Milan Broz
c1302555b7
Provide pkgconfig Require.private.
...
While we do not completely provide static build on udev
systems, having these modules in pkgconfig can be useful otherwise.
2022-08-23 12:06:07 +00:00
Ondrej Kozina
01c032df04
Do not reload LUKS2 metadata when not necessary.
...
Following API calls triggered LUKS2 metadata reload
from storage in case of failure:
crypt_convert
crypt_keyslot_add_by_key
crypt_keyslot_add_by_keyfile_device_offset
crypt_keyslot_add_by_passphrase
crypt_keyslot_change_by_passphrase
crypt_reencrypt_init_by_keyring
crypt_reencrypt_init_by_passphrase
This patch replaces LUKS2 metadata reload with
backup LUKS2 metadata copy kept in memory that is updated on
each successful metadata write and rolled back to it whenever
needed in any of those calls listed above.
2022-08-19 14:46:42 +02:00
Milan Broz
88d9524e6c
Mark crypt_memory_lock() API call deprecated.
...
And remove its implementation.
2022-08-16 19:56:32 +02:00
Milan Broz
4b47091b85
Remove call to explicit memlockall from cryptsetup.
...
Memory with keys is now locked per range.
2022-08-16 19:56:28 +02:00
Milan Broz
b9bf657449
Set process priority only for PBKDF benchmark.
...
Do not increase priority for the whole run, only
increase it when we calculate PBKDF parameters.
2022-08-16 19:56:24 +02:00
Milan Broz
21d87a246e
Do not use safe_malloc for LUKS header backup.
...
The content of LUKS header is not a key material, no need
to lock memory for possibly big header and big memory area locks.
Just ensure we wipe buffer before release of memory.
2022-08-16 19:56:20 +02:00
Milan Broz
db65a5ceac
Lock memory in crypt_safe alloc functions.
...
This patch locks all memory ranges in safe allocations.
While crypto backend can have some secure memory calls,
it is usually limited by initial config.
For our use it is enough to keep keys in memory and prevent
swapping it out.
If the lock fails (because of limits) we quietly
stay with plain malloc.
2022-08-16 19:56:00 +02:00
daniel.zatovic
132027bafa
Force probe in tests instead of lsblk which can use udev cache.
2022-08-11 21:26:03 +02:00
daniel.zatovic
f6fd73aea5
Add FIPS checks before running tests in FIPS mode.
2022-08-10 11:37:25 +00:00
Ondrej Kozina
5b001b7962
Delegate FIPS mode detection to configured crypto backend.
...
System FIPS mode check is no longer dependent on /etc/system-fips
file. The change should be compatible with older distributions since
we now depend on crypto backend internal routine.
This commit affects only FIPS enabled systems (with FIPS enabled
builds). In case this causes any regression in current distributions
feel free to drop the patch.
For reference see https://bugzilla.redhat.com/show_bug.cgi?id=2080516
2022-08-10 10:53:39 +02:00
daniel.zatovic
429afe8fc3
Add valgrind support to more tests.
2022-08-10 07:45:13 +00:00
Milan Broz
abfb5e374f
Remove leftover debug option in test.
2022-08-09 22:54:43 +02:00
daniel.zatovic
f8c79f9a95
Fix valgrind summary leak detection.
...
Currently, only 1-9 leaks are detected. More than 10 leaks are evaluated
as no leak.
2022-08-05 16:38:38 +02:00
Milan Broz
190e4fc033
Always update automake library files if autogen.sh is run.
...
Fixes: #761
2022-08-01 08:47:34 +00:00
Ondrej Kozina
093adfc5f9
Fix user defined moved segment size in LUKS2 decryption.
...
--hotzone-size argument was ignored in cases where actual data size
was less than original LUKS2 data offset.
2022-08-01 07:05:06 +00:00
Milan Broz
a009614191
Set devel version.
2022-07-30 09:29:00 +02:00
Milan Broz
75111d382b
Version 2.5.0.
v2.5.0
2022-07-28 17:32:33 +02:00
Yuri Kozlov
1cc6c82f21
po: update ru.po (from translationproject.org)
2022-07-28 17:32:04 +02:00
Frédéric Marchal
2c555bd4a0
po: update fr.po (from translationproject.org)
2022-07-28 17:32:04 +02:00
Roland Illig
3f3f5a6aab
po: update de.po (from translationproject.org)
2022-07-28 17:32:04 +02:00
Ondrej Kozina
c6ed1becd7
Fix bogus conditions in tests.
...
Do not test for dm-crypt versions not supported
by upstream kernels.
2022-07-28 17:18:57 +02:00
Milan Broz
766ac108ec
Fix option descriptions and lists mentioned in man pages.
2022-07-28 10:51:22 +00:00
Milan Broz
94e5d227ce
Fix warning messages if some kernel option is not supported.
...
This was broken by commit
"Check if DM create device failed in an early phase."
10b1d6493e
Also we should set EINVAL if we detect unsupported option.
2022-07-28 10:50:55 +00:00
Ondrej Kozina
f96e19147c
Add prompt for LUKS2 decryption with header export.
