eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-05 16:00:05 +01:00
Code Issues Packages Projects Releases Wiki Activity
4,643 Commits 14 Branches 78 Tags
f1ba606c28a4bd0beb196a48af8e9b62a57ce23e
Commit Graph

92 Commits

Author SHA1 Message Date
Milan Broz
b7e3ea592b Avoid warning about unused parameter. 
This fixes compilation warning:
   error: unused parameter 'version' [-Werror=unused-parameter]
 2025-08-01 16:48:08 +02:00
Ondrej Kozina
000f03ad31 Switch to crypt_jobj_to_string_on_disk(). 
Use single function when we require json format
string representation for on disk format.
 2025-03-07 15:44:41 +01:00
Milan Broz
a45fb0a90d Do not include dlfcn.h if external token support is disabled. 
Fixes: #925
 2025-01-27 12:33:52 +00:00
Milan Broz
1e441bf75c Use #if for rest of defines. 2025-01-27 11:05:08 +00:00
Milan Broz
8364178b38 Update copyright year. 2025-01-15 23:09:36 +01:00
Ondrej Kozina
3c5aa4ef59 Remove unused code. 
Due to complete shift to device activation via keyslot context,
remove all remaining internal code activating device by passphrase
or by token.
 2024-11-08 15:46:28 +01:00
Milan Broz
661f57def4 Use SPDX license identifiers. 
This patch switches code to SPDX one-line license identifiers according to
https://spdx.dev/learn/handling-license-info/
and replacing long license text headers.

I used C++ format on the first line in style
// SPDX-License-Identifier: <id>
except exported libcryptsetup.h, when only C comments are used.

The only additional changes are:
- switch backend utf8.c from LGPL2+ to LGPL2.1+ (as in systemd)
- add some additional formatting lines.
 2024-06-03 16:38:15 +00:00
Milan Broz
40e5c7d095 Use crypt_safe_memcpy for operations with key. 2024-05-03 11:52:09 +00:00
Milan Broz
bd0ef58b3a Update copyright notice to include 2024 year. 2024-01-23 16:10:44 +01:00
Milan Broz
e1ef5214e7 Fix some typos found by lintian. 2023-11-29 09:49:55 +01:00
Ondrej Kozina
0328d61f29 Add crypt_token_set_external_path API. 
It can be used to override system library where
libcryptsetup looks for external token handlers (plugins).

The parameter is required to be absolute path and it is set
per process context.

Fixes: #846.
 2023-11-16 17:49:06 +01:00
Milan Broz
ffd630973b Fix unused parameter in LUKS2 external tokens handlers. 2023-08-28 12:42:37 +02:00
Ondrej Kozina
28e1c95c22 Allow priority ignore keyslots with specific token or keyslot specified. 2023-08-15 17:42:31 +02:00
Ondrej Kozina
6751b43424 Allow keyslot in internal LUKS2 token activation code. 
Extends code so that later API may support LUKS2 device
activation via token with specified keyslot.

Also allows testing if specific token is able to unlock specific
keyslot.
 2023-08-15 17:42:31 +02:00
Luca Boccassi
b9cc0129c9 libcryptsetup: add OPAL type and params 
Signed-off-by: Luca Boccassi <bluca@debian.org>
Co-authored-by: Ondrej Kozina <okozina@redhat.com>
 2023-07-17 13:14:52 +02:00
Milan Broz
72f799b393 Update Copyright year. 2023-02-09 17:11:18 +01:00
Ondrej Kozina
cdfa213ad0 Allocate internal buffer in LUKS2 keyring token with crypt_safe_alloc. 
With changes in db65a5ceac and subsequent
drop of library memlock_all we should lock keyring key material buffer
in memory system memory as well.
 2022-11-24 09:03:29 +00:00
Ondrej Kozina
81c56a8395 Move assert include in internal header files. 2022-11-16 16:54:33 +01:00
Milan Broz
f9e778a2cd luks2: fix warning undefined shift 
Explicitly set uint32_t for shift, found by clang undefined
sanitizer.
Undefine shift cannot happen in reality, though.
 2022-11-07 17:30:14 +00:00
Milan Broz
82b56300cd Wrap some very long lines. 2022-10-01 22:35:57 +02:00
Ondrej Kozina
b867f0b578 Add new API for adding new LUKS keyslots. 
The crypt_keyslot_add_by_keyslot_context & associated
helper functions allow more options when adding new
keyslot. For example there was no simple way of
adding new LUKS2 keyslot when the only active keyslot
could be unlocked by passphrase (KEK) provided by LUKS2 token
(plugin). Now all available options for unlocking keyslots
may also be used when creating new keyslot and it combine
as called needs.

