Commit 93da52f8 authored by Milan Broz's avatar Milan Broz

Rewrite key input handling, add limits.

git-svn-id: https://cryptsetup.googlecode.com/svn/trunk@474 36d66b0a-2a48-0410-832c-cd162a569da5
parent aef20fe0
2011-04-15 Milan Broz <mbroz@redhat.com>
* Increase maximum loopAES keyfile size.
2011-04-18 Milan Broz <mbroz@redhat.com>
* Respect maximum keyfile size paramater.
* Introduce maximum default keyfile size, add configure option.
* Require the whole key read from keyfile in create command (broken in 1.2.0).
2011-04-14 Milan Broz <mbroz@redhat.com>
* Version 1.3.0-rc1.
......
......@@ -253,6 +253,9 @@ CS_NUM_WITH([luks1-keybits],[key length in bits for LUKS1], [256])
CS_STR_WITH([loopaes-cipher], [cipher for loop-AES mode], [aes])
CS_NUM_WITH([loopaes-keybits],[key length in bits for loop-AES mode], [256])
CS_NUM_WITH([keyfile-size-maxkb],[maximum keyfile size (in kilobytes)], [8192])
CS_NUM_WITH([passphrase-size-max],[maximum keyfile size (in kilobytes)], [512])
dnl ==========================================================================
AC_CONFIG_FILES([ Makefile
......
......@@ -104,7 +104,7 @@ static int hash_keys(struct volume_key **vk,
return r;
}
static int keyfile_is_gpg(char *buffer, unsigned int buffer_len)
static int keyfile_is_gpg(char *buffer, size_t buffer_len)
{
int r = 0;
int index = buffer_len < 100 ? buffer_len - 1 : 100;
......@@ -121,22 +121,19 @@ int LOOPAES_parse_keyfile(struct crypt_device *cd,
struct volume_key **vk,
unsigned int *keys_count,
char *buffer,
unsigned int buffer_len)
size_t buffer_len)
{
const char *keys[LOOPAES_KEYS_MAX];
int i, key_index, key_len, offset;
log_dbg("Parsing loop-AES keyfile of size %d.", buffer_len);
if (buffer_len < LOOPAES_KEYFILE_MINSIZE) {
log_err(cd, _("Incompatible loop-AES keyfile detected.\n"));
if (!buffer_len)
return -EINVAL;
}
if (keyfile_is_gpg(buffer, buffer_len)) {
log_err(cd, "Detected not yet supported GPG encrypted keyfile.\n");
log_std(cd, "Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n");
log_err(cd, _("Detected not yet supported GPG encrypted keyfile.\n"));
log_std(cd, _("Please use gpg --decrypt <KEYFILE> | cryptsetup --keyfile=- ...\n"));
return -EINVAL;
}
......
#ifndef _LOOPAES_H
#define _LOOPAES_H
#include <unistd.h>
#include "config.h"
#define LOOPAES_KEYS_MAX 65
#define LOOPAES_KEYFILE_MINSIZE 60
#define LOOPAES_KEYFILE_MAXSIZE 16000
int LOOPAES_parse_keyfile(struct crypt_device *cd,
struct volume_key **vk,
unsigned int *keys_count,
char *buffer,
unsigned int buffer_len);
size_t buffer_len);
int LOOPAES_activate(struct crypt_device *cd,
const char *name,
......
