rpms/volume_key
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update to volume_key-0.3.5

Browse Source
This commit is contained in:
Miloslav Trmač 2010-11-24 16:52:33 +01:00
parent 4886de908b
commit 82c3707961
8 changed files with 8 additions and 843 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,2 +1,3 @@
volume_key-0.3.3.tar.xz
/volume_key-0.3.4.tar.xz
/volume_key-0.3.5.tar.xz

2
sources
View File

@ -1 +1 @@
d11c119ae250b771fa24796df096ac49 volume_key-0.3.4.tar.xz
f0f82a4ccb7b78c5ef10ca7b73ce5496 volume_key-0.3.5.tar.xz

79
volume_key-0.3.4-cert-errors.patch
View File

@ -1,79 +0,0 @@
Subject: [PATCH] Report certificate errors sooner.
2010-10-18 Miloslav Trmač <mitr@redhat.com>
* src/volume_key.c (pos_interact): Split from pos_init ().
(do_save, do_reencrypt): Call pos_init () as early as possible. Use
pos_interact () at the original location.
diff --git a/src/volume_key.c b/src/volume_key.c
index 855956f..83d9a02 100644
--- a/src/volume_key.c
+++ b/src/volume_key.c
@@ -601,7 +601,7 @@ struct packet_output_state
char *passphrase;
};
-/* Init POS.
+/* Init POS, without user interaction.
Return 0 if OK, -1 on error. */
static int
pos_init (struct packet_output_state *pos, GError **error)
@@ -635,6 +635,22 @@ pos_init (struct packet_output_state *pos, GError **error)
}
else
{
+ /* Will ask for passphrase in pos_interact */
+ }
+ return 0;
+}
+
+/* Interact with the user about POS.
+ Return 0 if OK, -1 on error. */
+static int
+pos_interact (struct packet_output_state *pos, GError **error)
+{
+ if (output_format_cleartext != 0 || output_certificate != NULL)
+ {
+ /* Nothing - pos_init () is enough. */
+ }
+ else
+ {
char *passphrase;
unsigned failed;
@@ -805,6 +821,9 @@ do_save (int argc, char *argv[])
error_exit (_("Usage: %s --save VOLUME [PACKET]"), g_get_prgname ());
error = NULL;
+ if (pos_init (&pos, &error) != 0)
+ error_exit ("%s", error->message);
+
v = libvk_volume_open (argv[1], &error);
if (v == NULL)
error_exit (_("Error opening `%s': %s"), argv[1], error->message);
@@ -824,7 +843,7 @@ do_save (int argc, char *argv[])
else if (libvk_volume_get_secret (v, LIBVK_SECRET_DEFAULT, ui, &error) != 0)
error_exit (_("Error opening `%s': %s"), argv[1], error->message);
- if (pos_init (&pos, &error) != 0
+ if (pos_interact (&pos, &error) != 0
|| output_packet (&pos, v, ui, &error) != 0)
error_exit ("%s", error->message);
if (output_created_random_passphrase != NULL)
@@ -1007,12 +1026,15 @@ do_reencrypt (int argc, char *argv[])
error_exit (_("Usage: %s --%s PACKET"), g_get_prgname (), "reencrypt");
error = NULL;
+ if (pos_init (&pos, &error) != 0)
+ error_exit ("%s", error->message);
+
ui = create_ui ();
pack = open_packet_file (argv[1], ui, &error);
if (pack == NULL)
error_exit ("%s", error->message);
- if (pos_init (&pos, &error) != 0
+ if (pos_interact (&pos, &error) != 0
|| output_packet (&pos, pack, ui, &error) != 0)
error_exit ("%s", error->message);
pos_free (&pos);

