Milan Broz
d1d9dd8e20
Update Copyright year.
2021-01-25 22:00:25 +01:00
Ondrej Kozina
e6a3569743
Avoid name clash with newer json-c library.
...
This is partial revert of previous commit and also
fixes wrong decision to name our internal helpers with
json_object prefix.
2020-04-14 17:24:57 +02:00
Milan Broz
080566a1fd
Update copyright year.
2020-01-03 13:04:55 +01:00
Milan Broz
35c49ababf
Fix some compiler warnings.
2019-12-31 17:49:38 +01:00
Ondrej Kozina
3691add163
Minor code cleanup.
2019-11-28 16:38:53 +01:00
Ondrej Kozina
cc7a9e4607
Fix lookup function for keyslot-segment assignment.
...
In reencryption we can have more than 3 segments.
2019-11-28 16:38:53 +01:00
Ondrej Kozina
943fa69da6
Reduce code duplication in LUKS2 keyslot handling.
2019-11-28 16:38:53 +01:00
Ondrej Kozina
3bef291184
Unify low level LUKS2 keyslot unlock and verify code.
...
Function is now unused, see later commit
2019-11-28 16:38:53 +01:00
Ondrej Kozina
7316c53b04
Remove redundant digest id to key assignment.
2019-11-28 16:38:52 +01:00
Ondrej Kozina
5e1d1e1850
Add missing validation when unlocking keys for reencryption.
...
We missed keyslot json validation when unlocking all keys necessary
for reencryption. Also assign appropriate verified digest id to
keys in volume key structure.
2019-11-28 16:38:52 +01:00
Ondrej Kozina
e52c8e148c
Remove unnecessary query for volume key size.
...
In fact we need only stored key size in examined keyslot. It's valid for
default segment volume keys and in case of non-default segment
keys it always returns -1 and falls back to stored key size query
instead.
2019-11-28 16:38:52 +01:00
Milan Broz
206b70c837
Explicitly print error message if keyslot open failed.
...
The only quiet message now is EPERM (wrong password) that is
processed by the caller.
Fixes #488.
2019-10-11 14:06:49 +02:00
Ondrej Kozina
a23e1cf729
LUKS2 code cleanup.
...
- drop unused code
- drop unused function declarations
- remove local routines from internal api
2019-08-05 18:29:37 +02:00
Ondrej Kozina
61dff96474
Reencryption keyslot must report as unbound.
2019-07-12 15:37:18 +02:00
Yuri Chornoivan
4143d9871e
Fix minor typos
2019-06-28 12:02:39 +00:00
Ondrej Kozina
272505b99d
If no hash is specified in pbkdf use default value for keyslot AF.
2019-06-13 17:04:21 +02:00
Ondrej Kozina
c77ae65a0d
Wipe both keyslot data and metadata holding single write lock.
2019-06-12 12:36:51 +02:00
Ondrej Kozina
bbdf9b2745
Read and compare metadata sequence id after taking write lock.
2019-06-12 12:36:46 +02:00
Ondrej Kozina
96a87170f7
Return usage count from device locking functions.
2019-06-12 11:51:08 +02:00
Ondrej Kozina
9c3a020ecf
Remove useless debug message from keyslot dump.
2019-05-27 16:23:56 +02:00
Ondrej Kozina
a7f80a2770
Add resilient LUKS2 reencryption library code.
2019-05-02 16:44:23 +02:00
Ondrej Kozina
86b2736480
Drop unused type parameter from LUKS2_keyslot_find_empty()
2019-04-23 10:41:56 +02:00
Ondrej Kozina
8f8ad83861
Validate metadata before writing binary keyslot area.
2019-03-01 20:29:49 +01:00
Milan Broz
319fd19b5e
Add implementation of crypt_keyslot_pbkdf().
...
This function allows to get PBKDF parameters per-keyslot.
2019-02-07 12:55:12 +01:00
Milan Broz
a6f5ce8c7b
Update copyright year.
...
And unify name copyright format.
2019-01-25 09:45:57 +01:00
Milan Broz
307a7ad077
Add keyslot encryption params.
...
This patch makes available LUKS2 per-keyslot encryption settings to user.
In LUKS2, keyslot can use different encryption than data.
We can use new crypt_keyslot_get_encryption and crypt_keyslot_set_encryption
API calls to set/get this encryption.
For cryptsetup new --keyslot-cipher and --keyslot-key-size options are added.
The default keyslot encryption algorithm (if cannot be derived from data encryption)
is now available as configure options (default is aes-xts-plain64 with 512-bits key).
