12:35 p.m.
The first patch fixes a rather serious bug, the second patch allows
multiple --key parameters and default parameters.
There is a third patch to libguestfs which adds a test, coming up.
I did not yet review and fix the documentation. I think we need to
centralize it in one place because at the moment the same
documentation for --key is copy/pasted all over the tools.
Rich.
12:35 p.m.
New subject: [PATCH 1/2] options: Fix segfault when multiple --key parameters given.
Easily reproducible using:
$ guestfish --key dev1:key:key1 --key dev2:key:key2
causing this stack trace (or others depending on where the memory
corruption was caught):
Program received signal SIGABRT, Aborted.
0x00007ffff7905625 in raise () from /lib64/libc.so.6
(gdb) bt
#0 0x00007ffff7905625 in raise () from /lib64/libc.so.6
#1 0x00007ffff78ee8d9 in abort () from /lib64/libc.so.6
#2 0x00007ffff79494af in __libc_message () from /lib64/libc.so.6
#3 0x00007ffff7950a6c in malloc_printerr () from /lib64/libc.so.6
#4 0x00007ffff79528d0 in _int_free () from /lib64/libc.so.6
#5 0x00005555555bdd6e in free_key_store ()
#6 0x0000555555589027 in main ()
(gdb) quit
---
options/keys.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/options/keys.c b/options/keys.c
index 7f68986..f783066 100644
--- a/options/keys.c
+++ b/options/keys.c
@@ -216,7 +216,8 @@ key_store_import_key (struct key_store *ks, const struct key_store_key
*key)
}
assert (ks != NULL);
- new_keys = realloc (ks->keys, sizeof (*ks->keys) + 1);
+ new_keys = realloc (ks->keys,
+ (ks->nr_keys + 1) * sizeof (struct key_store_key));
if (!new_keys)
error (EXIT_FAILURE, errno, "realloc");
--
2.23.0
8:08 a.m.
New subject: [PATCH 1/2] options: Fix segfault when multiple --key parameters given.
On Tuesday, 12 November 2019 19:35:11 CET Richard W.M. Jones wrote:
Easily reproducible using:
$ guestfish --key dev1:key:key1 --key dev2:key:key2
causing this stack trace (or others depending on where the memory
corruption was caught):
Program received signal SIGABRT, Aborted.
0x00007ffff7905625 in raise () from /lib64/libc.so.6
(gdb) bt
#0 0x00007ffff7905625 in raise () from /lib64/libc.so.6
#1 0x00007ffff78ee8d9 in abort () from /lib64/libc.so.6
#2 0x00007ffff79494af in __libc_message () from /lib64/libc.so.6
#3 0x00007ffff7950a6c in malloc_printerr () from /lib64/libc.so.6
#4 0x00007ffff79528d0 in _int_free () from /lib64/libc.so.6
#5 0x00005555555bdd6e in free_key_store ()
#6 0x0000555555589027 in main ()
(gdb) quit
---
options/keys.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/options/keys.c b/options/keys.c
index 7f68986..f783066 100644
--- a/options/keys.c
+++ b/options/keys.c
@@ -216,7 +216,8 @@ key_store_import_key (struct key_store *ks, const struct
key_store_key *key)
}
assert (ks != NULL);
- new_keys = realloc (ks->keys, sizeof (*ks->keys) + 1);
+ new_keys = realloc (ks->keys,
+ (ks->nr_keys + 1) * sizeof (struct key_store_key));
Theoretically, sizeof (*ks->keys) should still be fine, instead of
explicitly spelling the struct name.
Apart from that, LGTM.
--
Pino Toscano
12:35 p.m.
New subject: [PATCH 2/2] options: Allow multiple --key parameters and default keys.
This allows multiple --key parameters on the command line to match a
single device. This could either be specified as:
tool --key /dev/sda1:key:trykey1 --key /dev/sda1:key:trykey2
which would try "trykey1" and "trykey2" against /dev/sda1.
And/or you can specify default keys which are tried against each
device (after more specific keys fail), eg:
tool --key :key:defaultkey1 --key :key:defaultkey2
which would try "defaultkey1" and "defaultkey2" against all devices.
