120 Commits

Author SHA1 Message Date
Markus Volk 3a71951a5e cryptsetup: fix udev PACKAGECONFIG
This commit removed the lvm2-udevrules package.
[https://git.openembedded.org/meta-openembedded/commit/?h=master-next&id=c37c867e1adddd6fa39cf3f3d4c6688ea6dc825a]

Align accordingly to avoid error at do_rootfs

Error:
 Problem 1: package udisks2-2.10.1-r0.corei7_64 from oe-repo requires libblockdev.so.3()(64bit), but none of the providers can be installed
  - package udisks2-2.10.1-r0.corei7_64 from oe-repo requires libbd_utils.so.3()(64bit), but none of the providers can be installed
  - package udisks2-2.10.1-r0.corei7_64 from oe-repo requires libblockdev >= 3.2.0, but none of the providers can be installed
  - package gvfs-1.56.0-r0.corei7_64 from oe-repo requires udisks2, but none of the providers can be installed
  - package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12()(64bit), but none of the providers can be installed
  - package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12(CRYPTSETUP_2.0)(64bit), but none of the providers can be installed
  - package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12(CRYPTSETUP_2.4)(64bit), but none of the providers can be installed
  - package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12(CRYPTSETUP_2.7)(64bit), but none of the providers can be installed
  - package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires cryptsetup >= 2.7.5, but none of the providers can be installed
  - conflicting requests
  - nothing provides lvm2-udevrules needed by cryptsetup-2.7.5-r0.corei7_64 from oe-repo
 Problem 2: package gvfs-1.56.0-r0.corei7_64 from oe-repo requires udisks2, but none of the providers can be installed
  - package udisks2-2.10.1-r0.corei7_64 from oe-repo requires libblockdev.so.3()(64bit), but none of the providers can be installed
  - package udisks2-2.10.1-r0.corei7_64 from oe-repo requires libbd_utils.so.3()(64bit), but none of the providers can be installed
  - package udisks2-2.10.1-r0.corei7_64 from oe-repo requires libblockdev >= 3.2.0, but none of the providers can be installed
  - package gvfsd-trash-1.56.0-r0.corei7_64 from oe-repo requires libgvfscommon.so()(64bit), but none of the providers can be installed
  - package gvfsd-trash-1.56.0-r0.corei7_64 from oe-repo requires libgvfsdaemon.so()(64bit), but none of the providers can be installed
  - package gvfsd-trash-1.56.0-r0.corei7_64 from oe-repo requires gvfs >= 1.56.0, but none of the providers can be installed
  - package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12()(64bit), but none of the providers can be installed
  - package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12(CRYPTSETUP_2.0)(64bit), but none of the providers can be installed
  - package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12(CRYPTSETUP_2.4)(64bit), but none of the providers can be installed
  - package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12(CRYPTSETUP_2.7)(64bit), but none of the providers can be installed
  - package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires cryptsetup >= 2.7.5, but none of the providers can be installed
  - conflicting requests
  - nothing provides lvm2-udevrules needed by cryptsetup-2.7.5-r0.corei7_64 from oe-repo
(try to add '--skip-broken' to skip uninstallable packages)

Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1ca8df16af)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-11-19 13:13:28 -08:00
Yi Zhao cf174f190d cryptsetup: upgrade 2.7.4 -> 2.7.5
Release Notes:
https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/v2.7.5-ReleaseNotes

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-04 15:34:53 -07:00
Khem Raj 6bff9188c7 botan: Make it reproducible
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-08-15 23:20:05 -07:00
Wang Mingyu a403ed1c3e cryptsetup: upgrade 2.7.3 -> 2.7.4
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-08-09 14:25:12 -07:00
Wang Mingyu ed2c9d24a5 botan: upgrade 3.4.0 -> 3.5.0
License-Update: Copyright year updated to 2024.

