eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-08 01:10:03 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: eessppeelllloo:v1_6_8
Branches Tags
eessppeelllloo:main eessppeelllloo:ci-fuzzing eessppeelllloo:doxygen-fixes eessppeelllloo:master eessppeelllloo:tcrypt-argon2 eessppeelllloo:vm-test eessppeelllloo:coverity_scan eessppeelllloo:v2.8.x eessppeelllloo:v2.7.x eessppeelllloo:v2.3.x eessppeelllloo:v2.4.x eessppeelllloo:v2.2.x eessppeelllloo:v2_0_x eessppeelllloo:v1_7_x
eessppeelllloo:v2.8.1 eessppeelllloo:v2.8.1-rc0 eessppeelllloo:v2.8.0 eessppeelllloo:v2.8.0-rc1 eessppeelllloo:v2.8.0-rc0 eessppeelllloo:v2.7.5 eessppeelllloo:v2.7.4 eessppeelllloo:v2.7.3 eessppeelllloo:v2.7.2 eessppeelllloo:v2.7.1 eessppeelllloo:v2.7.0 eessppeelllloo:v2.7.0-rc1 eessppeelllloo:v2.7.0-rc0 eessppeelllloo:v2.6.1 eessppeelllloo:v2.6.0 eessppeelllloo:v2.6.0-rc0 eessppeelllloo:v2.5.0 eessppeelllloo:v2.5.0-rc1 eessppeelllloo:v2.3.7 eessppeelllloo:v2.4.3 eessppeelllloo:v2.4.2 eessppeelllloo:v2.4.1 eessppeelllloo:v2.4.0 eessppeelllloo:v2.4.0-rc1 eessppeelllloo:v2.4.0-rc0 eessppeelllloo:v2.3.6 eessppeelllloo:v2.3.5 eessppeelllloo:v2.3.5-rc0 eessppeelllloo:v2.3.4 eessppeelllloo:v2.3.3 eessppeelllloo:v2.3.2 eessppeelllloo:v2.3.1 eessppeelllloo:v2.3.0 eessppeelllloo:v2.3.0-rc0 eessppeelllloo:v2.2.2 eessppeelllloo:v2.2.1 eessppeelllloo:v2.2.0 eessppeelllloo:v2.2.0-rc1 eessppeelllloo:v2.2.0-rc0 eessppeelllloo:v2.1.0 eessppeelllloo:v2.0.6 eessppeelllloo:v2.0.5 eessppeelllloo:v2.0.4 eessppeelllloo:v2.0.3 eessppeelllloo:v2.0.2 eessppeelllloo:v2.0.1 eessppeelllloo:v2.0.0 eessppeelllloo:v2.0.0-rc1 eessppeelllloo:v2.0.0-rc0 eessppeelllloo:v1_7_5 eessppeelllloo:v1_7_4 eessppeelllloo:v1_7_3 eessppeelllloo:v1_7_2 eessppeelllloo:v1_7_1 eessppeelllloo:v1_7_0 eessppeelllloo:v1_6_8 eessppeelllloo:v1_6_7 eessppeelllloo:v1_6_6 eessppeelllloo:v1_6_5 eessppeelllloo:v1_6_4 eessppeelllloo:v1_6_3 eessppeelllloo:v1_6_2 eessppeelllloo:v1_6_1 eessppeelllloo:v1_6_0 eessppeelllloo:v1_5_1 eessppeelllloo:v1_5_0 eessppeelllloo:v1_4_3 eessppeelllloo:v1_4_2 eessppeelllloo:v1_4_1 eessppeelllloo:v1_4_0 eessppeelllloo:v1_3_1 eessppeelllloo:v1_3_0 eessppeelllloo:v1_2_0 eessppeelllloo:v1_1_3 eessppeelllloo:v1_1_2 eessppeelllloo:v1_1_1 eessppeelllloo:v1_1_0 eessppeelllloo:v1_0_7
..
compare: eessppeelllloo:v1_7_x
Branches Tags
eessppeelllloo:ci-fuzzing eessppeelllloo:doxygen-fixes eessppeelllloo:main eessppeelllloo:master eessppeelllloo:tcrypt-argon2 eessppeelllloo:vm-test eessppeelllloo:coverity_scan eessppeelllloo:v2.8.x eessppeelllloo:v2.7.x eessppeelllloo:v2.3.x eessppeelllloo:v2.4.x eessppeelllloo:v2.2.x eessppeelllloo:v2_0_x eessppeelllloo:v1_7_x
eessppeelllloo:v2.8.1 eessppeelllloo:v2.8.1-rc0 eessppeelllloo:v2.8.0 eessppeelllloo:v2.8.0-rc1 eessppeelllloo:v2.8.0-rc0 eessppeelllloo:v2.7.5 eessppeelllloo:v2.7.4 eessppeelllloo:v2.7.3 eessppeelllloo:v2.7.2 eessppeelllloo:v2.7.1 eessppeelllloo:v2.7.0 eessppeelllloo:v2.7.0-rc1 eessppeelllloo:v2.7.0-rc0 eessppeelllloo:v2.6.1 eessppeelllloo:v2.6.0 eessppeelllloo:v2.6.0-rc0 eessppeelllloo:v2.5.0 eessppeelllloo:v2.5.0-rc1 eessppeelllloo:v2.3.7 eessppeelllloo:v2.4.3 eessppeelllloo:v2.4.2 eessppeelllloo:v2.4.1 eessppeelllloo:v2.4.0 eessppeelllloo:v2.4.0-rc1 eessppeelllloo:v2.4.0-rc0 eessppeelllloo:v2.3.6 eessppeelllloo:v2.3.5 eessppeelllloo:v2.3.5-rc0 eessppeelllloo:v2.3.4 eessppeelllloo:v2.3.3 eessppeelllloo:v2.3.2 eessppeelllloo:v2.3.1 eessppeelllloo:v2.3.0 eessppeelllloo:v2.3.0-rc0 eessppeelllloo:v2.2.2 eessppeelllloo:v2.2.1 eessppeelllloo:v2.2.0 eessppeelllloo:v2.2.0-rc1 eessppeelllloo:v2.2.0-rc0 eessppeelllloo:v2.1.0 eessppeelllloo:v2.0.6 eessppeelllloo:v2.0.5 eessppeelllloo:v2.0.4 eessppeelllloo:v2.0.3 eessppeelllloo:v2.0.2 eessppeelllloo:v2.0.1 eessppeelllloo:v2.0.0 eessppeelllloo:v2.0.0-rc1 eessppeelllloo:v2.0.0-rc0 eessppeelllloo:v1_7_5 eessppeelllloo:v1_7_4 eessppeelllloo:v1_7_3 eessppeelllloo:v1_7_2 eessppeelllloo:v1_7_1 eessppeelllloo:v1_7_0 eessppeelllloo:v1_6_8 eessppeelllloo:v1_6_7 eessppeelllloo:v1_6_6 eessppeelllloo:v1_6_5 eessppeelllloo:v1_6_4 eessppeelllloo:v1_6_3 eessppeelllloo:v1_6_2 eessppeelllloo:v1_6_1 eessppeelllloo:v1_6_0 eessppeelllloo:v1_5_1 eessppeelllloo:v1_5_0 eessppeelllloo:v1_4_3 eessppeelllloo:v1_4_2 eessppeelllloo:v1_4_1 eessppeelllloo:v1_4_0 eessppeelllloo:v1_3_1 eessppeelllloo:v1_3_0 eessppeelllloo:v1_2_0 eessppeelllloo:v1_1_3 eessppeelllloo:v1_1_2 eessppeelllloo:v1_1_1 eessppeelllloo:v1_1_0 eessppeelllloo:v1_0_7

136 Commits
v1_6_8 ... v1_7_x

Author SHA1 Message Date
Milan Broz
4de2ae6841 Allow build branch v1_7_x in Travis. 2017-10-19 16:33:46 +02:00
Ondrej Kozina
6d88e53ffa dracut-reencrypt: add --progress-frequency parameter 2017-10-19 15:09:50 +02:00
Milan Broz
c0a860c1e9 Add parameter for progress update without in separate lines 2017-10-19 15:09:50 +02:00
Ondrej Kozina
a96d999087 crypt_deactivate: fail earlier when holders detected 
crypt_deactivate fails earlier without noisy dm retries
when other device holders detected. The early detection
works if:

a) other device-mapper device has a hold reference on the
   device

- or -

b) mounted fs is detected on the device
 2017-10-19 15:09:50 +02:00
Milan Broz
27c1c28102 Fix blockwise access functions for systems with big page size. 
Initially cryptsetup expected underlying device that was, by definition,
always aligned to a sector size (and length was always multiple of sectors).

For the images in file, we can now access the image directly.
Expecting that the image is always aligned to the whole block is now false
(the last block in file image can be incomplete).

Moreover, we cannot easily detect underlying block device sector (block) size
(the storage stack can be complex with various RAID and loop block sizes),
so code uses systyem PAGE_SIZE in this situation (should be the safest way).

Unfortunately, PAGE_SIZE can be bigger (1MB) than device sector (4k) and
the blockwise functions then fails because the image in file is not
aligned to PAGE_SIZE multiple.

Fix it by checking that read/write for the last part of an image is
the exact requested size and not a full block.

(The problem is for example for an unaligned hidden Truecrypt header
on PPC64LE systems, where page size is 64k.)
 2017-10-19 15:06:58 +02:00
Milan Broz
4f13504b8e Point pdf links to kernel.org. 
Some browsers seems to be already smarter than a 5th grader
and blocks the content on gitlab.
 2017-06-29 12:27:30 +02:00
Milan Broz
6d3b96b7dc Fxi luksKill slot to work in batch mode in non-tty environment. 
If there is no TTY on stdin (like nohup or service) then
batch mode should not fail to kill slot.

For more info see Issue#329.
 2017-06-21 13:53:39 +02:00
Milan Broz
8aa2ec8cf3 Add Travis config files to stable branch. 2017-06-21 13:53:08 +02:00
Milan Broz
f21be95712 Fix API tracker URL. 2017-06-18 09:01:13 +02:00
Milan Broz
31a117c74c Update po file... 2017-04-27 12:25:42 +02:00
Milan Broz
24c2b0bcb9 Fix stupid version typo in release notes. 2017-04-27 10:56:59 +02:00
Milan Broz
dfe27e4e8b Update README.md. 2017-04-27 10:48:25 +02:00
Milan Broz
0ba577666c Version 1.7.5. 2017-04-27 08:43:49 +02:00
Milan Broz
4e198501d7 Add 1.7.5 release notes. 2017-04-27 08:43:02 +02:00
Milan Broz
0f03d04599 Align benchmark output even for longer cipher names. 2017-04-26 14:34:38 +02:00
Harald Hoyer
8af93e19a2 dracut-reencrypt: call "udevadm settle" once more 
Somehow testing in qemu resulted sometimes in an endless loop.
Either the timing or the settle fixed the issue.
When the VM was in an endless loop, an strace showed, that the first 512
and 1024 of the crypt partition was read over and over. Either it was
the udev blkid, or some device mapper udev rule.
Maybe the reencrypt tool opens and closes the device fd, where the close
triggers a udev blkid and causes the reencrypt tool to reread the device...
Anyhow.. with this settle the issue was not seen anymore.
 2017-04-26 10:53:55 +02:00
Harald Hoyer
ffa035f45e dracut-reencrypt: add UUID handling to rd.luks.reencrypt= 
This patch adds a udev rule, so that you can specify
rd.luks.reencrypt=<UUID> instead of rd.luks.reencrypt=<devname>

It also moves the job to the "settled" queue, which means, that it is
executed after udev has settled.
 2017-04-26 10:53:45 +02:00
Harald Hoyer
3da51bba75 dracut-reencrypt: add finished hook 
A finished hook prevents dracut-initqueue from exiting and lets it
finish the batched jobs. Without a "finished hook" and without
"root=<dev>" on the kernel command line, the reencrypt job would not be
executed.

Normally you want to reencrypt without a "root=<dev>" on the kernel
command and want to reboot after the reencrypt job is done.

This patch adds the missing "finished hook".
 2017-04-26 10:53:30 +02:00
Milan Broz
83c42227da Fix API test for FIPS mode. 2017-04-21 14:13:06 +02:00
Milan Broz
a495563a35 Fix luksFormat if running in FIPS mode on recent kernel. 
Recently introduced check for weak keys for XTS mode makes
zeroed key for algorithm check unusable.

Use random key for the test instead.
 2017-04-21 14:12:50 +02:00
Milan Broz
c02c1494f7 Fix dm-verity max-size parameter. 2017-04-21 14:10:48 +02:00
Milan Broz
e91b90b8c9 Fix access to unaligned hidden TrueCrypt header. 
On native 4k-sector device the old hidden header is not aligned
with hw sector size and derect-io access with SEEK_END fails.

Let's extend blockwise functions to support a negative offset
and use the same logic as normal unaligned writes.

Fixes problem mentioned in
https://gitlab.com/cryptsetup/cryptsetup/merge_requests/18
 2017-04-04 16:04:49 +02:00
Milan Broz
7c25327396 Fix write_lseek prototype and avoid using void in arithmetic warning. 2017-04-04 16:04:33 +02:00
Ondrej Kozina
4dd568fbfc read_lseek_blockwise: use void pointer 2017-04-04 16:04:20 +02:00
Ondrej Kozina
d3316ec930 Slight code style improvements for blockwise functions. 2017-04-04 16:04:06 +02:00
Ondrej Kozina
b489b0aa64 Add interrupt safe read_lseek_blockwise function. 2017-04-04 16:03:53 +02:00
Ondrej Kozina
2d298071e4 Use read/write buffer functions where appropriate. 2017-04-04 16:03:39 +02:00
Ondrej Kozina
327ebccdb1 Add read_buffer and write_buffer functions. 
Introduce functions for proper I/O handling. These functions
are able to deal with interrupts and partial I/O.
 2017-04-04 16:03:05 +02:00
Ondrej Kozina
a6c8f974fe Avoid write with zero size. 
This can happen if write buffer size is smaller than underlying
block size and initial buffer is misaligned.

Also use size_t for buffer length variables.
 2017-04-04 16:01:21 +02:00
Milan Broz
bcb5d150b0 Update README.md for 1.7.4. 2017-03-15 10:56:20 +01:00
Milan Broz
640eba3569 Update copyright years. 2017-03-12 13:23:34 +01:00
Milan Broz
f8db1ce650 Add 1.7.4. Release notes. 2017-03-12 13:01:46 +01:00
Milan Broz
3406a6f447 Used LUKS1 compiled-in defaults also in Python wrapper. 2017-03-12 12:05:33 +01:00
Milan Broz
672db2c6b4 Update po files. 2017-03-12 12:05:08 +01:00
Milan Broz
b35b98bcd9 Update po files. 2017-03-02 09:40:14 +01:00
Milan Broz
afb7a5ce4b Set 1.7.4. version. 2017-03-02 09:38:38 +01:00
Bastien DHIVER
f3947c0109 Add hashMode parameter in CryptSetup_luksFormat() 2017-03-02 09:34:14 +01:00
Milan Broz
9067054f59 Clarify use of --size parameter. 2017-03-02 09:34:03 +01:00
Milan Broz
3b02c1e690 Fix race while allocating free loop device. 
Fixes Issue #314.

Thanks to Martin Jeřábek for the report.
 2017-03-02 09:33:49 +01:00
Milan Broz
945249fd02 Fix possible fd leaks after exec. 
Thanks Natanael Copa for the report.
Fixes issue#313.
 2017-03-02 09:33:15 +01:00
Milan Broz
68a140d0c5 Fix OpenSSL 1.1.0 compatibility 
If backward-compatible API is not defined (-DOPENSSL_API_COMPAT=0x10100000L)
deprecated symbols cannot be used.

Also see https://bugs.gentoo.org/show_bug.cgi?id=604698

Thanks eroen for reporting this.
 2017-03-02 09:32:52 +01:00
Milan Broz
4f223476f8 Fix TrueCrypt URL in man page. 2017-03-02 09:32:28 +01:00
Arno Wagner
2d93638302 some typos fixed in FAQ 2017-03-02 09:32:15 +01:00
Arno Wagner
25129a99eb Updates to FAQ 
- Finished section 9 initrd with examples how to do your own
- Some minor fixes elswehere
 2017-03-02 09:32:00 +01:00
Milan Broz
9dbce46c0f Update veritysetup man page. 
Thanks Michal Virgovic for patch.
 2017-03-02 09:31:37 +01:00
Milan Broz
0185defb7f Check for data device and hash device area overlap in veritysetup. 
Thanks Michal Virgovic for tests.
 2017-03-02 09:31:18 +01:00
Aric Belsito
50412375da Fix use of LibreSSL. 2017-03-02 09:30:09 +01:00
Milan Broz
057c88eca9 Fix missing CRYPT_ACTIVATE_SAME_CPU_CRYPT flag check in status command. 2017-03-02 09:29:08 +01:00
Milan Broz
a552ea9ac8 Update readme.md for version 1.7.3. 2016-10-30 15:03:36 +01:00
Milan Broz
25e185f6f5 Set 1.7.3 version. 2016-10-28 12:18:22 +02:00
Milan Broz
db09bc58fc Update 1.7.3 Release notes. 2016-10-28 12:11:40 +02:00
Milan Broz
0061ce298a Verify passphrase in cryptsetup-reencrypt when encrypting new drive. 2016-10-28 12:07:35 +02:00
Milan Broz
c8da0a76aa Fix keylength = 0 (no key) case. 2016-10-28 11:55:20 +02:00
Milan Broz
7dbb47f76a Fix crypt_generate_volume_key to use size_t for keylength. 2016-10-28 11:54:58 +02:00
Tobias Stoeckmann
d68d981f36 Avoid integer overflows during memory allocation. 
It is possible to overflow integers during memory allocation with
insanely large "key bytes" specified in a LUKS header.

Although it could be argued to properly validate LUKS headers while
parsing them, it's still a good idea to fix any form of possible
overflow attacks against cryptsetup in these allocation functions.
 2016-10-28 11:54:18 +02:00
Tobias Stoeckmann
f65dbd5a07 Avoid buffer overflow in uuid_or_device. 
The function uuid_or_device is prone to a buffer overflow if a very long
spec has been defined. The range check happens against PATH_MAX, with
i being set to 5 (due to "UUID=" offset of spec), but "/dev/disk/by-uuid"
has been already written into device.

The difference between "/dev/disk/by-uuid" and "UUID=" is 13, therefore
the correct range check must happen against PATH_MAX - 13.
@@ -204,7 +204,7 @@ const char *uuid_or_device(const char *spec)
                strcpy(device, "/dev/disk/by-uuid/");
 2016-10-28 11:52:54 +02:00
Milan Broz
2c7c527990 Add 1.7.3. Release Notes. 2016-10-28 11:18:33 +02:00
Milan Broz
3cf86ec1be Update po files. 2016-10-28 11:00:00 +02:00
Eduardo Villanueva Che
274c417e56 Fixed veritysetup bug with hash offsets bigger than 2gb. 
The lseek in function write_blockwise() could return value
that is greater than integer for result so it can overflow
and fail the whole write.
[comment added by mbroz]
 2016-10-22 09:34:02 +02:00
Jonas Meurer
337b20a4ed Fix several minor spelling errors found by Lintian 
* lib/setup.c: miliseconds -> milliseconds
* lib/utils_wipe.c: Unsuported -> Unsupported
* man/crypsetup.8: implicitely -> implicitly
* man/veritysetup.8: verion -> version
* python/pycryptsetup.c: miliseconds -> milliseconds
 2016-10-22 09:33:30 +02:00
Milan Broz
35ab06c61c Set configured default iteration time early in crypt_init constructor. 2016-10-20 14:41:15 +02:00
Milan Broz
3e5e9eb620 Rephrase UUID error message forc cryptsetup-reencrypt. 2016-10-20 14:36:58 +02:00
Milan Broz
e856bc37bb Fix error path after conversion to OpenSSL 1.1.0. 2016-10-20 08:26:56 +02:00
Milan Broz
f594435298 Support OpenSSL 1.1.0 in cryptsetup backend. 2016-10-20 08:26:45 +02:00
Milan Broz
a1fb77b8b3 Fix Nettle crypto backend definitions. 2016-10-19 21:17:03 +02:00
Milan Broz
8e3d5bbd70 Try to find python$VERSION-config. 2016-10-19 12:47:53 +02:00
Per x Johansson
443a8b806f Fix memory leak when using openssl backend 
Fixes a memory leak when using openssl backend caused by mismatched
calls to EVP_DigestInit and EVP_DigestFinal_ex.
 2016-10-18 14:44:51 +02:00
Milan Broz
2fc8b6a306 Fix PBKDF2 benchmark to not double iteration count for corner case. 
If measurement function returns exactly 500 ms, the iteration
calculation loop doubles iteration count but instead of repeating
measurement it uses this value directly.

Thanks to Ondrej Mosnacek for bug report.
 2016-06-23 09:53:22 +02:00
Milan Broz
94f4f6b1b6 Force test to read device to detect corrupted blocks. 
(If udev scanning is switched off, there is no real activity on device yet.)
 2016-06-23 09:53:14 +02:00
Milan Broz
af1ce99a6f Update Readme.md. 2016-06-04 14:21:04 +02:00
Milan Broz
602d7f0bb0 Workaround for align test for scsi_debug kernel in-use issue. 2016-06-04 13:13:33 +02:00
Milan Broz
53c4fbac2d Fix possible leak if reencryption is interrupted. 2016-06-04 13:13:24 +02:00
Milan Broz
acc846ceba Revert soname change. 2016-06-04 13:13:15 +02:00
Milan Broz
89bce3d21b Prepare version 1.7.2. 
Bump libcryptsetup version (new defines, all backward compatible).
 2016-06-04 11:40:44 +02:00
Milan Broz
1de98c12a6 Add 1.7.2 Release notes. 2016-06-04 11:37:11 +02:00
Milan Broz
4d62ef49de Update po files. 2016-06-02 19:18:46 +02:00
Milan Broz
de14f78e25 Update po files. 2016-05-25 15:16:54 +02:00
Milan Broz
a2d33996f4 Fix error message. 2016-05-25 15:16:08 +02:00
Milan Broz
d59d935308 Update po files. 2016-05-19 13:12:41 +02:00
Milan Broz
7c62c82c8f Fix help text for cipher benchmark specification. 2016-05-19 12:59:46 +02:00
Ondrej Kozina
664f48e29d keymanage: eliminate double close() call 
fix  double close() cases in LUKS_hdr_backup() and LUKS_hdr_restore()
functions. It should be harmless unless libcryptsetup is used
in multi-thread setup which is not supported anyway.
 2016-05-19 12:59:33 +02:00
Milan Broz
96896efed4 Add ABI tracker output link. 2016-05-19 12:59:17 +02:00
Milan Broz
bdf16abc53 Update LUKS doc format. 
Clarify fixed sector size and keyslots alignment.
 2016-05-19 12:58:56 +02:00
Milan Broz
8030bd0593 Support activation options for error handling modes in dm-verity. 
This patch adds veritysetup support for these Linux kernel dm-verity options:

  --ignore-corruption - dm-verity just logs detected corruption
  --restart-on-corruption - dm-verity restarts the kernel if corruption is detected

  If the options above are not specified, default behaviour for dm-verity remains.
  Default is that I/O operation fails with I/O error if corrupted block is detected.

  --ignore-zero-blocks - Instructs dm-verity to not verify blocks that are expected
   to contain zeroes and always return zeroes directly instead.

NOTE that these options could have serious security or functional impacts,
do not use them without assessing the risks!
 2016-05-19 12:58:39 +02:00
Milan Broz
a89e6e6e89 Fix dm-verity test typo. 2016-05-19 12:58:06 +02:00
Ondrej Kozina
a5ed08f2d4 dracut_90reencrypt: fix warns reported by static analysis 
- moddir is assigned in parent script run by dracut (warning was
  silenced)

- fix defect wrt to assignement and making variable local on
  same line. The variable cwd was first assigned by subshell
  and later any error originating in subshell was masked by
  making the variable local (which returns always 'true')
 2016-05-19 12:57:53 +02:00
Milan Broz
f92786a044 Avoid possible divide-by-zero warnings. 2016-05-19 12:57:31 +02:00
Milan Broz
b282cb2366 Fix warnings reported by static analysis. 
- ensure that strings are \0 terminated (most of this is already
handled on higher level anyway)

- fix resource leak in error path in tcrypt.c

- fix time of check/time of use race in sysfs path processing

- insruct Coverity scanner to ignore constant expression in random.c
(it is intented to stop compile-time misconfiguration of RNG that would be fatal)
 2016-05-19 12:56:51 +02:00
Milan Broz
883bde3f1b Avoid tar archive warnings if tests are run as superuser. 2016-05-19 12:56:16 +02:00
Milan Broz
e969eba2bb Include sys/sysmacros.h if present. 
Needed for major/minor definitions.

Thanks Mike Frysinger for pointing this out.
 2016-05-19 12:55:54 +02:00
Milan Broz
3c3756fbd7 Link reencryption utility to uuid library. 
(Fixes last patch.)
 2016-05-19 12:55:36 +02:00
VittGam
b8359b3652 Fix off-by-one error in maximum keyfile size. 
Allow keyfiles up to DEFAULT_KEYFILE_SIZE_MAXKB * 1024 bytes in size, and not that value minus one.

Signed-off-by: Vittorio Gambaletta <git-cryptsetup@vittgam.net>
 2016-05-19 12:54:57 +02:00
Ondrej Kozina
75eaac3fef cryptsetup-reencrypt: enable resume of decryption 
to enable resume of interrupted decryption user has
to pass uuid of the former luks device. That uuid is used
to resume the operation if temporary files LUKS-* still
exist.
 2016-05-19 12:54:39 +02:00
Milan Broz
d70e2ba18d Update po files. 2016-05-19 12:54:20 +02:00
Arno Wagner
3a27ce636a sync to WIKI version 2016-05-19 12:53:49 +02:00
Milan Broz
0a951da27f Disable DIRECT_IO for LUKS header with unaligned keyslots. 
Fixes issue#287.

Such a header is very rare, it is not worth to do more detection here.
 2016-05-19 12:53:23 +02:00
Athira Rajeev
be6ab40fb9 Fix device_block_size_fd to return bsize correctly incase of files. 
This patch is for issue #287

In the code for returning block size ( device_block_size_fd in lib/utils_device.c ),
always returns zero in case of files and device_read_test is not executed.

This patch is to fix device_block_size_fd to return block size correctly incase of files.

Signed-off-by: Athira Rajeevatrajeev@linux.vnet.ibm.com
 2016-05-19 12:52:57 +02:00
Milan Broz
29ecd515ac Update README for 1.7.1. 2016-05-19 12:52:20 +02:00
Milan Broz
0c7ce6215b Set devel version. 2016-02-28 14:46:13 +01:00
Milan Broz
ddd587d78d Prepare version 1.7.1. 2016-02-28 13:40:11 +01:00
Milan Broz
e6ef5bb698 Add 1.7.1 release notes. 2016-02-28 13:39:13 +01:00
Milan Broz
b4cf5e2dab Fix align test for new scsi_debug defaults. 2016-02-28 11:14:09 +01:00
Ondrej Kozina
a1683189da cryptsetup-reencrypt: harden checks for hdr backups removal 
There're various situations where hdr backups together with log file
may get removed even when the hdr was already marked unusable. This
patch fixes the most sever case already reported and generaly tries
harder protecting the log file and both hdr backups.
 2016-02-28 11:13:10 +01:00
Ondrej Kozina
a0fc06280e cryptsetup-reencrypt: drop unreachable code path 
MAKE_USABLE flag is never used in device_check()
 2016-02-28 09:45:48 +01:00
Milan Broz
830edb22cf Update po files. 2016-02-28 09:45:31 +01:00
Milan Broz
26bf547bbc Update po files. 2016-02-23 17:42:33 +01:00
Ondrej Kozina
cec31efee2 Clarify the reencrypt_keyslot= option 2016-02-21 18:58:06 +01:00
Milan Broz
4ad075e928 Fix kernel crypto backend to set key before accept call even for HMAC. 2016-02-21 18:57:49 +01:00
Milan Broz
10a6318b1f Fix cipher_null key setting in kernel crypto backend. 2016-02-21 18:57:15 +01:00
Ondrej Kozina
18528edc31 Fix hang in low level device-mapper code. 
udev cookies should be set right in before the dm_task_run()
call otherwise we risk a hang while waiting for a cookie
associated with not yet executed dm task.

For example: failing to add table line (dm_task_add_target())
results in such hang.
 2016-02-21 18:57:06 +01:00
Milan Broz
2b91d7c385 Set skcipher key before accept() call in kernel crypto backend. 
Also relax input errno checking to catch all errors.
 2016-02-21 18:56:50 +01:00
Loui Chang
8d7235b9a9 Update version control history url 
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
 2016-02-21 18:56:20 +01:00
Loui Chang
02295bed47 Man page typo 
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
 2016-02-21 18:56:05 +01:00
Milan Broz
0657956351 Update sr.po. 2016-02-21 18:54:29 +01:00
Milan Broz
9f50fd2980 Allow special "-" (standard input) keyfile hangdling even for TCRYPT devices. 
Fail if there are more keyfiles specified for non-TCRYPT device.

Fixes issue#269.
 2016-01-01 19:19:44 +01:00
Milan Broz
e32376acf1 Fix luksKillSlot to not suppress provided password in batch mode. 
Batch mode should enable no-query keyslot wipe but only if user
did not provided password or keyfile explicitely.

Fixes issue #265.

Signed-off-by: Milan Broz <gmazyland@gmail.com>
 2015-11-22 12:57:07 +01:00
Milan Broz
8ab9c9dc68 Update po files. 2015-11-20 08:55:36 +01:00
Milan Broz
a5363f184c Set devel version. 2015-11-03 13:41:14 +01:00
Milan Broz
e2637c5d49 Prepare version 1.7.0. 2015-11-03 13:32:24 +01:00
Milan Broz
4a72695241 Update README.md. 2015-11-03 13:15:42 +01:00
Milan Broz
af31af5e3d Add 1.7.0 Release notes. 2015-11-03 13:03:55 +01:00
Milan Broz
2aa0bb7eac Update LUKS default hash and kernel crypto api hash check. 2015-11-02 21:07:49 +01:00
Milan Broz
8ae62715a8 Update po files. 2015-11-02 21:07:20 +01:00
Arno Wagner
506ba27358 Synced to Wiki version with new markup stripper. 2015-11-02 20:37:47 +01:00
Milan Broz
4384e50578 Decrease iteration time for compat tests. 2015-10-29 12:44:15 +01:00
Milan Broz
1623ee71ab Remove experimental warning for reencrypt tool. 2015-10-29 12:16:37 +01:00
Milan Broz
f425d07ec7 Switch to sha256 and 2s iteration time for LUKS devices defaults. 
Note that no longer using SHA1 is just to prevent situation
when it is no longer available on hardened systems, there is
no known security problem (finding collisions is not a problem for LUKS).

Increasing iteration time is in combination with PBKDF2 benchmark
fixes try to keep PBKDF2 iteration count still high enough and
also acceptable for users.

(Long term is to replace PBKDF2 algorithm with Password Hashing
Competiton winner.).

N.B. distributions can change these defaults in compilation time.
 2015-10-29 12:08:14 +01:00
Ondrej Kozina
d260be02d4 tcrypt: fix potential memory leak on error path 2015-10-29 12:06:40 +01:00
Milan Broz
4609fd87d7 Fix PBKDF2 iteration benchmark for longer key sizes. 
The previous PBKDF2 benchmark code did not take into account
output key length.
For SHA1 (with 160-bits output) and 256-bit keys (and longer)
it means that the final value was higher than it should be.