161
volume_key-0.3.4-getpass.patch
View File

@ -1,161 +0,0 @@
Subject: [PATCH] Don't use getpass (), it is difficult to interrupt
2010-10-08 Miloslav Trmač <mitr@redhat.com>
* src/volume_key.c (get_password): New function.
(nss_password_fn, generic_ui_cb, passphrase_ui_cb): Use get_password ()
instead of getpass ().
diff --git a/src/volume_key.c b/src/volume_key.c
index abdd838..7f9f391 100644
--- a/src/volume_key.c
+++ b/src/volume_key.c
@@ -24,6 +24,7 @@ Author: Miloslav Trmač <mitr@redhat.com> */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
+#include <termios.h>
#include <unistd.h>
#include <glib.h>
@@ -391,36 +392,93 @@ read_batch_string (void)
return res;
}
+/* Read a password (from /dev/tty if possible).
+ Return a password for g_free (), or NULL on error.
+ Unlike getpass(), does not block SIGINT and other signals. (We rely on the
+ shell to re-enable ECHO on SIGINT.) */
+static char *
+get_password (const char *prompt)
+{
+ FILE *tty, *in_file, *out_file;
+ char buf[LINE_MAX], *p;
+ struct termios otermios;
+ gboolean echo_disabled;
+
+ tty = fopen ("/dev/tty", "r+");
+ if (tty != NULL)
+ {
+ in_file = tty;
+ out_file = tty;
+ }
+ else
+ {
+ in_file = stdin;
+ out_file = stderr;
+ }
+
+ fputs (prompt, out_file);
+ fflush (out_file);
+
+ if (tcgetattr (fileno (in_file), &otermios) != 0)
+ echo_disabled = FALSE;
+ else
+ {
+ struct termios ntermios;
+
+ ntermios = otermios;
+ ntermios.c_lflag &= ~ECHO;
+ echo_disabled = tcsetattr (fileno (in_file), TCSAFLUSH, &ntermios) == 0;
+ }
+
+ p = fgets(buf, sizeof(buf), in_file);
+
+ if (echo_disabled)
+ {
+ (void)tcsetattr (fileno (in_file), TCSAFLUSH, &otermios);
+ putc ('\n', out_file);
+ }
+
+ if (tty != NULL)
+ fclose (tty);
+
+ if (p == NULL)
+ return NULL;
+
+ p = strchr(buf, '\r');
+ if (p != NULL)
+ *p = '\0';
+ p = strchr(buf, '\n');
+ if (p != NULL)
+ *p = '\0';
+
+ return g_strdup (buf);
+}
+
/* A PK11_SetPaswordFunc handler */
static char *
nss_password_fn (PK11SlotInfo *slot, PRBool retry, void *arg)
{
+ char *s, *res;
+
+ (void)arg;
if (batch_mode == 0)
{
- char *prompt, *s;
+ char *prompt;
- (void)arg;
if (retry)
fprintf (stderr, _("Error, try again.\n"));
prompt = g_strdup_printf (_("Enter password for `%s': "),
PK11_GetTokenName (slot));
- s = getpass (prompt);
+ s = get_password (prompt);
g_free (prompt);
- if (s == NULL)
- return NULL;
- return PL_strdup (s);
}
else
- {
- char *s, *res;
-
- s = read_batch_string ();
- if (s == NULL)
- return NULL;
- res = PL_strdup (s);
- g_free (s);
- return res;
- }
+ s = read_batch_string ();
+ if (s == NULL)
+ return NULL;
+ res = PL_strdup (s);
+ g_free (s);
+ return res;
}
/* A "generic" struct libvk_ui callback. */
@@ -435,10 +493,11 @@ generic_ui_cb (void *id, const char *prompt, int echo)
char *s, *res;
s = g_strdup_printf (_("%s: "), prompt);
- res = getpass (s);
+ res = get_password (s);
g_free (s);
if (res != NULL && res[0] != '\0')
- return g_strdup (res);
+ return res;
+ g_free (res);
return NULL;
}
else
@@ -487,10 +546,11 @@ passphrase_ui_cb (void *data, const char *prompt, unsigned failed_attempts)
return read_batch_string ();
}
s = g_strdup_printf (_("%s: "), prompt);
- res = getpass (s);
+ res = get_password (s);
g_free (s);
if (res != NULL && res[0] != '\0')
- return g_strdup (res);
+ return res;
+ g_free (res);
return NULL;
}
--
1.7.2.3

