pool/cryptsetup
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 145274 from home:lnussel:branches:security

Browse Source 
ATTENTION: wait for cryptsetup-mkinitrd before checkin, otherwise installation
with root on crypto no longer boot

- version 1.5.1:
  * Added keyslot checker
  * Add crypt_keyslot_area() API call.
  * Optimize seek to keyfile-offset (Issue #135, thx to dreisner).
  * Fix luksHeaderBackup for very old v1.0 unaligned LUKS headers.
  * Allocate loop device late (only when real block device needed).
  * Rework underlying device/file access functions.
  * Create hash image if doesn't exist in veritysetup format.
  * Provide better error message if running as non-root user (device-mapper, loop).
- split off hashalot and boot.crypto
- move to /usr

OBS-URL: https://build.opensuse.org/request/show/145274
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=97
This commit is contained in:
Ludwig Nussel 2012-12-13 13:06:34 +00:00 committed by Git OBS Bridge
parent 7a1b87dbd3
commit 2469c1380b
16 changed files with 54 additions and 547 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
boot.crypto-0_201206151440.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:798e4ac415ebe1e4415e1b77b955b72c376dfc3d0fd7fc414f886f896da6393d
size 17582

35
bug-476290_hashalot-hashlen.diff
View File

@ -1,35 +0,0 @@
Index: hashalot-0.3/hashalot.c
===================================================================
--- hashalot-0.3.orig/hashalot.c
+++ hashalot-0.3/hashalot.c
@@ -34,6 +34,7 @@
#include "sha512.h"
#define PASSWDBUFFLEN 130
+#define MAXHASHLEN (ULONG_MAX/2 - 2)
typedef int (*phash_func_t)(char dest[], size_t dest_len, const char src[], size_t src_len);
@@ -182,8 +183,7 @@ static void *
xmalloc (size_t size) {
void *p;
- if (size == 0)
- return NULL;
+ assert(size != 0);
p = malloc(size);
if (p == NULL) {
@@ -242,6 +242,12 @@ main(int argc, char *argv[])
show_usage(argv[0]);
exit(EXIT_FAILURE);
}
+ if (hashlen >= MAXHASHLEN) {
+ fprintf(stderr,
+ "please supply a value smaller than %lu for the -n option\n",
+ MAXHASHLEN);
+ exit(EXIT_FAILURE);
+ }
break;
case 's':
salt = optarg;

3
cryptsetup-1.5.0.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:407154c510a2401ecfaa1919588003964ba36121882f8d26125324805565f8d0
size 864500

17
cryptsetup-1.5.0.tar.bz2.asc
View File

@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAABAgAGBQJP/HM8AAoJENmwV3vZPpj8vP0P/Ava8T7fJGfvn1H+56RKG1lh
I8RGFRzQCXN4xpYoxPBfFYpbc5GoteFw/Pcb0BKddePBk4tHuHYPRwvS1ps8nyH/
ekb8P5fsrkHV6+o/j5s99oY8dkW/FFYx0YfVOER63DpU7WWRK7md0smsQpaCUFKV
9pv3jvh/1AMDmvs5wgxV0BWKXih/COUoGlG1AJU9V6PlKol6wxOYzXw2t6LqU3Zg
9gHjlSPUuorabKnfkkcG+Gy7yT2Y8d+EnVdc1H+ihHLH27hmcSGMf/csm+tCCuJ5
To/jXFB642BObohLGmE9bPhRp9Pj2bi59M6lPKRYQ2ncowewkqIZ2s4SJ8r5stn5
W0UhXgkGLjQd4xti8/etpebnDPzMdSRg5LuLSxOTf/bjWI1jH63+4AfYoF+mx/N9
kT6EKiIR216TBdffv1i28HbG4pQIsGhlx0JkQnAUqklHDNWf7fSMGEuadYYNngcD
cBCPmD3R0JXM6qf6RasdCGlHUnR3DZKUzLGqqkq8/r7SvyxqRbIoerBrNxwcHUbh
emzfHS09ysx33RhEenFfZNH4lL6PEPnlrg2q8DfUj/NoUkiw9qfTM4cRIBabgoi9
uc2Qt/jK+QvE1clxBE4XmepZZH+e2Pdy52JrnI1ckA+FvY44GwBVE1hfxyyXFc+J
3V84y23640r2RvRoq2ff
=67gq
-----END PGP SIGNATURE-----

3
cryptsetup-1.5.1.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:16d23f78cab35937281a0ae7a8febce0c3a1a0f291cc94e169a7b968b81d2b36
size 958979

17
cryptsetup-1.5.1.tar.bz2.asc Normal file
View File

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAABAgAGBQJQfb41AAoJENmwV3vZPpj8nv4QAJAGr5zYVzCnuBS3j6AKWwIo
JUcoxRnNPNSuw+qIk3oVhsEfCZKZrhPbVKN4l058r9UVrKfCjH/BpemkEkvPpJXe
I7xm6H+PI9nSx43h69Y+aW9LVD4y4F5WpBrlzCcYbJbKiDYmobXciaU+c81AuJFe
s682e0oDp691oiUHtuXD70ivhqi7hkUgm5ftLSDNJ8K2i4V60AsQ6CCHNc7HobJo
jEnzwwsSXhyad8SCiyWhfyCadHcDfMrlQHcbCOl5DnFRM5hJz7fOedXz2D6jpGhA
MLQHVEE7ANDCz2RvrX7Bh9BTfGydQfDlelD+gDqVmdrOcy0x9EDQ6Ux3ITroms65
wLfX5yWA7yaqWUGpoeQhQ0w5Pnsy7SnDxXXRK+yg90QRkJYrS7idrwXHQSPhkaFS
LSgxnEMEYnyEy6g25nFSEx+gRqkdnXioXpe2ULr4DgZwRcjTeLyQ8aeVu0a/9JWw
amTLEgq77R5uk10Eco5dlI0bjb/bkSvT/9IrvKSWiPnE3XkaX6isK5F0EmLhnZDj
uotYrZ0MBHfaqFP/qiqbMQ1kb0AFdhzYyEJ63gGd0gRNcdM/GYxvKOADii9WDOT2
MSX2KZOnaTxFBUsatgGcedJgcQL3QumHUfPzE2qOkzt5KCthbV5Oe9tyvGoy/UVh
/TQwxHvPZVH/lpaJsGtx
=VyhW
-----END PGP SIGNATURE-----

8
cryptsetup-mktar
View File

@ -1,8 +0,0 @@
#!/bin/sh
# repo is at http://cryptsetup.googlecode.com/svn/trunk
set -e -x
SVN_VERSION="1.0.7_SVNr`svnversion .`"
rm -rf cryptsetup-${SVN_VERSION}
svn export . cryptsetup-${SVN_VERSION}
tar --owner=root --group=root --force-local -cjf cryptsetup-${SVN_VERSION}.tar.bz2 cryptsetup-${SVN_VERSION}
rm -rf cryptsetup-${SVN_VERSION}

19
cryptsetup.changes
View File

@ -1,3 +1,22 @@
-------------------------------------------------------------------
Thu Dec 13 10:46:43 UTC 2012 - lnussel@suse.de
- version 1.5.1:
* Added keyslot checker
* Add crypt_keyslot_area() API call.
* Optimize seek to keyfile-offset (Issue #135, thx to dreisner).
* Fix luksHeaderBackup for very old v1.0 unaligned LUKS headers.
* Allocate loop device late (only when real block device needed).
* Rework underlying device/file access functions.
* Create hash image if doesn't exist in veritysetup format.
* Provide better error message if running as non-root user (device-mapper, loop).
-------------------------------------------------------------------
Wed Dec 12 16:00:29 UTC 2012 - lnussel@suse.de
- split off hashalot and boot.crypto
- move to /usr
-------------------------------------------------------------------
Tue Nov 20 18:41:11 CET 2012 - sbrabec@suse.cz

120
cryptsetup.spec
View File

@ -29,11 +29,7 @@ BuildRequires: libselinux-devel
BuildRequires: libtool
BuildRequires: pkgconfig
BuildRequires: popt-devel
# hashalot version
%define haver 0.3
# boot.crypto version
%define bcver 0_201206151440
Version: 1.5.0
Version: 1.5.1
Release: 0
#Release: %{?beta:0.}<CI_CNT>.<B_CNT>%{?beta:.}%{?beta}
Summary: Set Up dm-crypt Based Encrypted Block Devices
@ -43,26 +39,7 @@ Source: http://cryptsetup.googlecode.com/files/cryptsetup-%{ver}.tar.bz2
Source1: http://cryptsetup.googlecode.com/files/cryptsetup-%{ver}.tar.bz2.asc
Source2: baselibs.conf
Source3: %{name}.keyring
Source10: hashalot-%haver.tar.bz2
# git://gitorious.org/opensuse/boot_crypto.git
Source20: boot.crypto-%{bcver}.tar.bz2
# use this to create the tarball from svn
Source99: cryptsetup-mktar
#Patch0: cryptsetup-svn131-noascii.diff
Patch10: hashalot-fixes.diff
Patch11: hashalot-libgcrypt.diff
Patch12: hashalot-ctrl-d.diff
Patch13: hashalot-timeout.diff
Patch14: hashalot-manpage.diff
Patch15: bug-476290_hashalot-hashlen.diff
Patch16: hashalot-glibc210.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Provides: aaa_base:/etc/init.d/boot.crypto
Obsoletes: util-linux-crypto <= 2.12r
# we need losetup
Requires: util-linux
PreReq: %fillup_prereq %insserv_prereq
PreReq: coreutils diffutils
%description
cryptsetup is used to conveniently set up dm-crypt based device-mapper
@ -104,20 +81,7 @@ time via the config file /etc/crypttab.
%prep
%gpg_verify %{S:1}
%setup -n %name-%ver -q -b 10 -b 20
#patch0 -p1
pushd ../hashalot-%haver
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
popd
pushd ../boot.crypto-%bcver
#patch20 -p1
popd
%setup -n %name-%ver -q
%build
# cryptsetup build
@ -125,61 +89,24 @@ popd
autoreconf -f -i
test -e po/Makevars || cp po/Makevars.template po/Makevars
%configure \
--libdir=/%_lib \
--bindir=/sbin --sbindir=/sbin \
--disable-static --enable-shared \
--enable-cryptsetup-reencrypt \
--enable-selinux
--disable-static --enable-shared \
--enable-cryptsetup-reencrypt \
--enable-selinux
make %{?_smp_mflags}
#
# hashalot build
pushd ../hashalot-%haver
autoreconf -f -i
%{?suse_update_config:%{suse_update_config}}
%configure --sbindir=/sbin
make %{?_smp_mflags}
popd
%install
make install DESTDIR=$RPM_BUILD_ROOT
# move devel stuff to %%{libdir}
rm -f $RPM_BUILD_ROOT/%{_lib}/libcryptsetup.so
mkdir -p $RPM_BUILD_ROOT%{_libdir}
ln -s /%{_lib}/libcryptsetup.so.4 $RPM_BUILD_ROOT%{_libdir}/libcryptsetup.so
mv $RPM_BUILD_ROOT/%_lib/pkgconfig $RPM_BUILD_ROOT/%_libdir