For other hash algorithms (like SHA256 or SHA512) it caused
that iteration count was smaller (in comparison to SHA1) than
expected for the requested time period.

This patch fixes the code to use key size for the formatted device
(or default LUKS key size if running in informational benchmark mode).

Thanks to A.Visconti, S.Bossi, A.Calo and H.Ragab
(http://www.club.di.unimi.it/) for point this out.
(Based on "What users should know about Full Disk Encryption
based on LUKS" paper to be presented on CANS2015).
 2015-10-29 11:52:18 +01:00
Milan Broz
9e90d91446 Update da.po. 2015-10-12 15:16:25 +02:00
Milan Broz
7bbf0796b5 Merge branch 'glebfm/cryptsetup-passwdqc' 2015-10-12 14:17:55 +02:00
Milan Broz
fe3148f074 Tweak passwdqc use. 2015-10-12 14:15:03 +02:00
Gleb Fotengauer-Malinovskiy
5e9c27118e Add optional libpasswdqc support for new LUKS passwords 
If password is entered through terminal (no keyfile specified) and
cryptsetup is compiled with --enable-passwdqc[=/etc/passwdqc.conf],
default system passwdqc settings are used to check password quality.
 2015-10-08 17:30:26 +00:00
Milan Broz
c362ba9293 Update it.po. 2015-09-24 10:20:31 +02:00
Milan Broz
e97048dd32 Set devel version. 2015-09-08 15:17:16 +02:00
Milan Broz
5ea0ba61be Add release notes for 1.6.7 link. 2015-09-08 13:11:36 +02:00
96 changed files with 12005 additions and 7030 deletions
Expand all files Collapse all files

117
.travis-functions.sh Normal file
View File

@@ -0,0 +1,117 @@
#!/bin/bash
#
# .travis-functions.sh:
# - helper functions to be sourced from .travis.yml
# - designed to respect travis' environment but testing locally is possible
# - modified copy from util-linux project
#
if [ ! -f "configure.ac" ]; then
echo ".travis-functions.sh must be sourced from source dir" >&2
return 1 || exit 1
fi
## some config settings
# travis docs say we get 1.5 CPUs
MAKE="make -j2"
DUMP_CONFIG_LOG="short"
export TS_OPT_parsable="yes"
function configure_travis
{
./configure "$@"
err=$?
if [ "$DUMP_CONFIG_LOG" = "short" ]; then
grep -B1 -A10000 "^## Output variables" config.log | grep -v "_FALSE="
elif [ "$DUMP_CONFIG_LOG" = "full" ]; then
cat config.log
fi
return $err
}
function check_root
{
local cfg_opts="$1"
[ -z "$cfg_opts" ] && return
# FIXME: --enable-python does not work here
configure_travis \
--enable-cryptsetup-reencrypt \
"$cfg_opts" \
|| return
$MAKE || return
sudo modprobe dm-crypt
sudo modprobe dm-verity
sudo modprobe dm-integrity
sudo dmsetup targets
# FIXME: we should use -E option here
sudo make check || return
#sudo $MAKE install || return
}
function travis_install_script
{
# install some packages from Ubuntu's default sources
sudo apt-get -qq update
sudo apt-get install -qq >/dev/null \
sharutils \
libgcrypt20-dev \
libssl-dev \
libdevmapper-dev \
libpopt-dev \
uuid-dev \
libsepol1-dev \
libtool \
dmsetup \
autoconf \
automake \
pkg-config \
autopoint \
gettext \
|| return
}
function travis_before_script
{
set -o xtrace
./autogen.sh
ret=$?
set +o xtrace
return $ret
}
function travis_script
{
local ret
set -o xtrace
case "$MAKE_CHECK" in
gcrypt)
check_root "--with-crypto_backend=gcrypt"
;;
openssl)
check_root "--with-crypto_backend=openssl"
;;
*)
echo "error, check environment (travis.yml)" >&2
false
;;
esac
ret=$?
set +o xtrace
return $ret
}
function travis_after_script
{
return 0
}

38
.travis.yml Normal file
View File

@@ -0,0 +1,38 @@
language: c
sudo: required
dist: trusty
compiler:
- gcc
env:
- MAKE_CHECK="gcrypt"
- MAKE_CHECK="openssl"
branches:
only:
- master
- v1_7_x
before_install:
- uname -a
- $CC --version
- which $CC
# workaround clang not system wide, fail on sudo make install
- export CC=`which $CC`
# workaround travis-ci issue #5301
- unset PYTHON_CFLAGS
install:
- source ./.travis-functions.sh
- travis_install_script
before_script:
- travis_before_script
script:
- travis_script
after_script:
- travis_after_script

2
ChangeLog
View File

@@ -3,4 +3,4 @@ Since version 1.6 this file is no longer maintained.
See docs/*ReleaseNotes for release changes documentation.
See version control history for full commit messages.
http://code.google.com/p/cryptsetup/source/list
https://gitlab.com/cryptsetup/cryptsetup/commits/master

3049
FAQ
View File

File diff suppressed because it is too large Load Diff

45
README.md
View File

@@ -18,6 +18,9 @@ only facilitate compatibility among distributions, but also provides secure mana
In contrast to existing solution, LUKS stores all setup necessary setup information in the partition header,
enabling the user to transport or migrate his data seamlessly.
Last version of the LUKS format specification is
[available here](https://www.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf).
Why LUKS?
---------
* compatiblity via standardization,
@@ -29,6 +32,12 @@ Why LUKS?
[Project home page](https://gitlab.com/cryptsetup/cryptsetup/).
-----------------
**CVE-2016-4484 (Initrd root shell)**
This is problem in **intramfs** **scripts** only (these are **not** part of cryptsetup project), it is neiter bug in cryptsetup nor in LUKS.
Some distributions could add these scripts to distributed package, please check your distro updates for more info.
[Frequently asked questions (FAQ)](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions)
--------------------------------
@@ -36,24 +45,28 @@ Download
--------
All release tarballs and release notes are hosted on [kernel.org](https://www.kernel.org/pub/linux/utils/cryptsetup/).
**The latest cryptsetup version is 1.6.8**
* [cryptsetup-1.6.8.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-1.6.8.tar.xz)
* Signature [cryptsetup-1.6.8.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-1.6.8.tar.sign)
**The latest cryptsetup version is 1.7.5**
* [cryptsetup-1.7.5.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.5.tar.xz)
* Signature [cryptsetup-1.7.5.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.5.tar.sign)
_(You need to decompress file first to check signature.)_
* [Cryptsetup 1.6.8 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/v1.6.8-ReleaseNotes).
* [Cryptsetup 1.7.5 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.5-ReleaseNotes).
Previous versions
* [Version 1.6.7](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-1.6.7.tar.xz) -
[Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-1.6.7.tar.sign) -
* [Version 1.6.6](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-1.6.6.tar.xz) -
[Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-1.6.6.tar.sign) -
[Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/v1.6.6-ReleaseNotes).
* [Version 1.6.5](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-1.6.5.tar.xz) -
[Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-1.6.5.tar.sign) -
[Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/v1.6.5-ReleaseNotes).
* [Version 1.6.4](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-1.6.4.tar.xz) -
[Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-1.6.4.tar.sign) -
[Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/v1.6.4-ReleaseNotes).
* [Version 1.7.4](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.4.tar.xz) -
[Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.4.tar.sign) -
[Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.4-ReleaseNotes).
* [Version 1.7.3](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.3.tar.xz) -
[Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.3.tar.sign) -
[Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.3-ReleaseNotes).
* [Version 1.7.2](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.2.tar.xz) -
[Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.2.tar.sign) -
[Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.2-ReleaseNotes).
* [Version 1.7.1](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.1.tar.xz) -
[Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.1.tar.sign) -
[Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.1-ReleaseNotes).
* [Version 1.7.0](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.0.tar.xz) -
[Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.0.tar.sign) -
[Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.0-ReleaseNotes).
Source and API docs
-------------------
@@ -62,6 +75,8 @@ mirror on [kernel.org](https://git.kernel.org/cgit/utils/cryptsetup/cryptsetup.g
For libcryptsetup documentation see [libcryptsetup API](https://gitlab.com/cryptsetup/cryptsetup/wikis/API/index.html) page.
The libcryptsetup API/ABI changes are tracked in [compatibility report](https://gitlab.com/cryptsetup/cryptsetup/wikis/ABI-tracker/timeline/libcryptsetup/index.html).
NLS PO files are maintained by [TranslationProject](http://translationproject.org/domain/cryptsetup.html).
Help!

60
configure.ac
View File

@@ -1,5 +1,5 @@
AC_PREREQ([2.67])
AC_INIT([cryptsetup],[1.6.8])
AC_INIT([cryptsetup],[1.7.5])
dnl library version from <major>.<minor>.<release>[-<suffix>]
LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-)
@@ -37,7 +37,7 @@ PKG_PROG_PKG_CONFIG
AC_HEADER_DIRENT
AC_HEADER_STDC
AC_CHECK_HEADERS(fcntl.h malloc.h inttypes.h sys/ioctl.h sys/mman.h \
ctype.h unistd.h locale.h byteswap.h endian.h)
sys/sysmacros.h ctype.h unistd.h locale.h byteswap.h endian.h)
AC_CHECK_HEADERS(uuid/uuid.h,,[AC_MSG_ERROR([You need the uuid library.])])
AC_CHECK_HEADER(libdevmapper.h,,[AC_MSG_ERROR([You need the device-mapper library.])])
@@ -97,12 +97,14 @@ AC_DEFUN([NO_FIPS], [
dnl ==========================================================================
dnl pwquality library (cryptsetup CLI only)
AC_ARG_ENABLE([pwquality], AS_HELP_STRING([--enable-pwquality],[enable password quality checking]),
[with_pwquality=$enableval],
[with_pwquality=no])
AC_ARG_ENABLE([pwquality],
AS_HELP_STRING([--enable-pwquality],
[enable password quality checking using pwquality library]),
[with_pwquality=$enableval],
[with_pwquality=no])
if test "x$with_pwquality" = "xyes"; then
AC_DEFINE(ENABLE_PWQUALITY, 1, [Enable password quality checking])
AC_DEFINE(ENABLE_PWQUALITY, 1, [Enable password quality checking using pwquality library])
PKG_CHECK_MODULES([PWQUALITY], [pwquality >= 1.0.0],,
AC_MSG_ERROR([You need pwquality library.]))
@@ -110,6 +112,31 @@ if test "x$with_pwquality" = "xyes"; then
PWQUALITY_STATIC_LIBS="$PWQUALITY_LIBS -lcrack -lz"
fi
dnl ==========================================================================
dnl passwdqc library (cryptsetup CLI only)
AC_ARG_ENABLE([passwdqc],
AS_HELP_STRING([--enable-passwdqc@<:@=CONFIG_PATH@:>@],
[enable password quality checking using passwdqc library (optionally with CONFIG_PATH)]),
[enable_passwdqc=$enableval],
[enable_passwdqc=no])
case "$enable_passwdqc" in
yes|no) use_passwdqc_config="" ;;
/*) use_passwdqc_config="$enable_passwdqc"; enable_passwdqc=yes ;;
*) AC_MSG_ERROR([Unrecognized --enable-passwdqc parameter.]) ;;
esac
AC_DEFINE_UNQUOTED([PASSWDQC_CONFIG_FILE], ["$use_passwdqc_config"], [passwdqc library config file])
if test "x$enable_passwdqc" = "xyes"; then
AC_DEFINE(ENABLE_PASSWDQC, 1, [Enable password quality checking using passwdqc library])
PASSWDQC_LIBS="-lpasswdqc"
fi
if test "x$with_pwquality$enable_passwdqc" = "xyesyes"; then
AC_MSG_ERROR([--enable-pwquality and --enable-passwdqc are mutually incompatible.])
fi
dnl ==========================================================================
dnl Crypto backend functions
@@ -262,6 +289,8 @@ LIBS=$saved_LIBS
LIBS="$LIBS $DEVMAPPER_LIBS"
AC_CHECK_DECLS([dm_task_secure_data], [], [], [#include <libdevmapper.h>])
AC_CHECK_DECLS([dm_task_retry_remove], [], [], [#include <libdevmapper.h>])
AC_CHECK_DECLS([dm_device_has_mounted_fs], [], [], [#include <libdevmapper.h>])
AC_CHECK_DECLS([dm_device_has_holders], [], [], [#include <libdevmapper.h>])
AC_CHECK_DECLS([DM_UDEV_DISABLE_DISK_RULES_FLAG], [have_cookie=yes], [have_cookie=no], [#include <libdevmapper.h>])
if test "x$enable_udev" = xyes; then
if test "x$have_cookie" = xno; then
@@ -345,6 +374,8 @@ AC_SUBST([DEVMAPPER_STATIC_LIBS])
AC_SUBST([PWQUALITY_LIBS])
AC_SUBST([PWQUALITY_STATIC_LIBS])
AC_SUBST([PASSWDQC_LIBS])
AC_SUBST([CRYPTO_CFLAGS])
AC_SUBST([CRYPTO_LIBS])
AC_SUBST([CRYPTO_STATIC_LIBS])
@@ -388,14 +419,19 @@ AC_ARG_WITH([python_version],
if test "x$with_python" = "xyes"; then
AM_PATH_PYTHON([$PYTHON_VERSION])
if ! test -x "$PYTHON-config" ; then
AC_MSG_ERROR([Cannot find python development packages to build bindings])
AC_PATH_PROGS([PYTHON_CONFIG], [python${PYTHON_VERSION}-config python-config], [no])
if test "${PYTHON_CONFIG}" = "no"; then
AC_MSG_ERROR([cannot find python${PYTHON_VERSION}-config or python-config in PATH])
fi
PYTHON_INCLUDES=$($PYTHON-config --includes)
AC_MSG_CHECKING(for python headers using $PYTHON_CONFIG --includes)
PYTHON_INCLUDES=$($PYTHON_CONFIG --includes)
AC_MSG_RESULT($PYTHON_INCLUDES)
AC_SUBST(PYTHON_INCLUDES)
PYTHON_LIBS=$($PYTHON-config --libs)
AC_MSG_CHECKING(for python libraries using $PYTHON_CONFIG --libs)
PYTHON_LIBS=$($PYTHON_CONFIG --libs)
AC_MSG_RESULT($PYTHON_LIBS)
AC_SUBST(PYTHON_LIBS)
fi
AM_CONDITIONAL([PYTHON_CRYPTSETUP], [test "x$with_python" = "xyes"])
@@ -406,11 +442,11 @@ CS_STR_WITH([plain-cipher], [cipher for plain mode], [aes])
CS_STR_WITH([plain-mode], [cipher mode for plain mode], [cbc-essiv:sha256])
CS_NUM_WITH([plain-keybits],[key length in bits for plain mode], [256])
CS_STR_WITH([luks1-hash], [hash function for LUKS1 header], [sha1])
CS_STR_WITH([luks1-hash], [hash function for LUKS1 header], [sha256])
CS_STR_WITH([luks1-cipher], [cipher for LUKS1], [aes])
CS_STR_WITH([luks1-mode], [cipher mode for LUKS1], [xts-plain64])
CS_NUM_WITH([luks1-keybits],[key length in bits for LUKS1], [256])
CS_NUM_WITH([luks1-iter-time],[PBKDF2 iteration time for LUKS1 (in ms)], [1000])
CS_NUM_WITH([luks1-iter-time],[PBKDF2 iteration time for LUKS1 (in ms)], [2000])
CS_STR_WITH([loopaes-cipher], [cipher for loop-AES mode], [aes])
CS_NUM_WITH([loopaes-keybits],[key length in bits for loop-AES mode], [256])

2
docs/doxygen_index
View File

@@ -4,7 +4,7 @@
* The documentation covers public parts of cryptsetup API. In the following sections you'll find
* the examples that describe some features of cryptsetup API.
* For more info about libcryptsetup API versions see
* <a href="http://upstream-tracker.org/versions/libcryptsetup.html">Upstream Tracker</a>.
* <a href="https://gitlab.com/cryptsetup/cryptsetup/wikis/ABI-tracker/timeline/libcryptsetup/index.html">API Tracker</a>.
*
* <OL type="A">
* <LI>@ref cexamples "Cryptsetup API examples"</LI>

2
docs/examples/crypt_log_usage.c
View File

@@ -1,7 +1,7 @@
/*
* An example of using logging through libcryptsetup API
*
* Copyright (C) 2011, Red Hat, Inc. All rights reserved.
* Copyright (C) 2011-2017, Red Hat, Inc. All rights reserved.
*
* This file is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public

2
docs/examples/crypt_luks_usage.c
View File

@@ -1,7 +1,7 @@
/*
* An example of using LUKS device through libcryptsetup API
*
* Copyright (C) 2011, Red Hat, Inc. All rights reserved.
* Copyright (C) 2011-2017, Red Hat, Inc. All rights reserved.
*
* This file is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public

BIN
docs/on-disk-format.pdf
View File

Binary file not shown.

81
docs/v1.7.0-ReleaseNotes Normal file
View File

@@ -0,0 +1,81 @@
Cryptsetup 1.7.0 Release Notes
==============================
The cryptsetup 1.7 release changes defaults for LUKS,
there are no API changes.
Changes since version 1.6.8
* Default hash function is now SHA256 (used in key derivation function
and anti-forensic splitter).
Note that replacing SHA1 with SHA256 is not for security reasons.
(LUKS does not have problems even if collisions are found for SHA1,
for details see FAQ item 5.20).
Using SHA256 as default is mainly to prevent compatibility problems
on hardened systems where SHA1 is already be phased out.
Note that all checks (kernel crypto API availability check) now uses
SHA256 as well.
* Default iteration time for PBKDF2 is now 2 seconds.
Increasing iteration time is in combination with PBKDF2 benchmark
fixes a try to keep PBKDF2 iteration count still high enough and
also still acceptable for users.
N.B. Long term is to replace PBKDF2 algorithm with Password Hashing
Competition winner - Argon2.
Distributions can still change these defaults in compilation time.
You can change iteration time and used hash function in existing LUKS
header with cryptsetup-reencrypt utility even without full reencryption
of device (see --keep-key option).
* Fix PBKDF2 iteration benchmark for longer key sizes.
The previous PBKDF2 benchmark code did not take into account
output key length properly.
For SHA1 (with 160-bits output) and 256-bit keys (and longer)
it means that the final iteration value was higher than it should be.
For other hash algorithms (like SHA256 or SHA512) it caused
that iteration count was lower (in comparison to SHA1) than
expected for the requested time period.
The PBKDF2 benchmark code is now fixed to use the key size for
the formatted device (or default LUKS key size if running in informational
benchmark mode).
Thanks to A.Visconti, S.Bossi, A.Calo and H.Ragab
(http://www.club.di.unimi.it/) for point this out.
(Based on "What users should know about Full Disk Encryption
based on LUKS" paper to be presented on CANS2015).
* Remove experimental warning for reencrypt tool.
The strong request for full backup before using reencryption utility
still applies :)
* Add optional libpasswdqc support for new LUKS passwords.
If password is entered through terminal (no keyfile specified) and
cryptsetup is compiled with --enable-passwdqc[=/etc/passwdqc.conf],
configured system passwdqc settings are used to check password quality.
* Update FAQ document.
Cryptsetup API NOTE:
Direct terminal handling and password calling callback for passphrase
entry will be removed from libcryptsetup in next major (2.x) version
(application should handle it itself).
It means that application have to always provide password in API calls.
Functions returning last error will be removed in next major version (2.x).
These functions did not work properly for early initialization errors
and application can implement better function easily using own error callback.
See comments in libcryptsetup.h for more info about deprecated functions.

36
docs/v1.7.1-ReleaseNotes Normal file
View File

@@ -0,0 +1,36 @@
Cryptsetup 1.7.1 Release Notes
==============================
Changes since version 1.7.0
* Code now uses kernel crypto API backend according to new
changes introduced in mainline kernel
While mainline kernel should contain backward compatible
changes, some stable series kernels do not contain fully
backported compatibility patches.
Without these patches most of cryptsetup operations
(like unlocking device) fail.
This change in cryptsetup ensures that all operations using
kernel crypto API works even on these kernels.
* The cryptsetup-reencrypt utility now properly detects removal
of underlying link to block device and does not remove
ongoing re-encryption log.
This allows proper recovery (resume) of reencrypt operation later.
NOTE: Never use /dev/disk/by-uuid/ path for reencryption utility,
this link disappears once the device metadata is temporarily
removed from device.
* Cryptsetup now allows special "-" (standard input) keyfile handling
even for TCRYPT (TrueCrypt and VeraCrypt compatible) devices.
* Cryptsetup now fails if there are more keyfiles specified
for non-TCRYPT device.
* The luksKillSlot command now does not suppress provided password
in batch mode (if password is wrong slot is not destroyed).
Note that not providing password in batch mode means that keyslot
is destroyed unconditionally.

37
docs/v1.7.2-ReleaseNotes Normal file
View File

@@ -0,0 +1,37 @@
Cryptsetup 1.7.2 Release Notes
==============================
Changes since version 1.7.1
* Update LUKS documentation format.
Clarify fixed sector size and keyslots alignment.
* Support activation options for error handling modes in Linux kernel
dm-verity module:
--ignore-corruption - dm-verity just logs detected corruption
--restart-on-corruption - dm-verity restarts the kernel if corruption is detected
If the options above are not specified, default behavior for dm-verity remains.
Default is that I/O operation fails with I/O error if corrupted block is detected.
--ignore-zero-blocks - Instructs dm-verity to not verify blocks that are expected
to contain zeroes and always return zeroes directly instead.
NOTE that these options could have security or functional impacts,
do not use them without assessing the risks!
* Fix help text for cipher benchmark specification (mention --cipher option).
* Fix off-by-one error in maximum keyfile size.
Allow keyfiles up to compiled-in default and not that value minus one.
* Support resume of interrupted decryption in cryptsetup-reencrypt utility.
To resume decryption, LUKS device UUID (--uuid option) option must be used.
* Do not use direct-io for LUKS header with unaligned keyslots.
Such headers were used only by the first cryptsetup-luks-1.0.0 release (2005).
* Fix device block size detection to properly work on particular file-based
containers over underlying devices with 4k sectors.

24
docs/v1.7.3-ReleaseNotes Normal file
View File

@@ -0,0 +1,24 @@
Cryptsetup 1.7.3 Release Notes
==============================
Changes since version 1.7.2
* Fix device access to hash offsets located beyond the 2GB device boundary in veritysetup.
* Set configured (compile-time) default iteration time for devices created directly through
libcryptsetup (default was hardcoded 1 second, the configured value applied only
for cryptsetup application).
* Fix PBKDF2 benchmark to not double iteration count for specific corner case.
If the measurement function returns exactly 500 ms, the iteration calculation loop
doubled iteration count but instead of repeating measurement it used this value directly.
* Verify passphrase in cryptsetup-reencrypt when encrypting a new drive.
* OpenSSL backend: fix memory leak if hash context was repeatedly reused.
* OpenSSL backend: add support for OpenSSL 1.1.0.
* Fix several minor spelling errors.
* Properly check maximal buffer size when parsing UUID from /dev/disk/.

22
docs/v1.7.4-ReleaseNotes Normal file
View File

@@ -0,0 +1,22 @@
Cryptsetup 1.7.4 Release Notes
==============================
Changes since version 1.7.3
* Allow to specify LUKS1 hash algorithm in Python luksFormat wrapper.
* Use LUKS1 compiled-in defaults also in Python wrapper.
* OpenSSL backend: Fix OpenSSL 1.1.0 support without backward compatible API.
* OpenSSL backend: Fix LibreSSL compatibility.
* Check for data device and hash device area overlap in veritysetup.
* Fix a possible race while allocating a free loop device.
* Fix possible file descriptor leaks if libcryptsetup is run from a forked process.
* Fix missing same_cpu_crypt flag in status command.
* Various updates to FAQ and man pages.

22
docs/v1.7.5-ReleaseNotes Normal file
View File

@@ -0,0 +1,22 @@
Cryptsetup 1.7.5 Release Notes
==============================
Changes since version 1.7.4
* Fixes to luksFormat to properly support recent kernel running in FIPS mode.
Cryptsetup must never use a weak key even if it is just used for testing
of algorithm availability. In FIPS mode, weak keys are always rejected.
A weak key is for example detected if the XTS encryption mode use
the same key for the tweak and the encryption part.
* Fixes accesses to unaligned hidden legacy TrueCrypt header.
On a native 4k-sector device the old hidden TrueCrypt header is not
aligned with the hw sector size (this problem was fixed in later TrueCrypt
on-disk format versions).
Cryptsetup now properly aligns the read so it does not fail.
* Fixes to optional dracut ramdisk scripts for offline re-encryption on initial boot.

4
lib/crypt_plain.c
View File

@@ -2,8 +2,8 @@
* cryptsetup plain device helper functions
*
* Copyright (C) 2004, Jana Saout <jana@saout.de>
* Copyright (C) 2010-2012 Red Hat, Inc. All rights reserved.
* Copyright (C) 2010-2012, Milan Broz
* Copyright (C) 2010-2017 Red Hat, Inc. All rights reserved.
* Copyright (C) 2010-2017, Milan Broz
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License

10
lib/crypto_backend/crypto_backend.h
View File

@@ -1,8 +1,8 @@
/*
* crypto backend implementation
*
* Copyright (C) 2010-2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2010-2014, Milan Broz
* Copyright (C) 2010-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2010-2017, Milan Broz
*
* This file is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -58,9 +58,9 @@ int crypt_backend_rng(char *buffer, size_t length, int quality, int fips);
/* PBKDF*/
int crypt_pbkdf_check(const char *kdf, const char *hash,
const char *password, size_t password_size,
const char *salt, size_t salt_size,
uint64_t *iter_secs);
const char *password, size_t password_length,
const char *salt, size_t salt_length,
size_t key_length, uint64_t *iter_secs);
int crypt_pbkdf(const char *kdf, const char *hash,
const char *password, size_t password_length,
const char *salt, size_t salt_length,

62
lib/crypto_backend/crypto_cipher_kernel.c
View File

@@ -1,8 +1,8 @@
/*
* Linux kernel userspace API crypto backend implementation (skcipher)
*
* Copyright (C) 2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2012-2014, Milan Broz
* Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2012-2017, Milan Broz
*
* This file is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -88,33 +88,8 @@ int crypt_cipher_blocksize(const char *name)
return ca ? ca->blocksize : -EINVAL;
}
/* Shared with hash kernel backend */
int crypt_kernel_socket_init(struct sockaddr_alg *sa, int *tfmfd, int *opfd);
int crypt_kernel_socket_init(struct sockaddr_alg *sa, int *tfmfd, int *opfd)
{
*tfmfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
if (*tfmfd == -1)
return -ENOTSUP;
if (bind(*tfmfd, (struct sockaddr *)sa, sizeof(*sa)) == -1) {
close(*tfmfd);
*tfmfd = -1;
return -ENOENT;
}
*opfd = accept(*tfmfd, NULL, 0);
if (*opfd == -1) {
close(*tfmfd);
*tfmfd = -1;
return -EINVAL;
}
return 0;
}
/*
*ciphers
* ciphers
*
* ENOENT - algorithm not available
* ENOTSUP - AF_ALG family not available
@@ -128,7 +103,6 @@ int crypt_cipher_init(struct crypt_cipher **ctx, const char *name,
.salg_family = AF_ALG,
.salg_type = "skcipher",
};
int r;
h = malloc(sizeof(*h));
if (!h)
@@ -137,14 +111,28 @@ int crypt_cipher_init(struct crypt_cipher **ctx, const char *name,
snprintf((char *)sa.salg_name, sizeof(sa.salg_name),
"%s(%s)", mode, name);
r = crypt_kernel_socket_init(&sa, &h->tfmfd, &h->opfd);
if (r < 0) {
free(h);
return r;
h->opfd = -1;
h->tfmfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
if (h->tfmfd < 0) {
crypt_cipher_destroy(h);
return -ENOTSUP;
}
if (length && strcmp(name, "cipher_null") &&
setsockopt(h->tfmfd, SOL_ALG, ALG_SET_KEY, buffer, length) == -1) {
if (bind(h->tfmfd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
crypt_cipher_destroy(h);
return -ENOENT;
}
if (!strcmp(name, "cipher_null"))
length = 0;
if (setsockopt(h->tfmfd, SOL_ALG, ALG_SET_KEY, buffer, length) < 0) {
crypt_cipher_destroy(h);
return -EINVAL;
}
h->opfd = accept(h->tfmfd, NULL, 0);
if (h->opfd < 0) {
crypt_cipher_destroy(h);
return -EINVAL;
}
@@ -239,9 +227,9 @@ int crypt_cipher_decrypt(struct crypt_cipher *ctx,
int crypt_cipher_destroy(struct crypt_cipher *ctx)
{
if (ctx->tfmfd != -1)
if (ctx->tfmfd >= 0)
close(ctx->tfmfd);
if (ctx->opfd != -1)
if (ctx->opfd >= 0)
close(ctx->opfd);
memset(ctx, 0, sizeof(*ctx));
free(ctx);

4
lib/crypto_backend/crypto_gcrypt.c
View File

@@ -1,8 +1,8 @@
/*
* GCRYPT crypto backend implementation
*
* Copyright (C) 2010-2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2010-2014, Milan Broz
* Copyright (C) 2010-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2010-2017, Milan Broz
*
* This file is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public

55
lib/crypto_backend/crypto_kernel.c
View File

@@ -1,8 +1,8 @@
/*
* Linux kernel userspace API crypto backend implementation
*
* Copyright (C) 2010-2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2010-2014, Milan Broz
* Copyright (C) 2010-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2010-2017, Milan Broz
*
* This file is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -68,8 +68,34 @@ struct crypt_hmac {
int hash_len;
};
/* Defined in crypt_kernel_ciphers.c */
extern int crypt_kernel_socket_init(struct sockaddr_alg *sa, int *tfmfd, int *opfd);
static int crypt_kernel_socket_init(struct sockaddr_alg *sa, int *tfmfd, int *opfd,
const void *key, size_t key_length)
{
*tfmfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
if (*tfmfd < 0)
return -ENOTSUP;
if (bind(*tfmfd, (struct sockaddr *)sa, sizeof(*sa)) < 0) {
close(*tfmfd);
*tfmfd = -1;
return -ENOENT;
}
if (key && setsockopt(*tfmfd, SOL_ALG, ALG_SET_KEY, key, key_length) < 0) {
close(*tfmfd);
*tfmfd = -1;
return -EINVAL;
}
*opfd = accept(*tfmfd, NULL, 0);
if (*opfd < 0) {
close(*tfmfd);
*tfmfd = -1;
return -EINVAL;
}
return 0;
}
int crypt_backend_init(struct crypt_device *ctx)
{
@@ -77,7 +103,7 @@ int crypt_backend_init(struct crypt_device *ctx)
struct sockaddr_alg sa = {
.salg_family = AF_ALG,
.salg_type = "hash",
.salg_name = "sha1",
.salg_name = "sha256",
};
int tfmfd = -1, opfd = -1;
@@ -87,7 +113,7 @@ int crypt_backend_init(struct crypt_device *ctx)
if (uname(&uts) == -1 || strcmp(uts.sysname, "Linux"))
return -EINVAL;
if (crypt_kernel_socket_init(&sa, &tfmfd, &opfd) < 0)
if (crypt_kernel_socket_init(&sa, &tfmfd, &opfd, NULL, 0) < 0)
return -EINVAL;
close(tfmfd);
@@ -152,7 +178,7 @@ int crypt_hash_init(struct crypt_hash **ctx, const char *name)
strncpy((char *)sa.salg_name, ha->kernel_name, sizeof(sa.salg_name));
if (crypt_kernel_socket_init(&sa, &h->tfmfd, &h->opfd) < 0) {
if (crypt_kernel_socket_init(&sa, &h->tfmfd, &h->opfd, NULL, 0) < 0) {
free(h);
return -EINVAL;
}
@@ -188,9 +214,9 @@ int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length)
int crypt_hash_destroy(struct crypt_hash *ctx)
{
if (ctx->tfmfd != -1)
if (ctx->tfmfd >= 0)
close(ctx->tfmfd);
if (ctx->opfd != -1)
if (ctx->opfd >= 0)
close(ctx->opfd);
memset(ctx, 0, sizeof(*ctx));
free(ctx);
@@ -227,16 +253,11 @@ int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
snprintf((char *)sa.salg_name, sizeof(sa.salg_name),
"hmac(%s)", ha->kernel_name);
if (crypt_kernel_socket_init(&sa, &h->tfmfd, &h->opfd) < 0) {
if (crypt_kernel_socket_init(&sa, &h->tfmfd, &h->opfd, buffer, length) < 0) {
free(h);
return -EINVAL;
}
if (setsockopt(h->tfmfd, SOL_ALG, ALG_SET_KEY, buffer, length) == -1) {
crypt_hmac_destroy(h);
return -EINVAL;
}
*ctx = h;
return 0;
}
@@ -268,9 +289,9 @@ int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length)
int crypt_hmac_destroy(struct crypt_hmac *ctx)
{
if (ctx->tfmfd != -1)
if (ctx->tfmfd >= 0)
close(ctx->tfmfd);
if (ctx->opfd != -1)
if (ctx->opfd >= 0)
close(ctx->opfd);
memset(ctx, 0, sizeof(*ctx));
free(ctx);

