* Add --keyfile-size and --new-keyfile-size (in bytes) size and

disallow overloading of --key-size for limiting keyfile reads.

git-svn-id: https://cryptsetup.googlecode.com/svn/trunk@356 36d66b0a-2a48-0410-832c-cd162a569da5

ChangeLog

@@ -6,6 +6,8 @@
 	* Add crypt_set_rng_type() and crypt_get_rng_type() to API.
 	* Add crypt_set_uuid() to API.
 	* Allow UUID setting in luksFormat and luksUUID (--uuid parameter).
+	* Add --keyfile-size and --new-keyfile-size (in bytes) size and disallow overloading
+	  of --key-size for limiting keyfile reads.
 
 2010-10-17  Milan Broz  <mbroz@redhat.com>
 	* Add crypt_get_device_name() to API (get underlying device name).

man/cryptsetup.8

@@ -43,14 +43,14 @@ These are valid LUKS actions:
 initializes a LUKS partition and sets the initial key, either via prompting or via <key file>.
 
 \fB<options>\fR can be [\-\-cipher, \-\-verify-passphrase, \-\-key-size, \-\-key-slot,
-\-\-key-file (takes precedence over optional second argument), \-\-use-random | \-\-use-urandom, \-\-uuid].
+\-\-key-file (takes precedence over optional second argument), \-\-keyfile-size, \-\-use-random | \-\-use-urandom, \-\-uuid].
 
 .PP
 \fIluksOpen\fR <device> <name>
 .IP
 opens the LUKS partition <device> and sets up a mapping <name> after successful verification of the supplied key material (either via key file by \-\-key-file, or via prompting).
 
-\fB<options>\fR can be [\-\-key-file, \-\-readonly].
+\fB<options>\fR can be [\-\-key-file, \-\-keyfile-size, \-\-readonly].
 .PP
 \fIluksClose\fR <name>
 .IP
@@ -69,14 +69,14 @@ After that operation you have to use \fIluksResume\fR to reinstate encryption ke
 Resumes suspended device and reinstates encryption key. You will need provide passphrase
 identical to \fIluksOpen\fR command (using prompting or key file).
 
-\fB<options>\fR can be [\-\-key-file]
+\fB<options>\fR can be [\-\-key-file, \-\-keyfile-size]
 .PP
 \fIluksAddKey\fR <device> [<new key file>]
 .IP
 add a new key file/passphrase. An existing passphrase or key file (via \-\-key-file) must be supplied.
 The key file with the new material is supplied as a positional argument.
 
-\fB<options>\fR can be [\-\-key-file, \-\-key-slot].
+\fB<options>\fR can be [\-\-key-file, \-\-keyfile-size, \-\-new-keyfile-size, \-\-key-slot].
 .PP
 \fIluksRemoveKey\fR <device> [<key file>] 
 .IP
@@ -87,7 +87,7 @@ remove supplied key or key file from LUKS device
 wipe key with number <key slot> from LUKS device. A remaining passphrase or
 key file (via \-\-key-file) must be supplied.
 
-\fB<options>\fR can be [\-\-key-file].
+\fB<options>\fR can be [\-\-key-file, \-\-keyfile-size].
 .PP
 \fIluksDelKey\fR <device> <key slot number>
 .IP
@@ -176,6 +176,14 @@ If you want to set a new key via a key file, you have to use a positional arg to
 If the key file is "-", stdin will be used. With the "-" key file reading will
 not stop when new line character is detected. See section \fBNOTES ON PASSWORD PROCESSING\fR for more information.
 .TP
+.B "\-\-keyfile-size, \-d \fIvalue\fR"
+Limits read from keyfile to \fIvalue\fR bytes.
+Usable together with all comands using key file.
+.TP
+.B "\-\-new-keyfile-size  \fIvalue\fR"
+Limits read from new keyfile to \fIvalue\fR bytes in \fIluksAddKey\fR when adding new key file.
+Default is exhaustive read from key file.
+.TP
 .B "\-\-master-key-file"
 Use pre-generated master key stored in file. For \fIluksFormat\fR it allows LUKS header reformatting with the same master key (if all other parameters are the same existing encrypted data remains intact).
 
@@ -199,8 +207,6 @@ Can be used for \fIcreate\fR or \fIluksFormat\fR, all other LUKS actions will us
 Default is set during compilation, if not changed it is 256 bits.
 
 Use \fIcryptsetup \-\-help\fR to show defaults.
-
-For \fIluksOpen\fR this option specifies number of bits read from the key-file (default is exhaustive read from key-file).
 .TP
 .B "\-\-size, \-b"
 force the size of the underlying device in sectors.

src/cryptsetup.c

@@ -26,6 +26,8 @@ static char *opt_master_key_file = NULL;
 static char *opt_header_backup_file = NULL;
 static char *opt_uuid = NULL;
 static unsigned int opt_key_size = 0;
+static unsigned int opt_keyfile_size = 0;
+static unsigned int opt_new_keyfile_size = 0;
 static int opt_key_slot = CRYPT_ANY_SLOT;
 static uint64_t opt_size = 0;
 static uint64_t opt_offset = 0;
@@ -399,8 +401,9 @@ static int action_luksFormat(int arg)
 						    key, keysize, NULL, 0);
 	} else {
 		crypt_get_key(_("Enter LUKS passphrase: "),
-			      &password, &passwordLen, 0,
-			      key_file, opt_timeout,
+			      &password, &passwordLen,
+			      opt_keyfile_size, key_file,
+			      opt_timeout,
 			      opt_batch_mode ? 0 : 1, /* always verify */
 			      cd);
 
