OpenSDE
/
rocklinux
mirror of https://github.com/amery/rocklinux.git
2
0
Fork 0
Code Releases Wiki Activity
mirror of the now-defunct rocklinux.org
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3320 Commits
1 Branch
0 Tags
34 MiB
Tree: 37dbdba200
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '37dbdba200'
${ noResults }
rocklinux/package/base/util-linux/cryptoloop-support.diff

514 lines
14 KiB
Raw Normal View History

Clifford Wolf: Updated Copyright Notes git-svn-id: http://www.rocklinux.org/svn/rock-linux/trunk@4570 c5f82cb5-29bc-0310-9cd0-bff59a50e3bc
20 years ago
fake: updated util-linux (2.12) and added cryptoloop support git-svn-id: http://www.rocklinux.org/svn/rock-linux/trunk@2406 c5f82cb5-29bc-0310-9cd0-bff59a50e3bc
21 years ago
  1. # --- ROCK-COPYRIGHT-NOTE-BEGIN ---
  2. #
  3. # This copyright note is auto-generated by ./scripts/Create-CopyPatch.
  4. # Please add additional copyright information _after_ the line containing
  5. # the ROCK-COPYRIGHT-NOTE-END tag. Otherwise it might get removed by
  6. # the ./scripts/Create-CopyPatch script. Do not edit this copyright text!
  7. #
  8. # ROCK Linux: rock-src/package/base/util-linux/cryptoloop-support.diff
  9. # ROCK Linux is Copyright (C) 1998 - 2004 Clifford Wolf
  10. #
  11. # This patch file is dual-licensed. It is available under the license the
  12. # patched project is licensed under, as long as it is an OpenSource license
  13. # as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
  14. # of the GNU General Public License as published by the Free Software
  15. # Foundation; either version 2 of the License, or (at your option) any later
  16. # version.
  17. #
  18. # --- ROCK-COPYRIGHT-NOTE-END ---
  20. --- util-linux-2.12/mount/mount.8.orig 2003-09-21 18:14:26.000000000 -0400
  21. +++ util-linux-2.12/mount/mount.8 2003-09-21 18:16:18.000000000 -0400
  22. @@ -1696,6 +1696,11 @@
  23. .BR loop ", " offset " and " encryption ,
  24. that are really options to
  25. .BR losetup (8).
  26. +You can also use the
  27. +.BR keygen
  28. +option to have mount call an external program from, which it will read the
  29. +encryption key. Arguments to this program can be given, separated by semicolons.
  30. +
  31. If no explicit loop device is mentioned
  32. (but just an option `\fB\-o loop\fP' is given), then
  33. .B mount
  34. --- util-linux-2.12/mount/mount.c.orig 2003-09-21 18:14:27.000000000 -0400
  35. +++ util-linux-2.12/mount/mount.c 2003-09-21 18:16:18.000000000 -0400
  36. @@ -195,7 +195,7 @@
  37. };
  39. static char *opt_loopdev, *opt_vfstype, *opt_offset, *opt_encryption,
  40. - *opt_speed;
  41. + *opt_keygen, *opt_speed;
  43. static struct string_opt_map {
  44. char *tag;
  45. @@ -206,6 +206,7 @@
  46. { "vfs=", 1, &opt_vfstype },
  47. { "offset=", 0, &opt_offset },
  48. { "encryption=", 0, &opt_encryption },
  49. + { "keygen=", 0, &opt_keygen },
  50. { "speed=", 0, &opt_speed },
  51. { NULL, 0, NULL }
  52. };
  53. @@ -586,7 +587,7 @@
  54. *type = opt_vfstype;
  55. }
  57. - *loop = ((*flags & MS_LOOP) || *loopdev || opt_offset || opt_encryption);
  58. + *loop = ((*flags & MS_LOOP) || *loopdev || opt_offset || opt_encryption || opt_keygen);
  59. *loopfile = *spec;
  61. if (*loop) {
  62. @@ -596,6 +597,11 @@
  63. printf(_("mount: skipping the setup of a loop device\n"));
  64. } else {
  65. int loopro = (*flags & MS_RDONLY);
  66. + /* Extra args to the keygen program. Right now there are 2: *
  67. + * - the looped file *
  68. + * - the encryption type used */
  69. + char *keygen_args[] = {*loopfile, opt_encryption};
  70. + const int _n_keygen_args = 2;
  72. if (!*loopdev || !**loopdev)
  73. *loopdev = find_unused_loop_device();
  74. @@ -604,6 +610,8 @@
  75. if (verbose)
  76. printf(_("mount: going to use the loop device %s\n"), *loopdev);
  77. offset = opt_offset ? strtoul(opt_offset, NULL, 0) : 0;
  78. + if (opt_keygen)
  79. + pfd = use_keygen_prog(opt_keygen, keygen_args, _n_keygen_args);
  80. if (set_loop(*loopdev, *loopfile, offset,
  81. opt_encryption, pfd, &loopro)) {
  82. if (verbose)
  83. --- util-linux-2.12/mount/lomount.c.orig 2003-09-21 18:14:26.000000000 -0400
  84. +++ util-linux-2.12/mount/lomount.c 2003-09-21 18:43:27.000000000 -0400
  85. @@ -10,7 +10,6 @@
  86. * 2000-09-24 Marc Mutz <Marc@Mutz.com>
  87. * - added -p option to pass passphrases via fd's to losetup/mount.