......@@ -151,6 +151,8 @@ static char *process_key(struct crypt_device *cd, const char *hash_name,
return NULL;
key = crypt_safe_alloc(key_size);
if (!key)
return NULL;
memset(key, 0, key_size);
/* key is coming from binary file */
......@@ -237,7 +239,7 @@ static int verify_other_keyslot(struct crypt_device *cd,
crypt_keyslot_info ki;
int openedIndex, r;
char *password = NULL;
unsigned int passwordLen;
size_t passwordLen;
r = crypt_get_key(_("Enter any remaining LUKS passphrase: "),
&password, &passwordLen, 0, key_file, cd->timeout,
......@@ -272,7 +274,7 @@ static int find_keyslot_by_passphrase(struct crypt_device *cd,
{
struct volume_key *vk = NULL;
char *password = NULL;
unsigned int passwordLen;
size_t passwordLen;
int r;
r = crypt_get_key(message,&password,&passwordLen, 0, key_file,
......@@ -346,9 +348,9 @@ static int create_device_helper(struct crypt_device *cd,
const char *cipher,
const char *cipher_mode,
const char *key_file,
const char *key,
unsigned int keyLen,
int key_size,
const char *passphrase,
size_t passphrase_size,
size_t key_size,
uint64_t size,
uint64_t skip,
uint64_t offset,
......@@ -389,7 +391,7 @@ static int create_device_helper(struct crypt_device *cd,
if (cipher_mode && asprintf(&dm_cipher, "%s-%s", cipher, cipher_mode) < 0)
return -ENOMEM;
processed_key = process_key(cd, hash, key_file, key_size, key, keyLen);
processed_key = process_key(cd, hash, key_file, key_size, passphrase, passphrase_size);
if (!processed_key) {
r = -ENOENT;
goto out;
......@@ -454,7 +456,7 @@ int crypt_confirm(struct crypt_device *cd, const char *msg)
}
static int key_from_terminal(struct crypt_device *cd, char *msg, char **key,
unsigned int *key_len, int force_verify)
size_t *key_len, int force_verify)
{
char *prompt = NULL;
int r;
......@@ -468,12 +470,13 @@ static int key_from_terminal(struct crypt_device *cd, char *msg, char **key,
msg = prompt;
if (cd->password) {
*key = crypt_safe_alloc(MAX_TTY_PASSWORD_LEN);
*key = crypt_safe_alloc(DEFAULT_PASSPHRASE_SIZE_MAX);
if (!*key) {
r = -ENOMEM;
goto out;
}
r = cd->password(msg, *key, MAX_TTY_PASSWORD_LEN, cd->password_usrptr);
r = cd->password(msg, *key, DEFAULT_PASSPHRASE_SIZE_MAX,
cd->password_usrptr);
if (r < 0) {
crypt_safe_free(*key);
*key = NULL;
......@@ -491,7 +494,7 @@ static int volume_key_by_terminal_passphrase(struct crypt_device *cd, int keyslo
struct volume_key **vk)
{
char *passphrase_read = NULL;
unsigned int passphrase_size_read;
size_t passphrase_size_read;
int r = -EINVAL, tries = cd->tries;
*vk = NULL;
......@@ -520,7 +523,7 @@ out:
}
static int key_from_file(struct crypt_device *cd, char *msg,
char **key, unsigned int *key_len,
char **key, size_t *key_len,
const char *key_file, size_t key_size)
{
return crypt_get_key(msg, key, key_len, key_size, key_file,
......@@ -609,24 +612,26 @@ void crypt_set_password_callback(struct crypt_device *cd,
static int crypt_create_and_update_device(struct crypt_options *options, int update)
{
struct crypt_device *cd = NULL;
char *key = NULL;
unsigned int keyLen;
char *passphrase = NULL;
size_t passphrase_size = 0;
int r;
r = _crypt_init(&cd, CRYPT_PLAIN, options, 0, 1);
if (r)
return r;
r = crypt_get_key(_("Enter passphrase: "), &key, &keyLen, options->key_size,
options->key_file, cd->timeout, cd->password_verify, cd);
r = crypt_get_key(_("Enter passphrase: "), &passphrase, &passphrase_size,
