Accepting request 145274 from home:lnussel:branches:security
ATTENTION: wait for cryptsetup-mkinitrd before checkin, otherwise installations with root on crypto will no longer boot - version 1.5.1: * Added keyslot checker * Add crypt_keyslot_area() API call. * Optimize seek to keyfile-offset (Issue #135, thx to dreisner). * Fix luksHeaderBackup for very old v1.0 unaligned LUKS headers. * Allocate loop device late (only when real block device needed). * Rework underlying device/file access functions. * Create hash image if doesn't exist in veritysetup format. * Provide better error message if running as non-root user (device-mapper, loop). - split off hashalot and boot.crypto - move to /usr OBS-URL: https://build.opensuse.org/request/show/145274 OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=97
parent
7a1b87dbd3
commit
2469c1380b
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:798e4ac415ebe1e4415e1b77b955b72c376dfc3d0fd7fc414f886f896da6393d
|
||||
size 17582
|
@ -1,35 +0,0 @@
|
||||
Index: hashalot-0.3/hashalot.c
|
||||
===================================================================
|
||||
--- hashalot-0.3.orig/hashalot.c
|
||||
+++ hashalot-0.3/hashalot.c
|
||||
@@ -34,6 +34,7 @@
|
||||
#include "sha512.h"
|
||||
|
||||
#define PASSWDBUFFLEN 130
|
||||
+#define MAXHASHLEN (ULONG_MAX/2 - 2)
|
||||
|
||||
typedef int (*phash_func_t)(char dest[], size_t dest_len, const char src[], size_t src_len);
|
||||
|
||||
@@ -182,8 +183,7 @@ static void *
|
||||
xmalloc (size_t size) {
|
||||
void *p;
|
||||
|
||||
- if (size == 0)
|
||||
- return NULL;
|
||||
+ assert(size != 0);
|
||||
|
||||
p = malloc(size);
|
||||
if (p == NULL) {
|
||||
@@ -242,6 +242,12 @@ main(int argc, char *argv[])
|
||||
show_usage(argv[0]);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
+ if (hashlen >= MAXHASHLEN) {
|
||||
+ fprintf(stderr,
|
||||
+ "please supply a value smaller than %lu for the -n option\n",
|
||||
+ MAXHASHLEN);
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
break;
|
||||
case 's':
|
||||
salt = optarg;
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:407154c510a2401ecfaa1919588003964ba36121882f8d26125324805565f8d0
|
||||
size 864500
|
@ -1,17 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1.4.12 (GNU/Linux)
|
||||
|
||||
iQIcBAABAgAGBQJP/HM8AAoJENmwV3vZPpj8vP0P/Ava8T7fJGfvn1H+56RKG1lh
|
||||
I8RGFRzQCXN4xpYoxPBfFYpbc5GoteFw/Pcb0BKddePBk4tHuHYPRwvS1ps8nyH/
|
||||
ekb8P5fsrkHV6+o/j5s99oY8dkW/FFYx0YfVOER63DpU7WWRK7md0smsQpaCUFKV
|
||||
9pv3jvh/1AMDmvs5wgxV0BWKXih/COUoGlG1AJU9V6PlKol6wxOYzXw2t6LqU3Zg
|
||||
9gHjlSPUuorabKnfkkcG+Gy7yT2Y8d+EnVdc1H+ihHLH27hmcSGMf/csm+tCCuJ5
|
||||
To/jXFB642BObohLGmE9bPhRp9Pj2bi59M6lPKRYQ2ncowewkqIZ2s4SJ8r5stn5
|
||||
W0UhXgkGLjQd4xti8/etpebnDPzMdSRg5LuLSxOTf/bjWI1jH63+4AfYoF+mx/N9
|
||||
kT6EKiIR216TBdffv1i28HbG4pQIsGhlx0JkQnAUqklHDNWf7fSMGEuadYYNngcD
|
||||
cBCPmD3R0JXM6qf6RasdCGlHUnR3DZKUzLGqqkq8/r7SvyxqRbIoerBrNxwcHUbh
|
||||
emzfHS09ysx33RhEenFfZNH4lL6PEPnlrg2q8DfUj/NoUkiw9qfTM4cRIBabgoi9
|
||||
uc2Qt/jK+QvE1clxBE4XmepZZH+e2Pdy52JrnI1ckA+FvY44GwBVE1hfxyyXFc+J
|
||||
3V84y23640r2RvRoq2ff
|
||||
=67gq
|
||||
-----END PGP SIGNATURE-----
|
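--- a/cryptsetup-1.5.1.tar.bz2
+++ b/cryptsetup-1.5.1.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:16d23f78cab35937281a0ae7a8febce0c3a1a0f291cc94e169a7b968b81d2b36
+size 958979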
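--- a/cryptsetup-1.5.1.tar.bz2.asc
+++ b/cryptsetup-1.5.1.tar.bz2.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.12 (GNU/Linux)
+
+iQIcBAABAgAGBQJQfb41AAoJENmwV3vZPpj8nv4QAJAGr5zYVzCnuBS3j6AKWwIo
+JUcoxRnNPNSuw+qIk3oVhsEfCZKZrhPbVKN4l058r9UVrKfCjH/BpemkEkvPpJXe
+I7xm6H+PI9nSx43h69Y+aW9LVD4y4F5WpBrlzCcYbJbKiDYmobXciaU+c81AuJFe
+s682e0oDp691oiUHtuXD70ivhqi7hkUgm5ftLSDNJ8K2i4V60AsQ6CCHNc7HobJo
+jEnzwwsSXhyad8SCiyWhfyCadHcDfMrlQHcbCOl5DnFRM5hJz7fOedXz2D6jpGhA
+MLQHVEE7ANDCz2RvrX7Bh9BTfGydQfDlelD+gDqVmdrOcy0x9EDQ6Ux3ITroms65
+wLfX5yWA7yaqWUGpoeQhQ0w5Pnsy7SnDxXXRK+yg90QRkJYrS7idrwXHQSPhkaFS
+LSgxnEMEYnyEy6g25nFSEx+gRqkdnXioXpe2ULr4DgZwRcjTeLyQ8aeVu0a/9JWw
+amTLEgq77R5uk10Eco5dlI0bjb/bkSvT/9IrvKSWiPnE3XkaX6isK5F0EmLhnZDj
+uotYrZ0MBHfaqFP/qiqbMQ1kb0AFdhzYyEJ63gGd0gRNcdM/GYxvKOADii9WDOT2
+MSX2KZOnaTxFBUsatgGcedJgcQL3QumHUfPzE2qOkzt5KCthbV5Oe9tyvGoy/UVh
+/TQwxHvPZVH/lpaJsGtx
+=VyhW
+-----END PGP SIGNATURE-----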
@ -1,8 +0,0 @@
|
||||
#!/bin/sh
|
||||
# repo is at http://cryptsetup.googlecode.com/svn/trunk
|
||||
set -e -x
|
||||
SVN_VERSION="1.0.7_SVNr`svnversion .`"
|
||||
rm -rf cryptsetup-${SVN_VERSION}
|
||||
svn export . cryptsetup-${SVN_VERSION}
|
||||
tar --owner=root --group=root --force-local -cjf cryptsetup-${SVN_VERSION}.tar.bz2 cryptsetup-${SVN_VERSION}
|
||||
rm -rf cryptsetup-${SVN_VERSION}
|
@ -1,3 +1,22 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Dec 13 10:46:43 UTC 2012 - lnussel@suse.de
|
||||
|
||||
- version 1.5.1:
|
||||
* Added keyslot checker
|
||||
* Add crypt_keyslot_area() API call.
|
||||
* Optimize seek to keyfile-offset (Issue #135, thx to dreisner).
|
||||
* Fix luksHeaderBackup for very old v1.0 unaligned LUKS headers.
|
||||
* Allocate loop device late (only when real block device needed).
|
||||
* Rework underlying device/file access functions.
|
||||
* Create hash image if doesn't exist in veritysetup format.
|
||||
* Provide better error message if running as non-root user (device-mapper, loop).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Dec 12 16:00:29 UTC 2012 - lnussel@suse.de
|
||||
|
||||
- split off hashalot and boot.crypto
|
||||
- move to /usr
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 20 18:41:11 CET 2012 - sbrabec@suse.cz
|
||||
|
||||
|
120
cryptsetup.spec
120
cryptsetup.spec
@ -29,11 +29,7 @@ BuildRequires: libselinux-devel
|
||||
BuildRequires: libtool
|
||||
BuildRequires: pkgconfig
|
||||
BuildRequires: popt-devel
|
||||
# hashalot version
|
||||
%define haver 0.3
|
||||
# boot.crypto version
|
||||
%define bcver 0_201206151440
|
||||
Version: 1.5.0
|
||||
Version: 1.5.1
|
||||
Release: 0
|
||||
#Release: %{?beta:0.}<CI_CNT>.<B_CNT>%{?beta:.}%{?beta}
|
||||
Summary: Set Up dm-crypt Based Encrypted Block Devices
|
||||
@ -43,26 +39,7 @@ Source: http://cryptsetup.googlecode.com/files/cryptsetup-%{ver}.tar.bz2
|
||||
Source1: http://cryptsetup.googlecode.com/files/cryptsetup-%{ver}.tar.bz2.asc
|
||||
Source2: baselibs.conf
|
||||
Source3: %{name}.keyring
|
||||
Source10: hashalot-%haver.tar.bz2
|
||||
# git://gitorious.org/opensuse/boot_crypto.git
|
||||
Source20: boot.crypto-%{bcver}.tar.bz2
|
||||
# use this to create the tarball from svn
|
||||
Source99: cryptsetup-mktar
|
||||
#Patch0: cryptsetup-svn131-noascii.diff
|
||||
Patch10: hashalot-fixes.diff
|
||||
Patch11: hashalot-libgcrypt.diff
|
||||
Patch12: hashalot-ctrl-d.diff
|
||||
Patch13: hashalot-timeout.diff
|
||||
Patch14: hashalot-manpage.diff
|
||||
Patch15: bug-476290_hashalot-hashlen.diff
|
||||
Patch16: hashalot-glibc210.diff
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
Provides: aaa_base:/etc/init.d/boot.crypto
|
||||
Obsoletes: util-linux-crypto <= 2.12r
|
||||
# we need losetup
|
||||
Requires: util-linux
|
||||
PreReq: %fillup_prereq %insserv_prereq
|
||||
PreReq: coreutils diffutils
|
||||
|
||||
%description
|
||||
cryptsetup is used to conveniently set up dm-crypt based device-mapper
|
||||
@ -104,20 +81,7 @@ time via the config file /etc/crypttab.
|
||||
|
||||
%prep
|
||||
%gpg_verify %{S:1}
|
||||
%setup -n %name-%ver -q -b 10 -b 20
|
||||
#patch0 -p1
|
||||
pushd ../hashalot-%haver
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
popd
|
||||
pushd ../boot.crypto-%bcver
|
||||
#patch20 -p1
|
||||
popd
|
||||
%setup -n %name-%ver -q
|
||||
|
||||
%build
|
||||
# cryptsetup build
|
||||
@ -125,61 +89,24 @@ popd
|
||||
autoreconf -f -i
|
||||
test -e po/Makevars || cp po/Makevars.template po/Makevars
|
||||
%configure \
|
||||
--libdir=/%_lib \
|
||||
--bindir=/sbin --sbindir=/sbin \
|
||||
--disable-static --enable-shared \
|
||||
--enable-cryptsetup-reencrypt \
|
||||
--enable-selinux
|
||||
--disable-static --enable-shared \
|
||||
--enable-cryptsetup-reencrypt \
|
||||
--enable-selinux
|
||||
make %{?_smp_mflags}
|
||||
#
|
||||
# hashalot build
|
||||
pushd ../hashalot-%haver
|
||||
autoreconf -f -i
|
||||
%{?suse_update_config:%{suse_update_config}}
|
||||
%configure --sbindir=/sbin
|
||||
make %{?_smp_mflags}
|
||||
popd
|
||||
|
||||
%install
|
||||
make install DESTDIR=$RPM_BUILD_ROOT
|
||||
# move devel stuff to %%{libdir}
|
||||
rm -f $RPM_BUILD_ROOT/%{_lib}/libcryptsetup.so
|
||||
mkdir -p $RPM_BUILD_ROOT%{_libdir}
|
||||
ln -s /%{_lib}/libcryptsetup.so.4 $RPM_BUILD_ROOT%{_libdir}/libcryptsetup.so
|
||||
mv $RPM_BUILD_ROOT/%_lib/pkgconfig $RPM_BUILD_ROOT/%_libdir
|
||||
install -d -m 755 $RPM_BUILD_ROOT/sbin
|
||||
ln -s ..%{_sbindir}/cryptsetup $RPM_BUILD_ROOT/sbin
|
||||
# don't want this file in /lib (FHS compat check), and can't move it to /usr/lib
|
||||
rm -f $RPM_BUILD_ROOT/%_lib/*.la
|
||||
#
|
||||
# hashalot install
|
||||
pushd ../hashalot-%haver
|
||||
make install DESTDIR=$RPM_BUILD_ROOT
|
||||
popd
|
||||
# remove unwanted symlinks
|
||||
rm -f $RPM_BUILD_ROOT/sbin/{rmd160,sha256,sha384,sha512}
|
||||
#
|
||||
# boot.crypto
|
||||
make -C ../boot.crypto-* install DESTDIR=$RPM_BUILD_ROOT
|
||||
ln -s /etc/init.d/boot.crypto $RPM_BUILD_ROOT/sbin/rccrypto
|
||||
rm -f $RPM_BUILD_ROOT/%_libdir/*.la
|
||||
#
|
||||
%find_lang %name --all-name
|
||||
|
||||
# systemd is now providing cryptsetup manpage
|
||||
rm -f $RPM_BUILD_ROOT%_mandir/man5/crypttab.5*
|
||||
|
||||
%pre
|
||||
# hack to catch update case from aaa_base/util-linux-crypto
|
||||
if [ -f /etc/init.d/boot.d/S??boot.crypto ]; then
|
||||
touch /var/run/cryptsetup.boot.crypto.enabled
|
||||
fi
|
||||
|
||||
%post
|
||||
[ -x /sbin/mkinitrd_setup ] && mkinitrd_setup
|
||||
%{fillup_and_insserv boot.crypto}
|
||||
if [ -e /var/run/cryptsetup.boot.crypto.enabled ]; then
|
||||
rm -f /var/run/cryptsetup.boot.crypto.enabled
|
||||
%{fillup_and_insserv -fY boot.crypto}
|
||||
fi
|
||||
%{fillup_and_insserv boot.crypto-early}
|
||||
test -n "$FIRST_ARG" || FIRST_ARG="$1"
|
||||
#
|
||||
# convert noauto to nofail and turn on fsck (bnc#724113)
|
||||
#
|
||||
@ -198,42 +125,25 @@ if [ "$FIRST_ARG" -gt 1 -a ! -e "$marker" ]; then
|
||||
fi
|
||||
fi
|
||||
|
||||
%postun
|
||||
[ -x /sbin/mkinitrd_setup ] && mkinitrd_setup
|
||||
%{insserv_cleanup}
|
||||
|
||||
%post -n libcryptsetup4 -p /sbin/ldconfig
|
||||
|
||||
%postun -n libcryptsetup4 -p /sbin/ldconfig
|
||||
|
||||
%files -f %name.lang
|
||||
%defattr(-,root,root)
|
||||
%ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/crypttab
|
||||
%ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/cryptotab
|
||||
/etc/init.d/boot.crypto
|
||||
/etc/init.d/boot.crypto-early
|
||||
%dir /lib/mkinitrd
|
||||
%dir /lib/mkinitrd/scripts
|
||||
/lib/mkinitrd/scripts/setup-luks.sh
|
||||
/lib/mkinitrd/scripts/boot-luks.sh
|
||||
/lib/mkinitrd/scripts/setup-luks2.sh
|
||||
/lib/mkinitrd/scripts/setup-luks_final.sh
|
||||
/usr/sbin/convert_cryptotab
|
||||
#ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/crypttab
|
||||
#ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/cryptotab
|
||||
/sbin/cryptsetup
|
||||
/sbin/veritysetup
|
||||
/sbin/hashalot
|
||||
/sbin/rccrypto
|
||||
/sbin/cryptsetup-reencrypt
|
||||
%_mandir/man1/hashalot.1.gz
|
||||
%{_sbindir}/cryptsetup
|
||||
%{_sbindir}/veritysetup
|
||||
%{_sbindir}/cryptsetup-reencrypt
|
||||
%_mandir/man8/cryptsetup.8.gz
|
||||
%_mandir/man8/cryptsetup-reencrypt.8.gz
|
||||
%_mandir/man8/veritysetup.8.gz
|
||||
%_mandir/man5/cryptotab.5.gz
|
||||
/lib/cryptsetup
|
||||
|
||||
%files -n libcryptsetup4
|
||||
%defattr(-,root,root)
|
||||
/%_lib/libcryptsetup.so.4*
|
||||
/%{_libdir}/libcryptsetup.so.4*
|
||||
|
||||
%files -n libcryptsetup-devel
|
||||
%defattr(-,root,root)
|
||||
|
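Review bot: Nothing in the visible cryptsetup.spec hunks ties this package to the split-off initrd pieces, so an update could leave an encrypted-root system without its boot hooks. The `%files` list shows `/lib/mkinitrd/scripts/setup-luks.sh` and `boot-luks.sh`, and `%post`/`%postun` show the `mkinitrd_setup` calls. Going by the hunk counts (`-198,42 +125,25`, `-125,61 +89,24`) these appear to be on the removed side, and the commit message itself warns that root on crypto stops booting without cryptsetup-mkinitrd. I would add a dependency next to the other package tags, for example `Requires: cryptsetup-mkinitrd` (assuming that is the final package name), with a comment saying why, so the ordering constraint is enforced by the package and not only by the check-in note. The page has lost its `+`/`-` markers, so which lines are old and which are new is inferred here and should be confirmed against the raw diff.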
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:5958c371ba2469150b19f4c3a66bb374a7b1e287df4d0bfeb5e7c480da15424d
|
||||
size 68508
|
@ -1,29 +0,0 @@
|
||||
exit unsuccessfully on empty passphrase if input is a tty
|
||||
|
||||
allows user to press ctrl-d to abort
|
||||
|
||||
Signed-off-by: Ludwig Nussel <ludwig.nussel@suse.de>
|
||||
|
||||
Index: hashalot-0.3/hashalot.c
|
||||
===================================================================
|
||||
--- hashalot-0.3.orig/hashalot.c
|
||||
+++ hashalot-0.3/hashalot.c
|
||||
@@ -135,10 +135,14 @@ phash_lookup(const char phash_name[], si
|
||||
static char *
|
||||
xgetpass(const char *prompt)
|
||||
{
|
||||
- if (isatty(STDIN_FILENO)) /* terminal */
|
||||
- return getpass(prompt); /* FIXME getpass(3) obsolete */
|
||||
- else { /* file descriptor */
|
||||
- char *pass = NULL;
|
||||
+ char *pass = NULL;
|
||||
+ if (isatty(STDIN_FILENO)) { /* terminal */
|
||||
+ pass = getpass(prompt); /* FIXME getpass(3) obsolete */
|
||||
+ if(!pass || !*pass) {
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
+ return pass;
|
||||
+ } else { /* file descriptor */
|
||||
int buflen, i;
|
||||
|
||||
buflen=0;
|
@ -1,37 +0,0 @@
|
||||
- print help text to stdout so it can be read via pager
|
||||
- use proper length in phash_rmd160()
|
||||
|
||||
Signed-off-by: Ludwig Nussel <ludwig.nussel@suse.de>
|
||||
|
||||
Index: hashalot-0.3/hashalot.c
|
||||
===================================================================
|
||||
--- hashalot-0.3/hashalot.c.orig
|
||||
+++ hashalot-0.3/hashalot.c
|
||||
@@ -42,7 +42,7 @@ phash_rmd160(char dest[], size_t dest_le
|
||||
tmp[PASSWDBUFFLEN - 1] = '\0';
|
||||
|
||||
rmd160_hash_buffer(key, src, src_len);
|
||||
- rmd160_hash_buffer(key + RMD160_HASH_SIZE, tmp, src_len + 1 /* dangerous! */);
|
||||
+ rmd160_hash_buffer(key + RMD160_HASH_SIZE, tmp, strlen(tmp));
|
||||
|
||||
memcpy(dest, key, dest_len);
|
||||
|
||||
@@ -95,7 +95,7 @@ show_usage(const char argv0[])
|
||||
{
|
||||
struct func_table_t *p = func_table;
|
||||
|
||||
- fprintf (stderr,
|
||||
+ fprintf (stdout,
|
||||
"usage:\n"
|
||||
" hashalot [ -x ] [ -s SALT ] [ -n _#bytes_ ] HASHTYPE\n"
|
||||
" or\n"
|
||||
@@ -106,7 +106,8 @@ show_usage(const char argv0[])
|
||||
for (; p->name; ++p)
|
||||
fprintf (stderr, "%s ", p->name);
|
||||
|
||||
- fprintf (stderr, "\n");
|
||||
+
|
||||
+ fprintf (stdout, "\n");
|
||||
|
||||
return 1;
|
||||
}
|
@ -1,25 +0,0 @@
|
||||
Index: hashalot-0.3/hashalot.c
|
||||
===================================================================
|
||||
--- hashalot-0.3.orig/hashalot.c
|
||||
+++ hashalot-0.3/hashalot.c
|
||||
@@ -22,6 +22,7 @@
|
||||
#include <unistd.h>
|
||||
#include <assert.h>
|
||||
#include <signal.h>
|
||||
+#include <limits.h>
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/mman.h>
|
||||
Index: hashalot-0.3/Makefile.am
|
||||
===================================================================
|
||||
--- hashalot-0.3.orig/Makefile.am
|
||||
+++ hashalot-0.3/Makefile.am
|
||||
@@ -4,7 +4,7 @@ sbin_PROGRAMS = hashalot
|
||||
man_MANS = hashalot.1
|
||||
|
||||
hashalot_CFLAGS = $(LIBGCRYPT_CFLAGS)
|
||||
-hashalot_LDFLAGS = $(LIBGCRYPT_LIBS)
|
||||
+hashalot_LDADD = $(LIBGCRYPT_LIBS)
|
||||
|
||||
hashalot_SOURCES = hashalot.c rmd160.c rmd160.h sha512.c sha512.h
|
||||
|
@ -1,156 +0,0 @@
|
||||
add support for -C (itercountk) option of loop-AES if libgcrypt is available
|
||||
|
||||
Signed-off-by: Ludwig Nussel <ludwig.nussel@suse.de>
|
||||
|
||||
Index: hashalot-0.3/Makefile.am
|
||||
===================================================================
|
||||
--- hashalot-0.3/Makefile.am.orig
|
||||
+++ hashalot-0.3/Makefile.am
|
||||
@@ -3,6 +3,9 @@ sbin_PROGRAMS = hashalot
|
||||
|
||||
man_MANS = hashalot.1
|
||||
|
||||
+hashalot_CFLAGS = $(LIBGCRYPT_CFLAGS)
|
||||
+hashalot_LDFLAGS = $(LIBGCRYPT_LIBS)
|
||||
+
|
||||
hashalot_SOURCES = hashalot.c rmd160.c rmd160.h sha512.c sha512.h
|
||||
|
||||
install-exec-hook:
|
||||
Index: hashalot-0.3/configure.ac
|
||||
===================================================================
|
||||
--- hashalot-0.3/configure.ac.orig
|
||||
+++ hashalot-0.3/configure.ac
|
||||
@@ -8,5 +8,6 @@ AC_PROG_LN_S
|
||||
AC_HEADER_STDC
|
||||
AC_CHECK_HEADERS(libgen.h stdio.h stdlib.h string.h unistd.h assert.h sys/types.h sys/mman.h endian.h , , [ AC_MSG_ERROR(required header not found)])
|
||||
AC_CHECK_FUNCS(getopt snprintf , , [ AC_MSG_ERROR(required function not found)])
|
||||
+AM_PATH_LIBGCRYPT(,[AC_DEFINE([HAVE_LIBGCRYPT], 1)])
|
||||
|
||||
AC_OUTPUT(Makefile)
|
||||
Index: hashalot-0.3/hashalot.c
|
||||
===================================================================
|
||||
--- hashalot-0.3/hashalot.c.orig
|
||||
+++ hashalot-0.3/hashalot.c
|
||||
@@ -25,6 +25,10 @@
|
||||
#include <sys/types.h>
|
||||
#include <sys/mman.h>
|
||||
|
||||
+#if HAVE_LIBGCRYPT
|
||||
+#include <gcrypt.h>
|
||||
+#endif
|
||||
+
|
||||
#include "rmd160.h"
|
||||
#include "sha512.h"
|
||||
|
||||
@@ -97,9 +101,9 @@ show_usage(const char argv0[])
|
||||
|
||||
fprintf (stdout,
|
||||
"usage:\n"
|
||||
- " hashalot [ -x ] [ -s SALT ] [ -n _#bytes_ ] HASHTYPE\n"
|
||||
+ " hashalot [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ] HASHTYPE\n"
|
||||
" or\n"
|
||||
- " HASHTYPE [ -x ] [ -s SALT ] [ -n _#bytes_ ]\n"
|
||||
+ " HASHTYPE [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ]\n"
|
||||
"\n"
|
||||
"supported values for HASHTYPE: ");
|
||||
|
||||
@@ -214,8 +218,9 @@ main(int argc, char *argv[])
|
||||
size_t hashlen = 0;
|
||||
phash_func_t func;
|
||||
int hex_output = 0, c;
|
||||
+ unsigned long itercountk = 0;
|
||||
|
||||
- while ((c = getopt(argc, argv, "n:s:x")) != -1) {
|
||||
+ while ((c = getopt(argc, argv, "n:s:xC:")) != -1) {
|
||||
switch (c) {
|
||||
case 'n':
|
||||
hashlen = strtoul(optarg, &p, 0);
|
||||
@@ -233,6 +238,9 @@ main(int argc, char *argv[])
|
||||
case 'x':
|
||||
hex_output++;
|
||||
break;
|
||||
+ case 'C':
|
||||
+ itercountk = atoi(optarg);
|
||||
+ break;
|
||||
default:
|
||||
show_usage(argv[0]);
|
||||
exit(EXIT_FAILURE);
|
||||
@@ -257,6 +265,8 @@ main(int argc, char *argv[])
|
||||
* plus a newline, plus a null */
|
||||
passhash = xmalloc(2*hashlen + 2);
|
||||
|
||||
+ memset(passhash, 0, 2*hashlen+2);
|
||||
+
|
||||
/* try to lock memory so it doesn't get swapped out for sure */
|
||||
if (mlockall(MCL_CURRENT | MCL_FUTURE) == -1) {
|
||||
perror("mlockall");
|
||||
@@ -268,6 +278,69 @@ main(int argc, char *argv[])
|
||||
if (salt)
|
||||
pass = salt_passphrase(pass, salt);
|
||||
hashlen = func(passhash, hashlen, pass, strlen(pass));
|
||||
+
|
||||
+ if(itercountk) /* from loop-AES */
|
||||
+ {
|
||||
+#if HAVE_LIBGCRYPT
|
||||
+ gcry_cipher_hd_t ctx;
|
||||
+ gcry_error_t err;
|
||||
+ char tmp[32];
|
||||
+ char out[32];
|
||||
+
|
||||
+ if(hashlen > 32) {
|
||||
+ fprintf(stderr, "WARNING: hashlen truncated to 32\n");
|
||||
+ hashlen = 32;
|
||||
+ }
|
||||
+
|
||||
+ if(!gcry_check_version("1.1.0")) {
|
||||
+ fprintf(stderr, "libgcrypt initialization failed\n");
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
+
|
||||
+ memset(out, 0, sizeof(out));
|
||||
+ memcpy(out, passhash, hashlen);
|
||||
+
|
||||
+ err = gcry_cipher_open(&ctx, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CBC, 0);
|
||||
+ if(err)
|
||||
+ {
|
||||
+ fprintf(stderr, "can't initialize AES: %s\n", gcry_strerror (err));
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Set up AES-256 encryption key using same password and hash function
|
||||
+ * as before but with password bit 0 flipped before hashing. That key
|
||||
+ * is then used to encrypt actual loop key 'itercountk' thousand times.
|
||||
+ */
|
||||
+ pass[0] ^= 1;
|
||||
+ func(&tmp[0], 32, pass, strlen(pass));
|
||||
+ gcry_cipher_setkey(ctx, &tmp[0], 32);
|
||||
+ itercountk *= 1000;
|
||||
+ while(itercountk > 0) {
|
||||
+ gcry_cipher_reset(ctx);
|
||||
+ gcry_cipher_setiv(ctx, NULL, 0);
|
||||
+ /* encrypt both 128bit blocks with AES-256 */
|
||||
+ gcry_cipher_encrypt(ctx, &out[ 0], 16, &out[ 0], 16);
|
||||
+ gcry_cipher_reset(ctx);
|
||||
+ gcry_cipher_setiv(ctx, NULL, 0);
|
||||
+ gcry_cipher_encrypt(ctx, &out[16], 16, &out[16], 16);
|
||||
+ /* exchange upper half of first block with lower half of second block */
|
||||
+ memcpy(&tmp[0], &out[8], 8);
|
||||
+ memcpy(&out[8], &out[16], 8);
|
||||
+ memcpy(&out[16], &tmp[0], 8);
|
||||
+ itercountk--;
|
||||
+ }
|
||||
+ memset(&tmp[0], 0, sizeof(tmp));
|
||||
+
|
||||
+ memcpy(passhash, out, hashlen);
|
||||
+
|
||||
+ gcry_cipher_close(ctx);
|
||||
+#else
|
||||
+ fprintf(stderr, "libgcrypt support is required for option -C\n");
|
||||
+ exit(EXIT_FAILURE);
|
||||
+#endif
|
||||
+
|
||||
+ }
|
||||
memset (pass, 0, strlen (pass)); /* paranoia */
|
||||
free(pass);
|
||||
|
@ -1,39 +0,0 @@
|
||||
document -C and -t options in manpage
|
||||
|
||||
Signed-off-by: Ludwig Nussel <ludwig.nussel@suse.de>
|
||||
|
||||
Index: hashalot-0.3/hashalot.1
|
||||
===================================================================
|
||||
--- hashalot-0.3/hashalot.1.orig
|
||||
+++ hashalot-0.3/hashalot.1
|
||||
@@ -2,9 +2,9 @@
|
||||
.SH NAME
|
||||
hashalot \- read a passphrase and print a hash
|
||||
.SH SYNOPSIS
|
||||
-.B hashalot [ \-s SALT ] [ \-x ] [ \-n #BYTES ] HASHTYPE
|
||||
+.B hashalot [ \-t secs ] [ \-s SALT ] [ \-x ] [ \-n #BYTES ] [ \-C itercountk ] HASHTYPE
|
||||
.br
|
||||
-.B HASHTYPE [ \-s SALT ] [ \-x ] [ \-n #BYTES ]
|
||||
+.B HASHTYPE [ \-t secs ] [ \-s SALT ] [ \-x ] [ \-n #BYTES ] [ \-C itercountk ]
|
||||
.SH DESCRIPTION
|
||||
.PP
|
||||
\fIhashalot\fP is a small tool that reads a passphrase from standard
|
||||
@@ -36,6 +36,18 @@ option can be used to limit (or increase
|
||||
default is as appropriate for the specified hash algorithm: 20 bytes for
|
||||
RIPEMD160, 32 bytes for SHA256, etc. The default for the "rmd160compat"
|
||||
hash is 16 bytes, for compatibility with the old kerneli.org utilities.
|
||||
+.PP
|
||||
+The
|
||||
+.B \-t
|
||||
+option specifies a timeout for reading the passphrase from the terminal.
|
||||
+.PP
|
||||
+The
|
||||
+.B \-C
|
||||
+option specifies that the hashed password has to be encrypted
|
||||
+itercountk thousand times using AES-256. Use for compatability with
|
||||
+loop-AES.
|
||||
+.PP
|
||||
+The options \-t and \-C are currently SUSE specific
|
||||
.SH AUTHOR
|
||||
Ben Slusky <sluskyb@paranoiacs.org>
|
||||
.PP
|
@ -1,87 +0,0 @@
|
||||
add timeout option -t
|
||||
|
||||
Signed-off-by: Ludwig Nussel <ludwig.nussel@suse.de>
|
||||
|
||||
Index: hashalot-0.3/hashalot.c
|
||||
===================================================================
|
||||
--- hashalot-0.3.orig/hashalot.c
|
||||
+++ hashalot-0.3/hashalot.c
|
||||
@@ -21,6 +21,7 @@
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <assert.h>
|
||||
+#include <signal.h>
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/mman.h>
|
||||
@@ -36,6 +37,12 @@
|
||||
|
||||
typedef int (*phash_func_t)(char dest[], size_t dest_len, const char src[], size_t src_len);
|
||||
|
||||
+static int got_timeout;
|
||||
+void alrm_handler(int num)
|
||||
+{
|
||||
+ got_timeout = 1;
|
||||
+}
|
||||
+
|
||||
static int
|
||||
phash_rmd160(char dest[], size_t dest_len, const char src[], size_t src_len)
|
||||
{
|
||||
@@ -101,9 +108,9 @@ show_usage(const char argv0[])
|
||||
|
||||
fprintf (stdout,
|
||||
"usage:\n"
|
||||
- " hashalot [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ] HASHTYPE\n"
|
||||
+ " hashalot [ -t secs ] [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ] HASHTYPE\n"
|
||||
" or\n"
|
||||
- " HASHTYPE [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ]\n"
|
||||
+ " HASHTYPE [ -t secs ] [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ]\n"
|
||||
"\n"
|
||||
"supported values for HASHTYPE: ");
|
||||
|
||||
@@ -222,8 +229,9 @@ main(int argc, char *argv[])
|
||||
phash_func_t func;
|
||||
int hex_output = 0, c;
|
||||
unsigned long itercountk = 0;
|
||||
+ unsigned timeout = 0;
|
||||
|
||||
- while ((c = getopt(argc, argv, "n:s:xC:")) != -1) {
|
||||
+ while ((c = getopt(argc, argv, "n:s:xC:t:")) != -1) {
|
||||
switch (c) {
|
||||
case 'n':
|
||||
hashlen = strtoul(optarg, &p, 0);
|
||||
@@ -238,6 +246,9 @@ main(int argc, char *argv[])
|
||||
case 's':
|
||||
salt = optarg;
|
||||
break;
|
||||
+ case 't':
|
||||
+ timeout = atoi(optarg);
|
||||
+ break;
|
||||
case 'x':
|
||||
hex_output++;
|
||||
break;
|
||||
@@ -276,8 +287,24 @@ main(int argc, char *argv[])
|
||||
fputs("Warning: couldn't lock memory, are you root?\n", stderr);
|
||||
}
|
||||
|
||||
+ if(timeout) {
|
||||
+ struct sigaction sa;
|
||||
+ sa.sa_handler = alrm_handler;
|
||||
+ sigemptyset (&sa.sa_mask);
|
||||
+ sa.sa_flags = 0;
|
||||
+ sigaction(SIGALRM, &sa, NULL);
|
||||
+ alarm(timeout);
|
||||
+ }
|
||||
+
|
||||
/* here we acquire the precious passphrase... */
|
||||
pass = xgetpass("Enter passphrase: ");
|
||||
+ if(got_timeout) {
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
+ if(timeout) {
|
||||
+ alarm(0);
|
||||
+ }
|
||||
+
|
||||
if (salt)
|
||||
pass = salt_passphrase(pass, salt);
|
||||
hashlen = func(passhash, hashlen, pass, strlen(pass));
|