From owner-linux-crypto@nl.linux.org Mon Mar 5 22:10:03 2001 Received: by humbolt.nl.linux.org id ; Mon, 5 Mar 2001 22:09:21 +0100 Received: from eik.ii.uib.no ([129.177.16.3]:21150 "EHLO ii.uib.no") by humbolt.nl.linux.org with ESMTP id convert rfc822-to-8bit; Mon, 5 Mar 2001 22:08:46 +0100 Received: from apal-192.ii.uib.no (apal.ii.uib.no) [129.177.192.27] by ii.uib.no with esmtp (Exim 3.03) id 14a2Dk-0006MF-00 ; Mon, 05 Mar 2001 22:08:44 +0100 Received: (from gisle@localhost) by apal.ii.uib.no (8.9.3+Sun/8.9.3) id WAA19827; Mon, 5 Mar 2001 22:08:43 +0100 (MET) Date: Mon, 5 Mar 2001 22:08:43 +0100 (MET) From: Gisle S{lensminde To: "Ian S. Nelson" cc: linux-crypto Subject: Re: Loading secure binaries? In-Reply-To: <3A9AE282.147DE47@echostar.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-1 Content-Transfer-Encoding: 8BIT Sender: owner-linux-crypto@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;linux-crypto-list On Mon, 26 Feb 2001, Ian S. Nelson wrote: > I'm working on an embedded Linux project and the issue of security is > starting to surface and it's beginning to look kind of interesting. > > Is there any plans with Linux-crypto or some other project that somebody > knows of to allow the loading of secure binaries? This have been discussed here earlier, and I do not think there are any such plans. Before any such scheme is implemented, it's allways important to consider what they are meant to protect against. More on this later. > > I was thinking of a scheme like this: > > there would be a new linux executable loader, perhaps one of the > misc binary loaders or an ELF hack, you'd want it to reside inside the > kernel though. > > Then add a new system call to provide a key to the kernel. This > could be pulled down off the internet or out of a secure piece of > hardware. In some applications it could be something the user provides > at login time. > > Then the new binaries would be AES/IDEA/DES encrypted with that key > and the new loader would use that key to decrypt them at load time. It's a bit unclear what you want to protect against. Some threats i can think about for networked embedded systems is: - The binaries/data are transefered/updated via the network, and an attacker should not be able to steal data or programs by listening to the network, or being a man in the middle. This is best protected by SSL, SSH or some other network encryption protocol. - Prevent people with physical access to the device to get any unautorized access. This could also be archived by disk encryption. This is already done in the kernel for whole partitions. A filesystem with one key per user (or anything similar) would be more direct on the target, but is it necessary. - Prevent intruders from executing malicious code. A signing/verification scheme will be the right thing to in that case. Possibly combined with disk encryption. In some case, a scheme like the one I think you describes will be usefull. It's known that attackes have got unathorised access to systems by replacing modules by their own, that can give permanent root acces, backdors etc. This scheme requires somebody to accept each and every executable/module to be executed on the system. This is in practice awkward executables on a workstation, but for systems where the number of executable is more controllable, like for embedded systems or kernel modules, it's archivable. > Anybody know of something like this? A logical extension would be to > embed GPG into the kernel and then you could execute signed and > encrypted binaries but that seems like overkill for what we're doing, we > just don't want a few key pieces of code to ever be decrypted anywhere > other than SDRAM. Not the whole of GPG, but such a scheme require asymetric crypto to be inserted into the kernel, and it will require some work, but it's absolutly archivable, the question is whether it will make systems so much more secure that it's worth the effort. -- Gisle Sælensminde ( gisle@ii.uib.no ) With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea. It is hard to be sure where they are going to land, and it could be dangerous sitting under them as they fly overhead. (from RFC 1925) Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ From owner-linux-crypto@nl.linux.org Wed Mar 7 13:43:27 2001 Received: by humbolt.nl.linux.org id ; Wed, 7 Mar 2001 13:42:46 +0100 Received: from pop.gmx.net ([194.221.183.20]:28836 "HELO mail.gmx.net") by humbolt.nl.linux.org with SMTP id ; Wed, 7 Mar 2001 13:42:16 +0100 Received: (qmail 19053 invoked by uid 0); 7 Mar 2001 12:42:07 -0000 Received: from 156.15.fl3.ip.foni.net (HELO server.bodom.netz) (62.214.15.156) by mail.gmx.net (mp012-rz3) with SMTP; 7 Mar 2001 12:42:07 -0000 Received: from workstation (workstation.bodom.netz [192.168.50.100]) by server.bodom.netz (8.11.2/8.11.0/SuSE Linux 8.11.0-0.4) with SMTP id f27CfmR00658 for ; Wed, 7 Mar 2001 13:41:49 +0100 From: "Morbid Angel" To: Subject: what is this ? Date: Wed, 7 Mar 2001 13:42:30 +0100 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-linux-crypto@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;linux-crypto-list Hi ! what is cipher-18 ? all works fine but i get a error msg : cant locate module cipher-18, what do i have forgotten ?) Kernel 2.2.18 Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ From owner-linux-crypto@nl.linux.org Wed Mar 7 18:50:19 2001 Received: by humbolt.nl.linux.org id ; Wed, 7 Mar 2001 18:49:40 +0100 Received: from [194.46.8.33] ([194.46.8.33]:36360 "EHLO angusbay.vnl.com") by humbolt.nl.linux.org with ESMTP id ; Wed, 7 Mar 2001 18:48:32 +0100 Received: from amon by angusbay.vnl.com with local (Exim 3.22 #1) id 14ai43-0002Nb-00 (Debian); Wed, 07 Mar 2001 17:49:31 +0000 Date: Wed, 7 Mar 2001 17:49:30 +0000 From: Dale Amon To: linux-crypto Subject: Still seeing large file problem Message-ID: <20010307174930.Q2495@vnl.com> References: <3A9AE282.147DE47@echostar.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.15i In-Reply-To: ; from gisle@ii.uib.no on Mon, Mar 05, 2001 at 10:08:43PM +0100 X-Operating-System: Linux, the choice of a GNU generation Sender: owner-linux-crypto@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;linux-crypto-list Still having problems with 2G files. I can create a multigig file of zeroes file for my loopback, but I'm running into problems when I try to open it. I wrote a small test prog that repro's my problem and I've tried everything I can think of. I'm hoping there is something obvious and stupid and easily fixed :-) kernel: 2.4.0 with 2.4.0.3 int patches Linux starbase2 2.4.0 #5 SMP Wed Feb 14 19:22:54 GMT 2001 i686 unknown libc6: libc6-dev_2.2.2-1_i386.deb libc6_2.2.2-1_i386.deb dist: debian sid, bleeding edge current Test program: -------------- test.c #include #include #include #include main () { const char *file = "/bigloop"; int mode = O_RDONLY; int ffd; ffd = open (file, mode); if (ffd < 0) { perror (file); exit (1); } exit (0); } ------------ test run: # gcc -g test.c -o test # ./test /bigloop: File too large test file: # ls -lg /bigloop -rw-rw-r-- 1 root root 2252800000 Feb 26 14:59 /bigloop strace of test: root@starbase2:/home/amon# strace ./test execve("./test", ["./test"], [/* 20 vars */]) = 0 uname({sys="Linux", node="starbase2", ...