summaryrefslogtreecommitdiff
path: root/src/cryptsetup
AgeCommit message (Collapse)Author
2015-02-02cryptsetup: only warn on real key filesMartin Pitt
Simplify the check from commit 05f73ad to only apply the warning to regular files instead of enumerating device nodes.
2015-02-02cryptsetup: Do not warn If the key is /dev/*randomCristian Rodríguez
Using /dev/urandom as a key is valid for swap, do not warn if this devices are world readable.
2015-01-11Support negated fstab optionsZbigniew Jędrzejewski-Szmek
We would ignore options like "fail" and "auto", and for any option which takes a value the first assignment would win. Repeated and options equivalent to the default are rarely used, but they have been documented forever, and people might use them. Especially on the kernel command line it is easier to append a repeated or negated option at the end.
2015-01-11cryptsetup-generator: remove duplicated functionZbigniew Jędrzejewski-Szmek
2015-01-08cryptsetup: support header= optionAndrey Chaser
https://bugs.freedesktop.org/show_bug.cgi?id=66396
2014-12-05cryptsetup-generator: Add support for naming luks devices on kernel cmdlineJan Janssen
2014-12-05cryptsetup-generator: Add support for UUID-specific key files on kernel ↵Jan Janssen
command line
2014-12-05cryptsetup-generator: Split main() into more functions and use hasmapsJan Janssen
2014-11-28treewide: another round of simplificationsMichal Schmidt
Using the same scripts as in f647962d64e "treewide: yet more log_*_errno + return simplifications".
2014-11-28treewide: use log_*_errno whenever %m is in the format stringMichal Schmidt
If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged. Using: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/' Plus some whitespace, linewrap, and indent adjustments.
2014-11-28treewide: more log_*_errno + return simplificationsMichal Schmidt
2014-11-28treewide: no need to negate errno for log_*_errno()Michal Schmidt
It corrrectly handles both positive and negative errno values.
2014-11-28treewide: auto-convert the simple cases to log_*_errno()Michal Schmidt
As a followup to 086891e5c1 "log: add an "error" parameter to all low-level logging calls and intrdouce log_error_errno() as log calls that take error numbers", use sed to convert the simple cases to use the new macros: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\("(.*)%s"(.*), strerror\(-([a-zA-Z_]+)\)\);/log_\1_errno(-\4, "\2%m"\3);/' Multi-line log_*() invocations are not covered. And we also should add log_unit_*_errno().
2014-11-24cryptsetup: default to no hash when keyfile is specifiedZbigniew Jędrzejewski-Szmek
For plain dm-crypt devices, the behavior of cryptsetup package is to ignore the hash algorithm when a key file is provided. It seems wrong to ignore a hash when it is explicitly specified, but we should default to no hash if the keyfile is specified. https://bugs.freedesktop.org/show_bug.cgi?id=52630
2014-11-07util: simplify proc_cmdline() to reuse get_process_cmdline()Lennart Poettering
Also, make all parsing of the kernel cmdline non-fatal.
2014-11-06s/commandline/command line/gHarald Hoyer
2014-10-24cryptsetup: Fix timeout on dm device.Hugo Grostabussiat
Fix a bug in systemd-cryptsetup-generator which caused the drop-in setting the job timeout for the dm device unit to be written with a name different than the unit name. https://bugs.freedesktop.org/show_bug.cgi?id=84409
2014-10-23cryptsetup: fix an OOM checkLennart Poettering
2014-09-25readahead: wipe out readaheadDaniel Buch
2014-07-31Reject invalid quoted stringsZbigniew Jędrzejewski-Szmek
String which ended in an unfinished quote were accepted, potentially with bad memory accesses. Reject anything which ends in a unfished quote, or contains non-whitespace characters right after the closing quote. _FOREACH_WORD now returns the invalid character in *state. But this return value is not checked anywhere yet. Also, make 'word' and 'state' variables const pointers, and rename 'w' to 'word' in various places. Things are easier to read if the same name is used consistently. mbiebl_> am I correct that something like this doesn't work mbiebl_> ExecStart=/usr/bin/encfs --extpass='/bin/systemd-ask-passwd "Unlock EncFS"' mbiebl_> systemd seems to strip of the quotes mbiebl_> systemctl status shows mbiebl_> ExecStart=/usr/bin/encfs --extpass='/bin/systemd-ask-password Unlock EncFS $RootDir $MountPoint mbiebl_> which is pretty weird
2014-07-26Always check asprintf return codeKarel Zak
There is a small number of the places in sources where we don't check asprintf() return code and assume that after error the function returns NULL pointer via the first argument. That's wrong, after error the content of pointer is undefined.
2014-06-30cryptsetup: allow x-systemd.device-timeoutZbigniew Jędrzejewski-Szmek
https://bugs.freedesktop.org/show_bug.cgi?id=54210
2014-06-23cryptsetup: don't add unit dependency on /dev/null devices when it is listed ↵Lennart Poettering
as password file As special magic, don't create device dependencies for /dev/null. Of course, there might be similar devices we might want to include, but given that none of them really make sense to specify as password source there's really no point in checking for anything else here. https://bugs.freedesktop.org/show_bug.cgi?id=75816
2014-06-19stop complaining about unknown kernel cmdline optionsLennart Poettering
Also stop warning about unknown kernel cmdline options in the various tools, not just in PID 1
2014-06-18cryptsetup: introduce new cryptsetup-pre.traget unit so that services can ↵Lennart Poettering
make sure they are started before and stopped after any LUKS setup https://bugzilla.redhat.com/show_bug.cgi?id=1097938
2014-06-13cryptsetup: check that password is not nullThomas Hindoe Paaboel Andersen
Beef up the assert to protect against passing null to strlen. Found with scan-build.