2022-07-28 12:50:13 +02:00
Ondrej Kozina
05dbf04d82
Add early warning for reencryption of image files.
2022-07-28 12:47:10 +02:00
Ondrej Kozina
b9b7c3a9bd
Add detached header warning in reencrypt man page.
2022-07-28 10:41:20 +00:00
Ondrej Kozina
17e6d2053a
Add mangle tests for LUKS2 decryption with datashift.
2022-07-28 07:57:36 +00:00
Ondrej Kozina
912109ae66
Improve reencryption parameters verification in cli.
...
Try to catch as many invalid parameters as possible
before entering library call.
2022-07-28 07:57:36 +00:00
Ondrej Kozina
25b877a403
Fix bug in reencryption parameters verification.
2022-07-28 07:57:36 +00:00
Milan Broz
8270b72bfc
Use bool instead of int in LUKS1 reencryption context.
2022-07-27 12:01:11 +02:00
Milan Broz
9c0cdcc2f9
Do not use huge LUKS1 reencryption context on heap.
...
This will reduce cryptsetup tool size (~20kB at least).
2022-07-27 11:57:05 +02:00
Milan Broz
1e2cb2d419
Avoid using huge dummy context in LUKS1 reencryption check.
...
This struct is not needed at all, just use NULL.
2022-07-27 11:47:06 +02:00
Guilhem Moulin
3e178caeaf
Document more supported options in cryptsetup-luksResume(8).
...
`cryptsetup luksResume --disable-external-tokens --keyfile-offset 123`
does work but these options weren't documented.
2022-07-21 02:29:05 +02:00
Guilhem Moulin
803957cd3e
Add support for --key-slot in luksResume action.
2022-07-20 20:00:09 +02:00
Milan Broz
bf4bfeac8a
Rename some tests to simplify localtest parsing.
2022-07-18 15:09:28 +02:00
Milan Broz
090dca635a
Add ssh-test-plugin to localtest if RUN_SSH_PLUGIN_TEST is set.
2022-07-18 11:16:23 +02:00
Milan Broz
0369ffdcc1
Rename ssh plugin test to ssh-test-plugin.
...
So we can filter it out in local tests
(*-test means generic tests, *-test-plugin specific plugin tests).
2022-07-18 09:11:23 +02:00
Milan Broz
648a85ed3a
Unify use of tabulators in tests.
2022-07-16 19:14:31 +00:00
Milan Broz
8f3884e0d7
Change default target for Makefile.localtest.
2022-07-16 19:14:31 +00:00
Guilhem Moulin
289d5e5891
Add unit-utils-crypt-test to Makefile.localtest's list of tests.
...
This requires (re-)building the executable with -DNO_CRYPTSETUP_PATH.
Only in that case do we allow the test to run under non-empty
$CRYPTSETUP_PATH.
2022-07-16 19:14:31 +00:00
Guilhem Moulin
b37d04975d
Add compat-test-args to Makefile.localtest's list of tests.
2022-07-16 19:14:31 +00:00
Guilhem Moulin
6578dac2f9
Add blockwise-compat to Makefile.localtest's list of tests.
...
This requires (re-)building `unit-utils-io` with -DNO_CRYPTSETUP_PATH.
Only in that case do we allow the test to run under non-empty
$CRYPTSETUP_PATH.
2022-07-16 19:14:31 +00:00
Guilhem Moulin
dc5f284e42
blockwise-compat: Wait a bit so scsi_debug has a chance to fully initialize.
...
Similar to a76c96d361. See also !386.
2022-07-16 19:14:31 +00:00
Guilhem Moulin
32149e4ee7
blockwise-compat: Make skip() exit with status 77.
...
This is mostly useful under TESTSUITE_NOSKIP=y.
2022-07-16 19:14:31 +00:00
Guilhem Moulin
0e4857ee81
unit-wipe-test: Make skip() exit with status 77.
...
This is mostly useful under TESTSUITE_NOSKIP=y.
2022-07-16 19:14:31 +00:00
Milan Broz
06dd06ea27
tests: allow unit-wipe-test to run with local tests.
2022-07-16 19:14:31 +00:00
Milan Broz
03eb8f860a
tests: check for differ existence in compat-test.
2022-07-16 19:14:31 +00:00
Guilhem Moulin
fbcef71c41
Pass $(LDFLAGS) when building fake_token_path.so.
...
The Debian tooling sets ‘LDFLAGS = -Wl,-z,relro -Wl,-z,now’ and
complains when anything is built without hardened compiler/linker flags.
Granted this is a non-issue here since fake_token_path.so isn't included
in any binary package, but muting the false positive is arguably no
better fix than honoring $(LDFLAGS) during the build.
2022-07-16 13:51:11 +02:00
Milan Broz
8315ada3b0
Fix wipe unit test if direct-io not available.
...
If test is run in tmpfs, direct-io is not supported.
Thanks Guilhem Moulin for reporting the issue.
2022-07-15 21:50:21 +02:00
Yuri Chornoivan
782dae9292
po: update uk.po (from translationproject.org)
2022-07-15 20:15:48 +02:00