Allow keyfiles up to DEFAULT_KEYFILE_SIZE_MAXKB * 1024 bytes in size, and not that value minus one.
Signed-off-by: Vittorio Gambaletta <git-cryptsetup@vittgam.net>
to enable resume of interrupted decryption user has
to pass uuid of the former luks device. That uuid is used
to resume the operation if temporary files LUKS-* still
exist.
This patch is for issue #287
In the code for returning block size ( device_block_size_fd in lib/utils_device.c ),
always returns zero in case of files and device_read_test is not executed.
This patch is to fix device_block_size_fd to return block size correctly incase of files.
Signed-off-by: Athira Rajeevatrajeev@linux.vnet.ibm.com
There're various situations where hdr backups together with log file
may get removed even when the hdr was already marked unusable. This
patch fixes the most sever case already reported and generaly tries
harder protecting the log file and both hdr backups.
udev cookies should be set right in before the dm_task_run()
call otherwise we risk a hang while waiting for a cookie
associated with not yet executed dm task.
For example: failing to add table line (dm_task_add_target())
results in such hang.
Batch mode should enable no-query keyslot wipe but only if user
did not provided password or keyfile explicitely.
Fixes issue #265.
Signed-off-by: Milan Broz <gmazyland@gmail.com>
Note that no longer using SHA1 is just to prevent situation
when it is no longer available on hardened systems, there is
no known security problem (finding collisions is not a problem for LUKS).
Increasing iteration time is in combination with PBKDF2 benchmark
fixes try to keep PBKDF2 iteration count still high enough and
also acceptable for users.
(Long term is to replace PBKDF2 algorithm with Password Hashing
Competiton winner.).
N.B. distributions can change these defaults in compilation time.
The previous PBKDF2 benchmark code did not take into account
output key length.
For SHA1 (with 160-bits output) and 256-bit keys (and longer)
it means that the final value was higher than it should be.
For other hash algorithms (like SHA256 or SHA512) it caused
that iteration count was smaller (in comparison to SHA1) than
expected for the requested time period.
This patch fixes the code to use key size for the formatted device
(or default LUKS key size if running in informational benchmark mode).
Thanks to A.Visconti, S.Bossi, A.Calo and H.Ragab
(http://www.club.di.unimi.it/) for point this out.
(Based on "What users should know about Full Disk Encryption
based on LUKS" paper to be presented on CANS2015).
If password is entered through terminal (no keyfile specified) and
cryptsetup is compiled with --enable-passwdqc[=/etc/passwdqc.conf],
default system passwdqc settings are used to check password quality.