  88. * Used for encryption in non-interactive environments.
  89. - * The idea behind xgetpass() is stolen from GnuPG, v.1.0.3.
  90. */
  92. #define LOOPMAJOR 7
  93. @@ -24,12 +23,16 @@
  94. #include <ctype.h>
  95. #include <fcntl.h>
  96. #include <errno.h>
  97. +#include <limits.h>
  98. #include <stdlib.h>
  99. #include <unistd.h>
  100. +#include <sys/types.h>
  101. #include <sys/ioctl.h>
  102. #include <sys/stat.h>
  103. #include <sys/mman.h>
  104. #include <sys/sysmacros.h>
  105. +#include <regex.h>
  106. +#include <signal.h>
  108. #include "loop.h"
  109. #include "lomount.h"
  110. @@ -38,6 +41,7 @@
  112. extern int verbose;
  113. extern char *xstrdup (const char *s); /* not: #include "sundries.h" */
  114. +extern void *xmalloc (size_t size); /* idem */
  115. extern void error (const char *fmt, ...); /* idem */
  117. #ifdef LOOP_SET_FD
  118. @@ -198,43 +202,113 @@
  119. return 0;
  120. }
  122. -/*
  123. - * A function to read the passphrase either from the terminal or from
  124. - * an open file descriptor.
  125. - */
  126. -static char *
  127. -xgetpass(int pfd, const char *prompt) {
  128. - char *pass;
  129. - int buflen, i;
  130. -
  131. - if (pfd < 0) /* terminal */
  132. - return getpass(prompt);
  133. -
  134. - pass = NULL;
  135. - buflen = 0;
  136. - for (i=0; ; i++) {
  137. - if (i >= buflen-1) {
  138. - /* we're running out of space in the buffer.
  139. - * Make it bigger: */
  140. - char *tmppass = pass;
  141. - buflen += 128;
  142. - pass = realloc(tmppass, buflen);
  143. - if (pass == NULL) {
  144. - /* realloc failed. Stop reading. */
  145. - error("Out of memory while reading passphrase");
  146. - pass = tmppass; /* the old buffer hasn't changed */
  147. +/* A function to check the encryption parameters against /proc/crypto. *
  148. + * Returns 1 if everything checks out, 0 if there's any problem. *
  149. + * The purpose of this function is not so much to verify the parameters *
  150. + * before setting up the loop device; that task is made difficult by *
  151. + * the possibility of loadable encryption modules and the necessity of *
  152. + * falling back to the old (kerneli.org) CryptoAPI. Rather the intent *
  153. + * is to come up with a more useful error message after the setup *
  154. + * fails. Thus we return 1 in the event that some system error prevents *
  155. + * us from getting the info we want from /proc/crypto. */
  156. +static int
  157. +check_crypto(struct loop_info64 *loopinfo64) {
  158. + char *s = xmalloc(LINE_MAX), *name = xmalloc(LINE_MAX),
  159. + cipher_name[LO_NAME_SIZE+1];
  160. + int cipher_found = 0, min_size = 0, max_size = 0, retval;
  161. + FILE *fp;
  162. + struct stat st;
  163. +
  164. + if (stat("/proc/crypto", &st) == -1) {
  165. + retval = 1;
  166. + goto end;
  167. + } else if (S_ISDIR(st.st_mode)) {
  168. + /* Hm... must be using the old CryptoAPI. */
  169. + retval = 1;
  170. + goto end;
  171. + } else if ((fp = fopen("/proc/crypto", "r")) == NULL) {
  172. + retval = 1;
  173. + goto end;
  174. + }
  175. +
  176. + xstrncpy(cipher_name, loopinfo64->lo_crypt_name, LO_NAME_SIZE);
  177. + /* Chop off the cipher mode (ie. everything after the dash) */
  178. + cipher_name[strcspn(cipher_name, "-")] = '\0';
  179. +
  180. + while (fgets(s, LINE_MAX, fp) != NULL) {
  181. + if (sscanf(s, "name : %s", name) > 0) {
  182. + if (strcmp(name, cipher_name) == 0)
  183. + cipher_found = 1;
  184. + else if (cipher_found)
  185. break;
  186. - }
  187. + } else {
  188. + sscanf(s, "min keysize : %d", &min_size);
  189. + sscanf(s, "max keysize : %d", &max_size);
  190. }
  191. - if (read(pfd, pass+i, 1) != 1 || pass[i] == '\n')
  192. - break;
  193. - }
  194. - if (pass == NULL)
  195. - return "";
  196. - else {
  197. - pass[i] = 0;
  198. - return pass;
  199. }
  200. + fclose(fp);
  201. +
  202. + if (!cipher_found) {
  203. + fprintf(stderr, _("Invalid cipher \"%s\"\n"), cipher_name);
  204. + retval = 0;
  205. + goto end;
  206. + } else if (loopinfo64->lo_encrypt_key_size < min_size ||
  207. + loopinfo64->lo_encrypt_key_size > max_size) {
  208. + fprintf(stderr, _("Invalid key length (%d) for %s cipher\n"),
  209. + loopinfo64->lo_encrypt_key_size, cipher_name);
  210. + retval = 0;
  211. + goto end;
  212. + }
  213. +
  214. + retval = 1;
  215. +end:
  216. + free(s);
  217. + free(name);
  218. + return retval;
  219. +}
  220. +
  221. +/* Same thing, for the old CryptoAPI. */
  222. +static int
  223. +check_crypto_old(struct loop_info *loopinfo) {
  224. + char *s = xmalloc(LINE_MAX), *name = xmalloc(PATH_MAX+1),
  225. + cipher_name[LO_NAME_SIZE+1];
  226. + int mask = 0, retval;
  227. + FILE *fp;
  228. + struct stat st;
  229. +
  230. + if (stat("/proc/crypto/cipher", &st) == -1) {
  231. + retval = 1;
  232. + goto end;
  233. + } else if (!S_ISDIR(st.st_mode)) {
  234. + retval = 1;
  235. + goto end;
  236. + }
  237. +
  238. + xstrncpy(cipher_name, loopinfo->lo_name, LO_NAME_SIZE);
  239. + snprintf(name, PATH_MAX+1, "/proc/crypto/cipher/%s", cipher_name);
  240. + if ((fp = fopen(name, "r")) == NULL) {
  241. + fprintf(stderr, _("Invalid cipher \"%s\"\n"), cipher_name);
  242. + retval = 0;
  243. + goto end;
  244. + }
  245. +
  246. + while (fgets(s, LINE_MAX, fp) != NULL) {
  247. + sscanf(s, "keysize_mask : %i", &mask);
  248. + }
  249. + fclose(fp);
  250. +
  251. + if (!(mask & (1 << (loopinfo->lo_encrypt_key_size - 1)))) {
  252. + fprintf(stderr, _("Invalid key length (%d) for %s cipher\n"),
  253. + loopinfo->lo_encrypt_key_size, cipher_name);
  254. + retval = 0;
  255. + goto end;
  256. + }
  257. +
  258. + retval = 1;
  259. +end:
  260. + free(s);
  261. + free(name);
  262. + return retval;
  263. }
  265. static int
  266. @@ -275,9 +349,40 @@
  267. if (digits_only(encryption)) {
  268. loopinfo64.lo_encrypt_type = atoi(encryption);
  269. } else {
  270. + regex_t keysize_re;
  271. + regmatch_t keysize_rm;
  272. + int rerror;
  273. + char *rerror_buf, *encryption_dup = xstrdup(encryption);
  274. +
  275. loopinfo64.lo_encrypt_type = LO_CRYPT_CRYPTOAPI;
  276. +
  277. + if ((rerror = regcomp(&keysize_re, "-[[:digit:]]+$",
  278. + REG_EXTENDED)) != 0) {
  279. + fprintf(stderr, _("RE error: "));
  280. + rerror_buf = xmalloc(LINE_MAX+1);
  281. + regerror(rerror, &keysize_re, rerror_buf, LINE_MAX);
  282. + fprintf(stderr, "%s\n", rerror_buf);
  283. + free(rerror_buf);
  284. + return -1;
  285. + }
  286. + rerror = regexec(&keysize_re, encryption_dup,
  287. + 1, &keysize_rm, 0);
  288. + regfree(&keysize_re);
  289. + if (rerror) {
  290. + fprintf(stderr,
  291. + _("You must specify a key size (in bits) "
  292. + "for use with CryptoAPI encryption.\n"));
  293. + return -1;
  294. + }
  295. +
  296. + /* convert the key size from #bits to #bytes */
  297. + loopinfo64.lo_encrypt_key_size =
