Rebase to 2.7.2
- Resolves: RHEL-33395
This commit is contained in:
Daniel Zatovic
parent
d65e6f1354
commit
42c9648451
@ -1,61 +0,0 @@
|
||||
From b417154e71b571607513a768b3cb8e4587f00ba8 Mon Sep 17 00:00:00 2001
|
||||
From: Milan Broz <gmazyland@gmail.com>
|
||||
Date: Fri, 9 Feb 2024 12:37:10 +0100
|
||||
Subject: [PATCH] Fix configure Argon2 OpenSSL detection to not compile
|
||||
internal Argon2.
|
||||
|
||||
Code is not called anyway, but should be completely disabled.
|
||||
Note: there is intentionally no way to disable OpenSSL Argon2 if present.
|
||||
---
|
||||
configure.ac | 4 ++--
|
||||
meson.build | 5 ++++-
|
||||
2 files changed, 6 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 84cef4ba..2e2f7d9e 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -346,7 +346,7 @@ AC_DEFUN([CONFIGURE_OPENSSL], [
|
||||
|
||||
saved_LIBS=$LIBS
|
||||
AC_CHECK_DECLS([OSSL_get_max_threads], [], [], [#include <openssl/thread.h>])
|
||||
- AC_CHECK_DECLS([OSSL_KDF_PARAM_ARGON2_VERSION], [], [], [#include <openssl/core_names.h>])
|
||||
+ AC_CHECK_DECLS([OSSL_KDF_PARAM_ARGON2_VERSION], [use_internal_argon2=0], [], [#include <openssl/core_names.h>])
|
||||
LIBS=$saved_LIBS
|
||||
])
|
||||
|
||||
@@ -523,7 +523,7 @@ AC_ARG_ENABLE([libargon2],
|
||||
|
||||
if test $use_internal_argon2 = 0 -o "x$enable_internal_argon2" = "xno" ; then
|
||||
if test "x$enable_internal_argon2" = "xyes" -o "x$enable_libargon" = "xyes"; then
|
||||
- AC_MSG_WARN([Argon2 in $with_crypto_backend lib is used; internal Argon2 options are ignored.])
|
||||
+ AC_MSG_NOTICE([Argon2 in $with_crypto_backend lib is used; internal Argon2 options are ignored.])
|
||||
fi
|
||||
enable_internal_argon2=no
|
||||
enable_internal_sse_argon2=no
|
||||
diff --git a/meson.build b/meson.build
|
||||
index b26c71c4..2aba2f28 100644
|
||||
--- a/meson.build
|
||||
+++ b/meson.build
|
||||
@@ -512,6 +512,9 @@ elif get_option('crypto-backend') == 'openssl'
|
||||
conf.set10('HAVE_DECL_OSSL_KDF_PARAM_ARGON2_VERSION',
|
||||
cc.has_header_symbol('openssl/core_names.h', 'OSSL_KDF_PARAM_ARGON2_VERSION',
|
||||
dependencies: crypto_backend_library))
|
||||
+ if conf.get('HAVE_DECL_OSSL_KDF_PARAM_ARGON2_VERSION') == 1
|
||||
+ use_internal_argon2 = false
|
||||
+ endif
|
||||
elif get_option('crypto-backend') == 'nss'
|
||||
if get_option('fips')
|
||||
error('nss crypto backend is not supported with FIPS enabled')
|
||||
@@ -560,7 +563,7 @@ threads = []
|
||||
use_internal_sse_argon2 = false
|
||||
if not use_internal_argon2 or get_option('argon-implementation') == 'none'
|
||||
if get_option('argon-implementation') == 'internal' or get_option('argon-implementation') == 'libargon2'
|
||||
- warning('Argon2 in crypto library is used; internal Argon2 options are ignored.')
|
||||
+ message('Argon2 in crypto library is used; internal Argon2 options are ignored.')
|
||||
endif
|
||||
conf.set10('USE_INTERNAL_ARGON2', false,
|
||||
description: 'Use internal Argon2.')
