Re: patches to luksAddKey and luksDelKey for cryptsetup-luks

At Fri, 4 Aug 2006 03:15:14 +0200,
Jonas Meurer <jonas@xxxxxxxxxxxxxxx> wrote:

> i prepared some patches which apply against cryptsetup 1.0.3-3 from
> debian. 

Thanks again for all your efforts!

> [luksAddKey.diff]
> There was a typo in the luksAddKey source that caused cryptsetup to
> ask for the passphrase to unlock twice.

Actually, the correct behaviour is to filter both flags, as both flags
can be delivered by the calling code and in no case do we want
verification on password retrieval.

	.flags = options->flags & ~(CRYPT_FLAG_VERIFY | CRYPT_FLAG_VERIFY_IF_POSSIBLE),

Just FYI:
The distinction between these flags is: When verification is
impossible because of non-terminal input, get_key may panic (VERIFY)
or not (VERIFY_IF_POSSIBLE). The former strict checking is forced when
password verify is explicitly requested by --verify. If --verify isn't
present on the cmdline, the latter relaxed checking is default unless
we are running in batch-mode.

> [protect_delkey.diff]
> This one adds passphrase/key protection to luksDelKey. It asks for one
> of the remaining passphrases/keys before actually deleting/disabling
> the given slot.

Merged, although I didn't duplicate LUKS_open_any_key.
Changing the return value interface of LUKS_open_any_key a bit
	return i==LUKS_NUMKEYS?-EPERM:0;
into 
	return i==LUKS_NUMKEYS?-EPERM:i;

is sufficient for the caller to detect whether the keyIndex, which is
about to be deleted, is used for opening or not and in the former case
refuse deletion. 

> and last but not least a minor issue:
> action_luksAddKey from src/cryptsetup.c has a duplicated line:
>                 .key_file = opt_key_file,
> i guess that this was not intended, even though it doesn't do any harm.

Right :)
-- 
Fruhwirth Clemens - http://clemens.endorphin.org 
for robots: sp4mtrap@xxxxxxxxxxxxx
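
Added example, not part of the original message and not cryptsetup code: a toy model of the return-value change described above, showing how a caller can refuse to delete the slot that was just used for opening. The slot table, open_any_key and del_key are hypothetical stand-ins, and the passphrases are constructed sample data.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define LUKS_NUMKEYS 8

/* Toy stand-in for a LUKS header: a NULL entry is a disabled slot.
 * Real slots hold key material, not passphrases (constructed sample). */
static const char *slots[LUKS_NUMKEYS] = { "alpha", NULL, "bravo" };

/* Modelled on the changed interface: index of the slot the passphrase
 * opened (0 is a valid result), or -EPERM if no slot matched. */
static int open_any_key(const char *pass)
{
    int i;
    for (i = 0; i < LUKS_NUMKEYS; i++)
        if (slots[i] && strcmp(slots[i], pass) == 0)
            break;
    return i == LUKS_NUMKEYS ? -EPERM : i;
}

/* Hypothetical caller: disable slot key_index only when the passphrase
 * unlocks a different, remaining slot. */
static int del_key(int key_index, const char *pass)
{
    int opened;

    if (key_index < 0 || key_index >= LUKS_NUMKEYS || !slots[key_index])
        return -EINVAL;
    opened = open_any_key(pass);
    if (opened < 0)           /* test "< 0": slot 0 is success, not failure */
        return opened;
    if (opened == key_index)  /* authenticated with the key being removed */
        return -EPERM;
    slots[key_index] = NULL;
    return 0;
}

int main(void)
{
    printf("delete slot 0 with its own key: %d\n", del_key(0, "alpha"));
    printf("delete slot 0 with slot 2 key:  %d\n", del_key(0, "bravo"));
    printf("delete last slot with own key:  %d\n", del_key(2, "bravo"));
    return 0;
}
```

Because the function now returns a slot index on success, any caller that previously treated a non-zero return as failure has to test for a negative value instead.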