}) = 0 brk(0) = 0x8049630 open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(0x3, 0xbffff02c) = 0 old_mmap(NULL, 43259, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40017000 close(3) = 0 open("/lib/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0$\320\1"..., 1024) = 1024 fstat64(0x3, 0xbffff074) = 0 old_mmap(NULL, 1108036, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40022000 mprotect(0x40127000, 38980, PROT_NONE) = 0 old_mmap(0x40127000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x104000) = 0x40127000 old_mmap(0x4012d000, 14404, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4012d000 close(3) = 0 munmap(0x40017000, 43259) = 0 getpid() = 13901 open("/bigloop", O_RDONLY) = -1 EFBIG (File too large) write(2, "/bigloop: File too large\n", 25/bigloop: File too large ) = 25 _exit(1) = ? -- ------------------------------------------------------ Use Linux: A computer Dale Amon, CEO/MD is a terrible thing Village Networking Ltd to waste. Belfast, Northern Ireland ------------------------------------------------------ Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ From owner-linux-crypto@nl.linux.org Wed Mar 7 19:33:01 2001 Received: by humbolt.nl.linux.org id ; Wed, 7 Mar 2001 19:32:15 +0100 Received: from SilCon.SilCon.com ([206.99.109.10]:56621 "EHLO silcon.silcon.com") by humbolt.nl.linux.org with ESMTP id ; Wed, 7 Mar 2001 19:31:37 +0100 Received: from pepper ([207.33.208.253]) by silcon.silcon.com (8.11.2/8.11.2) with SMTP id f27IVQN00129 for ; Wed, 7 Mar 2001 10:31:26 -0800 Reply-To: From: "George Milliken" To: "linux-crypto" Subject: RE: Still seeing large file problem Date: Wed, 7 Mar 2001 10:30:15 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <20010307174930.Q2495@vnl.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-linux-crypto@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;linux-crypto-list remove -----Original Message----- From: owner-linux-crypto@nl.linux.org [mailto:owner-linux-crypto@nl.linux.org]On Behalf Of Dale Amon Sent: Wednesday, March 07, 2001 9:50 AM To: linux-crypto Subject: Still seeing large file problem Still having problems with 2G files. I can create a multigig file of zeroes file for my loopback, but I'm running into problems when I try to open it. I wrote a small test prog that repro's my problem and I've tried everything I can think of. I'm hoping there is something obvious and stupid and easily fixed :-) kernel: 2.4.0 with 2.4.0.3 int patches Linux starbase2 2.4.0 #5 SMP Wed Feb 14 19:22:54 GMT 2001 i686 unknown libc6: libc6-dev_2.2.2-1_i386.deb libc6_2.2.2-1_i386.deb dist: debian sid, bleeding edge current Test program: -------------- test.c #include #include #include #include main () { const char *file = "/bigloop"; int mode = O_RDONLY; int ffd; ffd = open (file, mode); if (ffd < 0) { perror (file); exit (1); } exit (0); } ------------ test run: # gcc -g test.c -o test # ./test /bigloop: File too large test file: # ls -lg /bigloop -rw-rw-r-- 1 root root 2252800000 Feb 26 14:59 /bigloop strace of test: root@starbase2:/home/amon# strace ./test execve("./test", ["./test"], [/* 20 vars */]) = 0 uname({sys="Linux", node="starbase2", ...}) = 0 brk(0) = 0x8049630 open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(0x3, 0xbffff02c) = 0 old_mmap(NULL, 43259, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40017000 close(3) = 0 open("/lib/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0$\320\1"..., 1024) = 1024 fstat64(0x3, 0xbffff074) = 0 old_mmap(NULL, 1108036, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40022000 mprotect(0x40127000, 38980, PROT_NONE) = 0 old_mmap(0x40127000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x104000) = 0x40127000 old_mmap(0x4012d000, 14404, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4012d000 close(3) = 0 munmap(0x40017000, 43259) = 0 getpid() = 13901 open("/bigloop", O_RDONLY) = -1 EFBIG (File too large) write(2, "/bigloop: File too large\n", 25/bigloop: File too large ) = 25 _exit(1) = ? -- ------------------------------------------------------ Use Linux: A computer Dale Amon, CEO/MD is a terrible thing Village Networking Ltd to waste. Belfast, Northern Ireland ------------------------------------------------------ Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ From owner-linux-crypto@nl.linux.org Wed Mar 7 21:13:57 2001 Received: by humbolt.nl.linux.org id ; Wed, 7 Mar 2001 21:12:15 +0100 Received: from mta01-svc.ntlworld.com ([62.253.162.41]:6572 "EHLO mta01-svc.ntlworld.com") by humbolt.nl.linux.org with ESMTP id ; Wed, 7 Mar 2001 21:11:47 +0100 Received: from wompom.mcdonald.org.uk ([62.252.164.161]) by mta01-svc.ntlworld.com (InterMail vM.4.01.02.27 201-229-119-110) with ESMTP id <20010307200901.RAGI283.mta01-svc.ntlworld.com@wompom.mcdonald.org.uk> for ; Wed, 7 Mar 2001 20:09:01 +0000 Received: from bifrons.mcdonald.org.uk [192.168.77.12] by wompom.mcdonald.org.uk with smtp (Exim 3.12 #1 (Debian)) id 14akEx-0000Dq-00; Wed, 07 Mar 2001 20:08:55 +0000 Received: by bifrons.mcdonald.org.uk (sSMTP sendmail emulation); Wed, 7 Mar 2001 20:08:53 +0000 Date: Wed, 7 Mar 2001 20:08:53 +0000 From: Andrew McDonald To: linux-crypto@nl.linux.org Subject: Re: what is this ? Message-ID: <20010307200853.A372@mcdonald.org.uk> Mail-Followup-To: linux-crypto@nl.linux.org References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.15i In-Reply-To: ; from mangel@gmx.de on Wed, Mar 07, 2001 at 01:42:30PM +0100 Sender: owner-linux-crypto@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;linux-crypto-list On Wed, Mar 07, 2001 at 01:42:30PM +0100, Morbid Angel wrote: > > what is cipher-18 ? > > all works fine but i get a error msg : cant locate module cipher-18, > what do i have forgotten ?) > Kernel 2.2.18 You need the appropriate aliases in your /etc/modules.conf file. Cipher 18 is AES, for which you probably want: alias cipher-18 rijndael This allows modprobe to automatically load the required module. The crypto patch for 2.4.x uses a different method, which avoids the need for these aliases. Andrew -- Andrew McDonald E-mail: andrew@mcdonald.org.uk http://www.mcdonald.org.uk/andrew/ Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ From owner-linux-crypto@nl.linux.org Thu Mar 8 16:59:31 2001 Received: by humbolt.nl.linux.org id ; Thu, 8 Mar 2001 16:58:42 +0100 Received: from 29.13.fl3.ip.foni.net ([62.214.13.29]:51205 "EHLO server.bodom.netz") by humbolt.nl.linux.org with ESMTP id ; Thu, 8 Mar 2001 16:58:05 +0100 Received: from workstation (workstation.bodom.netz [192.168.50.100]) by server.bodom.netz (8.11.2/8.11.2/SuSE Linux 8.11.1-0.5) with SMTP id f28FtSR03353 for ; Thu, 8 Mar 2001 16:55:28 +0100 From: "Morbid Angel" To: Subject: still problems with SuSE 2.2.18 Kernel + patch.int.2.2.18.3 Date: Thu, 8 Mar 2001 16:55:27 +0100 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-linux-crypto@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;linux-crypto-list Hi ! If i patch the Suse 2.2.18 Kernel with the Patch.int.2.2.18.3 i get this errors : Hunk #1 FAILED at 3 Hunk #2 FAILED at 11 2 out of 2 hunks FAILED -- saving rejects to file net/Config.in.rej Config.in.rej : *************** *** 3,8 **** # mainmenu_option next_comment comment 'Networking options' tristate 'Packet socket' CONFIG_PACKET bool 'Kernel/User netlink socket' CONFIG_NETLINK if [ "$CONFIG_NETLINK" = "y" ]; then --- 3,9 ---- # mainmenu_option next_comment comment 'Networking options' + source net/cipe/Config.in tristate 'Packet socket' CONFIG_PACKET bool 'Kernel/User netlink socket' CONFIG_NETLINK if [ "$CONFIG_NETLINK" = "y" ]; then *************** *** 10,15 **** tristate 'Netlink device emulation' CONFIG_NETLINK_DEV fi bool 'Network firewalls' CONFIG_FIREWALL bool 'Socket Filtering' CONFIG_FILTER tristate 'Unix domain sockets' CONFIG_UNIX bool 'TCP/IP networking' CONFIG_INET --- 11,19 ---- tristate 'Netlink device emulation' CONFIG_NETLINK_DEV fi bool 'Network firewalls' CONFIG_FIREWALL + if [ "$CONFIG_FIREWALL" = "y" ]; then + bool 'Network security (ENskip support)' CONFIG_NET_SECURITY + fi bool 'Socket Filtering' CONFIG_FILTER tristate 'Unix domain sockets' CONFIG_UNIX bool 'TCP/IP networking' CONFIG_INET can someone say me what is this ? Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ From owner-linux-crypto@nl.linux.org Thu Mar 8 20:21:18 2001 Received: by humbolt.nl.linux.org id ; Thu, 8 Mar 2001 20:20:38 +0100 Received: from eik.ii.uib.no ([129.177.16.3]:3274 "EHLO ii.uib.no") by humbolt.nl.linux.org with ESMTP id convert rfc822-to-8bit; Thu, 8 Mar 2001 20:20:06 +0100 Received: from apal-192.ii.uib.no (apal.ii.uib.no) [129.177.192.27] by ii.uib.no with esmtp (Exim 3.03) id 14b5xE-0002CA-00 ; Thu, 08 Mar 2001 20:20:04 +0100 Received: (from gisle@localhost) by apal.ii.uib.no (8.9.3+Sun/8.9.3) id UAA28606; Thu, 8 Mar 2001 20:19:56 +0100 (MET) Date: Thu, 8 Mar 2001 20:19:56 +0100 (MET) From: Gisle S{lensminde To: Morbid Angel cc: Subject: Re: still problems with SuSE 2.2.18 Kernel + patch.int.2.2.18.3 In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-1 Content-Transfer-Encoding: 8BIT Sender: owner-linux-crypto@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;linux-crypto-list On Thu, 8 Mar 2001, Morbid Angel wrote: > Hi ! > > If i patch the Suse 2.2.18 Kernel with the Patch.int.2.2.18.3 i get this > errors : > Probably because SuSE have modified the kernel the delivers with their distro, and did it in a way that is incompatible with the kerneli, i.e modified it on a place kerneli modifies it as well. If you try the standard kernel from kernel.org, things should work fine. -- Gisle Sælensminde ( gisle@ii.uib.no ) With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea. It is hard to be sure where they are going to land, and it could be dangerous sitting under them as they fly overhead. (from RFC 1925) Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ From owner-linux-crypto@nl.linux.org Thu Mar 8 20:29:15 2001 Received: by humbolt.nl.linux.org id ; Thu, 8 Mar 2001 20:28:34 +0100 Received: from mail2.uni-bielefeld.de ([129.70.4.90]:14150 "EHLO mail.uni-bielefeld.de") by humbolt.nl.linux.org with ESMTP id ; Thu, 8 Mar 2001 20:28:08 +0100 Received: from Mutz.com (ppp36-242.hrz.uni-bielefeld.de [129.70.36.242]) by mail.uni-bielefeld.de (Sun Internet Mail Server sims.4.0.2000.05.17.04.13.p6) with ESMTP id <0G9W000K48QQ7W@mail.uni-bielefeld.de> for linux-crypto@nl.linux.org; Thu, 8 Mar 2001 20:28:04 +0100 (MET) Date: Thu, 08 Mar 2001 18:27:21 +0000 From: Marc Mutz Subject: Re: still problems with SuSE 2.2.18 Kernel + patch.int.2.2.18.3 To: Morbid Angel Cc: linux-crypto@nl.linux.org Message-id: <3AA7CF09.3F131F5C@Mutz.com> Organization: University of Bielefeld - Dep. of Mathematics / Dep. of Physics MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.18-0001 i586) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7BIT X-Accept-Language: en References: Sender: owner-linux-crypto@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;linux-crypto-list Morbid Angel wrote: > > Hi ! > > If i patch the Suse 2.2.18 Kernel with the Patch.int.2.2.18.3 i get this > errors : > > Hunk #1 FAILED at 3 > Hunk #2 FAILED at 11 > 2 out of 2 hunks FAILED -- saving rejects to file net/Config.in.rej > > can someone say me what is this ? Don't know, because in the .rej file there is no hint as to why the patch fails. But you can safely ignore this error if you don't want cipe or ENSkip in the kernel build process (I would not recommend ENskip at all and CIPE can be build from outside the kernel source tree). If you want resolve this error, simply insert the lines marked with '+' at the beginning into their respective places between the existing lines in net/Config.in, the rm *.orig *.rej. Marc -- Marc Mutz http://EncryptionHOWTO.sourceforge.net/ University of Bielefeld, Dep. of Mathematics / Dep. of Physics PGP-keyID's: 0xd46ce9ab (RSA), 0x7ae55b9e (DSS/DH) Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ From owner-linux-crypto@nl.linux.org Thu Mar 8 20:34:38 2001 Received: by humbolt.nl.linux.org id ; Thu, 8 Mar 2001 20:33:58 +0100 Received: from ns.suse.de ([213.95.15.193]:60676 "EHLO Cantor.suse.de") by humbolt.nl.linux.org with ESMTP id convert rfc822-to-8bit; Thu, 8 Mar 2001 20:33:33 +0100 Received: from Hermes.suse.de (Hermes.suse.de [213.95.15.136]) by Cantor.suse.de (Postfix) with ESMTP id 8D8BA1E153; Thu, 8 Mar 2001 20:33:32 +0100 (MET) Date: Thu, 8 Mar 2001 20:33:32 +0100 (MET) From: Roman Drahtmueller To: Gisle S{lensminde Cc: Morbid Angel , Subject: Re: still problems with SuSE 2.2.18 Kernel + patch.int.2.2.18.3 In-Reply-To: Message-ID: X-Organization: SuSE GmbH MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-1 Content-Transfer-Encoding: 8BIT Sender: owner-linux-crypto@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;linux-crypto-list > > Hi ! > > > > If i patch the Suse 2.2.18 Kernel with the Patch.int.2.2.18.3 i get this > > errors : > > > > Probably because SuSE have modified the kernel the delivers with their > distro, and did it in a way that is incompatible with the kerneli, i.e > modified it on a place kerneli modifies it as well. If you try the > standard kernel from kernel.org, things should work fine. There are indeed changes in the SuSE kernels, mainly additional drivers (which are not contained in the mainstream kernel) as well as newer drivers and last-minute