diff --git a/.cryptsetup.metadata b/.cryptsetup.metadata index 332265b..43f7538 100644 --- a/.cryptsetup.metadata +++ b/.cryptsetup.metadata @@ -1 +1 @@ -73945fc1ab637ce58c1f4bd5dd9c529cf96b16e7 SOURCES/cryptsetup-1.6.3.tar.bz2 +2e7a045cc88491df4f08e0f4023c15fcbdf170d6 SOURCES/cryptsetup-1.6.6.tar.xz diff --git a/.gitignore b/.gitignore index f8a34f5..00371b9 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/cryptsetup-1.6.3.tar.bz2 +SOURCES/cryptsetup-1.6.6.tar.xz diff --git a/SOURCES/cryptsetup-1.6.7-drop-fips-post.patch b/SOURCES/cryptsetup-1.6.7-drop-fips-post.patch new file mode 100644 index 0000000..a780383 --- /dev/null +++ b/SOURCES/cryptsetup-1.6.7-drop-fips-post.patch @@ -0,0 +1,110 @@ +From 01b2be2b72bc5509e8155982b9dae0bc5914b6c9 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Thu, 30 Oct 2014 15:21:31 +0100 +Subject: [PATCH 1/2] libcryptsetup: drop FIPS power on self test + +- cryptsetup library is not required to be FIPS certified anymore + due to fact gcrypt PBKDF2 algorithm can be used instead of + cryptsetup internal one. + +- check in library constructor is no longer needed and therefore + removed. + +- all other checks regarding MK extraction or random generator + restrictions remain the same +--- + lib/setup.c | 5 ----- + lib/utils_fips.c | 23 +---------------------- + lib/utils_fips.h | 5 +---- + 3 files changed, 2 insertions(+), 31 deletions(-) + +diff --git a/lib/setup.c b/lib/setup.c +index 8261445..0ca9e11 100644 +--- a/lib/setup.c ++++ b/lib/setup.c +@@ -2690,8 +2690,3 @@ int crypt_get_active_device(struct crypt_device *cd, const char *name, + + return 0; + } +- +-static void __attribute__((constructor)) libcryptsetup_ctor(void) +-{ +- crypt_fips_libcryptsetup_check(); +-} +diff --git a/lib/utils_fips.c b/lib/utils_fips.c +index 9a3caae..1e284f6 100644 +--- a/lib/utils_fips.c ++++ b/lib/utils_fips.c +@@ -1,7 +1,7 @@ + /* + * FIPS mode utilities + * +- * Copyright (C) 2011-2013, Red Hat, Inc. All rights reserved. ++ * Copyright (C) 2011-2014, Red Hat, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License +@@ -18,15 +18,11 @@ + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +-#include +-#include + #include +-#include "nls.h" + #include "utils_fips.h" + + #if !ENABLE_FIPS + int crypt_fips_mode(void) { return 0; } +-void crypt_fips_libcryptsetup_check(void) {} + #else + #include + +@@ -34,21 +30,4 @@ int crypt_fips_mode(void) + { + return FIPSCHECK_kernel_fips_mode() && !access(FIPS_MODULE_FILE, F_OK); + } +- +-static void crypt_fips_verify(const char *name, const char *function) +-{ +- if (access(FIPS_MODULE_FILE, F_OK)) +- return; +- +- if (!FIPSCHECK_verify(name, function)) { +- fputs(_("FIPS checksum verification failed.\n"), stderr); +- if (FIPSCHECK_kernel_fips_mode()) +- _exit(EXIT_FAILURE); +- } +-} +- +-void crypt_fips_libcryptsetup_check(void) +-{ +- crypt_fips_verify(LIBCRYPTSETUP_VERSION_FIPS, "crypt_init"); +-} + #endif /* ENABLE_FIPS */ +diff --git a/lib/utils_fips.h b/lib/utils_fips.h +index 59f2339..fc430bd 100644 +--- a/lib/utils_fips.h ++++ b/lib/utils_fips.h +@@ -1,7 +1,7 @@ + /* + * FIPS mode utilities + * +- * Copyright (C) 2011-2013, Red Hat, Inc. All rights reserved. ++ * Copyright (C) 2011-2014, Red