59
volume_key-0.3.4-passphrase-ui.patch
View File

@ -1,59 +0,0 @@
Subject: [PATCH 1/2] Tell the user when a non-NSS passphrase is incorrect.
2010-10-18 Miloslav Trmač <mitr@redhat.com>
* src/volume_key.c (passphrase_ui_cb): Tell the user when a non-NSS
passphrase is incorrect.
diff --git a/src/volume_key.c b/src/volume_key.c
index 7f9f391..c9c4bca 100644
--- a/src/volume_key.c
+++ b/src/volume_key.c
@@ -545,6 +545,8 @@ passphrase_ui_cb (void *data, const char *prompt, unsigned failed_attempts)
return NULL;
return read_batch_string ();
}
+ if (failed_attempts != 0)
+ fprintf (stderr, _("Error, try again.\n"));
s = g_strdup_printf (_("%s: "), prompt);
res = get_password (s);
g_free (s);
--
2010-10-18 Miloslav Trmač <mitr@redhat.com>
* lib/volume_luks.c (luks_apply_secret)
* src/volume_key.c (pos_interact): Only tell the user about an incorrect
passphrase once.
diff --git a/lib/volume_luks.c b/lib/volume_luks.c
index 4561a43..4650464 100644
--- a/lib/volume_luks.c
+++ b/lib/volume_luks.c
@@ -481,7 +481,9 @@ luks_apply_secret (struct libvk_volume *vol, const struct libvk_volume *packet,
failed, error);
if (passphrase == NULL)
goto err_prompts;
- passphrase2 = ui_get_passphrase (ui, prompt2, failed, error);
+ /* The repeated passphrase is always considered a first attempt -
+ otherwise src/volume_key.c would prepend "Error, try again". */
+ passphrase2 = ui_get_passphrase (ui, prompt2, 0, error);
if (passphrase2 == NULL)
goto err_passphrase;
passphrase_ok = strcmp (passphrase, passphrase2) == 0;
diff --git a/src/volume_key.c b/src/volume_key.c
index c9c4bca..855956f 100644
--- a/src/volume_key.c
+++ b/src/volume_key.c
@@ -652,9 +652,10 @@ pos_init (struct packet_output_state *pos, GError **error)
"New packet passphrase"), failed);
if (passphrase == NULL)
goto no_passphrase;
+ /* The repeated passphrase is always considered a first attempt -
+ otherwise passphrase_ui_cb would prepend "Error, try again". */
passphrase2 = passphrase_ui_cb (NULL,
- _("Repeat new packet passphrase"),
- failed);
+ _("Repeat new packet passphrase"), 0);
if (passphrase2 == NULL)
{
memset (passphrase, 0, strlen (passphrase));
--

