diff --git a/.cryptsetup.metadata b/.cryptsetup.metadata
new file mode 100644
index 0000000..b45bee0
--- /dev/null
+++ b/.cryptsetup.metadata
@@ -0,0 +1 @@
+a2590635ff89a7c2fdb2fbbaaecfb2a27617efef SOURCES/cryptsetup-2.0.6.tar.xz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8ee04b7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/cryptsetup-2.0.6.tar.xz
diff --git a/SOURCES/cryptsetup-add-system-library-paths.patch b/SOURCES/cryptsetup-add-system-library-paths.patch
new file mode 100644
index 0000000..cc22adf
--- /dev/null
+++ b/SOURCES/cryptsetup-add-system-library-paths.patch
@@ -0,0 +1,22 @@
+diff -rupN cryptsetup-2.0.4.old/configure cryptsetup-2.0.4/configure
+--- cryptsetup-2.0.4.old/configure 2018-08-03 12:31:52.000000000 +0200
++++ cryptsetup-2.0.4/configure 2018-08-03 13:42:50.605275535 +0200
+@@ -12300,6 +12300,9 @@ fi
+ # before this can be enabled.
+ hardcode_into_libs=yes
+
++ # Add ABI-specific directories to the system library path.
++ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
++
+ # Ideally, we could use ldconfig to report *all* directores which are
+ # searched for libraries, however this is still not possible. Aside from not
+ # being certain /sbin/ldconfig is available, command
+@@ -12308,7 +12311,7 @@ fi
+ # appending ld.so.conf contents (and includes) to the search path.
+ if test -f /etc/ld.so.conf; then
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
+- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
++ sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
+ fi
+
+ # We used to test for /lib/ld.so.1 and disable shared libraries on
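Review bot: cryptsetup-add-system-library-paths.patch has no header saying why `sys_lib_dlsearch_path_spec` is pinned to `/lib64 /usr/lib64 /lib /usr/lib`, and it edits the generated `configure` rather than the libtool input that produces it. Its file headers name cryptsetup-2.0.4 while the tracked tarball is cryptsetup-2.0.6.tar.xz, so the `@@ -12300,6 +12300,9 @@` positions presumably only apply through patch's offset search. I would add a short description at the top of the patch file, for example `# Treat the lib64 directories as default linker paths so libtool does not record them as a run-time search path; re-diff against each new configure`, if that is indeed the intent. The configure block being patched starts and ends outside the hunk.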
diff --git a/SOURCES/cryptsetup-disable-luks2-integrity-test-until-next-usptream-rel.patch b/SOURCES/cryptsetup-disable-luks2-integrity-test-until-next-usptream-rel.patch
new file mode 100644
index 0000000..aed5fc9
--- /dev/null
+++ b/SOURCES/cryptsetup-disable-luks2-integrity-test-until-next-usptream-rel.patch
@@ -0,0 +1,24 @@
+From 620f0cc8c0b69f9c9c56b5d13f3411f217ae9925 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina
+Date: Wed, 8 Aug 2018 11:40:55 +0200
+Subject: [PATCH 6/7] Disable luks2-integrity-test until next usptream release.
+
+---
+ tests/luks2-integrity-test | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tests/luks2-integrity-test b/tests/luks2-integrity-test
+index 0b7ddf0..d69df1c 100755
+--- a/tests/luks2-integrity-test
++++ b/tests/luks2-integrity-test
+@@ -114,6 +114,7 @@ intformat() # alg integrity integrity_out key_size int_key_size sector_size csum
+ }
+
+
++skip "WARNING: This test can't be run with current build due to some hard coded values bound to old LUKS2 header size."
+ [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
+ [ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
+ modprobe dm-integrity >/dev/null 2>&1
+--
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-increase-default-LUKS2-header-size-to-8MiBs.patch b/SOURCES/cryptsetup-increase-default-LUKS2-header-size-to-8MiBs.patch
new file mode 100644
index 0000000..76e86a7
--- /dev/null
+++ b/SOURCES/cryptsetup-increase-default-LUKS2-header-size-to-8MiBs.patch
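Review bot: The `skip` added ahead of the root check in tests/luks2-integrity-test is unconditional and carries no removal condition, so this build, which also changes the default LUKS2 header size, ships with the whole dm-integrity test script switched off. The message blames hard-coded values tied to the old header size; those values are outside the hunk, so it is not visible how many cases really depend on them. I would record the exit condition next to the skip, e.g. `# TODO(<tracking-id>): drop this skip once the test derives its offsets from LUKS2_HDR_DEFAULT_LEN`, and mark the `Patch2:` line in cryptsetup.spec as temporary so the patch is not carried past the next rebase by accident.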
@@ -0,0 +1,25 @@
+From 18ec689f77a66f4d0632ee2829efccb542ba5f3b Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina
+Date: Fri, 3 Aug 2018 15:42:00 +0200
+Subject: [PATCH 7/7] Increase default LUKS2 header size to 8MiBs.
+
+---
+ lib/luks2/luks2.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/luks2/luks2.h b/lib/luks2/luks2.h
+index 2a49618..892e847 100644
+--- a/lib/luks2/luks2.h
++++ b/lib/luks2/luks2.h
+@@ -124,7 +124,7 @@ struct luks2_keyslot_params {
+
+ #define LUKS2_HDR_BIN_LEN sizeof(struct luks2_hdr_disk)
+
+-#define LUKS2_HDR_DEFAULT_LEN 0x400000 /* 4 MiB */
++#define LUKS2_HDR_DEFAULT_LEN 0x800000 /* 8 MiB */
+
+ #define LUKS2_MAX_KEYSLOTS_SIZE 0x8000000 /* 128 MiB */
+
+--
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-make-align-test-ready-for-larger-LUKS2-hdr.patch b/SOURCES/cryptsetup-make-align-test-ready-for-larger-LUKS2-hdr.patch
new file mode 100644
index 0000000..735c608
--- /dev/null
+++ b/SOURCES/cryptsetup-make-align-test-ready-for-larger-LUKS2-hdr.patch
@@ -0,0 +1,14 @@
+diff -rupN cryptsetup-2.0.6.old/tests/align-test2 cryptsetup-2.0.6/tests/align-test2
+--- cryptsetup-2.0.6.old/tests/align-test2 2018-12-03 12:53:41.293185399 +0100
++++ cryptsetup-2.0.6/tests/align-test2 2018-12-03 12:54:27.821936718 +0100
+@@ -9,7 +9,9 @@ PWD1="93R4P4pIqAH8"
+ PWD2="mymJeD8ivEhE"
+ FAST_PBKDF="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+
+-EXPCT=8192
++# FIXME: we need some sane API to get this information. This is hack.
++LUKS2_HDR_DEFAULT_LEN=$(grep -e "#define LUKS2_HDR_DEFAULT_LEN" ../lib/luks2/luks2.h | cut -d ' ' -f 3)
++EXPCT=$((LUKS2_HDR_DEFAULT_LEN/512))
+
+ cleanup() {
+ udevadm settle >/dev/null 2>&1
diff --git a/SOURCES/cryptsetup-make-api-test-2-default-LUKS2-hdr-size-aware.patch b/SOURCES/cryptsetup-make-api-test-2-default-LUKS2-hdr-size-aware.patch
new file mode 100644
index 0000000..67192f7
--- /dev/null
+++ b/SOURCES/cryptsetup-make-api-test-2-default-LUKS2-hdr-size-aware.patch
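Review bot: In cryptsetup-make-align-test-ready-for-larger-LUKS2-hdr.patch the value scraped by `grep ... ../lib/luks2/luks2.h | cut -d ' ' -f 3` is used without any check, and because the name is referenced bare inside `$(( ))`, an empty result makes `EXPCT=$((LUKS2_HDR_DEFAULT_LEN/512))` evaluate to 0 rather than stop the script. That happens whenever the test is started from a directory where the relative path does not resolve, or the `#define` is not separated by exactly one space. A guard right after the assignment keeps the failure at its cause: `[ -n "$LUKS2_HDR_DEFAULT_LEN" ] || { echo "cannot read LUKS2_HDR_DEFAULT_LEN"; exit 1; }`. The same two lines are added to tests/reencryption-compat-test2 by cryptsetup-make-reencryption-compat-test2-ready-for-different-L.patch and need the same guard there.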
@@ -0,0 +1,439 @@
+diff -rupN cryptsetup-2.0.4.old/tests/api-test-2.c cryptsetup-2.0.4/tests/api-test-2.c
+--- cryptsetup-2.0.4.old/tests/api-test-2.c 2018-08-08 14:05:02.000387826 +0200
++++ cryptsetup-2.0.4/tests/api-test-2.c 2018-08-08 14:05:35.946311814 +0200
+@@ -41,6 +41,7 @@ typedef int32_t key_serial_t;
+
+ #include "api_test.h"
+ #include "luks.h"
++#include "luks2.h"
+ #include "libcryptsetup.h"
+
+ #define DMDIR "/dev/mapper/"
+@@ -165,31 +166,18 @@ static unsigned _min(unsigned a, unsigne
+ return a < b ? a : b;
+ }
+
+-/* FIXME: will fail with various LUKS2 header sizes */
+-static int get_luks2_offsets(int metadata_device,
+- unsigned int alignpayload_sec,
+- unsigned int alignoffset_sec, /* unused in LUKS2, bug? */
+- unsigned int sector_size,
++static int get_luks2_offsets(unsigned int alignpayload_sec,
+ uint64_t *r_header_size,
+ uint64_t *r_payload_offset)
+ {
+- if (!sector_size)
+- sector_size = 512; /* default? */
+-
+- if ((sector_size % 512) && (sector_size % 4096))
+- return -1;
+-
+ if (r_payload_offset) {
+- if (metadata_device)
+- *r_payload_offset = DIV_ROUND_UP_MODULO(4*1024*1024, (alignpayload_sec ?: 1) * sector_size);
+- else
+- *r_payload_offset = alignpayload_sec * sector_size;
++ *r_payload_offset = DIV_ROUND_UP_MODULO(LUKS2_HDR_DEFAULT_LEN, (alignpayload_sec ?: 1) * SECTOR_SIZE);
+
+- *r_payload_offset /= sector_size;
++ *r_payload_offset >>= SECTOR_SHIFT;
+ }
+
+ if (r_header_size)
+- *r_header_size = (4*1024*1024) / sector_size;
++ *r_header_size = LUKS2_HDR_DEFAULT_LEN >> SECTOR_SHIFT;
+
+ return 0;
+ }
+@@ -585,7 +573,7 @@ static void AddDeviceLuks2(void)
+ crypt_decode_key(key3, mk_hex2, key_size);
+
+ // init test devices
+- OK_(get_luks2_offsets(1, 0, 0, 0, &r_header_size, &r_payload_offset));
++ OK_(get_luks2_offsets(0, &r_header_size, &r_payload_offset));
+ OK_(create_dmdevice_over_loop(H_DEVICE, r_header_size));
+ OK_(create_dmdevice_over_loop(H_DEVICE_WRONG, r_header_size - 1));
+
+@@ -613,8 +601,8 @@ static void AddDeviceLuks2(void)
+ /*
+ * test limit values for backing device size
+ */
+- params.data_alignment = 8192;
+- OK_(get_luks2_offsets(0, params.data_alignment, 0, 0, NULL, &r_payload_offset));
++ params.data_alignment = LUKS2_HDR_DEFAULT_LEN >> SECTOR_SHIFT;
++ OK_(get_luks2_offsets(params.data_alignment, NULL, &r_payload_offset));
+ OK_(create_dmdevice_over_loop(L_DEVICE_0S, r_payload_offset));
+ OK_(create_dmdevice_over_loop(L_DEVICE_1S, r_payload_offset + 1));
+ OK_(create_dmdevice_over_loop(L_DEVICE_WRONG, r_payload_offset - 1));
+@@ -767,7 +755,7 @@ static void AddDeviceLuks2(void)
+ OK_(strcmp(cipher, crypt_get_cipher(cd)));
+ OK_(strcmp(cipher_mode, crypt_get_cipher_mode(cd)));
+ EQ_((int)key_size, crypt_get_volume_key_size(cd));
+- EQ_(8192, crypt_get_data_offset(cd));
++ EQ_((LUKS2_HDR_DEFAULT_LEN >> SECTOR_SHIFT), crypt_get_data_offset(cd));
+ OK_(strcmp(DEVICE_2, crypt_get_device_name(cd)));
+
+ reset_log();
+@@ -809,7 +797,7 @@ static void AddDeviceLuks2(void)
+ FAIL_(crypt_keyslot_add_by_volume_key(cd, 1, key, key_size, PASSPHRASE, strlen(PASSPHRASE)), "VK doesn't match any digest");
+ crypt_free(cd);
+
+- OK_(create_dmdevice_over_loop(L_DEVICE_1S, 8193));
++ OK_(create_dmdevice_over_loop(L_DEVICE_1S, (LUKS2_HDR_DEFAULT_LEN >> SECTOR_SHIFT) + 1));
+ OK_(crypt_init(&cd, DMDIR L_DEVICE_1S));
+ crypt_set_iteration_time(cd, 1);
+ OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, key, key_size, NULL));
+@@ -900,7 +888,7 @@ static void Luks2HeaderRestore(void)
+
+ crypt_decode_key(key, mk_hex, key_size);
+
+- OK_(get_luks2_offsets(0, params.data_alignment, 0, 0, NULL, &r_payload_offset));
++ OK_(get_luks2_offsets(params.data_alignment, NULL, &r_payload_offset));
+ OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 5000));
+
+ // do not restore header over plain device
+@@ -976,18 +964,20 @@ static void Luks2HeaderLoad(void)
+ size_t key_size = strlen(mk_hex) / 2;
+ const char *cipher = "aes";
+ const char *cipher_mode = "cbc-essiv:sha256";
+- uint64_t r_payload_offset, r_header_size;
++ uint64_t r_payload_offset, r_header_size, r_header_size_compat;
+
+ crypt_decode_key(key, mk_hex, key_size);
+
+ // prepare test env
+- OK_(get_luks2_offsets(0, params.data_alignment, 0, 0, &r_header_size, &r_payload_offset));
++ OK_(t_device_size(IMAGE1, &r_header_size_compat));
++ r_header_size_compat >>= SECTOR_SHIFT;
++ OK_(get_luks2_offsets(params.data_alignment, &r_header_size, &r_payload_offset));
+ // external header device
+ OK_(create_dmdevice_over_loop(H_DEVICE, r_header_size));
+ // prepared header on a device too small to contain header and payload
+- //OK_(create_dmdevice_over_loop(H_DEVICE_WRONG, r_payload_offset - 1));
+- OK_(create_dmdevice_over_loop(H_DEVICE_WRONG, r_header_size - 1));
+- snprintf(cmd, sizeof(cmd), "dd if=" IMAGE1 " of=" DMDIR H_DEVICE_WRONG " bs=%" PRIu32 " count=%" PRIu64 " 2>/dev/null", params.sector_size, r_header_size - 1);
++ // compatimage2.img contains one sector of data. to create wrong device we need one sector less than the header size
++ OK_(create_dmdevice_over_loop(H_DEVICE_WRONG, r_header_size_compat - 2));
++ snprintf(cmd, sizeof(cmd), "dd if=" IMAGE1 " of=" DMDIR H_DEVICE_WRONG " bs=%" PRIu32 " count=%" PRIu64 " 2>/dev/null", params.sector_size, r_header_size_compat - 2);
+ OK_(_system(cmd, 1));
+ // some device
+ OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1000));
+@@ -1092,7 +1082,7 @@ static void Luks2HeaderBackup(void)
+
+ crypt_decode_key(key, mk_hex, key_size);
+
+- OK_(get_luks2_offsets(0, params.data_alignment, 0, 0, NULL, &r_payload_offset));
++ OK_(get_luks2_offsets(params.data_alignment, NULL, &r_payload_offset));
+ OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1));
+
+ // create LUKS device and backup the header
+@@ -1180,8 +1170,8 @@ static void ResizeDeviceLuks2(void)
+ crypt_decode_key(key, mk_hex, key_size);
+
+ // prepare env
+- OK_(get_luks2_offsets(0, params.data_alignment, 0, 0, NULL, &r_payload_offset));
+- OK_(get_luks2_offsets(1, 0, 0, 0, &r_header_size, NULL));
++ OK_(get_luks2_offsets(params.data_alignment, NULL, &r_payload_offset));
++ OK_(get_luks2_offsets(0, &r_header_size, NULL));
+ OK_(create_dmdevice_over_loop(H_DEVICE, r_header_size));
+ OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 1000));
+ OK_(create_dmdevice_over_loop(L_DEVICE_0S, 1000));
+@@ -1303,7 +1293,7 @@ static void TokenActivationByKeyring(voi
+ }
+
+ // prepare the device
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ crypt_set_iteration_time(cd, 1);
+ OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL));
+ EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0);
+@@ -1312,7 +1302,7 @@ static void TokenActivationByKeyring(voi
+ crypt_free(cd);
+
+ // test thread keyring key in token 0
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
+ EQ_(crypt_activate_by_token(cd, CDEVICE_1, 3, NULL, 0), 0);
+ FAIL_(crypt_activate_by_token(cd, CDEVICE_1, 3, NULL, 0), "already open");
+@@ -1331,7 +1321,7 @@ static void TokenActivationByKeyring(voi
+ }
+
+ // add token 1 with process keyring key
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
+ EQ_(crypt_token_json_set(cd, 3, NULL), 3);
+ EQ_(crypt_token_luks2_keyring_set(cd, 1, ¶ms), 1);
+@@ -1339,7 +1329,7 @@ static void TokenActivationByKeyring(voi
+ crypt_free(cd);
+
+ // test process keyring key in token 1
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
+ EQ_(crypt_activate_by_token(cd, CDEVICE_1, 1, NULL, 0), 0);
+ FAIL_(crypt_activate_by_token(cd, CDEVICE_1, 1, NULL, 0), "already open");
+@@ -1364,7 +1354,7 @@ static void TokenActivationByKeyring(voi
+ exit(1);
+ }
+
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
+ EQ_(crypt_token_luks2_keyring_set(cd, 0, ¶ms), 0);
+ EQ_(crypt_token_assign_keyslot(cd, 0, 0), 0);
+@@ -1376,7 +1366,7 @@ static void TokenActivationByKeyring(voi
+ crypt_free(cd);
+
+ // activate by specific token
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
+ EQ_(crypt_activate_by_token(cd, CDEVICE_1, 0, NULL, 0), 0);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+@@ -1390,7 +1380,7 @@ static void TokenActivationByKeyring(voi
+ }
+
+ // activate by any token with token 0 having absent pass from keyring
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
+ EQ_(crypt_activate_by_token(cd, CDEVICE_1, CRYPT_ANY_TOKEN, NULL, 0), 1);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+@@ -1403,7 +1393,7 @@ static void TokenActivationByKeyring(voi
+ }
+
+ // replace pass for keyslot 0 making token 0 invalid
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
+ OK_(crypt_keyslot_destroy(cd, 0));
+ crypt_set_iteration_time(cd, 1);
+@@ -1411,7 +1401,7 @@ static void TokenActivationByKeyring(voi
+ crypt_free(cd);
+
+ // activate by any token with token 0 having wrong pass for keyslot 0
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
+ EQ_(crypt_activate_by_token(cd, CDEVICE_1, CRYPT_ANY_TOKEN, NULL, 0), 1);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+@@ -1420,7 +1410,7 @@ static void TokenActivationByKeyring(voi
+ // create new device, with two tokens:
+ // 1st token being invalid (missing key in keyring)
+ // 2nd token can activate keyslot 1 after failing to do so w/ keyslot 0 (wrong pass)
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ crypt_set_iteration_time(cd, 1);
+ OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL));
+ EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0);
+@@ -1442,7 +1432,7 @@ static void TokenActivationByKeyring(voi
+ exit(1);
+ }
+
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
+ EQ_(crypt_activate_by_token(cd, CDEVICE_1, CRYPT_ANY_TOKEN, NULL, 0), 1);
+ OK_(crypt_deactivate(cd, CDEVICE_1));
+@@ -1507,7 +1497,7 @@ static void Tokens(void)
+ FAIL_(crypt_token_register(&th_reserved), "luks2- is reserved prefix");
+
+ // basic token API tests
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ crypt_set_iteration_time(cd, 1);
+ OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL));
+ EQ_(crypt_token_status(cd, -1, NULL), CRYPT_TOKEN_INVALID);
+@@ -1706,7 +1696,7 @@ static void LuksConvert(void)
+ crypt_free(cd);
+
+ // exercice non-pbkdf2 LUKSv2 conversion
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL));
+ OK_(crypt_set_pbkdf_type(cd, &argon));
+ EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0);
+@@ -1714,7 +1704,7 @@ static void LuksConvert(void)
+ crypt_free(cd);
+
+ // exercice non LUKS1 compatible keyslot
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, &luks2));
+ EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0);
+ EQ_(crypt_keyslot_add_by_key(cd, 1, NULL, 32, PASSPHRASE1, strlen(PASSPHRASE1), CRYPT_VOLUME_KEY_NO_SEGMENT), 1);
+@@ -1723,7 +1713,7 @@ static void LuksConvert(void)
+ crypt_free(cd);
+
+ // exercice LUKSv2 conversion with single pbkdf2 keyslot being active
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL));
+ offset = crypt_get_data_offset(cd);
+ OK_(crypt_set_pbkdf_type(cd, &pbkdf2));
+@@ -1731,13 +1721,13 @@ static void LuksConvert(void)
+ OK_(crypt_convert(cd, CRYPT_LUKS1, NULL));
+ EQ_(crypt_get_data_offset(cd), offset);
+ crypt_free(cd);
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ OK_(crypt_load(cd, CRYPT_LUKS, NULL));
+ EQ_(crypt_get_data_offset(cd), offset);
+ crypt_free(cd);
+
+ // do not allow conversion on keyslot No > 7
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, &luks2));
+ EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0);
+ EQ_(crypt_keyslot_add_by_volume_key(cd, 8, NULL, 32, PASSPHRASE1, strlen(PASSPHRASE1)), 8);
+@@ -1745,14 +1735,14 @@ static void LuksConvert(void)
+ crypt_free(cd);
+
+ // do not allow conversion with token
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, &luks2));
+ OK_(crypt_token_json_set(cd, CRYPT_ANY_TOKEN, json));
+ FAIL_(crypt_convert(cd, CRYPT_LUKS1, NULL), "Can't convert header with token.");
+ crypt_free(cd);
+
+ // should be enough for both luks1 and luks2 devices with all vk lengths
+- OK_(get_luks2_offsets(1, 0, 0, 0, NULL, &r_payload_offset));
++ OK_(get_luks2_offsets(0, NULL, &r_payload_offset));
+ OK_(create_dmdevice_over_loop(L_DEVICE_1S, r_payload_offset + 1));
+
+ // do not allow conversion for legacy luks1 device (non-aligned keyslot offset)
+@@ -2202,7 +2192,7 @@ static void Pbkdf(void)
+
+ // test LUKSv2 device
+ // test default values are set
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ OK_(crypt_format(cd, CRYPT_LUKS2, cipher, mode, NULL, NULL, 32, NULL));
+ NOTNULL_(pbkdf = crypt_get_pbkdf_type(cd));
+ OK_(strcmp(pbkdf->type, DEFAULT_LUKS2_PBKDF));
+@@ -2259,7 +2249,7 @@ static void Pbkdf(void)
+ FAIL_(crypt_set_pbkdf_type(cd, &pbkdf2), "Unknown hash member");
+ crypt_free(cd);
+ // test whether crypt_get_pbkdf_type() behaves accordingly after second crypt_load() call
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ OK_(crypt_load(cd, CRYPT_LUKS, NULL));
+ NOTNULL_(pbkdf = crypt_get_pbkdf_type(cd));
+ OK_(strcmp(pbkdf->type, DEFAULT_LUKS2_PBKDF));
+@@ -2277,7 +2267,7 @@ static void Pbkdf(void)
+ crypt_free(cd);
+
+ // test crypt_set_pbkdf_type() overwrites invalid value set by crypt_set_iteration_time()
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ crypt_set_iteration_time(cd, 0);
+ OK_(crypt_set_pbkdf_type(cd, &argon2));
+ NOTNULL_(pbkdf = crypt_get_pbkdf_type(cd));
+@@ -2352,7 +2342,7 @@ static void Luks2KeyslotAdd(void)
+ crypt_decode_key(key2, mk_hex2, key_size);
+
+ /* test crypt_keyslot_add_by_key */
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ crypt_set_iteration_time(cd, 1);
+ OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, key, key_size, NULL));
+ EQ_(crypt_keyslot_add_by_key(cd, 1, key2, key_size, PASSPHRASE1, strlen(PASSPHRASE1), CRYPT_VOLUME_KEY_NO_SEGMENT), 1);
+@@ -2432,7 +2422,7 @@ static void Luks2ActivateByKeyring(void)
+ }
+
+ // prepare the device
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ crypt_set_iteration_time(cd, 1);
+ OK_(crypt_format(cd, CRYPT_LUKS2, cipher, cipher_mode, NULL, NULL, 32, NULL));
+ EQ_(crypt_keyslot_add_by_volume_key(cd, 0, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 0);
+@@ -2442,7 +2432,7 @@ static void Luks2ActivateByKeyring(void)
+
+ // FIXME: all following tests work as expected but most error messages are missing
+ // check activate by keyring works exactly same as by passphrase
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
+ EQ_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, 0, 0), 0);
+ EQ_(crypt_activate_by_keyring(cd, CDEVICE_1, KEY_DESC_TEST0, 0, 0), 0);
+@@ -2472,7 +2462,7 @@ static void Luks2ActivateByKeyring(void)
+ exit(1);
+ }
+
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
+ FAIL_(crypt_activate_by_keyring(cd, NULL, KEY_DESC_TEST0, CRYPT_ANY_SLOT, 0), "no such key in keyring");
+ FAIL_(crypt_activate_by_keyring(cd, CDEVICE_1, KEY_DESC_TEST0, CRYPT_ANY_SLOT, 0), "no such key in keyring");
+@@ -2718,7 +2708,7 @@ static void Luks2Requirements(void)
+ OK_(crypt_activate_by_token(cd, NULL, 1, NULL, 0));
+ OK_(crypt_activate_by_token(cd, NULL, 1, NULL, t_dm_crypt_keyring_support() ? CRYPT_ACTIVATE_KEYRING_KEY : 0));
+ #endif
+- OK_(get_luks2_offsets(1, 8192, 0, 0, NULL, &r_payload_offset));
++ OK_(get_luks2_offsets(8192, NULL, &r_payload_offset));
+ OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_payload_offset + 2));
+ //OK_(_system("dd if=" NO_REQS_LUKS2_HEADER " of=" NO_REQS_LUKS2_HEADER " bs=4096 2>/dev/null", 1));
+ OK_(_system("dd if=" NO_REQS_LUKS2_HEADER " of=" DMDIR L_DEVICE_OK " bs=1M count=4 oflag=direct 2>/dev/null", 1));
+@@ -2863,7 +2853,7 @@ static void Luks2Flags(void)
+ struct crypt_device *cd;
+ uint32_t flags = 42;
+
+- OK_(crypt_init(&cd, DEVICE_1));
++ OK_(crypt_init(&cd, DEVICE_2));
+ OK_(crypt_load(cd, CRYPT_LUKS2, NULL));
+
+ /* check library erase passed variable on success when no flags set */
+diff -rupN cryptsetup-2.0.4.old/tests/Makefile.am cryptsetup-2.0.4/tests/Makefile.am
+--- cryptsetup-2.0.4.old/tests/Makefile.am 2018-08-08 14:05:02.008387808 +0200
++++ cryptsetup-2.0.4/tests/Makefile.am 2018-08-08 14:05:35.944311818 +0200
+@@ -80,7 +80,7 @@ api_test_CPPFLAGS = $(AM_CPPFLAGS) -incl
+ api_test_2_SOURCES = api-test-2.c api_test.h test_utils.c
+ api_test_2_LDADD = ../libcryptsetup.la
+ api_test_2_LDFLAGS = $(AM_LDFLAGS) -static
+-api_test_2_CFLAGS = -g -Wall -O0 $(AM_CFLAGS) -I$(top_srcdir)/lib/ -I$(top_srcdir)/lib/luks1
++api_test_2_CFLAGS = -g -Wall -O0 $(AM_CFLAGS) -I$(top_srcdir)/lib/ -I$(top_srcdir)/lib/luks1 -I$(top_srcdir)/lib/luks2
+ api_test_2_CPPFLAGS = $(AM_CPPFLAGS) -include config.h
+
+ vectors_test_SOURCES = crypto-vectors.c
+diff -rupN cryptsetup-2.0.4.old/tests/Makefile.in cryptsetup-2.0.4/tests/Makefile.in
+--- cryptsetup-2.0.4.old/tests/Makefile.in 2018-08-08 14:05:02.000387826 +0200
++++ cryptsetup-2.0.4/tests/Makefile.in 2018-08-08 14:08:28.749924872 +0200
+@@ -466,7 +466,7 @@ api_test_CPPFLAGS = $(AM_CPPFLAGS) -incl
+ api_test_2_SOURCES = api-test-2.c api_test.h test_utils.c
+ api_test_2_LDADD = ../libcryptsetup.la
+ api_test_2_LDFLAGS = $(AM_LDFLAGS) -static
+-api_test_2_CFLAGS = -g -Wall -O0 $(AM_CFLAGS) -I$(top_srcdir)/lib/ -I$(top_srcdir)/lib/luks1
++api_test_2_CFLAGS = -g -Wall -O0 $(AM_CFLAGS) -I$(top_srcdir)/lib/ -I$(top_srcdir)/lib/luks1 -I$(top_srcdir)/lib/luks2
+ api_test_2_CPPFLAGS = $(AM_CPPFLAGS) -include config.h
+ vectors_test_SOURCES = crypto-vectors.c
+ vectors_test_LDADD = ../libcrypto_backend.la @CRYPTO_LIBS@ @LIBARGON2_LIBS@
+diff -rupN cryptsetup-2.0.4.old/tests/test_utils.c cryptsetup-2.0.4/tests/test_utils.c
+--- cryptsetup-2.0.4.old/tests/test_utils.c 2018-08-08 14:05:02.008387808 +0200
++++ cryptsetup-2.0.4/tests/test_utils.c 2018-08-08 14:05:35.947311812 +0200
+@@ -118,13 +118,21 @@ void xlog(const char *msg, const char *t
+
+ int t_device_size(const char *device, uint64_t *size)
+ {
++ struct stat st;
+ int devfd, r = 0;
+
+ devfd = open(device, O_RDONLY);
+ if(devfd == -1)
+ return -EINVAL;
+
+- if (ioctl(devfd, BLKGETSIZE64, size) < 0)
++ if (fstat(devfd, &st) < 0) {
++ close(devfd);
++ return -EINVAL;
++ }
++
++ if (S_ISREG(st.st_mode))
++ *size = (uint64_t)st.st_size;
++ else if (ioctl(devfd, BLKGETSIZE64, size) < 0)
+ r = -EINVAL;
+ close(devfd);
+ return r;
diff --git a/SOURCES/cryptsetup-make-reencryption-compat-test2-ready-for-different-L.patch b/SOURCES/cryptsetup-make-reencryption-compat-test2-ready-for-different-L.patch
new file mode 100644
index 0000000..2274f2e
--- /dev/null
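Review bot: In the Luks2HeaderLoad hunk of the api-test-2 patch, `r_header_size_compat - 2` is computed on a `uint64_t` straight after `t_device_size(IMAGE1, ...)`, and with the test_utils.c change in the same patch that call now succeeds for any regular file, including an empty or truncated image. A fixture shorter than two sectors would wrap the subtraction and pass a near-2^64 sector count to `create_dmdevice_over_loop` and into the `dd ... count=` command string. A guard before the first use would make that fail at its cause, for instance `OK_(r_header_size_compat < 2);`, assuming `OK_` asserts a zero result as its use with `strcmp` suggests. Separately, the patch file has no description of why every LUKS2 test moves from `DEVICE_1` to `DEVICE_2`; one line at the top of the patch would document it for the next rebase. Luks2HeaderLoad and the other test functions continue outside their hunks.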
+++ b/SOURCES/cryptsetup-make-reencryption-compat-test2-ready-for-different-L.patch 
@@ -0,0 +1,123 @@
+From 619b533bfbb8e6782687eda9e2ba16fc2f73bd15 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina
+Date: Tue, 7 Aug 2018 10:17:31 +0200
+Subject: [PATCH 5/7] Make reencryption-compat-test2 ready for different LUKS2
+ hdr size.
+
+---
+ tests/reencryption-compat-test2 | 40 +++++++++++++++++++++++++++++----------
+ 1 file changed, 29 insertions(+), 11 deletions(-)
+
+diff --git a/tests/reencryption-compat-test2 b/tests/reencryption-compat-test2
+index 411df1f..9656c7b 100755
+--- a/tests/reencryption-compat-test2
++++ b/tests/reencryption-compat-test2
+@@ -19,6 +19,10 @@ PWD3="1-9Qu5Ejfnqv"
+ MNT_DIR=./mnt_luks
+ START_DIR=$(pwd)
+
++# FIXME: we need some sane API to get this information. This is hack.
++LUKS2_HDR_DEFAULT_LEN=$(grep -e "#define LUKS2_HDR_DEFAULT_LEN" ../lib/luks2/luks2.h | cut -d ' ' -f 3)
++LUKS2_HDR_DEFAULT_LEN_SECTORS=$((LUKS2_HDR_DEFAULT_LEN/512))
++
+ function dm_crypt_features()
+ {
+ local VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
+@@ -48,6 +52,7 @@ function remove_mapping()
+ umount $MNT_DIR > /dev/null 2>&1
+ rmdir $MNT_DIR > /dev/null 2>&1
+ del_scsi_device
++ test -z "$TMP_LOOP" || losetup -d "$TMP_LOOP"
+ }
+
+ function fail()
+@@ -113,9 +118,21 @@ function prepare() # $1 dev1_siz
+ fi
+ }
+
+-function check_hash_dev() # $1 dev, $2 hash
++function check_hash_dev() # $1 dev, $2 hash, [$3 optional max size in KiBs]
+ {
+- HASH=$(sha256sum $1 | cut -d' ' -f 1)
++ local _dev=$1
++ if [ $# -gt 2 ]; then
++ _dev=$(losetup -f)
++ losetup -f --sizelimit $3K $1 || fail
++ TMP_LOOP=$_dev
++ test -b $TMP_LOOP || fail
++ fi
++
++ HASH=$(sha256sum $_dev | cut -d' ' -f 1)
++ test -b "$TMP_LOOP" && {
++ losetup -d "$TMP_LOOP"
++ unset TMP_LOOP
++ }
+ [ $HASH != "$2" ] && fail "HASH differs ($HASH)"
+ }
+
+@@ -218,7 +235,7 @@ HASH5=bb9f8df61474d25e71fa00722318cd387396ca1736605e1248821cc0de3d3af8
+ HASH6=4d9cbaf3aa0935a8c113f139691b3daf9c94c8d6c278aedc8eec66a4b9f6c8ae
+
+ echo "[1] Reencryption"
+-prepare 8192
++prepare $((4096+LUKS2_HDR_DEFAULT_LEN_SECTORS/2))
+ echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 -s 128 -c aes-cbc-plain $FAST_PBKDF_ARGON --align-payload 4096 $IMG || fail
+ wipe $PWD1
+ check_hash $PWD1 $HASH5
+@@ -260,9 +277,9 @@ $CRYPTSETUP luksDump $IMG | grep -q "luks2" > /dev/null || fail
+
+ echo "[4] Encryption of not yet encrypted device"
+ # well, movin' zeroes :-)
+-OFFSET=8192 # default LUKS2 header size
+-prepare 8192
+-check_hash_dev $IMG $HASH4
++OFFSET=$LUKS2_HDR_DEFAULT_LEN_SECTORS # default LUKS2 header size
++prepare $((4096+$OFFSET/2)) # in KiBs
++check_hash_dev $IMG $HASH4 8192
+ echo $PWD1 | $REENC --type luks2 $IMG -c aes-cbc-essiv:sha256 -s 128 --new --reduce-device-size "$OFFSET"S -q $FAST_PBKDF_ARGON
+ check_hash $PWD1 $HASH5
+ $CRYPTSETUP luksDump $IMG | grep -q "luks2" > /dev/null || fail
+@@ -299,11 +316,11 @@ echo -e "$PWD2\n$PWD1\n$PWD2\n$PWD1\n$PWD2\n$PWD1\n$PWD2\n$PWD3" | $REENC -q $IM
+ check_slot 0 1 2 3 4 5 6 22 || fail "All keyslots expected to be enabled"
+
+ echo "[7] Reencryption of block devices with different block size"
+-add_scsi_device sector_size=512 dev_size_mb=8
++add_scsi_device sector_size=512 dev_size_mb=16
+ simple_scsi_reenc "[512 sector]"
+-add_scsi_device sector_size=4096 dev_size_mb=8
++add_scsi_device sector_size=4096 dev_size_mb=16
+ simple_scsi_reenc "[4096 sector]"
+-add_scsi_device sector_size=512 physblk_exp=3 dev_size_mb=8
++add_scsi_device sector_size=512 physblk_exp=3 dev_size_mb=16
+ simple_scsi_reenc "[4096/512 sector]"
+ echo "[OK]"
+
+@@ -350,7 +367,7 @@ echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $IMG || fa
+ wipe $PWD1
+ check_hash $PWD1 $HASH5
+ echo $PWD1 | $REENC $IMG -q --decrypt
+-check_hash_dev $IMG $HASH4
++check_hash_dev $IMG $HASH4 8192
+
+ echo "[11] Reencryption with tokens"
+ echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $IMG || fail
+@@ -403,7 +420,7 @@ $CRYPTSETUP isLuks $IMG_HDR || fail
+ $CRYPTSETUP luksDump $IMG_HDR | grep -q "0: luks2" || fail
+
+ echo "[14] Reencryption with unbound keyslot"
+-prepare 8192
++prepare $((4096+LUKS2_HDR_DEFAULT_LEN_SECTORS/2))
+ echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_ARGON $IMG || fail
+ echo $PWD2 | $CRYPTSETUP -q luksAddKey -S 3 --unbound --key-size 64 $FAST_PBKDF_ARGON $IMG || fail
+ wipe $PWD1
+@@ -421,6 +438,7 @@ check_hash $PWD1 $HASH1
+ $CRYPTSETUP -q convert --type luks2 $IMG || fail
+ echo $PWD1 | $REENC $IMG -q $FAST_PBKDF_PBKDF2 || fail
+ check_hash $PWD1 $HASH1
++prepare $((4096+LUKS2_HDR_DEFAULT_LEN_SECTORS/2))
+ echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 $FAST_PBKDF_PBKDF2 $IMG || fail
+ wipe $PWD1
+ check_hash $PWD1 $HASH5
+--
+1.8.3.1
+
diff --git a/SPECS/cryptsetup.spec b/SPECS/cryptsetup.spec
new file mode 100644
index 0000000..d790f01
--- /dev/null
+++ b/SPECS/cryptsetup.spec
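Review bot: The rewritten `check_hash_dev` in tests/reencryption-compat-test2 chooses its loop device in two separate steps, `_dev=$(losetup -f)` followed by `losetup -f --sizelimit $3K $1`, so if anything else attaches a loop device in between, `_dev` and `TMP_LOOP` name a device this script did not set up. The later `sha256sum $_dev` then hashes the wrong data, and `losetup -d "$TMP_LOOP"` (here and in `remove_mapping`) detaches a device belonging to another process while the one actually created is leaked; losetup presumably runs as root here, so that is a real side effect on a shared build host. Let losetup report what it attached instead: `_dev=$(losetup -f --show --sizelimit "${3}K" "$1") || fail`, then `TMP_LOOP=$_dev`. Quoting `"$_dev"` in the `sha256sum` call is worth doing in the same change.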
@@ -0,0 +1,270 @@
+%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
+
+%if 0%{?fedora}
+%if 0%{?fedora} >= 29
+Obsoletes: python2-cryptsetup
+Obsoletes: cryptsetup-python3
+%global python2_enable 0
+%global python3_enable 0
+%else
+%global python2_enable 1
+%global python3_enable 1
+%endif
+%else
+Obsoletes: cryptsetup-python3
+%global python3_enable 0
+%if 0%{?rhel} == 7
+%global python2_enable 1
+%else
+Obsoletes: cryptsetup-python
+Obsoletes: python2-cryptsetup
+%global python2_enable 0
+%endif
+%endif
+
+Summary: A utility for setting up encrypted disks
+Name: cryptsetup
+Version: 2.0.6
+Release: 1%{?dist}
+License: GPLv2+ and LGPLv2+
+Group: Applications/System
+URL: https://gitlab.com/cryptsetup/cryptsetup
+BuildRequires: openssl-devel, popt-devel, device-mapper-devel
+BuildRequires: libuuid-devel, gcc, libblkid-devel
+%if %{python2_enable}
+BuildRequires: python2-devel
+%endif
+%if %{python3_enable}
+BuildRequires: python3-devel
+%endif
+BuildRequires: libpwquality-devel, json-c-devel
+Provides: cryptsetup-luks = %{version}-%{release}
+Obsoletes: cryptsetup-luks < 1.4.0
+Requires: cryptsetup-libs = %{version}-%{release}
+Requires: libpwquality >= 1.2.0
+
+%global upstream_version %{version}
+Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{upstream_version}.tar.xz
+Patch0: %{name}-make-api-test-2-default-LUKS2-hdr-size-aware.patch
+Patch1: %{name}-make-reencryption-compat-test2-ready-for-different-L.patch
+Patch2: %{name}-disable-luks2-integrity-test-until-next-usptream-rel.patch
+Patch3: %{name}-increase-default-LUKS2-header-size-to-8MiBs.patch
+Patch4: %{name}-make-align-test-ready-for-larger-LUKS2-hdr.patch
+# Following patch has to applied last
+Patch5: %{name}-add-system-library-paths.patch
+
+%description
+The cryptsetup package contains a utility for setting up
+disk encryption using dm-crypt kernel module.
+
+%package devel
+Group: Development/Libraries
+Requires: %{name} = %{version}-%{release}
+Requires: pkgconfig
+Summary: Headers and libraries for using encrypted file systems
+Provides: cryptsetup-luks-devel = %{version}-%{release}
+Obsoletes: cryptsetup-luks-devel < 1.4.0
+
+%description devel
+The cryptsetup-devel package contains libraries and header files
+used for writing code that makes use of disk encryption.
+
+%package libs
+Group: System Environment/Libraries
+Summary: Cryptsetup shared library
+Provides: cryptsetup-luks-libs = %{version}-%{release}
+Obsoletes: cryptsetup-luks-libs < 1.4.0
+
+%description libs
+This package contains the cryptsetup shared library, libcryptsetup.
+
+%package -n veritysetup
+Group: Applications/System
+Summary: A utility for setting up dm-verity volumes
+Requires: cryptsetup-libs = %{version}-%{release}
+
+%description -n veritysetup
+The veritysetup package contains a utility for setting up
+disk verification using dm-verity kernel module.
+
+%package -n integritysetup
+Group: Applications/System
+Summary: A utility for setting up dm-integrity volumes
+Requires: cryptsetup-libs = %{version}-%{release}
+
+%description -n integritysetup
+The integritysetup package contains a utility for setting up
+disk integrity protection using dm-integrity kernel module.
+
+%package reencrypt
+Group: Applications/System
+Summary: A utility for offline reencryption of LUKS encrypted disks.
+Requires: cryptsetup-libs = %{version}-%{release}
+
+%description reencrypt
+This package contains cryptsetup-reencrypt utility which
+can be used for offline reencryption of disk in situ.
+
+%if %{python2_enable}
+%package -n python2-cryptsetup
+Group: System Environment/Libraries
+Summary: Python bindings for libcryptsetup
+Requires: %{name}-libs = %{version}-%{release}
+%{?python_provide:%python_provide python2-cryptsetup}
+# Remove before F30
+Provides: %{name}-python = %{version}-%{release}
+Provides: %{name}-python%{?_isa} = %{version}-%{release}
+Obsoletes: %{name}-python < %{version}-%{release}
+Obsoletes: python-cryptsetup < 1.4.0
+
+%description -n python2-cryptsetup
+This package provides Python bindings for libcryptsetup, a library
+for setting up disk encryption using dm-crypt kernel module.
+%endif
+
+%if %{python3_enable}
+%package python3
+Group: System Environment/Libraries
+Summary: Python3 bindings for libcryptsetup
+Requires: %{name}-libs = %{version}-%{release}
+Provides: python3-cryptsetup = %{version}-%{release}
+
+%description python3
+This package provides Python bindings for libcryptsetup, a library
+for setting up disk encryption using dm-crypt kernel module.
+%endif
+
+%prep
+%setup -q -n cryptsetup-%{upstream_version}
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+chmod -x python/pycryptsetup-test.py
+chmod -x misc/dracut_90reencrypt/*
+
+# copy the whole directory for the python3 build
+%if %{python3_enable}
+cp -a .
%{py3dir}
+%endif
+
+%build
+%if %{python2_enable} || %{python3_enable}
+%configure --enable-python --enable-fips --enable-pwquality --enable-internal-sse-argon2 --with-crypto_backend=openssl --with-default-luks-format=LUKS2
+%else
+%configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --with-crypto_backend=openssl --with-default-luks-format=LUKS2
+%endif
+make %{?_smp_mflags}
+
+%if %{python3_enable}
+pushd %{py3dir}
+%configure --enable-python --with-python_version=3 --enable-fips --enable-pwquality --enable-internal-sse-argon2 --with-crypto_backend=openssl --with-default-luks-format=LUKS2
+make %{?_smp_mflags}
+popd
+%endif
+
+%install
+make install DESTDIR=%{buildroot}
+rm -rf %{buildroot}/%{_libdir}/*.la
+
+%if %{python3_enable}
+pushd %{py3dir}
+make install DESTDIR=%{buildroot}
+rm -rf %{buildroot}/%{_libdir}/*.la
+popd
+%endif
+%find_lang cryptsetup
+
+%post -n cryptsetup-libs -p /sbin/ldconfig
+
+%postun -n cryptsetup-libs -p /sbin/ldconfig
+
+%files
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%doc AUTHORS FAQ docs/*ReleaseNotes
+%{_mandir}/man8/cryptsetup.8.gz
+%{_sbindir}/cryptsetup
+
+%files -n veritysetup
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%{_mandir}/man8/veritysetup.8.gz
+%{_sbindir}/veritysetup
+
+%files -n integritysetup
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%{_mandir}/man8/integritysetup.8.gz
+%{_sbindir}/integritysetup
+
+%files reencrypt
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%doc misc/dracut_90reencrypt
+%{_mandir}/man8/cryptsetup-reencrypt.8.gz
+%{_sbindir}/cryptsetup-reencrypt
+
+%files devel
+%doc docs/examples/*
+%{_includedir}/libcryptsetup.h
+%{_libdir}/libcryptsetup.so
+%{_libdir}/pkgconfig/libcryptsetup.pc
+
+%files libs -f cryptsetup.lang
+%{!?_licensedir:%global license %%doc}
+%license COPYING COPYING.LGPL
+%{_libdir}/libcryptsetup.so.*
+%{_tmpfilesdir}/cryptsetup.conf
+%ghost %attr(700, -, -) %dir /run/cryptsetup
+
+%if
%{python2_enable}
+%files -n python2-cryptsetup
+%{!?_licensedir:%global license %%doc}
+%license COPYING.LGPL
+%doc python/pycryptsetup-test.py
+%exclude %{python_sitearch}/pycryptsetup.la
+%{python_sitearch}/pycryptsetup.so
+%endif
+
+%if %{python3_enable}
+%files python3
+%{!?_licensedir:%global license %%doc}
+%license COPYING.LGPL
+%doc python/pycryptsetup-test.py
+%exclude %{python3_sitearch}/pycryptsetup.la
+%{python3_sitearch}/pycryptsetup.so
+%endif
+
+%clean
+
+%changelog
+* Mon Dec 03 2018 Ondrej Kozina - 2.0.6-1
+- Update to cryptsetup 2.0.6
+- Enables all supported metadata sizes in LUKS2 validation code.
+- Resolves: #1653383
+
+* Fri Aug 10 2018 Ondrej Kozina - 2.0.4-2
+- patch: fix device alignment bug when processing hinted
+ value by device topology info.
+- Resolves: #1614219
+
+* Wed Aug 08 2018 Ondrej Kozina - 2.0.4-1
+- Update to cryptsetup 2.0.4.
+- patch: Add RHEL system library paths in configure.
+- patch: Increase default LUKS2 header size to 8 MiBs.
+- patch: update tests to be compatible with larger headers.
+- Set default format to LUKS2.
+- Cleanup changelog.
+- Resolves: #1564540 #1595257 #1595266 #1595881 #1600164
+
+* Fri May 04 2018 Ondrej Kozina - 2.0.3-1
+- Update to cryptsetup 2.0.3.
+
+* Tue Mar 27 2018 Björn Esser - 2.0.2-2
+- Rebuilt for libjson-c.so.4 (json-c v0.13.1) on fc28
+
+* Wed Mar 07 2018 Milan Broz - 2.0.2-1
+- Update to cryptsetup 2.0.2.
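Review bot: `Source0` is unpacked by `%setup` in `%prep` with no signature check, so the only integrity pin visible on this page is the 40-hex digest in `.cryptsetup.metadata`, which by its length looks like SHA-1 and says nothing about who produced the tarball. If upstream publishes a detached signature for the release, I would carry it and the signing key as additional `Source` entries and verify them at the top of `%prep` before `%setup`. At minimum, record the procedure next to the source line, e.g. `# Verify the upstream release signature before updating the checksum in .cryptsetup.metadata`. Separately, four of the six patches (Patch0, Patch1, Patch2 and Patch4, judging by their names) adjust the test suite, yet the spec has no `%check` section, so nothing in this build appears to exercise the downstream header-size change from Patch3.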