Package: cryptsetup Version: 2:1.0.4~rc2-1 Severity: normal Tags: patch
I was trying to use SSL encrypted keys (which I could copy to a USB stick) because GPG encrypted keys are not yet supported. I used the script /usr/share/doc/cryptsetup/examples/gen-ssl-key to generate a encrypted key, decrypted it and added it with luksAddKey. Then I changed /etc/crypttab to the path of SSL encrypted key and added the keyword ssl. But /etc/init.d/cryptdisks couldn’t activate the partition. Trying to find the problem I discoverd the following bugs: 1. The function decrypt_ssl is available in /lib/cryptsetup/cryptdisks.functions as well as in /lib/cryptsetup/scripts/decrypt_ssl. It seems, the first is used. Both functions are different. 2. The function in /lib/cryptsetup/cryptdisks.functions begins like the other one, but then asks for a second passphrase to decrypt the previously decrypted key. This contradicts with gen-ssl-key which only uses one passphrase. I’ve changed the function to only ask for one passphrase like in /lib/cryptsetup/scripts/decrypt_ssl (see patch). 3. Neither decrypt_ssl (nor decrypt_gpg) are protecting the passphrase against spaces by using quotation marks (see patch). 4. You are using „read -s” to read the passphrase from the command line (silent mode), but the option -s only works with bash. If /bin/sh is linked to dash, it doesn’t work. I had to change /etc/init./cryptdisks to use /bin/bash instead of /bin/sh. 5. Now it works. The next step would be solving the problem how a normal user could use cryptsetup to activiate a encrypted partition or an encrypted removable device. Shade and sweet water! Stephan -- System Information: Debian Release: testing/unstable APT prefers testing APT policy: (500, 'testing'), (500, 'stable') Architecture: amd64 (x86_64) Shell: /bin/sh linked to /bin/dash Kernel: Linux 2.6.18 Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Versions of packages cryptsetup depends on: ii dmsetup 2:1.02.08-1 The Linux Kernel Device Mapper use ii libc6 2.3.6.ds1-4 GNU C Library: Shared libraries ii libdevmapper1.02 2:1.02.08-1 The Linux Kernel Device Mapper use ii libgcrypt11 1.2.3-2 LGPL Crypto library - runtime libr ii libgpg-error0 1.4-1 library for common error values an ii libpopt0 1.10-3 lib for parsing cmdline parameters ii libuuid1 1.39-1 universally unique id library cryptsetup recommends no packages. -- no debconf information -- | Stephan Seitz E-Mail: [EMAIL PROTECTED] | | PGP Public Keys: http://fsing.rootsland.net/~stse/pgp.html |
--- cryptdisks.functions 2006-10-01 17:56:09.000000000 +0200 +++ cryptdisks.functions.new 2006-10-01 17:58:30.000000000 +0200 @@ -175,27 +175,17 @@ decrypt_ssl () { origumask=`umask` umask 077 - tmpkey=`tempfile` - - while ( ! /usr/bin/openssl enc -aes256 -d -salt -in $key -out $tmpkey \ - -k $password > /dev/null 2>&1 ); do - echo -en "\nSecond password for key $key: " - read -s password <${CONSOLE:-/dev/tty} - echo - [ "$password" = "" ] && return 0 - done - deckey=`tempfile` - while ( ! /usr/bin/openssl dsa -in $tmpkey -out $deckey -passin \ - pass:$password > /dev/null 2>&1 ); do - echo -en "\nFirst password for key $key: " + + while ( ! /usr/bin/openssl enc -aes256 -d -salt -in $key -out $deckey \ + -k "$password" > /dev/null 2>&1 ); do + echo -en "\nPassword for key $key: " read -s password <${CONSOLE:-/dev/tty} echo [ "$password" = "" ] && return 0 done password="" - rm -f $tmpkey && tmpkey="" umask $origumask }
signature.asc
Description: Digital signature