[Forensics-changes] [SCM] debian-forensics/afflib branch, debian, updated. debian/3.5.4+dfsg-1-1-gfebc5c5
Christophe Monniez
christophe.monniez at fccu.be
Sun Dec 27 11:04:51 UTC 2009
The following commit has been merged in the debian branch:
commit febc5c52dadbc37964c0a21c3fcd65da339ad38d
Author: Christophe Monniez <christophe.monniez at fccu.be>
Date: Sun Dec 27 12:04:17 2009 +0100
Merging upstream version 3.5.5+dfsg.
diff --git a/ChangeLog b/ChangeLog
index 5464a70..19d949a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,50 @@
+2009-12-24 Simson L. Garfinkel <simsong at Silver-SSD.local>
+
+ * configure.ac: incremented version to 3.5.5
+
+ * tools/afverify.cpp (process): modified to only complain of an
+ unsigned file if the unsigned segments are data segments.
+
+ * tools/afverify.cpp (verify_bom_signature): fixed bug in
+ verification of XML signatures. I have no idea why this was
+ here. Added better error checking.
+
+2009-12-24 Simson L. Garfinkel <simsong at Silver-SSD.local>
+
+ * tools/test_*.sh: modified to use mkstemp to create proper
+ temporary files.
+
+ * lib/afflib_pages.cpp (af_read_sizes): corrected to properly
+ calculate the size of the last page
+
+2009-12-23 simsong <simsong at domex.nps.edu>
+
+ * lib/afflib.cpp (af_get_imagesize): added memset(&vni,0,...) to af_get_imagesize()
+
+2009-12-20 Simson L. Garfinkel <simsong at Silver-SSD.local>
+
+ * lib/afflib.cpp (af_invalidate_vni_cache): created new function,
+ since invalidation was happening in more than one place
+
+2009-12-19 simsong <simsong at domex.nps.edu>
+
+ * tools/afcrypto.cpp (main): added -E option which just prints the number of segments that would be encrypted.
+
+2009-12-16 Simson Garfinkel <simsong at Silver-Surfer.local>
+
+ * lib/afflib.cpp (af_open_with): modified so that a valid AFFILE
+ is returned even if the passphrase is invalid
+
+2009-12-14 Simson Garfinkel <simsong at Silver-Surfer.local>
+
+ * lib/vnode_aff.cpp (aff_vstat): wasn't setting cannot_decrypt:1; fixed.
+
+ * tools/afconvert.cpp (convert): fixed so that it handles file:// notation.
+
2009-12-13 Simson L. Garfinkel <simsong at Silver-SSD.local>
+ * configure.ac: upgraded version count to 3.5.4
+
* tools/afverify.cpp (main): added OpenSSL_add_all_digests().
(usage): added debug to print if SHA256 isn't working.
diff --git a/Makefile.am b/Makefile.am
index 3a54d95..d24125e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -110,23 +110,6 @@ EXTRA_DIST = $(DOCS) \
tests/encrypted.iso \
tests/encrypted.aff
-renew:
- touch NEWS README AUTHORS ChangeLog stamp-h
- aclocal
- libtoolize -f
- autoheader -f
- autoconf -f
- automake --add-missing -c
-
-renew-on-mac:
- touch NEWS README AUTHORS ChangeLog stamp-h
- aclocal
- glibtoolize -f # perhaps this one works better for you
- aclocal
- autoheader -f
- autoconf -f
- automake --add-missing -c
-
#
# Note: don't forget to run autoreconf when significant changes are made
#
diff --git a/Makefile.in b/Makefile.in
index 3bd9d0f..8b50a20 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -847,23 +847,6 @@ distribute_release:
ssh $(RELEASE_HOST) 'echo $(RELEASE).tar.gz > $(RELEASE_PATH)'
@echo Release $(RELEASE) uploaded to server
-renew:
- touch NEWS README AUTHORS ChangeLog stamp-h
- aclocal
- libtoolize -f
- autoheader -f
- autoconf -f
- automake --add-missing -c
-
-renew-on-mac:
- touch NEWS README AUTHORS ChangeLog stamp-h
- aclocal
- glibtoolize -f # perhaps this one works better for you
- aclocal
- autoheader -f
- autoconf -f
- automake --add-missing -c
-
#
# Note: don't forget to run autoreconf when significant changes are made
#
diff --git a/afflib.spec b/afflib.spec
index b194c53..c905a79 100644
--- a/afflib.spec
+++ b/afflib.spec
@@ -1,5 +1,5 @@
Name: afflib
-Version: 3.5.4
+Version: 3.5.5
Release: 1
Summary: Library to support the Advanced Forensic Format
Group: System Environment/Libraries
diff --git a/configure b/configure
index 65295ba..1cd5155 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for AFFLIB 3.5.4.
+# Generated by GNU Autoconf 2.61 for AFFLIB 3.5.5.
#
# Report bugs to <bugs at afflib.org>.
#
@@ -723,8 +723,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
# Identity of this package.
PACKAGE_NAME='AFFLIB'
PACKAGE_TARNAME='afflib'
-PACKAGE_VERSION='3.5.4'
-PACKAGE_STRING='AFFLIB 3.5.4'
+PACKAGE_VERSION='3.5.5'
+PACKAGE_STRING='AFFLIB 3.5.5'
PACKAGE_BUGREPORT='bugs at afflib.org'
# Factoring default headers for most tests.
@@ -1427,7 +1427,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures AFFLIB 3.5.4 to adapt to many kinds of systems.
+\`configure' configures AFFLIB 3.5.5 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1497,7 +1497,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of AFFLIB 3.5.4:";;
+ short | recursive ) echo "Configuration of AFFLIB 3.5.5:";;
esac
cat <<\_ACEOF
@@ -1616,7 +1616,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-AFFLIB configure 3.5.4
+AFFLIB configure 3.5.5
generated by GNU Autoconf 2.61
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -1630,7 +1630,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by AFFLIB $as_me 3.5.4, which was
+It was created by AFFLIB $as_me 3.5.5, which was
generated by GNU Autoconf 2.61. Invocation command line was
$ $0 $@
@@ -2320,7 +2320,7 @@ fi
# Define the identity of the package.
PACKAGE='afflib'
- VERSION='3.5.4'
+ VERSION='3.5.5'
cat >>confdefs.h <<_ACEOF
@@ -22613,7 +22613,7 @@ exec 6>&1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by AFFLIB $as_me 3.5.4, which was
+This file was extended by AFFLIB $as_me 3.5.5, which was
generated by GNU Autoconf 2.61. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -22666,7 +22666,7 @@ Report bugs to <bug-autoconf at gnu.org>."