install -d -m 755 $RPM_BUILD_ROOT/sbin
ln -s ..%{_sbindir}/cryptsetup $RPM_BUILD_ROOT/sbin
# don't want this file in /lib (FHS compat check), and can't move it to /usr/lib
rm -f $RPM_BUILD_ROOT/%_lib/*.la
#
# hashalot install
pushd ../hashalot-%haver
make install DESTDIR=$RPM_BUILD_ROOT
popd
# remove unwanted symlinks
rm -f $RPM_BUILD_ROOT/sbin/{rmd160,sha256,sha384,sha512}
#
# boot.crypto
make -C ../boot.crypto-* install DESTDIR=$RPM_BUILD_ROOT
ln -s /etc/init.d/boot.crypto $RPM_BUILD_ROOT/sbin/rccrypto
rm -f $RPM_BUILD_ROOT/%_libdir/*.la
#
%find_lang %name --all-name
# systemd is now providing cryptsetup manpage
rm -f $RPM_BUILD_ROOT%_mandir/man5/crypttab.5*
%pre
# hack to catch update case from aaa_base/util-linux-crypto
if [ -f /etc/init.d/boot.d/S??boot.crypto ]; then
touch /var/run/cryptsetup.boot.crypto.enabled
fi
%post
[ -x /sbin/mkinitrd_setup ] && mkinitrd_setup
%{fillup_and_insserv boot.crypto}
if [ -e /var/run/cryptsetup.boot.crypto.enabled ]; then
rm -f /var/run/cryptsetup.boot.crypto.enabled
%{fillup_and_insserv -fY boot.crypto}
fi
%{fillup_and_insserv boot.crypto-early}
test -n "$FIRST_ARG" || FIRST_ARG="$1"
#
# convert noauto to nofail and turn on fsck (bnc#724113)
#
@ -198,42 +125,25 @@ if [ "$FIRST_ARG" -gt 1 -a ! -e "$marker" ]; then
fi
fi
%postun
[ -x /sbin/mkinitrd_setup ] && mkinitrd_setup
%{insserv_cleanup}
%post -n libcryptsetup4 -p /sbin/ldconfig
%postun -n libcryptsetup4 -p /sbin/ldconfig
%files -f %name.lang
%defattr(-,root,root)
%ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/crypttab
%ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/cryptotab
/etc/init.d/boot.crypto
/etc/init.d/boot.crypto-early
%dir /lib/mkinitrd
%dir /lib/mkinitrd/scripts
/lib/mkinitrd/scripts/setup-luks.sh
/lib/mkinitrd/scripts/boot-luks.sh
/lib/mkinitrd/scripts/setup-luks2.sh
/lib/mkinitrd/scripts/setup-luks_final.sh
/usr/sbin/convert_cryptotab
#ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/crypttab
#ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/cryptotab
/sbin/cryptsetup
/sbin/veritysetup
/sbin/hashalot
/sbin/rccrypto
/sbin/cryptsetup-reencrypt
%_mandir/man1/hashalot.1.gz
%{_sbindir}/cryptsetup
%{_sbindir}/veritysetup
%{_sbindir}/cryptsetup-reencrypt
%_mandir/man8/cryptsetup.8.gz
%_mandir/man8/cryptsetup-reencrypt.8.gz
%_mandir/man8/veritysetup.8.gz
%_mandir/man5/cryptotab.5.gz
/lib/cryptsetup
%files -n libcryptsetup4
%defattr(-,root,root)
/%_lib/libcryptsetup.so.4*
/%{_libdir}/libcryptsetup.so.4*
%files -n libcryptsetup-devel
%defattr(-,root,root)

