daniel.zatovic
a2afe0396f
Split manual pages into per-action page and use AsciiDoc format
...
Use pre-generated man pages in make dist.
[Added fixes and updates from Ondrej Kozina and Milan Broz]
2022-07-13 21:08:02 +02:00
daniel.zatovic
fec2517386
CI: enable Asciidoctor
2022-07-13 16:03:35 +02:00
Ondrej Kozina
c413434715
Add error message for failed in-use auto-detect.
...
When reencrypting image files cryptsetup is unable to
detect reliably if image file is in use or not.
User must decide it explicitly. Add error message that
references --force-offline-reencrypt to solve the issue
in non interactive mode.
(It will be replaced with early detection before 2.5.0 final
release).
2022-07-13 10:56:17 +00:00
Milan Broz
aa126ac10a
Remove dracut plugin that is obsolete and will not work with current reencrypt code.
2022-07-12 17:58:48 +00:00
Ondrej Kozina
56d4e9924e
Add LUKS2 reencryption mangle tests.
2022-07-12 14:05:03 +02:00
Ondrej Kozina
a60fd0a81b
Do not fail LUKS2 validation by newer online-reencrypt requirement.
...
Do not invalidate LUKS2 format when future online-reencrypt
requirement flag is encountered (by older releases).
But it must stop device from being activated, reencrypted
or modified.
2022-07-12 14:05:03 +02:00
Ondrej Kozina
af68e8a1da
Check for multiple online reencrypt requirement flags.
...
Having multiple online-reencrypt requirement flag
candidates in config section should invalidate LUKS2
metadata.
2022-07-12 14:05:03 +02:00
Ondrej Kozina
13f6dfa61f
Add proper version data to reencryption verification digest.
...
LUKS2 decryption requires new online-reencrypt version
flag (v3).
The verification digest performs coding
for version suffix in "online-reencrypt-v" flag string
as follows:
'v1' : unused (no digest)
'v2' : 0x30 + 2 = 0x32 = '2'
'v3' : 0x30 + 3 = 0x33 = '3'
(...)
'v10': 0x30 + 10 = 0x3A = ':'
'v11': 0x30 + 11 = 0x3B = ';'
(...)
'v207': 0x30 + 207 = 0xFF
2022-07-12 14:03:25 +02:00
Ondrej Kozina
8493f6afd5
Change size of requirement version to 1 byte.
...
Mostly because the reencryption verification routine
currently expects only a single byte of version
data to create digest from.
2022-07-12 13:54:24 +02:00
Milan Broz
1a55b69a0f
Fix leak of dm target structure.
...
The dmd_source needs to be cleared with dm_targets_free().
2022-07-07 09:17:13 +00:00
Milan Broz
914f621251
Do not use uninitialized memory for cipher check.
...
We do not care about the buffer content, but valgrind does, just wipe
the buffer before test.
2022-07-07 09:17:13 +00:00
Milan Broz
5904516122
Skip reencryption test if required ciphers are not available in userspace.
...
This happens for some very old systems like CentOS6 or own compiled
crypto libraries.
2022-07-05 15:08:43 +02:00
Milan Broz
4507ced868
Report failure if userspace cannot use specified cipher.
...
Reencryption requires support both for kernel and userspace library.
If only kernel supports the cipher, the error was quiet.
2022-07-05 15:07:33 +02:00
Milan Broz
b4603f1e28
Fix valgrind test in compat-test.
2022-07-04 14:34:04 +02:00
Petr Pisar
1c21c24f7b
po: update cs.po (from translationproject.org)
2022-07-04 09:36:22 +02:00
Ondrej Kozina
0009d9532e
Extend LUKS2 decryption with datashift API tests.
2022-06-30 11:21:38 +02:00
Ondrej Kozina
47cb9b0ee2
Fix copy&paste mistake in exclusive open comment.
2022-06-27 16:01:50 +02:00
Ondrej Kozina
0ffd105cb8
Harden LUKS2 decryption with datashift parameters.
...
Abort early if detached header is passed in API
by any chance.
2022-06-27 16:01:50 +02:00
Ondrej Kozina
24d498e393
Add debug message in LUKS2 reencryption initialization.
2022-06-27 16:01:50 +02:00
Ondrej Kozina
3c8b3201d7
Improve crypt_reencrypt_status return values.
...
Empty context or any non-LUKS types now returns
CRYPT_REENCRYPT_INVALID value.
For LUKS1 devices return CRYPT_REENCRYPT_NONE
(since any LUKS1 device in legacy reencryption
does not have valid LUKS1 header/metadata).
2022-06-27 16:01:50 +02:00
Ondrej Kozina
f531b567e0
Test reencryption initialization error path.
...
Test cli behaves properly when there's not enough
space in keyslots area for new unbound keyslot or
reencryption keyslot.
Fixes: #688.
2022-06-27 16:01:43 +02:00
Jakub Bogusz
7c76881921
po: update pl.po (from translationproject.org)
2022-06-24 15:19:10 +02:00
Milan Broz
f642417ed7
Add check to LUKS1 convert for segments count.
2022-06-23 07:24:27 +02:00
Milan Broz
1c1df24258
Clean up convert code style.
...
Remove FIXMEs and comment style.
2022-06-23 07:10:22 +02:00
Milan Broz
b3e8e1a9d4
Log visible error if convert fails due to validation check
2022-06-23 07:08:42 +02:00
Milan Broz
d22b003640
Fix possible keyslot area size overflow during convert to LUKS2
...
If keyslots are not sorted according to binary area offset,
the calculation of area size is wrong and can overflow
(LUKS1 does not store area size, only offset).
Let's just use function that calculates size from volume key size.
Images where keyslot areas are not aligned to 4k offset
are not supported anyway.
Fixes: #753
2022-06-23 07:06:38 +02:00
Ondrej Kozina
a485f44b57
Fix decryption with datashift initialization.
...
It did not work with --active-name option for
active LUKS2 devices.
2022-06-21 15:27:43 +02:00
Ondrej Kozina
f182d73001
Speed up reencryption tests.
...
By not testing repeatedly that 'wipe' test utility actually
wipes the device. This test is supposed to test reencryption
code.
I have left untouched already existing first time checks
for each data digest.
2022-06-21 10:47:42 +02:00
Yuri Chornoivan
05fc7b172d
po: update uk.po (from translationproject.org)
2022-06-20 17:30:20 +02:00
Hiroshi Takekawa
66c5b52b42
po: update ja.po (from translationproject.org)
2022-06-20 17:30:20 +02:00
Frédéric Marchal
af3559a0f6
po: update fr.po (from translationproject.org)
2022-06-20 17:30:20 +02:00
Roland Illig
bcde337a42
po: update de.po (from translationproject.org)
2022-06-20 17:30:20 +02:00
Yuri Chornoivan
83103627b2
Fix minor typo.
...
Fixes: #752
2022-06-20 11:37:44 +00:00
Milan Broz
8f8703f1c3
Update cryptsetup.pot.
2022-06-17 19:58:31 +02:00
Milan Broz
857d17d210
Fix makefile to include wipe-test in dist tarball.
2022-06-17 19:57:31 +02:00
Milan Broz
62a3954c9d
Add a debug message after crypt_load in error path.
2022-06-17 19:30:35 +02:00
Milan Broz
c72aecf86d
Add comment to validation code.
2022-06-17 16:08:52 +02:00
Milan Broz
d9b66afe5e
Replace json_bool with stdbool.
...
This is some relict from old code, just use bool, we already
require it elsewhere.
2022-06-17 16:04:31 +02:00
Milan Broz
18ada2b7de
Check for interval overflow in LUKS2 validation code.
...
Invalid values that overflow in interval check were silently ignored.
Fix this by explicitly adding check for interval overflow in keyslots
and segment validation.
Fixes: #748
2022-06-17 16:03:32 +02:00
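Added example, not cryptsetup's own code: the class of bug the commit above describes, where an offset + length pair read from metadata wraps around uint64 and a bounds test then accepts it silently, next to a validator that rejects the wrap explicitly. The struct, function names, return codes and sample values are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical type for this example: a keyslot area or segment given as
 * byte offset and length, both taken from untrusted on-disk metadata. */
struct interval { uint64_t offset, length; };

/* Naive end: wraps modulo 2^64, so a huge length yields a small end. */
static uint64_t end_unchecked(const struct interval *iv)
{
	return iv->offset + iv->length;
}

/* Naive bounds test that a wrapped interval passes silently. */
static bool naive_in_bounds(const struct interval *iv, uint64_t limit)
{
	return end_unchecked(iv) <= limit;
}

/* 0 = valid, -1 = offset + length overflows, -2 = empty or past limit,
 * -3 = overlaps an earlier interval. */
static int validate_intervals(const struct interval *iv, size_t n, uint64_t limit)
{
	for (size_t i = 0; i < n; i++) {
		if (iv[i].length > UINT64_MAX - iv[i].offset)
			return -1;	/* explicit overflow check comes first */
		uint64_t end_i = iv[i].offset + iv[i].length;
		if (iv[i].length == 0 || end_i > limit)
			return -2;
		for (size_t j = 0; j < i; j++) {
			uint64_t end_j = iv[j].offset + iv[j].length; /* checked above */
			if (iv[i].offset < end_j && iv[j].offset < end_i)
				return -3;
		}
	}
	return 0;
}

int main(void)
{
	/* Constructed input: 0x8000 + 0xFFFFFFFFFFFF9000 wraps to 0x1000. */
	struct interval bad = { 0x8000, 0xFFFFFFFFFFFF9000ULL };
	printf("naive accepts: %d, checked result: %d\n",
	       naive_in_bounds(&bad, 1 << 24), validate_intervals(&bad, 1, 1 << 24));
	return 0;
}
```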
Milan Broz
279490b622
Add test for keyslot area overflow during validation.
2022-06-17 16:03:32 +02:00
Milan Broz
dfd96d8a39
Report uint64 overflows and conversion errors in log debug during LUKS2 validate.
2022-06-17 16:03:30 +02:00
Milan Broz
ba9e36ceae
Add empty string check to LUKS2 JSON validation.
...
Most of the LUKS2 fields cannot be empty,
add check for JSON validation for it to fail early.
Fixes: #746
2022-06-17 14:46:50 +02:00
Ondrej Kozina
f97af5dcfe
Add LUKS2 decryption with datashift tests.
2022-06-17 13:48:15 +02:00
Ondrej Kozina
b4e9bca354
Enable LUKS2 decryption datashift support in cli.
...
Fixes: #669.
2022-06-17 13:48:12 +02:00
Ondrej Kozina
c36f9899cf
Add support for LUKS2 decryption with datashift.
...
Adds support for LUKS2 decryption of devices with a
header put in the head of data device. During the initialization
header is exported to a file and first data segment
is moved to head of data device in place of original header.
The feature introduces several new resilience modes (combination
of existing modes datashift and "checksum" or "journal").
Where datashift resilience mode is applied for data moved towards
the first segment and first segment is decrypted in-place.
The mode is not backward compatible with prior LUKS2 reencryption
and therefore interrupted operation in progress can not be resumed
using older cryptsetup releases.
Fixes: #669.
2022-06-17 13:48:12 +02:00
Ondrej Kozina
f3a46b8e93
Check user provided correct passphrase before initializing decryption.
...
It would fail later anyway (due to wrong passphrase provided) but
it's better to stop sooner.
2022-06-17 13:48:12 +02:00
Ondrej Kozina
b84132c140
Wrap some long lines.
2022-06-17 13:48:12 +02:00
Ondrej Kozina
90ff707bff
Move load_luks2_by_name helper.
2022-06-17 13:48:12 +02:00
Ondrej Kozina
f00d897240
Wipe unused area after reencryption with datashift in forward direction.
2022-06-17 13:48:12 +02:00
Ondrej Kozina
daa2b60d62
Sync signature wipes in tools_wipe_all_signutares.
2022-06-17 13:48:12 +02:00