diff --git a/.gitignore b/.gitignore
index b241d2b..9d41b4b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 volume_key-0.3.3.tar.xz
 /volume_key-0.3.4.tar.xz
+/volume_key-0.3.5.tar.xz
diff --git a/sources b/sources
index f895001..05fd495 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-d11c119ae250b771fa24796df096ac49 volume_key-0.3.4.tar.xz
+f0f82a4ccb7b78c5ef10ca7b73ce5496 volume_key-0.3.5.tar.xz
diff --git a/volume_key-0.3.4-cert-errors.patch b/volume_key-0.3.4-cert-errors.patch
deleted file mode 100644
index 6bc2aa9..0000000
--- a/volume_key-0.3.4-cert-errors.patch
+++ /dev/null
@@ -1,79 +0,0 @@ -Subject: [PATCH] Report certificate errors sooner. - -2010-10-18 Miloslav Trmač - - * src/volume_key.c (pos_interact): Split from pos_init (). - (do_save, do_reencrypt): Call pos_init () as early as possible. Use - pos_interact () at the original location. -diff --git a/src/volume_key.c b/src/volume_key.c -index 855956f..83d9a02 100644 ---- a/src/volume_key.c -+++ b/src/volume_key.c -@@ -601,7 +601,7 @@ struct packet_output_state - char *passphrase; - }; - --/* Init POS. -+/* Init POS, without user interaction. - Return 0 if OK, -1 on error. */ - static int - pos_init (struct packet_output_state *pos, GError **error) -@@ -635,6 +635,22 @@ pos_init (struct packet_output_state *pos, GError **error) - } - else - { -+ /* Will ask for passphrase in pos_interact */ -+ } -+ return 0; -+} -+ -+/* Interact with the user about POS. -+ Return 0 if OK, -1 on error. */ -+static int -+pos_interact (struct packet_output_state *pos, GError **error) -+{ -+ if (output_format_cleartext != 0 || output_certificate != NULL) -+ { -+ /* Nothing - pos_init () is enough. 
*/ -+ } -+ else -+ { - char *passphrase; - unsigned failed; - -@@ -805,6 +821,9 @@ do_save (int argc, char *argv[]) - error_exit (_("Usage: %s --save VOLUME [PACKET]"), g_get_prgname ()); - - error = NULL; -+ if (pos_init (&pos, &error) != 0) -+ error_exit ("%s", error->message); -+ - v = libvk_volume_open (argv[1], &error); - if (v == NULL) - error_exit (_("Error opening `%s': %s"), argv[1], error->message); -@@ -824,7 +843,7 @@ do_save (int argc, char *argv[]) - else if (libvk_volume_get_secret (v, LIBVK_SECRET_DEFAULT, ui, &error) != 0) - error_exit (_("Error opening `%s': %s"), argv[1], error->message); - -- if (pos_init (&pos, &error) != 0 -+ if (pos_interact (&pos, &error) != 0 - || output_packet (&pos, v, ui, &error) != 0) - error_exit ("%s", error->message); - if (output_created_random_passphrase != NULL) -@@ -1007,12 +1026,15 @@ do_reencrypt (int argc, char *argv[]) - error_exit (_("Usage: %s --%s PACKET"), g_get_prgname (), "reencrypt"); - - error = NULL; -+ if (pos_init (&pos, &error) != 0) -+ error_exit ("%s", error->message); -+ - ui = create_ui (); - pack = open_packet_file (argv[1], ui, &error); - if (pack == NULL) - error_exit ("%s", error->message); - -- if (pos_init (&pos, &error) != 0 -+ if (pos_interact (&pos, &error) != 0 - || output_packet (&pos, pack, ui, &error) != 0) - error_exit ("%s", error->message); - pos_free (&pos); diff --git a/volume_key-0.3.4-getpass.patch b/volume_key-0.3.4-getpass.patch deleted file mode 100644 index 18dd31a..0000000 --- a/volume_key-0.3.4-getpass.patch +++ /dev/null 
@@ -1,161 +0,0 @@ -Subject: [PATCH] Don't use getpass (), it is difficult to interrupt - -2010-10-08 Miloslav Trmač - - * src/volume_key.c (get_password): New function. - (nss_password_fn, generic_ui_cb, passphrase_ui_cb): Use get_password () - instead of getpass (). - -diff --git a/src/volume_key.c b/src/volume_key.c -index abdd838..7f9f391 100644 ---- a/src/volume_key.c -+++ b/src/volume_key.c -@@ -24,6 +24,7 @@ Author: Miloslav Trmač */ - #include - #include - #include -+#include - #include - - #include -@@ -391,36 +392,93 @@ read_batch_string (void) - return res; - } - -+/* Read a password (from /dev/tty if possible). -+ Return a password for g_free (), or NULL on error. -+ Unlike getpass(), does not block SIGINT and other signals. (We rely on the -+ shell to re-enable ECHO on SIGINT.) */ -+static char * -+get_password (const char *prompt) -+{ -+ FILE *tty, *in_file, *out_file; -+ char buf[LINE_MAX], *p; -+ struct termios otermios; -+ gboolean echo_disabled; -+ -+ tty = fopen ("/dev/tty", "r+"); -+ if (tty != NULL) -+ { -+ in_file = tty; -+ out_file = tty; -+ } -+ else -+ { -+ in_file = stdin; -+ out_file = stderr; -+ } -+ -+ fputs (prompt, out_file); -+ fflush (out_file); -+ -+ if (tcgetattr (fileno (in_file), &otermios) != 0) -+ echo_disabled = FALSE; -+ else -+ { -+ struct termios ntermios; -+ -+ ntermios = otermios; -+ ntermios.c_lflag &= ~ECHO; -+ echo_disabled = tcsetattr (fileno (in_file), TCSAFLUSH, &ntermios) == 0; -+ } -+ -+ p = fgets(buf, sizeof(buf), in_file); -+ -+ if (echo_disabled) -+ { -+ (void)tcsetattr (fileno (in_file), TCSAFLUSH, &otermios); -+ putc ('\n', out_file); -+ } -+ -+ if (tty != NULL) -+ fclose (tty); -+ -+ if (p == NULL) -+ return NULL; -+ -+ p = strchr(buf, '\r'); -+ if (p != NULL) -+ *p = '\0'; -+ p = strchr(buf, '\n'); -+ if (p != NULL) -+ *p = '\0'; -+ -+ return g_strdup (buf); -+} -+ - /* A PK11_SetPaswordFunc handler */ - static char * - nss_password_fn (PK11SlotInfo *slot, PRBool retry, void *arg) - { -+ char *s, *res; -+ 
-+ (void)arg; - if (batch_mode == 0) - { -- char *prompt, *s; -+ char *prompt; - -- (void)arg; - if (retry) - fprintf (stderr, _("Error, try again.\n")); - prompt = g_strdup_printf (_("Enter password for `%s': "), - PK11_GetTokenName (slot)); -- s = getpass (prompt); -+ s = get_password (prompt); - g_free (prompt); -- if (s == NULL) -- return NULL; -- return PL_strdup (s); - } - else -- { -- char *s, *res; -- -- s = read_batch_string (); -- if (s == NULL) -- return NULL; -- res = PL_strdup (s); -- g_free (s); -- return res; -- } -+ s = read_batch_string (); -+ if (s == NULL) -+ return NULL; -+ res = PL_strdup (s); -+ g_free (s); -+ return res; - } - - /* A "generic" struct libvk_ui callback. */ -@@ -435,10 +493,11 @@ generic_ui_cb (void *id, const char *prompt, int echo) - char *s, *res; - - s = g_strdup_printf (_("%s: "), prompt); -- res = getpass (s); -+ res = get_password (s); - g_free (s); - if (res != NULL && res[0] != '\0') -- return g_strdup (res); -+ return res; -+ g_free (res); - return NULL; - } - else -@@ -487,10 +546,11 @@ passphrase_ui_cb (void *data, const char *prompt, unsigned failed_attempts) - return read_batch_string (); - } - s = g_strdup_printf (_("%s: "), prompt); -- res = getpass (s); -+ res = get_password (s); - g_free (s); - if (res != NULL && res[0] != '\0') -- return g_strdup (res); -+ return res; -+ g_free (res); - return NULL; - } - --- -1.7.2.3 - diff --git a/volume_key-0.3.4-passphrase-ui.patch b/volume_key-0.3.4-passphrase-ui.patch deleted file mode 100644 index 3ac9c7c..0000000 --- a/volume_key-0.3.4-passphrase-ui.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -Subject: [PATCH 1/2] Tell the user when a non-NSS passphrase is incorrect. - -2010-10-18 Miloslav Trmač - - * src/volume_key.c (passphrase_ui_cb): Tell the user when a non-NSS - passphrase is incorrect. -diff --git a/src/volume_key.c b/src/volume_key.c -index 7f9f391..c9c4bca 100644 ---- a/src/volume_key.c -+++ b/src/volume_key.c -@@ -545,6 +545,8 @@ passphrase_ui_cb (void *data, const char *prompt, unsigned failed_attempts) - return NULL; - return read_batch_string (); - } -+ if (failed_attempts != 0) -+ fprintf (stderr, _("Error, try again.\n")); - s = g_strdup_printf (_("%s: "), prompt); - res = get_password (s); - g_free (s); --- - -2010-10-18 Miloslav Trmač - - * lib/volume_luks.c (luks_apply_secret) - * src/volume_key.c (pos_interact): Only tell the user about an incorrect - passphrase once. -diff --git a/lib/volume_luks.c b/lib/volume_luks.c -index 4561a43..4650464 100644 ---- a/lib/volume_luks.c -+++ b/lib/volume_luks.c -@@ -481,7 +481,9 @@ luks_apply_secret (struct libvk_volume *vol, const struct libvk_volume *packet, - failed, error); - if (passphrase == NULL) - goto err_prompts; -- passphrase2 = ui_get_passphrase (ui, prompt2, failed, error); -+ /* The repeated passphrase is always considered a first attempt - -+ otherwise src/volume_key.c would prepend "Error, try again". */ -+ passphrase2 = ui_get_passphrase (ui, prompt2, 0, error); - if (passphrase2 == NULL) - goto err_passphrase; - passphrase_ok = strcmp (passphrase, passphrase2) == 0; -diff --git a/src/volume_key.c b/src/volume_key.c -index c9c4bca..855956f 100644 ---- a/src/volume_key.c -+++ b/src/volume_key.c -@@ -652,9 +652,10 @@ pos_init (struct packet_output_state *pos, GError **error) - "New packet passphrase"), failed); - if (passphrase == NULL) - goto no_passphrase; -+ /* The repeated passphrase is always considered a first attempt - -+ otherwise passphrase_ui_cb would prepend "Error, try again". 
*/ - passphrase2 = passphrase_ui_cb (NULL, -- _("Repeat new packet passphrase"), -- failed); -+ _("Repeat new packet passphrase"), 0); - if (passphrase2 == NULL) - { - memset (passphrase, 0, strlen (passphrase)); --- diff --git a/volume_key-0.3.4-ssl-errors.patch b/volume_key-0.3.4-ssl-errors.patch deleted file mode 100644 index e15caa2..0000000 --- a/volume_key-0.3.4-ssl-errors.patch +++ /dev/null 
@@ -1,460 +0,0 @@ -2010-09-29 Miloslav Trmač - - * lib/SSLerrs.h: New file. - * Makefile.am (lib_libvolume_key_la_SOURCES): Add lib/SSLerrs.h. - * lib/nss_error.c (mapping): Use SSLerrs.h. - -diff --git a/Makefile.am b/Makefile.am -index 9874ff1..fc06d95 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -48,7 +48,7 @@ python/volume_key_wrap.c python/volume_key.py: python/volume_key.i - python/volume_key.py: python/volume_key_wrap.c - - ## Dependency data --lib_libvolume_key_la_SOURCES = lib/SECerrs.h \ -+lib_libvolume_key_la_SOURCES = lib/SECerrs.h lib/SSLerrs.h \ - lib/crypto.c lib/crypto.h \ - lib/kmip.c lib/kmip.h \ - lib/libvolume_key.c lib/libvolume_key.h \ -diff --git a/lib/SSLerrs.h b/lib/SSLerrs.h -new file mode 100644 -index 0000000..4ae90f6 ---- /dev/null -+++ b/lib/SSLerrs.h -@@ -0,0 +1,407 @@ -+/* copied from nss-3.12.6/mozilla/security/nss/cmd/lib because NSS does not -+ provide any API for error number => string translation: -+ https://bugzilla.mozilla.org/show_bug.cgi?id=329017 */ -+/* ***** BEGIN LICENSE BLOCK ***** -+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 -+ * -+ * The contents of this file are subject to the Mozilla Public License Version -+ * 1.1 (the "License"); you may not use this file except in compliance with -+ * the License. You may obtain a copy of the License at -+ * http://www.mozilla.org/MPL/ -+ * -+ * Software distributed under the License is distributed on an "AS IS" basis, -+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License -+ * for the specific language governing rights and limitations under the -+ * License. -+ * -+ * The Original Code is the Netscape security libraries. -+ * -+ * The Initial Developer of the Original Code is -+ * Netscape Communications Corporation. -+ * Portions created by the Initial Developer are Copyright (C) 1994-2000 -+ * the Initial Developer. All Rights Reserved. 
-+ * -+ * Contributor(s): -+ * -+ * Alternatively, the contents of this file may be used under the terms of -+ * either the GNU General Public License Version 2 or later (the "GPL"), or -+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), -+ * in which case the provisions of the GPL or the LGPL are applicable instead -+ * of those above. If you wish to allow use of your version of this file only -+ * under the terms of either the GPL or the LGPL, and not to allow others to -+ * use your version of this file under the terms of the MPL, indicate your -+ * decision by deleting the provisions above and replace them with the notice -+ * and other provisions required by the GPL or the LGPL. If you do not delete -+ * the provisions above, a recipient may use your version of this file under -+ * the terms of any one of the MPL, the GPL or the LGPL. -+ * -+ * ***** END LICENSE BLOCK ***** */ -+ -+/* SSL-specific security error codes */ -+/* caller must include "sslerr.h" */ -+ -+ER3(SSL_ERROR_EXPORT_ONLY_SERVER, SSL_ERROR_BASE + 0, -+"Unable to communicate securely. Peer does not support high-grade encryption.") -+ -+ER3(SSL_ERROR_US_ONLY_SERVER, SSL_ERROR_BASE + 1, -+"Unable to communicate securely. 
Peer requires high-grade encryption which is not supported.") -+ -+ER3(SSL_ERROR_NO_CYPHER_OVERLAP, SSL_ERROR_BASE + 2, -+"Cannot communicate securely with peer: no common encryption algorithm(s).") -+ -+ER3(SSL_ERROR_NO_CERTIFICATE, SSL_ERROR_BASE + 3, -+"Unable to find the certificate or key necessary for authentication.") -+ -+ER3(SSL_ERROR_BAD_CERTIFICATE, SSL_ERROR_BASE + 4, -+"Unable to communicate securely with peer: peers's certificate was rejected.") -+ -+/* unused (SSL_ERROR_BASE + 5),*/ -+ -+ER3(SSL_ERROR_BAD_CLIENT, SSL_ERROR_BASE + 6, -+"The server has encountered bad data from the client.") -+ -+ER3(SSL_ERROR_BAD_SERVER, SSL_ERROR_BASE + 7, -+"The client has encountered bad data from the server.") -+ -+ER3(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE, SSL_ERROR_BASE + 8, -+"Unsupported certificate type.") -+ -+ER3(SSL_ERROR_UNSUPPORTED_VERSION, SSL_ERROR_BASE + 9, -+"Peer using unsupported version of security protocol.") -+ -+/* unused (SSL_ERROR_BASE + 10),*/ -+ -+ER3(SSL_ERROR_WRONG_CERTIFICATE, SSL_ERROR_BASE + 11, -+"Client authentication failed: private key in key database does not match public key in certificate database.") -+ -+ER3(SSL_ERROR_BAD_CERT_DOMAIN, SSL_ERROR_BASE + 12, -+"Unable to communicate securely with peer: requested domain name does not match the server's certificate.") -+ -+/* SSL_ERROR_POST_WARNING (SSL_ERROR_BASE + 13), -+ defined in sslerr.h -+*/ -+ -+ER3(SSL_ERROR_SSL2_DISABLED, (SSL_ERROR_BASE + 14), -+"Peer only supports SSL version 2, which is locally disabled.") -+ -+ -+ER3(SSL_ERROR_BAD_MAC_READ, (SSL_ERROR_BASE + 15), -+"SSL received a record with an incorrect Message Authentication Code.") -+ -+ER3(SSL_ERROR_BAD_MAC_ALERT, (SSL_ERROR_BASE + 16), -+"SSL peer reports incorrect Message Authentication Code.") -+ -+ER3(SSL_ERROR_BAD_CERT_ALERT, (SSL_ERROR_BASE + 17), -+"SSL peer cannot verify your certificate.") -+ -+ER3(SSL_ERROR_REVOKED_CERT_ALERT, (SSL_ERROR_BASE + 18), -+"SSL peer rejected your certificate as revoked.") -+ 
-+ER3(SSL_ERROR_EXPIRED_CERT_ALERT, (SSL_ERROR_BASE + 19), -+"SSL peer rejected your certificate as expired.") -+ -+ER3(SSL_ERROR_SSL_DISABLED, (SSL_ERROR_BASE + 20), -+"Cannot connect: SSL is disabled.") -+ -+ER3(SSL_ERROR_FORTEZZA_PQG, (SSL_ERROR_BASE + 21), -+"Cannot connect: SSL peer is in another FORTEZZA domain.") -+ -+ -+ER3(SSL_ERROR_UNKNOWN_CIPHER_SUITE , (SSL_ERROR_BASE + 22), -+"An unknown SSL cipher suite has been requested.") -+ -+ER3(SSL_ERROR_NO_CIPHERS_SUPPORTED , (SSL_ERROR_BASE + 23), -+"No cipher suites are present and enabled in this program.") -+ -+ER3(SSL_ERROR_BAD_BLOCK_PADDING , (SSL_ERROR_BASE + 24), -+"SSL received a record with bad block padding.") -+ -+ER3(SSL_ERROR_RX_RECORD_TOO_LONG , (SSL_ERROR_BASE + 25), -+"SSL received a record that exceeded the maximum permissible length.") -+ -+ER3(SSL_ERROR_TX_RECORD_TOO_LONG , (SSL_ERROR_BASE + 26), -+"SSL attempted to send a record that exceeded the maximum permissible length.") -+ -+/* -+ * Received a malformed (too long or short or invalid content) SSL handshake. 
-+ */ -+ER3(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST , (SSL_ERROR_BASE + 27), -+"SSL received a malformed Hello Request handshake message.") -+ -+ER3(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO , (SSL_ERROR_BASE + 28), -+"SSL received a malformed Client Hello handshake message.") -+ -+ER3(SSL_ERROR_RX_MALFORMED_SERVER_HELLO , (SSL_ERROR_BASE + 29), -+"SSL received a malformed Server Hello handshake message.") -+ -+ER3(SSL_ERROR_RX_MALFORMED_CERTIFICATE , (SSL_ERROR_BASE + 30), -+"SSL received a malformed Certificate handshake message.") -+ -+ER3(SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH , (SSL_ERROR_BASE + 31), -+"SSL received a malformed Server Key Exchange handshake message.") -+ -+ER3(SSL_ERROR_RX_MALFORMED_CERT_REQUEST , (SSL_ERROR_BASE + 32), -+"SSL received a malformed Certificate Request handshake message.") -+ -+ER3(SSL_ERROR_RX_MALFORMED_HELLO_DONE , (SSL_ERROR_BASE + 33), -+"SSL received a malformed Server Hello Done handshake message.") -+ -+ER3(SSL_ERROR_RX_MALFORMED_CERT_VERIFY , (SSL_ERROR_BASE + 34), -+"SSL received a malformed Certificate Verify handshake message.") -+ -+ER3(SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH , (SSL_ERROR_BASE + 35), -+"SSL received a malformed Client Key Exchange handshake message.") -+ -+ER3(SSL_ERROR_RX_MALFORMED_FINISHED , (SSL_ERROR_BASE + 36), -+"SSL received a malformed Finished handshake message.") -+ -+/* -+ * Received a malformed (too long or short) SSL record. -+ */ -+ER3(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER , (SSL_ERROR_BASE + 37), -+"SSL received a malformed Change Cipher Spec record.") -+ -+ER3(SSL_ERROR_RX_MALFORMED_ALERT , (SSL_ERROR_BASE + 38), -+"SSL received a malformed Alert record.") -+ -+ER3(SSL_ERROR_RX_MALFORMED_HANDSHAKE , (SSL_ERROR_BASE + 39), -+"SSL received a malformed Handshake record.") -+ -+ER3(SSL_ERROR_RX_MALFORMED_APPLICATION_DATA , (SSL_ERROR_BASE + 40), -+"SSL received a malformed Application Data record.") -+ -+/* -+ * Received an SSL handshake that was inappropriate for the state we're in. -+ * E.g. 
Server received message from server, or wrong state in state machine. -+ */ -+ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST , (SSL_ERROR_BASE + 41), -+"SSL received an unexpected Hello Request handshake message.") -+ -+ER3(SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO , (SSL_ERROR_BASE + 42), -+"SSL received an unexpected Client Hello handshake message.") -+ -+ER3(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO , (SSL_ERROR_BASE + 43), -+"SSL received an unexpected Server Hello handshake message.") -+ -+ER3(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE , (SSL_ERROR_BASE + 44), -+"SSL received an unexpected Certificate handshake message.") -+ -+ER3(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH , (SSL_ERROR_BASE + 45), -+"SSL received an unexpected Server Key Exchange handshake message.") -+ -+ER3(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST , (SSL_ERROR_BASE + 46), -+"SSL received an unexpected Certificate Request handshake message.") -+ -+ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE , (SSL_ERROR_BASE + 47), -+"SSL received an unexpected Server Hello Done handshake message.") -+ -+ER3(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY , (SSL_ERROR_BASE + 48), -+"SSL received an unexpected Certificate Verify handshake message.") -+ -+ER3(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH , (SSL_ERROR_BASE + 49), -+"SSL received an unexpected Client Key Exchange handshake message.") -+ -+ER3(SSL_ERROR_RX_UNEXPECTED_FINISHED , (SSL_ERROR_BASE + 50), -+"SSL received an unexpected Finished handshake message.") -+ -+/* -+ * Received an SSL record that was inappropriate for the state we're in. 
-+ */ -+ER3(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER , (SSL_ERROR_BASE + 51), -+"SSL received an unexpected Change Cipher Spec record.") -+ -+ER3(SSL_ERROR_RX_UNEXPECTED_ALERT , (SSL_ERROR_BASE + 52), -+"SSL received an unexpected Alert record.") -+ -+ER3(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE , (SSL_ERROR_BASE + 53), -+"SSL received an unexpected Handshake record.") -+ -+ER3(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA, (SSL_ERROR_BASE + 54), -+"SSL received an unexpected Application Data record.") -+ -+/* -+ * Received record/message with unknown discriminant. -+ */ -+ER3(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE , (SSL_ERROR_BASE + 55), -+"SSL received a record with an unknown content type.") -+ -+ER3(SSL_ERROR_RX_UNKNOWN_HANDSHAKE , (SSL_ERROR_BASE + 56), -+"SSL received a handshake message with an unknown message type.") -+ -+ER3(SSL_ERROR_RX_UNKNOWN_ALERT , (SSL_ERROR_BASE + 57), -+"SSL received an alert record with an unknown alert description.") -+ -+/* -+ * Received an alert reporting what we did wrong. 
(more alerts above) -+ */ -+ER3(SSL_ERROR_CLOSE_NOTIFY_ALERT , (SSL_ERROR_BASE + 58), -+"SSL peer has closed this connection.") -+ -+ER3(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT , (SSL_ERROR_BASE + 59), -+"SSL peer was not expecting a handshake message it received.") -+ -+ER3(SSL_ERROR_DECOMPRESSION_FAILURE_ALERT , (SSL_ERROR_BASE + 60), -+"SSL peer was unable to successfully decompress an SSL record it received.") -+ -+ER3(SSL_ERROR_HANDSHAKE_FAILURE_ALERT , (SSL_ERROR_BASE + 61), -+"SSL peer was unable to negotiate an acceptable set of security parameters.") -+ -+ER3(SSL_ERROR_ILLEGAL_PARAMETER_ALERT , (SSL_ERROR_BASE + 62), -+"SSL peer rejected a handshake message for unacceptable content.") -+ -+ER3(SSL_ERROR_UNSUPPORTED_CERT_ALERT , (SSL_ERROR_BASE + 63), -+"SSL peer does not support certificates of the type it received.") -+ -+ER3(SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT , (SSL_ERROR_BASE + 64), -+"SSL peer had some unspecified issue with the certificate it received.") -+ -+ -+ER3(SSL_ERROR_GENERATE_RANDOM_FAILURE , (SSL_ERROR_BASE + 65), -+"SSL experienced a failure of its random number generator.") -+ -+ER3(SSL_ERROR_SIGN_HASHES_FAILURE , (SSL_ERROR_BASE + 66), -+"Unable to digitally sign data required to verify your certificate.") -+ -+ER3(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE , (SSL_ERROR_BASE + 67), -+"SSL was unable to extract the public key from the peer's certificate.") -+ -+ER3(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE , (SSL_ERROR_BASE + 68), -+"Unspecified failure while processing SSL Server Key Exchange handshake.") -+ -+ER3(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE , (SSL_ERROR_BASE + 69), -+"Unspecified failure while processing SSL Client Key Exchange handshake.") -+ -+ER3(SSL_ERROR_ENCRYPTION_FAILURE , (SSL_ERROR_BASE + 70), -+"Bulk data encryption algorithm failed in selected cipher suite.") -+ -+ER3(SSL_ERROR_DECRYPTION_FAILURE , (SSL_ERROR_BASE + 71), -+"Bulk data decryption algorithm failed in selected cipher suite.") -+ -+ER3(SSL_ERROR_SOCKET_WRITE_FAILURE 
, (SSL_ERROR_BASE + 72), -+"Attempt to write encrypted data to underlying socket failed.") -+ -+ER3(SSL_ERROR_MD5_DIGEST_FAILURE , (SSL_ERROR_BASE + 73), -+"MD5 digest function failed.") -+ -+ER3(SSL_ERROR_SHA_DIGEST_FAILURE , (SSL_ERROR_BASE + 74), -+"SHA-1 digest function failed.") -+ -+ER3(SSL_ERROR_MAC_COMPUTATION_FAILURE , (SSL_ERROR_BASE + 75), -+"MAC computation failed.") -+ -+ER3(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE , (SSL_ERROR_BASE + 76), -+"Failure to create Symmetric Key context.") -+ -+ER3(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE , (SSL_ERROR_BASE + 77), -+"Failure to unwrap the Symmetric key in Client Key Exchange message.") -+ -+ER3(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED , (SSL_ERROR_BASE + 78), -+"SSL Server attempted to use domestic-grade public key with export cipher suite.") -+ -+ER3(SSL_ERROR_IV_PARAM_FAILURE , (SSL_ERROR_BASE + 79), -+"PKCS11 code failed to translate an IV into a param.") -+ -+ER3(SSL_ERROR_INIT_CIPHER_SUITE_FAILURE , (SSL_ERROR_BASE + 80), -+"Failed to initialize the selected cipher suite.") -+ -+ER3(SSL_ERROR_SESSION_KEY_GEN_FAILURE , (SSL_ERROR_BASE + 81), -+"Client failed to generate session keys for SSL session.") -+ -+ER3(SSL_ERROR_NO_SERVER_KEY_FOR_ALG , (SSL_ERROR_BASE + 82), -+"Server has no key for the attempted key exchange algorithm.") -+ -+ER3(SSL_ERROR_TOKEN_INSERTION_REMOVAL , (SSL_ERROR_BASE + 83), -+"PKCS#11 token was inserted or removed while operation was in progress.") -+ -+ER3(SSL_ERROR_TOKEN_SLOT_NOT_FOUND , (SSL_ERROR_BASE + 84), -+"No PKCS#11 token could be found to do a required operation.") -+ -+ER3(SSL_ERROR_NO_COMPRESSION_OVERLAP , (SSL_ERROR_BASE + 85), -+"Cannot communicate securely with peer: no common compression algorithm(s).") -+ -+ER3(SSL_ERROR_HANDSHAKE_NOT_COMPLETED , (SSL_ERROR_BASE + 86), -+"Cannot initiate another SSL handshake until current handshake is complete.") -+ -+ER3(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE , (SSL_ERROR_BASE + 87), -+"Received incorrect handshakes hash values from peer.") -+ 
-+ER3(SSL_ERROR_CERT_KEA_MISMATCH , (SSL_ERROR_BASE + 88), -+"The certificate provided cannot be used with the selected key exchange algorithm.") -+ -+ER3(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA , (SSL_ERROR_BASE + 89), -+"No certificate authority is trusted for SSL client authentication.") -+ -+ER3(SSL_ERROR_SESSION_NOT_FOUND , (SSL_ERROR_BASE + 90), -+"Client's SSL session ID not found in server's session cache.") -+ -+ER3(SSL_ERROR_DECRYPTION_FAILED_ALERT , (SSL_ERROR_BASE + 91), -+"Peer was unable to decrypt an SSL record it received.") -+ -+ER3(SSL_ERROR_RECORD_OVERFLOW_ALERT , (SSL_ERROR_BASE + 92), -+"Peer received an SSL record that was longer than is permitted.") -+ -+ER3(SSL_ERROR_UNKNOWN_CA_ALERT , (SSL_ERROR_BASE + 93), -+"Peer does not recognize and trust the CA that issued your certificate.") -+ -+ER3(SSL_ERROR_ACCESS_DENIED_ALERT , (SSL_ERROR_BASE + 94), -+"Peer received a valid certificate, but access was denied.") -+ -+ER3(SSL_ERROR_DECODE_ERROR_ALERT , (SSL_ERROR_BASE + 95), -+"Peer could not decode an SSL handshake message.") -+ -+ER3(SSL_ERROR_DECRYPT_ERROR_ALERT , (SSL_ERROR_BASE + 96), -+"Peer reports failure of signature verification or key exchange.") -+ -+ER3(SSL_ERROR_EXPORT_RESTRICTION_ALERT , (SSL_ERROR_BASE + 97), -+"Peer reports negotiation not in compliance with export regulations.") -+ -+ER3(SSL_ERROR_PROTOCOL_VERSION_ALERT , (SSL_ERROR_BASE + 98), -+"Peer reports incompatible or unsupported protocol version.") -+ -+ER3(SSL_ERROR_INSUFFICIENT_SECURITY_ALERT , (SSL_ERROR_BASE + 99), -+"Server requires ciphers more secure than those supported by client.") -+ -+ER3(SSL_ERROR_INTERNAL_ERROR_ALERT , (SSL_ERROR_BASE + 100), -+"Peer reports it experienced an internal error.") -+ -+ER3(SSL_ERROR_USER_CANCELED_ALERT , (SSL_ERROR_BASE + 101), -+"Peer user canceled handshake.") -+ -+ER3(SSL_ERROR_NO_RENEGOTIATION_ALERT , (SSL_ERROR_BASE + 102), -+"Peer does not permit renegotiation of SSL security parameters.") -+ 
-+ER3(SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED , (SSL_ERROR_BASE + 103), -+"SSL server cache not configured and not disabled for this socket.") -+ -+ER3(SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT , (SSL_ERROR_BASE + 104), -+"SSL peer does not support requested TLS hello extension.") -+ -+ER3(SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT , (SSL_ERROR_BASE + 105), -+"SSL peer could not obtain your certificate from the supplied URL.") -+ -+ER3(SSL_ERROR_UNRECOGNIZED_NAME_ALERT , (SSL_ERROR_BASE + 106), -+"SSL peer has no certificate for the requested DNS name.") -+ -+ER3(SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT , (SSL_ERROR_BASE + 107), -+"SSL peer was unable to get an OCSP response for its certificate.") -+ -+ER3(SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT , (SSL_ERROR_BASE + 108), -+"SSL peer reported bad certificate hash value.") -+ -+ER3(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET, (SSL_ERROR_BASE + 109), -+"SSL received an unexpected New Session Ticket handshake message.") -+ -+ER3(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET, (SSL_ERROR_BASE + 110), -+"SSL received a malformed New Session Ticket handshake message.") -+ -+ER3(SSL_ERROR_DECOMPRESSION_FAILURE, (SSL_ERROR_BASE + 111), -+"SSL received a compressed record that could not be decompressed.") -+ -+ER3(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED, (SSL_ERROR_BASE + 112), -+"Renegotiation is not allowed on this SSL socket.") -+ -+ER3(SSL_ERROR_UNSAFE_NEGOTIATION, (SSL_ERROR_BASE + 113), -+"Peer attempted old style (potentially vulnerable) handshake.") -+ -+ER3(SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD, (SSL_ERROR_BASE + 114), -+"SSL received an unexpected uncompressed record.") -diff --git a/lib/nss_error.c b/lib/nss_error.c -index 211f2db..ea7f9ca 100644 ---- a/lib/nss_error.c -+++ b/lib/nss_error.c -@@ -1,6 +1,6 @@ - /* Internal (library + application) error reporting utilities. - --Copyright (C) 2009 Red Hat, Inc. All rights reserved. -+Copyright (C) 2009, 2010 Red Hat, Inc. All rights reserved. 
- This copyrighted material is made available to anyone wishing to use, modify, - copy, or redistribute it subject to the terms and conditions of the GNU General - Public License v.2. -@@ -20,6 +20,7 @@ Author: Miloslav Trmač */ - #include - #include - #include -+#include - - #include "nss_error.h" - -@@ -32,6 +33,7 @@ struct mapping - static const struct mapping mapping[] = { - #define ER3(A, B, C) { (A), (C) }, - #include "SECerrs.h" -+ #include "SSLerrs.h" - #undef ER3 - }; - diff --git a/volume_key-0.3.4-volume-doc.patch b/volume_key-0.3.4-volume-doc.patch deleted file mode 100644 index 898d9fd..0000000 --- a/volume_key-0.3.4-volume-doc.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -2010-09-29 Miloslav Trmač - - * README - * doc/volume_key.8: Clarify which block device should be passed to - volume_key(8). - -diff --git a/README b/README -index a57bb02..ac58f51 100644 ---- a/README -+++ b/README -@@ -27,6 +27,11 @@ this: - * Run - volume_key --save /path/to/volume -o escrow-packet - You will be prompted for an escrow packet passphrase to protect the key. -+ -+ In all examples in this file, /path/to/volume is a LUKS device, not the -+ plaintext device containted within: (blkid -s TYPE /path/to/volume) should -+ report TYPE="crypto_LUKS". -+ - * Save the generated `escrow-packet' file, make sure you won't forget the - passphrase. - -@@ -87,6 +92,10 @@ Saving encryption keys - volume_key --save /path/to/volume -c /path/to/cert -o escrow-packet - where /path/to/cert points to the certificate distributed in the preparation - phase. -+ -+ In all examples in this file, /path/to/volume is a LUKS device, not the -+ plaintext device containted within: (blkid -s TYPE /path/to/volume) should -+ report TYPE="crypto_LUKS". - * Save the generated `escrow-packet' file in the prepared storage, associating - it with the system and the volume. - -diff --git a/doc/volume_key.8 b/doc/volume_key.8 -index b4a2000..be75b99 100644 ---- a/doc/volume_key.8 -+++ b/doc/volume_key.8 -@@ -16,7 +16,7 @@ - .\" Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - .\" - .\" Author: Miloslav Trmač ]) --.TH volume_key 8 "May 2009" volume_key -+.TH volume_key 8 "Sep 2010" volume_key - - .SH NAME - volume_key \- work with volume encryption secrets and escrow packets -@@ -45,6 +45,17 @@ options. - See the OPTIONS sections for details. - - .SH OPTIONS -+ -+In all options described below, -+.I VOLUME -+is a LUKS device, -+not the plaintext device containted within: -+.RS -+.B blkid \-s TYPE -+.I VOLUME -+.RE -+should report \fBTYPE="crypto_LUKS"\fP. -+ - The following options determine the mode of operation and expected operands of - \fBvolume_key\fP: - 
diff --git a/volume_key.spec b/volume_key.spec index 24cc446..e70dc6b 100644 --- a/volume_key.spec +++ b/volume_key.spec @@ -2,25 +2,14 @@ Summary: An utility for manipulating storage encryption keys and passphrases Name: volume_key -Version: 0.3.4 -Release: 4%{?dist} +Version: 0.3.5 +Release: 1%{?dist} License: GPLv2 Group: Applications/System URL: https://fedorahosted.org/volume_key/ Requires: volume_key-libs = %{version}-%{release} Source0: https://fedorahosted.org/releases/v/o/volume_key/volume_key-%{version}.tar.xz -# Upstream commit 3486c1c8112bd625bfe6bde55c337c4edbd75277 -Patch0: volume_key-0.3.4-volume-doc.patch -# Upstream commit a2ab2a3546f3ee5937bb4272f4f26650f31f42bb -Patch1: volume_key-0.3.4-ssl-errors.patch -# Upstream commit 82f476f614ff8492231e730b6ceffaa7242481cc -Patch2: volume_key-0.3.4-getpass.patch -# Upstream commits b66602b8ef4e6ef8325c0b97fce821e183a2ae84, -# 1dcafdcd6f3097487b92f86e9db3e5412c266ee5 -Patch3: volume_key-0.3.4-passphrase-ui.patch -# Upstream commit 40e5330c076f9f4e149c2091900602d3de41b119 -Patch4: volume_key-0.3.4-cert-errors.patch BuildRequires: cryptsetup-luks-devel, gettext-devel, glib2-devel, gnupg BuildRequires: gpgme-devel, libblkid-devel, nss-devel, python-devel @@ -84,11 +73,6 @@ for other formats is possible, some formats are planned for future releases. %prep %setup -q -%patch0 -p1 -b .volume-doc -%patch1 -p1 -b .ssl-errors -%patch2 -p1 -b .getpass -%patch3 -p1 -b .passphrase-ui -%patch4 -p1 -b .cert-errors %build %configure @@ -107,7 +91,7 @@ rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root,-) -%doc README +%doc README contrib %{_bindir}/volume_key %{_mandir}/man8/volume_key.8* @@ -129,6 +113,9 @@ rm -rf $RPM_BUILD_ROOT %{python_sitearch}/volume_key.py* %changelog +* Wed Nov 24 2010 Miloslav Trmač - 0.3.5-1 +- Update to volume_key-0.3.5 + * Mon Oct 18 2010 Miloslav Trmač - 0.3.4-4 - Tell the user if asking for the same passphrase again Resolves: #641111
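Review bot: The new `%changelog` entry says only "Update to volume_key-0.3.5", although the same commit removes Patch0 to Patch4 and their `%patch` lines in `%prep`, including the get_password() replacement for getpass() and the earlier certificate-error check in do_save/do_reencrypt. Presumably the six upstream commits named in the removed comments are all contained in the 0.3.5 tarball; that is worth confirming against the unpacked source, since nothing in the spec would fail if one of them were missing. I would record the removal in the changelog, e.g. `- Drop volume-doc, ssl-errors, getpass, passphrase-ui and cert-errors patches, merged upstream`. The added `%doc README contrib` is not mentioned either, so a second line such as `- Ship the contrib directory as documentation` would help.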