3
hashalot-0.3.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5958c371ba2469150b19f4c3a66bb374a7b1e287df4d0bfeb5e7c480da15424d
size 68508

29
hashalot-ctrl-d.diff
View File

@ -1,29 +0,0 @@
exit unsuccessfully on empty passphrase if input is a tty
allows user to press ctrl-d to abort
Signed-off-by: Ludwig Nussel <ludwig.nussel@suse.de>
Index: hashalot-0.3/hashalot.c
===================================================================
--- hashalot-0.3.orig/hashalot.c
+++ hashalot-0.3/hashalot.c
@@ -135,10 +135,14 @@ phash_lookup(const char phash_name[], si
static char *
xgetpass(const char *prompt)
{
- if (isatty(STDIN_FILENO)) /* terminal */
- return getpass(prompt); /* FIXME getpass(3) obsolete */
- else { /* file descriptor */
- char *pass = NULL;
+ char *pass = NULL;
+ if (isatty(STDIN_FILENO)) { /* terminal */
+ pass = getpass(prompt); /* FIXME getpass(3) obsolete */
+ if(!pass || !*pass) {
+ exit(EXIT_FAILURE);
+ }
+ return pass;
+ } else { /* file descriptor */
int buflen, i;
buflen=0;

37
hashalot-fixes.diff
View File

@ -1,37 +0,0 @@
- print help text to stdout so it can be read via pager
- use proper length in phash_rmd160()
Signed-off-by: Ludwig Nussel <ludwig.nussel@suse.de>
Index: hashalot-0.3/hashalot.c
===================================================================
--- hashalot-0.3/hashalot.c.orig
+++ hashalot-0.3/hashalot.c
@@ -42,7 +42,7 @@ phash_rmd160(char dest[], size_t dest_le
tmp[PASSWDBUFFLEN - 1] = '\0';
rmd160_hash_buffer(key, src, src_len);
- rmd160_hash_buffer(key + RMD160_HASH_SIZE, tmp, src_len + 1 /* dangerous! */);
+ rmd160_hash_buffer(key + RMD160_HASH_SIZE, tmp, strlen(tmp));
memcpy(dest, key, dest_len);
@@ -95,7 +95,7 @@ show_usage(const char argv0[])
{
struct func_table_t *p = func_table;
- fprintf (stderr,
+ fprintf (stdout,
"usage:\n"
" hashalot [ -x ] [ -s SALT ] [ -n _#bytes_ ] HASHTYPE\n"
" or\n"
@@ -106,7 +106,8 @@ show_usage(const char argv0[])
for (; p->name; ++p)
fprintf (stderr, "%s ", p->name);
- fprintf (stderr, "\n");
+
+ fprintf (stdout, "\n");
return 1;
}

25
hashalot-glibc210.diff
View File

@ -1,25 +0,0 @@
Index: hashalot-0.3/hashalot.c
===================================================================
--- hashalot-0.3.orig/hashalot.c
+++ hashalot-0.3/hashalot.c
@@ -22,6 +22,7 @@
#include <unistd.h>
#include <assert.h>
#include <signal.h>
+#include <limits.h>
#include <sys/types.h>
#include <sys/mman.h>
Index: hashalot-0.3/Makefile.am
===================================================================
--- hashalot-0.3.orig/Makefile.am
+++ hashalot-0.3/Makefile.am
@@ -4,7 +4,7 @@ sbin_PROGRAMS = hashalot
man_MANS = hashalot.1
hashalot_CFLAGS = $(LIBGCRYPT_CFLAGS)
-hashalot_LDFLAGS = $(LIBGCRYPT_LIBS)
+hashalot_LDADD = $(LIBGCRYPT_LIBS)
hashalot_SOURCES = hashalot.c rmd160.c rmd160.h sha512.c sha512.h

