diff --git a/ChangeLog b/ChangeLog
index cae94370..fca8200f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 2012-05-27 Milan Broz
 * Fix readonly activation if underlying device is readonly (1.4.0).
 * Include stddef.h in libdevmapper.h (size_t definition).
+ * Version 1.4.3.
 2012-05-21 Milan Broz
 * Add --enable-fips for linking with fipscheck library.
diff --git a/configure.in b/configure.in
index 7bda32b3..194781a5 100644
--- a/configure.in
+++ b/configure.in
@@ -1,9 +1,9 @@
 AC_PREREQ([2.67])
-AC_INIT([cryptsetup],[1.4.3-git])
+AC_INIT([cryptsetup],[1.4.3])
 dnl library version from ..[-]
 LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-)
-LIBCRYPTSETUP_VERSION_INFO=5:0:1
+LIBCRYPTSETUP_VERSION_INFO=6:0:2
 AC_CONFIG_SRCDIR(src/cryptsetup.c)
 AC_CONFIG_MACRO_DIR([m4])
diff --git a/docs/v1.4.3-ReleaseNotes b/docs/v1.4.3-ReleaseNotes
new file mode 100644
index 00000000..a8c451d1
--- /dev/null
+++ b/docs/v1.4.3-ReleaseNotes
@@ -0,0 +1,62 @@
+Cryptsetup 1.4.3 Release Notes
+==============================
+
+Changes since version 1.4.2
+
+* Fix readonly activation if underlying device is readonly (1.4.0).
+
+* Fix loop mapping on readonly file.
+
+* Include stddef.h in libdevmapper.h (size_t definition).
+
+* Fix keyslot removal for device with 4k hw block (1.4.0).
+(Wipe keyslot failed in this case.)
+
+* Relax --shared flag to allow mapping even for overlapping segments.
+
+ The --shared flag (and API CRYPT_ACTIVATE_SHARED flag) is now able
+ to map arbitrary overlapping area. From API it is even usable
+ for LUKS devices.
+ It is user responsibility to not cause data corruption though.
+
+ This allows e.g. scubed to work again and also allows some
+ tricky extensions later.
+
+* Allow empty cipher (cipher_null) for testing.
+
+ You can now use "null" (or directly ciphe_null-ecb) in cryptsetup.
+ This means no encryption, useful for performance tests
+ (measure dm-crypt layer overhead).
+
+* Switch on retry on device remove for libdevmapper.
+ Device-mapper now retry removal if device is busy.
+
+* Allow "private" activation (skip some udev global rules) flag.
+ Cryptsetup library API now allows to specify CRYPT_ACTIVATE_PRIVATE,
+ which means that some udev rules are not processed.
+ (Used for temporary devices, like internal keyslot mappings where
+ it is not desirable to run any device scans.)
+
+* This release also includes some Red Hat/Fedora specific extensions
+related to FIPS140-2 compliance.
+
+In fact, all these patches are more formal changes and are just subset
+of building blocks for FIPS certification. See FAQ for more details
+about FIPS.
+
+FIPS extensions are enabled by using --enable-fips configure switch.
+
+In FIPS mode (kernel booted with fips=1 and gcrypt in FIPS mode)
+
+ - it provides library and binary integrity verification using
+ libfipscheck (requires pre-generated checksums)
+
+ - it uses FIPS approved RNG for encryption key and salt generation
+ (note that using /dev/random is not formally FIPS compliant RNG).
+
+ - only gcrypt crypto backend is currently supported in FIPS mode.
+
+The FIPS RNG requirement for salt comes from NIST SP 800-132 recommendation.
+(Recommendation for Password-Based Key Derivation. Part 1: Storage Applications.
+http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf)
+LUKS should be aligned to this recommendation otherwise.