mirror of
https://gitlab.com/cryptsetup/cryptsetup.git
synced 2025-12-08 17:30:03 +01:00
Rewrite key input handling, add limits.
git-svn-id: https://cryptsetup.googlecode.com/svn/trunk@474 36d66b0a-2a48-0410-832c-cd162a569da5
This commit is contained in:
Milan Broz
@@ -1,5 +1,7 @@
|
||||
2011-04-15 Milan Broz <mbroz@redhat.com>
|
||||
* Increase maximum loopAES keyfile size.
|
||||
2011-04-18 Milan Broz <mbroz@redhat.com>
|
||||
* Respect maximum keyfile size paramater.
|
||||
* Introduce maximum default keyfile size, add configure option.
|
||||
* Require the whole key read from keyfile in create command (broken in 1.2.0).
|
||||
|
||||
2011-04-14 Milan Broz <mbroz@redhat.com>
|
||||
* Version 1.3.0-rc1.
|
||||
|
||||
@@ -253,6 +253,9 @@ CS_NUM_WITH([luks1-keybits],[key length in bits for LUKS1], [256])
|
||||
CS_STR_WITH([loopaes-cipher], [cipher for loop-AES mode], [aes])
|
||||
CS_NUM_WITH([loopaes-keybits],[key length in bits for loop-AES mode], [256])
|
||||
|
||||
CS_NUM_WITH([keyfile-size-maxkb],[maximum keyfile size (in kilobytes)], [8192])
|
||||
CS_NUM_WITH([passphrase-size-max],[maximum keyfile size (in kilobytes)], [512])
|
||||
|
||||
dnl ==========================================================================
|
||||
|
||||
AC_CONFIG_FILES([ Makefile
|
||||
|
||||
@@ -104,7 +104,7 @@ static int hash_keys(struct volume_key **vk,
|
||||
return r;
|
||||
}
|
||||
|
||||
static int keyfile_is_gpg(char *buffer, unsigned int buffer_len)
|
||||
static int keyfile_is_gpg(char *buffer, size_t buffer_len)
|
||||
{
|
||||
int r = 0;
|
||||
int index = buffer_len < 100 ? buffer_len - 1 : 100;
|
||||
@@ -121,22 +121,19 @@ int LOOPAES_parse_keyfile(struct crypt_device *cd,
|
||||
struct volume_key **vk,
|
||||
unsigned int *keys_count,
|
||||
char *buffer,
|
||||
unsigned int buffer_len)
|
||||
|
||||
size_t buffer_len)
|
||||
{
|
||||
const char *keys[LOOPAES_KEYS_MAX];
|
||||
int i, key_index, key_len, offset;
|
||||
|
||||
log_dbg("Parsing loop-AES keyfile of size %d.", buffer_len);
|
||||
|
||||
if (buffer_len < LOOPAES_KEYFILE_MINSIZE) {
|
||||
log_err(cd, _("Incompatible loop-AES keyfile detected.\n"));
|
||||
if (!buffer_len)
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
if (keyfile_is_gpg(buffer, buffer_len)) {
|
||||
log_err(cd, "Detected not yet supported GPG encrypted keyfile.\n");
|
||||
log_std(cd, "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n");
|
||||
log_err(cd, _("Detected not yet supported GPG encrypted keyfile.\n"));
|
||||
log_std(cd, _("Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"));
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
|
||||
@@ -1,15 +1,16 @@
|
||||
#ifndef _LOOPAES_H
|
||||
#define _LOOPAES_H
|
||||
|
||||
#include <unistd.h>
|
||||
#include "config.h"
|
||||
|
||||
#define LOOPAES_KEYS_MAX 65
|
||||
#define LOOPAES_KEYFILE_MINSIZE 60
|
||||
#define LOOPAES_KEYFILE_MAXSIZE 16000
|
||||
|
||||
int LOOPAES_parse_keyfile(struct crypt_device *cd,
|
||||
struct volume_key **vk,
|
||||
unsigned int *keys_count,
|
||||
char *buffer,
|
||||
unsigned int buffer_len);
|
||||
size_t buffer_len);
|
||||
|
||||
int LOOPAES_activate(struct crypt_device *cd,
|
||||
const char *name,
|
||||
|
||||
60
lib/setup.c
60
lib/setup.c
@@ -151,6 +151,8 @@ static char *process_key(struct crypt_device *cd, const char *hash_name,
|
||||
return NULL;
|
||||
|
||||
key = crypt_safe_alloc(key_size);
|
||||
if (!key)
|
||||
return NULL;
|
||||
memset(key, 0, key_size);
|
||||
|
||||
/* key is coming from binary file */
|
||||
@@ -237,7 +239,7 @@ static int verify_other_keyslot(struct crypt_device *cd,
|
||||
crypt_keyslot_info ki;
|
||||
int openedIndex, r;
|
||||
char *password = NULL;
|
||||
unsigned int passwordLen;
|
||||
size_t passwordLen;
|
||||
|
||||
r = crypt_get_key(_("Enter any remaining LUKS passphrase: "),
|
||||
&password, &passwordLen, 0, key_file, cd->timeout,
|
||||
@@ -272,7 +274,7 @@ static int find_keyslot_by_passphrase(struct crypt_device *cd,
|
||||
{
|
||||
struct volume_key *vk = NULL;
|
||||
char *password = NULL;
|
||||
unsigned int passwordLen;
|
||||
size_t passwordLen;
|
||||
int r;
|
||||
|
||||
r = crypt_get_key(message,&password,&passwordLen, 0, key_file,
|
||||
@@ -346,9 +348,9 @@ static int create_device_helper(struct crypt_device *cd,
|
||||
const char *cipher,
|
||||
const char *cipher_mode,
|
||||