@@ -453,9 +456,8 @@ static int action_luksOpen(int arg)
 
 	if (opt_key_file) {
 		crypt_set_password_retry(cd, 1);
-		/* limit bytes read from keyfile using opt_key_size*/
 		r = crypt_activate_by_keyfile(cd, action_argv[1],
-			CRYPT_ANY_SLOT, opt_key_file, opt_key_size / 8,
+			CRYPT_ANY_SLOT, opt_key_file, opt_keyfile_size,
 			flags);
 	} else
 		r = crypt_activate_by_passphrase(cd, action_argv[1],
@@ -530,8 +532,8 @@ static int action_luksAddKey(int arg)
 						    key, keysize, NULL, 0);
 	} else if (opt_key_file || opt_new_key_file) {
 		r = crypt_keyslot_add_by_keyfile(cd, opt_key_slot,
-						 opt_key_file, 0,
-						 opt_new_key_file, 0);
+						 opt_key_file, opt_keyfile_size,
+						 opt_new_key_file, opt_new_keyfile_size);
 	} else {
 		r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
 						    NULL, 0, NULL, 0);
@@ -617,7 +619,7 @@ static int action_luksResume(int arg)
 
 	if (opt_key_file)
 		r = crypt_resume_by_keyfile(cd, action_argv[0], CRYPT_ANY_SLOT,
-					    opt_key_file, opt_key_size / 8);
+					    opt_key_file, opt_keyfile_size);
 	else
 		r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
 					       NULL, 0);
@@ -760,9 +762,11 @@ int main(int argc, char **argv)
 		{ "cipher",            'c',  POPT_ARG_STRING, &opt_cipher,              0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
 		{ "hash",              'h',  POPT_ARG_STRING, &opt_hash,                0, N_("The hash used to create the encryption key from the passphrase"), NULL },
 		{ "verify-passphrase", 'y',  POPT_ARG_NONE, &opt_verify_passphrase,     0, N_("Verifies the passphrase by asking for it twice"), NULL },
-		{ "key-file",          'd',  POPT_ARG_STRING, &opt_key_file,            0, N_("Read the key from a file (can be /dev/random)"), NULL },
+		{ "key-file",          'd',  POPT_ARG_STRING, &opt_key_file,            0, N_("Read the key from a file."), NULL },
 		{ "master-key-file",  '\0',  POPT_ARG_STRING, &opt_master_key_file,     0, N_("Read the volume (master) key from file."), NULL },
 		{ "key-size",          's',  POPT_ARG_INT, &opt_key_size,               0, N_("The size of the encryption key"), N_("BITS") },
+		{ "keyfile-size",      'l',  POPT_ARG_INT, &opt_keyfile_size,           0, N_("Limits the read from keyfile"), N_("bytes") },
+		{ "new-keyfile-size", '\0',  POPT_ARG_INT, &opt_new_keyfile_size,       0, N_("Limits the read from newly added keyfile"), N_("bytes") },
 		{ "key-slot",          'S',  POPT_ARG_INT, &opt_key_slot,               0, N_("Slot number for new key (default is first free)"), NULL },
 		{ "size",              'b',  POPT_ARG_STRING, &popt_tmp,                1, N_("The size of the device"), N_("SECTORS") },
 		{ "offset",            'o',  POPT_ARG_STRING, &popt_tmp,                2, N_("The start offset in the backend device"), N_("SECTORS") },
@@ -830,6 +834,25 @@ int main(int argc, char **argv)
 		exit(0);
 	}
 
+	if (!(aname = (char *)poptGetArg(popt_context)))
+		usage(popt_context, 1, _("Argument <action> missing."),
+		      poptGetInvocationName(popt_context));
+	for(action = action_types; action->type; action++)
+		if (strcmp(action->type, aname) == 0)
+			break;
+	if (!action->type)
+		usage(popt_context, 1, _("Unknown action."),
+		      poptGetInvocationName(popt_context));
+
+	if (opt_key_size &&
+	   strcmp(aname, "luksFormat") &&
+	   strcmp(aname, "create")) {
+		usage(popt_context, 1,
+		      _("Option --key-size is allowed only for luksFormat and create.\n"
+		        "To limit read from keyfile use --keyfile-size=(bytes)."),
+		      poptGetInvocationName(popt_context));
+	}
+
 	if (opt_key_size % 8)
 		usage(popt_context, 1,
 		      _("Key size must be a multiple of 8 bits"),
@@ -842,16 +865,6 @@ int main(int argc, char **argv)
 		      poptGetInvocationName(popt_context));
 	}
 
-	if (!(aname = (char *)poptGetArg(popt_context)))
-		usage(popt_context, 1, _("Argument <action> missing."),
-		      poptGetInvocationName(popt_context));
-	for(action = action_types; action->type; action++)
-		if (strcmp(action->type, aname) == 0)
-			break;
-	if (!action->type)
-		usage(popt_context, 1, _("Unknown action."),
-		      poptGetInvocationName(popt_context));
-
 	if (opt_random && opt_urandom)
 		usage(popt_context, 1, _("Only one of --use-[u]random options is allowed."),
 		      poptGetInvocationName(popt_context));