10
lib/crypto_backend/crypto_nettle.c
View File

@@ -1,8 +1,8 @@
/*
* Nettle crypto backend implementation
*
* Copyright (C) 2011-2012 Red Hat, Inc. All rights reserved.
* Copyright (C) 2011-2014, Milan Broz
* Copyright (C) 2011-2017 Red Hat, Inc. All rights reserved.
* Copyright (C) 2011-2017, Milan Broz
*
* This file is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -30,9 +30,9 @@
static char *version = "Nettle";
typedef void (*init_func) (void *);
typedef void (*update_func) (void *, unsigned, const uint8_t *);
typedef void (*digest_func) (void *, unsigned, uint8_t *);
typedef void (*set_key_func) (void *, unsigned, const uint8_t *);
typedef void (*update_func) (void *, size_t, const uint8_t *);
typedef void (*digest_func) (void *, size_t, uint8_t *);
typedef void (*set_key_func) (void *, size_t, const uint8_t *);
struct hash_alg {
const char *name;

4
lib/crypto_backend/crypto_nss.c
View File

@@ -1,8 +1,8 @@
/*
* NSS crypto backend implementation
*
* Copyright (C) 2010-2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2010-2014, Milan Broz
* Copyright (C) 2010-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2010-2017, Milan Broz
*
* This file is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public

106
lib/crypto_backend/crypto_openssl.c
View File

@@ -1,8 +1,8 @@
/*
* OPENSSL crypto backend implementation
*
* Copyright (C) 2010-2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2010-2014, Milan Broz
* Copyright (C) 2010-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2010-2017, Milan Broz
*
* This file is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -38,23 +38,79 @@
static int crypto_backend_initialised = 0;
struct crypt_hash {
EVP_MD_CTX md;
EVP_MD_CTX *md;
const EVP_MD *hash_id;
int hash_len;
};
struct crypt_hmac {
HMAC_CTX md;
HMAC_CTX *md;
const EVP_MD *hash_id;
int hash_len;
};
/*
* Compatible wrappers for OpenSSL < 1.1.0
*/
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
static void openssl_backend_init(void)
{
OpenSSL_add_all_algorithms();
}
static const char *openssl_backend_version(void)
{
return SSLeay_version(SSLEAY_VERSION);
}
static EVP_MD_CTX *EVP_MD_CTX_new(void)
{
EVP_MD_CTX *md = malloc(sizeof(*md));
if (md)
EVP_MD_CTX_init(md);
return md;
}
static void EVP_MD_CTX_free(EVP_MD_CTX *md)
{
EVP_MD_CTX_cleanup(md);
free(md);
}
static HMAC_CTX *HMAC_CTX_new(void)
{
HMAC_CTX *md = malloc(sizeof(*md));
if (md)
HMAC_CTX_init(md);
return md;
}
static void HMAC_CTX_free(HMAC_CTX *md)
{
HMAC_CTX_cleanup(md);
free(md);
}
#else
static void openssl_backend_init(void)
{
}
static const char *openssl_backend_version(void)
{
return OpenSSL_version(OPENSSL_VERSION);
}
#endif
int crypt_backend_init(struct crypt_device *ctx)
{
if (crypto_backend_initialised)
return 0;
OpenSSL_add_all_algorithms();
openssl_backend_init();
crypto_backend_initialised = 1;
return 0;
@@ -67,7 +123,7 @@ uint32_t crypt_backend_flags(void)
const char *crypt_backend_version(void)
{
return SSLeay_version(SSLEAY_VERSION);
return openssl_backend_version();
}
/* HASH */
@@ -89,13 +145,21 @@ int crypt_hash_init(struct crypt_hash **ctx, const char *name)
if (!h)
return -ENOMEM;
h->md = EVP_MD_CTX_new();
if (!h->md) {
free(h);
return -ENOMEM;
}
h->hash_id = EVP_get_digestbyname(name);
if (!h->hash_id) {
EVP_MD_CTX_free(h->md);
free(h);
return -EINVAL;
}
if (EVP_DigestInit(&h->md, h->hash_id) != 1) {
if (EVP_DigestInit_ex(h->md, h->hash_id, NULL) != 1) {
EVP_MD_CTX_free(h->md);
free(h);
return -EINVAL;
}
@@ -107,7 +171,7 @@ int crypt_hash_init(struct crypt_hash **ctx, const char *name)
static int crypt_hash_restart(struct crypt_hash *ctx)
{
if (EVP_DigestInit(&ctx->md, ctx->hash_id) != 1)
if (EVP_DigestInit_ex(ctx->md, ctx->hash_id, NULL) != 1)
return -EINVAL;
return 0;
@@ -115,7 +179,7 @@ static int crypt_hash_restart(struct crypt_hash *ctx)
int crypt_hash_write(struct crypt_hash *ctx, const char *buffer, size_t length)
{
if (EVP_DigestUpdate(&ctx->md, buffer, length) != 1)
if (EVP_DigestUpdate(ctx->md, buffer, length) != 1)
return -EINVAL;
return 0;
@@ -129,7 +193,7 @@ int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length)
if (length > (size_t)ctx->hash_len)
return -EINVAL;
if (EVP_DigestFinal_ex(&ctx->md, tmp, &tmp_len) != 1)
if (EVP_DigestFinal_ex(ctx->md, tmp, &tmp_len) != 1)
return -EINVAL;
memcpy(buffer, tmp, length);
@@ -146,7 +210,7 @@ int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length)
int crypt_hash_destroy(struct crypt_hash *ctx)
{
EVP_MD_CTX_cleanup(&ctx->md);
EVP_MD_CTX_free(ctx->md);
memset(ctx, 0, sizeof(*ctx));
free(ctx);
return 0;
@@ -167,14 +231,20 @@ int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
if (!h)
return -ENOMEM;
h->md = HMAC_CTX_new();
if (!h->md) {
free(h);
return -ENOMEM;
}
h->hash_id = EVP_get_digestbyname(name);
if (!h->hash_id) {
HMAC_CTX_free(h->md);
free(h);
return -EINVAL;
}
HMAC_CTX_init(&h->md);
HMAC_Init_ex(&h->md, buffer, length, h->hash_id, NULL);
HMAC_Init_ex(h->md, buffer, length, h->hash_id, NULL);
h->hash_len = EVP_MD_size(h->hash_id);
*ctx = h;
@@ -183,12 +253,12 @@ int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
static void crypt_hmac_restart(struct crypt_hmac *ctx)
{
HMAC_Init_ex(&ctx->md, NULL, 0, ctx->hash_id, NULL);
HMAC_Init_ex(ctx->md, NULL, 0, ctx->hash_id, NULL);
}
int crypt_hmac_write(struct crypt_hmac *ctx, const char *buffer, size_t length)
{
HMAC_Update(&ctx->md, (const unsigned char *)buffer, length);
HMAC_Update(ctx->md, (const unsigned char *)buffer, length);
return 0;
}
@@ -200,7 +270,7 @@ int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length)
if (length > (size_t)ctx->hash_len)
return -EINVAL;
HMAC_Final(&ctx->md, tmp, &tmp_len);
HMAC_Final(ctx->md, tmp, &tmp_len);
memcpy(buffer, tmp, length);
crypt_backend_memzero(tmp, sizeof(tmp));
@@ -215,7 +285,7 @@ int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length)
int crypt_hmac_destroy(struct crypt_hmac *ctx)
{
HMAC_CTX_cleanup(&ctx->md);
HMAC_CTX_free(ctx->md);
memset(ctx, 0, sizeof(*ctx));
free(ctx);
return 0;
@@ -250,7 +320,7 @@ int crypt_pbkdf(const char *kdf, const char *hash,
return -EINVAL;
if (!PKCS5_PBKDF2_HMAC(password, (int)password_length,
(unsigned char *)salt, (int)salt_length,
(const unsigned char *)salt, (int)salt_length,
(int)iterations, hash_id, (int)key_length, (unsigned char *)key))
return -EINVAL;

2
lib/crypto_backend/crypto_storage.c
View File

@@ -2,7 +2,7 @@
* Generic wrapper for storage encryption modes and Initial Vectors
* (reimplementation of some functions from Linux dm-crypt kernel)
*
* Copyright (C) 2014, Milan Broz
* Copyright (C) 2014-2017, Milan Broz
*
* This file is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public

4
lib/crypto_backend/pbkdf2_generic.c
View File

@@ -4,8 +4,8 @@
* Copyright (C) 2004 Free Software Foundation
*
* cryptsetup related changes
* Copyright (C) 2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2012-2014, Milan Broz
* Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2012-2017, Milan Broz
*
* This file is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public

50
lib/crypto_backend/pbkdf_check.c
View File

@@ -1,7 +1,7 @@
/*
* PBKDF performance check
* Copyright (C) 2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2012-2014, Milan Broz
* Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2012-2017, Milan Broz
*
* This file is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -18,6 +18,7 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#include <stdlib.h>
#include <errno.h>
#include <sys/time.h>
#include <sys/resource.h>
@@ -52,31 +53,39 @@ static long time_ms(struct rusage *start, struct rusage *end)
/* This code benchmarks PBKDF and returns iterations/second using specified hash */
int crypt_pbkdf_check(const char *kdf, const char *hash,
const char *password, size_t password_size,
const char *salt, size_t salt_size,
uint64_t *iter_secs)
const char *password, size_t password_length,
const char *salt, size_t salt_length,
size_t key_length, uint64_t *iter_secs)
{
struct rusage rstart, rend;
int r = 0, step = 0;
long ms = 0;
char buf;
char *key = NULL;
unsigned int iterations;
if (!kdf || !hash)
if (!kdf || !hash || key_length <= 0)
return -EINVAL;
key = malloc(key_length);
if (!key)
return -ENOMEM;
iterations = 1 << 15;
while (ms < 500) {
if (getrusage(RUSAGE_SELF, &rstart) < 0)
return -EINVAL;
while (1) {
if (getrusage(RUSAGE_SELF, &rstart) < 0) {
r = -EINVAL;
goto out;
}
r = crypt_pbkdf(kdf, hash, password, password_size, salt,
salt_size, &buf, 1, iterations);
r = crypt_pbkdf(kdf, hash, password, password_length, salt,
salt_length, key, key_length, iterations);
if (r < 0)
return r;
goto out;
if (getrusage(RUSAGE_SELF, &rend) < 0)
return -EINVAL;
if (getrusage(RUSAGE_SELF, &rend) < 0) {
r = -EINVAL;
goto out;
}
ms = time_ms(&rstart, &rend);
if (ms > 500)
@@ -91,11 +100,18 @@ int crypt_pbkdf_check(const char *kdf, const char *hash,
else
iterations <<= 1;
if (++step > 10 || !iterations)
return -EINVAL;
if (++step > 10 || !iterations) {
r = -EINVAL;
goto out;
}
}
if (iter_secs)
*iter_secs = (iterations * 1000) / ms;
out:
if (key) {
crypt_backend_memzero(key, key_length);
free(key);
}
return r;
}

18
lib/internal.h
View File

@@ -3,8 +3,8 @@
*
* Copyright (C) 2004, Jana Saout <jana@saout.de>
* Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
* Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2012, Milan Broz
* Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2017, Milan Broz
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -57,8 +57,8 @@ struct volume_key {
char key[];
};
struct volume_key *crypt_alloc_volume_key(unsigned keylength, const char *key);
struct volume_key *crypt_generate_volume_key(struct crypt_device *cd, unsigned keylength);
struct volume_key *crypt_alloc_volume_key(size_t keylength, const char *key);
struct volume_key *crypt_generate_volume_key(struct crypt_device *cd, size_t keylength);
void crypt_free_volume_key(struct volume_key *vk);
/* Device backend */
@@ -75,6 +75,9 @@ int device_block_size(struct device *device);
int device_read_ahead(struct device *device, uint32_t *read_ahead);
int device_size(struct device *device, uint64_t *size);
int device_open(struct device *device, int flags);
void device_disable_direct_io(struct device *device);
int device_is_identical(struct device *device1, struct device *device2);
enum devcheck { DEV_OK = 0, DEV_EXCL = 1, DEV_SHARED = 2 };
int device_block_adjust(struct crypt_device *cd,
@@ -98,9 +101,12 @@ char *crypt_get_partition_device(const char *dev_path, uint64_t offset, uint64_t
char *crypt_get_base_device(const char *dev_path);
uint64_t crypt_dev_partition_offset(const char *dev_path);
ssize_t write_buffer(int fd, const void *buf, size_t count);
ssize_t read_buffer(int fd, void *buf, size_t count);
ssize_t write_blockwise(int fd, int bsize, void *buf, size_t count);
ssize_t read_blockwise(int fd, int bsize, void *_buf, size_t count);
ssize_t write_lseek_blockwise(int fd, int bsize, char *buf, size_t count, off_t offset);
ssize_t read_blockwise(int fd, int bsize, void *buf, size_t count);
ssize_t write_lseek_blockwise(int fd, int bsize, void *buf, size_t count, off_t offset);
ssize_t read_lseek_blockwise(int fd, int bsize, void *buf, size_t count, off_t offset);
unsigned crypt_getpagesize(void);
int init_crypto(struct crypt_device *ctx);

10
lib/libcryptsetup.h
View File

@@ -3,8 +3,8 @@
*
* Copyright (C) 2004, Jana Saout <jana@saout.de>
* Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
* Copyright (C) 2009-2015, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2015, Milan Broz
* Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2017, Milan Broz
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -752,6 +752,12 @@ int crypt_keyslot_destroy(struct crypt_device *cd, int keyslot);
#define CRYPT_ACTIVATE_SAME_CPU_CRYPT (1 << 6)
/** use submit_from_crypt_cpus for dm-crypt */
#define CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS (1 << 7)
/** dm-verity: ignore_corruption flag - ignore corruption, log it only */
#define CRYPT_ACTIVATE_IGNORE_CORRUPTION (1 << 8)
/** dm-verity: restart_on_corruption flag - restart kernel on corruption */
#define CRYPT_ACTIVATE_RESTART_ON_CORRUPTION (1 << 9)
/** dm-verity: ignore_zero_blocks - do not verify zero blocks */
#define CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS (1 << 10)
/**

103
lib/libdevmapper.c
View File

@@ -3,8 +3,8 @@
*
* Copyright (C) 2004, Jana Saout <jana@saout.de>
* Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
* Copyright (C) 2009-2015, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2015, Milan Broz
* Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2017, Milan Broz
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -159,6 +159,15 @@ static void _dm_set_verity_compat(const char *dm_version, unsigned verity_maj,
{
if (verity_maj > 0)
_dm_crypt_flags |= DM_VERITY_SUPPORTED;
else
return;
/*
* ignore_corruption, restart_on corruption is available since 1.2 (kernel 4.1)
* ignore_zero_blocks since 1.3 (kernel 4.5)
* (but some dm-verity targets 1.2 don't support it)
*/
if (_dm_satisfies_version(1, 3, verity_maj, verity_min))
_dm_crypt_flags |= DM_VERITY_ON_CORRUPTION_SUPPORTED;
log_dbg("Detected dm-verity version %i.%i.%i.",
verity_maj, verity_min, verity_patch);
@@ -357,14 +366,35 @@ out:
/* https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity */
static char *get_dm_verity_params(struct crypt_params_verity *vp,
struct crypt_dm_active_device *dmd)
struct crypt_dm_active_device *dmd, uint32_t flags)
{
int max_size, r;
int max_size, r, num_options = 0;
char *params = NULL, *hexroot = NULL, *hexsalt = NULL;
char features[256];
if (!vp || !dmd)
return NULL;
/* These flags are not compatible */
if ((flags & CRYPT_ACTIVATE_IGNORE_CORRUPTION) &&
(flags & CRYPT_ACTIVATE_RESTART_ON_CORRUPTION))
flags &= ~CRYPT_ACTIVATE_IGNORE_CORRUPTION;
if (flags & CRYPT_ACTIVATE_IGNORE_CORRUPTION)
num_options++;
if (flags & CRYPT_ACTIVATE_RESTART_ON_CORRUPTION)
num_options++;
if (flags & CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS)
num_options++;
if (num_options)
snprintf(features, sizeof(features)-1, " %d%s%s%s", num_options,
(flags & CRYPT_ACTIVATE_IGNORE_CORRUPTION) ? " ignore_corruption" : "",
(flags & CRYPT_ACTIVATE_RESTART_ON_CORRUPTION) ? " restart_on_corruption" : "",
(flags & CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS) ? " ignore_zero_blocks" : "");
else
*features = '\0';
hexroot = crypt_safe_alloc(dmd->u.verity.root_hash_size * 2 + 1);
if (!hexroot)
goto out;
@@ -381,19 +411,19 @@ static char *get_dm_verity_params(struct crypt_params_verity *vp,
max_size = strlen(hexroot) + strlen(hexsalt) +
strlen(device_block_path(dmd->data_device)) +
strlen(device_block_path(dmd->u.verity.hash_device)) +
strlen(vp->hash_name) + 128;
strlen(vp->hash_name) + strlen(features) + 128;
params = crypt_safe_alloc(max_size);
if (!params)
goto out;
r = snprintf(params, max_size,
"%u %s %s %u %u %" PRIu64 " %" PRIu64 " %s %s %s",
"%u %s %s %u %u %" PRIu64 " %" PRIu64 " %s %s %s %s",
vp->hash_type, device_block_path(dmd->data_device),
device_block_path(dmd->u.verity.hash_device),
vp->data_block_size, vp->hash_block_size,
vp->data_size, dmd->u.verity.hash_offset,
vp->hash_name, hexroot, hexsalt);
vp->hash_name, hexroot, hexsalt, features);
if (r < 0 || r >= max_size) {
crypt_safe_free(params);
params = NULL;
@@ -434,7 +464,7 @@ static int _dm_simple(int task, const char *name, int udev_wait)
if (udev_wait)
(void)_dm_udev_wait(cookie);
out:
out:
dm_task_destroy(dmt);
return r;
}
@@ -591,9 +621,6 @@ static int _dm_create_device(const char *name, const char *type,
if (!dm_task_set_uuid(dmt, dev_uuid))
goto out_no_removal;
if (_dm_use_udev() && !_dm_task_set_cookie(dmt, &cookie, udev_flags))
goto out_no_removal;
}
if ((dm_flags() & DM_SECURE_SUPPORTED) && !dm_task_secure_data(dmt))
@@ -610,6 +637,9 @@ static int _dm_create_device(const char *name, const char *type,
!dm_task_set_read_ahead(dmt, read_ahead, DM_READ_AHEAD_MINIMUM_FLAG))
goto out_no_removal;
#endif
/* do not set cookie for DM_DEVICE_RELOAD task */
if (!reload && _dm_use_udev() && !_dm_task_set_cookie(dmt, &cookie, udev_flags))
goto out_no_removal;
if (!dm_task_run(dmt))
goto out_no_removal;
@@ -676,7 +706,7 @@ int dm_create_device(struct crypt_device *cd, const char *name,
if (dmd->target == DM_CRYPT)
table_params = get_dm_crypt_params(dmd, dmd_flags);
else if (dmd->target == DM_VERITY)
table_params = get_dm_verity_params(dmd->u.verity.vp, dmd);
table_params = get_dm_verity_params(dmd->u.verity.vp, dmd, dmd_flags);
r = _dm_create_device(name, type, dmd->data_device, dmd_flags,
dmd->uuid, dmd->size, table_params, reload);
@@ -696,7 +726,13 @@ int dm_create_device(struct crypt_device *cd, const char *name,
if (r == -EINVAL &&
dmd_flags & (CRYPT_ACTIVATE_SAME_CPU_CRYPT|CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS) &&
!(dm_flags() & (DM_SAME_CPU_CRYPT_SUPPORTED|DM_SUBMIT_FROM_CRYPT_CPUS_SUPPORTED)))
log_err(cd, _("Requested dmcrypt performance options are not supported.\n"));
log_err(cd, _("Requested dm-crypt performance options are not supported.\n"));
if (r == -EINVAL && dmd_flags & (CRYPT_ACTIVATE_IGNORE_CORRUPTION|
CRYPT_ACTIVATE_RESTART_ON_CORRUPTION|
CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS) &&
!(dm_flags() & DM_VERITY_ON_CORRUPTION_SUPPORTED))
log_err(cd, _("Requested dm-verity data corruption handling options are not supported.\n"));
crypt_safe_free(table_params);
dm_exit_context();
@@ -893,7 +929,7 @@ static int _dm_query_crypt(uint32_t get_flags,
return -EINVAL;
}
/* All parameters shold be processed */
/* All parameters should be processed */
if (params)
return -EINVAL;
}
@@ -936,7 +972,8 @@ static int _dm_query_verity(uint32_t get_flags,
uint32_t val32;
uint64_t val64;
ssize_t len;
char *str, *str2;
char *str, *str2, *arg;
unsigned int i;
int r;
if (get_flags & DM_ACTIVE_VERITY_PARAMS)
@@ -1032,8 +1069,6 @@ static int _dm_query_verity(uint32_t get_flags,
/* salt */
str = strsep(&params, " ");
if (params)
return -EINVAL;
if (vp) {
if (!strcmp(str, "-")) {
vp->salt_size = 0;
@@ -1047,6 +1082,33 @@ static int _dm_query_verity(uint32_t get_flags,
}
}
/* Features section, available since verity target version 1.3 */
if (params) {
/* Number of arguments */
val64 = strtoull(params, &params, 10);
if (*params != ' ')
return -EINVAL;
params++;
for (i = 0; i < val64; i++) {
if (!params)
return -EINVAL;
arg = strsep(&params, " ");
if (!strcasecmp(arg, "ignore_corruption"))
dmd->flags |= CRYPT_ACTIVATE_IGNORE_CORRUPTION;
else if (!strcasecmp(arg, "restart_on_corruption"))
dmd->flags |= CRYPT_ACTIVATE_RESTART_ON_CORRUPTION;
else if (!strcasecmp(arg, "ignore_zero_blocks"))
dmd->flags |= CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS;
else /* unknown option */
return -EINVAL;
}
/* All parameters should be processed */
if (params)
return -EINVAL;
}
return 0;
}
@@ -1119,6 +1181,13 @@ int dm_query_device(struct crypt_device *cd, const char *name,
dmd->uuid = strdup(tmp_uuid + DM_UUID_PREFIX_LEN);
}
dmd->holders = 0;
#if (HAVE_DECL_DM_DEVICE_HAS_HOLDERS && HAVE_DECL_DM_DEVICE_HAS_MOUNTED_FS)
if (get_flags & DM_ACTIVE_HOLDERS)
dmd->holders = (dm_device_has_mounted_fs(dmi.major, dmi.minor) ||
dm_device_has_holders(dmi.major, dmi.minor));
#endif
r = (dmi.open_count > 0);
out:
if (dmt)

4
lib/loopaes/loopaes.c
View File

@@ -1,8 +1,8 @@
/*
* loop-AES compatible volume handling
*
* Copyright (C) 2011-2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2011-2013, Milan Broz
* Copyright (C) 2011-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2011-2017, Milan Broz
*
* This file is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public

4
lib/loopaes/loopaes.h
View File

@@ -1,8 +1,8 @@
/*
* loop-AES compatible volume handling
*
* Copyright (C) 2011-2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2011-2013, Milan Broz
* Copyright (C) 2011-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2011-2017, Milan Broz
*
* This file is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public

2
lib/luks1/af.c
View File

@@ -2,7 +2,7 @@
* AFsplitter - Anti forensic information splitter
*
* Copyright (C) 2004, Clemens Fruhwirth <clemens@endorphin.org>
* Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
*
* AFsplitter diffuses information over a large stripe of data,
* therefor supporting secure data destruction.

2
lib/luks1/af.h
View File

@@ -2,7 +2,7 @@
* AFsplitter - Anti forensic information splitter
*
* Copyright (C) 2004, Clemens Fruhwirth <clemens@endorphin.org>
* Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
*
* AFsplitter diffuses information over a large stripe of data,
* therefor supporting secure data destruction.

4
lib/luks1/keyencryption.c
View File

@@ -2,8 +2,8 @@
* LUKS - Linux Unified Key Setup
*
* Copyright (C) 2004-2006, Clemens Fruhwirth <clemens@endorphin.org>
* Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2012-2014, Milan Broz
* Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2012-2017, Milan Broz
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License

41
lib/luks1/keymanage.c
View File

@@ -2,8 +2,8 @@
* LUKS - Linux Unified Key Setup
*
* Copyright (C) 2004-2006, Clemens Fruhwirth <clemens@endorphin.org>
* Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2013-2014, Milan Broz
* Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2013-2017, Milan Broz
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -62,7 +62,7 @@ int LUKS_keyslot_area(struct luks_phdr *hdr,
if(keyslot >= LUKS_NUMKEYS || keyslot < 0)
return -EINVAL;
*offset = hdr->keyblock[keyslot].keyMaterialOffset * SECTOR_SIZE;
*offset = (uint64_t)hdr->keyblock[keyslot].keyMaterialOffset * SECTOR_SIZE;
*length = AF_split_sectors(hdr->keyBytes, LUKS_STRIPES) * SECTOR_SIZE;
return 0;
@@ -201,12 +201,11 @@ int LUKS_hdr_backup(const char *backup_file, struct crypt_device *ctx)
r = -EINVAL;
goto out;
}
if (write(devfd, buffer, buffer_size) < buffer_size) {
if (write_buffer(devfd, buffer, buffer_size) < buffer_size) {
log_err(ctx, _("Cannot write header backup file %s.\n"), backup_file);
r = -EIO;
goto out;
}
close(devfd);
r = 0;
out:
@@ -254,12 +253,13 @@ int LUKS_hdr_restore(
goto out;
}
if (read(devfd, buffer, buffer_size) < buffer_size) {
if (read_buffer(devfd, buffer, buffer_size) < buffer_size) {
log_err(ctx, _("Cannot read header backup file %s.\n"), backup_file);
r = -EIO;
goto out;
}
close(devfd);
devfd = -1;
r = LUKS_read_phdr(hdr, 0, 0, ctx);
if (r == 0) {
@@ -306,6 +306,7 @@ int LUKS_hdr_restore(
goto out;
}
close(devfd);
devfd = -1;
/* Be sure to reload new data */
r = LUKS_read_phdr(hdr, 1, 0, ctx);
@@ -497,7 +498,7 @@ int LUKS_read_phdr_backup(const char *backup_file,
return -ENOENT;
}
if (read(devfd, hdr, hdr_size) < hdr_size)
if (read_buffer(devfd, hdr, hdr_size) < hdr_size)
r = -EIO;
else {
LUKS_fix_header_compatible(hdr);
@@ -545,6 +546,16 @@ int LUKS_read_phdr(struct luks_phdr *hdr,
if (!r)
r = LUKS_check_device_size(ctx, hdr->keyBytes);
/*
* Cryptsetup 1.0.0 did not align keyslots to 4k (very rare version).
* Disable direct-io to avoid possible IO errors if underlying device
* has bigger sector size.
*/
if (!r && hdr->keyblock[0].keyMaterialOffset * SECTOR_SIZE < LUKS_ALIGN_KEYSLOTS) {
log_dbg("Old unaligned LUKS keyslot detected, disabling direct-io.");
device_disable_direct_io(device);
}
close(devfd);
return r;
}
@@ -620,9 +631,11 @@ static int LUKS_check_cipher(struct luks_phdr *hdr, struct crypt_device *ctx)
if (!empty_key)
return -ENOMEM;
r = LUKS_decrypt_from_storage(buf, sizeof(buf),
hdr->cipherName, hdr->cipherMode,
empty_key, 0, ctx);
/* No need to get KEY quality random but it must avoid known weak keys. */
r = crypt_random_get(ctx, empty_key->key, empty_key->keylength, CRYPT_RND_NORMAL);
if (!r)
r = LUKS_decrypt_from_storage(buf, sizeof(buf), hdr->cipherName,
hdr->cipherMode, empty_key, 0, ctx);
crypt_free_volume_key(empty_key);
crypt_memzero(buf, sizeof(buf));
@@ -674,9 +687,9 @@ int LUKS_generate_phdr(struct luks_phdr *header,
/* Set Magic */
memcpy(header->magic,luksMagic,LUKS_MAGIC_L);
header->version=1;
strncpy(header->cipherName,cipherName,LUKS_CIPHERNAME_L);
strncpy(header->cipherMode,cipherMode,LUKS_CIPHERMODE_L);
strncpy(header->hashSpec,hashSpec,LUKS_HASHSPEC_L);
strncpy(header->cipherName,cipherName,LUKS_CIPHERNAME_L-1);
strncpy(header->cipherMode,cipherMode,LUKS_CIPHERMODE_L-1);
strncpy(header->hashSpec,hashSpec,LUKS_HASHSPEC_L-1);
header->keyBytes=vk->keylength;
@@ -804,7 +817,7 @@ int LUKS_set_key(unsigned int keyIndex,
* Avoid floating point operation
* Final iteration count is at least LUKS_SLOT_ITERATIONS_MIN
*/
PBKDF2_temp = (*PBKDF2_per_sec / 2) * (uint64_t)iteration_time_ms;
PBKDF2_temp = *PBKDF2_per_sec * (uint64_t)iteration_time_ms;
PBKDF2_temp /= 1024;
if (PBKDF2_temp > UINT32_MAX)
PBKDF2_temp = UINT32_MAX;

2
lib/luks1/luks.h
View File

@@ -2,7 +2,7 @@
* LUKS - Linux Unified Key Setup
*
* Copyright (C) 2004-2006, Clemens Fruhwirth <clemens@endorphin.org>
* Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License

