[cleanup] More test cleanups

This commit is contained in:
hellekin 2014-10-28 15:46:36 -03:00 committed by Jaromil
parent 14ed549a55
commit 788c133f94

215
tomb
View File

@ -429,29 +429,38 @@ EOF
# Check if a filename is a valid tomb # Check if a filename is a valid tomb
is_valid_tomb() { is_valid_tomb() {
_verbose "is_valid_tomb ::1 tomb file::" $1 _verbose "is_valid_tomb ::1 tomb file::" $1
# argument check
{ test "$1" = "" } && {
_warning "Tomb file is missing from arguments."; return 1 }
# file checks
{ test -r "$1" } || {
_warning "Tomb file not found: ::1 tomb file::" $1; return 1 }
{ test -f "$1" } || {
_warning "Tomb file is not a regular file: ::1 tomb file::" $1; return 1 }
{ test -s "$1" } || {
_warning "Tomb file is empty (zero length): ::1 tomb file::" $1; return 1 }
{ test -w "$1" } || {
_warning "Tomb file is not writable: ::1 tomb file::" $1; return 1 }
# check file type (if its a Luks fs) # First argument must be the path to a tomb
[[ -z "$1" ]] && {
_failure "Tomb file is missing from arguments." }
# Tomb file must be a readable, writable, not-empty regular file.
[[ ! -r "$1" ]] && {
_failure "Tomb file not found: ::1 tomb file::" $1 }
[[ ! -f "$1" ]] && {
_failure "Tomb file is not a regular file: ::1 tomb file::" $1 }
[[ ! -s "$1" ]] && {
_failure "Tomb file is empty (zero length): ::1 tomb file::" $1 }
[[ ! -w "$1" ]] && {
_failure "Tomb file is not writable: ::1 tomb file::" $1 }
# TODO: split the rest of that function out.
# We already have a valid tomb, now we're checking
# whether we can alter it.
# Tomb file may be a LUKS FS (or we are creating it)
file "$1" | grep -i "luks encrypted file" > /dev/null || { file "$1" | grep -i "luks encrypted file" > /dev/null || {
_warning "File is not yet a tomb: ::1 tomb file::" $1 } _warning "File is not yet a tomb: ::1 tomb file::" $1 }
_plot $1 # Set TOMB{PATH,DIR,FILE,NAME} _plot $1 # Set TOMB{PATH,DIR,FILE,NAME}
# Tomb cannot be already mounted (or we cannot alter it)
mount -l | grep "${TOMBFILE}.*\[$TOMBNAME\]$" > /dev/null mount -l | grep "${TOMBFILE}.*\[$TOMBNAME\]$" > /dev/null
{ test $? = 0 } && { [[ $? == 0 ]] && {
_warning "Tomb is currently in use: ::1 tomb name::" $TOMBNAME; return 1 } _failure "Tomb is currently in use: ::1 tomb name::" $TOMBNAME }
_message "Valid tomb file found: ::1 tomb path::" $TOMBPATH _message "Valid tomb file found: ::1 tomb path::" $TOMBPATH
return 0 return 0
} }
@ -502,6 +511,7 @@ dump_secrets() {
_verbose "TOMBTMPFILES: ::1 temp files::" ${(@)TOMBTMPFILES} _verbose "TOMBTMPFILES: ::1 temp files::" ${(@)TOMBTMPFILES}
_verbose "TOMBLOOPDEVS: ::1 loop devices::" ${(@)TOMBLOOPDEVS} _verbose "TOMBLOOPDEVS: ::1 loop devices::" ${(@)TOMBLOOPDEVS}
} }
# }}} # }}}
# {{{ Commandline interaction # {{{ Commandline interaction
@ -1115,19 +1125,18 @@ bury_key() {
# password would enhance security). Nevertheless here we prefer # password would enhance security). Nevertheless here we prefer
# usability. # usability.
if option_is_set --tomb-pwd; then { option_is_set --tomb-pwd } && {
tomb_pwd="`option_value --tomb-pwd`" local tombpwd="`option_value --tomb-pwd`"
_verbose "tomb-pwd = ::1 tomb pass::" $tomb_pwd _verbose "tomb-pwd = ::1 tomb pass::" $tombpwd
ask_key_password "$tomb_pwd" ask_key_password "$tombpwd"
else } || {
ask_key_password ask_key_password
fi
{ test $? = 0 } || {
_warning "Wrong password supplied."
_failure "You shall not bury a key whose password is unknown to you."
} }
[[ $? != 0 ]] && {
_warning "Wrong password supplied."
_failure "You shall not bury a key whose password is unknown to you." }
# we omit armor strings since having them as constants can give # We omit armor strings since having them as constants can give
# ground to effective attacks on steganography # ground to effective attacks on steganography
print - "$TOMBKEY" | awk ' print - "$TOMBKEY" | awk '
/^-----/ {next} /^-----/ {next}
@ -1150,78 +1159,75 @@ bury_key() {
# optional 2nd arg: the password to use (same as key, internal use) # optional 2nd arg: the password to use (same as key, internal use)
# optional 3rd arg: the key where to save the result (- for stdout) # optional 3rd arg: the key where to save the result (- for stdout)
exhume_key() { exhume_key() {
local imagefile="$1" # The image file where to look for the key
local tombpass="$2" # (Optional) the password to use (internal use)
local destkey="$3" # (Optional) the key file where to save the
# result (- for stdout)
local r=1 # Return code (default: fail)
imagefile="$1" # Ensure the image file is a readable JPEG
res=1 [[ ! -r $imagefile ]] && {
knownpass="$2"
destkey="$3"
[[ "$destkey" = "" ]] && {
destkey="`option_value -k`"
{ test "$destkey" = "" } && {
# no key output specified: fallback to stdout
destkey="-"
_message "printing exhumed key on stdout" }
}
{ test -r "$imagefile" } || {
_failure "Exhume failed, image file not found: ::1 image file::" $imagefile } _failure "Exhume failed, image file not found: ::1 image file::" $imagefile }
[[ ! $(file "$imagefile") =~ "JP.G" ]] && {
[[ `file "$imagefile"` =~ "JP.G" ]] || {
_failure "Exhume failed: ::1 image file:: is not a jpeg image." $imagefile } _failure "Exhume failed: ::1 image file:: is not a jpeg image." $imagefile }
# when a password is passed as argument then always print out # When a password is passed as argument then always print out
# the exhumed key on stdout without further checks (internal use) # the exhumed key on stdout without further checks (internal use)
{ test "$knownpass" = "" } || { [[ -n "$tombpass" ]] && {
TOMBKEY=`steghide extract -sf "$imagefile" -p "$knownpass" -xf -` TOMBKEY=$(steghide extract -sf $imagefile -p $tombpass -xf -)
{ test $? = 0 } || { [[ $? != 0 ]] && {
_failure "Wrong password or no steganographic key found" } _failure "Wrong password or no steganographic key found" }
recover_key $TOMBKEY recover_key $TOMBKEY
return 0 return 0
} }
{ test "$destkey" = "-" } || { # Ensure we have a valid destination for the key
if [[ -s "$destkey" ]]; then [[ -z $destkey ]] && { option_is_set -k } && destkey=$(option_value -k)
[[ -z $destkey ]] && {
destkey="-" # No key was specified: fallback to stdout
_message "printing exhumed key on stdout" }
# Bail out if destination exists, unless -f (force) was passed
[[ $destkey != "-" && -s $destkey ]] && {
_warning "File exists: ::1 tomb key::" $destkey _warning "File exists: ::1 tomb key::" $destkey
{ option_is_set -f } || { { option_is_set -f } && {
_warning "Use of --force selected: overwriting."
rm -f $destkey
} || {
_warning "Make explicit use of --force to overwrite." _warning "Make explicit use of --force to overwrite."
_failure "Refusing to overwrite file. Operation aborted." } _failure "Refusing to overwrite file. Operation aborted." }
_warning "Use of --force selected: overwriting."
rm -f ${destkey}
fi
} }
_message "Trying to exhume a key out of image ::1 image file::" $imagefile _message "Trying to exhume a key out of image ::1 image file::" $imagefile
if option_is_set --tomb-pwd; then { option_is_set --tomb-pwd } && {
tombpass="`option_value --tomb-pwd`" tombpass=$(option_value --tomb-pwd)
_verbose "tomb-pwd = ::1 tomb pass::" $tombpass _verbose "tomb-pwd = ::1 tomb pass::" $tombpass
elif [[ -n $TOMBPASSWORD ]]; then } || {
# password is known already [[ -n $TOMBPASSWORD ]] && tombpass=$TOMBPASSWORD
tombpass=$TOMBPASSWORD } || {
else tombpass=$(exec_as_user ${TOMBEXEC} askpass \
tombpass=`exec_as_user ${TOMBEXEC} askpass "Insert password to exhume key from $imagefile"` "Insert password to exhume key from $imagefile")
if [[ $? != 0 ]]; then [[ $? != 0 ]] && {
_warning "User aborted password dialog." _warning "User aborted password dialog."
return 1 return 1
fi }
fi }
# always steghide required # Extract the key from the image
steghide extract -sf ${imagefile} -p ${tombpass} -xf ${destkey} steghide extract -sf $imagefile -p ${tombpass} -xf $destkey
res=$? r=$?
unset tombpass # Report to the user
[[ "$destkey" = "-" ]] && destkey="stdout"
[[ "$destkey" = "-" ]] && { destkey="stdout" } [[ $r == 0 ]] && {
if [ $res = 0 ]; then
_success "Key succesfully exhumed to ::1 key::." $destkey _success "Key succesfully exhumed to ::1 key::." $destkey
else } || {
_warning "Nothing found in ::1 image file::" $imagefile _warning "Nothing found in ::1 image file::" $imagefile
fi }
return $res return $r
} }
# Produces a printable image of the key contents so that it can be # Produces a printable image of the key contents so that it can be
@ -1229,18 +1235,19 @@ exhume_key() {
engrave_key() { engrave_key() {
# load key from options # load key from options
load_key || _failure "No key specified." load_key || _failure "No key specified."
local keyname=$(basename $TOMBKEYFILE) local keyname=$(basename $TOMBKEYFILE)
pngname="$keyname.qr.png" local pngname="$keyname.qr.png"
_success "Rendering a printable QRCode for key: ::1 tomb key file::" $TOMBKEYFILE _success "Rendering a printable QRCode for key: ::1 tomb key file::" $TOMBKEYFILE
# we omit armor strings to save space # we omit armor strings to save space
awk ' awk '/^-----/ {next}; /^Version/ {next}; {print $0}' $TOMBKEYFILE \
/^-----/ {next} | qrencode --size 4 --level H --casesensitive -o $pngname
/^Version/ {next} [[ $? != 0 ]] && {
{print $0}' $TOMBKEYFILE | qrencode --size 4 --level H \ _failure "QREncode reported an error." }
--casesensitive -o "$pngname"
{ test $? = 0 } || { _failure "QREncode reported an error." }
_success "Operation successful:" _success "Operation successful:"
# TODO: only if verbose and/or not silent
ls -lh $pngname ls -lh $pngname
file $pngname file $pngname
} }
@ -1318,30 +1325,34 @@ dig_tomb() {
forge_key() { forge_key() {
# can be specified both as simple argument or using -k # can be specified both as simple argument or using -k
destkey="$1" local destkey="$1"
{ option_is_set -k } && { destkey="`option_value -k`" } { option_is_set -k } && { destkey=$(option_value -k) }
{ test "$destkey" = "" } && { local algo="AES256" # Default encryption algorithm
_warning "A filename needs to be specified using -k to forge a new key."
return 1 } [[ -z "$destkey" ]] && {
_failure "A filename needs to be specified using -k to forge a new key." }
_message "Commanded to forge key ::1 key::" $destkey _message "Commanded to forge key ::1 key::" $destkey
_check_swap
_check_swap # Ensure the available memory is safe to use
# make sure that gnupg doesn't quits with an error before first run # Ensure GnuPG won't exit with an error before first run
{ test -r $HOME/.gnupg/pubring.gpg } || { [[ -r $HOME/.gnupg/pubring.gpg ]] || {
mkdir $HOME/.gnupg mkdir -m 0700 $HOME/.gnupg
touch $HOME/.gnupg/pubring.gpg } touch $HOME/.gnupg/pubring.gpg }
{ test -r "$destkey" } && { # Do not overwrite any files accidentally
[[ -r "$destkey" ]] && {
_warning "Forging this key would overwrite an existing file. Operation aborted." _warning "Forging this key would overwrite an existing file. Operation aborted."
_failure "`ls -lh $destkey`" } _failure "`ls -lh $destkey`" }
{ option_is_set -o } && { algopt="`option_value -o`" } # Update algorithm if it was passed on the command line with -o
algo=${algopt:-AES256} { option_is_set -o } && { algopt="$(option_value -o)" }
[[ -n "$algopt" ]] && algo=$algopt
_message "Commanded to forge key ::1 key:: with cipher algorithm ::2 algorithm::" $destkey $algo _message "Commanded to forge key ::1 key:: with cipher algorithm ::2 algorithm::" \
$destkey $algo
TOMBKEYFILE="$destkey" # Set global variable TOMBKEYFILE="$destkey" # Set global variable
@ -1350,13 +1361,12 @@ forge_key() {
_message "To make it faster you can move the mouse around." _message "To make it faster you can move the mouse around."
_message "If you are on a server, you can use an Entropy Generation Daemon." _message "If you are on a server, you can use an Entropy Generation Daemon."
# Use /dev/random as the entropy source, unless --use-random is specified
local random_source=/dev/random local random_source=/dev/random
if option_is_set --use-urandom; then { option_is_set --use-urandom } && random_source=/dev/urandom
random_source=/dev/urandom
fi
_verbose "Data dump using ::1:: from ::2 source::" ${DD[1]} $random_source _verbose "Data dump using ::1:: from ::2 source::" ${DD[1]} $random_source
TOMBSECRET=`${=DD} bs=1 count=256 if=$random_source` TOMBSECRET=$(${=DD} bs=1 count=256 if=$random_source)
[[ $? == 0 ]] || { [[ $? == 0 ]] || {
_warning "Cannot generate encryption key." _warning "Cannot generate encryption key."
_failure "Operation aborted." } _failure "Operation aborted." }
@ -1365,19 +1375,20 @@ forge_key() {
_success "Choose the password of your key: ::1 tomb key::" $TOMBKEYFILE _success "Choose the password of your key: ::1 tomb key::" $TOMBKEYFILE
_message "(You can also change it later using 'tomb passwd'.)" _message "(You can also change it later using 'tomb passwd'.)"
# _user_file $TOMBKEYFILE
touch $TOMBKEYFILE touch $TOMBKEYFILE
chown $_UID:$_GID $TOMBKEYFILE chown $_UID:$_GID $TOMBKEYFILE
chmod 0600 $TOMBKEYFILE chmod 0600 $TOMBKEYFILE
tombname="$TOMBKEYFILE" # XXX ??? tombname="$TOMBKEYFILE" # XXX ???
# the gen_key() function takes care of the new key's encryption # the gen_key() function takes care of the new key's encryption
if option_is_set --tomb-pwd; then { option_is_set --tomb-pwd } && {
tomb_new_pwd="`option_value --tomb-pwd`" local tombpwd="`option_value --tomb-pwd`"
_verbose "tomb-pwd = ::1 new pass::" $tomb_new_pwd _verbose "tomb-pwd = ::1 new pass::" $tombpwd
gen_key "$tomb_new_pwd" >> $TOMBKEYFILE gen_key "$tombpwd" >> $TOMBKEYFILE
else } || {
gen_key >> $TOMBKEYFILE gen_key >> $TOMBKEYFILE
fi }
# load the key contents (set global variable) # load the key contents (set global variable)
TOMBKEY=$(cat $TOMBKEYFILE) TOMBKEY=$(cat $TOMBKEYFILE)