---
options/decrypt.c | 41 ++++++++++++++++++-----
options/keys.c | 83 +++++++++++++++++++++++++++++------------------
options/options.h | 8 +++--
3 files changed, 89 insertions(+), 43 deletions(-)
diff --git a/options/decrypt.c b/options/decrypt.c
index 234163d..131e79c 100644
--- a/options/decrypt.c
+++ b/options/decrypt.c
@@ -26,6 +26,8 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <libintl.h>
+#include <error.h>
#include "c-ctype.h"
@@ -74,21 +76,42 @@ inspect_do_decrypt (guestfs_h *g, struct key_store *ks)
if (partitions == NULL)
exit (EXIT_FAILURE);
- int need_rescan = 0;
- size_t i;
+ int need_rescan = 0, r;
+ size_t i, j;
+
for (i = 0; partitions[i] != NULL; ++i) {
CLEANUP_FREE char *type = guestfs_vfs_type (g, partitions[i]);
if (type && STREQ (type, "crypto_LUKS")) {
char mapname[32];
make_mapname (partitions[i], mapname, sizeof mapname);
- CLEANUP_FREE char *key = get_key (ks, partitions[i]);
- /* XXX Should we call guestfs_luks_open_ro if readonly flag
- * is set? This might break 'mount_ro'.
- */
- if (guestfs_luks_open (g, partitions[i], key, mapname) == -1)
- exit (EXIT_FAILURE);
-
+ CLEANUP_FREE_STRING_LIST char **keys = get_keys (ks, partitions[i]);
+
+ if (guestfs_int_count_strings (keys) == 0)
+ error (EXIT_FAILURE, 0,
+ _("no key was provided to open LUKS encrypted %s, "
+ "try using --key on the command line"),
+ partitions[i]);
+
+ /* Try each key in turn. */
+ for (j = 0; keys[j] != NULL; ++j) {
+ /* XXX Should we call guestfs_luks_open_ro if readonly flag
+ * is set? This might break 'mount_ro'.
+ */
+ guestfs_push_error_handler (g, NULL, NULL);
+ r = guestfs_luks_open (g, partitions[i], keys[j], mapname);
+ guestfs_pop_error_handler (g);
+ if (r == 0)
+ goto opened;
+ }
+ error (EXIT_FAILURE, 0,
+ _("could not find key to open LUKS encrypted %s.\n\n"
+ "Try using --key on the command line.\n\n"
+ "Original error: %s (%d)"),
+ partitions[i], guestfs_last_error (g),
+ guestfs_last_errno (g));
+
+ opened:
need_rescan = 1;
}
}
diff --git a/options/keys.c b/options/keys.c
index f783066..817508b 100644
--- a/options/keys.c
+++ b/options/keys.c
@@ -121,17 +121,35 @@ read_first_line_from_file (const char *filename)
return ret;
}
-char *
-get_key (struct key_store *ks, const char *device)
+/* Return the key(s) matching this particular device from the
+ * keystore. There may be multiple. If none are read from the
+ * keystore, ask the user.
+ */
+char **
+get_keys (struct key_store *ks, const char *device)
{
- size_t i;
+ size_t i, j, len;
+ char **r;
+ char *s;
+
+ /* We know the returned list must have at least one element and not
+ * more than ks->nr_keys.
+ */
+ len = 1;
+ if (ks)
+ len = MIN (1, ks->nr_keys);
+ r = calloc (len+1, sizeof (char *));
+ if (r == NULL)
+ error (EXIT_FAILURE, errno, "calloc");
+
+ j = 0;
if (ks) {
for (i = 0; i < ks->nr_keys; ++i) {
struct key_store_key *key = &ks->keys[i];
- char *s;
- if (STRNEQ (key->device, device))
+ if (STRNEQ (key->device, "") &&
+ STRNEQ (key->device, device))
continue;
switch (key->type) {
@@ -139,63 +157,64 @@ get_key (struct key_store *ks, const char *device)
s = strdup (key->string.s);
if (!s)
error (EXIT_FAILURE, errno, "strdup");
- return s;
+ r[j++] = s;
+ break;
case key_file:
- return read_first_line_from_file (key->file.name);
+ s = read_first_line_from_file (key->file.name);
+ r[j++] = s;
+ break;
}
-
- /* Key not found in the key store, ask the user for it. */
- break;
}
}
- return read_key (device);
+ if (j == 0) {
+ /* Key not found in the key store, ask the user for it. */
+ s = read_key (device);
+ if (!s)
+ error (EXIT_FAILURE, 0, _("could not read key from user"));
+ r[0] = s;
+ }
+
+ return r;
}
struct key_store *
-key_store_add_from_selector (struct key_store *ks, const char *selector_orig)
+key_store_add_from_selector (struct key_store *ks, const char *selector)
{
