1. 18 Jan, 2018 1 commit
    • Properly fail in luksFormat if cipher format is missing required IV. · aeea93fa
      Milan Broz authored
      For now, crypto API quietly used cipher without IV if a cipher
      algorithm without IV specification was used (e.g. aes-xts).
      
      This caused a failure later during activation.
      
      This patch allows only two specific backend uses without a specified IV
      (ECB mode and NULL cipher).
      
      Also check cipher string early during parsing of CLI options.
  2. 17 Jan, 2018 1 commit
    • Introduce new 64bit *keyfile_device_offset functions. · f34ce81f
      Milan Broz authored
      The keyfile interface was designed, well, for keyfiles.
      
      Unfortunately, a keyfile can be placed on a device and the size_t offset
      can overflow.
      
      We have to introduce a new set of functions that allow 64bit offsets even on 32bit systems:
       - crypt_resume_by_keyfile_device_offset
       - crypt_keyslot_add_by_keyfile_device_offset
       - crypt_activate_by_keyfile_device_offset
       - crypt_keyfile_device_read
      
      The new functions have added _device_ in name.
      
      Old functions are just internal wrappers around these.
      
      Also cryptsetup --keyfile-offset and --new-keyfile-offset must now
      process 64bit offsets.
      
      For more info see issue 359.
  3. 08 Nov, 2017 1 commit
  4. 29 Oct, 2017 1 commit
  5. 17 Oct, 2017 1 commit
  6. 10 Oct, 2017 1 commit
  7. 04 Oct, 2017 1 commit
  8. 24 Sep, 2017 3 commits
  9. 22 Aug, 2017 1 commit
  10. 15 Aug, 2017 1 commit
  11. 12 Aug, 2017 2 commits
    • Move PBKDF internal benchmark to one place. · 5fc79f56
      Milan Broz authored
      Also cache its value in active context, so we run benchmark
      only once.
      
      The patch also changes calculated value for LUKS1 key digest
      to 125 milliseconds (it means that for full 8 used slots
      the additional slow-down is circa 1 second).
      
      Note that there is no need to have too high iteration count
      for key digest; if it is too computationally expensive, an attacker
      would be better off decrypting one sector with a candidate key anyway.
      (Check for a known signature.)
      
      The reason to have some delay for key digest check was
      to complicate brute-force search for volume key with LUKS header
      only (and if the RNG used to generate the volume key was flawed,
      allowing such a search in reasonable time).
  12. 10 Aug, 2017 1 commit
  13. 07 Aug, 2017 1 commit
  14. 06 Aug, 2017 2 commits
    • Add Argon2 benchmark code. · 8a859391
      Milan Broz authored
      Code based on patch by Ondrej Mosnacek
      
      The new benchmark works as follows:
      
      Phase 1:
      It searches for smallest parameters, such that the duration is 250 ms
      (this part is quite fast).
      Then it uses that data point to estimate the parameters that will have
      the desired duration (and fulfill the basic constraints).
      
      Phase 2:
      The candidate parameters are then measured and if their duration falls
      within +-5% of the target duration, they are accepted.
      Otherwise, new candidate parameters are estimated based on the last
      measurement and phase 2 is repeated.
      
      When measuring the duration for given parameters, the measurement
      is repeated 3 or 4 times and a minimum of the measured durations
      is used as the final duration (to reduce variance in measurements).
      A minimum is taken instead of mean, because the measurements definitely
      have a certain lower bound, but no upper bound (therefore mean value
      would tend to be higher than the value with highest probability density).
      The actual "most likely" duration is going to be somewhere just above
      the minimum measurable value, so minimum over the observations is
      a better estimate than mean.
      Signed-off-by: Milan Broz <gmazyland@gmail.com>
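The calibration loop described in the "Add Argon2 benchmark code" commit message above, as an added C example that is not cryptsetup's code. It tunes a single cost value instead of Argon2's time, memory and thread parameters; `calibrate`, `measure_min` and the simulated timer `sim_measure` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

typedef double (*measure_fn)(uint32_t cost, void *ctx); /* one timed run, in ms */

/* Keep the minimum of three runs: timing noise only ever adds delay. */
static double measure_min(measure_fn fn, void *ctx, uint32_t cost)
{
    double best = fn(cost, ctx);
    for (int i = 1; i < 3; i++) {
        double d = fn(cost, ctx);
        if (d < best) best = d;
    }
    return best;
}

/* Requires 1 <= lo <= hi. Returns the accepted cost, a limit if the target
 * is out of reach, or 0 if measurements are unusable or never converge. */
uint32_t calibrate(measure_fn fn, void *ctx, double target_ms, uint32_t lo, uint32_t hi)
{
    uint32_t cost = lo;
    double d = measure_min(fn, ctx, cost);
    /* Phase 1: grow the cost until one run takes at least 250 ms. */
    while (d < 250.0 && cost < hi) {
        cost = (cost > hi / 2) ? hi : cost * 2;
        d = measure_min(fn, ctx, cost);
    }
    /* Phase 2: estimate from the last data point, re-measure, accept +-5%. */
    for (int round = 0; round < 10 && d > 0.0; round++) {
        if (d >= 0.95 * target_ms && d <= 1.05 * target_ms) return cost;
        double est = (double)cost * target_ms / d;
        if (est < lo) est = lo;
        if (est > hi) est = hi;
        if ((uint32_t)est == cost) return cost; /* pinned at a limit */
        cost = (uint32_t)est;
        d = measure_min(fn, ctx, cost);
    }
    return 0;
}

/* Constructed timer stand-in: 3 ms + 0.8 ms per cost unit + one-sided noise. */
static double sim_measure(uint32_t cost, void *ctx)
{
    static const double noise[] = { 40.0, 0.5, 15.0 };
    return 3.0 + 0.8 * cost + noise[(*(unsigned *)ctx)++ % 3];
}

int main(void)
{
    unsigned calls = 0;
    printf("cost=%u\n", (unsigned)calibrate(sim_measure, &calls, 2000.0, 4, 1u << 20));
}
```

With the constructed noise values, a mean over the three runs would overestimate each measurement by about 18 ms, while the minimum stays within 0.5 ms of the noise-free duration.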
    • Change PBKDF interface API. · 0abf57be
      Milan Broz authored
      Prepare API for PBKDF that can set three costs
        - time (similar to iterations in PBKDF2)
        - memory (required memory for memory-hard function)
        - threads (required number of threads/CPUs).
      
      This patch also removes wrongly designed API call
      crypt_benchmark_kdf and replaces it with the new call
      crypt_benchmark_pbkdf.
      
      Two functions for PBKDF per context setting
      are introduced: crypt_set_pbkdf_type and crypt_get_pbkdf_type.
      
      The patch should be backward compatible when using
      crypt_set_iteration_time function (works only for PBKDF2).
      Signed-off-by: Milan Broz <gmazyland@gmail.com>
  15. 26 Jul, 2017 1 commit
  16. 28 Jun, 2017 2 commits
  17. 27 Jun, 2017 1 commit
  18. 24 Jun, 2017 1 commit
  19. 23 Jun, 2017 1 commit
  20. 21 Jun, 2017 1 commit
  21. 26 Apr, 2017 1 commit
  22. 05 Apr, 2017 1 commit
  23. 12 Mar, 2017 2 commits
  24. 02 Mar, 2017 1 commit
    • support PIM parameter for VeraCrypt compatible devices · 9a798a76
      Daniel Reichelt authored
      This patch adds the --veracrypt-pim=INT and --veracrypt-query-pim
      command-line parameters to support specification of or being queried for a custom
      Personal Iteration Multiplier respectively. This affects the number of
      iterations for key derivation from the entered password. The manpage is
      also updated accordingly.
      
      Fixes Issue #307.
  25. 02 Nov, 2016 1 commit
  26. 18 May, 2016 1 commit
  27. 01 Jan, 2016 1 commit
  28. 22 Nov, 2015 1 commit
  29. 20 Nov, 2015 2 commits
  30. 29 Oct, 2015 1 commit
    • Fix PBKDF2 iteration benchmark for longer key sizes. · 4609fd87
      Milan Broz authored
      The previous PBKDF2 benchmark code did not take into account
      output key length.
      For SHA1 (with 160-bit output) and 256-bit keys (and longer)
      it means that the final value was higher than it should be.
      
      For other hash algorithms (like SHA256 or SHA512) it caused
      the iteration count to be smaller (in comparison to SHA1) than
      expected for the requested time period.
      
      This patch fixes the code to use key size for the formatted device
      (or default LUKS key size if running in informational benchmark mode).
      
      Thanks to A.Visconti, S.Bossi, A.Calo and H.Ragab
      (http://www.club.di.unimi.it/) for pointing this out.
      (Based on "What users should know about Full Disk Encryption
      based on LUKS" paper to be presented at CANS2015).
  31. 08 Sep, 2015 1 commit
  32. 27 Aug, 2015 1 commit
  33. 26 Aug, 2015 1 commit