Hello community,
here is the log from the commit of package ecryptfs-utils
checked in at Thu Sep 25 23:29:40 CEST 2008.
--------
--- ecryptfs-utils/ecryptfs-utils.changes 2008-08-23 10:46:19.000000000 +0200
+++ /mounts/work_src_done/STABLE/ecryptfs-utils/ecryptfs-utils.changes 2008-09-19 11:56:20.000000000 +0200
@@ -1,0 +2,8 @@
+Fri Sep 19 11:55:34 CEST 2008 - meissner@suse.de
+
+- Upgraded to version 58
+ - config file changes yet again
+ - some documentation fixes
+ - some TPM related fixes
+
+-------------------------------------------------------------------
Old:
----
ecryptfs-utils-56.tar.bz2
New:
----
ecryptfs-utils-58.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ ecryptfs-utils.spec ++++++
--- /var/tmp/diff_new_pack.g24484/_old 2008-09-25 23:29:28.000000000 +0200
+++ /var/tmp/diff_new_pack.g24484/_new 2008-09-25 23:29:28.000000000 +0200
@@ -1,5 +1,5 @@
#
-# spec file for package ecryptfs-utils (Version 56)
+# spec file for package ecryptfs-utils (Version 58)
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@@ -24,7 +24,7 @@
Group: Productivity/Security
AutoReqProv: on
Summary: Userspace Utilities for ecryptfs
-Version: 56
+Version: 58
Release: 1
Source0: http://downloads.sourceforge.net/ecryptfs/%{name}-%{version}.tar.bz2
Patch0: ecryptfs-utils-fixes.patch
@@ -87,6 +87,11 @@
/%_lib/security/pam_ecryptfs.so
%changelog
+* Fri Sep 19 2008 meissner@suse.de
+- Upgraded to version 58
+ - config file changes yet again
+ - some documentation fixes
+ - some TPM related fixes
* Sat Aug 23 2008 meissner@suse.de
- Upgraded to version 56
- more manpages
++++++ ecryptfs-utils-56.tar.bz2 -> ecryptfs-utils-58.tar.bz2 ++++++
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/ecryptfs-utils-56/configure new/ecryptfs-utils-58/configure
--- old/ecryptfs-utils-56/configure 2008-08-13 21:58:51.000000000 +0200
+++ new/ecryptfs-utils-58/configure 2008-09-09 00:21:49.000000000 +0200
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for ecryptfs-utils 56.
+# Generated by GNU Autoconf 2.61 for ecryptfs-utils 58.
#
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
# 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
@@ -726,8 +726,8 @@
# Identity of this package.
PACKAGE_NAME='ecryptfs-utils'
PACKAGE_TARNAME='ecryptfs-utils'
-PACKAGE_VERSION='56'
-PACKAGE_STRING='ecryptfs-utils 56'
+PACKAGE_VERSION='58'
+PACKAGE_STRING='ecryptfs-utils 58'
PACKAGE_BUGREPORT=''
ac_unique_file="src/libecryptfs"
@@ -1457,7 +1457,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures ecryptfs-utils 56 to adapt to many kinds of systems.
+\`configure' configures ecryptfs-utils 58 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1528,7 +1528,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of ecryptfs-utils 56:";;
+ short | recursive ) echo "Configuration of ecryptfs-utils 58:";;
esac
cat <<\_ACEOF
@@ -1664,7 +1664,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-ecryptfs-utils configure 56
+ecryptfs-utils configure 58
generated by GNU Autoconf 2.61
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -1678,7 +1678,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by ecryptfs-utils $as_me 56, which was
+It was created by ecryptfs-utils $as_me 58, which was
generated by GNU Autoconf 2.61. Invocation command line was
$ $0 $@
@@ -22765,7 +22765,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by ecryptfs-utils $as_me 56, which was
+This file was extended by ecryptfs-utils $as_me 58, which was
generated by GNU Autoconf 2.61. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -22818,7 +22818,7 @@
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
-ecryptfs-utils config.status 56
+ecryptfs-utils config.status 58
configured by $0, generated by GNU Autoconf 2.61,
with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/ecryptfs-utils-56/configure.ac new/ecryptfs-utils-58/configure.ac
--- old/ecryptfs-utils-56/configure.ac 2008-08-13 21:58:29.000000000 +0200
+++ new/ecryptfs-utils-58/configure.ac 2008-09-09 00:21:11.000000000 +0200
@@ -10,7 +10,7 @@
AC_PREREQ(2.59)
-AC_INIT([ecryptfs-utils],[56])
+AC_INIT([ecryptfs-utils],[58])
AC_CANONICAL_HOST
AC_CANONICAL_TARGET
AM_INIT_AUTOMAKE([${PACKAGE_NAME}], [${PACKAGE_VERSION}])
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/ecryptfs-utils-56/doc/ecryptfs-faq.html new/ecryptfs-utils-58/doc/ecryptfs-faq.html
--- old/ecryptfs-utils-56/doc/ecryptfs-faq.html 2008-07-10 20:35:11.000000000 +0200
+++ new/ecryptfs-utils-58/doc/ecryptfs-faq.html 2008-09-04 23:29:15.000000000 +0200
@@ -31,6 +31,9 @@
<li><a href="#versions">What versions of the kernel have eCryptfs
support?</a></li>
+<li><a href="#deployment">Will eCryptfs by itself protect all my
+data?</a></li>
+
<li><a href="#access_lower">Can I access the lower files while
eCryptfs is mounted?</a></li>
@@ -147,6 +150,61 @@
is supported and is in active development.
</p>
+<a name="deployment">
+
+<p><h3>Q. Will eCryptfs by itself protect all my data?</h3></p>
+
+<p>
+eCryptfs is just one component in a comprehensive set of mechanisms to
+protect the confidentiality of your data. Simply mounting eCryptfs
+over a directory in your home directory will probably not provide
+sufficient coverage for everything your applications will write to
+disk. For instance, applications that produce and store thumbnails of
+your images may write the thumbnails to an unprotected location.
+</p>
+
+<p>
+Sensitive application data will typically wind up in the following
+locations, although some applications will write data to other
+locations not listed here:
+</p>
+
+<ul>
+<li>Anywhere in your home directory</li>
+<li>The /tmp directory</li>
+<li>The /var directory</li>
+<li>The swap device</li>
+</ul>
+
+<p>
+The /tmp directory and the swap device can be easily protected with
+dm-crypt using a key randomly generated when the system is booted,
+since the information in those locations does not need to persist
+between reboots. eCryptfs must mount the /var directory prior to any
+daemons or other system applications reading from or writing to that
+location (including the syslog utility). eCryptfs must also mount over
+the user's home directory prior to the user logging into the system.
+</p>
+
+<p>
+You will need to consider other applications that diverge from
+traditional paths for storing data on a case-by-case basis. Analyzing
+application behavior with the kernel auditing system is one way to
+profile the behavior of an application, and explicit SE Linux rules
+that only allow applications to write to encrypted mountpoints helps
+prevent inadvertent information leakage. We recommend always using
+eCryptfs together with appropriate Mandatory Access Control (MAC)
+mechanisms to ensure that your sensitive data is always encrypted.
+</p>
+
+<p>
+Proper deployment of a comprehensive per-file encryption mechanism is
+a task best tackled by the entire Linux distribution. The eCryptfs
+team is working closely with various major Linux distributions to help
+ensure that eCryptfs is properly used as one component of a
+comprehensive data protection strategy.
+</p>
+
<a name="access_lower">
<p><h3>Q. Can I access the lower files while eCryptfs is mounted?</h3></p>
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/ecryptfs-utils-56/doc/Makefile.in new/ecryptfs-utils-58/doc/Makefile.in
--- old/ecryptfs-utils-56/doc/Makefile.in 2008-08-13 21:58:51.000000000 +0200
+++ new/ecryptfs-utils-58/doc/Makefile.in 2008-09-09 00:21:51.000000000 +0200
@@ -235,9 +235,9 @@
exit 1;; \
esac; \
done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign doc/Makefile'; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/Makefile'; \
cd $(top_srcdir) && \
- $(AUTOMAKE) --foreign doc/Makefile
+ $(AUTOMAKE) --gnu doc/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/ecryptfs-utils-56/doc/manpage/ecryptfs.7 new/ecryptfs-utils-58/doc/manpage/ecryptfs.7
--- old/ecryptfs-utils-56/doc/manpage/ecryptfs.7 2008-08-13 17:52:53.000000000 +0200
+++ new/ecryptfs-utils-58/doc/manpage/ecryptfs.7 2008-09-02 18:13:33.000000000 +0200
@@ -53,6 +53,17 @@
.TP
.B openssl_keyfile=(filename)
The filename should be the filename of a file containing an RSA SSL key.
+.TP
+.B openssl_passwd_file=(filename)
+The password should be specified in a file with passwd=(openssl-password). It is highly reccomended that the file be stored on a secure medium such as a personal usb key.
+.TP
+.B openssl_passwd_fd=(file descriptor)
+The password is specified through the specified file descriptor.
+.TP
+.B openssl_passwd=(password)
+The password can be specified on the command line. Since the password is
+visible in the process list, it is highly recommended to use this option
+only for testing purposes.
.SH EXAMPLE
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/ecryptfs-utils-56/doc/manpage/Makefile.in new/ecryptfs-utils-58/doc/manpage/Makefile.in
--- old/ecryptfs-utils-56/doc/manpage/Makefile.in 2008-08-13 21:58:51.000000000 +0200
+++ new/ecryptfs-utils-58/doc/manpage/Makefile.in 2008-09-09 00:21:51.000000000 +0200
@@ -237,9 +237,9 @@
exit 1;; \
esac; \
done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign doc/manpage/Makefile'; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/manpage/Makefile'; \
cd $(top_srcdir) && \
- $(AUTOMAKE) --foreign doc/manpage/Makefile
+ $(AUTOMAKE) --gnu doc/manpage/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/ecryptfs-utils-56/src/daemon/Makefile.in new/ecryptfs-utils-58/src/daemon/Makefile.in
--- old/ecryptfs-utils-56/src/daemon/Makefile.in 2008-08-13 21:58:51.000000000 +0200
+++ new/ecryptfs-utils-58/src/daemon/Makefile.in 2008-09-09 00:21:51.000000000 +0200
@@ -231,9 +231,9 @@
exit 1;; \
esac; \
done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/daemon/Makefile'; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/daemon/Makefile'; \
cd $(top_srcdir) && \
- $(AUTOMAKE) --foreign src/daemon/Makefile
+ $(AUTOMAKE) --gnu src/daemon/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/ecryptfs-utils-56/src/include/Makefile.in new/ecryptfs-utils-58/src/include/Makefile.in
--- old/ecryptfs-utils-56/src/include/Makefile.in 2008-08-13 21:58:52.000000000 +0200
+++ new/ecryptfs-utils-58/src/include/Makefile.in 2008-09-09 00:21:51.000000000 +0200
@@ -214,9 +214,9 @@
exit 1;; \
esac; \
done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/include/Makefile'; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/include/Makefile'; \
cd $(top_srcdir) && \
- $(AUTOMAKE) --foreign src/include/Makefile
+ $(AUTOMAKE) --gnu src/include/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/ecryptfs-utils-56/src/key_mod/ecryptfs_key_mod_openssl.c new/ecryptfs-utils-58/src/key_mod/ecryptfs_key_mod_openssl.c
--- old/ecryptfs-utils-56/src/key_mod/ecryptfs_key_mod_openssl.c 2008-08-13 20:49:59.000000000 +0200
+++ new/ecryptfs-utils-58/src/key_mod/ecryptfs_key_mod_openssl.c 2008-09-02 18:10:16.000000000 +0200
@@ -598,9 +598,9 @@
syslog(LOG_INFO, "%s: Called\n", __FUNCTION__);
subgraph_ctx = (struct ecryptfs_subgraph_ctx *)(*foo);
- if (strcmp(node->mnt_opt_names[0], "passwd_file") == 0)
+ if (strcmp(node->mnt_opt_names[0], "openssl_passwd_file") == 0)
fd = open(node->val, O_RDONLY);
- else if (strcmp(node->mnt_opt_names[0], "passwd_fd") == 0)
+ else if (strcmp(node->mnt_opt_names[0], "openssl_passwd_fd") == 0)
fd = strtol(node->val, NULL, 0);
else {
rc = MOUNT_ERROR;
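Review bot: The renamed `openssl_passwd_fd` branch still assigns `fd = strtol(node->val, NULL, 0)` with no validation, so an empty or non-numeric value parses as 0 and the passphrase would then be read from standard input instead of failing. Parse with an end pointer and reject anything that is not a complete, non-negative number, e.g. `fd = strtol(node->val, &end, 0);` followed by `if (end == node->val || *end != '\0' || fd < 0)` taking the same `MOUNT_ERROR` path as the final `else`. The `open()` result in the `openssl_passwd_file` branch is not checked within the hunk either; the function continues outside it, so a later check may exist.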
@@ -621,7 +621,7 @@
close(fd);
walker = file_head.next;
while (walker) {
- if (strcmp(walker->name, "passwd") == 0) {
+ if (strcmp(walker->name, "openssl_passwd") == 0) {
if ((rc =
asprintf(&subgraph_ctx->openssl_data.passphrase,
"%s", walker->value)) == -1) {
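Review bot: The password file is now searched for an `openssl_passwd` entry, but the ecryptfs.7 text added in this same update tells users to put `passwd=(openssl-password)` in that file, so a file written as documented no longer yields a passphrase. Either document the new key name or accept both here, e.g. `if (strcmp(walker->name, "openssl_passwd") == 0 || strcmp(walker->name, "passwd") == 0) {`. The previous hunk has the same compatibility gap: the old `passwd_file` and `passwd_fd` option names now fall into the `MOUNT_ERROR` branch with no alias. The loop body continues outside the hunk.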
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/ecryptfs-utils-56/src/key_mod/ecryptfs_key_mod_tspi.c new/ecryptfs-utils-58/src/key_mod/ecryptfs_key_mod_tspi.c
--- old/ecryptfs-utils-56/src/key_mod/ecryptfs_key_mod_tspi.c 2008-04-11 21:34:10.000000000 +0200
+++ new/ecryptfs-utils-58/src/key_mod/ecryptfs_key_mod_tspi.c 2008-09-06 00:39:59.000000000 +0200
@@ -25,12 +25,17 @@
#include
#include
#include
+#include
+#include
+#include
#include
#include
#include "config.h"
#include "../include/ecryptfs.h"
#include "../include/decision_graph.h"
+#define ECRYPTFS_TSPI_DEFAULT_MAX_NUM_CONNECTIONS 10
+
#undef DEBUG
#ifdef DEBUG
@@ -166,6 +171,136 @@
static pthread_mutex_t encrypt_lock = PTHREAD_MUTEX_INITIALIZER;
+struct ecryptfs_tspi_connect_ticket;
+
+struct ecryptfs_tspi_connect_ticket {
+ struct ecryptfs_tspi_connect_ticket *next;
+#define ECRYPTFS_TSPI_TICKET_CTX_INITIALIZED 0x00000001
+ uint32_t flags;
+ pthread_mutex_t lock;
+ pthread_mutex_t wait;
+ TSS_HCONTEXT tspi_ctx;
+ uint32_t num_pending;
+};
+
+static pthread_mutex_t ecryptfs_ticket_list_lock = PTHREAD_MUTEX_INITIALIZER;
+
+static uint32_t ecryptfs_tspi_num_tickets_free;
+static uint32_t ecryptfs_tspi_num_tickets_used;
+static uint32_t ecryptfs_tspi_num_tickets_connected;
+
+static struct ecryptfs_tspi_connect_ticket *ptr_to_free_ticket_list_head = NULL;
+static struct ecryptfs_tspi_connect_ticket *ptr_to_used_ticket_list_head = NULL;
+
+static int
+ecryptfs_tspi_grab_ticket(struct ecryptfs_tspi_connect_ticket **ret_ticket)
+{
+ struct ecryptfs_tspi_connect_ticket *ticket;
+ int rc = 0;
+
+ (*ret_ticket) = NULL;
+ pthread_mutex_lock(&ecryptfs_ticket_list_lock);
+ ticket = ptr_to_free_ticket_list_head;
+ if (!ticket) {
+ struct ecryptfs_tspi_connect_ticket *tmp;
+
+ ticket = ptr_to_used_ticket_list_head;
+ pthread_mutex_lock(&ticket->lock);
+ tmp = ticket->next;
+ while (tmp) {
+ struct ecryptfs_tspi_connect_ticket *next;
+
+ pthread_mutex_lock(&tmp->lock);
+ next = tmp->next;
+ if (tmp->num_pending < ticket->num_pending) {
+ pthread_mutex_unlock(&ticket->lock);
+ ticket = tmp;
+ } else
+ pthread_mutex_unlock(&tmp->lock);
+ tmp = next;
+ }
+ ticket->num_pending++;
+ pthread_mutex_unlock(&ticket->lock);
+ } else {
+ while (ticket) {
+ struct ecryptfs_tspi_connect_ticket *next;
+
+ pthread_mutex_lock(&ticket->lock);
+ next = ticket->next;
+ if (ticket->flags
+ & ECRYPTFS_TSPI_TICKET_CTX_INITIALIZED) {
+ pthread_mutex_unlock(&ticket->lock);
+ break;
+ }
+ pthread_mutex_unlock(&ticket->lock);
+ ticket = next;
+ }
+ if (!ticket) {
+ TSS_RESULT result;
+
+ ticket = ptr_to_free_ticket_list_head;
+ pthread_mutex_lock(&ticket->lock);
+ if ((result = Tspi_Context_Create(&ticket->tspi_ctx))
+ != TSS_SUCCESS) {
+ syslog(LOG_ERR, "Tspi_Context_Create failed: "
+ "[%s]\n", Trspi_Error_String(result));
+ rc = -EIO;
+ pthread_mutex_unlock(&ticket->lock);
+ pthread_mutex_unlock(
+ &ecryptfs_ticket_list_lock);
+ goto out;
+ }
+ if ((result = Tspi_Context_Connect(ticket->tspi_ctx,
+ NULL))
+ != TSS_SUCCESS) {
+ syslog(LOG_ERR, "Tspi_Context_Connect "
+ "failed: [%s]\n",
+ Trspi_Error_String(result));
+ rc = -EIO;
+ pthread_mutex_unlock(&ticket->lock);
+ pthread_mutex_unlock(
+ &ecryptfs_ticket_list_lock);
+ goto out;
+ }
+ ticket->flags |= ECRYPTFS_TSPI_TICKET_CTX_INITIALIZED;
+ ecryptfs_tspi_num_tickets_connected++;
+ pthread_mutex_unlock(&ticket->lock);
+ }
+ pthread_mutex_lock(&ticket->lock);
+ ptr_to_free_ticket_list_head = ticket->next;
+ ticket->next = ptr_to_used_ticket_list_head;
+ ptr_to_used_ticket_list_head = ticket;
+ ecryptfs_tspi_num_tickets_free--;
+ ecryptfs_tspi_num_tickets_used++;
+ ticket->num_pending++;
+ pthread_mutex_unlock(&ticket->lock);
+ }
+ pthread_mutex_unlock(&ecryptfs_ticket_list_lock);
+ pthread_mutex_lock(&ticket->wait);
+ pthread_mutex_lock(&ticket->lock);
+ ticket->num_pending--;
+ pthread_mutex_unlock(&ticket->lock);
+ (*ret_ticket) = ticket;
+out:
+ return rc;
+}
+
+static int
+ecryptfs_tspi_release_ticket(struct ecryptfs_tspi_connect_ticket *ticket)
+{
+ int rc = 0;
+
+ pthread_mutex_lock(&ecryptfs_ticket_list_lock);
+ pthread_mutex_unlock(&ticket->wait);
+ ptr_to_used_ticket_list_head = ticket->next;
+ ticket->next = ptr_to_free_ticket_list_head;
+ ptr_to_free_ticket_list_head = ticket;
+ ecryptfs_tspi_num_tickets_free++;
+ ecryptfs_tspi_num_tickets_used--;
+ pthread_mutex_unlock(&ecryptfs_ticket_list_lock);
+ return rc;
+}
+
static int
ecryptfs_tspi_encrypt(char *to, size_t *to_size, char *from, size_t from_size,
unsigned char *blob, int blob_type)
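Review bot: `ecryptfs_tspi_release_ticket()` unlinks with `ptr_to_used_ticket_list_head = ticket->next`, which is only correct when the released ticket is the head of the used list; releasing any other ticket drops the entries in front of it and leaves both lists and both counters inconsistent. It also moves a ticket to the free list while threads counted in `num_pending` are still queued on `ticket->wait`. The release should search the used list for the ticket and move it only when no waiter is pending, as sketched below. Separately, `ecryptfs_tspi_grab_ticket()` dereferences `ptr_to_used_ticket_list_head` without a NULL check when the free list is empty, and its free-list branch sets `ptr_to_free_ticket_list_head = ticket->next` even when the initialised ticket it picked was not the head.

```c
static int
ecryptfs_tspi_release_ticket(struct ecryptfs_tspi_connect_ticket *ticket)
{
	struct ecryptfs_tspi_connect_ticket **link;
	int rc = 0;

	pthread_mutex_lock(&ecryptfs_ticket_list_lock);
	pthread_mutex_lock(&ticket->lock);
	/* Keep the ticket on the used list while another thread is queued on it. */
	if (ticket->num_pending == 0) {
		for (link = &ptr_to_used_ticket_list_head; *link;
		     link = &(*link)->next) {
			if (*link != ticket)
				continue;
			/* Unlink from wherever it sits, not only from the head. */
			*link = ticket->next;
			ticket->next = ptr_to_free_ticket_list_head;
			ptr_to_free_ticket_list_head = ticket;
			ecryptfs_tspi_num_tickets_free++;
			ecryptfs_tspi_num_tickets_used--;
			break;
		}
	}
	pthread_mutex_unlock(&ticket->lock);
	pthread_mutex_unlock(&ticket->wait);
	pthread_mutex_unlock(&ecryptfs_ticket_list_lock);
	return rc;
}
```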
@@ -173,32 +308,25 @@
static TSS_HPOLICY h_srk_policy = 0;
static TSS_HKEY h_srk = 0;
TSS_RESULT result;
- TSS_HCONTEXT h_encrypt_ctx;
TSS_HKEY hKey;
TSS_HENCDATA h_encdata;
uint32_t encdata_size;
BYTE *encdata;
struct tspi_data tspi_data;
+ struct ecryptfs_tspi_connect_ticket *ticket;
int rc = 0;
pthread_mutex_lock(&encrypt_lock);
(*to_size) = 0;
ecryptfs_tspi_deserialize(&tspi_data, blob);
DBG_print_hex((BYTE *)&tspi_data.uuid, sizeof(TSS_UUID));
- if ((result = Tspi_Context_Create(&h_encrypt_ctx)) != TSS_SUCCESS) {
- syslog(LOG_ERR, "Tspi_Context_Create failed: [%s]\n",
- Trspi_Error_String(result));
- rc = -EIO;
- goto out;
- }
- if ((result = Tspi_Context_Connect(h_encrypt_ctx, NULL))
- != TSS_SUCCESS) {
- syslog(LOG_ERR, "Tspi_Context_Connect failed: [%s]\n",
- Trspi_Error_String(result));
- rc = -EIO;
+ rc = ecryptfs_tspi_grab_ticket(&ticket);
+ if (rc) {
+ syslog(LOG_ERR, "%s: Error attempting to get TSPI connection "
+ "ticket; rc = [%d]\n", __FUNCTION__, rc);
goto out;
}
- if ((result = Tspi_Context_LoadKeyByUUID(h_encrypt_ctx,
+ if ((result = Tspi_Context_LoadKeyByUUID(ticket->tspi_ctx,
TSS_PS_TYPE_SYSTEM,
ecryptfs_tspi_srk_uuid,
&h_srk)) != TSS_SUCCESS) {
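Review bot: `ecryptfs_tspi_grab_ticket()` is called while `encrypt_lock` is already held, so the call can block on a ticket's `wait` mutex with the global lock taken, and at most one encryption ever holds a ticket; the ten-entry pool adds no concurrency on this path. If the lock exists only to protect the `static` `h_srk` handle, which is now reloaded against `ticket->tspi_ctx` on every call, making it a plain local would let the ticket be the only serialisation point. `ticket` is also declared without an initialiser although the `out:` label tests it; that is safe only because the grab function stores NULL first, so `struct ecryptfs_tspi_connect_ticket *ticket = NULL;` would keep the invariant local. The function body continues outside the hunk.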
@@ -223,7 +351,7 @@
rc = -EIO;
goto out;
}
- if ((result = Tspi_Context_CreateObject(h_encrypt_ctx,
+ if ((result = Tspi_Context_CreateObject(ticket->tspi_ctx,
TSS_OBJECT_TYPE_ENCDATA,
TSS_ENCDATA_SEAL, &h_encdata))
!= TSS_SUCCESS) {
@@ -232,7 +360,7 @@
rc = -EIO;
goto out;
}
- if ((result = Tspi_Context_LoadKeyByUUID(h_encrypt_ctx,
+ if ((result = Tspi_Context_LoadKeyByUUID(ticket->tspi_ctx,
TSS_PS_TYPE_USER,
tspi_data.uuid, &hKey))
!= TSS_SUCCESS) {
@@ -260,9 +388,11 @@
(*to_size) = encdata_size;
if (to)
memcpy(to, encdata, (*to_size));
- Tspi_Context_FreeMemory(h_encrypt_ctx, encdata);
+ Tspi_Context_FreeMemory(ticket->tspi_ctx, encdata);
out:
pthread_mutex_unlock(&encrypt_lock);
+ if (ticket)
+ ecryptfs_tspi_release_ticket(ticket);
return rc;
}
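Review bot: The cleanup at `out:` releases the ticket but nothing visible closes the `h_encdata` object or the `hKey` handle that earlier hunks create against `ticket->tspi_ctx`, and that context is now pooled and long-lived rather than created for the call. If no code outside the hunk closes them, each encryption leaves objects behind in the shared context; add `Tspi_Context_CloseObject(ticket->tspi_ctx, h_encdata);` (and the equivalent for the key) before `ecryptfs_tspi_release_ticket(ticket)`. The start of the function is outside this hunk.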
@@ -272,7 +402,6 @@
ecryptfs_tspi_decrypt(char *to, size_t *to_size, char *from, size_t from_size,
unsigned char *blob, int blob_type)
{
- static TSS_HCONTEXT h_decrypt_context = 0;
static TSS_HPOLICY h_srk_policy = 0;
static TSS_HKEY h_srk = 0;
static TSS_HENCDATA h_encdata;
@@ -280,63 +409,51 @@
BYTE *encdata;
struct tspi_data tspi_data;
struct key_mapper *walker, *new_mapper;
+ struct ecryptfs_tspi_connect_ticket *ticket;
TSS_RESULT result;
int rc = 0;
pthread_mutex_lock(&decrypt_lock);
ecryptfs_tspi_deserialize(&tspi_data, blob);
- if (h_decrypt_context == 0) {
- if ((result = Tspi_Context_Create(&h_decrypt_context))
- != TSS_SUCCESS) {
- syslog(LOG_ERR, "Tspi_Context_Create failed: [%s]\n",
- Trspi_Error_String(result));
- rc = -EINVAL;
- goto out_uninit;
- }
- DBGSYSLOG("New TSP context: 0x%x", h_decrypt_context);
- if ((result = Tspi_Context_Connect(h_decrypt_context, NULL))
- != TSS_SUCCESS) {
- syslog(LOG_ERR, "Tspi_Context_Connect failed: [%s]\n",
- Trspi_Error_String(result));
- rc = -EINVAL;
- goto out_uninit;
- }
- if ((result = Tspi_Context_LoadKeyByUUID(h_decrypt_context,
+ rc = ecryptfs_tspi_grab_ticket(&ticket);
+ if (rc) {
+ syslog(LOG_ERR, "%s: Error attempting to get TSPI connection "
+ "ticket; rc = [%d]\n", __FUNCTION__, rc);
+ goto out;
+ }
+ if ((result = Tspi_Context_LoadKeyByUUID(ticket->tspi_ctx,
TSS_PS_TYPE_SYSTEM,
ecryptfs_tspi_srk_uuid,
&h_srk)) != TSS_SUCCESS) {
- syslog(LOG_ERR,
- "Tspi_Context_LoadKeyByUUID failed: [%s]\n",
- Trspi_Error_String(result));
- rc = -EIO;
- goto out_uninit;
- }
- if ((result = Tspi_GetPolicyObject(h_srk, TSS_POLICY_USAGE,
- &h_srk_policy))
- != TSS_SUCCESS) {
- syslog(LOG_ERR, "Tspi_GetPolicyObject failed: [%s]\n",
- Trspi_Error_String(result));
- rc = -EIO;
- goto out_uninit;
- }
- if ((result = Tspi_Policy_SetSecret(h_srk_policy,
- TSS_SECRET_MODE_PLAIN, 0, NULL))
- != TSS_SUCCESS) {
- syslog(LOG_ERR, "Tspi_Policy_SetSecret failed: [%s]\n",
- Trspi_Error_String(result));
- rc = -EIO;
- goto out_uninit;
- }
- if ((result = Tspi_Context_CreateObject(h_decrypt_context,
+ syslog(LOG_ERR, "Tspi_Context_LoadKeyByUUID failed: [%s]\n",
+ Trspi_Error_String(result));
+ rc = -EIO;
+ goto out;
+ }
+ if ((result = Tspi_GetPolicyObject(h_srk, TSS_POLICY_USAGE,
+ &h_srk_policy))
+ != TSS_SUCCESS) {
+ syslog(LOG_ERR, "Tspi_GetPolicyObject failed: [%s]\n",
+ Trspi_Error_String(result));
+ rc = -EIO;
+ goto out;
+ }
+ if ((result = Tspi_Policy_SetSecret(h_srk_policy,
+ TSS_SECRET_MODE_PLAIN, 0, NULL))
+ != TSS_SUCCESS) {
+ syslog(LOG_ERR, "Tspi_Policy_SetSecret failed: [%s]\n",
+ Trspi_Error_String(result));
+ rc = -EIO;
+ goto out;
+ }
+ if ((result = Tspi_Context_CreateObject(ticket->tspi_ctx,
TSS_OBJECT_TYPE_ENCDATA,
TSS_ENCDATA_SEAL, &h_encdata))
- != TSS_SUCCESS) {
- syslog(LOG_ERR,
- "Tspi_Context_CreateObject failed: [%s]\n",
- Trspi_Error_String(result));
- rc = -EIO;
- goto out_uninit;
- }
+ != TSS_SUCCESS) {
+ syslog(LOG_ERR, "Tspi_Context_CreateObject failed: [%s]\n",
+ Trspi_Error_String(result));
+ rc = -EIO;
+ goto out;
}
for (walker = mapper; walker; walker = walker->next)
if (!memcmp(&walker->uuid, &tspi_data.uuid, sizeof(TSS_UUID)))
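Review bot: The `mapper` cache searched at the end of this hunk is keyed only by UUID, yet the `hKey` it stores is loaded against whichever `ticket->tspi_ctx` was handed out at the time (the `Tspi_Context_LoadKeyByUUID` call in the next hunk), so a later call that receives a different ticket would presumably use a key handle belonging to another context. Record the owning context in `struct key_mapper` and compare it in the lookup, or keep one cache per ticket. In addition, `h_encdata` stays `static` but is now recreated by `Tspi_Context_CreateObject` on every call instead of once per context, so the previous object is overwritten without being closed in the visible lines. The loop body and the rest of the function lie outside the hunk.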
@@ -349,7 +466,7 @@
rc = -EIO;
goto out;
}
- if ((result = Tspi_Context_LoadKeyByUUID(h_decrypt_context,
+ if ((result = Tspi_Context_LoadKeyByUUID(ticket->tspi_ctx,
TSS_PS_TYPE_USER,
tspi_data.uuid,
&new_mapper->hKey))
@@ -385,16 +502,12 @@
(*to_size) = encdata_bytes;
if (to)
memcpy(to, encdata, encdata_bytes);
- Tspi_Context_FreeMemory(h_decrypt_context, encdata);
+ Tspi_Context_FreeMemory(ticket->tspi_ctx, encdata);
rc = 0;
- goto out;
-out_uninit:
- Tspi_Context_Close(h_decrypt_context);
- h_decrypt_context = 0;
- h_srk_policy = 0;
- h_srk = 0;
out:
pthread_mutex_unlock(&decrypt_lock);
+ if (ticket)
+ ecryptfs_tspi_release_ticket(ticket);
return rc;
}
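Review bot: Dropping the `out_uninit` path removes the only place where a context was closed and reset after a TSS failure, so a ticket whose context has gone bad keeps `ECRYPTFS_TSPI_TICKET_CTX_INITIALIZED` set and is handed out again unchanged. On a TSS error, close the context and clear the flag under `ticket->lock` before releasing the ticket, e.g. `Tspi_Context_Close(ticket->tspi_ctx); ticket->flags &= ~ECRYPTFS_TSPI_TICKET_CTX_INITIALIZED;`, so that the free-list branch of `ecryptfs_tspi_grab_ticket()` can reconnect it. The error paths of `ecryptfs_tspi_encrypt` have the same gap. The function starts outside this hunk.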
@@ -402,8 +515,8 @@
static struct key_mod_param tspi_params[] = {
{.id = ECRYPTFS_KEY_MOD_PARAM_TSPI_UUID,
.flags = ECRYPTFS_PARAM_FLAG_ECHO_INPUT,
- .option = "uuid",
- .description = "uuid",
+ .option = "tspi_uuid",
+ .description = "tspi_uuid",
.suggested_val = NULL,
.default_val = NULL,
.val = NULL},
@@ -439,6 +552,8 @@
static int ecryptfs_tspi_init(char **alias)
{
+ int i;
+
int rc = 0;
if (asprintf(alias, "tspi") == -1) {
@@ -446,6 +561,27 @@
rc = -ENOMEM;
goto out;
}
+ ecryptfs_tspi_num_tickets_free = 0;
+ ecryptfs_tspi_num_tickets_used = 0;
+ ecryptfs_tspi_num_tickets_connected = 0;
+ for (i = 0; i < ECRYPTFS_TSPI_DEFAULT_MAX_NUM_CONNECTIONS; i++) {
+ struct ecryptfs_tspi_connect_ticket *ticket;
+
+ ticket = malloc(sizeof(struct ecryptfs_tspi_connect_ticket));
+ if (!ticket) {
+ rc = -ENOMEM;
+ goto out;
+ }
+ pthread_mutex_init(&ticket->lock, NULL);
+ ticket->flags = 0;
+ ticket->tspi_ctx = 0;
+ ticket->num_pending = 0;
+ pthread_mutex_lock(&ecryptfs_ticket_list_lock);
+ ticket->next = ptr_to_free_ticket_list_head;
+ ptr_to_free_ticket_list_head = ticket;
+ ecryptfs_tspi_num_tickets_free++;
+ pthread_mutex_unlock(&ecryptfs_ticket_list_lock);
+ }
out:
return rc;
}
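Review bot: Each ticket's `wait` mutex is never initialised: only `pthread_mutex_init(&ticket->lock, NULL)` is called on the `malloc`'d structure, yet `ecryptfs_tspi_grab_ticket()` locks `ticket->wait`, which is undefined behaviour on uninitialised memory. Add `pthread_mutex_init(&ticket->wait, NULL);` next to the existing init call. On the `-ENOMEM` path the tickets already linked stay on the free list and the string stored in `*alias` is not freed; whether the caller cleans these up is not visible here.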
@@ -490,7 +626,7 @@
tspi_params[i].val = ¶m_vals[i];
memset(tspi_data, 0, sizeof(struct tspi_data));
for (i = 0; i < num_param_vals; i++)
- if (strcmp(tspi_params[i].option, "uuid") == 0) {
+ if (strcmp(tspi_params[i].option, "tspi_uuid") == 0) {
string_to_uuid(&tspi_data->uuid,
tspi_params[i].val->val);
uuid_set = 1;
@@ -539,9 +675,41 @@
return 0;
}
+#define ECRYPTFS_TSPI_MAX_WAIT_FOR_END 5
+
static int ecryptfs_tspi_finalize(void)
{
- return 0;
+ uint32_t retries = 0;
+ struct ecryptfs_tspi_connect_ticket *ticket;
+ int rc = 0;
+
+ while (ptr_to_used_ticket_list_head
+ && (retries < ECRYPTFS_TSPI_MAX_WAIT_FOR_END)) {
+ sleep(1);
+ retries++;
+ }
+ if (retries == ECRYPTFS_TSPI_MAX_WAIT_FOR_END) {
+ syslog(LOG_ERR, "%s: Stale TSPI tickets in used list; cannot "
+ "shut down cleanly\n", __FUNCTION__);
+ rc = -EBUSY;
+ goto out;
+ }
+ ticket = ptr_to_free_ticket_list_head;
+ while (ticket) {
+ struct ecryptfs_tspi_connect_ticket *next;
+
+ pthread_mutex_lock(&ticket->lock);
+ next = ticket->next;
+ if (ticket->flags
+ & ECRYPTFS_TSPI_TICKET_CTX_INITIALIZED) {
+ Tspi_Context_Close(ticket->tspi_ctx);
+ ticket->flags &= ~ECRYPTFS_TSPI_TICKET_CTX_INITIALIZED;
+ }
+ pthread_mutex_unlock(&ticket->lock);
+ ticket = next;
+ }
+out:
+ return rc;
}
static struct ecryptfs_key_mod_ops ecryptfs_tspi_ops = {
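Review bot: The failure test `retries == ECRYPTFS_TSPI_MAX_WAIT_FOR_END` reports `-EBUSY` even when the used list emptied during the last `sleep(1)`, because the loop also exits with `retries` at the limit in that case; test the list itself with `if (ptr_to_used_ticket_list_head) {`. Both list heads are read here without `ecryptfs_ticket_list_lock`, unlike the other accesses added by this patch. The walk closes the contexts but never frees the tickets or destroys their mutexes, so the pool allocated in `ecryptfs_tspi_init` is leaked at shutdown, and on the `-EBUSY` path the contexts of the free tickets are not closed either.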
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/ecryptfs-utils-56/src/key_mod/Makefile.in new/ecryptfs-utils-58/src/key_mod/Makefile.in
--- old/ecryptfs-utils-56/src/key_mod/Makefile.in 2008-08-13 21:58:52.000000000 +0200
+++ new/ecryptfs-utils-58/src/key_mod/Makefile.in 2008-09-09 00:21:51.000000000 +0200
@@ -314,9 +314,9 @@
exit 1;; \
esac; \
done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/key_mod/Makefile'; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/key_mod/Makefile'; \
cd $(top_srcdir) && \
- $(AUTOMAKE) --foreign src/key_mod/Makefile
+ $(AUTOMAKE) --gnu src/key_mod/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/ecryptfs-utils-56/src/libecryptfs/Makefile.in new/ecryptfs-utils-58/src/libecryptfs/Makefile.in
--- old/ecryptfs-utils-56/src/libecryptfs/Makefile.in 2008-08-13 21:58:52.000000000 +0200
+++ new/ecryptfs-utils-58/src/libecryptfs/Makefile.in 2008-09-09 00:21:51.000000000 +0200
@@ -268,9 +268,9 @@
exit 1;; \
esac; \
done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/libecryptfs/Makefile'; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libecryptfs/Makefile'; \
cd $(top_srcdir) && \
- $(AUTOMAKE) --foreign src/libecryptfs/Makefile
+ $(AUTOMAKE) --gnu src/libecryptfs/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/ecryptfs-utils-56/src/Makefile.in new/ecryptfs-utils-58/src/Makefile.in
--- old/ecryptfs-utils-56/src/Makefile.in 2008-08-13 21:58:51.000000000 +0200
+++ new/ecryptfs-utils-58/src/Makefile.in 2008-09-09 00:21:51.000000000 +0200
@@ -222,9 +222,9 @@
exit 1;; \
esac; \
done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/Makefile'; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/Makefile'; \
cd $(top_srcdir) && \
- $(AUTOMAKE) --foreign src/Makefile
+ $(AUTOMAKE) --gnu src/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/ecryptfs-utils-56/src/pam_ecryptfs/Makefile.in new/ecryptfs-utils-58/src/pam_ecryptfs/Makefile.in
--- old/ecryptfs-utils-56/src/pam_ecryptfs/Makefile.in 2008-08-13 21:58:52.000000000 +0200
+++ new/ecryptfs-utils-58/src/pam_ecryptfs/Makefile.in 2008-09-09 00:21:51.000000000 +0200
@@ -239,9 +239,9 @@
exit 1;; \
esac; \
done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/pam_ecryptfs/Makefile'; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/pam_ecryptfs/Makefile'; \
cd $(top_srcdir) && \
- $(AUTOMAKE) --foreign src/pam_ecryptfs/Makefile
+ $(AUTOMAKE) --gnu src/pam_ecryptfs/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/ecryptfs-utils-56/src/utils/ecryptfs_generate_tpm_key.c new/ecryptfs-utils-58/src/utils/ecryptfs_generate_tpm_key.c
--- old/ecryptfs-utils-56/src/utils/ecryptfs_generate_tpm_key.c 2008-01-19 05:58:42.000000000 +0100
+++ new/ecryptfs-utils-58/src/utils/ecryptfs_generate_tpm_key.c 2008-09-05 23:36:19.000000000 +0200
@@ -23,8 +23,9 @@
*
* DESCRIPTION
*
- * Generate a sealing (storage) key bound to a specified set of PCRs values in
- * the current TPM's PCR's. The SRk password is assumed to be the SHA1 hash of 0 bytes.
+ * Generate a sealing (storage) key bound to a specified set of
+ * PCRs values in the current TPM's PCR's. The SRk password is
+ * assumed to be the SHA1 hash of 0 bytes.
*
* USAGE
* ecryptfs_generate_tpm_key -p 1 -p 2 -p 3
@@ -37,9 +38,9 @@
*
*/
-
#include
#include
+#include
#include
#include
#include "config.h"
@@ -50,144 +51,126 @@
const TSS_UUID SRK_UUID = TSS_UUID_SRK;
-void
-usage(char *name)
+void usage(char *name)
{
fprintf(stderr, "usage: %s <options>\n\n"
- "options: -p <num>\n"
- " \tBind the key to PCR <num>'s current value\n"
- " \trepeat this option to bind to more than 1 PCR\n", name);
+ "options: -p <num>\n"
+ " \tBind the key to PCR <num>'s current value\n"
+ " \trepeat this option to bind to more than 1 PCR\n",
+ name);
}
-char *
-util_bytes_to_string(char *bytes, int chars)
+char *util_bytes_to_string(char *bytes, int chars)
{
char *ret = (char *)malloc((chars*2) + 1);
int i, len = chars*2;
if (ret == NULL)
return ret;
-
for (i = 0; i < chars; i+=4) {
sprintf(&ret[i*2], "%02x%02x%02x%02x", bytes[i] & 0xff,
bytes[i+1] & 0xff, bytes[i+2] & 0xff,
bytes[i+3] & 0xff);
}
-
ret[len] = '\0';
-
return ret;
}
-
-int
-main(int argc, char **argv)
+int main(int argc, char **argv)
{
- TSS_FLAG initFlags;
- TSS_HKEY hKey, hSRK;
- TSS_HCONTEXT hContext;
- TSS_HTPM hTPM;
- TSS_RESULT result;
- TSS_HPOLICY hPolicy;
- TSS_HPCRS hPcrs;
- UINT32 ulPcrValueLength, subCap, subCapLength;
- UINT32 pulRespDataLength, numPcrs;
- BYTE *pNumPcrs, *rgbPcrValue, *uuidString, *pcrsSelectedValues[24];
- int i, c, *pcrsSelected = NULL, numPcrsSelected = 0;
- TSS_UUID *uuid;
-
+ TSS_HKEY hKey, hSRK;
+ TSS_HCONTEXT hContext;
+ TSS_HTPM hTPM;
+ TSS_RESULT result;
+ TSS_HPOLICY hPolicy;
+ TSS_HPCRS hPcrs;
+ UINT32 ulPcrValueLength, subCap, subCapLength;
+ UINT32 pulRespDataLength, numPcrs;
+ BYTE *pNumPcrs, *rgbPcrValue, *uuidString, *pcrsSelectedValues[24];
+ int i, c, *pcrsSelected = NULL, numPcrsSelected = 0;
+ TSS_UUID *uuid;
while (1) {
c = getopt(argc, argv, "p:");
if (c == -1)
break;
-
switch (c) {
case 'p':
numPcrsSelected++;
- pcrsSelected = realloc(pcrsSelected, sizeof(int) * numPcrsSelected);
+ pcrsSelected = realloc(pcrsSelected,
+ (sizeof(int)
+ * numPcrsSelected));
if (pcrsSelected == NULL) {
PRINT_ERR("Malloc of %zd bytes failed.",
- sizeof(int) * numPcrsSelected);
+ (sizeof(int)
+ * numPcrsSelected));
return -1;
}
- pcrsSelected[numPcrsSelected - 1] = atoi(optarg);
+ pcrsSelected[numPcrsSelected - 1] =
+ atoi(optarg);
break;
default:
usage(argv[0]);
break;
}
}
-
- if (numPcrsSelected == 0) {
+ if (numPcrsSelected == 0)
printf("Warning: Key will not be bound to any PCR's!\n");
- }
-
if (numPcrsSelected > 24) {
PRINT_ERR("Too many PCRs selected! Exiting.");
+ return -EINVAL;
}
-
- // Create Context
result = Tspi_Context_Create(&hContext);
if (result != TSS_SUCCESS) {
PRINT_TSS_ERR("Tspi_Context_Create", result);
return result;
}
-
- // Connect to Context
result = Tspi_Context_Connect(hContext, NULL);
if (result != TSS_SUCCESS) {
PRINT_TSS_ERR("Tspi_Context_Connect", result);
Tspi_Context_Close(hContext);
return result;
}
-
result = Tspi_Context_GetTpmObject(hContext, &hTPM);
if (result != TSS_SUCCESS) {
PRINT_TSS_ERR("Tspi_Context_GetTpmObject", result);
Tspi_Context_Close(hContext);
return result;
}
-
- /* Get the total number of PCRs in the TPM so we can check if any are out-of-bounds */
subCap = TSS_TPMCAP_PROP_PCR;
subCapLength = sizeof(UINT32);
- result = Tspi_TPM_GetCapability(hTPM, TSS_TPMCAP_PROPERTY, subCapLength, (BYTE *)&subCap,
+ result = Tspi_TPM_GetCapability(hTPM, TSS_TPMCAP_PROPERTY,
+ subCapLength, (BYTE *)&subCap,
&pulRespDataLength, &pNumPcrs );
if (result != TSS_SUCCESS) {
PRINT_TSS_ERR("Tspi_TPM_GetCapability", result);
Tspi_Context_Close(hContext);
return result;
}
-
numPcrs = *(UINT32 *)pNumPcrs;
-
- /* validate the PCRs selected */
for (i = 0; i < (int)numPcrsSelected; i++) {
if (pcrsSelected[i] > (int)numPcrs) {
- fprintf(stderr, "%d: invalid PCR register. PCRs range from 0 - %u\n",
- pcrsSelected[i], numPcrs);
+ fprintf(stderr, "%d: invalid PCR register. PCRs range "
+ "from 0 - %u\n", pcrsSelected[i], numPcrs);
return -1;
}
}
-
- /* create the PCR object */
- result = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_PCRS, 0, &hPcrs);
+ result = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_PCRS, 0,
+ &hPcrs);
if (result != TSS_SUCCESS) {
PRINT_TSS_ERR("Tspi_Context_CreateObject", result);
return result;
}
-
- /* Pull the values out of the TPM and insert them into the software object */
for (i = 0; i < numPcrsSelected; i++) {
- result = Tspi_TPM_PcrRead(hTPM, pcrsSelected[i], &ulPcrValueLength, &rgbPcrValue);
+ result = Tspi_TPM_PcrRead(hTPM, pcrsSelected[i],
+ &ulPcrValueLength, &rgbPcrValue);
if (result != TSS_SUCCESS) {
PRINT_TSS_ERR("Tspi_TPM_PcrRead", result);
Tspi_Context_Close(hContext);
return result;
}
-
- result = Tspi_PcrComposite_SetPcrValue(hPcrs, pcrsSelected[i], ulPcrValueLength,
+ result = Tspi_PcrComposite_SetPcrValue(hPcrs, pcrsSelected[i],
+ ulPcrValueLength,
rgbPcrValue);
if (result != TSS_SUCCESS) {
PRINT_TSS_ERR("Tspi_PcrComposite_SetPcrValue", result );
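Review bot: The PCR validation loop in main() still accepts indices it should reject: `pcrsSelected[i] > (int)numPcrs` lets through an index equal to numPcrs and any negative value, although valid indices run from 0 to numPcrs - 1. The comparison should be `if (pcrsSelected[i] < 0 || pcrsSelected[i] >= (int)numPcrs) {`, and the message should print `numPcrs - 1` as the upper bound. The indices come from `atoi(optarg)`, which returns 0 for non-numeric input, so a mistyped `-p` argument silently binds the key to PCR 0; parsing with strtol() and checking the end pointer would turn that into an error. The `return -1` in that loop also skips the Tspi_Context_Close(hContext) that the neighbouring error paths call. main() continues past the end of this hunk.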
@@ -197,63 +180,56 @@
pcrsSelectedValues[i] = rgbPcrValue;
}
-
- /* Load the SRK */
- result = Tspi_Context_LoadKeyByUUID(hContext, TSS_PS_TYPE_SYSTEM, SRK_UUID, &hSRK);
+ result = Tspi_Context_LoadKeyByUUID(hContext, TSS_PS_TYPE_SYSTEM,
+ SRK_UUID, &hSRK);
if (result != TSS_SUCCESS) {
PRINT_TSS_ERR("Tspi_Context_LoadKeyByUUID", result);
Tspi_Context_Close(hContext);
return result;
}
-
result = Tspi_GetPolicyObject(hSRK, TSS_POLICY_USAGE, &hPolicy);
if (result != TSS_SUCCESS) {
PRINT_TSS_ERR("Tspi_GetPolicyObject", result);
Tspi_Context_Close(hContext);
return result;
}
-
result = Tspi_Policy_SetSecret(hPolicy, TSS_SECRET_MODE_PLAIN, 0, NULL);
if (result != TSS_SUCCESS) {
PRINT_TSS_ERR("Tspi_GetPolicyObject", result);
Tspi_Context_Close(hContext);
return result;
}
-
- initFlags = TSS_KEY_TYPE_STORAGE | TSS_KEY_SIZE_2048 | TSS_KEY_VOLATILE |
- TSS_KEY_NO_AUTHORIZATION | TSS_KEY_NOT_MIGRATABLE;
-
- result = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY, initFlags, &hKey);
+ result = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY,
+ (TSS_KEY_TYPE_STORAGE
+ | TSS_KEY_SIZE_2048
+ | TSS_KEY_VOLATILE
+ | TSS_KEY_NO_AUTHORIZATION
+ | TSS_KEY_NOT_MIGRATABLE), &hKey);
if (result != TSS_SUCCESS) {
PRINT_TSS_ERR("Tspi_Context_CreateObject", result);
Tspi_Context_Close(hContext);
return result;
}
-
result = Tspi_Key_CreateKey(hKey, hSRK, hPcrs);
if (result != TSS_SUCCESS) {
PRINT_TSS_ERR("Tspi_Key_CreateKey", result);
Tspi_Context_Close(hContext);
return result;
}
-
result = Tspi_TPM_GetRandom(hTPM, (UINT32)16, (BYTE **)&uuid);
if (result != TSS_SUCCESS) {
PRINT_TSS_ERR("Tspi_TPM_GetRandom", result);
Tspi_Context_Close(hContext);
return result;
}
-
- result = Tspi_Context_RegisterKey(hContext, hKey, TSS_PS_TYPE_USER, *uuid,
- TSS_PS_TYPE_SYSTEM, SRK_UUID);
+ result = Tspi_Context_RegisterKey(hContext, hKey, TSS_PS_TYPE_USER,
+ *uuid, TSS_PS_TYPE_SYSTEM, SRK_UUID);
if (result != TSS_SUCCESS) {
PRINT_TSS_ERR("Tspi_Context_RegisterKey", result);
Tspi_Context_Close(hContext);
return result;
}
-
printf("Success: Key created bound to:\n");
-
for (i = 0; i < numPcrsSelected; i++) {
uuidString = util_bytes_to_string(pcrsSelectedValues[i], 20);
if (uuidString == NULL) {
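Review bot: The failure branch after Tspi_Policy_SetSecret() reports the wrong call: it prints `PRINT_TSS_ERR("Tspi_GetPolicyObject", result);`, apparently copied from the block above, so a failure to set the SRK secret is logged as a policy-object lookup failure. It should read `PRINT_TSS_ERR("Tspi_Policy_SetSecret", result);`. main() starts before this hunk and ends after it.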
@@ -266,19 +242,16 @@
free(uuidString);
Tspi_Context_FreeMemory(hContext, pcrsSelectedValues[i]);
}
-
uuidString = util_bytes_to_string((BYTE*)uuid, 16);
if (uuidString == NULL) {
PRINT_ERR("malloc of 33 bytes failed");
Tspi_Context_Close(hContext);
return result;
}
-
- printf("And registered in persistent storage with uuid: %s\n", uuidString);
-
+ printf("And registered in persistent storage with UUID "
+ "(tspi_uuid parameter): %s\n", uuidString);
Tspi_Context_FreeMemory(hContext, (BYTE *)uuid);
free(uuidString);
Tspi_Context_Close(hContext);
return 0;
}
-
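Review bot: When util_bytes_to_string() fails for the UUID, the branch returns `result`, which still holds the TSS_SUCCESS from Tspi_Context_RegisterKey() unless the lines hidden between the hunks reassign it. In that case the program exits 0 without ever printing the UUID of the key it has just registered. Returning an error there, for example `return -ENOMEM;`, lets a calling script notice that the tspi_uuid value was never reported. main() begins before this hunk.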
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/ecryptfs-utils-56/src/utils/ecryptfs-setup-private new/ecryptfs-utils-58/src/utils/ecryptfs-setup-private
--- old/ecryptfs-utils-56/src/utils/ecryptfs-setup-private 2008-07-23 22:00:12.000000000 +0200
+++ new/ecryptfs-utils-58/src/utils/ecryptfs-setup-private 2008-09-08 17:55:30.000000000 +0200
@@ -20,6 +20,7 @@
echo " --loginpass System passphrase for USER, used to wrap MOUNTPASS"
echo " --mountpass Passphrase for mounting the ecryptfs directory,"
echo " defaults to a randomly generated 16 bytes"
+ echo " --force Force overwriting of an existing setup"
echo
echo " Be sure to properly escape your parameters according to your"
echo " shell's special character nuances, and also surround the"
@@ -66,6 +67,10 @@
MOUNTPASS="$2"
shift 2
;;
+ --force)
+ FORCE=1
+ shift 1
+ ;;
*)
usage
;;
@@ -99,12 +104,32 @@
error "User home directory [$HOME] does not exist"
fi
+# Check for previously setup private directory
+if [ -s "$HOME/.ecryptfs/wrapped-passphrase" -a "$FORCE" != "1" ]; then
+ error "wrapped-passphrase file already exists, use --force to overwrite."
+fi
+if [ -s "$HOME/.ecryptfs/$PRIVATE_DIR.sig" -a "$FORCE" != "1" ]; then
+ error "$PRIVATE_DIR.sig file already exists, use --force to overwrite."
+fi
+
# Check for active mounts
MOUNTPOINT="$HOME/$PRIVATE_DIR"
CRYPTDIR="$HOME/.$PRIVATE_DIR"
grep -qs "$MOUNTPOINT " /proc/mounts && error "[$MOUNTPOINT] is already mounted"
grep -qs "$CRYPTDIR " /proc/mounts && error "[$CRYPTDIR] is already mounted"
+# Check that the mount point and encrypted directory are empty.
+# Perhaps one day we could provide a migration mode (using rsync or something),
+# but this would be VERY hard to do safely.
+count=`ls -Al "$MOUNTPOINT" 2>/dev/null | grep -v "^total" | grep -v "^l.*mount.ecryptfs_private$" | wc -l`
+if [ "$count" != "0" ]; then
+ error "$MOUNTPOINT must be empty before proceeding"
+fi
+count=`ls -Al "$CRYPTDIR" 2>/dev/null | grep -v "^total" | wc -l`
+if [ "$count" != "0" ]; then
+ error "$CRYPTDIR must be empty before proceeding"
+fi
+
stty_orig=`stty -g`
# Prompt for the LOGINPASS, if not on the command line and not in the environment
if [ -z "$LOGINPASS" ]; then
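Review bot: Both overwrite guards test `"$FORCE" != "1"`, but the visible hunks assign FORCE only in the `--force` branch of the option parser. Unless it is initialised in lines outside these hunks, a `FORCE=1` inherited from the caller's environment disables the checks without the flag being given. Setting `FORCE=0` before the option loop makes the guard depend on the command line alone. The same applies to RANDOM_MOUNTPASS, which the later hunks set only in the random-passphrase branch. The `[ ... -a ... ]` form is also marked obsolescent by POSIX; `[ -s "$f" ] && [ "$FORCE" != "1" ]` is the unambiguous spelling.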
@@ -142,6 +167,7 @@
# Pull 128 bits of random data from /dev/urandom, and convert
# to a string of 32 hex digits
MOUNTPASS=`head -c 16 /dev/urandom | od -x | head -n 1 |sed "s/^0000000//" | sed "s/\s*//g"`
+ RANDOM_MOUNTPASS=1
break
else
stty -echo
@@ -158,21 +184,24 @@
done
fi
-echo
-echo
-echo "Using username [$USER]"
-echo "Using mount passphrase [$MOUNTPASS]"
-echo "Using login passphrase [$LOGINPASS]"
-echo "Using mount point [$MOUNTPOINT]"
-echo "Using encrypted dir [$CRYPTDIR]"
-echo
-echo "This script will attempt to set up your system to mount"
-echo "$MOUNTPOINT with eCryptfs automatically on login,"
-echo "using your login passphrase."
+#echo
+#echo "Using username [$USER]"
+#echo "Using mount passphrase [$MOUNTPASS]"
+#echo "Using login passphrase [$LOGINPASS]"
+#echo "Using mount point [$MOUNTPOINT]"
+#echo "Using encrypted dir [$CRYPTDIR]"
+#echo
+#echo "This script will attempt to set up your system to mount"
+#echo "$MOUNTPOINT with eCryptfs automatically on login,"
+#echo "using your login passphrase."
echo
echo "************************************************************************"
-echo "YOU SHOULD RECORD THIS MOUNT PASSPHRASE AND STORE IN A SAFE LOCATION:"
-echo "$MOUNTPASS"
+if [ "$RANDOM_MOUNTPASS" = "1" ]; then
+ echo "YOU SHOULD RECORD THIS MOUNT PASSPHRASE AND STORE IN A SAFE LOCATION:"
+ echo "$MOUNTPASS"
+else
+ echo "YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IN A SAFE LOCATION:"
+fi
echo "THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME."
echo "************************************************************************"
echo
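Review bot: The summary block is commented out rather than deleted, which leaves `#echo "Using login passphrase [$LOGINPASS]"` and the matching mount-passphrase line in the script. A later edit can re-enable them and put both secrets back on the terminal. Deleting the `#echo` lines outright keeps the intent of the change without carrying dead code that prints credentials. In the non-random branch the banner still ends in a colon with nothing after it; `echo "YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IN A SAFE LOCATION."` reads correctly.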
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/ecryptfs-utils-56/src/utils/Makefile.in new/ecryptfs-utils-58/src/utils/Makefile.in
--- old/ecryptfs-utils-56/src/utils/Makefile.in 2008-08-13 21:58:52.000000000 +0200
+++ new/ecryptfs-utils-58/src/utils/Makefile.in 2008-09-09 00:21:51.000000000 +0200
@@ -368,9 +368,9 @@
exit 1;; \
esac; \
done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/utils/Makefile'; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/utils/Makefile'; \
cd $(top_srcdir) && \
- $(AUTOMAKE) --foreign src/utils/Makefile
+ $(AUTOMAKE) --gnu src/utils/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...