SHA256
1
0
forked from pool/cryptsetup

Accepting request 145274 from home:lnussel:branches:security

ATTENTION: wait for cryptsetup-mkinitrd before checkin, otherwise installation
with root on crypto no longer boot

- version 1.5.1:
  * Added keyslot checker
  * Add crypt_keyslot_area() API call.
  * Optimize seek to keyfile-offset (Issue #135, thx to dreisner).
  * Fix luksHeaderBackup for very old v1.0 unaligned LUKS headers.
  * Allocate loop device late (only when real block device needed).
  * Rework underlying device/file access functions.
  * Create hash image if doesn't exist in veritysetup format.
  * Provide better error message if running as non-root user (device-mapper, loop).
- split off hashalot and boot.crypto
- move to /usr

OBS-URL: https://build.opensuse.org/request/show/145274
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=97
This commit is contained in:
Ludwig Nussel 2012-12-13 13:06:34 +00:00 committed by Git OBS Bridge
parent 7a1b87dbd3
commit 2469c1380b
16 changed files with 54 additions and 547 deletions

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:798e4ac415ebe1e4415e1b77b955b72c376dfc3d0fd7fc414f886f896da6393d
size 17582

View File

@ -1,35 +0,0 @@
Index: hashalot-0.3/hashalot.c
===================================================================
--- hashalot-0.3.orig/hashalot.c
+++ hashalot-0.3/hashalot.c
@@ -34,6 +34,7 @@
#include "sha512.h"
#define PASSWDBUFFLEN 130
+#define MAXHASHLEN (ULONG_MAX/2 - 2)
typedef int (*phash_func_t)(char dest[], size_t dest_len, const char src[], size_t src_len);
@@ -182,8 +183,7 @@ static void *
xmalloc (size_t size) {
void *p;
- if (size == 0)
- return NULL;
+ assert(size != 0);
p = malloc(size);
if (p == NULL) {
@@ -242,6 +242,12 @@ main(int argc, char *argv[])
show_usage(argv[0]);
exit(EXIT_FAILURE);
}
+ if (hashlen >= MAXHASHLEN) {
+ fprintf(stderr,
+ "please supply a value smaller than %lu for the -n option\n",
+ MAXHASHLEN);
+ exit(EXIT_FAILURE);
+ }
break;
case 's':
salt = optarg;

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:407154c510a2401ecfaa1919588003964ba36121882f8d26125324805565f8d0
size 864500

View File

@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAABAgAGBQJP/HM8AAoJENmwV3vZPpj8vP0P/Ava8T7fJGfvn1H+56RKG1lh
I8RGFRzQCXN4xpYoxPBfFYpbc5GoteFw/Pcb0BKddePBk4tHuHYPRwvS1ps8nyH/
ekb8P5fsrkHV6+o/j5s99oY8dkW/FFYx0YfVOER63DpU7WWRK7md0smsQpaCUFKV
9pv3jvh/1AMDmvs5wgxV0BWKXih/COUoGlG1AJU9V6PlKol6wxOYzXw2t6LqU3Zg
9gHjlSPUuorabKnfkkcG+Gy7yT2Y8d+EnVdc1H+ihHLH27hmcSGMf/csm+tCCuJ5
To/jXFB642BObohLGmE9bPhRp9Pj2bi59M6lPKRYQ2ncowewkqIZ2s4SJ8r5stn5
W0UhXgkGLjQd4xti8/etpebnDPzMdSRg5LuLSxOTf/bjWI1jH63+4AfYoF+mx/N9
kT6EKiIR216TBdffv1i28HbG4pQIsGhlx0JkQnAUqklHDNWf7fSMGEuadYYNngcD
cBCPmD3R0JXM6qf6RasdCGlHUnR3DZKUzLGqqkq8/r7SvyxqRbIoerBrNxwcHUbh
emzfHS09ysx33RhEenFfZNH4lL6PEPnlrg2q8DfUj/NoUkiw9qfTM4cRIBabgoi9
uc2Qt/jK+QvE1clxBE4XmepZZH+e2Pdy52JrnI1ckA+FvY44GwBVE1hfxyyXFc+J
3V84y23640r2RvRoq2ff
=67gq
-----END PGP SIGNATURE-----

3
cryptsetup-1.5.1.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:16d23f78cab35937281a0ae7a8febce0c3a1a0f291cc94e169a7b968b81d2b36
size 958979

View File

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAABAgAGBQJQfb41AAoJENmwV3vZPpj8nv4QAJAGr5zYVzCnuBS3j6AKWwIo
JUcoxRnNPNSuw+qIk3oVhsEfCZKZrhPbVKN4l058r9UVrKfCjH/BpemkEkvPpJXe
I7xm6H+PI9nSx43h69Y+aW9LVD4y4F5WpBrlzCcYbJbKiDYmobXciaU+c81AuJFe
s682e0oDp691oiUHtuXD70ivhqi7hkUgm5ftLSDNJ8K2i4V60AsQ6CCHNc7HobJo
jEnzwwsSXhyad8SCiyWhfyCadHcDfMrlQHcbCOl5DnFRM5hJz7fOedXz2D6jpGhA
MLQHVEE7ANDCz2RvrX7Bh9BTfGydQfDlelD+gDqVmdrOcy0x9EDQ6Ux3ITroms65
wLfX5yWA7yaqWUGpoeQhQ0w5Pnsy7SnDxXXRK+yg90QRkJYrS7idrwXHQSPhkaFS
LSgxnEMEYnyEy6g25nFSEx+gRqkdnXioXpe2ULr4DgZwRcjTeLyQ8aeVu0a/9JWw
amTLEgq77R5uk10Eco5dlI0bjb/bkSvT/9IrvKSWiPnE3XkaX6isK5F0EmLhnZDj
uotYrZ0MBHfaqFP/qiqbMQ1kb0AFdhzYyEJ63gGd0gRNcdM/GYxvKOADii9WDOT2
MSX2KZOnaTxFBUsatgGcedJgcQL3QumHUfPzE2qOkzt5KCthbV5Oe9tyvGoy/UVh
/TQwxHvPZVH/lpaJsGtx
=VyhW
-----END PGP SIGNATURE-----

View File

@ -1,8 +0,0 @@
#!/bin/sh
# repo is at http://cryptsetup.googlecode.com/svn/trunk
set -e -x
SVN_VERSION="1.0.7_SVNr`svnversion .`"
rm -rf cryptsetup-${SVN_VERSION}
svn export . cryptsetup-${SVN_VERSION}
tar --owner=root --group=root --force-local -cjf cryptsetup-${SVN_VERSION}.tar.bz2 cryptsetup-${SVN_VERSION}
rm -rf cryptsetup-${SVN_VERSION}

View File

@ -1,3 +1,22 @@
-------------------------------------------------------------------
Thu Dec 13 10:46:43 UTC 2012 - lnussel@suse.de
- version 1.5.1:
* Added keyslot checker
* Add crypt_keyslot_area() API call.
* Optimize seek to keyfile-offset (Issue #135, thx to dreisner).
* Fix luksHeaderBackup for very old v1.0 unaligned LUKS headers.
* Allocate loop device late (only when real block device needed).
* Rework underlying device/file access functions.
* Create hash image if doesn't exist in veritysetup format.
* Provide better error message if running as non-root user (device-mapper, loop).
-------------------------------------------------------------------
Wed Dec 12 16:00:29 UTC 2012 - lnussel@suse.de
- split off hashalot and boot.crypto
- move to /usr
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Nov 20 18:41:11 CET 2012 - sbrabec@suse.cz Tue Nov 20 18:41:11 CET 2012 - sbrabec@suse.cz

View File

@ -29,11 +29,7 @@ BuildRequires: libselinux-devel
BuildRequires: libtool BuildRequires: libtool
BuildRequires: pkgconfig BuildRequires: pkgconfig
BuildRequires: popt-devel BuildRequires: popt-devel
# hashalot version Version: 1.5.1
%define haver 0.3
# boot.crypto version
%define bcver 0_201206151440
Version: 1.5.0
Release: 0 Release: 0
#Release: %{?beta:0.}<CI_CNT>.<B_CNT>%{?beta:.}%{?beta} #Release: %{?beta:0.}<CI_CNT>.<B_CNT>%{?beta:.}%{?beta}
Summary: Set Up dm-crypt Based Encrypted Block Devices Summary: Set Up dm-crypt Based Encrypted Block Devices
@ -43,26 +39,7 @@ Source: http://cryptsetup.googlecode.com/files/cryptsetup-%{ver}.tar.bz2
Source1: http://cryptsetup.googlecode.com/files/cryptsetup-%{ver}.tar.bz2.asc Source1: http://cryptsetup.googlecode.com/files/cryptsetup-%{ver}.tar.bz2.asc
Source2: baselibs.conf Source2: baselibs.conf
Source3: %{name}.keyring Source3: %{name}.keyring
Source10: hashalot-%haver.tar.bz2
# git://gitorious.org/opensuse/boot_crypto.git
Source20: boot.crypto-%{bcver}.tar.bz2
# use this to create the tarball from svn
Source99: cryptsetup-mktar
#Patch0: cryptsetup-svn131-noascii.diff
Patch10: hashalot-fixes.diff
Patch11: hashalot-libgcrypt.diff
Patch12: hashalot-ctrl-d.diff
Patch13: hashalot-timeout.diff
Patch14: hashalot-manpage.diff
Patch15: bug-476290_hashalot-hashlen.diff
Patch16: hashalot-glibc210.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
Provides: aaa_base:/etc/init.d/boot.crypto
Obsoletes: util-linux-crypto <= 2.12r
# we need losetup
Requires: util-linux
PreReq: %fillup_prereq %insserv_prereq
PreReq: coreutils diffutils
%description %description
cryptsetup is used to conveniently set up dm-crypt based device-mapper cryptsetup is used to conveniently set up dm-crypt based device-mapper
@ -104,20 +81,7 @@ time via the config file /etc/crypttab.
%prep %prep
%gpg_verify %{S:1} %gpg_verify %{S:1}
%setup -n %name-%ver -q -b 10 -b 20 %setup -n %name-%ver -q
#patch0 -p1
pushd ../hashalot-%haver
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
popd
pushd ../boot.crypto-%bcver
#patch20 -p1
popd
%build %build
# cryptsetup build # cryptsetup build
@ -125,61 +89,24 @@ popd
autoreconf -f -i autoreconf -f -i
test -e po/Makevars || cp po/Makevars.template po/Makevars test -e po/Makevars || cp po/Makevars.template po/Makevars
%configure \ %configure \
--libdir=/%_lib \ --disable-static --enable-shared \
--bindir=/sbin --sbindir=/sbin \ --enable-cryptsetup-reencrypt \
--disable-static --enable-shared \ --enable-selinux
--enable-cryptsetup-reencrypt \
--enable-selinux
make %{?_smp_mflags} make %{?_smp_mflags}
#
# hashalot build
pushd ../hashalot-%haver
autoreconf -f -i
%{?suse_update_config:%{suse_update_config}}
%configure --sbindir=/sbin
make %{?_smp_mflags}
popd
%install %install
make install DESTDIR=$RPM_BUILD_ROOT make install DESTDIR=$RPM_BUILD_ROOT
# move devel stuff to %%{libdir} install -d -m 755 $RPM_BUILD_ROOT/sbin
rm -f $RPM_BUILD_ROOT/%{_lib}/libcryptsetup.so ln -s ..%{_sbindir}/cryptsetup $RPM_BUILD_ROOT/sbin
mkdir -p $RPM_BUILD_ROOT%{_libdir}