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@ -0,0 +1,40 @@
|
||||
From 293abb5435e2b4bec7f8333fb11c88d5c1f45800 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Mon, 5 Dec 2022 13:35:24 +0100
|
||||
Subject: [PATCH 3/3] Add FIPS related error message in keyslot add code.
|
||||
|
||||
Add hints on what went wrong when creating new LUKS
|
||||
keyslots. The hint is printed only in FIPS mode and
|
||||
when pbkdf2 failed with passphrase shorter than 8
|
||||
bytes.
|
||||
---
|
||||
lib/luks1/keymanage.c | 5 ++++-
|
||||
lib/luks2/luks2_keyslot_luks2.c | 2 ++
|
||||
2 files changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
Index: cryptsetup-2.7.2/lib/luks1/keymanage.c
|
||||
===================================================================
|
||||
--- cryptsetup-2.7.2.orig/lib/luks1/keymanage.c
|
||||
+++ cryptsetup-2.7.2/lib/luks1/keymanage.c
|
||||
@@ -926,6 +926,8 @@ int LUKS_set_key(unsigned int keyIndex,
|
||||
derived_key->key, hdr->keyBytes,
|
||||
hdr->keyblock[keyIndex].passwordIterations, 0, 0);
|
||||
if (r < 0) {
|
||||
+ if (crypt_fips_mode() && passwordLen < 8)
|
||||
+ log_err(ctx, _("Invalid passphrase for PBKDF2 in FIPS mode."));
|
||||
if ((crypt_backend_flags() & CRYPT_BACKEND_PBKDF2_INT) &&
|
||||
hdr->keyblock[keyIndex].passwordIterations > INT_MAX)
|
||||
log_err(ctx, _("PBKDF2 iteration value overflow."));
|
||||
Index: cryptsetup-2.7.2/lib/luks2/luks2_keyslot_luks2.c
|
||||
===================================================================
|
||||
--- cryptsetup-2.7.2.orig/lib/luks2/luks2_keyslot_luks2.c
|
||||
+++ cryptsetup-2.7.2/lib/luks2/luks2_keyslot_luks2.c
|
||||
@@ -269,6 +269,8 @@ static int luks2_keyslot_set_key(struct
|
||||
pbkdf.iterations > INT_MAX)
|
||||
log_err(cd, _("PBKDF2 iteration value overflow."));
|
||||
crypt_free_volume_key(derived_key);
|
||||
+ if (crypt_fips_mode() && passwordLen < 8 && !strcmp(pbkdf.type, "pbkdf2"))
|
||||
+ log_err(cd, _("Invalid passphrase for PBKDF2 in FIPS mode."));
|
||||
return r;
|
||||
}
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
Summary: Utility for setting up encrypted disks
|
||||
Name: cryptsetup
|
||||
Version: 2.7.0
|
||||
Release: 2%{?dist}
|
||||
Version: 2.7.2
|
||||
Release: 1%{?dist}
|
||||
License: GPL-2.0-or-later WITH cryptsetup-OpenSSL-exception AND LGPL-2.1-or-later WITH cryptsetup-OpenSSL-exception
|
||||
URL: https://gitlab.com/cryptsetup/cryptsetup
|
||||
BuildRequires: autoconf, automake, libtool, gettext-devel,
|
||||
@ -18,7 +18,8 @@ Provides: %{name}-reencrypt = %{version}
|
||||
%global upstream_version %{version_no_tilde}
|
||||
Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-%{upstream_version}.tar.xz
|
||||
|
||||
Patch0: %{name}-2.7.1-Fix-configure-Argon2-OpenSSL-detection-to-not-compil.patch
|
||||
# Following patch has to applied last
|
||||
Patch9999: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch
|
||||
|
||||
%description
|
||||
The cryptsetup package contains a utility for setting up
|
||||
@ -119,6 +120,10 @@ rm -rf %{buildroot}%{_libdir}/%{name}/*.la
|
||||
%{_sbindir}/cryptsetup-ssh
|
||||
|
||||
%changelog
|
||||
* Tue Apr 30 2024 Daniel Zatovic <dzatovic@redhat.com> - 2.7.2-1
|
||||
- Update to cryptsetup 2.7.2
|
||||
- Resolves: RHEL-33395
|
||||
|
||||
* Fri Feb 09 2024 Ondrej Kozina <okozina@redhat.com> - 2.7.0-2
|
||||
- Rebuild for OpenSSL Argon2 implementation (OpenSSL 3.2)
|
||||
- patch: Do not compile unused internal argon2 implementation
|
||||
|
||||
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (cryptsetup-2.7.0.tar.xz) = 2654da50920eecbdb3457f8ee2aeed731175574eeb55c1f4b2ddf3c4b3632842b54db1af007057ffd19e6a9bfdc6d471cea77509aec127c07a2f2311e33ab21e
|
||||
SHA512 (cryptsetup-2.7.2.tar.xz) = 06f42f443b91d1f8af8af999dfedd4051ecb12ba5ef291cf2b44b6a5676e2c5cf1e686e19687f5cb6b1fd524dfc1a208cd25a3798367a480d80eac954aa8d6d4
|
||||
|
||||
Loading…
Reference in New Issue
Block a user