const char *key_file,
|
||||
const char *key,
|
||||
unsigned int keyLen,
|
||||
int key_size,
|
||||
const char *passphrase,
|
||||
size_t passphrase_size,
|
||||
size_t key_size,
|
||||
uint64_t size,
|
||||
uint64_t skip,
|
||||
uint64_t offset,
|
||||
@@ -389,7 +391,7 @@ static int create_device_helper(struct crypt_device *cd,
|
||||
if (cipher_mode && asprintf(&dm_cipher, "%s-%s", cipher, cipher_mode) < 0)
|
||||
return -ENOMEM;
|
||||
|
||||
processed_key = process_key(cd, hash, key_file, key_size, key, keyLen);
|
||||
processed_key = process_key(cd, hash, key_file, key_size, passphrase, passphrase_size);
|
||||
if (!processed_key) {
|
||||
r = -ENOENT;
|
||||
goto out;
|
||||
@@ -454,7 +456,7 @@ int crypt_confirm(struct crypt_device *cd, const char *msg)
|
||||
}
|
||||
|
||||
static int key_from_terminal(struct crypt_device *cd, char *msg, char **key,
|
||||
unsigned int *key_len, int force_verify)
|
||||
size_t *key_len, int force_verify)
|
||||
{
|
||||
char *prompt = NULL;
|
||||
int r;
|
||||
@@ -468,12 +470,13 @@ static int key_from_terminal(struct crypt_device *cd, char *msg, char **key,
|
||||
msg = prompt;
|
||||
|
||||
if (cd->password) {
|
||||
*key = crypt_safe_alloc(MAX_TTY_PASSWORD_LEN);
|
||||
*key = crypt_safe_alloc(DEFAULT_PASSPHRASE_SIZE_MAX);
|
||||
if (!*key) {
|
||||
r = -ENOMEM;
|
||||
goto out;
|
||||
}
|
||||
r = cd->password(msg, *key, MAX_TTY_PASSWORD_LEN, cd->password_usrptr);
|
||||
r = cd->password(msg, *key, DEFAULT_PASSPHRASE_SIZE_MAX,
|
||||
cd->password_usrptr);
|
||||
if (r < 0) {
|
||||
crypt_safe_free(*key);
|
||||
*key = NULL;
|
||||
@@ -491,7 +494,7 @@ static int volume_key_by_terminal_passphrase(struct crypt_device *cd, int keyslo
|
||||
struct volume_key **vk)
|
||||
{
|
||||
char *passphrase_read = NULL;
|
||||
unsigned int passphrase_size_read;
|
||||
size_t passphrase_size_read;
|
||||
int r = -EINVAL, tries = cd->tries;
|
||||
|
||||
*vk = NULL;
|
||||
@@ -520,7 +523,7 @@ out:
|
||||
}
|
||||
|
||||
static int key_from_file(struct crypt_device *cd, char *msg,
|
||||
char **key, unsigned int *key_len,
|
||||
char **key, size_t *key_len,
|
||||
const char *key_file, size_t key_size)
|
||||
{
|
||||
return crypt_get_key(msg, key, key_len, key_size, key_file,
|
||||
@@ -609,24 +612,26 @@ void crypt_set_password_callback(struct crypt_device *cd,
|
||||
static int crypt_create_and_update_device(struct crypt_options *options, int update)
|
||||
{
|
||||
struct crypt_device *cd = NULL;
|
||||
char *key = NULL;
|
||||
unsigned int keyLen;
|
||||
char *passphrase = NULL;
|
||||
size_t passphrase_size = 0;
|
||||
int r;
|
||||
|
||||
r = _crypt_init(&cd, CRYPT_PLAIN, options, 0, 1);
|
||||
if (r)
|
||||
return r;
|
||||
|
||||
r = crypt_get_key(_("Enter passphrase: "), &key, &keyLen, options->key_size,
|
||||
options->key_file, cd->timeout, cd->password_verify, cd);
|
||||
r = crypt_get_key(_("Enter passphrase: "), &passphrase, &passphrase_size,
|
||||
options->key_size, options->key_file,
|
||||
cd->timeout, cd->password_verify, cd);
|
||||
if (!r)
|
||||
r = create_device_helper(cd, options->name, options->hash,
|
||||
options->cipher, NULL, options->key_file, key, keyLen,
|
||||
options->cipher, NULL, options->key_file,
|
||||
passphrase, passphrase_size,
|
||||
options->key_size, options->size, options->skip,
|
||||
options->offset, NULL, options->flags & CRYPT_FLAG_READONLY,
|
||||
options->flags, update);
|
||||
|
||||
crypt_safe_free(key);
|
||||
crypt_safe_free(passphrase);
|
||||
crypt_free(cd);
|
||||
return r;
|
||||
}
|
||||
@@ -756,7 +761,7 @@ int crypt_luksFormat(struct crypt_options *options)
|
||||
char cipherName[LUKS_CIPHERNAME_L];
|
||||
char cipherMode[LUKS_CIPHERMODE_L];
|
||||
char *password=NULL;
|
||||
unsigned int passwordLen;
|
||||
size_t passwordLen;
|
||||
struct crypt_device *cd = NULL;
|
||||
struct crypt_params_luks1 cp = {
|
||||
.hash = options->hash,
|
||||
@@ -822,7 +827,7 @@ int crypt_luksOpen(struct crypt_options *options)
|
||||
|
||||
if (options->key_file)
|
||||
r = crypt_activate_by_keyfile(cd, options->name,
|
||||
CRYPT_ANY_SLOT, options->key_file, options->key_size,
|
||||
CRYPT_ANY_SLOT, options->key_file, 0,
|
||||
flags);
|
||||
else
|
||||
r = crypt_activate_by_passphrase(cd, options->name,
|
||||
@@ -1614,7 +1619,7 @@ int crypt_resume_by_keyfile(struct crypt_device *cd,
|
||||
{
|
||||
struct volume_key *vk = NULL;
