eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-16 05:10:03 +01:00
Code Issues Packages Projects Releases Wiki Activity

Enable LUKS hash setting and document it.

Browse Source 
git-svn-id: https://cryptsetup.googlecode.com/svn/trunk@83 36d66b0a-2a48-0410-832c-cd162a569da5
This commit is contained in:
Milan Broz
2009-07-30 15:02:53 +00:00
parent 1a10c59b97
commit a0b795becb
4 changed files with 16 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
ChangeLog
View File

@@ -7,6 +7,7 @@
* Add required parameters for changing hash used in LUKS key setup scheme. * Add required parameters for changing hash used in LUKS key setup scheme.
* Do not export simple XOR helper now used only inside AF functions. * Do not export simple XOR helper now used only inside AF functions.
* Completely remove internal SHA1 implementanion code, not needed anymore. * Completely remove internal SHA1 implementanion code, not needed anymore.
* Enable hash algorithm selection for LUKS through -h luksFormat option.
2009-07-28 Milan Broz <mbroz@redhat.com> 2009-07-28 Milan Broz <mbroz@redhat.com>
* Pad luks header to 512 sector size. * Pad luks header to 512 sector size.

6
luks/Makefile.am
View File

@@ -78,6 +78,12 @@ test:
@sync @sync
testing/fileDiffer.py $(IMG) $(ORIG_IMG) $(LUKS_HEADER) $(KEY_SLOT0) $(KEY_MATERIAL0) testing/fileDiffer.py $(IMG) $(ORIG_IMG) $(LUKS_HEADER) $(KEY_SLOT0) $(KEY_MATERIAL0)
@echo Case: format using hash sha512
@cp $(IMG) $(ORIG_IMG)
echo "key0" | ../src/cryptsetup -v -i 1000 -h sha512 -c aes-cbc-essiv:sha256 luksFormat $(LOOPDEV)
@sync
testing/fileDiffer.py $(IMG) $(ORIG_IMG) $(LUKS_HEADER) $(KEY_SLOT0) $(KEY_MATERIAL0)
@echo Case: open @echo Case: open
# Image must not change # Image must not change
@cp $(IMG) $(ORIG_IMG) @cp $(IMG) $(ORIG_IMG)

9
man/cryptsetup.8
View File

@@ -84,7 +84,14 @@ For more information about LUKS, see \fBhttp://code.google.com/p/cryptsetup/wiki
.SH OPTIONS .SH OPTIONS
.TP .TP
.B "\-\-hash, \-h" .B "\-\-hash, \-h"
specifies hash to use for password hashing. This option is only relevant for \fIcreate\fR action. The hash string is passed to libgcrypt, so all hashes accepted by gcrypt are supported. Default is "ripemd160". For \fIcreate\fR action specifies hash to use for password hashing.
For \fIluksFormat\fR action specifies hash used in LUKS key setup scheme and volume key digest.
\fBWARNING:\fR setting hash other than \fBsha1\fR causes LUKS device incompatible with older version of cryptsetup.
The hash string is passed to libgcrypt, so all hashes accepted by gcrypt are supported.
Default is \fB"ripemd160"\fR for \fIcreate\fR action and \fB"sha1"\fR for \fIluksFormat\fR.
.TP .TP
.B "\-\-cipher, \-c" .B "\-\-cipher, \-c"
set cipher specification string. For plain dm-crypt mappings, the default is "aes-cbc-plain", for LUKS mappings it's "aes-cbc-essiv:sha256". For pre-2.6.10 kernels, use "aes-plain" as they don't understand the new cipher spec strings. To use ESSIV, use "aes-cbc-essiv:sha256". set cipher specification string. For plain dm-crypt mappings, the default is "aes-cbc-plain", for LUKS mappings it's "aes-cbc-essiv:sha256". For pre-2.6.10 kernels, use "aes-plain" as they don't understand the new cipher spec strings. To use ESSIV, use "aes-cbc-essiv:sha256".

4
src/cryptsetup.c
View File

@@ -258,9 +258,7 @@ static int action_luksFormat(int arg)
.key_slot = opt_key_slot, .key_slot = opt_key_slot,
.device = action_argv[0], .device = action_argv[0],
.cipher = opt_cipher?opt_cipher:DEFAULT_LUKS_CIPHER, .cipher = opt_cipher?opt_cipher:DEFAULT_LUKS_CIPHER,
.hash = DEFAULT_LUKS_HASH, .hash = opt_hash ?: DEFAULT_LUKS_HASH,
// FIXME: enable other hash use here
//.hash = opt_hash ?: DEFAULT_LUKS_HASH,
.new_key_file = action_argc > 1 ? action_argv[1] : NULL, .new_key_file = action_argc > 1 ? action_argv[1] : NULL,
.flags = opt_verify_passphrase ? CRYPT_FLAG_VERIFY : (!opt_batch_mode?CRYPT_FLAG_VERIFY_IF_POSSIBLE : 0), .flags = opt_verify_passphrase ? CRYPT_FLAG_VERIFY : (!opt_batch_mode?CRYPT_FLAG_VERIFY_IF_POSSIBLE : 0),
.iteration_time = opt_iteration_time, .iteration_time = opt_iteration_time,