ln -s /%{_lib}/libcryptsetup.so.4 $RPM_BUILD_ROOT%{_libdir}/libcryptsetup.so
mv $RPM_BUILD_ROOT/%_lib/pkgconfig $RPM_BUILD_ROOT/%_libdir
# don't want this file in /lib (FHS compat check), and can't move it to /usr/lib # don't want this file in /lib (FHS compat check), and can't move it to /usr/lib
rm -f $RPM_BUILD_ROOT/%_lib/*.la rm -f $RPM_BUILD_ROOT/%_libdir/*.la
#
# hashalot install
pushd ../hashalot-%haver
make install DESTDIR=$RPM_BUILD_ROOT
popd
# remove unwanted symlinks
rm -f $RPM_BUILD_ROOT/sbin/{rmd160,sha256,sha384,sha512}
#
# boot.crypto
make -C ../boot.crypto-* install DESTDIR=$RPM_BUILD_ROOT
ln -s /etc/init.d/boot.crypto $RPM_BUILD_ROOT/sbin/rccrypto
# #
%find_lang %name --all-name %find_lang %name --all-name
# systemd is now providing cryptsetup manpage
rm -f $RPM_BUILD_ROOT%_mandir/man5/crypttab.5*
%pre %pre
# hack to catch update case from aaa_base/util-linux-crypto
if [ -f /etc/init.d/boot.d/S??boot.crypto ]; then
touch /var/run/cryptsetup.boot.crypto.enabled
fi
%post %post
[ -x /sbin/mkinitrd_setup ] && mkinitrd_setup test -n "$FIRST_ARG" || FIRST_ARG="$1"
%{fillup_and_insserv boot.crypto}
if [ -e /var/run/cryptsetup.boot.crypto.enabled ]; then
rm -f /var/run/cryptsetup.boot.crypto.enabled
%{fillup_and_insserv -fY boot.crypto}
fi
%{fillup_and_insserv boot.crypto-early}
# #
# convert noauto to nofail and turn on fsck (bnc#724113) # convert noauto to nofail and turn on fsck (bnc#724113)
# #
@ -198,42 +125,25 @@ if [ "$FIRST_ARG" -gt 1 -a ! -e "$marker" ]; then
fi fi
fi fi
%postun
[ -x /sbin/mkinitrd_setup ] && mkinitrd_setup
%{insserv_cleanup}
%post -n libcryptsetup4 -p /sbin/ldconfig %post -n libcryptsetup4 -p /sbin/ldconfig
%postun -n libcryptsetup4 -p /sbin/ldconfig %postun -n libcryptsetup4 -p /sbin/ldconfig
%files -f %name.lang %files -f %name.lang
%defattr(-,root,root) %defattr(-,root,root)
%ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/crypttab #ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/crypttab
%ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/cryptotab #ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/cryptotab
/etc/init.d/boot.crypto
/etc/init.d/boot.crypto-early
%dir /lib/mkinitrd
%dir /lib/mkinitrd/scripts
/lib/mkinitrd/scripts/setup-luks.sh
/lib/mkinitrd/scripts/boot-luks.sh
/lib/mkinitrd/scripts/setup-luks2.sh
/lib/mkinitrd/scripts/setup-luks_final.sh
/usr/sbin/convert_cryptotab
/sbin/cryptsetup /sbin/cryptsetup
/sbin/veritysetup %{_sbindir}/cryptsetup
/sbin/hashalot %{_sbindir}/veritysetup
/sbin/rccrypto %{_sbindir}/cryptsetup-reencrypt
/sbin/cryptsetup-reencrypt
%_mandir/man1/hashalot.1.gz
%_mandir/man8/cryptsetup.8.gz %_mandir/man8/cryptsetup.8.gz
%_mandir/man8/cryptsetup-reencrypt.8.gz %_mandir/man8/cryptsetup-reencrypt.8.gz
%_mandir/man8/veritysetup.8.gz %_mandir/man8/veritysetup.8.gz
%_mandir/man5/cryptotab.5.gz
/lib/cryptsetup
%files -n libcryptsetup4 %files -n libcryptsetup4
%defattr(-,root,root) %defattr(-,root,root)
/%_lib/libcryptsetup.so.4* /%{_libdir}/libcryptsetup.so.4*
%files -n libcryptsetup-devel %files -n libcryptsetup-devel
%defattr(-,root,root) %defattr(-,root,root)

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5958c371ba2469150b19f4c3a66bb374a7b1e287df4d0bfeb5e7c480da15424d
size 68508

View File

@ -1,29 +0,0 @@
exit unsuccessfully on empty passphrase if input is a tty
allows user to press ctrl-d to abort
Signed-off-by: Ludwig Nussel <ludwig.nussel@suse.de>
Index: hashalot-0.3/hashalot.c
===================================================================
--- hashalot-0.3.orig/hashalot.c
+++ hashalot-0.3/hashalot.c
@@ -135,10 +135,14 @@ phash_lookup(const char phash_name[], si
static char *
xgetpass(const char *prompt)
{
- if (isatty(STDIN_FILENO)) /* terminal */
- return getpass(prompt); /* FIXME getpass(3) obsolete */
- else { /* file descriptor */
- char *pass = NULL;
+ char *pass = NULL;
+ if (isatty(STDIN_FILENO)) { /* terminal */
+ pass = getpass(prompt); /* FIXME getpass(3) obsolete */
+ if(!pass || !*pass) {
+ exit(EXIT_FAILURE);
+ }
+ return pass;
+ } else { /* file descriptor */
int buflen, i;
buflen=0;

View File

@ -1,37 +0,0 @@
- print help text to stdout so it can be read via pager
- use proper length in phash_rmd160()
Signed-off-by: Ludwig Nussel <ludwig.nussel@suse.de>
Index: hashalot-0.3/hashalot.c
===================================================================
--- hashalot-0.3/hashalot.c.orig
+++ hashalot-0.3/hashalot.c
@@ -42,7 +42,7 @@ phash_rmd160(char dest[], size_t dest_le
tmp[PASSWDBUFFLEN - 1] = '\0';
rmd160_hash_buffer(key, src, src_len);
- rmd160_hash_buffer(key + RMD160_HASH_SIZE, tmp, src_len + 1 /* dangerous! */);
+ rmd160_hash_buffer(key + RMD160_HASH_SIZE, tmp, strlen(tmp));
memcpy(dest, key, dest_len);
@@ -95,7 +95,7 @@ show_usage(const char argv0[])
{
struct func_table_t *p = func_table;
- fprintf (stderr,
+ fprintf (stdout,
"usage:\n"
" hashalot [ -x ] [ -s SALT ] [ -n _#bytes_ ] HASHTYPE\n"
" or\n"
@@ -106,7 +106,8 @@ show_usage(const char argv0[])
for (; p->name; ++p)
fprintf (stderr, "%s ", p->name);
- fprintf (stderr, "\n");
+
+ fprintf (stdout, "\n");
return 1;
}

View File

@ -1,25 +0,0 @@
Index: hashalot-0.3/hashalot.c
===================================================================
--- hashalot-0.3.orig/hashalot.c
+++ hashalot-0.3/hashalot.c
@@ -22,6 +22,7 @@
#include <unistd.h>
#include <assert.h>
#include <signal.h>
+#include <limits.h>
#include <sys/types.h>
#include <sys/mman.h>
Index: hashalot-0.3/Makefile.am
===================================================================
--- hashalot-0.3.orig/Makefile.am
+++ hashalot-0.3/Makefile.am
@@ -4,7 +4,7 @@ sbin_PROGRAMS = hashalot
man_MANS = hashalot.1
hashalot_CFLAGS = $(LIBGCRYPT_CFLAGS)
-hashalot_LDFLAGS = $(LIBGCRYPT_LIBS)
+hashalot_LDADD = $(LIBGCRYPT_LIBS)
hashalot_SOURCES = hashalot.c rmd160.c rmd160.h sha512.c sha512.h