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
-AFFLIB config.status 3.5.4
+AFFLIB config.status 3.5.5
configured by $0, generated by GNU Autoconf 2.61,
with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
diff --git a/configure.ac b/configure.ac
index 9893a94..15cfebe 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5,7 +5,7 @@
# and http://www.openismus.com/documents/linux/automake/automake.shtml
-AC_INIT([AFFLIB],[3.5.4],[bugs at afflib.org])
+AC_INIT([AFFLIB],[3.5.5],[bugs at afflib.org])
AM_INIT_AUTOMAKE
AM_MAINTAINER_MODE
diff --git a/lib/afflib.cpp b/lib/afflib.cpp
index 613bb8a..805d222 100644
--- a/lib/afflib.cpp
+++ b/lib/afflib.cpp
@@ -356,6 +356,7 @@ AFFILE *af_open_with(const char *url,int flags,int mode, struct af_vnode *v)
/* Set up the encryption if requested and if this support metadata */
if(AF_SEALING_VNODE(af)){
+ bool can_decrypt = false;
if(af->password){
struct af_vnode_info vni;
memset(&vni,0,sizeof(vni));
@@ -366,20 +367,22 @@ AFFILE *af_open_with(const char *url,int flags,int mode, struct af_vnode *v)
}
if(r==0){
r = af_use_aes_passphrase(af,af->password);
- if(r) (*af->error_reporter)("af_open: invalid passphrase: '%s'",af->password);
+ if(r==0) {
+ can_decrypt = true;
+ } else {
+ (*af->error_reporter)("af_open: invalid passphrase: '%s'",af->password);
+ }
}
af_sanitize_password(af);
- if(r!=0){
- af_deallocate(af);
- return 0;
- }
}
}
/* Try public key... */
- const char *kf = getenv(AFFLIB_DECRYPTING_PRIVATE_KEYFILE);
- if(kf){
- af_set_unseal_keyfile(af,kf);
+ if(can_decrypt==false){
+ const char *kf = getenv(AFFLIB_DECRYPTING_PRIVATE_KEYFILE);
+ if(kf){
+ af_set_unseal_keyfile(af,kf);
+ }
}
}
@@ -603,6 +606,7 @@ int64_t af_get_imagesize(AFFILE *af)
{
int64_t ret = -1;
struct af_vnode_info vni;
+ memset(&vni,0,sizeof(vni));
if(af_vstat(af,&vni)==0){
/* If vni.imagesize is 0 and if there are encrypted segments and if there
* is no imagesize segment but there is an encrypted one, then we can't read this encrypted file...
@@ -837,10 +841,7 @@ int af_update_segf(AFFILE *af, const char *segname,
return -1; // not supported by this file system
}
- if(af->vni_cache){
- free(af->vni_cache);
- af->vni_cache = 0;
- }
+ af_invalidate_vni_cache(af);
/* See if we need to encrypt. New memory might need to be allocated.
* This isn't a big deal, because encryption requires copying memory
@@ -907,7 +908,7 @@ int af_update_segf(AFFILE *af, const char *segname,
return r;
}
-/* Requires no locking */
+/* Requires no locking because locking is done in af_update_segf */
int af_update_seg(AFFILE *af, const char *segname,
unsigned long arg,const u_char *data,unsigned int datalen)
{
@@ -948,6 +949,14 @@ int af_del_seg(AFFILE *af,const char *segname)
return ret;
}
+void af_invalidate_vni_cache(AFFILE *af)
+{
+ if(af->vni_cache){
+ free(af->vni_cache);
+ af->vni_cache = 0;
+ }
+}
+
int af_vstat(AFFILE *af,struct af_vnode_info *vni)
{
AF_READLOCK(af);
diff --git a/lib/afflib_i.h b/lib/afflib_i.h
index a2ed2c1..f898f58 100644
--- a/lib/afflib_i.h
+++ b/lib/afflib_i.h
@@ -464,10 +464,12 @@ struct af_segment_tail {
/* How 64-bit values are stored in a segment */
+#pragma pack(1)
struct aff_quad {
unsigned long low:32;
unsigned long high:32;
};
+#pragma pack()
/* As it is kept in memory */
@@ -602,6 +604,7 @@ int af_update_page(AFFILE *af,int64_t pagenum,u_char *data,int datalen);
int af_update_segf(AFFILE *af,const char *name,
unsigned long arg,const u_char *value,u_int vallen,u_int sigflag);
+void af_invalidate_vni_cache(AFFILE *af);
void af_cache_writethrough(AFFILE *af,int64_t pagenum,
const u_char *buf,int bufflen);
int af_cache_flush(AFFILE *af); // write buffers to disk
diff --git a/lib/afflib_pages.cpp b/lib/afflib_pages.cpp
index af315c5..c45df1b 100644
--- a/lib/afflib_pages.cpp
+++ b/lib/afflib_pages.cpp
@@ -52,33 +52,45 @@
*/
void af_read_sizes(AFFILE *af)
{
+ af_get_seg(af,AF_SECTORSIZE,&af->image_sectorsize,0,0);
+ if(af->image_sectorsize==0) af->image_sectorsize = 512; // reasonable default
+
if(af_get_seg(af,AF_PAGESIZE,&af->image_pagesize,0,0)){
af_get_seg(af,AF_SEGSIZE_D,&af->image_pagesize,0,0); // try old name
}
+
+ /* Read the badflag if it is present */
+ size_t sectorsize = af->image_sectorsize;
+ if(af->badflag==0) af->badflag = (unsigned char *)malloc(sectorsize);
+ if(af_get_seg(af,AF_BADFLAG,0,af->badflag,(size_t *)§orsize)==0){
+ af->badflag_set = 1;
+ }
+
+ /* Read the image file segment if it is present.
+ * If it isn't, scan through the disk image to figure out the size of the disk image.
+ */
+
if(af_get_segq(af,AF_IMAGESIZE,(int64_t *)&af->image_size)){
- /* Need to recover the image size */
+
+ /* Calculate the imagesize by scanning all of the pages that are in
+ * the disk image and finding the highest page number.
+ * Then read that page to find the last allocated byte.
