
commit f7b83de6cab8f78ad1adb234ed06971709237ce7
parent 5158c380fefa46396ce3f2ec6ca6b994384de7d2
Author: Jaromil <jaromil@dyne.org>
Date:   Wed,  6 Aug 2014 11:21:08 +0200

cleanup implicitly exhumed key and move get_lukskey() closer to caller funcs

Diffstat:
Mtomb | 101+++++++++++++++++++++++++++++++++++++++++--------------------------------------
1 file changed, 52 insertions(+), 49 deletions(-)

diff --git a/tomb b/tomb
@@ -634,6 +634,58 @@ gpg_decrypt() {
 }
+
+# Gets a key file and a password, prints out the decoded contents to
+# be used directly by Luks as a cryptographic key
+get_lukskey() {
+# $1 is the password, $2 is the keyfile
+
+ local lukspass="$1"
+ local keyfile="$2"
+ local exhumedkey
+
+ firstline=`head -n1 $keyfile`
+ _verbose "get_lukskey XXX $keyfile"
+
+ # key is KDF encoded
+ if [[ $firstline =~ '^_KDF_' ]]; then
+ _verbose "KDF: `cut -d_ -f 3 <<<$firstline`"
+ case `cut -d_ -f 3 <<<$firstline` in
+ pbkdf2sha1)
+ pbkdf2_param=`cut -d_ -f 4- <<<$firstline | tr '_' ' '`
+ lukspass=$(tomb-kdb-pbkdf2 ${=pbkdf2_param} 2> /dev/null <<<$lukspass)
+ ;;
+ *)
+ _failure "No suitable program for KDF `cut -f 3 <<<$firstline`."
+ unset lukspass
+ return 1
+ ;;
+ esac
+
+ # key needs to be exhumed from an image
+ elif [[ `file "$keyfile"` =~ "JP.G" ]]; then
+ exhumedkey="`safe_filename exhumedkey`"
+ _verbose "lukspass in get_lukskey: $lukspass"
+
+ exhume_key "$keyfile" "$lukspass" "$exhumedkey"
+ keyfile="$exhumedkey"
+ fi
+ _verbose "lukspass in get_lukskey: $lukspass"
+
+ # check validity, eventually repair adding headers
+ is_valid_key "$keyfile" || {
+ _failure "This key is unusable: $keyfile" }
+
+ # saves decrypted content into $tomb_secret
+ gpg_decrypt "$lukspass" "$keyfile"
+ ret="$?"
+
+ { test "$exhumedkey" = "" } || { ${=WIPE} "$exhumedkey" }
+
+ _verbose "get_lukskey returns $ret"
+ return $ret
+}
+
 # This function asks the user for the password to use the key it tests
 # it against the return code of gpg on success returns 0 and prints
 # the password (be careful about where you save it!)
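Review bot: The two `_verbose "lukspass in get_lukskey: $lukspass"` lines in the added get_lukskey() print the caller's passphrase (or, after the pbkdf2sha1 branch, the derived key material) whenever verbose mode is on, so the secret ends up wherever `_verbose` output is captured; keep the event and drop the value, e.g. `_verbose "get_lukskey: exhuming key from $keyfile"`. The `*)` branch builds its message with `cut -f 3 <<<$firstline`, missing the `-d_` used three lines earlier, so the failure text shows the whole header line rather than the KDF name; `cut -d_ -f 3 <<<$firstline` fixes it. The new wipe of `$exhumedkey` runs only after gpg_decrypt, so on the `is_valid_key` failure path the exhumed key presumably stays on disk if `_failure` exits or returns before reaching it (what `_failure` does is not visible here); wiping inside that branch as well would close the gap. `firstline`, `pbkdf2_param` and `ret` are assigned without `local`, unlike the three variables above them, so the header line and KDF parameters outlive the call in the shell's global scope.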
@@ -794,55 +846,6 @@ print "-----END PGP MESSAGE-----"
-# Gets a key file and a password, prints out the decoded contents to
-# be used directly by Luks as a cryptographic key
-get_lukskey() {
-# $1 is the password, $2 is the keyfile
-
- local lukspass="$1"
- local keyfile="$2"
- local exhumedkey
-
- firstline=`head -n1 $keyfile`
- _verbose "get_lukskey XXX $keyfile"
-
- # key is KDF encoded
- if [[ $firstline =~ '^_KDF_' ]]; then
- _verbose "KDF: `cut -d_ -f 3 <<<$firstline`"
- case `cut -d_ -f 3 <<<$firstline` in
- pbkdf2sha1)
- pbkdf2_param=`cut -d_ -f 4- <<<$firstline | tr '_' ' '`
- lukspass=$(tomb-kdb-pbkdf2 ${=pbkdf2_param} 2> /dev/null <<<$lukspass)
- ;;
- *)
- _failure "No suitable program for KDF `cut -f 3 <<<$firstline`."
- unset lukspass
- return 1
- ;;
- esac
-
- # key needs to be exhumed from an image
- elif [[ `file "$keyfile"` =~ "JP.G" ]]; then
- exhumedkey="`safe_filename exhumedkey`"
- _verbose "lukspass in get_lukskey: $lukspass"
-
- exhume_key "$keyfile" "$lukspass" "$exhumedkey"
- keyfile="$exhumedkey"
- fi
- _verbose "lukspass in get_lukskey: $lukspass"
-
- # check validity, eventually repair adding headers
- is_valid_key "$keyfile" || {
- _failure "This key is unusable: $keyfile" }
-
- # saves decrypted content into $tomb_secret
- gpg_decrypt "$lukspass" "$keyfile"
-
- ret="$?"
- _verbose "get_lukskey returns $ret"
- return $ret
-}
-
 # takes care to encrypt a key
 # honored options: --kdf --tomb-pwd