From 44f59a53bb3b541ddcc2e07f33857642f7fbb281 Mon Sep 17 00:00:00 2001
From: Sebastian L
Date: Fri, 3 Feb 2023 16:08:42 +0100
Subject: [PATCH] Use curl instead of wget - Added curl as dependency - Added openssl as dependency (One should now fetch a key over a non-encrypted connection) - Renamed wget_or_ask to fetch_or_ask Busybox wget caused problems, that's why I changed it to curl with which it seems to work better
---
 README.mdown | 6 ++--
 build-deb.sh | 6 ++--
 src/DEBIAN/control | 2 +-
 src/etc/initramfs-tools/hooks/curl.sh | 20 ++++++++++++
 src/etc/initramfs-tools/hooks/wget.sh | 32 -------------------
 .../scripts/{wget_or_ask => fetch_or_ask} | 10 +----
 tests/initramfs.sh | 8 ++---
 tests/keyscript.sh | 6 ++--
 tests/shellcheck.sh | 4 +--
 9 files changed, 37 insertions(+), 57 deletions(-)
 create mode 100755 src/etc/initramfs-tools/hooks/curl.sh
 delete mode 100755 src/etc/initramfs-tools/hooks/wget.sh
 rename src/lib/cryptsetup/scripts/{wget_or_ask => fetch_or_ask} (92%)
diff --git a/README.mdown b/README.mdown
index 9aae460..72ff02e 100644
--- a/README.mdown
+++ b/README.mdown
@@ -26,19 +26,19 @@ rm unencrypted_keyfile
 3. Install the keyscript and initramfs hooks.
 ```
-wget https://github.com/stupidpupil/https-keyscript/releases/download/v1.0.1/https-keyscript_1.0.3_all.deb
+curl https://github.com/stupidpupil/https-keyscript/releases/download/v1.0.1/https-keyscript_1.0.3_all.deb
 sudo dpkg -i https-keyscript_1.0.3_all.deb
 ```
 4. Add keyfile to LUKS slots.
 ```
-busybox sh /lib/cryptsetup/scripts/wget_or_ask "somepassphrase:https://example.org/encrypted_keyfile" > unencrypted_keyfile
+busybox sh /lib/cryptsetup/scripts/fetch_or_ask "somepassphrase:https://example.org/encrypted_keyfile" > unencrypted_keyfile
 sudo cryptsetup luksAddKey /dev/someDevice unencrypted_keyfile
 rm unencrypted_keyfile
 ```
-5. Update the `/dev/someDevice` entry in `/etc/crypttab` with the option `keyscript=wget_or_ask` and with a 'key file' field like `somepassphrase:https://example.org/encrypted_keyfile`.
+5. Update the `/dev/someDevice` entry in `/etc/crypttab` with the option `keyscript=fetch_or_ask` and with a 'key file' field like `somepassphrase:https://example.org/encrypted_keyfile`.
 6. `sudo update-initramfs -u` (You might also need to add the `initramfs` option to the `crypttab` in step 5 due to _systemd_'s [lack of support for keyscripts](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618862); see the [crypttab man page](http://manpages.ubuntu.com/manpages/cosmic/man5/crypttab.5.html).)
diff --git a/build-deb.sh b/build-deb.sh
index 90ae7ea..caf41d8 100755
--- a/build-deb.sh
+++ b/build-deb.sh
@@ -2,10 +2,10 @@ chmod u=rwx src/etc/initramfs-tools/hooks/*.sh
 chmod u=rwx src/etc/initramfs-tools/scripts/init-premount/*.sh
-chmod u=rwx src/lib/cryptsetup/scripts/wget_or_ask
+chmod u=rwx src/lib/cryptsetup/scripts/fetch_or_ask
 chmod og=rx src/etc/initramfs-tools/hooks/*.sh
 chmod og=rx src/etc/initramfs-tools/scripts/init-premount/*.sh
-chmod og=rx src/lib/cryptsetup/scripts/wget_or_ask
+chmod og=rx src/lib/cryptsetup/scripts/fetch_or_ask
-dpkg-deb -b src dist
\ No newline at end of file
+dpkg-deb -b src dist
diff --git a/src/DEBIAN/control b/src/DEBIAN/control
index d64cb60..b7e7047 100644
--- a/src/DEBIAN/control
+++ b/src/DEBIAN/control
@@ -6,6 +6,6 @@ Homepage: https://github.com/stupidpupil/https-keyscript
 Architecture: all
 Priority: optional
 Section: admin
-Depends: cryptsetup (>= 2), wget (>= 1.15)
+Depends: cryptsetup (>= 2), curl (>= 7.64.0), openssl (>= 1.1.1n)
 Recommends: keyutils (>= 1.5)
 Installed-Size: 5
diff --git a/src/etc/initramfs-tools/hooks/curl.sh b/src/etc/initramfs-tools/hooks/curl.sh
new file mode 100755
index 0000000..2a15117
--- /dev/null
+++ b/src/etc/initramfs-tools/hooks/curl.sh
@@ -0,0 +1,20 @@
+#!/bin/sh -e
+PREREQS=""
+case $1 in
+ prereqs) echo "${PREREQS}"; exit 0;;
+esac
+. /usr/share/initramfs-tools/hook-functions
+
+# To find out what library are needed do
+# strace curl https://badssl.com 2>&1 | grep open
+for needed_lib in "libnss_dns*.so*" "libnss_files*.so*" "libresolv*.so*" "ld-linux*.so*" "libc-*.so" "libc.so.*"
+do
+ lib=$(find /lib/ -name "$needed_lib" -type f)
+ if [ ! -z $lib ]
+ then
+ copy_exec "$lib"
+ fi
+done
+
+copy_exec /etc/ssl/certs/ca-certificates.crt
+copy_exec /usr/bin/curl
diff --git a/src/etc/initramfs-tools/hooks/wget.sh b/src/etc/initramfs-tools/hooks/wget.sh
deleted file mode 100755
index 556da06..0000000
--- a/src/etc/initramfs-tools/hooks/wget.sh
+++ /dev/null
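Review bot: `if [ ! -z $lib ]` in the new curl.sh hook leaves `$lib` unquoted, and `find /lib/ -name "$needed_lib" -type f` can return more than one path for a single pattern (for example on a multiarch system where a 32-bit `libc.so.*` is installed alongside the 64-bit one); with two matches the test gets too many arguments and evaluates false, so that library is silently not copied, and a single match is still subject to word splitting. Iterating over the find output handles both cases: `find /lib/ -name "$needed_lib" -type f | while IFS= read -r lib; do copy_exec "$lib"; done`. tests/shellcheck.sh lints hooks/*.sh and SC2086 is not in SC_EXCLUDE, so the unquoted expansion will most likely be reported there too. Since copy_exec already copies the shared libraries curl is linked against, the explicit list presumably only matters for the dlopen'ed NSS/resolver modules; it would help to say so in the comment above the loop, e.g. `# copy_exec resolves curl's linked libraries; these NSS/resolver modules are loaded at runtime and must be listed by hand`.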
@@ -1,32 +0,0 @@
-#!/bin/sh -e
-PREREQS=""
-case $1 in
- prereqs) echo "${PREREQS}"; exit 0;;
-esac
-. /usr/share/initramfs-tools/hook-functions
-
-copy_exec /usr/bin/wget /usr/bin/real_wget
-
-strace_and_copy_libs_for_url ()
-{
- LIB_PAT="\".*/lib/.*\""
- STRACED_LIBS=$(strace /usr/bin/wget --no-iri -q -O - "$1" 2>&1 | grep -o "$LIB_PAT")
-
- echo "$STRACED_LIBS" | while IFS= read -r line
- do
- # Strip the quotation marks
- line="${line%\"}"
- line="${line#\"}"
-
- if [ -f "$line" ]
- then
- copy_exec "$line"
- fi
- done
-}
-
-strace_and_copy_libs_for_url "https://www.debian.org"
-strace_and_copy_libs_for_url "https://raw.githubusercontent.com/stupidpupil/https-keyscript/master/tests/fixtures/encrypted_keyfile"
-strace_and_copy_libs_for_url "https://mozilla-modern.badssl.com"
-
-copy_exec /etc/ssl/certs/ca-certificates.crt
diff --git a/src/lib/cryptsetup/scripts/wget_or_ask b/src/lib/cryptsetup/scripts/fetch_or_ask
similarity index 92%
rename from src/lib/cryptsetup/scripts/wget_or_ask
rename to src/lib/cryptsetup/scripts/fetch_or_ask
index 186a422..b6b547b 100755
--- a/src/lib/cryptsetup/scripts/wget_or_ask
+++ b/src/lib/cryptsetup/scripts/fetch_or_ask
@@ -34,14 +34,6 @@ if [ -z "$url" ] || [ -z "$openssl_passphrase" ]; then
 use_https=0
 fi
-if [ -x /usr/bin/real_wget ]; then
- wget_path="/usr/bin/real_wget"
-elif [ -x /usr/bin/wget ]; then
- wget_path="/usr/bin/wget"
-else
- wget_path="wget"
-fi
-
 #
 # Plymouth helper functions
 #
@@ -149,7 +141,7 @@ https_try_fetch ()
 message "Fetching remote keyfile for $CRYPTTAB_NAME..."
- encrypted_keyfile=$($wget_path --secure-protocol=PFS -q -O - "$url")
+ encrypted_keyfile=$(curl -s "$url")
 if [ $? -eq 0 ]; then
 decrypted_keyfile=$(echo "$encrypted_keyfile" | openssl enc -base64 -aes-256-cbc -md sha256 -d -salt -k "$openssl_passphrase")
diff --git a/tests/initramfs.sh b/tests/initramfs.sh
index ec4f9c5..ca1f93f 100755
--- a/tests/initramfs.sh
+++ b/tests/initramfs.sh
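Review bot: `curl -s "$url"` exits 0 on an HTTP error response, so the `if [ $? -eq 0 ]` check on the following line no longer distinguishes a 404/500 from a successful fetch and the error page body is passed to `openssl enc ... -d` as if it were the encrypted keyfile. The wget invocation it replaces reported HTTP errors through its exit status, so this is a behaviour change; `encrypted_keyfile=$(curl -sSf "$url")` restores it (`-f` fails on HTTP >= 400, `-S` still prints the error on stderr under `-s`). The removed `--secure-protocol=PFS` also carried the TLS policy, and nothing in the new call replaces it; adding `--proto '=https'` (and `--tlsv1.2` where the server supports it) would keep this path from ever retrieving the keyfile over plain HTTP or a downgraded connection, which matters for code that runs before the root filesystem is unlocked. https_try_fetch starts and ends outside the hunk.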
@@ -47,15 +47,15 @@ if [ -z "$TEST_INSTALLED" ]; then
 echo "initramfs hooks run"
 mkdir -p "$INITRAMFS_ROOT/lib/cryptsetup/scripts"
- cp "src/lib/cryptsetup/scripts/wget_or_ask" "$INITRAMFS_ROOT/lib/cryptsetup/scripts/wget_or_ask"
+ cp "src/lib/cryptsetup/scripts/fetch_or_ask" "$INITRAMFS_ROOT/lib/cryptsetup/scripts/fetch_or_ask"
 echo "keyscript copied"
 else
 # If there's no reference to the keyscript in the crypttab it won't be installed in the initramfs
- if ! [ -x "$INITRAMFS_ROOT/lib/cryptsetup/scripts/wget_or_ask" ]; then
+ if ! [ -x "$INITRAMFS_ROOT/lib/cryptsetup/scripts/fetch_or_ask" ]; then
 mkdir -p "$INITRAMFS_ROOT/lib/cryptsetup/scripts"
- cp "/lib/cryptsetup/scripts/wget_or_ask" "$INITRAMFS_ROOT/lib/cryptsetup/scripts/wget_or_ask"
+ cp "/lib/cryptsetup/scripts/fetch_or_ask" "$INITRAMFS_ROOT/lib/cryptsetup/scripts/fetch_or_ask"
 fi
 fi
@@ -101,4 +101,4 @@ if [ $? -eq 0 ]; then
 rm -r "$INITRAMFS_ROOT"
 fi
-exit "$exitCode"
\ No newline at end of file
+exit "$exitCode"
diff --git a/tests/keyscript.sh b/tests/keyscript.sh
index 558aada..e6e6313 100755
--- a/tests/keyscript.sh
+++ b/tests/keyscript.sh
@@ -12,9 +12,9 @@ export HTTPSKEYSCRIPT_TESTING=1
 # Run the test against the src version of the keyscript if its available
 # or else against the installed version (which is useful for the initramfs test)
-keyscriptPath="src/lib/cryptsetup/scripts/wget_or_ask"
+keyscriptPath="src/lib/cryptsetup/scripts/fetch_or_ask"
 if [ ! -f "$keyscriptPath" ]; then
- keyscriptPath="/lib/cryptsetup/scripts/wget_or_ask"
+ keyscriptPath="/lib/cryptsetup/scripts/fetch_or_ask"
 fi
 cExitCode=0
@@ -124,4 +124,4 @@ export CRYPTTAB_TRIED=1
 runTest assertExitedWithAskpass
-exit "$cExitCode"
\ No newline at end of file
+exit "$cExitCode"
diff --git a/tests/shellcheck.sh b/tests/shellcheck.sh
index 242c87f..d820bf0 100644
--- a/tests/shellcheck.sh
+++ b/tests/shellcheck.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 SC_EXCLUDE="SC2181,SC2162,SC1091,SC2129"
-shellcheck -s sh --exclude="$SC_EXCLUDE" src/lib/cryptsetup/scripts/wget_or_ask \
+shellcheck -s sh --exclude="$SC_EXCLUDE" src/lib/cryptsetup/scripts/fetch_or_ask \
 src/etc/initramfs-tools/hooks/*.sh \
- src/etc/initramfs-tools/scripts/init-premount/networking.sh
\ No newline at end of file
+ src/etc/initramfs-tools/scripts/init-premount/networking.sh