- CLEANUP_FREE char *selector = strdup (selector_orig);
- const char *elem;
- char *saveptr;
+ CLEANUP_FREE_STRING_LIST char **fields =
+ guestfs_int_split_string (':', selector);
struct key_store_key key;
- if (!selector)
- error (EXIT_FAILURE, errno, "strdup");
+ if (!fields)
+ error (EXIT_FAILURE, errno, "guestfs_int_split_string");
- /* 1: device */
- elem = strtok_r (selector, ":", &saveptr);
- if (!elem) {
+ if (guestfs_int_count_strings (fields) != 3) {
invalid_selector:
- error (EXIT_FAILURE, 0, "invalid selector for --key: %s", selector_orig);
+ error (EXIT_FAILURE, 0, "invalid selector for --key: %s", selector);
}
- key.device = strdup (elem);
+
+ /* 1: device */
+ key.device = strdup (fields[0]);
if (!key.device)
error (EXIT_FAILURE, errno, "strdup");
/* 2: key type */
- elem = strtok_r (NULL, ":", &saveptr);
- if (!elem)
- goto invalid_selector;
- else if (STREQ (elem, "key"))
+ if (STREQ (fields[1], "key"))
key.type = key_string;
- else if (STREQ (elem, "file"))
+ else if (STREQ (fields[1], "file"))
key.type = key_file;
else
goto invalid_selector;
/* 3: actual key */
- elem = strtok_r (NULL, ":", &saveptr);
- if (!elem)
- goto invalid_selector;
switch (key.type) {
case key_string:
- key.string.s = strdup (elem);
+ key.string.s = strdup (fields[2]);
if (!key.string.s)
error (EXIT_FAILURE, errno, "strdup");
break;
case key_file:
- key.file.name = strdup (elem);
+ key.file.name = strdup (fields[2]);
if (!key.file.name)
error (EXIT_FAILURE, errno, "strdup");
break;
diff --git a/options/options.h b/options/options.h
index 6fadf1e..6e9b1da 100644
--- a/options/options.h
+++ b/options/options.h
@@ -104,7 +104,11 @@ struct mp {
/* A key in the key store. */
struct key_store_key {
- /* The device this key refers to. */
+ /* The device this key refers to. This is never NULL, but may be ""
+ * which is interpreted as a default key which is tried after any
+ * device-specific keys (there may be multiple defaults in the
+ * list).
+ */
char *device;
enum {
@@ -146,7 +150,7 @@ extern void print_inspect_prompt (void);
/* in key.c */
extern char *read_key (const char *param);
-extern char *get_key (struct key_store *ks, const char *device);
+extern char **get_keys (struct key_store *ks, const char *device);
extern struct key_store *key_store_add_from_selector (struct key_store *ks, const char
*selector);
extern struct key_store *key_store_import_key (struct key_store *ks, const struct
key_store_key *key);
extern void free_key_store (struct key_store *ks);
--
2.23.0
8:23 a.m.
New subject: [PATCH 2/2] options: Allow multiple --key parameters and default keys.
On Tuesday, 12 November 2019 19:35:12 CET Richard W.M. Jones wrote:
This allows multiple --key parameters on the command line to match a
single device. This could either be specified as:
tool --key /dev/sda1:key:trykey1 --key /dev/sda1:key:trykey2
which would try "trykey1" and "trykey2" against /dev/sda1.
This seems OK for me, so you can attempt multiple keys for a device.
And/or you can specify default keys which are tried against each
device (after more specific keys fail), eg:
tool --key :key:defaultkey1 --key :key:defaultkey2
which would try "defaultkey1" and "defaultkey2" against all devices.
However I do not see the point in this: IMHO you better make it explicit
which key is used for a certain device. Also, this makes it possible so
in case of two similar guests like:
- /dev/sda1 with key "key1", and /dev/sda2 with key "key2"
- /dev/sda1 with key "key2", and /dev/sda2 with key "key1"
the above command like will work in the same way, with no indication of
which key was successfully used for which device -- so you can silently
swap the first guest for the second with no changes to the v2v command
line...
What's the use case for this?
Please split this patch in two:
- multiple keys for the same device
- keys for all devices
Thanks,
--
Pino Toscano
2:33 a.m.