156
hashalot-libgcrypt.diff
View File

@ -1,156 +0,0 @@
add support for -C (itercountk) option of loop-AES if libgcrypt is available
Signed-off-by: Ludwig Nussel <ludwig.nussel@suse.de>
Index: hashalot-0.3/Makefile.am
===================================================================
--- hashalot-0.3/Makefile.am.orig
+++ hashalot-0.3/Makefile.am
@@ -3,6 +3,9 @@ sbin_PROGRAMS = hashalot
man_MANS = hashalot.1
+hashalot_CFLAGS = $(LIBGCRYPT_CFLAGS)
+hashalot_LDFLAGS = $(LIBGCRYPT_LIBS)
+
hashalot_SOURCES = hashalot.c rmd160.c rmd160.h sha512.c sha512.h
install-exec-hook:
Index: hashalot-0.3/configure.ac
===================================================================
--- hashalot-0.3/configure.ac.orig
+++ hashalot-0.3/configure.ac
@@ -8,5 +8,6 @@ AC_PROG_LN_S
AC_HEADER_STDC
AC_CHECK_HEADERS(libgen.h stdio.h stdlib.h string.h unistd.h assert.h sys/types.h sys/mman.h endian.h , , [ AC_MSG_ERROR(required header not found)])
AC_CHECK_FUNCS(getopt snprintf , , [ AC_MSG_ERROR(required function not found)])
+AM_PATH_LIBGCRYPT(,[AC_DEFINE([HAVE_LIBGCRYPT], 1)])
AC_OUTPUT(Makefile)
Index: hashalot-0.3/hashalot.c
===================================================================
--- hashalot-0.3/hashalot.c.orig
+++ hashalot-0.3/hashalot.c
@@ -25,6 +25,10 @@
#include <sys/types.h>
#include <sys/mman.h>
+#if HAVE_LIBGCRYPT
+#include <gcrypt.h>
+#endif
+
#include "rmd160.h"
#include "sha512.h"
@@ -97,9 +101,9 @@ show_usage(const char argv0[])
fprintf (stdout,
"usage:\n"
- " hashalot [ -x ] [ -s SALT ] [ -n _#bytes_ ] HASHTYPE\n"
+ " hashalot [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ] HASHTYPE\n"
" or\n"
- " HASHTYPE [ -x ] [ -s SALT ] [ -n _#bytes_ ]\n"
+ " HASHTYPE [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ]\n"
"\n"
"supported values for HASHTYPE: ");
@@ -214,8 +218,9 @@ main(int argc, char *argv[])
size_t hashlen = 0;
phash_func_t func;
int hex_output = 0, c;
+ unsigned long itercountk = 0;
- while ((c = getopt(argc, argv, "n:s:x")) != -1) {
+ while ((c = getopt(argc, argv, "n:s:xC:")) != -1) {
switch (c) {
case 'n':
hashlen = strtoul(optarg, &p, 0);
@@ -233,6 +238,9 @@ main(int argc, char *argv[])
case 'x':
hex_output++;
break;
+ case 'C':
+ itercountk = atoi(optarg);
+ break;
default:
show_usage(argv[0]);
exit(EXIT_FAILURE);
@@ -257,6 +265,8 @@ main(int argc, char *argv[])
* plus a newline, plus a null */
passhash = xmalloc(2*hashlen + 2);
+ memset(passhash, 0, 2*hashlen+2);
+
/* try to lock memory so it doesn't get swapped out for sure */
if (mlockall(MCL_CURRENT | MCL_FUTURE) == -1) {
perror("mlockall");
@@ -268,6 +278,69 @@ main(int argc, char *argv[])
if (salt)
pass = salt_passphrase(pass, salt);
hashlen = func(passhash, hashlen, pass, strlen(pass));
+
+ if(itercountk) /* from loop-AES */
+ {
+#if HAVE_LIBGCRYPT
+ gcry_cipher_hd_t ctx;
+ gcry_error_t err;
+ char tmp[32];
+ char out[32];
+
+ if(hashlen > 32) {
+ fprintf(stderr, "WARNING: hashlen truncated to 32\n");
+ hashlen = 32;
+ }
+
+ if(!gcry_check_version("1.1.0")) {
+ fprintf(stderr, "libgcrypt initialization failed\n");
+ exit(EXIT_FAILURE);
+ }
+
+ memset(out, 0, sizeof(out));
+ memcpy(out, passhash, hashlen);
+
+ err = gcry_cipher_open(&ctx, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CBC, 0);
+ if(err)
+ {
+ fprintf(stderr, "can't initialize AES: %s\n", gcry_strerror (err));
+ exit(EXIT_FAILURE);
+ }
+
+ /*
+ * Set up AES-256 encryption key using same password and hash function
+ * as before but with password bit 0 flipped before hashing. That key
+ * is then used to encrypt actual loop key 'itercountk' thousand times.
+ */
+ pass[0] ^= 1;
+ func(&tmp[0], 32, pass, strlen(pass));
+ gcry_cipher_setkey(ctx, &tmp[0], 32);
+ itercountk *= 1000;
+ while(itercountk > 0) {
+ gcry_cipher_reset(ctx);
+ gcry_cipher_setiv(ctx, NULL, 0);
+ /* encrypt both 128bit blocks with AES-256 */
+ gcry_cipher_encrypt(ctx, &out[ 0], 16, &out[ 0], 16);
+ gcry_cipher_reset(ctx);
+ gcry_cipher_setiv(ctx, NULL, 0);
+ gcry_cipher_encrypt(ctx, &out[16], 16, &out[16], 16);
+ /* exchange upper half of first block with lower half of second block */
+ memcpy(&tmp[0], &out[8], 8);
+ memcpy(&out[8], &out[16], 8);
+ memcpy(&out[16], &tmp[0], 8);
+ itercountk--;
+ }
+ memset(&tmp[0], 0, sizeof(tmp));
+
+ memcpy(passhash, out, hashlen);
+
+ gcry_cipher_close(ctx);
+#else
+ fprintf(stderr, "libgcrypt support is required for option -C\n");
+ exit(EXIT_FAILURE);
+#endif
+
+ }
memset (pass, 0, strlen (pass)); /* paranoia */
free(pass);

