1. 27 Nov, 2018 2 commits
  2. 18 Oct, 2018 1 commit
  3. 14 Oct, 2018 2 commits
    • Milan Broz's avatar
      Fix issues found by Coverity scan. · 27eaf46c
      Milan Broz authored
      - possible overflow of data offset calculation in wipe and
      - dereferencing of pointer in a keyring error path.
    • Milan Broz's avatar
      Wipe full header areas (including unused) during LUKS format. · c2bce3e9
      Milan Broz authored
      All previous version of cryptsetup wiped only first 4k for LUKS1
      and both JSON areas for LUKS2 (first 32k) and the allocated
      keyslot area (as it contained the generated key).
      Remaining areas (unused keyslots, padding, and alignment) were
      not wiped and could contain some previous data.
      Since this commit, the whole area up to the data offset is zeroed,
      and subsequently, all keyslots areas are wiped with random data.
      Only exceptions are
       - padding/alignment areas for detached header
         if the data offset is set to 0
       - bogus LUKS1 keyslot areas (upstream code never
         created such keyslots but someone could use that).
      This operation could slow down luksFormat on some devices, but
      it guarantees that after this operation LUKS header does not
      contain any foreign data.
  4. 09 Aug, 2018 1 commit
  5. 19 Jul, 2018 1 commit
    • Milan Broz's avatar
      Print verbose message about keyslot and token numbers. · eabd23f3
      Milan Broz authored
      Move all messages to cryptsetup tools and print these
      verbose messages:
        - Key slot X unlocked.
        - Key slot X created.
        - Key slot X removed.
        - Token X created.
        - Token X removed.
      Also print error, if unknown token is tried to be removed.
  6. 26 Apr, 2018 1 commit
  7. 06 Apr, 2018 1 commit
    • Milan Broz's avatar
      Check cipher before writing metadata (LUKS2). · 187170ec
      Milan Broz authored
      Some ciphers and key sizes created on-disk metadata that cannot be used.
      Use the same test for length-preserving cipher as LUKS1.
      Also check if key for integrity algorithm is not too small.
      Fixes #373.
  8. 25 Mar, 2018 1 commit
  9. 20 Jan, 2018 1 commit
  10. 07 Dec, 2017 1 commit
  11. 08 Nov, 2017 1 commit
  12. 10 Oct, 2017 1 commit
  13. 24 Sep, 2017 2 commits
  14. 12 Aug, 2017 1 commit
    • Milan Broz's avatar
      Move PBKDF internal benchmark to one place. · 5fc79f56
      Milan Broz authored
      Also cache its value in active context, so we run benchmark
      only once.
      The patch also changes calculated value for LUKS1 key digest
      to 125 miliseconds (it means that for full 8 used slots
      the additional slow-down is circa 1 second).
      Note that there is no need to have too high iteration count
      for key digest; if it is too computationally expensive, attacker
      will better decrypt of one sector with candidate key anyway.
      (Check for a known signature.)
      The reason to have some delay for key digest check was
      to complicate brute-force search for volume key with LUKS header
      only (and if RNG used to generate volumekey was flawed
      allowing such a search i reasonable time).
  15. 10 Aug, 2017 1 commit
  16. 06 Aug, 2017 2 commits
    • Milan Broz's avatar
      Change PBKDF interface API. · 0abf57be
      Milan Broz authored
      Prepare API for PBKDF that can set three costs
        - time (similar to iterations in PBKDF2)
        - memory (required memory for memory-hard function)
        - threads (required number of threads/CPUs).
      This patch also removes wrongly designed API call
      crypt_benchmark_kdf and replaces it with the new call
      Two functions for PBKDF per context setting
      are introduced: crypt_set_pbkdf_type and crypt_get_pbkdf_type.
      The patch should be backward compatible when using
      crypt_set_iteration_time function (works only for PBKDF2).
      Signed-off-by: Milan Broz's avatarMilan Broz <gmazyland@gmail.com>
    • Milan Broz's avatar
      Add Argon2 bundled library to crypto backend. · 09d14a0b
      Milan Broz authored
      The Argon2i/id is a password hashing function that
      won Password Hashing Competiton.
      It will be (optionally) used in LUKS2 for passworrd-based
      key derivation.
      We have to bundle code for now (similar PBKDF2 years ago)
      because there is yet no usable implementation in common
      crypto libraries.
      (Once there is native implementation, cryptsetup
      will switch to the crypto library version.)