NOTE: default was increased from 256-bits.
2019-01-07 13:07:46 +01:00
Milan Broz
0039834bb9
Rename function to describe precisely keys size it obtains.
...
This should avoid confusion between key size for the stored key and
key size that actually encrypts the keyslot.
2019-01-07 13:07:45 +01:00
Ondrej Kozina
de0b69691d
Add json_object_object_del_by_uint helper routine.
2019-01-01 21:42:46 +01:00
Ondrej Kozina
82aae20e9c
Add json_object_object_add_by_uint helper routine.
2019-01-01 21:42:46 +01:00
Milan Broz
991ab5de64
Fix more context propagation paths.
2018-11-27 16:09:45 +01:00
Milan Broz
7812214db6
Add context to device handling functions.
2018-11-27 14:19:57 +01:00
Milan Broz
a5a8467993
Use context in debug log messages.
...
To use per-context logging even for debug messages
we need to use the same macro as for error logging.
2018-11-27 13:37:20 +01:00
Milan Broz
1167e6b86f
Add support for Adiantum cipher mode.
2018-11-23 21:03:02 +01:00
Milan Broz
da6dbbd433
Fallback to default keyslot algorithm if backend does not know the cipher.
2018-11-22 15:49:56 +01:00
Ondrej Kozina
39905bd8fd
Return proper err when looking for segment digest.
...
Otherwise keyslot in luksDump are wrongly marked as device
keyslots even though default segment is not crypt.
2018-08-01 13:57:06 +02:00
Rafael Fontenelle
f35ec9771e
Fix typos
...
A bunch of typos reported by codespell, most of them comments in the code
2018-07-21 07:24:25 -03:00
Milan Broz
b00a87d8fa
Remove trailing EOL for verbose and error messages.
2018-04-26 10:38:17 +02:00
Milan Broz
f049f719f8
Fix keyslot validation.
2018-04-24 10:51:47 +02:00
Ondrej Kozina
f6be62ac5f
Add repair for known glitches in LUKS2 json.
2018-04-21 20:27:05 +02:00
Ondrej Kozina
6f83822b6e
Validate all keyslot implementations after load and before write.
2018-04-21 19:42:55 +02:00
Ondrej Kozina
9b635a3e90
Cleanup LUKS2 keyslot specific validation.
...
- do not run general LUKS2 format validation from inside the specific one
- validate luks2 json object only
- temporarily move digests count restrictions, going to be fixed in next
commit
2018-04-21 19:37:05 +02:00
Ondrej Kozina
45356f5e12
Split keyslot update in separate functions.
...
This patch fixes several problems:
- pbkdf benchmark should be run with keyslot encryption key length
instead of volume key length
- run LUKS2 keyslot validation on final keyslot json object instead of
temporary stub created in keyslot_alloc
- replace whole json kdf object during keyslot update. We left behind
old parameters from old pbkdf during transition to different type
2018-04-21 10:53:54 +02:00
Milan Broz
aa1551c6e8
Introduce CRYPT_SLOT_UNBOUND keyslot status for LUKS2.
...
A keyslot not bound to any segment can store any key for any purpose.
To easily check slot status, new enum value is introduced.
This status is valid only for LUKS2, so the functions are backward compatible
with LUKS1.
2018-04-19 22:28:13 +02:00
Milan Broz
9a72ec366d
Move generic cipher backend utilities to separate file.
...
And add wrapped key check.
2018-04-15 15:31:10 +02:00
Ondrej Kozina
255c8e8ff4
Avoid pbkdf benchmark on LUKS2 header down conversion.
...
Also clarify use of placeholder keyslots in down conversion.
2018-04-12 15:49:35 +02:00
Milan Broz
187170ec51
Check cipher before writing metadata (LUKS2).
...
Some ciphers and key sizes created on-disk metadata that cannot be used.
Use the same test for length-preserving cipher as LUKS1.
Also check if key for integrity algorithm is not too small.
Fixes #373.
2018-04-06 12:57:58 +02:00
Milan Broz
ed2968e3e8
Add paes to ciphers that cannot be used for LUKS2 keyslot encryption.
...
And use AES-XTS for keyslot in this case.
2018-03-31 17:42:30 +02:00
Ondrej Kozina
1e2ad19d68
Validate LUKS2 keyslot json before opening it.
2018-03-22 14:06:31 +01:00
Milan Broz
180d96234e
Fix another compiler warnings with extra flags.
2018-01-20 21:17:10 +01:00
Milan Broz
1fe014dbae
Update copyright year.
2018-01-20 17:55:21 +01:00