security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2024-10-31 20:08:43 +01:00
Code Activity
09c6f71351
gnupg/g13/sh-cmd.c

781 lines
19 KiB
C
Raw Normal View History

g13: First chunk of code to support dm-crypt. * g13/call-syshelp.c, g13/call-syshelp.h: New. * g13/g13-syshelp.c, g13/g13-syshelp.h: New. * g13/sh-cmd.c: New. * g13/sh-blockdev.c: New. * g13/sh-exectool.c: New. * g13/sh-dmcrypt.c: New. * g13/Makefile.am (sbin_PROGRAMS): Add g13-syshelp.c (g13_syshelp_SOURCES): New. (g13_syshelp_LDADD): New. * g13/g13.c (opts): Add option --type. (g13_deinit_default_ctrl): New. (main): Implement that option. Call g13_deinit_default_ctrl. * g13/g13.h (struct call_syshelp_s): New declaration. (server_control_s): Add field syshelp_local. * g13/keyblob.h (KEYBLOB_TAG_CREATED): New. (KEYBLOB_TAG_ALGOSTR): New. (KEYBLOB_TAG_HDRCOPY): New. * g13/backend.c (be_parse_conttype_name): New. (be_get_detached_name): Add CONTTYPE_DM_CRYPT. Signed-off-by: Werner Koch <wk@gnupg.org>
2015-10-21 08:38:10 +02:00
/* sh-cmd.c - The Assuan server for g13-syshelp
* Copyright (C) 2015 Werner Koch
*
* This file is part of GnuPG.
*
* GnuPG is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuPG is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <errno.h>
#include <assert.h>
#include "g13-syshelp.h"
#include <assuan.h>
#include "i18n.h"
#include "keyblob.h"
/* Local data for this server module. A pointer to this is stored in
the CTRL object of each connection. */
struct server_local_s
{
/* The Assuan contect we are working on. */
assuan_context_t assuan_ctx;
/* The malloced name of the device. */
char *devicename;
/* A stream open for read of the device set by the DEVICE command or
NULL if no DEVICE command has been used. */
estream_t devicefp;
};
/* Local prototypes. */
/*
Helper functions.
*/
/* Set an error and a description. */
#define set_error(e,t) assuan_set_error (ctx, gpg_error (e), (t))
#define set_error_fail_cmd() set_error (GPG_ERR_NOT_INITIALIZED, \
"not called via userv or unknown user")
/* Skip over options. Blanks after the options are also removed. */
static char *
skip_options (const char *line)
{
while (spacep (line))
line++;
while ( *line == '-' && line[1] == '-' )
{
while (*line && !spacep (line))
line++;
while (spacep (line))
line++;
}
return (char*)line;
}
/* Check whether the option NAME appears in LINE. */
/* static int */
/* has_option (const char *line, const char *name) */
/* { */
/* const char *s; */
/* int n = strlen (name); */
/* s = strstr (line, name); */
/* if (s && s >= skip_options (line)) */
/* return 0; */
/* return (s && (s == line || spacep (s-1)) && (!s[n] || spacep (s+n))); */
/* } */
/* Helper to print a message while leaving a command. */
static gpg_error_t
leave_cmd (assuan_context_t ctx, gpg_error_t err)
{
if (err)
{
const char *name = assuan_get_command_name (ctx);
if (!name)
name = "?";
if (gpg_err_source (err) == GPG_ERR_SOURCE_DEFAULT)
log_error ("command '%s' failed: %s\n", name,
gpg_strerror (err));
else
log_error ("command '%s' failed: %s <%s>\n", name,
gpg_strerror (err), gpg_strsource (err));
}
return err;
}
/* The handler for Assuan OPTION commands. */
static gpg_error_t
option_handler (assuan_context_t ctx, const char *key, const char *value)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
gpg_error_t err = 0;
(void)ctrl;
(void)key;
(void)value;
if (ctrl->fail_all_cmds)
err = set_error_fail_cmd ();
else
err = gpg_error (GPG_ERR_UNKNOWN_OPTION);
return err;
}
/* The handler for an Assuan RESET command. */
static gpg_error_t
reset_notify (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
(void)line;
xfree (ctrl->server_local->devicename);
ctrl->server_local->devicename = NULL;
es_fclose (ctrl->server_local->devicefp);
ctrl->server_local->devicefp = NULL;
ctrl->devti = NULL;
assuan_close_input_fd (ctx);
assuan_close_output_fd (ctx);
return 0;
}
static const char hlp_device[] =
"DEVICE <name>\n"
"\n"
"Set the device used by further commands.\n"
g13: Return an error for non-existing device. * g13/sh-cmd.c (cmd_device): Set ERR. Signed-off-by: Werner Koch <wk@gnupg.org>
2016-02-02 18:18:31 +01:00
"A device name or a PARTUUID string may be used.\n"
"Access to that device (by the g13 system) is locked\n"
"until a new DEVICE command or end of this process\n";
g13: First chunk of code to support dm-crypt. * g13/call-syshelp.c, g13/call-syshelp.h: New. * g13/g13-syshelp.c, g13/g13-syshelp.h: New. * g13/sh-cmd.c: New. * g13/sh-blockdev.c: New. * g13/sh-exectool.c: New. * g13/sh-dmcrypt.c: New. * g13/Makefile.am (sbin_PROGRAMS): Add g13-syshelp.c (g13_syshelp_SOURCES): New. (g13_syshelp_LDADD): New. * g13/g13.c (opts): Add option --type. (g13_deinit_default_ctrl): New. (main): Implement that option. Call g13_deinit_default_ctrl. * g13/g13.h (struct call_syshelp_s): New declaration. (server_control_s): Add field syshelp_local. * g13/keyblob.h (KEYBLOB_TAG_CREATED): New. (KEYBLOB_TAG_ALGOSTR): New. (KEYBLOB_TAG_HDRCOPY): New. * g13/backend.c (be_parse_conttype_name): New. (be_get_detached_name): Add CONTTYPE_DM_CRYPT. Signed-off-by: Werner Koch <wk@gnupg.org>
2015-10-21 08:38:10 +02:00
static gpg_error_t
cmd_device (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
gpg_error_t err = 0;
tab_item_t ti;
estream_t fp = NULL;
line = skip_options (line);