|
||||
char *passphrase_read = NULL;
|
||||
unsigned int passphrase_size_read;
|
||||
size_t passphrase_size_read;
|
||||
int r, suspended = 0;
|
||||
|
||||
log_dbg("Resuming volume %s.", name);
|
||||
@@ -1668,7 +1673,7 @@ int crypt_keyslot_add_by_passphrase(struct crypt_device *cd,
|
||||
{
|
||||
struct volume_key *vk = NULL;
|
||||
char *password = NULL, *new_password = NULL;
|
||||
unsigned int passwordLen, new_passwordLen;
|
||||
size_t passwordLen, new_passwordLen;
|
||||
int r;
|
||||
|
||||
log_dbg("Adding new keyslot, existing passphrase %sprovided,"
|
||||
@@ -1742,8 +1747,8 @@ int crypt_keyslot_add_by_keyfile(struct crypt_device *cd,
|
||||
size_t new_keyfile_size)
|
||||
{
|
||||
struct volume_key *vk = NULL;
|
||||
char *password = NULL; unsigned int passwordLen;
|
||||
char *new_password = NULL; unsigned int new_passwordLen;
|
||||
char *password = NULL; size_t passwordLen;
|
||||
char *new_password = NULL; size_t new_passwordLen;
|
||||
int r;
|
||||
|
||||
log_dbg("Adding new keyslot, existing keyfile %s, new keyfile %s.",
|
||||
@@ -1814,7 +1819,7 @@ int crypt_keyslot_add_by_volume_key(struct crypt_device *cd,
|
||||
{
|
||||
struct volume_key *vk = NULL;
|
||||
int r = -EINVAL;
|
||||
char *new_password = NULL; unsigned int new_passwordLen;
|
||||
char *new_password = NULL; size_t new_passwordLen;
|
||||
|
||||
log_dbg("Adding new keyslot %d using volume key.", keyslot);
|
||||
|
||||
@@ -1894,7 +1899,7 @@ int crypt_activate_by_passphrase(struct crypt_device *cd,
|
||||
crypt_status_info ci;
|
||||
struct volume_key *vk = NULL;
|
||||
char *read_passphrase = NULL;
|
||||
unsigned int passphraseLen = 0;
|
||||
size_t passphraseLen = 0;
|
||||
int r;
|
||||
|
||||
log_dbg("%s volume %s [keyslot %d] using %spassphrase.",
|
||||
@@ -1961,7 +1966,8 @@ int crypt_activate_by_keyfile(struct crypt_device *cd,
|
||||
crypt_status_info ci;
|
||||
struct volume_key *vk = NULL;
|
||||
char *passphrase_read = NULL;
|
||||
unsigned int passphrase_size_read, key_count = 0;
|
||||
size_t passphrase_size_read;
|
||||
unsigned int key_count = 0;
|
||||
int r;
|
||||
|
||||
log_dbg("Activating volume %s [keyslot %d] using keyfile %s.",
|
||||
@@ -2011,7 +2017,7 @@ int crypt_activate_by_keyfile(struct crypt_device *cd,
|
||||
r = keyslot;
|
||||
} else if (isLOOPAES(cd->type)) {
|
||||
r = key_from_file(cd, NULL, &passphrase_read, &passphrase_size_read,
|
||||
keyfile, LOOPAES_KEYFILE_MAXSIZE);
|
||||
keyfile, keyfile_size);
|
||||
if (r < 0)
|
||||
goto out;
|
||||
r = LOOPAES_parse_keyfile(cd, &vk, &key_count,
|
||||
|
||||
@@ -33,6 +33,9 @@
|
||||
#include "nls.h"
|
||||
#include "utils_crypt.h"
|
||||
|
||||
#define log_dbg(x) crypt_log(NULL, CRYPT_LOG_DEBUG, x)
|
||||
#define log_err(cd, x) crypt_log(cd, CRYPT_LOG_ERROR, x)
|
||||
|
||||
struct safe_allocation {
|
||||
size_t size;
|
||||
char data[0];
|
||||
@@ -99,12 +102,12 @@ void crypt_safe_free(void *data)
|
||||
|
||||
void *crypt_safe_realloc(void *data, size_t size)
|
||||
{
|
||||
struct safe_allocation *alloc;
|
||||
void *new_data;
|
||||
|
||||
new_data = crypt_safe_alloc(size);
|
||||
|
||||
if (new_data && data) {
|
||||
struct safe_allocation *alloc;
|
||||
|
||||
alloc = data - offsetof(struct safe_allocation, data);
|
||||
|
||||
@@ -191,135 +194,177 @@ out_err:
|
||||
return failed;
|
||||
}
|
||||
|
||||
/*
|
||||
* Password reading behaviour matrix of get_key
|
||||
* FIXME: rewrite this from scratch.
|
||||
* p v n h
|
||||
* -----------------+---+---+---+---
|
||||
* interactive | Y | Y | Y | Inf
|
||||
* from fd | N | N | Y | Inf
|
||||
* from binary file | N | N | N | Inf or options->key_size
|
||||
*
|
||||
* Legend: p..prompt, v..can verify, n..newline-stop, h..read horizon
|
||||
*
|
||||
* Note: --key-file=- is interpreted as a read from a binary file (stdin)
|
||||
*/
|
||||
|
||||
int crypt_get_key(char *prompt, char **key, unsigned int *passLen, int key_size,
|
||||
const char *key_file, int timeout, int verify,
|
||||
static int crypt_get_key_tty(const char *prompt,
|
||||
char **key, size_t *key_size,
|
||||
int timeout, int verify,
|
||||
struct crypt_device *cd)
|
||||
{
|
||||
int fd = -1;
|
||||
int key_size_max = DEFAULT_PASSPHRASE_SIZE_MAX;
|
||||
int r = -EINVAL;
|
||||
char *pass = NULL, *pass_verify = NULL;
|
||||
|
||||
log_dbg("Interactive passphrase entry requested.");
|
||||
|
||||
pass = crypt_safe_alloc(key_size_max + 1);
|
||||
if (!pass) {
|
||||
log_err(cd, _("Out of memory while reading passphrase.\n"));
|
||||
return -ENOMEM;
|
||||
}
|
||||
|
||||
if (interactive_pass(prompt, pass, key_size_max, timeout)) {
|
||||
log_err(cd, _("Error reading passphrase from terminal.\n"));
|
||||
goto out_err;
|
||||
}
|
||||
pass[key_size_max] = '\0';
|
||||
|
||||
if (verify) {
|
||||
pass_verify = crypt_safe_alloc(key_size_max);
|
||||
if (!pass_verify) {
|
||||
log_err(cd, _("Out of memory while reading passphrase.\n"));
|
||||
r = -ENOMEM;
|
||||
goto out_err;
|
||||
}
|
||||
|
||||
if (interactive_pass(_("Verify passphrase: "),
|
||||
pass_verify, key_size_max, timeout)) {
|
||||
log_err(cd, _("Error reading passphrase from terminal.\n"));
|
||||
goto out_err;
|
||||
}
|
||||
|
||||
if (strncmp(pass, pass_verify, key_size_max)) {
|
||||
log_err(cd, _("Passphrases do not match.\n"));
|
||||
goto out_err;
|
||||
}
|
||||
}
|
||||
|
||||
*key = pass;
|
||||
*key_size = strlen(pass);
|
||||
r = 0;
|
||||
out_err:
|
||||
crypt_safe_free(pass_verify);
|
||||
if (r)
|
||||
crypt_safe_free(pass);
|
||||
return r;
|
||||
}
|
||||
|
||||
/*
|
||||
* Note: --key-file=- is interpreted as a read from a binary file (stdin)
|
||||
* key_size_max == 0 means detect maximum according to input type (tty/file)
|
||||
* timeout and verify options only applies to tty input
|
||||
*/
|
||||
int crypt_get_key(const char *prompt,
|
||||
char **key, size_t *key_size,
|
||||
size_t keyfile_size_max, const char *key_file,
|
||||
int timeout, int verify,
|
||||
struct crypt_device *cd)
|
||||
{
|
||||
int fd, regular_file, read_stdin, char_read, unlimited_read = 0;
|
||||
int r = -EINVAL;
|
||||
char *pass = NULL;
|
||||
int read_horizon;
|
||||
int regular_file = 0;
|
||||
int read_stdin;
|
||||
int r;
|
||||
size_t buflen, i;
|
||||
struct stat st;
|
||||
|
||||
*key = NULL;
|
||||
*key_size = 0;
|
||||
|
||||
/* Passphrase read from stdin? */
|
||||
read_stdin = (!key_file || !strcmp(key_file, "-")) ? 1 : 0;
|
||||
|
||||
/* read_horizon applies only for real keyfile, not stdin or terminal */
|
||||
read_horizon = (key_file && !read_stdin) ? key_size : 0 /* until EOF */;
|
||||
if(read_stdin && isatty(STDIN_FILENO))
|
||||
return crypt_get_key_tty(prompt, key, key_size, timeout, verify, cd);
|
||||
|
||||
if (keyfile_size_max < 0) {
|
||||
log_err(cd, _("Negative keyfile size not permitted.\n"));
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
/* If not requsted otherwise, we limit input to prevent memory exhaustion */
|
||||
if (keyfile_size_max == 0) {
|
||||
keyfile_size_max = DEFAULT_KEYFILE_SIZE_MAXKB * 1024;
|
||||
unlimited_read = 1;
|
||||
}
|
||||
|
||||
/* Setup file descriptior */
|
||||
fd = read_stdin ? STDIN_FILENO : open(key_file, O_RDONLY);
|
||||
if (fd < 0) {
|
||||
crypt_log(cd, CRYPT_LOG_ERROR,
|
||||
_("Failed to open key file.\n"));
|
||||
goto out_err;
|
||||
log_err(cd, _("Failed to open key file.\n"));
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
/* Interactive case */
|
||||
if(isatty(fd)) {
|
||||
int i;
|
||||
|
||||
pass = crypt_safe_alloc(MAX_TTY_PASSWORD_LEN);
|
||||
if (!pass || interactive_pass(prompt, pass, MAX_TTY_PASSWORD_LEN, timeout)) {
|
||||
crypt_log(cd, CRYPT_LOG_ERROR,
|
||||
_("Error reading passphrase from terminal.\n"));
|
||||
goto out_err;
|
||||
}
|
||||
if (verify) {
|
||||
char pass_verify[MAX_TTY_PASSWORD_LEN];
|
||||
i = interactive_pass(_("Verify passphrase: "), pass_verify, sizeof(pass_verify), timeout);
|
||||
if (i || strcmp(pass, pass_verify) != 0) {
|
||||
crypt_log(cd, CRYPT_LOG_ERROR,
|
||||
_("Passphrases do not match.\n"));
|
||||
goto out_err;
|
||||
}
|
||||
memset(pass_verify, 0, sizeof(pass_verify));
|
||||
}
|
||||
*passLen = strlen(pass);
|
||||
*key = pass;
|
||||
} else {
|
||||
/*
|
||||
* This is either a fd-input or a file, in neither case we can verify the input,
|
||||
* however we don't stop on new lines if it's a binary file.
|
||||
*/
|
||||
int buflen, i;
|
||||
|
||||
/* The following for control loop does an exhausting
|
||||
* read on the key material file, if requested with
|
||||
* key_size == 0, as it's done by LUKS. However, we
|
||||
* should warn the user, if it's a non-regular file,
|
||||
* such as /dev/random, because in this case, the loop
|
||||
* will read forever.
|
||||
*/
|
||||
if(!read_stdin && read_horizon == 0) {
|
||||
/* use 4k for buffer (page divisor but avoid huge pages) */
|
||||
buflen = 4096 - sizeof(struct safe_allocation);
|
||||
regular_file = 0;
|
||||
if(!read_stdin) {
|
||||
if(stat(key_file, &st) < 0) {
|
||||
crypt_log(cd, CRYPT_LOG_ERROR,
|
||||
_("Failed to stat key file.\n"));
|
||||
log_err(cd, _("Failed to stat key file.\n"));
|
||||
goto out_err;
|
||||
}
|
||||
if(!S_ISREG(st.st_mode))
|
||||
crypt_log(cd, CRYPT_LOG_NORMAL,
|
||||
_("Warning: exhausting read requested, but key file"
|
||||
" is not a regular file, function might never return.\n"));
|
||||
else
|
||||
if(S_ISREG(st.st_mode)) {
|
||||
regular_file = 1;
|
||||
/* known keyfile size, alloc it in one step */
|
||||
if (st.st_size >= keyfile_size_max)
|
||||
buflen = keyfile_size_max;
|
||||
else
|
||||
buflen = st.st_size;
|
||||
}
|
||||
buflen = 0;
|
||||
for(i = 0; read_horizon == 0 || i < read_horizon; i++) {
|
||||
if(i >= buflen - 1) {
|
||||
buflen += 128;
|
||||
}
|
||||
|
||||
pass = crypt_safe_alloc(buflen);
|
||||
if (!pass) {
|
||||
log_err(cd, _("Out of memory while reading passphrase.\n"));
|
||||
goto out_err;
|
||||
}
|
||||
|
||||
for(i = 0; i < keyfile_size_max; i++) {
|
||||
if(i == buflen) {
|
||||
buflen += 4096;
|
||||
pass = crypt_safe_realloc(pass, buflen);
|
||||
if (!pass) {
|
||||
crypt_log(cd, CRYPT_LOG_ERROR,
|
||||
_("Out of memory while reading passphrase.\n"));
|
||||
log_err(cd, _("Out of memory while reading passphrase.\n"));
|
||||
r = -ENOMEM;
|
||||
goto out_err;
|
||||
}
|
||||
}
|
||||
|
||||
r = read(fd, pass + i, 1);
|
||||
if (r < 0) {
|
||||
crypt_log(cd, CRYPT_LOG_ERROR,
|
||||
_("Error reading passphrase.\n"));
|
||||
char_read = read(fd, &pass[i], 1);
|
||||
if (char_read < 0) {
|
||||
log_err(cd, _("Error reading passphrase.\n"));
|
||||
goto out_err;
|
||||
}
|
||||
|
||||
/* Stop on newline only if not requested read from keyfile */
|
||||
if(r == 0 || (!key_file && pass[i] == '\n'))
|
||||
if(char_read == 0 || (!key_file && pass[i] == '\n'))
|
||||
break;
|
||||
}
|
||||
|
||||
/* Fail if piped input dies reading nothing */
|
||||
if(!i && !regular_file)
|
||||
goto out_err;
|
||||
pass[i] = 0;
|
||||
*key = pass;
|
||||
*passLen = i;
|
||||
|
||||
/* Fail if we exceeded internal default (no specified size) */
|
||||
if (unlimited_read && i == keyfile_size_max) {
|
||||
log_err(cd, _("Maximum keyfile size exceeeded.\n"));
|
||||
goto out_err;
|
||||
}
|
||||
|
||||
if (!unlimited_read && i != keyfile_size_max) {
|
||||
log_err(cd, _("Cannot read requested amount of data.\n"));
|
||||
goto out_err;
|
||||
}
|
||||
|
||||
/* Well, for historical reasons reading empty keyfile is not fail. */
|
||||
if(!i) {
|
||||
crypt_safe_free(pass);
|
||||
pass = NULL;
|
||||
}
|
||||
|
||||
*key = pass;
|
||||
*key_size = i;
|
||||
r = 0;
|
||||
out_err:
|
||||
if(fd != STDIN_FILENO)
|
||||
close(fd);
|
||||
return 0;
|
||||
|
||||
out_err:
|
||||
if(fd >= 0 && fd != STDIN_FILENO)
|
||||
close(fd);
|
||||
if(pass)
|
||||
if (r)
|
||||
crypt_safe_free(pass);
|
||||
*key = NULL;
|
||||
*passLen = 0;
|
||||
return -EINVAL;
|
||||
return r;
|
||||
}
|
||||
|
||||
@@ -1,18 +1,22 @@
|
||||
#ifndef _UTILS_CRYPT_H
|
||||
#define _UTILS_CRYPT_H
|
||||
|
||||
#include <unistd.h>
|
||||
#include "config.h"
|
||||
|
||||
#define MAX_CIPHER_LEN 32
|
||||
#define MAX_CIPHER_LEN_STR "32"
|
||||
|
||||
#define MAX_TTY_PASSWORD_LEN 512
|
||||
|
||||
struct crypt_device;
|
||||
|
||||
int crypt_parse_name_and_mode(const char *s, char *cipher,
|
||||
int *key_nums, char *cipher_mode);
|
||||
|
||||
int crypt_get_key(char *prompt, char **key, unsigned int *passLen, int key_size,
|
||||
const char *key_file, int timeout, int how2verify,
|
||||
int crypt_get_key(const char *prompt,
|
||||
char **key, size_t *key_size,
|
||||
size_t keyfile_size_max,
|
||||
const char *key_file,
|
||||
int timeout, int verify,
|
||||
struct crypt_device *cd);
|
||||
|
||||
void *crypt_safe_alloc(size_t size);
|
||||
|
||||
@@ -6,9 +6,8 @@ cryptsetup - setup cryptographic volumes for dm-crypt (including LUKS extension)
|
||||
.SH DESCRIPTION
|
||||
.PP
|
||||
cryptsetup is used to conveniently setup dm-crypt managed device-mapper mappings.
|
||||
.SH PLAIN MODE
|
||||
For basic (plain) dm-crypt mappings, there are four operations.
|
||||
.SH ACTIONS
|
||||
These strings are valid for \fB<action>\fR, followed by their \fB<action args>\fR:
|
||||
|
||||
\fIcreate\fR <name> <device>
|
||||
.IP
|
||||
@@ -170,7 +169,7 @@ compatible dm-crypt mode.
|
||||
.IP
|
||||
opens the loop-AES <device> and sets up a mapping <name>.
|
||||
|
||||
N.B. If keyfile is in GPG encrypted format, you have to use
|
||||
N.B. If key file is in GPG encrypted format, you have to use
|
||||
\-\-key-file=- and decrypt it before use.
|
||||
gpg --decrypt <keyfile> | cryptsetup loopaesOpen \-\-key-file=- <device> <name>
|
||||
|
||||
@@ -243,11 +242,11 @@ reading will not stop when new line character is detected.
|
||||
See section \fBNOTES ON PASSWORD PROCESSING\fR for more information.
|
||||
.TP
|
||||
.B "\-\-keyfile-size, \-l \fIvalue\fR"
|
||||
Limits read from keyfile to \fIvalue\fR bytes.
|
||||
Usable together with all comands using key file.
|
||||
Limits read from key file to \fIvalue\fR bytes.
|
||||
Usable together with all commands using key file.
|
||||
.TP
|
||||
.B "\-\-new-keyfile-size \fIvalue\fR"
|
||||
Limits read from new keyfile to \fIvalue\fR bytes in \fIluksAddKey\fR when
|
||||
Limits read from new key file to \fIvalue\fR bytes in \fIluksAddKey\fR when
|
||||
adding new key file. Default is exhaustive read from key file.
