diff --git a/ChangeLog b/ChangeLog index 6df124dc..be218e59 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,8 @@ * Add crypt_set_rng_type() and crypt_get_rng_type() to API. * Add crypt_set_uuid() to API. * Allow UUID setting in luksFormat and luksUUID (--uuid parameter). + * Add --keyfile-size and --new-keyfile-size (in bytes) size and disallow overloading + of --key-size for limiting keyfile reads. 2010-10-17 Milan Broz * Add crypt_get_device_name() to API (get underlying device name). diff --git a/man/cryptsetup.8 b/man/cryptsetup.8 index 495bb3ba..548362f9 100644 --- a/man/cryptsetup.8 +++ b/man/cryptsetup.8 @@ -43,14 +43,14 @@ These are valid LUKS actions: initializes a LUKS partition and sets the initial key, either via prompting or via . \fB\fR can be [\-\-cipher, \-\-verify-passphrase, \-\-key-size, \-\-key-slot, -\-\-key-file (takes precedence over optional second argument), \-\-use-random | \-\-use-urandom, \-\-uuid]. +\-\-key-file (takes precedence over optional second argument), \-\-keyfile-size, \-\-use-random | \-\-use-urandom, \-\-uuid]. .PP \fIluksOpen\fR .IP opens the LUKS partition and sets up a mapping after successful verification of the supplied key material (either via key file by \-\-key-file, or via prompting). -\fB\fR can be [\-\-key-file, \-\-readonly]. +\fB\fR can be [\-\-key-file, \-\-keyfile-size, \-\-readonly]. .PP \fIluksClose\fR .IP @@ -69,14 +69,14 @@ After that operation you have to use \fIluksResume\fR to reinstate encryption ke Resumes suspended device and reinstates encryption key. You will need provide passphrase identical to \fIluksOpen\fR command (using prompting or key file). -\fB\fR can be [\-\-key-file] +\fB\fR can be [\-\-key-file, \-\-keyfile-size] .PP \fIluksAddKey\fR [] .IP add a new key file/passphrase. An existing passphrase or key file (via \-\-key-file) must be supplied. The key file with the new material is supplied as a positional argument. -\fB\fR can be [\-\-key-file, \-\-key-slot]. +\fB\fR can be [\-\-key-file, \-\-keyfile-size, \-\-new-keyfile-size, \-\-key-slot]. .PP \fIluksRemoveKey\fR [] .IP @@ -87,7 +87,7 @@ remove supplied key or key file from LUKS device wipe key with number from LUKS device. A remaining passphrase or key file (via \-\-key-file) must be supplied. -\fB\fR can be [\-\-key-file]. +\fB\fR can be [\-\-key-file, \-\-keyfile-size]. .PP \fIluksDelKey\fR .IP @@ -176,6 +176,14 @@ If you want to set a new key via a key file, you have to use a positional arg to If the key file is "-", stdin will be used. With the "-" key file reading will not stop when new line character is detected. See section \fBNOTES ON PASSWORD PROCESSING\fR for more information. .TP +.B "\-\-keyfile-size, \-d \fIvalue\fR" +Limits read from keyfile to \fIvalue\fR bytes. +Usable together with all comands using key file. +.TP +.B "\-\-new-keyfile-size \fIvalue\fR" +Limits read from new keyfile to \fIvalue\fR bytes in \fIluksAddKey\fR when adding new key file. +Default is exhaustive read from key file. +.TP .B "\-\-master-key-file" Use pre-generated master key stored in file. For \fIluksFormat\fR it allows LUKS header reformatting with the same master key (if all other parameters are the same existing encrypted data remains intact). @@ -199,8 +207,6 @@ Can be used for \fIcreate\fR or \fIluksFormat\fR, all other LUKS actions will us Default is set during compilation, if not changed it is 256 bits. Use \fIcryptsetup \-\-help\fR to show defaults. - -For \fIluksOpen\fR this option specifies number of bits read from the key-file (default is exhaustive read from key-file). .TP .B "\-\-size, \-b" force the size of the underlying device in sectors. diff --git a/src/cryptsetup.c b/src/cryptsetup.c index e86b6260..839ead05 100644 --- a/src/cryptsetup.c +++ b/src/cryptsetup.c @@ -26,6 +26,8 @@ static char *opt_master_key_file = NULL; static char *opt_header_backup_file = NULL; static char *opt_uuid = NULL; static unsigned int opt_key_size = 0; +static unsigned int opt_keyfile_size = 0; +static unsigned int opt_new_keyfile_size = 0; static int opt_key_slot = CRYPT_ANY_SLOT; static uint64_t opt_size = 0; static uint64_t opt_offset = 0; @@ -399,8 +401,9 @@ static int action_luksFormat(int arg) key, keysize, NULL, 0); } else { crypt_get_key(_("Enter LUKS passphrase: "), - &password, &passwordLen, 0, - key_file, opt_timeout, + &password, &passwordLen, + opt_keyfile_size, key_file, + opt_timeout, opt_batch_mode ? 