1. 01 Mar, 2019 1 commit
  2. 07 Feb, 2019 1 commit
  3. 31 Jan, 2019 1 commit
  4. 25 Jan, 2019 2 commits
    • Switch default cryptographic backend to OpenSSL. · bc3d0feb
      Milan Broz authored
      Cryptsetup/libcryptsetup currently supports several cryptographic
      library backends.
      
      The fully supported are libgcrypt, OpenSSL and kernel crypto API.
      
      FIPS mode extensions are maintained only for libgcrypt and OpenSSL.
      
      (Nettle and NSS are usable only for some subset of algorithms and
      cannot provide full backward compatibility.)
      
      For years, OpenSSL provided better performance for PBKDF.
      
      Since this commit, cryptsetup uses OpenSSL as the default backend.
      
      You can always switch to other backend by using a configure switch,
      for libgcrypt (compatibility for older distributions) use:
      --with-crypto_backend=gcrypt
  5. 16 Jan, 2019 1 commit
  6. 14 Jan, 2019 1 commit
    • Do not require gcrypt-devel for authconfig. · c04d332b
      Milan Broz authored
      The gcrypt does not use standard pkgconfig detection and requires
      specific macro (part of gcrypt development files) to be present
      during autoconfigure.
      
      With other crypto backend, like OpenSSL, this makes no sense,
      so make this part of autoconfigure optional.
  7. 07 Jan, 2019 1 commit
    • Add keyslot encryption params. · 307a7ad0
      Milan Broz authored
      This patch makes available LUKS2 per-keyslot encryption settings to user.
      
      In LUKS2, keyslot can use different encryption than data.
      
      We can use new crypt_keyslot_get_encryption and crypt_keyslot_set_encryption
      API calls to set/get this encryption.
      
      For cryptsetup new --keyslot-cipher and --keyslot-key-size options are added.
      
      The default keyslot encryption algorithm (if cannot be derived from data encryption)
      is now available as configure options (default is aes-xts-plain64 with 512-bits key).
      NOTE: default was increased from 256-bits.
  8. 02 Jan, 2019 1 commit
  9. 09 Nov, 2018 1 commit
  10. 07 Nov, 2018 1 commit
  11. 28 Oct, 2018 1 commit
  12. 14 Oct, 2018 1 commit
  13. 04 Oct, 2018 1 commit
  14. 07 Aug, 2018 4 commits
    • Fix configure typo in previous patch. · 31364c17
      Milan Broz authored
    • Make tests for strings in configure more consistent. · 5e56966e
      Milan Broz authored
      Instead of
        test x$enable_xyz = xyes;
      use
        test "$enable_xyz" = "xyes"; then
    • Use AC_ARG_ENABLE consistently. · 1f951ed7
      Milan Broz authored
      AC_ARG_ENABLE(feature, ...) -> AC_ARG_ENABLE([feature], ...
    • Fix configure.ac formatting · ecd82f1f
      joerichey@google.com authored
      Currently, AC_ARG_[ENABLE|WITH] are used in multiple different ways.
      This change makes all their uses the same by following the style of
      the GNU manual:
        - AC_ARG_ENABLE(foo) should only define $enable_foo
        - Use the 2 argument form with a --enable_foo flag
        - Use the 4 argument form with a --disable_foo flag
        - Format all uses the same way
        - Always compare using: test "x$enable_foo" = "xyes"
      
      This makes it easier to debug, more readable, and shorter.
      
      This formatting fix also revealed a bug (fix submitted separately).
  15. 03 Aug, 2018 1 commit
  16. 19 Jul, 2018 1 commit
  17. 11 Jul, 2018 3 commits
  18. 07 Jul, 2018 1 commit
    • Add optimized Argon2 SSE code. · ba384d15
      Milan Broz authored
      Note: it is always better to use external libargon2 library.
      
      Unfortunately, until Argon2 is in generic crypto libraries,
      we must sometimes use bundled version just for bureaucratic reasons.
      
      Let's include optimized variant of reference implementation as well.
      
      Note, this code will not add any SSE compiler switches.
      
      If --enable-internal-sse-argon2 option is used, it checks if current
      compilation flags support simple SSE program and if so, it uses
      the optimized variant.
      (Not tested for AVX optimizations; it expects that SSE is enabled as well.)
  19. 03 May, 2018 1 commit
  20. 25 Apr, 2018 1 commit
  21. 24 Apr, 2018 1 commit
  22. 04 Apr, 2018 2 commits
    • Move absolute path helper to m4 macro. · f7ad64a3
      Milan Broz authored
    • configure.ac: fix bashisms · 103d75f7
      Eli Schwartz authored
      In commits 9bcc97bc and
      5536b3a5 new features were
      added, which used bash-specific features in a POSIX sh script. This
      caused configure to completely fail with syntax errors on systems where
      /bin/sh was not symlinked to GNU bash.
      
      `==` is a bash-specific alias for `=` and should never, ever, ever be
      used since it offers no additional utility for bash but merely serves
      to confuse people writing POSIX.
      
      substring parameter expansion, e.g. `${with_tmpfilesdir:0:1}` is not
      POSIX but can be trivially replaced by case wildcards.
  23. 07 Mar, 2018 1 commit
  24. 01 Mar, 2018 1 commit
  25. 21 Jan, 2018 1 commit
  26. 17 Jan, 2018 1 commit
    • Introduce new 64bit *keyfile_device_offset functions. · f34ce81f
      Milan Broz authored
      The keyfile interface was designed, well, for keyfiles.
      
      Unfortunately, a keyfile can be placed on a device and the size_t offset
      can overflow.
      
      We have to introduce new set of functions that allows 64bit offsets even on 32bit systems:
       - crypt_resume_by_keyfile_device_offset
       - crypt_keyslot_add_by_keyfile_device_offset
       - crypt_activate_by_keyfile_device_offset
       - crypt_keyfile_device_read
      
      The new functions have added _device_ in name.
      
      Old functions are just internal wrappers around these.
      
      Also cryptsetup --keyfile-offset and --new-keyfile-offset must now
      process 64bit offsets.
      
      For more info see issue 359.
  27. 04 Jan, 2018 1 commit
    • Use /run/cryptsetup as default for cryptsetup locking dir. · 6f4c15b2
      Milan Broz authored
      There are problems with sharing /run/lock with lockdev and also in early boot
      we cannot create the whole subdir chain.
      
      It is safe to switch to separate locking dir.
      This can be changed with --with-luks2-lock-path and --with-luks2-lock-dir-perms
      configure switches.
      
      See Issue#361 and issue#362.
  28. 17 Dec, 2017 1 commit
  29. 10 Dec, 2017 1 commit
  30. 05 Dec, 2017 1 commit
  31. 31 Oct, 2017 3 commits