* Fix key slot iteration count calculation (small -i value was the same as default).
* The slot and key digest iteration minimun is now 1000.
* The key digest iteration # is calculated from iteration time (approx 1/8 of that).
If something very strange happens, and the generated key is not completely random
(wrong RNG), attacker can skip the whole kesylot area processing and try to
brute force key according to limited set of keys.
The iteration time (default, inherited from slot iteration time, is cca 120ms)
can make this attack slower, if not impossible.
Note, that this is just theorethic problem, anyway it is better to be prepared
if possible:-)
git-svn-id: https://cryptsetup.googlecode.com/svn/trunk@159 36d66b0a-2a48-0410-832c-cd162a569da5
* Add ability to provide pre-generated master key and UUID in LUKS header format.
* Add LUKS function to verify master key digest.
* Move key slot manuipulation function into LUKS specific code.
Signed-off-by: Milan Broz <mbroz@redhat.com>
git-svn-id: https://cryptsetup.googlecode.com/svn/trunk@94 36d66b0a-2a48-0410-832c-cd162a569da5
* Pad luks header to 512 sector size. We need read/write in whole
sector anyway and space is unused (wiped in luksFormat) so there is
no need for read/seek/write exercise.
* Rework read/write blockwise to not split operation to many pieces.
thanks to Sebastian Andrzej Siewior:
The buffer has to be aligned due to the O_DIRECT in open(). Currently a small
blocksize buffer is allocated and everything is read in multiple reads and
copied back to the original buffer. In my case AFEKSize gets computed to 64000
which results in 125 reads with 512 bytes each.
This patch changes this behavior to a single operation where the majority is
read()/write() plus an optional fixup in case the request is not modulo block
size.
* Use posix_memalign and check for alignment if available.
Othewise use old align functions. Add autoconf to detect posix_memalign.
git-svn-id: https://cryptsetup.googlecode.com/svn/trunk@74 36d66b0a-2a48-0410-832c-cd162a569da5
(And remove misleading error message later.)
Because kernel and libdevmapper does not provide
better error message then "invalid parameters"
add some error hint if dm-crypt mapping failed.
(Key size and kernel version check for XTS and LRW mode
for now.)
git-svn-id: https://cryptsetup.googlecode.com/svn/trunk@52 36d66b0a-2a48-0410-832c-cd162a569da5
* Allow deletion of key slot while other keys have the same key
information (that implied rewritting verification logic).
git-svn-id: https://cryptsetup.googlecode.com/svn/trunk@41 36d66b0a-2a48-0410-832c-cd162a569da5
