encrypt/source/decrypt.sh

   1 #!/bin/sh
   2 ##############################################
   3 # Script for Secure Linux Project            #
   4 # Copyright(c) 2005, 2006 by Roland Haeder   #
   5 ##############################################
   6 # Purpose: Decryption of the root system     #
   7 ##############################################
   8 # This software is licensed under the GNU    #
   9 # General Public License Version 2 or either #
  10 # and comes with ABSOLUTELY NO WARRANTY      #
  11 # neither implied nor explicit.              #
  12 ##############################################
  13
  14 halt_script()
  15 {
  16         umount $MOUNT/home
  17         umount $MOUNT
  18         umount $KEYS > /dev/null 2>&1
  19         losetup -d /dev/loop2 > /dev/null 2>&1
  20         losetup -d /dev/loop9 > /dev/null 2>&1
  21         losetup -d /dev/loop8 > /dev/null 2>&1
  22         losetup -d $STICK_LOOP > /dev/null 2>&1
  23         losetup -d /dev/loop7 > /dev/null 2>&1
  24         # Add more todo here!
  25         exit 1
  26 }
  27
  28 if ! test -e /proc/version; then
  29         # Mount missing /proc
  30         mount /proc
  31 fi
  32
  33 if test -e .local.sh; then
  34         . ./.local.sh
  35         if test "$STICK_START" == "xxx"; then
  36                 echo "$0: Cannot continue!"
  37                 echo "Please run stick.sh first to setup your USB sticks."
  38                 exit 3
  39         fi
  40  else
  41         echo "$0: Settings file .local.sh not found."
  42         echo "Please start the setup process with gen.sh!"
  43         exit 3
  44 fi
  45
  46 # Check given gpgkey
  47 if test -e "$STICK_KEY"; then
  48         MD5=`md5sum -b $STICK_KEY | cut -c -32`
  49         if test "$MD5" != "$STICK_MD5"; then
  50                 echo "$0: Cannot verify stick key $STICK_KEY!"
  51                 exit 4
  52         fi
  53  else
  54         echo "$0: Cannot find stick-key $STICK_KEY!"
  55         exit 5
  56 fi
  57
  58 # Ask for username and passphrase to search on the USB stick for the matching
  59 # and unlock it with the passphrase. But we do this step-by-step. So first
  60 # ask for username
  61 losetup -o $STICK_START /dev/loop8 $STICK_DEVICE || halt_script
  62
  63 # Remove debug file
  64 rm -f /mounts.lst > /dev/null 2>&1
  65
  66 for ((FAILED=1, TRY=1; ($FAILED != 0) && (TRY <= 3); TRY++)) do
  67         echo -n "Enter password: "
  68         read -s passw
  69         if test "$passw" != ""; then
  70                 # Check partition
  71                 fsck -t $STICK_TYPE -p -v $BOOT_DEVICE
  72
  73                 # Mount the boot-partition temporary
  74                 mount -t $STICK_TYPE $BOOT_DEVICE /mnt/boot
  75
  76                 # Decrypt the master image which holds the secret keys
  77                 MASTER_SEED=`cat /.seed_master`
  78                 MASTER_PASS=`cat /.pass_master`
  79                 echo $MASTER_PASS | losetup -p 0 -S $MASTER_SEED -C $ITER -e $CIPHER /dev/loop13 /mnt/boot/master.img || halt_script
  80                 # "Source" the user's special script which holds the start position
  81                 source /mnt/boot/.start2_$1.sh
  82                 # Mount the master image read/write to update the seed
  83                 mount -t $STICK_TYPE -o ro /dev/loop13 /mnt/stick
  84                 # Decrypt the 2nd partition for importing temporarily the user's key
  85                 USER_SEED=`cat /mnt/stick/.seed_$1`
  86                 USER_PASS=`cat /mnt/stick/.pass_$1`
  87                 losetup -o $START2 /dev/loop12 "$STICK_DEVICE"
  88                 echo $USER_PASS | losetup -p 0 -S $USER_SEED -c $ITER -e $CIPHER /dev/loop11 /dev/loop12
  89                 mount -t $STICK_TYPE -o ro /dev/loop11 /mnt/stick2 || halt_script
  90                 # Import the secret key
  91                 gpg --import < /mnt/stick2/$1-secret.gpg > /dev/null 2>&1
  92                 # Umount and rehash USER_SEED/USER_PASS
  93                 umount /mnt/stick2 > /dev/null 2>&1
  94                 losetup -d /dev/loop11 > /dev/null 2>&1