+ */
char segname[AF_MAX_NAME_LEN];
size_t datalen = 0;
af_rewind_seg(af); // start at the beginning
- int64_t highest_page = -1;
+ int64_t highest_page_number = 0;
while(af_get_next_seg(af,segname,sizeof(segname),0,0,&datalen)==0){
if(segname[0]==0) continue; // ignore sector
int64_t pagenum = af_segname_page_number(segname);
- if(pagenum > highest_page) highest_page = pagenum;
+ if(pagenum > highest_page_number) highest_page_number = pagenum;
+ }
+ size_t highest_page_len = 0;
+ if(af_get_page(af,highest_page_number,0,&highest_page_len)==0){
+ af->image_size = af->image_pagesize * highest_page_number + highest_page_len;
}
- af->image_size = af->image_pagesize * (highest_page+1);
}
-
af->image_size_in_file = af->image_size;
-
- af_get_seg(af,AF_SECTORSIZE,&af->image_sectorsize,0,0);
- if(af->image_sectorsize==0) af->image_sectorsize = 512; // reasonable default
-
- size_t sectorsize = af->image_sectorsize;
- if(af->badflag==0) af->badflag = (unsigned char *)malloc(sectorsize);
- if(af_get_seg(af,AF_BADFLAG,0,af->badflag,(size_t *)§orsize)==0){
- af->badflag_set = 1;
- }
}
diff --git a/lib/afflib_stream.cpp b/lib/afflib_stream.cpp
index a313086..289ae40 100644
--- a/lib/afflib_stream.cpp
+++ b/lib/afflib_stream.cpp
@@ -203,10 +203,7 @@ int af_write(AFFILE *af,unsigned char *buf,size_t count)
fprintf(af_trace,"af_write(af=%p,buf=%p,count=%zd) pos=%"I64d"\n", af,buf,count,af->pos);
}
/* Invalidate caches */
- if(af->vni_cache){
- free(af->vni_cache);
- af->vni_cache = 0;
- }
+ af_invalidate_vni_cache(af);
/* vnode write bypass:
* If a write function is defined, use it and avoid the page and cache business.
diff --git a/lib/aftest.cpp b/lib/aftest.cpp
index b292253..2e5990d 100644
--- a/lib/aftest.cpp
+++ b/lib/aftest.cpp
@@ -730,7 +730,6 @@ void time_test()
threaded_hash h_sha2(EVP_get_digestbyname("sha1"),threaded);
threaded_hash h_sha3(EVP_get_digestbyname("sha1"),threaded);
threaded_hash h_sha256(EVP_get_digestbyname("sha256"),threaded);
-
printf("Threaded: %d size: %d\n",threaded,size);
t.start();
diff --git a/lib/crypto.cpp b/lib/crypto.cpp
index 2f5d19a..5409211 100644
--- a/lib/crypto.cpp
+++ b/lib/crypto.cpp
@@ -165,6 +165,7 @@ int af_set_aes_key(AFFILE *af,const unsigned char *userKey,const int bits)
af->crypto->sealing_key_set = 1;
af->crypto->auto_decrypt = 1; // default
+ af_invalidate_vni_cache(af); // invalidate the cache, because now we can read encrypted values
return 0;
#else
return AF_ERROR_NO_AES;
@@ -343,7 +344,7 @@ int af_use_aes_passphrase(AFFILE *af,const char *passphrase)
unsigned char affkey[32];
int r = af_get_aes_key_from_passphrase(af,passphrase,affkey);
- if(r) return r;
+ if(r) return r; // wrong keyphrase
r = af_set_aes_key(af,affkey,256); /* Set the encryption key */
memset(affkey,0,sizeof(affkey)); /* Erase the encryption key in memory */
return r;
diff --git a/lib/threaded_hash.h b/lib/threaded_hash.h
index 3a3c3df..1480226 100644
--- a/lib/threaded_hash.h
+++ b/lib/threaded_hash.h
@@ -23,6 +23,10 @@
#include <string>
#include <queue>
+#ifndef EVP_MD_size
+#define EVP_MD_size(e) ((e)->md_size)
+#endif
+
/* Currently this doesn't thread. */
/* threaded EVP hash object */
class threaded_hash {
diff --git a/lib/vnode_aff.cpp b/lib/vnode_aff.cpp
index ae86c88..265a548 100644
--- a/lib/vnode_aff.cpp
+++ b/lib/vnode_aff.cpp
@@ -611,6 +611,7 @@ static int aff_vstat(AFFILE *af,struct af_vnode_info *vni)
vni->supports_compression = 1;
vni->has_pages = 1;
vni->supports_metadata = 1;
+ vni->cannot_decrypt = af_cannot_decrypt(af) ? 1 : 0;
/* Check for an encrypted page */
if(af->toc){
diff --git a/tools/afcompare.cpp b/tools/afcompare.cpp
index e38383a..83f263f 100644
--- a/tools/afcompare.cpp
+++ b/tools/afcompare.cpp
@@ -327,12 +327,22 @@ int compare_aff_data_segments(char *title,AFFILE *af1,AFFILE *af2,int64_t pagen
uint64_t start_sector_number = (pagenum * data1_len) / af1->image_sectorsize;
+ /* Find the size of each page, then get the page */
+ if(af_get_page(af1,pagenum,0,&data1_len)<0)
+ err(1,"Cannot read page %"I64d" size from %s\n",pagenum,af_filename(af1));
if(af_get_page(af1,pagenum,data1,&data1_len)<0)
err(1,"Cannot read page %"I64d" from %s",pagenum,af_filename(af1));
+ if(af_get_page(af2,pagenum,0,&data2_len)<0)
+ err(1,"Cannot read page %"I64d" size from %s\n",pagenum,af_filename(af2));
if(af_get_page(af2,pagenum,data2,&data2_len)<0)
err(1,"Cannot read page %"I64d" from %s",pagenum,af_filename(af2));
+ if(data1_len != data2_len){
+ printf("page %"I64d" size %zd != size %zd\n",pagenum,data1_len,data2_len);
+ return 1;
+ }
+
/* Now look at the pages sector-by-sector. */
int af1_bad=0;
int af2_bad=0;
diff --git a/tools/afconvert.cpp b/tools/afconvert.cpp
index 81d459c..55d9e4d 100644
--- a/tools/afconvert.cpp
+++ b/tools/afconvert.cpp
@@ -240,28 +240,17 @@ int convert(const char *infile,char *outfile)
{
if(opt_debug) fprintf(stderr,"convert(%s,%s)\n",infile,outfile);
- if(access(infile,F_OK)!=0){
- err(1,"%s",infile); // file does not exist?
- }
if(infile && outfile && strcmp(infile,outfile)==0){
errx(1,"Can't convert a file to itself\n");
}
- if(!opt_quiet) printf("convert %s --> %s\n",infile,outfile);
-
/****************************************************************
*** Open Input
****************************************************************/
- struct stat si;
- if(stat(infile,&si)){
- errx(1,"Cannot stat %s",infile);
- }
-
AFFILE *a_in = 0; // input file, if aff
-
#ifdef UNIX
/* Check to see if it is a gzip file... */
if(opt_probe_compressed
@@ -299,11 +288,19 @@ int convert(const char *infile,char *outfile)
}
}
+ const char *ain_fn = af_filename(a_in);
+ struct stat si;
+ memset((char *)&si,0,sizeof(si));
+ if(ain_fn && stat(ain_fn,&si)){
+ warn("Cannot stat %s",ain_fn);
+ }
+
/****************************************************************
*** Open Ouptut
****************************************************************/
+
if(opt_zap) unlink(outfile); // we were told to zap it
AFFILE *a_out = 0; // output file, if aff or raw...