460
volume_key-0.3.4-ssl-errors.patch
View File

@ -1,460 +0,0 @@
2010-09-29 Miloslav Trmač <mitr@redhat.com>
* lib/SSLerrs.h: New file.
* Makefile.am (lib_libvolume_key_la_SOURCES): Add lib/SSLerrs.h.
* lib/nss_error.c (mapping): Use SSLerrs.h.
diff --git a/Makefile.am b/Makefile.am
index 9874ff1..fc06d95 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -48,7 +48,7 @@ python/volume_key_wrap.c python/volume_key.py: python/volume_key.i
python/volume_key.py: python/volume_key_wrap.c
## Dependency data
-lib_libvolume_key_la_SOURCES = lib/SECerrs.h \
+lib_libvolume_key_la_SOURCES = lib/SECerrs.h lib/SSLerrs.h \
lib/crypto.c lib/crypto.h \
lib/kmip.c lib/kmip.h \
lib/libvolume_key.c lib/libvolume_key.h \
diff --git a/lib/SSLerrs.h b/lib/SSLerrs.h
new file mode 100644
index 0000000..4ae90f6
--- /dev/null
+++ b/lib/SSLerrs.h
@@ -0,0 +1,407 @@
+/* copied from nss-3.12.6/mozilla/security/nss/cmd/lib because NSS does not
+ provide any API for error number => string translation:
+ https://bugzilla.mozilla.org/show_bug.cgi?id=329017 */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* SSL-specific security error codes */
+/* caller must include "sslerr.h" */
+
+ER3(SSL_ERROR_EXPORT_ONLY_SERVER, SSL_ERROR_BASE + 0,
+"Unable to communicate securely. Peer does not support high-grade encryption.")
+
+ER3(SSL_ERROR_US_ONLY_SERVER, SSL_ERROR_BASE + 1,
+"Unable to communicate securely. Peer requires high-grade encryption which is not supported.")
+
+ER3(SSL_ERROR_NO_CYPHER_OVERLAP, SSL_ERROR_BASE + 2,
+"Cannot communicate securely with peer: no common encryption algorithm(s).")
+
+ER3(SSL_ERROR_NO_CERTIFICATE, SSL_ERROR_BASE + 3,
+"Unable to find the certificate or key necessary for authentication.")
+
+ER3(SSL_ERROR_BAD_CERTIFICATE, SSL_ERROR_BASE + 4,
+"Unable to communicate securely with peer: peers's certificate was rejected.")
+
+/* unused (SSL_ERROR_BASE + 5),*/
+
+ER3(SSL_ERROR_BAD_CLIENT, SSL_ERROR_BASE + 6,
+"The server has encountered bad data from the client.")
+
+ER3(SSL_ERROR_BAD_SERVER, SSL_ERROR_BASE + 7,
+"The client has encountered bad data from the server.")
+
+ER3(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE, SSL_ERROR_BASE + 8,
+"Unsupported certificate type.")
+
+ER3(SSL_ERROR_UNSUPPORTED_VERSION, SSL_ERROR_BASE + 9,
+"Peer using unsupported version of security protocol.")
+
+/* unused (SSL_ERROR_BASE + 10),*/
+
+ER3(SSL_ERROR_WRONG_CERTIFICATE, SSL_ERROR_BASE + 11,
+"Client authentication failed: private key in key database does not match public key in certificate database.")
+
+ER3(SSL_ERROR_BAD_CERT_DOMAIN, SSL_ERROR_BASE + 12,
+"Unable to communicate securely with peer: requested domain name does not match the server's certificate.")
+
+/* SSL_ERROR_POST_WARNING (SSL_ERROR_BASE + 13),
+ defined in sslerr.h
+*/
+
+ER3(SSL_ERROR_SSL2_DISABLED, (SSL_ERROR_BASE + 14),
+"Peer only supports SSL version 2, which is locally disabled.")
+
+
+ER3(SSL_ERROR_BAD_MAC_READ, (SSL_ERROR_BASE + 15),
+"SSL received a record with an incorrect Message Authentication Code.")
+
+ER3(SSL_ERROR_BAD_MAC_ALERT, (SSL_ERROR_BASE + 16),
+"SSL peer reports incorrect Message Authentication Code.")
+
+ER3(SSL_ERROR_BAD_CERT_ALERT, (SSL_ERROR_BASE + 17),
+"SSL peer cannot verify your certificate.")
+
+ER3(SSL_ERROR_REVOKED_CERT_ALERT, (SSL_ERROR_BASE + 18),
+"SSL peer rejected your certificate as revoked.")
+
+ER3(SSL_ERROR_EXPIRED_CERT_ALERT, (SSL_ERROR_BASE + 19),
+"SSL peer rejected your certificate as expired.")
+
+ER3(SSL_ERROR_SSL_DISABLED, (SSL_ERROR_BASE + 20),
+"Cannot connect: SSL is disabled.")
+
+ER3(SSL_ERROR_FORTEZZA_PQG, (SSL_ERROR_BASE + 21),
+"Cannot connect: SSL peer is in another FORTEZZA domain.")
+
+
+ER3(SSL_ERROR_UNKNOWN_CIPHER_SUITE , (SSL_ERROR_BASE + 22),
+"An unknown SSL cipher suite has been requested.")
+
+ER3(SSL_ERROR_NO_CIPHERS_SUPPORTED , (SSL_ERROR_BASE + 23),
+"No cipher suites are present and enabled in this program.")
+
+ER3(SSL_ERROR_BAD_BLOCK_PADDING , (SSL_ERROR_BASE + 24),
+"SSL received a record with bad block padding.")
+
+ER3(SSL_ERROR_RX_RECORD_TOO_LONG , (SSL_ERROR_BASE + 25),
+"SSL received a record that exceeded the maximum permissible length.")
+
+ER3(SSL_ERROR_TX_RECORD_TOO_LONG , (SSL_ERROR_BASE + 26),
+"SSL attempted to send a record that exceeded the maximum permissible length.")
+
+/*
+ * Received a malformed (too long or short or invalid content) SSL handshake.
+ */