12
lib/random.c
View File

@@ -1,7 +1,7 @@
/*
* cryptsetup kernel RNG access functions
*
* Copyright (C) 2010-2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2010-2017, Red Hat, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -28,6 +28,10 @@
#include "libcryptsetup.h"
#include "internal.h"
#ifndef O_CLOEXEC
#define O_CLOEXEC 0
#endif
static int random_initialised = 0;
#define URANDOM_DEVICE "/dev/urandom"
@@ -152,13 +156,13 @@ int crypt_random_init(struct crypt_device *ctx)
/* Used for CRYPT_RND_NORMAL */
if(urandom_fd == -1)
urandom_fd = open(URANDOM_DEVICE, O_RDONLY);
urandom_fd = open(URANDOM_DEVICE, O_RDONLY | O_CLOEXEC);
if(urandom_fd == -1)
goto fail;
/* Used for CRYPT_RND_KEY */
if(random_fd == -1)
random_fd = open(RANDOM_DEVICE, O_RDONLY | O_NONBLOCK);
random_fd = open(RANDOM_DEVICE, O_RDONLY | O_NONBLOCK | O_CLOEXEC);
if(random_fd == -1)
goto fail;
@@ -234,9 +238,11 @@ void crypt_random_exit(void)
int crypt_random_default_key_rng(void)
{
/* coverity[pointless_string_compare] */
if (!strcmp(DEFAULT_RNG, RANDOM_DEVICE))
return CRYPT_RNG_RANDOM;
/* coverity[pointless_string_compare] */
if (!strcmp(DEFAULT_RNG, URANDOM_DEVICE))
return CRYPT_RNG_URANDOM;

28
lib/setup.c
View File

@@ -3,8 +3,8 @@
*
* Copyright (C) 2004, Jana Saout <jana@saout.de>
* Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
* Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2014, Milan Broz
* Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2017, Milan Broz
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -626,7 +626,7 @@ int crypt_init(struct crypt_device **cd, const char *device)
dm_backend_init();
h->iteration_time = 1000;
h->iteration_time = DEFAULT_LUKS1_ITER_TIME;
h->password_verify = 0;
h->tries = 3;
h->rng_type = crypt_random_default_key_rng();
@@ -969,7 +969,7 @@ out:
if (r < 0) {
crypt_free(*cd);
*cd = NULL;
} else if (!(*cd)->type && name) {
} else if (!(*cd)->type) {
/* For anonymous device (no header found) remember initialized name */
(*cd)->u.none.active_name = strdup(name);
}
@@ -1074,7 +1074,7 @@ static int _crypt_format_luks1(struct crypt_device *cd,
&alignment_offset, DEFAULT_DISK_ALIGNMENT);
r = LUKS_generate_phdr(&cd->u.luks1.hdr, cd->volume_key, cipher, cipher_mode,
(params && params->hash) ? params->hash : "sha1",
(params && params->hash) ? params->hash : DEFAULT_LUKS1_HASH,
uuid, LUKS_STRIPES,
required_alignment / SECTOR_SIZE,
alignment_offset / SECTOR_SIZE,
@@ -1188,6 +1188,12 @@ static int _crypt_format_verity(struct crypt_device *cd,
} else
cd->u.verity.hdr.data_size = params->data_size;
if (device_is_identical(crypt_metadata_device(cd), crypt_data_device(cd)) &&
(cd->u.verity.hdr.data_size * params->data_block_size) > params->hash_area_offset) {
log_err(cd, _("Data area overlaps with hash area.\n"));
return -EINVAL;
}
hash_size = crypt_hash_size(params->hash_name);
if (hash_size <= 0) {
log_err(cd, _("Hash algorithm %s not supported.\n"),
@@ -2215,7 +2221,7 @@ int crypt_activate_by_volume_key(struct crypt_device *cd,
}
r = VERITY_activate(cd, name, volume_key, volume_key_size,
&cd->u.verity.hdr, CRYPT_ACTIVATE_READONLY);
&cd->u.verity.hdr, flags|CRYPT_ACTIVATE_READONLY);
if (r == -EPERM) {
free(cd->u.verity.root_hash);
@@ -2243,6 +2249,7 @@ int crypt_activate_by_volume_key(struct crypt_device *cd,
int crypt_deactivate(struct crypt_device *cd, const char *name)
{
struct crypt_device *fake_cd = NULL;
struct crypt_dm_active_device dmd = {};
int r;
if (!name)
@@ -2260,6 +2267,13 @@ int crypt_deactivate(struct crypt_device *cd, const char *name)
switch (crypt_status(cd, name)) {
case CRYPT_ACTIVE:
case CRYPT_BUSY:
r = dm_query_device(cd, name, DM_ACTIVE_HOLDERS, &dmd);
if (r >= 0 && dmd.holders) {
log_err(cd, _("Device %s is still in use.\n"), name);
r = -EBUSY;
break;
}
if (isTCRYPT(cd->type))
r = TCRYPT_deactivate(cd, name);
else
@@ -2366,7 +2380,7 @@ void crypt_set_password_retry(struct crypt_device *cd, int tries)
void crypt_set_iteration_time(struct crypt_device *cd, uint64_t iteration_time_ms)
{
log_dbg("Iteration time set to %" PRIu64 " miliseconds.", iteration_time_ms);
log_dbg("Iteration time set to %" PRIu64 " milliseconds.", iteration_time_ms);
cd->iteration_time = iteration_time_ms;
}
void crypt_set_iterarion_time(struct crypt_device *cd, uint64_t iteration_time_ms)

50
lib/tcrypt/tcrypt.c
View File

@@ -1,8 +1,8 @@
/*
* TCRYPT (TrueCrypt-compatible) and VeraCrypt volume handling
*
* Copyright (C) 2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2012-2015, Milan Broz
* Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2012-2017, Milan Broz
*
* This file is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -314,12 +314,13 @@ static int TCRYPT_decrypt_hdr_one(struct tcrypt_alg *alg, const char *mode,
{
char backend_key[TCRYPT_HDR_KEY_LEN];
char iv[TCRYPT_HDR_IV_LEN] = {};
char mode_name[MAX_CIPHER_LEN];
char mode_name[MAX_CIPHER_LEN + 1];
struct crypt_cipher *cipher;
char *c, *buf = (char*)&hdr->e;
int r;
/* Remove IV if present */
mode_name[MAX_CIPHER_LEN] = '\0';
strncpy(mode_name, mode, MAX_CIPHER_LEN);
c = strchr(mode_name, '-');
if (c)
@@ -468,8 +469,7 @@ static int TCRYPT_pool_keyfile(struct crypt_device *cd,
return -EIO;
}
/* FIXME: add while */
data_size = read(fd, data, TCRYPT_KEYFILE_LEN);
data_size = read_buffer(fd, data, TCRYPT_KEYFILE_LEN);
close(fd);
if (data_size < 0) {
log_err(cd, _("Error reading keyfile %s.\n"), keyfile);
@@ -612,10 +612,10 @@ int TCRYPT_read_phdr(struct crypt_device *cd,
return -EINVAL;
r = device_alloc(&base_device, base_device_path);
free(base_device_path);
if (r < 0)
return r;
devfd = device_open(base_device, O_RDONLY);
free(base_device_path);
device_free(base_device);
} else
devfd = device_open(device, O_RDONLY);
@@ -627,27 +627,26 @@ int TCRYPT_read_phdr(struct crypt_device *cd,
r = -EIO;
if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) {
if (lseek(devfd, TCRYPT_HDR_SYSTEM_OFFSET, SEEK_SET) >= 0 &&
read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size) {
if (read_lseek_blockwise(devfd, bs, hdr, hdr_size,
TCRYPT_HDR_SYSTEM_OFFSET) == hdr_size) {
r = TCRYPT_init_hdr(cd, hdr, params);
}
} else if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
if (params->flags & CRYPT_TCRYPT_BACKUP_HEADER) {
if (lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET_BCK, SEEK_END) >= 0 &&
read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
if (read_lseek_blockwise(devfd, bs, hdr, hdr_size,
TCRYPT_HDR_HIDDEN_OFFSET_BCK) == hdr_size)
r = TCRYPT_init_hdr(cd, hdr, params);
} else {
if (lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET, SEEK_SET) >= 0 &&
read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
if (read_lseek_blockwise(devfd, bs, hdr, hdr_size,
TCRYPT_HDR_HIDDEN_OFFSET) == hdr_size)
r = TCRYPT_init_hdr(cd, hdr, params);
if (r &&
lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET_OLD, SEEK_END) >= 0 &&
read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
if (r && read_lseek_blockwise(devfd, bs, hdr, hdr_size,
TCRYPT_HDR_HIDDEN_OFFSET_OLD) == hdr_size)
r = TCRYPT_init_hdr(cd, hdr, params);
}
} else if (params->flags & CRYPT_TCRYPT_BACKUP_HEADER) {
if (lseek(devfd, TCRYPT_HDR_OFFSET_BCK, SEEK_END) >= 0 &&
read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
if (read_lseek_blockwise(devfd, bs, hdr, hdr_size,
TCRYPT_HDR_OFFSET_BCK) == hdr_size)
r = TCRYPT_init_hdr(cd, hdr, params);
} else if (read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
r = TCRYPT_init_hdr(cd, hdr, params);
@@ -723,6 +722,9 @@ int TCRYPT_activate(struct crypt_device *cd,
if (!algs)
return -EINVAL;
if (hdr->d.sector_size == 0)
return -EINVAL;
if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER)
dmd.size = 0;
else if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER)
@@ -757,18 +759,23 @@ int TCRYPT_activate(struct crypt_device *cd,
r = device_block_adjust(cd, dmd.data_device, device_check,
dmd.u.crypt.offset, &dmd.size, &dmd.flags);
if (r)
if (r) {
device_free(part_device);
return r;
}
/* Frome here, key size for every cipher must be the same */
dmd.u.crypt.vk = crypt_alloc_volume_key(algs->cipher[0].key_size +
algs->cipher[0].key_extra_size, NULL);
if (!dmd.u.crypt.vk)
if (!dmd.u.crypt.vk) {
device_free(part_device);
return -ENOMEM;
}
for (i = algs->chain_count; i > 0; i--) {
if (i == 1) {
strncpy(dm_name, name, sizeof(dm_name));
dm_name[sizeof(dm_name)-1] = '\0';
strncpy(dm_name, name, sizeof(dm_name)-1);
dmd.flags = flags;
} else {
snprintf(dm_name, sizeof(dm_name), "%s_%d", name, i-1);
@@ -910,7 +917,7 @@ int TCRYPT_init_by_name(struct crypt_device *cd, const char *name,
struct tcrypt_phdr *tcrypt_hdr)
{
struct tcrypt_algs *algs;
char cipher[MAX_CIPHER_LEN * 4], mode[MAX_CIPHER_LEN], *tmp;
char cipher[MAX_CIPHER_LEN * 4], mode[MAX_CIPHER_LEN+1], *tmp;
size_t key_size;
int r;
@@ -924,6 +931,7 @@ int TCRYPT_init_by_name(struct crypt_device *cd, const char *name,
if (!tmp)
return -EINVAL;
*tmp = '\0';
mode[MAX_CIPHER_LEN] = '\0';
strncpy(mode, ++tmp, MAX_CIPHER_LEN);
key_size = dmd->u.crypt.vk->keylength;

4
lib/tcrypt/tcrypt.h
View File

@@ -1,8 +1,8 @@
/*
* TCRYPT (TrueCrypt-compatible) header defitinion
*
* Copyright (C) 2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2012-2014, Milan Broz
* Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2012-2017, Milan Broz
*
* This file is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public

171
lib/utils.c
View File

@@ -3,8 +3,8 @@
*
* Copyright (C) 2004, Jana Saout <jana@saout.de>
* Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
* Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2012, Milan Broz
* Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2017, Milan Broz
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -56,22 +56,70 @@ static void *aligned_malloc(void **base, int size, int alignment)
/* Credits go to Michal's padlock patches for this alignment code */
char *ptr;
ptr = malloc(size + alignment);
if(ptr == NULL) return NULL;
ptr = malloc(size + alignment);
if (!ptr)
return NULL;
*base = ptr;
if(alignment > 1 && ((long)ptr & (alignment - 1))) {
if (alignment > 1 && ((long)ptr & (alignment - 1)))
ptr += alignment - ((long)(ptr) & (alignment - 1));
}
return ptr;
#endif
}
ssize_t read_buffer(int fd, void *buf, size_t count)
{
size_t read_size = 0;
ssize_t r;
if (fd < 0 || !buf)
return -EINVAL;
do {
r = read(fd, buf, count - read_size);
if (r == -1 && errno != EINTR)
return r;
if (r == 0)
return (ssize_t)read_size;
if (r > 0) {
read_size += (size_t)r;
buf = (uint8_t*)buf + r;
}
} while (read_size != count);
return (ssize_t)count;
}
ssize_t write_buffer(int fd, const void *buf, size_t count)
{
size_t write_size = 0;
ssize_t w;
if (fd < 0 || !buf || !count)
return -EINVAL;
do {
w = write(fd, buf, count - write_size);
if (w < 0 && errno != EINTR)
return w;
if (w == 0)
return (ssize_t)write_size;
if (w > 0) {
write_size += (size_t) w;
buf = (const uint8_t*)buf + w;
}
} while (write_size != count);
return (ssize_t)write_size;
}
ssize_t write_blockwise(int fd, int bsize, void *orig_buf, size_t count)
{
void *hangover_buf, *hangover_buf_base = NULL;
void *buf, *buf_base = NULL;
int r, hangover, solid, alignment;
int r, alignment;
size_t hangover, solid;
ssize_t ret = -1;
if (fd == -1 || !orig_buf || bsize <= 0)
@@ -89,29 +137,31 @@ ssize_t write_blockwise(int fd, int bsize, void *orig_buf, size_t count)
} else
buf = orig_buf;
r = write(fd, buf, solid);
if (r < 0 || r != solid)
goto out;
if (solid) {
r = write_buffer(fd, buf, solid);
if (r < 0 || r != (ssize_t)solid)
goto out;
}
if (hangover) {
hangover_buf = aligned_malloc(&hangover_buf_base, bsize, alignment);
if (!hangover_buf)
goto out;
r = read(fd, hangover_buf, bsize);
if (r < 0 || r < hangover)
r = read_buffer(fd, hangover_buf, bsize);
if (r < 0 || r < (ssize_t)hangover)
goto out;
if (r < bsize)
bsize = r;
r = lseek(fd, -bsize, SEEK_CUR);
if (r < 0)
if (lseek(fd, -bsize, SEEK_CUR) < 0)
goto out;
memcpy(hangover_buf, (char*)buf + solid, hangover);
r = write(fd, hangover_buf, bsize);
if (r < 0 || r < hangover)
r = write_buffer(fd, hangover_buf, bsize);
if (r < 0 || r < (ssize_t)hangover)
goto out;
}
ret = count;
@@ -122,10 +172,12 @@ out:
return ret;
}
ssize_t read_blockwise(int fd, int bsize, void *orig_buf, size_t count) {
ssize_t read_blockwise(int fd, int bsize, void *orig_buf, size_t count)
{
void *hangover_buf, *hangover_buf_base = NULL;
void *buf, *buf_base = NULL;
int r, hangover, solid, alignment;
int r, alignment;
size_t hangover, solid;
ssize_t ret = -1;
if (fd == -1 || !orig_buf || bsize <= 0)
@@ -142,16 +194,16 @@ ssize_t read_blockwise(int fd, int bsize, void *orig_buf, size_t count) {
} else
buf = orig_buf;
r = read(fd, buf, solid);
if(r < 0 || r != solid)
r = read_buffer(fd, buf, solid);
if (r < 0 || r != (ssize_t)solid)
goto out;
if (hangover) {
hangover_buf = aligned_malloc(&hangover_buf_base, bsize, alignment);
if (!hangover_buf)
goto out;
r = read(fd, hangover_buf, bsize);
if (r < 0 || r < hangover)
r = read_buffer(fd, hangover_buf, bsize);
if (r < 0 || r < (ssize_t)hangover)
goto out;
memcpy((char *)buf + solid, hangover_buf, hangover);
@@ -172,7 +224,8 @@ out:
* is implicitly included in the read/write offset, which can not be set to non-aligned
* boundaries. Hence, we combine llseek with write.
*/
ssize_t write_lseek_blockwise(int fd, int bsize, char *buf, size_t count, off_t offset) {
ssize_t write_lseek_blockwise(int fd, int bsize, void *buf, size_t count, off_t offset)
{
char *frontPadBuf;
void *frontPadBuf_base = NULL;
int r, frontHang;
@@ -182,6 +235,12 @@ ssize_t write_lseek_blockwise(int fd, int bsize, char *buf, size_t count, off_t
if (fd == -1 || !buf || bsize <= 0)
return -1;
if (offset < 0)
offset = lseek(fd, offset, SEEK_END);
if (offset < 0)
return -1;
frontHang = offset % bsize;
if (lseek(fd, offset - frontHang, SEEK_SET) < 0)
@@ -193,24 +252,24 @@ ssize_t write_lseek_blockwise(int fd, int bsize, char *buf, size_t count, off_t
if (!frontPadBuf)
goto out;
r = read(fd, frontPadBuf, bsize);
if (r < 0 || r != bsize)
goto out;
innerCount = bsize - frontHang;
if (innerCount > count)
innerCount = count;
r = read_buffer(fd, frontPadBuf, bsize);
if (r < (frontHang + innerCount))
goto out;
memcpy(frontPadBuf + frontHang, buf, innerCount);
if (lseek(fd, offset - frontHang, SEEK_SET) < 0)
goto out;
r = write(fd, frontPadBuf, bsize);
if (r < 0 || r != bsize)
r = write_buffer(fd, frontPadBuf, frontHang + innerCount);
if (r != (frontHang + innerCount))
goto out;
buf += innerCount;
buf = (char*)buf + innerCount;
count -= innerCount;
}
@@ -223,6 +282,58 @@ out:
return ret;
}
ssize_t read_lseek_blockwise(int fd, int bsize, void *buf, size_t count, off_t offset)
{
char *frontPadBuf;
void *frontPadBuf_base = NULL;
int r, frontHang;
size_t innerCount = 0;
ssize_t ret = -1;
if (fd == -1 || !buf || bsize <= 0)
return -1;
if (offset < 0)
offset = lseek(fd, offset, SEEK_END);
if (offset < 0)
return -1;
frontHang = offset % bsize;
if (lseek(fd, offset - frontHang, SEEK_SET) < 0)
return ret;
if (frontHang) {
frontPadBuf = aligned_malloc(&frontPadBuf_base,
bsize, get_alignment(fd));
if (!frontPadBuf)
return ret;
innerCount = bsize - frontHang;
if (innerCount > count)
innerCount = count;
r = read_buffer(fd, frontPadBuf, bsize);
if (r < (frontHang + innerCount))
goto out;
memcpy(buf, frontPadBuf + frontHang, innerCount);
buf = (char*)buf + innerCount;
count -= innerCount;
}
ret = read_blockwise(fd, bsize, buf, count);
if (ret >= 0)
ret += innerCount;
out:
free(frontPadBuf_base);
return ret;
}
/* MEMLOCK */
#define DEFAULT_PROCESS_PRIORITY -18

19
lib/utils_benchmark.c
View File

@@ -1,8 +1,8 @@
/*
* libcryptsetup - cryptsetup library, cipher bechmark
*
* Copyright (C) 2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2012-2013, Milan Broz
* Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2012-2017, Milan Broz
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -240,7 +240,7 @@ int crypt_benchmark_kdf(struct crypt_device *cd,
size_t salt_size,
uint64_t *iterations_sec)
{
int r;
int r, key_length = 0;
if (!iterations_sec)
return -EINVAL;
@@ -249,14 +249,21 @@ int crypt_benchmark_kdf(struct crypt_device *cd,
if (r < 0)
return r;
// FIXME: this should be in KDF check API parameters later
if (cd)
key_length = crypt_get_volume_key_size(cd);
if (key_length == 0)
key_length = DEFAULT_LUKS1_KEYBITS / 8;
if (!strncmp(kdf, "pbkdf2", 6))
r = crypt_pbkdf_check(kdf, hash, password, password_size,
salt, salt_size, iterations_sec);
salt, salt_size, key_length, iterations_sec);
else
r = -EINVAL;
if (!r)
log_dbg("KDF %s, hash %s: %" PRIu64 " iterations per second.",
kdf, hash, *iterations_sec);
log_dbg("KDF %s, hash %s: %" PRIu64 " iterations per second (%d-bits key).",
kdf, hash, *iterations_sec, key_length * 8);
return r;
}

10
lib/utils_crypt.c
View File

@@ -2,8 +2,8 @@
* utils_crypt - cipher utilities for cryptsetup
*
* Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
* Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2012, Milan Broz
* Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2017, Milan Broz
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -22,6 +22,7 @@
#include <stdlib.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
@@ -98,7 +99,7 @@ void *crypt_safe_alloc(size_t size)
{
struct safe_allocation *alloc;
if (!size)
if (!size || size > (SIZE_MAX - offsetof(struct safe_allocation, data)))
return NULL;
alloc = malloc(size + offsetof(struct safe_allocation, data));
@@ -360,7 +361,7 @@ int crypt_get_key(const char *prompt,
/* If not requsted otherwise, we limit input to prevent memory exhaustion */
if (keyfile_size_max == 0) {
keyfile_size_max = DEFAULT_KEYFILE_SIZE_MAXKB * 1024;
keyfile_size_max = DEFAULT_KEYFILE_SIZE_MAXKB * 1024 + 1;
unlimited_read = 1;
}
@@ -422,6 +423,7 @@ int crypt_get_key(const char *prompt,
char_read = read(fd, &pass[i], 1);
if (char_read < 0) {
log_err(cd, _("Error reading passphrase.\n"));
r = -EPIPE;
goto out_err;
}

4
lib/utils_crypt.h
View File

@@ -2,8 +2,8 @@
* utils_crypt - cipher utilities for cryptsetup
*
* Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
* Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2012, Milan Broz
* Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2017, Milan Broz
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License

45
lib/utils_device.c
View File

@@ -3,8 +3,8 @@
*
* Copyright (C) 2004, Jana Saout <jana@saout.de>
* Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
* Copyright (C) 2009-2015, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2015, Milan Broz
* Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2017, Milan Broz
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -50,8 +50,10 @@ static int device_block_size_fd(int fd, size_t *min_size)
if (fstat(fd, &st) < 0)
return -EINVAL;
if (S_ISREG(st.st_mode))
if (S_ISREG(st.st_mode)) {
r = (int)crypt_getpagesize();
bsize = r;
}
else if (ioctl(fd, BLKSSZGET, &bsize) >= 0)
r = bsize;
else
@@ -417,25 +419,22 @@ out:
static int device_internal_prepare(struct crypt_device *cd, struct device *device)
{
char *loop_device, *file_path = NULL;
char *loop_device = NULL, *file_path = NULL;
int r, loop_fd, readonly = 0;
if (device->init_done)
return 0;
log_dbg("Allocating a free loop device.");
loop_device = crypt_loop_get_device();
if (!loop_device) {
if (getuid() || geteuid())
log_err(cd, _("Cannot use a loopback device, "
"running as non-root user.\n"));
else
log_err(cd, _("Cannot find a free loopback device.\n"));
if (getuid() || geteuid()) {
log_err(cd, _("Cannot use a loopback device, "
"running as non-root user.\n"));
return -ENOTSUP;
}
log_dbg("Allocating a free loop device.");
/* Keep the loop open, dettached on last close. */
loop_fd = crypt_loop_attach(loop_device, device->path, 0, 1, &readonly);
loop_fd = crypt_loop_attach(&loop_device, device->path, 0, 1, &readonly);
if (loop_fd == -1) {
log_err(cd, _("Attaching loopback device failed "
"(loop device with autoclear flag is required).\n"));
@@ -528,3 +527,23 @@ size_t size_round_up(size_t size, unsigned int block)
size_t s = (size + (block - 1)) / block;
return s * block;
}
void device_disable_direct_io(struct device *device)
{
device->o_direct = 0;
}
int device_is_identical(struct device *device1, struct device *device2)
{
if (device1 == device2)
return 1;
if (!device1 || !device2 || !device_path(device1) || !device_path(device2))
return 0;
/* This should be better check - major/minor for block device etc */
if (!strcmp(device_path(device1), device_path(device2)))
return 1;
return 0;
}

29
lib/utils_devpath.c
View File

@@ -3,8 +3,8 @@
*
* Copyright (C) 2004, Jana Saout <jana@saout.de>
* Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
* Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2013, Milan Broz
* Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2017, Milan Broz
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -31,6 +31,9 @@
#include <limits.h>
#include <sys/stat.h>
#include <sys/types.h>
#ifdef HAVE_SYS_SYSMACROS_H
# include <sys/sysmacros.h> /* for major, minor */
#endif
#include "internal.h"
static char *__lookup_dev(char *path, dev_t dev, int dir_level, const int max_level)
@@ -276,24 +279,30 @@ char *crypt_get_partition_device(const char *dev_path, uint64_t offset, uint64_t
major(st.st_rdev), minor(st.st_rdev)) < 0)
return NULL;
len = readlink(path, link, sizeof(link) - 1);
if (len < 0)
dir = opendir(path);
if (!dir)
return NULL;
len = readlink(path, link, sizeof(link) - 1);
if (len < 0) {
closedir(dir);
return NULL;
}
/* Get top level disk name for sysfs search */
link[len] = '\0';
devname = strrchr(link, '/');
if (!devname)
if (!devname) {
closedir(dir);
return NULL;
}
devname++;
/* DM devices do not use kernel partitions. */
if (dm_is_dm_kernel_name(devname))
return NULL;
dir = opendir(path);
if (!dir)
if (dm_is_dm_kernel_name(devname)) {
closedir(dir);
return NULL;
}
devname_len = strlen(devname);
while((entry = readdir(dir))) {

20
lib/utils_dm.h
View File

@@ -3,8 +3,8 @@
*
* Copyright (C) 2004, Jana Saout <jana@saout.de>
* Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
* Copyright (C) 2009-2015, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2015, Milan Broz
* Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2017, Milan Broz
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -42,19 +42,22 @@ struct device;
#define DM_TCW_SUPPORTED (1 << 6) /* tcw (TCRYPT CBC with whitening) */
#define DM_SAME_CPU_CRYPT_SUPPORTED (1 << 7) /* same_cpu_crypt */
#define DM_SUBMIT_FROM_CRYPT_CPUS_SUPPORTED (1 << 8) /* submit_from_crypt_cpus */
#define DM_VERITY_ON_CORRUPTION_SUPPORTED (1 << 9) /* ignore/restart_on_corruption, ignore_zero_block */
uint32_t dm_flags(void);
#define DM_ACTIVE_DEVICE (1 << 0)
#define DM_ACTIVE_UUID (1 << 1)
#define DM_ACTIVE_HOLDERS (1 << 2)
#define DM_ACTIVE_CRYPT_CIPHER (1 << 2)
#define DM_ACTIVE_CRYPT_KEYSIZE (1 << 3)
#define DM_ACTIVE_CRYPT_KEY (1 << 4)
#define DM_ACTIVE_CRYPT_CIPHER (1 << 3)
#define DM_ACTIVE_CRYPT_KEYSIZE (1 << 4)
#define DM_ACTIVE_CRYPT_KEY (1 << 5)
#define DM_ACTIVE_VERITY_ROOT_HASH (1 << 6)
#define DM_ACTIVE_VERITY_HASH_DEVICE (1 << 7)
#define DM_ACTIVE_VERITY_PARAMS (1 << 8)
#define DM_ACTIVE_VERITY_ROOT_HASH (1 << 5)
#define DM_ACTIVE_VERITY_HASH_DEVICE (1 << 6)
#define DM_ACTIVE_VERITY_PARAMS (1 << 7)
struct crypt_dm_active_device {
enum { DM_CRYPT = 0, DM_VERITY } target;
@@ -62,6 +65,7 @@ struct crypt_dm_active_device {
uint32_t flags; /* activation flags */
const char *uuid;
struct device *data_device;
unsigned holders:1;
union {
struct {
const char *cipher;

2
lib/utils_fips.c
View File

@@ -1,7 +1,7 @@
/*
* FIPS mode utilities
*
* Copyright (C) 2011-2015, Red Hat, Inc. All rights reserved.
* Copyright (C) 2011-2017, Red Hat, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License

2
lib/utils_fips.h
View File

@@ -1,7 +1,7 @@
/*
* FIPS mode utilities
*
* Copyright (C) 2011-2015, Red Hat, Inc. All rights reserved.
* Copyright (C) 2011-2017, Red Hat, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License

48
lib/utils_loop.c
View File

@@ -1,8 +1,8 @@
/*
* loopback block device utilities
*
* Copyright (C) 2011-2015, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2015, Milan Broz
* Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2017, Milan Broz
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -19,6 +19,7 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
@@ -28,6 +29,9 @@
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#ifdef HAVE_SYS_SYSMACROS_H
# include <sys/sysmacros.h> /* for major, minor */
#endif
#include <linux/loop.h>
#include "utils_loop.h"
@@ -70,7 +74,7 @@ static char *crypt_loop_get_device_old(void)
return NULL;
}
char *crypt_loop_get_device(void)
static char *crypt_loop_get_device(void)
{
char dev[64];
int i, loop_fd;
@@ -96,12 +100,15 @@ char *crypt_loop_get_device(void)
return strdup(dev);
}
int crypt_loop_attach(const char *loop, const char *file, int offset,
int crypt_loop_attach(char **loop, const char *file, int offset,
int autoclear, int *readonly)
{
struct loop_info64 lo64 = {0};
char *lo_file_name;
int loop_fd = -1, file_fd = -1, r = 1;
*loop = NULL;
file_fd = open(file, (*readonly ? O_RDONLY : O_RDWR) | O_EXCL);
if (file_fd < 0 && (errno == EROFS || errno == EACCES) && !*readonly) {
*readonly = 1;
@@ -110,18 +117,33 @@ int crypt_loop_attach(const char *loop, const char *file, int offset,
if (file_fd < 0)
goto out;
loop_fd = open(loop, *readonly ? O_RDONLY : O_RDWR);
if (loop_fd < 0)
goto out;
while (loop_fd < 0) {
*loop = crypt_loop_get_device();
if (!*loop)
goto out;
strncpy((char*)lo64.lo_file_name, file, LO_NAME_SIZE);
loop_fd = open(*loop, *readonly ? O_RDONLY : O_RDWR);
if (loop_fd < 0)
goto out;
if (ioctl(loop_fd, LOOP_SET_FD, file_fd) < 0) {
if (errno != EBUSY)
goto out;
free(*loop);
*loop = NULL;
close(loop_fd);
loop_fd = -1;
}
}
lo_file_name = (char*)lo64.lo_file_name;
lo_file_name[LO_NAME_SIZE-1] = '\0';
strncpy(lo_file_name, file, LO_NAME_SIZE-1);
lo64.lo_offset = offset;
if (autoclear)
lo64.lo_flags |= LO_FLAGS_AUTOCLEAR;
if (ioctl(loop_fd, LOOP_SET_FD, file_fd) < 0)
goto out;
if (ioctl(loop_fd, LOOP_SET_STATUS64, &lo64) < 0) {
(void)ioctl(loop_fd, LOOP_CLR_FD, 0);
goto out;
@@ -143,6 +165,10 @@ out:
close(loop_fd);
if (file_fd >= 0)
close(file_fd);
if (r && *loop) {
free(*loop);
*loop = NULL;
}
return r ? -1 : loop_fd;
}

7
lib/utils_loop.h
View File

@@ -1,8 +1,8 @@
/*
* loopback block device utilities
*
* Copyright (C) 2011-2015, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2015, Milan Broz
* Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2017, Milan Broz
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -24,10 +24,9 @@
/* loopback device helpers */
char *crypt_loop_get_device(void);
char *crypt_loop_backing_file(const char *loop);
int crypt_loop_device(const char *loop);
int crypt_loop_attach(const char *loop, const char *file, int offset,
int crypt_loop_attach(char **loop, const char *file, int offset,
int autoclear, int *readonly);
int crypt_loop_detach(const char *loop);
int crypt_loop_resize(const char *loop);