options->key_size, options->key_file,
cd->timeout, cd->password_verify, cd);
if (!r)
r = create_device_helper(cd, options->name, options->hash,
options->cipher, NULL, options->key_file, key, keyLen,
options->cipher, NULL, options->key_file,
passphrase, passphrase_size,
options->key_size, options->size, options->skip,
options->offset, NULL, options->flags & CRYPT_FLAG_READONLY,
options->flags, update);
crypt_safe_free(key);
crypt_safe_free(passphrase);
crypt_free(cd);
return r;
}
......@@ -756,7 +761,7 @@ int crypt_luksFormat(struct crypt_options *options)
char cipherName[LUKS_CIPHERNAME_L];
char cipherMode[LUKS_CIPHERMODE_L];
char *password=NULL;
unsigned int passwordLen;
size_t passwordLen;
struct crypt_device *cd = NULL;
struct crypt_params_luks1 cp = {
.hash = options->hash,
......@@ -822,7 +827,7 @@ int crypt_luksOpen(struct crypt_options *options)
if (options->key_file)
r = crypt_activate_by_keyfile(cd, options->name,
CRYPT_ANY_SLOT, options->key_file, options->key_size,
CRYPT_ANY_SLOT, options->key_file, 0,
flags);
else
r = crypt_activate_by_passphrase(cd, options->name,
......@@ -1614,7 +1619,7 @@ int crypt_resume_by_keyfile(struct crypt_device *cd,
{
struct volume_key *vk = NULL;
char *passphrase_read = NULL;
unsigned int passphrase_size_read;
size_t passphrase_size_read;
int r, suspended = 0;
log_dbg("Resuming volume %s.", name);
......@@ -1668,7 +1673,7 @@ int crypt_keyslot_add_by_passphrase(struct crypt_device *cd,
{
struct volume_key *vk = NULL;
char *password = NULL, *new_password = NULL;
unsigned int passwordLen, new_passwordLen;
size_t passwordLen, new_passwordLen;
int r;
log_dbg("Adding new keyslot, existing passphrase %sprovided,"
......@@ -1742,8 +1747,8 @@ int crypt_keyslot_add_by_keyfile(struct crypt_device *cd,
size_t new_keyfile_size)
{
struct volume_key *vk = NULL;
char *password = NULL; unsigned int passwordLen;
char *new_password = NULL; unsigned int new_passwordLen;
char *password = NULL; size_t passwordLen;
char *new_password = NULL; size_t new_passwordLen;
int r;
log_dbg("Adding new keyslot, existing keyfile %s, new keyfile %s.",
......@@ -1814,7 +1819,7 @@ int crypt_keyslot_add_by_volume_key(struct crypt_device *cd,
{
struct volume_key *vk = NULL;
int r = -EINVAL;
char *new_password = NULL; unsigned int new_passwordLen;
char *new_password = NULL; size_t new_passwordLen;
log_dbg("Adding new keyslot %d using volume key.", keyslot);
......@@ -1894,7 +1899,7 @@ int crypt_activate_by_passphrase(struct crypt_device *cd,
crypt_status_info ci;
struct volume_key *vk = NULL;
char *read_passphrase = NULL;
unsigned int passphraseLen = 0;
size_t passphraseLen = 0;
int r;
log_dbg("%s volume %s [keyslot %d] using %spassphrase.",
......@@ -1961,7 +1966,8 @@ int crypt_activate_by_keyfile(struct crypt_device *cd,
crypt_status_info ci;
struct volume_key *vk = NULL;
char *passphrase_read = NULL;
unsigned int passphrase_size_read, key_count = 0;
size_t passphrase_size_read;
unsigned int key_count = 0;
int r;
log_dbg("Activating volume %s [keyslot %d] using keyfile %s.",
......@@ -2011,7 +2017,7 @@ int crypt_activate_by_keyfile(struct crypt_device *cd,
r = keyslot;
} else if (isLOOPAES(cd->type)) {
r = key_from_file(cd, NULL, &passphrase_read, &passphrase_size_read,
keyfile, LOOPAES_KEYFILE_MAXSIZE);
keyfile, keyfile_size);
if (r < 0)
goto out;
r = LOOPAES_parse_keyfile(cd, &vk, &key_count,
......
