From c3deedc570b454a0a3de6eadfe7928f0bee85d59 Mon Sep 17 00:00:00 2001 From: lars Date: Mon, 17 Oct 2005 12:01:18 +0000 Subject: [PATCH] change default cipher to aes-cbc-essiv:256 change default hash to ripemd160 remove obsolete "wipe" add default setting support for older versions move crypto settings from cryptobox.conf to /usr/share/cryptobox/defaults --- cbox-tree.d/etc/cryptobox/cryptobox.conf | 4 +- cbox-tree.d/usr/lib/cryptobox/cbox-manage.sh | 37 +++++++++++++++---- .../usr/share/cryptobox/defaults/cipher | 1 + cbox-tree.d/usr/share/cryptobox/defaults/hash | 1 + 4 files changed, 32 insertions(+), 11 deletions(-) create mode 100644 cbox-tree.d/usr/share/cryptobox/defaults/cipher create mode 100644 cbox-tree.d/usr/share/cryptobox/defaults/hash diff --git a/cbox-tree.d/etc/cryptobox/cryptobox.conf b/cbox-tree.d/etc/cryptobox/cryptobox.conf index a53681a..7c36d89 100644 --- a/cbox-tree.d/etc/cryptobox/cryptobox.conf +++ b/cbox-tree.d/etc/cryptobox/cryptobox.conf @@ -25,13 +25,11 @@ OPENSSL_CONF_FILE=/etc/cryptobox/openssl.cnf IDLE_COUNTER_FILE=/tmp/cbox-idle-counter # crypto settings -HASH=sha512 -ALGO=aes +# since 0.2.1 you find the default crypto settings in /usr/share/cryptobox/defaults CRYPTMAPPER_DEV=/dev/mapper/cryptobox-data # some programs SFDISK=/sbin/sfdisk -WIPE=/usr/bin/wipe MKFS_DATA=/sbin/mkfs.ext3 MKFS_CONFIG=/sbin/mkfs.ext2 CRYPTSETUP=/sbin/cryptsetup diff --git a/cbox-tree.d/usr/lib/cryptobox/cbox-manage.sh b/cbox-tree.d/usr/lib/cryptobox/cbox-manage.sh index 28fb29d..df22e46 100755 --- a/cbox-tree.d/usr/lib/cryptobox/cbox-manage.sh +++ b/cbox-tree.d/usr/lib/cryptobox/cbox-manage.sh @@ -45,10 +45,12 @@ function initial_checks() { local device="$1" [ ! -b "$device" ] && log_msg "blockdevice $device does not exist" && return 1 - [ ! -x "$WIPE" ] && log_msg "$WIPE not found" && return 1 [ ! -x "$SFDISK" ] && log_msg "$SFDISK not found" && return 1 - for a in $ALGO $HASH - do grep -q "^name *: $a$" /proc/crypto || modprobe "$a" + # TODO: remove this section, as soon as the crypto algorithms are statically build into the kernel + local algos + for algo in "$(config_get_value cipher)" "$(config_get_value hash)" + do local a=$(echo "$algo" | sed 's/-.*$//'); # remove everything after "-" (e.g. for "aes-cbc-essiv:sha256") + grep -q "^name *: $a$" /proc/crypto || modprobe "$a" grep -q "^name *: $a$" /proc/crypto || { log_msg "$a is not supported by kernel" && return 1; } done log_msg "inital checks successful" @@ -85,9 +87,28 @@ function config_get_value() else conf_dir=$CONFIG_DEFAULTS_DIR fi [ -z "$1" ] && error_msg 1 "empty setting name" - [ ! -e "$conf_dir/$1" ] && error_msg 2 "unknown configuration value ($1)" - # remove trailing line break - echo -n $(cat "$conf_dir/$1") + # check for existence - maybe use default values (for old releases without this setting) + if [ ! -e "$conf_dir/$1" ] + then case "$1" in + version ) + echo -n "0.2" + ;; + cipher ) + echo -n "aes" + ;; + hash ) + echo -n "sha512" + ;; + * ) + error_msg 2 "unknown configuration value ($1)" + # empty output + ;; + esac + else echo -n $(cat "$conf_dir/$1") + # this removes the trailing line break + fi + # always return without error + true } @@ -136,7 +157,7 @@ function create_crypto() { local device="$1" # passphrase may be passed via command line - $CRYPTSETUP -h "$HASH" -c "$ALGO" create "`basename $CRYPTMAPPER_DEV`" "${device}2" + $CRYPTSETUP -h "$(config_get_value hash)" -c "$(config_get_value cipher" create "`basename $CRYPTMAPPER_DEV`" "${device}2" } @@ -244,7 +265,7 @@ function mount_crypto() [ -z "$device" ] && error_msg 4 'no valid harddisk found!' # passphrase is read from stdin log_msg "Mounting crypto partition ..." - $CRYPTSETUP -h "$HASH" -c "$ALGO" create "`basename $CRYPTMAPPER_DEV`" "${device}2" + $CRYPTSETUP -h "$(config_get_value hash)" -c "$(config_get_value cipher)" create "`basename $CRYPTMAPPER_DEV`" "${device}2" if mount "$CRYPTMAPPER_DEV" "$CRYPTO_DIR" then log_msg "Mount succeded - now starting samba ..." /etc/init.d/samba start diff --git a/cbox-tree.d/usr/share/cryptobox/defaults/cipher b/cbox-tree.d/usr/share/cryptobox/defaults/cipher new file mode 100644 index 0000000..aaa484a --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/defaults/cipher @@ -0,0 +1 @@ +aes-cbc-essiv:sha256 diff --git a/cbox-tree.d/usr/share/cryptobox/defaults/hash b/cbox-tree.d/usr/share/cryptobox/defaults/hash new file mode 100644 index 0000000..80341c0 --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/defaults/hash @@ -0,0 +1 @@ +ripemd160