Hat, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License +@@ -21,9 +21,6 @@ + #ifndef _UTILS_FIPS_H + #define _UTILS_FIPS_H + +-struct crypt_device; +- + int crypt_fips_mode(void); +-void crypt_fips_libcryptsetup_check(void); + + #endif /* _UTILS_FIPS_H */ +-- +1.9.3 + diff --git a/SOURCES/cryptsetup-1.6.7-use-fsync-isntead-of-odirect.patch b/SOURCES/cryptsetup-1.6.7-use-fsync-isntead-of-odirect.patch new file mode 100644 index 0000000..4464cce --- /dev/null +++ b/SOURCES/cryptsetup-1.6.7-use-fsync-isntead-of-odirect.patch @@ -0,0 +1,85 @@ +From 3d6bcae84c5f55a82dc0056e3d7da33bee3f00b9 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Wed, 17 Sep 2014 16:38:39 +0200 +Subject: [PATCH] reencrypt: use fsync instead of O_DIRECT flag + +O_DIRECT operations directed towards filesystem are problematic: +There's no sane way how to detect specific filesystem requirements +for such operations. + +This patch is replacing O_DIRECT flag with O_SYNC flag for all +open() calls related to reencrypt log. The O_SYNC flag is used +when --use-fsync option is detected. + +Man page is modified accordingly. +--- + man/cryptsetup-reencrypt.8 | 6 ++++-- + src/cryptsetup_reencrypt.c | 12 ++---------- + 2 files changed, 6 insertions(+), 12 deletions(-) + +diff --git a/man/cryptsetup-reencrypt.8 b/man/cryptsetup-reencrypt.8 +index b3c374c..e0de656 100644 +--- a/man/cryptsetup-reencrypt.8 ++++ b/man/cryptsetup-reencrypt.8 +@@ -158,13 +158,15 @@ WARNING: This is destructive operation and cannot be reverted. + + .TP + .B "\-\-use-directio" +-Use direct-io (O_DIRECT) for all read/write data operations. ++Use direct-io (O_DIRECT) for all read/write data operations related ++to block device undergoing reencryption. + + Useful if direct-io operations perform better than normal buffered + operations (e.g. in virtual environments). + .TP + .B "\-\-use-fsync" +-Use fsync call after every written block. ++Use fsync call after every written block. This applies for reencryption ++log files as well. + .TP + .B "\-\-write-log" + Update log file after every block write. This can slow down reencryption +diff --git a/src/cryptsetup_reencrypt.c b/src/cryptsetup_reencrypt.c +index 997c388..a1cc51d 100644 +--- a/src/cryptsetup_reencrypt.c ++++ b/src/cryptsetup_reencrypt.c +@@ -76,7 +76,7 @@ struct reenc_ctx { + char crypt_path_org[PATH_MAX]; + char crypt_path_new[PATH_MAX]; + int log_fd; +- char *log_buf; ++ char log_buf[SECTOR_SIZE]; + + struct { + char *password; +@@ -351,13 +351,11 @@ static void close_log(struct reenc_ctx *rc) + log_dbg("Closing LUKS reencryption log file %s.", rc->log_file); + if (rc->log_fd != -1) + close(rc->log_fd); +- free(rc->log_buf); +- rc->log_buf = NULL; + } + + static int open_log(struct reenc_ctx *rc) + { +- int flags = opt_directio ? O_DIRECT : 0; ++ int flags = opt_fsync ? O_SYNC : 0; + + rc->log_fd = open(rc->log_file, O_RDWR|O_EXCL|O_CREAT|flags, S_IRUSR|S_IWUSR); + if (rc->log_fd != -1) { +@@ -371,12 +369,6 @@ static int open_log(struct reenc_ctx *rc) + if (rc->log_fd == -1) + return -EINVAL; + +- if (posix_memalign((void *)&rc->log_buf, alignment(rc->log_fd), SECTOR_SIZE)) { +- log_err(_("Allocation of aligned memory failed.