change default cipher to aes-cbc-essiv:256

change default hash to ripemd160 remove obsolete "wipe" add default setting support for older versions move crypto settings from cryptobox.conf to /usr/share/cryptobox/defaults
2005-10-17 12:01:18 +00:00 · 2005-10-17 12:01:18 +00:00 · c3deedc570
parent 9da0c40427
commit c3deedc570
4 changed files with 32 additions and 11 deletions
--- a/cbox-tree.d/etc/cryptobox/cryptobox.conf
+++ b/cbox-tree.d/etc/cryptobox/cryptobox.conf
@ -25,13 +25,11 @@ OPENSSL_CONF_FILE=/etc/cryptobox/openssl.cnf
 IDLE_COUNTER_FILE=/tmp/cbox-idle-counter

 # crypto settings
-HASH=sha512
-ALGO=aes
+# since 0.2.1 you find the default crypto settings in /usr/share/cryptobox/defaults
 CRYPTMAPPER_DEV=/dev/mapper/cryptobox-data

 # some programs
 SFDISK=/sbin/sfdisk
-WIPE=/usr/bin/wipe
 MKFS_DATA=/sbin/mkfs.ext3
 MKFS_CONFIG=/sbin/mkfs.ext2
 CRYPTSETUP=/sbin/cryptsetup
--- a/cbox-tree.d/usr/lib/cryptobox/cbox-manage.sh
+++ b/cbox-tree.d/usr/lib/cryptobox/cbox-manage.sh
@ -45,10 +45,12 @@ function initial_checks()
 {
 	local device="$1"
 	[ ! -b "$device" ] && log_msg "blockdevice $device does not exist" && return 1
-	[ ! -x "$WIPE" ] && log_msg "$WIPE not found" && return 1
 	[ ! -x "$SFDISK" ] && log_msg "$SFDISK not found" && return 1
-	for a in $ALGO $HASH
-		do	grep -q "^name *: $a$" /proc/crypto || modprobe "$a"
+	# TODO: remove this section, as soon as the crypto algorithms are statically build into the kernel
+	local algos
+	for algo in "$(config_get_value cipher)" "$(config_get_value hash)"
+		do	local a=$(echo "$algo" | sed 's/-.*$//');	# remove everything after "-" (e.g. for "aes-cbc-essiv:sha256")
+			grep -q "^name *: $a$" /proc/crypto || modprobe "$a"
 			grep -q "^name *: $a$" /proc/crypto || { log_msg "$a is not supported by kernel" && return 1; }
 	  done
 	log_msg "inital checks successful"
@ -85,9 +87,28 @@ function config_get_value()
 		else	conf_dir=$CONFIG_DEFAULTS_DIR
 	  fi
 	[ -z "$1" ] && error_msg 1 "empty setting name"
-	[ ! -e "$conf_dir/$1" ] && error_msg 2 "unknown configuration value ($1)"
-	# remove trailing line break
-	echo -n $(cat "$conf_dir/$1")
+	# check for existence - maybe use default values (for old releases without this setting)
+	if [ ! -e "$conf_dir/$1" ] 
+		then	case "$1" in
+					version )
+						echo -n "0.2"
+						;;
+					cipher )
+						echo -n "aes"
+						;;
+					hash )
+						echo -n "sha512"
+						;;
+					* )
+						error_msg 2 "unknown configuration value ($1)"
+						# empty output
+						;;
+				  esac
+		else	echo -n $(cat "$conf_dir/$1")
+				# this removes the trailing line break
+	  fi
+	# always return without error
+	true
 }


@ -136,7 +157,7 @@ function create_crypto()
 {
 	local device="$1"
 	# passphrase may be passed via command line
-	$CRYPTSETUP -h "$HASH" -c "$ALGO" create "`basename $CRYPTMAPPER_DEV`" "${device}2"
+	$CRYPTSETUP -h "$(config_get_value hash)" -c "$(config_get_value cipher" create "`basename $CRYPTMAPPER_DEV`" "${device}2"
 }


@ -244,7 +265,7 @@ function mount_crypto()
 	[ -z "$device" ] && error_msg 4 'no valid harddisk found!'
 	# passphrase is read from stdin
 	log_msg "Mounting crypto partition ..."
-	$CRYPTSETUP -h "$HASH" -c "$ALGO" create "`basename $CRYPTMAPPER_DEV`" "${device}2"
+	$CRYPTSETUP -h "$(config_get_value hash)" -c "$(config_get_value cipher)" create "`basename $CRYPTMAPPER_DEV`" "${device}2"
 	if mount "$CRYPTMAPPER_DEV" "$CRYPTO_DIR"
 		then	log_msg "Mount succeded - now starting samba ..."
 			/etc/init.d/samba start
--- a/cbox-tree.d/usr/share/cryptobox/defaults/cipher
+++ b/cbox-tree.d/usr/share/cryptobox/defaults/cipher
@ -0,0 +1 @@
+aes-cbc-essiv:sha256
--- a/cbox-tree.d/usr/share/cryptobox/defaults/hash
+++ b/cbox-tree.d/usr/share/cryptobox/defaults/hash
@ -0,0 +1 @@
+ripemd160