......@@ -33,6 +33,9 @@
#include "nls.h"
#include "utils_crypt.h"
#define log_dbg(x) crypt_log(NULL, CRYPT_LOG_DEBUG, x)
#define log_err(cd, x) crypt_log(cd, CRYPT_LOG_ERROR, x)
struct safe_allocation {
size_t size;
char data[0];
......@@ -99,12 +102,12 @@ void crypt_safe_free(void *data)
void *crypt_safe_realloc(void *data, size_t size)
{
struct safe_allocation *alloc;
void *new_data;
new_data = crypt_safe_alloc(size);
if (new_data && data) {
struct safe_allocation *alloc;
alloc = data - offsetof(struct safe_allocation, data);
......@@ -191,135 +194,177 @@ out_err:
return failed;
}
static int crypt_get_key_tty(const char *prompt,
char **key, size_t *key_size,
int timeout, int verify,
struct crypt_device *cd)
{
int key_size_max = DEFAULT_PASSPHRASE_SIZE_MAX;
int r = -EINVAL;
char *pass = NULL, *pass_verify = NULL;
log_dbg("Interactive passphrase entry requested.");
pass = crypt_safe_alloc(key_size_max + 1);
if (!pass) {
log_err(cd, _("Out of memory while reading passphrase.\n"));
return -ENOMEM;
}
if (interactive_pass(prompt, pass, key_size_max, timeout)) {
log_err(cd, _("Error reading passphrase from terminal.\n"));
goto out_err;
}
pass[key_size_max] = '\0';
if (verify) {
pass_verify = crypt_safe_alloc(key_size_max);
if (!pass_verify) {
log_err(cd, _("Out of memory while reading passphrase.\n"));
r = -ENOMEM;
goto out_err;
}
if (interactive_pass(_("Verify passphrase: "),
pass_verify, key_size_max, timeout)) {
log_err(cd, _("Error reading passphrase from terminal.\n"));
goto out_err;
}
if (strncmp(pass, pass_verify, key_size_max)) {
log_err(cd, _("Passphrases do not match.\n"));
goto out_err;
}
}
*key = pass;
*key_size = strlen(pass);
r = 0;
out_err:
crypt_safe_free(pass_verify);
if (r)
crypt_safe_free(pass);
return r;
}
/*
* Password reading behaviour matrix of get_key
* FIXME: rewrite this from scratch.
* p v n h
* -----------------+---+---+---+---
* interactive | Y | Y | Y | Inf
* from fd | N | N | Y | Inf
* from binary file | N | N | N | Inf or options->key_size
*
* Legend: p..prompt, v..can verify, n..newline-stop, h..read horizon
*
* Note: --key-file=- is interpreted as a read from a binary file (stdin)
* key_size_max == 0 means detect maximum according to input type (tty/file)
* timeout and verify options only applies to tty input
*/
int crypt_get_key(char *prompt, char **key, unsigned int *passLen, int key_size,
const char *key_file, int timeout, int verify,
int crypt_get_key(const char *prompt,
char **key, size_t *key_size,
size_t keyfile_size_max, const char *key_file,
int timeout, int verify,
struct crypt_device *cd)
{
int fd = -1;
int fd, regular_file, read_stdin, char_read, unlimited_read = 0;
int r = -EINVAL;
char *pass = NULL;
int read_horizon;
int regular_file = 0;
int read_stdin;
int r;
size_t buflen, i;
struct stat st;
*key = NULL;
*key_size = 0;
/* Passphrase read from stdin? */
read_stdin = (!key_file || !strcmp(key_file, "-")) ? 1 : 0;
/* read_horizon applies only for real keyfile, not stdin or terminal */
read_horizon = (key_file && !read_stdin) ? key_size : 0 /* until EOF */;
if(read_stdin && isatty(STDIN_FILENO))
return crypt_get_key_tty(prompt, key, key_size, timeout, verify, cd);
if (keyfile_size_max < 0) {