Changelog:
==========
* CVE-2024-34702: Fix a DoS caused by excessive name constraints.
* CVE-2024-39312: Fix a name constraint processing error, where if
  permitted and excluded rules both applied to a certificate, only the
  permitted rules would be checked.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-07-15 16:36:10 -07:00
Wang Mingyu 7916a5c55a cryptsetup: upgrade 2.7.2 -> 2.7.3
Changelog:
============
* Do not allow formatting LUKS2 with Opal SED (hardware encryption)
* Fixes to wiping LUKS2 headers after Opal locking area erase.
* Mention the need for possible PSID revert before Opal format for some
  drives (man page).
* Fix Bitlocker-compatible code to ignore newly seen metadata entries.
* Fix interactive query retry if LUKS2 unbound keyslot is present.
* Detect unsupported zoned devices for LUKS header devices.
* Allow "capi" cipher format for benchmark command and fix parsing
  of plain IV in "capi" format.
* Add support for HCTR2 encryption mode.
* Source code now uses SPDX license identifiers instead of full
  license preambles.
* Fix missing includes for cryptographic backend that could cause
  compilation errors for some systems.
* Fix tests to work correctly in FIPS mode with recent OpenSSL 3.2.
* Fix various (mostly false positive) issues detected by Coverity.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-06-27 09:18:49 -07:00
Wang Mingyu 2d78fc2010 libsodium: upgrade 1.0.19 -> 1.0.20
License-Update: Copyright year updated to 2024.

0001-fix-aarch64-Move-target-pragma-after-arm_neon.h-incl.patch
removed since it's included in 1.0.20

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-06-07 09:11:58 -07:00
Wang Mingyu b2aea7bec1 botan: upgrade 3.2.0 -> 3.4.0
Changelog:
============
- Add Ed448 signatures and X448 key exchange
- X.509 certificate verification now can optionally ignore the expiration date of root certificates.
- Support for "hybrid" EC point encoding is now deprecated.
- Support for creating EC_Group objects with parameters larger than 521 bits is now deprecated
- Add new build options to disable deprecated features, and to enable experimental features.
- Fix a bug affecting use of SIV and CCM ciphers in the FFI interface.
- Add new FFI interface botan_cipher_requires_entire_message
- Internal refactorings of the mp layer to support a new elliptic curve library.
- Use a new method for constant time division in Kyber to avoid a possible side channel where the compiler inserts use of a variable time division.
- Refactor test RNG usage to improve reproducibility.
- Add std::span interfaces to BigInt
- Refactorings and improvements to low level load/store utility functions.
- Fix the amalgamation build on ARM64
- Add Mac ARM based CI build
- Fix a thread serialization bug that caused sporadic test failures.
- Update GH Actions to v4
- Add examples of password based encryption and HTTPS+ASIO client.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-06-07 09:11:55 -07:00
Wang Mingyu c7a2dde455 cryptsetup: upgrade 2.7.1 -> 2.7.2
Changelog:
==========
* Fix activation of OPAL-only encrypted LUKS device with tokens.
* Fix formatting of OPAL devices with 4096-byte sector size.
* Fix incorrect OPAL locking range alignment calculation if used
  over an unaligned device partition.
* Add --hw-opal-factory-reset option description to the manual page.
* Do not check the passphrase quality for OPAL Admin PIN,
  as this passphrase already exists.
* Update license for FAQ document to CC BY-SA 4.0.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-04-17 23:47:23 -07:00
Yi Zhao 4aa939bfe9 cryptsetup: upgrade 2.7.0 -> 2.7.1
Cryptsetup 2.7.1 Release Notes
==============================
Stable bug-fix release with minor extensions.

Changes since version 2.7.0
* Fix interrupted LUKS1 decryption resume.
  With the replacement of the cryptsetup-reencrypt tool by the cryptsetup
  reencrypt command, resuming the interrupted LUKS1 decryption operation
  could fail. LUKS2 was not affected.

* Allow --link-vk-to-keyring with --test-passphrase option.
  This option allows uploading the volume key in a user-specified kernel
  keyring without activating the device.

* Fix crash when --active-name was used in decryption initialization.

* Updates and changes to man pages, including indentation, sorting options
  alphabetically, fixing mistakes in crypt_set_keyring_to_link, and
  fixing some typos.

* Fix compilation with libargon2 when --disable-internal-argon2 was used.

* Do not require installed argon2.h header and never compile internal
  libargon2 code if the crypto library directly supports Argon2.

* Fixes to regression tests to support older Linux distributions.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-03-10 21:54:07 -07:00
Yi Zhao 228f10be48 cryptsetup: upgrade 2.6.1 -> 2.7.0
Release Notes:
https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/v2.7.0-ReleaseNotes

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-03-01 16:37:55 -08:00
Alexander Stein e569af1ff4 libkcapi: Update HOMEPAGE url
The library's homepage url has changed.

Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-02-28 08:01:19 -08:00
Martin Jansa 21f956598d recipes: drop ${SRCPV} usage
* Drop SRCPV similarly like oe-core did in:
  https://git.openembedded.org/openembedded-core/commit/?h=nanbield&id=843f82a246a535c353e08072f252d1dc78217872

* SRCPV is deferred now from PV to PKGV since:
  https://git.openembedded.org/openembedded-core/commit/?h=nanbield&id=a8e7b0f932b9ea69b3a218fca18041676c65aba0

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
2024-02-09 09:52:12 -08:00
alperak 6f7ee19d66 libkcapi: upgrade 1.4.0 -> 1.5.0
License-Update: Copyright years change

Changelog:

    move all sha* applications to the libexec directory to allow them to coexist with other packages sha* applications - the caller is expected to make a symlink to them
    add sha3sum
    add kcapi_md_sha3_* wrapper APIs
    various small fixes

Signed-off-by: alperak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-01-19 09:51:07 -08:00
BELOUARGA Mohamed 205ed387f6 Monocypher: Correct source URI and license
Monocypher has two recipes and a release tarball in home page and in github

Signed-off-by: BELOUARGA Mohamed <m.belouarga@technologyandstrategy.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-01-19 09:51:06 -08:00
Wang Mingyu 7f858e4f54 pkcs11-helper: upgrade 1.29.0 -> 1.30.0
Changelog:
===========
* core: add dynamic loader provider attribute
* openssl: support DSA in libressl-3.5.0
* openssl: fix openssl_ex_data_dup prototype

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-12-18 22:17:19 -08:00
Martin Jansa 0cda5a8fb9 monocypher: pass LIBDIR to fix installed-vs-shipped QA issue with multilib
* fixes:
ERROR: monocypher-4.0.2-r0 do_package: QA Issue: monocypher: Files/directories were installed but not shipped in any package:
  /usr/lib/libmonocypher.so
  /usr/lib/libmonocypher.so.4
  /usr/lib/libmonocypher.a
  /usr/lib/pkgconfig
  /usr/lib/pkgconfig/monocypher.pc
Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
monocypher: 5 installed and not shipped files. [installed-vs-shipped]

this only fixes the above issues, to make it usable with other
libdir values the .pc files would need to be fixed to respect passed
LIBDIR value as well as now they expect just lib:
monocypher.pc:libdir=${exec_prefix}/lib
tests/speed/libhydrogen.pc:libdir=${exec_prefix}/lib

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-12-07 14:25:11 -08:00
BELOUARGA Mohamed dae158819f monocypher: add crypto library recipe
Adds monocypher, an easy to use, easy to deploy, auditable crypto library written in portable C. It approaches the size of TweetNaCl and the speed of libsodium

Signed-off-by: BELOUARGA Mohamed <m.belouarga@technologyandstrategy.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-11-30 17:41:38 -08:00
alperak b18bbc7467 botan: upgrade 2.19.3 -> 3.2.0
License-Update: Copyright year updated.

Changelog:

https://botan.randombit.net/news.html#version-3-0-0-2023-04-11
https://botan.randombit.net/news.html#version-3-1-0-2023-07-11
https://botan.randombit.net/news.html#version-3-1-1-2023-07-13
https://botan.randombit.net/news.html#version-3-2-0-2023-10-09

Signed-off-by: alperak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-11-17 11:38:25 -08:00
Khem Raj fe8ee3c8d6 libsodium: Fix build with clang on aarch64
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-11-06 08:49:52 -08:00
Khem Raj 294b2e9ae9 libsodium: upgrade 1.0.18 -> 1.0.19
License-Update: Copyright years changed

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-11-06 08:49:52 -08:00
Kai Kang ea21dd17d2 libmcrypt: fix multilib conflict
It fails to install libmcrypt-dev and lib32-libmcrypt-dev at same time:

Error: Transaction test error:
  file /usr/bin/libmcrypt-config conflicts between attempted installs of
  libmcrypt-dev-2.5.8-r0.core2_64 and lib32-libmcrypt-dev-2.5.8-r0.i586

Use MULTILIB_SCRIPTS from multilib_script.bbclass to handle them.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-08-31 22:37:31 -07:00
Martin Jansa 3a91bdb9cb libtomcrypt: add PACKAGECONFIG for ltm enabled by default
* enabled by default, because that's what dropbear expects and fails
  without as shown in:
  http://errors.yoctoproject.org/Errors/Details/720460/
  dropbear/2022.83-r0/crypto_desc.c:72: undefined reference to `ltm_desc'

