On Sun, July 12, 2009 20:51, Sadako@xxxxxxxxxxxxxxxxx wrote: > Okay, thanks for the replies, I eventually figured out the the first > problem was due to me not actually understanding what "-h plain" does, I > presumed it was to specify a hexadecimal key, but instead it converts > whatever string is passed to a hexadecimal string, without any > cryptographic hash, which does actually make more sense than what I > thought it did. > > I should have been using dmsetup directly if I want to specify a hex key > to use... Right, I totally forgot about this too, since -h gives the hash function. > >> As far a the man page is concerned, reading key material from stdin is > not a valid option, thus the behavior is unspecified. > > Where does it say that? > > It's the man page which told me how to do it; > "From a key file: It will be cropped to the size given by -s. If there is > insufficient key material in the key file, cryptsetup will quit with an > error. > Okay, obviously your man page differs from the one I checked, which can of course happen. Btw, the key is not necessarily cropped to the length specified by -s, afaik for luks, first a key derivation is done, then the key is stripped down as needed. > If --key-file=- is used for reading the key from stdin, no trailing > newline is stripped from the input. Without that option, cryptsetup strips > trailing newlines from stdin input." > > Seeing as how "--keyfile=-" does seem kinda broken, I don't doubt you're > right, however I can't find any mention of any problems... Exactly that part was missing from my man page I checked, if it had been written in my man page, i'd assume this to work as you did (in general reading binary data with newlines etc. is perfectly doable via stdin, as we know). I'd consider this a bug then. > >> Did you run cryptsetup and supply to little key data, when prompted for > the key? Is the behavior then as expected? IF not, then file a bug > report. > > You can't really supply raw key data at the prompt. > It's when you specify the key data with --keyfile=/tmp/filename, it'll > error out as expected if there's too little key data, but not when using > "--keyfile=-" to read the data from stdin, however if that's not really a > valid option then I suppose I should no expect it to work. > Right, if there was a way to supress \n handling it would be possible though (using ctrl-d for EOF) - Forget I mentioned this possibility ;-). It seems to come down to a bug when reading from stdin. Regards -Sven --------------------------------------------------------------------- dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/ To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx For additional commands, e-mail: dm-crypt-help@xxxxxxxx
