cryptsetup -Version: 2.0.1 +Version: 2.0.4 Release: 0 Summary: Set Up dm-crypt Based Encrypted Block Devices -License: SUSE-GPL-2.0-with-openssl-exception AND LGPL-2.0+ +License: SUSE-GPL-2.0-with-openssl-exception AND LGPL-2.0-or-later Group: System/Base Url: https://gitlab.com/cryptsetup/cryptsetup/ Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{version}.tar.xz @@ -42,6 +42,7 @@ BuildRequires: pkgconfig BuildRequires: popt-devel BuildRequires: suse-module-tools +BuildRequires: pkgconfig(blkid) BuildRequires: pkgconfig(libargon2) Requires(post): coreutils Requires(postun): coreutils ++++++ cryptsetup-2.0.1.tar.xz -> cryptsetup-2.0.4.tar.xz ++++++ /work/SRC/openSUSE:Factory/cryptsetup/cryptsetup-2.0.1.tar.xz /work/SRC/openSUSE:Factory/.cryptsetup.new/cryptsetup-2.0.4.tar.xz differ: char 15, line 1
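
Review bot: The new cryptsetup.changes entry (hunk @@ -1,0 +2,134 @@) contains only the upstream release notes and does not mention the packaging changes made in the same commit. Add lines for the spec edits, for example the new "BuildRequires: pkgconfig(blkid)" and the License tag change to "LGPL-2.0-or-later". The pasted notes also carry typos ("new dependence", "Specific wrapped ley configuration", "that about was aborted"); fix them unless the text is meant to stay verbatim from upstream.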
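
Review bot: In the cryptsetup.spec hunk @@ -18,10 +18,10 @@, "%define so_ver 12" is left unchanged while Version moves from 2.0.1 to 2.0.4 and the changelog lists new library functions (crypt_keyslot_get_key_size(), crypt_volume_key_get(), crypt_get_pbkdf_default(), crypt_token_is_assigned()). Please confirm that the library built from 2.0.4 still carries soname version 12 so that so_ver stays correct. The file list also replaces cryptsetup-2.0.1.tar.sign with cryptsetup-2.0.4.tar.sign; the spec lines that reference the signature are outside this hunk, so confirm the new tarball is checked against it during the build.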
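
Review bot: In the cryptsetup.spec hunk @@ -42,6 +42,7 @@, the added "BuildRequires: pkgconfig(blkid)" only makes libblkid available at build time; the configure invocation is outside the visible lines. Since the changelog calls building with --disable-blkid "strongly discouraged" and says to "Always use the shared library (--enable-libargon2) if possible", please confirm that the configure call in the spec does not pass --disable-blkid or --enable-internal-sse-argon2 and that it selects the shared libargon2 that "BuildRequires: pkgconfig(libargon2)" already pulls in.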