Hi Arno, >> >> This appears to work (no message printed, exit status 0). >> >> What might not be obvious is that if binary_secret contains a '\n' >> character, input gets truncated at this point. > > This is documented in the man-page of the current release under > "NOTES ON PASSPHRASE PROCESSING FOR LUKS". You were right - I was looking at an old git version. The new version is clearer IMO. >> This should probably be clearer in the man page at a >> minimum (see patch), but I think a warning is appropriate too. >> Secret processing that stops at \n isn't appropriate for binary >> data. > > And that is the thing here. A passphrase is _not_ binary data! > Doing > > "cat binary_secret | cryptsetup luksFormat /dev/loop0" > > is inherently wrong. What you need to do is > > "cat file_with_passphrase_that_could_also_be_entered_interactively > | cryptsetup luksFormat /dev/loop0" I agree - just seeing a script that did the first one made me wonder if it even worked. > As to your patch, I am unable to match your patch to the > current version of the man-page. Did you do a "git pull" > before? May also be a problem on my side, please verify: > >> md5sum cryptsetup.8 > 4fd70bbd1018f95818902144499c2234 cryptsetup.8 Yep, I am out of date here. What do you think about a code change that woudl print a big fat warning if non-ascii bytes are detected on stdin? Not changing the behavior (we don't want to break people who might be already doing this), but just a warning. Kent > Arno > > > > > >> Thanks, >> Kent >> >> -- >> IBM LTC Security >> >> >> diff --git a/man/cryptsetup.8 b/man/cryptsetup.8 >> index b9298a5..f8d7abb 100644 >> --- a/man/cryptsetup.8 >> +++ b/man/cryptsetup.8 >> @@ -476,7 +476,8 @@ will quit with an error. >> >> If \-\-key-file=- is used for reading the key from stdin, no >> trailing newline is stripped from the input. Without that option, >> -cryptsetup strips trailing newlines from stdin input. >> +cryptsetup stops reading from stdin when it encounters a newline, >> +even if found in your binary key data! >> .SH NOTES ON PASSWORD PROCESSING FOR LUKS >> LUKS uses PBKDF2 to protect against dictionary attacks (see RFC 2898). >> _______________________________________________ >> dm-crypt mailing list >> dm-crypt@xxxxxxxx >> http://www.saout.de/mailman/listinfo/dm-crypt >> > > -- > Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx > GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F > ---- > One of the painful things about our time is that those who feel certainty > are stupid, and those with any imagination and understanding are filled > with doubt and indecision. -- Bertrand Russell > _______________________________________________ > dm-crypt mailing list > dm-crypt@xxxxxxxx > http://www.saout.de/mailman/listinfo/dm-crypt -- IBM LTC Security _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