11
lib/utils_wipe.c
View File

@@ -2,8 +2,8 @@
* utils_wipe - wipe a device
*
* Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
* Copyright (C) 2011-2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2012, Milan Broz
* Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2017, Milan Broz
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -29,6 +29,9 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#ifdef HAVE_SYS_SYSMACROS_H
# include <sys/sysmacros.h> /* for major, minor */
#endif
#include <fcntl.h>
#include "libcryptsetup.h"
@@ -128,7 +131,7 @@ int crypt_wipe(struct device *device,
ssize_t written;
if (!size || size % SECTOR_SIZE || (size > MAXIMUM_WIPE_BYTES)) {
log_dbg("Unsuported wipe size for device %s: %ld.",
log_dbg("Unsupported wipe size for device %s: %ld.",
device_path(device), (unsigned long)size);
return -EINVAL;
}
@@ -183,7 +186,7 @@ int crypt_wipe(struct device *device,
written = _crypt_wipe_random(devfd, bsize, buffer, offset, size);
break;
default:
log_dbg("Unsuported wipe type requested: (%d)", type);
log_dbg("Unsupported wipe type requested: (%d)", type);
written = -1;
}

7
lib/verity/verity.c
View File

@@ -1,7 +1,7 @@
/*
* dm-verity volume handling
*
* Copyright (C) 2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
*
* This file is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -156,6 +156,7 @@ int VERITY_write_sb(struct crypt_device *cd,
int bsize = device_block_size(device);
struct verity_sb sb = {};
ssize_t hdr_size = sizeof(struct verity_sb);
char *algorithm;
uuid_t uuid;
int r, devfd = 0;
@@ -187,7 +188,9 @@ int VERITY_write_sb(struct crypt_device *cd,
sb.hash_block_size = cpu_to_le32(params->hash_block_size);
sb.salt_size = cpu_to_le16(params->salt_size);
sb.data_blocks = cpu_to_le64(params->data_size);
strncpy((char *)sb.algorithm, params->hash_name, sizeof(sb.algorithm));
algorithm = (char *)sb.algorithm;
algorithm[sizeof(sb.algorithm)-1] = '\0';
strncpy(algorithm, params->hash_name, sizeof(sb.algorithm)-1);
memcpy(sb.salt, params->salt, params->salt_size);
memcpy(sb.uuid, uuid, sizeof(sb.uuid));

2
lib/verity/verity.h
View File

@@ -1,7 +1,7 @@
/*
* dm-verity volume handling
*
* Copyright (C) 2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
*
* This file is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public

2
lib/verity/verity_hash.c
View File

@@ -1,7 +1,7 @@
/*
* dm-verity volume handling
*
* Copyright (C) 2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
*
* This file is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public

25
lib/volumekey.c
View File

@@ -2,7 +2,7 @@
* cryptsetup volume key implementation
*
* Copyright (C) 2004-2006, Clemens Fruhwirth <clemens@endorphin.org>
* Copyright (C) 2010-2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2010-2017, Red Hat, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -20,22 +20,31 @@
*/
#include <string.h>
#include <stdint.h>
#include <stdlib.h>
#include "internal.h"
struct volume_key *crypt_alloc_volume_key(unsigned keylength, const char *key)
struct volume_key *crypt_alloc_volume_key(size_t keylength, const char *key)
{
struct volume_key *vk = malloc(sizeof(*vk) + keylength);
struct volume_key *vk;
if (keylength > (SIZE_MAX - sizeof(*vk)))
return NULL;
vk = malloc(sizeof(*vk) + keylength);
if (!vk)
return NULL;
vk->keylength = keylength;
if (key)
memcpy(&vk->key, key, keylength);
else
crypt_memzero(&vk->key, keylength);
/* keylength 0 is valid => no key */
if (vk->keylength) {
if (key)
memcpy(&vk->key, key, keylength);
else
crypt_memzero(&vk->key, keylength);
}
return vk;
}
@@ -49,7 +58,7 @@ void crypt_free_volume_key(struct volume_key *vk)
}
}
struct volume_key *crypt_generate_volume_key(struct crypt_device *cd, unsigned keylength)
struct volume_key *crypt_generate_volume_key(struct crypt_device *cd, size_t keylength)
{
int r;
struct volume_key *vk;

22
man/cryptsetup-reencrypt.8
View File

@@ -1,4 +1,4 @@
.TH CRYPTSETUP-REENCRYPT "8" "January 2015" "cryptsetup-reencrypt" "Maintenance Commands"
.TH CRYPTSETUP-REENCRYPT "8" "March 2017" "cryptsetup-reencrypt" "Maintenance Commands"
.SH NAME
cryptsetup-reencrypt - tool for offline LUKS device re-encryption
.SH SYNOPSIS
@@ -19,8 +19,6 @@ or kernel failures during reencryption (you can lose you data in this case).
\fIALWAYS BE SURE YOU HAVE RELIABLE BACKUP BEFORE USING THIS TOOL.\fR
.br
\fITHIS TOOL IS EXPERIMENTAL.\fR
The reencryption can be temporarily suspended (by TERM signal or by
using ctrl+c) but you need to retain temporary files named LUKS-<uuid>.[log|org|new].
LUKS device is unavailable until reencryption is finished though.
@@ -39,7 +37,8 @@ To start (or continue) re-encryption for <device> use:
\fB<options>\fR can be [\-\-batch-mode, \-\-block-size, \-\-cipher, \-\-debug,
\-\-device-size, \-\-hash, \-\-iter-time, \-\-use-random | \-\-use-urandom,
\-\-keep-key, \-\-key-size, \-\-key-file, \-\-key-slot, \-\-keyfile-offset,
\-\-keyfile-size, \-\-tries, \-\-use-directio, \-\-use-fsync, \-\-verbose, \-\-write-log]
\-\-keyfile-size, \-\-tries, \-\-use-directio, \-\-use-fsync, \-\-verbose, \-\-write-log,
\-\-uuid, \-\-progress-frequency]
To encrypt data on (not yet encrypted) device, use \fI\-\-new\fR with combination
with \fI\-\-reduce-device-size\fR.
@@ -155,7 +154,7 @@ Use with extreme care - shrinked filesystems are usually unrecoverable.
You cannot shrink device more than by 64 MiB (131072 sectors).
.TP
.B "\-\-new, N"
.B "\-\-new, \-N"
Create new header (encrypt not yet encrypted device).
This option must be used together with \-\-reduce-device-size.
@@ -182,9 +181,18 @@ log files as well.
Update log file after every block write. This can slow down reencryption
but will minimize data loss in the case of system crash.
.TP
.B "\-\-uuid" \fI<uuid>\fR
Use only while resuming an interrupted decryption process (see \-\-decrypt).
To find out what \fI<uuid>\fR to pass look for temporary files LUKS-<uuid>.[|log|org|new]
of the interrupted decryption process.
.TP
.B "\-\-batch-mode, \-q"
Suppresses all warnings and reencryption progress output.
.TP
.B "\-\-progress-frequency <seconds>"
Print separate line every <seconds> with reencryption progress.
.TP
.B "\-\-version"
Show the program version.
.SH RETURN CODES
@@ -227,9 +235,9 @@ Please attach the output of the failed command with the
.SH AUTHORS
Cryptsetup-reencrypt was written by Milan Broz <gmazyland@gmail.com>.
.SH COPYRIGHT
Copyright \(co 2012-2015 Milan Broz
Copyright \(co 2012-2017 Milan Broz
.br
Copyright \(co 2012-2013 Red Hat, Inc.
Copyright \(co 2012-2017 Red Hat, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

41
man/cryptsetup.8
View File

@@ -1,4 +1,4 @@
.TH CRYPTSETUP "8" "December 2013" "cryptsetup" "Maintenance Commands"
.TH CRYPTSETUP "8" "March 2017" "cryptsetup" "Maintenance Commands"
.SH NAME
cryptsetup - manage plain dm-crypt and LUKS encrypted volumes
.SH SYNOPSIS
@@ -107,10 +107,15 @@ Reports the status for the mapping <name>.
.IP
Resizes an active mapping <name>.
If \-\-size (in sectors) is not specified, the size of the
underlying block device is used. Note that this does not
change the raw device geometry, it just changes how many
sectors of the raw device are represented in the mapped device.
If \-\-size (in sectors) is not specified, the size is computed
from the underlying device. For LUKS it is the size of the
underlying device without the area reserved for LUKS header
(see data payload offset in \fBluksDump\fR command).
For plain crypt device the whole device size is used.
Note that this does not change the raw device geometry, it just
changes how many sectors of the raw device are represented
in the mapped device.
.SH PLAIN MODE
Plain dm-crypt encrypts the device sector-by-sector with a
single, non-salted hash of the passphrase. No checks
@@ -253,7 +258,7 @@ as positional argument or via \-\-key-file.
\fBWARNING:\fR If you read the passphrase from stdin
(without further argument or with '-' as argument
to \-\-key\-file), batch-mode (\-q) will be implicitely
to \-\-key\-file), batch-mode (\-q) will be implicitly
switched on and no warning will be given when you remove the
last remaining passphrase from a LUKS container. Removing
the last passphrase makes the LUKS container permanently
@@ -286,8 +291,9 @@ inaccessible.
.PP
\fIluksKillSlot\fR <device> <key slot number>
.IP
Wipe the key-slot number <key slot> from the LUKS device. A remaining
passphrase must be supplied, either interactively or via \-\-key-file.
Wipe the key-slot number <key slot> from the LUKS device. Except running
in batch-mode (\-q) a remaining passphrase must be supplied,
either interactively or via \-\-key-file.
This command can remove the last remaining key-slot, but requires
an interactive confirmation when doing so. Removing the last
passphrase makes a LUKS container permanently inaccessible.
@@ -297,11 +303,16 @@ passphrase makes a LUKS container permanently inaccessible.
\fBWARNING:\fR If you read the passphrase from stdin
(without further argument or with '-' as argument
to \-\-key-file), batch-mode (\-q) will be implicitely
to \-\-key-file), batch-mode (\-q) will be implicitly
switched on and no warning will be given when you remove the
last remaining passphrase from a LUKS container. Removing
the last passphrase makes the LUKS container permanently
inaccessible.
\fBNOTE:\fR If there is no passphrase provided (on stdin or through
\-\-key-file argument) and batch-mode (\-q) is active, the
key-slot is removed without any other warning.
.PP
\fIerase\fR <device>
.br
@@ -517,7 +528,7 @@ to be erased to prevent further access. Use this option carefully.
The keyfile parameter allows combination of file content with the
passphrase and can be repeated.
.PP
See also \fBhttp://www.truecrypt.org\fR for more information regarding
See also \fBhttps://en.wikipedia.org/wiki/TrueCrypt\fR for more information regarding
TrueCrypt.
Please note that cryptsetup does not use TrueCrypt code, please report
@@ -593,7 +604,7 @@ The current default in the distributed sources is
"aes-cbc-essiv:sha256" for plain dm-crypt and
"aes-xts-plain64" for LUKS.
If a hash is part of the cipher spefification, then it is
If a hash is part of the cipher specification, then it is
used as part of the IV generation. For example, ESSIV
needs a hash function, while "plain64" does not and
hence none is specified.
@@ -726,7 +737,7 @@ All other LUKS actions will use the key-size specified in the LUKS header.
Use \fIcryptsetup \-\-help\fR to show the compiled-in defaults.
.TP
.B "\-\-size, \-b <number of 512 byte sectors>"
Force the size of the underlying device in sectors of 512 bytes.
Set the size of the device in sectors of 512 bytes.
This option is only relevant for the \fIopen\fR and \fIresize\fR
actions.
.TP
@@ -879,7 +890,7 @@ This option applies only to \fIluksFormat\fR, \fIluksAddKey\fR and
password quality checking support.
For more info about password quality check, see manual page
for \fBpwquality.conf(5)\fR.
for \fBpwquality.conf(5)\fR and \fBpasswdqc.conf(5)\fR.
.TP
.B "\-\-version"
Show the program version.
@@ -1065,9 +1076,9 @@ Copyright \(co 2004 Jana Saout
.br
Copyright \(co 2004-2006 Clemens Fruhwirth
.br
Copyright \(co 2009-2015 Red Hat, Inc.
Copyright \(co 2009-2017 Red Hat, Inc.
.br
Copyright \(co 2009-2015 Milan Broz
Copyright \(co 2009-2017 Milan Broz
.br
Copyright \(co 2012-2014 Arno Wagner

66
man/veritysetup.8
View File

@@ -1,4 +1,4 @@
.TH VERITYSETUP "8" "December 2013" "veritysetup" "Maintenance Commands"
.TH VERITYSETUP "8" "March 2017" "veritysetup" "Maintenance Commands"
.SH NAME
veritysetup - manage dm-verity (block level verification) volumes
.SH SYNOPSIS
@@ -37,7 +37,8 @@ Creates a mapping with <name> backed by device <data_device> and using
The <root_hash> is a hexadecimal string.
\fB<options>\fR can be [\-\-hash-offset, \-\-no-superblock]
\fB<options>\fR can be [\-\-hash-offset, \-\-no-superblock,
\-\-ignore-corruption or \-\-restart-on-corruption, \-\-ignore-zero-blocks]
If option \-\-no-superblock is used, you have to use as the same options
as in initial format operation.
@@ -82,7 +83,7 @@ Create or use dm-verity without permanent on-disk superblock.
.TP
.B "\-\-format=number"
Specifies the hash version type.
Format type 0 is original Chrome OS verion. Format type 1 is current version.
Format type 0 is original Chrome OS version. Format type 1 is current version.
.TP
.B "\-\-data-block-size=bytes"
Used block size for the data device.
@@ -110,14 +111,63 @@ Use the provided UUID for format command instead of generating new one.
The UUID must be provided in standard UUID format,
e.g. 12345678-1234-1234-1234-123456789abc.
.TP
.B "\-\-ignore-corruption", "\-\-restart-on-corruption"
Defines what to do if data integrity problem is detected (data corruption).
Without these options kernel fails the IO operation with I/O error.
With \-\-ignore-corruption option the corruption is only logged.
With \-\-restart-on-corruption the kernel is restarted immediatelly.
(You have to provide way how to avoid restart loops.)
\fBWARNING:\fR Use these options only for very specific cases.
These options are available since Linux kernel version 4.1.
.TP
.B "\-\-ignore-zero-blocks"
Instruct kernel to not verify blocks that are expected to contain zeroes
and always directly return zeroes instead.
\fBWARNING:\fR Use this option only in very specific cases.
This option is available since Linux kernel version 4.5.
.TP
.B "\-\-hash=hash"
Hash algorithm for dm-verity. For default see \-\-help option.
.TP
.B "\-\-version"
Show the program version.
.SH RETURN CODES
Veritysetup returns 0 on success and a non-zero value on error.
Error codes are: 1 wrong parameters, 2 no permission,
3 out of memory, 4 wrong device specified, 5 device already exists
or device is busy.
Error codes are:
1 wrong parameters
2 no permission
3 out of memory
4 wrong device specified
5 device already exists or device is busy.
.SH EXAMPLES
.B "veritysetup \-\-data-blocks=256 format <data_device> <hash_device>"
Calculates and stores verification data on hash_device for the first 256 blocks (of block-size).
If hash_device does not exist, it is created (as file image).
.B "veritysetup format <data_device> <hash_device>"
Calculates and stores verification data on hash_device for the whole data_device.
.B "veritysetup \-\-data-blocks=256 \-\-hash-offset=1052672 format <device> <device>"
Verification data (hashes) is stored on the same device as data (starting at hash-offset).
Hash-offset must be greater than number of blocks in data-area.
.B "veritysetup \-\-data-blocks=256 \-\-hash-offset=1052672 create test-device <device> <device> <root_hash>"
Acivatees the verity device named test-device. Options \-\-data-blocks and \-\-hash-offset are the same
as in the format command. The <root_hash> was calculated in format command.
.B "veritysetup \-\-data-blocks=256 \-\-hash-offset=1052672 verify <data_device> <hash_device> <root_hash>"
Verifies device without activation (in userspace).
.SH REPORTING BUGS
Report bugs, including ones in the documentation, on
the cryptsetup mailing list at <dm-crypt@saout.de>
@@ -130,9 +180,9 @@ The first implementation of veritysetup was written by Chrome OS authors.
This version is based on verification code written by Mikulas Patocka <mpatocka@redhat.com>
and rewritten for libcryptsetup by Milan Broz <gmazyland@gmail.com>.
.SH COPYRIGHT
Copyright \(co 2012-2013 Red Hat, Inc.
Copyright \(co 2012-2017 Red Hat, Inc.
.br
Copyright \(co 2012-2014 Milan Broz
Copyright \(co 2012-2017 Milan Broz
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

8
misc/dracut_90reencrypt/README
View File

@@ -11,9 +11,11 @@ e.g. rd.luks.reencrypt=sda2:52G means only 52G of device
will be reencrypted (default is whole device).
(Name is kernel name of device.)
Also, you may specify keyslot which you want to use for reencryption,
rd.luks.reencrypt_keyslot=<keyslot_number>. Bear in mind that if you
use this option, all other keyslots will be deactivated.
If there's more than single active keyslot in the target luks device
you're required to select one keyslot explicitly for reencryption via
rd.luks.reencrypt_keyslot=<keyslot_number> option. Bear in mind that
if you use this option, all other keyslots will get deactivated in the
process.
Another argument, rd.luks.reencrypt_key=/dev/sda:/path/to/keyfile
can be used to read password for specific keyslot from device containing

2
misc/dracut_90reencrypt/module-setup.sh
View File

@@ -24,6 +24,8 @@ install() {
dracut_install cryptsetup-reencrypt
# moddir variable is assigned in dracut general shell lib
# shellcheck disable=SC2154
inst_hook cmdline 30 "$moddir/parse-reencrypt.sh"
inst_simple "$moddir"/reencrypt.sh /sbin/reencrypt
}

10
misc/dracut_90reencrypt/parse-reencrypt.sh
View File

@@ -18,10 +18,16 @@ if [ -n "$REENC_DEV" ] ; then
{
printf 'SUBSYSTEM!="block", GOTO="reenc_end"\n'
printf 'ACTION!="add|change", GOTO="reenc_end"\n'
printf 'KERNEL!="%s", GOTO="reenc_end"\n' $REENC_DEV
printf 'KERNEL=="%s", ' $REENC_DEV
printf 'ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="/sbin/initqueue \
--unique --onetime --name crypt-reencrypt-%%k \
--unique --onetime --settled --name crypt-reencrypt-%%k \
/sbin/reencrypt $env{DEVNAME} %s"\n' "$REENC_KEY $REENC_SLOT $REENC_SIZE"
printf 'ENV{ID_FS_UUID}=="*%s*", ' $REENC_DEV
printf 'ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="/sbin/initqueue \
--unique --onetime --settled --name crypt-reencrypt-%%k \
/sbin/reencrypt $env{DEVNAME} %s"\n' "$REENC_KEY $REENC_SLOT $REENC_SIZE"
printf 'LABEL="reenc_end"\n'
} > /etc/udev/rules.d/69-reencryption.rules
initqueue --unique --finished --name crypt-reencrypt-finished-${REENC_DEV} [ -e /tmp/reencrypted ]
fi

6
misc/dracut_90reencrypt/reencrypt.sh
View File

@@ -18,7 +18,7 @@ else
device="$1"
fi
PARAMS="$device -T 1 --use-fsync -B 32"
PARAMS="$device -T 1 --use-fsync --progress-frequency 5 -B 32"
if [ "$3" != "any" ]; then
PARAMS="$PARAMS -S $3"
fi
@@ -39,9 +39,11 @@ reenc_readkey() {
}
reenc_run() {
local cwd=$(pwd)
local cwd
cwd=$(pwd)
local _prompt="LUKS password for REENCRYPTING $device"
cd /tmp
udevadm settle
if [ "$1" = "none" ] ; then
if [ "$2" != "any" ]; then
_prompt="$_prompt, using keyslot $2"