bugfixes. It is very well possible that some small things need to be patched by hand for the thing to succeed. Anyway, we're working on integrating the kerneli patches to our distribution kernel. Thanks, Roman. -- - - | Roman Drahtmüller // "Caution: Cape does | SuSE GmbH - Security Phone: // not enable user to fly." | Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) | - - Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ From owner-linux-crypto@nl.linux.org Thu Mar 8 22:45:38 2001 Received: by humbolt.nl.linux.org id ; Thu, 8 Mar 2001 22:44:47 +0100 Received: from 41.130.fl1.ip.foni.net ([212.7.130.41]:3844 "EHLO server.bodom.netz") by humbolt.nl.linux.org with ESMTP id ; Thu, 8 Mar 2001 22:44:16 +0100 Received: from workstation (workstation.bodom.netz [192.168.50.100]) by server.bodom.netz (8.11.2/8.11.2/SuSE Linux 8.11.1-0.5) with SMTP id f28LfqF00583 for ; Thu, 8 Mar 2001 22:41:52 +0100 From: "Morbid Angel" To: Subject: "clean" 2.2.18 src and still problems !!! :(( Date: Thu, 8 Mar 2001 22:41:47 +0100 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal Sender: owner-linux-crypto@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;linux-crypto-list so i took a "clean" (without any patches) 2.2.18 Kernel source and i have patched it with the int patch (patch-int-2.2.18.3) i haven't got any error messages in the "make menuconfig" in the "crypto options" i have set : Crypto support <*> Crypto ciphers <*> IDEA cipher <*> but : 1. if i do losetup -e idea /dev/loop0 /mycryptofile it asks for the keysize and (!) 2 times for the password than i can see on console 10 : modprobe: cant find cipher-18 and all works fine after that 2. if i make the AES cipher as a module in the "Crypto options" and put this line into /etc/modules.conf : "alias cipher-18 rijndael" and do "losetup -e idea /dev/loop0 /mycryptofile" , it asks for the keysize and only 1 time for the password but i cant access the crypted file with "mount -t ext2 /dev/loop0 /dir" it says "mount: wrong fs type ,bad option, bad superblock on /dev/loop0, or to many mounted file systems" WHY ? PS: sorry for my english but i hope you understand what i mean , else ask me Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ From owner-linux-crypto@nl.linux.org Fri Mar 9 13:15:14 2001 Received: by humbolt.nl.linux.org id ; Fri, 9 Mar 2001 13:14:28 +0100 Received: from mail2.uni-bielefeld.de ([129.70.4.90]:54909 "EHLO mail.uni-bielefeld.de") by humbolt.nl.linux.org with ESMTP id ; Fri, 9 Mar 2001 13:13:53 +0100 Received: from uni-bielefeld.de (ppp36-244.hrz.uni-bielefeld.de [129.70.36.244]) by mail.uni-bielefeld.de (Sun Internet Mail Server sims.4.0.2000.05.17.04.13.p6) with ESMTP id <0G9X00BD7JAX9J@mail.uni-bielefeld.de> for linux-crypto@nl.linux.org; Fri, 9 Mar 2001 13:13:46 +0100 (MET) Date: Fri, 09 Mar 2001 12:12:00 +0000 From: Marc Mutz Subject: Re: "clean" 2.2.18 src and still problems !!! :(( To: Morbid Angel Cc: linux-crypto@nl.linux.org Message-id: <3AA8C890.BA538D9F@uni-bielefeld.de> Organization: University of Bielefeld - Dep. of Mathematics / Dep. of Physics MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.18-0001 i586) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7BIT X-Accept-Language: en References: Sender: owner-linux-crypto@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;linux-crypto-list Morbid Angel wrote: > (patch-int-2.2.18.3) > 1. if i do losetup -e idea /dev/loop0 /mycryptofile it asks for the keysize This cannot be. To the best of my knowledge, 2.2.18.3 does not ask for the keysize. You are using 2.2.18.4pre, or you have patched util-linux with the patch from 2.2.18.4pre. Marc -- Marc Mutz http://EncryptionHOWTO.sourceforge.net/ University of Bielefeld, Dep. of Mathematics / Dep. of Physics PGP-keyID's: 0xd46ce9ab (RSA), 0x7ae55b9e (DSS/DH) Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ From owner-linux-crypto@nl.linux.org Fri Mar 9 14:59:45 2001 Received: by humbolt.nl.linux.org id ; Fri, 9 Mar 2001 14:59:06 +0100 Received: from [194.46.8.33] ([194.46.8.33]:32264 "EHLO angusbay.vnl.com") by humbolt.nl.linux.org with ESMTP id ; Fri, 9 Mar 2001 14:58:46 +0100 Received: from amon by angusbay.vnl.com with local (Exim 3.22 #1) id 14bNQw-0005Hz-00 (Debian); Fri, 09 Mar 2001 13:59:54 +0000 Date: Fri, 9 Mar 2001 13:59:54 +0000 From: Dale Amon To: linux-crypto Subject: Re: Still seeing large file problem Message-ID: <20010309135953.N9823@vnl.com> References: <3A9AE282.147DE47@echostar.com> <20010307174930.Q2495@vnl.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.15i In-Reply-To: <20010307174930.Q2495@vnl.com>; from amon@vnl.com on Wed, Mar 07, 2001 at 05:49:30PM +0000 X-Operating-System: Linux, the choice of a GNU generation Sender: owner-linux-crypto@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;linux-crypto-list I might also add to my previously posted data that tar and other apps are accessing large files with no problem. It's only the code I'm compiling on the machine, ie like losetup with the crypt patches (from which that little test prog was lifted near verbatim) that seem to be having the problem. Difficult to make any progress working on the loopback problem until I've got this sorted. Any help or ideas would be much appreciated. -- ------------------------------------------------------ Use Linux: A computer Dale Amon, CEO/MD is a terrible thing Village Networking Ltd to waste. Belfast, Northern Ireland ------------------------------------------------------ Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ From owner-linux-crypto@nl.linux.org Fri Mar 9 16:18:34 2001 Received: by humbolt.nl.linux.org id ; Fri, 9 Mar 2001 16:17:36 +0100 Received: from pop.gmx.net ([194.221.183.20]:20998 "HELO mail.gmx.net") by humbolt.nl.linux.org with SMTP id ; Fri, 9 Mar 2001 16:16:43 +0100 Received: (qmail 20643 invoked by uid 0); 9 Mar 2001 15:16:41 -0000 Received: from 85.130.fl1.ip.foni.net (HELO server.bodom.netz) (212.7.130.85) by mail.gmx.net (mp015-rz3) with SMTP; 9 Mar 2001 15:16:41 -0000 Received: from workstation (workstation.bodom.netz [192.168.50.100]) by server.bodom.netz (8.11.2/8.11.2/SuSE Linux 8.11.1-0.5) with SMTP id f29FGTB07214 for ; Fri, 9 Mar 2001 16:16:29 +0100 From: "Morbid Angel" To: Subject: hmmm problems with patch for util-linux Date: Fri, 9 Mar 2001 16:16:27 +0100 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-linux-crypto@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;linux-crypto-list hmmm i tryied to patch util-linux (one more time clean sources) but after this: user$ ./configure user$ make -C lib setproctitle.o i got this error msg's : make: Entering directory `user/src/util-linux-2.10o/lib' Makefile:1 : ../make_include: No such file or directory make: *** No rule to make target `../make_include'. Stop. make: Leaving directory `/usr/src/util-linux-2.10o/lib' why ? Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ From owner-linux-crypto@nl.linux.org Sat Mar 10 12:13:59 2001 Received: by humbolt.nl.linux.org id ; Sat, 10 Mar 2001 12:12:48 +0100 Received: from pop.gmx.net ([194.221.183.20]:19048 "HELO mail.gmx.net") by humbolt.nl.linux.org with SMTP id ; Sat, 10 Mar 2001 12:12:17 +0100 Received: (qmail 32113 invoked by uid 0); 10 Mar 2001 11:12:14 -0000 Received: from 16.135.fl1.ip.foni.net (HELO server.bodom.netz) (212.7.135.16) by mail.gmx.net (mp017-rz3) with SMTP; 10 Mar 2001 11:12:14 -0000 Received: from workstation (workstation.bodom.netz [192.168.50.100]) by server.bodom.netz (8.11.2/8.11.2/SuSE Linux 8.11.1-0.5) with SMTP id f2AB88B10955 for ; Sat, 10 Mar 2001 12:08:08 +0100 From: "Morbid Angel" To: Subject: still problems Date: Sat, 10 Mar 2001 12:07:50 +0100 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-linux-crypto@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;linux-crypto-list hmmm the other error it was my mistake but now i have problems with make mount (make losetup and umount works fine) i get this : cc -c -O -pipe -O2 -m486 -fomit-frame-pointer -I../lib -Wall -Wmissing-proto types -Wstrict-prototypes -DNCH=1 -DSBINDIR=\"/sbin\" -DUSRSBINDIR=\"/usr/s bin\" -DLOGDIR=\"/var/log\" -DVARPATH=\"/var\" -DLOCALEDIR=\"/usr/share/loca le\" -DHAVE_NFS nfsmount.c nfsmount.c: In function `nfsmount': nfsmount.c:647: `NFS_FHSIZE' undeclared (first use in this function) nfsmount.c:647: (Each undeclared identifier is reported only once nfsmount.c:647: for each function it appears in.) nfsmount.c:665: warning: unreachable code at beginning of switch statement nfsmount.c:699: `NFS_PORT' undeclared (first use in this function) make: *** [nfsmount.o] Error 1 what can i do ? Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ From owner-linux-crypto@nl.linux.org Fri Mar 16 22:25:03 2001 Received: by humbolt.nl.linux.org id ; Fri, 16 Mar 2001 22:24:13 +0100 Received: from pop.gmx.net ([194.221.183.20]:44466 "HELO mail.gmx.net") by humbolt.nl.linux.org with SMTP id ; Fri, 16 Mar 2001 22:23:55 +0100 Received: (qmail 14460 invoked by uid 0); 16 Mar 2001 21:23:53 -0000 Received: from 61.135.fl1.ip.foni.net (HELO server.bodom.netz) (212.7.135.61) by mail.gmx.net (mail07) with SMTP; 16 Mar 2001 21:23:53 -0000 Received: from workstation (workstation.bodom.netz [192.168.50.100]) by server.bodom.netz (8.11.2/8.11.2/SuSE Linux 8.11.1-0.5) with SMTP id f2GLNhA01474 for ; Fri, 16 Mar 2001 22:23:43 +0100 From: "Morbid Angel" To: Subject: problems with 2.4.0 kernal and int patch Date: Fri, 16 Mar 2001 22:23:36 +0100 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-linux-crypto@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;linux-crypto-list Hi ! i have problems with Kernel 2.4.0 and INT patch i have done all like it is written in the howto and it all was succesfull but if i want mount my crypted file i get ever "File to large" my crypto file is 12GB big, but i know the 2.4.0 kernel can "work" with files >2GB why do i get this error message ? what can i do ? Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ From owner-linux-crypto@nl.linux.org Mon Mar 19 18:49:34 2001 Received: by humbolt.nl.linux.org id ; Mon, 19 Mar 2001 18:48:44 +0100 Received: from mail2.uni-bielefeld.de ([129.70.4.90]:55416 "EHLO mail.uni-bielefeld.de") by humbolt.nl.linux.org with ESMTP id ; Mon, 19 Mar 2001 18:48:20 +0100 Received: from uni-bielefeld.de ("port 1305"@ppp36-454.hrz.uni-bielefeld.de [129.70.37.198]) by mail.uni-bielefeld.de (Sun Internet Mail Server sims.4.0.2000.05.17.04.13.p6) with ESMTP id <0GAG00GH3HGDAA@mail.uni-bielefeld.de> for linux-crypto@nl.linux.org; Mon, 19 Mar 2001 18:48:14 +0100 (MET) Date: Mon, 19 Mar 2001 15:20:23 +0000 From: Marc Mutz Subject: Re: problems with 2.4.0 kernal and int patch To: Morbid Angel Cc: linux-crypto@nl.linux.org Message-id: <3AB623B7.2ED040A8@uni-bielefeld.de> Organization: University of Bielefeld - Dep. of Mathematics / Dep. of Physics MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.18-0001 i586) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7BIT X-Accept-Language: en References: Sender: owner-linux-crypto@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;linux-crypto-list Morbid Angel wrote: > > Hi ! > > i have problems with Kernel 2.4.0 and INT patch > > i have done all like it is written in the howto > and it all was succesfull > > but if i want mount my crypted file i get ever "File to large" > my crypto file is 12GB big, but i know the 2.4.0 kernel can "work" with > files >2GB > > why do i get this error message ? > what can i do ? > Shrink the crypted file to a reasonable size. I honestly cannot imagine needing that much encrypted space at all. When you go through what you want to put into it one by one, you'll most probably see that there's no point in putting so much stuff into it. Personally, I used up to 2G, mostly because I was putting my complete email traffic there (with all the mailing lists I am subscribed to). But that's nonsense. Everybody can see your email when you send it or when you use PGP, you don't need to encrypt it a second time. It suffices to put one's .netscape, .pgp, .gnupg etc there. My encrypted space is now much smaller. Also, if you really care about your data and want it protected, you won't put so much stuff in it, not even mentioning stuff that everybody knows, because of known-plaintext attacks. If you use blowfish, I would not dare to encrypt that much data under a single key, because of the birthday attack, whose 'magic number', ie. the size of data where equal ciphertext blocks will occur with probability 1/2, is about 2^32 blocks, ie. 32GByte. Marc -- Marc Mutz http://EncryptionHOWTO.sourceforge.net/ University of Bielefeld, Dep. of Mathematics / Dep. of Physics PGP-keyID's: 0xd46ce9ab (RSA), 0x7ae55b9e (DSS/DH) Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ From owner-linux-crypto@nl.linux.org Fri Mar 23 21:39:40 2001 Received: by humbolt.nl.linux.org id ; Fri, 23 Mar 2001 21:39:05 +0100 Received: from [194.46.8.33] ([194.46.8.33]:48138 "EHLO angusbay.vnl.com") by humbolt.nl.linux.org with ESMTP id ; Fri, 23 Mar 2001 21:38:40 +0100 Received: from amon by angusbay.vnl.com with local (Exim 3.22 #1) id 14gYLg-0000qE-00 (Debian); Fri, 23 Mar 2001 20:39:52 +0000 Date: Fri, 23 Mar 2001 20:39:52 +0000 From: Dale Amon To: linux-crypto@nl.linux.org Subject: Re: problems with 2.4.0 kernal and int patch Message-ID: <20010323203951.W16687@vnl.com> References: <3AB623B7.2ED040A8@uni-bielefeld.