|
||||
.TP
|
||||
.B "\-\-master-key-file"
|
||||
@@ -348,19 +347,22 @@ The UUID must be provided in standard UUID format
|
||||
.TP
|
||||
.B "\-\-version"
|
||||
Show the version.
|
||||
.SH NOTES ON PASSWORD PROCESSING
|
||||
.SH NOTES ON PASSWORD PROCESSING FOR PLAIN MODE
|
||||
\fBFrom a terminal\fR: Password processing is new-line sensitive,
|
||||
meaning the reading will stop after encountering \\n.
|
||||
It will process the read material (without newline) with the default
|
||||
hash or the hash given by \-\-hash.
|
||||
After hashing, it will be cropped to the key size given by \-s.
|
||||
|
||||
\fBFrom stdin\fR: Reading will continue until EOF (so using
|
||||
e.g. /dev/random as stdin will not work), with the trailing
|
||||
newline stripped.
|
||||
After that the read data will be hashed with the default hash or
|
||||
the hash given by \-\-hash and the result will be cropped to
|
||||
the keysize given by \-s.
|
||||
\fBFrom stdin\fR: Reading will continue until EOF (or until
|
||||
maximum input size is reached), with the trailing newline stripped.
|
||||
The maximum input size is defined by the same compiled-in default
|
||||
as for the maximum key file size or can be overwrittten
|
||||
using \-\-keysfile-size option.
|
||||
|
||||
After that the read data will be hashed with the default hash
|
||||
or the hash given by \-\-hash and the result will be cropped
|
||||
to the keysize given by \-s.
|
||||
|
||||
If "plain" is used as an argument to the hash option, the input
|
||||
data will not be hashed.
|
||||
@@ -382,6 +384,10 @@ LUKS uses PBKDF2 to protect against dictionary attacks (see RFC 2898).
|
||||
LUKS will always do an exhaustive password reading.
|
||||
Hence, password can not be read from /dev/random, /dev/zero or any
|
||||
other stream that does not terminate.
|
||||
To prevent exhausting of system memory, cryptsetup limits
|
||||
maximum key file size. Compiled-in default is displayed in \-\-help
|
||||
output. You can limit reads from key file using \-\-key-size option,
|
||||
this option takes precedence over compiled-in default.
|
||||
|
||||
For any password creation action (luksAddKey, or luksFormat),
|
||||
the user may specify how much the time the password processing
|
||||
|
||||
@@ -29,12 +29,9 @@
|
||||
#include <unistd.h>
|
||||
#include <fcntl.h>
|
||||
#include <assert.h>
|
||||
|
||||
#include <libcryptsetup.h>
|
||||
#include <popt.h>
|
||||
|
||||
#include "../config.h"
|
||||
|
||||
#include "cryptsetup.h"
|
||||
|
||||
static int opt_verbose = 0;
|
||||
@@ -46,9 +43,9 @@ static char *opt_key_file = NULL;
|
||||
static char *opt_master_key_file = NULL;
|
||||
static char *opt_header_backup_file = NULL;
|
||||
static char *opt_uuid = NULL;
|
||||
static unsigned int opt_key_size = 0;
|
||||
static unsigned int opt_keyfile_size = 0;
|
||||
static unsigned int opt_new_keyfile_size = 0;
|
||||
static int opt_key_size = 0;
|
||||
static long opt_keyfile_size = 0;
|
||||
static long opt_new_keyfile_size = 0;
|
||||
static int opt_key_slot = CRYPT_ANY_SLOT;
|
||||
static uint64_t opt_size = 0;
|
||||
static uint64_t opt_offset = 0;
|
||||
@@ -178,6 +175,10 @@ static void _log(int level, const char *msg, void *usrptr)
|
||||
case CRYPT_LOG_ERROR:
|
||||
fputs(msg, stderr);
|
||||
break;
|
||||
case CRYPT_LOG_DEBUG:
|
||||
if (opt_debug)
|
||||
printf("# %s\n", msg);
|
||||
break;
|
||||
default:
|
||||
fprintf(stderr, "Internal error on logging class for msg: %s", msg);
|
||||
break;
|
||||
@@ -223,8 +224,8 @@ static int action_create(int arg)
|
||||
.offset = opt_offset,
|
||||
};
|
||||
char *password = NULL;
|
||||
unsigned int passwordLen;
|
||||
unsigned int key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
|
||||
size_t passwordLen;
|
||||
size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
|
||||
int r;
|
||||
|
||||
if (params.hash && !strcmp(params.hash, "plain"))
|
||||
@@ -234,6 +235,10 @@ static int action_create(int arg)
|
||||
if (opt_key_file && strcmp(opt_key_file, "-"))
|
||||
params.hash = NULL;
|
||||
|
||||
if (opt_keyfile_size && opt_key_file)
|
||||
log_std(("Ignoring keyfile size option, keyfile read size "
|
||||
"is always the same as encryption key size.\n"));
|
||||
|
||||
r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
|
||||
cipher, NULL, cipher_mode);
|
||||
if (r < 0) {
|
||||
@@ -261,8 +266,8 @@ static int action_create(int arg)
|
||||
opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
|
||||
else {
|
||||
r = crypt_get_key(_("Enter passphrase: "),
|
||||
&password, &passwordLen, 0, NULL,
|
||||
opt_timeout,
|
||||
&password, &passwordLen, opt_keyfile_size,
|
||||
NULL, opt_timeout,
|
||||
opt_batch_mode ? 0 : opt_verify_passphrase,
|
||||
cd);
|
||||
if (r < 0)
|
||||
@@ -303,7 +308,7 @@ static int action_loopaesOpen(int arg)
|
||||
goto out;
|
||||
|
||||
r = crypt_activate_by_keyfile(cd, action_argv[1],
|
||||
CRYPT_ANY_SLOT, opt_key_file, 0,
