change default cipher to aes-cbc-essiv:256
change default hash to ripemd160 remove obsolete "wipe" add default setting support for older versions move crypto settings from cryptobox.conf to /usr/share/cryptobox/defaults
This commit is contained in:
parent
9da0c40427
commit
c3deedc570
|
@ -25,13 +25,11 @@ OPENSSL_CONF_FILE=/etc/cryptobox/openssl.cnf
|
|||
IDLE_COUNTER_FILE=/tmp/cbox-idle-counter
|
||||
|
||||
# crypto settings
|
||||
HASH=sha512
|
||||
ALGO=aes
|
||||
# since 0.2.1 you find the default crypto settings in /usr/share/cryptobox/defaults
|
||||
CRYPTMAPPER_DEV=/dev/mapper/cryptobox-data
|
||||
|
||||
# some programs
|
||||
SFDISK=/sbin/sfdisk
|
||||
WIPE=/usr/bin/wipe
|
||||
MKFS_DATA=/sbin/mkfs.ext3
|
||||
MKFS_CONFIG=/sbin/mkfs.ext2
|
||||
CRYPTSETUP=/sbin/cryptsetup
|
||||
|
|
|
@ -45,10 +45,12 @@ function initial_checks()
|
|||
{
|
||||
local device="$1"
|
||||
[ ! -b "$device" ] && log_msg "blockdevice $device does not exist" && return 1
|
||||
[ ! -x "$WIPE" ] && log_msg "$WIPE not found" && return 1
|
||||
[ ! -x "$SFDISK" ] && log_msg "$SFDISK not found" && return 1
|
||||
for a in $ALGO $HASH
|
||||
do grep -q "^name *: $a$" /proc/crypto || modprobe "$a"
|
||||
# TODO: remove this section, as soon as the crypto algorithms are statically build into the kernel
|
||||
local algos
|
||||
for algo in "$(config_get_value cipher)" "$(config_get_value hash)"
|
||||
do local a=$(echo "$algo" | sed 's/-.*$//'); # remove everything after "-" (e.g. for "aes-cbc-essiv:sha256")
|
||||
grep -q "^name *: $a$" /proc/crypto || modprobe "$a"
|
||||
grep -q "^name *: $a$" /proc/crypto || { log_msg "$a is not supported by kernel" && return 1; }
|
||||
done
|
||||
log_msg "inital checks successful"
|
||||
|
@ -85,9 +87,28 @@ function config_get_value()
|
|||
else conf_dir=$CONFIG_DEFAULTS_DIR
|
||||
fi
|
||||
[ -z "$1" ] && error_msg 1 "empty setting name"
|
||||
[ ! -e "$conf_dir/$1" ] && error_msg 2 "unknown configuration value ($1)"
|
||||
# remove trailing line break
|
||||
echo -n $(cat "$conf_dir/$1")
|
||||
# check for existence - maybe use default values (for old releases without this setting)
|
||||
if [ ! -e "$conf_dir/$1" ]
|
||||
then case "$1" in
|
||||
version )
|
||||
echo -n "0.2"
|
||||
;;
|
||||
cipher )
|
||||
echo -n "aes"
|
||||
;;
|
||||
hash )
|
||||
echo -n "sha512"
|
||||
;;
|
||||
* )
|
||||
error_msg 2 "unknown configuration value ($1)"
|
||||
# empty output
|
||||
;;
|
||||
esac
|
||||
else echo -n $(cat "$conf_dir/$1")
|
||||
# this removes the trailing line break
|
||||
fi
|
||||
# always return without error
|
||||
true
|
||||
}
|
||||
|
||||
|
||||
|
@ -136,7 +157,7 @@ function create_crypto()
|
|||
{
|
||||
local device="$1"
|
||||
# passphrase may be passed via command line
|
||||
$CRYPTSETUP -h "$HASH" -c "$ALGO" create "`basename $CRYPTMAPPER_DEV`" "${device}2"
|
||||
$CRYPTSETUP -h "$(config_get_value hash)" -c "$(config_get_value cipher" create "`basename $CRYPTMAPPER_DEV`" "${device}2"
|
||||
}
|
||||
|
||||
|
||||
|
@ -244,7 +265,7 @@ function mount_crypto()
|
|||
[ -z "$device" ] && error_msg 4 'no valid harddisk found!'
|
||||
# passphrase is read from stdin
|
||||
log_msg "Mounting crypto partition ..."
|
||||
$CRYPTSETUP -h "$HASH" -c "$ALGO" create "`basename $CRYPTMAPPER_DEV`" "${device}2"
|
||||
$CRYPTSETUP -h "$(config_get_value hash)" -c "$(config_get_value cipher)" create "`basename $CRYPTMAPPER_DEV`" "${device}2"
|
||||
if mount "$CRYPTMAPPER_DEV" "$CRYPTO_DIR"
|
||||
then log_msg "Mount succeded - now starting samba ..."
|
||||
/etc/init.d/samba start
|
||||
|
|
1
cbox-tree.d/usr/share/cryptobox/defaults/cipher
Normal file
1
cbox-tree.d/usr/share/cryptobox/defaults/cipher
Normal file
|
@ -0,0 +1 @@
|
|||
aes-cbc-essiv:sha256
|
1
cbox-tree.d/usr/share/cryptobox/defaults/hash
Normal file
1
cbox-tree.d/usr/share/cryptobox/defaults/hash
Normal file
|
@ -0,0 +1 @@
|
|||
ripemd160
|
Loading…
Reference in a new issue