0 : 1, /* always verify */ cd); @@ -453,9 +456,8 @@ static int action_luksOpen(int arg) if (opt_key_file) { crypt_set_password_retry(cd, 1); - /* limit bytes read from keyfile using opt_key_size*/ r = crypt_activate_by_keyfile(cd, action_argv[1], - CRYPT_ANY_SLOT, opt_key_file, opt_key_size / 8, + CRYPT_ANY_SLOT, opt_key_file, opt_keyfile_size, flags); } else r = crypt_activate_by_passphrase(cd, action_argv[1], @@ -530,8 +532,8 @@ static int action_luksAddKey(int arg) key, keysize, NULL, 0); } else if (opt_key_file || opt_new_key_file) { r = crypt_keyslot_add_by_keyfile(cd, opt_key_slot, - opt_key_file, 0, - opt_new_key_file, 0); + opt_key_file, opt_keyfile_size, + opt_new_key_file, opt_new_keyfile_size); } else { r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot, NULL, 0, NULL, 0); @@ -617,7 +619,7 @@ static int action_luksResume(int arg) if (opt_key_file) r = crypt_resume_by_keyfile(cd, action_argv[0], CRYPT_ANY_SLOT, - opt_key_file, opt_key_size / 8); + opt_key_file, opt_keyfile_size); else r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT, NULL, 0); @@ -760,9 +762,11 @@ int main(int argc, char **argv) { "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL }, { "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL }, { "verify-passphrase", 'y', POPT_ARG_NONE, &opt_verify_passphrase, 0, N_("Verifies the passphrase by asking for it twice"), NULL }, - { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file (can be /dev/random)"), NULL }, + { "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL }, { "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL }, { "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") }, + { "keyfile-size", 'l', POPT_ARG_INT, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") }, + { "new-keyfile-size", '\0', POPT_ARG_INT, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") }, { "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL }, { "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") }, { "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") }, @@ -830,6 +834,25 @@ int main(int argc, char **argv) exit(0); } + if (!(aname = (char *)poptGetArg(popt_context))) + usage(popt_context, 1, _("Argument missing."), + poptGetInvocationName(popt_context)); + for(action = action_types; action->type; action++) + if (strcmp(action->type, aname) == 0) + break; + if (!action->type) + usage(popt_context, 1, _("Unknown action."), + poptGetInvocationName(popt_context)); + + if (opt_key_size && + strcmp(aname, "luksFormat") && + strcmp(aname, "create")) { + usage(popt_context, 1, + _("Option --key-size is allowed only for luksFormat and create.\n" + "To limit read from keyfile use --keyfile-size=(bytes)."), + poptGetInvocationName(popt_context)); + } + if (opt_key_size % 8) usage(popt_context, 1, _("Key size must be a multiple of 8 bits"), @@ -842,16 +865,6 @@ int main(int argc, char **argv) poptGetInvocationName(popt_context)); } - if (!(aname = (char *)poptGetArg(popt_context))) - usage(popt_context, 1, _("Argument missing."), - poptGetInvocationName(popt_context)); - for(action = action_types; action->type; action++) - if (strcmp(action->type, aname) == 0) - break; - if (!action->type) - usage(popt_context, 1, _("Unknown action."), - poptGetInvocationName(popt_context)); - if (opt_random && opt_urandom) usage(popt_context, 1, _("Only one of --use-[u]random options is allowed."), poptGetInvocationName(popt_context));