[dm-crypt] Problem with piped passphrases containing newline character

[dm-crypt] Problem with piped passphrases containing newline character

[Nico R.]

[-- Attachment #1: Type: text/plain, Size: 2070 bytes --]

Hello!

I am using some code like the following in order to initialize and open
LUKS containers:

$ gpg -d < secret.asc | sudo \
    cryptsetup luksFormat /dev/$DEVICE -

$ gpg -d < secret.asc | sudo \
    cryptsetup --key-file=- luksOpen /dev/$DEVICE blah


secret.asc is a file encrypted with GnuPG, which contains unknown
(possibly random) data. It usually includes at least one newline character.

The above commands have been carefully crafted after reading the man
page over and over (especially the parts about reading passphrases from
standard input or a pipe, and about newline handling), and after
studying the relevant parts of the code. I believe that this was the
proper way to use passphrases which are binary blobs with cryptsetup
versions around 1.0.6.

It used to work properly with cryptsetup-1.0.6. However, I am now
experiencing an error with cryptsetup-1.1.1 if the passphrase is
containing a newline character. I am using a simplified testcase to show
the problem. The following commands are written for bash. I assume that
there is a block device named /dev/loop0 which has enough space to hold
a LUKS container.

$ export LC_ALL=POSIX
$ echo -n $'foo\nbar' | sudo \
    cryptsetup luksFormat /dev/loop0 -
$ echo -n $'foo\nbar' | sudo \
    cryptsetup --key-file=- luksOpen /dev/loop0 testing
No key available with this passphrase.


At first it seemed to be related to issue 52[1], but trying out the svn
revisions around 208 did not confirm that assumption.

I svn-bisect[2]-ed the problem, and found out that the change in
behavior was probably introduced somewhere between r109 and r124
(inclusively, each). I have not digged even more deeply into it, because
I currently do not understand the tricky details.

This is probably a bug in the code, or the documentation is misleading.
Or am I using cryptsetup improperly and am I misunderstanding its manpage?


[1] https://code.google.com/p/cryptsetup/issues/detail?id=52
[2] http://search.cpan.org/perldoc?svn-bisect


Thanks
-- 
Nico


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [dm-crypt] Problem with piped passphrases containing newline character

[Milan Broz]

On 05/27/2010 12:48 AM, Nico R. wrote:

> It used to work properly with cryptsetup-1.0.6. However, I am now
> experiencing an error with cryptsetup-1.1.1 if the passphrase is
> containing a newline character. I am using a simplified testcase to show
> the problem. The following commands are written for bash. I assume that
> there is a block device named /dev/loop0 which has enough space to hold
> a LUKS container.
> 
> $ export LC_ALL=POSIX
> $ echo -n $'foo\nbar' | sudo \
>     cryptsetup luksFormat /dev/loop0 -
> $ echo -n $'foo\nbar' | sudo \
>     cryptsetup --key-file=- luksOpen /dev/loop0 testing
> No key available with this passphrase.

Yes, seems there is regression.

Can you report this as new issue to project page? I'll close it when
it is fixed (and I'll add this test to regression tests to no repeat it again.)

Milan

Re: [dm-crypt] Problem with piped passphrases containing newline character

[Nico R.]

[-- Attachment #1: Type: text/plain, Size: 484 bytes --]

On 2010-05-27T09:20Z, Milan Broz wrote:
> On 05/27/2010 12:48 AM, Nico R. wrote:
> 
[issue with embedded newlines in passphrases]
> 
> Yes, seems there is regression.
> 
> Can you report this as new issue to project page?

As I don’t have a Google account, no. You’ll have to add the issue
yourself or ask someone else to do that, sorry.

> I'll close it when
> it is fixed (and I'll add this test to regression tests to no repeat it again.)

Thanks.
-- 
Nico


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [dm-crypt] Problem with piped passphrases containing newline character

[Milan Broz]

On 05/28/2010 10:34 AM, Nico R. wrote:
> On 2010-05-27T09:20Z, Milan Broz wrote:
>> On 05/27/2010 12:48 AM, Nico R. wrote:
>>
> [issue with embedded newlines in passphrases]
>>
>> Yes, seems there is regression.
>>
>> Can you report this as new issue to project page?
> 
> As I don’t have a Google account, no. You’ll have to add the issue
> yourself or ask someone else to do that, sorry.

Well, ok. It should be fixed in current devel code anyway.

http://code.google.com/p/cryptsetup/source/detail?r=237

Milan

Re: [dm-crypt] Problem with piped passphrases containing newline character

[Nico R.]

[-- Attachment #1: Type: text/plain, Size: 641 bytes --]

On 2010-05-28T08:43:59Z, Milan Broz wrote:
> On 05/28/2010 10:34 AM, Nico R. wrote:
>> On 2010-05-27T09:20Z, Milan Broz wrote:
>>> On 05/27/2010 12:48 AM, Nico R. wrote:
>>>
>> [issue with embedded newlines in passphrases]
>>>
>>> Yes, seems there is regression.
>>>
[…]
> 
> Well, ok. It should be fixed in current devel code anyway.
> 
> http://code.google.com/p/cryptsetup/source/detail?r=237

Thanks. The added test code in /trunk/tests/compat-test looks good.


If I read it correctly, luksFormat can now also use the --key-file
option. This should be added to the man page before a release, I think.
-- 
Nico


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 198 bytes --]