[dm-devel] [ANNOUNCE] cryptsetup 1.4.3

Milan Broz gmazyland at gmail.com
Thu May 31 08:38:10 UTC 2012 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The stable cryptsetup 1.4.3 release is available at

   http://code.google.com/p/cryptsetup/

Feedback and bug reports are welcomed.


Cryptsetup 1.4.3 Release Notes
==============================

Changes since version 1.4.2

* Fix readonly activation if underlying device is readonly (1.4.0).

* Fix loop mapping on readonly file.

* Include stddef.h in libdevmapper.h (size_t definition).

* Fix keyslot removal for device with 4k hw block (1.4.0).
(Wipe keyslot failed in this case.)

* Relax --shared flag to allow mapping even for overlapping segments.

  The --shared flag (and API CRYPT_ACTIVATE_SHARED flag) is now able
  to map arbitrary overlapping area. From API it is even usable
  for LUKS devices.
  It is user responsibility to not cause data corruption though.

  This allows e.g. scubed to work again and also allows some
  tricky extensions later.

* Allow empty cipher (cipher_null) for testing.

  You can now use "null" (or directly cipher_null-ecb) in cryptsetup.
  This means no encryption, useful for performance tests
  (measure dm-crypt layer overhead).

* Switch on retry on device remove for libdevmapper.
  Device-mapper now retry removal if device is busy.

* Allow "private" activation (skip some udev global rules) flag.
  Cryptsetup library API now allows to specify CRYPT_ACTIVATE_PRIVATE,
  which means that some udev rules are not processed.
  (Used for temporary devices, like internal keyslot mappings where
  it is not desirable to run any device scans.)

* This release also includes some Red Hat/Fedora specific extensions
related to FIPS140-2 compliance.

In fact, all these patches are more formal changes and are just subset
of building blocks for FIPS certification. See FAQ for more details
about FIPS.

FIPS extensions are enabled by using --enable-fips configure switch.

In FIPS mode (kernel booted with fips=1 and gcrypt in FIPS mode)

  - it provides library and binary integrity verification using
  libfipscheck (requires pre-generated checksums)

  - it uses FIPS approved RNG for encryption key and salt generation
  (note that using /dev/random is not formally FIPS compliant RNG).

 - only gcrypt crypto backend is currently supported in FIPS mode.

The FIPS RNG requirement for salt comes from NIST SP 800-132 recommendation.
(Recommendation for Password-Based Key Derivation. Part 1: Storage Applications.
http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf)
LUKS should be aligned to this recommendation otherwise.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJPxy3yAAoJENmwV3vZPpj8338QAKV7PFpTuW8aIcx2wqM2C9QQ
JWudHWLwPml88YYQt00FhaBQgN6zklElp9TQTGf/6l0tqluDgxc3ALuMi9+jCDb0
yQGpgv1JE3ZhCb0OVpOBhp2p495J5zPVyBdOWEXIq0Go/pREoEbdQ9c5XANaKzF2
oYCpw1QhXIf2z6cUMiTMfN3Ivb4E4KDmaAJpuWLdkqrrdOMrepEneYs4VSH+feQ4
anmikqHqVSzkOQjmZ5cZYcfdMZCQlrJKdOpqwTQCLSzMvMLo3e/bb8J1l7+I1AIu
Rkap0ODlCVX+QsddI1b38GLPVn3wxtme4wC6/gsGRi+uHThtjnCEOFq5wn2mlveN
w6g3+F+sle+YjQsT5S9fgXlOMT4D6MaobTHQppDFa2ajYHsEJKWjX/yRALMBo7zq
pN0sVHUT/dEj06RoPTEnObJmL/y3wY+ibE19+PdmBewYPr1uhwLlA/vCwnLiItxr
GnRgXxex+rhJjrtCoJRrYNLeA6fFldrIovaoiHRft9bvJv9q3QYNgKLDJdCegUUT
9OO/HlzkB7Vsds4xtgRgHXJNP9dZqOd9ccX4a2bAUj45n8FJ9F/u/n9G5uS7X6c8
tOQCUmB+MS+WIINmSCP7wI3sDYfBaW4w0KxZvDyGQca6dddQPWabVARwKPG3q4Mi
eoxGYC+mPiCL0kENLY4M
=hmEH
-----END PGP SIGNATURE-----

More information about the dm-devel mailing list