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.15i In-Reply-To: <3AB623B7.2ED040A8@uni-bielefeld.de>; from Marc.Mutz@uni-bielefeld.de on Mon, Mar 19, 2001 at 03:20:23PM +0000 X-Operating-System: Linux, the choice of a GNU generation Sender: owner-linux-crypto@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;linux-crypto-list On Mon, Mar 19, 2001 at 03:20:23PM +0000, Marc Mutz wrote: > Morbid Angel wrote: > > > > Hi ! > > > > i have problems with Kernel 2.4.0 and INT patch > > > > i have done all like it is written in the howto > > and it all was succesfull > > > > but if i want mount my crypted file i get ever "File to large" > > my crypto file is 12GB big, but i know the 2.4.0 kernel can "work" with > > files >2GB > > > > why do i get this error message ? > > what can i do ? > > > > > Shrink the crypted file to a reasonable size. I honestly cannot imagine > needing that much encrypted space at all. When you go through what you > want to put into it one by one, you'll most probably see that there's no > point in putting so much stuff into it. Personally, I used up to 2G, > mostly because I was putting my complete email traffic there (with all > the mailing lists I am subscribed to). But that's nonsense. Everybody > can see your email when you send it or when you use PGP, you don't need > to encrypt it a second time. > > It suffices to put one's .netscape, .pgp, .gnupg etc there. My encrypted > space is now much smaller. > > Also, if you really care about your data and want it protected, you > won't put so much stuff in it, not even mentioning stuff that everybody > knows, because of known-plaintext attacks. If you use blowfish, I would > not dare to encrypt that much data under a single key, because of the > birthday attack, whose 'magic number', ie. the size of data where equal > ciphertext blocks will occur with probability 1/2, is about 2^32 blocks, > ie. 32GByte. > > Marc However I also still have the problem and have not seen an answer back to my debug query (help begging missive) on the issue. In my own case it simply is not possible to "make it smaller". I need a very large secure file system and it is not for a personal computer. There are reasons, but if I told you I'd have to shred you :-) I can't help think that there are other secure system projects blocked on this same requirement. I really want to get this issue sorted, and I've gone into gdb and I've written the test file that shows the issue must be in either the kernel or libraries associated with the open() call, not specifically in the loop back or crypto. Also, is Gisle coming back or is there any sign of someone doing a 2.4.2 int patch? The 2.4.0 still applies, but... -- ------------------------------------------------------ Use Linux: A computer Dale Amon, CEO/MD is a terrible thing Village Networking Ltd to waste. Belfast, Northern Ireland ------------------------------------------------------ Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ From owner-linux-crypto@nl.linux.org Sun Mar 25 21:36:26 2001 Received: by humbolt.nl.linux.org id ; Sun, 25 Mar 2001 21:35:40 +0200 Received: from eik.ii.uib.no ([129.177.16.3]:22925 "EHLO ii.uib.no") by humbolt.nl.linux.org with ESMTP id convert rfc822-to-8bit; Sun, 25 Mar 2001 21:35:17 +0200 Received: from apal-192.ii.uib.no (apal.ii.uib.no) [129.177.192.27] by ii.uib.no with esmtp (Exim 3.03) id 14hGIO-0000Kl-00 ; Sun, 25 Mar 2001 21:35:24 +0200 Received: (from gisle@localhost) by apal.ii.uib.no (8.9.3+Sun/8.9.3) id VAA17988; Sun, 25 Mar 2001 21:35:13 +0200 (MEST) Date: Sun, 25 Mar 2001 21:35:13 +0200 (MEST) From: Gisle S{lensminde To: Dale Amon cc: Subject: Re: problems with 2.4.0 kernal and int patch In-Reply-To: <20010323203951.W16687@vnl.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-1 Content-Transfer-Encoding: 8BIT Sender: owner-linux-crypto@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;linux-crypto-list On Fri, 23 Mar 2001, Dale Amon wrote: > On Mon, Mar 19, 2001 at 03:20:23PM +0000, Marc Mutz wrote: > > Morbid Angel wrote: > > > > > However I also still have the problem and have not seen an answer > back to my debug query (help begging missive) on the issue. > > In my own case it simply is not possible to "make it smaller". I need a > very large secure file system and it is not for a personal computer. There > are reasons, but if I told you I'd have to shred you :-) > > I can't help think that there are other secure system projects blocked on > this same requirement. > > I really want to get this issue sorted, and I've gone into gdb and > I've written the test file that shows the issue must be in either > the kernel or libraries associated with the open() call, not > specifically in the loop back or crypto. The 2GB problem on loopback devices (that not is part of kerneli) is a wellknown problem. Since this is a deep kernel problem, the kernel list is a better place for this issue. There are people working on this problem, but they don't read this list. This problem impacts much more than crypto partitions. It is for example not possible to mount disk images > 2 GB. This makes it hard or impossible to mount DVD images on harddisk. I think Jens Axboe is working on the problem, and have a patch for it. (But I as far as I know he don't subscribe to this list) http://www.kernel.org/pub/linux/kernel/people/axboe/patches/ The patches are not included in the mianstream kernel yet, and I don't know whether that breaks something else, but you can try. > Also, is Gisle coming back or is there any sign of someone doing > a 2.4.2 int patch? The 2.4.0 still applies, but... :-) I have not upgraded to 2.4 yet, since my computer is too slow for that. I have ordered a new computer, so maybe in the future sometime, but don't hold your breath. -- Gisle Sælensminde ( gisle@ii.uib.no ) With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea. It is hard to be sure where they are going to land, and it could be dangerous sitting under them as they fly overhead. (from RFC 1925) Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ From owner-linux-crypto@nl.linux.org Sun Mar 25 23:53:19 2001 Received: by humbolt.nl.linux.org id ; Sun, 25 Mar 2001 23:52:22 +0200 Received: from hq.alert.sk ([147.175.66.131]:14094 "EHLO hq.alert.sk") by humbolt.nl.linux.org with ESMTP id ; Sun, 25 Mar 2001 23:51:59 +0200 Received: by hq.alert.sk (Postfix, from userid 608) id EE9A045E41; Sun, 25 Mar 2001 23:51:57 +0200 (CEST) Date: Sun, 25 Mar 2001 23:51:57 +0200 From: Robert Varga To: linux-crypto@nl.linux.org Subject: problems with kerneli patch? Message-ID: <20010325235157.A29347@hq.alert.sk> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="YiEDa0DAkWCtVeE4" Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-linux-crypto@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;linux-crypto-list --YiEDa0DAkWCtVeE4 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi everybody I've been on this list for a while, and I could see there are still problems. I am planning to use the crypto API to extend the Ext2 to support per-file encryption and other cute stuff. Could somebody summarize the known problems and wether they are being worked on? If not, I could take a look at them. --=20 Kind regards, Robert Varga ---------------------------------------------------------------------------= --- n@hq.sk http://hq.sk/~nite/gpgkey.