|
||||
CRYPT_ANY_SLOT, opt_key_file, opt_keyfile_size,
|
||||
opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
|
||||
out:
|
||||
crypt_free(cd);
|
||||
@@ -420,7 +425,7 @@ static int action_luksFormat(int arg)
|
||||
int r = -EINVAL, keysize;
|
||||
char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
|
||||
char *password = NULL;
|
||||
unsigned int passwordLen;
|
||||
size_t passwordLen;
|
||||
struct crypt_device *cd = NULL;
|
||||
struct crypt_params_luks1 params = {
|
||||
.hash = opt_hash ?: DEFAULT_LUKS1_HASH,
|
||||
@@ -526,8 +531,8 @@ static int verify_keyslot(struct crypt_device *cd, int key_slot,
|
||||
{
|
||||
crypt_keyslot_info ki;
|
||||
char *password = NULL;
|
||||
unsigned int passwordLen, i;
|
||||
int r;
|
||||
size_t passwordLen;
|
||||
int i, r;
|
||||
|
||||
ki = crypt_keyslot_status(cd, key_slot);
|
||||
if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !_yesDialog(msg_last, NULL))
|
||||
@@ -608,7 +613,7 @@ static int action_luksRemoveKey(int arg)
|
||||
{
|
||||
struct crypt_device *cd = NULL;
|
||||
char *password = NULL;
|
||||
unsigned int passwordLen;
|
||||
size_t passwordLen;
|
||||
int r;
|
||||
|
||||
if ((r = crypt_init(&cd, action_argv[0])))
|
||||
@@ -709,7 +714,7 @@ static int action_luksChangeKey(int arg)
|
||||
const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
|
||||
struct crypt_device *cd = NULL;
|
||||
char *vk = NULL, *password = NULL;
|
||||
unsigned int passwordLen = 0;
|
||||
size_t passwordLen = 0;
|
||||
size_t vk_size;
|
||||
int new_key_slot, old_key_slot, r;
|
||||
|
||||
@@ -834,7 +839,7 @@ out:
|
||||
static int luksDump_with_volume_key(struct crypt_device *cd)
|
||||
{
|
||||
char *vk = NULL, *password = NULL;
|
||||
unsigned int passwordLen = 0;
|
||||
size_t passwordLen = 0;
|
||||
size_t vk_size;
|
||||
int i, r;
|
||||
|
||||
@@ -1011,6 +1016,11 @@ static void help(poptContext popt_context, enum poptCallbackReason reason,
|
||||
"<key file> optional key file for the new key for luksAddKey action\n"),
|
||||
crypt_get_dir());
|
||||
|
||||
log_std(_("\nDefault compiled-in keyfile parameters:\n"
|
||||
"\tMaximum keyfile size: %dkB, "
|
||||
"Maximum interactive passphrase length %d (characters)\n"),
|
||||
DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX);
|
||||
|
||||
log_std(_("\nDefault compiled-in device cipher parameters:\n"
|
||||
"\tloop-AES: %s, Key %d bits\n"
|
||||
"\tplain: %s, Key: %d bits, Password hashing: %s\n"
|
||||
@@ -1095,8 +1105,8 @@ int main(int argc, char **argv)
|
||||
{ "master-key-file", '\0', POPT_ARG_STRING, &opt_master_key_file, 0, N_("Read the volume (master) key from file."), NULL },
|
||||
{ "dump-master-key", '\0', POPT_ARG_NONE, &opt_dump_master_key, 0, N_("Dump volume (master) key instead of keyslots info."), NULL },
|
||||
{ "key-size", 's', POPT_ARG_INT, &opt_key_size, 0, N_("The size of the encryption key"), N_("BITS") },
|
||||
{ "keyfile-size", 'l', POPT_ARG_INT, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
|
||||
{ "new-keyfile-size", '\0', POPT_ARG_INT, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
|
||||
{ "keyfile-size", 'l', POPT_ARG_LONG, &opt_keyfile_size, 0, N_("Limits the read from keyfile"), N_("bytes") },
|
||||
{ "new-keyfile-size", '\0', POPT_ARG_LONG, &opt_new_keyfile_size, 0, N_("Limits the read from newly added keyfile"), N_("bytes") },
|
||||
{ "key-slot", 'S', POPT_ARG_INT, &opt_key_slot, 0, N_("Slot number for new key (default is first free)"), NULL },
|
||||
{ "size", 'b', POPT_ARG_STRING, &popt_tmp, 1, N_("The size of the device"), N_("SECTORS") },
|
||||
{ "offset", 'o', POPT_ARG_STRING, &popt_tmp, 2, N_("The start offset in the backend device"), N_("SECTORS") },
|
||||
@@ -1222,6 +1232,12 @@ int main(int argc, char **argv)
|
||||
opt_key_file = (char*)action_argv[1];
|
||||
}
|
||||
|
||||
if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0) {
|
||||
usage(popt_context, EXIT_FAILURE,
|
||||
_("Negative number for option not permitted."),
|
||||
poptGetInvocationName(popt_context));
|
||||
}
|
||||
|
||||
if (opt_random && opt_urandom)
|
||||
usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
|
||||
poptGetInvocationName(popt_context));
|
||||
|
||||
@@ -1,9 +1,7 @@
|
||||
#ifndef CRYPTSETUP_H
|
||||
#define CRYPTSETUP_H
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include <config.h>
|
||||
#endif
|
||||
#include <config.h>
|
||||
|
||||
#include "lib/nls.h"
|
||||
#include "lib/utils_crypt.h"
|
||||
|
||||
@@ -52,10 +52,11 @@ format() # key_bits expected [forced]
|
||||
ALIGN=$($CRYPTSETUP luksDump $DEV |grep "Payload offset" | sed -e s/.*\\t//)
|
||||
#echo "ALIGN = $ALIGN"
|
||||
|
||||
if [ $ALIGN -ne $2 ] ; then
|
||||
if [ -z "$ALIGN" ] ; then
|
||||
fail "FAIL"
|
||||
elif [ $ALIGN -ne $2 ] ; then
|
||||
echo "FAIL"
|
||||
echo "Expected alignment differs: expected $2 != detected $ALIGN"
|
||||
fail
|
||||
fail "Expected alignment differs: expected $2 != detected $ALIGN"
