Commit 4d6dd0df authored by Milan Broz's avatar Milan Broz

Move default cipher paramaters to config.h and allow change through

configuration script.

Change default LUKS keysize to 256.

Change default PLAIN mode to cbc-essiv:sha256.

Note that you have to specify cipher and mode in plain type,
otherwise there is backward incompatibility.

If you really need the same compatible paramaters, you can compile
cryptsetup using old defaults, e.g:

./configure --with-plain-mode=cbc-plain --with-luks1-keybits=128

git-svn-id: https://cryptsetup.googlecode.com/svn/trunk@151 36d66b0a-2a48-0410-832c-cd162a569da5
parent c6aa3c5d
2009-12-01 Milan Broz <mbroz@redhat.com>
* Allow changes of default compiled-in cipher parameters through configure.
* Switch default key size for LUKS to 256bits.
* Switch default plain mode to aes-cbc-essiv:sha256 (default is backward incompatible!).
2009-11-14 Milan Broz <mbroz@redhat.com>
* Add CRYPT_ prefix to enum defined in libcryptsetup.h.
* Fix status call to fail when running as non-root user.
......
......@@ -104,6 +104,33 @@ DEVMAPPER_LIBS="$DEVMAPPER_LIBS $LIB_PTHREAD"
AC_SUBST(DEVMAPPER_LIBS)
AC_SUBST(SELINUX_STATIC_LIBS)
dnl ==========================================================================
AC_DEFUN([CS_DEFINE],
[AC_DEFINE_UNQUOTED(DEFAULT_[]m4_translit([$1], [-a-z], [_A-Z]), [$2], [$3])
])
AC_DEFUN([CS_STR_WITH], [AC_ARG_WITH([$1],
[AS_HELP_STRING(--with-[$1], [default $2 [$3]])],
[CS_DEFINE([$1], ["$withval"], [$2])],
[CS_DEFINE([$1], ["$3"], [$2])]
)])
AC_DEFUN([CS_NUM_WITH], [AC_ARG_WITH([$1],
[AS_HELP_STRING(--with-[$1], [default $2 [$3]])],
[CS_DEFINE([$1], [$withval], [$2])],
[CS_DEFINE([$1], [$3], [$2])]
)])
CS_STR_WITH([plain-hash], [password hashing function for plain mode], [ripemd160])
CS_STR_WITH([plain-cipher], [cipher for plain mode], [aes])
CS_STR_WITH([plain-mode], [cipher mode for plain mode], [cbc-essiv:sha256])
CS_NUM_WITH([plain-keybits],[key length in bits for plain mode], [256])
CS_STR_WITH([luks1-hash], [hash function for LUKS1 header], [sha1])
CS_STR_WITH([luks1-cipher], [cipher for LUKS1], [aes])
CS_STR_WITH([luks1-mode], [cipher mode for LUKS1], [cbc-essiv:sha256])
CS_NUM_WITH([luks1-keybits],[key length in bits for LUKS1], [256])
dnl ==========================================================================
AM_CONDITIONAL(STATIC_CRYPTSETUP, test x$enable_static = xyes)
......
......@@ -203,10 +203,10 @@ static int action_create(int reload)
struct crypt_options options = {
.name = action_argv[0],
.device = action_argv[1],
.cipher = opt_cipher?opt_cipher:DEFAULT_CIPHER,
.hash = opt_hash ?: DEFAULT_HASH,
.cipher = opt_cipher ? opt_cipher : DEFAULT_CIPHER(PLAIN),
.hash = opt_hash ?: DEFAULT_PLAIN_HASH,
.key_file = opt_key_file,
.key_size = ((opt_key_size)?opt_key_size:DEFAULT_KEY_SIZE)/8,
.key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8,
.key_slot = opt_key_slot,
.flags = 0,
.size = opt_size,
......@@ -294,11 +294,11 @@ static int action_status(int arg)
static int _action_luksFormat_generateMK()
{
struct crypt_options options = {
.key_size = (opt_key_size ?: DEFAULT_LUKS_KEY_SIZE) / 8,
.key_size = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8,
.key_slot = opt_key_slot,
.device = action_argv[0],
.cipher = opt_cipher ?: DEFAULT_LUKS_CIPHER,
.hash = opt_hash ?: DEFAULT_LUKS_HASH,
.cipher = opt_cipher ?: DEFAULT_CIPHER(LUKS1),
.hash = opt_hash ?: DEFAULT_LUKS1_HASH,
.new_key_file = action_argc > 1 ? action_argv[1] : NULL,
.flags = opt_verify_passphrase ? CRYPT_FLAG_VERIFY : (!opt_batch_mode?CRYPT_FLAG_VERIFY_IF_POSSIBLE : 0),
.iteration_time = opt_iteration_time,
......@@ -340,18 +340,18 @@ static int _action_luksFormat_useMK()
char *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
struct crypt_device *cd = NULL;
struct crypt_params_luks1 params = {
.hash = opt_hash ?: DEFAULT_LUKS_HASH,
.hash = opt_hash ?: DEFAULT_LUKS1_HASH,
.data_alignment = opt_align_payload,
};
if (sscanf(opt_cipher ?: DEFAULT_LUKS_CIPHER,
if (sscanf(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
"%" MAX_CIPHER_LEN_STR "[^-]-%" MAX_CIPHER_LEN_STR "s",
cipher, cipher_mode) != 2) {
log_err("No known cipher specification pattern detected.\n");
return -EINVAL;
}
keysize = (opt_key_size ?: DEFAULT_LUKS_KEY_SIZE) / 8;
keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
if (_read_mk(opt_master_key_file, &key, keysize) < 0)
return -EINVAL;
......@@ -646,6 +646,12 @@ static void help(poptContext popt_context, enum poptCallbackReason reason,
"<key slot> is the LUKS key slot number to modify\n"
"<key file> optional key file for the new key for luksAddKey action\n"),
crypt_get_dir());
log_std(_("\nDefault compiled-in device cipher parameters:\n"
"\tplain: %s, Key: %d bits, Password hashing: %s\n"
"\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s\n"),
DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH);
exit(0);
} else
usage(popt_context, 0, NULL, NULL);
......
......@@ -7,15 +7,9 @@
#include "lib/nls.h"
#define DEFAULT_CIPHER "aes"
#define DEFAULT_LUKS_CIPHER "aes-cbc-essiv:sha256"
#define DEFAULT_HASH "ripemd160"
#define DEFAULT_LUKS_HASH "sha1"
#define DEFAULT_KEY_SIZE 256
#define DEFAULT_LUKS_KEY_SIZE 128
#define MAX_CIPHER_LEN 32
#define MAX_CIPHER_LEN_STR "32"
#define DEFAULT_CIPHER(type) (DEFAULT_##type##_CIPHER "-" DEFAULT_##type##_MODE)
#define log_dbg(x...) clogger(NULL, CRYPT_LOG_DEBUG, __FILE__, __LINE__, x)
#define log_std(x...) clogger(NULL, CRYPT_LOG_NORMAL, __FILE__, __LINE__, x)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment