forked from pool/cryptsetup
Accepting request 145274 from home:lnussel:branches:security
ATTENTION: wait for cryptsetup-mkinitrd before checkin, otherwise installations with root on crypto no longer boot - version 1.5.1: * Added keyslot checker * Add crypt_keyslot_area() API call. * Optimize seek to keyfile-offset (Issue #135, thx to dreisner). * Fix luksHeaderBackup for very old v1.0 unaligned LUKS headers. * Allocate loop device late (only when real block device needed). * Rework underlying device/file access functions. * Create hash image if doesn't exist in veritysetup format. * Provide better error message if running as non-root user (device-mapper, loop). - split off hashalot and boot.crypto - move to /usr OBS-URL: https://build.opensuse.org/request/show/145274 OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=97
parent
7a1b87dbd3
commit
2469c1380b
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:798e4ac415ebe1e4415e1b77b955b72c376dfc3d0fd7fc414f886f896da6393d
|
|
||||||
size 17582
|
|
@ -1,35 +0,0 @@
|
|||||||
Index: hashalot-0.3/hashalot.c
|
|
||||||
===================================================================
|
|
||||||
--- hashalot-0.3.orig/hashalot.c
|
|
||||||
+++ hashalot-0.3/hashalot.c
|
|
||||||
@@ -34,6 +34,7 @@
|
|
||||||
#include "sha512.h"
|
|
||||||
|
|
||||||
#define PASSWDBUFFLEN 130
|
|
||||||
+#define MAXHASHLEN (ULONG_MAX/2 - 2)
|
|
||||||
|
|
||||||
typedef int (*phash_func_t)(char dest[], size_t dest_len, const char src[], size_t src_len);
|
|
||||||
|
|
||||||
@@ -182,8 +183,7 @@ static void *
|
|
||||||
xmalloc (size_t size) {
|
|
||||||
void *p;
|
|
||||||
|
|
||||||
- if (size == 0)
|
|
||||||
- return NULL;
|
|
||||||
+ assert(size != 0);
|
|
||||||
|
|
||||||
p = malloc(size);
|
|
||||||
if (p == NULL) {
|
|
||||||
@@ -242,6 +242,12 @@ main(int argc, char *argv[])
|
|
||||||
show_usage(argv[0]);
|
|
||||||
exit(EXIT_FAILURE);
|
|
||||||
}
|
|
||||||
+ if (hashlen >= MAXHASHLEN) {
|
|
||||||
+ fprintf(stderr,
|
|
||||||
+ "please supply a value smaller than %lu for the -n option\n",
|
|
||||||
+ MAXHASHLEN);
|
|
||||||
+ exit(EXIT_FAILURE);
|
|
||||||
+ }
|
|
||||||
break;
|
|
||||||
case 's':
|
|
||||||
salt = optarg;
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:407154c510a2401ecfaa1919588003964ba36121882f8d26125324805565f8d0
|
|
||||||
size 864500
|
|
@ -1,17 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
Version: GnuPG v1.4.12 (GNU/Linux)
|
|
||||||
|
|
||||||
iQIcBAABAgAGBQJP/HM8AAoJENmwV3vZPpj8vP0P/Ava8T7fJGfvn1H+56RKG1lh
|
|
||||||
I8RGFRzQCXN4xpYoxPBfFYpbc5GoteFw/Pcb0BKddePBk4tHuHYPRwvS1ps8nyH/
|
|
||||||
ekb8P5fsrkHV6+o/j5s99oY8dkW/FFYx0YfVOER63DpU7WWRK7md0smsQpaCUFKV
|
|
||||||
9pv3jvh/1AMDmvs5wgxV0BWKXih/COUoGlG1AJU9V6PlKol6wxOYzXw2t6LqU3Zg
|
|
||||||
9gHjlSPUuorabKnfkkcG+Gy7yT2Y8d+EnVdc1H+ihHLH27hmcSGMf/csm+tCCuJ5
|
|
||||||
To/jXFB642BObohLGmE9bPhRp9Pj2bi59M6lPKRYQ2ncowewkqIZ2s4SJ8r5stn5
|
|
||||||
W0UhXgkGLjQd4xti8/etpebnDPzMdSRg5LuLSxOTf/bjWI1jH63+4AfYoF+mx/N9
|
|
||||||
kT6EKiIR216TBdffv1i28HbG4pQIsGhlx0JkQnAUqklHDNWf7fSMGEuadYYNngcD
|
|
||||||
cBCPmD3R0JXM6qf6RasdCGlHUnR3DZKUzLGqqkq8/r7SvyxqRbIoerBrNxwcHUbh
|
|
||||||
emzfHS09ysx33RhEenFfZNH4lL6PEPnlrg2q8DfUj/NoUkiw9qfTM4cRIBabgoi9
|
|
||||||
uc2Qt/jK+QvE1clxBE4XmepZZH+e2Pdy52JrnI1ckA+FvY44GwBVE1hfxyyXFc+J
|
|
||||||
3V84y23640r2RvRoq2ff
|
|
||||||
=67gq
|
|
||||||
-----END PGP SIGNATURE-----
|
|
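--- a/cryptsetup-1.5.1.tar.bz2
+++ b/cryptsetup-1.5.1.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:16d23f78cab35937281a0ae7a8febce0c3a1a0f291cc94e169a7b968b81d2b36
+size 958979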
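--- a/cryptsetup-1.5.1.tar.bz2.asc
+++ b/cryptsetup-1.5.1.tar.bz2.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.12 (GNU/Linux)
+
+iQIcBAABAgAGBQJQfb41AAoJENmwV3vZPpj8nv4QAJAGr5zYVzCnuBS3j6AKWwIo
+JUcoxRnNPNSuw+qIk3oVhsEfCZKZrhPbVKN4l058r9UVrKfCjH/BpemkEkvPpJXe
+I7xm6H+PI9nSx43h69Y+aW9LVD4y4F5WpBrlzCcYbJbKiDYmobXciaU+c81AuJFe
+s682e0oDp691oiUHtuXD70ivhqi7hkUgm5ftLSDNJ8K2i4V60AsQ6CCHNc7HobJo
+jEnzwwsSXhyad8SCiyWhfyCadHcDfMrlQHcbCOl5DnFRM5hJz7fOedXz2D6jpGhA
+MLQHVEE7ANDCz2RvrX7Bh9BTfGydQfDlelD+gDqVmdrOcy0x9EDQ6Ux3ITroms65
+wLfX5yWA7yaqWUGpoeQhQ0w5Pnsy7SnDxXXRK+yg90QRkJYrS7idrwXHQSPhkaFS
+LSgxnEMEYnyEy6g25nFSEx+gRqkdnXioXpe2ULr4DgZwRcjTeLyQ8aeVu0a/9JWw
+amTLEgq77R5uk10Eco5dlI0bjb/bkSvT/9IrvKSWiPnE3XkaX6isK5F0EmLhnZDj
+uotYrZ0MBHfaqFP/qiqbMQ1kb0AFdhzYyEJ63gGd0gRNcdM/GYxvKOADii9WDOT2
+MSX2KZOnaTxFBUsatgGcedJgcQL3QumHUfPzE2qOkzt5KCthbV5Oe9tyvGoy/UVh
+/TQwxHvPZVH/lpaJsGtx
+=VyhW
+-----END PGP SIGNATURE-----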
@ -1,8 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
# repo is at http://cryptsetup.googlecode.com/svn/trunk
|
|
||||||
set -e -x
|
|
||||||
SVN_VERSION="1.0.7_SVNr`svnversion .`"
|
|
||||||
rm -rf cryptsetup-${SVN_VERSION}
|
|
||||||
svn export . cryptsetup-${SVN_VERSION}
|
|
||||||
tar --owner=root --group=root --force-local -cjf cryptsetup-${SVN_VERSION}.tar.bz2 cryptsetup-${SVN_VERSION}
|
|
||||||
rm -rf cryptsetup-${SVN_VERSION}
|
|
@ -1,3 +1,22 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Dec 13 10:46:43 UTC 2012 - lnussel@suse.de
|
||||||
|
|
||||||
|
- version 1.5.1:
|
||||||
|
* Added keyslot checker
|
||||||
|
* Add crypt_keyslot_area() API call.
|
||||||
|
* Optimize seek to keyfile-offset (Issue #135, thx to dreisner).
|
||||||
|
* Fix luksHeaderBackup for very old v1.0 unaligned LUKS headers.
|
||||||
|
* Allocate loop device late (only when real block device needed).
|
||||||
|
* Rework underlying device/file access functions.
|
||||||
|
* Create hash image if doesn't exist in veritysetup format.
|
||||||
|
* Provide better error message if running as non-root user (device-mapper, loop).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Dec 12 16:00:29 UTC 2012 - lnussel@suse.de
|
||||||
|
|
||||||
|
- split off hashalot and boot.crypto
|
||||||
|
- move to /usr
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Nov 20 18:41:11 CET 2012 - sbrabec@suse.cz
|
Tue Nov 20 18:41:11 CET 2012 - sbrabec@suse.cz
|
||||||
|
|
||||||
|
114
cryptsetup.spec
114
cryptsetup.spec
@ -29,11 +29,7 @@ BuildRequires: libselinux-devel
|
|||||||
BuildRequires: libtool
|
BuildRequires: libtool
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
BuildRequires: popt-devel
|
BuildRequires: popt-devel
|
||||||
# hashalot version
|
Version: 1.5.1
|
||||||
%define haver 0.3
|
|
||||||
# boot.crypto version
|
|
||||||
%define bcver 0_201206151440
|
|
||||||
Version: 1.5.0
|
|
||||||
Release: 0
|
Release: 0
|
||||||
#Release: %{?beta:0.}<CI_CNT>.<B_CNT>%{?beta:.}%{?beta}
|
#Release: %{?beta:0.}<CI_CNT>.<B_CNT>%{?beta:.}%{?beta}
|
||||||
Summary: Set Up dm-crypt Based Encrypted Block Devices
|
Summary: Set Up dm-crypt Based Encrypted Block Devices
|
||||||
@ -43,26 +39,7 @@ Source: http://cryptsetup.googlecode.com/files/cryptsetup-%{ver}.tar.bz2
|
|||||||
Source1: http://cryptsetup.googlecode.com/files/cryptsetup-%{ver}.tar.bz2.asc
|
Source1: http://cryptsetup.googlecode.com/files/cryptsetup-%{ver}.tar.bz2.asc
|
||||||
Source2: baselibs.conf
|
Source2: baselibs.conf
|
||||||
Source3: %{name}.keyring
|
Source3: %{name}.keyring
|
||||||
Source10: hashalot-%haver.tar.bz2
|
|
||||||
# git://gitorious.org/opensuse/boot_crypto.git
|
|
||||||
Source20: boot.crypto-%{bcver}.tar.bz2
|
|
||||||
# use this to create the tarball from svn
|
|
||||||
Source99: cryptsetup-mktar
|
|
||||||
#Patch0: cryptsetup-svn131-noascii.diff
|
|
||||||
Patch10: hashalot-fixes.diff
|
|
||||||
Patch11: hashalot-libgcrypt.diff
|
|
||||||
Patch12: hashalot-ctrl-d.diff
|
|
||||||
Patch13: hashalot-timeout.diff
|
|
||||||
Patch14: hashalot-manpage.diff
|
|
||||||
Patch15: bug-476290_hashalot-hashlen.diff
|
|
||||||
Patch16: hashalot-glibc210.diff
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
Provides: aaa_base:/etc/init.d/boot.crypto
|
|
||||||
Obsoletes: util-linux-crypto <= 2.12r
|
|
||||||
# we need losetup
|
|
||||||
Requires: util-linux
|
|
||||||
PreReq: %fillup_prereq %insserv_prereq
|
|
||||||
PreReq: coreutils diffutils
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
cryptsetup is used to conveniently set up dm-crypt based device-mapper
|
cryptsetup is used to conveniently set up dm-crypt based device-mapper
|
||||||
@ -104,20 +81,7 @@ time via the config file /etc/crypttab.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%gpg_verify %{S:1}
|
%gpg_verify %{S:1}
|
||||||
%setup -n %name-%ver -q -b 10 -b 20
|
%setup -n %name-%ver -q
|
||||||
#patch0 -p1
|
|
||||||
pushd ../hashalot-%haver
|
|
||||||
%patch10 -p1
|
|
||||||
%patch11 -p1
|
|
||||||
%patch12 -p1
|
|
||||||
%patch13 -p1
|
|
||||||
%patch14 -p1
|
|
||||||
%patch15 -p1
|
|
||||||
%patch16 -p1
|
|
||||||
popd
|
|
||||||
pushd ../boot.crypto-%bcver
|
|
||||||
#patch20 -p1
|
|
||||||
popd
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# cryptsetup build
|
# cryptsetup build
|
||||||
@ -125,61 +89,24 @@ popd
|
|||||||
autoreconf -f -i
|
autoreconf -f -i
|
||||||
test -e po/Makevars || cp po/Makevars.template po/Makevars
|
test -e po/Makevars || cp po/Makevars.template po/Makevars
|
||||||
%configure \
|
%configure \
|
||||||
--libdir=/%_lib \
|
|
||||||
--bindir=/sbin --sbindir=/sbin \
|
|
||||||
--disable-static --enable-shared \
|
--disable-static --enable-shared \
|
||||||
--enable-cryptsetup-reencrypt \
|
--enable-cryptsetup-reencrypt \
|
||||||
--enable-selinux
|
--enable-selinux
|
||||||
make %{?_smp_mflags}
|
make %{?_smp_mflags}
|
||||||
#
|
|
||||||
# hashalot build
|
|
||||||
pushd ../hashalot-%haver
|
|
||||||
autoreconf -f -i
|
|
||||||
%{?suse_update_config:%{suse_update_config}}
|
|
||||||
%configure --sbindir=/sbin
|
|
||||||
make %{?_smp_mflags}
|
|
||||||
popd
|
|
||||||
|
|
||||||
%install
|
%install
|
||||||
make install DESTDIR=$RPM_BUILD_ROOT
|
make install DESTDIR=$RPM_BUILD_ROOT
|
||||||
# move devel stuff to %%{libdir}
|
install -d -m 755 $RPM_BUILD_ROOT/sbin
|
||||||
rm -f $RPM_BUILD_ROOT/%{_lib}/libcryptsetup.so
|
ln -s ..%{_sbindir}/cryptsetup $RPM_BUILD_ROOT/sbin
|
||||||
mkdir -p $RPM_BUILD_ROOT%{_libdir}
|
|
||||||
ln -s /%{_lib}/libcryptsetup.so.4 $RPM_BUILD_ROOT%{_libdir}/libcryptsetup.so
|
|
||||||
mv $RPM_BUILD_ROOT/%_lib/pkgconfig $RPM_BUILD_ROOT/%_libdir
|
|
||||||
# don't want this file in /lib (FHS compat check), and can't move it to /usr/lib
|
# don't want this file in /lib (FHS compat check), and can't move it to /usr/lib
|
||||||
rm -f $RPM_BUILD_ROOT/%_lib/*.la
|
rm -f $RPM_BUILD_ROOT/%_libdir/*.la
|
||||||
#
|
|
||||||
# hashalot install
|
|
||||||
pushd ../hashalot-%haver
|
|
||||||
make install DESTDIR=$RPM_BUILD_ROOT
|
|
||||||
popd
|
|
||||||
# remove unwanted symlinks
|
|
||||||
rm -f $RPM_BUILD_ROOT/sbin/{rmd160,sha256,sha384,sha512}
|
|
||||||
#
|
|
||||||
# boot.crypto
|
|
||||||
make -C ../boot.crypto-* install DESTDIR=$RPM_BUILD_ROOT
|
|
||||||
ln -s /etc/init.d/boot.crypto $RPM_BUILD_ROOT/sbin/rccrypto
|
|
||||||
#
|
#
|
||||||
%find_lang %name --all-name
|
%find_lang %name --all-name
|
||||||
|
|
||||||
# systemd is now providing cryptsetup manpage
|
|
||||||
rm -f $RPM_BUILD_ROOT%_mandir/man5/crypttab.5*
|
|
||||||
|
|
||||||
%pre
|
%pre
|
||||||
# hack to catch update case from aaa_base/util-linux-crypto
|
|
||||||
if [ -f /etc/init.d/boot.d/S??boot.crypto ]; then
|
|
||||||
touch /var/run/cryptsetup.boot.crypto.enabled
|
|
||||||
fi
|
|
||||||
|
|
||||||
%post
|
%post
|
||||||
[ -x /sbin/mkinitrd_setup ] && mkinitrd_setup
|
test -n "$FIRST_ARG" || FIRST_ARG="$1"
|
||||||
%{fillup_and_insserv boot.crypto}
|
|
||||||
if [ -e /var/run/cryptsetup.boot.crypto.enabled ]; then
|
|
||||||
rm -f /var/run/cryptsetup.boot.crypto.enabled
|
|
||||||
%{fillup_and_insserv -fY boot.crypto}
|
|
||||||
fi
|
|
||||||
%{fillup_and_insserv boot.crypto-early}
|
|
||||||
#
|
#
|
||||||
# convert noauto to nofail and turn on fsck (bnc#724113)
|
# convert noauto to nofail and turn on fsck (bnc#724113)
|
||||||
#
|
#
|
||||||
@ -198,42 +125,25 @@ if [ "$FIRST_ARG" -gt 1 -a ! -e "$marker" ]; then
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
%postun
|
|
||||||
[ -x /sbin/mkinitrd_setup ] && mkinitrd_setup
|
|
||||||
%{insserv_cleanup}
|
|
||||||
|
|
||||||
%post -n libcryptsetup4 -p /sbin/ldconfig
|
%post -n libcryptsetup4 -p /sbin/ldconfig
|
||||||
|
|
||||||
%postun -n libcryptsetup4 -p /sbin/ldconfig
|
%postun -n libcryptsetup4 -p /sbin/ldconfig
|
||||||
|
|
||||||
%files -f %name.lang
|
%files -f %name.lang
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
%ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/crypttab
|
#ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/crypttab
|
||||||
%ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/cryptotab
|
#ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/cryptotab
|
||||||
/etc/init.d/boot.crypto
|
|
||||||
/etc/init.d/boot.crypto-early
|
|
||||||
%dir /lib/mkinitrd
|
|
||||||
%dir /lib/mkinitrd/scripts
|
|
||||||
/lib/mkinitrd/scripts/setup-luks.sh
|
|
||||||
/lib/mkinitrd/scripts/boot-luks.sh
|
|
||||||
/lib/mkinitrd/scripts/setup-luks2.sh
|
|
||||||
/lib/mkinitrd/scripts/setup-luks_final.sh
|
|
||||||
/usr/sbin/convert_cryptotab
|
|
||||||
/sbin/cryptsetup
|
/sbin/cryptsetup
|
||||||
/sbin/veritysetup
|
%{_sbindir}/cryptsetup
|
||||||
/sbin/hashalot
|
%{_sbindir}/veritysetup
|
||||||
/sbin/rccrypto
|
%{_sbindir}/cryptsetup-reencrypt
|
||||||
/sbin/cryptsetup-reencrypt
|
|
||||||
%_mandir/man1/hashalot.1.gz
|
|
||||||
%_mandir/man8/cryptsetup.8.gz
|
%_mandir/man8/cryptsetup.8.gz
|
||||||
%_mandir/man8/cryptsetup-reencrypt.8.gz
|
%_mandir/man8/cryptsetup-reencrypt.8.gz
|
||||||
%_mandir/man8/veritysetup.8.gz
|
%_mandir/man8/veritysetup.8.gz
|
||||||
%_mandir/man5/cryptotab.5.gz
|
|
||||||
/lib/cryptsetup
|
|
||||||
|
|
||||||
%files -n libcryptsetup4
|
%files -n libcryptsetup4
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
/%_lib/libcryptsetup.so.4*
|
/%{_libdir}/libcryptsetup.so.4*
|
||||||
|
|
||||||
%files -n libcryptsetup-devel
|
%files -n libcryptsetup-devel
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
|
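Review bot: In `%files` the two `%ghost %verify(not md5 size mtime) %config(noreplace,missingok)` entries for `/etc/crypttab` and `/etc/cryptotab` are switched off with a leading `#` rather than moved, so as far as this section shows the package no longer owns either file, while the `%post` scriptlet still carries the "convert noauto to nofail" step (its body lies outside the visible hunks and presumably edits crypttab). Because crypttab decides which encrypted volumes are unlocked at boot, an upgrade from 1.5.0 on a machine with an existing `/etc/crypttab` should be tested to confirm rpm leaves the file in place; if ownership is meant to move to one of the split-off packages, record that next to the disabled lines, e.g. `# /etc/crypttab is now owned by <split-off package>`. Separately, `/%{_libdir}/libcryptsetup.so.4*` has a redundant leading slash, since `%{_libdir}` is already absolute (the old side writes `$RPM_BUILD_ROOT%{_libdir}`); `%{_libdir}/libcryptsetup.so.4*` is enough, and the same applies to `rm -f $RPM_BUILD_ROOT/%_libdir/*.la`, whose comment about `/lib` no longer matches the new path.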
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:5958c371ba2469150b19f4c3a66bb374a7b1e287df4d0bfeb5e7c480da15424d
|
|
||||||
size 68508
|
|
@ -1,29 +0,0 @@
|
|||||||
exit unsuccessfully on empty passphrase if input is a tty
|
|
||||||
|
|
||||||
allows user to press ctrl-d to abort
|
|
||||||
|
|
||||||
Signed-off-by: Ludwig Nussel <ludwig.nussel@suse.de>
|
|
||||||
|
|
||||||
Index: hashalot-0.3/hashalot.c
|
|
||||||
===================================================================
|
|
||||||
--- hashalot-0.3.orig/hashalot.c
|
|
||||||
+++ hashalot-0.3/hashalot.c
|
|
||||||
@@ -135,10 +135,14 @@ phash_lookup(const char phash_name[], si
|
|
||||||
static char *
|
|
||||||
xgetpass(const char *prompt)
|
|
||||||
{
|
|
||||||
- if (isatty(STDIN_FILENO)) /* terminal */
|
|
||||||
- return getpass(prompt); /* FIXME getpass(3) obsolete */
|
|
||||||
- else { /* file descriptor */
|
|
||||||
- char *pass = NULL;
|
|
||||||
+ char *pass = NULL;
|
|
||||||
+ if (isatty(STDIN_FILENO)) { /* terminal */
|
|
||||||
+ pass = getpass(prompt); /* FIXME getpass(3) obsolete */
|
|
||||||
+ if(!pass || !*pass) {
|
|
||||||
+ exit(EXIT_FAILURE);
|
|
||||||
+ }
|
|
||||||
+ return pass;
|
|
||||||
+ } else { /* file descriptor */
|
|
||||||
int buflen, i;
|
|
||||||
|
|
||||||
buflen=0;
|
|
@ -1,37 +0,0 @@
|
|||||||
- print help text to stdout so it can be read via pager
|
|
||||||
- use proper length in phash_rmd160()
|
|
||||||
|
|
||||||
Signed-off-by: Ludwig Nussel <ludwig.nussel@suse.de>
|
|
||||||
|
|
||||||
Index: hashalot-0.3/hashalot.c
|
|
||||||
===================================================================
|
|
||||||
--- hashalot-0.3/hashalot.c.orig
|
|
||||||
+++ hashalot-0.3/hashalot.c
|
|
||||||
@@ -42,7 +42,7 @@ phash_rmd160(char dest[], size_t dest_le
|
|
||||||
tmp[PASSWDBUFFLEN - 1] = '\0';
|
|
||||||
|
|
||||||
rmd160_hash_buffer(key, src, src_len);
|
|
||||||
- rmd160_hash_buffer(key + RMD160_HASH_SIZE, tmp, src_len + 1 /* dangerous! */);
|
|
||||||
+ rmd160_hash_buffer(key + RMD160_HASH_SIZE, tmp, strlen(tmp));
|
|
||||||
|
|
||||||
memcpy(dest, key, dest_len);
|
|
||||||
|
|
||||||
@@ -95,7 +95,7 @@ show_usage(const char argv0[])
|
|
||||||
{
|
|
||||||
struct func_table_t *p = func_table;
|
|
||||||
|
|
||||||
- fprintf (stderr,
|
|
||||||
+ fprintf (stdout,
|
|
||||||
"usage:\n"
|
|
||||||
" hashalot [ -x ] [ -s SALT ] [ -n _#bytes_ ] HASHTYPE\n"
|
|
||||||
" or\n"
|
|
||||||
@@ -106,7 +106,8 @@ show_usage(const char argv0[])
|
|
||||||
for (; p->name; ++p)
|
|
||||||
fprintf (stderr, "%s ", p->name);
|
|
||||||
|
|
||||||
- fprintf (stderr, "\n");
|
|
||||||
+
|
|
||||||
+ fprintf (stdout, "\n");
|
|
||||||
|
|
||||||
return 1;
|
|
||||||
}
|
|
@ -1,25 +0,0 @@
|
|||||||
Index: hashalot-0.3/hashalot.c
|
|
||||||
===================================================================
|
|
||||||
--- hashalot-0.3.orig/hashalot.c
|
|
||||||
+++ hashalot-0.3/hashalot.c
|
|
||||||
@@ -22,6 +22,7 @@
|
|
||||||
#include <unistd.h>
|
|
||||||
#include <assert.h>
|
|
||||||
#include <signal.h>
|
|
||||||
+#include <limits.h>
|
|
||||||
|
|
||||||
#include <sys/types.h>
|
|
||||||
#include <sys/mman.h>
|
|
||||||
Index: hashalot-0.3/Makefile.am
|
|
||||||
===================================================================
|
|
||||||
--- hashalot-0.3.orig/Makefile.am
|
|
||||||
+++ hashalot-0.3/Makefile.am
|
|
||||||
@@ -4,7 +4,7 @@ sbin_PROGRAMS = hashalot
|
|
||||||
man_MANS = hashalot.1
|
|
||||||
|
|
||||||
hashalot_CFLAGS = $(LIBGCRYPT_CFLAGS)
|
|
||||||
-hashalot_LDFLAGS = $(LIBGCRYPT_LIBS)
|
|
||||||
+hashalot_LDADD = $(LIBGCRYPT_LIBS)
|
|
||||||
|
|
||||||
hashalot_SOURCES = hashalot.c rmd160.c rmd160.h sha512.c sha512.h
|
|
||||||
|
|
@ -1,156 +0,0 @@
|
|||||||
add support for -C (itercountk) option of loop-AES if libgcrypt is available
|
|
||||||
|
|
||||||
Signed-off-by: Ludwig Nussel <ludwig.nussel@suse.de>
|
|
||||||
|
|
||||||
Index: hashalot-0.3/Makefile.am
|
|
||||||
===================================================================
|
|
||||||
--- hashalot-0.3/Makefile.am.orig
|
|
||||||
+++ hashalot-0.3/Makefile.am
|
|
||||||
@@ -3,6 +3,9 @@ sbin_PROGRAMS = hashalot
|
|
||||||
|
|
||||||
man_MANS = hashalot.1
|
|
||||||
|
|
||||||
+hashalot_CFLAGS = $(LIBGCRYPT_CFLAGS)
|
|
||||||
+hashalot_LDFLAGS = $(LIBGCRYPT_LIBS)
|
|
||||||
+
|
|
||||||
hashalot_SOURCES = hashalot.c rmd160.c rmd160.h sha512.c sha512.h
|
|
||||||
|
|
||||||
install-exec-hook:
|
|
||||||
Index: hashalot-0.3/configure.ac
|
|
||||||
===================================================================
|
|
||||||
--- hashalot-0.3/configure.ac.orig
|
|
||||||
+++ hashalot-0.3/configure.ac
|
|
||||||
@@ -8,5 +8,6 @@ AC_PROG_LN_S
|
|
||||||
AC_HEADER_STDC
|
|
||||||
AC_CHECK_HEADERS(libgen.h stdio.h stdlib.h string.h unistd.h assert.h sys/types.h sys/mman.h endian.h , , [ AC_MSG_ERROR(required header not found)])
|
|
||||||
AC_CHECK_FUNCS(getopt snprintf , , [ AC_MSG_ERROR(required function not found)])
|
|
||||||
+AM_PATH_LIBGCRYPT(,[AC_DEFINE([HAVE_LIBGCRYPT], 1)])
|
|
||||||
|
|
||||||
AC_OUTPUT(Makefile)
|
|
||||||
Index: hashalot-0.3/hashalot.c
|
|
||||||
===================================================================
|
|
||||||
--- hashalot-0.3/hashalot.c.orig
|
|
||||||
+++ hashalot-0.3/hashalot.c
|
|
||||||
@@ -25,6 +25,10 @@
|
|
||||||
#include <sys/types.h>
|
|
||||||
#include <sys/mman.h>
|
|
||||||
|
|
||||||
+#if HAVE_LIBGCRYPT
|
|
||||||
+#include <gcrypt.h>
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
#include "rmd160.h"
|
|
||||||
#include "sha512.h"
|
|
||||||
|
|
||||||
@@ -97,9 +101,9 @@ show_usage(const char argv0[])
|
|
||||||
|
|
||||||
fprintf (stdout,
|
|
||||||
"usage:\n"
|
|
||||||
- " hashalot [ -x ] [ -s SALT ] [ -n _#bytes_ ] HASHTYPE\n"
|
|
||||||
+ " hashalot [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ] HASHTYPE\n"
|
|
||||||
" or\n"
|
|
||||||
- " HASHTYPE [ -x ] [ -s SALT ] [ -n _#bytes_ ]\n"
|
|
||||||
+ " HASHTYPE [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ]\n"
|
|
||||||
"\n"
|
|
||||||
"supported values for HASHTYPE: ");
|
|
||||||
|
|
||||||
@@ -214,8 +218,9 @@ main(int argc, char *argv[])
|
|
||||||
size_t hashlen = 0;
|
|
||||||
phash_func_t func;
|
|
||||||
int hex_output = 0, c;
|
|
||||||
+ unsigned long itercountk = 0;
|
|
||||||
|
|
||||||
- while ((c = getopt(argc, argv, "n:s:x")) != -1) {
|
|
||||||
+ while ((c = getopt(argc, argv, "n:s:xC:")) != -1) {
|
|
||||||
switch (c) {
|
|
||||||
case 'n':
|
|
||||||
hashlen = strtoul(optarg, &p, 0);
|
|
||||||
@@ -233,6 +238,9 @@ main(int argc, char *argv[])
|
|
||||||
case 'x':
|
|
||||||
hex_output++;
|
|
||||||
break;
|
|
||||||
+ case 'C':
|
|
||||||
+ itercountk = atoi(optarg);
|
|
||||||
+ break;
|
|
||||||
default:
|
|
||||||
show_usage(argv[0]);
|
|
||||||
exit(EXIT_FAILURE);
|
|
||||||
@@ -257,6 +265,8 @@ main(int argc, char *argv[])
|
|
||||||
* plus a newline, plus a null */
|
|
||||||
passhash = xmalloc(2*hashlen + 2);
|
|
||||||
|
|
||||||
+ memset(passhash, 0, 2*hashlen+2);
|
|
||||||
+
|
|
||||||
/* try to lock memory so it doesn't get swapped out for sure */
|
|
||||||
if (mlockall(MCL_CURRENT | MCL_FUTURE) == -1) {
|
|
||||||
perror("mlockall");
|
|
||||||
@@ -268,6 +278,69 @@ main(int argc, char *argv[])
|
|
||||||
if (salt)
|
|
||||||
pass = salt_passphrase(pass, salt);
|
|
||||||
hashlen = func(passhash, hashlen, pass, strlen(pass));
|
|
||||||
+
|
|
||||||
+ if(itercountk) /* from loop-AES */
|
|
||||||
+ {
|
|
||||||
+#if HAVE_LIBGCRYPT
|
|
||||||
+ gcry_cipher_hd_t ctx;
|
|
||||||
+ gcry_error_t err;
|
|
||||||
+ char tmp[32];
|
|
||||||
+ char out[32];
|
|
||||||
+
|
|
||||||
+ if(hashlen > 32) {
|
|
||||||
+ fprintf(stderr, "WARNING: hashlen truncated to 32\n");
|
|
||||||
+ hashlen = 32;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if(!gcry_check_version("1.1.0")) {
|
|
||||||
+ fprintf(stderr, "libgcrypt initialization failed\n");
|
|
||||||
+ exit(EXIT_FAILURE);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ memset(out, 0, sizeof(out));
|
|
||||||
+ memcpy(out, passhash, hashlen);
|
|
||||||
+
|
|
||||||
+ err = gcry_cipher_open(&ctx, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CBC, 0);
|
|
||||||
+ if(err)
|
|
||||||
+ {
|
|
||||||
+ fprintf(stderr, "can't initialize AES: %s\n", gcry_strerror (err));
|
|
||||||
+ exit(EXIT_FAILURE);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Set up AES-256 encryption key using same password and hash function
|
|
||||||
+ * as before but with password bit 0 flipped before hashing. That key
|
|
||||||
+ * is then used to encrypt actual loop key 'itercountk' thousand times.
|
|
||||||
+ */
|
|
||||||
+ pass[0] ^= 1;
|
|
||||||
+ func(&tmp[0], 32, pass, strlen(pass));
|
|
||||||
+ gcry_cipher_setkey(ctx, &tmp[0], 32);
|
|
||||||
+ itercountk *= 1000;
|
|
||||||
+ while(itercountk > 0) {
|
|
||||||
+ gcry_cipher_reset(ctx);
|
|
||||||
+ gcry_cipher_setiv(ctx, NULL, 0);
|
|
||||||
+ /* encrypt both 128bit blocks with AES-256 */
|
|
||||||
+ gcry_cipher_encrypt(ctx, &out[ 0], 16, &out[ 0], 16);
|
|
||||||
+ gcry_cipher_reset(ctx);
|
|
||||||
+ gcry_cipher_setiv(ctx, NULL, 0);
|
|
||||||
+ gcry_cipher_encrypt(ctx, &out[16], 16, &out[16], 16);
|
|
||||||
+ /* exchange upper half of first block with lower half of second block */
|
|
||||||
+ memcpy(&tmp[0], &out[8], 8);
|
|
||||||
+ memcpy(&out[8], &out[16], 8);
|
|
||||||
+ memcpy(&out[16], &tmp[0], 8);
|
|
||||||
+ itercountk--;
|
|
||||||
+ }
|
|
||||||
+ memset(&tmp[0], 0, sizeof(tmp));
|
|
||||||
+
|
|
||||||
+ memcpy(passhash, out, hashlen);
|
|
||||||
+
|
|
||||||
+ gcry_cipher_close(ctx);
|
|
||||||
+#else
|
|
||||||
+ fprintf(stderr, "libgcrypt support is required for option -C\n");
|
|
||||||
+ exit(EXIT_FAILURE);
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+ }
|
|
||||||
memset (pass, 0, strlen (pass)); /* paranoia */
|
|
||||||
free(pass);
|
|
||||||
|
|
@ -1,39 +0,0 @@
|
|||||||
document -C and -t options in manpage
|
|
||||||
|
|
||||||
Signed-off-by: Ludwig Nussel <ludwig.nussel@suse.de>
|
|
||||||
|
|
||||||
Index: hashalot-0.3/hashalot.1
|
|
||||||
===================================================================
|
|
||||||
--- hashalot-0.3/hashalot.1.orig
|
|
||||||
+++ hashalot-0.3/hashalot.1
|
|
||||||
@@ -2,9 +2,9 @@
|
|
||||||
.SH NAME
|
|
||||||
hashalot \- read a passphrase and print a hash
|
|
||||||
.SH SYNOPSIS
|
|
||||||
-.B hashalot [ \-s SALT ] [ \-x ] [ \-n #BYTES ] HASHTYPE
|
|
||||||
+.B hashalot [ \-t secs ] [ \-s SALT ] [ \-x ] [ \-n #BYTES ] [ \-C itercountk ] HASHTYPE
|
|
||||||
.br
|
|
||||||
-.B HASHTYPE [ \-s SALT ] [ \-x ] [ \-n #BYTES ]
|
|
||||||
+.B HASHTYPE [ \-t secs ] [ \-s SALT ] [ \-x ] [ \-n #BYTES ] [ \-C itercountk ]
|
|
||||||
.SH DESCRIPTION
|
|
||||||
.PP
|
|
||||||
\fIhashalot\fP is a small tool that reads a passphrase from standard
|
|
||||||
@@ -36,6 +36,18 @@ option can be used to limit (or increase
|
|
||||||
default is as appropriate for the specified hash algorithm: 20 bytes for
|
|
||||||
RIPEMD160, 32 bytes for SHA256, etc. The default for the "rmd160compat"
|
|
||||||
hash is 16 bytes, for compatibility with the old kerneli.org utilities.
|
|
||||||
+.PP
|
|
||||||
+The
|
|
||||||
+.B \-t
|
|
||||||
+option specifies a timeout for reading the passphrase from the terminal.
|
|
||||||
+.PP
|
|
||||||
+The
|
|
||||||
+.B \-C
|
|
||||||
+option specifies that the hashed password has to be encrypted
|
|
||||||
+itercountk thousand times using AES-256. Use for compatability with
|
|
||||||
+loop-AES.
|
|
||||||
+.PP
|
|
||||||
+The options \-t and \-C are currently SUSE specific
|
|
||||||
.SH AUTHOR
|
|
||||||
Ben Slusky <sluskyb@paranoiacs.org>
|
|
||||||
.PP
|
|
@ -1,87 +0,0 @@
|
|||||||
add timeout option -t
|
|
||||||
|
|
||||||
Signed-off-by: Ludwig Nussel <ludwig.nussel@suse.de>
|
|
||||||
|
|
||||||
Index: hashalot-0.3/hashalot.c
|
|
||||||
===================================================================
|
|
||||||
--- hashalot-0.3.orig/hashalot.c
|
|
||||||
+++ hashalot-0.3/hashalot.c
|
|
||||||
@@ -21,6 +21,7 @@
|
|
||||||
#include <string.h>
|
|
||||||
#include <unistd.h>
|
|
||||||
#include <assert.h>
|
|
||||||
+#include <signal.h>
|
|
||||||
|
|
||||||
#include <sys/types.h>
|
|
||||||
#include <sys/mman.h>
|
|
||||||
@@ -36,6 +37,12 @@
|
|
||||||
|
|
||||||
typedef int (*phash_func_t)(char dest[], size_t dest_len, const char src[], size_t src_len);
|
|
||||||
|
|
||||||
+static int got_timeout;
|
|
||||||
+void alrm_handler(int num)
|
|
||||||
+{
|
|
||||||
+ got_timeout = 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int
|
|
||||||
phash_rmd160(char dest[], size_t dest_len, const char src[], size_t src_len)
|
|
||||||
{
|
|
||||||
@@ -101,9 +108,9 @@ show_usage(const char argv0[])
|
|
||||||
|
|
||||||
fprintf (stdout,
|
|
||||||
"usage:\n"
|
|
||||||
- " hashalot [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ] HASHTYPE\n"
|
|
||||||
+ " hashalot [ -t secs ] [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ] HASHTYPE\n"
|
|
||||||
" or\n"
|
|
||||||
- " HASHTYPE [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ]\n"
|
|
||||||
+ " HASHTYPE [ -t secs ] [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ]\n"
|
|
||||||
"\n"
|
|
||||||
"supported values for HASHTYPE: ");
|
|
||||||
|
|
||||||
@@ -222,8 +229,9 @@ main(int argc, char *argv[])
|
|
||||||
phash_func_t func;
|
|
||||||
int hex_output = 0, c;
|
|
||||||
unsigned long itercountk = 0;
|
|
||||||
+ unsigned timeout = 0;
|
|
||||||
|
|
||||||
- while ((c = getopt(argc, argv, "n:s:xC:")) != -1) {
|
|
||||||
+ while ((c = getopt(argc, argv, "n:s:xC:t:")) != -1) {
|
|
||||||
switch (c) {
|
|
||||||
case 'n':
|
|
||||||
hashlen = strtoul(optarg, &p, 0);
|
|
||||||
@@ -238,6 +246,9 @@ main(int argc, char *argv[])
|
|
||||||
case 's':
|
|
||||||
salt = optarg;
|
|
||||||
break;
|
|
||||||
+ case 't':
|
|
||||||
+ timeout = atoi(optarg);
|
|
||||||
+ break;
|
|
||||||
case 'x':
|
|
||||||
hex_output++;
|
|
||||||
break;
|
|
||||||
@@ -276,8 +287,24 @@ main(int argc, char *argv[])
|
|
||||||
fputs("Warning: couldn't lock memory, are you root?\n", stderr);
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if(timeout) {
|
|
||||||
+ struct sigaction sa;
|
|
||||||
+ sa.sa_handler = alrm_handler;
|
|
||||||
+ sigemptyset (&sa.sa_mask);
|
|
||||||
+ sa.sa_flags = 0;
|
|
||||||
+ sigaction(SIGALRM, &sa, NULL);
|
|
||||||
+ alarm(timeout);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* here we acquire the precious passphrase... */
|
|
||||||
pass = xgetpass("Enter passphrase: ");
|
|
||||||
+ if(got_timeout) {
|
|
||||||
+ exit(EXIT_FAILURE);
|
|
||||||
+ }
|
|
||||||
+ if(timeout) {
|
|
||||||
+ alarm(0);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (salt)
|
|
||||||
pass = salt_passphrase(pass, salt);
|
|
||||||
hashlen = func(passhash, hashlen, pass, strlen(pass));
|
|