log_err(cd, _("Negative keyfile size not permitted.\n"));
return -EINVAL;
}
/* If not requsted otherwise, we limit input to prevent memory exhaustion */
if (keyfile_size_max == 0) {
keyfile_size_max = DEFAULT_KEYFILE_SIZE_MAXKB * 1024;
unlimited_read = 1;
}
/* Setup file descriptior */
fd = read_stdin ? STDIN_FILENO : open(key_file, O_RDONLY);
if (fd < 0) {
crypt_log(cd, CRYPT_LOG_ERROR,
_("Failed to open key file.\n"));
goto out_err;
log_err(cd, _("Failed to open key file.\n"));
return -EINVAL;
}
/* Interactive case */
if(isatty(fd)) {
int i;
pass = crypt_safe_alloc(MAX_TTY_PASSWORD_LEN);
if (!pass || interactive_pass(prompt, pass, MAX_TTY_PASSWORD_LEN, timeout)) {
crypt_log(cd, CRYPT_LOG_ERROR,
_("Error reading passphrase from terminal.\n"));
/* use 4k for buffer (page divisor but avoid huge pages) */
buflen = 4096 - sizeof(struct safe_allocation);
regular_file = 0;
if(!read_stdin) {
if(stat(key_file, &st) < 0) {
log_err(cd, _("Failed to stat key file.\n"));
goto out_err;
}
if (verify) {
char pass_verify[MAX_TTY_PASSWORD_LEN];
i = interactive_pass(_("Verify passphrase: "), pass_verify, sizeof(pass_verify), timeout);
if (i || strcmp(pass, pass_verify) != 0) {
crypt_log(cd, CRYPT_LOG_ERROR,
_("Passphrases do not match.\n"));
goto out_err;
}
memset(pass_verify, 0, sizeof(pass_verify));
}
*passLen = strlen(pass);
*key = pass;
} else {
/*
* This is either a fd-input or a file, in neither case we can verify the input,
* however we don't stop on new lines if it's a binary file.
*/
int buflen, i;
/* The following for control loop does an exhausting
* read on the key material file, if requested with
* key_size == 0, as it's done by LUKS. However, we
* should warn the user, if it's a non-regular file,
* such as /dev/random, because in this case, the loop
* will read forever.
*/
if(!read_stdin && read_horizon == 0) {
if(stat(key_file, &st) < 0) {
crypt_log(cd, CRYPT_LOG_ERROR,
_("Failed to stat key file.\n"));
goto out_err;
}
if(!S_ISREG(st.st_mode))
crypt_log(cd, CRYPT_LOG_NORMAL,
_("Warning: exhausting read requested, but key file"
" is not a regular file, function might never return.\n"));
if(S_ISREG(st.st_mode)) {
regular_file = 1;
/* known keyfile size, alloc it in one step */
if (st.st_size >= keyfile_size_max)
buflen = keyfile_size_max;
else
regular_file = 1;
buflen = st.st_size;
}
buflen = 0;
for(i = 0; read_horizon == 0 || i < read_horizon; i++) {
if(i >= buflen - 1) {
buflen += 128;
pass = crypt_safe_realloc(pass, buflen);
if (!pass) {
crypt_log(cd, CRYPT_LOG_ERROR,
_("Out of memory while reading passphrase.\n"));
goto out_err;
}
}
}
r = read(fd, pass + i, 1);
if (r < 0) {
crypt_log(cd, CRYPT_LOG_ERROR,
_("Error reading passphrase.\n"));
pass = crypt_safe_alloc(buflen);
if (!pass) {
log_err(cd, _("Out of memory while reading passphrase.\n"));
goto out_err;
}
for(i = 0; i < keyfile_size_max; i++) {
if(i == buflen) {
buflen += 4096;
pass = crypt_safe_realloc(pass, buflen);
if (!pass) {
log_err(cd, _("Out of memory while reading passphrase.\n"));
r = -ENOMEM;
goto out_err;
}
/* Stop on newline only if not requested read from keyfile */
if(r == 0 || (!key_file && pass[i] == '\n'))
break;
}
/* Fail if piped input dies reading nothing */
if(!i && !regular_file)
char_read = read(fd, &pass[i], 1);