* add comment about the LICENSE
* use EXTRA_OEMAKE

* FYI: if you need to use this in dunfell (for whatever reason e.g. to
  avoid CVE-2019-17362 in dropbear which contains bundled libtomcrypt),
  then you need to add:

  # Only needed for dunfell, fixed in kirkstone with:
  # https://git.openembedded.org/openembedded-core/commit/?h=kirkstone&id=4b308773eca7570ce5007e8f953b56252c17fdb1
  DEPENDS += "libtool-cross"
  EXTRA_OEMAKE += "'LIBTOOL=${HOST_SYS}-libtool'"

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-07-20 19:08:57 -07:00
Martin Jansa d449d72c4b libtomcrypt: backport a fix for CVE-2019-17362
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-07-20 19:08:57 -07:00
Martin Jansa 7dfddd7049 libtomcrypt: pass LIBPATH to fix installed-vs-shipped with multilib
* fixes:
  ERROR: QA Issue: libtomcrypt: Files/directories were installed but not shipped in any package:
    /usr/lib
    /usr/lib/libtomcrypt.so.1.0.1
    /usr/lib/libtomcrypt.so.1
    /usr/lib/libtomcrypt.so
    /usr/lib/pkgconfig
    /usr/lib/pkgconfig/libtomcrypt.pc
  Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
  libtomcrypt: 6 installed and not shipped files. [installed-vs-shipped]

  when libdir is /usr/lib64 with multilib

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-05-04 06:47:00 -07:00
Wang Mingyu b00744ddd8 cryptsetup: upgrade 2.6.0 -> 2.6.1
0001-Replace-off64_t-with-off_t.patch
removed since it's includedin 2.6.1.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-03-04 10:41:27 -08:00
Khem Raj a2df377c31 pkcs11-helper: Update to latest tip of trunk
This helps fixing build with clang16

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-03-02 00:31:38 -08:00
Niko Mauno 6a87f2ba9c Fix missing leading whitespace with ':append'
Mitigate occurences where ':append' operator is used and leading
whitespace character is obviously missing, risking inadvertent
string concatenation.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-01-25 08:51:25 -08:00
Khem Raj a8e8825ee1 cryptsetup: Upgrade to 2.6.0
- Disable documentation as it needs asciidoctor which is not available
- Rename cryptsetup-reencrypt packageconfig to luks2-reencryption to match
  the relevant configure option.
- Add a patch to enable 64bit off_t and lfs64

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-12-18 23:34:20 -08:00
Chen Pei 2392dc7925 botan: upgrade 2.19.2 -> 2.19.3
Version 2.19.3, 2022-11-16
    CVE-2022-43705: A malicious OCSP responder could forge OCSP responses due to a
    failure to validate that an embedded certificate was issued by the end-entity
    issuing certificate authority.

Signed-off-by: Chen Pei <cp0613@linux.alibaba.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-11-25 18:11:10 -08:00
Khem Raj 1b31a90bf5 libmcrypt: Suppress implicit-int warnings as errors
This is needed for clang-15+

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-09-05 22:49:35 -07:00
Peter Kjellerstedt fc57827421 cryptsetup: Add support for building without SSH tokens
Cryptsetup SSH tokens is the only feature that has a dependency on
libssh. Add a packageconfig to control this dependency.

Change-Id: Iac4f91e099ad2e3a79aab183734108f8bfbff57f
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-06-30 07:01:38 -04:00
Wang Mingyu 1711600fc5 botan: upgrade 2.19.1 -> 2.19.2
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-06-06 13:58:43 -07:00
Samuli Piippo c8541a3482 libtomcrypt: add recipe
LibTomCrypt is a fairly comprehensive, modular and portable cryptographic
toolkit that provides developers with a vast array of well known published
block ciphers, one-way hash functions, chaining modes, pseudo-random number
generators, public key cryptography and a plethora of other routines.