g13: Second chunk of code to support dm-crypt. * g13/be-dmcrypt.c, g13/be-dmcrypt.h: New. * g13/Makefile.am (g13_SOURCES): Add them. * g13/backend.c: Include be-dmcrypt.h and call-syshelp.h. (no_such_backend): Rename to _no_such_backend and provide replacement macro. (be_is_supported_conttype): Support DM-Crypt. (be_take_lock_for_create): Call set_segvice for DM-Crypt. (be_create_new_keys): Make it a dummy for DM-Crypt. (be_create_container): Call be_dmcrypt_create_container. (be_mount_container): call be_dmcrypt_mount_container. * g13/g13-syshelp.c (main): Enable verbose mode. * g13/g13tuple.c (get_tupledesc_data): New. * g13/g13tuple.h (unref_tupledesc): New. * g13/g13.h (server_control_): Add field "recipients". * g13/g13.c (main): Fix setting of recipients via cmdline. (g13_deinit_default_ctrl): Release recipients list. (g13_request_shutdown): New. Replace all direct update of shutdown_pending by calls this function. * g13/server.c (server_local_s): Remove field recipients which is now part of CTRL. (reset_notify, cmd_recipient, cmd_create): Adjust for this change. * g13/create.c (encrypt_keyblob): Rename to g13_encrypt_keyblob. (g13_create_container): Support DM-Crypt. * g13/mount.c (parse_header): Allow for meta data copies. (g13_mount_container): Support DM-Crypt. * g13/sh-cmd.c (cmd_create): Make it work. (cmd_mount): New. * g13/sh-dmcrypt.c (sh_dmcrypt_create_container): Make it work. (sh_dmcrypt_mount_container): New. -- With this patch we can now create an encrypted partition and partly mount it (i.e. setup keys and create the mapped device). We do not yet create a file system or mount that file system Signed-off-by: Werner Koch <wk@gnupg.org>
2016-02-13 17:01:45 +01:00
/* # warning hardwired to /dev/sdb1 ! */
/* if (strcmp (line, "/dev/sdb1")) */
/* { */
/* err = gpg_error (GPG_ERR_ENOENT); */
/* goto leave; */
/* } */
g13: First chunk of code to support dm-crypt. * g13/call-syshelp.c, g13/call-syshelp.h: New. * g13/g13-syshelp.c, g13/g13-syshelp.h: New. * g13/sh-cmd.c: New. * g13/sh-blockdev.c: New. * g13/sh-exectool.c: New. * g13/sh-dmcrypt.c: New. * g13/Makefile.am (sbin_PROGRAMS): Add g13-syshelp.c (g13_syshelp_SOURCES): New. (g13_syshelp_LDADD): New. * g13/g13.c (opts): Add option --type. (g13_deinit_default_ctrl): New. (main): Implement that option. Call g13_deinit_default_ctrl. * g13/g13.h (struct call_syshelp_s): New declaration. (server_control_s): Add field syshelp_local. * g13/keyblob.h (KEYBLOB_TAG_CREATED): New. (KEYBLOB_TAG_ALGOSTR): New. (KEYBLOB_TAG_HDRCOPY): New. * g13/backend.c (be_parse_conttype_name): New. (be_get_detached_name): Add CONTTYPE_DM_CRYPT. Signed-off-by: Werner Koch <wk@gnupg.org>
2015-10-21 08:38:10 +02:00
/* Always close an open device stream of this session. */
xfree (ctrl->server_local->devicename);
ctrl->server_local->devicename = NULL;
es_fclose (ctrl->server_local->devicefp);
ctrl->server_local->devicefp = NULL;
/* Are we allowed to use the given device? */
for (ti=ctrl->client.tab; ti; ti = ti->next)
if (!strcmp (line, ti->blockdev))
break;
if (!ti)
{
g13: Return an error for non-existing device. * g13/sh-cmd.c (cmd_device): Set ERR. Signed-off-by: Werner Koch <wk@gnupg.org>
2016-02-02 18:18:31 +01:00
err = set_error (GPG_ERR_EACCES, "device not configured for user");
g13: First chunk of code to support dm-crypt. * g13/call-syshelp.c, g13/call-syshelp.h: New. * g13/g13-syshelp.c, g13/g13-syshelp.h: New. * g13/sh-cmd.c: New. * g13/sh-blockdev.c: New. * g13/sh-exectool.c: New. * g13/sh-dmcrypt.c: New. * g13/Makefile.am (sbin_PROGRAMS): Add g13-syshelp.c (g13_syshelp_SOURCES): New. (g13_syshelp_LDADD): New. * g13/g13.c (opts): Add option --type. (g13_deinit_default_ctrl): New. (main): Implement that option. Call g13_deinit_default_ctrl. * g13/g13.h (struct call_syshelp_s): New declaration. (server_control_s): Add field syshelp_local. * g13/keyblob.h (KEYBLOB_TAG_CREATED): New. (KEYBLOB_TAG_ALGOSTR): New. (KEYBLOB_TAG_HDRCOPY): New. * g13/backend.c (be_parse_conttype_name): New. (be_get_detached_name): Add CONTTYPE_DM_CRYPT. Signed-off-by: Werner Koch <wk@gnupg.org>
2015-10-21 08:38:10 +02:00
goto leave;
}
ctrl->server_local->devicename = xtrystrdup (line);
if (!ctrl->server_local->devicename)
{
err = gpg_error_from_syserror ();
goto leave;
}
/* Check whether we have permissions to open the device and keep an
FD open. */
fp = es_fopen (ctrl->server_local->devicename, "rb");
if (!fp)
{
err = gpg_error_from_syserror ();
log_error ("error opening '%s': %s\n",
ctrl->server_local->devicename, gpg_strerror (err));
goto leave;
}
es_fclose (ctrl->server_local->devicefp);
ctrl->server_local->devicefp = fp;
fp = NULL;
ctrl->devti = ti;
g13: Return an error for non-existing device. * g13/sh-cmd.c (cmd_device): Set ERR. Signed-off-by: Werner Koch <wk@gnupg.org>
2016-02-02 18:18:31 +01:00
/* Fixme: Take some kind of lock. */
g13: First chunk of code to support dm-crypt. * g13/call-syshelp.c, g13/call-syshelp.h: New. * g13/g13-syshelp.c, g13/g13-syshelp.h: New. * g13/sh-cmd.c: New. * g13/sh-blockdev.c: New. * g13/sh-exectool.c: New. * g13/sh-dmcrypt.c: New. * g13/Makefile.am (sbin_PROGRAMS): Add g13-syshelp.c (g13_syshelp_SOURCES): New. (g13_syshelp_LDADD): New. * g13/g13.c (opts): Add option --type. (g13_deinit_default_ctrl): New. (main): Implement that option. Call g13_deinit_default_ctrl. * g13/g13.h (struct call_syshelp_s): New declaration. (server_control_s): Add field syshelp_local. * g13/keyblob.h (KEYBLOB_TAG_CREATED): New. (KEYBLOB_TAG_ALGOSTR): New. (KEYBLOB_TAG_HDRCOPY): New. * g13/backend.c (be_parse_conttype_name): New. (be_get_detached_name): Add CONTTYPE_DM_CRYPT. Signed-off-by: Werner Koch <wk@gnupg.org>
2015-10-21 08:38:10 +02:00
leave:
es_fclose (fp);
if (err)
{
xfree (ctrl->server_local->devicename);
ctrl->server_local->devicename = NULL;
ctrl->devti = NULL;
}
return leave_cmd (ctx, err);
}
static const char hlp_create[] =
"CREATE <type>\n"
"\n"
"Create a new encrypted partition on the current device.\n"
"<type> must be \"dm-crypt\" for now.";
static gpg_error_t
cmd_create (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
gpg_error_t err = 0;
