Description Thomas Deutschmann (RETIRED) 2015-11-04 16:49:37 UTC

Hi,

from cryptsetup-1.7.0 release notes:

> Changes since version 1.6.8
> 
> * Default hash function is now SHA256 (used in key derivation function
>   and anti-forensic splitter).
> 
>   Note that replacing SHA1 with SHA256 is not for security reasons.
>   (LUKS does not have problems even if collisions are found for SHA1,
>   for details see FAQ item 5.20).
> 
>   Using SHA256 as default is mainly to prevent compatibility problems
>   on hardened systems where SHA1 is already be phased out.
> 
>   Note that all checks (kernel crypto API availability check) now uses
>   SHA256 as well.

So >=sys-fs/cryptsetup-1.7.0 should add a check for CRYPTO_SHA256 kernel configuration option:

--- cryptsetup-1.7.0.ebuild.old 2015-11-04 13:28:38.000000000 +0100
+++ cryptsetup-1.7.0.ebuild     2015-11-04 14:59:32.000000000 +0100
@@ -45,8 +45,9 @@
        static? ( ${LIB_DEPEND} )"

 pkg_setup() {
-       local CONFIG_CHECK="~DM_CRYPT ~CRYPTO ~CRYPTO_CBC"
+       local CONFIG_CHECK="~DM_CRYPT ~CRYPTO ~CRYPTO_CBC ~CRYPTO_SHA256"
        local WARNING_DM_CRYPT="CONFIG_DM_CRYPT:\tis not set (required for cryptsetup)\n"
+       local WARNING_CRYPTO_SHA256="CONFIG_CRYPTO_SHA256:\tis not set (required for cryptsetup)\n"
        local WARNING_CRYPTO_CBC="CONFIG_CRYPTO_CBC:\tis not set (required for kernel 2.6.19)\n"
        local WARNING_CRYPTO="CONFIG_CRYPTO:\tis not set (required for cryptsetup)\n"
        check_extra_config


Reproducible: Always