Llewellyn/Tomb
1
0
Fork 0
mirror of https://github.com/Llewellynvdm/Tomb.git synced 2024-09-29 05:09:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

whitespace cleanup

Browse Source
This commit is contained in:
Jaromil 2013-05-25 15:05:21 +02:00
parent 37792ffdc5
commit c20ca3a920
1 changed files with 330 additions and 330 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

542
tomb
View File

@ -60,11 +60,11 @@ option_is_set() {
[[ -n ${(k)opts[$1]} ]]; [[ -n ${(k)opts[$1]} ]];
r=$? r=$?
if [[ $2 == out ]]; then if [[ $2 == out ]]; then
if [[ $r == 0 ]]; then if [[ $r == 0 ]]; then
echo 'set' echo 'set'
else else
echo 'unset' echo 'unset'
fi fi
fi fi
return $r; return $r;
} }
@ -159,7 +159,7 @@ progress() {
# progress create 90 formatting the tomb # progress create 90 formatting the tomb
# progress create 100 tomb created successfully # progress create 100 tomb created successfully
if ! option_is_set --batch; then if ! option_is_set --batch; then
return return
fi fi
print "[m][P][$1][$2][$3]" >&2 print "[m][P][$1][$2][$3]" >&2
@ -184,8 +184,8 @@ check_bin() {
# check for filesystem creation progs # check for filesystem creation progs
command -v mkfs.ext4 > /dev/null && \ command -v mkfs.ext4 > /dev/null && \
MKFS="mkfs.ext4 -q -F -j -L" || \ MKFS="mkfs.ext4 -q -F -j -L" || \
MKFS="mkfs.ext3 -q -F -j -L" MKFS="mkfs.ext3 -q -F -j -L"
# check for mktemp # check for mktemp
command -v mktemp > /dev/null || MKTEMP=0 command -v mktemp > /dev/null || MKTEMP=0
@ -195,15 +195,15 @@ check_bin() {
command -v e2fsck resize2fs > /dev/null || RESIZER=0 command -v e2fsck resize2fs > /dev/null || RESIZER=0
if which tomb-kdf-pbkdf2 &> /dev/null; then if which tomb-kdf-pbkdf2 &> /dev/null; then
KDF_PBKDF2="tomb-kdf-pbkdf2" KDF_PBKDF2="tomb-kdf-pbkdf2"
else else
local our_pbkdf2 local our_pbkdf2
our_pbkdf2="$(dirname $(readlink -f $TOMBEXEC))/kdf/tomb-kdf-pbkdf2" our_pbkdf2="$(dirname $(readlink -f $TOMBEXEC))/kdf/tomb-kdf-pbkdf2"
if which $our_pbkdf2 &> /dev/null; then if which $our_pbkdf2 &> /dev/null; then
KDF_PBKDF2=$our_pbkdf2 KDF_PBKDF2=$our_pbkdf2
else else
KDF_PBKDF2= KDF_PBKDF2=
fi fi
fi fi
} }
@ -252,7 +252,7 @@ safe_dir() {
return 0 return 0
else else
_warning "WARNING: we cannot ensure we're running in RAM." _warning "WARNING: we cannot ensure we're running in RAM."
xxx "Wait a bit before retrying... (attempt $tries)" xxx "Wait a bit before retrying... (attempt $tries)"
sync && sleep 0.5 sync && sleep 0.5
fi fi
done done
@ -308,7 +308,7 @@ SETPROMPT Password:
GETPIN GETPIN
EOF` EOF`
if [[ `tail -n1 <<<$output` =~ ERR ]]; then if [[ `tail -n1 <<<$output` =~ ERR ]]; then
return 1 return 1
fi fi
head -n1 <<<$output | awk '/^D / { sub(/^D /, ""); print }' head -n1 <<<$output | awk '/^D / { sub(/^D /, ""); print }'
return 0 return 0
@ -336,7 +336,7 @@ check_priv() {
sudok=false sudok=false
# sudo -n ${TOMBEXEC} &> /dev/null # sudo -n ${TOMBEXEC} &> /dev/null
if ! option_is_set --sudo-pwd; then if ! option_is_set --sudo-pwd; then
if [ $? != 0 ]; then # if not then ask a password if [ $? != 0 ]; then # if not then ask a password
cat <<EOF | pinentry 2>/dev/null | awk '/^D / { sub(/^D /, ""); print }' | sudo -S -v cat <<EOF | pinentry 2>/dev/null | awk '/^D / { sub(/^D /, ""); print }' | sudo -S -v
OPTION ttyname=$TTY OPTION ttyname=$TTY
OPTION lc-ctype=$LANG OPTION lc-ctype=$LANG
@ -345,10 +345,10 @@ SETDESC Sudo execution of Tomb ${OLDARGS[@]}
SETPROMPT Insert your USER password: SETPROMPT Insert your USER password:
GETPIN GETPIN
EOF EOF
fi fi
else else
_verbose "Escalating privileges using sudo-pwd" _verbose "Escalating privileges using sudo-pwd"
sudo -S -v <<<`option_value --sudo-pwd` sudo -S -v <<<`option_value --sudo-pwd`
fi fi
sudo "${TOMBEXEC}" -U ${UID} -G ${GID} -T ${TTY} "${(@)OLDARGS}" sudo "${TOMBEXEC}" -U ${UID} -G ${GID} -T ${TTY} "${(@)OLDARGS}"
exit $? exit $?