+ER3(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST , (SSL_ERROR_BASE + 27),
+"SSL received a malformed Hello Request handshake message.")
+
+ER3(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO , (SSL_ERROR_BASE + 28),
+"SSL received a malformed Client Hello handshake message.")
+
+ER3(SSL_ERROR_RX_MALFORMED_SERVER_HELLO , (SSL_ERROR_BASE + 29),
+"SSL received a malformed Server Hello handshake message.")
+
+ER3(SSL_ERROR_RX_MALFORMED_CERTIFICATE , (SSL_ERROR_BASE + 30),
+"SSL received a malformed Certificate handshake message.")
+
+ER3(SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH , (SSL_ERROR_BASE + 31),
+"SSL received a malformed Server Key Exchange handshake message.")
+
+ER3(SSL_ERROR_RX_MALFORMED_CERT_REQUEST , (SSL_ERROR_BASE + 32),
+"SSL received a malformed Certificate Request handshake message.")
+
+ER3(SSL_ERROR_RX_MALFORMED_HELLO_DONE , (SSL_ERROR_BASE + 33),
+"SSL received a malformed Server Hello Done handshake message.")
+
+ER3(SSL_ERROR_RX_MALFORMED_CERT_VERIFY , (SSL_ERROR_BASE + 34),
+"SSL received a malformed Certificate Verify handshake message.")
+
+ER3(SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH , (SSL_ERROR_BASE + 35),
+"SSL received a malformed Client Key Exchange handshake message.")
+
+ER3(SSL_ERROR_RX_MALFORMED_FINISHED , (SSL_ERROR_BASE + 36),
+"SSL received a malformed Finished handshake message.")
+
+/*
+ * Received a malformed (too long or short) SSL record.
+ */
+ER3(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER , (SSL_ERROR_BASE + 37),
+"SSL received a malformed Change Cipher Spec record.")
+
+ER3(SSL_ERROR_RX_MALFORMED_ALERT , (SSL_ERROR_BASE + 38),
+"SSL received a malformed Alert record.")
+
+ER3(SSL_ERROR_RX_MALFORMED_HANDSHAKE , (SSL_ERROR_BASE + 39),
+"SSL received a malformed Handshake record.")
+
+ER3(SSL_ERROR_RX_MALFORMED_APPLICATION_DATA , (SSL_ERROR_BASE + 40),
+"SSL received a malformed Application Data record.")
+
+/*
+ * Received an SSL handshake that was inappropriate for the state we're in.
+ * E.g. Server received message from server, or wrong state in state machine.
+ */
+ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST , (SSL_ERROR_BASE + 41),
+"SSL received an unexpected Hello Request handshake message.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO , (SSL_ERROR_BASE + 42),
+"SSL received an unexpected Client Hello handshake message.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO , (SSL_ERROR_BASE + 43),
+"SSL received an unexpected Server Hello handshake message.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE , (SSL_ERROR_BASE + 44),
+"SSL received an unexpected Certificate handshake message.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH , (SSL_ERROR_BASE + 45),
+"SSL received an unexpected Server Key Exchange handshake message.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST , (SSL_ERROR_BASE + 46),
+"SSL received an unexpected Certificate Request handshake message.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE , (SSL_ERROR_BASE + 47),
+"SSL received an unexpected Server Hello Done handshake message.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY , (SSL_ERROR_BASE + 48),
+"SSL received an unexpected Certificate Verify handshake message.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH , (SSL_ERROR_BASE + 49),
+"SSL received an unexpected Client Key Exchange handshake message.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_FINISHED , (SSL_ERROR_BASE + 50),
+"SSL received an unexpected Finished handshake message.")
+
+/*
+ * Received an SSL record that was inappropriate for the state we're in.
+ */
+ER3(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER , (SSL_ERROR_BASE + 51),
+"SSL received an unexpected Change Cipher Spec record.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_ALERT , (SSL_ERROR_BASE + 52),
+"SSL received an unexpected Alert record.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE , (SSL_ERROR_BASE + 53),
+"SSL received an unexpected Handshake record.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA, (SSL_ERROR_BASE + 54),
+"SSL received an unexpected Application Data record.")
+
+/*
+ * Received record/message with unknown discriminant.
+ */
+ER3(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE , (SSL_ERROR_BASE + 55),
+"SSL received a record with an unknown content type.")
+
+ER3(SSL_ERROR_RX_UNKNOWN_HANDSHAKE , (SSL_ERROR_BASE + 56),