New subject: [PATCH 2/2] options: Allow multiple --key parameters and default keys.
On Fri, Nov 15, 2019 at 03:23:02PM +0100, Pino Toscano wrote:
On Tuesday, 12 November 2019 19:35:12 CET Richard W.M. Jones wrote:
> This allows multiple --key parameters on the command line to match a
> single device. This could either be specified as:
>
> tool --key /dev/sda1:key:trykey1 --key /dev/sda1:key:trykey2
>
> which would try "trykey1" and "trykey2" against /dev/sda1.
This seems OK for me, so you can attempt multiple keys for a device.
> And/or you can specify default keys which are tried against each
> device (after more specific keys fail), eg:
>
> tool --key :key:defaultkey1 --key :key:defaultkey2
>
> which would try "defaultkey1" and "defaultkey2" against all
devices.
However I do not see the point in this: IMHO you better make it explicit
which key is used for a certain device.
It's considerably more convenient for callers if they don't have to
store this mapping between opaque libguestfs device names (a concept
which is meaningless to most users and to the software which
orchestrates virt-v2v at scale), and keys.
Also there's no actual penalty to making this feature available, it's
a natural extension which falls out from the implementation, and it
doesn't affect performance unless the caller adds multiple --key
parameters. It's also how LUKS itself works if you enable
decrypt_keyctl in crypttab.
Also, this makes it possible so
in case of two similar guests like:
- /dev/sda1 with key "key1", and /dev/sda2 with key "key2"
- /dev/sda1 with key "key2", and /dev/sda2 with key "key1"
the above command like will work in the same way, with no indication of
which key was successfully used for which device -- so you can silently
swap the first guest for the second with no changes to the v2v command
line...
I didn't understand this. It seems an unlikely scenario in the first
place, and has no ill effects even if it does occur.
What's the use case for this?
So that IMS doesn't have to collect an exact mapping between opaque
libguestfs device names and keys, which will require some user to have
to enter device names that they don't understand into a UI without any
making typos rather than just supplying a list of keys that apply to a
single guest.
Please split this patch in two:
- multiple keys for the same device
- keys for all devices
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org
5:11 a.m.
New subject: [PATCH 2/2] options: Allow multiple --key parameters and default keys.
On Saturday, 16 November 2019 09:33:21 CET Richard W.M. Jones wrote:
On Fri, Nov 15, 2019 at 03:23:02PM +0100, Pino Toscano wrote:
> On Tuesday, 12 November 2019 19:35:12 CET Richard W.M. Jones wrote:
> > This allows multiple --key parameters on the command line to match a
> > single device. This could either be specified as:
> >
> > tool --key /dev/sda1:key:trykey1 --key /dev/sda1:key:trykey2
> >
> > which would try "trykey1" and "trykey2" against /dev/sda1.
>
> This seems OK for me, so you can attempt multiple keys for a device.
>
> > And/or you can specify default keys which are tried against each
> > device (after more specific keys fail), eg:
> >
> > tool --key :key:defaultkey1 --key :key:defaultkey2
> >
> > which would try "defaultkey1" and "defaultkey2" against all
devices.
>
> However I do not see the point in this: IMHO you better make it explicit
> which key is used for a certain device.
It's considerably more convenient for callers if they don't have to
store this mapping between opaque libguestfs device names (a concept
which is meaningless to most users and to the software which
orchestrates virt-v2v at scale), and keys.
We use devices already for various things, including partitions and
(in this case) devices for keys. If you use libguestfs tools (virt-v2v
included) then you need to care about them, so "callers are dumb" is
not one of the best arguments you can come up with.
Also there's no actual penalty to making this feature available,
it's
a natural extension which falls out from the implementation, and it
doesn't affect performance unless the caller adds multiple --key
parameters. It's also how LUKS itself works if you enable
decrypt_keyctl in crypttab.
This is not about performance or how LUKS works (which both are
irrelevant for libguestfs users), but rather about explicitly specifying
a secret only to its target.
> Also, this makes it possible so
> in case of two similar guests like:
> - /dev/sda1 with key "key1", and /dev/sda2 with key "key2"
> - /dev/sda1 with key "key2", and /dev/sda2 with key "key1"
> the above command like will work in the same way, with no indication of
> which key was successfully used for which device -- so you can silently
> swap the first guest for the second with no changes to the v2v command
> line...