2014-04-24Fix keysize handling in cryptsetup (bits vs. bytes)David Härdeman
The command line key-size is in bits but the libcryptsetup API expects bytes. Note that the modulo 8 check is in the original cryptsetup binary as well, so it's no new limitation. (v2: changed the point at which the /= 8 is performed, rebased, removed tabs)
2014-04-24Add more password agent informationDavid Härdeman
Add an (optional) "Id" key in the password agent .ask files. The Id is supposed to be a simple string in "<subsystem>:<target>" form which is used to provide more information on what the requested passphrase is to be used for (which e.g. allows an agent to only react to cryptsetup requests). (v2: rebased, fixed indentation, escape name, use strappenda)
2014-04-19cryptsetup: copy value, not key for (rd.)luks.keyMatthew Monaco
2014-03-24cryptsetup: minor typo fixLennart Poettering
2014-03-13cryptsetup: call static variables parsed from command line arg_XYZ like in ↵Lennart Poettering
all other tools
2014-03-06generators: add Documentation= fields that point to the generator man pagesLennart Poettering
2014-03-06util: move more intellegince into parse_proc_cmdline()Lennart Poettering
Already split variable assignments before invoking the callback. And drop "rd." settings if we are not in an initrd.
2014-03-06cryptsetup: some fixesLennart Poettering
2014-02-17Extract looping over /proc/cmdline into a shared functionZbigniew Jędrzejewski-Szmek
In cryptsetup-generator automatic cleanup had to be replaced with manual cleanup, and the code gets a bit longer. But existing code had the issue that it returned negative values from main(), which was wrong, so should be reworked anyway.
2014-02-08cryptsetup-generator: auto add deps for device as passwordDave Reisner
If the password is a device file, we can add Requires/After dependencies on the device rather than requiring the user to do so.
2014-01-26cryptsetup: Support key-slot optionChristian Seiler
Debian recently introduced the option key-slot to /etc/crypttab to specify the LUKS key slot to be used for decrypting the device. On systems where a keyfile is used and the key is not in the first slot, this can speed up the boot process quite a bit, since cryptsetup does not need to try all of the slots sequentially. (Unsuccessfully testing a key slot typically takes up to about 1 second.) This patch makes systemd aware of this option. Debian bug that introduced the feature: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704470
2013-11-06util: unify reading of /proc/cmdlineLennart Poettering
Instead of individually checking for containers in each user do this once in a new call proc_cmdline() that read the file only if we are not in a container.
2013-10-13Introduce udev object cleanup functionsZbigniew Jędrzejewski-Szmek
2013-10-03Introduce _cleanup_endmntent_Zbigniew Jędrzejewski-Szmek
2013-10-02cryptsetup: fix OOM handling when parsing mount optionsLennart Poettering
2013-09-29set IgnoreOnIsolate=true for systemd-cryptsetup@.serviceAndrey Borzenkov
When crypttab contains noauto, cryptsetup service does not have any explicit dependencies. If service is started later manually (directly or via mount dependency) it will be stopped on isolate. mount units already have IgnoreOnIsolate set by default. Set it by default for cryptsetup units as well.
2013-09-23Fix obsolete references to systemd-random-seed-load.serviceEelco Dolstra
This service was merged with systemd-random-seed-save.service in c35b956d34bbb8bb208e49e45de2c103ca11911c.
2013-09-13cryptsetup-generator: allow specifying options in /proc/cmdlineTom Gundersen
The main usecase for this is to make it possible to use cryptsetup in the initrd without it having to include a host-specific /etc/crypttab. Tested-by: Thomas Bächler <thomas@archlinux.org>
2013-09-13cryptsetup-generator: don't create tmp+swap unitsTom Gundersen
2013-09-11cryptsetup: Retry indefinitely if tries=0 option has been set.Thomas Bächler
When running from initrd, entering a wrong passphrase usually means that you cannot boot. Therefore, we allow trying indefinitely.
2013-08-14systemd-cryptsetup: makes “discard” a synonym for “allow-discards”Ondrej Balaz
systemd-cryptsetup recognizes option 'allow-discards' in /etc/crypttab to enable TRIM passthrough to underlying encrypted device. In Debian this option was changed to 'discard' to avoid hyphen in option name. (see: #648868 and `man crypttab`). [zj: update crypttab(5) too, making "discard" the default.]
2013-07-16cryptsetup: Add tcrypt supportJan Janssen
Tcrypt uses a different approach to passphrases/key files. The passphrase and all key files are incorporated into the "password" to open the volume. So, the idea of slots that provide a way to open the volume with different passphrases/key files that are independent from each other like with LUKS does not apply. Therefore, we use the key file from /etc/crypttab as the source for the passphrase. The actual key files that are combined with the passphrase into a password are provided as a new option in /etc/crypttab and can be given multiple times if more than one key file is used by a volume.
2013-07-16cryptsetup: Move attaching of the device out of mainJan Janssen
2013-07-16cryptsetup: Move password query out of mainJan Janssen
Also use _cleanup_free_ where possible.