+"SSL received a handshake message with an unknown message type.")
+
+ER3(SSL_ERROR_RX_UNKNOWN_ALERT , (SSL_ERROR_BASE + 57),
+"SSL received an alert record with an unknown alert description.")
+
+/*
+ * Received an alert reporting what we did wrong. (more alerts above)
+ */
+ER3(SSL_ERROR_CLOSE_NOTIFY_ALERT , (SSL_ERROR_BASE + 58),
+"SSL peer has closed this connection.")
+
+ER3(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT , (SSL_ERROR_BASE + 59),
+"SSL peer was not expecting a handshake message it received.")
+
+ER3(SSL_ERROR_DECOMPRESSION_FAILURE_ALERT , (SSL_ERROR_BASE + 60),
+"SSL peer was unable to successfully decompress an SSL record it received.")
+
+ER3(SSL_ERROR_HANDSHAKE_FAILURE_ALERT , (SSL_ERROR_BASE + 61),
+"SSL peer was unable to negotiate an acceptable set of security parameters.")
+
+ER3(SSL_ERROR_ILLEGAL_PARAMETER_ALERT , (SSL_ERROR_BASE + 62),
+"SSL peer rejected a handshake message for unacceptable content.")
+
+ER3(SSL_ERROR_UNSUPPORTED_CERT_ALERT , (SSL_ERROR_BASE + 63),
+"SSL peer does not support certificates of the type it received.")
+
+ER3(SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT , (SSL_ERROR_BASE + 64),
+"SSL peer had some unspecified issue with the certificate it received.")
+
+
+ER3(SSL_ERROR_GENERATE_RANDOM_FAILURE , (SSL_ERROR_BASE + 65),
+"SSL experienced a failure of its random number generator.")
+
+ER3(SSL_ERROR_SIGN_HASHES_FAILURE , (SSL_ERROR_BASE + 66),
+"Unable to digitally sign data required to verify your certificate.")
+
+ER3(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE , (SSL_ERROR_BASE + 67),
+"SSL was unable to extract the public key from the peer's certificate.")
+
+ER3(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE , (SSL_ERROR_BASE + 68),
+"Unspecified failure while processing SSL Server Key Exchange handshake.")
+
+ER3(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE , (SSL_ERROR_BASE + 69),
+"Unspecified failure while processing SSL Client Key Exchange handshake.")
+
+ER3(SSL_ERROR_ENCRYPTION_FAILURE , (SSL_ERROR_BASE + 70),
+"Bulk data encryption algorithm failed in selected cipher suite.")
+
+ER3(SSL_ERROR_DECRYPTION_FAILURE , (SSL_ERROR_BASE + 71),
+"Bulk data decryption algorithm failed in selected cipher suite.")
+
+ER3(SSL_ERROR_SOCKET_WRITE_FAILURE , (SSL_ERROR_BASE + 72),
+"Attempt to write encrypted data to underlying socket failed.")
+
+ER3(SSL_ERROR_MD5_DIGEST_FAILURE , (SSL_ERROR_BASE + 73),
+"MD5 digest function failed.")
+
+ER3(SSL_ERROR_SHA_DIGEST_FAILURE , (SSL_ERROR_BASE + 74),
+"SHA-1 digest function failed.")
+
+ER3(SSL_ERROR_MAC_COMPUTATION_FAILURE , (SSL_ERROR_BASE + 75),
+"MAC computation failed.")
+
+ER3(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE , (SSL_ERROR_BASE + 76),
+"Failure to create Symmetric Key context.")
+
+ER3(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE , (SSL_ERROR_BASE + 77),
+"Failure to unwrap the Symmetric key in Client Key Exchange message.")
+
+ER3(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED , (SSL_ERROR_BASE + 78),
+"SSL Server attempted to use domestic-grade public key with export cipher suite.")
+
+ER3(SSL_ERROR_IV_PARAM_FAILURE , (SSL_ERROR_BASE + 79),
+"PKCS11 code failed to translate an IV into a param.")
+
+ER3(SSL_ERROR_INIT_CIPHER_SUITE_FAILURE , (SSL_ERROR_BASE + 80),
+"Failed to initialize the selected cipher suite.")
+
+ER3(SSL_ERROR_SESSION_KEY_GEN_FAILURE , (SSL_ERROR_BASE + 81),
+"Client failed to generate session keys for SSL session.")
+
+ER3(SSL_ERROR_NO_SERVER_KEY_FOR_ALG , (SSL_ERROR_BASE + 82),
+"Server has no key for the attempted key exchange algorithm.")
+
+ER3(SSL_ERROR_TOKEN_INSERTION_REMOVAL , (SSL_ERROR_BASE + 83),
+"PKCS#11 token was inserted or removed while operation was in progress.")
+
+ER3(SSL_ERROR_TOKEN_SLOT_NOT_FOUND , (SSL_ERROR_BASE + 84),
+"No PKCS#11 token could be found to do a required operation.")
+
+ER3(SSL_ERROR_NO_COMPRESSION_OVERLAP , (SSL_ERROR_BASE + 85),
+"Cannot communicate securely with peer: no common compression algorithm(s).")
+
+ER3(SSL_ERROR_HANDSHAKE_NOT_COMPLETED , (SSL_ERROR_BASE + 86),
+"Cannot initiate another SSL handshake until current handshake is complete.")
+
+ER3(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE , (SSL_ERROR_BASE + 87),
+"Received incorrect handshakes hash values from peer.")
+
+ER3(SSL_ERROR_CERT_KEA_MISMATCH , (SSL_ERROR_BASE + 88),