if (char_read < 0) {
log_err(cd, _("Error reading passphrase.\n"));
goto out_err;
pass[i] = 0;
*key = pass;
*passLen = i;
}
/* Stop on newline only if not requested read from keyfile */
if(char_read == 0 || (!key_file && pass[i] == '\n'))
break;
}
/* Fail if piped input dies reading nothing */
if(!i && !regular_file)
goto out_err;
/* Fail if we exceeded internal default (no specified size) */
if (unlimited_read && i == keyfile_size_max) {
log_err(cd, _("Maximum keyfile size exceeeded.\n"));
goto out_err;
}
if (!unlimited_read && i != keyfile_size_max) {
log_err(cd, _("Cannot read requested amount of data.\n"));
goto out_err;
}
/* Well, for historical reasons reading empty keyfile is not fail. */
if(!i) {
crypt_safe_free(pass);
pass = NULL;
}
if(fd != STDIN_FILENO)
close(fd);
return 0;
*key = pass;
*key_size = i;
r = 0;
out_err:
if(fd >= 0 && fd != STDIN_FILENO)
if(fd != STDIN_FILENO)
close(fd);
if(pass)
if (r)
crypt_safe_free(pass);
*key = NULL;
*passLen = 0;
return -EINVAL;
return r;
}
#ifndef _UTILS_CRYPT_H
#define _UTILS_CRYPT_H
#include <unistd.h>
#include "config.h"
#define MAX_CIPHER_LEN 32
#define MAX_CIPHER_LEN_STR "32"
#define MAX_TTY_PASSWORD_LEN 512
struct crypt_device;
int crypt_parse_name_and_mode(const char *s, char *cipher,
int *key_nums, char *cipher_mode);
int crypt_get_key(char *prompt, char **key, unsigned int *passLen, int key_size,
const char *key_file, int timeout, int how2verify,
int crypt_get_key(const char *prompt,
char **key, size_t *key_size,
size_t keyfile_size_max,
const char *key_file,
int timeout, int verify,
struct crypt_device *cd);
void *crypt_safe_alloc(size_t size);
......
......@@ -6,9 +6,8 @@ cryptsetup - setup cryptographic volumes for dm-crypt (including LUKS extension)
.SH DESCRIPTION
.PP
cryptsetup is used to conveniently setup dm-crypt managed device-mapper mappings.
.SH PLAIN MODE
For basic (plain) dm-crypt mappings, there are four operations.
.SH ACTIONS
These strings are valid for \fB<action>\fR, followed by their \fB<action args>\fR:
\fIcreate\fR <name> <device>
.IP
......@@ -170,7 +169,7 @@ compatible dm-crypt mode.
.IP
opens the loop-AES <device> and sets up a mapping <name>.
N.B. If keyfile is in GPG encrypted format, you have to use
N.B. If key file is in GPG encrypted format, you have to use
\-\-key-file=- and decrypt it before use.
gpg --decrypt <keyfile> | cryptsetup loopaesOpen \-\-key-file=- <device> <name>
......@@ -243,11 +242,11 @@ reading will not stop when new line character is detected.
See section \fBNOTES ON PASSWORD PROCESSING\fR for more information.
.TP
.B "\-\-keyfile-size, \-l \fIvalue\fR"
Limits read from keyfile to \fIvalue\fR bytes.
Usable together with all comands using key file.
Limits read from key file to \fIvalue\fR bytes.
Usable together with all commands using key file.
.TP
.B "\-\-new-keyfile-size \fIvalue\fR"
Limits read from new keyfile to \fIvalue\fR bytes in \fIluksAddKey\fR when
Limits read from new key file to \fIvalue\fR bytes in \fIluksAddKey\fR when
adding new key file. Default is exhaustive read from key file.
.TP
.B "\-\-master-key-file"
......@@ -348,19 +347,22 @@ The UUID must be provided in standard UUID format
.TP
.B "\-\-version"
Show the version.