|
||||
fi
|
||||
echo "PASSED"
|
||||
}
|
||||
|
||||
@@ -263,6 +263,8 @@ $CRYPTSETUP -q remove $DEV_NAME || fail
|
||||
echo "key0" | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --verify-passphrase || fail
|
||||
$CRYPTSETUP -q remove $DEV_NAME || fail
|
||||
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size 255 2>/dev/null && fail
|
||||
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size -1 2>/dev/null && fail
|
||||
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 -l -1 2>/dev/null && fail
|
||||
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 || fail
|
||||
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 2>/dev/null && fail
|
||||
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d blah 2>/dev/null && fail
|
||||
@@ -325,5 +327,29 @@ $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -i 1 || fail
|
||||
$CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 || fail
|
||||
$CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 2>/dev/null && fail
|
||||
|
||||
prepare "[24] Keyfile limit" wipe
|
||||
$CRYPTSETUP -q luksFormat -i1 $LOOPDEV $KEY1 --key-slot 0 -l 13 || fail
|
||||
$CRYPTSETUP --key-file=$KEY1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
|
||||
$CRYPTSETUP --key-file=$KEY1 -l 0 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
|
||||
$CRYPTSETUP --key-file=$KEY1 -l -1 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
|
||||
$CRYPTSETUP --key-file=$KEY1 -l 14 luksOpen $LOOPDEV $DEV_NAME 2>/dev/null && fail
|
||||
$CRYPTSETUP --key-file=$KEY1 -l 13 luksOpen $LOOPDEV $DEV_NAME || fail
|
||||
$CRYPTSETUP luksClose $DEV_NAME || fail
|
||||
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 2>/dev/null && fail
|
||||
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -l 14 2>/dev/null && fail
|
||||
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -l -1 2>/dev/null && fail
|
||||
$CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 $KEY2 -i1 -l 13 --new-keyfile-size 12 || fail
|
||||
$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 2>/dev/null && fail
|
||||
$CRYPTSETUP luksRemoveKey $LOOPDEV $KEY2 -l 12 || fail
|
||||
$CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 2>/dev/null && fail
|
||||
$CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 -l 14 2>/dev/null && fail
|
||||
$CRYPTSETUP luksChangeKey $LOOPDEV -d $KEY1 $KEY2 -i1 -l 13 || fail
|
||||
# -l is ignored for stdin if _only_ passphrase is used
|
||||
echo "key0" | $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY2 -i1 || fail
|
||||
# this is stupid, but expected
|
||||
echo "key0" | $CRYPTSETUP luksRemoveKey $LOOPDEV -l 2 2>/dev/null && fail
|
||||
echo "key01" | $CRYPTSETUP luksRemoveKey $LOOPDEV -d 4 2>/dev/null && fail
|
||||
echo -e "key0\n" | $CRYPTSETUP luksRemoveKey $LOOPDEV -d- -l 4 || fail
|
||||
|
||||
remove_mapping
|
||||
exit 0
|
||||
|
||||
@@ -20,20 +20,26 @@ cleanup() {
|
||||
exit $1
|
||||
}
|
||||
|
||||
crypt_key() # hash keysize pwd/file name outkey
|
||||
crypt_key() # hash keysize pwd/file name outkey [limit]
|
||||
{
|
||||
DEV2=$DEV_NAME"_x"
|
||||
LIMIT=""
|
||||
MODE=aes-cbc-essiv:sha256
|
||||
[ $2 -gt 256 ] && MODE=aes-xts-plain
|
||||
[ -n "$6" ] && LIMIT="-l $6"
|
||||
|
||||
echo -n "HASH: $1 KSIZE: $2 / $3"
|
||||
case "$3" in
|
||||
pwd)
|
||||
echo -e -n "$4" | $CRYPTSETUP create -c $MODE -h $1 -s $2 $DEV2 /dev/mapper/$DEV_NAME 2>/dev/null
|
||||
echo -e -n "$4" | $CRYPTSETUP create -c $MODE -h $1 -s $2 $LIMIT $DEV2 /dev/mapper/$DEV_NAME 2>/dev/null
|
||||
ret=$?
|
||||
;;
|
||||
stdin)
|
||||
echo -e -n "$4" | $CRYPTSETUP create -c $MODE -d "-" -h $1 -s $2 $DEV2 /dev/mapper/$DEV_NAME 2>/dev/null
|
||||
echo -e -n "$4" | $CRYPTSETUP create -c $MODE -d "-" -h $1 -s $2 $LIMIT $DEV2 /dev/mapper/$DEV_NAME 2>/dev/null
|
||||
ret=$?
|
||||
;;
|
||||
cat)
|
||||
cat $4 | $CRYPTSETUP create -c $MODE -h $1 -s $2 $LIMIT $DEV2 /dev/mapper/$DEV_NAME 2>/dev/null
|
||||
ret=$?
|
||||
;;
|
||||
file)
|
||||
@@ -99,4 +105,15 @@ crypt_key sha256 256 file $KEY_FILE ${KEY_FILE_HEX:0:64}
|
||||
crypt_key sha256 128 file $KEY_FILE ${KEY_FILE_HEX:0:32}
|
||||
crypt_key sha256 512 file $KEY_FILE $KEY_FILE_HEX
|
||||
|
||||
# stdin can be limited
|
||||
crypt_key plain 128 cat /dev/zero 00000000000000000000000000000000 16
|
||||
crypt_key plain 128 cat /dev/zero 00000000000000000000000000000000 17
|
||||
crypt_key plain 128 cat $KEY_FILE ${KEY_FILE_HEX:0:28}0000 14
|
||||
crypt_key sha256 128 cat $KEY_FILE a82c9227cc54c7475620ce85ba1fca1e 14
|
||||
crypt_key sha256:14 128 cat $KEY_FILE a82c9227cc54c7475620ce85ba1f0000 14
|
||||
|
||||
crypt_key sha256 128 pwd "0123456789abcdef" 9f9f5111f7b27a781f1f1ddde5ebc2dd 16
|
||||
crypt_key sha256 128 pwd "0123456789abcdef" 1be2e452b46d7a0d9656bbb1f768e824 4
|
||||
crypt_key sha256 128 pwd "0123" 1be2e452b46d7a0d9656bbb1f768e824 4
|
||||
|
||||
cleanup 0
|
||||
|
||||
Reference in New Issue
Block a user