1
po/LINGUAS
View File

@@ -8,6 +8,7 @@ id
it
nl
pl
pt_BR
sr
sv
uk

781
po/cs.po
View File

File diff suppressed because it is too large Load Diff

802
po/da.po
View File

File diff suppressed because it is too large Load Diff

780
po/de.po
View File

File diff suppressed because it is too large Load Diff

782
po/es.po
View File

File diff suppressed because it is too large Load Diff

373
po/fi.po
View File

@@ -6,13 +6,14 @@
#
msgid ""
msgstr ""
"Project-Id-Version: cryptsetup 1.6.8\n"
"Project-Id-Version: cryptsetup 1.7.0\n"
"Report-Msgid-Bugs-To: dm-crypt@saout.de\n"
"POT-Creation-Date: 2015-08-26 16:17+0200\n"
"PO-Revision-Date: 2015-08-27 20:08+0300\n"
"POT-Creation-Date: 2015-10-29 13:27+0100\n"
"PO-Revision-Date: 2015-11-08 12:48+0200\n"
"Last-Translator: Jorma Karvonen <karvonen.jorma@gmail.com>\n"
"Language-Team: Finnish <translation-team-fi@lists.sourceforge.net>\n"
"Language: fi\n"
"X-Bugs: Report translation errors to the Language-Team address.\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
@@ -230,8 +231,8 @@ msgstr "Jatkamista ei tueta laiteelle %s.\n"
msgid "Error during resuming device %s.\n"
msgstr "Virhe jatkettaessa laitteella %s.\n"
#: lib/setup.c:1654 lib/setup.c:2089 lib/setup.c:2103 src/cryptsetup.c:182
#: src/cryptsetup.c:244 src/cryptsetup.c:728 src/cryptsetup.c:1150
#: lib/setup.c:1654 lib/setup.c:2089 lib/setup.c:2103 src/cryptsetup.c:183
#: src/cryptsetup.c:244 src/cryptsetup.c:732 src/cryptsetup.c:1162
msgid "Enter passphrase: "
msgstr "Kirjoita salasanalause: "
@@ -245,7 +246,7 @@ msgid "Enter any passphrase: "
msgstr "Kirjoita mikä tahansa salasanalause: "
#: lib/setup.c:1742 lib/setup.c:1875 lib/setup.c:1879 lib/setup.c:1941
#: src/cryptsetup.c:984 src/cryptsetup.c:1015
#: src/cryptsetup.c:992 src/cryptsetup.c:1023
msgid "Enter new passphrase for key slot: "
msgstr "Kirjoita uusi salasanalause avainvälille: "
@@ -461,7 +462,7 @@ msgid "Device %s is too small. (LUKS requires at least %<PRIu64> bytes.)\n"
msgstr "Laite %s on liian pieni. (LUKS vaatii vähintään %<PRIu64> tavua.)\n"
#: lib/luks1/keymanage.c:180 lib/luks1/keymanage.c:418
#: src/cryptsetup_reencrypt.c:1130
#: src/cryptsetup_reencrypt.c:1131
#, c-format
msgid "Device %s is not a valid LUKS device.\n"
msgstr "Laite %s ei ole kelvollinen LUKS-laite.\n"
@@ -635,8 +636,8 @@ msgstr "Avainvälin %d materiaali sisältää liian vähän raitoja. Otsaketta o
msgid "Key slot %d unlocked.\n"
msgstr "Avaivälin %d lukitus avattu.\n"
#: lib/luks1/keymanage.c:990 src/cryptsetup.c:854
#: src/cryptsetup_reencrypt.c:1019 src/cryptsetup_reencrypt.c:1056
#: lib/luks1/keymanage.c:990 src/cryptsetup.c:858
#: src/cryptsetup_reencrypt.c:1020 src/cryptsetup_reencrypt.c:1057
msgid "No key available with this passphrase.\n"
msgstr "Tälle salasanalauseelle ei ole saatavissa avainta.\n"
@@ -703,11 +704,11 @@ msgstr "Käyttöjärjestelmäydin ei tue aktivointia tälle TCRYPT-perinnetilass
msgid "Activating TCRYPT system encryption for partition %s.\n"
msgstr "Aktivoidaan TCRYPT-järjestelmäsalaus osiolle %s.\n"
#: lib/tcrypt/tcrypt.c:806
#: lib/tcrypt/tcrypt.c:810
msgid "Kernel doesn't support TCRYPT compatible mapping.\n"
msgstr "Käyttöjärjestelmäydin ei tue TCRYPT -yhteensopivaa kuvausta.\n"
#: lib/tcrypt/tcrypt.c:1020
#: lib/tcrypt/tcrypt.c:1024
msgid "This function is not supported without TCRYPT header load."
msgstr "Tätä toimintoa ei tueta ilman TCRYPT-otsakelatausta."
@@ -797,7 +798,7 @@ msgid "Can't do passphrase verification on non-tty inputs.\n"
msgstr "Salasanalauseiden todennus epäonnistui ei-tty-syötteissä.\n"
#: src/cryptsetup.c:132 src/cryptsetup.c:560 src/cryptsetup.c:707
#: src/cryptsetup_reencrypt.c:522 src/cryptsetup_reencrypt.c:576
#: src/cryptsetup_reencrypt.c:523 src/cryptsetup_reencrypt.c:577
msgid "No known cipher specification pattern detected.\n"
msgstr "Havaittu tuntematon salakirjoitusmenetelmämäärittelymalli.\n"
@@ -817,7 +818,7 @@ msgstr "Vaaditaan valitsin --key-file.\n"
msgid "No device header detected with this passphrase.\n"
msgstr "Tälle salasanalauseelle ei ole saatavissa laiteotsaketta.\n"
#: src/cryptsetup.c:323 src/cryptsetup.c:1139
#: src/cryptsetup.c:323 src/cryptsetup.c:1151
msgid ""
"Header dump with volume key is sensitive information\n"
"which allows access to encrypted partition without passphrase.\n"
@@ -871,68 +872,68 @@ msgstr "Tämä korvaa tiedot kohteella %s peruuttamattomasti."
msgid "memory allocation error in action_luksFormat"
msgstr "muistivarausvirhe kohteessa action_luksFormat"
#: src/cryptsetup.c:713
#: src/cryptsetup.c:717
#, c-format
msgid "Cannot use %s as on-disk header.\n"
msgstr "Kohteen %s käyttö paikallisena levyotsakkeena epäonnistui.\n"
#: src/cryptsetup.c:780
#: src/cryptsetup.c:784
msgid "Reduced data offset is allowed only for detached LUKS header.\n"
msgstr "Pienennetty tietosiirrososoite sallitaan vain irrotetulle LUKS-otsakkeelle.\n"
#: src/cryptsetup.c:877 src/cryptsetup.c:933
#: src/cryptsetup.c:881 src/cryptsetup.c:937
#, c-format
msgid "Key slot %d selected for deletion.\n"
msgstr "Avainväli %d valittu poistoa varten.\n"
#: src/cryptsetup.c:880
#: src/cryptsetup.c:884
#, c-format
msgid "Key %d not active. Can't wipe.\n"
msgstr "Avain %d ei ole käytössä. Ei voida pyyhkiä pois.\n"
#: src/cryptsetup.c:888 src/cryptsetup.c:936
#: src/cryptsetup.c:892 src/cryptsetup.c:940
msgid "This is the last keyslot. Device will become unusable after purging this key."
msgstr "Tämä on viimeinen avainväli. Laite tulee käyttökelvottomaksi tämän avaimen poistamisen jälkeen."
#: src/cryptsetup.c:889
#: src/cryptsetup.c:893
msgid "Enter any remaining passphrase: "
msgstr "Kirjoita mikä tahansa jäljellä oleva salasanalause: "
#: src/cryptsetup.c:917
#: src/cryptsetup.c:921
msgid "Enter passphrase to be deleted: "
msgstr "Kirjoita poistettava salasanalause: "
#: src/cryptsetup.c:1000 src/cryptsetup_reencrypt.c:1094
#: src/cryptsetup.c:1008 src/cryptsetup_reencrypt.c:1095
#, c-format
msgid "Enter any existing passphrase: "
msgstr "Kirjoita mikä tahansa olemassa oleva salasanalause: "
#: src/cryptsetup.c:1051
#: src/cryptsetup.c:1063
msgid "Enter passphrase to be changed: "
msgstr "Kirjoita vaihdettava salasanalause: "
#: src/cryptsetup.c:1065 src/cryptsetup_reencrypt.c:1079
#: src/cryptsetup.c:1077 src/cryptsetup_reencrypt.c:1080
msgid "Enter new passphrase: "
msgstr "Kirjoita uusi salasanalause: "
#: src/cryptsetup.c:1089
#: src/cryptsetup.c:1101
msgid "Only one device argument for isLuks operation is supported.\n"
msgstr "Tuetaan vain yhtä laiteargumenttia isLuks-toiminnolle.\n"
#: src/cryptsetup.c:1245 src/cryptsetup.c:1266
#: src/cryptsetup.c:1257 src/cryptsetup.c:1278
msgid "Option --header-backup-file is required.\n"
msgstr "Vaaditaan valitsin --header-backup-file.\n"
#: src/cryptsetup.c:1303
#: src/cryptsetup.c:1315
#, c-format
msgid "Unrecognized metadata device type %s.\n"
msgstr "Tunnistamaton metatietolaitetyyppi %s.\n"
#: src/cryptsetup.c:1306
#: src/cryptsetup.c:1318
msgid "Command requires device and mapped name as arguments.\n"
msgstr "Komento vaatii laitteen ja kuvausnimen argumenttina.\n"
#: src/cryptsetup.c:1325
#: src/cryptsetup.c:1337
#, c-format
msgid ""
"This operation will erase all keyslots on device %s.\n"
@@ -941,115 +942,115 @@ msgstr ""
"Tämä toiminto poistaa kaikki avainvälit laitteesta %s.\n"
"Laite tulee käyttökelvottomaksi tämän toiminnon jälkeen."
#: src/cryptsetup.c:1359
#: src/cryptsetup.c:1371
msgid "<device> [--type <type>] [<name>]"
msgstr "<laite> [--type <tyyppi>] [<nimi>]"
#: src/cryptsetup.c:1359
#: src/cryptsetup.c:1371
msgid "open device as mapping <name>"
msgstr "avaa laite kuvauksena <nimi>"
#: src/cryptsetup.c:1360 src/cryptsetup.c:1361 src/cryptsetup.c:1362
#: src/cryptsetup.c:1363 src/veritysetup.c:311 src/veritysetup.c:312
#: src/cryptsetup.c:1372 src/cryptsetup.c:1373 src/cryptsetup.c:1374
#: src/cryptsetup.c:1375 src/veritysetup.c:311 src/veritysetup.c:312
msgid "<name>"
msgstr "<nimi>"
#: src/cryptsetup.c:1360
#: src/cryptsetup.c:1372
msgid "close device (remove mapping)"
msgstr "sulje laite (poista kuvaus)"
#: src/cryptsetup.c:1361
#: src/cryptsetup.c:1373
msgid "resize active device"
msgstr "muuta käytössä olevan laitteen kokoa"
#: src/cryptsetup.c:1362
#: src/cryptsetup.c:1374
msgid "show device status"
msgstr "näytä laitetila"
#: src/cryptsetup.c:1363
#: src/cryptsetup.c:1375
msgid "benchmark cipher"
msgstr "koestussalaus"
#: src/cryptsetup.c:1364 src/cryptsetup.c:1365 src/cryptsetup.c:1371
#: src/cryptsetup.c:1372 src/cryptsetup.c:1373 src/cryptsetup.c:1374
#: src/cryptsetup.c:1375 src/cryptsetup.c:1376 src/cryptsetup.c:1377
#: src/cryptsetup.c:1378
#: src/cryptsetup.c:1376 src/cryptsetup.c:1377 src/cryptsetup.c:1383
#: src/cryptsetup.c:1384 src/cryptsetup.c:1385 src/cryptsetup.c:1386
#: src/cryptsetup.c:1387 src/cryptsetup.c:1388 src/cryptsetup.c:1389
#: src/cryptsetup.c:1390
msgid "<device>"
msgstr "<laite>"
#: src/cryptsetup.c:1364
#: src/cryptsetup.c:1376
msgid "try to repair on-disk metadata"
msgstr "yritä korjata levyn sisäiset metatiedot"
#: src/cryptsetup.c:1365
#: src/cryptsetup.c:1377
msgid "erase all keyslots (remove encryption key)"
msgstr "poista kaikki avainvälit (poista salausavain)"
#: src/cryptsetup.c:1366 src/cryptsetup.c:1367
#: src/cryptsetup.c:1378 src/cryptsetup.c:1379
msgid "<device> [<new key file>]"
msgstr "<laite> [<uusi avaintiedosto>]"
#: src/cryptsetup.c:1366
#: src/cryptsetup.c:1378
msgid "formats a LUKS device"
msgstr "pohjustaa LUKS-laitteen"
#: src/cryptsetup.c:1367
#: src/cryptsetup.c:1379
msgid "add key to LUKS device"
msgstr "lisää avain LUKS-laitteeseen"
#: src/cryptsetup.c:1368 src/cryptsetup.c:1369
#: src/cryptsetup.c:1380 src/cryptsetup.c:1381
msgid "<device> [<key file>]"
msgstr "<laite> [<avaintiedosto>]"
#: src/cryptsetup.c:1368
#: src/cryptsetup.c:1380
msgid "removes supplied key or key file from LUKS device"
msgstr "poistaa tarjotun avaimen tai avaintiedoston LUKS-laitteesta"
#: src/cryptsetup.c:1369
#: src/cryptsetup.c:1381
msgid "changes supplied key or key file of LUKS device"
msgstr "vaihtaa LUKS-laitteen tarjotun avaimen tai avaintiedoston"
#: src/cryptsetup.c:1370
#: src/cryptsetup.c:1382
msgid "<device> <key slot>"
msgstr "<laite> <avainväli>"
#: src/cryptsetup.c:1370
#: src/cryptsetup.c:1382
msgid "wipes key with number <key slot> from LUKS device"
msgstr "pyyhkäisee pois avaimen numerolla <avainväli> LUKS-laitteesta"
#: src/cryptsetup.c:1371
#: src/cryptsetup.c:1383
msgid "print UUID of LUKS device"
msgstr "tulostaa LUKS-laitteen UUID-tunnuksen"
#: src/cryptsetup.c:1372
#: src/cryptsetup.c:1384
msgid "tests <device> for LUKS partition header"
msgstr "testaa <laite> LUKS-osio-otsakkeesta"
#: src/cryptsetup.c:1373
#: src/cryptsetup.c:1385
msgid "dump LUKS partition information"
msgstr "vedosta LUKS-osiotiedot"
#: src/cryptsetup.c:1374
#: src/cryptsetup.c:1386
msgid "dump TCRYPT device information"
msgstr "vedosta TCRYPT-laitetiedot"
#: src/cryptsetup.c:1375
#: src/cryptsetup.c:1387
msgid "Suspend LUKS device and wipe key (all IOs are frozen)."
msgstr "Keskeytä LUKS-laite ja pyyhi pois avain (kaikki siirräntäliitännät jäädytetään)."
#: src/cryptsetup.c:1376
#: src/cryptsetup.c:1388
msgid "Resume suspended LUKS device."
msgstr "Aloita uudelleen pysäytetty LUKS-laite."
#: src/cryptsetup.c:1377
#: src/cryptsetup.c:1389
msgid "Backup LUKS device header and keyslots"
msgstr "Varmuuskopioi LUKS-laiteotsake ja avainvälit"
#: src/cryptsetup.c:1378
#: src/cryptsetup.c:1390
msgid "Restore LUKS device header and keyslots"
msgstr "Palauta LUKS-laiteotsake ja avainvälit"
#: src/cryptsetup.c:1395 src/veritysetup.c:328
#: src/cryptsetup.c:1407 src/veritysetup.c:328
msgid ""
"\n"
"<action> is one of:\n"
@@ -1057,7 +1058,7 @@ msgstr ""
"\n"
"<toiminto> on yksi seuraavista:\n"
#: src/cryptsetup.c:1401
#: src/cryptsetup.c:1413
msgid ""
"\n"
"You can also use old <action> syntax aliases:\n"
@@ -1069,7 +1070,7 @@ msgstr ""
"\topen: luo (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
"\tclose: poista (plainClose), luksClose, loopaesClose, tcryptClose\n"
#: src/cryptsetup.c:1405
#: src/cryptsetup.c:1417
#, c-format
msgid ""
"\n"
@@ -1084,7 +1085,7 @@ msgstr ""
"<avainväli> on LUKS-avainväli muokattavaksi\n"
"<avaintiedosto> valinnainen avaintiedosto uudelle avaimelle luksAddKey-toimintoa varten\n"
#: src/cryptsetup.c:1412
#: src/cryptsetup.c:1424
#, c-format
msgid ""
"\n"
@@ -1098,7 +1099,7 @@ msgstr ""
"\tsalasanalauseen enimmäispituus %d (merkkiä)\n"
"PBKDF2-iteroinnin enimmäisaika LUKS-avainvälille: %d (millisekuntia)\n"
#: src/cryptsetup.c:1419
#: src/cryptsetup.c:1431
#, c-format
msgid ""
"\n"
@@ -1113,229 +1114,229 @@ msgstr ""
"\tplain-tyyppi: %s, Avain: %d bittiä, Salasanatiivistys: %s\n"
"\tLUKS1: %s, Avain: %d bittiä, LUKS-otsaketiivistys: %s, RNG: %s\n"
#: src/cryptsetup.c:1436 src/veritysetup.c:460
#: src/cryptsetup.c:1448 src/veritysetup.c:460
#, c-format
msgid "%s: requires %s as arguments"
msgstr "%s: vaatii %s argumentteina"
#: src/cryptsetup.c:1469 src/veritysetup.c:368 src/cryptsetup_reencrypt.c:1273
#: src/cryptsetup.c:1481 src/veritysetup.c:368 src/cryptsetup_reencrypt.c:1274
msgid "Show this help message"
msgstr "Näytä tämä opastesanoma"
#: src/cryptsetup.c:1470 src/veritysetup.c:369 src/cryptsetup_reencrypt.c:1274
#: src/cryptsetup.c:1482 src/veritysetup.c:369 src/cryptsetup_reencrypt.c:1275
msgid "Display brief usage"
msgstr "Näytä lyhyt käyttöopaste"
#: src/cryptsetup.c:1474 src/veritysetup.c:373 src/cryptsetup_reencrypt.c:1278
#: src/cryptsetup.c:1486 src/veritysetup.c:373 src/cryptsetup_reencrypt.c:1279
msgid "Help options:"
msgstr "Opastevalitsimet:"
#: src/cryptsetup.c:1475 src/veritysetup.c:374 src/cryptsetup_reencrypt.c:1279
#: src/cryptsetup.c:1487 src/veritysetup.c:374 src/cryptsetup_reencrypt.c:1280
msgid "Print package version"
msgstr "Tulosta pakkausversio"
#: src/cryptsetup.c:1476 src/veritysetup.c:375 src/cryptsetup_reencrypt.c:1280
#: src/cryptsetup.c:1488 src/veritysetup.c:375 src/cryptsetup_reencrypt.c:1281
msgid "Shows more detailed error messages"
msgstr "Näyttää yksityiskohtaisemmat virheilmoitukset"
#: src/cryptsetup.c:1477 src/veritysetup.c:376 src/cryptsetup_reencrypt.c:1281
#: src/cryptsetup.c:1489 src/veritysetup.c:376 src/cryptsetup_reencrypt.c:1282
msgid "Show debug messages"
msgstr "Näytä vianjäljityssanomat"
#: src/cryptsetup.c:1478 src/cryptsetup_reencrypt.c:1283
#: src/cryptsetup.c:1490 src/cryptsetup_reencrypt.c:1284
msgid "The cipher used to encrypt the disk (see /proc/crypto)"
msgstr "Salakirjoitusmenetelmä, jota käytetään salaamaan levy (katso /proc/crypto)"
#: src/cryptsetup.c:1479 src/cryptsetup_reencrypt.c:1285
#: src/cryptsetup.c:1491 src/cryptsetup_reencrypt.c:1286
msgid "The hash used to create the encryption key from the passphrase"
msgstr "Tiivisteavain, jota käytetään salausavaimen luomiseen salasanalauseesta"
#: src/cryptsetup.c:1480
#: src/cryptsetup.c:1492
msgid "Verifies the passphrase by asking for it twice"
msgstr "Todentaa salasanalauseen kysymällä kahdesti"
#: src/cryptsetup.c:1481 src/cryptsetup_reencrypt.c:1287
#: src/cryptsetup.c:1493 src/cryptsetup_reencrypt.c:1288
msgid "Read the key from a file."
msgstr "Lue avain tiedostosta."
#: src/cryptsetup.c:1482
#: src/cryptsetup.c:1494
msgid "Read the volume (master) key from file."
msgstr "Lue taltion (pää)avain tiedostosta."
#: src/cryptsetup.c:1483
#: src/cryptsetup.c:1495
msgid "Dump volume (master) key instead of keyslots info."
msgstr "Vedosta taltion (pää)avain eikä avainvälien tiedot."
#: src/cryptsetup.c:1484 src/cryptsetup_reencrypt.c:1284
#: src/cryptsetup.c:1496 src/cryptsetup_reencrypt.c:1285
msgid "The size of the encryption key"
msgstr "Salausavaimen koko"
#: src/cryptsetup.c:1484 src/cryptsetup_reencrypt.c:1284
#: src/cryptsetup.c:1496 src/cryptsetup_reencrypt.c:1285
msgid "BITS"
msgstr "BITTIÄ"
#: src/cryptsetup.c:1485 src/cryptsetup_reencrypt.c:1298
#: src/cryptsetup.c:1497 src/cryptsetup_reencrypt.c:1299
msgid "Limits the read from keyfile"
msgstr "Avaintiedostosta luettavat rajat"
#: src/cryptsetup.c:1485 src/cryptsetup.c:1486 src/cryptsetup.c:1487
#: src/cryptsetup.c:1488 src/veritysetup.c:379 src/veritysetup.c:380
#: src/veritysetup.c:382 src/cryptsetup_reencrypt.c:1297
#: src/cryptsetup_reencrypt.c:1298 src/cryptsetup_reencrypt.c:1299
#: src/cryptsetup_reencrypt.c:1300
#: src/cryptsetup.c:1497 src/cryptsetup.c:1498 src/cryptsetup.c:1499
#: src/cryptsetup.c:1500 src/veritysetup.c:379 src/veritysetup.c:380
#: src/veritysetup.c:382 src/cryptsetup_reencrypt.c:1298
#: src/cryptsetup_reencrypt.c:1299 src/cryptsetup_reencrypt.c:1300
#: src/cryptsetup_reencrypt.c:1301
msgid "bytes"
msgstr "tavua"
#: src/cryptsetup.c:1486 src/cryptsetup_reencrypt.c:1297
#: src/cryptsetup.c:1498 src/cryptsetup_reencrypt.c:1298
msgid "Number of bytes to skip in keyfile"
msgstr "Avaintiedostossa ohitettavien tavujen määrä"
#: src/cryptsetup.c:1487
#: src/cryptsetup.c:1499
msgid "Limits the read from newly added keyfile"
msgstr "Äskettäin lisätystä avaintiedostosta luetut rajat"
#: src/cryptsetup.c:1488
#: src/cryptsetup.c:1500
msgid "Number of bytes to skip in newly added keyfile"
msgstr "Ohitettu tavumäärä äskettäin lisätyssä avaintiedostossa"
#: src/cryptsetup.c:1489
#: src/cryptsetup.c:1501
msgid "Slot number for new key (default is first free)"
msgstr "Välinumero uudelle avaimelle (oletus on ensimmäinen vapaa)"
#: src/cryptsetup.c:1490
#: src/cryptsetup.c:1502
msgid "The size of the device"
msgstr "Laitteen koko"
#: src/cryptsetup.c:1490 src/cryptsetup.c:1491 src/cryptsetup.c:1492
#: src/cryptsetup.c:1498
#: src/cryptsetup.c:1502 src/cryptsetup.c:1503 src/cryptsetup.c:1504
#: src/cryptsetup.c:1510
msgid "SECTORS"
msgstr "SEKTORIA"
#: src/cryptsetup.c:1491
#: src/cryptsetup.c:1503
msgid "The start offset in the backend device"
msgstr "Alkusiirrososoite taustalaitteessa"
#: src/cryptsetup.c:1492
#: src/cryptsetup.c:1504
msgid "How many sectors of the encrypted data to skip at the beginning"
msgstr "Kuinka monta salaustietojen sektoria ohitetaan alussa"
#: src/cryptsetup.c:1493
#: src/cryptsetup.c:1505
msgid "Create a readonly mapping"
msgstr "Luo kirjoitussuojattu kuvaus"
#: src/cryptsetup.c:1494 src/cryptsetup_reencrypt.c:1288
#: src/cryptsetup.c:1506 src/cryptsetup_reencrypt.c:1289
msgid "PBKDF2 iteration time for LUKS (in ms)"
msgstr "PBKDF2-iterointiaika kohteelle LUKS (millisekunneissa)"
#: src/cryptsetup.c:1494 src/cryptsetup_reencrypt.c:1288
#: src/cryptsetup.c:1506 src/cryptsetup_reencrypt.c:1289
msgid "msecs"
msgstr "ms"
#: src/cryptsetup.c:1495 src/cryptsetup_reencrypt.c:1289
#: src/cryptsetup.c:1507 src/cryptsetup_reencrypt.c:1290
msgid "Do not ask for confirmation"
msgstr "Älä pyydä vahvistusta"
#: src/cryptsetup.c:1496
#: src/cryptsetup.c:1508
msgid "Timeout for interactive passphrase prompt (in seconds)"
msgstr "Aikakatkaisu vuorovaikutteiselle salasanalausekyselylle (sekunteina)"
#: src/cryptsetup.c:1496
#: src/cryptsetup.c:1508
msgid "secs"
msgstr "s"
#: src/cryptsetup.c:1497 src/cryptsetup_reencrypt.c:1290
#: src/cryptsetup.c:1509 src/cryptsetup_reencrypt.c:1291
msgid "How often the input of the passphrase can be retried"
msgstr "Kuinka usein salasanasyötettä voidaan yrittää uudelleen"
#: src/cryptsetup.c:1498
#: src/cryptsetup.c:1510
msgid "Align payload at <n> sector boundaries - for luksFormat"
msgstr "Tasaa tietosisältö osoitteessa <n> sektorirajoihin - kohdetta luksFormat varten"
#: src/cryptsetup.c:1499
#: src/cryptsetup.c:1511
msgid "File with LUKS header and keyslots backup."
msgstr "Tiedosto LUKS-otsakkeella ja avainvälien varmuuskopiolla."
#: src/cryptsetup.c:1500 src/cryptsetup_reencrypt.c:1291
#: src/cryptsetup.c:1512 src/cryptsetup_reencrypt.c:1292
msgid "Use /dev/random for generating volume key."
msgstr "Käytä /dev/random taltioavaimen synnyttämiseen."
#: src/cryptsetup.c:1501 src/cryptsetup_reencrypt.c:1292
#: src/cryptsetup.c:1513 src/cryptsetup_reencrypt.c:1293
msgid "Use /dev/urandom for generating volume key."
msgstr "Käytä /dev/urandom taltioavaimen synnyttämiseen."
#: src/cryptsetup.c:1502
#: src/cryptsetup.c:1514
msgid "Share device with another non-overlapping crypt segment."
msgstr "Jaa laite toisen ei-päällekkäisen salaussegmentin kanssa."
#: src/cryptsetup.c:1503 src/veritysetup.c:385
#: src/cryptsetup.c:1515 src/veritysetup.c:385
msgid "UUID for device to use."
msgstr "UUID laitteelle käytettäväksi."
#: src/cryptsetup.c:1504
#: src/cryptsetup.c:1516
msgid "Allow discards (aka TRIM) requests for device."
msgstr "Salli hylkäys(lempinimeltään TRIM)-pyynnöt laitteelle."
#: src/cryptsetup.c:1505
#: src/cryptsetup.c:1517
msgid "Device or file with separated LUKS header."
msgstr "Laite tai tiedosto erillisellä LUKS-otsakkeella."
#: src/cryptsetup.c:1506
#: src/cryptsetup.c:1518
msgid "Do not activate device, just check passphrase."
msgstr "Älä aktivoi laitetta, tarkista vain salasanalauseke."
#: src/cryptsetup.c:1507
#: src/cryptsetup.c:1519
msgid "Use hidden header (hidden TCRYPT device)."
msgstr "Käytä piilotettua otsaketta (piilotettu TCRYPT-laite)."
#: src/cryptsetup.c:1508
#: src/cryptsetup.c:1520
msgid "Device is system TCRYPT drive (with bootloader)."
msgstr "Laite on järjestelmä-TCRYPT-levyasema (alkulatausohjelmalla)."
#: src/cryptsetup.c:1509
#: src/cryptsetup.c:1521
msgid "Use backup (secondary) TCRYPT header."
msgstr "Käytä (toissijaista) TCRYPT-varmuuskopio-otsaketta."
#: src/cryptsetup.c:1510
#: src/cryptsetup.c:1522
msgid "Scan also for VeraCrypt compatible device."
msgstr "Tutkinta myös VeraCrypt-yhteensopivalle laitteelle."
#: src/cryptsetup.c:1511
#: src/cryptsetup.c:1523
msgid "Type of device metadata: luks, plain, loopaes, tcrypt."
msgstr "Laitemetatietojen tyyppi: luks, plain, loopaes, tcrypt."
#: src/cryptsetup.c:1512
#: src/cryptsetup.c:1524
msgid "Disable password quality check (if enabled)."
msgstr "Ota pois käytöstä salasanan laatutarkistus (jos käytössä)."
#: src/cryptsetup.c:1513
#: src/cryptsetup.c:1525
msgid "Use dm-crypt same_cpu_crypt performance compatibility option."
msgstr "Käytä dm-crypt same_cpu_crypt-suorituskyky-yhteensopivuusvalitsinta."
#: src/cryptsetup.c:1514
#: src/cryptsetup.c:1526
msgid "Use dm-crypt submit_from_crypt_cpus performance compatibility option."
msgstr "Käytä dm-crypt submit_from_crypt_cpus-suorituskyky-yhteensopivuusvalitsinta."
#: src/cryptsetup.c:1530 src/veritysetup.c:402
#: src/cryptsetup.c:1542 src/veritysetup.c:402
msgid "[OPTION...] <action> <action-specific>"
msgstr "[VALITSIN...] <toiminto> <toimintokohtainen>"
#: src/cryptsetup.c:1577 src/veritysetup.c:439
#: src/cryptsetup.c:1589 src/veritysetup.c:439
msgid "Argument <action> missing."
msgstr "Argumentti <toiminto> puuttuu."
#: src/cryptsetup.c:1630 src/veritysetup.c:445
#: src/cryptsetup.c:1642 src/veritysetup.c:445
msgid "Unknown action."
msgstr "Tuntematon toiminto."
#: src/cryptsetup.c:1640
#: src/cryptsetup.c:1652
msgid "Option --shared is allowed only for open of plain device.\n"
msgstr "Valitsin --shared sallitaan vain pelkän laitteen avaukseen.\n"
#: src/cryptsetup.c:1645
#: src/cryptsetup.c:1657
msgid "Option --allow-discards is allowed only for open operation.\n"
msgstr "Valitsin --allow-discards sallitaan vain open-toiminnolle.\n"
#: src/cryptsetup.c:1653
#: src/cryptsetup.c:1665
msgid ""
"Option --key-size is allowed only for luksFormat, open and benchmark.\n"
"To limit read from keyfile use --keyfile-size=(bytes)."
@@ -1343,60 +1344,60 @@ msgstr ""
"Valitsin --key-size sallitaan vain muodoille luksFormat, open ja benchmark.\n"
"Käytä avaintiedostosta lukemisen rajoittamiseksi valitsinta --keyfile-size=(tavua)."
#: src/cryptsetup.c:1660
#: src/cryptsetup.c:1672
msgid "Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"
msgstr "Valitsin --test-passphrase sallitaan vain LUKS- ja TCRYPT-laitteiden avaamiseen.\n"
#: src/cryptsetup.c:1665 src/cryptsetup_reencrypt.c:1361
#: src/cryptsetup.c:1677 src/cryptsetup_reencrypt.c:1360
msgid "Key size must be a multiple of 8 bits"
msgstr "Avainkoon on oltava 8-bitin monikerta"
#: src/cryptsetup.c:1672 src/cryptsetup_reencrypt.c:1366
#: src/cryptsetup.c:1684 src/cryptsetup_reencrypt.c:1365
msgid "Key slot is invalid."
msgstr "Avainväli on virheellinen."
#: src/cryptsetup.c:1679
#: src/cryptsetup.c:1691
msgid "Option --key-file takes precedence over specified key file argument.\n"
msgstr "Valitsin --key-file on ensisijainen määritellylle avaintiedostoargumentille.\n"
#: src/cryptsetup.c:1687 src/veritysetup.c:467 src/cryptsetup_reencrypt.c:1350
#: src/cryptsetup.c:1699 src/veritysetup.c:467 src/cryptsetup_reencrypt.c:1349
msgid "Negative number for option not permitted."
msgstr "Valitsimelle ei sallita negatiivista numeroa."
#: src/cryptsetup.c:1691 src/cryptsetup_reencrypt.c:1344
#: src/cryptsetup_reencrypt.c:1370
#: src/cryptsetup.c:1703 src/cryptsetup_reencrypt.c:1343
#: src/cryptsetup_reencrypt.c:1369
msgid "Only one of --use-[u]random options is allowed."
msgstr "Vain yksi --use-[u]random -valitsin on sallittu."
#: src/cryptsetup.c:1695
#: src/cryptsetup.c:1707
msgid "Option --use-[u]random is allowed only for luksFormat."
msgstr "Valitsin --use-[u]random sallitaan vain luksFormat-muodolle."
#: src/cryptsetup.c:1699
#: src/cryptsetup.c:1711
msgid "Option --uuid is allowed only for luksFormat and luksUUID."
msgstr "Valitsin --uuid sallitaan vain luksFormat-muodolle ja luksUUID-muodolle."
#: src/cryptsetup.c:1703
#: src/cryptsetup.c:1715
msgid "Option --align-payload is allowed only for luksFormat."
msgstr "Valitsin --align-payload sallitaan vain luksFormat-muodolle."
#: src/cryptsetup.c:1709
#: src/cryptsetup.c:1721
msgid "Option --skip is supported only for open of plain and loopaes devices.\n"
msgstr "Valitsinta --skip tuetaan vain plain- ja loopaes-laitteiden avaamiseen.\n"
#: src/cryptsetup.c:1715
#: src/cryptsetup.c:1727
msgid "Option --offset is supported only for open of plain and loopaes devices.\n"
msgstr "Valitsinta --offset tuetaan vain plain- ja loopaes-laitteiden avaamiseen.\n"
#: src/cryptsetup.c:1721
#: src/cryptsetup.c:1733
msgid "Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"
msgstr "Valitsinta --tcrypt-hidden, --tcrypt-system tai --tcrypt-backup tuetaan vain TCRYPT-laiteeelle.\n"
#: src/cryptsetup.c:1726
#: src/cryptsetup.c:1738
msgid "Option --tcrypt-hidden cannot be combined with --allow-discards.\n"
msgstr "Valitsinta --tcrypt-hidden ei voida yhdistää valitsimeen --allow-discards.\n"
#: src/cryptsetup.c:1731
#: src/cryptsetup.c:1743
msgid "Option --veracrypt is supported only for TCRYPT device type.\n"
msgstr "Valitsinta --veracrypt tuetaan vain TCRYPT-laiteeelle.\n"
@@ -1537,7 +1538,7 @@ msgstr "Kohteen %s avaaminen eksklusiivisesti epäonnistui, laite on käytössä
msgid "Cannot open device %s\n"
msgstr "Laitteen %s avaus epäonnistui.\n"
#: src/cryptsetup_reencrypt.c:161 src/cryptsetup_reencrypt.c:913
#: src/cryptsetup_reencrypt.c:161 src/cryptsetup_reencrypt.c:914
msgid "Allocation of aligned memory failed.\n"
msgstr "Tasatun muistin varaaminen epäonnistui.\n"
@@ -1574,138 +1575,134 @@ msgstr "Uudelleensalauslokitiedoston lukeminen epäonnistui.\n"
msgid "Log file %s exists, resuming reencryption.\n"
msgstr "Lokitiedosto %s on olemassa, aloitetaan salaus uudelleen.\n"
#: src/cryptsetup_reencrypt.c:423
#: src/cryptsetup_reencrypt.c:424
msgid "Activating temporary device using old LUKS header.\n"
msgstr "Aktivoidaan tilapäinen laite käyttäen vanhaa LUKS-otsaketta.\n"
#: src/cryptsetup_reencrypt.c:434
#: src/cryptsetup_reencrypt.c:435
msgid "Activating temporary device using new LUKS header.\n"
msgstr "Aktivoidaan tilapäinen laite käyttäen uutta LUKS-otsaketta.\n"
#: src/cryptsetup_reencrypt.c:444
#: src/cryptsetup_reencrypt.c:445
msgid "Activation of temporary devices failed.\n"
msgstr "Tilapäisten laitteiden aktivoiminen epäonnistui.\n"
#: src/cryptsetup_reencrypt.c:470
#: src/cryptsetup_reencrypt.c:471
#, c-format
msgid "New LUKS header for device %s created.\n"
msgstr "Luotiin uusi LUKS-otsake laitteelle %s.\n"
#: src/cryptsetup_reencrypt.c:478
#: src/cryptsetup_reencrypt.c:479
#, c-format
msgid "Activated keyslot %i.\n"
msgstr "Aktivoitiin avainväli %i.\n"
#: src/cryptsetup_reencrypt.c:504
#: src/cryptsetup_reencrypt.c:505
#, c-format
msgid "LUKS header backup of device %s created.\n"
msgstr "Laitteen %s LUKS-otsakkeen varmuuskopio luotu.\n"
#: src/cryptsetup_reencrypt.c:552
#: src/cryptsetup_reencrypt.c:553
msgid "Creation of LUKS backup headers failed.\n"
msgstr "LUKS-varmuuskopio-otsakkeiden luominen epäonnistui.\n"
#: src/cryptsetup_reencrypt.c:654
#: src/cryptsetup_reencrypt.c:655
#, c-format
msgid "Cannot restore LUKS header on device %s.\n"
msgstr "LUKS-otsakkeen palautus laitteeseen %s epäonnistui.\n"
#: src/cryptsetup_reencrypt.c:656
#: src/cryptsetup_reencrypt.c:657
#, c-format
msgid "LUKS header on device %s restored.\n"
msgstr "LUKS-otsake palautettu laitteessa %s.\n"
#: src/cryptsetup_reencrypt.c:689
#: src/cryptsetup_reencrypt.c:690
#, c-format
msgid "Progress: %5.1f%%, ETA %02llu:%02llu, %4llu MiB written, speed %5.1f MiB/s%s"
msgstr "Eteneminen: %5.1f%%, ETA %02llu:%02llu, %4llu Mebitavua kirjoitettu, nopeus %5.1f Mebitavua/s%s"
#: src/cryptsetup_reencrypt.c:728 src/cryptsetup_reencrypt.c:804
#: src/cryptsetup_reencrypt.c:846
#: src/cryptsetup_reencrypt.c:729 src/cryptsetup_reencrypt.c:805
#: src/cryptsetup_reencrypt.c:847
msgid "Cannot seek to device offset.\n"
msgstr "Laitteen siirrososoitteen etsintä epäonnistui.\n"
#: src/cryptsetup_reencrypt.c:885 src/cryptsetup_reencrypt.c:891
#: src/cryptsetup_reencrypt.c:886 src/cryptsetup_reencrypt.c:892
msgid "Cannot open temporary LUKS device.\n"
msgstr "Tilapäisen LUKS-laitteen avaaminen epäonnistui.\n"
#: src/cryptsetup_reencrypt.c:896 src/cryptsetup_reencrypt.c:901
#: src/cryptsetup_reencrypt.c:897 src/cryptsetup_reencrypt.c:902
msgid "Cannot get device size.\n"
msgstr "Laitekoon hakeminen epäonnistui.\n"
#: src/cryptsetup_reencrypt.c:939
#: src/cryptsetup_reencrypt.c:940
msgid "Interrupted by a signal.\n"
msgstr "Signaalin keskeyttämä.\n"
#: src/cryptsetup_reencrypt.c:941
#: src/cryptsetup_reencrypt.c:942
msgid "IO error during reencryption.\n"
msgstr "Siirräntävirhe uudelleensalauksen aikana.\n"
#: src/cryptsetup_reencrypt.c:1048
#: src/cryptsetup_reencrypt.c:1049
msgid "Key file can be used only with --key-slot or with exactly one key slot active.\n"
msgstr "Avaintiedostoa voidaan käyttää vain valitsimen --key-slot kanssa tai täsmälleen yhden avainvälin ollessa aktiivisena.\n"
#: src/cryptsetup_reencrypt.c:1092 src/cryptsetup_reencrypt.c:1107
#: src/cryptsetup_reencrypt.c:1093 src/cryptsetup_reencrypt.c:1108
#, c-format
msgid "Enter passphrase for key slot %u: "
msgstr "Kirjoita salasanalause avainvälille %u: "
#: src/cryptsetup_reencrypt.c:1156
#: src/cryptsetup_reencrypt.c:1157
msgid "Cannot open reencryption log file.\n"
msgstr "Uudelleensalauslokitiedoston avaus epäonnistui.\n"
#: src/cryptsetup_reencrypt.c:1282
#: src/cryptsetup_reencrypt.c:1283
msgid "Reencryption block size"
msgstr "Uudelleensalauslohkon koko"
#: src/cryptsetup_reencrypt.c:1282
#: src/cryptsetup_reencrypt.c:1283
msgid "MiB"
msgstr "Mebitavua"
#: src/cryptsetup_reencrypt.c:1286
#: src/cryptsetup_reencrypt.c:1287
msgid "Do not change key, no data area reencryption."
msgstr "Älä vaihda avainta, yhtään data-aluetta ei ole salattu uudelleen."
#: src/cryptsetup_reencrypt.c:1293
#: src/cryptsetup_reencrypt.c:1294
msgid "Use direct-io when accessing devices."
msgstr "Käytä direct-io -siirräntää laitteisiin yhdistettäessä."
#: src/cryptsetup_reencrypt.c:1294
#: src/cryptsetup_reencrypt.c:1295
msgid "Use fsync after each block."
msgstr "Käytä fsync-komentoa jokaisen lohkon jälkeen."
#: src/cryptsetup_reencrypt.c:1295
#: src/cryptsetup_reencrypt.c:1296
msgid "Update log file after every block."
msgstr "Päivitä lokitiedosto jokaisen lohkon jälkeen."
#: src/cryptsetup_reencrypt.c:1296
#: src/cryptsetup_reencrypt.c:1297
msgid "Use only this slot (others will be disabled)."
msgstr "Käytä vain tätä väliä (muut ovat pois käytöstä)."
#: src/cryptsetup_reencrypt.c:1299
#: src/cryptsetup_reencrypt.c:1300
msgid "Reduce data device size (move data offset). DANGEROUS!"
msgstr "Pienennä datalaitekokoa (siirrä datasiirrososoitetta). VAARALLINEN!"
#: src/cryptsetup_reencrypt.c:1300
#: src/cryptsetup_reencrypt.c:1301
msgid "Use only specified device size (ignore rest of device). DANGEROUS!"
msgstr "Käytä vain määriteltyä laitekokoa (ohita laitteen loppu). VAARALLINEN!"
#: src/cryptsetup_reencrypt.c:1301
#: src/cryptsetup_reencrypt.c:1302
msgid "Create new header on not encrypted device."
msgstr "Luo uusi otsake ei-salattuun laitteeseen."
#: src/cryptsetup_reencrypt.c:1302
#: src/cryptsetup_reencrypt.c:1303
msgid "Permanently decrypt device (remove encryption)."
msgstr "Poista laitteen salaus pysyvästi (poista salaus)"
#: src/cryptsetup_reencrypt.c:1318
#: src/cryptsetup_reencrypt.c:1319
msgid "[OPTION...] <device>"
msgstr "[VALITSIN...] <laite>"
#: src/cryptsetup_reencrypt.c:1332
msgid "WARNING: this is experimental code, it can completely break your data.\n"
msgstr "VAROITUS: tämä on kokeellista koodia, se voi rikkoa tietosi kokonaan.\n"
#: src/cryptsetup_reencrypt.c:1333
#, c-format
msgid "Reencryption will change: volume key%s%s%s%s.\n"
@@ -1719,39 +1716,39 @@ msgstr ", aseta tiivisteeksi "
msgid ", set cipher to "
msgstr ", aseta salaukseksi "
#: src/cryptsetup_reencrypt.c:1340
#: src/cryptsetup_reencrypt.c:1339
msgid "Argument required."
msgstr "Argumentti vaadittu."
#: src/cryptsetup_reencrypt.c:1356
#: src/cryptsetup_reencrypt.c:1355
msgid "Only values between 1 MiB and 64 MiB allowed for reencryption block size."
msgstr "Vain arvot välillä 1 mebitavua ja 64 mebitavua ovat sallittuja uudelleensalauslohkokokoja."
#: src/cryptsetup_reencrypt.c:1375 src/cryptsetup_reencrypt.c:1380
#: src/cryptsetup_reencrypt.c:1374 src/cryptsetup_reencrypt.c:1379
msgid "Invalid device size specification."
msgstr "Virheellinen laitekokomäärittely."
#: src/cryptsetup_reencrypt.c:1383
#: src/cryptsetup_reencrypt.c:1382
msgid "Maximum device reduce size is 64 MiB."
msgstr "Maksimi laitepienennyskoko on 64 mebitavua."
#: src/cryptsetup_reencrypt.c:1386
#: src/cryptsetup_reencrypt.c:1385
msgid "Reduce size must be multiple of 512 bytes sector."
msgstr "Pienennyskoon on oltava 512-tavuisen sektorin monikerta."
#: src/cryptsetup_reencrypt.c:1390
#: src/cryptsetup_reencrypt.c:1389
msgid "Option --new must be used together with --reduce-device-size."
msgstr "Valitsinta --new on käytettävä yhdessä valitsimen --reduce-device-size kanssa."
#: src/cryptsetup_reencrypt.c:1394
#: src/cryptsetup_reencrypt.c:1393
msgid "Option --keep-key can be used only with --hash or --iter-time."
msgstr "Valitsinta --keep-key voidaan käyttää vain valitsimen --hash tai --iter-time kanssa."
#: src/cryptsetup_reencrypt.c:1398
#: src/cryptsetup_reencrypt.c:1397
msgid "Option --new cannot be used together with --decrypt."
msgstr "Valitsinta --new ei voi käytttää yhdessä valitsimen --decrypt kanssa."
#: src/cryptsetup_reencrypt.c:1402
#: src/cryptsetup_reencrypt.c:1401
msgid "Option --decrypt is incompatible with specified parameters."
msgstr "Valitsin --decrypt on yhteensopimaton määriteltyjen parametrien kanssa."
@@ -1768,7 +1765,7 @@ msgstr "Komento onnistui.\n"
msgid "Command failed with code %i"
msgstr "Komento epäonnistui koodilla %i"
#: src/utils_password.c:42
#: src/utils_password.c:42 src/utils_password.c:74
#, c-format
msgid "Cannot check password quality: %s\n"
msgstr "Salasanan laatutarkistus epäonnistui: %s\n"
@@ -1782,6 +1779,14 @@ msgstr ""
"Salasanan laatutarkistus epäonnistui:\n"
" %s\n"
#: src/utils_password.c:82
#, c-format
msgid "Password quality check failed: Bad passphrase (%s)\n"
msgstr "Salasanan laatutarkistus epäonnistui: Virheellinen salasana (%s)\n"
#~ msgid "WARNING: this is experimental code, it can completely break your data.\n"
#~ msgstr "VAROITUS: tämä on kokeellista koodia, se voi rikkoa tietosi kokonaan.\n"
#~ msgid "FIPS checksum verification failed.\n"
#~ msgstr "FIPS-tarkistussummavarmennus epäonnistui.\n"