Signed-off-by: Samuli Piippo <samuli.piippo@qt.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-05-31 08:26:23 -07:00
wangmy ad5a17d3c7 pkcs11-helper: upgrade 1.28.0 -> 1.29.0
2020-04-21 - Version 1.29.0

    build: do not fail if slot evnets are disabled, thanks to Fabrice Fontaine.
    core: do not assume standard objects supported by provider.
    openssl: set back key into EVP for openssl-3 to work, thanks to apollo13.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-05-09 08:59:46 -07:00
Alejandro Enedino Hernandez Samaniego f850d140d7 cryptsetup: Add luks2 configure options defaults
Cryptsetup allows for certain luks2 related defaults to be
set for libcryptsetup, these include the default PBKDF
algorithm, memory limit for Argon2, parallel threads and
iteration time.

Set default variables defined to the same values currently
coming from cryptsetup upstream, making this change transparent
for the user but allow these values to be customized.

Signed-off-by: Alejandro Enedino Hernandez Samaniego <alejandro@enedino.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-05-04 07:57:13 -07:00
Oleksandr Kravchuk 139cc11605 pkcs11-helper: fix PV
Signed-off-by: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-04-13 19:21:41 -07:00
Khem Raj a0aaf7a23a libkcapi: Upgrade to 1.4.0
Drop upstreamed patch
Disable new warnings seen with gcc 12

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-04-13 19:21:41 -07:00
Khem Raj 4b46afe54e fsverity-utils: Define LIBDIR
This helps make it platform independent since some platforms e.g. ppc64
uses lib64 for system libpaths

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-03-21 08:25:11 -07:00
Khem Raj 14c7d8a0d7 recipes: Update LICENSE variable to use SPDX license identifiers
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-03-04 17:41:45 -08:00
Wang Mingyu e67a4dcf96 fsverity-utils: upgrade 1.4 -> 1.5
Changelog:
=========
* Made the 'fsverity sign' command and the 'libfsverity_sign_digest()' function
  support PKCS#11 tokens.
* Avoided a compiler error when building with musl libc.
* Avoided compiler warnings when building with OpenSSL 3.0.
* Improved documentation and test scripts.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-02-16 08:26:02 -08:00
Ross Burton b3a2b1e1d1 pkcs11-helper: set precise BSD license
This package is BSD-3-Clause.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-02-03 08:44:32 -08:00
Ross Burton 2f18574ffe pkcs11-helper: update homepage
www.opensc-project.org expired, so point at the GitHub project page.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-02-03 08:44:32 -08:00
wangmy ac3bf04b28 botan: upgrade 2.18.2 -> 2.19.1
License-Update: year updated to 2022.

Changelog:
=========
Fix a compilation problem affecting macOS XCode (GH #2880)
Fix a build problem preventing amalgamation builds in 2.19.0 (GH #2879)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-01-25 10:56:04 -08:00
wangmy 9f4d806758 cryptsetup: upgrade 2.4.2 -> 2.4.3
Changelog:
=========
Stable security bug-fix release that fixes CVE-2021-4122.

All users of cryptsetup 2.4.x must upgrade to this version.