@ -365,10 +365,10 @@ check_command() {
#before wasting user's time #before wasting user's time
if ! option_is_set --ignore-swap && ! option_is_set -f; then if ! option_is_set --ignore-swap && ! option_is_set -f; then
if ! check_swap; then if ! check_swap; then
error "Swap activated. Disable it with swapoff, or use --ignore-swap" error "Swap activated. Disable it with swapoff, or use --ignore-swap"
exit 1 exit 1
fi fi
fi fi
} }
@ -464,22 +464,22 @@ EOF
cat $TOMBEXEC | awk ' cat $TOMBEXEC | awk '
/(_verbose|xxx) ".*"$/ { sub( /^(_verbose|xxx)/ , ""); /(_verbose|xxx) ".*"$/ { sub( /^(_verbose|xxx)/ , "");
print "#: _verbose"; print "msgid " $0; print "msgstr \"\"\n" } print "#: _verbose"; print "msgid " $0; print "msgstr \"\"\n" }
/(_success|yes) ".*"$/ { sub( /^(_success|yes)/ , ""); /(_success|yes) ".*"$/ { sub( /^(_success|yes)/ , "");
print "#: _success"; print "msgid " $0; print "msgstr \"\"\n" } print "#: _success"; print "msgid " $0; print "msgstr \"\"\n" }
/(_warning|no) ".*"$/ { sub( /^(_warning|no)/ , ""); /(_warning|no) ".*"$/ { sub( /^(_warning|no)/ , "");
print "#: _warning"; print "msgid " $0; print "msgstr \"\"\n" } print "#: _warning"; print "msgid " $0; print "msgstr \"\"\n" }
/(_failure|die) ".*"$/ { sub( /^(_failure|die)/ , ""); /(_failure|die) ".*"$/ { sub( /^(_failure|die)/ , "");
print "#: _failure"; print "msgid " $0; print "msgstr \"\"\n" } print "#: _failure"; print "msgid " $0; print "msgstr \"\"\n" }
/(_message|say) ".*"$/ { sub( /^(_message|say)/ , ""); /(_message|say) ".*"$/ { sub( /^(_message|say)/ , "");
print "#: _message"; print "msgid " $0; print "msgstr \"\"\n" } print "#: _message"; print "msgid " $0; print "msgstr \"\"\n" }
/(_message -n|act) ".*"$/ { sub( /^(_message -n|act)/ , ""); /(_message -n|act) ".*"$/ { sub( /^(_message -n|act)/ , "");
print "#: _message -n"; print "msgid " $0; print "msgstr \"\"\n" } print "#: _message -n"; print "msgid " $0; print "msgstr \"\"\n" }
' '
} }
# }}} # }}}
@ -554,8 +554,8 @@ decode_key() {
keyfile=${tombname%%\.*}.tomb.key keyfile=${tombname%%\.*}.tomb.key
if [[ -e "$keyfile" ]]; then if [[ -e "$keyfile" ]]; then
_warning "Key file $keyfile already exist." _warning "Key file $keyfile already exist."
return 1 return 1
fi fi
_message "Trying to exhume a key out of image $imagefile" _message "Trying to exhume a key out of image $imagefile"
for c in 1 2 3; do for c in 1 2 3; do
@ -612,7 +612,7 @@ BEGIN { ciphers=0 }
exec_safe_bind_hooks() { exec_safe_bind_hooks() {
if [[ -n ${(k)opts[-o]} ]]; then if [[ -n ${(k)opts[-o]} ]]; then
MOUNTOPTS=${opts[-o]} MOUNTOPTS=${opts[-o]}
fi fi
local MOUNTPOINT="${1}" local MOUNTPOINT="${1}"
local ME=${SUDO_USER:-$(whoami)} local ME=${SUDO_USER:-$(whoami)}
@ -685,8 +685,8 @@ forge_key() {
_message "Commanded to forge key $1" _message "Commanded to forge key $1"
if ! [ $1 ]; then if ! [ $1 ]; then
_warning "no key name specified for creation" _warning "no key name specified for creation"
return 1 return 1
fi fi
# if swap is on, we remind the user about possible data leaks to disk # if swap is on, we remind the user about possible data leaks to disk
@ -716,13 +716,13 @@ forge_key() {
chmod 0600 ${keytmp}/tomb.tmp chmod 0600 ${keytmp}/tomb.tmp
random_source=/dev/random random_source=/dev/random
if option_is_set --use-urandom; then if option_is_set --use-urandom; then
random_source=/dev/urandom random_source=/dev/urandom
fi fi
if [[ $DD = "dcfldd" ]]; then if [[ $DD = "dcfldd" ]]; then
$DD bs=1 count=256 if=$random_source of=${keytmp}/tomb.tmp statusinterval=1 $DD bs=1 count=256 if=$random_source of=${keytmp}/tomb.tmp statusinterval=1
else else
$DD bs=1 count=256 if=$random_source of=${keytmp}/tomb.tmp $DD bs=1 count=256 if=$random_source of=${keytmp}/tomb.tmp
fi fi
if ! [ -r ${keytmp}/tomb.tmp ]; then if ! [ -r ${keytmp}/tomb.tmp ]; then
_warning "cannot generate encryption key" _warning "cannot generate encryption key"
@ -744,7 +744,7 @@ forge_key() {
# this does a check on the file header, virtuosism by hellekin # this does a check on the file header, virtuosism by hellekin
# [[ `file =(awk '/^-+BEGIN/,0' $1) -bi` =~ application/pgp ]] # [[ `file =(awk '/^-+BEGIN/,0' $1) -bi` =~ application/pgp ]]
if ! is_valid_key ${tombkey}; then if ! is_valid_key ${tombkey}; then
_warning "The key does not seem to be valid" _warning "The key does not seem to be valid"
_warning "Dumping contents to screen:" _warning "Dumping contents to screen:"
cat ${tombkey} cat ${tombkey}
_warning "--" _warning "--"
@ -774,8 +774,8 @@ dig_tomb() {
if ! option_is_set -f && ! option_is_set --ignore-swap; then check_swap; fi if ! option_is_set -f && ! option_is_set --ignore-swap; then check_swap; fi
if ! [ $1 ]; then if ! [ $1 ]; then
_warning "no tomb name specified for creation" _warning "no tomb name specified for creation"
return 1 return 1
fi fi
@ -827,9 +827,9 @@ dig_tomb() {
# it take arguments as the LUKS cipher to be used # it take arguments as the LUKS cipher to be used
lock_tomb_with_key() { lock_tomb_with_key() {
if ! [ $1 ]; then if ! [ $1 ]; then
_warning "no tomb specified for locking" _warning "no tomb specified for locking"
_warning "usage: tomb lock file.tomb file.tomb.key" _warning "usage: tomb lock file.tomb file.tomb.key"
return 1 return 1
fi fi
tombfile=`basename $1` tombfile=`basename $1`
@ -853,10 +853,10 @@ lock_tomb_with_key() {
xxx "loop mounted on ${nstloop}" xxx "loop mounted on ${nstloop}"
_message "checking if the tomb is empty (we never step on somebody else's bones)" _message "checking if the tomb is empty (we never step on somebody else's bones)"
cryptsetup isLuks ${nstloop} cryptsetup isLuks ${nstloop}
if [ $? = 0 ]; then if [ $? = 0 ]; then
# is it a LUKS encrypted nest? then bail out and avoid reformatting it # is it a LUKS encrypted nest? then bail out and avoid reformatting it
_warning "The tomb was already locked with another key" _warning "The tomb was already locked with another key"
losetup -d ${nstloop} losetup -d ${nstloop}
die "Operation aborted. I cannot lock an already locked tomb. Go dig a new one." die "Operation aborted. I cannot lock an already locked tomb. Go dig a new one."
else else
@ -873,11 +873,11 @@ lock_tomb_with_key() {
tombkey=${tombkeydir}/stdin.tmp tombkey=${tombkeydir}/stdin.tmp
else else
# take key from a file # take key from a file
tombkey=`option_value -k` tombkey=`option_value -k`
fi fi
else else
# guess key as lying besides the tomb # guess key as lying besides the tomb
tombkey=${tombdir}/${tombname}.tomb.key tombkey=${tombdir}/${tombname}.tomb.key
fi fi
if [ -r "${tombkey}" ]; then if [ -r "${tombkey}" ]; then
@ -892,13 +892,13 @@ lock_tomb_with_key() {
# [[ `file =(awk '/^-+BEGIN/,0' $1) -bi` =~ application/pgp ]] # [[ `file =(awk '/^-+BEGIN/,0' $1) -bi` =~ application/pgp ]]
if ! is_valid_key ${tombkey}; then if ! is_valid_key ${tombkey}; then
_warning "The key seems invalid, the application/pgp header is missing" _warning "The key seems invalid, the application/pgp header is missing"
losetup -d ${nstloop} losetup -d ${nstloop}
die "Operation aborted." die "Operation aborted."
fi fi
# the encryption cipher for a tomb can be set at creation using -o # the encryption cipher for a tomb can be set at creation using -o
if option_is_set -o; then if option_is_set -o; then
cipher="`option_value -o`" cipher="`option_value -o`"
else else
cipher="aes-cbc-essiv:sha256" cipher="aes-cbc-essiv:sha256"
fi fi
@ -908,20 +908,20 @@ lock_tomb_with_key() {
_message "a password is required to use key ${keyname}" _message "a password is required to use key ${keyname}"
local passok=0 local passok=0
if option_is_set --tomb-pwd; then if option_is_set --tomb-pwd; then
tombpass=`option_value --tomb-pwd` tombpass=`option_value --tomb-pwd`
else else
for c in 1 2 3; do for c in 1 2 3; do
if [ $c = 1 ]; then if [ $c = 1 ]; then
tombpass=`exec_as_user ${TOMBEXEC} askpass "Insert password to use key: $keyname"` tombpass=`exec_as_user ${TOMBEXEC} askpass "Insert password to use key: $keyname"`
else else
tombpass=`exec_as_user ${TOMBEXEC} askpass "Insert password to use key: $keyname (retry $c)"` tombpass=`exec_as_user ${TOMBEXEC} askpass "Insert password to use key: $keyname (retry $c)"`
fi fi
if [[ $? != 0 ]]; then if [[ $? != 0 ]]; then
losetup -d ${nstloop} losetup -d ${nstloop}
die "User aborted" die "User aborted"
fi fi
get_lukskey "${tombpass}" ${tombkey} >/dev/null get_lukskey "${tombpass}" ${tombkey} >/dev/null
if [ $? = 0 ]; then if [ $? = 0 ]; then
passok=1; _message "Password OK." passok=1; _message "Password OK."
break; break;
@ -984,8 +984,8 @@ lock_tomb_with_key() {
# backward compatibility # backward compatibility
create_tomb() { create_tomb() {
if ! [ $1 ]; then if ! [ $1 ]; then
_warning "no tomb name specified for creation" _warning "no tomb name specified for creation"
return 1 return 1
fi fi
dig_tomb ${=PARAM} dig_tomb ${=PARAM}
@ -1023,21 +1023,21 @@ get_lukskey() {
firstline=`head -n1 $keyfile` firstline=`head -n1 $keyfile`
xxx "get_lukskey XXX $keyfile" xxx "get_lukskey XXX $keyfile"
if [[ $firstline =~ '^_KDF_' ]]; then if [[ $firstline =~ '^_KDF_' ]]; then
_verbose "KDF: `cut -d_ -f 3 <<<$firstline`" _verbose "KDF: `cut -d_ -f 3 <<<$firstline`"
case `cut -d_ -f 3 <<<$firstline` in case `cut -d_ -f 3 <<<$firstline` in
pbkdf2sha1) pbkdf2sha1)
if [[ -z $KDF_PBKDF2 ]]; then if [[ -z $KDF_PBKDF2 ]]; then
die "The tomb use kdf method 'pbkdf2', which is unsupported on your system" die "The tomb use kdf method 'pbkdf2', which is unsupported on your system"
fi fi
pbkdf2_param=`cut -d_ -f 4- <<<$firstline | tr '_' ' '` pbkdf2_param=`cut -d_ -f 4- <<<$firstline | tr '_' ' '`
tombpass=$(${KDF_PBKDF2} ${=pbkdf2_param} 2> /dev/null <<<$tombpass) tombpass=$(${KDF_PBKDF2} ${=pbkdf2_param} 2> /dev/null <<<$tombpass)
;; ;;
*) *)
_failure "No suitable program for KDF `cut -f 3 <<<$firstline`" _failure "No suitable program for KDF `cut -f 3 <<<$firstline`"
unset tombpass unset tombpass
return 1 return 1
;; ;;
esac esac
fi fi
print ${tombpass} | \ print ${tombpass} | \
gpg --batch --passphrase-fd 0 --no-tty --no-options --status-fd 2 \ gpg --batch --passphrase-fd 0 --no-tty --no-options --status-fd 2 \
@ -1057,29 +1057,29 @@ gen_key() {
local tombpass="" local tombpass=""
local tombpasstmp="" local tombpasstmp=""
if ! option_is_set --tomb-pwd; then if ! option_is_set --tomb-pwd; then
while true; do while true; do
# 3 tries to write two times a matching password # 3 tries to write two times a matching password
tombpass=`exec_as_user ${TOMBEXEC} askpass "Secure key for ${tombname}"` tombpass=`exec_as_user ${TOMBEXEC} askpass "Secure key for ${tombname}"`
if [[ $? != 0 ]]; then if [[ $? != 0 ]]; then
die "User aborted" die "User aborted"
fi fi
if [ -z $tombpass ]; then if [ -z $tombpass ]; then
_warning "you set empty password, which is not possible" _warning "you set empty password, which is not possible"
continue continue
fi fi
tombpasstmp=$tombpass tombpasstmp=$tombpass
tombpass=`exec_as_user ${TOMBEXEC} askpass "Secure key for ${tombname} (again)"` tombpass=`exec_as_user ${TOMBEXEC} askpass "Secure key for ${tombname} (again)"`
if [[ $? != 0 ]]; then if [[ $? != 0 ]]; then
die "User aborted" die "User aborted"
fi fi
if [ "$tombpasstmp" = "$tombpass" ]; then if [ "$tombpasstmp" = "$tombpass" ]; then
break; break;
fi fi
unset tombpasstmp unset tombpasstmp
unset tombpass unset tombpass
done done
else else
tombpass=`option_value --tomb-pwd` tombpass=`option_value --tomb-pwd`
fi fi
@ -1088,40 +1088,40 @@ gen_key() {
_verbose "KDF method chosen is: '`option_value --kdf`'" _verbose "KDF method chosen is: '`option_value --kdf`'"
kdf_method=$(cut -d: -f1 <<<`option_value --kdf` ) kdf_method=$(cut -d: -f1 <<<`option_value --kdf` )
case $kdf_method in case $kdf_method in
pbkdf2) pbkdf2)
if [[ -z $KDF_PBKDF2 ]]; then if [[ -z $KDF_PBKDF2 ]]; then
die "The tomb use kdf method 'pbkdf2', which is unsupported on your system" die "The tomb use kdf method 'pbkdf2', which is unsupported on your system"
fi fi
# --kdf takes one parameter: iter time (on present machine) in seconds # --kdf takes one parameter: iter time (on present machine) in seconds
seconds=$(cut -d: -f2 -s <<<`option_value --kdf`) seconds=$(cut -d: -f2 -s <<<`option_value --kdf`)
if [[ -z $seconds ]]; then if [[ -z $seconds ]]; then
seconds=1 seconds=1
fi fi
local -i microseconds local -i microseconds
microseconds=$((seconds*1000000)) microseconds=$((seconds*1000000))
_verbose "Microseconds: $microseconds" _verbose "Microseconds: $microseconds"
pbkdf2_salt=`${KDF_PBKDF2}-gensalt` pbkdf2_salt=`${KDF_PBKDF2}-gensalt`
pbkdf2_iter=`${KDF_PBKDF2}-getiter $microseconds` pbkdf2_iter=`${KDF_PBKDF2}-getiter $microseconds`
# We use a length of 64bytes = 512bits (more than needed!?) # We use a length of 64bytes = 512bits (more than needed!?)
tombpass=`${KDF_PBKDF2} $pbkdf2_salt $pbkdf2_iter 64 <<<"${tombpass}"` tombpass=`${KDF_PBKDF2} $pbkdf2_salt $pbkdf2_iter 64 <<<"${tombpass}"`
header="_KDF_pbkdf2sha1_${pbkdf2_salt}_${pbkdf2_iter}_64\n" header="_KDF_pbkdf2sha1_${pbkdf2_salt}_${pbkdf2_iter}_64\n"
;; ;;
""|null) ""|null)
header="" header=""
;; ;;
*) *)
_warning "KDF method non recognized" _warning "KDF method non recognized"
return 1 return 1
header="" header=""
;; ;;
esac esac
echo -n $header echo -n $header
print "${tombpass}" \ print "${tombpass}" \
| gpg --openpgp --batch --no-options --no-tty --passphrase-fd 0 2>/dev/null \ | gpg --openpgp --batch --no-options --no-tty --passphrase-fd 0 2>/dev/null \
-o - -c -a ${lukskey} -o - -c -a ${lukskey}
unset tombpass unset tombpass
} }
@ -1136,8 +1136,8 @@ mount_tomb() {
if ! option_is_set -f && ! option_is_set --ignore-swap; then check_swap; fi if ! option_is_set -f && ! option_is_set --ignore-swap; then check_swap; fi
if ! [ ${1} ]; then if ! [ ${1} ]; then
_warning "no tomb name specified for creation" _warning "no tomb name specified for creation"
return 1 return 1
fi fi
@ -1168,11 +1168,11 @@ mount_tomb() {
tombkey=${tombkeydir}/stdin.tmp tombkey=${tombkeydir}/stdin.tmp
else else
# take key from a file # take key from a file
tombkey=`option_value -k` tombkey=`option_value -k`
fi fi
else else
# guess key as lying besides the tomb # guess key as lying besides the tomb
tombkey=${tombdir}/${tombfile}.key tombkey=${tombdir}/${tombfile}.key
fi fi
if ! [ -r ${tombkey} ]; then if ! [ -r ${tombkey} ]; then
_warning "key file not found: ${tombkey}" _warning "key file not found: ${tombkey}"
@ -1181,11 +1181,11 @@ mount_tomb() {
fi fi
if ! [ $2 ]; then if ! [ $2 ]; then
tombmount=/media/${tombfile} tombmount=/media/${tombfile}
_message "mountpoint not specified, using default: $tombmount" _message "mountpoint not specified, using default: $tombmount"
elif ! [ -x $2 ]; then elif ! [ -x $2 ]; then
_warning "mountpoint $2 doesn't exist, operation aborted." _warning "mountpoint $2 doesn't exist, operation aborted."
return 1 return 1
else else
tombmount=$2 tombmount=$2
fi fi
@ -1193,7 +1193,7 @@ mount_tomb() {
# check if its already open # check if its already open
mount -l | grep "${tombfile}.*\[$tombname\]$" 2>&1 > /dev/null mount -l | grep "${tombfile}.*\[$tombname\]$" 2>&1 > /dev/null
if [ $? = 0 ]; then if [ $? = 0 ]; then
_warning "$tombname is already open on $tombmount" _warning "$tombname is already open on $tombmount"
_message "here below its status is reported:" _message "here below its status is reported:"
list_tombs ${tombname} list_tombs ${tombname}
return 1 return 1
@ -1206,16 +1206,16 @@ mount_tomb() {
nstloop=`losetup -f` nstloop=`losetup -f`
if [ $? = 255 ]; then if [ $? = 255 ]; then
die "too many tomb opened. Please close any of them to open another tomb" die "too many tomb opened. Please close any of them to open another tomb"
fi fi
losetup -f ${tombdir}/${tombfile} losetup -f ${tombdir}/${tombfile}
cryptsetup isLuks ${nstloop} cryptsetup isLuks ${nstloop}
if [ $? != 0 ]; then if [ $? != 0 ]; then
# is it a LUKS encrypted nest? see cryptsetup(1) # is it a LUKS encrypted nest? see cryptsetup(1)
_warning "$tombfile is not a valid Luks encrypted storage file" _warning "$tombfile is not a valid Luks encrypted storage file"
$norm || rmdir $tombmount 2>/dev/null $norm || rmdir $tombmount 2>/dev/null
return 1 return 1
fi fi
say "this tomb is a valid LUKS encrypted device" say "this tomb is a valid LUKS encrypted device"
@ -1242,40 +1242,40 @@ mount_tomb() {
_warning "Password is required for key ${keyname}" _warning "Password is required for key ${keyname}"
for c in 1 2 3; do for c in 1 2 3; do
if ! option_is_set --tomb-pwd; then if ! option_is_set --tomb-pwd; then
tombpass=`exec_as_user ${TOMBEXEC} askpass "Open tomb ${keyname}"` tombpass=`exec_as_user ${TOMBEXEC} askpass "Open tomb ${keyname}"`
if [[ $? != 0 ]]; then if [[ $? != 0 ]]; then
die "User aborted" die "User aborted"
fi fi
else else
tombpass=`option_value --tomb-pwd` tombpass=`option_value --tomb-pwd`
fi fi
get_lukskey "${tombpass}" ${tombkey} | \ get_lukskey "${tombpass}" ${tombkey} | \
cryptsetup --key-file - luksOpen ${nstloop} ${mapper} cryptsetup --key-file - luksOpen ${nstloop} ${mapper}
local ret=$? local ret=$?
unset tombpass unset tombpass
if [[ $ret != 0 ]]; then if [[ $ret != 0 ]]; then
if [[ $c = 3 ]] || option_is_set --tomb-pwd; then if [[ $c = 3 ]] || option_is_set --tomb-pwd; then
die "Wrong password: aborting" die "Wrong password: aborting"
fi fi
continue continue
fi fi
# if key was from stdin delete temp file and dir # if key was from stdin delete temp file and dir
if [ $tombkeydir ]; then if [ $tombkeydir ]; then
${=WIPE} ${tombkey} ${=WIPE} ${tombkey}
rmdir $tombkeydir rmdir $tombkeydir
fi fi
if [ -r /dev/mapper/${mapper} ]; then if [ -r /dev/mapper/${mapper} ]; then
break; # password was correct break; # password was correct
fi fi
done done
if ! [ -r /dev/mapper/${mapper} ]; then if ! [ -r /dev/mapper/${mapper} ]; then
losetup -d ${nstloop} losetup -d ${nstloop}
$norm || rmdir ${tombmount} 2>/dev/null $norm || rmdir ${tombmount} 2>/dev/null
die "failure mounting the encrypted file" die "failure mounting the encrypted file"
fi fi
# array: [ cipher, keysize, loopdevice ] # array: [ cipher, keysize, loopdevice ]
@ -1326,8 +1326,8 @@ mount_tomb() {
# process bind-hooks (mount -o bind of directories) # process bind-hooks (mount -o bind of directories)
# and post-hooks (execute on open) # and post-hooks (execute on open)
if ! option_is_set -n ; then if ! option_is_set -n ; then
exec_safe_bind_hooks ${tombmount} exec_safe_bind_hooks ${tombmount}
exec_safe_post_hooks ${tombmount} open exec_safe_post_hooks ${tombmount} open
fi fi
return 0 return 0
} }
@ -1379,7 +1379,7 @@ BEGIN { main="" }
# needs an argument: name of tomb whose hooks belong # needs an argument: name of tomb whose hooks belong
list_tomb_binds() { list_tomb_binds() {
if [ "$1" = "" ]; then if [ "$1" = "" ]; then
_failure "internal error: list_tomb_binds called without argument."; fi _failure "internal error: list_tomb_binds called without argument."; fi
# list bind hooks on util-linux 2.20 (Debian 7) # list bind hooks on util-linux 2.20 (Debian 7)
mount -l \ mount -l \
@ -1400,7 +1400,7 @@ BEGIN { main="" }
mount -l | grep "^$tombmount" \ mount -l | grep "^$tombmount" \
| awk -vtomb="$1" ' | awk -vtomb="$1" '
/bind/ { print $1 ";" $3 ";" $5 ";" $6 ";" $7 }' /bind/ { print $1 ";" $3 ";" $5 ";" $6 ";" $7 }'
} }
# }}} # }}}
@ -1411,24 +1411,24 @@ BEGIN { main="" }
slam_tomb() { slam_tomb() {
# $1 = tomb mount point # $1 = tomb mount point
if [[ -z `fuser -m "$1" 2> /dev/null` ]]; then if [[ -z `fuser -m "$1" 2> /dev/null` ]]; then
return 0 return 0
fi fi
#Note: shells are NOT killed by INT or TERM, but they are killed by HUP #Note: shells are NOT killed by INT or TERM, but they are killed by HUP
for s in TERM HUP KILL; do for s in TERM HUP KILL; do
xxx "Sending $s to processes inside the tomb:" xxx "Sending $s to processes inside the tomb:"
if option_is_set -D; then if option_is_set -D; then
ps -fp `fuser -m /media/a.tomb 2> /dev/null`| ps -fp `fuser -m /media/a.tomb 2> /dev/null`|
while read line; do while read line; do
xxx $line xxx $line
done done
fi fi
fuser -s -m "$1" -k -M -$s fuser -s -m "$1" -k -M -$s
if [[ -z `fuser -m "$1" 2> /dev/null` ]]; then if [[ -z `fuser -m "$1" 2> /dev/null` ]]; then
return 0 return 0
fi fi
if ! option_is_set -f; then if ! option_is_set -f; then
sleep 3 sleep 3
fi fi
done done
return 1 return 1
} }
@ -1476,10 +1476,10 @@ umount_tomb() {
if [ $SLAM ]; then if [ $SLAM ]; then
_success "Slamming tomb $tombname mounted on $tombmount" _success "Slamming tomb $tombname mounted on $tombmount"
_message "Kill all processes busy inside the tomb" _message "Kill all processes busy inside the tomb"
if ! slam_tomb "$tombmount"; then if ! slam_tomb "$tombmount"; then
_warning "Cannot slam the tomb $tombname" _warning "Cannot slam the tomb $tombname"
return 1 return 1
fi fi
else else
say "Closing tomb $tombname mounted on $tombmount" say "Closing tomb $tombname mounted on $tombmount"
fi fi
@ -1494,11 +1494,11 @@ umount_tomb() {
if [[ $? != 0 ]]; then if [[ $? != 0 ]]; then
if [ $SLAM ]; then if [ $SLAM ]; then
_success "Slamming tomb: killing all processes using this hook" _success "Slamming tomb: killing all processes using this hook"
slam_tomb "$bind_mount" slam_tomb "$bind_mount"
if [[ $? == 1 ]]; then if [[ $? == 1 ]]; then
_warning "Cannot slam the bind hook $bind_mount" _warning "Cannot slam the bind hook $bind_mount"
return 1 return 1
fi fi
umount $bind_mount umount $bind_mount
else else
_warning "Tomb bind hook $bind_mount is busy, cannot close tomb." _warning "Tomb bind hook $bind_mount is busy, cannot close tomb."
@ -1515,9 +1515,9 @@ umount_tomb() {
umount ${tombmount} umount ${tombmount}
if ! [ $? = 0 ]; then _warning "Tomb is busy, cannot umount!" if ! [ $? = 0 ]; then _warning "Tomb is busy, cannot umount!"
else else
# this means we used a "default" mount point # this means we used a "default" mount point
{ test "${tombmount}" = "/media/${tombname}.tomb" } && { { test "${tombmount}" = "/media/${tombname}.tomb" } && {
rmdir ${tombmount} } rmdir ${tombmount} }
fi fi
cryptsetup luksClose $mapper cryptsetup luksClose $mapper
@ -1553,14 +1553,14 @@ change_passwd() {
# check the keyfile # check the keyfile
if ! [ -r $keyfile ]; then if ! [ -r $keyfile ]; then
_warning "key not found: $keyfile" _warning "key not found: $keyfile"
return 1 return 1
fi fi
if ! is_valid_key $keyfile ; then if ! is_valid_key $keyfile ; then
_warning "file doesn't seems to be a tomb key: $keyfile" _warning "file doesn't seems to be a tomb key: $keyfile"
_warning "operation aborted." _warning "operation aborted."
return 1 return 1
fi fi
local tmpnewkey lukskey c tombpass tombpasstmp local tmpnewkey lukskey c tombpass tombpasstmp
@ -1571,37 +1571,37 @@ change_passwd() {
_success "Changing password for $keyfile" _success "Changing password for $keyfile"
keyname=`basename $keyfile` keyname=`basename $keyfile`
if ! option_is_set --tomb-old-pwd; then if ! option_is_set --tomb-old-pwd; then
while true; do while true; do
tombpass=`exec_as_user ${TOMBEXEC} askpass "Type old password for ${keyname}" "Change tomb key password"` tombpass=`exec_as_user ${TOMBEXEC} askpass "Type old password for ${keyname}" "Change tomb key password"`
if [[ $? == 1 ]]; then if [[ $? == 1 ]]; then
die "User aborted" die "User aborted"
fi fi
if get_lukskey "${tombpass}" ${keyfile} > ${lukskey}; then if get_lukskey "${tombpass}" ${keyfile} > ${lukskey}; then
break break
fi fi
done done
else else
tombpass=`option_value --tomb-old-pwd` tombpass=`option_value --tomb-old-pwd`
if ! get_lukskey "${tombpass}" ${keyfile} > ${lukskey}; then if ! get_lukskey "${tombpass}" ${keyfile} > ${lukskey}; then
die "Invalid old password" die "Invalid old password"
fi fi
fi fi
{ {
gen_key $lukskey > ${tmpnewkey} gen_key $lukskey > ${tmpnewkey}
if ! is_valid_key $tmpnewkey; then if ! is_valid_key $tmpnewkey; then
die "Error: the newly generated keyfile does not seem valid" die "Error: the newly generated keyfile does not seem valid"
else else
# copy the new key as the original keyfile name # copy the new key as the original keyfile name
cp "${tmpnewkey}" "${keyfile}" cp "${tmpnewkey}" "${keyfile}"
_success "Your passphrase was successfully updated." _success "Your passphrase was successfully updated."
fi fi
} always { } always {
_verbose "cleanup: $tmpnewkey $lukskey" _verbose "cleanup: $tmpnewkey $lukskey"
# wipe all temp file # wipe all temp file
${=WIPE} "${tmpnewkey}" ${=WIPE} "${tmpnewkey}"
${=WIPE} "${lukskey}" ${=WIPE} "${lukskey}"
} }
return $? return $?
@ -1614,9 +1614,9 @@ change_passwd() {
resize_tomb() { resize_tomb() {
_message "Commanded to resize tomb $1 to $opts[-s] megabytes" _message "Commanded to resize tomb $1 to $opts[-s] megabytes"
if ! [ $1 ]; then if ! [ $1 ]; then
_failure "No tomb name specified for resizing" _failure "No tomb name specified for resizing"
elif ! [ -r "$1" ]; then elif ! [ -r "$1" ]; then
_failure "Cannot find $1" _failure "Cannot find $1"
fi fi
local c tombpass tombkey local c tombpass tombkey
@ -1628,18 +1628,18 @@ resize_tomb() {
if option_is_set -k ; then if option_is_set -k ; then
if [[ "`option_value -k`" == "-" ]]; then if [[ "`option_value -k`" == "-" ]]; then
# take key from stdin # take key from stdin
local tombkeydir local tombkeydir
tombkeydir=`safe_dir` tombkeydir=`safe_dir`
cat > ${tombkeydir}/stdin.tmp cat > ${tombkeydir}/stdin.tmp
tombkey=${tombkeydir}/stdin.tmp tombkey=${tombkeydir}/stdin.tmp
else else
# take key from a file # take key from a file
tombkey=`option_value -k` tombkey=`option_value -k`
fi fi
else else
# guess key as lying besides the tomb # guess key as lying besides the tomb
tombkey=${tombdir}/${tombfile}.key tombkey=${tombdir}/${tombfile}.key
fi fi
if ! [ -r ${tombkey} ]; then if ! [ -r ${tombkey} ]; then
@ -1650,21 +1650,21 @@ resize_tomb() {
local newtombsize=$opts[-s] local newtombsize=$opts[-s]
local oldtombsize=`stat -c %s "$1" 2>/dev/null` local oldtombsize=`stat -c %s "$1" 2>/dev/null`
local mounted_tomb=`mount -l | local mounted_tomb=`mount -l |
awk -vtomb="[$tombname]" '/^\/dev\/mapper\/tomb/ { if($7==tomb) print $1 }'` awk -vtomb="[$tombname]" '/^\/dev\/mapper\/tomb/ { if($7==tomb) print $1 }'`
if [ "$mounted_tomb" ]; then if [ "$mounted_tomb" ]; then
_failure "the tomb $tombname is open, to resize it it needs to be close." _failure "the tomb $tombname is open, to resize it it needs to be close."
fi fi
# MB to bytes conversion # MB to bytes conversion
newtombsize=`expr \( $newtombsize \* 1024 \) \* 1024 2> /dev/null` newtombsize=`expr \( $newtombsize \* 1024 \) \* 1024 2> /dev/null`
if ! [ "$newtombsize" ] ; then if ! [ "$newtombsize" ] ; then
_failure "You must specify the new size of $tombname" _failure "You must specify the new size of $tombname"
elif [[ $newtombsize != <-> ]]; then elif [[ $newtombsize != <-> ]]; then
_failure "Size is not an integer" _failure "Size is not an integer"
elif [ "$newtombsize" -le "$oldtombsize" ]; then elif [ "$newtombsize" -le "$oldtombsize" ]; then
_failure "the new size must be greater then old tomb size." _failure "the new size must be greater then old tomb size."
fi fi
local delta=`expr $newtombsize \- $oldtombsize` local delta=`expr $newtombsize \- $oldtombsize`
@ -1686,7 +1686,7 @@ resize_tomb() {
local nstloop=`losetup -f` local nstloop=`losetup -f`
if [ $? = 255 ]; then if [ $? = 255 ]; then
_failure "too many tomb opened. Please close any of them to open another tomb" _failure "too many tomb opened. Please close any of them to open another tomb"
fi fi
losetup -f "$1" losetup -f "$1"
@ -1700,37 +1700,37 @@ resize_tomb() {
else else
tombpass=`exec_as_user ${TOMBEXEC} askpass "$keyname (retry $c)"` tombpass=`exec_as_user ${TOMBEXEC} askpass "$keyname (retry $c)"`
fi fi
get_lukskey "${tombpass}" ${tombkey} | \ get_lukskey "${tombpass}" ${tombkey} | \
cryptsetup --key-file - luksOpen ${nstloop} ${mapper} cryptsetup --key-file - luksOpen ${nstloop} ${mapper}
unset tombpass unset tombpass
if [ -r /dev/mapper/${mapper} ]; then if [ -r /dev/mapper/${mapper} ]; then
break; # password was correct break; # password was correct
fi fi
done done
if ! [ -r /dev/mapper/${mapper} ]; then if ! [ -r /dev/mapper/${mapper} ]; then
losetup -d ${nstloop} losetup -d ${nstloop}
_failure "failure mounting the encrypted file" _failure "failure mounting the encrypted file"
fi fi
cryptsetup resize "${mapper}" cryptsetup resize "${mapper}"
if [ $? != 0 ]; then if [ $? != 0 ]; then
losetup -d ${nstloop} losetup -d ${nstloop}
_failure "cryptsetup failed to resize $mapper" _failure "cryptsetup failed to resize $mapper"
fi fi
e2fsck -f /dev/mapper/${mapper} e2fsck -f /dev/mapper/${mapper}
if [ $? != 0 ]; then if [ $? != 0 ]; then
losetup -d ${nstloop} losetup -d ${nstloop}
_failure "e2fsck failed to check $mapper" _failure "e2fsck failed to check $mapper"
fi fi
resize2fs /dev/mapper/${mapper} resize2fs /dev/mapper/${mapper}
if [ $? != 0 ]; then if [ $? != 0 ]; then
losetup -d ${nstloop} losetup -d ${nstloop}
_failure "resize2fs failed to resize $mapper" _failure "resize2fs failed to resize $mapper"
fi fi
sleep 1 # needs to settle a bit sleep 1 # needs to settle a bit
@ -1835,8 +1835,8 @@ list_tombs() {
} }
if option_is_set --get-mountpoint; then if option_is_set --get-mountpoint; then
echo $tombmount echo $tombmount
continue continue
fi fi
# breaking up such strings is good for translation # breaking up such strings is good for translation
print -n "$fg[green]$tombname" print -n "$fg[green]$tombname"
@ -1872,7 +1872,7 @@ list_tombs() {
if [[ ${tombp} -ge 90 ]]; then if [[ ${tombp} -ge 90 ]]; then
print -n "$fg_no_bold[green]$tombname" print -n "$fg_no_bold[green]$tombname"
print "$fg_bold[red] Your tomb is almost full!" print "$fg_bold[red] Your tomb is almost full!"
fi fi
# now check hooks # now check hooks
@ -2000,9 +2000,9 @@ main() {
### Detect subcommand ### Detect subcommand
local -aU every_opts #every_opts behave like a set; that is, an array with unique elements local -aU every_opts #every_opts behave like a set; that is, an array with unique elements
for optspec in $subcommands_opts$main_opts; do for optspec in $subcommands_opts$main_opts; do
for opt in ${=optspec}; do for opt in ${=optspec}; do
every_opts+=${opt} every_opts+=${opt}
done done
done done
local -a oldstar local -a oldstar
oldstar=($argv) oldstar=($argv)
@ -2023,12 +2023,12 @@ main() {
unset discardme unset discardme
subcommand=$1 subcommand=$1
if [[ -z $subcommand ]]; then if [[ -z $subcommand ]]; then
subcommand="__default" subcommand="__default"
fi fi
if [[ -z ${(k)subcommands_opts[$subcommand]} ]]; then if [[ -z ${(k)subcommands_opts[$subcommand]} ]]; then
_warning "There's no such command \"$subcommand\"." _warning "There's no such command \"$subcommand\"."
_failure "Please try -h for help" 127 _failure "Please try -h for help" 127
# die "Subcommand '$subcommand' doesn't exist" 127 # die "Subcommand '$subcommand' doesn't exist" 127
fi fi
argv=(${oldstar}) argv=(${oldstar})
@ -2066,14 +2066,14 @@ main() {
fi fi
### End parsing command-specific options ### End parsing command-specific options
if ! option_is_set --no-color; then if ! option_is_set --no-color; then
autoload colors; colors autoload colors; colors
fi fi
if ! option_is_set --unsecure-dev-mode; then if ! option_is_set --unsecure-dev-mode; then
for opt in --sudo-pwd --tomb-pwd --use-urandom --tomb-old-pwd; do for opt in --sudo-pwd --tomb-pwd --use-urandom --tomb-old-pwd; do
if option_is_set $opt; then if option_is_set $opt; then
die "You specified option $opt, which is DANGEROUS and should only be used for testing\nIf you really want so, add --unsecure-dev-mode" 127 die "You specified option $opt, which is DANGEROUS and should only be used for testing\nIf you really want so, add --unsecure-dev-mode" 127
fi fi
done done
fi fi
# when we run as root, we remember the original uid:gid # when we run as root, we remember the original uid:gid
@ -2152,9 +2152,9 @@ main() {
_warning "resize2fs not installed. Cannot resize your tomb." _warning "resize2fs not installed. Cannot resize your tomb."
return 1 return 1
fi fi
check_priv check_priv
resize_tomb $PARAM[1] resize_tomb $PARAM[1]
;; ;;
# internal commands useful to developers # internal commands useful to developers
'source') return 0 ;; 'source') return 0 ;;