822
po/fr.po
View File

File diff suppressed because it is too large Load Diff

1
po/id.po
View File

@@ -11,6 +11,7 @@ msgstr ""
"PO-Revision-Date: 2010-01-27 07:30+0700\n"
"Last-Translator: Arif E. Nugroho <arif_endro@yahoo.com>\n"
"Language-Team: Indonesian <translation-team-id@lists.sourceforge.net>\n"
"X-Bugs: Report translation errors to the Language-Team address.\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=ISO-8859-1\n"
"Content-Transfer-Encoding: 8bit\n"

1095
po/it.po
View File

File diff suppressed because it is too large Load Diff

784
po/nl.po
View File

File diff suppressed because it is too large Load Diff

768
po/pl.po
View File

File diff suppressed because it is too large Load Diff

1840
po/pt_BR.po Normal file
View File

File diff suppressed because it is too large Load Diff

808
po/sr.po
View File

File diff suppressed because it is too large Load Diff

2142
po/sv.po
View File

File diff suppressed because it is too large Load Diff

780
po/uk.po
View File

File diff suppressed because it is too large Load Diff

786
po/vi.po
View File

File diff suppressed because it is too large Load Diff

494
po/zh_CN.po
View File

File diff suppressed because it is too large Load Diff

4
python/pycryptsetup-test.py
View File

@@ -2,7 +2,7 @@
#
# Python bindings to libcryptsetup test
#
# Copyright (C) 2011-2014, Red Hat, Inc. All rights reserved.
# Copyright (C) 2011-2017, Red Hat, Inc. All rights reserved.
#
# This file is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
@@ -74,7 +74,7 @@ r = c.isLuks()
print("isLuks :", r)
c.askyes(message = "Is there anybody out there?")
c.log(priority = pycryptsetup.CRYPT_LOG_ERROR, message = "Nobody there...\n")
c.luksFormat(cipher = "aes", cipherMode= "xts-plain64", keysize = 512)
c.luksFormat(cipher = "aes", cipherMode= "xts-plain64", keysize = 512, hashMode = "sha256")
print("isLuks :", c.isLuks())
print("luksUUID:", c.luksUUID())
print("addKeyVK:", c.addKeyByVolumeKey(newPassphrase = PASSWORD, slot = 2))

28
python/pycryptsetup.c
View File

@@ -1,7 +1,7 @@
/*
* Python bindings to libcryptsetup
*
* Copyright (C) 2009-2014, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
* Written by Martin Sivak
*
* This file is free software; you can redistribute it and/or
@@ -413,22 +413,26 @@ static PyObject *CryptSetup_Info(CryptSetupObject* self, PyObject *args, PyObjec
static char
CryptSetup_luksFormat_HELP[] =
"Format device to enable LUKS\n\n\
luksFormat(cipher = 'aes', cipherMode = 'cbc-essiv:sha256', keysize = 256)\n\n\
luksFormat(cipher = 'aes', cipherMode = 'cbc-essiv:sha256', keysize = 256, hashMode = 'sha256')\n\n\
cipher - cipher specification, e.g. aes, serpent\n\
cipherMode - cipher mode specification, e.g. cbc-essiv:sha256, xts-plain64\n\
keysize - key size in bits";
keysize - key size in bits\n\
hashMode - hash specification, e.g. sha256";
static PyObject *CryptSetup_luksFormat(CryptSetupObject* self, PyObject *args, PyObject *kwds)
{
static const char *kwlist[] = {"cipher", "cipherMode", "keysize", NULL};
char *cipher_mode = NULL, *cipher = NULL;
int keysize = 256;
static const char *kwlist[] = {"cipher", "cipherMode", "keysize", "hashMode", NULL};
char *cipher_mode = NULL, *cipher = NULL, *hashMode = NULL;
int keysize = DEFAULT_LUKS1_KEYBITS;
PyObject *keysize_object = NULL;
struct crypt_params_luks1 params = {};
if (!PyArg_ParseTupleAndKeywords(args, kwds, "|zzO", CONST_CAST(char**)kwlist,
&cipher, &cipher_mode, &keysize_object))
if (!PyArg_ParseTupleAndKeywords(args, kwds, "|zzOz", CONST_CAST(char**)kwlist,
&cipher, &cipher_mode, &keysize_object,
&hashMode))
return NULL;
params.hash = hashMode;
if (!keysize_object || keysize_object == Py_None) {
/* use default value */
} else if (!PyInt_Check(keysize_object)) {
@@ -443,10 +447,10 @@ static PyObject *CryptSetup_luksFormat(CryptSetupObject* self, PyObject *args, P
} else
keysize = PyInt_AsLong(keysize_object);
// FIXME use #defined defaults
return PyObjectResult(crypt_format(self->device, CRYPT_LUKS1,
cipher ?: "aes", cipher_mode ?: "cbc-essiv:sha256",
NULL, NULL, keysize / 8, NULL));
cipher ?: DEFAULT_LUKS1_CIPHER,
cipher_mode ?: DEFAULT_LUKS1_MODE,
NULL, NULL, keysize / 8, &params));
}
static char
@@ -640,7 +644,7 @@ static char
CryptSetup_iterationTime_HELP[] =
"Set iteration time\n\n\
iterationTime(time_ms)\n\n\
time_ms - time in miliseconds";
time_ms - time in milliseconds";
static PyObject *CryptSetup_iterationTime(CryptSetupObject* self, PyObject *args, PyObject *kwds)
{

6
src/Makefile.am
View File

@@ -20,7 +20,8 @@ cryptsetup_SOURCES = \
cryptsetup_LDADD = \
$(top_builddir)/lib/libcryptsetup.la \
@POPT_LIBS@ \
@PWQUALITY_LIBS@
@PWQUALITY_LIBS@ \
@PASSWDQC_LIBS@
cryptsetup_CFLAGS = $(AM_CFLAGS) -Wall
@@ -76,7 +77,8 @@ cryptsetup_reencrypt_SOURCES = \
cryptsetup_reencrypt.c \
cryptsetup.h
cryptsetup_reencrypt_LDADD = $(cryptsetup_LDADD)
cryptsetup_reencrypt_LDADD = $(cryptsetup_LDADD) \
@UUID_LIBS@
cryptsetup_reencrypt_CFLAGS = $(cryptsetup_CFLAGS)
sbin_PROGRAMS += cryptsetup-reencrypt

59
src/cryptsetup.c
View File

@@ -3,8 +3,8 @@
*
* Copyright (C) 2004, Jana Saout <jana@saout.de>
* Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
* Copyright (C) 2009-2015, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2015, Milan Broz
* Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2017, Milan Broz
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -28,6 +28,7 @@ static const char *opt_hash = NULL;
static int opt_verify_passphrase = 0;
static const char *opt_key_file = NULL;
static const char *opt_keyfile_stdin = NULL;
static int opt_keyfiles_count = 0;
static const char *opt_keyfiles[MAX_KEYFILES];
@@ -239,11 +240,14 @@ static int tcrypt_load(struct crypt_device *cd, struct crypt_params_tcrypt *para
{
int r, tries = opt_tries, eperm = 0;
if (opt_keyfile_stdin)
tries = 1;
do {
/* TCRYPT header is encrypted, get passphrase now */
r = tools_get_key(_("Enter passphrase: "),
CONST_CAST(char**)&params->passphrase,
&params->passphrase_size, 0, 0, NULL, opt_timeout,
&params->passphrase_size, 0, 0, opt_keyfile_stdin, opt_timeout,
_verify_passphrase(0), 0, cd);
if (r < 0)
continue;
@@ -467,7 +471,7 @@ static int action_status(void)
log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
"readonly" : "read/write");
if (cad.flags & (CRYPT_ACTIVATE_ALLOW_DISCARDS|
CRYPT_ACTIVATE_ALLOW_DISCARDS|
CRYPT_ACTIVATE_SAME_CPU_CRYPT|
CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS))
log_std(" flags: %s%s%s\n",
(cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS) ? "discards " : "",
@@ -491,8 +495,8 @@ static int action_benchmark_kdf(const char *hash)
if (r < 0)
log_std("PBKDF2-%-9s N/A\n", hash);
else
log_std("PBKDF2-%-9s %7" PRIu64 " iterations per second\n",
hash, kdf_iters);
log_std("PBKDF2-%-9s %7" PRIu64 " iterations per second for %d-bit key\n",
hash, kdf_iters, DEFAULT_LUKS1_KEYBITS);
return r;
}
@@ -576,8 +580,8 @@ static int action_benchmark(void)
key_size / 8, iv_size,
&enc_mbr, &dec_mbr);
if (!r) {
log_std(N_("# Algorithm | Key | Encryption | Decryption\n"));
log_std("%8s-%s %4db %6.1f MiB/s %6.1f MiB/s\n",
log_std(N_("# Algorithm | Key | Encryption | Decryption\n"));
log_std("%11s-%s %4db %6.1f MiB/s %6.1f MiB/s\n",
cipher, cipher_mode, key_size, enc_mbr, dec_mbr);
} else if (r == -ENOENT)
log_err(_("Cipher %s is not available.\n"), opt_cipher);
@@ -598,15 +602,15 @@ static int action_benchmark(void)
if (r == -ENOENT)
skipped++;
if (i == 0)
log_std(N_("# Algorithm | Key | Encryption | Decryption\n"));
log_std(N_("# Algorithm | Key | Encryption | Decryption\n"));
snprintf(cipher, MAX_CIPHER_LEN, "%s-%s",
bciphers[i].cipher, bciphers[i].mode);
if (!r)
log_std("%12s %4zub %6.1f MiB/s %6.1f MiB/s\n",
log_std("%15s %4zub %6.1f MiB/s %6.1f MiB/s\n",
cipher, bciphers[i].key_size*8, enc_mbr, dec_mbr);
else
log_std("%12s %4zub %13s %13s\n", cipher,
log_std("%15s %4zub %13s %13s\n", cipher,
bciphers[i].key_size*8, _("N/A"), _("N/A"));
}
if (skipped && skipped == i)
@@ -827,7 +831,8 @@ static int verify_keyslot(struct crypt_device *cd, int key_slot,
int i, r;
ki = crypt_keyslot_status(cd, key_slot);
if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !yesDialog(msg_last, NULL))
if (ki == CRYPT_SLOT_ACTIVE_LAST && !opt_batch_mode && !key_file &&
msg_last && !yesDialog(msg_last, NULL))
return -EPERM;
r = tools_get_key(msg_pass, &password, &passwordLen,
@@ -854,6 +859,10 @@ static int verify_keyslot(struct crypt_device *cd, int key_slot,
}
}
/* Handle inactive keyslots the same as bad password here */
if (r == -ENOENT)
r = -EPERM;
if (r == -EPERM)
log_err(_("No key available with this passphrase.\n"));
out:
@@ -887,11 +896,17 @@ static int action_luksKillSlot(void)
goto out;
}
if (!opt_batch_mode) {
if (!opt_batch_mode || opt_key_file || !isatty(STDIN_FILENO)) {
r = verify_keyslot(cd, opt_key_slot,
_("This is the last keyslot. Device will become unusable after purging this key."),
_("Enter any remaining passphrase: "),
opt_key_file, opt_keyfile_offset, opt_keyfile_size);
if (r == -EPIPE && (!opt_key_file || tools_is_stdin(opt_key_file))) {
log_dbg("Failed read from input, ignoring passphrase.");
r = 0;
}
if (r < 0)
goto out;
}
@@ -1372,7 +1387,7 @@ static struct action_type {
{ "close", action_close, 1, 1, N_("<name>"), N_("close device (remove mapping)") },
{ "resize", action_resize, 1, 1, N_("<name>"), N_("resize active device") },
{ "status", action_status, 1, 0, N_("<name>"), N_("show device status") },
{ "benchmark", action_benchmark, 0, 0, N_("<name>"), N_("benchmark cipher") },
{ "benchmark", action_benchmark, 0, 0, N_("[--cipher <cipher>]"), N_("benchmark cipher") },
{ "repair", action_luksRepair, 1, 1, N_("<device>"), N_("try to repair on-disk metadata") },
{ "erase", action_luksErase , 1, 1, N_("<device>"), N_("erase all keyslots (remove encryption key)") },
{ "luksFormat", action_luksFormat, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
@@ -1529,7 +1544,7 @@ int main(int argc, const char **argv)
poptContext popt_context;
struct action_type *action;
const char *aname;
int r;
int r, total_keyfiles = 0;
crypt_set_log_callback(NULL, tool_log, NULL);
@@ -1543,11 +1558,15 @@ int main(int argc, const char **argv)
while((r = poptGetNextOpt(popt_context)) > 0) {
unsigned long long ull_value;
char *endp;
char *endp, *kf;
if (r == 5) {
if (opt_keyfiles_count < MAX_KEYFILES)
opt_keyfiles[opt_keyfiles_count++] = poptGetOptArg(popt_context);
kf = poptGetOptArg(popt_context);
if (tools_is_stdin(kf))
opt_keyfile_stdin = kf;
else if (opt_keyfiles_count < MAX_KEYFILES)
opt_keyfiles[opt_keyfiles_count++] = kf;
total_keyfiles++;
continue;
}
@@ -1699,6 +1718,10 @@ int main(int argc, const char **argv)
_("Negative number for option not permitted."),
poptGetInvocationName(popt_context));
if (total_keyfiles > 1 && strcmp(opt_type, "tcrypt"))
usage(popt_context, EXIT_FAILURE, _("Only one --key-file argument is allowed."),
poptGetInvocationName(popt_context));
if (opt_random && opt_urandom)
usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
poptGetInvocationName(popt_context));

4
src/cryptsetup.h
View File

@@ -3,8 +3,8 @@
*
* Copyright (C) 2004, Jana Saout <jana@saout.de>
* Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
* Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2014, Milan Broz
* Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2017, Milan Broz
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License

101
src/cryptsetup_reencrypt.c
View File

@@ -1,8 +1,8 @@
/*
* cryptsetup-reencrypt - crypt utility for offline re-encryption
*
* Copyright (C) 2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2012-2015, Milan Broz All rights reserved.
* Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2012-2017, Milan Broz All rights reserved.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -24,6 +24,7 @@
#include <sys/time.h>
#include <linux/fs.h>
#include <arpa/inet.h>
#include <uuid/uuid.h>
#define PACKAGE_REENC "crypt_reencrypt"
@@ -33,6 +34,7 @@
static const char *opt_cipher = NULL;
static const char *opt_hash = NULL;
static const char *opt_key_file = NULL;
static const char *opt_uuid = NULL;
static long opt_keyfile_size = 0;
static long opt_keyfile_offset = 0;
static int opt_iteration_time = 1000;
@@ -49,6 +51,7 @@ static int opt_key_size = 0;
static int opt_new = 0;
static int opt_keep_key = 0;
static int opt_decrypt = 0;
static int opt_progress_frequency = 0;
static const char *opt_reduce_size_str = NULL;
static uint64_t opt_reduce_size = 0;
@@ -68,6 +71,7 @@ struct reenc_ctx {
uint64_t device_offset;
uint64_t device_shift;
int stained:1;
int in_progress:1;
enum { FORWARD = 0, BACKWARD = 1 } reencrypt_direction;
enum { REENCRYPT = 0, ENCRYPT = 1, DECRYPT = 2 } reencrypt_mode;
@@ -148,7 +152,7 @@ static int device_check(struct reenc_ctx *rc, header_magic set_magic)
rc->device);
return -EBUSY;
}
log_err(_("Cannot open device %s\n"), rc->device);
log_err(_("Cannot open device %s.\n"), rc->device);
return -EINVAL;
}
@@ -179,11 +183,6 @@ static int device_check(struct reenc_ctx *rc, header_magic set_magic)
log_verbose(_("Marking LUKS device %s unusable.\n"), rc->device);
memcpy(buf, NOMAGIC, MAGIC_L);
r = 0;
} else if (set_magic == MAKE_USABLE && !memcmp(buf, NOMAGIC, MAGIC_L) &&
version == 1) {
log_verbose(_("Marking LUKS device %s usable.\n"), rc->device);
memcpy(buf, MAGIC, MAGIC_L);
r = 0;
} else if (set_magic == CHECK_UNUSABLE && version == 1) {
r = memcmp(buf, NOMAGIC, MAGIC_L) ? -EINVAL : 0;
if (!r)
@@ -200,6 +199,8 @@ static int device_check(struct reenc_ctx *rc, header_magic set_magic)
log_err(_("Cannot write device %s.\n"), rc->device);
r = -EIO;
}
if (s > 0 && set_magic == MAKE_UNUSABLE)
rc->stained = 1;
} else
log_dbg("LUKS signature check failed for %s.", rc->device);
out:
@@ -370,6 +371,7 @@ static int open_log(struct reenc_ctx *rc)
rc->log_fd = open(rc->log_file, O_RDWR|O_EXCL|O_CREAT|flags, S_IRUSR|S_IWUSR);
if (rc->log_fd != -1) {
log_dbg("Created LUKS reencryption log file %s.", rc->log_file);
rc->stained = 0;
} else if (errno == EEXIST) {
log_std(_("Log file %s exists, resuming reencryption.\n"), rc->log_file);
rc->log_fd = open(rc->log_file, O_RDWR|flags);
@@ -653,8 +655,10 @@ static int restore_luks_header(struct reenc_ctx *rc)
crypt_free(cd);
if (r)
log_err(_("Cannot restore LUKS header on device %s.\n"), rc->device);
else
else {
log_verbose(_("LUKS header on device %s restored.\n"), rc->device);
rc->stained = 0;
}
return r;
}
@@ -662,10 +666,18 @@ static void print_progress(struct reenc_ctx *rc, uint64_t bytes, int final)
{
unsigned long long mbytes, eta;
struct timeval now_time;
double tdiff, mib;
double tdiff, mib, frequency;
char *eol = "";
gettimeofday(&now_time, NULL);
if (!final && time_diff(rc->end_time, now_time) < 0.5)
if (opt_progress_frequency)
frequency = (double)opt_progress_frequency;
else
frequency = 0.5;
if (final || opt_progress_frequency)
eol = "\n";
if (!final && time_diff(rc->end_time, now_time) < frequency)
return;
rc->end_time = now_time;
@@ -686,12 +698,12 @@ static void print_progress(struct reenc_ctx *rc, uint64_t bytes, int final)
eta = (unsigned long long)(rc->device_size / 1024 / 1024 / mib - tdiff);
/* vt100 code clear line */
log_err("\33[2K\r");
if (!opt_progress_frequency)
log_err("\33[2K\r");
log_err(_("Progress: %5.1f%%, ETA %02llu:%02llu, "
"%4llu MiB written, speed %5.1f MiB/s%s"),
(double)bytes / rc->device_size * 100,
eta / 60, eta % 60, mbytes, mib,
final ? "\n" :"");
eta / 60, eta % 60, mbytes, mib, eol);
}
static ssize_t read_buf(int fd, void *buf, size_t count)
@@ -791,6 +803,9 @@ static int copy_data_backward(struct reenc_ctx *rc, int fd_old, int fd_new,
if (write_log(rc) < 0)
return -EIO;
/* dirty the device during ENCRYPT mode */
rc->stained = 1;
while (!quit && rc->device_offset) {
if (rc->device_offset < block_size) {
working_offset = 0;
@@ -955,6 +970,7 @@ static int initialize_uuid(struct reenc_ctx *rc)
{
struct crypt_device *cd = NULL;
int r;
uuid_t device_uuid;
log_dbg("Initialising UUID.");
@@ -963,6 +979,16 @@ static int initialize_uuid(struct reenc_ctx *rc)
return 0;
}
if (opt_decrypt && opt_uuid) {
r = uuid_parse(opt_uuid, device_uuid);
if (!r)
rc->device_uuid = strdup(opt_uuid);
else
log_err(_("Provided UUID is invalid.\n"));
return r;
}
/* Try to load LUKS from device */
if ((r = crypt_init(&cd, rc->device)))
return r;
@@ -979,7 +1005,7 @@ static int initialize_uuid(struct reenc_ctx *rc)
}
static int init_passphrase1(struct reenc_ctx *rc, struct crypt_device *cd,
const char *msg, int slot_to_check, int check)
const char *msg, int slot_to_check, int check, int verify)
{
char *password;
int r = -EINVAL, retry_count;
@@ -990,11 +1016,15 @@ static int init_passphrase1(struct reenc_ctx *rc, struct crypt_device *cd,
set_int_handler(0);
r = crypt_get_key(msg, &password, &passwordLen,
0, 0, NULL /*opt_key_file*/,
0, 0, cd);
0, verify, cd);
if (r < 0)
return r;
if (quit)
if (quit) {
crypt_safe_free(password);
password = NULL;
passwordLen = 0;
return -EAGAIN;
}
/* library uses sigint internally, until it is fixed...*/
set_int_block(1);
@@ -1077,7 +1107,7 @@ static int initialize_passphrase(struct reenc_ctx *rc, const char *device)
log_dbg("Passhrases initialization.");
if (rc->reencrypt_mode == ENCRYPT && !rc->in_progress) {
r = init_passphrase1(rc, cd, _("Enter new passphrase: "), opt_key_slot, 0);
r = init_passphrase1(rc, cd, _("Enter new passphrase: "), opt_key_slot, 0, 1);
return r > 0 ? 0 : r;
}
@@ -1099,14 +1129,14 @@ static int initialize_passphrase(struct reenc_ctx *rc, const char *device)
} else if (rc->in_progress ||
opt_key_slot != CRYPT_ANY_SLOT ||
rc->reencrypt_mode == DECRYPT) {
r = init_passphrase1(rc, cd, msg, opt_key_slot, 1);
r = init_passphrase1(rc, cd, msg, opt_key_slot, 1, 0);
} else for (i = 0; i < MAX_SLOT; i++) {
ki = crypt_keyslot_status(cd, i);
if (ki != CRYPT_SLOT_ACTIVE && ki != CRYPT_SLOT_ACTIVE_LAST)
continue;
snprintf(msg, sizeof(msg), _("Enter passphrase for key slot %u: "), i);
r = init_passphrase1(rc, cd, msg, i, 1);
r = init_passphrase1(rc, cd, msg, i, 1, 0);
if (r < 0)
break;
}
@@ -1119,7 +1149,7 @@ static int initialize_context(struct reenc_ctx *rc, const char *device)
{
log_dbg("Initialising reencryption context.");
rc->log_fd =-1;
rc->log_fd = -1;
if (!(rc->device = strndup(device, PATH_MAX)))
return -ENOMEM;
@@ -1159,6 +1189,12 @@ static int initialize_context(struct reenc_ctx *rc, const char *device)
}
if (!rc->in_progress) {
if (opt_uuid) {
log_err(_("No decryption in progress, provided UUID can "
"be used only to resume suspended decryption process.\n"));
return -EINVAL;
}
if (!opt_reduce_size)
rc->reencrypt_direction = FORWARD;
else {
@@ -1186,10 +1222,7 @@ static void destroy_context(struct reenc_ctx *rc)
close_log(rc);
remove_headers(rc);
if ((rc->reencrypt_direction == FORWARD &&
rc->device_offset == rc->device_size) ||
(rc->reencrypt_direction == BACKWARD &&
(rc->device_offset == 0 || rc->device_offset == (uint64_t)~0))) {
if (!rc->stained) {
unlink(rc->log_file);
unlink(rc->header_file_org);
unlink(rc->header_file_new);
@@ -1205,7 +1238,9 @@ static void destroy_context(struct reenc_ctx *rc)
static int run_reencrypt(const char *device)
{
int r = -EINVAL;
static struct reenc_ctx rc = {};
static struct reenc_ctx rc = {
.stained = 1
};
if (initialize_context(&rc, device))
goto out;
@@ -1231,7 +1266,7 @@ static int run_reencrypt(const char *device)
goto out;
}
} else {
if ((r = initialize_passphrase(&rc, rc.header_file_new)))
if ((r = initialize_passphrase(&rc, opt_decrypt ? rc.header_file_org : rc.header_file_new)))
goto out;
}
@@ -1248,6 +1283,8 @@ static int run_reencrypt(const char *device)
// FIXME: fix error path above to not skip this
if (rc.reencrypt_mode != DECRYPT)
r = restore_luks_header(&rc);
else
rc.stained = 0;
out:
destroy_context(&rc);
return r;
@@ -1288,6 +1325,7 @@ int main(int argc, const char **argv)
{ "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
{ "iter-time", 'i', POPT_ARG_INT, &opt_iteration_time, 0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
{ "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
{ "progress-frequency",'\0', POPT_ARG_INT, &opt_progress_frequency, 0, N_("Progress line update (in seconds)"), N_("secs") },
{ "tries", 'T', POPT_ARG_INT, &opt_tries, 0, N_("How often the input of the passphrase can be retried"), NULL },
{ "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
{ "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
@@ -1301,6 +1339,7 @@ int main(int argc, const char **argv)
{ "device-size", '\0', POPT_ARG_STRING, &opt_device_size_str, 0, N_("Use only specified device size (ignore rest of device). DANGEROUS!"), N_("bytes") },
{ "new", 'N', POPT_ARG_NONE, &opt_new, 0, N_("Create new header on not encrypted device."), NULL },
{ "decrypt", '\0', POPT_ARG_NONE, &opt_decrypt, 0, N_("Permanently decrypt device (remove encryption)."), NULL },
{ "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("The uuid used to resume decryption."), NULL },
POPT_TABLEEND
};
poptContext popt_context;
@@ -1329,12 +1368,10 @@ int main(int argc, const char **argv)
exit(EXIT_SUCCESS);
}
if (!opt_batch_mode) {
log_std(_("WARNING: this is experimental code, it can completely break your data.\n"));
if (!opt_batch_mode)
log_verbose(_("Reencryption will change: volume key%s%s%s%s.\n"),
opt_hash ? _(", set hash to ") : "", opt_hash ?: "",
opt_cipher ? _(", set cipher to "): "", opt_cipher ?: "");
}
action_argv = poptGetArgs(popt_context);
if(!action_argv)
@@ -1403,6 +1440,10 @@ int main(int argc, const char **argv)
usage(popt_context, EXIT_FAILURE, _("Option --decrypt is incompatible with specified parameters."),
poptGetInvocationName(popt_context));
if (opt_uuid && !opt_decrypt)
usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only together with --decrypt."),
poptGetInvocationName(popt_context));
if (opt_debug) {
opt_verbose = 1;
crypt_set_debug_level(-1);

