eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-20 15:20:07 +01:00
Code Issues Packages Projects Releases Wiki Activity
2,267 Commits 13 Branches 81 Tags
a1111c7aa0ff267427bba440cc38bbf765d4cb1c
Commit Graph

2267 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Milan Broz
f049f719f8 Fix keyslot validation. 2018-04-24 10:51:47 +02:00
Milan Broz
30754473fc Add API to get integrity current failure count for dm-integrity. 2018-04-24 08:51:32 +02:00
Ondrej Kozina
7c70e6ce74 Add repair test for keyslot with kdf leftover params. 2018-04-21 20:29:17 +02:00
Ondrej Kozina
a702b7ccc5 Add new validation test for keyslot digest bond 2018-04-21 20:29:12 +02:00
Ondrej Kozina
f6be62ac5f Add repair for known glitches in LUKS2 json. 2018-04-21 20:27:05 +02:00
Ondrej Kozina
dddd30bef8 Add paranoid check for accidental volume key length change. 2018-04-21 20:18:00 +02:00
Ondrej Kozina
a054206d25 Suppress useless slash escaping in json lib 2018-04-21 20:14:28 +02:00
Ondrej Kozina
5b6f06b2ac Hide luks2 specific keyslot allocation from internal api. 2018-04-21 19:43:11 +02:00
Ondrej Kozina
6f83822b6e Validate all keyslot implementations after load and before write. 2018-04-21 19:42:55 +02:00
Ondrej Kozina
9b635a3e90 Cleanup LUKS2 keyslot specific validation. 
- do not run general LUKS2 format validation from inside the specific one
- validate luks2 json object only
- temporary move digests count restrictions, going to be fixed in next
  commit
 2018-04-21 19:37:05 +02:00
Ondrej Kozina
172af5465d Harden LUKS2 keyslot kdf section validation. 2018-04-21 19:36:31 +02:00
Ondrej Kozina
22f10dd8d2 Remove custom made 'contains' helper from keyslot validation. 2018-04-21 10:57:24 +02:00
Ondrej Kozina
790fdc0aa6 Add crypt_volume_key_get tests for unbound key. 2018-04-21 10:54:12 +02:00
Ondrej Kozina
45356f5e12 Split keyslot update in separate functions. 
This patch fixes several problems:

- pbkdf benchmark should be run with keyslot encryption key length
  instead volume key length
- run LUKS2 keyslot validation on final keyslot json object instead
  temporary stub created in keyslot_alloc
- replace whole json kdf object during keyslot update. We left behind
  old parameters from old pbkdf during transition to differnt type
 2018-04-21 10:53:54 +02:00
Ondrej Kozina
08ee50403d Move reading keyslot pbkdf params in helper. 2018-04-20 21:08:03 +02:00
Milan Broz
aa1551c6e8 Introduce CRYPT_SLOT_UNBOUND keyslot status for LUKS2. 
A keyslot not bound to any segment can store any key for any purpose.

To easily check slot status, new enum value is introduced.
This status is valid only for LUKS2, so the functions are backward compatible
with LUKS1.
 2018-04-19 22:28:13 +02:00
Ondrej Kozina
879403a172 Add tests for cryptsetup luksAddKey --unbound. 2018-04-19 18:29:47 +02:00
Milan Broz
6ddf765d8d Remove example covered by cryptsetup already. 2018-04-19 18:29:26 +02:00
Ondrej Kozina
38d83c27b4 Add --unbound keyslot option to cryptsetup. 
An unbound keyslot is slot not assigned to a segment;
such a keyslot cannot be used to activate LUKS device, but
can be used for an arbitrary key store.

This patch adds --unboud option for luksAddKey cryptsetup command.
 2018-04-19 18:25:35 +02:00
Ondrej Kozina
103fa8fa2c Remove redundant check for key file. 
Semantically same check is in tools_get_key routine.
 2018-04-19 18:18:56 +02:00
Ondrej Kozina
53dcee6176 Test dump of volume key in a file. 2018-04-19 18:17:45 +02:00
Ondrej Kozina
0c6129c54e Allow volume key store in a file with cryptsetup. 
The --dump-master-key together with --master-key-file allows cryptsetup
to store the volume key to a file instead of standard output.
 2018-04-19 18:08:37 +02:00
Ondrej Kozina
1f01754ea6 Update FIPS restrictions on crypt_volume_key_get 
Allow crypt_volume_key_get for wrapped volume keys.
Allow crypt_volume_key_get for unbound LUKS2 keyslot keys.
 2018-04-19 18:01:31 +02:00
Milan Broz
f8a7ab1752 Add crypt_get_pbkdf_default() function to get per-type PBKDF default. 2018-04-16 15:26:43 +02:00
Ondrej Kozina
09842ce46f Update docs for crypt_keyslot_add_by_key. 2018-04-15 15:46:16 +02:00
Ondrej Kozina
0b849985b2 Do not wipe keys for wrapped key enabled ciphers. 
We can't wipe (overwrite with random noise) wrapped key in
kernel. Such keys are usually structured and not only random
bytes.