\n")); +- close_log(rc); +- return -ENOMEM; +- } +- + if (!rc->in_progress && write_log(rc) < 0) { + close_log(rc); + return -EIO; +-- +1.9.3 + diff --git a/SPECS/cryptsetup.spec b/SPECS/cryptsetup.spec index 7e33af5..4d4c135 100644 --- a/SPECS/cryptsetup.spec +++ b/SPECS/cryptsetup.spec @@ -1,23 +1,32 @@ +%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} + +%define python3_enable 0 + Summary: A utility for setting up encrypted disks Name: cryptsetup -Version: 1.6.3 -Release: 2%{?dist} +Version: 1.6.6 +Release: 3%{?dist} License: GPLv2+ and LGPLv2+ Group: Applications/System URL: http://cryptsetup.googlecode.com/ BuildRequires: libgcrypt-devel, popt-devel, device-mapper-devel BuildRequires: libgpg-error-devel, libuuid-devel, libsepol-devel BuildRequires: libselinux-devel, python-devel, libpwquality-devel +%if %{python3_enable} +BuildRequires: python3-devel +%endif BuildRequires: fipscheck-devel >= 1.3.0 Provides: cryptsetup-luks = %{version}-%{release} Obsoletes: cryptsetup-luks < 1.4.0 -Requires: cryptsetup-libs = %{version}-%{release} -Requires: fipscheck-lib%{_isa} >= 1.3.0 +Requires: cryptsetup-libs%{?_isa} = %{version}-%{release} +Requires: fipscheck-lib%{?_isa} >= 1.3.0 Requires: libpwquality >= 1.2.0 %define dracutmodulesdir %{_prefix}/lib/dracut/modules.d %define upstream_version %{version} -Source0: http://cryptsetup.googlecode.com/files/cryptsetup-%{upstream_version}.tar.bz2 +Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-%{upstream_version}.tar.xz +Patch0: %{name}-1.6.7-use-fsync-isntead-of-odirect.patch +Patch1: %{name}-1.6.7-drop-fips-post.patch %if 0%{?fedora} >= 19 || 0%{?rhel} >= 7 %define configure_cipher --enable-gcrypt-pbkdf2 @@ -47,10 +56,11 @@ Group: System Environment/Libraries Summary: Cryptsetup shared library Provides: cryptsetup-luks-libs = %{version}-%{release} Obsoletes: cryptsetup-luks-libs < 1.4.0 -Requires: fipscheck-lib%{_isa} >= 1.3.0 +Obsoletes: cryptsetup-reencrypt-libs < 1.6.5 +Requires: fipscheck-lib%{?_isa} >= 1.3.0 # Need support for empty password in gcrypt PBKDF2 %if 0%{?fedora} >= 19 || 0%{?rhel} >= 7 -Requires: libgcrypt >= 1.5.0-9 +Requires: libgcrypt >= 1.5.3-3 %endif %description libs @@ -68,11 +78,13 @@ disk verification using dm-verity kernel module. %package reencrypt Group: Applications/System Summary: A utility for offline reencryption of LUKS encrypted disks. +Provides: cryptsetup-reencrypt = %{version}-%{release} +Obsoletes: cryptsetup-reencrypt < 1.6.5 Requires: cryptsetup-libs = %{version}-%{release} %description reencrypt This package contains cryptsetup-reencrypt utility which -can be used for offline reencryption of disk in site. +can be used for offline reencryption of disk in situ. Also includes dracut module required to perform reencryption of device containing a root filesystem. @@ -87,10 +99,29 @@ Obsoletes: python-cryptsetup < 1.4.0 This package provides Python bindings for libcryptsetup, a library for setting up disk encryption using dm-crypt kernel module. +%if %{python3_enable} +%package python3 +Group: System Environment/Libraries +Summary: Python3 bindings for libcryptsetup +Requires: %{name}-libs = %{version}-%{release} +Provides: python3-cryptsetup = %{version}-%{release} + +%description python3 +This package provides Python bindings for libcryptsetup, a library +for setting up disk encryption using dm-crypt kernel module. +%endif + %prep %setup -q -n cryptsetup-%{upstream_version} +%patch0 -p1 +%patch1 -p1 chmod -x python/pycryptsetup-test.py +%if %{python3_enable} +# copy the whole directory for the python3 build +cp -a . %{py3dir} +%endif + %build %configure --enable-python --enable-fips --enable-cryptsetup-reencrypt --enable-pwquality %{?configure_cipher} # remove rpath @@ -98,18 +129,25 @@ sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool make %{?