diffstat for cryptsetup-1.7.3 cryptsetup-1.7.3 askpass.c | 2 changelog | 1171 +++++++++++++++++++++++- control | 7 cryptdisks-udev.maintscript | 1 cryptdisks-udev.upstart | 25 cryptdisks.maintscript | 1 cryptdisks.upstart | 45 cryptsetup.maintscript | 2 passdev.c | 2 patches/fips-fix-luksformat-with-recent-kernels | 36 patches/series | 1 rules | 16 12 files changed, 1224 insertions(+), 85 deletions(-)
diff -Nru cryptsetup-1.7.3/debian/askpass.c cryptsetup-1.7.3/debian/askpass.c
--- cryptsetup-1.7.3/debian/askpass.c 2017-05-09 11:50:59.000000000 +0000
+++ cryptsetup-1.7.3/debian/askpass.c 2017-08-10 13:07:29.000000000 +0000
@@ -21,7 +21,7 @@
 #define _GNU_SOURCE
-#define _BSD_SOURCE
+#define _DEFAULT_SOURCE
 #define _POSIX_C_SOURCE 1
 #include
 #include
diff -Nru cryptsetup-1.7.3/debian/changelog cryptsetup-1.7.3/debian/changelog
--- cryptsetup-1.7.3/debian/changelog 2017-05-09 11:50:59.000000000 +0000
+++ cryptsetup-1.7.3/debian/changelog 2017-08-10 13:07:29.000000000 +0000
@@ -1,3 +1,22 @@
+cryptsetup (2:1.7.3-4ubuntu1) artful; urgency=low + + * New upstream release, merge from Debian unstable. Remaining + Ubuntu changes: + - debian/control: + + Depend on plymouth. + + Invert the "busybox | busybox-static" Recommends, as the latter + is the one we ship in main as part of the ubuntu-standard task. + + Drop explicit libgcrypt20 dependency from libcryptsetup4. + * d/p/fips-fix-luksformat-with-recent-kernels -- fix luksFormat + with recent FIPS enabled kernels. + * Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE + * Drop c99 std, as the default is now higher than that + * Use DEB_VERSION from dpkg/default.mk for pod2man release variable + * Drop upstart system jobs. + * Add maintscript to drop removed upstart system jobs. + + -- Andy Whitcroft Thu, 10 Aug 2017 14:07:29 +0100 + cryptsetup (2:1.7.3-4) unstable; urgency=high [ Guilhem Moulin ] 
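Review bot: In debian/askpass.c the new `#define _DEFAULT_SOURCE` is added directly below `#define _GNU_SOURCE` and above `#define _POSIX_C_SOURCE 1`, with no comment saying which declarations each macro is meant to expose. On glibc, `_GNU_SOURCE` by itself already enables `_DEFAULT_SOURCE` and overrides `_POSIX_C_SOURCE`, so the two lines after it appear to have no effect there, and a later reader cannot tell whether they matter for another libc. I would add a one-line comment above the block, for example `/* _GNU_SOURCE implies _DEFAULT_SOURCE on glibc; the explicit define replaces the deprecated _BSD_SOURCE */`, or drop the redundant defines once that is confirmed. The diffstat lists a two-line change in passdev.c as well; it is not visible here, but if it is the same substitution it should get the same comment.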
@@ -210,6 +229,40 @@ -- Jonas Meurer Wed, 05 Oct 2016 20:53:09 +0200 +cryptsetup (2:1.7.2-0ubuntu4) artful; urgency=medium + + * Add maintscript to drop removed upstart system jobs. + + -- Dimitri John Ledkov Mon, 21 Aug 2017 11:36:04 +0100 + +cryptsetup (2:1.7.2-0ubuntu3) artful; urgency=medium + + * Drop _BSD_SOURCE in favor of _DEFAULT_SOURCe + * Drop c99 std, as the default is now higher than that + * Use DEB_VERSION from dpkg/default.mk for pod2man release variable + + -- Dimitri John Ledkov Sat, 19 Aug 2017 21:46:19 +0100 + +cryptsetup (2:1.7.2-0ubuntu2) artful; urgency=medium + + * Drop upstart system jobs. + + -- Dimitri John Ledkov Sat, 19 Aug 2017 20:57:17 +0100 + +cryptsetup (2:1.7.2-0ubuntu1) yakkety; urgency=medium + + * New upstream release, merge from Debian unstable (LP: #1548137). Remaining + Ubuntu changes: + - debian/control: + + Bump initramfs-tools Suggests to Depends: so system is not + potentially rendered unbootable. + + Depend on plymouth. + + Invert the "busybox | busybox-static" Recommends, as the latter + is the one we ship in main as part of the ubuntu-standard task. + + Drop explicit libgcrypt20 dependency from libcryptsetup4. + + -- Unit 193 Wed, 22 Jun 2016 16:30:01 -0400 + cryptsetup (2:1.7.0-2) unstable; urgency=medium [ Guilhem Moulin ] 
@@ -284,6 +337,35 @@ -- Jonas Meurer Thu, 07 Jan 2016 02:22:33 +0100 +cryptsetup (2:1.6.6-5ubuntu2) wily; urgency=medium + + * Fix stupid typo in Recommends "busybox | busybox-static" inversion. + Fixes binary moves for busybox into main. + + -- Andy Whitcroft Fri, 21 Aug 2015 08:56:34 +0100 + +cryptsetup (2:1.6.6-5ubuntu1) wily; urgency=low + + * Merge from Debian unstable. Remaining changes: + - debian/control: + + Bump initramfs-tools Suggests to Depends: so system is not + potentially rendered unbootable. + + Depend on plymouth. + + Invert the "busybox | busybox-static" Recommends, as the latter + is the one we ship in main as part of the ubuntu-standard task. + + Drop explicit libgcrypt11 dependency from libcryptsetup4. + * Dropped changes, now in Debian: + - Remove hardcoded paths to udevadm. + - debian/initramfs/cryptroot-hook: + + Do not unconditionally include cryptsetup utils in the initramfs. + + Do not include any modules or utils in the initramfs, unless + rootfs/resume devices are encrypted or CRYPTSETUP is set to 'y' in + the initramfs.conf configuration file. + - debian/cryptsetup.maintscripts: + + Migrate upstart jobs to new names. + + -- Andy Whitcroft Tue, 07 Jul 2015 16:58:45 +0100 + cryptsetup (2:1.6.6-5) unstable; urgency=high * debian/cryptdisks.functions: fix the precheck for ubuntu+upstart 
@@ -436,6 +518,71 @@ -- Jonas Meurer Fri, 28 Jun 2013 12:14:55 +0200 +cryptsetup (2:1.6.1-1ubuntu7) vivid; urgency=medium + + * Drop explicit libgcrypt11 dependency from libcryptsetup4. + + -- Adam Conrad Fri, 27 Mar 2015 18:24:38 -0600 + +cryptsetup (2:1.6.1-1ubuntu6) vivid; urgency=medium + + * No-change rebuild for the libgcrypt20 transition. + + -- Adam Conrad Fri, 27 Mar 2015 06:16:08 -0600 + +cryptsetup (2:1.6.1-1ubuntu5) vivid; urgency=medium + + * ./debian/scripts/luksformat: Drop luksFormat -s and --ciper options. They + aren't necessary any more, and aes-cbc-essiv:sha256 is obsolete. This will + now use aes-xts-plain64 by default. (LP: #1414719) + + -- Martin Pitt Fri, 27 Feb 2015 09:37:05 +0100 + +cryptsetup (2:1.6.1-1ubuntu4) vivid; urgency=medium + + * No change rebuild to get debug symbols for all architectures. + + -- Brian Murray Wed, 03 Dec 2014 08:03:31 -0800 + +cryptsetup (2:1.6.1-1ubuntu3) utopic; urgency=high + + * No change rebuild against new dh_installinit, to call update-rc.d at + postinst. + + -- Dimitri John Ledkov Wed, 28 May 2014 10:39:30 +0100 + +cryptsetup (2:1.6.1-1ubuntu2) utopic; urgency=medium + + * debian/askpass.c: + - Fix bug (LP: #1301086) where askpass fails to restore terminal + settings. + + -- Robert Barabas Fri, 18 Apr 2014 14:08:51 -0400 + +cryptsetup (2:1.6.1-1ubuntu1) trusty; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/control: + + Bump initramfs-tools Suggests to Depends: so system is not + potentially rendered unbootable. + + Depend on plymouth. + + - Invert the "busybox | busybox-static" Recommends, as the latter is + the one we ship in main as part of the ubuntu-standard task. + + - Remove hardcoded paths to udevadm (LP: #1184066). + + - debian/initramfs/cryptroot-hook: + + Do not unconditionally include cryptsetup utils in the initramfs. 
+ + Do not include any modules or utils in the initramfs, unless + rootfs/resume devices are encrypted or CRYPTSETUP is set to 'y' in + the initramfs.conf configuration file. + + - debian/cryptsetup.maintscripts: + + Migrate upstart jobs to new names. + + -- Dmitrijs Ledkovs Fri, 01 Nov 2013 16:48:57 +0000 + cryptsetup (2:1.6.1-1) unstable; urgency=low [ Milan Broz ] 
@@ -477,6 +624,50 @@ -- Jonas Meurer Fri, 28 Jun 2013 12:10:41 +0200 +cryptsetup (2:1.4.3-4ubuntu4) saucy; urgency=low + + * debian/initramfs/cryptroot-hook: + - Do not unconditionally include cryptsetup utils in the initramfs. + - Do not include any modules or utils in the initramfs, unless + rootfs/resume devices are encrypted or CRYPTSETUP is set to 'y' in + the initramfs.conf configuration file. + + -- Dmitrijs Ledkovs Mon, 10 Jun 2013 16:25:46 +0100 + +cryptsetup (2:1.4.3-4ubuntu3) saucy; urgency=low + + * Remove hardcoded paths to udevadm (LP: #1184066). + + -- Colin Watson Tue, 28 May 2013 11:27:27 +0100 + +cryptsetup (2:1.4.3-4ubuntu2) raring; urgency=low + + * Invert the "busybox | busybox-static" Recommends, as the latter + is the one we ship in main as part of the ubuntu-standard task. + + -- Adam Conrad Fri, 16 Nov 2012 01:14:35 -0700 + +cryptsetup (2:1.4.3-4ubuntu1) raring; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/control: + + Bump initramfs-tools Suggests to Depends: so system is not + potentially rendered unbootable. + + Depend on plymouth. + + - init/upstart jobs: + + Rename cryptddisks{,-early}.upstart jobs to + cryptdisks-{enable,udev}.upstart, as we need both init & upstart jobs + for now. + + debian/cryptdisks{,-early}.init: Make the 'start' action of the init + script a no-op, this should be handled entirely by the upstart job; + and fix the LSB header to not declare this should be started in + runlevel 'S'. + + Do not install start symlinks for init scripts + + NB! shutdown is still handled by the SystemV init scripts + + -- Dmitrijs Ledkovs Tue, 13 Nov 2012 11:17:57 +0000 + cryptsetup (2:1.4.3-4) unstable; urgency=medium * change recommends for busybox to busybox | busybox-static. Thanks to 
@@ -509,6 +700,50 @@ -- Jonas Meurer Thu, 01 Nov 2012 15:34:09 +0100 +cryptsetup (2:1.4.3-2ubuntu1) quantal; urgency=low + + * Merge from debian unstable (LP: #1015753), remaining changes: + - debian/control: + + Bump initramfs-tools Suggests to Depends: so system is not + potentially rendered unbootable. + + Depend on plymouth. + + - init/upstart jobs: + + Add debian/cryptdisks-{enable,udev}.upstart for bootup. + + debian/cryptdisks{,-early}.init: Make the 'start' action of the init + script a no-op, this should be handled entirely by the upstart job; + and fix the LSB header to not declare this should be started in + runlevel 'S'. + + Do not install start symlinks for init scripts + + NB! shutdown is still handled by the SystemV init scripts + + * Rename cryptddisks{,-early}.upstart jobs back to + cryptdisks-{enable,udev}.upstart, as we need both init & upstart jobs + for now. + + * Dropped Changes, included in Debian: + - debian/control: + + Split up package in cryptsetup and cryptsetup-bin. (LP: #343363). + + - debian/cryptdisks.functions: + + Do not overwrite existing filesystems when creating swap (LP: #474258). + + Add aesni module when we have hardware encryption. + + Call 'udevadm settle' before 'dmsetup rename' http://pad.lv/874774 + + Suppress "Starting init crypto disks" message in "init" phase, to + avoid writing over fsck progress text. + + new function, crypttab_start_one_disk, to look for the named source + device in /etc/crypttab (by device name, UUID, or label) and start it + if configured to do so + + handle the case where crypttab contains a name for the source + device that is not the kernel's preferred name for it (as is the case + for LVs). + + - debian/initramfs/cryptroot-hook: + + Quiet warnings from find on arches that don't have all the + kernel/{arch,crypto} bits we're testing for. 
+ + -- Dmitrijs Ledkovs Tue, 21 Aug 2012 11:57:28 +0100 + cryptsetup (2:1.4.3-2) unstable; urgency=medium * fix the shared library symbols magic: so far, the symbols file for 
@@ -584,6 +819,64 @@ -- Jonas Meurer Wed, 11 Apr 2012 23:55:35 +0200 +cryptsetup (2:1.4.1-2ubuntu4) precise; urgency=low + + * Our swap creation can trigger udev change events, which means udev may be + holding the device open at the time we try to call 'dmsetup rename' and + cause the /subsequent/ events to be missed because of dmsetup creating + device nodes by hand. So call 'udevadm settle' before 'dmsetup rename', + to ensure blkid is out of the way first. This should ensure swap + partitions are found by mountall in a non-racy manner. LP: #874774. + + -- Steve Langasek Fri, 13 Apr 2012 20:23:21 -0700 + +cryptsetup (2:1.4.1-2ubuntu3) precise; urgency=low + + * Start cryptdisks-enable upstart job on 'or container', to let us + simplify the udevtrigger job. + + -- Steve Langasek Wed, 04 Apr 2012 17:02:00 -0700 + +cryptsetup (2:1.4.1-2ubuntu2) precise; urgency=low + + * Split up package in cryptsetup and cryptsetup-bin. (LP: #343363). + * Do not overwrite existing filesystems when creating swap (LP: #474258). + * Add aesni module when we have hardware encryption. + + -- Jean-Louis Dupond Mon, 12 Mar 2012 10:14:30 +0100 + +cryptsetup (2:1.4.1-2ubuntu1) precise; urgency=low + + [ Jean-Louis Dupond ] + * Merge from debian unstable (LP: #776264), remaining changes: + - debian/cryptdisks.functions: Suppress "Starting init crypto disks" message + in "init" phase, to avoid writing over fsck progress text. + - debian/cryptroot-hook: Quiet warnings from find on arches that + don't have all the kernel/{arch,crypto} bits we're testing for. + - debian/control: + + Bump initramfs-tools Suggests to Depends: so system is not + potentially rendered unbootable. + + Depend on plymouth. + - Add debian/cryptdisks-{enable,udev}.upstart. 
+ - debian/cryptdisks.functions: + + new function, crypttab_start_one_disk, to look for the named source + device in /etc/crypttab (by device name, UUID, or label) and start it + if configured to do so + - debian/cryptdisks{,-early}.init: Make the 'start' action of the init + script a no-op, this should be handled entirely by the upstart job; + and fix the LSB header to not declare this should be started in + runlevel 'S' + - debian/rules: + + Do not install start symlinks for init scripts, and + install debian/cryptdisks-{enable,udev}.upstart scripts. + + [ Steve Langasek ] + * debian/cryptdisks.functions: handle the case where crypttab contains a + name for the source device that is not the kernel's preferred name for + it (as is the case for LVs). + + -- Jean-Louis Dupond Thu, 08 Mar 2012 07:32:40 +0100 + cryptsetup (2:1.4.1-2) unstable; urgency=low * acknowledge NMU. Thanks to Michael Biebl. (closes: #659182) 
@@ -793,6 +1086,56 @@ -- Jonas Meurer Sun, 16 Jan 2011 01:01:03 +0100 +cryptsetup (2:1.1.3-4ubuntu3) precise; urgency=low + + [ Pali Rohar ] + * debian/cryptdisks.functions: Suppress "Starting init crypto disks" message + in "init" phase, to avoid writing over fsck progress text. + + -- Martin Pitt Wed, 26 Oct 2011 09:16:15 +0200 + +cryptsetup (2:1.1.3-4ubuntu2) oneiric; urgency=low + + * debian/cryptroot-hook: Quiet warnings from find on arches that + don't have all the kernel/{arch,crypto} bits we're testing for. + + -- Adam Conrad Sat, 01 Oct 2011 00:33:00 -0600 + +cryptsetup (2:1.1.3-4ubuntu1) natty; urgency=low + + * Merge from debian unstable (LP: #682177), remaining changes: + - debian/control: + + Bump initramfs-tools Suggests to Depends: so system is not + potentially rendered unbootable. + + Depend on plymouth. + - Add debian/cryptdisks-{enable,udev}.upstart. + - debian/cryptdisks.functions: + + new function, crypttab_start_one_disk, to look for the named source + device in /etc/crypttab (by device name, UUID, or label) and start it + if configured to do so + + wrap the call to /lib/cryptsetup/askpass with watershed, to make sure + we only ever have one of these running at a time; otherwise multiple + invocations could steal each other's input and/or write over each + other's output + + when called by cryptdisks-enable, check that we don't already have a + corresponding cryptdisks-udev job running (probably waiting for a + passphrase); if there is, wait until it's finished before continuing. + - debian/cryptdisks{,-early}.init: Make the 'start' action of the init + script a no-op, this should be handled entirely by the upstart job; + and fix the LSB header to not declare this should be started in + runlevel 'S' + - debian/cryptsetup.postinst: Remove any symlinks from /etc/rcS.d on + upgrade. + - debian/rules: + + Do not install start symlinks for init scripts, and + install debian/cryptdisks-{enable,udev}.upstart scripts. 
+ + link dynamically against libgcrypt and libgpg-error. + - Add debian/cryptsetup.apport: Apport package hook. Install in + debian/rules and create dir in debian/cryptsetup.dirs. + - debian/cryptsetup.postrm: call update-initramfs on package removal. + + -- Lorenzo De Liso Sat, 27 Nov 2010 17:37:43 +0100 + cryptsetup (2:1.1.3-4) unstable; urgency=high * bump standards-version to 3.9.1, no changes required 
@@ -898,6 +1241,69 @@ -- Jonas Meurer Sat, 10 Jul 2010 14:32:40 +0200 +cryptsetup (2:1.1.2-1ubuntu1) maverick; urgency=low + + * Merge from Debian unstable (LP: #594365). Remaining changes: + - debian/control: + + Bump initramfs-tools Suggests to Depends: so system is not + potentially rendered unbootable. + + Depend on plymouth. + - Add debian/cryptdisks-{enable,udev}.upstart. + - debian/cryptdisks.functions: + + new function, crypttab_start_one_disk, to look for the named source + device in /etc/crypttab (by device name, UUID, or label) and start it + if configured to do so + + wrap the call to /lib/cryptsetup/askpass with watershed, to make sure + we only ever have one of these running at a time; otherwise multiple + invocations could steal each other's input and/or write over each + other's output + + initially create the device under a temporary name and rename it only + at the end using 'dmsetup rename', to ensure that upstart/mountall + doesn't see our device before it's ready to go. + + do_tmp should mount under /var/run/cryptsetup for changing the + permissions of the filesystem root, not directly on /tmp, since + mounting on /tmp a) is racy, b) confuses mountall something fierce. + + when called by cryptdisks-enable, check that we don't already have a + corresponding cryptdisks-udev job running (probably waiting for a + passphrase); if there is, wait until it's finished before continuing. + - debian/cryptdisks{,-early}.init: Make the 'start' action of the init + script a no-op, this should be handled entirely by the upstart job; + and fix the LSB header to not declare this should be started in + runlevel 'S' + - debian/cryptsetup.postinst: Remove any symlinks from /etc/rcS.d on + upgrade. + - debian/rules: Do not install start symlinks for init scripts, and + install debian/cryptdisks-{enable,udev}.upstart scripts. + - Add debian/cryptsetup.apport: Apport package hook. Install in + debian/rules and create dir in debian/cryptsetup.dirs. 
+ - debian/rules: link dynamically against libgcrypt and libgpg-error. + - debian/cryptsetup.postrm: call update-initramfs on package removal. + * Dropped changes, merged/superseded in Debian: + - Add ext4 support to passdev. + - cryptroot-hook: don't call copy_modules_dir with empty arguments when + archcrypto isn't found + - Set USPLASH=y and FRAMEBUFFER=y in the hook config to pull plymouth into + the initramfs. + - change interaction to use plymouth directly if present, and if not, to + fall back to /lib/cryptsetup/askpass as before + - cryptdisks.functions: replace 'echo -e' bashism with 'printf'. + - debian/initramfs/cryptroot-script: if plymouth is present in the + initramfs, use this directly, bypassing the cryptsetup askpass script + - debian/initramfs/cryptroot-hook: Properly anchor our regexps when + grepping /etc/crypttab so that we don't incorrectly match device names + that are substrings of one another. + - debian/initramfs/cryptroot-script: Don't leak /conf/conf.d/cryptroot + file descriptor to subprocesses. + - Fix grammar error in debian/initramfs/cryptroot-script + ("setup" -> "set up") + - debian/initramfs/cryptroot-script: Fix this to work with current + initramfs-tools: + + Source /scripts/functions after checking for prerequisites. + + prereqs(): Do not assume we are running within initramfs, and + calculate relative path correctly. + + -- Steve Langasek Mon, 14 Jun 2010 21:47:28 -0700 + cryptsetup (2:1.1.2-1) unstable; urgency=low * new upstream release, changes include: 
@@ -1015,6 +1421,171 @@ -- Jonas Meurer Mon, 08 Mar 2010 14:15:35 +0100 +cryptsetup (2:1.1.0~rc2-1ubuntu14) maverick; urgency=low + + [ David Stansby ] + * Fix grammar error in debian/initramfs/cryptroot-script + ("setup" -> "set up") (LP: #578896) + + -- James Westby Mon, 17 May 2010 13:33:40 +0100 + +cryptsetup (2:1.1.0~rc2-1ubuntu13) lucid; urgency=low + + * debian/initramfs/cryptroot-script: Don't leak /conf/conf.d/cryptroot + file descriptor to subprocesses. + + -- Colin Watson Mon, 29 Mar 2010 22:18:36 +0100 + +cryptsetup (2:1.1.0~rc2-1ubuntu12) lucid; urgency=low + + * debian/initramfs/cryptroot-hook: Properly anchor our regexps when + grepping /etc/crypttab so that we don't incorrectly match device names + that are substrings of one another. + * debian/cryptdisks-{enable,udev}.conf, debian/control: drop + 'console output' and add a hard dependency on plymouth instead of + watershed, to avoid spitting extra messages to the console. + + -- Steve Langasek Thu, 18 Feb 2010 06:19:19 -0800 + +cryptsetup (2:1.1.0~rc2-1ubuntu11) lucid; urgency=low + + * Set FRAMEBUFFER=y in the file that we actually ship. + * debian/cryptsetup.postrm: call update-initramfs on package removal. + LP: #468228. + + -- Steve Langasek Mon, 25 Jan 2010 03:07:52 -0800 + +cryptsetup (2:1.1.0~rc2-1ubuntu10) lucid; urgency=low + + * cryptdisks.functions: replace 'echo -e' bashism with 'printf'. + * cryptdisks.functions: when called by cryptdisks-enable, check that we + don't already have a corresponding cryptdisks-udev job running (probably + waiting for a passphrase); if there is, wait until it's finished before + continuing. + + -- Steve Langasek Thu, 21 Jan 2010 14:57:21 +0000 + +cryptsetup (2:1.1.0~rc2-1ubuntu9) lucid; urgency=low + + * Set FRAMEBUFFER=y in the hook config as well, to pull plymouth into the + initramfs. 
+ * cryptdisks.functions, debian/initramfs/cryptroot-script: fix the + invocation of plymouth, so that we actually get proper passphrase prompts + (once bug #496765 is fixed). + + -- Steve Langasek Sat, 16 Jan 2010 02:32:41 -0800 + +cryptsetup (2:1.1.0~rc2-1ubuntu8) lucid; urgency=low + + * cryptdisks.functions: do_tmp should mount under /var/run/cryptsetup for + changing the permissions of the filesystem root, not directly on /tmp, + since mounting on /tmp a) is racy, b) confuses mountall something fierce. + LP: #475936. + + -- Steve Langasek Tue, 22 Dec 2009 20:24:28 +0000 + +cryptsetup (2:1.1.0~rc2-1ubuntu7) lucid; urgency=low + + * Depend on watershed. + + -- Steve Langasek Tue, 22 Dec 2009 01:37:36 +0000 + +cryptsetup (2:1.1.0~rc2-1ubuntu6) lucid; urgency=low + + [ Steve Langasek ] + * Fix the LSB header in the init scripts, now that we don't install to + rcS.d. + + [ Martin Pitt ] + * debian/initramfs/cryptroot-script: Fix this to work with current + initramfs-tools: + - Source /scripts/functions after checking for prerequisites. + - prereqs(): Do not assume we are running within initramfs, and calculate + relative path correctly. + + -- Martin Pitt Fri, 18 Dec 2009 17:07:07 +0100 + +cryptsetup (2:1.1.0~rc2-1ubuntu5) lucid; urgency=low + + * Rename the upstart job introduced in the previous upload to + cryptdisks-udev and restore the previous version of the job as + cryptdisks-enable, to run at the end of udev coldplugging as before; + this isn't entirely race-free, but should nevertheless give us the + two passes needed to cover devices that are decrypted using keys stored + on other encrypted disks. LP: #443980. 
+ + -- Steve Langasek Wed, 16 Dec 2009 06:41:30 +0000 + +cryptsetup (2:1.1.0~rc2-1ubuntu4) lucid; urgency=low + + [ Steve Langasek ] + * debian/initramfs/cryptroot-script: if plymouth is present in the + initramfs, use this directly, bypassing the cryptsetup askpass script; + but keep support for these other frontends around on a transitional + basis. + * debian/cryptdisks.functions: + - change interaction to use plymouth directly if present, and if not, to + fall back to /lib/cryptsetup/askpass as before + - wrap the call to /lib/cryptsetup/askpass with watershed, to make sure + we only ever have one of these running at a time; otherwise multiple + invocations could steal each other's input and/or write over each + other's output + - new function, crypttab_start_one_disk, to look for the named source + device in /etc/crypttab (by device name, UUID, or label) and start it + if configured to do so + * debian/cryptdisks-enable.upstart: run the upstart job once for each block + device, using the new crypttab_start_one_disk function, triggered by udev; + this doesn't eliminate the possibility of a race with gdm when the + decrypted volume isn't a 'bootwait' mount point (since gdm kills + plymouth), but it does eliminate the race between udev and cryptsetup. + LP: #454898. + * debian/cryptdisks-enable.upstart: check that the package is installed + and exit gracefully if it's not. LP: #435814 + * debian/cryptdisk.functions: initially create the device under a temporary + name and rename it only at the end using 'dmsetup rename', to ensure that + upstart/mountall doesn't see our device before it's ready to go. + LP: #475936. + + [ Colin Watson ] + * Add ext4 support to passdev. + + -- Steve Langasek Tue, 15 Dec 2009 18:05:45 -0800 + +cryptsetup (2:1.1.0~rc2-1ubuntu3) lucid; urgency=low + + * cryptroot-hook: Use if [ -n … ] instead of if ! test -z …. 
+ + -- Loïc Minier Sat, 12 Dec 2009 11:32:52 +0100 + +cryptsetup (2:1.1.0~rc2-1ubuntu2) lucid; urgency=low + + * cryptroot-hook: dont call copy_modules_dir with empty arguments when + archcrypto isnt found (LP: #495161) + + -- Oliver Grawert Fri, 11 Dec 2009 14:39:00 +0100 + +cryptsetup (2:1.1.0~rc2-1ubuntu1) lucid; urgency=low + + * Merge with Debian testing. Remaining Ubuntu changes: + - debian/rules: cryptsetup is linked dynamically against libgcrypt and + libgpg-error. + - Upstart migration: + + Add debian/cryptdisks-enable.upstart. + + debian/cryptdisks{,-early}.init: Make the 'start' action of the init + script a no-op, this should be handled entirely by the upstart job. + (LP #473615) + + debian/cryptsetup.postinst: Remove any symlinks from /etc/rcS.d on + upgrade. + + debian/rules: Do not install start symlinks for those two, and install + debian/cryptdisks-enable.upstart scripts. + - Add debian/cryptsetup.apport: Apport package hook. Install in + debian/rules, and create dir in debian/cryptsetup.dirs. + - Start usplash in initramfs, since we need it for fancy passphrase input: + + debian/initramfs/cryptroot-conf, debian/initramfs-conf.d: USPLASH=y + + debian/control: Bump initramfs-tools Suggests to Depends:. + + -- Martin Pitt Wed, 11 Nov 2009 15:04:27 +0100 + cryptsetup (2:1.1.0~rc2-1) unstable; urgency=low * new upstream release candidate (1.1.0-rc2), highlights include: 
@@ -1188,6 +1759,80 @@ -- Jonas Meurer Sat, 04 Jul 2009 15:52:06 +0200 +cryptsetup (2:1.0.6+20090405.svn49-1ubuntu8) lucid; urgency=low + + [ Steve Langasek ] + * Make the 'start' action of the init script a no-op, this should be + handled entirely by the upstart job now; and remove any symlinks from + /etc/rcS.d on upgrade. LP: #473615. + + [ Reinhard Tartler ] + * Add an apport hook + * import the blkid and un_blkid from debian, LP: #446517 + * also use this script by default (setting in /etc/default/cryptdisks) + + -- Steve Langasek Wed, 04 Nov 2009 12:06:47 +0000 + +cryptsetup (2:1.0.6+20090405.svn49-1ubuntu7) karmic; urgency=low + + * Reupload previous version, siretart had left changes in bzr which + weren't documented in the changelog and caused FTBFS. + + -- Scott James Remnant Wed, 14 Oct 2009 13:57:59 +0100 + +cryptsetup (2:1.0.6+20090405.svn49-1ubuntu6) karmic; urgency=low + + [ Steve Langasek ] + * Move the Debian Vcs- fields aside. + + [ Scott James Remnant ] + * debian/cryptdisks-enable.upstart: Don't overcompensate for my idiocy, + cryptsetup should not need a controlling terminal, just a terminal + is fine. May fix LP: #439138. + + -- Scott James Remnant Wed, 14 Oct 2009 04:52:16 +0100 + +cryptsetup (2:1.0.6+20090405.svn49-1ubuntu4) karmic; urgency=low + + * debian/cryptdisks-enable.upstart: Things that often help include + not setting stdin/out to /dev/null, so you can actually type the + passphrase. I am an idiot. LP: #430496. + + -- Scott James Remnant Thu, 17 Sep 2009 17:58:01 +0100 + +cryptsetup (2:1.0.6+20090405.svn49-1ubuntu3) karmic; urgency=low + + * debian/cryptdisks-enable.upstart: add upstart job to enable encrypted + disks once we've finished probing for udev devices, so that mountall + can use them. LP: #430496. 
+ + -- Scott James Remnant Thu, 17 Sep 2009 00:04:00 +0100 + +cryptsetup (2:1.0.6+20090405.svn49-1ubuntu2) karmic; urgency=low + + * debian/initramfs/cryptroot-conf: declare that we want usplash included + in the initramfs whenever this package is installed. LP: #427356. + + -- Steve Langasek Tue, 15 Sep 2009 08:43:15 -0700 + +cryptsetup (2:1.0.6+20090405.svn49-1ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: + - Ubuntu specific: + + debian/rules: link dynamically for better security supportability and + smaller packages. + + debian/control: Depend on initramfs-tools so system is not potentially + rendered unbootable. + - debian/initramfs/cryptroot-script wait for encrypted device to appear, + report with log_*_msg (debian bug 488271). + - debian/initramfs/cryptroot-hook: fix support for UUID and LABEL + correlation between fstab and crypttab (debian bug 522041). + - debian/askpass.c, debian/initramfs/cryptroot-script: using newline + escape in passphrase prompt to avoid line-wrapping (debian bug 528133). + * Drop 04_fix_udevsettle_call.patch: fixed upstream differently. + + -- Kees Cook Sun, 10 May 2009 17:29:32 -0700 + cryptsetup (2:1.0.6+20090405.svn49-1) unstable; urgency=low * New upstream svn snapshot. Highlights include: 
@@ -1229,6 +1874,67 @@ -- Jonas Meurer Mon, 06 Apr 2009 08:49:14 +0200 +cryptsetup (2:1.0.6-7ubuntu7) jaunty; urgency=low + + * debian/control: Depend on initramfs-tools so system is not potentially + rendered unbootable (LP: #358654). + + -- Kees Cook Thu, 09 Apr 2009 12:29:31 -0700 + +cryptsetup (2:1.0.6-7ubuntu6) jaunty; urgency=low + + * debian/initramfs/cryptroot-script: we don't require vol_id to understand + the encrypted device, but we should check the device is fully up first + before continuing by calling udevadm settle. LP: #291752. + + -- Steve Langasek Sat, 07 Mar 2009 21:39:14 -0800 + +cryptsetup (2:1.0.6-7ubuntu5) jaunty; urgency=low + + * debian/initramfs/cryptroot-hook: fix support for UUID and LABEL correlation + between fstab and crypttab (LP: #287879). + + -- TJ Mon, 16 Feb 2009 23:00:00 +0000 + +cryptsetup (2:1.0.6-7ubuntu4) jaunty; urgency=low + + * debian/askpass.c: also handle newline escape code in console prompt. + + -- Kees Cook Sun, 15 Feb 2009 08:57:05 -0800 + +cryptsetup (2:1.0.6-7ubuntu3) jaunty; urgency=low + + [ https://launchpad.net/~svenkata ] + * debian/checks/un_vol_id: dynamically build the "unknown volume type" + string, to allow for encrypted swap, LP: #316607 + + -- Dustin Kirkland Thu, 12 Feb 2009 16:57:30 -0600 + +cryptsetup (2:1.0.6-7ubuntu2) jaunty; urgency=low + + * debian/askpass.c: handle newline escape code in password prompt. + * debian/initramfs/cryptroot-script: add newline to split cryptroot + password prompt onto two lines for readability (LP: #326900). + + -- Kees Cook Sun, 08 Feb 2009 07:26:01 -0800 + +cryptsetup (2:1.0.6-7ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/initramfs/cryptroot-script: + - must source /scripts/functions to get the log_*_msg() functions. + - wait for encrypted device to show up (LP 164044, 291752). + - disable error message 'failed to setup lvm device' (LP 151532). 
+ - debian/rules: + - fix location of ltmain.sh (Ubuntu-specific until libtool 2.2.x is + in Debian unstable). + - link dynamically (LP 62751). + - add 04_fix_udevsettle_call.patch: fix path to binary for udevsettle. + * Revert versioned build-depency on libdevmapper-dev, since Ubuntu's + version is higher now. + + -- Kees Cook Tue, 06 Jan 2009 13:00:16 -0800 + cryptsetup (2:1.0.6-7) unstable; urgency=medium * Add patches/01_gettext_package.patch: Remove -luks from GETTEXT_PACKAGE 
@@ -1273,6 +1979,38 @@ -- Jonas Meurer Wed, 17 Dec 2008 21:25:45 +0100 +cryptsetup (2:1.0.6-6ubuntu2.1) intrepid-proposed; urgency=low + + * debian/initramfs/cryptroot-script: do not require that vol_id + can parse the encrypted device as valid (LP: #291752). + + -- Kees Cook Fri, 31 Oct 2008 13:10:06 -0700 + +cryptsetup (2:1.0.6-6ubuntu2) intrepid; urgency=low + + * Fixes for (LP: #272301) + * debian/initramfs/cryptroot-script: must source /scripts/functions to get + the log_*_msg() functions + * 04_fix_udevsettle_call.patch: fix path to binary for udevsettle + + -- Dustin Kirkland Fri, 19 Sep 2008 18:03:28 -0500 + +cryptsetup (2:1.0.6-6ubuntu1) intrepid; urgency=low + + * drop almost all ubuntu specific changes from the cryptsetup package, + because they have been merged in debian. Thanks a lot! + * merge from debian, remaining changes: + - remove versioned build-depency on libdevmapper-dev, we are using a + rather sophisticated loop for making sure the root filesystem appears. + * debian/rules: fix location of ltmain.sh + * don't exit usplash anymore in the init script. LP: #110970, #139363 + * Disable error message 'failed to setup lvm device'. It is harmless, and + caused by the fact that the udev rules provided by lvm2 are setting up + the lvm on their own. In debian the scripts here are responsible for this + but obviously fail in ubuntu. LP: #151532 + + -- Reinhard Tartler Sat, 30 Aug 2008 17:52:16 +0200 + cryptsetup (2:1.0.6-6) unstable; urgency=high * Don't cat keyfile into pipe for do_noluks(). cryptsetup handles 
@@ -1374,6 +2112,79 @@ -- Jonas Meurer Mon, 07 Jul 2008 00:30:07 +0200 +cryptsetup (2:1.0.6-2ubuntu7) intrepid; urgency=low + + * reintroduce changes from 2:1.0.6-2ubuntu5 that have been accidentally + dropped in version 2:1.0.6-2ubuntu6. + + -- Reinhard Tartler Fri, 20 Jun 2008 15:15:54 +0200 + +cryptsetup (2:1.0.6-2ubuntu6) intrepid; urgency=low + + [ Kjell Braden ] + * load scripts/functions for log_{begin,end}_msg + * debian/initramfs/cryptroot-script: wait for the cryptsource, not the resulting mapped root device + * debian/initramfs/cryptroot-hook: copy binaries to the right directory + + [ Reinhard Tartler ] + * remove versioned build-depency on libdevmapper-dev, we are using a + rather sophisticated loop for making sure the root filesystem appears. + + -- Reinhard Tartler Wed, 18 Jun 2008 00:26:43 +0200 + +cryptsetup (2:1.0.6-2ubuntu5) intrepid; urgency=low + + * Okay, I give up. include preprocessed manpages and adapt + debian/rules to easily produce those. + ATTENTION: on subsequent uploads, make sure that the manpages are + available and up-to-date. + + -- Reinhard Tartler Sun, 15 Jun 2008 13:33:07 +0200 + +cryptsetup (2:1.0.6-2ubuntu4) intrepid; urgency=low + + * also use local dtd in debian/doc/variables.xml.in. + + -- Reinhard Tartler Sun, 15 Jun 2008 12:55:42 +0200 + +cryptsetup (2:1.0.6-2ubuntu3) intrepid; urgency=low + + * try harder to fix FTBFS. + + -- Reinhard Tartler Sun, 15 Jun 2008 11:42:54 +0200 + +cryptsetup (2:1.0.6-2ubuntu2) intrepid; urgency=low + + * build docbook documentation using local dtds instead of trying to + download them at buildtime. Fixes FTBFS. + + -- Reinhard Tartler Sun, 15 Jun 2008 11:12:28 +0200 + +cryptsetup (2:1.0.6-2ubuntu1) intrepid; urgency=low + + * Merge new debian version. Remaining changes: + - Add XSBC-Vcs-Bzr tag to indicate that this package is managed using + bzr on launchpad. + - debian/rules: cryptsetup is linked dynamically against libgcrypt and + libgpg-error. 
+ - cryptdisks.functions: stop usplash on user input. LP #62751 + - Parse comments in lines not starting with '#', LP #185380 + - If the encrypted source device hasn't shown up yet, give it a + little while to deal with removable devices. LP #164044 + * Depend on race-free version of libdevmapper, thus making udevsettle + call from cryptsetup binary unnecessary. Dropping patch + debian/patches/06_run_udevsettle.patch + * remove patch from LP #73862, loading optimized modules has been solved + in debian in another way. + * cryptdisk.functions: remove spurious call to load_optimized_module. + LP: #239946 + * bugfix: make regex work if keyfile has extended attributes. LP: #231339. + * remove patch in cryptdisks.functions for rexecing the script itself for + ensuring that a tty is always available. (See LP #58794.) According to + Scott, this is not necessary anymore. + + -- Reinhard Tartler Sat, 14 Jun 2008 23:28:51 +0200 + cryptsetup (2:1.0.6-2) unstable; urgency=low [ Jonas Meurer ] 
@@ -1399,6 +2210,54 @@ -- David Härdeman Mon, 26 May 2008 08:12:32 +0200 +cryptsetup (2:1.0.6-1ubuntu4) intrepid; urgency=low + + [ Kjell Braden ] + * Fix configuration parsing (LP: #239808) + + [ Reinhard Tartler ] + * cryptroot-script: use 'echo' instead of 'log_begin_msg' (LP: #237723) + + -- Reinhard Tartler Fri, 13 Jun 2008 21:26:17 +0200 + +cryptsetup (2:1.0.6-1ubuntu3) intrepid; urgency=low + + * Parse comments in lines not starting with '#', LP: #185380 + * in cryptroot hook, don't rely on 'udevadm settle' to wait long enough + for the cryptdevice to appear. Reimplement the busy waiting loop found + while waiting for the root file system. Patch based on work by Swâmi + Petaramesh. LP: #164044 + * debian/crypdisks.functions: call 'env' with full path. LP: #178829. + + -- Reinhard Tartler Mon, 26 May 2008 22:12:32 +0200 + +cryptsetup (2:1.0.6-1ubuntu2) intrepid; urgency=low + + * Simplify the patch in debian/cryptdisks.functions that stops usplash + before asking for a passphrase. + + -- Reinhard Tartler Mon, 26 May 2008 20:18:14 +0200 + +cryptsetup (2:1.0.6-1ubuntu1) intrepid; urgency=low + + * Merge new debian version. Remaining changes: + - cryptsetup is linked dynamically against libgcrypt and libgpg-error. + - stop usplash on user input. LP #62751 + - debian/cryptdisks.functions: Always output and read from the console. + LP #58794. + - Add XSBC-Vcs-Bzr tag to indicate that this package is managed using + bzr on launchpad. + - debian/initramfs/cryptroot-hook: LP #73862 + Added patch to install aes optimized cypher module + - try to load optimized cypher module in cryptsetup.functions as well, + because cryptroot-hook is only executed when we really have a + cryptoroot. + * other ubuntu changes have been merged into debian. Please report bugs + if you believe some patches have been dropped. + * removed 07_typos_fix.patch, has been reviewed and applied upstream. 
+ + -- Reinhard Tartler Sun, 25 May 2008 22:52:30 +0200 + cryptsetup (2:1.0.6-1) unstable; urgency=low [ Jonas Meurer ] 
@@ -1530,6 +2389,138 @@ -- Jonas Meurer Thu, 06 Dec 2007 15:56:05 +0100 +cryptsetup (2:1.0.5-2ubuntu12) hardy; urgency=low + + * added debian/patches/07_typos_fix.dpatch: fixed typos in man pages. (LP: #164181) + + -- Bruno Barrera Yever Mon, 07 Apr 2008 18:43:05 -0500 + +cryptsetup (2:1.0.5-2ubuntu11) hardy; urgency=low + + * debian/initramfs/cryptroot-script: Do show the disk name after all, since + some people use multiple encrypted partitions as LVM PVs. (LP: #201413) + + -- Martin Pitt Sun, 06 Apr 2008 11:54:41 -0600 + +cryptsetup (2:1.0.5-2ubuntu10) hardy; urgency=low + + * debian/initramfs/cryptroot-script: Do not mention the name of the + encrypted device. It is just technobabble anyway (sda4_crypt), and there + is just one root partition ever, so it is not needed to tell apart + different partitions. From a security POV, someone who can change your + initramfs to boot a different root partition can just as well change the + strings, too. (LP: #201413) + + -- Martin Pitt Wed, 02 Apr 2008 15:51:53 +0200 + +cryptsetup (2:1.0.5-2ubuntu9) hardy; urgency=low + + * debian/scripts/luksformat: Use 256 bit key size by default. + (LP: #78508) + * debian/patches/02_manpage.dpatch: Clarify default key sizes (128 for + luksFormat and 256 for create) in cryptsetup.8. (side-note in LP #78508) + + -- Martin Pitt Wed, 27 Feb 2008 17:43:46 +0100 + +cryptsetup (2:1.0.5-2ubuntu8) hardy; urgency=low + + * Fix -x calls and access() call. + + -- Scott James Remnant Fri, 14 Dec 2007 16:54:53 +0000 + +cryptsetup (2:1.0.5-2ubuntu7) hardy; urgency=low + + * debian/initramfs/cryptroot-script: call udevadm instead of udevsettle + * debian/patches/06_call_udevsettle.dpatch: likewise + + -- Scott James Remnant Fri, 14 Dec 2007 16:11:36 +0000 + +cryptsetup (2:1.0.5-2ubuntu6) hardy; urgency=low + + * Make cryptsetup understand devices specified by UUID=... or LABEL= + in crypttab. 
(LP: #153597) + + -- Andrea Colangelo Mon, 29 Oct 2007 18:22:51 +0100 + +cryptsetup (2:1.0.5-2ubuntu5) hardy; urgency=low + + * reenable additional udevsettle calls in cryptroot hook from + https://launchpad.net/bugs/85640, LP: #132373. + * change maintainer to ubuntu-core-dev. + * use Vcs-Bzr instead of XSCB-Vcs-Bzr header in debian/control. + + -- Reinhard Tartler Thu, 08 Nov 2007 23:52:19 +0100 + +cryptsetup (2:1.0.5-2ubuntu4) hardy; urgency=low + + * reapply changes from version 2:1.0.5-2ubuntu2, got dropped with last + upload. Sorry, pitti. + * convert patch to lib/libdevmapper.c to a dpatch. + + -- Reinhard Tartler Sun, 04 Nov 2007 21:42:43 +0100 + +cryptsetup (2:1.0.5-2ubuntu3) hardy; urgency=low + + * RELIABILY FIX: lib/libdevmapper.c: Ensure that pending device creation + events are being processed by calling /sbin/udevsettle. Patch based on + OpenSUSE bug #285478, LP: #132373. + * Based on the change above, the patch from LP #85640 is no longer needed. + dropping the relevant parts. + * Fix debian/rules to not fail to build if autom4te.cache is left behind + from a previous incomplete build. + + -- Reinhard Tartler Fri, 02 Nov 2007 20:53:31 +0100 + +cryptsetup (2:1.0.5-2ubuntu2) gutsy; urgency=low + + * debian/initramfs/cryptroot-script: + - If the supplied password worked, remove the prompt from usplash again, + so that the user has some visual feedback that everything is alright. + (LP: #151305) + - Do not show the UUID device node of the outer physical device. It is + scary ("/dev/disk/by-uuid/1234yadayada") and displaying it does not + improve security at all: If attackers can tamper with your initramfs, + they can also change the prompt, and if the UUID of the physical device + changes, then booting will not even get that far. Now it is a much more + friendly "Enter passphrase for sda5_crypt:" which is still technical, + but it's necessary to point out which device will be unlocked in case + there are several. 
+ + -- Martin Pitt Thu, 11 Oct 2007 19:51:58 +0200 + +cryptsetup (2:1.0.5-2ubuntu1) gutsy; urgency=low + + * Merge new debian version. Remaining changes: + - cryptsetup is linked dynamically against libgcrypt and libgpg-error. + This will break systems where /usr is a separate encrypted filesystem + but not have other bad consequences (in particular, systems with + encrypted root are still fine). The upsides include better + security supportability and smaller packages. + - libcryptsetup.so et al removed from the binary packages. They have + no stable ABI and are not suitable for use by other packages, and + were in violation of library policies etc. They're not needed since + the cryptsetup executable statically contains the relevant parts of + libcryptsetup. + - cryptdisks.functions: remove #!/bin/bash as it isn't a script + by itself; it's only sourced by other scripts. This gets rid + of the lintian warning `script-not-executable' for this file. + - stop usplash on user input. LP #62751 + - Always output and read from the console. LP #58794. + - Add XSBC-Vcs-Bzr tag to indicate that this package is managed using + bzr on launchpad. + - Bump libgcrypt11 build-dependency again to 1.2.4-2ubuntu2 to eliminate + libnsl linkage; + - debian/initramfs/cryptroot-hook: (LP: #73862) + Added patch to install aes optimized cypher module + - try to load optimized cypher module in cryptsetup.functions as well, + because cryptroot-hook is only executed when we really have a + cryptoroot. + - apply patch from pitti for allowing UUIDs in /etc/crypttab. + This allowes crypted PVs! LP: #144390. + - remove README.ubuntu, since it contains old and obsolete information. + + -- Reinhard Tartler Tue, 02 Oct 2007 21:31:28 +0200 + cryptsetup (2:1.0.5-2) unstable; urgency=low [ Jonas Meurer ] 
@@ -1578,6 +2569,68 @@ -- Jonas Meurer Mon, 24 Sep 2007 15:42:06 +0200 +cryptsetup (2:1.0.5-1ubuntu5) UNRELEASED; urgency=low + + * apply patch from pitti for allowing UUIDs in /etc/crypttab. + This allowes crypted PVs! LP: #144390. + * remove README.ubuntu, since it contains old and obsolete information. + + -- Reinhard Tartler Tue, 02 Oct 2007 19:59:24 +0200 + +cryptsetup (2:1.0.5-1ubuntu4) gutsy; urgency=low + + [ Stephan Hermann ] + * debian/initramfs/cryptroot-hook: (LP: #73862) + - Added patch to install aes optimized cypher module + + [ Reinhard Tartler ] + * re-applying old patch to new package version + * try to load optimized cypher module in cryptsetup.functions as well, + because cryptroot-hook is only executed when we really have a + cryptoroot. + + -- Reinhard Tartler Thu, 27 Sep 2007 19:38:48 +0200 + +cryptsetup (2:1.0.5-1ubuntu3) gutsy; urgency=low + + * Bump libgcrypt11 build-dependency again to 1.2.4-2ubuntu2 to eliminate + libnsl linkage; should finally produce a usable cryptsetup binary for + the udeb. + + -- Colin Watson Wed, 19 Sep 2007 15:28:52 +0100 + +cryptsetup (2:1.0.5-1ubuntu2) gutsy; urgency=low + + * Bump libgcrypt11 build-dependency to 1.2.4-2ubuntu1 and rebuild for + proper udeb dependencies. + + -- Colin Watson Wed, 19 Sep 2007 01:37:02 +0100 + +cryptsetup (2:1.0.5-1ubuntu1) gutsy; urgency=low + + * Merge new debian version. Remaining changes: + - cryptsetup is linked dynamically against libgcrypt and libgpg-error. + This will break systems where /usr is a separate encrypted filesystem + but not have other bad consequences (in particular, systems with + encrypted root are still fine). The upsides include better + security supportability and smaller packages. + - libcryptsetup.so et al removed from the binary packages. They have + no stable ABI and are not suitable for use by other packages, and + were in violation of library policies etc. 
They're not needed since + the cryptsetup executable statically contains the relevant parts of + libcryptsetup. + - cryptdisks.functions: remove #!/bin/bash as it isn't a script + by itself; it's only sourced by other scripts. This gets rid + of the lintian warning `script-not-executable' for this file. + - stop usplash on user input. LP #62751 + - Always output and read from the console. LP #58794. + * Add XSBC-Vcs-Bzr tag to indicate that this package is managed using + bzr on launchpad. + * UVF exception request granted by Scott Kitterman and Chuck Short + LP: #138295 + + -- Reinhard Tartler Sat, 08 Sep 2007 19:04:54 +0200 + cryptsetup (2:1.0.5-1) unstable; urgency=low [ Jonas Meurer ] 
@@ -1598,6 +2651,66 @@ -- Jonas Meurer Fri, 27 Jul 2007 04:59:33 +0200 +cryptsetup (2:1.0.4+svn29-1ubuntu6) gutsy; urgency=low + + * Add notes by Ilkka Tuohela in a new file debian/README.ubuntu + + -- Reinhard Tartler Sat, 08 Sep 2007 18:43:56 +0200 + +cryptsetup (2:1.0.4+svn29-1ubuntu5) gutsy; urgency=low + + * cryptsetup is linked dynamically against libgcrypt and libgpg-error. + This will break systems where /usr is a separate encrypted filesystem + but not have other bad consequences (in particular, systems with + encrypted root are still fine). The upsides include better + security supportability and smaller packages. + * libcryptsetup.so et al removed from the binary packages. They have + no stable ABI and are not suitable for use by other packages, and + were in violation of library policies etc. They're not needed since + the cryptsetup executable statically contains the relevant parts of + libcryptsetup. + * cryptdisks.functions: remove #!/bin/bash as it isn't a script + by itself; it's only sourced by other scripts. This gets rid + of the lintian warning `script-not-executable' for this file. + + -- Ian Jackson Fri, 31 Aug 2007 12:05:33 +0100 + +cryptsetup (2:1.0.4+svn29-1ubuntu4) gutsy; urgency=low + + * s/$CRYPTCMD/cryptsetup/ in debian/cryptdisks.functions + (LP: #115617) + + -- Reinhard Tartler Tue, 29 May 2007 17:04:05 +0200 + +cryptsetup (2:1.0.4+svn29-1ubuntu3) gutsy; urgency=low + + * make luksformat check if filesystem is already mounted to prevent a + strange error message. thanks to mvo for the patch (LP: #116633) + * remove file debian/initramfs-cryptroot-script from source. it is not + installed anywhere, and a leftover from the last merge. + * add missing hunk of cryptsetup.functions compared to debian package. + * reapply http://librarian.launchpad.net/7329604/bug85640.debdiff to + debian/initramfs/cryptroot-script, since stgraber's patch has been + lost in the last merge. 
(LP: #85640) + + -- Reinhard Tartler Tue, 29 May 2007 15:02:57 +0200 + +cryptsetup (2:1.0.4+svn29-1ubuntu2) gutsy; urgency=low + + * modprobe dm-mod from cryptsetup.functions. (LP: #64625, #91405) + + -- Reinhard Tartler Tue, 29 May 2007 13:31:39 +0200 + +cryptsetup (2:1.0.4+svn29-1ubuntu1) gutsy; urgency=low + + * Merge from Debian unstable. Remaining Ubuntu changes: + - stop usplash on user input. Ubuntu: #62751 + - Always output and read from the console. Ubuntu: #58794. + - Wait for Udev to be ready to avoid partition non-detection. (LP: #85640) + * Modify Maintainer value to match Debian-Maintainer-Field Spec + + -- Andrea Veri Sun, 6 May 2007 22:33:25 +0200 + cryptsetup (2:1.0.4+svn29-1) unstable; urgency=low * New upstream svn snapshot with several bugfixes @@ -1650,6 +2763,20 @@ -- Jonas Meurer Sat, 28 Apr 2007 20:45:50 +0200 +cryptsetup (2:1.0.4+svn26-1ubuntu2) feisty; urgency=low + + * Wait for Udev to be ready to avoid partition non-detection. (LP: #85640) + + -- Stéphane Graber Thu, 14 Apr 2007 10:03:41 +0200 + +cryptsetup (2:1.0.4+svn26-1ubuntu1) feisty; urgency=low + + * merge debian changes. Remaining ubuntu changes: + - stop usplash on user input. Ubuntu: #62751 + - Always output and read from the console. Ubuntu: #58794. + + -- Reinhard Tartler Sat, 3 Feb 2007 21:30:03 +0100 + cryptsetup (2:1.0.4+svn26-1) unstable; urgency=high [ Jonas Meurer ] 
@@ -1699,6 +2826,28 @@ -- Jonas Meurer Tue, 28 Nov 2006 18:17:12 +0100 +cryptsetup (2:1.0.4-8ubuntu2) feisty; urgency=low + + * fix and improve initramfs hook: terminate usplash if running, since + adequate secure text input is not possible with usplash ATM + * usplash support: Terminate usplash before asking a password. + Closes https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/62751 + + -- Reinhard Tartler Wed, 24 Jan 2007 22:43:28 +0100 + +cryptsetup (2:1.0.4-8ubuntu1) feisty; urgency=low + + * merge debian changes, remaining patches: + - Always output and read from the console. Ubuntu: #58794. + * other changes have been merged or do noy apply anymore + * read password via usplash if available in initramfs for rootfs. based on a patch from + Swen Thümmler (Thanks for that!) Ubuntu #62751 + * read password from initscript via usplash if running. should fix the + rest of Ubuntu #62751. Only problem with that patch: It asks only once + for the password! improvements welcome! + + -- Reinhard Tartler Sun, 19 Nov 2006 20:04:19 +0100 + cryptsetup (2:1.0.4-8) unstable; urgency=high [ Jonas Meurer ] @@ -1856,6 +3005,27 @@ -- Jonas Meurer Mon, 4 Sep 2006 03:55:35 +0200 +cryptsetup (2:1.0.3-3ubuntu3) edgy; urgency=low + + * Always output and read from the console. Ubuntu: #58794. + + -- Scott James Remnant Thu, 21 Sep 2006 03:05:18 +0100 + +cryptsetup (2:1.0.3-3ubuntu2) edgy; urgency=low + + * Load the dm-crypt module on startup. Ubuntu: #53475. + + -- Scott James Remnant Wed, 23 Aug 2006 11:53:49 +0200 + +cryptsetup (2:1.0.3-3ubuntu1) edgy; urgency=low + + * Sync with Debian: + Remaining Ubuntu Changes + + debian/cryptdisks.functions: + - Tell usplash to quit if we ask for a passphrase + + -- Sebastian Dröge Tue, 11 Jul 2006 20:03:27 +0200 + cryptsetup (2:1.0.3-3) unstable; urgency=low [ Jonas Meurer ] 
@@ -2275,4 +3445,3 @@ * "integrated LUKS" support (very messy hack) -- Michael Gebetsroither Thu, 10 Feb 2005 18:16:21 +0100 - diff -Nru cryptsetup-1.7.3/debian/control cryptsetup-1.7.3/debian/control --- cryptsetup-1.7.3/debian/control 2017-05-09 11:50:59.000000000 +0000 +++ cryptsetup-1.7.3/debian/control 2017-08-10 13:07:29.000000000 +0000 @@ -1,7 +1,8 @@ Source: cryptsetup Section: admin Priority: optional -Maintainer: Debian Cryptsetup Team +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian Cryptsetup Team Uploaders: Jonas Meurer , Guilhem Moulin Build-Depends: libgcrypt20-dev (>= 1.6.1), libdevmapper-dev (>= 2:1.02.24-4), libpopt-dev, uuid-dev, libselinux1-dev, libsepol1-dev, libtool (>= 2.2), autoconf, automake (>= 1:1.12), pkg-config, autopoint, gettext, debhelper (>= 9.20120410~), xsltproc, docbook-xml, docbook-xsl (>= 1.74.3+dfsg), dpkg-dev (>= 1.15.1), po-debconf, dh-strip-nondeterminism @@ -13,7 +14,7 @@ Package: cryptsetup Architecture: linux-any Depends: ${shlibs:Depends}, ${misc:Depends}, dmsetup, cryptsetup-bin (>= 2:1.6.0) -Recommends: kbd, console-setup, initramfs-tools (>= 0.129) | linux-initramfs-tool, busybox | busybox-static +Recommends: kbd, console-setup, initramfs-tools (>= 0.129) | linux-initramfs-tool, busybox-static | busybox, plymouth Suggests: dosfstools, liblocale-gettext-perl, keyutils Provides: cryptsetup-luks Conflicts: cryptsetup-luks 
@@ -48,7 +49,7 @@ Section: libs Architecture: linux-any Multi-Arch: same -Depends: ${shlibs:Depends}, ${misc:Depends}, libgpg-error0 (>= 1.10-0.1), libgcrypt20 (>= 1.6.1) +Depends: ${shlibs:Depends}, ${misc:Depends}, libgpg-error0 (>= 1.10-0.1) Description: disk encryption support - shared library Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel diff -Nru cryptsetup-1.7.3/debian/cryptdisks-udev.maintscript cryptsetup-1.7.3/debian/cryptdisks-udev.maintscript --- cryptsetup-1.7.3/debian/cryptdisks-udev.maintscript 1970-01-01 00:00:00.000000000 +0000 +++ cryptsetup-1.7.3/debian/cryptdisks-udev.maintscript 2017-08-10 13:07:29.000000000 +0000 @@ -0,0 +1 @@ +rm_conffile /etc/init/upstart.conf 2:1.7.2-0ubuntu2~ cryptdisks-udev diff -Nru cryptsetup-1.7.3/debian/cryptdisks-udev.upstart cryptsetup-1.7.3/debian/cryptdisks-udev.upstart --- cryptsetup-1.7.3/debian/cryptdisks-udev.upstart 2017-05-09 11:50:59.000000000 +0000 +++ cryptsetup-1.7.3/debian/cryptdisks-udev.upstart 1970-01-01 00:00:00.000000000 +0000 @@ -1,25 +0,0 @@ -# cryptdisks - enable encrypted block devices - -description "enable encrypted block devices" - -start on block-device-added ID_FS_USAGE=crypto -instance $DEVNAME - -task - -script - if [ -r /lib/cryptsetup/cryptdisks.functions ]; then - . /lib/cryptsetup/cryptdisks.functions - else - exit 0 - fi - - case "$CRYPTDISKS_ENABLE" in - [Nn]*) - exit 1 - ;; - esac - - INITSTATE=udev - crypttab_start_one_disk "$DEVNAME" -end script diff -Nru cryptsetup-1.7.3/debian/cryptdisks.maintscript cryptsetup-1.7.3/debian/cryptdisks.maintscript --- cryptsetup-1.7.3/debian/cryptdisks.maintscript 1970-01-01 00:00:00.000000000 +0000 +++ cryptsetup-1.7.3/debian/cryptdisks.maintscript 2017-08-10 13:07:29.000000000 +0000 
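Review bot: The `rm_conffile` line in the new debian/cryptdisks-udev.maintscript names `/etc/init/upstart.conf`, which is not a path this package shipped. The jobs lived at `/etc/init/cryptdisks-udev.conf` and `/etc/init/cryptdisks.conf`, as the `mv_conffile` context and the two `rm_conffile` lines added to debian/cryptsetup.maintscript show. The new debian/cryptdisks.maintscript repeats the same wrong path. Both files are also named after `cryptdisks-udev` and `cryptdisks`, which do not appear among the binary packages visible in debian/control, so debhelper would presumably never install them. They look like leftovers from an earlier attempt and are best deleted, leaving debian/cryptsetup.maintscript as the single place that removes the obsolete boot-time jobs.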
@@ -0,0 +1 @@
+rm_conffile /etc/init/upstart.conf 2:1.7.2-0ubuntu2~ cryptdisks
diff -Nru cryptsetup-1.7.3/debian/cryptdisks.upstart cryptsetup-1.7.3/debian/cryptdisks.upstart
--- cryptsetup-1.7.3/debian/cryptdisks.upstart 2017-05-09 11:50:59.000000000 +0000
+++ cryptsetup-1.7.3/debian/cryptdisks.upstart 1970-01-01 00:00:00.000000000 +0000
@@ -1,45 +0,0 @@ -# cryptdisks - enable encrypted block devices -# -# Sweep up any devices in /etc/crypttab that have not yet been started at -# the end of udev coldplugging; this partly duplicates the cryptdisks-udev -# job, but is necessary because: -# - some devices may not be registered as ID_FS_USAGE=crypto by udev (e.g., -# random-encrypted devices), but we don't want to call the upstart job -# for every single block device -# - some devices can only be decrypted after other devices are decrypted and -# mounted first, so we need a two-pass system (like -# /etc/init.d/cryptdisks{,-early} previously) -# -# This job currently still does not guarantee a race-free startup; instances -# of cryptdisks-udev may be started in parallel with this job. - -description "enable remaining boot-time encrypted block devices" - -start on stopped udevtrigger or container - -# Currently stopping is a no-op, so we can stop this anywhere during the -# shutdown sequence. We let the cryptdisks-early init script take care of -# device teardown instead; it happens that the distinction between the -# 'cryptdisks' and 'cryptdisks-early' jobs is irrelevant on shutdown because -# the only sequencing difference is lvm2, which has no init script that's -# called on shutdown. -stop on unmounted-remote-filesystems - -task - -pre-start script - if [ -r /lib/cryptsetup/cryptdisks.functions ]; then - . /lib/cryptsetup/cryptdisks.functions - else - exit 0 - fi - - case "$CRYPTDISKS_ENABLE" in - [Nn]*) - exit 1 - ;; - esac - - INITSTATE="init" - do_start -end script diff -Nru cryptsetup-1.7.3/debian/cryptsetup.maintscript cryptsetup-1.7.3/debian/cryptsetup.maintscript --- cryptsetup-1.7.3/debian/cryptsetup.maintscript 2017-05-09 11:50:59.000000000 +0000 +++ cryptsetup-1.7.3/debian/cryptsetup.maintscript 2017-08-10 13:07:29.000000000 +0000 
@@ -1,3 +1,5 @@ mv_conffile /etc/init/cryptdisks-early.conf /etc/init/cryptdisks-udev.conf 2:1.4.3-4 mv_conffile /etc/init/cryptdisks-enable.conf /etc/init/cryptdisks.conf 2:1.6.1-1ubuntu1~ +rm_conffile /etc/init/cryptdisks-udev.conf 2:1.7.2-0ubuntu4~ +rm_conffile /etc/init/cryptdisks.conf 2:1.7.2-0ubuntu4~ rm_conffile /etc/bash_completion.d/cryptdisks 2:1.7.0-3 diff -Nru cryptsetup-1.7.3/debian/passdev.c cryptsetup-1.7.3/debian/passdev.c --- cryptsetup-1.7.3/debian/passdev.c 2017-05-09 11:50:59.000000000 +0000 +++ cryptsetup-1.7.3/debian/passdev.c 2017-08-10 13:07:29.000000000 +0000 @@ -20,7 +20,7 @@ */ -#define _BSD_SOURCE +#define _DEFAULT_SOURCE #include #include #include diff -Nru cryptsetup-1.7.3/debian/patches/fips-fix-luksformat-with-recent-kernels cryptsetup-1.7.3/debian/patches/fips-fix-luksformat-with-recent-kernels --- cryptsetup-1.7.3/debian/patches/fips-fix-luksformat-with-recent-kernels 1970-01-01 00:00:00.000000000 +0000 +++ cryptsetup-1.7.3/debian/patches/fips-fix-luksformat-with-recent-kernels 2017-08-10 13:07:29.000000000 +0000 
@@ -0,0 +1,36 @@
+From 3c2135b36bbc52d052e4ced7c94dc4981eb07a53 Mon Sep 17 00:00:00 2001
+From: Milan Broz
+Date: Fri, 21 Apr 2017 08:16:14 +0200
+Subject: [PATCH] Fix luksFormat if running in FIPS mode on recent kernel.
+
+Recently introduced check for weak keys for XTS mode makes
+zeroed key for algorithm check unusable.
+
+Use random key for the test instead.
+---
+ lib/luks1/keymanage.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c
+index b700bab..5b1421b 100644
+--- a/lib/luks1/keymanage.c
++++ b/lib/luks1/keymanage.c
+@@ -631,9 +631,11 @@ static int LUKS_check_cipher(struct luks_phdr *hdr, struct crypt_device *ctx)
+ if (!empty_key)
+ return -ENOMEM;
+
+- r = LUKS_decrypt_from_storage(buf, sizeof(buf),
+- hdr->cipherName, hdr->cipherMode,
+- empty_key, 0, ctx);
++ /* No need to get KEY quality random but it must avoid known weak keys. */
++ r = crypt_random_get(ctx, empty_key->key, empty_key->keylength, CRYPT_RND_NORMAL);
++ if (!r)
++ r = LUKS_decrypt_from_storage(buf, sizeof(buf), hdr->cipherName,
++ hdr->cipherMode, empty_key, 0, ctx);
+
+ crypt_free_volume_key(empty_key);
+ crypt_memzero(buf, sizeof(buf));
+--
+libgit2 0.25.0
+
+
diff -Nru cryptsetup-1.7.3/debian/patches/series cryptsetup-1.7.3/debian/patches/series
--- cryptsetup-1.7.3/debian/patches/series 2017-05-09 11:50:59.000000000 +0000
+++ cryptsetup-1.7.3/debian/patches/series 2017-08-10 13:07:29.000000000 +0000
@@ -0,0 +1 @@
+fips-fix-luksformat-with-recent-kernels
diff -Nru cryptsetup-1.7.3/debian/rules cryptsetup-1.7.3/debian/rules
--- cryptsetup-1.7.3/debian/rules 2017-05-09 11:50:59.000000000 +0000
+++ cryptsetup-1.7.3/debian/rules 2017-08-10 13:07:29.000000000 +0000
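Review bot: After this change `empty_key` in LUKS_check_cipher is filled by `crypt_random_get()` and is no longer empty, so the name now suggests a zeroed key that the code deliberately avoids. Because this is a carried upstream patch, a rename would add divergence; a comment on the new call is enough, e.g. `/* empty_key now holds a throwaway random probe key; it is freed right after the check */`. A failure of the random source is also returned through `r` on the same path as a cipher failure, so the caller presumably cannot tell an unavailable cipher from an RNG error. A distinct debug message would help when triaging luksFormat failures on FIPS systems. The function starts and ends outside the hunk, so the key allocation and the final return are not visible here.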
@@ -1,6 +1,10 @@ #!/usr/bin/make -f -include /usr/share/dpkg/architecture.mk +# Export dpkg build flags +DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow,+pie +DEB_CFLAGS_MAINT_APPEND = -Wall +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/default.mk # Turn on verbose mode. export V=1 @@ -26,12 +30,6 @@ CC := $(DEB_HOST_GNU_TYPE)-gcc endif -# Export dpkg build flags -DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow,+pie -DEB_CFLAGS_MAINT_APPEND = -Wall -DPKG_EXPORT_BUILDFLAGS = 1 --include /usr/share/dpkg/buildflags.mk - ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) INSTALL_PROGRAM += -s endif @@ -79,8 +77,8 @@ # build upstream cryptsetup $(MAKE) # build askpass and passdev keyscripts - $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -pedantic -std=c99 debian/askpass.c -o debian/askpass - $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -pedantic -std=c99 debian/passdev.c -o debian/scripts/passdev + $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -pedantic debian/askpass.c -o debian/askpass + $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -pedantic debian/passdev.c -o debian/scripts/passdev build: build-indep build-arch
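Review bot: `DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow,+pie` in the first debian/rules hunk is carried over unchanged when the block moves above the include. The askpass and passdev keyscripts compiled in the last hunk of this file take their flags from it, so `hardening=+all` would be the more future-proof setting: hardening features that dpkg-buildflags gains later would then apply without another edit. The new position is load-bearing and deserves a comment such as `# keep above the include: DPKG_EXPORT_BUILDFLAGS is tested when default.mk is read`. Replacing the tolerant `-include` of buildflags.mk with a hard `include /usr/share/dpkg/default.mk` is the safer behaviour, since a missing snippet now fails the build instead of silently compiling the helpers without hardening flags.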