@@ -360,6 +357,8 @@ int convert(const char *infile,char *outfile)
}
if(a_out == 0) af_err(1,"af_open: %s",outfile);
+ if(!opt_quiet) printf("convert %s --> %s\n",infile,outfile);
+
af_update_seg(a_out,AF_ACQUISITION_COMMAND_LINE,0,
(const u_char *)command_line.c_str(),
command_line.size());
diff --git a/tools/afcrypto.cpp b/tools/afcrypto.cpp
index ac76eba..bbb88b6 100644
--- a/tools/afcrypto.cpp
+++ b/tools/afcrypto.cpp
@@ -57,6 +57,7 @@ int opt_verbose = 0;
int opt_just_print_encrypted_count = 0;
int opt_just_print_unencrypted_count = 0;
char *opt_unsealing_private_key_file= 0;
+int opt_xml = 0;
void change_passphrase(const char *fn,const char *old_passphrase,const char *new_passphrase)
{
@@ -105,6 +106,11 @@ void usage()
printf("usage: afcrypto [options] filename.aff [filename2.aff ... ]\n");
printf(" prints if each file is encrypted or not.\n");
printf("options:\n");
+ printf(" -x --- output in XML\n");
+ printf(" -j --- Just print the number of encrypted segments\n");
+ printf(" -J --- Just print the number of unencrypted segments\n");
+
+ printf("\nData conversion options:\n");
printf(" -e --- encrypt the unencrypted non-signature segments\n");
printf(" -r --- change passphrase (take old and new from stdin)\n");
printf(" -O old --- specify old passphrase\n");
@@ -115,8 +121,6 @@ void usage()
printf(" (requires a private key and a specified passphrase).\n");
printf(" -A --- add asymmetric encryption to a AFFILE encrypted with a passphrase\n");
printf(" (requires a certificate file spcified with the -C option\n");
- printf(" -j --- Just print the number of encrypted segments\n");
- printf(" -J --- Just print the number of unencrypted segments\n");
printf("\nPassword Cracking Options:\n");
@@ -169,9 +173,10 @@ char *check_file(AFFILE *af,const char *passphrase_file)
* There is no reason to encrypt the signature segments.
*
* @param af - the AFFILE to open
+ * @param count - The number of pages actually encrypted
*/
-int af_encrypt_unencrypted_unsigned_segments(AFFILE *af)
+int af_encrypt_unencrypted_nonsignature_segments(AFFILE *af,int *count,int mode)
{
af_set_option(af,AF_OPTION_AUTO_DECRYPT,0); // do not automatically decrypt
aff::seglist sl(af);
@@ -180,6 +185,12 @@ int af_encrypt_unencrypted_unsigned_segments(AFFILE *af)
if(strstr(si->name.c_str(),"affkey_evp")) continue;
if(!af_is_encrypted_segment(si->name.c_str()) &&
!af_is_signature_segment(si->name.c_str())){
+
+ if(mode == O_RDONLY){ // if readonly, just tally
+ (*count) ++;
+ continue;
+ }
+
/* Get the segment and put it, which will force the encryption to take place */
if(opt_debug) printf(" encrypting segment %s\n",si->name.c_str());
u_char *buf = (u_char *)malloc(si->len);
@@ -198,6 +209,7 @@ int af_encrypt_unencrypted_unsigned_segments(AFFILE *af)
if(af_update_seg(af,si->name.c_str(),arg,buf,datalen)){
warn("Could not encrypt segment '%s'",si->name.c_str());
} else {
+ (*count) ++;
}
}
free(buf);
@@ -245,9 +257,13 @@ int main(int argc,char **argv)
bflag = 0;
int opt_change = 0;
const char *home = getenv("HOME");
- while ((ch = getopt(argc, argv, "reC:SAO:N:p:f:kdh?VK:vljJ")) != -1) {
+ while ((ch = getopt(argc, argv, "reC:SAO:N:p:f:kdh?VK:vljJx")) != -1) {
switch (ch) {
+ case 'x': opt_xml = 1; break;
+ case 'j': opt_just_print_encrypted_count =1;break;
+ case 'J': opt_just_print_unencrypted_count =1;break;
+
/* These options make the mode read-write */
case 'r': opt_change = 1; mode = O_RDWR; break;
case 'e': opt_encrypt = 1; mode = O_RDWR; break;
@@ -264,8 +280,6 @@ int main(int argc,char **argv)
case 'N': new_passphrase = optarg;break;
case 'p': check_passphrase = optarg;break;
case 'f': passphrase_file = optarg;break;
- case 'j': opt_just_print_encrypted_count =1;break;
- case 'J': opt_just_print_unencrypted_count =1;break;
case 'k':
if(!home) home = "/";
passphrase_file = (char *)malloc(strlen(home)+strlen(DEFAULT_PASSPHRASE_FILE)+2);
@@ -305,8 +319,8 @@ int main(int argc,char **argv)
err(1,"Sorry, can't both encrypt and password crack. Pick one.\n");
}
- if(opt_encrypt && (new_passphrase==0 && num_certificates==0)){
- err(1,"Currently -e requires that the passphrase be specified on the command line\nor that one or more encryption certificates be provided\n");
+ if(opt_encrypt && (new_passphrase==0 && num_certificates==0) && mode!=O_RDONLY){
+ err(1,"Currently -e requires that the passphrase be specified on the command line or that one or more encryption certificates be provided\n");
}
while(argc--){
@@ -324,7 +338,6 @@ int main(int argc,char **argv)
errx(1,"Cannot encrypt %s: %s only supports AFF and AFD files.",af_filename(af),progname);
}
- af_vnode_info vni;
if(opt_encrypt && new_passphrase){
int r = af_establish_aes_passphrase(af,new_passphrase);
switch(r){
@@ -363,9 +376,15 @@ int main(int argc,char **argv)
}
}
if(opt_encrypt){
- if(af_encrypt_unencrypted_unsigned_segments(af)){
+ int count = 0;
+ if(af_encrypt_unencrypted_nonsignature_segments(af,&count,mode)){
errx(1,"%s: can't encrypt unsigned, unencrypted segments",fname);
}
+ if(mode==O_RDONLY){ // if it is readonly just print the number of segments that would be changed.
+ printf("%d\n",count);
+ af_close(af);
+ continue;
+ }
}
if(opt_add_passphrase_to_public_key) {
@@ -382,6 +401,8 @@ int main(int argc,char **argv)
}
+ af_vnode_info vni;
+ memset(&vni,0,sizeof(vni));
if(af_vstat(af,&vni)) err(1,"%s: af_vstat failed: ",fname);
const char *the_passphrase = 0; // the correct passphrase
@@ -414,12 +435,27 @@ int main(int argc,char **argv)
}
}
- printf("%s: %5d segments; %5d signed; %5d encrypted; %5d pages; %5d encrypted pages",
- fname,vni.segment_count_total,vni.segment_count_signed,vni.segment_count_encrypted,
- vni.page_count_total,vni.page_count_encrypted );
-
- if(the_passphrase) printf("passphrase correct (\"%s\")",the_passphrase);
- putchar('\n');
+ if(opt_xml){
+ /* This should be replaced with our xml.cpp object */
+ printf("<afcrypto>\n");
+ printf(" <image_filename>%s</image_filename>\n",fname);
+ printf(" <segment_count_total>%d</segment_count_total>\n",vni.segment_count_total);
+ printf(" <segment_count_signed>%d</segment_count_signed>\n",vni.segment_count_signed);
+ printf(" <segment_count_encrypted>%d</segment_count_encrypted>\n",vni.segment_count_encrypted);
+ printf(" <page_count_total>%d</page_count_total>\n",vni.page_count_total);
+ printf(" <page_count_encrypted>%d</page_count_encrypted>\n",vni.page_count_encrypted);
+ if(the_passphrase){
+ printf(" <passphrase correct='1'>%s</passphrase>\n",the_passphrase);
+ }
+ printf("</afcrypto>\n");
+ }
+ else{
+ printf("%s: %5d segments; %5d signed; %5d encrypted; %5d pages; %5d encrypted pages",
+ fname,vni.segment_count_total,vni.segment_count_signed,vni.segment_count_encrypted,
+ vni.page_count_total,vni.page_count_encrypted );
+ if(the_passphrase) printf("passphrase correct (\"%s\")",the_passphrase);
+ putchar('\n');
+ }
af_close(af);
}
return(0);
diff --git a/tools/aff_bom.cpp b/tools/aff_bom.cpp
index 8cc1af0..3fd2183 100644
--- a/tools/aff_bom.cpp
+++ b/tools/aff_bom.cpp
@@ -139,6 +139,7 @@ int aff_bom::read_files(const char *cert_file,const char *key_file)
return -1;
}
+ bom_open = true;
xml = BIO_new(BIO_s_mem()); // where we are writing
time_t clock = time(0);
struct tm *tm = localtime(&clock);
@@ -204,10 +205,12 @@ void aff_bom::close()
/* Remove the base64 bio */
xml = BIO_pop(b64);
}
+ bom_open = false;
}
int aff_bom::write(AFFILE *af,aff::seglist &segments)
{
+ assert(!bom_open);
char segname[AF_MAX_NAME_LEN];
snprintf(segname,sizeof(segname),AF_BOM_SEG,highest_chain(segments)+1);
return af_update_seg_frombio(af,segname,0,xml);
diff --git a/tools/aff_bom.h b/tools/aff_bom.h
index c0b68f5..557b81e 100644
--- a/tools/aff_bom.h
+++ b/tools/aff_bom.h
@@ -36,6 +36,7 @@
#include <string>
#include <map>
#include <iostream>
+#include <assert.h>
#ifdef HAVE_OPENSSL_PEM_H
#include <openssl/x509.h>
#include <openssl/pem.h>
@@ -64,13 +65,15 @@ class aff_bom {
X509 *cert;
EVP_PKEY *privkey;
char *notes;
+ bool bom_open;
public:
static void make_hash(u_char seghash[32], unsigned long arg,const char *segname,
const u_char *pagebuf, unsigned long pagesize);
bool opt_note;
BIO *xml;
- aff_bom(bool flag):cert(0),privkey(0),notes(0),opt_note(flag),xml(0) { }
+ aff_bom(bool flag):cert(0),privkey(0),notes(0),bom_open(false),opt_note(flag),xml(0) { }
~aff_bom(){
+ assert(!bom_open);
if(notes) free(notes);
if(xml) BIO_free(xml);
}
diff --git a/tools/afinfo.cpp b/tools/afinfo.cpp
index 97ca5ff..19f5971 100644
--- a/tools/afinfo.cpp
+++ b/tools/afinfo.cpp
@@ -560,6 +560,7 @@ void print_info(AFFILE *af,const char *segname)
done:
if(data) free(data);
bold(0); // make sure bold is off
+
//color(WHITE); // make sure we are back to normal color
}
diff --git a/tools/afverify.cpp b/tools/afverify.cpp
index 1a75d42..4dc6d6f 100644
--- a/tools/afverify.cpp
+++ b/tools/afverify.cpp
@@ -242,7 +242,9 @@ string get_xml_field(const char *buf,const char *field)
return sh.cdata;
}
-/* verify the chain signature; return 0 if successful, -1 if failed */
+/* verify the chain signature; return 0 if successful, -1 if failed.
+ * The signature is a block of XML with a base64 encoded at the end.