g13: Second chunk of code to support dm-crypt. * g13/be-dmcrypt.c, g13/be-dmcrypt.h: New. * g13/Makefile.am (g13_SOURCES): Add them. * g13/backend.c: Include be-dmcrypt.h and call-syshelp.h. (no_such_backend): Rename to _no_such_backend and provide replacement macro. (be_is_supported_conttype): Support DM-Crypt. (be_take_lock_for_create): Call set_segvice for DM-Crypt. (be_create_new_keys): Make it a dummy for DM-Crypt. (be_create_container): Call be_dmcrypt_create_container. (be_mount_container): call be_dmcrypt_mount_container. * g13/g13-syshelp.c (main): Enable verbose mode. * g13/g13tuple.c (get_tupledesc_data): New. * g13/g13tuple.h (unref_tupledesc): New. * g13/g13.h (server_control_): Add field "recipients". * g13/g13.c (main): Fix setting of recipients via cmdline. (g13_deinit_default_ctrl): Release recipients list. (g13_request_shutdown): New. Replace all direct update of shutdown_pending by calls this function. * g13/server.c (server_local_s): Remove field recipients which is now part of CTRL. (reset_notify, cmd_recipient, cmd_create): Adjust for this change. * g13/create.c (encrypt_keyblob): Rename to g13_encrypt_keyblob. (g13_create_container): Support DM-Crypt. * g13/mount.c (parse_header): Allow for meta data copies. (g13_mount_container): Support DM-Crypt. * g13/sh-cmd.c (cmd_create): Make it work. (cmd_mount): New. * g13/sh-dmcrypt.c (sh_dmcrypt_create_container): Make it work. (sh_dmcrypt_mount_container): New. -- With this patch we can now create an encrypted partition and partly mount it (i.e. setup keys and create the mapped device). We do not yet create a file system or mount that file system Signed-off-by: Werner Koch <wk@gnupg.org>
2016-02-13 17:01:45 +01:00
estream_t fp = NULL;
g13: First chunk of code to support dm-crypt. * g13/call-syshelp.c, g13/call-syshelp.h: New. * g13/g13-syshelp.c, g13/g13-syshelp.h: New. * g13/sh-cmd.c: New. * g13/sh-blockdev.c: New. * g13/sh-exectool.c: New. * g13/sh-dmcrypt.c: New. * g13/Makefile.am (sbin_PROGRAMS): Add g13-syshelp.c (g13_syshelp_SOURCES): New. (g13_syshelp_LDADD): New. * g13/g13.c (opts): Add option --type. (g13_deinit_default_ctrl): New. (main): Implement that option. Call g13_deinit_default_ctrl. * g13/g13.h (struct call_syshelp_s): New declaration. (server_control_s): Add field syshelp_local. * g13/keyblob.h (KEYBLOB_TAG_CREATED): New. (KEYBLOB_TAG_ALGOSTR): New. (KEYBLOB_TAG_HDRCOPY): New. * g13/backend.c (be_parse_conttype_name): New. (be_get_detached_name): Add CONTTYPE_DM_CRYPT. Signed-off-by: Werner Koch <wk@gnupg.org>
2015-10-21 08:38:10 +02:00
line = skip_options (line);
if (strcmp (line, "dm-crypt"))
{
err = set_error (GPG_ERR_INV_ARG, "Type must be \"dm-crypt\"");
goto leave;
}
if (!ctrl->server_local->devicename
|| !ctrl->server_local->devicefp
|| !ctrl->devti)
{
err = set_error (GPG_ERR_ENOENT, "No device has been set");
goto leave;
}
err = sh_is_empty_partition (ctrl->server_local->devicename);
if (err)
{
g13: Second chunk of code to support dm-crypt. * g13/be-dmcrypt.c, g13/be-dmcrypt.h: New. * g13/Makefile.am (g13_SOURCES): Add them. * g13/backend.c: Include be-dmcrypt.h and call-syshelp.h. (no_such_backend): Rename to _no_such_backend and provide replacement macro. (be_is_supported_conttype): Support DM-Crypt. (be_take_lock_for_create): Call set_segvice for DM-Crypt. (be_create_new_keys): Make it a dummy for DM-Crypt. (be_create_container): Call be_dmcrypt_create_container. (be_mount_container): call be_dmcrypt_mount_container. * g13/g13-syshelp.c (main): Enable verbose mode. * g13/g13tuple.c (get_tupledesc_data): New. * g13/g13tuple.h (unref_tupledesc): New. * g13/g13.h (server_control_): Add field "recipients". * g13/g13.c (main): Fix setting of recipients via cmdline. (g13_deinit_default_ctrl): Release recipients list. (g13_request_shutdown): New. Replace all direct update of shutdown_pending by calls this function. * g13/server.c (server_local_s): Remove field recipients which is now part of CTRL. (reset_notify, cmd_recipient, cmd_create): Adjust for this change. * g13/create.c (encrypt_keyblob): Rename to g13_encrypt_keyblob. (g13_create_container): Support DM-Crypt. * g13/mount.c (parse_header): Allow for meta data copies. (g13_mount_container): Support DM-Crypt. * g13/sh-cmd.c (cmd_create): Make it work. (cmd_mount): New. * g13/sh-dmcrypt.c (sh_dmcrypt_create_container): Make it work. (sh_dmcrypt_mount_container): New. -- With this patch we can now create an encrypted partition and partly mount it (i.e. setup keys and create the mapped device). We do not yet create a file system or mount that file system Signed-off-by: Werner Koch <wk@gnupg.org>
2016-02-13 17:01:45 +01:00
if (gpg_err_code (err) == GPG_ERR_FALSE)
err = gpg_error (GPG_ERR_CONFLICT);
g13: Return an error for non-existing device. * g13/sh-cmd.c (cmd_device): Set ERR. Signed-off-by: Werner Koch <wk@gnupg.org>
2016-02-02 18:18:31 +01:00
err = assuan_set_error (ctx, err, "Partition is not empty");
g13: First chunk of code to support dm-crypt. * g13/call-syshelp.c, g13/call-syshelp.h: New. * g13/g13-syshelp.c, g13/g13-syshelp.h: New. * g13/sh-cmd.c: New. * g13/sh-blockdev.c: New. * g13/sh-exectool.c: New. * g13/sh-dmcrypt.c: New. * g13/Makefile.am (sbin_PROGRAMS): Add g13-syshelp.c (g13_syshelp_SOURCES): New. (g13_syshelp_LDADD): New. * g13/g13.c (opts): Add option --type. (g13_deinit_default_ctrl): New. (main): Implement that option. Call g13_deinit_default_ctrl. * g13/g13.h (struct call_syshelp_s): New declaration. (server_control_s): Add field syshelp_local. * g13/keyblob.h (KEYBLOB_TAG_CREATED): New. (KEYBLOB_TAG_ALGOSTR): New. (KEYBLOB_TAG_HDRCOPY): New. * g13/backend.c (be_parse_conttype_name): New. (be_get_detached_name): Add CONTTYPE_DM_CRYPT. Signed-off-by: Werner Koch <wk@gnupg.org>
2015-10-21 08:38:10 +02:00
goto leave;
}
g13: Second chunk of code to support dm-crypt. * g13/be-dmcrypt.c, g13/be-dmcrypt.h: New. * g13/Makefile.am (g13_SOURCES): Add them. * g13/backend.c: Include be-dmcrypt.h and call-syshelp.h. (no_such_backend): Rename to _no_such_backend and provide replacement macro. (be_is_supported_conttype): Support DM-Crypt. (be_take_lock_for_create): Call set_segvice for DM-Crypt. (be_create_new_keys): Make it a dummy for DM-Crypt. (be_create_container): Call be_dmcrypt_create_container. (be_mount_container): call be_dmcrypt_mount_container. * g13/g13-syshelp.c (main): Enable verbose mode. * g13/g13tuple.c (get_tupledesc_data): New. * g13/g13tuple.h (unref_tupledesc): New. * g13/g13.h (server_control_): Add field "recipients". * g13/g13.c (main): Fix setting of recipients via cmdline. (g13_deinit_default_ctrl): Release recipients list. (g13_request_shutdown): New. Replace all direct update of shutdown_pending by calls this function. * g13/server.c (server_local_s): Remove field recipients which is now part of CTRL. (reset_notify, cmd_recipient, cmd_create): Adjust for this change. * g13/create.c (encrypt_keyblob): Rename to g13_encrypt_keyblob. (g13_create_container): Support DM-Crypt. * g13/mount.c (parse_header): Allow for meta data copies. (g13_mount_container): Support DM-Crypt. * g13/sh-cmd.c (cmd_create): Make it work. (cmd_mount): New. * g13/sh-dmcrypt.c (sh_dmcrypt_create_container): Make it work. (sh_dmcrypt_mount_container): New. -- With this patch we can now create an encrypted partition and partly mount it (i.e. setup keys and create the mapped device). We do not yet create a file system or mount that file system Signed-off-by: Werner Koch <wk@gnupg.org>