39
hashalot-manpage.diff
View File

@ -1,39 +0,0 @@
document -C and -t options in manpage
Signed-off-by: Ludwig Nussel <ludwig.nussel@suse.de>
Index: hashalot-0.3/hashalot.1
===================================================================
--- hashalot-0.3/hashalot.1.orig
+++ hashalot-0.3/hashalot.1
@@ -2,9 +2,9 @@
.SH NAME
hashalot \- read a passphrase and print a hash
.SH SYNOPSIS
-.B hashalot [ \-s SALT ] [ \-x ] [ \-n #BYTES ] HASHTYPE
+.B hashalot [ \-t secs ] [ \-s SALT ] [ \-x ] [ \-n #BYTES ] [ \-C itercountk ] HASHTYPE
.br
-.B HASHTYPE [ \-s SALT ] [ \-x ] [ \-n #BYTES ]
+.B HASHTYPE [ \-t secs ] [ \-s SALT ] [ \-x ] [ \-n #BYTES ] [ \-C itercountk ]
.SH DESCRIPTION
.PP
\fIhashalot\fP is a small tool that reads a passphrase from standard
@@ -36,6 +36,18 @@ option can be used to limit (or increase
default is as appropriate for the specified hash algorithm: 20 bytes for
RIPEMD160, 32 bytes for SHA256, etc. The default for the "rmd160compat"
hash is 16 bytes, for compatibility with the old kerneli.org utilities.
+.PP
+The
+.B \-t
+option specifies a timeout for reading the passphrase from the terminal.
+.PP
+The
+.B \-C
+option specifies that the hashed password has to be encrypted
+itercountk thousand times using AES-256. Use for compatability with
+loop-AES.
+.PP
+The options \-t and \-C are currently SUSE specific
.SH AUTHOR
Ben Slusky <sluskyb@paranoiacs.org>
.PP

87
hashalot-timeout.diff
View File

@ -1,87 +0,0 @@
add timeout option -t
Signed-off-by: Ludwig Nussel <ludwig.nussel@suse.de>
Index: hashalot-0.3/hashalot.c
===================================================================
--- hashalot-0.3.orig/hashalot.c
+++ hashalot-0.3/hashalot.c
@@ -21,6 +21,7 @@
#include <string.h>
#include <unistd.h>
#include <assert.h>
+#include <signal.h>
#include <sys/types.h>
#include <sys/mman.h>
@@ -36,6 +37,12 @@
typedef int (*phash_func_t)(char dest[], size_t dest_len, const char src[], size_t src_len);
+static int got_timeout;
+void alrm_handler(int num)
+{
+ got_timeout = 1;
+}
+
static int
phash_rmd160(char dest[], size_t dest_len, const char src[], size_t src_len)
{
@@ -101,9 +108,9 @@ show_usage(const char argv0[])
fprintf (stdout,
"usage:\n"
- " hashalot [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ] HASHTYPE\n"
+ " hashalot [ -t secs ] [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ] HASHTYPE\n"
" or\n"
- " HASHTYPE [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ]\n"
+ " HASHTYPE [ -t secs ] [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ]\n"
"\n"
"supported values for HASHTYPE: ");
@@ -222,8 +229,9 @@ main(int argc, char *argv[])
phash_func_t func;
int hex_output = 0, c;
unsigned long itercountk = 0;
+ unsigned timeout = 0;
- while ((c = getopt(argc, argv, "n:s:xC:")) != -1) {
+ while ((c = getopt(argc, argv, "n:s:xC:t:")) != -1) {
switch (c) {
case 'n':
hashlen = strtoul(optarg, &p, 0);
@@ -238,6 +246,9 @@ main(int argc, char *argv[])
case 's':
salt = optarg;
break;
+ case 't':
+ timeout = atoi(optarg);
+ break;
case 'x':
hex_output++;
break;
@@ -276,8 +287,24 @@ main(int argc, char *argv[])
fputs("Warning: couldn't lock memory, are you root?\n", stderr);
}
+ if(timeout) {
+ struct sigaction sa;
+ sa.sa_handler = alrm_handler;
+ sigemptyset (&sa.sa_mask);
+ sa.sa_flags = 0;
+ sigaction(SIGALRM, &sa, NULL);
+ alarm(timeout);
+ }
+
/* here we acquire the precious passphrase... */
pass = xgetpass("Enter passphrase: ");
+ if(got_timeout) {
+ exit(EXIT_FAILURE);
+ }
+ if(timeout) {
+ alarm(0);
+ }
+
if (salt)
pass = salt_passphrase(pass, salt);
hashlen = func(passhash, hashlen, pass, strlen(pass));