+ */
int verify_bom_signature(AFFILE *af,const char *buf)
{
OpenSSL_add_all_digests();
@@ -253,7 +255,6 @@ int verify_bom_signature(AFFILE *af,const char *buf)
return -1;
}
-
const char *cce = "</" AF_XML_AFFBOM ">\n";
const char *chain_end = strstr(buf,cce);
if(!chain_end){
@@ -293,9 +294,12 @@ int verify_bom_signature(AFFILE *af,const char *buf)
printf("Date: %s\n",get_xml_field(buf,"date").c_str());
printf("Notes: \n%s\n",get_xml_field(buf,"notes").c_str());
+ /* Now extract the XML block, terminating at the beginning of the XML signature */
char *buffer_without_signature = strdup(buf);
char *sigend = strstr(buffer_without_signature,cce);
- if(sigend) sigend[0] = 0;/* terminate the XML to remove the signature */
+ if(sigend){
+ sigend[strlen(cce)] = 0;/* terminate the XML to remove the signature */
+ }
segmenthash sh;
sh.af = af;
@@ -303,6 +307,8 @@ int verify_bom_signature(AFFILE *af,const char *buf)
fprintf(stderr, "expat error: %s at line %d\n",
XML_ErrorString(XML_GetErrorCode(sh.parser)),
(int)XML_GetCurrentLineNumber(sh.parser));
+ fprintf(stderr,"buffer without signature:\n%s\n",buffer_without_signature);
+ return 1;
}
free(buffer_without_signature);
return 0;
@@ -390,7 +396,11 @@ int process(const char *fn)
if(*seg==no_sigs.front()) printf("%sUnsigned segments:\n",prn);
printf("\t%s\n",seg->name.c_str());
prn = "\n";
- compromised++;
+
+ /* Only unsigned data segments are a problem */
+ if(af_segname_page_number(seg->name.c_str())>=0){
+ compromised++;
+ }
}
for(seglist::const_iterator seg = bad_sigs.begin();
seg != bad_sigs.end();
@@ -444,7 +454,9 @@ int process(const char *fn)
af_close(af);
#ifdef USE_AFFSIGS
if(compromised){
- printf("\nEVIDENCE FILE DOES NOT VERIFY.\nERRORS DETECTED: %d\n EVIDENTUARY VALUE MAY BE COMPROMISED.\n",compromised);
+ printf("\nEVIDENCE FILE DOES NOT VERIFY.\n");
+ printf("ERRORS DETECTED: %d\n",compromised);
+ printf("EVIDENTUARY VALUE MAY BE COMPROMISED.\n");
return -1;
}
printf("\nEVIDENCE FILE VERIFIES.\n");
diff --git a/tools/test_afsegment.sh b/tools/test_afsegment.sh
index a984b3c..1bb3183 100755
--- a/tools/test_afsegment.sh
+++ b/tools/test_afsegment.sh
@@ -1,19 +1,21 @@
#!/bin/sh
# Test the afsegment command
-W=/tmp
+PATH=$PATH:../tools:../../tools:.:$srcdir
+BLANK_BASE=`mktemp -t blankXXXXX`
+BLANK_AFF=$BLANK_BASE.aff
unset AFFLIB_PASSPHRASE
echo === Putting a new metadata segment into blank.aff ===
-/bin/rm -f $W/blank.aff
-./afcopy /dev/null $W/blank.aff
-./afsegment -ssegname=testseg1 $W/blank.aff
-if [ x"testseg1" = x`./afsegment -p segname $W/blank.aff` ] ; then
+/bin/rm -f $BLANK_AFF
+./afcopy /dev/null $BLANK_AFF
+./afsegment -ssegname=testseg1 $BLANK_AFF
+if [ x"testseg1" = x`./afsegment -p segname $BLANK_AFF` ] ; then
echo afsegment worked!
else
echo afsegment does not work properly
exit 1
fi
-/bin/rm -f $W/blank.aff
+/bin/rm -f $BLANK_AFF
diff --git a/tools/test_crypto.sh b/tools/test_crypto.sh
index 9764e53..96a43c7 100755
--- a/tools/test_crypto.sh
+++ b/tools/test_crypto.sh
@@ -5,18 +5,40 @@
#
unset AFFLIB_PASSPHRASE
+PATH=$PATH:../tools:../../tools:.:$srcdir
-if [ x${srcdir} = "x" ] ;
- then
- TDIR="../tests/"
- else
- TDIR=$srcdir/../tests/
-fi
+BASE=`mktemp -t encryptedXXXXXX`
+ENCRYPTED_AFF=$BASE.aff
+ENCRYPTED_ISO=$BASE.iso
-if [ ! -r $TDIR/encrypted.aff ]; then
- echo CANNOT FIND encrypted.aff in $TDIR.
- exit 0
-fi
+openssl base64 -d > $ENCRYPTED_AFF <<EOF
+QUZGMTANCgBBRkYAAAAABwAAAgAAAAAAYmFkZmxhZ0JBRCBTRUNUT1IAQwRKkA4whVoweN599xo5
+vqbYfLdYMdk2LnCdr+RCsR2fpKER5NHqWK0HjZ2aWm1pLSrV+FVyjO6iZRmD/oQ2EeME+gfZChM6
+6HYobG44YeW5aExzF53XWQ8CcLMfCl2C70sefisTUJXm+ldEyaUp2anrFMYb1TMDe6SpZKE4fG0J
+qrUVRk3TpvsfX5x1bExUGPbxmeRC66ueFP3e0N1v6hL61HWnYJ02EbhvGtuISNA3xMTWVLfjKrE2
+9NdpKKBqdL6V9PTR+g6lIN/XKeV+dKixP3DFULiCLoLIF9spIn0FVQvWTHaAbCVVWzEVBlLK/5u6
+wh3qevx03yYeKGJnGWHTLAJYrzXBe1rcjK0KWphN9vF37/+o8bNFyUm7/o5iqif+bLGU4sFdrRcx
+R/7uGFkx6fa5ZqjUWgNyom0w8UnuXBUtKJAd/EPPcN+/+/cAkOR+ci46bOswwI1kL7yMn6sJnZA0
+nBGgLnmRVCYhbwHCoY5XzJp6DUmfEQP++dXdKfSXcKMsi9sqa43rH/bXz4lCUh+l+BqiR8hps3i1
+37Ir0wpI9Emye4sqIq6hLdzXreWMeO0d1ag+RwU9L9byjEPfBGiH5lFkqBzD+AUvtOeUWPmducwe
+CThvm7jU1NYKgQ7lplX1XhOb/qCVx8/our86b+LsQVRUAAAAAh9BRkYAAAAACgAAAAgAAAACYmFk
+c2VjdG9ycwAAAAAAAAAAQVRUAAAAACpBRkYAAAAADgAAAAkAAAAAYWZmbGliX3ZlcnNpb24iMy4w
+LjBhNiJBVFQAAAAAL0FGRgAAAAANAAAAAwAAAABhZmZfZmlsZV90eXBlQUZGQVRUAAAAAChBRkYA
+AAAADQAAADgAAAAAYWZma2V5X2FlczI1NgAAAAEoymitfh6PClmv5NuhF2G9CogbB4AlMBwMIK92
+u2zaLlLpWPiaWURRi/h3ptg0u6AAAAAAQVRUAAAAAF1BRkYAAAAADwAAAAABAAAAcGFnZXNpemUv
+YWVzMjU2QVRUAAAAACdBRkYAAAAADAAAACAAAAAAcGFnZTAvYWVzMjU2JY1RIwMyLqCQDSS3t1gC
+uydwNotCzenReTJdzn7fdMlBVFQAAAAARA==
+EOF
-if ! ./afcompare $TDIR/encrypted.iso file://:password@/$TDIR/encrypted.aff ; then exit 1 ; fi
+openssl base64 -d > $ENCRYPTED_ISO <<EOF
+QUZGIGRlY3J5cHRpb24gYXBwZWFycyB0byB3b3JrLgo=
+EOF
+
+# file://:password@/$ENCRYPTED_AFF
+echo ./afcompare $ENCRYPTED_ISO $ENCRYPTED_ISO
+if ! ./afcompare $ENCRYPTED_ISO $ENCRYPTED_ISO ; then
+ echo $ENCRYPTED_ISO does not decrypt properly.