  298. + atoi(encryption_dup + keysize_rm.rm_so + 1) / 8;
  299. + /* now cut off the key size */
  300. + encryption_dup[keysize_rm.rm_so] = '\0';
  301. snprintf(loopinfo64.lo_crypt_name, LO_NAME_SIZE,
  302. - "%s", encryption);
  303. + "%s", encryption_dup);
  304. + free(encryption_dup);
  305. }
  306. }
  308. @@ -307,9 +412,25 @@
  309. strlen(loopinfo64.lo_encrypt_key);
  310. break;
  311. default:
  312. - pass = xgetpass(pfd, _("Password: "));
  313. - xstrncpy(loopinfo64.lo_encrypt_key, pass, LO_KEY_SIZE);
  314. - loopinfo64.lo_encrypt_key_size = LO_KEY_SIZE;
  315. + if (pfd == -1) {
  316. + pass = getpass(_("Password: "));
  317. + xstrncpy(loopinfo64.lo_encrypt_key, pass, LO_KEY_SIZE);
  318. + } else {
  319. + /* If we're reading from an extenral program, *
  320. + * odds are good that a SIGCHLD will interrupt *
  321. + * this read(), and ruin our whole day. So we *
  322. + * must block it. */
  323. + sigset_t ss, oss;
  324. + sigemptyset(&ss);
  325. + sigaddset(&ss, SIGCHLD);
  326. + sigprocmask(SIG_BLOCK, &ss, &oss);
  327. + if (read(pfd, loopinfo64.lo_encrypt_key,
  328. + LO_KEY_SIZE) == -1) {
  329. + perror("read");
  330. + fprintf(stderr, _("Error reading encryption key, exiting\n"));
  331. + }
  332. + sigprocmask(SIG_SETMASK, &oss, NULL);
  333. + }
  334. }
  336. if (ioctl(fd, LOOP_SET_FD, ffd) < 0) {
  337. @@ -322,6 +443,14 @@
  338. struct loop_info loopinfo;
  339. int errsv = errno;
  341. + if (errno == EINVAL &&
  342. + loopinfo64.lo_encrypt_type == LO_CRYPT_CRYPTOAPI)
  343. + if (!check_crypto(&loopinfo64)) {
  344. + fprintf(stderr,
  345. + _("Error in crypto parameters, exiting\n"));
  346. + goto fail;
  347. + }
  348. +
  349. errno = loop_info64_to_old(&loopinfo64, &loopinfo);
  350. if (errno) {
  351. errno = errsv;
  352. @@ -330,6 +459,17 @@
  353. }
  355. if (ioctl(fd, LOOP_SET_STATUS, &loopinfo) < 0) {
  356. + errsv = errno;
  357. +
  358. + if (errno == EINVAL &&
  359. + loopinfo.lo_encrypt_type == LO_CRYPT_CRYPTOAPI)
  360. + if (!check_crypto_old(&loopinfo)) {
  361. + fprintf(stderr,
  362. + _("Error in crypto parameters, exiting\n"));
  363. + goto fail;
  364. + }
  365. +
  366. + errno = errsv;
  367. perror("ioctl: LOOP_SET_STATUS");
  368. goto fail;
  369. }
  370. @@ -416,6 +556,22 @@
  371. exit(1);
  372. }
  374. +void *
  375. +xmalloc (size_t size) {
  376. + void *t;
  377. +
  378. + if (size == 0)
  379. + return NULL;
  380. +
  381. + t = malloc (size);
  382. + if (t == NULL) {
  383. + fprintf(stderr, _("not enough memory"));
  384. + exit(1);
  385. + }
  386. +
  387. + return t;
  388. +}
  389. +
  390. char *
  391. xstrdup (const char *s) {
  392. char *t;
  393. --- util-linux-2.12/mount/sundries.c.orig 2003-09-21 18:14:27.000000000 -0400
  394. +++ util-linux-2.12/mount/sundries.c 2003-09-21 18:16:18.000000000 -0400
  395. @@ -12,6 +12,8 @@
  396. #include <stdio.h>
  397. #include <string.h>
  398. #include <mntent.h> /* for MNTTYPE_SWAP */
  399. +#include <sys/types.h>
  400. +#include <sys/wait.h>
  401. #include "fstab.h"
  402. #include "sundries.h"
  403. #include "realpath.h"
  404. @@ -285,3 +287,100 @@
  405. free(canonical);
  406. return xstrdup(path);
  407. }
  408. +
  409. +static volatile int keygen_wait = 1;
  410. +
  411. +/* Handle a SIGCHLD -- wait for the child process */
  412. +static void
  413. +child_handler (int i) {
  414. + int status;
  415. + if (keygen_wait && wait(&status) != -1) {
  416. + keygen_wait = 0;