= txt =20 --YiEDa0DAkWCtVeE4 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6vmh99aKR2/T45h8RAtB6AKCR2DiLq9i4Ht4bR1fb6ophj47B4wCfW6HH Ss+/Lq3AgIkUDO4KxaTpXWQ= =jFQC -----END PGP SIGNATURE----- --YiEDa0DAkWCtVeE4-- Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ From owner-linux-crypto@nl.linux.org Mon Mar 26 19:33:40 2001 Received: by humbolt.nl.linux.org id ; Mon, 26 Mar 2001 19:32:54 +0200 Received: from mail2.uni-bielefeld.de ([129.70.4.90]:7583 "EHLO mail.uni-bielefeld.de") by humbolt.nl.linux.org with ESMTP id ; Mon, 26 Mar 2001 19:32:28 +0200 Received: from uni-bielefeld.de ("port 4673"@ppp36-419.hrz.uni-bielefeld.de [129.70.37.163]) by mail.uni-bielefeld.de (Sun Internet Mail Server sims.4.0.2000.05.17.04.13.p6) with ESMTP id <0GAT00C8HFE0RM@mail.uni-bielefeld.de> for linux-crypto@nl.linux.org; Mon, 26 Mar 2001 19:32:26 +0200 (MET DST) Date: Mon, 26 Mar 2001 13:58:39 +0000 From: Marc Mutz Subject: Re: problems with kerneli patch? To: Robert Varga Cc: linux-crypto@nl.linux.org Message-id: <3ABF4B0F.4995EAAD@uni-bielefeld.de> Organization: University of Bielefeld - Dep. of Mathematics / Dep. of Physics MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.18-0001 i586) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7BIT X-Accept-Language: en References: <20010325235157.A29347@hq.alert.sk> Sender: owner-linux-crypto@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;linux-crypto-list Robert Varga wrote: > > Could somebody summarize the known problems and wether they are being worked > on? If not, I could take a look at them. Do you mean conceptional or implementation-dependent? For the first, a starting point would be - of course - Applied Cryptography by B. Schneier. There is quite an extensive references section there, but the book is now more than six years old. For the second, here's a list of bug/inconvenients for the linux loopback device crypto and the cryptoapi, as far as i know and recall them: - 2G limit in the loopback device (2.2+2.4, axboe maybe has a patch for 2.4?) - deadlocks in the loopback device (2.4, axboe has a patch) - blowfish (and other ciphers) have endian-issues (2.2+2.4) This is mostly because a. no-one has really defined what the ciphers should return and accept (cryptoapi) b. the authors of ciphers often did not pay attention themselves c. no-one has tested the ciphers (due to a.) - blowfish (and others) have a problem with demand-module loading (2.2.18.4pre+2.4) For the third point: Alex, Gisle, should we define the input and output of *_{en,de}crypt functions to expect/provide an octet stream? Then all endian issues (except bit-endianess, which is a non-issue on platforms Linux runs on) go away. One then has to check (like Brian Gladman did in his paper on the subject he submitted to the AES comments last year) the papers and check the implementations in the kernel against that. Additions to this list are welcome. Marc -- Marc Mutz http://EncryptionHOWTO.sourceforge.net/ University of Bielefeld, Dep. of Mathematics / Dep. of Physics PGP-keyID's: 0xd46ce9ab (RSA), 0x7ae55b9e (DSS/DH) Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ From owner-linux-crypto@nl.linux.org Tue Mar 27 10:11:43 2001 Received: by humbolt.nl.linux.org id ; Tue, 27 Mar 2001 10:10:36 +0200 Received: from midten.fast.no ([213.188.8.11]:47117 "EHLO midten.fast.no") by humbolt.nl.linux.org with ESMTP id ; Tue, 27 Mar 2001 10:10:03 +0200 Received: (from astor@localhost) by midten.fast.no (8.9.3/8.9.3) id KAA39180; Tue, 27 Mar 2001 10:09:51 +0200 (CEST) Date: Tue, 27 Mar 2001 10:09:51 +0200 From: Alexander S A Kjeldaas To: Marc Mutz Cc: Robert Varga , linux-crypto@nl.linux.org Subject: Re: problems with kerneli patch? Message-ID: <20010327100951.A38695@midten.fast.no> References: <20010325235157.A29347@hq.alert.sk> <3ABF4B0F.4995EAAD@uni-bielefeld.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.4i In-Reply-To: <3ABF4B0F.4995EAAD@uni-bielefeld.de>; from Marc Mutz on Mon, Mar 26, 2001 at 01:58:39PM +0000 Sender: owner-linux-crypto@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;linux-crypto-list On Mon, Mar 26, 2001 at 01:58:39PM +0000, Marc Mutz wrote: > Robert Varga wrote: > > > > > Could somebody summarize the known problems and wether they are being worked > > on? If not, I could take a look at them. > > > Do you mean conceptional or implementation-dependent? > > For the first, a starting point would be - of course - Applied > Cryptography by B. Schneier. There is quite an extensive references > section there, but the book is now more than six years old. > > For the second, here's a list of bug/inconvenients for the linux > loopback device crypto and the cryptoapi, as far as i know and recall > them: > > - 2G limit in the loopback device > (2.2+2.4, axboe maybe has a patch for 2.4?) > - deadlocks in the loopback device > (2.4, axboe has a patch) > - blowfish (and other ciphers) have endian-issues (2.2+2.4) > This is mostly because > a. no-one has really defined what the ciphers should > return and accept (cryptoapi) > b. the authors of ciphers often did not pay attention > themselves > c. no-one has tested the ciphers (due to a.) > - blowfish (and others) have a problem with demand-module > loading (2.2.18.4pre+2.4) > > For the third point: Alex, Gisle, should we define the input and output > of *_{en,de}crypt functions to expect/provide an octet stream? Yes we should and we do - at least in the 2.4 patch. The interface is right but some implementations are still wrong. astor Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ From owner-linux-crypto@nl.linux.org Tue Mar 27 11:05:43 2001 Received: by humbolt.nl.linux.org id ; Tue, 27 Mar 2001 11:05:05 +0200 Received: from hank-fep6-0.inet.fi ([194.251.242.201]:48873 "EHLO fep06.tmt.tele.fi") by humbolt.nl.linux.org with ESMTP id ; Tue, 27 Mar 2001 11:04:26 +0200 Received: from pp.inet.fi ([212.213.41.217]) by fep06.tmt.tele.fi (InterMail vM.4.01.02.17 201-229-119) with ESMTP id <20010327090420.JYFK5948.fep06.tmt.tele.fi@pp.inet.fi>; Tue, 27 Mar 2001 12:04:20 +0300 Message-ID: <3AC05777.4CC064D4@pp.inet.fi> Date: Tue, 27 Mar 2001 12:03:51 +0300 From: Jari Ruusu X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.18aa2 i686) X-Accept-Language: en MIME-Version: 1.0 To: Marc Mutz CC: Robert Varga , linux-crypto@nl.linux.org Subject: Re: problems with kerneli patch? References: <20010325235157.A29347@hq.alert.sk> <3ABF4B0F.4995EAAD@uni-bielefeld.de> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-linux-crypto@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;linux-crypto-list Marc Mutz wrote: > > Robert Varga wrote: > > > > > Could somebody summarize the known problems and wether they are being worked > > on? If not, I could take a look at them. > > > Do you mean