diff --git a/.gitignore b/.gitignore index c4585c3..e784048 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ -/cryptsetup-2.7.0.tar.xz -/cryptsetup-2.7.3.tar.xz +/cryptsetup-2.7.5.tar.xz diff --git a/cryptsetup-2.7.0.tar.sign b/cryptsetup-2.7.0.tar.sign deleted file mode 100644 index bb86ed0..0000000 --- a/cryptsetup-2.7.0.tar.sign +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAmWw5zoACgkQ2bBXe9k+ -mPztwhAAh8ieUWCcw7WwW4lc00ZH77sLc7Ro5J2/0ZAg/HpowOqGqhzJQZ+KJdeF -b6mebw7mKq4PHyzUS7Rba4wQiVEUD2kAQuoyXZJljsxegFOc1LxL/DSOCt7IFJyc -WB+525kPoRrpBWJhGXMn4OcVaelmIJAgDFHcYAccJJTKNgPjDrivpkTAxUsfdTTf -a1F/4I2o7eP5zkWkPqqQIvXzlwQnfD5ulZvnJ30t8E/07CZJ5Hf9iLRa6vruo7Rg -8cJHcOu4MhjuMu+oDvuefj8hM4FyfLU+tt0L7Z3iOZXAGffe+iQUQUyChvN/waEI -R8mpdc89amTHkMTCjYOo2X4sAH9a7mo5L2v+rm5NTZTZn53Gy1Ytbzy2agXY+ebf -DeKTVL3KTMe6KvQUfIqMSrM9oub6o8JDfO+0La9GSkNU/1VvHU5LK3FIomuP8Top -BPfdL8IxSgIityBbby1ZQD97aIgzPZkGsC7/5bVY7mj/LUZxJK61p49U0dlolwss -uzJarjAtDY0iNCfOv/AKZGnVzHAc2cEmVKJ6X243h2NRB5z1snFP8lDtB2AIdcUf -0vEZz1HcwW1de1C0jjQsf9elkeVJfrsFhRhRrEEiHyplR3/uaVwUtrDGOxPsRE+J -SE2sSfURqQPuBKeTO/ymVDt7G0iPd8Ts/BOhQYTn94rsjhONiz8= -=6sya ------END PGP SIGNATURE----- diff --git a/cryptsetup-2.7.5.tar.sign b/cryptsetup-2.7.5.tar.sign new file mode 100644 index 0000000..cc00fa3 --- /dev/null +++ b/cryptsetup-2.7.5.tar.sign @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAmbW3FUACgkQ2bBXe9k+ +mPwFbA//ZmEE58/+S4mDszoVeBtJAZDpSd0UBm+R6JTqNjwGSQw2KQbRW+qXLWIj +EUKd/xtW8iSDh+cqKFO12RN7BTHMHePt+qB8aw3L1WWbj2rQfLbEv+dQMg36Rweu +AZMR69PDhD8JX2xVV2nD/rrQFHoNfKT9od83QHmaK/knwOvd7ZHJ2sOyMmZvCNE8 +N8/454ERiT8W9hnHxWjsGtkzr81ucGpjbZDYlINaeD728QR64HDHnAkReAHegJt8 +uAejzAz+BGNkSkUFeRLP+3zOYUKBW6Ex/OIBQ4m+rrAR/b3TVNwGPUUAbelHZJWN ++jf+aPzo4Vv1v+Hl92CEbq29czpHyaLRrRNdhs57no7XdUkivJ+gdhr51xjaV9Zq +HnANYLVT+O/PPfFaALg1Qp5hfmhVCaVPLK05ug2qj9jVF0jIahvQsEzq1YfLiZNT +8UtAnV8ULA83GZlh1MDsuEp5815CKjs5dzpUpobStsVIZ6lkHabEFRfxr2Ae+7lw +veqmpNLN1K5+yXA1L8e9BtoxRxeczIS3ImPlYvojpCFgkamwXPqCoI4wVOCbG/Pu +5L1uDk1TAHEgmf4Iy31bPKLDQcv16aLV5S/w4fCWtybbBasax7qNqKTBAIZQp7o2 +C1hkxCcRxaNyMwEoof9myMjv9fn/0xidJ14GlgXpeANbq9jtXQo= +=S6/S +-----END PGP SIGNATURE----- diff --git a/cryptsetup-Enable-to-use-Argon2-in-FIPS-with-openssl-backend.patch b/cryptsetup-Enable-to-use-Argon2-in-FIPS-with-openssl-backend.patch new file mode 100644 index 0000000..d4ff3f5 --- /dev/null +++ b/cryptsetup-Enable-to-use-Argon2-in-FIPS-with-openssl-backend.patch @@ -0,0 +1,42 @@ +From cfd043f6f0527407c57fb5a2735ee8e22c070cd7 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Wed, 28 Aug 2024 17:06:12 +0200 +Subject: [PATCH 09/10] Enable to use Argon2 in FIPS with openssl backend. + +This patch is required to read existing LUKS2 +keyslots created with Argon2 KDF before the system +got switched in FIPS mode. Creating new keyslots using +Argon2 was already blocked elsewhere and before this patch. +--- + lib/crypto_backend/crypto_openssl.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/lib/crypto_backend/crypto_openssl.c b/lib/crypto_backend/crypto_openssl.c +index 9f1be9e0..07c133b0 100644 +--- a/lib/crypto_backend/crypto_openssl.c ++++ b/lib/crypto_backend/crypto_openssl.c +@@ -611,13 +611,20 @@ static int openssl_argon2(const char *type, const char *password, size_t passwor + OSSL_PARAM_uint(OSSL_KDF_PARAM_THREADS, &threads), + OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_LANES, ¶llel), + OSSL_PARAM_uint32(OSSL_KDF_PARAM_ARGON2_MEMCOST, &memory), ++ /* to allow fetching blake2 in FIPS mode in later KDF_derive routine */ ++ OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_PROPERTIES, "-fips", 0), + OSSL_PARAM_END + }; + + if (OSSL_get_max_threads(ossl_ctx) == 0) + threads = 1; + +- argon2 = EVP_KDF_fetch(ossl_ctx, type, NULL); ++ /* ++ * '-fips' skips fips provider for Argon2 variants implementations. ++ * We need it to be able to read existing keyslots in FIPS mode. ++ * Writing new Argon2 enabled keyslots in FIPS mode is blocked elsewhere. ++ */ ++ argon2 = EVP_KDF_fetch(ossl_ctx, type, "-fips"); + if (!argon2) + return -EINVAL; + +-- +2.46.0 + diff --git a/cryptsetup-Warn-if-Argon2-keyslot-is-unlocked-in-FIPS-mode.patch b/cryptsetup-Warn-if-Argon2-keyslot-is-unlocked-in-FIPS-mode.patch new file mode 100644 index 0000000..c5cd8a1 --- /dev/null +++ b/cryptsetup-Warn-if-Argon2-keyslot-is-unlocked-in-FIPS-mode.patch @@ -0,0 +1,37 @@ +From f903ddcf447474fda1a036584b550d12dd620a73 Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Thu, 29 Aug 2024 15:31:08 +0200 +Subject: [PATCH 10/10] Warn if Argon2 keyslot is unlocked in FIPS mode. + +--- + lib/luks2/luks2_keyslot.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/luks2/luks2_keyslot.c b/lib/luks2/luks2_keyslot.c +index bb9d4537..2f979d81 100644 +--- a/lib/luks2/luks2_keyslot.c ++++ b/lib/luks2/luks2_keyslot.c +@@ -573,6 +573,7 @@ int LUKS2_keyslot_open(struct crypt_device *cd, + { + struct luks2_hdr *hdr; + int r_prio, r = -EINVAL; ++ struct crypt_pbkdf_type pbkdf; + + hdr = crypt_get_hdr(cd, CRYPT_LUKS2); + if (!hdr) +@@ -599,7 +600,11 @@ int LUKS2_keyslot_open(struct crypt_device *cd, + log_err(cd, _("Not enough available memory to open a keyslot.")); + else if (r != -EPERM && r != -ENOENT) + log_err(cd, _("Keyslot open failed.")); +- } ++ } else if (crypt_fips_mode() && !LUKS2_keyslot_pbkdf(hdr, r, &pbkdf) && ++ !strncmp(pbkdf.type, "argon2", 6)) ++ log_err(cd, "The %s KDF used in keyslot %d is not FIPS compliant.\n" ++ "Please refer to cryptsetup-luksConvertKey(8) man page to switch it to pbkdf2.", ++ pbkdf.type, r); + + return r; + } +-- +2.46.0 + diff --git a/cryptsetup.spec b/cryptsetup.spec index c3dcfcd..d3c5a2a 100644 --- a/cryptsetup.spec +++ b/cryptsetup.spec @@ -1,7 +1,7 @@ Summary: Utility for setting up encrypted disks Name: cryptsetup -Version: 2.7.3 -Release: 2%{?dist} +Version: 2.7.5 +Release: 1%{?dist} License: GPL-2.0-or-later WITH cryptsetup-OpenSSL-exception AND LGPL-2.1-or-later WITH cryptsetup-OpenSSL-exception URL: https://gitlab.com/cryptsetup/cryptsetup BuildRequires: autoconf, automake, libtool, gettext-devel, @@ -19,7 +19,9 @@ Provides: %{name}-reencrypt = %{version} Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-%{upstream_version}.tar.xz # Following patch has to applied last -Patch9999: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch +Patch0001: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch +Patch0002: %{name}-Enable-to-use-Argon2-in-FIPS-with-openssl-backend.patch +Patch0003: %{name}-Warn-if-Argon2-keyslot-is-unlocked-in-FIPS-mode.patch %description The cryptsetup package contains a utility for setting up @@ -107,6 +109,12 @@ rm -rf %{buildroot}%{_libdir}/%{name}/*.la %ghost %attr(700, -, -) %dir /run/cryptsetup %changelog +* Fri Oct 04 2024 Ondrej Kozina - 2.7.5-1 +- Update to cryptsetup 2.7.5 +- patch: Warn if Argon2 keyslot is unlocked in FIPS mode. +- patch: Enable Argon2 in FIPS with openssl backend. +- Resolves: RHEL-57036 RHEL-57037 RHEL-61581 + * Mon Jun 24 2024 Troy Dawson - 2.7.3-2 - Bump release for June 2024 mass rebuild diff --git a/sources b/sources index e325e6f..6411b72 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (cryptsetup-2.7.3.tar.xz) = 08cff21873aeb7cc5b2561abf5d33cdf0fa814eeaabf6a01f858461726ea9faeef651357da33bce7b347ca2f12d6d02bccdb279893f3749cb781ce1fe5c1571c +SHA512 (cryptsetup-2.7.5.tar.xz) = 13eca93cdb00a143d2ca60b6f66ede5adc4072ca0c4bfebd8454a3541e69d269fcdb4afc97ad799e87a999b2bd46c1f31fa924a3d616d72a3337970b1e718d55