Merge pull request #350 from dyne/urandom-switch

switch default random source to /dev/urandom
Jaromil 2019-05-22 10:13:07 +02:00 committed by GitHub
commit bd3e3c7056
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 87 additions and 88 deletions


@ -1,4 +1,4 @@
.TH tomb 1 "April 16, 2017" "tomb"
.TH tomb 1 "May 22, 2019" "tomb"
.SH NAME
Tomb \- the Crypto Undertaker
@ -38,18 +38,18 @@ data gathered from a non-blocking source (/dev/urandom).
.IP "forge"
Creates a new \fIkey\fR and prompts the user for a \fIpassword\fR to
protect its usage using symmetric encryption. This operation uses
random data from a blocking source (/dev/random) and it may take long
when run on a server with low entropy; to switch using a non-blocking
source the \fI--use-urandom\fR flag can be used. The \fI-g\fR option
switches on the use of a GPG key instead of a password (asymmetric
encryption), then the \fI-r\fR option indicates the recipient key;
more recipient GPG ids can be indicated (comma separated). The default
cipher to protect the key is AES256, a custom one can be specified
using the \fI-o\fR option, for a list of supported ciphers use
\fI-v\fR. For additional protection against dictionary attacks on
keys, the \fI--kdf\fR option can be used when forging a key, making
sure that the \fItomb-kdb-pbkdf2\fR binaries in \fIextras/kdf\fR were
compiled and installed on the system.
random data from a non-blocking source (/dev/urandom) and it may take
long only in some cases; to switch using a blocking source the
\fI--use-random\fR flag can be used. The \fI-g\fR option switches on
the use of a GPG key instead of a password (asymmetric encryption),
then the \fI-r\fR option indicates the recipient key; more recipient
GPG ids can be indicated (comma separated). The default cipher to
protect the key is AES256, a custom one can be specified using the
\fI-o\fR option, for a list of supported ciphers use \fI-v\fR. For
additional protection against dictionary attacks on keys, the
\fI--kdf\fR option can be used when forging a key, making sure that
the \fItomb-kdb-pbkdf2\fR binaries in \fIextras/kdf\fR were compiled
and installed on the system.
.B
.IP "lock"
@ -292,11 +292,10 @@ Enable using dev-mode arguments, i.e. to pass passwords from
commandline options. This is mostly used needed for execution by
wrappers and testing suite.
.B
.IP "--use-urandom"
Use a non-blocking random source to improve the speed of the
\fIforge\fR command (key generation): tomb uses /dev/urandom instead
of /dev/random. According to some people using the non-blocking source
of Linux kernel doesn't degrades the quality of random.
.IP "--use-random"
Use a blocking random source. Tomb uses by default /dev/urandom since
the non-blocking source of Linux kernel doesn't degrades the quality
of random.
.B
.IP "--tomb-pwd <string>"
Use string as password when needed on tomb.
@ -533,7 +532,7 @@ channel on \fIhttps://irc.dyne.org\fR.
.SH COPYING
This manual is Copyright (c) 2011-2017 by Denis Roio <\fIjaromil@dyne.org\fR>
This manual is Copyright (c) 2011-2019 by Denis Roio <\fIjaromil@dyne.org\fR>
This manual includes contributions by Boyska and Hellekin O. Wolf.


@ -1428,9 +1428,9 @@ forge_key() {
_warning "To make it faster you can move the mouse around."
_warning "If you are on a server, you can use an Entropy Generation Daemon."
# Use /dev/random as the entropy source, unless --use-urandom is specified
local random_source=/dev/random
{ option_is_set --use-urandom } && random_source=/dev/urandom
# Use /dev/random as the entropy source, unless --use-random is specified
local random_source=/dev/urandom
{ option_is_set --use-random } && random_source=/dev/random
_verbose "Data dump using ::1:: from ::2 source::" ${DD[1]} $random_source
TOMBSECRET=$(${=DD} bs=1 count=256 if=$random_source)
@ -2474,7 +2474,7 @@ main() {
subcommands_opts[create]="" # deprecated, will issue warning
# -o in forge and lock is used to pass an alternate cipher.
subcommands_opts[forge]="-ignore-swap k: -kdf: o: -tomb-pwd: -use-urandom "
subcommands_opts[forge]="-ignore-swap k: -kdf: o: -tomb-pwd: -use-random "
subcommands_opts[dig]="-ignore-swap s: -size=s "
subcommands_opts[lock]="-ignore-swap k: -kdf: o: -tomb-pwd: "
subcommands_opts[setkey]="k: -ignore-swap -kdf: -tomb-old-pwd: -tomb-pwd: "
@ -2571,7 +2571,7 @@ main() {
{ ! option_is_set --no-color } && { autoload -Uz colors && colors }
# Some options are only available during insecure mode
{ ! option_is_set --unsafe } && {
for opt in --tomb-pwd --use-urandom --tomb-old-pwd; do
for opt in --tomb-pwd --use-random --tomb-old-pwd; do
{ option_is_set $opt } && {
exitv=127 _failure "You specified option ::1 option::, which is DANGEROUS and should only be used for testing\nIf you really want so, add --unsafe" $opt }
done
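Review bot: The new comment above `random_source` in the forge_key hunk still names `/dev/random` as the default, while the assignment below it now defaults to `/dev/urandom`; it should read `# Use /dev/urandom as the entropy source, unless --use-random is specified`, as the matching hunk in `tomb` does. In the last hunk `--use-random` is kept in the list of options that require `--unsafe`, whereas the `tomb` section drops the entry entirely. Choosing the blocking source is not a dangerous option, so `for opt in --tomb-pwd --tomb-old-pwd; do` would keep the two copies consistent. Both forge_key and main continue outside the hunks shown.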

6
extras/test/90_setkey.sh Normal file → Executable file

@ -7,7 +7,7 @@ source ./setup
test_export "test" # Using already generated tomb
test_expect_success 'Testing set key' '
tt forge -k $tomb_key_new --tomb-pwd $DUMMYPASS \
--ignore-swap --unsafe --use-urandom --force &&
--ignore-swap --unsafe --force &&
tt setkey -k $tomb_key_new $tomb_key $tomb \
--unsafe --tomb-pwd $DUMMYPASS --tomb-old-pwd $DUMMYPASS &&
tt open -k $tomb_key_new $tomb \
@ -20,7 +20,7 @@ test_expect_success 'Testing set key' '
test_export "recipient" # Using already generated tomb
test_expect_success 'Testing tomb with GnuPG keys: setkey' '
tt forge $tomb_key_new -g -r $KEY2 --ignore-swap --unsafe --use-urandom &&
tt forge $tomb_key_new -g -r $KEY2 --ignore-swap --unsafe &&
tt setkey -k $tomb_key_new $tomb_key $tomb -g -r $KEY2 &&
tt open -k $tomb_key_new $tomb -g &&
tt_close
@ -30,7 +30,7 @@ if test_have_prereq SPHINX ORACLE; then
test_export "sphinx_test" # Using already generated tomb
test_expect_success 'Testing set key (sphinx)' '
tt forge -k $tomb_key_new --tomb-pwd $DUMMYPASS \
--ignore-swap --unsafe --use-urandom --force \
--ignore-swap --unsafe --force \
--sphx-user $DUMMYUSER --sphx-host $DUMMYHOST &&
tt setkey -k $tomb_key_new $tomb_key $tomb \
--unsafe --tomb-pwd $DUMMYPASS --tomb-old-pwd $DUMMYPASS \

View File

@ -57,8 +57,8 @@ command -v qrencode > /dev/null || QRENCODE=0
typeset -A results
tests=(dig forge lock badpass open close passwd chksum bind setkey recip-dig
recip-forge recip-lock recip-open recip-close recip-passwd recip-resize
tests=(dig forge lock badpass open close passwd chksum bind setkey recip-dig
recip-forge recip-lock recip-open recip-close recip-passwd recip-resize
recip-setkey recip-default recip-hidden shared shared-passwd shared-setkey)
{ test $RESIZER = 1 } && { tests+=(resize) }
@ -92,11 +92,11 @@ test-tomb-create() {
notice "Testing creation: forge"
tt forge /tmp/test.tomb.key \
--ignore-swap --unsafe --tomb-pwd ${dummypass} --use-urandom
--ignore-swap --unsafe --tomb-pwd ${dummypass}
{ test $? = 0 } && {
{ test $? = 0 } && {
results+=(forge SUCCESS)
#
#
notice "Dump of clear key contents to examine them:"
print ${dummypass} \
| gpg --batch --passphrase-fd 0 --no-tty --no-options -d /tmp/test.tomb.key \
@ -107,7 +107,7 @@ test-tomb-create() {
notice "Testing creation: lock"
tt lock /tmp/test.tomb -k /tmp/test.tomb.key \
--ignore-swap --unsafe --tomb-pwd ${dummypass}
--ignore-swap --unsafe --tomb-pwd ${dummypass}
{ test $? = 0 } && { results+=(lock SUCCESS) }
}
@ -122,29 +122,29 @@ test-tomb-recip() {
notice "Testing tomb with recipient creation: dig"
tt dig -s 20 $tomb
{ test $? = 0 } && { results+=(recip-dig SUCCESS) }
notice "Testing tomb with recipient creation: forge"
tt forge $tomb_key -g -r $gpgid_1 --ignore-swap --unsafe --use-urandom
{ test $? = 0 } && { results+=(recip-forge SUCCESS) }
tt forge $tomb_key -g -r $gpgid_1 --ignore-swap --unsafe
{ test $? = 0 } && { results+=(recip-forge SUCCESS) }
notice "Testing tomb with recipient creation: lock"
tt lock $tomb -k $tomb_key -g -r $gpgid_1 --ignore-swap --unsafe
{ test $? = 0 } && { results+=(recip-lock SUCCESS) }
notice "Testing tomb with recipient opening: open"
tt open $tomb -k $tomb_key -g
{ test $? = 0 } && { results+=(recip-open SUCCESS) }
notice "Testing tomb with recipient closing: close"
tt close recip
{ test $? = 0 } && { results+=(recip-close SUCCESS) }
{ test $STEGHIDE = 1 } && {
notice "Testing tomb with recipient steganographic hiding of keys"
cp -f arditi.jpg /tmp/recip.jpg
sudo rm -f /tmp/recip.steg.key
tt --unsafe --tomb-pwd ${dummypass} bury -k /tmp/recip.tomb.key \
/tmp/recip.jpg -g -r "$gpgid_1"
{ test $? = 0 } && { results+=(recip-stgin SUCCESS) }
@ -164,7 +164,7 @@ test-tomb-recip() {
{ test $? = 0 } && { results+=(recip-stgimpl SUCCESS) }
tt close recip
}
notice "Testing tomb with recipient changing gpg key: passwd"
res=0
tt passwd -k $tomb_key -g -r $gpgid_2
@ -174,16 +174,16 @@ test-tomb-recip() {
tt close recip
{ test $? = 0 } || { res=1 }
{ test $res = 0 } && { results+=(recip-passwd SUCCESS) }
notice "Testing tomb with recipient resizing a tomb: resize"
tt resize -s 30 $tomb -k $tomb_key -g -r $gpgid_2
{ test $? = 0 } && { results+=(recip-resize SUCCESS) }
notice "Testing tomb with recipient setting a new key: setkey"
sudo rm -f /tmp/new.recip.tomb.key
res=0
tt forge /tmp/new.recip.tomb.key -g -r $gpgid_2 \
--ignore-swap --unsafe --use-urandom
--ignore-swap --unsafe
{ test $? = 0 } || { res=1 }
tt setkey -k /tmp/new.recip.tomb.key $tomb_key $tomb -g -r $gpgid_2
{ test $? = 0 } || { res=1 }
@ -196,18 +196,18 @@ test-tomb-recip() {
test-tomb-recip-default() {
notice "wiping all default.tomb* in /tmp"
rm -f /tmp/default.tomb /tmp/default.tomb.key /tmp/default.tmp
rm -f /tmp/default.tomb /tmp/default.tomb.key /tmp/default.tmp
notice "Testing tomb with the default recipient"
res=0
tt dig -s 20 /tmp/default.tomb
{ test $? = 0 } || { res=1 }
tt forge /tmp/default.tomb.key -g --ignore-swap --unsafe --use-urandom
tt forge /tmp/default.tomb.key -g --ignore-swap --unsafe
{ test $? = 0 } || { res=1 }
tt lock /tmp/default.tomb -k /tmp/default.tomb.key \
--ignore-swap --unsafe -g
{ test $? = 0 } || { res=1 }
gpg -d --status-fd 2 /tmp/default.tomb.key 1> /dev/null 2> /tmp/default.tmp
gpg -d --status-fd 2 /tmp/default.tomb.key 1> /dev/null 2> /tmp/default.tmp
[[ -z "$(grep 'Tomb Test 2' /tmp/default.tmp)" ]] && { res=1 }
{ test $res = 0 } && { results+=(recip-default SUCCESS) }
}
@ -216,12 +216,12 @@ test-tomb-recip-hidden() {
notice "wiping all hidden.tomb* in /tmp"
rm -f /tmp/hidden.tomb /tmp/hidden.tomb.key
notice "Testing tomb with hidden recipient"
res=0
tt dig -s 20 /tmp/hidden.tomb
{ test $? = 0 } || { res=1 }
tt forge /tmp/hidden.tomb.key -g -R $gpgid_1 --ignore-swap --unsafe --use-urandom
tt forge /tmp/hidden.tomb.key -g -R $gpgid_1 --ignore-swap --unsafe
{ test $? = 0 } || { res=1 }
tt lock /tmp/hidden.tomb -k /tmp/hidden.tomb.key \
--ignore-swap --unsafe -g -R $gpgid_1
@ -233,13 +233,13 @@ test-tomb-shared() {
notice "wiping all shared.tomb* in /tmp"
rm -f /tmp/shared.tomb /tmp/shared.tomb.key
notice "Testing sharing a tomb"
res=0
tt dig -s 20 /tmp/shared.tomb
{ test $? = 0 } || { res=1 }
tt forge /tmp/shared.tomb.key -g -r $gpgid_1,$gpgid_2 \
--ignore-swap --unsafe --use-urandom
--ignore-swap --unsafe
{ test $? = 0 } || { res=1 }
tt lock /tmp/shared.tomb -k /tmp/shared.tomb.key \
--ignore-swap --unsafe -g -r $gpgid_1
@ -249,16 +249,16 @@ test-tomb-shared() {
tt close shared
{ test $? = 0 } || { res=1 }
{ test $res = 0 } && { results+=(shared SUCCESS) }
notice "Testing changing recipients on a shared Tomb"
tt passwd -k /tmp/shared.tomb.key -g -r $gpgid_2,$gpgid_1
{ test $? = 0 } && { results+=(shared-passwd SUCCESS) }
notice "Testing setkey on a shared Tomb"
rm -f /tmp/new.shared.tomb.key
res=0
tt forge /tmp/new.shared.tomb.key -g -r $gpgid_1,$gpgid_2 \
--ignore-swap --unsafe --use-urandom
--ignore-swap --unsafe
{ test $? = 0 } || { res=1 }
tt setkey -k /tmp/new.shared.tomb.key /tmp/shared.tomb.key /tmp/shared.tomb \
-g -r $gpgid_2,$gpgid_1
@ -297,7 +297,7 @@ test-set-key() {
sudo rm -f /tmp/test.tomb.new.key
tt forge -k /tmp/test.tomb.new.key --force --unsafe --tomb-pwd ${dummypass} --use-urandom
tt forge -k /tmp/test.tomb.new.key --force --unsafe --tomb-pwd ${dummypass}
tt setkey -k /tmp/test.tomb.new.key --unsafe --tomb-pwd ${dummypass} --tomb-old-pwd ${dummypass} /tmp/test.tomb.key /tmp/test.tomb
@ -336,7 +336,7 @@ test-regression() {
${OLDT} -D dig -s 10 /tmp/regression-test.tomb
${OLDT} -D forge /tmp/regression-test.tomb.key \
--ignore-swap --unsafe --tomb-pwd ${dummypass} --use-urandom
--ignore-swap --unsafe --tomb-pwd ${dummypass}
${OLDT} -D lock /tmp/regression-test.tomb -k /tmp/regression-test.tomb.key \
--ignore-swap --unsafe --tomb-pwd ${dummypass}
@ -368,9 +368,9 @@ test-open-read-only() {
# Create new
tt dig -s 20 /tmp/testro.tomb
tt forge /tmp/testro.tomb.key \
--ignore-swap --unsafe --tomb-pwd ${dummypass} --use-urandom
--ignore-swap --unsafe --tomb-pwd ${dummypass}
tt lock /tmp/testro.tomb -k /tmp/testro.tomb.key \
--ignore-swap --unsafe --tomb-pwd ${dummypass}
--ignore-swap --unsafe --tomb-pwd ${dummypass}
notice "Testing open read only"
@ -453,9 +453,9 @@ tt --unsafe close test
{ test $RESIZER = 1 } && {
notice "Testing resize to 30 MiB"
tt --unsafe --tomb-pwd ${dummypass} -k /tmp/test.tomb.key resize /tmp/test.tomb -s 30
{ test $? = 0 } && { results+=(resize SUCCESS) }
}
@ -465,9 +465,9 @@ notice "Testing contents integrity"
tt -k /tmp/test.tomb.key --unsafe --tomb-pwd ${dummypass} open /tmp/test.tomb
{ test $? = 0 } && {
crc2="sha256 /media/test/datacheck.raw"
{ test "$crc" = "$crc2" } && { results+=(chksum SUCCESS) }
tt close test
@ -497,33 +497,33 @@ test-set-key
{ test $KDF = 1 } && {
{ test $KDF = 1 } && {
notice "Testing KDF key"
sudo rm -f /tmp/test.tomb.kdf /tmp/kdf.tomb
tt --unsafe --tomb-pwd ${dummypass} --use-urandom --kdf 1 forge -k /tmp/test.tomb.kdf
tt --unsafe --tomb-pwd ${dummypass} --kdf 1 forge -k /tmp/test.tomb.kdf
{ test $? = 0 } && { results+=(kdforge SUCCESS) }
tt passwd --unsafe --tomb-old-pwd ${dummypass} --tomb-pwd ${dummypassnew} --kdf 1 -k /tmp/test.tomb.kdf
{ test $? = 0 } && { results+=(kdfpass SUCCESS) }
tt dig -s 10 /tmp/kdf.tomb
tt lock /tmp/kdf.tomb -k /tmp/test.tomb.kdf \
--ignore-swap --unsafe --tomb-pwd ${dummypassnew} --kdf 1
{ test $? = 0 } && { results+=(kdflock SUCCESS) }
tt open /tmp/kdf.tomb -k /tmp/test.tomb.kdf \
--ignore-swap --unsafe --tomb-pwd ${dummypassnew} --kdf 1
{ test $? = 0 } && { results+=(kdfopen SUCCESS) }
${T} close kdf
}
{ test $STEGHIDE = 1 } && {
@ -532,7 +532,7 @@ test-set-key
cp -f arditi.jpg /tmp/tomb.jpg
sudo rm -f /tmp/test.steg.key
tt --unsafe --tomb-pwd ${dummypass} bury -k /tmp/test.tomb.key /tmp/tomb.jpg
{ test $? = 0 } && { results+=(stgin SUCCESS) }
@ -559,7 +559,7 @@ test-set-key
notice "test using open -k image.jpeg"
tt --unsafe --tomb-pwd ${dummypass} open -k /tmp/tomb.jpg /tmp/test.tomb
tt --unsafe --tomb-pwd ${dummypass} open -k /tmp/tomb.jpg /tmp/test.tomb
{ test $? = 0 } && { results+=(stgimpl SUCCESS) }
tt close test
@ -576,7 +576,7 @@ test-set-key
}
# rm /tmp/test.tomb{,.key} -f || exit 1
endloops=(`sudo losetup -a |cut -d: -f1`)
notice "Test results summary"
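Review bot: The `${OLDT} -D forge` call in test-regression loses `--use-urandom` together with the `tt` calls, but `${OLDT}` looks like an older tomb release that, going by the lines this commit removes, still defaults to the blocking /dev/random. The regression test may then stall on low-entropy hosts such as CI machines. Keeping the flag on that one call, `--ignore-swap --unsafe --tomb-pwd ${dummypass} --use-urandom`, avoids this. test-regression starts and ends outside the hunk.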

2
extras/test/setup Normal file → Executable file

@ -116,7 +116,7 @@ tt() {
}
tt_dig() { tt dig "$tomb" "${@}"; }
tt_forge() { tt forge "$tomb_key" --ignore-swap --unsafe --use-urandom "${@}"; }
tt_forge() { tt forge "$tomb_key" --ignore-swap --unsafe "${@}"; }
tt_lock() { tt lock "$tomb" -k "$tomb_key" --ignore-swap --unsafe "${@}"; }
tt_open() { tt open "$tomb" -k "$tomb_key" --ignore-swap --unsafe "${@}"; }
tt_close() { tt close "$testname" "${@}"; }

10
tomb

@ -1952,9 +1952,9 @@ forge_key() {
_warning "To make it faster you can move the mouse around."
_warning "If you are on a server, you can use an Entropy Generation Daemon."
# Use /dev/random as the entropy source, unless --use-urandom is specified
local random_source=/dev/random
{ option_is_set --use-urandom } && random_source=/dev/urandom
# Use /dev/urandom as the entropy source, unless --use-random is specified
local random_source=/dev/urandom
{ option_is_set --use-random } && random_source=/dev/random
_verbose "Data dump using ::1:: from ::2 source::" ${DD[1]} $random_source
TOMBSECRET=$(${=DD} bs=1 count=512 if=$random_source)
@ -3108,7 +3108,7 @@ main() {
subcommands_opts[create]="" # deprecated, will issue warning
# -o in forge and lock is used to pass an alternate cipher.
subcommands_opts[forge]="-ignore-swap k: -kdf: o: -tomb-pwd: -use-urandom r: R: -sphx-host: -sphx-user: "
subcommands_opts[forge]="-ignore-swap k: -kdf: o: -tomb-pwd: -use-random r: R: -sphx-host: -sphx-user: "
subcommands_opts[dig]="-ignore-swap s: -size=s "
subcommands_opts[lock]="-ignore-swap k: -kdf: o: -tomb-pwd: r: R: -sphx-host: -sphx-user: "
subcommands_opts[setkey]="k: -ignore-swap -kdf: -tomb-old-pwd: -tomb-pwd: r: R: -sphx-host: -sphx-user: "
@ -3208,7 +3208,7 @@ main() {
{ ! option_is_set --no-color } && { autoload -Uz colors && colors }
# Some options are only available during insecure mode
{ ! option_is_set --unsafe } && {
for opt in --tomb-pwd --use-urandom --tomb-old-pwd; do
for opt in --tomb-pwd --tomb-old-pwd; do
{ option_is_set $opt } && {
exitv=127 _failure "You specified option ::1 option::, which is DANGEROUS and should only be used for testing\nIf you really want so, add --unsafe" $opt }
done
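Review bot: Dropping `-use-urandom` from `subcommands_opts[forge]` means existing wrappers and scripts that pass `--use-urandom` will presumably be rejected by option parsing (the parser is outside the hunk), even though they ask for what is now the default. Consider accepting it as a deprecated no-op, for example by keeping `-use-urandom -use-random` in the forge option string. In the forge_key hunk the two `_warning` lines about moving the mouse and running an entropy daemon stay as context; if they are printed unconditionally they mislead now that the default source does not block, and would fit better under the `--use-random` branch. A short comment next to `random_source` noting that /dev/urandom can be read before the kernel pool is initialised early in boot would help users of freshly booted or embedded systems decide when to pass `--use-random`.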