View File

@ -1,156 +0,0 @@
add support for -C (itercountk) option of loop-AES if libgcrypt is available
Signed-off-by: Ludwig Nussel <ludwig.nussel@suse.de>
Index: hashalot-0.3/Makefile.am
===================================================================
--- hashalot-0.3/Makefile.am.orig
+++ hashalot-0.3/Makefile.am
@@ -3,6 +3,9 @@ sbin_PROGRAMS = hashalot
man_MANS = hashalot.1
+hashalot_CFLAGS = $(LIBGCRYPT_CFLAGS)
+hashalot_LDFLAGS = $(LIBGCRYPT_LIBS)
+
hashalot_SOURCES = hashalot.c rmd160.c rmd160.h sha512.c sha512.h
install-exec-hook:
Index: hashalot-0.3/configure.ac
===================================================================
--- hashalot-0.3/configure.ac.orig
+++ hashalot-0.3/configure.ac
@@ -8,5 +8,6 @@ AC_PROG_LN_S
AC_HEADER_STDC
AC_CHECK_HEADERS(libgen.h stdio.h stdlib.h string.h unistd.h assert.h sys/types.h sys/mman.h endian.h , , [ AC_MSG_ERROR(required header not found)])
AC_CHECK_FUNCS(getopt snprintf , , [ AC_MSG_ERROR(required function not found)])
+AM_PATH_LIBGCRYPT(,[AC_DEFINE([HAVE_LIBGCRYPT], 1)])
AC_OUTPUT(Makefile)
Index: hashalot-0.3/hashalot.c
===================================================================
--- hashalot-0.3/hashalot.c.orig
+++ hashalot-0.3/hashalot.c
@@ -25,6 +25,10 @@
#include <sys/types.h>
#include <sys/mman.h>
+#if HAVE_LIBGCRYPT
+#include <gcrypt.h>
+#endif
+
#include "rmd160.h"
#include "sha512.h"
@@ -97,9 +101,9 @@ show_usage(const char argv0[])
fprintf (stdout,
"usage:\n"
- " hashalot [ -x ] [ -s SALT ] [ -n _#bytes_ ] HASHTYPE\n"
+ " hashalot [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ] HASHTYPE\n"
" or\n"
- " HASHTYPE [ -x ] [ -s SALT ] [ -n _#bytes_ ]\n"
+ " HASHTYPE [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ]\n"
"\n"
"supported values for HASHTYPE: ");
@@ -214,8 +218,9 @@ main(int argc, char *argv[])
size_t hashlen = 0;
phash_func_t func;
int hex_output = 0, c;
+ unsigned long itercountk = 0;
- while ((c = getopt(argc, argv, "n:s:x")) != -1) {
+ while ((c = getopt(argc, argv, "n:s:xC:")) != -1) {
switch (c) {
case 'n':
hashlen = strtoul(optarg, &p, 0);
@@ -233,6 +238,9 @@ main(int argc, char *argv[])
case 'x':
hex_output++;
break;
+ case 'C':
+ itercountk = atoi(optarg);
+ break;
default:
show_usage(argv[0]);
exit(EXIT_FAILURE);
@@ -257,6 +265,8 @@ main(int argc, char *argv[])
* plus a newline, plus a null */
passhash = xmalloc(2*hashlen + 2);
+ memset(passhash, 0, 2*hashlen+2);
+
/* try to lock memory so it doesn't get swapped out for sure */
if (mlockall(MCL_CURRENT | MCL_FUTURE) == -1) {
perror("mlockall");
@@ -268,6 +278,69 @@ main(int argc, char *argv[])
if (salt)
pass = salt_passphrase(pass, salt);
hashlen = func(passhash, hashlen, pass, strlen(pass));
+
+ if(itercountk) /* from loop-AES */
+ {
+#if HAVE_LIBGCRYPT
+ gcry_cipher_hd_t ctx;
+ gcry_error_t err;
+ char tmp[32];
+ char out[32];
+
+ if(hashlen > 32) {
+ fprintf(stderr, "WARNING: hashlen truncated to 32\n");
+ hashlen = 32;
+ }
+
+ if(!gcry_check_version("1.1.0")) {
+ fprintf(stderr, "libgcrypt initialization failed\n");
+ exit(EXIT_FAILURE);
+ }
+
+ memset(out, 0, sizeof(out));
+ memcpy(out, passhash, hashlen);
+
+ err = gcry_cipher_open(&ctx, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CBC, 0);
+ if(err)
+ {
+ fprintf(stderr, "can't initialize AES: %s\n", gcry_strerror (err));
+ exit(EXIT_FAILURE);
+ }
+
+ /*
+ * Set up AES-256 encryption key using same password and hash function
+ * as before but with password bit 0 flipped before hashing. That key
+ * is then used to encrypt actual loop key 'itercountk' thousand times.
+ */
+ pass[0] ^= 1;
+ func(&tmp[0], 32, pass, strlen(pass));
+ gcry_cipher_setkey(ctx, &tmp[0], 32);
+ itercountk *= 1000;
+ while(itercountk > 0) {
+ gcry_cipher_reset(ctx);
+ gcry_cipher_setiv(ctx, NULL, 0);
+ /* encrypt both 128bit blocks with AES-256 */
+ gcry_cipher_encrypt(ctx, &out[ 0], 16, &out[ 0], 16);
+ gcry_cipher_reset(ctx);
+ gcry_cipher_setiv(ctx, NULL, 0);
+ gcry_cipher_encrypt(ctx, &out[16], 16, &out[16], 16);
+ /* exchange upper half of first block with lower half of second block */
+ memcpy(&tmp[0], &out[8], 8);
+ memcpy(&out[8], &out[16], 8);
+ memcpy(&out[16], &tmp[0], 8);
+ itercountk--;
+ }
+ memset(&tmp[0], 0, sizeof(tmp));
+
+ memcpy(passhash, out, hashlen);
+
+ gcry_cipher_close(ctx);
+#else
+ fprintf(stderr, "libgcrypt support is required for option -C\n");
+ exit(EXIT_FAILURE);
+#endif
+
+ }
memset (pass, 0, strlen (pass)); /* paranoia */
free(pass);