+"The certificate provided cannot be used with the selected key exchange algorithm.")
+
+ER3(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA , (SSL_ERROR_BASE + 89),
+"No certificate authority is trusted for SSL client authentication.")
+
+ER3(SSL_ERROR_SESSION_NOT_FOUND , (SSL_ERROR_BASE + 90),
+"Client's SSL session ID not found in server's session cache.")
+
+ER3(SSL_ERROR_DECRYPTION_FAILED_ALERT , (SSL_ERROR_BASE + 91),
+"Peer was unable to decrypt an SSL record it received.")
+
+ER3(SSL_ERROR_RECORD_OVERFLOW_ALERT , (SSL_ERROR_BASE + 92),
+"Peer received an SSL record that was longer than is permitted.")
+
+ER3(SSL_ERROR_UNKNOWN_CA_ALERT , (SSL_ERROR_BASE + 93),
+"Peer does not recognize and trust the CA that issued your certificate.")
+
+ER3(SSL_ERROR_ACCESS_DENIED_ALERT , (SSL_ERROR_BASE + 94),
+"Peer received a valid certificate, but access was denied.")
+
+ER3(SSL_ERROR_DECODE_ERROR_ALERT , (SSL_ERROR_BASE + 95),
+"Peer could not decode an SSL handshake message.")
+
+ER3(SSL_ERROR_DECRYPT_ERROR_ALERT , (SSL_ERROR_BASE + 96),
+"Peer reports failure of signature verification or key exchange.")
+
+ER3(SSL_ERROR_EXPORT_RESTRICTION_ALERT , (SSL_ERROR_BASE + 97),
+"Peer reports negotiation not in compliance with export regulations.")
+
+ER3(SSL_ERROR_PROTOCOL_VERSION_ALERT , (SSL_ERROR_BASE + 98),
+"Peer reports incompatible or unsupported protocol version.")
+
+ER3(SSL_ERROR_INSUFFICIENT_SECURITY_ALERT , (SSL_ERROR_BASE + 99),
+"Server requires ciphers more secure than those supported by client.")
+
+ER3(SSL_ERROR_INTERNAL_ERROR_ALERT , (SSL_ERROR_BASE + 100),
+"Peer reports it experienced an internal error.")
+
+ER3(SSL_ERROR_USER_CANCELED_ALERT , (SSL_ERROR_BASE + 101),
+"Peer user canceled handshake.")
+
+ER3(SSL_ERROR_NO_RENEGOTIATION_ALERT , (SSL_ERROR_BASE + 102),
+"Peer does not permit renegotiation of SSL security parameters.")
+
+ER3(SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED , (SSL_ERROR_BASE + 103),
+"SSL server cache not configured and not disabled for this socket.")
+
+ER3(SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT , (SSL_ERROR_BASE + 104),
+"SSL peer does not support requested TLS hello extension.")
+
+ER3(SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT , (SSL_ERROR_BASE + 105),
+"SSL peer could not obtain your certificate from the supplied URL.")
+
+ER3(SSL_ERROR_UNRECOGNIZED_NAME_ALERT , (SSL_ERROR_BASE + 106),
+"SSL peer has no certificate for the requested DNS name.")
+
+ER3(SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT , (SSL_ERROR_BASE + 107),
+"SSL peer was unable to get an OCSP response for its certificate.")
+
+ER3(SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT , (SSL_ERROR_BASE + 108),
+"SSL peer reported bad certificate hash value.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET, (SSL_ERROR_BASE + 109),
+"SSL received an unexpected New Session Ticket handshake message.")
+
+ER3(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET, (SSL_ERROR_BASE + 110),
+"SSL received a malformed New Session Ticket handshake message.")
+
+ER3(SSL_ERROR_DECOMPRESSION_FAILURE, (SSL_ERROR_BASE + 111),
+"SSL received a compressed record that could not be decompressed.")
+
+ER3(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED, (SSL_ERROR_BASE + 112),
+"Renegotiation is not allowed on this SSL socket.")
+
+ER3(SSL_ERROR_UNSAFE_NEGOTIATION, (SSL_ERROR_BASE + 113),
+"Peer attempted old style (potentially vulnerable) handshake.")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD, (SSL_ERROR_BASE + 114),
+"SSL received an unexpected uncompressed record.")
diff --git a/lib/nss_error.c b/lib/nss_error.c
index 211f2db..ea7f9ca 100644
--- a/lib/nss_error.c
+++ b/lib/nss_error.c
@@ -1,6 +1,6 @@
/* Internal (library + application) error reporting utilities.
-Copyright (C) 2009 Red Hat, Inc. All rights reserved.
+Copyright (C) 2009, 2010 Red Hat, Inc. All rights reserved.
This copyrighted material is made available to anyone wishing to use, modify,
copy, or redistribute it subject to the terms and conditions of the GNU General
Public License v.2.
@@ -20,6 +20,7 @@ Author: Miloslav Trmač <mitr@redhat.com> */
#include <glib.h>
#include <prerror.h>
#include <secerr.h>
+#include <sslerr.h>
#include "nss_error.h"
@@ -32,6 +33,7 @@ struct mapping
static const struct mapping mapping[] = {
#define ER3(A, B, C) { (A), (C) },
#include "SECerrs.h"
+ #include "SSLerrs.h"
#undef ER3
};

