Hi folks--

I just noticed that the default for cryptsetup --iter-time isn't visible in the output of cryptsetup --help. I went looking to change this, and saw that the default is neither configurable nor easily extracted.

The attached patch should make the default for this parameter configurable (e.g. ./configure --with-luks1-iter-time=1000), as well as reporting the compiled-in default in the output of --help.

I'm not currently subscribed to the dm-crypt mailing list; please Cc me on replies.

Thanks very much for all your work on dm-crypt -- it's a valuable component in the operating systems I use!

Regards,

--dkg
From fe6a079e055dc7b4ba2e14531582d82411d3d7b8 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor <dkg@xxxxxxxxxxxxxxxxx> Date: Tue, 20 Nov 2012 13:43:28 -0500 Subject: [PATCH] make default LUKS PBKDF2 iteration time configurable --- configure.in | 1 + src/cryptsetup.c | 10 ++++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/configure.in b/configure.in index 6b7a79b..c937ab3 100644 --- a/configure.in +++ b/configure.in @@ -346,6 +346,7 @@ CS_STR_WITH([luks1-hash], [hash function for LUKS1 header], [sha1]) CS_STR_WITH([luks1-cipher], [cipher for LUKS1], [aes]) CS_STR_WITH([luks1-mode], [cipher mode for LUKS1], [cbc-essiv:sha256]) CS_NUM_WITH([luks1-keybits],[key length in bits for LUKS1], [256]) +CS_NUM_WITH([luks1-iter-time],[PBKDF2 iteration time for LUKS1 (in msec)], [1000]) CS_STR_WITH([loopaes-cipher], [cipher for loop-AES mode], [aes]) CS_NUM_WITH([loopaes-keybits],[key length in bits for loop-AES mode], [256]) diff --git a/src/cryptsetup.c b/src/cryptsetup.c index 0cc7f07..eae14ee 100644 --- a/src/cryptsetup.c +++ b/src/cryptsetup.c @@ -44,7 +44,7 @@ static uint64_t opt_offset = 0; static uint64_t opt_skip = 0; static int opt_skip_valid = 0; static int opt_readonly = 0; -static int opt_iteration_time = 1000; +static int opt_iteration_time = DEFAULT_LUKS1_ITER_TIME; static int opt_version_mode = 0; static int opt_timeout = 0; static int opt_tries = 3; 
@@ -1165,10 +1165,12 @@ static void help(poptContext popt_context, "<key file> optional key file for the new key for luksAddKey action\n"), crypt_get_dir()); - log_std(_("\nDefault compiled-in keyfile parameters:\n" + log_std(_("\nDefault compiled-in key and passphrase parameters:\n" "\tMaximum keyfile size: %dkB, " - "Maximum interactive passphrase length %d (characters)\n"), - DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX); + "Maximum interactive passphrase length %d (characters)\n" + "Default PBKDF2 iteration time for LUKS: %d (msec)\n"), + DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX, + DEFAULT_LUKS1_ITER_TIME); log_std(_("\nDefault compiled-in device cipher parameters:\n" "\tloop-AES: %s, Key %d bits\n" -- 1.7.10.4
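Review bot: In the configure.in hunk, the new CS_NUM_WITH([luks1-iter-time], ...) line puts no lower bound on the value, and nothing visible in this patch rejects 0 or a negative number before it becomes the initializer of opt_iteration_time. This number sets the PBKDF2 cost for every LUKS1 header created with defaults, so a mistaken build option silently weakens passphrase protection for all users of that build. Consider refusing non-positive values at configure time, and have the option description say that a lower value makes passphrase guessing cheaper.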
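Review bot: In the first src/cryptsetup.c hunk (@@ -44), replacing the literal 1000 with DEFAULT_LUKS1_ITER_TIME means the effective default now varies per build, but the diffstat touches only configure.in and src/cryptsetup.c. Any documentation that states a fixed default for --iter-time would go stale on a custom build. Suggest updating it in the same patch to point readers at the compiled-in value printed by --help.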
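Review bot: In the help() hunk (@@ -1165), the added string "Default PBKDF2 iteration time for LUKS: %d (msec)\n" has no leading "\t", unlike "\tMaximum keyfile size: ..." just above it, so the new line will not be indented with the other entries under the same heading. The text also says "LUKS" while the macro and configure option are named for LUKS1. Please pick one and keep the two consistent. Since this edits a string wrapped in _(), the existing translations of the old message will no longer match and need refreshing.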
_______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt