cryptsetup
Commit a97de38b
Authored Nov 05, 2017 by Andrea Gelmini
Committed by Milan Broz, Nov 08, 2017

Fix typos.

Parent: 444eac35
36 changed files with 79 additions and 79 deletions (+79 -79)
Changed files:
FAQ (+2 -2)
INSTALL (+1 -1)
README.md (+1 -1)
docs/ChangeLog.old (+12 -12)
docs/v1.3.0-ReleaseNotes (+1 -1)
docs/v1.4.0-ReleaseNotes (+1 -1)
docs/v2.0.0-RC1-ReleaseNotes (+1 -1)
lib/crypto_backend/crypto_backend.h (+1 -1)
lib/libcryptsetup.h (+3 -3)
lib/libdevmapper.c (+2 -2)
lib/luks1/keymanage.c (+3 -3)
lib/luks2/luks2_disk_metadata.c (+3 -3)
lib/luks2/luks2_json_metadata.c (+2 -2)
lib/setup.c (+1 -1)
lib/tcrypt/tcrypt.c (+2 -2)
lib/utils.c (+1 -1)
lib/utils_benchmark.c (+5 -5)
lib/utils_device_locking.c (+1 -1)
lib/utils_dm.h (+1 -1)
lib/utils_pbkdf.c (+1 -1)
man/cryptsetup-reencrypt.8 (+1 -1)
man/cryptsetup.8 (+3 -3)
man/veritysetup.8 (+2 -2)
misc/dict_search/README (+1 -1)
misc/dracut_90reencrypt/README (+2 -2)
misc/keyslot_checker/chk_luks_keyslots.c (+3 -3)
misc/luks2_keyslot_example/keyslot_test_remote_pass.c (+1 -1)
python/pycryptsetup.c (+1 -1)
src/cryptsetup.c (+1 -1)
src/cryptsetup_reencrypt.c (+1 -1)
tests/api-test-2.c (+8 -8)
tests/api-test.c (+6 -6)
tests/cryptsetup-valg-supps (+1 -1)
tests/device-test (+1 -1)
tests/generators/generate-luks2-non-null-byte-beyond-json0.img.sh (+1 -1)
tests/generators/generate-luks2-overlapping-areas-c1-json0.img.sh (+1 -1)
FAQ
...
...
@@ -2475,7 +2475,7 @@ offset length name data type description
More details:
Cipher, mode and pasword hash (or no hash):
Cipher, mode and pas
s
word hash (or no hash):
-e cipher [-N] => -c cipher-cbc-plain -H plain [-s 256]
-e cipher => -c cipher-cbc-plain -H ripemd160 [-s 256]
...
...
@@ -2616,7 +2616,7 @@ My take is this was much more driven by some big egos that wanted
to make a splash for self-aggrandizement, than by any actual
security concerns. Ignore it.
* 9.3 How do I do my own inird with cryptsetup?
* 9.3 How do I do my own ini
t
rd with cryptsetup?
It depends on the distribution. Below, I give a very simple example
and step-by-step instructions for Debian. With a bit of work, it
...
...
INSTALL
...
...
@@ -44,7 +44,7 @@ The simplest way to compile this package is:
`sh ./configure'
instead
to
prevent
`
csh
' from trying to execute
`configure'
itself
.
Running
`
configure
' takes awhile. While running, it prints some
Running
`
configure
' takes a
while. While running, it prints some
messages telling which features it is checking for.
2. Type `make'
to
compile
the
package
.
...
...
README.md
...
...
@@ -26,7 +26,7 @@ Last version of the LUKS format specification is
Why LUKS?
---------
*
compatiblity via standardization,
*
compatib
i
lity via standardization,
*
secure against low entropy attacks,
*
support for multiple keys,
*
effective passphrase revocation,
...
...
docs/ChangeLog.old
...
...
@@ -178,7 +178,7 @@
* Document cryptsetup exit codes.
2011-03-18 Milan Broz <mbroz@redhat.com>
* Respect maximum keyfile size param
a
ter.
* Respect maximum keyfile size param
e
ter.
* Introduce maximum default keyfile size, add configure option.
* Require the whole key read from keyfile in create command (broken in 1.2.0).
* Fix offset option for loopaesOpen.
...
...
@@ -334,13 +334,13 @@
* Version 1.1.0.
2010-01-10 Milan Broz <mbroz@redhat.com>
* Fix initialisation of gcrypt du
t
ing luksFormat.
* Convert hash name to lower case in header (fix sha1 backward comatible header)
* Fix initialisation of gcrypt du
r
ing luksFormat.
* Convert hash name to lower case in header (fix sha1 backward com
p
atible header)
* Check for minimum required gcrypt version.
2009-12-30 Milan Broz <mbroz@redhat.com>
* Fix key slot iteration count calculation (small -i value was the same as default).
* The slot and key digest iteration minimu
n
is now 1000.
* The slot and key digest iteration minimu
m
is now 1000.
* The key digest iteration # is calculated from iteration time (approx 1/8 of that).
* Version 1.1.0-rc4.
...
...
@@ -395,16 +395,16 @@
* Require device device-mapper to build and do not use backend wrapper for dm calls.
* Move memory locking and dm initialization to command layer.
* Increase priority of process if memory is locked.
* Add log macros and make logging mo
dre consi
tent.
* Add log macros and make logging mo
re consis
tent.
* Move command successful messages to verbose level.
* Introduce --debug parameter.
* Move device utils code and provide context parameter (for log).
* Keyfile now must be provided by path, only stdin file descriptor is used (api only).
* Do not call isatty() on closed keyfile descriptor.
* Run performance check for PBKDF2 from LUKS code, do not mix hash algoritms results.
* Run performance check for PBKDF2 from LUKS code, do not mix hash algorit
h
ms results.
* Add ability to provide pre-generated master key and UUID in LUKS header format.
* Add LUKS function to verify master key digest.
* Move key slot man
u
ipulation function into LUKS specific code.
* Move key slot manipulation function into LUKS specific code.
* Replace global options struct with separate parameters in helper functions.
* Add new libcryptsetup API (documented in libcryptsetup.h).
* Implement old API calls using new functions.
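Review bot: the unchanged context line at the top of this hunk, "* Require device device-mapper to build and do not use backend wrapper for dm calls.", still carries a doubled word ("device device-mapper"); since this hunk already corrects "algoritms" and "manuipulation" in the same block of entries, drop the stray "device" here as well rather than leaving it for another pass.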
...
...
@@ -412,7 +412,7 @@
* Add --master-key-file option for luksFormat and luksAddKey.
2009-08-17 Milan Broz <mbroz@redhat.com>
* Fix PBKDF2 speed calculation for large passhrases.
* Fix PBKDF2 speed calculation for large pass
p
hrases.
* Allow using passphrase provided in options struct for LuksOpen.
* Allow restrict keys size in LuksOpen.
...
...
@@ -424,7 +424,7 @@
* Switch PBKDF2 from internal SHA1 to libgcrypt, make hash algorithm not hardcoded to SHA1 here.
* Add required parameters for changing hash used in LUKS key setup scheme.
* Do not export simple XOR helper now used only inside AF functions.
* Completely remove internal SHA1 implementa
n
ion code, not needed anymore.
* Completely remove internal SHA1 implementa
t
ion code, not needed anymore.
* Enable hash algorithm selection for LUKS through -h luksFormat option.
2009-07-28 Milan Broz <mbroz@redhat.com>
...
...
@@ -705,7 +705,7 @@
2005-12-06 Clemens Fruhwirth <clemens@endorphin.org>
* man/cryptsetup.8: Correct "seconds" to "microseconds" in the expla
i
nation for -i.
* man/cryptsetup.8: Correct "seconds" to "microseconds" in the explanation for -i.
2005-11-09 Clemens Fruhwirth <clemens@endorphin.org>
...
...
@@ -726,7 +726,7 @@
2005-09-08 Clemens Fruhwirth <clemens@endorphin.org>
* lib/setup.c (get_key): Fixed another incompatiblity with
* lib/setup.c (get_key): Fixed another incompatib
i
lity with
original cryptsetup.
2005-08-20 Clemens Fruhwirth <clemens@endorphin.org>
...
...
@@ -816,7 +816,7 @@
* man/cryptsetup.1: Add man page.
* lib/setup.c: Remove unnec
c
essary LUKS_write_phdr call, so the
* lib/setup.c: Remove unnecessary LUKS_write_phdr call, so the
phdr is written after passphrase reading, so the user can change
his mind, and not have a partial written LUKS header on it's disk.
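Review bot: the trailing context of this hunk still contains two errors in one sentence: "a partial written LUKS header on it's disk" should read "a partially written LUKS header on its disk". The hunk fixes "unneccessary" two lines above but leaves these in place.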
...
...
docs/v1.3.0-ReleaseNotes
...
...
@@ -15,7 +15,7 @@ Important changes
* NSS (because of missing ripemd160 it cannot provide full backward compatibility)
* kernel userspace API (provided by kernel 2.6.38 and above)
(Note that kernel userspace backend is very slow for this type of operation.
But it can be useful
l
for embedded systems, because you can avoid userspace
But it can be useful for embedded systems, because you can avoid userspace
crypto library completely.)
Backend is selected during configure time, using --with-crypto_backend option.
...
...
docs/v1.4.0-ReleaseNotes
...
...
@@ -89,7 +89,7 @@ WARNING: This release removes old deprecated API from libcryptsetup
(It can be used to simulate trivial hidden disk concepts.)
libcryptsetup API changes:
* Added options to suport detached metadata device
* Added options to sup
p
ort detached metadata device
crypt_init_by_name_and_header()
crypt_set_data_device()
* Add crypt_last_error() API call.
...
...
docs/v2.0.0-RC1-ReleaseNotes
...
...
@@ -481,7 +481,7 @@ Other changes
For
LUKS2
it
is
always
better
to
specify
full
settings
(
do
not
rely
on
default
cost
values
).
For
example
,
we
can
set
to
use
Argon2id
with
iteration
cost
5
,
memory
128000
and
paral
el
l
set
1
:
and
paral
le
l
set
1
:
$
cryptsetup
luksFormat
--
type
luks2
<
device
>
\
--
pbkdf
argon2id
--
pbkdf
-
force
-
iterations
5
--
pbkdf
-
memory
128000
--
pbkdf
-
parallel
1
...
...
lib/crypto_backend/crypto_backend.h
...
...
@@ -53,7 +53,7 @@ int crypt_hmac_write(struct crypt_hmac *ctx, const char *buffer, size_t length);
int
crypt_hmac_final
(
struct
crypt_hmac
*
ctx
,
char
*
buffer
,
size_t
length
);
int
crypt_hmac_destroy
(
struct
crypt_hmac
*
ctx
);
/* RNG (if fips param
a
ter set, must provide FIPS compliance) */
/* RNG (if fips param
e
ter set, must provide FIPS compliance) */
enum
{
CRYPT_RND_NORMAL
=
0
,
CRYPT_RND_KEY
=
1
,
CRYPT_RND_SALT
=
2
};
int
crypt_backend_rng
(
char
*
buffer
,
size_t
length
,
int
quality
,
int
fips
);
...
...
lib/libcryptsetup.h
...
...
@@ -239,7 +239,7 @@ struct crypt_pbkdf_type {
*
* @return 0 on success or negative errno value otherwise.
*
* @note For LUKS1, only PBKDF2 is supp
p
orted, other settings will be rejected.
* @note For LUKS1, only PBKDF2 is supported, other settings will be rejected.
* @note For non-LUKS context types the call succeeds, but PBKDF is not used.
*/
int
crypt_set_pbkdf_type
(
struct
crypt_device
*
cd
,
...
...
@@ -511,7 +511,7 @@ struct crypt_params_luks2 {
*
* @note Note that crypt_format does not enable any keyslot (in case of work with LUKS device),
* but it stores volume key internally and subsequent crypt_keyslot_add_* calls can be used.
* @note For VERITY @link crypt-type @endlink, only uuid parameter is used, other
s parama
ters
* @note For VERITY @link crypt-type @endlink, only uuid parameter is used, other
parame
ters
* are ignored and verity specific attributes are set through mandatory params option.
*/
int
crypt_format
(
struct
crypt_device
*
cd
,
...
...
@@ -1648,7 +1648,7 @@ typedef enum {
crypt_token_info
crypt_token_status
(
struct
crypt_device
*
cd
,
int
token
,
const
char
**
type
);
/**
* LUKS2 keyring token param
a
ters.
* LUKS2 keyring token param
e
ters.
*
* @see crypt_token_builtin_set
*
...
...
lib/libdevmapper.c
...
...
@@ -1155,7 +1155,7 @@ static int check_retry(uint32_t *dmd_flags, uint32_t dmt_flags)
/* If kernel keyring is not supported load key directly in dm-crypt */
if
((
*
dmd_flags
&
CRYPT_ACTIVATE_KEYRING_KEY
)
&&
!
(
dmt_flags
&
DM_KERNEL_KEYRING_SUPPORTED
))
{
log_dbg
(
"dm-crypt doesn't suport kernel keyring"
);
log_dbg
(
"dm-crypt doesn't sup
p
ort kernel keyring"
);
*
dmd_flags
=
*
dmd_flags
&
~
CRYPT_ACTIVATE_KEYRING_KEY
;
ret
=
1
;
}
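Review bot: the changed string in this hunk is a log_dbg() message that is not wrapped in _(), so it is not a translatable string and no message catalogue needs regenerating; the only thing that could notice is a script grepping debug output for "doesn't suport kernel keyring", which is acceptable for a debug-level line. The same applies to the log_dbg() strings changed in lib/luks2/luks2_json_metadata.c ("Illegal requiremnt flag(s) requested") and lib/utils_pbkdf.c ("miliseconds") in this commit, where the format arguments are left untouched.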
...
...
@@ -1288,7 +1288,7 @@ int dm_status_device(struct crypt_device *cd, const char *name)
struct
stat
st
;
/* libdevmapper is too clever and handles
* path argument differenly with error.
* path argument differen
t
ly with error.
* Fail early here if parameter is non-existent path.
*/
if
(
strchr
(
name
,
'/'
)
&&
stat
(
name
,
&
st
)
<
0
)
...
...
lib/luks1/keymanage.c
...
...
@@ -457,7 +457,7 @@ static int _keyslot_repair(struct luks_phdr *phdr, struct crypt_device *ctx)
}
/*
* check repair result before writ
t
ing because repair can't fix out of order
* check repair result before writing because repair can't fix out of order
* keyslot offsets and would corrupt header again
*/
if
(
LUKS_check_keyslots
(
ctx
,
phdr
))
...
...
@@ -539,7 +539,7 @@ static void _to_lower(char *str, unsigned max_len)
static
void
LUKS_fix_header_compatible
(
struct
luks_phdr
*
header
)
{
/* Old cryptsetup expects "sha1", gcrypt allows case insensi
s
tive names,
/* Old cryptsetup expects "sha1", gcrypt allows case insensitive names,
* so always convert hash to lower case in header */
_to_lower
(
header
->
hashSpec
,
LUKS_HASHSPEC_L
);
...
...
@@ -865,7 +865,7 @@ int LUKS_set_key(unsigned int keyIndex,
return
-
EINVAL
;
}
/* LUKS keyslot has always at least 4000 stripes accoding to specification */
/* LUKS keyslot has always at least 4000 stripes acco
r
ding to specification */
if
(
hdr
->
keyblock
[
keyIndex
].
stripes
<
4000
)
{
log_err
(
ctx
,
_
(
"Key slot %d material includes too few stripes. Header manipulation?
\n
"
),
keyIndex
);
...
...
lib/luks2/luks2_disk_metadata.c
...
...
@@ -182,7 +182,7 @@ static void hdr_to_disk(struct luks2_hdr *hdr,
}
/*
* Sanity checks before checkum is validated
* Sanity checks before check
s
um is validated
*/
static
int
hdr_disk_sanity_check_pre
(
struct
luks2_hdr_disk
*
hdr
,
size_t
*
hdr_json_size
,
int
secondary
,
...
...
@@ -324,7 +324,7 @@ static int hdr_write_disk(struct device *device, struct luks2_hdr *hdr,
}
/*
* Calculate checksum and write header with checkum.
* Calculate checksum and write header with check
s
um.
*/
r
=
hdr_checksum_calculate
(
hdr_disk
.
checksum_alg
,
&
hdr_disk
,
json_area
,
hdr_json_len
);
...
...
@@ -504,7 +504,7 @@ static json_object *parse_and_validate_json(const char *json_area, int length)
if
(
!
jobj
)
return
NULL
;
/* successful
l
parse_json_len must not return offset <= 0 */
/* successful parse_json_len must not return offset <= 0 */
assert
(
offset
>
0
);
r
=
validate_json_area
(
json_area
,
offset
,
length
);
...
...
lib/luks2/luks2_json_metadata.c
...
...
@@ -844,7 +844,7 @@ static void LUKS2_hdr_free_unused_objects(struct crypt_device *cd, struct luks2_
int
LUKS2_hdr_write
(
struct
crypt_device
*
cd
,
struct
luks2_hdr
*
hdr
)
{
/* FIXME: we risk to hide future intenal implementation bugs with this */
/* FIXME: we risk to hide future inte
r
nal implementation bugs with this */
LUKS2_hdr_free_unused_objects
(
cd
,
hdr
);
if
(
LUKS2_hdr_validate
(
hdr
->
jobj
))
...
...
@@ -1317,7 +1317,7 @@ int LUKS2_config_set_requirements(struct crypt_device *cd, struct luks2_hdr *hdr
/* any remaining bit in requirements is unknown therefore illegal */
if
(
reqs
)
{
log_dbg
(
"Illegal requiremnt flag(s) requested"
);
log_dbg
(
"Illegal requirem
e
nt flag(s) requested"
);
goto
err
;
}
...
...
lib/setup.c
...
...
@@ -3959,7 +3959,7 @@ int crypt_convert(struct crypt_device *cd,
return
crypt_load
(
cd
,
type
,
params
);
}
/* Internal
l
access function to header pointer */
/* Internal access function to header pointer */
void
*
crypt_get_hdr
(
struct
crypt_device
*
cd
,
const
char
*
type
)
{
/* If requested type differs, ignore it */
...
...
lib/tcrypt/tcrypt.c
...
...
@@ -350,7 +350,7 @@ static int TCRYPT_decrypt_hdr_one(struct tcrypt_alg *alg, const char *mode,
}
/*
* For cha
n
ined ciphers and CBC mode we need "outer" decryption.
* For chained ciphers and CBC mode we need "outer" decryption.
* Backend doesn't provide this, so implement it here directly using ECB.
*/
static
int
TCRYPT_decrypt_cbci
(
struct
tcrypt_algs
*
ciphers
,
...
...
@@ -775,7 +775,7 @@ int TCRYPT_activate(struct crypt_device *cd,
return
r
;
}
/* From
e
here, key size for every cipher must be the same */
/* From here, key size for every cipher must be the same */
dmd
.
u
.
crypt
.
vk
=
crypt_alloc_volume_key
(
algs
->
cipher
[
0
].
key_size
+
algs
->
cipher
[
0
].
key_extra_size
,
NULL
);
if
(
!
dmd
.
u
.
crypt
.
vk
)
{
...
...
lib/utils.c
...
...
@@ -421,7 +421,7 @@ int crypt_keyfile_read(struct crypt_device *cd, const char *keyfile,
goto
out_err
;
}
/* If not requsted otherwise, we limit input to prevent memory exhaustion */
/* If not requ
e
sted otherwise, we limit input to prevent memory exhaustion */
if
(
keyfile_size_max
==
0
)
{
keyfile_size_max
=
DEFAULT_KEYFILE_SIZE_MAXKB
*
1024
+
1
;
unlimited_read
=
1
;
...
...
lib/utils_benchmark.c
/*
* libcryptsetup - cryptsetup library, cipher bechmark
* libcryptsetup - cryptsetup library, cipher be
n
chmark
*
* Copyright (C) 2012-2017, Red Hat, Inc. All rights reserved.
* Copyright (C) 2012-2017, Milan Broz
...
...
@@ -281,8 +281,8 @@ static int benchmark_callback(uint32_t time_ms, void *usrptr)
/*
* Used in internal places to benchmark crypt_device context PBKDF.
* Once requested parameters are benchmarked, iterations attribute is set,
* and the bench
a
marked values can be reused.
* Note that memory cost can be changed after benchark (if used).
* and the benchmarked values can be reused.
* Note that memory cost can be changed after bench
m
ark (if used).
* NOTE: You need to check that you are benchmarking for the same key size.
*/
int
crypt_benchmark_pbkdf_internal
(
struct
crypt_device
*
cd
,
...
...
@@ -306,8 +306,8 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd,
if
(
!
strcmp
(
pbkdf
->
type
,
CRYPT_KDF_PBKDF2
))
{
/*
* For PBKDF2 it is enou
c
h to run benchmark for only 1 second
* and interpolate final itera
r
ions value from it.
* For PBKDF2 it is enou
g
h to run benchmark for only 1 second
* and interpolate final itera
t
ions value from it.
*/
ms_tmp
=
pbkdf
->
time_ms
;
pbkdf
->
time_ms
=
1000
;
...
...
lib/utils_device_locking.c
...
...
@@ -172,7 +172,7 @@ static void release_lock_handle(struct crypt_lock_handle *h)
if
(
S_ISBLK
(
h
->
mode
)
&&
/* was it block device */
!
flock
(
h
->
flock_fd
,
LOCK_EX
|
LOCK_NB
)
&&
/* lock to drop the file */
!
resource_by_devno
(
res
,
sizeof
(
res
),
h
->
devno
,
1
)
&&
/* acquire lock resource name */
!
fstat
(
h
->
flock_fd
,
&
buf_a
)
&&
/* read inode id refered by fd */
!
fstat
(
h
->
flock_fd
,
&
buf_a
)
&&
/* read inode id refer
r
ed by fd */
!
stat
(
res
,
&
buf_b
)
&&
/* does path file stil exist? */
same_inode
(
buf_a
,
buf_b
))
{
/* is it same id as the one referenced by fd? */
/* coverity[toctou] */
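Review bot: the comment "/* does path file stil exist? */" three lines below the changed line still has "stil" (should be "still"); since this hunk is already editing the comments on this condition chain, fix that one in the same change.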
...
...
lib/utils_dm.h
...
...
@@ -86,7 +86,7 @@ struct crypt_dm_active_device {
/* struct crypt_active_device */
uint64_t
offset
;
/* offset in sectors */
uint64_t
iv_offset
;
/* IV initilisation sector */
uint64_t
iv_offset
;
/* IV initi
a
lisation sector */
uint32_t
tag_size
;
/* additional on-disk tag size */
uint32_t
sector_size
;
/* encryption sector size */
}
crypt
;
...
...
lib/utils_pbkdf.c
...
...
@@ -218,5 +218,5 @@ void crypt_set_iteration_time(struct crypt_device *cd, uint64_t iteration_time_m
pbkdf
->
flags
&=
~
(
CRYPT_PBKDF_NO_BENCHMARK
);
pbkdf
->
iterations
=
0
;
log_dbg
(
"Iteration time set to %"
PRIu64
" miliseconds."
,
iteration_time_ms
);
log_dbg
(
"Iteration time set to %"
PRIu64
" mil
l
iseconds."
,
iteration_time_ms
);
}
man/cryptsetup-reencrypt.8
...
...
@@ -201,7 +201,7 @@ Print separate line every <seconds> with reencryption progress.
Use only while encrypting not yet encrypted device (see \-\-new).
Specify LUKS version when performing in-place encryption. If the parameter
is om
mi
ted default value (LUKS1) is used. Type may be one of: \fBluks\fR (default),
is om
it
ted default value (LUKS1) is used. Type may be one of: \fBluks\fR (default),
\fBluks1\fR or \fBluks2\fR.
.TP
.B "\-\-version"
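Review bot: the corrected sentence in this hunk still reads awkwardly without a comma: "If the parameter is omitted default value (LUKS1) is used" should be "If the parameter is omitted, the default value (LUKS1) is used". Worth fixing while the line is being touched.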
...
...
man/cryptsetup.8
...
...
@@ -432,7 +432,7 @@ The \fItoken\fR command is supported only for LUKS2.
For adding new keyring token, option \-\-key\-description is mandatory.
Also, new token is assigned to key slot specified with \-\-key\-slot option or to all
active key slots in the case \-\-key\-slot option is om
mi
ted.
active key slots in the case \-\-key\-slot option is om
it
ted.
To remove existing token, specify the token ID which should be removed with
\-\-token\-id option.
...
...
@@ -907,7 +907,7 @@ Set the memory cost for PBKDF (for Argon2i/id the number represents kilobytes).
Note that it is maximal value, PBKDF benchmark can decrease it.
This option is not available for PBKDF2.
.TP
.B "\-\-pbkdf\-paral
el
l <number>"
.B "\-\-pbkdf\-paral
le
l <number>"
Set the parallel cost for PBKDF (number of threads, up to 4).
Note that it is maximal value, it is decreased automatically if
CPU online count is lower.
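Review bot: this hunk changes the spelling of a documented option name, so confirm the man page was the wrong side: the spelling must match the option table in src/cryptsetup.c, which this commit does not touch for this option. The unchanged example command in docs/v2.0.0-RC1-ReleaseNotes in the same commit already reads "--pbkdf-parallel 1", which is consistent with the new man page text.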
...
...
@@ -1347,7 +1347,7 @@ the status command output. Also see losetup(8).
The LUKS2 on-disk metadata is updated in several steps and
to achieve proper atomic update, there is a locking mechanism.
For an image in file, code uses \fIflock(2)\fR system call.
For a block device, lock is perfomed over a special file stored
For a block device, lock is perfo
r
med over a special file stored
in a locking directory (by default \fI/run/lock/cryptsetup\fR).
The locking directory should be created with the proper security
context by the distribution during the boot-up phase.
...
...
man/veritysetup.8
...
...
@@ -120,7 +120,7 @@ Defines what to do if data integrity problem is detected (data corruption).
Without these options kernel fails the IO operation with I/O error.
With \-\-ignore-corruption option the corruption is only logged.
With \-\-restart-on-corruption the kernel is restarted immediatel
l
y.
With \-\-restart-on-corruption the kernel is restarted immediately.
(You have to provide way how to avoid restart loops.)
\fBWARNING:\fR Use these options only for very specific cases.
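Review bot: the context line right after the change, "(You have to provide way how to avoid restart loops.)", needs "a way to avoid restart loops"; it is in the same paragraph as the corrected "immediately" and fits this typo pass.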
...
...
@@ -182,7 +182,7 @@ Hash-offset must be greater than number of blocks in data-area.
.B "veritysetup \-\-data-blocks=256 \-\-hash-offset=1052672 create test-device <device> <device> <root_hash>"
Ac
ivate
es the verity device named test-device. Options \-\-data-blocks and \-\-hash-offset are the same
Ac
tivat
es the verity device named test-device. Options \-\-data-blocks and \-\-hash-offset are the same
as in the format command. The <root_hash> was calculated in format command.
.B "veritysetup \-\-data-blocks=256 \-\-hash-offset=1052672 verify <data_device> <hash_device> <root_hash>"
...
...
misc/dict_search/README
...
...
@@ -13,7 +13,7 @@ luks|tcrypt specified device type (LUKS or TrueCrypt)
cpus - number of processes to start in parallel
Format of dictionary file is simple one password per line,
if first char on line
s # it is ski
ped as comment.
if first char on line
is # it is skip
ped as comment.
For LUKS, you have it run as root (device-mapper cannot
create dmcrypt devices as nrmal user. Code need
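Review bot: the trailing context of this hunk still contains "nrmal user" (should be "normal user"), and "For LUKS, you have it run as root" should read "you have to run it as root"; both sit within this hunk's context and belong in the same typo pass as the "skipped" fix above.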
...
...
misc/dracut_90reencrypt/README
...
...
@@ -2,9 +2,9 @@ Example of simple dracut module for reencryption of system
LUKS drive on-the-fly.
Install in /usr/[share|lib]/dracut/modules.d/90reencrypt, then
build special intramfs "with dracut -a reencrypt -o crypt".
build special in
i
tramfs "with dracut -a reencrypt -o crypt".
Reencrypt module doesn't work (has a conflict) with crypt module as
of now. After successful
l
reencryption reboot using original initramfs.
of now. After successful reencryption reboot using original initramfs.
Dracut then recognize argument rd.luks.reencrypt=name:size,
e.g. rd.luks.reencrypt=sda2:52G means only 52G of device
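Review bot: the trailing context "Dracut then recognize argument rd.luks.reencrypt=name:size" needs "recognizes the argument"; the line above the first change also places the prose word "with" inside the quoted command (build special initramfs "with dracut -a reencrypt -o crypt".), which should be: build a special initramfs with "dracut -a reencrypt -o crypt". Minor, but both are within reach of this commit.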
...
...
misc/keyslot_checker/chk_luks_keyslots.c
...
...
@@ -61,7 +61,7 @@ const char *help =
" the threshold down to reduce misdetection. For values
\n
"
" larger than the default you need to adjust the threshold
\n
"
" up to retain sensitivity.
\n
"
" -v Print found suspic
u
ous sectors verbosely.
\n
"
" -v Print found suspic
i
ous sectors verbosely.
\n
"
" -d Print decimal addresses instead of hex ones.
\n
"
"
\n
"
;
...
...
@@ -321,8 +321,8 @@ int main(int argc, char **argv)
device
=
argv
[
optind
];
/* test whether we can open and read device */
/* This is neded as we are reading the actual data
* in the keyslots dir
t
ectly from the LUKS container.
/* This is ne
e
ded as we are reading the actual data
* in the keyslots directly from the LUKS container.
*/
f_luks
=
open
(
device
,
O_RDONLY
);
if
(
f_luks
==
-
1
)
{
...
...
misc/luks2_keyslot_example/keyslot_test_remote_pass.c
...
...
@@ -192,7 +192,7 @@ static int download_remote_password(struct crypt_device *cd, char *password, siz
return
-
EINVAL
;
/* extract third party metadata nec
c
essary to extract passphrase remotely */
/* extract third party metadata necessary to extract passphrase remotely */
json_object_object_get_ex
(
jobj_keyslot
,
"ssh_server"
,
&
jobj_server
);
json_object_object_get_ex
(
jobj_keyslot
,
"ssh_user"
,
&
jobj_user
);
json_object_object_get_ex
(
jobj_keyslot
,
"ssh_path"
,
&
jobj_path
);
...
...
python/pycryptsetup.c
...
...
@@ -235,7 +235,7 @@ static PyObject *CryptSetup_activate(CryptSetupObject* self, PyObject *args, PyO
static
char
CryptSetup_deactivate_HELP
[]
=
"Dectivate LUKS device
\n\n
\
"De
a
ctivate LUKS device
\n\n
\
deactivate()"
;
static
PyObject
*
CryptSetup_deactivate
(
CryptSetupObject
*
self
,
PyObject
*
args
,
PyObject
*
kwds
)
...
...
src/cryptsetup.c
...
...
@@ -119,7 +119,7 @@ static const char *luksType(const char *type)
static
int
_verify_passphrase
(
int
def
)
{
/* Batch mode switch off verify - if not overrid
ed
by -y */
/* Batch mode switch off verify - if not overrid
den
by -y */
if
(
opt_verify_passphrase
)
def
=
1
;
else
if
(
opt_batch_mode
)
...
...
src/cryptsetup_reencrypt.c
...
...
@@ -65,7 +65,7 @@ struct reenc_ctx {
char
*
device
;
char
*
device_uuid
;
const
char
*
type
;
uint64_t
device_size
;
/* overrid
ed
by parameter */
uint64_t
device_size
;
/* overrid
den
by parameter */
uint64_t
device_size_new_real
;
uint64_t
device_size_org_real
;
uint64_t
device_offset
;
...
...
tests/api-test-2.c
...
...
@@ -608,8 +608,8 @@ static void AddDeviceLuks2(void)
OK_
(
crypt_deactivate
(
cd
,
CDEVICE_1
));
EQ_
(
crypt_status
(
cd
,
CDEVICE_1
),
CRYPT_INACTIVE
);
// restrict format only to empty context
FAIL_
(
crypt_format
(
cd
,
CRYPT_LUKS2
,
cipher
,
cipher_mode
,
NULL
,
key
,
key_size
,
&
params
),
"Context is already formated"
);
FAIL_
(
crypt_format
(
cd
,
CRYPT_LUKS2
,
cipher
,
cipher_mode
,
NULL
,
key
,
key_size
,
NULL
),
"Context is already formated"
);
FAIL_
(
crypt_format
(
cd
,
CRYPT_LUKS2
,
cipher
,
cipher_mode
,
NULL
,
key
,
key_size
,
&
params
),
"Context is already format
t
ed"
);
FAIL_
(
crypt_format
(
cd
,
CRYPT_LUKS2
,
cipher
,
cipher_mode
,
NULL
,
key
,
key_size
,
NULL
),
"Context is already format
t
ed"
);
// change data device to wrong one
OK_
(
crypt_set_data_device
(
cd
,
DMDIR
L_DEVICE_0S
));
FAIL_
(
crypt_activate_by_volume_key
(
cd
,
CDEVICE_1
,
key
,
key_size
,
0
),
"Device too small"
);
...
...
@@ -628,7 +628,7 @@ static void AddDeviceLuks2(void)
EQ_
(
crypt_activate_by_passphrase
(
cd
,
CDEVICE_1
,
7
,
passphrase
,
strlen
(
passphrase
)
,
0
),
7
);
crypt_free
(
cd
);
OK_
(
crypt_init_by_name_and_header
(
&
cd
,
CDEVICE_1
,
DMDIR
H_DEVICE
));
FAIL_
(
crypt_format
(
cd
,
CRYPT_LUKS2
,
cipher
,
cipher_mode
,
NULL
,
key
,
key_size
,
&
params
),
"Context is already formated"
);
FAIL_
(
crypt_format
(
cd
,
CRYPT_LUKS2
,
cipher
,
cipher_mode
,
NULL
,
key
,
key_size
,
&
params
),
"Context is already format
t
ed"
);
EQ_
(
crypt_status
(
cd
,
CDEVICE_1
),
CRYPT_ACTIVE
);
crypt_free
(
cd
);
// check active status without header
...
...
@@ -854,7 +854,7 @@ static void Luks2HeaderRestore(void)
.
size
=
0
};
struct
crypt_params_luks1
luks1
=
{
.
data_alignment
=
8192
,
// 4M offset to pass align
e
ment test
.
data_alignment
=
8192
,
// 4M offset to pass alignment test
};
char
key
[
128
];
...
...
@@ -2175,7 +2175,7 @@ static void Pbkdf(void)
// bad.hash = "hamster_hash";
// FAIL_(crypt_set_pbkdf_type(cd, &pbkdf2), "Unknown hash member");
crypt_free
(
cd
);
// test whether crypt_get_pbkdf_type() behaves accordingl
t
after second crypt_load() call
// test whether crypt_get_pbkdf_type() behaves accordingl
y
after second crypt_load() call
OK_
(
crypt_init
(
&
cd
,
DEVICE_1
));
OK_
(
crypt_load
(
cd
,
CRYPT_LUKS
,
NULL
));
NOTNULL_
(
pbkdf
=
crypt_get_pbkdf_type
(
cd
));
...
...
@@ -2367,7 +2367,7 @@ static void Luks2Requirements(void)
OK_
(
crypt_set_pbkdf_type
(
cd
,
&
pbkdf2
));
NOTNULL_
(
crypt_get_pbkdf_type
(
cd
));
/* crypt_set_itertion_time (unrestricted) */
/* crypt_set_iter
a
tion_time (unrestricted) */
crypt_set_iteration_time
(
cd
,
1
);
pbkdf
=
crypt_get_pbkdf_type
(
cd
);
NOTNULL_
(
pbkdf
);
...
...
@@ -2504,7 +2504,7 @@ static void Luks2Requirements(void)
remove
(
BACKUP_FILE
);
OK_
(
crypt_header_backup
(
cd
,
CRYPT_LUKS
,
BACKUP_FILE
));
/* crypt_header_restore (restricted, do not drop the test until
l
we have safe option) */
/* crypt_header_restore (restricted, do not drop the test until we have safe option) */
FAIL_
((
r
=
crypt_header_restore
(
cd
,
CRYPT_LUKS2
,
BACKUP_FILE
)),
"Unmet requirements detected"
);
EQ_
(
r
,
-
ETXTBSY
);
remove
(
BACKUP_FILE
);
...
...
@@ -2584,7 +2584,7 @@ static void Luks2Requirements(void)
OK_
(
crypt_init_by_name
(
&
cd
,
CDEVICE_1
));
OK_
(
crypt_suspend
(
cd
,
CDEVICE_1
));
/* crypt_header_restore (restricted, do not drop the test until
l
we have safe option) */
/* crypt_header_restore (restricted, do not drop the test until we have safe option) */
/* refuse to overwrite header w/ backup including requirements */
FAIL_
((
r
=
crypt_header_restore
(
cd
,
CRYPT_LUKS2
,
BACKUP_FILE
)),
"Unmet requirements detected"
);
EQ_
(
r
,
-
ETXTBSY
);
...
...
tests/api-test.c
...
...
@@ -267,12 +267,12 @@ static int _setup(void)
_system
(
" [ ! -e "
EVL_HEADER_1
" ] && bzip2 -dk "
EVL_HEADER_1
".bz2"
,
1
);
/* keymaterial offset aims into payload area */
_system
(
" [ ! -e "
EVL_HEADER_2
" ] && bzip2 -dk "
EVL_HEADER_2
".bz2"
,
1
);
/* keymaterial offset is valid, number of stripes causes payload area to be overwriten */
/* keymaterial offset is valid, number of stripes causes payload area to be overwrit
t
en */
_system
(
" [ ! -e "
EVL_HEADER_3
" ] && bzip2 -dk "
EVL_HEADER_3
".bz2"
,
1
);
/* luks device header for data and header on same device. payloadOffset is greater than
* device size (crypt_load() test) */
_system
(
" [ ! -e "
EVL_HEADER_4
" ] && bzip2 -dk "
EVL_HEADER_4
".bz2"
,
1
);
/* two keyslots with same offset (overlaping keyslots) */
/* two keyslots with same offset (overlap
p
ing keyslots) */
_system
(
" [ ! -e "
EVL_HEADER_5
" ] && bzip2 -dk "
EVL_HEADER_5
".bz2"
,
1
);
/* valid header: payloadOffset=4096, key_size=32,
* volume_key = bb21158c733229347bd4e681891e213d94c685be6a5b84818afe7a78a6de7a1a */
...
...
@@ -796,8 +796,8 @@ static void AddDeviceLuks(void)
OK_
(
crypt_deactivate
(
cd
,
CDEVICE_1
));
EQ_
(
crypt_status
(
cd
,
CDEVICE_1
),
CRYPT_INACTIVE
);
// restrict format only to empty context
FAIL_
(
crypt_format
(
cd
,
CRYPT_LUKS1
,
cipher
,
cipher_mode
,
NULL
,
key
,
key_size
,
&
params
),
"Context is already formated"
);
FAIL_
(
crypt_format
(
cd
,
CRYPT_LUKS1
,
cipher
,
cipher_mode
,
NULL
,
key
,
key_size
,
NULL
),
"Context is already formated"
);
FAIL_
(
crypt_format
(
cd
,
CRYPT_LUKS1
,
cipher
,
cipher_mode
,
NULL
,
key
,
key_size
,
&
params
),
"Context is already format
t
ed"
);
FAIL_
(
crypt_format
(
cd
,
CRYPT_LUKS1
,
cipher
,
cipher_mode
,
NULL
,
key
,
key_size
,
NULL
),
"Context is already format
t
ed"
);
// change data device to wrong one
OK_
(
crypt_set_data_device
(
cd
,
DMDIR
L_DEVICE_0S
));
FAIL_
(
crypt_activate_by_volume_key
(
cd
,
CDEVICE_1
,
key
,
key_size
,
0
),
"Device too small"
);
...
...
@@ -816,7 +816,7 @@ static void AddDeviceLuks(void)
EQ_
(
crypt_activate_by_passphrase
(
cd
,
CDEVICE_1
,
7
,
passphrase
,
strlen
(
passphrase
)
,
0
),
7
);
crypt_free
(
cd
);
OK_
(
crypt_init_by_name_and_header
(
&
cd
,
CDEVICE_1
,
DMDIR
H_DEVICE
));
FAIL_
(
crypt_format
(
cd
,
CRYPT_LUKS1
,
cipher
,
cipher_mode
,
NULL
,
key
,
key_size
,
&
params
),
"Context is already formated"
);
FAIL_
(
crypt_format
(
cd
,
CRYPT_LUKS1
,
cipher
,
cipher_mode
,
NULL
,
key
,
key_size
,
&
params
),
"Context is already format
t
ed"
);
EQ_
(
crypt_status
(
cd
,
CDEVICE_1
),
CRYPT_ACTIVE
);
crypt_free
(
cd
);
// check active status without header
...
...
@@ -988,7 +988,7 @@ static void UseTempVolumes(void)
OK_
(
crypt_format
(
cd
,
CRYPT_PLAIN
,
"aes"
,
"cbc-essiv:sha256"
,
NULL
,
NULL
,
16
,
NULL
));
FAIL_
(
crypt_activate_by_volume_key
(
cd
,
NULL
,
"xxx"
,
3
,
0
),
"cannot verify key with plain"
);
FAIL_
(
crypt_volume_key_verify
(
cd
,
"xxx"
,
3
),
"cannot verify key with plain"
);
FAIL_
(
crypt_activate_by_volume_key
(
cd
,
CDEVICE_2
,
"xxx"
,
3
,
0
),
"wrong key leng
ht
"
);
FAIL_
(
crypt_activate_by_volume_key
(
cd
,
CDEVICE_2
,
"xxx"
,
3
,
0
),
"wrong key leng
th
"
);
OK_
(
crypt_activate_by_volume_key
(
cd
,
CDEVICE_2
,
"volumekeyvolumek"
,
16
,
0
));
EQ_
(
crypt_status
(
cd
,
CDEVICE_2
),
CRYPT_ACTIVE
);
OK_
(
crypt_deactivate
(
cd
,
CDEVICE_2
));
...
...
tests/cryptsetup-valg-supps
# Supresion file for valgrind
# Sup
p
resion file for valgrind
# known problem in libgcrypt
{
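Review bot: the replacement line is still misspelled: "# Suppresion file for valgrind" adds the missing "p" but the word is "Suppression" (double s). Please correct the new line rather than replacing one typo with another.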
...
...
tests/device-test
...
...
@@ -66,7 +66,7 @@ DEV="$MNT_DIR/test.img"
mount
-t
tmpfs none
$MNT_DIR
||
skip
"Mounting tmpfs not available."
format luks1
echo
"[2] Kernel dmcrypt performace options"
echo
"[2] Kernel dmcrypt performa
n
ce options"
echo
-e
"
$PWD1
"
|
$CRYPTSETUP
open
--type
plain
$DEV
$DEV_NAME
--perf-same_cpu_crypt
>
/dev/null 2>&1
if
[
$?
-ne
0
]
;
then
echo
"TEST SKIPPED: dmcrypt options not available"
...
...
tests/generators/generate-luks2-non-null-byte-beyond-json0.img.sh
...
...
@@ -6,7 +6,7 @@
# *** Description ***
#
# generate primary header with json area concluded with illegal
# byte beyond terminating '}' charcter.
# byte beyond terminating '}' char
a
cter.
#
# secondary header is corrupted on purpose as well
#
...
...
tests/generators/generate-luks2-overlapping-areas-c1-json0.img.sh
...
...
@@ -5,7 +5,7 @@
#
# *** Description ***
#
# generate primary header with one area incuded within another one (in terms of 'offset' + 'length')
# generate primary header with one area inc
l
uded within another one (in terms of 'offset' + 'length')
#
# secondary header is corrupted on purpose as well
#
...
...