.SH NOTES ON PASSWORD PROCESSING
.SH NOTES ON PASSWORD PROCESSING FOR PLAIN MODE
\fBFrom a terminal\fR: Password processing is new-line sensitive,
meaning the reading will stop after encountering \\n.
It will process the read material (without newline) with the default
hash or the hash given by \-\-hash.
After hashing, it will be cropped to the key size given by \-s.
\fBFrom stdin\fR: Reading will continue until EOF (so using
e.g. /dev/random as stdin will not work), with the trailing
newline stripped.
After that the read data will be hashed with the default hash or
the hash given by \-\-hash and the result will be cropped to
the keysize given by \-s.
\fBFrom stdin\fR: Reading will continue until EOF (or until
maximum input size is reached), with the trailing newline stripped.
The maximum input size is defined by the same compiled-in default
as for the maximum key file size or can be overwrittten
using \-\-keysfile-size option.
After that the read data will be hashed with the default hash
or the hash given by \-\-hash and the result will be cropped
to the keysize given by \-s.
If "plain" is used as an argument to the hash option, the input
data will not be hashed.
......@@ -382,6 +384,10 @@ LUKS uses PBKDF2 to protect against dictionary attacks (see RFC 2898).
LUKS will always do an exhaustive password reading.
Hence, password can not be read from /dev/random, /dev/zero or any
other stream that does not terminate.
To prevent exhausting of system memory, cryptsetup limits
maximum key file size. Compiled-in default is displayed in \-\-help
output. You can limit reads from key file using \-\-key-size option,
this option takes precedence over compiled-in default.
For any password creation action (luksAddKey, or luksFormat),
the user may specify how much the time the password processing
......
......@@ -29,12 +29,9 @@
#include <unistd.h>
#include <fcntl.h>
#include <assert.h>
#include <libcryptsetup.h>
#include <popt.h>
#include "../config.h"
#include "cryptsetup.h"
static int opt_verbose = 0;
......@@ -46,9 +43,9 @@ static char *opt_key_file = NULL;
static char *opt_master_key_file = NULL;
static char *opt_header_backup_file = NULL;
static char *opt_uuid = NULL;
static unsigned int opt_key_size = 0;
static unsigned int opt_keyfile_size = 0;
static unsigned int opt_new_keyfile_size = 0;
static int opt_key_size = 0;
static long opt_keyfile_size = 0;
static long opt_new_keyfile_size = 0;
static int opt_key_slot = CRYPT_ANY_SLOT;
static uint64_t opt_size = 0;
static uint64_t opt_offset = 0;
......@@ -178,6 +175,10 @@ static void _log(int level, const char *msg, void *usrptr)
case CRYPT_LOG_ERROR:
fputs(msg, stderr);
break;
case CRYPT_LOG_DEBUG:
if (opt_debug)
printf("# %s\n", msg);
break;
default:
fprintf(stderr, "Internal error on logging class for msg: %s", msg);
break;
......@@ -223,8 +224,8 @@ static int action_create(int arg)
.offset = opt_offset,
};
char *password = NULL;
unsigned int passwordLen;
unsigned int key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
size_t passwordLen;
size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
int r;
if (params.hash && !strcmp(params.hash, "plain"))
......@@ -234,6 +235,10 @@ static int action_create(int arg)
if (opt_key_file && strcmp(opt_key_file, "-"))
params.hash = NULL;
if (opt_keyfile_size && opt_key_file)
log_std(("Ignoring keyfile size option, keyfile read size "
"is always the same as encryption key size.\n"));
r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
cipher, NULL, cipher_mode);
if (r < 0) {
......@@ -261,8 +266,8 @@ static int action_create(int arg)
opt_readonly ? CRYPT_ACTIVATE_READONLY : 0);
else {
r = crypt_get_key(_("Enter passphrase: "),
&password, &passwordLen, 0, NULL,
opt_timeout,