38
src/utils_password.c
View File

@@ -1,8 +1,8 @@
/*
* Password quality check wrapper
*
* Copyright (C) 2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2012-2014, Milan Broz
* Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2012-2017, Milan Broz
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -23,7 +23,7 @@
int opt_force_password = 0;
#if ENABLE_PWQUALITY
#if defined ENABLE_PWQUALITY
#include <pwquality.h>
static int tools_check_pwquality(const char *password)
@@ -58,12 +58,40 @@ static int tools_check_pwquality(const char *password)
pwquality_free_settings(pwq);
return r;
}
#else /* ENABLE_PWQUALITY */
#elif defined ENABLE_PASSWDQC
#include <passwdqc.h>
static int tools_check_pwquality(const char *password)
{
passwdqc_params_t params;
char *parse_reason;
const char *check_reason;
const char *config = PASSWDQC_CONFIG_FILE;
passwdqc_params_reset(&params);
if (*config && passwdqc_params_load(&params, &parse_reason, config)) {
log_err(_("Cannot check password quality: %s\n"),
(parse_reason ? parse_reason : "Out of memory"));
free(parse_reason);
return -EINVAL;
}
check_reason = passwdqc_check(&params.qc, password, NULL, NULL);
if (check_reason) {
log_err(_("Password quality check failed: Bad passphrase (%s)\n"),
check_reason);
return -EPERM;
}
return 0;
}
#else /* !(ENABLE_PWQUALITY || ENABLE_PASSWDQC) */
static int tools_check_pwquality(const char *password)
{
return 0;
}
#endif /* ENABLE_PWQUALITY */
#endif /* ENABLE_PWQUALITY || ENABLE_PASSWDQC */
int tools_is_cipher_null(const char *cipher)
{

8
src/utils_tools.c
View File

@@ -3,8 +3,8 @@
*
* Copyright (C) 2004, Jana Saout <jana@saout.de>
* Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
* Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2014, Milan Broz
* Copyright (C) 2009-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2009-2017, Milan Broz
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -206,7 +206,7 @@ const char *uuid_or_device(const char *spec)
strcpy(device, "/dev/disk/by-uuid/");
ptr = &device[strlen(device)];
i = uuid_len;
while ((s = spec[i++]) && i < PATH_MAX) {
while ((s = spec[i++]) && i < (PATH_MAX - 13)) {
if (!isxdigit(s) && s != '-')
return spec; /* Bail it out */
if (isalpha(s))
@@ -319,7 +319,7 @@ int tools_string_to_size(struct crypt_device *cd, const char *s, uint64_t *size)
}
tmp = *size * mult;
if ((tmp / *size) != mult) {
if (*size && (tmp / *size) != mult) {
log_dbg("Device size overflow.");
return -EINVAL;
}

35
src/veritysetup.c
View File

@@ -1,8 +1,8 @@
/*
* veritysetup - setup cryptographic volumes for dm-verity
*
* Copyright (C) 2012-2013, Red Hat, Inc. All rights reserved.
* Copyright (C) 2012-2013, Milan Broz
* Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2012-2017, Milan Broz
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -33,6 +33,9 @@ static uint64_t data_blocks = 0;
static const char *salt_string = NULL;
static uint64_t hash_offset = 0;
static const char *opt_uuid = NULL;
static int opt_restart_on_corruption = 0;
static int opt_ignore_corruption = 0;
static int opt_ignore_zero_blocks = 0;
static int opt_version_mode = 0;
@@ -127,6 +130,13 @@ static int _activate(const char *dm_device,
if ((r = crypt_init(&cd, hash_device)))
goto out;
if (opt_ignore_corruption)
activate_flags |= CRYPT_ACTIVATE_IGNORE_CORRUPTION;
if (opt_restart_on_corruption)
activate_flags |= CRYPT_ACTIVATE_RESTART_ON_CORRUPTION;
if (opt_ignore_zero_blocks)
activate_flags |= CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS;
if (use_superblock) {
params.flags = flags;
params.hash_area_offset = hash_offset;
@@ -273,6 +283,14 @@ static int action_status(int arg)
}
log_std(" hash offset: %" PRIu64 " sectors\n",
vp.hash_area_offset * vp.hash_block_size / 512);
if (cad.flags & (CRYPT_ACTIVATE_IGNORE_CORRUPTION|
CRYPT_ACTIVATE_RESTART_ON_CORRUPTION|
CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS))
log_std(" flags: %s%s%s\n",
(cad.flags & CRYPT_ACTIVATE_IGNORE_CORRUPTION) ? "ignore_corruption " : "",
(cad.flags & CRYPT_ACTIVATE_RESTART_ON_CORRUPTION) ? "restart_on_corruption " : "",
(cad.flags & CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS) ? "ignore_zero_blocks" : "");
}
out:
crypt_free(cd);
@@ -383,6 +401,9 @@ int main(int argc, const char **argv)
{ "hash", 'h', POPT_ARG_STRING, &hash_algorithm, 0, N_("Hash algorithm"), N_("string") },
{ "salt", 's', POPT_ARG_STRING, &salt_string, 0, N_("Salt"), N_("hex string") },
{ "uuid", '\0', POPT_ARG_STRING, &opt_uuid, 0, N_("UUID for device to use."), NULL },
{ "restart-on-corruption", 0,POPT_ARG_NONE,&opt_restart_on_corruption, 0, N_("Restart kernel if corruption is detected"), NULL },
{ "ignore-corruption", 0, POPT_ARG_NONE, &opt_ignore_corruption, 0, N_("Ignore corruption, log it only"), NULL },
{ "ignore-zero-blocks", 0, POPT_ARG_NONE, &opt_ignore_zero_blocks, 0, N_("Do not verify zeroed blocks"), NULL },
POPT_TABLEEND
};
@@ -468,6 +489,16 @@ int main(int argc, const char **argv)
poptGetInvocationName(popt_context));
}
if ((opt_ignore_corruption || opt_restart_on_corruption || opt_ignore_zero_blocks) && strcmp(aname, "create"))
usage(popt_context, EXIT_FAILURE,
_("Option --ignore-corruption, --restart-on-corruption or --ignore-zero-blocks is allowed only for create operation.\n"),
poptGetInvocationName(popt_context));
if (opt_ignore_corruption && opt_restart_on_corruption)
usage(popt_context, EXIT_FAILURE,
_("Option --ignore-corruption and --restart-on-corruption cannot be used together.\n"),
poptGetInvocationName(popt_context));
if (opt_debug) {
opt_verbose = 1;
crypt_set_debug_level(-1);

10
tests/align-test
View File

@@ -14,8 +14,10 @@ cleanup() {
rmdir $MNT_DIR 2>/dev/null
fi
[ -b /dev/mapper/$DEV_STACKED ] && dmsetup remove $DEV_STACKED >/dev/null 2>&1
# FIXME scsi_debug sometimes in-use here
sleep 1
rmmod scsi_debug 2>/dev/null
sleep 2
sleep 1
}
fail()
@@ -141,7 +143,7 @@ cleanup
echo "# Create enterprise-class 4K drive"
echo "# (logical_block_size=4096, physical_block_size=4096, alignment_offset=0)"
add_device dev_size_mb=16 sector_size=4096 num_tgts=1
add_device dev_size_mb=16 sector_size=4096 num_tgts=1 opt_blks=64
format 256 4096
format 256 2560 8
format 128 2048
@@ -187,7 +189,7 @@ format_null 512 4096 2048
cleanup
echo "# Offset check: 4096B sector drive"
add_device dev_size_mb=16 sector_size=4096 num_tgts=1
add_device dev_size_mb=16 sector_size=4096 num_tgts=1 opt_blks=64
format_null 64 2048 0 8:72:136:200:264:328:392:456
format_null 64 520 1
format_null 64 520 8
@@ -213,7 +215,7 @@ cleanup
echo "# Create enterprise-class 4K drive with fs and LUKS images."
# loop device here presents 512 block but images have 4k block
# cryptsetup should properly use 4k block on direct-io
add_device dev_size_mb=16 sector_size=4096 physblk_exp=0 num_tgts=1
add_device dev_size_mb=16 sector_size=4096 physblk_exp=0 num_tgts=1 opt_blks=64
for file in $(ls img_fs_*.img.bz2) ; do
echo "Format using fs image $file."
bzip2 -d -c $file | dd of=$DEV bs=1M 2>/dev/null || fail "bad image"

61
tests/api-test.c
View File

@@ -124,9 +124,6 @@ static int fips_mode(void)
int fd;
char buf = 0;
if (access("/etc/system-fips", F_OK))
return 0;
fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
if (fd < 0)
@@ -417,16 +414,8 @@ static int _setup(void)
if (_system(cmd, 1))
return 1;
if (!THE_LOOP_DEV)
THE_LOOP_DEV = crypt_loop_get_device();
if (!THE_LOOP_DEV) {
printf("Cannot find free loop device.\n");
return 1;
}
if (crypt_loop_device(THE_LOOP_DEV)) {
fd = crypt_loop_attach(THE_LOOP_DEV, test_loop_file, 0, 0, &ro);
close(fd);
}
fd = crypt_loop_attach(&THE_LOOP_DEV, test_loop_file, 0, 0, &ro);
close(fd);
tmp_file_1 = strdup(THE_LFILE_TEMPLATE);
if ((fd=mkstemp(tmp_file_1)) == -1) {
@@ -441,34 +430,15 @@ static int _setup(void)
_system("dmsetup create " DEVICE_EMPTY_name " --table \"0 10000 zero\"", 1);
_system("dmsetup create " DEVICE_ERROR_name " --table \"0 10000 error\"", 1);
if (!DEVICE_1)
DEVICE_1 = crypt_loop_get_device();
if (!DEVICE_1) {
printf("Cannot find free loop device.\n");
return 1;
}
if (crypt_loop_device(DEVICE_1)) {
_system(" [ ! -e " IMAGE1 " ] && bzip2 -dk " IMAGE1 ".bz2", 1);
fd = crypt_loop_attach(DEVICE_1, IMAGE1, 0, 0, &ro);
close(fd);
}
if (!DEVICE_2)
DEVICE_2 = crypt_loop_get_device();
if (!DEVICE_2) {
printf("Cannot find free loop device.\n");
return 1;
}
if (crypt_loop_device(DEVICE_2)) {
_system("dd if=/dev/zero of=" IMAGE_EMPTY " bs=1M count=4 2>/dev/null", 1);
fd = crypt_loop_attach(DEVICE_2, IMAGE_EMPTY, 0, 0, &ro);
close(fd);
}
if (!DEVICE_3)
DEVICE_3 = crypt_loop_get_device();
if (!DEVICE_3) {
printf("Cannot find free loop device.\n");
return 1;
}
_system(" [ ! -e " IMAGE1 " ] && bzip2 -dk " IMAGE1 ".bz2", 1);
fd = crypt_loop_attach(&DEVICE_1, IMAGE1, 0, 0, &ro);
close(fd);
_system("dd if=/dev/zero of=" IMAGE_EMPTY " bs=1M count=4 2>/dev/null", 1);
fd = crypt_loop_attach(&DEVICE_2, IMAGE_EMPTY, 0, 0, &ro);
close(fd);
/* Keymaterial offset is less than 8 sectors */
_system(" [ ! -e " EVL_HEADER_1 " ] && bzip2 -dk " EVL_HEADER_1 ".bz2", 1);
/* keymaterial offset aims into payload area */
@@ -1522,7 +1492,7 @@ static void LuksHeaderBackup(void)
crypt_free(cd);
// exercise luksOpen using backup header on block device
fd = crypt_loop_attach(DEVICE_3, BACKUP_FILE, 0, 0, &ro);
fd = crypt_loop_attach(&DEVICE_3, BACKUP_FILE, 0, 0, &ro);
close(fd);
OK_(fd < 0);
OK_(crypt_init(&cd, DEVICE_3));
@@ -1808,6 +1778,8 @@ static void VerityTest(void)
/* hash fail */
root_hash[1] = ~root_hash[1];
OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, root_hash, 32, CRYPT_ACTIVATE_READONLY));
/* Be sure there was some read activity to mark device corrupted. */
_system("blkid " DMDIR CDEVICE_1, 0);
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
EQ_(CRYPT_ACTIVATE_READONLY|CRYPT_ACTIVATE_CORRUPTED, cad.flags);
OK_(crypt_deactivate(cd, CDEVICE_1));
@@ -1816,6 +1788,7 @@ static void VerityTest(void)
/* data fail */
OK_(crypt_set_data_device(cd, DEVICE_1));
OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, root_hash, 32, CRYPT_ACTIVATE_READONLY));
_system("blkid " DMDIR CDEVICE_1, 0);
OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
EQ_(CRYPT_ACTIVATE_READONLY|CRYPT_ACTIVATE_CORRUPTED, cad.flags);
OK_(crypt_deactivate(cd, CDEVICE_1));
@@ -1910,6 +1883,10 @@ static void TcryptTest(void)
OK_(crypt_deactivate(cd, CDEVICE_1));
crypt_free(cd);
// Following test uses non-FIPS algorithms in the cipher chain
if(_fips_mode)
return;
OK_(crypt_init(&cd, tcrypt_dev2));
params.keyfiles = NULL;
params.keyfiles_count = 0;

71
tests/compat-test
View File

@@ -229,7 +229,7 @@ echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
# Key Slot 1 and key material section 1 must change, the rest must not
prepare "[9] add key test for key files"
echo $PWD1 | $CRYPTSETUP luksAddKey $LOOPDEV $KEY1 || fail
echo $PWD1 | $CRYPTSETUP luksAddKey -i1 $LOOPDEV $KEY1 || fail
check "$KEY_SLOT1 $KEY_MATERIAL1"
$CRYPTSETUP -d $KEY1 luksOpen $LOOPDEV $DEV_NAME || fail
@@ -263,33 +263,33 @@ $CRYPTSETUP -q luksClose $DEV_NAME || fail
prepare "[14] format/open - passphrase on stdin & new line" wipe
# stdin defined by "-" must take even newline
#echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksFormat $LOOPDEV - || fail
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q --key-file=- luksFormat $LOOPDEV || fail
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -i1 -q --key-file=- luksFormat $LOOPDEV || fail
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q --key-file=- luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
# now also try --key-file
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksFormat $LOOPDEV --key-file=- || fail
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -i1 -q luksFormat $LOOPDEV --key-file=- || fail
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q --key-file=- luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
# process newline if from stdin
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -q luksFormat $LOOPDEV || fail
echo -n -e "$PWD1\n$PWD2" | $CRYPTSETUP -i1 -q luksFormat $LOOPDEV || fail
echo "$PWD1" | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
prepare "[15] UUID - use and report provided UUID" wipe
echo $PWD1 | $CRYPTSETUP -q luksFormat --uuid blah $LOOPDEV 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --uuid $TEST_UUID $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat -i1 --uuid blah $LOOPDEV 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP -q luksFormat -i1 --uuid $TEST_UUID $LOOPDEV || fail
tst=$($CRYPTSETUP -q luksUUID $LOOPDEV)
[ "$tst"x = "$TEST_UUID"x ] || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat -i1 $LOOPDEV || fail
$CRYPTSETUP -q luksUUID --uuid $TEST_UUID $LOOPDEV || fail
tst=$($CRYPTSETUP -q luksUUID $LOOPDEV)
[ "$tst"x = "$TEST_UUID"x ] || fail
prepare "[16] luksFormat" wipe
echo $PWD1 | $CRYPTSETUP -q luksFormat --master-key-file /dev/urandom $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat --master-key-file /dev/urandom $LOOPDEV -d $KEY1 || fail
$CRYPTSETUP -q luksFormat --master-key-file /dev/urandom -s 256 --uuid $TEST_UUID $LOOPDEV $KEY1 || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat -i1 --master-key-file /dev/urandom $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat -i1 --master-key-file /dev/urandom $LOOPDEV -d $KEY1 || fail
$CRYPTSETUP -q luksFormat -i1 --master-key-file /dev/urandom -s 256 --uuid $TEST_UUID $LOOPDEV $KEY1 || fail
$CRYPTSETUP luksOpen -d $KEY1 $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
# open by UUID
@@ -298,11 +298,11 @@ $CRYPTSETUP luksOpen -d $KEY1 UUID=X$TEST_UUID $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP luksOpen -d $KEY1 UUID=$TEST_UUID $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
# empty keyfile
$CRYPTSETUP -q luksFormat $LOOPDEV $KEYE || fail
$CRYPTSETUP -q luksFormat -i1 $LOOPDEV $KEYE || fail
$CRYPTSETUP luksOpen -d $KEYE $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
# open by volume key
echo $PWD1 | $CRYPTSETUP -q luksFormat -s 256 --master-key-file $KEY1 $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat -i1 -s 256 --master-key-file $KEY1 $LOOPDEV || fail
$CRYPTSETUP luksOpen --master-key-file /dev/urandom $LOOPDEV $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP luksOpen --master-key-file $KEY1 $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP -q luksClose $DEV_NAME || fail
@@ -327,6 +327,8 @@ echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d - --test-passphrase || fail
echo $PWD1 | $CRYPTSETUP luksAddKey -i1 $LOOPDEV -d - $KEY2 || fail
$CRYPTSETUP luksOpen $LOOPDEV -d $KEY2 --test-passphrase || fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d - -d $KEY1 --test-passphrase 2>/dev/null && fail
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV -d $KEY1 -d $KEY1 --test-passphrase 2>/dev/null && fail
# [0]PWD1 [1]PWD2 [2]$KEY1/1 [3]$KEY1 [4]$KEY2
$CRYPTSETUP -q luksFormat -i1 $LOOPDEV $KEY1 --key-slot 3 || fail
@@ -352,12 +354,23 @@ prepare "[18] RemoveKey passphrase and keyfile" reuse
$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: DISABLED" || fail
$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY1 2>/dev/null && fail
$CRYPTSETUP luksAddKey $LOOPDEV -i1 -d $KEY2 $KEY1 --key-slot 3 2>/dev/null || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: ENABLED" || fail
$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 --keyfile-size 1 2>/dev/null && fail
$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 4: DISABLED" || fail
# if password or keyfile is provided, batch mode must not suppress it
echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 2>/dev/null && fail
echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 -q 2>/dev/null && fail
echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 --key-file=- 2>/dev/null && fail
echo "badpw" | $CRYPTSETUP luksKillSlot $LOOPDEV 2 --key-file=- -q 2>/dev/null && fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: ENABLED" || fail
# kill slot using passphrase from 1
echo $PWD2 | $CRYPTSETUP luksKillSlot $LOOPDEV 2 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 2: DISABLED" || fail
# kill slot with redirected stdin
$CRYPTSETUP luksKillSlot $LOOPDEV 3 </dev/null || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 3: DISABLED" || fail
# remove key0 / slot 0
echo $PWD1 | $CRYPTSETUP luksRemoveKey $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: DISABLED" || fail
@@ -413,8 +426,8 @@ echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME2 2>/dev/null && fail
$CRYPTSETUP luksClose $DEV_NAME || fail
prepare "[21] luksDump" wipe
echo $PWD1 | $CRYPTSETUP -q luksFormat --uuid $TEST_UUID $LOOPDEV $KEY1 || fail
echo $PWD1 | $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat -i1 --uuid $TEST_UUID $LOOPDEV $KEY1 || fail
echo $PWD1 | $CRYPTSETUP luksAddKey -i1 $LOOPDEV -d $KEY1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: ENABLED" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q $TEST_UUID || fail
echo $PWDW | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key 2>/dev/null && fail
@@ -423,7 +436,7 @@ $CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key -d $KEY1 | grep -q "MK dump:"
prepare "[22] remove disappeared device" wipe
dmsetup create $DEV_NAME --table "0 5000 linear $LOOPDEV 2" || fail
echo $PWD1 | $CRYPTSETUP -q -i 0 luksFormat /dev/mapper/$DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP -q -i1 luksFormat /dev/mapper/$DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP -q luksOpen /dev/mapper/$DEV_NAME $DEV_NAME2 || fail
# underlying device now returns error but node is still present
dmsetup load $DEV_NAME --table "0 5000 error" || fail
@@ -433,17 +446,17 @@ dmsetup remove $DEV_NAME || fail
prepare "[23] ChangeKey passphrase and keyfile" wipe
# [0]$KEY1 [1]key0
$CRYPTSETUP -q luksFormat $LOOPDEV $KEY1 --key-slot 0 || fail
echo $PWD1 | $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 --key-slot 1 || fail
$CRYPTSETUP -q luksFormat $LOOPDEV $KEY1 -i1 --key-slot 0 || fail
echo $PWD1 | $CRYPTSETUP luksAddKey $LOOPDEV -i1 -d $KEY1 --key-slot 1 || fail
# keyfile [0] / keyfile [0]
$CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 --key-slot 0 || fail
$CRYPTSETUP luksChangeKey $LOOPDEV -i1 -d $KEY1 $KEY2 --key-slot 0 || fail
# passphrase [1] / passphrase [1]
echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksChangeKey $LOOPDEV --key-slot 1 || fail
echo -e "$PWD1\n$PWD2\n" | $CRYPTSETUP luksChangeKey $LOOPDEV -i1 --key-slot 1 || fail
# keyfile [0] / keyfile [new]
$CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY2 $KEY1 || fail
$CRYPTSETUP luksChangeKey $LOOPDEV -i1 -d $KEY2 $KEY1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: DISABLED" || fail
# passphrase [1] / passphrase [new]
echo -e "$PWD2\n$PWD1\n" | $CRYPTSETUP luksChangeKey $LOOPDEV || fail
echo -e "$PWD2\n$PWD1\n" | $CRYPTSETUP luksChangeKey -i1 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: DISABLED" || fail
# use all slots
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -i 1 || fail
@@ -453,8 +466,8 @@ $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -i 1 || fail
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -i 1 || fail
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -i 1 || fail
# still allows replace
$CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 || fail
$CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 2>/dev/null && fail
$CRYPTSETUP luksChangeKey $LOOPDEV -i1 -d $KEY1 $KEY2 || fail
$CRYPTSETUP luksChangeKey $LOOPDEV -i1 -d $KEY1 $KEY2 2>/dev/null && fail
prepare "[24] Keyfile limit" wipe
$CRYPTSETUP -q luksFormat -i1 $LOOPDEV $KEY1 --key-slot 0 -l 13 || fail
@@ -509,7 +522,7 @@ $CRYPTSETUP luksResume $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP -q remove $DEV_NAME || fail
$CRYPTSETUP luksSuspend $DEV_NAME 2>/dev/null && fail
# LUKS
echo $PWD1 | $CRYPTSETUP -q luksFormat $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat -i1 $LOOPDEV || fail
echo $PWD1 | $CRYPTSETUP -q luksOpen $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP luksSuspend $DEV_NAME || fail
$CRYPTSETUP -q resize $DEV_NAME 2>/dev/null && fail
@@ -519,14 +532,14 @@ $CRYPTSETUP -q luksClose $DEV_NAME || fail
prepare "[27] luksOpen with specified key slot number" wipe
# first, let's try passphrase option
echo $PWD3 | $CRYPTSETUP luksFormat -S 5 $LOOPDEV || fail
echo $PWD3 | $CRYPTSETUP luksFormat -i1 -S 5 $LOOPDEV || fail
check $LUKS_HEADER $KEY_SLOT5 $KEY_MATERIAL5
echo $PWD3 | $CRYPTSETUP luksOpen -S 4 $LOOPDEV $DEV_NAME && fail
[ -b /dev/mapper/$DEV_NAME ] && fail
echo $PWD3 | $CRYPTSETUP luksOpen -S 5 $LOOPDEV $DEV_NAME || fail
check_exists
$CRYPTSETUP luksClose $DEV_NAME || fail
echo -e "$PWD3\n$PWD1" | $CRYPTSETUP luksAddKey -S 0 $LOOPDEV || fail
echo -e "$PWD3\n$PWD1" | $CRYPTSETUP luksAddKey -i1 -S 0 $LOOPDEV || fail
check $LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0
echo $PWD3 | $CRYPTSETUP luksOpen -S 0 $LOOPDEV $DEV_NAME && fail
[ -b /dev/mapper/$DEV_NAME ] && fail
@@ -535,7 +548,7 @@ echo $PWD1 | $CRYPTSETUP luksOpen -S 5 $LOOPDEV $DEV_NAME && fail
# second, try it with keyfiles
$CRYPTSETUP luksFormat -q -S 5 -d $KEY5 $LOOPDEV || fail
check $LUKS_HEADER $KEY_SLOT5 $KEY_MATERIAL5
$CRYPTSETUP luksAddKey -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail
$CRYPTSETUP luksAddKey -i1 -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail
check $LUKS_HEADER $KEY_SLOT1 $KEY_MATERIAL1
$CRYPTSETUP luksOpen -S 5 -d $KEY5 $LOOPDEV $DEV_NAME || fail
check_exists
@@ -559,7 +572,7 @@ $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
$CRYPTSETUP luksSuspend $DEV_NAME --header $HEADER_IMG || fail
echo $PWD1 | $CRYPTSETUP luksResume $DEV_NAME --header $HEADER_IMG || fail
$CRYPTSETUP luksClose $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP luksAddKey -S 5 _fakedev_ --header $HEADER_IMG $KEY5 || fail
echo $PWD1 | $CRYPTSETUP luksAddKey -i1 -S 5 _fakedev_ --header $HEADER_IMG $KEY5 || fail
$CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "Key Slot 5: ENABLED" || fail
$CRYPTSETUP luksKillSlot -q _fakedev_ --header $HEADER_IMG 5 || fail
$CRYPTSETUP luksDump _fakedev_ --header $HEADER_IMG | grep -q "Key Slot 5: DISABLED" || fail
@@ -575,7 +588,7 @@ $CRYPTSETUP luksClose $DEV_NAME || fail
prepare "[30] LUKS erase" wipe
$CRYPTSETUP -q luksFormat -i1 $LOOPDEV $KEY5 --key-slot 5 || fail
$CRYPTSETUP luksAddKey -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail
$CRYPTSETUP luksAddKey -i1 -S 1 -d $KEY5 $LOOPDEV $KEY1 || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 1: ENABLED" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 5: ENABLED" || fail
$CRYPTSETUP luksErase -q $LOOPDEV || fail

2
tests/luks1-compat-test
View File

@@ -61,7 +61,7 @@ if [ $(id -u) != 0 ]; then
fi
test_required
[ ! -d $TST_DIR ] && tar xjf luks1-images.tar.bz2
[ ! -d $TST_DIR ] && tar xjf luks1-images.tar.bz2 --no-same-owner
echo "ACTIVATION FS UUID CHECK"
for file in $(ls $TST_DIR/luks1_*) ; do

2
tests/tcrypt-compat-test
View File

@@ -67,7 +67,7 @@ function test_required()
test_required
export LANG=C
[ ! -d $TST_DIR ] && tar xjf tcrypt-images.tar.bz2
[ ! -d $TST_DIR ] && tar xjf tcrypt-images.tar.bz2 --no-same-owner
echo "HEADER CHECK"
for file in $(ls $TST_DIR/[tv]c_*) ; do

74
tests/verity-compat-test
View File

@@ -55,6 +55,18 @@ function check_exists()
[ -b /dev/mapper/$DEV_NAME ] || fail
}
function check_version()
{
VER_STR=$(dmsetup targets | grep verity | cut -f 3 -dv)
VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
# option supported in 1.3
test $VER_MAJ -gt 1 && return 0
test $VER_MIN -ge 3 && return 0
return 1
}
function compare_out() # $1 what, $2 expected
{
OPT=$(grep -v "^#" $DEV_OUT | grep -i "$1" | sed -e s/.*\:\ // )
@@ -78,7 +90,7 @@ function check_root_hash() # $1 size, $2 hash, $3 salt, $4 version, $5 hash, [$6
if [ $sb == yes ] ; then
VERIFY_PARAMS=""
else
FORMAT_PAFAMS="$FORMAT_PARAMS --no-superlock"
FORMAT_PARAMS="$FORMAT_PARAMS --no-superblock"
VERIFY_PARAMS=$FORMAT_PARAMS
fi
@@ -132,6 +144,21 @@ function check_root_hash() # $1 size, $2 hash, $3 salt, $4 version, $5 hash, [$6
done
}
function check_option() # $1 size, $2 hash, $3 salt, $4 version, $5 hash, $6 CLI option, $7 status option
{
DEV_PARAMS="$LOOPDEV1 $LOOPDEV2"
FORMAT_PARAMS="--format=$4 --data-block-size=$1 --hash-block-size=$1 --hash=$5 --salt=$3"
echo -n "Option $6 "
$VERITYSETUP format $DEV_PARAMS $FORMAT_PARAMS >/dev/null 2>&1 || fail
$VERITYSETUP create $DEV_NAME $DEV_PARAMS $2 $6 >/dev/null 2>&1 || fail
check_exists
$VERITYSETUP status $DEV_NAME 2>/dev/null | grep flags | grep -q $7 || fail
dmsetup table $DEV_NAME 2>/dev/null | grep -q $7 || fail
$VERITYSETUP remove $DEV_NAME >/dev/null 2>&1 || fail
echo "[OK]"
}
function valgrind_setup()
{
which valgrind >/dev/null 2>&1 || fail "Cannot find valgrind."
@@ -144,6 +171,31 @@ function valgrind_run()
INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${VERITYSETUP} "$@"
}
function checkOffsetBug() # $1 size, $2 hash-offset, $3 data-blocks
{
echo -n "Size :: $1 B | Hash-offset :: $2 blocks | Data-blocks :: $3 "
dd if=/dev/zero of=$IMG bs=1 count=0 seek=$1 >/dev/null 2>&1
$VERITYSETUP --data-blocks=$3 --hash-offset=$2 format $IMG $IMG >/dev/null 2>&1 || fail "Test [hash-offset greater than 2G] failed"
echo "[OK]"
remove_mapping
}
function checkOverlapBug() # $1 size, $2 hash-offset, $3 data-blocks
{
echo -n "Size :: $1 B | Hash-offset :: $2 blocks | "
dd if=/dev/zero of=$IMG bs=1 count=0 seek=$1 >/dev/null 2>&1
if [ -z $3 ] ; then
# veritysetup must fail
$VERITYSETUP --hash-offset=$2 format $IMG $IMG >/dev/null 2>&1 && fail "Test [overlap with option \"--data-blocks\" not entered] failed"
else
$VERITYSETUP --data-blocks=$3 --hash-offset=$2 format $IMG $IMG >/dev/null 2>&1 || fail "Test [overlap with option \"--data-blocks\" entered] failed"
RET=$?
[ "$3" -gt "$(($2 / 4096))" ] && [ "$RET" -eq "0" ] && fail "Test [overlap - hash-offset in data area] failed"
fi
echo "[OK]"
remove_mapping
}
[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
[ ! -x "$VERITYSETUP" ] && skip "Cannot find $VERITYSETUP, test skipped."
@@ -181,5 +233,25 @@ check_root_hash 4096 ef29c902d87350f1da4bfa536e16cebc162a909bf89abe448b81ec500d4
check_root_hash 1024 d0e9163ca8844aaa2e88fe5265a8c5d9ee494a99 $SALT 1 sha1 8388608
check_root_hash 1024 73509e8e868be6b8ac939817a98a3d35121413b2 dadada 1 sha1 8388608
if check_version ; then
echo "Verity data corruption options test."
SALT=e48da609055204e89ae53b655ca2216dd983cf3cb829f34f63a297d106d53e2d
HASH=9de18652fe74edfb9b805aaed72ae2aa48f94333f1ba5c452ac33b1c39325174
prepare 8192 1024
check_option 512 $HASH $SALT 1 sha256 "--ignore-corruption" "ignore_corruption"
check_option 512 $HASH $SALT 1 sha256 "--restart-on-corruption" "restart_on_corruption"
check_option 512 $HASH $SALT 1 sha256 "--ignore-zero-blocks" "ignore_zero_blocks"
check_option 512 $HASH $SALT 1 sha256 "--ignore-corruption --ignore-zero-blocks" "ignore_corruption"
fi
echo "Veritysetup [hash-offset bigger than 2G works] "
checkOffsetBug 3000000000 2499997696 256
checkOffsetBug 10000000000 8000000000 128
echo "Veritysetup [overlap-detection] "
checkOverlapBug 2097152 1433600
checkOverlapBug 2097152 1433600 350
remove_mapping
exit 0