  95                 USER_SEED=`head -c $SEED_LEN $RAND | uuencode -m - | head -2 | tail -1`
  96                 USER_PASS=`head -c $PASS_LEN $RAND | uuencode -m - | head -2 | tail -1`
  97                 echo $USER_SEED > /mnt/stick/.seed_$1
  98                 echo $USER_PASS > /mnt/stick/.pass_$1
  99                 echo $USER_PASS | losetup -p 0 -S $USER_SEED -c $ITER -e $CIPHER /dev/loop11 /dev/loop12
 100                 mkfs -t $STICK_TYPE -b 1024 /dev/loop11
 101                 mount -t $STICK_TYPE /dev/loop11 /mnt/stick2
 102                 gpg --export-secret-keys -a "$1" > /mnt/stick2/$1-secret.gpg
 103                 umount /mnt/stick2
 104                 losetup -d /dev/loop11
 105
 106                 # Remove last loop-devices
 107                 losetup -d /dev/loop12 > /dev/null 2>&1
 108                 umount /mnt/stick > /dev/null 2>&1
 109                 losetup -d /dev/loop13 > /dev/null 2>&1
 110                 umount /mnt/boot > /dev/null 2>&1
 111
 112                 # Decrypt the stick now to access the key for decrypting the asset
 113                 echo $passw | losetup -e $CIPHER -K $STICK_KEY -p 0 -G /root/.gnupg /dev/loop2 /dev/loop8
 114                 STATUS="$?"
 115                 if test "$STATUS" == "0"; then
 116                         # mount >> /mounts.lst
 117                         STICK_WARNING=false
 118                         fsck -t $STICK_TYPE -p -v /dev/loop2 > /stick.msg 2>&1
 119                         STATUS="$?"
 120                         if test "$STATUS" != "0"; then
 121                                 # Hold a warning message
 122                                 STICK_WARING=true
 123                         fi
 124                         mount -t $STICK_TYPE /dev/loop2 $KEYS > /dev/null 2>&1
 125                         if test "$?" == "0"; then
 126                                 # Check if key exists
 127                                 FAILED="1"
 128                                 if test -e "$KEYS/$1-secret.gpg"; then
 129                                         MD5=`md5sum -b $KEYS/$1-secret.gpg | cut -c -32`
 130                                         for m5 in $MD5SUMS; do
 131                                                 if test "$m5" == "$MD5"; then
 132                                                         # It does exist so stop searching for it
 133                                                         echo "Accepted."
 134                                                         FAILED="0"
 135                                                         break
 136                                                 fi
 137                                         done
 138
 139                                         if test "$FAILED" == "1"; then
 140                                                 # MD5 sums differ
 141                                                 echo "failed!"
 142                                                 echo
 143                                                 echo "$0: Sorry, cannot verify keyfile! Fatal error."
 144                                                 halt_script
 145                                         fi
 146                                  else
 147                                         # Keyfile not found! :-(
 148                                         echo "failed!"
 149                                         echo
 150                                         echo "$0: Sorry, invalid user $1!"
 151                                         USER=""
 152                                 fi
 153                          else
 154                                 echo "failed!"
 155                                 halt_script
 156                         fi
 157                         if ! test STICK_WARNING; then
 158                                 echo "$0: WARNING: The stick-fs was bad or not unmounted before! ($STATUS)"
 159                                 cat /stick.msg
 160                                 echo "Press RETURN to continue or CTRL-C to enter rescue console..."
 161                                 read -s dummy || halt_script
 162                         fi
 163                         rm -f /stick.msg > /dev/null 2>&1
 164                  else
 165                         echo "Wrong password! (Attempts left: $((3 - $TRY)))"
 166                 fi
 167          else
 168                 echo "No password given!"
 169                 TRY=$(($TRY-1))
 170         fi
 171 done
 172
 173 if [ $FAILED -ne 0 ]; then
 174         echo "$0: Sorry, you get only three attempts to guess the password."
 175         halt_script
 176 fi
 177
 178 if test "$FAILED" == "0"; then
 179         # The key seems to be not changed so let's decrypt the asset
 180         echo "$0: Stage 1 - Decrypting asset..."
 181         echo $passw | losetup -e $CIPHER -p 0 -K "$KEYS/$1-secret.gpg" -G /root/.gnupg /dev/loop7 $ASSET || halt_script > /dev/null 2>&1
 182         echo "$0: Stage 1 - done."
 183
 184         # Prepare all loop devices
 185         umount $MOUNT
 186         losetup -d /dev/loop10 > /dev/null 2>&1
 187         losetup -d /dev/loop3 > /dev/null 2>&1
 188         losetup -d /dev/loop4 > /dev/null 2>&1
 189
 190         # Setup the root and data "partition"
 191         echo "$0: Stage 2 - Faking partitions (root=8,base-swap=3,base=7) ..."
 192         losetup -o $ROOT_OFFSET /dev/loop10 /dev/loop7 || halt_script
 193         losetup -o $SWAP_OFFSET /dev/loop3 /dev/loop7 || halt_script
 194         echo "$0: Stage 2 - done."
 195
 196         # Mount devices
 197         # mount >> /mounts.lst
 198         echo "$0: Stage 3 - Checking root-fs (this could take loooong)..."
 199         fsck -t $ROOT_TYPE -p -v /dev/loop10 > /fsck.log 2>&1
 200         if test "$?" != "0"; then
 201                 cat /fsck.log
 202                 echo "Press RETURN to continue or CTRL+C to enter rescue console..."
 203                 read -s dummy || /bin/sh
 204         fi
 205         rm -f /fsck.log > /dev/null 2>&1
 206         echo "$0: Stage 3 - done."
 207
 208         echo "$0: Stage 4 - Mounting root-fs ..."
 209         mount /dev/loop10 $MOUNT > /dev/null 2>&1
 210         echo "$0: Stage 4 - done."
 211
 212         echo "$0: Stage 5 - Preparing DATA filesystem ..."
 213         if test -e "/.raid_cfg.sh"; then
 214                 # Run RAID setup script (no "exit" command there!)
 215                 source raid.sh $1 $passw
 216                 # Something which you can use but not /home!
 217                 losetup -o $DATA_OFFSET /dev/loop5 /dev/loop7 > /dev/null 2>&1
 218         else
 219                 # /home without RAID
 220                 losetup -o $DATA_OFFSET /dev/loop9 /dev/loop7 > /dev/null 2>&1
 221         fi
 222         echo "$0: Stage 5 - done."
 223
 224         # Remove the key with loop device
 225         echo "$0: Stage 6 - Removing USB stick ..."
 226         umount $KEYS
 227         losetup -d /dev/loop2
 228         losetup -d /dev/loop8
 229         echo "$0: Stage 6 - done."
 230
 231         # Mount DATA (mostly /home)
 232         # mount >> /mounts.lst
 233         echo "$0: Stage 7 - Checking filesystem on DATA ..."
 234         fsck -t $DATA_TYPE -p -v /dev/loop9 > /dev/null 2>&1
 235         echo "$0: Stage 7 - done."
 236
 237         echo "$0: Stage 8 - Mounting filesystem on DATA ..."
 238         mount -t $DATA_TYPE /dev/loop9 $MOUNT/home/ > /dev/null 2>&1
 239         echo "$0: Stage 8 - done."
 240
 241         # Run swap.sh (DO NOT USE exit THERE!)
 242         echo "$0: Stage 9 - Activating swap space ..."
 243         source swap.sh $1
 244         echo "$0: Stage 9 - done."
 245 else
 246         halt_script
 247 fi