_smp_mflags} -%install -# Generate HMAC checksums (FIPS) -%define __spec_install_post \ - %{?__debug_package:%{__debug_install_post}} \ - %{__arch_install_post} \ - %{__os_install_post} \ - fipshmac -d %{buildroot}/%{_libdir}/fipscheck %{buildroot}/%{_libdir}/libcryptsetup.so.* \ -%{nil} +%if %{python3_enable} +pushd %{py3dir} +%configure --enable-python --with-python_version=3 +make %{?_smp_mflags} +popd +%endif +%install make install DESTDIR=%{buildroot} rm -rf %{buildroot}/%{_libdir}/*.la install -d %{buildroot}/%{_libdir}/fipscheck + +%if %{python3_enable} +pushd %{py3dir} +make install DESTDIR=%{buildroot} +rm -rf %{buildroot}/%{_libdir}/*.la +popd +%endif + %find_lang cryptsetup install -d -m755 %{buildroot}/%{dracutmodulesdir}/90reencrypt @@ -122,17 +160,22 @@ install -m755 misc/dracut_90reencrypt/reencrypt.sh %{buildroot}/%{dracutmodulesd %postun -n cryptsetup-libs -p /sbin/ldconfig %files -%doc COPYING AUTHORS FAQ docs/*ReleaseNotes +%{!?_licensedir:%global license %%doc} +%license COPYING +%doc AUTHORS FAQ docs/*ReleaseNotes %{_mandir}/man8/cryptsetup.8.gz %{_sbindir}/cryptsetup %files -n veritysetup -%doc COPYING +%{!?_licensedir:%global license %%doc} +%license COPYING %{_mandir}/man8/veritysetup.8.gz %{_sbindir}/veritysetup %files reencrypt -%doc COPYING misc/dracut_90reencrypt/README +%{!?_licensedir:%global license %%doc} +%license COPYING +%doc misc/dracut_90reencrypt/README %{_mandir}/man8/cryptsetup-reencrypt.8.gz %{_sbindir}/cryptsetup-reencrypt %{dracutmodulesdir}/90reencrypt @@ -145,18 +188,41 @@ install -m755 misc/dracut_90reencrypt/reencrypt.sh %{buildroot}/%{dracutmodulesd %{_libdir}/pkgconfig/libcryptsetup.pc %files libs -f cryptsetup.lang -%doc COPYING COPYING.LGPL +%{!?_licensedir:%global license %%doc} +%license COPYING COPYING.LGPL %{_libdir}/libcryptsetup.so.* -%{_libdir}/fipscheck/libcryptsetup.so.*.hmac %files python -%doc COPYING.LGPL python/pycryptsetup-test.py +%{!?_licensedir:%global license %%doc} +%license COPYING.LGPL +%doc python/pycryptsetup-test.py %exclude %{python_sitearch}/pycryptsetup.la %{python_sitearch}/pycryptsetup.so +%if %{python3_enable} +%files python3 +%{!?_licensedir:%global license %%doc} +%license COPYING.LGPL +%doc python/pycryptsetup-test.py +%exclude %{python3_sitearch}/pycryptsetup.la +%{python3_sitearch}/pycryptsetup.so +%endif + %clean %changelog +* Thu Dec 18 2014 Ondrej Kozina - 1.6.6-3 +- drop FIPS power on self test and library checksum +- Resolves: #1158897 + +* Mon Sep 29 2014 Ondrej Kozina - 1.6.6-2 +- patch: fix failures related to reencrypt log files +- Resolves: #1140199 + +* Mon Sep 8 2014 Ondrej Kozina - 1.6.6-1 +- Update to cryptsetup 1.6.6. +- Resolves: #1117372 #1038097 + * Fri Jan 24 2014 Daniel Mach - 1.6.3-2 - Mass rebuild 2014-01-24