  417. + if (WEXITSTATUS(status) != 0)
  418. + exit(WEXITSTATUS(status));
  419. + }
  420. +}
  421. +
  422. +/* Make sure we clean up after the child */
  423. +static void
  424. +child_cleanup (void) {
  425. + /* "Clean up" means wait. So we let child_handler do all the work */
  426. + while (keygen_wait)
  427. + sleep(1);
  428. +}
  429. +
  430. +/* Split a string into pieces, using delim as the delimiter. *
  431. + * Returns the number of pieces. */
  432. +static int
  433. +split_args (char *args[], const char *str, const char *delim, int nargs) {
  434. + int i=0;
  435. + char *s = xstrdup(str);
  436. + args[0] = strtok(s, delim);
  437. + if (args[0] == NULL)
  438. + return 0;
  439. +
  440. + while (++i < nargs) {
  441. + if ((args[i] = strtok(NULL, delim)) == NULL)
  442. + break;
  443. + }
  444. +
  445. + return i;
  446. +}
  447. +
  448. +#define KEYGEN_MAX_ARGS 64 /* more than anyone will need, right? */
  449. +
  450. +/* Call an external program to give us the encryption key for an *
  451. + * encrypted device. We split the string s into a command and args on *
  452. + * semicolons ('cuz you can't put spaces in the fs_mntopts field), then *
  453. + * add some specific args (eg. the looped file or device, the *
  454. + * encryption method used; check the caller to see the actual list). *
  455. + * Returns a file descriptor from which we read the key. */
  456. +int
  457. +use_keygen_prog (const char *s, const char *addl_args[], int naddl_args) {
  458. + int fd[2];
  459. + pid_t keygen_pid;
  460. + struct sigaction sa;
  461. + sa.sa_handler = child_handler;
  462. + sa.sa_flags = SA_NOCLDSTOP;
  463. +
  464. + if (pipe(fd) == -1) {
  465. + perror("pipe");
  466. + exit(EX_SYSERR);
  467. + }
  468. + if (sigaction(SIGCHLD, &sa, NULL) == -1) {
  469. + perror("sigaction");
  470. + exit(EX_SYSERR);
  471. + }
  472. + if ((keygen_pid = fork()) == -1) {
  473. + perror("fork");
  474. + exit(EX_SYSERR);
  475. + } else if (keygen_pid) { /* parent */
  476. + atexit(child_cleanup);
  477. + close(fd[1]);
  478. + return fd[0];
  479. + } else { /* child */
  480. + char *args[KEYGEN_MAX_ARGS+1];
  481. + int i, n = split_args(args, s, ";", KEYGEN_MAX_ARGS - naddl_args);
  482. + if (!n) {
  483. + fprintf(stderr, _("Invalid keygen program, exiting\n"));
  484. + exit(EX_USAGE);
  485. + }
  486. + for(i=0; i < naddl_args && n+i < KEYGEN_MAX_ARGS; i++)
  487. + args[n+i] = (char *) addl_args[i];
  488. + args[n+i] = NULL;
  489. +
  490. + close(fd[0]);
  491. + if (dup2(fd[1], STDOUT_FILENO) == -1) {
  492. + perror("dup2");
  493. + exit(EX_SYSERR);
  494. + }
  495. + setuid(getuid()); /* set euid to ruid */
  496. + if (execvp(args[0], args) == -1) {
  497. + perror(args[0]);
  498. + exit(EX_USAGE);
  499. + }
  500. + }
  501. +
  502. + return 0; /* so gcc will shut up */
  503. +}
  504. +
  505. --- util-linux-2.12/mount/sundries.h.orig 2003-09-21 18:14:27.000000000 -0400
  506. +++ util-linux-2.12/mount/sundries.h 2003-09-21 18:16:18.000000000 -0400
  507. @@ -25,6 +25,7 @@
  508. void error (const char *fmt, ...);
  509. int matching_type (const char *type, const char *types);
  510. int matching_opts (const char *options, const char *test_opts);
  511. +int use_keygen_prog (const char *s, const char *addl_args[], int naddl_args);
  512. void *xmalloc (size_t size);
  513. char *xstrdup (const char *s);
  514. char *xstrndup (const char *s, int n);