64
volume_key-0.3.4-volume-doc.patch
View File

@ -1,64 +0,0 @@
2010-09-29 Miloslav Trmač <mitr@redhat.com>
* README
* doc/volume_key.8: Clarify which block device should be passed to
volume_key(8).
diff --git a/README b/README
index a57bb02..ac58f51 100644
--- a/README
+++ b/README
@@ -27,6 +27,11 @@ this:
* Run
volume_key --save /path/to/volume -o escrow-packet
You will be prompted for an escrow packet passphrase to protect the key.
+
+ In all examples in this file, /path/to/volume is a LUKS device, not the
+ plaintext device containted within: (blkid -s TYPE /path/to/volume) should
+ report TYPE="crypto_LUKS".
+
* Save the generated `escrow-packet' file, make sure you won't forget the
passphrase.
@@ -87,6 +92,10 @@ Saving encryption keys
volume_key --save /path/to/volume -c /path/to/cert -o escrow-packet
where /path/to/cert points to the certificate distributed in the preparation
phase.
+
+ In all examples in this file, /path/to/volume is a LUKS device, not the
+ plaintext device containted within: (blkid -s TYPE /path/to/volume) should
+ report TYPE="crypto_LUKS".
* Save the generated `escrow-packet' file in the prepared storage, associating
it with the system and the volume.
diff --git a/doc/volume_key.8 b/doc/volume_key.8
index b4a2000..be75b99 100644
--- a/doc/volume_key.8
+++ b/doc/volume_key.8
@@ -16,7 +16,7 @@
.\" Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
.\"
.\" Author: Miloslav Trmač <mitr@redhat.com>])
-.TH volume_key 8 "May 2009" volume_key
+.TH volume_key 8 "Sep 2010" volume_key
.SH NAME
volume_key \- work with volume encryption secrets and escrow packets
@@ -45,6 +45,17 @@ options.
See the OPTIONS sections for details.
.SH OPTIONS
+
+In all options described below,
+.I VOLUME
+is a LUKS device,
+not the plaintext device containted within:
+.RS
+.B blkid \-s TYPE
+.I VOLUME
+.RE
+should report \fBTYPE="crypto_LUKS"\fP.
+
The following options determine the mode of operation and expected operands of
\fBvolume_key\fP:

25
volume_key.spec
View File

@ -2,25 +2,14 @@
Summary: An utility for manipulating storage encryption keys and passphrases
Name: volume_key
Version: 0.3.4
Release: 4%{?dist}
Version: 0.3.5
Release: 1%{?dist}
License: GPLv2
Group: Applications/System
URL: https://fedorahosted.org/volume_key/
Requires: volume_key-libs = %{version}-%{release}
Source0: https://fedorahosted.org/releases/v/o/volume_key/volume_key-%{version}.tar.xz
# Upstream commit 3486c1c8112bd625bfe6bde55c337c4edbd75277
Patch0: volume_key-0.3.4-volume-doc.patch
# Upstream commit a2ab2a3546f3ee5937bb4272f4f26650f31f42bb
Patch1: volume_key-0.3.4-ssl-errors.patch
# Upstream commit 82f476f614ff8492231e730b6ceffaa7242481cc
Patch2: volume_key-0.3.4-getpass.patch
# Upstream commits b66602b8ef4e6ef8325c0b97fce821e183a2ae84,
# 1dcafdcd6f3097487b92f86e9db3e5412c266ee5
Patch3: volume_key-0.3.4-passphrase-ui.patch
# Upstream commit 40e5330c076f9f4e149c2091900602d3de41b119
Patch4: volume_key-0.3.4-cert-errors.patch
BuildRequires: cryptsetup-luks-devel, gettext-devel, glib2-devel, gnupg
BuildRequires: gpgme-devel, libblkid-devel, nss-devel, python-devel
@ -84,11 +73,6 @@ for other formats is possible, some formats are planned for future releases.
%prep
%setup -q
%patch0 -p1 -b .volume-doc
%patch1 -p1 -b .ssl-errors
%patch2 -p1 -b .getpass
%patch3 -p1 -b .passphrase-ui
%patch4 -p1 -b .cert-errors
%build
%configure
@ -107,7 +91,7 @@ rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root,-)
%doc README
%doc README contrib
%{_bindir}/volume_key
%{_mandir}/man8/volume_key.8*
@ -129,6 +113,9 @@ rm -rf $RPM_BUILD_ROOT
%{python_sitearch}/volume_key.py*
%changelog
* Wed Nov 24 2010 Miloslav Trmač <mitr@redhat.com> - 0.3.5-1
- Update to volume_key-0.3.5
* Mon Oct 18 2010 Miloslav Trmač <mitr@redhat.com> - 0.3.4-4
- Tell the user if asking for the same passphrase again
Resolves: #641111