* [dm-crypt] cryptsetup --iter-time default should be configurable (and reported in --help)
@ 2012-11-20 19:02 Daniel Kahn Gillmor
2012-11-20 20:32 ` Milan Broz
0 siblings, 1 reply; 2+ messages in thread
From: Daniel Kahn Gillmor @ 2012-11-20 19:02 UTC (permalink / raw)
To: dm-crypt
[-- Attachment #1.1: Type: text/plain, Size: 635 bytes --]
Hi folks--
I just noticed that the default for cryptsetup --iter-time isn't visible
in the output of cryptsetup --help.
I went looking to change this, and saw that the default is neither
configurable nor easily extracted.
The attached patch should make the default for this parameter
configurable (e.g. ./configure --with-luks1-iter-time=1000), as well as
reporting the compiled-in default in the output of --help.
I'm not currently subscribed to the dm-crypt mailing list; please Cc
me on replies.
Thanks very much for all your work on dm-crypt -- it's a valuable
component in the operating systems I use!
Regards,
--dkg
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: make --iter-time default configurable and documented --]
[-- Type: text/x-diff, Size: 2283 bytes --]
From fe6a079e055dc7b4ba2e14531582d82411d3d7b8 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Tue, 20 Nov 2012 13:43:28 -0500
Subject: [PATCH] make default LUKS PBKDF2 iteration time configurable
---
configure.in | 1 +
src/cryptsetup.c | 10 ++++++----
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/configure.in b/configure.in
index 6b7a79b..c937ab3 100644
--- a/configure.in
+++ b/configure.in
@@ -346,6 +346,7 @@ CS_STR_WITH([luks1-hash], [hash function for LUKS1 header], [sha1])
CS_STR_WITH([luks1-cipher], [cipher for LUKS1], [aes])
CS_STR_WITH([luks1-mode], [cipher mode for LUKS1], [cbc-essiv:sha256])
CS_NUM_WITH([luks1-keybits],[key length in bits for LUKS1], [256])
+CS_NUM_WITH([luks1-iter-time],[PBKDF2 iteration time for LUKS1 (in msec)], [1000])
CS_STR_WITH([loopaes-cipher], [cipher for loop-AES mode], [aes])
CS_NUM_WITH([loopaes-keybits],[key length in bits for loop-AES mode], [256])
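Review bot: the description on the added CS_NUM_WITH([luks1-iter-time], ...) line gives the unit but not what the value controls, which matters to a packager choosing it. This number becomes the compiled-in default behind --iter-time, so a lower value means less PBKDF2 work per passphrase guess on every volume formatted with that build. Suggest wording such as "default PBKDF2 iteration time for LUKS1 (in msec)" and a short note in the build documentation that reducing it weakens passphrase protection.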
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 0cc7f07..eae14ee 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -44,7 +44,7 @@ static uint64_t opt_offset = 0;
static uint64_t opt_skip = 0;
static int opt_skip_valid = 0;
static int opt_readonly = 0;
-static int opt_iteration_time = 1000;
+static int opt_iteration_time = DEFAULT_LUKS1_ITER_TIME;
static int opt_version_mode = 0;
static int opt_timeout = 0;
static int opt_tries = 3;
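Review bot: the changed initializer of opt_iteration_time takes DEFAULT_LUKS1_ITER_TIME straight from configure, and nothing in the visible lines rejects 0 or a negative value passed via --with-luks1-iter-time. Because this is the key-derivation cost used when the user does not pass --iter-time, a bad build-time value should fail the build rather than become a silent default. A preprocessor guard near this declaration, for example `#if DEFAULT_LUKS1_ITER_TIME <= 0` followed by an `#error`, would catch it.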
@@ -1165,10 +1165,12 @@ static void help(poptContext popt_context,
"<key file> optional key file for the new key for luksAddKey action\n"),
crypt_get_dir());
- log_std(_("\nDefault compiled-in keyfile parameters:\n"
+ log_std(_("\nDefault compiled-in key and passphrase parameters:\n"
"\tMaximum keyfile size: %dkB, "
- "Maximum interactive passphrase length %d (characters)\n"),
- DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX);
+ "Maximum interactive passphrase length %d (characters)\n"
+ "Default PBKDF2 iteration time for LUKS: %d (msec)\n"),
+ DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX,
+ DEFAULT_LUKS1_ITER_TIME);
log_std(_("\nDefault compiled-in device cipher parameters:\n"
"\tloop-AES: %s, Key %d bits\n"
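Review bot: the added "Default PBKDF2 iteration time for LUKS: %d (msec)\n" line starts a new output line without the leading "\t" that the preceding "\tMaximum keyfile size" line uses, so the --help output will be misaligned; prefix it with "\t". The text also says "LUKS" while the configure option and macro say LUKS1, so pick one name. Since the whole string inside _() changes, the existing translations of this message will no longer match and need updating, and the diffstat touches only configure.in and src/cryptsetup.c, so the man page entry for --iter-time still needs the same default documented.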
--
1.7.10.4
[-- Attachment #2: Type: application/pgp-signature, Size: 965 bytes --]