conceptional or implementation-dependent? > > For the first, a starting point would be - of course - Applied > Cryptography by B. Schneier. There is quite an extensive references > section there, but the book is now more than six years old. > > For the second, here's a list of bug/inconvenients for the linux > loopback device crypto and the cryptoapi, as far as i know and recall > them: > > - 2G limit in the loopback device > (2.2+2.4, axboe maybe has a patch for 2.4?) > - deadlocks in the loopback device > (2.4, axboe has a patch) > - blowfish (and other ciphers) have endian-issues (2.2+2.4) > This is mostly because > a. no-one has really defined what the ciphers should > return and accept (cryptoapi) > b. the authors of ciphers often did not pay attention > themselves > c. no-one has tested the ciphers (due to a.) > - blowfish (and others) have a problem with demand-module > loading (2.2.18.4pre+2.4) > > For the third point: Alex, Gisle, should we define the input and output > of *_{en,de}crypt functions to expect/provide an octet stream? Then all > endian issues (except bit-endianess, which is a non-issue on platforms > Linux runs on) go away. One then has to check (like Brian Gladman did in > his paper on the subject he submitted to the AES comments last year) the > papers and check the implementations in the kernel against that. > > Additions to this list are welcome. There is no 2G loopback limit on Andrea Arcangeli's kernel 2.2.18aa2. See below. The TripleDES cipher stuff is my own (no international crypto patch applied), but it makes no difference in my opinion. ace486:/root/tt7 # dd if=/dev/zero of=zz1 bs=1024 count=6291456 6291456+0 records in 6291456+0 records out ace486:/root/tt7 # ls -l total 6297612 -rw-r--r-- 1 root root 6442450944 Mar 27 09:07 zz1 ace486:/root/tt7 # losetup -e TripleDES /dev/loop3 zz1 Password: ace486:/root/tt7 # mkfs -t ext2 /dev/loop3 mke2fs 1.18, 11-Nov-1999 for EXT2 FS 0.5b, 95/08/09 Filesystem label= OS type: Linux Block size=4096 (log=2) Fragment size=4096 (log=2) 786432 inodes, 1572864 blocks 78643 blocks (5.00%) reserved for the super user First data block=0 48 block groups 32768 blocks per group, 32768 fragments per group 16384 inodes per group Superblock backups stored on blocks: 32768, 98304, 163840, 229376, 294912, 819200, 884736 Writing inode tables: done Writing superblocks and filesystem accounting information: done ace486:/root/tt7 # mount -t ext2 /dev/loop3 /mnt2 ace486:/root/tt7 # ls -l ../big1 -rw-r--r-- 1 root root 1385140224 Mar 25 19:58 ../big1 ace486:/root/tt7 # df /mnt2 Filesystem 1k-blocks Used Available Use% Mounted on /dev/loop3 6192704 20 5878112 0% /mnt2 ace486:/root/tt7 # cat ../big1 ../big1 ../big1 ../big1 >/mnt2/zz2 ace486:/root/tt7 # ls -l /mnt2 total 5416016 drwxr-xr-x 2 root root 16384 Mar 27 09:09 lost+found -rw-r--r-- 1 root root 5540560896 Mar 27 10:19 zz2 ace486:/root/tt7 # umount /mnt2 ace486:/root/tt7 # losetup -d /dev/loop3 ace486:/root/tt7 # losetup -e TripleDES /dev/loop2 zz1 Password: ace486:/root/tt7 # mount -t ext2 /dev/loop2 /mnt2 ace486:/root/tt7 # ls -l /mnt2 total 5416016 drwxr-xr-x 2 root root 16384 Mar 27 09:09 lost+found -rw-r--r-- 1 root root 5540560896 Mar 27 10:19 zz2 ace486:/root/tt7 # cat /mnt2/zz2 | md5sum 2c5cc22dd03c527fe1e8136d0fa0bd89 ace486:/root/tt7 # cat ../big1 ../big1 ../big1 ../big1 | md5sum 2c5cc22dd03c527fe1e8136d0fa0bd89 ace486:/root/tt7 # df /mnt2 Filesystem 1k-blocks Used Available Use% Mounted on /dev/loop2 6192704 5416020 462112 92% /mnt2 ace486:/root/tt7 # uname -a Linux ace486 2.2.18aa2 #1 Fri Feb 9 21:13:56 EET 2001 i686 unknown Regards, Jari Ruusu Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ From owner-linux-crypto@nl.linux.org Fri Mar 30 17:18:34 2001 Received: by humbolt.nl.linux.org id ; Fri, 30 Mar 2001 17:17:52 +0200 Received: from [194.46.8.33] ([194.46.8.33]:15888 "EHLO angusbay.vnl.com") by humbolt.nl.linux.org with ESMTP id ; Fri, 30 Mar 2001 17:17:39 +0200 Received: from amon by angusbay.vnl.com with local (Exim 3.22 #1) id 14j0fe-0002f4-00 (Debian); Fri, 30 Mar 2001 16:18:38 +0100 Date: Fri, 30 Mar 2001 16:18:37 +0100 From: Dale Amon To: Gisle S{lensminde Cc: linux-crypto@nl.linux.org Subject: Re: problems with 2.4.0 kernal and int patch Message-ID: <20010330161837.D16687@vnl.com> References: <20010323203951.W16687@vnl.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.15i In-Reply-To: ; from gisle@ii.uib.no on Sun, Mar 25, 2001 at 09:35:13PM +0200 X-Operating-System: Linux, the choice of a GNU generation Sender: owner-linux-crypto@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;linux-crypto-list On Sun, Mar 25, 2001 at 09:35:13PM +0200, Gisle S{lensminde wrote: > mount DVD images on harddisk. I think Jens Axboe is working on the > problem, and have a patch for it. (But I as far as I know he don't > subscribe to this list) > > http://www.kernel.org/pub/linux/kernel/people/axboe/patches/ > I presume you mean the loop7 patch against 2.4.3pre1? -- ------------------------------------------------------ Use Linux: A computer Dale Amon, CEO/MD is a terrible thing Village Networking Ltd to waste. Belfast, Northern Ireland ------------------------------------------------------ Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/ From owner-linux-crypto@nl.linux.org Sat Mar 31 19:13:41 2001 Received: by humbolt.nl.linux.org id ; Sat, 31 Mar 2001 19:12:48 +0200 Received: from cm.med.3284844210.kabelnet.net ([195.202.190.178]:40461 "EHLO phobos.hvrlab.org") by humbolt.nl.linux.org with ESMTP id ; Sat, 31 Mar 2001 19:12:20 +0200 Received: from janus.txd.hvrlab.org (IDENT:hvr@janus.txd.hvrlab.org [10.51.1.5]) by phobos.hvrlab.org (8.9.3/8.9.3) with ESMTP id TAA09941 for ; Sat, 31 Mar 2001 19:12:10 +0200 Date: Sat, 31 Mar 2001 19:12:10 +0200 Message-Id: <200103311712.TAA09941@phobos.hvrlab.org> From: Herbert Valerio Riedel To: linux-crypto@nl.linux.org Subject: ...unofficial 2.4.3 int patch... Mime-Version: 1.0 (generated by tm-edit 1.7) Content-Type: text/plain; charset=US-ASCII Sender: owner-linux-crypto@nl.linux.org Precedence: bulk Return-Path: X-Orcpt: rfc822;linux-crypto-list hello, ...since I was quite bored, I've put up a patch, which should apply cleanly to the 2.4.3final linux kernel source... ..this patch also contains Christoph's cleanups that went over this list some time ago.... I've tried to fix the blowfish cipher bug, by checking if the keysize is among the supported ones exported through /proc/crypto/blowfish* I haven't been able to test compatibility with old encrypted images, since this is the first 2.4. kernel which seems to have fixed that nasty loopback deadlock thingy... http://www.hvrlab.org/pub/crypto/patch-2.4.3int-0.gz -- Herbert Valerio Riedel / Finger hvr@gnu.org for GnuPG Public Key GnuPG Key Fingerprint: AC2A CD57 A5C8 A1CB 0A18 DA95 CB0B DB23 60B6 16F5 Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/