View File

@ -1,39 +0,0 @@
document -C and -t options in manpage
Signed-off-by: Ludwig Nussel <ludwig.nussel@suse.de>
Index: hashalot-0.3/hashalot.1
===================================================================
--- hashalot-0.3/hashalot.1.orig
+++ hashalot-0.3/hashalot.1
@@ -2,9 +2,9 @@
.SH NAME
hashalot \- read a passphrase and print a hash
.SH SYNOPSIS
-.B hashalot [ \-s SALT ] [ \-x ] [ \-n #BYTES ] HASHTYPE
+.B hashalot [ \-t secs ] [ \-s SALT ] [ \-x ] [ \-n #BYTES ] [ \-C itercountk ] HASHTYPE
.br
-.B HASHTYPE [ \-s SALT ] [ \-x ] [ \-n #BYTES ]
+.B HASHTYPE [ \-t secs ] [ \-s SALT ] [ \-x ] [ \-n #BYTES ] [ \-C itercountk ]
.SH DESCRIPTION
.PP
\fIhashalot\fP is a small tool that reads a passphrase from standard
@@ -36,6 +36,18 @@ option can be used to limit (or increase
default is as appropriate for the specified hash algorithm: 20 bytes for
RIPEMD160, 32 bytes for SHA256, etc. The default for the "rmd160compat"
hash is 16 bytes, for compatibility with the old kerneli.org utilities.
+.PP
+The
+.B \-t
+option specifies a timeout for reading the passphrase from the terminal.
+.PP
+The
+.B \-C
+option specifies that the hashed password has to be encrypted
+itercountk thousand times using AES-256. Use for compatability with
+loop-AES.
+.PP
+The options \-t and \-C are currently SUSE specific
.SH AUTHOR
Ben Slusky <sluskyb@paranoiacs.org>
.PP

View File

@ -1,87 +0,0 @@
add timeout option -t
Signed-off-by: Ludwig Nussel <ludwig.nussel@suse.de>
Index: hashalot-0.3/hashalot.c
===================================================================
--- hashalot-0.3.orig/hashalot.c
+++ hashalot-0.3/hashalot.c
@@ -21,6 +21,7 @@
#include <string.h>
#include <unistd.h>
#include <assert.h>
+#include <signal.h>
#include <sys/types.h>
#include <sys/mman.h>
@@ -36,6 +37,12 @@
typedef int (*phash_func_t)(char dest[], size_t dest_len, const char src[], size_t src_len);
+static int got_timeout;
+void alrm_handler(int num)
+{
+ got_timeout = 1;
+}
+
static int
phash_rmd160(char dest[], size_t dest_len, const char src[], size_t src_len)
{
@@ -101,9 +108,9 @@ show_usage(const char argv0[])
fprintf (stdout,
"usage:\n"
- " hashalot [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ] HASHTYPE\n"
+ " hashalot [ -t secs ] [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ] HASHTYPE\n"
" or\n"
- " HASHTYPE [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ]\n"
+ " HASHTYPE [ -t secs ] [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ]\n"
"\n"
"supported values for HASHTYPE: ");
@@ -222,8 +229,9 @@ main(int argc, char *argv[])
phash_func_t func;
int hex_output = 0, c;
unsigned long itercountk = 0;
+ unsigned timeout = 0;
- while ((c = getopt(argc, argv, "n:s:xC:")) != -1) {
+ while ((c = getopt(argc, argv, "n:s:xC:t:")) != -1) {
switch (c) {
case 'n':
hashlen = strtoul(optarg, &p, 0);
@@ -238,6 +246,9 @@ main(int argc, char *argv[])
case 's':
salt = optarg;
break;
+ case 't':
+ timeout = atoi(optarg);
+ break;
case 'x':
hex_output++;
break;
@@ -276,8 +287,24 @@ main(int argc, char *argv[])
fputs("Warning: couldn't lock memory, are you root?\n", stderr);
}
+ if(timeout) {
+ struct sigaction sa;
+ sa.sa_handler = alrm_handler;
+ sigemptyset (&sa.sa_mask);
+ sa.sa_flags = 0;
+ sigaction(SIGALRM, &sa, NULL);
+ alarm(timeout);
+ }
+
/* here we acquire the precious passphrase... */
pass = xgetpass("Enter passphrase: ");
+ if(got_timeout) {
+ exit(EXIT_FAILURE);
+ }
+ if(timeout) {
+ alarm(0);
+ }
+
if (salt)
pass = salt_passphrase(pass, salt);
hashlen = func(passhash, hashlen, pass, strlen(pass));