Also it doesn't make sense to wipe these keys. They are supposed
to be protected (encrypted) by keys sealed in hardware.

TODO: tests: 1) with header, 2) without header (dm-crypt only),
      3) arch with working paes cipher (at least).
 2018-04-15 15:44:17 +02:00
Ondrej Kozina
34b8a48252 Add stand-alone device suspend. 2018-04-15 15:41:42 +02:00
Ondrej Kozina
6f6e1efbc8 Abort conversion when wrapped key cipher is used. 2018-04-15 15:40:48 +02:00
Milan Broz
9a72ec366d Move generic ciper backend utilities to separate file. 
And add wrapped key check.
 2018-04-15 15:31:10 +02:00
Ondrej Kozina
d97302f351 Extend suspend tests for missing header case. 2018-04-15 13:12:25 +02:00
Ondrej Kozina
4eb75f3c80 Add debug message for failed external token validation. 2018-04-15 13:10:32 +02:00
Ondrej Kozina
e5f72a0d4f Remove duplicate CRYPT_ANY_TOKEN define. 2018-04-15 13:10:01 +02:00
Ondrej Kozina
b11b11f9b0 Add test for LUKS2 conversion with tokens. 2018-04-15 13:08:57 +02:00
Ondrej Kozina
70077db07d Abort conversion when LUKS2 header contains tokens. 
Tokens may contain import 3rd party data. Prompt users
to remove such tokens explicitly.
 2018-04-15 13:08:44 +02:00
Ondrej Kozina
eed682c529 Add fixme in luks2->luks1 convert code. 2018-04-15 13:05:22 +02:00
Ondrej Kozina
fbf2d64f34 Allow crypt_volume_key_get for unbound keyslots. 2018-04-15 13:05:08 +02:00
Ondrej Kozina
48bf08922c Make all LUKS2 key size helpers return negative value on error. 2018-04-15 13:03:51 +02:00
Ondrej Kozina
3616ee50c0 Fix off by one bug in LUKS2 keyslot max id allocation. 
This is almost impossible to hit bug. The max keyslot id is
checked in higher layer.
 2018-04-12 15:50:24 +02:00
Ondrej Kozina
255c8e8ff4 Avoid pbkdf benchmark on LUKS2 header down conversion. 
Also clarify use of placeholder keyslots in down conversion.
 2018-04-12 15:49:35 +02:00
Ondrej Kozina
0891e84bf8 Add reencrypt tests for --master-key-file option. 2018-04-12 15:45:40 +02:00
Ondrej Kozina
a63db4ab24 Add --master-key-file parameter to cryptsetup-reencrypt. 2018-04-12 15:45:30 +02:00
Ondrej Kozina
169d45fbdb Move reading master key in command line utilities. 
Move and rename _read_mk->tools_read_mk in utils_password.c
 2018-04-12 15:44:19 +02:00
Ondrej Kozina
965e0237a3 Add basic test for CRYPT_VOLUME_KEY_SET flag. 
Also test for bug in keyslot to digest assignment if target
digest id is not 0.
 2018-04-12 15:42:32 +02:00
Ondrej Kozina
4caef0dec7 Add new volume key flag to crypt_keyslot_add_by_key. 
The new flag may be used to force update device volume key.
 2018-04-12 15:35:34 +02:00
Ondrej Kozina
622763b240 Fix memory leak on error path in cryptsetup-reencrypt. 2018-04-11 16:12:15 +02:00
Ondrej Kozina
35d29b22c0 Move CRYPT_ANY_DIGEST definition. 2018-04-11 15:49:29 +02:00
Ondrej Kozina
fee1d659cf Fix wrong digest assignment to new LUKS2 (volume key) keyslot. 
All new LUKS2 keyslots added by passphrase or by volume key
were assigned to digest 0 despite the fact segment was assigned
to different digest.
 2018-04-11 15:49:15 +02:00
Ondrej Kozina
869767a5cf Move general i/o code to stand-alone utility file. 
Get rid of internal library stuff linked to the utilities.
Also rename 'count' param to 'length' clarifying handling
of the parameter internally.
 2018-04-11 15:33:43 +02:00
Milan Broz
23b01621ff Print better debug message for open with write mode. 2018-04-10 15:33:30 +02:00
Milan Broz
f21ebaf839 Check LUKS2 conversion for luksmeta header. 
We will reject upconversion if there is a luksmeta magic signature.
 2018-04-10 14:54:35 +02:00