tomb

the crypto undertaker
git clone git://parazyd.org/tomb.git
Log | Files | Refs | README | LICENSE

commit 8f9e9f9d2afcec6a81f1efd5fba765aa4d04c44c
parent 61362ce34e757beadd43468ef279d8b2e0dddc56
Author: Jaromil <jaromil@dyne.org>
Date:   Wed, 12 Jun 2013 00:03:36 +0200

fixes to --tomb-pwd and new test script

Diffstat:
Aextras/test/dig_forge_lock_open_close.sh | 48++++++++++++++++++++++++++++++++++++++++++++++++
Dextras/test/simple.test.sh | 16----------------
Mtomb | 39+++++++++++++++++++++++++--------------
3 files changed, 73 insertions(+), 30 deletions(-)

diff --git a/extras/test/dig_forge_lock_open_close.sh b/extras/test/dig_forge_lock_open_close.sh @@ -0,0 +1,48 @@ +#/usr/bin/env zsh + +T="../../tomb" +source utils.sh + +rm /tmp/test.tomb{,.key} -f || exit 1 + +sudo -k + +${T} dig -s 10 /tmp/test.tomb + +sudo losetup -a + +${T} --ignore-swap --unsecure-dev-mode --tomb-pwd f00za --use-urandom \ + forge /tmp/test.tomb.key + +sudo losetup -a + +${T} --ignore-swap --unsecure-dev-mode --tomb-pwd f00za \ + lock /tmp/test.tomb -k /tmp/test.tomb.key + +sudo losetup -a + +# sanity_tomb /tmp/asd.tomb +echo +echo trying to open with wrong password +echo + +${T} --unsecure-dev-mode --tomb-pwd wrongpassword \ + open /tmp/test.tomb + +sudo losetup -a + +echo +echo trying to open with good password +echo + +${T} --unsecure-dev-mode --tomb-pwd f00za \ + open /tmp/test.tomb + +sudo losetup -a + +${T} --unsecure-dev-mode close test + +sudo losetup -a + +rm /tmp/test.tomb{,.key} -f || exit 1 + diff --git a/extras/test/simple.test.sh b/extras/test/simple.test.sh @@ -1,16 +0,0 @@ -rm /tmp/asd.tomb{,.key} -f || exit 1 -sudo -k -../tomb --no-color --unsecure-dev-mode --sudo-pwd $sudo_pwd --tomb-pwd f00za --use-urandom create /tmp/asd -s 10 >&4 2>&4 || echo error creating: $? >&3 -sanity_tomb /tmp/asd.tomb || echo error sanity checks: $? >&3 -../tomb --no-color --unsecure-dev-mode --sudo-pwd $sudo_pwd --tomb-pwd wrongpassword open /tmp/asd.tomb >&4 2>&4 && echo error: open with wrong password is successful >&3 -../tomb --no-color --unsecure-dev-mode --sudo-pwd $sudo_pwd --tomb-pwd f00za open /tmp/asd.tomb >&4 2>&4 || echo error opening: $? >&3 -../tomb --no-color list >&4 2>&4 || echo error listing: $? >&3 -../tomb --no-color list --get-mountpoint asd >&4 || echo error listing specific: $? >&3 -mountpoint=`../tomb --no-color list --get-mountpoint asd` -df $mountpoint >&4 || echo error df: $? >&3 - -../tomb --no-color --unsecure-dev-mode --sudo-pwd $sudo_pwd close asd >&4 2>&4 || echo error closing: $? >&3 - -rm /tmp/asd.tomb{,.key} -f - - diff --git a/tomb b/tomb @@ -40,10 +40,9 @@ # {{{ Global variables -VERSION=1.3 -DATE="May/2013" +VERSION=1.3.1 +DATE="Jun/2013" TOMBEXEC=$0 -TOMBOPENEXEC="${TOMBEXEC}-open" typeset -a OLDARGS for arg in ${argv}; do OLDARGS+=($arg); done DD="dd" @@ -191,7 +190,7 @@ check_priv() { # save original user username=$USER if [ $UID != 0 ]; then - xxx "Using sudo for root execution of 'tomb ${(f)OLDARGS}'" + xxx "Using sudo for root execution of '${TOMBEXEC} ${(f)OLDARGS}'" # check if sudo has a timestamp active sudok=false @@ -215,8 +214,8 @@ EOF fi # are we root already # make sure necessary kernel modules are loaded - modprobe dm_mod - modprobe dm_crypt + modprobe dm_mod 2>/dev/null + modprobe dm_crypt 2>/dev/null return 0 } @@ -496,6 +495,13 @@ ask_key_password() { local tombpass="" if option_is_set --tomb-pwd; then tombpass=`option_value --tomb-pwd` + xxx "ask_key_password takes tombpass from CLI argument: $tombpass" + + get_lukskey "$tombpass" ${tombkey} >/dev/null + + if [ $? = 0 ]; then + passok=1; _message "Password OK."; fi + else for c in 1 2 3; do if [ $c = 1 ]; then @@ -679,7 +685,8 @@ gen_key() { unset tombpass done else - tombpass=`option_value --tomb-pwd` + tombpass="`option_value --tomb-pwd`" + xxx "gen_key takes tombpass from CLI argument: $tombpass" fi @@ -1046,7 +1053,7 @@ lock_tomb_with_key() { fi # load key from options or file - tombkey=`load_key ${tombdir}/${tombfile}` + tombkey=`load_key ${tombdir}/${tombfile}.key` { test $? = 0 } || { losetup -d $nstloop die "Aborting operations: error loading key $tombkey" } @@ -1115,6 +1122,7 @@ lock_tomb_with_key() { # backward compatibility create_tomb() { + xxx "create_tomb(): ${=@} ${=OLDARGS}" if ! [ $1 ]; then _warning "no tomb name specified for creation" return 1 @@ -1125,19 +1133,20 @@ create_tomb() { _warning "Creating this tomb would overwrite an existing file. Operation aborted." die "`ls -lh $1`" } - dig_tomb ${=PARAM} { test $? = 0 } || { die "Failed to dig tomb, operation aborted." } + tombfile=`basename $1` tombdir=`dirname $1` # make sure the file has a .tomb extension tombname=${tombfile%%\.*} tombfile=${tombname}.tomb - forge_key ${tombfile}.key + ${TOMBEXEC} dig ${=PARAM} + ${TOMBEXEC} forge ${tombdir}/${tombfile}.key { test $? = 0 } || { die "Failed to forge key, operation aborted." } - lock_tomb_with_key ${tombfile} -l ${tombfile}.key + ${TOMBEXEC} lock ${tombdir}/${tombfile} -k ${tombdir}/${tombfile}.key { test $? = 0 } || { die "Failed to lock tomb with key, operation aborted." } yes "Tomb $tombname succesfully created" @@ -1212,6 +1221,7 @@ mount_tomb() { if [ $? != 0 ]; then # is it a LUKS encrypted nest? see cryptsetup(1) _warning "$tombfile is not a valid Luks encrypted storage file" + losetup -d ${nstloop} return 1 fi say "this tomb is a valid LUKS encrypted device" @@ -1238,6 +1248,7 @@ mount_tomb() { tombpass=`ask_key_password $tombkey` { test $? = 0 } || { + losetup -d ${nstloop} die "No valid password supplied" } get_lukskey "${tombpass}" ${tombkey} | \ @@ -1884,10 +1895,10 @@ main() { subcommands_opts[open]="f n -nohook=n k: -key=k o: -mount-options=o -ignore-swap -sudo-pwd: -tomb-pwd:" subcommands_opts[mount]=${subcommands_opts[open]} - subcommands_opts[create]="f s: -size=s -force k: -key=k -ignore-swap -kdf: -sudo-pwd: -tomb-pwd: -use-urandom" + subcommands_opts[create]="f -force -ignore-swap s: -size=s k: -key=k -kdf: -sudo-pwd: -tomb-pwd: -use-urandom" - subcommands_opts[forge]="f -ignore-swap k: -key=k -kdf: -use-urandom" - subcommands_opts[dig]="f -ignore-swap s: -size=s" + subcommands_opts[forge]="f -force -ignore-swap k: -key=k -kdf: -tomb-pwd: -use-urandom" + subcommands_opts[dig]="f -forge -ignore-swap s: -size=s" subcommands_opts[lock]="f -force -ignore-swap s: -size=s k: -key=k -sudo-pwd: -tomb-pwd:" subcommands_opts[passwd]="f -ignore-swap -kdf: -tomb-old-pwd: -tomb-pwd: "