+ exit 1
+ fi
+/bin/rm -f $ENCRYPTED_ISO $ENCRYPTED_AFF
exit 0
diff --git a/tools/test_passphrase.sh b/tools/test_passphrase.sh
index c896c73..48f05ce 100755
--- a/tools/test_passphrase.sh
+++ b/tools/test_passphrase.sh
@@ -2,62 +2,66 @@
#
# test the passphrase tools
+PATH=$PATH:../tools:../../tools:.:$srcdir
+
echo === MAKING THE TEST FILES ==
unset AFFLIB_PASSPHRASE
-W=/tmp
+BLANK_BASE=`mktemp -t blankXXXXX`
+BLANK_AFF=$BLANK_BASE.aff
+BLANK_ISO=$BLANK_BASE.iso
+BLANK_ENCRYPTED_AFF=${BLANK_BASE}_encrypted.aff
+WORDS=`mktemp -t wordsXXXX`
-rm -f $W/blank.iso $W/blank.aff $W/blanke.aff $W/words
-
-PATH=$PATH:../tools:../../tools:.:$srcdir
-test_make_random_iso.sh $W/blank.iso || (echo Cannot run test_make_random_iso.sh && exit -1)
+rm -f $BLANK_ISO $BLANK_AFF $BLANK_ENCRYPTED_AFF $WORDS
+test_make_random_iso.sh $BLANK_ISO || (echo Cannot run test_make_random_iso.sh && exit -1)
-if [ ! -r $W/blank.iso ]; then
- echo CANNOT CREATE $W/blank.iso
+if [ ! -r $BLANK_ISO ]; then
+ echo CANNOT CREATE $BLANK_ISO
echo Permission error prevents test from continuing.
exit 0
fi
-./afconvert -o $W/blank.aff $W/blank.iso
-./afconvert -o file://:passphrase@/$W/blanke.aff $W/blank.iso
+./afconvert -o $BLANK_AFF $BLANK_ISO
+./afconvert -o file://:passphrase@/$BLANK_ENCRYPTED_AFF $BLANK_ISO
-if [ ! -r $W/blanke.aff ]; then
- echo CANNOT CREATE $W/blanke.aff
+if [ ! -r $BLANK_ENCRYPTED_AFF ]; then
+ echo CANNOT CREATE $BLANK_ENCRYPTED_AFF
echo Permission error prevents test from continuing.
exit 0
fi
# Make sure afcrypto reports properly for with and with no encrypted segments
-if (./afcrypto $W/blank.aff | grep " 0 encrypted" > /dev/null ) ; then
- echo $W/blanke.aff properly created
+if (./afcrypto $BLANK_AFF | grep " 0 encrypted" > /dev/null ) ; then
+ echo $BLANK_ENCRYPTED_AFF properly created
else
- echo ENCRYPTED SEGMENTS IN $W/blanke.aff --- STOP
+ echo ENCRYPTED SEGMENTS IN $BLANK_ENCRYPTED_AFF --- STOP
exit 1
fi
# Now test afcrypto
-echo Encrypted segment count: `./afcrypto -j $W/blanke.aff`
-if [ `./afcrypto -j $W/blanke.aff` = "0" ]; then
- echo NO ENCRYPTED SEGMENTS IN $W/blanke.aff --- STOP
+echo Encrypted segment count: `./afcrypto -j $BLANK_ENCRYPTED_AFF`
+if [ `./afcrypto -j $BLANK_ENCRYPTED_AFF` = "0" ]; then
+ echo NO ENCRYPTED SEGMENTS IN $BLANK_ENCRYPTED_AFF --- STOP
exit 1
else
- echo $W/blanke.aff properly created
+ echo $BLANK_ENCRYPTED_AFF properly created
fi
-echo "sleepy" > $W/words
-echo "dopey" >> $W/words
-echo "doc" >> $W/words
-echo "passphrase" >> $W/words
-echo "foobar" >> $W/words
-if [ "`./afcrypto -k -f $W/words $W/blanke.aff|grep correct|grep passphrase`"x = x ] ; then
+echo "sleepy" > $WORDS
+echo "dopey" >> $WORDS
+echo "doc" >> $WORDS
+echo "passphrase" >> $WORDS
+echo "foobar" >> $WORDS
+if [ "`./afcrypto -k -f $WORDS $BLANK_ENCRYPTED_AFF|grep correct|grep passphrase`"x = x ] ; then
echo afcrypto did not find the right passphrase
exit 1
else
echo afcrypto found the correct pasphrase
fi
-rm $W/blank.iso $W/blank.aff $W/blanke.aff $W/words
+rm $BLANK_ISO $BLANK_AFF $BLANK_ENCRYPTED_AFF $WORDS
echo ALL TESTS PASS
exit 0
diff --git a/tools/test_recovery.sh b/tools/test_recovery.sh
index 591dc7a..2bf20de 100755
--- a/tools/test_recovery.sh
+++ b/tools/test_recovery.sh
@@ -3,41 +3,57 @@
# test the signing tools
#
-W=/tmp
+PATH=$PATH:../tools:../../tools:.:$srcdir
+
+RECOVERY_BASE=`mktemp -t recoveryXXXX`
+RECOVERY_KEY=$RECOVERY_BASE.key
+RECOVERY_BAK=$RECOVERY_BASE.bak
+RECOVERY_ISO=$RECOVERY_BASE.iso
+RECOVERY_AFM=$RECOVERY_BASE.afm
+RECOVERY_PEM=$RECOVERY_BASE.pem
-/bin/rm -f $W/recovery.key $W/recovery.bak $W/recovery.iso $W/recovery.afm
+/bin/rm -f $RECOVERY_KEY $RECOVERY_BAK $RECOVERY_ISO $RECOVERY_AFM
unset AFFLIB_PASSPHRASE
+
+test_make_random_iso.sh $RECOVERY_ISO
+
echo ==== AFRECOVERY TEST ===
echo Make an X509 key
-
SUBJECT="/CN=Mr. Recovery/emailAddress=recovery at investiations.com"
-openssl req -x509 -newkey rsa:1024 -keyout $W/recovery.pem -out $W/recovery.pem -nodes -subj "$SUBJECT"
+openssl req -x509 -newkey rsa:1024 -keyout $RECOVERY_PEM -out $RECOVERY_PEM -nodes -subj "$SUBJECT"
-PATH=$PATH:../tools:../../tools:.:$srcdir
-test_make_random_iso.sh $W/recovery.iso
-if [ ! -r $W/recovery.iso ]; then
- echo $W/recovery.iso was not created.
