Debian Bug report logs - #418450
cryptsetup: --key-file=- does not work as advertised


Package: cryptsetup; Maintainer for cryptsetup is Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>; Source for cryptsetup is src:cryptsetup.

Reported by: Marc Haber <mh+debian-bugs@zugschlus.de>

Date: Mon, 9 Apr 2007 20:00:01 UTC

Severity: minor

Found in version cryptsetup/2:1.0.4+svn26-1

Fixed in version cryptsetup/2:1.0.5-2

Done: Jonas Meurer <mejo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>:
Bug#418450; Package cryptsetup.


Acknowledgement sent to Marc Haber <mh+debian-bugs@zugschlus.de>:
New Bug report received and forwarded. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Marc Haber <mh+debian-bugs@zugschlus.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cryptsetup: --key-file=- does not work as advertised
Date: Mon, 09 Apr 2007 21:45:42 +0200

Package: cryptsetup
Version: 2:1.0.4+svn26-1
Severity: normal

Hi,

--key-file=- does not take a key from standard input:

root@grml /mnt/hda1 # ./keyscript | cryptsetup -d - luksOpen /dev/hda5 hda5_crypt
Command failed.
root@grml /mnt/hda1 # ./keyscript | cryptsetup --key-file=- luksOpen /dev/hda5 hda5_crypt
Command failed.
root@grml /mnt/hda1 # ./keyscript | cryptsetup --key-file - luksOpen /dev/hda5 hda5_crypt
Command failed.
root@grml /mnt/hda1 # ./keyscript | cryptsetup luksOpen /dev/hda5 hda5_crypt
key slot 0 unlocked.
Command successful.
root@grml /mnt/hda1 #

As --key-file=- is used in
/usr/share/initramfs-tools/scripts/local-top/cryptroot, this bug
breaks initrds which obtain their key from a script. Removing
--key-file=- from the script allows booting with a keyscript.

Greetings
Marc

-- System Information:
Debian Release: lenny/sid
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.20.4-scyw00225
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)

Versions of packages cryptsetup depends on:
ii  dmsetup  2:1.02.12-1                     The Linux Kernel Device Mapper use
ii  libc6    2.3.6.ds1-13                    GNU C Library: Shared libraries
ii  libdevma 2:1.02.12-1                     The Linux Kernel Device Mapper use
ii  libgcryp 1.2.3-2                         LGPL Crypto library - runtime libr
ii  libgpg-e 1.4-2                           library for common error values an
ii  libpopt0 1.10-3                          lib for parsing cmdline parameters
ii  libuuid1 1.39+1.40-WIP-2006.11.14+dfsg-2 universally unique id library

cryptsetup recommends no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>:
Bug#418450; Package cryptsetup.


Acknowledgement sent to David Härdeman <david@hardeman.nu>:
Extra info received and forwarded to list. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>.


Message #10 received at 418450@bugs.debian.org:

From: David Härdeman <david@hardeman.nu>
To: Marc Haber <mh+debian-bugs@zugschlus.de>, 418450@bugs.debian.org
Subject: Re: [Pkg-cryptsetup-devel] Bug#418450: cryptsetup: --key-file=- does not work as advertised
Date: Thu, 12 Apr 2007 22:08:19 +0200

On Mon, Apr 09, 2007 at 09:45:42PM +0200, Marc Haber wrote:
>--key-file=- does not take a key from standard input:
>
>root@grml /mnt/hda1 # ./keyscript | cryptsetup -d - luksOpen /dev/hda5 hda5_crypt
>Command failed.
>root@grml /mnt/hda1 # ./keyscript | cryptsetup --key-file=- luksOpen /dev/hda5 hda5_crypt
>Command failed.
>root@grml /mnt/hda1 # ./keyscript | cryptsetup --key-file - luksOpen /dev/hda5 hda5_crypt
>Command failed.
>root@grml /mnt/hda1 # ./keyscript | cryptsetup luksOpen /dev/hda5 hda5_crypt
>key slot 0 unlocked.
>Command successful.
>root@grml /mnt/hda1 #

I'm guessing keyscript generates output which includes a newline which 
is not really part of the key?

austin:~# dd if=/dev/zero of=/test.img bs=1k count=1k
1024+0 records in
1024+0 records out
1048576 bytes (1.0 MB) copied, 0.00791454 seconds, 132 MB/s
austin:~# losetup -f /test.img 
austin:~# cryptsetup luksFormat /dev/loop0 

WARNING!
========
This will overwrite data on /dev/loop0 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: test
Verify passphrase: test
Command successful.
austin:~# echo -n "test" | cryptsetup --key-file=- luksOpen /dev/loop0 test
key slot 0 unlocked.
Command successful.
austin:~# cryptsetup remove test
austin:~# echo "test" | cryptsetup luksOpen /dev/loop0 test
key slot 0 unlocked.
Command successful.
austin:~# cryptsetup remove test
austin:~# echo "test" | cryptsetup --key-file=- luksOpen /dev/loop0 test
Command failed.

-- 
David Härdeman
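
Added example, not part of the original thread or of cryptsetup: a model of the two stdin modes shown in the session above, which hex-dumps the key material each mode would use. The keyscript stand-ins and all function names are hypothetical, and the script never calls cryptsetup or touches a block device.

```shell
#!/bin/sh
# Added example: models the two stdin modes seen in this thread.
# Assumption: the modes behave as in the session above (newline dropped
# without --key-file, kept with --key-file=-).

# Constructed stand-ins for ./keyscript (hypothetical names):
keyscript_with_newline() { printf 'test\n'; }   # like: echo "test"
keyscript_exact()        { printf 'test'; }     # like: echo -n "test"

# Hex-encode stdin so an invisible trailing newline (0a) becomes visible.
hex() { od -An -v -tx1 | tr -d ' \n'; }

# Without --key-file: stdin is a passphrase, which ends at the first
# newline; the newline itself is not key material.
as_passphrase() { head -n 1 | tr -d '\n' | hex; }

# With --key-file=-: stdin is a key file, so every byte counts,
# including a trailing newline.
as_keyfile() { hex; }

# Succeeds if the last byte on stdin is a newline.
ends_with_newline() { [ "$(tail -c 1 | hex)" = "0a" ]; }

# Drop trailing newlines before piping into --key-file=-.
# Text keys only: command substitution also drops NUL bytes.
strip_trailing_newlines() { printf '%s' "$(cat)"; }

report() {
    printf 'passphrase mode, key+newline: %s\n' \
        "$(keyscript_with_newline | as_passphrase)"
    printf 'key-file mode,   key+newline: %s\n' \
        "$(keyscript_with_newline | as_keyfile)"
    printf 'key-file mode,   exact key  : %s\n' \
        "$(keyscript_exact | as_keyfile)"
    printf 'key-file mode,   stripped   : %s\n' \
        "$(keyscript_with_newline | strip_trailing_newlines | as_keyfile)"
    if keyscript_with_newline | ends_with_newline; then
        echo 'keyscript output ends in a newline: mismatch with --key-file=-'
    fi
}
report
```

Only the second line of the report carries the extra 0a byte, which is the case that returned "Command failed." in the session above.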




Tags added: moreinfo. Request was from David Härdeman <david@hardeman.nu> to control@bugs.debian.org. (Sun, 15 Apr 2007 15:51:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>:
Bug#418450; Package cryptsetup.


Acknowledgement sent to Marc Haber <mh+debian-bugs@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>.


Message #17 received at 418450@bugs.debian.org:

From: Marc Haber <mh+debian-bugs@zugschlus.de>
To: David Härdeman <david@hardeman.nu>, 418450@bugs.debian.org, 418450-submitter@bugs.debian.org
Cc: Marc Haber <mh+debian-bugs@zugschlus.de>
Subject: Re: Bug#418450: [Pkg-cryptsetup-devel] Bug#418450: cryptsetup: --key-file=- does not work as advertised
Date: Sat, 9 Jun 2007 23:58:13 +0200

On Thu, Apr 12, 2007 at 10:08:19PM +0200, David Härdeman wrote:
> I'm guessing keyscript generates output which includes a newline which 
> is not really part of the key?

The guess is correct. Sorry for getting this wrong.

Please consider documenting the different behavior with and/or without
--key-file=-, as cryptsetup also takes a passphrase on stdin when
--key-file=- is not given.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Phone: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835



Message sent on to Marc Haber <mh+debian-bugs@zugschlus.de>:
Bug#418450.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>:
Bug#418450; Package cryptsetup.


Acknowledgement sent to Marc Haber <mh+debian-bugs@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>.


Message #25 received at 418450@bugs.debian.org:

From: Marc Haber <mh+debian-bugs@zugschlus.de>
To: David Härdeman <david@hardeman.nu>, 418450@bugs.debian.org, 418450-submitter@bugs.debian.org
Cc: Marc Haber <mh+debian-bugs@zugschlus.de>
Subject: Re: Bug#418450: [Pkg-cryptsetup-devel] Bug#418450: cryptsetup: --key-file=- does not work as advertised
Date: Tue, 17 Jul 2007 14:37:41 +0200

tags #418450 - moreinfo
thanks

Requested information was delivered on June 9.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Phone: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835



Tags removed: moreinfo. Request was from Marc Haber <mh+debian-bugs@zugschlus.de> to control@bugs.debian.org. (Tue, 17 Jul 2007 12:42:16 GMT)


Message sent on to Marc Haber <mh+debian-bugs@zugschlus.de>:
Bug#418450.


Severity set to `minor' from `normal'. Request was from Jonas Meurer <mejo@debian.org> to control@bugs.debian.org. (Fri, 10 Aug 2007 13:45:03 GMT)


Tags added: pending. Request was from Jonas Meurer <mejo@debian.org> to control@bugs.debian.org. (Mon, 13 Aug 2007 02:09:02 GMT)


Reply sent to Jonas Meurer <mejo@debian.org>:
You have taken responsibility.


Notification sent to Marc Haber <mh+debian-bugs@zugschlus.de>:
Bug acknowledged by developer.


Message #39 received at 418450-close@bugs.debian.org:

From: Jonas Meurer <mejo@debian.org>
To: 418450-close@bugs.debian.org
Subject: Bug#418450: fixed in cryptsetup 2:1.0.5-2
Date: Wed, 26 Sep 2007 10:47:03 +0000

Source: cryptsetup
Source-Version: 2:1.0.5-2

We believe that the bug you reported is fixed in the latest version of
cryptsetup, which is due to be installed in the Debian FTP archive:

cryptsetup-udeb_1.0.5-2_amd64.udeb
  to pool/main/c/cryptsetup/cryptsetup-udeb_1.0.5-2_amd64.udeb
cryptsetup_1.0.5-2.diff.gz
  to pool/main/c/cryptsetup/cryptsetup_1.0.5-2.diff.gz
cryptsetup_1.0.5-2.dsc
  to pool/main/c/cryptsetup/cryptsetup_1.0.5-2.dsc
cryptsetup_1.0.5-2_amd64.deb
  to pool/main/c/cryptsetup/cryptsetup_1.0.5-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 418450@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Meurer <mejo@debian.org> (supplier of updated cryptsetup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 24 Sep 2007 15:42:06 +0200
Source: cryptsetup
Binary: cryptsetup cryptsetup-udeb
Architecture: source amd64
Version: 2:1.0.5-2
Distribution: unstable
Urgency: low
Maintainer: Jonas Meurer <mejo@debian.org>
Changed-By: Jonas Meurer <mejo@debian.org>
Description: 
 cryptsetup - configures encrypted block devices
 cryptsetup-udeb - configures encrypted block devices (udeb)
Closes: 401766 409775 411784 418450 421693 436434 438169 438198 438450 438473 441428
Changes: 
 cryptsetup (2:1.0.5-2) unstable; urgency=low
 .
   [ Jonas Meurer ]
   * Add libselinux1-dev and libsepol1-dev to build-depends. Detected by
     the build daemon from hell by Steinar H. Gunderson. Thanks to Manoj
     Srivastava for advice.
   * Fix the watchfile
   * Fix cryptopensc-hook to honor key=none. Thanks to Daniel Baumann
     (closes: #436434)
   * Remove outdated README.html and example usbcrypto.* scripts from
     documentation. Add example usbcrypto.udev script. Thanks to Volker Sauer
     for the update. (closes: #409775)
   * Document that stdin is read different with '--key-file=-' than without.
     Thanks to Marc Haber. (closes: #418450)
   * Document that --timeout is useless in conjunction with --key-file. Thanks
     Alexander Zangerl. (closes: #421693)
   * [03_check_for_root.dpatch] Check for UID == 0 before actually doing
     something. Thanks to Benjamin Seidenberg. (closes: #401766)
   * [04_fix_unused_or_unitialized_variables.dpatch] Fix some gcc warnings
     about unused or unitialized variables. Thanks to Ludwig Nussel for the
     patch.
   * [05_segfault_at_nonexisting_device.dpatch] Fix segfault when trying to
     open a non existing device. Thanks to Ludwig Nussel for the patch.
     (closes: #438198)
   * Add CFLAGS="$(CFLAGS)" before ./configure invocation in debian/rules.
     This way CFLAGS are passed to the configure script. Thanks to Gordon
     Farquharson for the patch. (closes: #438450)
   * Add a warning about missing hash option in crypttab to initramfs
     cryptoroot hook. Thanks to Sebastian Leske for the patch.
     (closes: #438169)
   * Add support for openct using data objects on a smartcard as key. Thanks to
     Daniel Baumann <baumann@swiss-it.ch> for patch and documentation.
     (closes: #438473)
   * Polish opensc_decrypt and openct_decrypt.
   * Add initramfs patch by maximilian attems. Bump depends on initramfs-tools
     to (>= 0.91). (closes: #441428)
   * several cleanups to make lintian happy:
     - remove #!/bin/sh from cryptsetup.functions as it is not executable.
     - remove unused-override configure-generated-file-in-source config.log.
     - add some hyphen fixes to patches/02_manpage.dpatch
   * Filter out the detection of filesystem type 'minix' in checks vol_id and
     un_vol_id if checking for any valid filesystem. The minix fs signature
     seems short enough to be detected erroneously by /lib/udev/vol_id.
     Thanks to Fredrik Olofsson and arno for the bugreport. (closes: #411784)
   * Add Homepage field to debian/control.
Files: 
 5ad206a8625c2ce420f31b84003769bf 882 admin optional cryptsetup_1.0.5-2.dsc
 5f5e0c8d4b7c3f761e993b290ee0a8ae 44446 admin optional cryptsetup_1.0.5-2.diff.gz
 33121c13828ca7200e28aa0f43a81a0a 260504 admin optional cryptsetup_1.0.5-2_amd64.deb
 7f100565ef3ffac0c55bfcd9e10dc953 184474 debian-installer optional cryptsetup-udeb_1.0.5-2_amd64.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG+jGvd6lUs+JfIQIRAj24AJ4xEXFom9SxdB1+5UHpp6IiC+d7BwCdGa3W
Wv0wXBV0cAO4vNN9aLb7jJM=
=dXey
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 13 Feb 2008 07:46:11 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 12 22:44:07 2018; Machine Name: buxtehude