      For now, we use reference (not optimized but portable) implementation.
      This patch contains bundled Argon2 algorithm library copied from
      For more info see Password Hashing Competition site:
      and draft of RFC document
        https://datatracker.ietf.org/doc/draft-irtf-cfrg-argon2/Signed-off-by: Milan Broz's avatarMilan Broz <gmazyland@gmail.com>
  17. 29 Jun, 2017 1 commit
  18. 16 Jun, 2017 1 commit
  19. 15 Jun, 2017 1 commit
    • Ondrej Kozina's avatar
      luks1: harden checks for possibly corrupted headers · bef56af7
      Ondrej Kozina authored
      this patches improves two areas:
      1) it checks for keyslot areas overlaping each other
      2) it checks if all keyslot areas fit in header area of device
         (pre-data-offset area) or if it can fit file (detached header)
         it's being loaded from. Those new checks are based on real data
         found in header (offsets) rather than based on assumption calculated
         from key length
  20. 08 Jun, 2017 2 commits
  21. 07 Jun, 2017 1 commit
  22. 21 Apr, 2017 1 commit
  23. 12 Mar, 2017 1 commit
  24. 08 Jun, 2016 1 commit
    • Ondrej Kozina's avatar
      code cleanup related to devfd checks · 16fab74a
      Ondrej Kozina authored
      alter all checks for devfd value after device_open to
      less than zero insted of equals to -1. device_open will
      return values different from -1 in case error happens.
      In LUKSv1 device_open should always return -1 in case of
      error but this check is safer.
      The rest is just formating improvement.
  25. 13 May, 2016 1 commit
    • Ondrej Kozina's avatar
      keymanage: eliminate double close() call · e1dca468
      Ondrej Kozina authored
      fix  double close() cases in LUKS_hdr_backup() and LUKS_hdr_restore()
      functions. It should be harmless unless libcryptsetup is used
      in multi-thread setup which is not supported anyway.
  26. 24 Apr, 2016 1 commit
    • Milan Broz's avatar
      Fix warnings reported by static analysis. · 683e4db4
      Milan Broz authored
      - ensure that strings are \0 terminated (most of this is already
      handled on higher level anyway)
      - fix resource leak in error path in tcrypt.c
      - fix time of check/time of use race in sysfs path processing
      - insruct Coverity scanner to ignore constant expression in random.c
      (it is intented to stop compile-time misconfiguration of RNG that would be fatal)
  27. 23 Mar, 2016 1 commit
  28. 01 Dec, 2015 2 commits
  29. 29 Oct, 2015 1 commit
    • Milan Broz's avatar
      Fix PBKDF2 iteration benchmark for longer key sizes. · 4609fd87
      Milan Broz authored
      The previous PBKDF2 benchmark code did not take into account
      output key length.
      For SHA1 (with 160-bits output) and 256-bit keys (and longer)
      it means that the final value was higher than it should be.
      For other hash algorithms (like SHA256 or SHA512) it caused
      that iteration count was smaller (in comparison to SHA1) than
      expected for the requested time period.
      This patch fixes the code to use key size for the formatted device
      (or default LUKS key size if running in informational benchmark mode).
      Thanks to A.Visconti, S.Bossi, A.Calo and H.Ragab
      (http://www.club.di.unimi.it/) for point this out.
      (Based on "What users should know about Full Disk Encryption
      based on LUKS" paper to be presented on CANS2015).
  30. 02 Jul, 2015 1 commit
    • Milan Broz's avatar
      If the null cipher is used, allow only empty password for LUKS. · dfa2755a
      Milan Broz authored
      The cipher_null is no-encryption, it can be used for testing
      or temporarily when encrypting device (cryptsetup-reencrypt).
      Accepting only empty password prevents situation when you replace
      a LUKS header on an unlocking device with the faked header using
      null cipher (and the same UUID).
      Here a system could think that the device was properly unlocked
      (with any entered password) and will try to use this unencrypted
      partition instead.
      (IOW it prevents situation when attacker intentionaly forces
      an user to boot into dirrerent system just by LUKS header manipulation.)
      Properly configured systems should have an additional integrity protection
      in place here (LUKS here provides only confidentiality) but it is better
      to not not allow this situation in the first place.
      (Despite the fact that once you allow physical tampering of your system
      it cannot be properly secured anymore.)
  31. 15 Jan, 2015 2 commits
  32. 11 Jan, 2015 1 commit
  33. 22 Jun, 2014 1 commit