The available methods (keyslot contexts) are:
passphrase, keyfile, key (binary representation) and LUSK2 token.
 2022-09-21 17:36:28 +02:00
Ondrej Kozina
0397cac878 Abort assigning tokens with invalid parameters earlier. 2022-09-16 13:30:39 +02:00
Guilhem Moulin
3106b4e2c1 More typo and spelling fixes. 
Reported by `git ls-tree -rz --name-only | grep -Evz -e '\.(pdf|xz)$' -e
^po/ | xargs -r0 spellintian --`.  All changes are
documentation-related (comments, manuals, etc.) except for s/fial/fail/
in tests/unit-wipe-test.

The remaining entry are AFAICT all false positives, mostly annotations
such as `@param name name of xyz` or `struct foo foo`:

	$ git ls-tree -rz HEAD --name-only | grep -Evz -e '\.(pdf|xz)$' -e ^po/ | xargs -r0 spellintian --
	COPYING.LGPL: "GNU Library Public License" -> "GNU Library General Public License"
	autogen.sh: echo echo (duplicate word) -> echo
	configure.ac: fi fi (duplicate word) -> fi
	docs/v1.7.2-ReleaseNotes: option option (duplicate word) -> option
	lib/crypto_backend/cipher_check.c: block block (duplicate word) -> block
	lib/libcryptsetup.h: name name (duplicate word) -> name
	lib/libcryptsetup.h: type type (duplicate word) -> type
	lib/libcryptsetup.h: passphrase passphrase (duplicate word) -> passphrase
	lib/libcryptsetup.h: flags flags (duplicate word) -> flags
	lib/libcryptsetup.h: password password (duplicate word) -> password
	lib/libcryptsetup.h: salt salt (duplicate word) -> salt
	lib/libcryptsetup.h: keyslot keyslot (duplicate word) -> keyslot
	lib/libcryptsetup.h: priority priority (duplicate word) -> priority
	lib/libcryptsetup.h: offset offset (duplicate word) -> offset
	lib/libcryptsetup.h: length length (duplicate word) -> length
	lib/libcryptsetup.h: keyfile keyfile (duplicate word) -> keyfile
	lib/libcryptsetup.h: token token (duplicate word) -> token
	lib/libcryptsetup.h: cipher cipher (duplicate word) -> cipher
	lib/libcryptsetup.h: size size (duplicate word) -> size
	lib/luks2/luks2_json_metadata.c: long long (duplicate word) -> long
	lib/luks2/luks2_keyslot_luks2.c: AFEKSize AFEKSize (duplicate word) -> AFEKSize
	lib/luks2/luks2_reencrypt.c: alignment alignment (duplicate word) -> alignment
	lib/luks2/luks2_reencrypt_digest.c: ptr ptr (duplicate word) -> ptr
	lib/luks2/luks2_reencrypt_digest.c: buffer buffer (duplicate word) -> buffer
	lib/luks2/luks2_segment.c: min min (duplicate word) -> min
	lib/verity/verity_fec.c: blocks blocks (duplicate word) -> blocks
	man/cryptsetup.8.adoc: LUKS LUKS (duplicate word) -> LUKS
	scripts/cryptsetup.conf.in: root root (duplicate word) -> root
	src/Makemodule.am: endif endif (duplicate word) -> endif
	src/cryptsetup.c: long long (duplicate word) -> long
	src/utils_args.c: long long (duplicate word) -> long
	tests/compat-test2: fi fi (duplicate word) -> fi
	tests/device-test: echo echo (duplicate word) -> echo
	tests/differ.c: long long (duplicate word) -> long
	tests/loopaes-test: done done (duplicate word) -> done
	tests/luks2-integrity-test: aead aead (duplicate word) -> aead
	tests/luks2-reencryption-test: fi fi (duplicate word) -> fi
	tests/mode-test: done done (duplicate word) -> done
	tests/password-hash-test: cat cat (duplicate word) -> cat
	tests/password-hash-test: fi fi (duplicate word) -> fi
	tests/unit-wipe.c: long long (duplicate word) -> long
	tests/verity-compat-test: done done (duplicate word) -> done
	tests/verity-compat-test: fi fi (duplicate word) -> fi
	tokens/ssh/cryptsetup-ssh.c: argp argp (duplicate word) -> argp
	tokens/ssh/cryptsetup-ssh.c: arguments arguments (duplicate word) -> arguments

(Treated COPYING.LGPL as a false positive too since it's the exact text
from https://www.gnu.org/licenses/old-licenses/lgpl-2.1.html .)
 2022-07-15 16:35:02 +02:00
Ondrej Kozina
416f1343fe Split LUKS2_activate_by_token. 2022-02-04 13:32:45 +01:00
Milan Broz
ab975bc1c4 Update copyright year. 
And unify format in several places.
 2022-01-29 10:43:02 +01:00
Ondrej Kozina
230b80404d Remove parameters annotated by __attribute__((unused)). 
Attribute unused is useless and makes code imcomprehensible
when decorates internal functions not exposed via API.

Let's cleanup internal funtion prototypes whenever possible.
 2022-01-28 17:27:00 +00:00
Hector Martin
a1b577c085 Do not attempt to unload external tokens if USE_EXTERNAL_TOKENS is disabled. 
This allows building a static binary as long as --disable-external-tokens is used
 2021-09-17 05:44:18 +00:00
Milan Broz
5f2c751dd8 Use dlsym() for token load if dlvsym() is not available. 
To be discussed. Anyway, we need to support distros with musl...
 2021-08-25 13:39:07 +02:00
Guilhem Moulin
6a14f52e5d Fix minor spelling errors. 
(Found by Lintian.)
 2021-07-30 02:56:38 +02:00
Ondrej Kozina
796b901912 Do not retry tokens that already returned -ENOANO. 
In token based activation loop (token_id == CRYPT_ANY_TOKEN)
we do not want retry tokens that already returned -ENOANO (wrong pin)
once.
 2021-07-26 14:10:08 +02:00
Ondrej Kozina
c6ff9f8bd7 Respect keyslot priority with token based activation. 
crypt_activate_by_token functions did not respect LUKS2 keyslot
priorities. These calls were able to activate device via keyslot with
CRYPT_SLOT_PRIORITY_IGNORE even when token was set to
CRYPT_ANY_TOKEN. This commit changes the token based activation
so that keyslot with priority ignore is eligible for unlock only
when specific token is selected. Also when activating with token
set to CRYPT_ANY_TOKEN keyslots with higher priority take precedence
over keyslots with normal priority. Keyslot with priority ignore are
correctly ignored when token is CRYPT_ANY_TOKEN.
 2021-07-22 13:55:22 +02:00
Ondrej Kozina
4654e6f578 Add best effort try-loop for token based activation. 
The loop is run only when token id in any of crypt_activate_by_token*
calls is set to CRYPT_ANY_TOKEN.
 2021-07-22 13:55:19 +02:00
Ondrej Kozina
2cf38465c4 Change default error returned by token open. 
It has to be -ENOENT since -EPERM would wrongly
implied the token provided wrong keyslot passphrase.
 2021-07-22 13:47:40 +02:00
Ondrej Kozina
3428296186 Improve debug logs for external token handling. 2021-07-22 13:47:40 +02:00
Ondrej Kozina
6633fa626a Remove unused crypt_token_external_support. 
API can expose same information with crypt_token_external_path.

Also add print out of external token in cryptsetup --help action
(if enabled)
 2021-06-29 14:13:37 +00:00
Ondrej Kozina
aea841eeb0 Add crypt_token_external_path. 2021-06-26 22:08:45 +02:00
Ondrej Kozina
5b9e98f941 Change external token handlers (plugins) default location. 
Search for token handlers in %{libdir}/cryptsetup directory
by default. Distros may change default location via
--with-luks2-external-tokens-path parameter during configuration.
 2021-06-24 12:54:13 +02:00
Milan Broz
df5e54545e Add API and CLI option to disable token plugins. 
This could be useful for debugging external plugins
or ot intentionally disable loading of a token library.
 2021-06-13 23:22:44 +02:00
Milan Broz
4cdd826282 Check exit value for snprintf where it makes sense. 2021-05-18 22:07:47 +02:00
Ondrej Kozina
db44e9de22 Add api exposing external token handlers support. 2021-05-12 14:32:54 +02:00
Ondrej Kozina
c40be6cc7a Replace condition with assert for obvious coding mistake. 2021-04-15 21:43:31 +02:00
Ondrej Kozina
b047b8ae20 Improvements to error code handling during token based activation. 2021-04-15 21:43:31 +02:00
Ondrej Kozina
e9434dc9e3 Check tokens are eligible for unlocking segment keyslots. 
Defer token handler load and token unlock after check token
is assigned to keyslot containing proper data segment volume key.
 2021-04-15 21:43:30 +02:00
Ondrej Kozina
c6149c9cd8 Do not search/load token handler when not needed. 2021-04-15 21:41:09 +02:00
Ondrej Kozina
8f2b23cd94 Refactor LUKS2 token activation. 
Replace LUKS2_token_open_and_activate and
LUKS2_token_open_and_activavate_any with single function
instead.
 2021-04-15 21:41:06 +02:00
Ondrej Kozina
96d83455ca Add API for activating device by specific token type. 2021-03-19 15:26:35 +01:00
Ondrej Kozina
36805b3cfe Allow dash and underscore chars in external token names. 
Current alphabet for external token types is alphanumeric
characters including '-' and '_'. Empty strings are also
forbiden.
 2021-03-19 15:26:35 +01:00
Ondrej Kozina
5d0a11a21b Add pin size parameter in crypt_active_by_pin_token. 
Well, after all it really should have supported binary data
of arbitrary length.
 2021-03-18 18:06:13 +01:00
Milan Broz
2e4a3a9888 Remove unnecessary goto from token load. 2021-02-17 10:03:18 +01:00
Ondrej Kozina
bc7511762f Do not upload vk in keyring for cipher_null segment. 
It does not make sense to upload volume keys in
kernel keyring if segment cipher is cipher_null.
The real volume_key is thrown away and replaced
with empty key anyway.
 2021-02-16 18:08:35 +01:00