2016-02-13 17:01:45 +01:00
/* We need a writeable stream to create the container. */
fp = es_fopen (ctrl->server_local->devicename, "r+b");
if (!fp)
{
err = gpg_error_from_syserror ();
log_error ("error opening '%s': %s\n",
ctrl->server_local->devicename, gpg_strerror (err));
goto leave;
}
if (es_setvbuf (fp, NULL, _IONBF, 0))
{
err = gpg_error_from_syserror ();
log_error ("error setting '%s' to _IONBF: %s\n",
ctrl->server_local->devicename, gpg_strerror (err));
goto leave;
}
g13: First chunk of code to support dm-crypt. * g13/call-syshelp.c, g13/call-syshelp.h: New. * g13/g13-syshelp.c, g13/g13-syshelp.h: New. * g13/sh-cmd.c: New. * g13/sh-blockdev.c: New. * g13/sh-exectool.c: New. * g13/sh-dmcrypt.c: New. * g13/Makefile.am (sbin_PROGRAMS): Add g13-syshelp.c (g13_syshelp_SOURCES): New. (g13_syshelp_LDADD): New. * g13/g13.c (opts): Add option --type. (g13_deinit_default_ctrl): New. (main): Implement that option. Call g13_deinit_default_ctrl. * g13/g13.h (struct call_syshelp_s): New declaration. (server_control_s): Add field syshelp_local. * g13/keyblob.h (KEYBLOB_TAG_CREATED): New. (KEYBLOB_TAG_ALGOSTR): New. (KEYBLOB_TAG_HDRCOPY): New. * g13/backend.c (be_parse_conttype_name): New. (be_get_detached_name): Add CONTTYPE_DM_CRYPT. Signed-off-by: Werner Koch <wk@gnupg.org>
2015-10-21 08:38:10 +02:00
err = sh_dmcrypt_create_container (ctrl,
ctrl->server_local->devicename,
g13: Second chunk of code to support dm-crypt. * g13/be-dmcrypt.c, g13/be-dmcrypt.h: New. * g13/Makefile.am (g13_SOURCES): Add them. * g13/backend.c: Include be-dmcrypt.h and call-syshelp.h. (no_such_backend): Rename to _no_such_backend and provide replacement macro. (be_is_supported_conttype): Support DM-Crypt. (be_take_lock_for_create): Call set_segvice for DM-Crypt. (be_create_new_keys): Make it a dummy for DM-Crypt. (be_create_container): Call be_dmcrypt_create_container. (be_mount_container): call be_dmcrypt_mount_container. * g13/g13-syshelp.c (main): Enable verbose mode. * g13/g13tuple.c (get_tupledesc_data): New. * g13/g13tuple.h (unref_tupledesc): New. * g13/g13.h (server_control_): Add field "recipients". * g13/g13.c (main): Fix setting of recipients via cmdline. (g13_deinit_default_ctrl): Release recipients list. (g13_request_shutdown): New. Replace all direct update of shutdown_pending by calls this function. * g13/server.c (server_local_s): Remove field recipients which is now part of CTRL. (reset_notify, cmd_recipient, cmd_create): Adjust for this change. * g13/create.c (encrypt_keyblob): Rename to g13_encrypt_keyblob. (g13_create_container): Support DM-Crypt. * g13/mount.c (parse_header): Allow for meta data copies. (g13_mount_container): Support DM-Crypt. * g13/sh-cmd.c (cmd_create): Make it work. (cmd_mount): New. * g13/sh-dmcrypt.c (sh_dmcrypt_create_container): Make it work. (sh_dmcrypt_mount_container): New. -- With this patch we can now create an encrypted partition and partly mount it (i.e. setup keys and create the mapped device). We do not yet create a file system or mount that file system Signed-off-by: Werner Koch <wk@gnupg.org>
2016-02-13 17:01:45 +01:00
fp);
if (es_fclose (fp))
{
gpg_error_t err2 = gpg_error_from_syserror ();
log_error ("error closing '%s': %s\n",
ctrl->server_local->devicename, gpg_strerror (err2));
if (!err)
err = err2;
}
fp = NULL;
g13: First chunk of code to support dm-crypt. * g13/call-syshelp.c, g13/call-syshelp.h: New. * g13/g13-syshelp.c, g13/g13-syshelp.h: New. * g13/sh-cmd.c: New. * g13/sh-blockdev.c: New. * g13/sh-exectool.c: New. * g13/sh-dmcrypt.c: New. * g13/Makefile.am (sbin_PROGRAMS): Add g13-syshelp.c (g13_syshelp_SOURCES): New. (g13_syshelp_LDADD): New. * g13/g13.c (opts): Add option --type. (g13_deinit_default_ctrl): New. (main): Implement that option. Call g13_deinit_default_ctrl. * g13/g13.h (struct call_syshelp_s): New declaration. (server_control_s): Add field syshelp_local. * g13/keyblob.h (KEYBLOB_TAG_CREATED): New. (KEYBLOB_TAG_ALGOSTR): New. (KEYBLOB_TAG_HDRCOPY): New. * g13/backend.c (be_parse_conttype_name): New. (be_get_detached_name): Add CONTTYPE_DM_CRYPT. Signed-off-by: Werner Koch <wk@gnupg.org>
2015-10-21 08:38:10 +02:00
g13: Second chunk of code to support dm-crypt. * g13/be-dmcrypt.c, g13/be-dmcrypt.h: New. * g13/Makefile.am (g13_SOURCES): Add them. * g13/backend.c: Include be-dmcrypt.h and call-syshelp.h. (no_such_backend): Rename to _no_such_backend and provide replacement macro. (be_is_supported_conttype): Support DM-Crypt. (be_take_lock_for_create): Call set_segvice for DM-Crypt. (be_create_new_keys): Make it a dummy for DM-Crypt. (be_create_container): Call be_dmcrypt_create_container. (be_mount_container): call be_dmcrypt_mount_container. * g13/g13-syshelp.c (main): Enable verbose mode. * g13/g13tuple.c (get_tupledesc_data): New. * g13/g13tuple.h (unref_tupledesc): New. * g13/g13.h (server_control_): Add field "recipients". * g13/g13.c (main): Fix setting of recipients via cmdline. (g13_deinit_default_ctrl): Release recipients list. (g13_request_shutdown): New. Replace all direct update of shutdown_pending by calls this function. * g13/server.c (server_local_s): Remove field recipients which is now part of CTRL. (reset_notify, cmd_recipient, cmd_create): Adjust for this change. * g13/create.c (encrypt_keyblob): Rename to g13_encrypt_keyblob. (g13_create_container): Support DM-Crypt. * g13/mount.c (parse_header): Allow for meta data copies. (g13_mount_container): Support DM-Crypt. * g13/sh-cmd.c (cmd_create): Make it work. (cmd_mount): New. * g13/sh-dmcrypt.c (sh_dmcrypt_create_container): Make it work. (sh_dmcrypt_mount_container): New. -- With this patch we can now create an encrypted partition and partly mount it (i.e. setup keys and create the mapped device). We do not yet create a file system or mount that file system Signed-off-by: Werner Koch <wk@gnupg.org>
2016-02-13 17:01:45 +01:00
leave:
es_fclose (fp);
return leave_cmd (ctx, err);
}
g13: First chunk of code to support dm-crypt. * g13/call-syshelp.c, g13/call-syshelp.h: New. * g13/g13-syshelp.c, g13/g13-syshelp.h: New. * g13/sh-cmd.c: New. * g13/sh-blockdev.c: New. * g13/sh-exectool.c: New. * g13/sh-dmcrypt.c: New. * g13/Makefile.am (sbin_PROGRAMS): Add g13-syshelp.c (g13_syshelp_SOURCES): New. (g13_syshelp_LDADD): New. * g13/g13.c (opts): Add option --type. (g13_deinit_default_ctrl): New. (main): Implement that option. Call g13_deinit_default_ctrl. * g13/g13.h (struct call_syshelp_s): New declaration. (server_control_s): Add field syshelp_local. * g13/keyblob.h (KEYBLOB_TAG_CREATED): New. (KEYBLOB_TAG_ALGOSTR): New. (KEYBLOB_TAG_HDRCOPY): New. * g13/backend.c (be_parse_conttype_name): New. (be_get_detached_name): Add CONTTYPE_DM_CRYPT. Signed-off-by: Werner Koch <wk@gnupg.org>
2015-10-21 08:38:10 +02:00
g13: Second chunk of code to support dm-crypt. * g13/be-dmcrypt.c, g13/be-dmcrypt.h: New. * g13/Makefile.am (g13_SOURCES): Add them. * g13/backend.c: Include be-dmcrypt.h and call-syshelp.h. (no_such_backend): Rename to _no_such_backend and provide replacement macro. (be_is_supported_conttype): Support DM-Crypt. (be_take_lock_for_create): Call set_segvice for DM-Crypt. (be_create_new_keys): Make it a dummy for DM-Crypt. (be_create_container): Call be_dmcrypt_create_container. (be_mount_container): call be_dmcrypt_mount_container. * g13/g13-syshelp.c (main): Enable verbose mode. * g13/g13tuple.c (get_tupledesc_data): New. * g13/g13tuple.h (unref_tupledesc): New. * g13/g13.h (server_control_): Add field "recipients". * g13/g13.c (main): Fix setting of recipients via cmdline. (g13_deinit_default_ctrl): Release recipients list. (g13_request_shutdown): New. Replace all direct update of shutdown_pending by calls this function. * g13/server.c (server_local_s): Remove field recipients which is now part of CTRL. (reset_notify, cmd_recipient, cmd_create): Adjust for this change. * g13/create.c (encrypt_keyblob): Rename to g13_encrypt_keyblob. (g13_create_container): Support DM-Crypt. * g13/mount.c (parse_header): Allow for meta data copies. (g13_mount_container): Support DM-Crypt. * g13/sh-cmd.c (cmd_create): Make it work. (cmd_mount): New. * g13/sh-dmcrypt.c (sh_dmcrypt_create_container): Make it work. (sh_dmcrypt_mount_container): New. -- With this patch we can now create an encrypted partition and partly mount it (i.e. setup keys and create the mapped device). We do not yet create a file system or mount that file system Signed-off-by: Werner Koch <wk@gnupg.org>
2016-02-13 17:01:45 +01:00
static const char hlp_mount[] =
"MOUNT <type>\n"
"\n"
"Mount an encrypted partition on the current device.\n"
"<type> must be \"dm-crypt\" for now.";
static gpg_error_t
cmd_mount (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
gpg_error_t err = 0;
unsigned char *keyblob = NULL;
size_t keybloblen;
tupledesc_t tuples = NULL;
line = skip_options (line);
if (strcmp (line, "dm-crypt"))
{
err = set_error (GPG_ERR_INV_ARG, "Type must be \"dm-crypt\"");
goto leave;
}
if (!ctrl->server_local->devicename
|| !ctrl->server_local->devicefp
|| !ctrl->devti)
{
err = set_error (GPG_ERR_ENOENT, "No device has been set");
goto leave;
}
err = sh_is_empty_partition (ctrl->server_local->devicename);
if (!err)
{
err = gpg_error (GPG_ERR_ENODEV);
assuan_set_error (ctx, err, "Partition is empty");
goto leave;
}
err = 0;
/* We expect that the client already decrypted the keyblob.
* Eventually we should move reading of the keyblob to here and ask
* the client to decrypt it. */
assuan_begin_confidential (ctx);
err = assuan_inquire (ctx, "KEYBLOB",
&keyblob, &keybloblen, 4 * 1024);
assuan_end_confidential (ctx);
if (err)
{
log_error (_("assuan_inquire failed: %s\n"), gpg_strerror (err));
goto leave;
}
err = create_tupledesc (&tuples, keyblob, keybloblen);
if (!err)
keyblob = NULL;
else
{
if (gpg_err_code (err) == GPG_ERR_NOT_SUPPORTED)
log_error ("unknown keyblob version received\n");
goto leave;
}
err = sh_dmcrypt_mount_container (ctrl,
ctrl->server_local->devicename,
tuples);
g13: First chunk of code to support dm-crypt. * g13/call-syshelp.c, g13/call-syshelp.h: New. * g13/g13-syshelp.c, g13/g13-syshelp.h: New. * g13/sh-cmd.c: New. * g13/sh-blockdev.c: New. * g13/sh-exectool.c: New. * g13/sh-dmcrypt.c: New. * g13/Makefile.am (sbin_PROGRAMS): Add g13-syshelp.c (g13_syshelp_SOURCES): New. (g13_syshelp_LDADD): New. * g13/g13.c (opts): Add option --type. (g13_deinit_default_ctrl): New. (main): Implement that option. Call g13_deinit_default_ctrl. * g13/g13.h (struct call_syshelp_s): New declaration. (server_control_s): Add field syshelp_local. * g13/keyblob.h (KEYBLOB_TAG_CREATED): New. (KEYBLOB_TAG_ALGOSTR): New. (KEYBLOB_TAG_HDRCOPY): New. * g13/backend.c (be_parse_conttype_name): New. (be_get_detached_name): Add CONTTYPE_DM_CRYPT. Signed-off-by: Werner Koch <wk@gnupg.org>
2015-10-21 08:38:10 +02:00
leave:
g13: Second chunk of code to support dm-crypt. * g13/be-dmcrypt.c, g13/be-dmcrypt.h: New. * g13/Makefile.am (g13_SOURCES): Add them. * g13/backend.c: Include be-dmcrypt.h and call-syshelp.h. (no_such_backend): Rename to _no_such_backend and provide replacement macro. (be_is_supported_conttype): Support DM-Crypt. (be_take_lock_for_create): Call set_segvice for DM-Crypt. (be_create_new_keys): Make it a dummy for DM-Crypt. (be_create_container): Call be_dmcrypt_create_container. (be_mount_container): call be_dmcrypt_mount_container. * g13/g13-syshelp.c (main): Enable verbose mode. * g13/g13tuple.c (get_tupledesc_data): New. * g13/g13tuple.h (unref_tupledesc): New. * g13/g13.h (server_control_): Add field "recipients". * g13/g13.c (main): Fix setting of recipients via cmdline. (g13_deinit_default_ctrl): Release recipients list. (g13_request_shutdown): New. Replace all direct update of shutdown_pending by calls this function. * g13/server.c (server_local_s): Remove field recipients which is now part of CTRL. (reset_notify, cmd_recipient, cmd_create): Adjust for this change. * g13/create.c (encrypt_keyblob): Rename to g13_encrypt_keyblob. (g13_create_container): Support DM-Crypt. * g13/mount.c (parse_header): Allow for meta data copies. (g13_mount_container): Support DM-Crypt. * g13/sh-cmd.c (cmd_create): Make it work. (cmd_mount): New. * g13/sh-dmcrypt.c (sh_dmcrypt_create_container): Make it work. (sh_dmcrypt_mount_container): New. -- With this patch we can now create an encrypted partition and partly mount it (i.e. setup keys and create the mapped device). We do not yet create a file system or mount that file system Signed-off-by: Werner Koch <wk@gnupg.org>
2016-02-13 17:01:45 +01:00
xfree (tuples);
destroy_tupledesc (tuples);
g13: First chunk of code to support dm-crypt. * g13/call-syshelp.c, g13/call-syshelp.h: New. * g13/g13-syshelp.c, g13/g13-syshelp.h: New. * g13/sh-cmd.c: New. * g13/sh-blockdev.c: New. * g13/sh-exectool.c: New. * g13/sh-dmcrypt.c: New. * g13/Makefile.am (sbin_PROGRAMS): Add g13-syshelp.c (g13_syshelp_SOURCES): New. (g13_syshelp_LDADD): New. * g13/g13.c (opts): Add option --type. (g13_deinit_default_ctrl): New. (main): Implement that option. Call g13_deinit_default_ctrl. * g13/g13.h (struct call_syshelp_s): New declaration. (server_control_s): Add field syshelp_local. * g13/keyblob.h (KEYBLOB_TAG_CREATED): New. (KEYBLOB_TAG_ALGOSTR): New. (KEYBLOB_TAG_HDRCOPY): New. * g13/backend.c (be_parse_conttype_name): New. (be_get_detached_name): Add CONTTYPE_DM_CRYPT. Signed-off-by: Werner Koch <wk@gnupg.org>
2015-10-21 08:38:10 +02:00
return leave_cmd (ctx, err);
}
g13: Add commands --suspend and --remove. * g13/g13.c (aSuspend, aResume): New. (opts): Add commands --suspend and --resume. (main): Implement dummy command aUmount. Implement commands aResume and aSuspend. * g13/sh-cmd.c (cmd_suspend): New. (cmd_resume): New. (register_commands): Add commands RESUME and SUSPEND. * g13/server.c (cmd_suspend): New. (cmd_resume): New. (register_commands): Add commands RESUME and SUSPEND. * g13/be-dmcrypt.c (be_dmcrypt_suspend_container): New. (be_dmcrypt_resume_container): New. * g13/backend.c (be_suspend_container): New. (be_resume_container): New. * g13/suspend.c, g13/suspend.h: New. * g13/mount.c (parse_header, read_keyblob_prefix, read_keyblob) (decrypt_keyblob, g13_is_container): Move to ... * g13/keyblob.c: new file. (keyblob_read): Rename to g13_keyblob_read and make global. (keyblob_decrypt): Rename to g13_keyblob_decrypt and make global. * g13/sh-dmcrypt.c (check_blockdev): Add arg expect_busy. (sh_dmcrypt_suspend_container): New. (sh_dmcrypt_resume_container): New. * g13/call-syshelp.c (call_syshelp_run_suspend): New. (call_syshelp_run_resume): New. -- The --suspend command can be used before a hibernate operation to make the encrypted partition inaccessible and wipe the key from the memory. Before --suspend is called a sync(1) should be run to make sure that their are no dirty buffers (dmsetup, as called by g13, actually does this for you but it does not harm to do it anyway. After the partition has been suspended a echo 3 >proc/sys/vm/drop_caches required to flush all caches which may still have content from the encrypted partition. The --resume command reverses the effect of the suspend but to do this it needs to decrypt again. Now, if the .gnupg directory lives on the encrypted partition this will be problematic because due to the suspend all processes accessing data on the encrypted partition will be put into an uninterruptible sleep (ps(1) shows a state of 'D'). This needs to be avoided. A workaround is to have a separate GnuPG home directory (say, "~/.gnupg-fallback") with only the public keys required to decrypt the partition along with a properly setup conf files. A GNUPGHOME=$(pwd)/.gnupg-fallback g13 --resume should then be able to resume the encrypted partition using the private key stored on a smartcard. The implementation is pretty basic right now but useful to me. Signed-off-by: Werner Koch <wk@gnupg.org>
2016-02-23 14:32:46 +01:00
static const char hlp_suspend[] =
"SUSPEND <type>\n"
"\n"
"Suspend an encrypted partition and wipe the key.\n"
"<type> must be \"dm-crypt\" for now.";
static gpg_error_t
cmd_suspend (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
gpg_error_t err = 0;
line = skip_options (line);
if (strcmp (line, "dm-crypt"))
{
err = set_error (GPG_ERR_INV_ARG, "Type must be \"dm-crypt\"");
goto leave;
}
if (!ctrl->server_local->devicename
|| !ctrl->server_local->devicefp
|| !ctrl->devti)
{
err = set_error (GPG_ERR_ENOENT, "No device has been set");
goto leave;
}
err = sh_is_empty_partition (ctrl->server_local->devicename);
if (!err)
{
err = gpg_error (GPG_ERR_ENODEV);
assuan_set_error (ctx, err, "Partition is empty");
goto leave;
}
err = 0;
err = sh_dmcrypt_suspend_container (ctrl, ctrl->server_local->devicename);
leave:
return leave_cmd (ctx, err);
}
static const char hlp_resume[] =
"RESUME <type>\n"
"\n"
"Resume an encrypted partition and set the key.\n"
"<type> must be \"dm-crypt\" for now.";
static gpg_error_t
cmd_resume (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
gpg_error_t err = 0;
unsigned char *keyblob = NULL;
size_t keybloblen;
tupledesc_t tuples = NULL;
line = skip_options (line);
if (strcmp (line, "dm-crypt"))
{
err = set_error (GPG_ERR_INV_ARG, "Type must be \"dm-crypt\"");
goto leave;
}
if (!ctrl->server_local->devicename
|| !ctrl->server_local->devicefp
|| !ctrl->devti)
{
err = set_error (GPG_ERR_ENOENT, "No device has been set");
goto leave;
}
err = sh_is_empty_partition (ctrl->server_local->devicename);
if (!err)
{
err = gpg_error (GPG_ERR_ENODEV);
assuan_set_error (ctx, err, "Partition is empty");
goto leave;
}
err = 0;
/* We expect that the client already decrypted the keyblob.
* Eventually we should move reading of the keyblob to here and ask
* the client to decrypt it. */
assuan_begin_confidential (ctx);
err = assuan_inquire (ctx, "KEYBLOB",
&keyblob, &keybloblen, 4 * 1024);
assuan_end_confidential (ctx);
if (err)
{
log_error (_("assuan_inquire failed: %s\n"), gpg_strerror (err));
goto leave;
}
err = create_tupledesc (&tuples, keyblob, keybloblen);
if (!err)
keyblob = NULL;
else
{
if (gpg_err_code (err) == GPG_ERR_NOT_SUPPORTED)
log_error ("unknown keyblob version received\n");
goto leave;
}
err = sh_dmcrypt_resume_container (ctrl,
ctrl->server_local->devicename,
tuples);
leave:
xfree (tuples);
destroy_tupledesc (tuples);
return leave_cmd (ctx, err);
}
g13: First chunk of code to support dm-crypt. * g13/call-syshelp.c, g13/call-syshelp.h: New. * g13/g13-syshelp.c, g13/g13-syshelp.h: New. * g13/sh-cmd.c: New. * g13/sh-blockdev.c: New. * g13/sh-exectool.c: New. * g13/sh-dmcrypt.c: New. * g13/Makefile.am (sbin_PROGRAMS): Add g13-syshelp.c (g13_syshelp_SOURCES): New. (g13_syshelp_LDADD): New. * g13/g13.c (opts): Add option --type. (g13_deinit_default_ctrl): New. (main): Implement that option. Call g13_deinit_default_ctrl. * g13/g13.h (struct call_syshelp_s): New declaration. (server_control_s): Add field syshelp_local. * g13/keyblob.h (KEYBLOB_TAG_CREATED): New. (KEYBLOB_TAG_ALGOSTR): New. (KEYBLOB_TAG_HDRCOPY): New. * g13/backend.c (be_parse_conttype_name): New. (be_get_detached_name): Add CONTTYPE_DM_CRYPT. Signed-off-by: Werner Koch <wk@gnupg.org>
2015-10-21 08:38:10 +02:00
static const char hlp_getinfo[] =
"GETINFO <what>\n"
"\n"
"Multipurpose function to return a variety of information.\n"
"Supported values for WHAT are:\n"
"\n"
" version - Return the version of the program.\n"
" pid - Return the process id of the server.\n"
" showtab - Show the table for the user.";
static gpg_error_t
cmd_getinfo (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
gpg_error_t err = 0;
char *buf;
if (!strcmp (line, "version"))
{
const char *s = PACKAGE_VERSION;
err = assuan_send_data (ctx, s, strlen (s));
}
else if (!strcmp (line, "pid"))
{
char numbuf[50];
snprintf (numbuf, sizeof numbuf, "%lu", (unsigned long)getpid ());
err = assuan_send_data (ctx, numbuf, strlen (numbuf));
}
else if (!strncmp (line, "getsz", 5))
{
unsigned long long nblocks;
err = sh_blockdev_getsz (line+6, &nblocks);
if (!err)
log_debug ("getsz=%llu\n", nblocks);
}
else if (!strcmp (line, "showtab"))
{
tab_item_t ti;
for (ti=ctrl->client.tab; !err && ti; ti = ti->next)
{
buf = es_bsprintf ("%s %s%s %s %s%s\n",
ctrl->client.uname,
*ti->blockdev=='/'? "":"partuuid=",
ti->blockdev,
ti->label? ti->label : "-",
ti->mountpoint? " ":"",
ti->mountpoint? ti->mountpoint:"");
if (!buf)
err = gpg_error_from_syserror ();
else
{
err = assuan_send_data (ctx, buf, strlen (buf));
if (!err)
err = assuan_send_data (ctx, NULL, 0); /* Flush */
}
xfree (buf);
}
}
else
err = set_error (GPG_ERR_ASS_PARAMETER, "unknown value for WHAT");
return leave_cmd (ctx, err);
}
/* This command handler is used for all commands if this process has
not been started as expected. */
static gpg_error_t
fail_command (assuan_context_t ctx, char *line)
{
gpg_error_t err;
const char *name = assuan_get_command_name (ctx);
(void)line;
if (!name)
name = "?";
err = set_error_fail_cmd ();
log_error ("command '%s' failed: %s\n", name, gpg_strerror (err));
return err;
}
/* Tell the Assuan library about our commands. */
static int
register_commands (assuan_context_t ctx, int fail_all)
{
static struct {
const char *name;
assuan_handler_t handler;
const char * const help;
} table[] = {
{ "DEVICE", cmd_device, hlp_device },
{ "CREATE", cmd_create, hlp_create },
g13: Second chunk of code to support dm-crypt. * g13/be-dmcrypt.c, g13/be-dmcrypt.h: New. * g13/Makefile.am (g13_SOURCES): Add them. * g13/backend.c: Include be-dmcrypt.h and call-syshelp.h. (no_such_backend): Rename to _no_such_backend and provide replacement macro. (be_is_supported_conttype): Support DM-Crypt. (be_take_lock_for_create): Call set_segvice for DM-Crypt. (be_create_new_keys): Make it a dummy for DM-Crypt. (be_create_container): Call be_dmcrypt_create_container. (be_mount_container): call be_dmcrypt_mount_container. * g13/g13-syshelp.c (main): Enable verbose mode. * g13/g13tuple.c (get_tupledesc_data): New. * g13/g13tuple.h (unref_tupledesc): New. * g13/g13.h (server_control_): Add field "recipients". * g13/g13.c (main): Fix setting of recipients via cmdline. (g13_deinit_default_ctrl): Release recipients list. (g13_request_shutdown): New. Replace all direct update of shutdown_pending by calls this function. * g13/server.c (server_local_s): Remove field recipients which is now part of CTRL. (reset_notify, cmd_recipient, cmd_create): Adjust for this change. * g13/create.c (encrypt_keyblob): Rename to g13_encrypt_keyblob. (g13_create_container): Support DM-Crypt. * g13/mount.c (parse_header): Allow for meta data copies. (g13_mount_container): Support DM-Crypt. * g13/sh-cmd.c (cmd_create): Make it work. (cmd_mount): New. * g13/sh-dmcrypt.c (sh_dmcrypt_create_container): Make it work. (sh_dmcrypt_mount_container): New. -- With this patch we can now create an encrypted partition and partly mount it (i.e. setup keys and create the mapped device). We do not yet create a file system or mount that file system Signed-off-by: Werner Koch <wk@gnupg.org>
2016-02-13 17:01:45 +01:00
{ "MOUNT", cmd_mount, hlp_mount },
g13: Add commands --suspend and --remove. * g13/g13.c (aSuspend, aResume): New. (opts): Add commands --suspend and --resume. (main): Implement dummy command aUmount. Implement commands aResume and aSuspend. * g13/sh-cmd.c (cmd_suspend): New. (cmd_resume): New. (register_commands): Add commands RESUME and SUSPEND. * g13/server.c (cmd_suspend): New. (cmd_resume): New. (register_commands): Add commands RESUME and SUSPEND. * g13/be-dmcrypt.c (be_dmcrypt_suspend_container): New. (be_dmcrypt_resume_container): New. * g13/backend.c (be_suspend_container): New. (be_resume_container): New. * g13/suspend.c, g13/suspend.h: New. * g13/mount.c (parse_header, read_keyblob_prefix, read_keyblob) (decrypt_keyblob, g13_is_container): Move to ... * g13/keyblob.c: new file. (keyblob_read): Rename to g13_keyblob_read and make global. (keyblob_decrypt): Rename to g13_keyblob_decrypt and make global. * g13/sh-dmcrypt.c (check_blockdev): Add arg expect_busy. (sh_dmcrypt_suspend_container): New. (sh_dmcrypt_resume_container): New. * g13/call-syshelp.c (call_syshelp_run_suspend): New. (call_syshelp_run_resume): New. -- The --suspend command can be used before a hibernate operation to make the encrypted partition inaccessible and wipe the key from the memory. Before --suspend is called a sync(1) should be run to make sure that their are no dirty buffers (dmsetup, as called by g13, actually does this for you but it does not harm to do it anyway. After the partition has been suspended a echo 3 >proc/sys/vm/drop_caches required to flush all caches which may still have content from the encrypted partition. The --resume command reverses the effect of the suspend but to do this it needs to decrypt again. Now, if the .gnupg directory lives on the encrypted partition this will be problematic because due to the suspend all processes accessing data on the encrypted partition will be put into an uninterruptible sleep (ps(1) shows a state of 'D'). This needs to be avoided. A workaround is to have a separate GnuPG home directory (say, "~/.gnupg-fallback") with only the public keys required to decrypt the partition along with a properly setup conf files. A GNUPGHOME=$(pwd)/.gnupg-fallback g13 --resume should then be able to resume the encrypted partition using the private key stored on a smartcard. The implementation is pretty basic right now but useful to me. Signed-off-by: Werner Koch <wk@gnupg.org>
2016-02-23 14:32:46 +01:00
{ "SUSPEND", cmd_suspend,hlp_suspend},
{ "RESUME", cmd_resume, hlp_resume },
g13: First chunk of code to support dm-crypt. * g13/call-syshelp.c, g13/call-syshelp.h: New. * g13/g13-syshelp.c, g13/g13-syshelp.h: New. * g13/sh-cmd.c: New. * g13/sh-blockdev.c: New. * g13/sh-exectool.c: New. * g13/sh-dmcrypt.c: New. * g13/Makefile.am (sbin_PROGRAMS): Add g13-syshelp.c (g13_syshelp_SOURCES): New. (g13_syshelp_LDADD): New. * g13/g13.c (opts): Add option --type. (g13_deinit_default_ctrl): New. (main): Implement that option. Call g13_deinit_default_ctrl. * g13/g13.h (struct call_syshelp_s): New declaration. (server_control_s): Add field syshelp_local. * g13/keyblob.h (KEYBLOB_TAG_CREATED): New. (KEYBLOB_TAG_ALGOSTR): New. (KEYBLOB_TAG_HDRCOPY): New. * g13/backend.c (be_parse_conttype_name): New. (be_get_detached_name): Add CONTTYPE_DM_CRYPT. Signed-off-by: Werner Koch <wk@gnupg.org>
2015-10-21 08:38:10 +02:00
{ "INPUT", NULL },
{ "OUTPUT", NULL },
{ "GETINFO", cmd_getinfo, hlp_getinfo },
{ NULL }
};
gpg_error_t err;
int i;
for (i=0; table[i].name; i++)
{
err = assuan_register_command (ctx, table[i].name,
fail_all ? fail_command : table[i].handler,
table[i].help);
if (err)
return err;
}
return 0;
}
/* Startup the server. */
gpg_error_t
syshelp_server (ctrl_t ctrl)
{
gpg_error_t err;
assuan_fd_t filedes[2];
assuan_context_t ctx = NULL;
/* We use a pipe based server so that we can work from scripts.
assuan_init_pipe_server will automagically detect when we are
called with a socketpair and ignore FILEDES in this case. */
filedes[0] = assuan_fdopen (0);
filedes[1] = assuan_fdopen (1);
err = assuan_new (&ctx);
if (err)
{
log_error ("failed to allocate an Assuan context: %s\n",
gpg_strerror (err));
goto leave;
}
err = assuan_init_pipe_server (ctx, filedes);
if (err)
{
log_error ("failed to initialize the server: %s\n", gpg_strerror (err));
goto leave;
}
err = register_commands (ctx, 0 /*FIXME:ctrl->fail_all_cmds*/);
if (err)
{
log_error ("failed to the register commands with Assuan: %s\n",
gpg_strerror (err));
goto leave;
}
assuan_set_pointer (ctx, ctrl);
{
char *tmp = xtryasprintf ("G13-syshelp %s ready to serve requests "
"from %lu(%s)",
PACKAGE_VERSION,
(unsigned long)ctrl->client.uid,
ctrl->client.uname);
if (tmp)
{
assuan_set_hello_line (ctx, tmp);
xfree (tmp);
}
}
assuan_register_reset_notify (ctx, reset_notify);
assuan_register_option_handler (ctx, option_handler);
ctrl->server_local = xtrycalloc (1, sizeof *ctrl->server_local);
if (!ctrl->server_local)
{
err = gpg_error_from_syserror ();
goto leave;
}
ctrl->server_local->assuan_ctx = ctx;
while ( !(err = assuan_accept (ctx)) )
{
err = assuan_process (ctx);
if (err)
log_info ("Assuan processing failed: %s\n", gpg_strerror (err));
}
if (err == -1)
err = 0;
else
log_info ("Assuan accept problem: %s\n", gpg_strerror (err));
leave:
reset_notify (ctx, NULL); /* Release all items hold by SERVER_LOCAL. */
if (ctrl->server_local)
{
xfree (ctrl->server_local);
ctrl->server_local = NULL;
}
assuan_release (ctx);
return err;
}
gpg_error_t
sh_encrypt_keyblob (ctrl_t ctrl, const void *keyblob, size_t keybloblen,
char **r_enckeyblob, size_t *r_enckeybloblen)
{
assuan_context_t ctx = ctrl->server_local->assuan_ctx;
gpg_error_t err;
unsigned char *enckeyblob;
size_t enckeybloblen;
*r_enckeyblob = NULL;
/* Send the plaintext. */
err = g13_status (ctrl, STATUS_PLAINTEXT_FOLLOWS, NULL);
if (err)
return err;
assuan_begin_confidential (ctx);
err = assuan_send_data (ctx, keyblob, keybloblen);
if (!err)
err = assuan_send_data (ctx, NULL, 0);
assuan_end_confidential (ctx);
if (!err)
err = assuan_write_line (ctx, "END");
if (err)
{
log_error (_("error sending data: %s\n"), gpg_strerror (err));
return err;
}
/* Inquire the ciphertext. */
err = assuan_inquire (ctx, "ENCKEYBLOB",
&enckeyblob, &enckeybloblen, 16 * 1024);
if (err)
{
log_error (_("assuan_inquire failed: %s\n"), gpg_strerror (err));
return err;
}
*r_enckeyblob = enckeyblob;
*r_enckeybloblen = enckeybloblen;
return 0;
}
/* Send a status line with status ID NO. The arguments are a list of
strings terminated by a NULL argument. */
gpg_error_t
g13_status (ctrl_t ctrl, int no, ...)
{
gpg_error_t err = 0;
va_list arg_ptr;
const char *text;
va_start (arg_ptr, no);
if (1)
{
assuan_context_t ctx = ctrl->server_local->assuan_ctx;
char buf[950], *p;
size_t n;
p = buf;
n = 0;
while ( (text = va_arg (arg_ptr, const char *)) )
{
if (n)
{
*p++ = ' ';
n++;
}
for ( ; *text && n < DIM (buf)-2; n++)
*p++ = *text++;
}
*p = 0;
err = assuan_write_status (ctx, get_status_string (no), buf);
}
va_end (arg_ptr);
return err;
}
Copy Permalink