From 2469c1380b7c1325744da6ea1fe3b206487b7be99858dcd83c79a51e5d5f5f1f Mon Sep 17 00:00:00 2001 
From: Ludwig Nussel Date: Thu, 13 Dec 2012 13:06:34 +0000 Subject: [PATCH] Accepting request 145274 from home:lnussel:branches:security ATTENTION: wait for cryptsetup-mkinitrd before checkin, otherwise installation with root on crypto no longer boot - version 1.5.1: * Added keyslot checker * Add crypt_keyslot_area() API call. * Optimize seek to keyfile-offset (Issue #135, thx to dreisner). * Fix luksHeaderBackup for very old v1.0 unaligned LUKS headers. * Allocate loop device late (only when real block device needed). * Rework underlying device/file access functions. * Create hash image if doesn't exist in veritysetup format. * Provide better error message if running as non-root user (device-mapper, loop). - split off hashalot and boot.crypto - move to /usr OBS-URL: https://build.opensuse.org/request/show/145274 OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=97 --- boot.crypto-0_201206151440.tar.bz2 | 3 - bug-476290_hashalot-hashlen.diff | 35 ------- cryptsetup-1.5.0.tar.bz2 | 3 - cryptsetup-1.5.0.tar.bz2.asc | 17 ---- cryptsetup-1.5.1.tar.bz2 | 3 + cryptsetup-1.5.1.tar.bz2.asc | 17 ++++ cryptsetup-mktar | 8 -- cryptsetup.changes | 19 ++++ cryptsetup.spec | 120 +++------------------- hashalot-0.3.tar.bz2 | 3 - hashalot-ctrl-d.diff | 29 ------ hashalot-fixes.diff | 37 ------- hashalot-glibc210.diff | 25 ----- hashalot-libgcrypt.diff | 156 ----------------------------- hashalot-manpage.diff | 39 -------- hashalot-timeout.diff | 87 ---------------- 16 files changed, 54 insertions(+), 547 deletions(-) delete mode 100644 boot.crypto-0_201206151440.tar.bz2 delete mode 100644 bug-476290_hashalot-hashlen.diff delete mode 100644 cryptsetup-1.5.0.tar.bz2 delete mode 100644 cryptsetup-1.5.0.tar.bz2.asc create mode 100644 cryptsetup-1.5.1.tar.bz2 create mode 100644 cryptsetup-1.5.1.tar.bz2.asc delete mode 100644 cryptsetup-mktar delete mode 100644 hashalot-0.3.tar.bz2 delete mode 100644 hashalot-ctrl-d.diff delete mode 100644 
hashalot-fixes.diff delete mode 100644 hashalot-glibc210.diff delete mode 100644 hashalot-libgcrypt.diff delete mode 100644 hashalot-manpage.diff delete mode 100644 hashalot-timeout.diff diff --git a/boot.crypto-0_201206151440.tar.bz2 b/boot.crypto-0_201206151440.tar.bz2 deleted file mode 100644 index 4cc4892..0000000 --- a/boot.crypto-0_201206151440.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:798e4ac415ebe1e4415e1b77b955b72c376dfc3d0fd7fc414f886f896da6393d -size 17582 diff --git a/bug-476290_hashalot-hashlen.diff b/bug-476290_hashalot-hashlen.diff deleted file mode 100644 index 880c4c6..0000000 --- a/bug-476290_hashalot-hashlen.diff +++ /dev/null @@ -1,35 +0,0 @@ -Index: hashalot-0.3/hashalot.c -=================================================================== ---- hashalot-0.3.orig/hashalot.c -+++ hashalot-0.3/hashalot.c -@@ -34,6 +34,7 @@ - #include "sha512.h" - - #define PASSWDBUFFLEN 130 -+#define MAXHASHLEN (ULONG_MAX/2 - 2) - - typedef int (*phash_func_t)(char dest[], size_t dest_len, const char src[], size_t src_len); - -@@ -182,8 +183,7 @@ static void * - xmalloc (size_t size) { - void *p; - -- if (size == 0) -- return NULL; -+ assert(size != 0); - - p = malloc(size); - if (p == NULL) { -@@ -242,6 +242,12 @@ main(int argc, char *argv[]) - show_usage(argv[0]); - exit(EXIT_FAILURE); - } -+ if (hashlen >= MAXHASHLEN) { -+ fprintf(stderr, -+ "please supply a value smaller than %lu for the -n option\n", -+ MAXHASHLEN); -+ exit(EXIT_FAILURE); -+ } - break; - case 's': - salt = optarg; diff --git a/cryptsetup-1.5.0.tar.bz2 b/cryptsetup-1.5.0.tar.bz2 deleted file mode 100644 index 33b8f71..0000000 --- a/cryptsetup-1.5.0.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:407154c510a2401ecfaa1919588003964ba36121882f8d26125324805565f8d0 -size 864500 diff --git a/cryptsetup-1.5.0.tar.bz2.asc b/cryptsetup-1.5.0.tar.bz2.asc deleted file mode 100644 index 7ee27e6..0000000 
--- a/cryptsetup-1.5.0.tar.bz2.asc
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.12 (GNU/Linux)
-
-iQIcBAABAgAGBQJP/HM8AAoJENmwV3vZPpj8vP0P/Ava8T7fJGfvn1H+56RKG1lh
-I8RGFRzQCXN4xpYoxPBfFYpbc5GoteFw/Pcb0BKddePBk4tHuHYPRwvS1ps8nyH/
-ekb8P5fsrkHV6+o/j5s99oY8dkW/FFYx0YfVOER63DpU7WWRK7md0smsQpaCUFKV
-9pv3jvh/1AMDmvs5wgxV0BWKXih/COUoGlG1AJU9V6PlKol6wxOYzXw2t6LqU3Zg
-9gHjlSPUuorabKnfkkcG+Gy7yT2Y8d+EnVdc1H+ihHLH27hmcSGMf/csm+tCCuJ5
-To/jXFB642BObohLGmE9bPhRp9Pj2bi59M6lPKRYQ2ncowewkqIZ2s4SJ8r5stn5
-W0UhXgkGLjQd4xti8/etpebnDPzMdSRg5LuLSxOTf/bjWI1jH63+4AfYoF+mx/N9
-kT6EKiIR216TBdffv1i28HbG4pQIsGhlx0JkQnAUqklHDNWf7fSMGEuadYYNngcD
-cBCPmD3R0JXM6qf6RasdCGlHUnR3DZKUzLGqqkq8/r7SvyxqRbIoerBrNxwcHUbh
-emzfHS09ysx33RhEenFfZNH4lL6PEPnlrg2q8DfUj/NoUkiw9qfTM4cRIBabgoi9
-uc2Qt/jK+QvE1clxBE4XmepZZH+e2Pdy52JrnI1ckA+FvY44GwBVE1hfxyyXFc+J
-3V84y23640r2RvRoq2ff
-=67gq
------END PGP SIGNATURE-----
diff --git a/cryptsetup-1.5.1.tar.bz2 b/cryptsetup-1.5.1.tar.bz2
new file mode 100644
index 0000000..c206810
--- /dev/null
+++ b/cryptsetup-1.5.1.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:16d23f78cab35937281a0ae7a8febce0c3a1a0f291cc94e169a7b968b81d2b36
+size 958979
diff --git a/cryptsetup-1.5.1.tar.bz2.asc b/cryptsetup-1.5.1.tar.bz2.asc
new file mode 100644
index 0000000..627c96e
--- /dev/null
+++ b/cryptsetup-1.5.1.tar.bz2.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.12 (GNU/Linux)
+
+iQIcBAABAgAGBQJQfb41AAoJENmwV3vZPpj8nv4QAJAGr5zYVzCnuBS3j6AKWwIo
+JUcoxRnNPNSuw+qIk3oVhsEfCZKZrhPbVKN4l058r9UVrKfCjH/BpemkEkvPpJXe
+I7xm6H+PI9nSx43h69Y+aW9LVD4y4F5WpBrlzCcYbJbKiDYmobXciaU+c81AuJFe
+s682e0oDp691oiUHtuXD70ivhqi7hkUgm5ftLSDNJ8K2i4V60AsQ6CCHNc7HobJo
+jEnzwwsSXhyad8SCiyWhfyCadHcDfMrlQHcbCOl5DnFRM5hJz7fOedXz2D6jpGhA
+MLQHVEE7ANDCz2RvrX7Bh9BTfGydQfDlelD+gDqVmdrOcy0x9EDQ6Ux3ITroms65
+wLfX5yWA7yaqWUGpoeQhQ0w5Pnsy7SnDxXXRK+yg90QRkJYrS7idrwXHQSPhkaFS
+LSgxnEMEYnyEy6g25nFSEx+gRqkdnXioXpe2ULr4DgZwRcjTeLyQ8aeVu0a/9JWw
+amTLEgq77R5uk10Eco5dlI0bjb/bkSvT/9IrvKSWiPnE3XkaX6isK5F0EmLhnZDj
+uotYrZ0MBHfaqFP/qiqbMQ1kb0AFdhzYyEJ63gGd0gRNcdM/GYxvKOADii9WDOT2
+MSX2KZOnaTxFBUsatgGcedJgcQL3QumHUfPzE2qOkzt5KCthbV5Oe9tyvGoy/UVh
+/TQwxHvPZVH/lpaJsGtx
+=VyhW
+-----END PGP SIGNATURE-----
diff --git a/cryptsetup-mktar b/cryptsetup-mktar
deleted file mode 100644
index 4ef003f..0000000
--- a/cryptsetup-mktar
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh
-# repo is at http://cryptsetup.googlecode.com/svn/trunk
-set -e -x
-SVN_VERSION="1.0.7_SVNr`svnversion .`"
-rm -rf cryptsetup-${SVN_VERSION}
-svn export . cryptsetup-${SVN_VERSION}
-tar --owner=root --group=root --force-local -cjf cryptsetup-${SVN_VERSION}.tar.bz2 cryptsetup-${SVN_VERSION}
-rm -rf cryptsetup-${SVN_VERSION}
diff --git a/cryptsetup.changes b/cryptsetup.changes
index f90236b..9b9f484 100644
--- a/cryptsetup.changes
+++ b/cryptsetup.changes
@@ -1,3 +1,22 @@ +------------------------------------------------------------------- +Thu Dec 13 10:46:43 UTC 2012 - lnussel@suse.de + +- version 1.5.1: + * Added keyslot checker + * Add crypt_keyslot_area() API call. + * Optimize seek to keyfile-offset (Issue #135, thx to dreisner). + * Fix luksHeaderBackup for very old v1.0 unaligned LUKS headers. + * Allocate loop device late (only when real block device needed). + * Rework underlying device/file access functions. + * Create hash image if doesn't exist in veritysetup format. + * Provide better error message if running as non-root user (device-mapper, loop). + +------------------------------------------------------------------- +Wed Dec 12 16:00:29 UTC 2012 - lnussel@suse.de + +- split off hashalot and boot.crypto +- move to /usr + ------------------------------------------------------------------- Tue Nov 20 18:41:11 CET 2012 - sbrabec@suse.cz diff --git a/cryptsetup.spec b/cryptsetup.spec index ebc537e..4e8cf62 100644 --- a/cryptsetup.spec +++ b/cryptsetup.spec @@ -29,11 +29,7 @@ BuildRequires: libselinux-devel BuildRequires: libtool BuildRequires: pkgconfig BuildRequires: popt-devel -# hashalot version -%define haver 0.3 -# boot.crypto version -%define bcver 0_201206151440 -Version: 1.5.0 +Version: 1.5.1 Release: 0 #Release: %{?beta:0.}.%{?beta:.}%{?beta} Summary: Set Up dm-crypt Based Encrypted Block Devices 
@@ -43,26 +39,7 @@ Source: http://cryptsetup.googlecode.com/files/cryptsetup-%{ver}.tar.bz2 Source1: http://cryptsetup.googlecode.com/files/cryptsetup-%{ver}.tar.bz2.asc Source2: baselibs.conf Source3: %{name}.keyring -Source10: hashalot-%haver.tar.bz2 -# git://gitorious.org/opensuse/boot_crypto.git -Source20: boot.crypto-%{bcver}.tar.bz2 -# use this to create the tarball from svn -Source99: cryptsetup-mktar -#Patch0: cryptsetup-svn131-noascii.diff -Patch10: hashalot-fixes.diff -Patch11: hashalot-libgcrypt.diff -Patch12: hashalot-ctrl-d.diff -Patch13: hashalot-timeout.diff -Patch14: hashalot-manpage.diff -Patch15: bug-476290_hashalot-hashlen.diff -Patch16: hashalot-glibc210.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build -Provides: aaa_base:/etc/init.d/boot.crypto -Obsoletes: util-linux-crypto <= 2.12r -# we need losetup -Requires: util-linux -PreReq: %fillup_prereq %insserv_prereq -PreReq: coreutils diffutils %description cryptsetup is used to conveniently set up dm-crypt based device-mapper @@ -104,20 +81,7 @@ time via the config file /etc/crypttab. %prep %gpg_verify %{S:1} -%setup -n %name-%ver -q -b 10 -b 20 -#patch0 -p1 -pushd ../hashalot-%haver -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 -%patch16 -p1 -popd -pushd ../boot.crypto-%bcver -#patch20 -p1 -popd +%setup -n %name-%ver -q %build # cryptsetup build 
@@ -125,61 +89,24 @@ popd autoreconf -f -i test -e po/Makevars || cp po/Makevars.template po/Makevars %configure \ - --libdir=/%_lib \ - --bindir=/sbin --sbindir=/sbin \ - --disable-static --enable-shared \ - --enable-cryptsetup-reencrypt \ - --enable-selinux + --disable-static --enable-shared \ + --enable-cryptsetup-reencrypt \ + --enable-selinux make %{?_smp_mflags} -# -# hashalot build -pushd ../hashalot-%haver -autoreconf -f -i -%{?suse_update_config:%{suse_update_config}} -%configure --sbindir=/sbin -make %{?_smp_mflags} -popd %install make install DESTDIR=$RPM_BUILD_ROOT -# move devel stuff to %%{libdir} -rm -f $RPM_BUILD_ROOT/%{_lib}/libcryptsetup.so -mkdir -p $RPM_BUILD_ROOT%{_libdir} -ln -s /%{_lib}/libcryptsetup.so.4 $RPM_BUILD_ROOT%{_libdir}/libcryptsetup.so -mv $RPM_BUILD_ROOT/%_lib/pkgconfig $RPM_BUILD_ROOT/%_libdir +install -d -m 755 $RPM_BUILD_ROOT/sbin +ln -s ..%{_sbindir}/cryptsetup $RPM_BUILD_ROOT/sbin # don't want this file in /lib (FHS compat check), and can't move it to /usr/lib -rm -f $RPM_BUILD_ROOT/%_lib/*.la -# -# hashalot install -pushd ../hashalot-%haver -make install DESTDIR=$RPM_BUILD_ROOT -popd -# remove unwanted symlinks -rm -f $RPM_BUILD_ROOT/sbin/{rmd160,sha256,sha384,sha512} -# -# boot.crypto -make -C ../boot.crypto-* install DESTDIR=$RPM_BUILD_ROOT -ln -s /etc/init.d/boot.crypto $RPM_BUILD_ROOT/sbin/rccrypto +rm -f $RPM_BUILD_ROOT/%_libdir/*.la # %find_lang %name --all-name -# systemd is now providing cryptsetup manpage -rm -f $RPM_BUILD_ROOT%_mandir/man5/crypttab.5* - %pre -# hack to catch update case from aaa_base/util-linux-crypto -if [ -f /etc/init.d/boot.d/S??boot.crypto ]; then - touch /var/run/cryptsetup.boot.crypto.enabled -fi %post -[ -x /sbin/mkinitrd_setup ] && mkinitrd_setup -%{fillup_and_insserv boot.crypto} -if [ -e /var/run/cryptsetup.boot.crypto.enabled ]; then - rm -f /var/run/cryptsetup.boot.crypto.enabled - %{fillup_and_insserv -fY boot.crypto} -fi -%{fillup_and_insserv boot.crypto-early} +test -n "$FIRST_ARG" 
|| FIRST_ARG="$1" # # convert noauto to nofail and turn on fsck (bnc#724113) # @@ -198,42 +125,25 @@ if [ "$FIRST_ARG" -gt 1 -a ! -e "$marker" ]; then fi fi -%postun -[ -x /sbin/mkinitrd_setup ] && mkinitrd_setup -%{insserv_cleanup} - %post -n libcryptsetup4 -p /sbin/ldconfig %postun -n libcryptsetup4 -p /sbin/ldconfig %files -f %name.lang %defattr(-,root,root) -%ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/crypttab -%ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/cryptotab -/etc/init.d/boot.crypto -/etc/init.d/boot.crypto-early -%dir /lib/mkinitrd -%dir /lib/mkinitrd/scripts -/lib/mkinitrd/scripts/setup-luks.sh -/lib/mkinitrd/scripts/boot-luks.sh -/lib/mkinitrd/scripts/setup-luks2.sh -/lib/mkinitrd/scripts/setup-luks_final.sh -/usr/sbin/convert_cryptotab +#ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/crypttab +#ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/cryptotab /sbin/cryptsetup -/sbin/veritysetup -/sbin/hashalot -/sbin/rccrypto -/sbin/cryptsetup-reencrypt -%_mandir/man1/hashalot.1.gz +%{_sbindir}/cryptsetup +%{_sbindir}/veritysetup +%{_sbindir}/cryptsetup-reencrypt %_mandir/man8/cryptsetup.8.gz %_mandir/man8/cryptsetup-reencrypt.8.gz %_mandir/man8/veritysetup.8.gz -%_mandir/man5/cryptotab.5.gz -/lib/cryptsetup %files -n libcryptsetup4 %defattr(-,root,root) -/%_lib/libcryptsetup.so.4* +/%{_libdir}/libcryptsetup.so.4* %files -n libcryptsetup-devel %defattr(-,root,root) diff --git a/hashalot-0.3.tar.bz2 b/hashalot-0.3.tar.bz2 deleted file mode 100644 index c3c7c9d..0000000 --- a/hashalot-0.3.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5958c371ba2469150b19f4c3a66bb374a7b1e287df4d0bfeb5e7c480da15424d -size 68508 diff --git a/hashalot-ctrl-d.diff b/hashalot-ctrl-d.diff deleted file mode 100644 index 8b99c70..0000000 --- a/hashalot-ctrl-d.diff +++ /dev/null 
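Review bot: In the cryptsetup.spec build/install hunk (`@@ -125,61 +89,24 @@`), the kept comment `# don't want this file in /lib (FHS compat check), and can't move it to /usr/lib` no longer describes the line under it, which now removes `$RPM_BUILD_ROOT/%_libdir/*.la`; reword it to something like `# libtool archives are not packaged`. The same hunk deletes the whole body of `%pre` but keeps the bare `%pre` header, which looks like it leaves an empty scriptlet behind, so the header should go as well. The new `ln -s ..%{_sbindir}/cryptsetup $RPM_BUILD_ROOT/sbin` would benefit from a one-line comment stating that it is, presumably, a compatibility link for callers that still invoke `/sbin/cryptsetup`.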
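Review bot: In the cryptsetup.spec `%files` hunk (`@@ -198,42 +125,25 @@`), the two `%ghost` entries for `/etc/crypttab` and `/etc/cryptotab` are turned into `#ghost ...` comment lines with no explanation, so after this change the package no longer owns either file and nothing visible here says which package takes them over. Either delete the two lines or replace them with a comment such as `# /etc/crypttab is owned by <owning package>` (placeholder; the owner is not shown on this page). The hunk also drops the `/lib/mkinitrd/scripts/*` entries, and the commit message itself warns that root-on-crypto installs stop booting until cryptsetup-mkinitrd is available, so recording that dependency in the spec (a comment at minimum) would keep the ordering from living only in the commit text. Separately, `/%{_libdir}/libcryptsetup.so.4*` keeps a leading slash left over from the old `/%_lib` form; `%{_libdir}/libcryptsetup.so.4*` is sufficient.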
@@ -1,29 +0,0 @@ -exit unsuccessfully on empty passphrase if input is a tty - -allows user to press ctrl-d to abort - -Signed-off-by: Ludwig Nussel - -Index: hashalot-0.3/hashalot.c -=================================================================== ---- hashalot-0.3.orig/hashalot.c -+++ hashalot-0.3/hashalot.c -@@ -135,10 +135,14 @@ phash_lookup(const char phash_name[], si - static char * - xgetpass(const char *prompt) - { -- if (isatty(STDIN_FILENO)) /* terminal */ -- return getpass(prompt); /* FIXME getpass(3) obsolete */ -- else { /* file descriptor */ -- char *pass = NULL; -+ char *pass = NULL; -+ if (isatty(STDIN_FILENO)) { /* terminal */ -+ pass = getpass(prompt); /* FIXME getpass(3) obsolete */ -+ if(!pass || !*pass) { -+ exit(EXIT_FAILURE); -+ } -+ return pass; -+ } else { /* file descriptor */ - int buflen, i; - - buflen=0; diff --git a/hashalot-fixes.diff b/hashalot-fixes.diff deleted file mode 100644 index 1829599..0000000 --- a/hashalot-fixes.diff +++ /dev/null 
@@ -1,37 +0,0 @@ -- print help text to stdout so it can be read via pager -- use proper length in phash_rmd160() - -Signed-off-by: Ludwig Nussel - -Index: hashalot-0.3/hashalot.c -=================================================================== ---- hashalot-0.3/hashalot.c.orig -+++ hashalot-0.3/hashalot.c -@@ -42,7 +42,7 @@ phash_rmd160(char dest[], size_t dest_le - tmp[PASSWDBUFFLEN - 1] = '\0'; - - rmd160_hash_buffer(key, src, src_len); -- rmd160_hash_buffer(key + RMD160_HASH_SIZE, tmp, src_len + 1 /* dangerous! */); -+ rmd160_hash_buffer(key + RMD160_HASH_SIZE, tmp, strlen(tmp)); - - memcpy(dest, key, dest_len); - -@@ -95,7 +95,7 @@ show_usage(const char argv0[]) - { - struct func_table_t *p = func_table; - -- fprintf (stderr, -+ fprintf (stdout, - "usage:\n" - " hashalot [ -x ] [ -s SALT ] [ -n _#bytes_ ] HASHTYPE\n" - " or\n" -@@ -106,7 +106,8 @@ show_usage(const char argv0[]) - for (; p->name; ++p) - fprintf (stderr, "%s ", p->name); - -- fprintf (stderr, "\n"); -+ -+ fprintf (stdout, "\n"); - - return 1; - } diff --git a/hashalot-glibc210.diff b/hashalot-glibc210.diff deleted file mode 100644 index f422d57..0000000 --- a/hashalot-glibc210.diff +++ /dev/null @@ -1,25 +0,0 @@ -Index: hashalot-0.3/hashalot.c -=================================================================== ---- hashalot-0.3.orig/hashalot.c -+++ hashalot-0.3/hashalot.c -@@ -22,6 +22,7 @@ - #include - #include - #include -+#include - - #include - #include -Index: hashalot-0.3/Makefile.am -=================================================================== ---- hashalot-0.3.orig/Makefile.am -+++ hashalot-0.3/Makefile.am -@@ -4,7 +4,7 @@ sbin_PROGRAMS = hashalot - man_MANS = hashalot.1 - - hashalot_CFLAGS = $(LIBGCRYPT_CFLAGS) --hashalot_LDFLAGS = $(LIBGCRYPT_LIBS) -+hashalot_LDADD = $(LIBGCRYPT_LIBS) - - hashalot_SOURCES = hashalot.c rmd160.c rmd160.h sha512.c sha512.h - diff --git a/hashalot-libgcrypt.diff b/hashalot-libgcrypt.diff deleted file mode 100644 index 5aca911..0000000 
--- a/hashalot-libgcrypt.diff +++ /dev/null 
@@ -1,156 +0,0 @@ -add support for -C (itercountk) option of loop-AES if libgcrypt is available - -Signed-off-by: Ludwig Nussel - -Index: hashalot-0.3/Makefile.am -=================================================================== ---- hashalot-0.3/Makefile.am.orig -+++ hashalot-0.3/Makefile.am -@@ -3,6 +3,9 @@ sbin_PROGRAMS = hashalot - - man_MANS = hashalot.1 - -+hashalot_CFLAGS = $(LIBGCRYPT_CFLAGS) -+hashalot_LDFLAGS = $(LIBGCRYPT_LIBS) -+ - hashalot_SOURCES = hashalot.c rmd160.c rmd160.h sha512.c sha512.h - - install-exec-hook: -Index: hashalot-0.3/configure.ac -=================================================================== ---- hashalot-0.3/configure.ac.orig -+++ hashalot-0.3/configure.ac -@@ -8,5 +8,6 @@ AC_PROG_LN_S - AC_HEADER_STDC - AC_CHECK_HEADERS(libgen.h stdio.h stdlib.h string.h unistd.h assert.h sys/types.h sys/mman.h endian.h , , [ AC_MSG_ERROR(required header not found)]) - AC_CHECK_FUNCS(getopt snprintf , , [ AC_MSG_ERROR(required function not found)]) -+AM_PATH_LIBGCRYPT(,[AC_DEFINE([HAVE_LIBGCRYPT], 1)]) - - AC_OUTPUT(Makefile) -Index: hashalot-0.3/hashalot.c -=================================================================== ---- hashalot-0.3/hashalot.c.orig -+++ hashalot-0.3/hashalot.c -@@ -25,6 +25,10 @@ - #include - #include - -+#if HAVE_LIBGCRYPT -+#include -+#endif -+ - #include "rmd160.h" - #include "sha512.h" - -@@ -97,9 +101,9 @@ show_usage(const char argv0[]) - - fprintf (stdout, - "usage:\n" -- " hashalot [ -x ] [ -s SALT ] [ -n _#bytes_ ] HASHTYPE\n" -+ " hashalot [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ] HASHTYPE\n" - " or\n" -- " HASHTYPE [ -x ] [ -s SALT ] [ -n _#bytes_ ]\n" -+ " HASHTYPE [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ]\n" - "\n" - "supported values for HASHTYPE: "); - -@@ -214,8 +218,9 @@ main(int argc, char *argv[]) - size_t hashlen = 0; - phash_func_t func; - int hex_output = 0, c; -+ unsigned long itercountk = 0; - -- while ((c = getopt(argc, argv, "n:s:x")) != -1) { -+ while ((c = 
getopt(argc, argv, "n:s:xC:")) != -1) { - switch (c) { - case 'n': - hashlen = strtoul(optarg, &p, 0); -@@ -233,6 +238,9 @@ main(int argc, char *argv[]) - case 'x': - hex_output++; - break; -+ case 'C': -+ itercountk = atoi(optarg); -+ break; - default: - show_usage(argv[0]); - exit(EXIT_FAILURE); -@@ -257,6 +265,8 @@ main(int argc, char *argv[]) - * plus a newline, plus a null */ - passhash = xmalloc(2*hashlen + 2); - -+ memset(passhash, 0, 2*hashlen+2); -+ - /* try to lock memory so it doesn't get swapped out for sure */ - if (mlockall(MCL_CURRENT | MCL_FUTURE) == -1) { - perror("mlockall"); -@@ -268,6 +278,69 @@ main(int argc, char *argv[]) - if (salt) - pass = salt_passphrase(pass, salt); - hashlen = func(passhash, hashlen, pass, strlen(pass)); -+ -+ if(itercountk) /* from loop-AES */ -+ { -+#if HAVE_LIBGCRYPT -+ gcry_cipher_hd_t ctx; -+ gcry_error_t err; -+ char tmp[32]; -+ char out[32]; -+ -+ if(hashlen > 32) { -+ fprintf(stderr, "WARNING: hashlen truncated to 32\n"); -+ hashlen = 32; -+ } -+ -+ if(!gcry_check_version("1.1.0")) { -+ fprintf(stderr, "libgcrypt initialization failed\n"); -+ exit(EXIT_FAILURE); -+ } -+ -+ memset(out, 0, sizeof(out)); -+ memcpy(out, passhash, hashlen); -+ -+ err = gcry_cipher_open(&ctx, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CBC, 0); -+ if(err) -+ { -+ fprintf(stderr, "can't initialize AES: %s\n", gcry_strerror (err)); -+ exit(EXIT_FAILURE); -+ } -+ -+ /* -+ * Set up AES-256 encryption key using same password and hash function -+ * as before but with password bit 0 flipped before hashing. That key -+ * is then used to encrypt actual loop key 'itercountk' thousand times. 
-+ */ -+ pass[0] ^= 1; -+ func(&tmp[0], 32, pass, strlen(pass)); -+ gcry_cipher_setkey(ctx, &tmp[0], 32); -+ itercountk *= 1000; -+ while(itercountk > 0) { -+ gcry_cipher_reset(ctx); -+ gcry_cipher_setiv(ctx, NULL, 0); -+ /* encrypt both 128bit blocks with AES-256 */ -+ gcry_cipher_encrypt(ctx, &out[ 0], 16, &out[ 0], 16); -+ gcry_cipher_reset(ctx); -+ gcry_cipher_setiv(ctx, NULL, 0); -+ gcry_cipher_encrypt(ctx, &out[16], 16, &out[16], 16); -+ /* exchange upper half of first block with lower half of second block */ -+ memcpy(&tmp[0], &out[8], 8); -+ memcpy(&out[8], &out[16], 8); -+ memcpy(&out[16], &tmp[0], 8); -+ itercountk--; -+ } -+ memset(&tmp[0], 0, sizeof(tmp)); -+ -+ memcpy(passhash, out, hashlen); -+ -+ gcry_cipher_close(ctx); -+#else -+ fprintf(stderr, "libgcrypt support is required for option -C\n"); -+ exit(EXIT_FAILURE); -+#endif -+ -+ } - memset (pass, 0, strlen (pass)); /* paranoia */ - free(pass); - diff --git a/hashalot-manpage.diff b/hashalot-manpage.diff deleted file mode 100644 index 80ce900..0000000 --- a/hashalot-manpage.diff +++ /dev/null 
@@ -1,39 +0,0 @@ -document -C and -t options in manpage - -Signed-off-by: Ludwig Nussel - -Index: hashalot-0.3/hashalot.1 -=================================================================== ---- hashalot-0.3/hashalot.1.orig -+++ hashalot-0.3/hashalot.1 -@@ -2,9 +2,9 @@ - .SH NAME - hashalot \- read a passphrase and print a hash - .SH SYNOPSIS --.B hashalot [ \-s SALT ] [ \-x ] [ \-n #BYTES ] HASHTYPE -+.B hashalot [ \-t secs ] [ \-s SALT ] [ \-x ] [ \-n #BYTES ] [ \-C itercountk ] HASHTYPE - .br --.B HASHTYPE [ \-s SALT ] [ \-x ] [ \-n #BYTES ] -+.B HASHTYPE [ \-t secs ] [ \-s SALT ] [ \-x ] [ \-n #BYTES ] [ \-C itercountk ] - .SH DESCRIPTION - .PP - \fIhashalot\fP is a small tool that reads a passphrase from standard -@@ -36,6 +36,18 @@ option can be used to limit (or increase - default is as appropriate for the specified hash algorithm: 20 bytes for - RIPEMD160, 32 bytes for SHA256, etc. The default for the "rmd160compat" - hash is 16 bytes, for compatibility with the old kerneli.org utilities. -+.PP -+The -+.B \-t -+option specifies a timeout for reading the passphrase from the terminal. -+.PP -+The -+.B \-C -+option specifies that the hashed password has to be encrypted -+itercountk thousand times using AES-256. Use for compatability with -+loop-AES. -+.PP -+The options \-t and \-C are currently SUSE specific - .SH AUTHOR - Ben Slusky - .PP diff --git a/hashalot-timeout.diff b/hashalot-timeout.diff deleted file mode 100644 index 5655788..0000000 --- a/hashalot-timeout.diff +++ /dev/null 
@@ -1,87 +0,0 @@ -add timeout option -t - -Signed-off-by: Ludwig Nussel - -Index: hashalot-0.3/hashalot.c -=================================================================== ---- hashalot-0.3.orig/hashalot.c -+++ hashalot-0.3/hashalot.c -@@ -21,6 +21,7 @@ - #include - #include - #include -+#include - - #include - #include -@@ -36,6 +37,12 @@ - - typedef int (*phash_func_t)(char dest[], size_t dest_len, const char src[], size_t src_len); - -+static int got_timeout; -+void alrm_handler(int num) -+{ -+ got_timeout = 1; -+} -+ - static int - phash_rmd160(char dest[], size_t dest_len, const char src[], size_t src_len) - { -@@ -101,9 +108,9 @@ show_usage(const char argv0[]) - - fprintf (stdout, - "usage:\n" -- " hashalot [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ] HASHTYPE\n" -+ " hashalot [ -t secs ] [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ] HASHTYPE\n" - " or\n" -- " HASHTYPE [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ]\n" -+ " HASHTYPE [ -t secs ] [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ]\n" - "\n" - "supported values for HASHTYPE: "); - -@@ -222,8 +229,9 @@ main(int argc, char *argv[]) - phash_func_t func; - int hex_output = 0, c; - unsigned long itercountk = 0; -+ unsigned timeout = 0; - -- while ((c = getopt(argc, argv, "n:s:xC:")) != -1) { -+ while ((c = getopt(argc, argv, "n:s:xC:t:")) != -1) { - switch (c) { - case 'n': - hashlen = strtoul(optarg, &p, 0); -@@ -238,6 +246,9 @@ main(int argc, char *argv[]) - case 's': - salt = optarg; - break; -+ case 't': -+ timeout = atoi(optarg); -+ break; - case 'x': - hex_output++; - break; -@@ -276,8 +287,24 @@ main(int argc, char *argv[]) - fputs("Warning: couldn't lock memory, are you root?\n", stderr); - } - -+ if(timeout) { -+ struct sigaction sa; -+ sa.sa_handler = alrm_handler; -+ sigemptyset (&sa.sa_mask); -+ sa.sa_flags = 0; -+ sigaction(SIGALRM, &sa, NULL); -+ alarm(timeout); -+ } -+ - /* here we acquire the precious passphrase... 
*/ - pass = xgetpass("Enter passphrase: "); -+ if(got_timeout) { -+ exit(EXIT_FAILURE); -+ } -+ if(timeout) { -+ alarm(0); -+ } -+ - if (salt) - pass = salt_passphrase(pass, salt); - hashlen = func(passhash, hashlen, pass, strlen(pass));