Merge branch 'master' into fixes

Conflicts:
	src/tomb
This commit is contained in:
Jaromil 2011-02-12 10:18:59 +01:00
commit c2090c9743
2 changed files with 133 additions and 37 deletions

147
src/tomb

@ -160,17 +160,17 @@ ask_usbkey() {
# user interface (just to ask the password) # user interface (just to ask the password)
ask_password() { ask_password() {
exec_as_user xhost 2>&1 >/dev/null xhost 2>&1 >/dev/null
if [ $? = 0 ]; then # we have access to the X display if [ $? = 0 ]; then # we have access to the X display
exec_as_user which tomb-askpass > /dev/null which tomb-askpass > /dev/null
if [ $? = 0 ]; then if [ $? = 0 ]; then
export scolopendro="`exec_as_user tomb-askpass ${1} 2>/dev/null`" export scolopendro="`tomb-askpass ${1} 2>/dev/null`"
return return
fi fi
exec_as_user which ssh-askpass # 2>&1 > /dev/null which ssh-askpass # 2>&1 > /dev/null
if [ $? = 0 ]; then if [ $? = 0 ]; then
export scolopendro="`exec_as_user ssh-askpass "Tomb: provide the password to unlock"`" export scolopendro="`ssh-askpass "Tomb: provide the password to unlock"`"
return return
fi fi
@ -499,37 +499,37 @@ create_tomb() {
mount_tomb() { mount_tomb() {
if ! [ $CMD2 ]; then if ! [ $CMD2 ]; then
error "need an argument, operation aborted." error "need an argument, operation aborted."
return 1 return 1
elif [ -r $CMD2 ]; then elif [ -r $CMD2 ]; then
tombfile=$CMD2 tombfile=`basename $CMD2`
tombdir=`dirname $CMD2`
else else
# try also adding a .tomb extension # try also adding a .tomb extension
tombfile="${CMD2%\.*}.tomb" tombfile=${tombfile%%\.*}.tomb
if ! [ -r $tombfile ]; then if ! [ -r $tombfile ]; then
error "cannot find a tomb named $CMD2" error "cannot find a tomb named $CMD2"
return 1 return 1
fi fi
fi fi
file $tombfile | grep -i 'luks encrypted.*cbc-essiv' 2>&1 >/dev/null file ${tombdir}/${tombfile} | grep -i 'luks encrypted.*cbc-essiv' 2>&1 >/dev/null
if [ $? != 0 ]; then if [ $? != 0 ]; then
error "$CMD2 is not a valid tomb file, operation aborted" error "$CMD2 is not a valid tomb file, operation aborted"
tomb-notify "Not a tomb." "$CMD2 doesn't seems a real tomb." tomb-notify "Not a tomb." "$CMD2 doesn't seems a real tomb."
return 1 return 1
fi fi
tombdir=`dirname $tombfile` tombname=${tombfile%%\.*}
tombname=`echo $tombfile | cut -d. -f1` act "mounting tomb named after $tombname"
if [ $KEY ]; then if [ $KEY ]; then
# key manually chosen from commandline with -k # key manually chosen from commandline with -k
tombkey="`basename $KEY`" tombkey="`basename $KEY`"
tombkeypath="$KEY" tombkeypath="$KEY"
else else
tombkey="`basename ${tombfile}.gpg`" tombkey=${tombfile}.gpg
if [ -r $tombkey ]; then if [ -r $tombkey ]; then
tombkeypath=$tombkey tombkeypath=$tombkey
elif [ -r "$tombdir/$tombkey" ]; then elif [ -r "$tombdir/$tombkey" ]; then
@ -573,7 +573,7 @@ mount_tomb() {
mkdir -p $tombmount mkdir -p $tombmount
nstloop=`losetup -f` nstloop=`losetup -f`
losetup -f ${tombfile} losetup -f ${tombdir}/${tombfile}
act "check for a valid LUKS encrypted device" act "check for a valid LUKS encrypted device"
cryptsetup isLuks ${nstloop} cryptsetup isLuks ${nstloop}
@ -591,7 +591,7 @@ mount_tomb() {
mapdate="`date +%s`" mapdate="`date +%s`"
mapdate="`echo ${mapdate}/60 | bc -l | cut -d. -f1`" mapdate="`echo ${mapdate}/60 | bc -l | cut -d. -f1`"
mapper="tomb.`basename $tombfile | cut -d. -f1`.$mapdate.`basename $nstloop`" mapper="tomb.${tombname}.${mapdate}.`basename $nstloop`"
notice "Password is required for key ${tombkey}" notice "Password is required for key ${tombkey}"
keyname=`basename $tombkey | cut -d. -f1` keyname=`basename $tombkey | cut -d. -f1`
@ -630,6 +630,8 @@ mount_tomb() {
act "encrypted storage filesystem check" act "encrypted storage filesystem check"
fsck -p -C0 /dev/mapper/${mapper} fsck -p -C0 /dev/mapper/${mapper}
act "tomb engraved as $tombname"
tune2fs -L ${tombname} /dev/mapper/${mapper}
mount -o rw,noatime,nodev /dev/mapper/${mapper} ${tombmount} mount -o rw,noatime,nodev /dev/mapper/${mapper} ${tombmount}
@ -644,6 +646,108 @@ mount_tomb() {
return 0 return 0
} }
encode_key() {
tombkey=$CMD2
imagefile=$CMD3
file $tombkey | grep PGP > /dev/null
if [ $? != 0 ]; then
error "encode failed: $tombkey is not a tomb key"
return 1
fi
file $imagefile | grep JPEG > /dev/null
if [ $? != 0 ]; then
error "encode failed: $imagefile is not a jpeg image"
return 1
fi
notice "Encoding key $tombkey inside image $imagefile"
act "please choose a password for the encoding"
# here user is prompted for key password
for c in 1 2 3; do
# 3 tries to write two times a matching password
ask_password ${FILE}
scolotemp=$scolopendro
ask_password "${FILE} (again)"
if [ "$scolotemp" = "$scolopendro" ]; then
break;
fi
unset $scolotemp
unset $scolopendro
done
if [ -z $scolopendro ]; then
error "passwords don't match, aborting operation."
return 1
fi
awk '
/^-----/ {next}
/^Version/ {next}
/^Comment/ {next}
{print $0}' ${tombkey} \
| steghide embed --embedfile - --coverfile ${imagefile} \
-p ${scolopendro} -z 9 -e serpent cbc
if [ $? != 0 ]; then
error "encoding error: steghide reports problems"
res=1
else
notice "tomb key encoded succesfully into image ${imagefile}"
res=0
fi
unset scolopendro
return $res
}
decode_key() {
tombname=$CMD2
imagefile=$CMD3
res=1
file $imagefile | grep JPEG > /dev/null
if [ $? != 0 ]; then
error "encode failed: $imagefile is not a jpeg image"
return 1
fi
tombfile=${tombname%%\.*}.tomb.gpg
notice "Decoding a key out of image $imagefile"
for c in 1 2 3; do
if [ $c = 1 ]; then
ask_password ${keyname}
else
ask_password "$keyname (retry $c)"
fi
steghide extract -sf ${imagefile} -p ${scolopendro} -xf - \
| awk '
BEGIN {
print "-----BEGIN PGP MESSAGE-----"
print "Version: GnuPG v1.4.10 (GNU/Linux)"
}
{ print $0 }
END {
print "-----END PGP MESSAGE-----"
}' > ${tombfile}
if [ "`cat ${tombfile} | wc -l`" != "3" ]; then
act "${tombfile} succesfully decoded"
res=0
break;
fi
done
unset scolopendro
if [ $res != 0 ]; then
error "nothing found."
fi
return $res
}
exec_bind_hooks() { exec_bind_hooks() {
mnt=$1 # first argument is where the tomb is mounted mnt=$1 # first argument is where the tomb is mounted
if ! [ -r ${mnt}/bind-hooks ]; then return; fi if ! [ -r ${mnt}/bind-hooks ]; then return; fi
@ -851,17 +955,6 @@ EOF
act "Tomb is now installed." act "Tomb is now installed."
} }
kill_tomb() {
# TODO: fixME - should close all tombs
umount /tmp/tomb* 2>&1 > /dev/null
# todo check which are tomb loops
losetup -d /dev/loop* 2>&1 > /dev/null
statuses=`ps ax| grep -v awk | awk "/tomb-status.$basemap/"' { print $1 }'`
for ts in ${(f)statuses}; do
kill $ts
done
}
case "$CMD" in case "$CMD" in
@ -874,8 +967,10 @@ case "$CMD" in
unmount) check_priv ; umount_tomb ${CMD2} ;; unmount) check_priv ; umount_tomb ${CMD2} ;;
close) check_priv ; umount_tomb ${CMD2} ;; close) check_priv ; umount_tomb ${CMD2} ;;
encode) encode_key ${CMD2} ${CMD3} ;;
decode) decode_key ${CMD2} ;;
install) check_priv ; install_tomb ;; install) check_priv ; install_tomb ;;
kill) check_priv ; kill_tomb ;;
status) tomb-status ;; status) tomb-status ;;
notify) tomb-notify $CMD2 $CMD3 ;; notify) tomb-notify $CMD2 $CMD3 ;;
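Review bot: encode_key and decode_key hand the user's passphrase to steghide as a command-line argument (`-p ${scolopendro}` on the `steghide embed` and `steghide extract` calls), so for the duration of the run it is typically visible to other local users through ps or /proc/*/cmdline; steghide prompts for the passphrase on the terminal when -p is omitted, and if that path cannot be used here the expansion should at least be quoted (`-p "${scolopendro}"`), since the unquoted form word-splits a passphrase containing spaces. The retry loop in encode_key also runs `unset $scolotemp` and `unset $scolopendro`, which tries to unset variables named after the passphrase text rather than the two variables themselves, so a mismatched first attempt is never cleared; it should read `unset scolotemp scolopendro`. In decode_key the prompts use `${keyname}`, which is not assigned anywhere in that function (the name it derives is `tombfile`), so unless a caller happens to set it the user is prompted with an empty label. Both functions are complete within the hunk.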


@ -31,25 +31,27 @@ try() {
else return -1; fi else return -1; fi
} }
tombdir=`dirname $1`
tombfile=`basename $1`
tombname=${tombfile%%\.*}
# got an argument # got an argument
if [ $1 ]; then if [ $1 ]; then # is it a file?
# is it a tomb?
arg="${1%%\.*}.tomb"
if [ -f $arg ]; then if [ -f ${tombdir}/${tombfile} ]; then
file $arg | grep LUKS
# is it a luks partition
file ${tombdir}/${tombfile} | grep LUKS
if [ $? = 0 ]; then # tomb is a valid LUKS file if [ $? = 0 ]; then # tomb is a valid LUKS file
tomb mount $arg tomb mount ${tombdir}/${tombfile}
if [ $? = 0 ]; then # mount was succesfull (with password and all) if [ $? = 0 ]; then # mount was succesfull (with password and all)
# strip extension if there # strip extension if there
tombname="${arg%%.*}"
tombmap=`mount -l | awk "/\[${tombname}\]$/"' { print $1 } '` tombmap=`mount -l | awk "/\[${tombname}\]$/"' { print $1 } '`
tombmount=`mount -l | awk "/\[${tombname}\]$/"' { print $3 } '` tombmount=`mount -l | awk "/\[${tombname}\]$/"' { print $3 } '`
echo "tomb-status $tombmap $tombname $tombmount"
tomb-status $tombmap $tombname $tombmount &! tomb-status $tombmap $tombname $tombmount &!
exit 0 exit 0
else else
@ -62,8 +64,7 @@ if [ $1 ]; then
fi fi
elif [ -d $1 ]; then elif [ -d $1 ]; then # its a directory
# its a directory
# FIXME: somehow xdg-open loses mailcap mimes when executed by tomb-status # FIXME: somehow xdg-open loses mailcap mimes when executed by tomb-status
# try xdg-open; if [ $? = 0 ]; then xdg-open ${1}; exit 0; fi # try xdg-open; if [ $? = 0 ]; then xdg-open ${1}; exit 0; fi