I didn't understand this. It seems an unlikely scenario in the first
place, and has no ill effects even if it does occur.
I disagree with your assessment. Let's say that the first guest gets a
new encypted partition with coincidentally the same key as /dev/sda1:
I do not want that with a wildcard --key that device is silently opened
without the user acting and explicitly saying "this is the key for this
device" -- even if it is the same as another device.
> What's the use case for this?
So that IMS doesn't have to collect an exact mapping between opaque
libguestfs device names and keys, which will require some user to have
to enter device names that they don't understand into a UI without any
making typos rather than just supplying a list of keys that apply to a
single guest.
Few things here:
- if the UI does not help the user insert the proper mapping between
devices (which cloudforms already knows) and keys, then it's a
problem of the UI
- users can make typos even with your solution
- if the keys are provided without the UI in a machine-parseable format
already, it means the user is bypassing the UI and choosing to
"go low-level" on they own already
> Please split this patch in two:
> - multiple keys for the same device
> - keys for all devices
This still stands.
--
Pino Toscano
8:46 a.m.
New subject: [PATCH 2/2] options: Allow multiple --key parameters and default keys.
On Mon, Nov 18, 2019 at 12:11:15PM +0100, Pino Toscano wrote:
On Saturday, 16 November 2019 09:33:21 CET Richard W.M. Jones wrote:
> It's considerably more convenient for callers if they don't have to
> store this mapping between opaque libguestfs device names (a concept
> which is meaningless to most users and to the software which
> orchestrates virt-v2v at scale), and keys.
We use devices already for various things, including partitions and
(in this case) devices for keys. If you use libguestfs tools (virt-v2v
included) then you need to care about them, so "callers are dumb" is
not one of the best arguments you can come up with.
In practical terms this would mean IMS has to do a new round trip
where we would have to do libguestfs inspection on guests before they
are presented in the UI, which is a whole bunch of work, and I still
don't understand why this would be necessary.
> Also there's no actual penalty to making this feature
available, it's
> a natural extension which falls out from the implementation, and it
> doesn't affect performance unless the caller adds multiple --key
> parameters. It's also how LUKS itself works if you enable
> decrypt_keyctl in crypttab.
This is not about performance or how LUKS works (which both are
irrelevant for libguestfs users), but rather about explicitly specifying
a secret only to its target.
In the case where you run virt-v2v --key --key ... then the secrets
are only passed to a single VM. So even if it was possible for the VM
to capture these keys, it would only be capturing keys used by its own
disks. I really don't understand what could be the problem with this.
> > Also, this makes it possible so
> > in case of two similar guests like:
> > - /dev/sda1 with key "key1", and /dev/sda2 with key "key2"
> > - /dev/sda1 with key "key2", and /dev/sda2 with key "key1"
> > the above command like will work in the same way, with no indication of
> > which key was successfully used for which device -- so you can silently
> > swap the first guest for the second with no changes to the v2v command
> > line...
>
> I didn't understand this. It seems an unlikely scenario in the first
> place, and has no ill effects even if it does occur.
I disagree with your assessment. Let's say that the first guest gets a
new encypted partition with coincidentally the same key as /dev/sda1:
I do not want that with a wildcard --key that device is silently opened
without the user acting and explicitly saying "this is the key for this
device" -- even if it is the same as another device.
OK so I believe you are worried that someone uses the same --key
option against two different guests. But how is that any different
from now? They could still accidentally reuse a key between guests
even the way it works right now.
In any case I don't understand how the guest could capture or save the
key, so I don't understand what the specific danger is.
> > What's the use case for this?
>
> So that IMS doesn't have to collect an exact mapping between opaque
> libguestfs device names and keys, which will require some user to have
> to enter device names that they don't understand into a UI without any
> making typos rather than just supplying a list of keys that apply to a
> single guest.
Few things here:
- if the UI does not help the user insert the proper mapping between
devices (which cloudforms already knows) and keys, then it's a
problem of the UI
The problem is cloudforms doesn't really know libguestfs device names.
It knows something about devices and partitions, but those are derived
from SSA not libguestfs.
- users can make typos even with your solution
If they typo the passphrase I guess everyone will expect it not to
work. The problem is if they typo "/dev/sda2" which they have no idea
about.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org
1831
days inactive
1837
days old
7 comments
2 participants
participants (2)
-
Pino Toscano -
Richard W.M. Jones