Changes since version 2.4.2
~~~~~~~~~~~~~~~~~~~~~~~~~~~

* Fix possible attacks against data confidentiality through LUKS2 online
  reencryption extension crash recovery (CVE-2021-4122).

  An attacker can modify on-disk metadata to simulate decryption in
  progress with crashed (unfinished) reencryption step and persistently
  decrypt part of the LUKS device.

  This attack requires repeated physical access to the LUKS device but
  no knowledge of user passphrases.

  The decryption step is performed after a valid user activates
  the device with a correct passphrase and modified metadata.
  There are no visible warnings for the user that such recovery happened
  (except using the luksDump command). The attack can also be reversed
  afterward (simulating crashed encryption from a plaintext) with
  possible modification of revealed plaintext.

  The size of possible decrypted data depends on configured LUKS2 header
  size (metadata size is configurable for LUKS2).
  With the default parameters (16 MiB LUKS2 header) and only one
  allocated keyslot (512 bit key for AES-XTS), simulated decryption with
  checksum resilience SHA1 (20 bytes checksum for 4096-byte blocks),
  the maximal decrypted size can be over 3GiB.

  The attack is not applicable to LUKS1 format, but the attacker can
  update metadata in place to LUKS2 format as an additional step.
  For such a converted LUKS2 header, the keyslot area is limited to
  decrypted size (with SHA1 checksums) over 300 MiB.

  The issue is present in all cryptsetup releases since 2.2.0.
  Versions 1.x, 2.0.x, and 2.1.x are not affected, as these do not
  contain LUKS2 reencryption extension.

  The problem was caused by reusing a mechanism designed for actual
  reencryption operation without reassessing the security impact for new
  encryption and decryption operations. While the reencryption requires
  calculating and verifying both key digests, no digest was needed to
  initiate decryption recovery if the destination is plaintext (no
  encryption key). Also, some metadata (like encryption cipher) is not
  protected, and an attacker could change it. Note that LUKS2 protects
  visible metadata only when a random change occurs. It does not protect
  against intentional modification but such modification must not cause
  a violation of data confidentiality.

  The fix introduces additional digest protection of reencryption
  metadata. The digest is calculated from known keys and critical
  reencryption metadata. Now an attacker cannot create correct metadata
  digest without knowledge of a passphrase for used keyslots.
  For more details, see LUKS2 On-Disk Format Specification version 1.1.0.

  The former reencryption operation (without the additional digest) is no
  longer supported (reencryption with the digest is not backward
  compatible). You need to finish in-progress reencryption before
  updating to new packages. The alternative approach is to perform
  a repair command from the updated package to recalculate reencryption
  digest and fix metadata.
  The reencryption repair operation always require a user passphrase.

  WARNING: Devices with older reencryption in progress can be no longer
  activated without performing the action mentioned above.

  Encryption in progress can be detected by running the luksDump command
  (output includes reencrypt keyslot with reencryption parameters). Also,
  during the active reencryption, no keyslot operations are available
  (change of passphrases, etc.).

  The issue was found by Milan Broz as cryptsetup maintainer.

Other changes
~~~~~~~~~~~~~
* Add configure option --disable-luks2-reencryption to completely disable
  LUKS2 reencryption code.

  When used, the libcryptsetup library can read metadata with
  reencryption code, but all reencryption API calls and cryptsetup
  reencrypt commands are disabled.

  Devices with online reencryption in progress cannot be activated.
  This option can cause some incompatibilities. Please use with care.

* Improve internal metadata validation code for reencryption metadata.

* Add updated documentation for LUKS2 On-Disk Format Specification
  version 1.1.0 (with reencryption extension description and updated
  metadata description). See docs/on-disk-format-luks2.pdf or online
  version in https://gitlab.com/cryptsetup/LUKS2-docs repository.

* Fix support for bitlk (BitLocker compatible) startup key with new
  metadata entry introduced in Windows 11.

* Fix space restriction for LUKS2 reencryption with data shift.
  The code required more space than was needed.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-01-19 09:01:04 -08:00
wangmy 466ffb8414 pkcs11-helper: upgrade 1.27 -> 1.28
0001-build-openssl-remove-RSA_SSLV23_PADDING-constant-usa.patch
0001-nss-use-nss-pkcs11-h.patch
removed since they're included in 1.28.

Changelog:
=========
 * build: openssl: remove RSA_SSLV23_PADDING constant usage due to openssl-3
   compatibility.
 * build: nss: use nss pkcs11.h
 * build: windows: checksum in PE
 * build: windows: support openssl-1.1.1
 * mbed: require >=mbedtls-2, mbed dropped polarssl compatibility,
 * certificate: add methods accept full mechanism
 * core: load provider library as private.
 * core: add pkcs11h_getProperty, pkcs11h_setProperty to support adding
   properties without breaking API.
 * core: add pkcs11h_initializeProvider, pkcs11h_registerProvider,
   pkcs11h_setProviderProperty, pkcs11h_setProviderPropertyByName to
   support adding properties without breaking API
 * core: add initialization arguments property
 * core: add PKCS11H_PROVIDER_PROPERTY_PROVIDER_DESTRUCT_HOOK.
 * session: respect login required token flag.
 * certificate: respect always authenticate flag.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-01-05 11:10:02 -08:00
Khem Raj d7a91f13c4 pkcs11-helper: Fix build with nss >= 3.73.1
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-12-25 13:30:13 -08:00
Khem Raj b6eb9036eb libkcapi: Fix build with musl
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>
2021-12-21 18:49:37 -08:00
Oleksandr Kravchuk e95b6af4c8 libkcapi: update to 1.3.1
Dropped upstreamed patch.

License-Update: copyright years updated.

Signed-off-by: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-12-15 19:11:18 -08:00
wangmy 830666b54d cryptsetup: upgrade 2.4.1 -> 2.4.2
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-11-22 10:15:00 -08:00