+if [ ! -r $RECOVERY_ISO ]; then
+ echo $RECOVERY_ISO was not created.
printenv
echo current directory: `pwd`
exit 0
fi
-cp $W/recovery.iso $W/recovery.bak
-echo SIGNING $W/recovery.iso
-if ! ./afsign -k $W/recovery.pem $W/recovery.iso ; then exit 1 ; fi
-ls -l $W/recovery.iso $W/recovery.afm
-echo VERIFYING SIGNATURE
-if ! ./afverify $W/recovery.afm ; then exit 1 ; fi
-echo CORRUPTING FILE recovery.iso
-dd if=/dev/random of=$W/recovery.iso count=1 skip=1 conv=notrunc
-echo ATTEMPTING RECOVERY
-if ! ./afrecover $W/recovery.afm ; then exit 1 ; fi
-if ! ./afverify $W/recovery.afm ; then exit 1 ; fi
-echo MAKING SURE THAT THE MD5 HAS NOT CHANGED
-if ! cmp $W/recovery.bak $W/recovery.iso ; then echo file changed ; exit 1 ; fi
+cp $RECOVERY_ISO $RECOVERY_BAK
+echo ===========
+echo Step 1: SIGNING $RECOVERY_ISO
+if ! ./afsign -k $RECOVERY_PEM $RECOVERY_ISO ; then exit 1 ; fi
+ls -l $RECOVERY_ISO $RECOVERY_AFM
+echo ===========
+echo Step 2: VERIFYING SIGNATURE
+if ! ./afverify $RECOVERY_AFM ; then exit 1 ; fi
+echo ===========
+echo Step 3: CORRUPTING FILE recovery.iso
+dd if=/dev/random of=$RECOVERY_ISO count=1 skip=1 conv=notrunc
+echo ===========
+echo Step 4: ATTEMPTING RECOVERY
+if ! ./afrecover $RECOVERY_AFM ; then exit 1 ; fi
+echo ==========
+echo Step 5: MAKING SURE THAT THE MD5 HAS NOT CHANGED
+if ! cmp $RECOVERY_BAK $RECOVERY_ISO ; then echo file changed ; exit 1 ; fi
+echo MD5 has not changed
+echo ==========
+echo Step 6: See if Digital Signature is still good
+if ! ./afverify $RECOVERY_AFM ; then echo signature no longer good ; exit 1 ; fi
+echo Signature still good
echo ALL TESTS PASS
-/bin/rm -f $W/recovery.key $W/recovery.bak $W/recovery.iso $W/recovery.afm $W/recovery.pem
+/bin/rm -f $RECOVERY_KEY $RECOVERY_BAK $RECOVERY_ISO $RECOVERY_AFM $RECOVERY_PEM
diff --git a/tools/test_signing.sh b/tools/test_signing.sh
index d472f58..7f09dc3 100755
--- a/tools/test_signing.sh
+++ b/tools/test_signing.sh
@@ -2,9 +2,18 @@
#
# test the signing tools
-/bin/rm -f agent.pem analyst.pem archives.pem evidence.aff evidence2.aff evidence3.aff
unset AFFLIB_PASSPHRASE
+BASE=`mktemp -t baseXXXXX`
+AGENT_PEM=$BASE.agent.pem
+ANALYST_PEM=$BASE.analyst.pem
+ARCHIVES_PEM=$BASE.archives.pem
+EVIDENCE=$BASE.evidence.aff
+EVIDENCE2=$BASE.evidence2.aff
+EVIDENCE3=$BASE.evidence3.aff
+
+/bin/rm -f $AGENT_PEM $ANALYST_PEM $ARCHIVES_PEM $EVIDENCE $EVIDENCE2 $EVIDENCE3
+
echo === MAKING THE TEST FILES ===
PATH=$PATH:../tools:../../tools:.:$srcdir
@@ -14,47 +23,51 @@ test_make_random_iso.sh rawevidence.iso
echo ==== AFSIGN TEST ===
echo Making X.509 keys
-openssl req -x509 -newkey rsa:1024 -keyout agent.pem -out agent.pem -nodes -subj "/C=US/ST=California/L=Remote/O=Country Govt./OU=Sherif Dept/CN=Mr. Agent/emailAddress=agent at investiations.com"
+openssl req -x509 -newkey rsa:1024 -keyout $AGENT_PEM -out $AGENT_PEM -nodes -subj "/C=US/ST=California/L=Remote/O=Country Govt./OU=Sherif Dept/CN=Mr. Agent/emailAddress=agent at investiations.com"
- openssl req -x509 -newkey rsa:1024 -keyout analyst.pem -out analyst.pem -nodes -subj "/C=US/ST=California/L=Remote/O=State Police/OU=Forensics/CN=Ms. Analyst/emailAddress=analyst at investiations.com"
-openssl req -x509 -newkey rsa:1024 -keyout archives.pem -out archives.pem -nodes -subj "/C=US/ST=CA/L=Remote/O=Archives/OU=Electronic/CN=Dr. Librarian/emailAddress=drbits at investiations.com"
+ openssl req -x509 -newkey rsa:1024 -keyout $ANALYST_PEM -out $ANALYST_PEM -nodes -subj "/C=US/ST=California/L=Remote/O=State Police/OU=Forensics/CN=Ms. Analyst/emailAddress=analyst at investiations.com"
+openssl req -x509 -newkey rsa:1024 -keyout $ARCHIVES_PEM -out $ARCHIVES_PEM -nodes -subj "/C=US/ST=CA/L=Remote/O=Archives/OU=Electronic/CN=Dr. Librarian/emailAddress=drbits at investiations.com"
echo Making an AFF file to sign
-rm -f evidence.aff evidence?.aff
-./afconvert -o evidence.aff rawevidence.iso
+rm -f $EVIDENCE evidence?.aff
+./afconvert -o $EVIDENCE rawevidence.iso
echo Initial AFF file
-if ! ./afinfo -a evidence.aff ; then exit 1 ; fi
+if ! ./afinfo -a $EVIDENCE ; then exit 1 ; fi
echo Signing AFF file...
-if ! ./afsign -k agent.pem evidence.aff ; then echo afsign failed ; exit 1 ; fi
-if ! ./afverify evidence.aff ; then echo afverify failed ; exit 1 ; fi ;
+echo afsign -k $AGENT_PEM $EVIDENCE
+if ! ./afsign -k $AGENT_PEM $EVIDENCE ; then echo afsign failed ; exit 1 ; fi
+
+echo Verifying Signature...
+echo afverify $EVIDENCE
+if ! ./afverify $EVIDENCE ; then echo afverify failed ; exit 1 ; fi ;
echo Signature test 1 passed
echo Testing chain-of-custody signatures
echo Copying original raw file to evidence1.aff
-if ! ./afcopy -z -k agent.pem rawevidence.iso evidence1.aff ; then exit 1; fi
+if ! ./afcopy -z -k $AGENT_PEM rawevidence.iso evidence1.aff ; then exit 1; fi
if ! ./afinfo -a evidence1.aff ; then exit 1 ; fi
if ! ./afcompare rawevidence.iso evidence1.aff ; then exit 1 ; fi
if ! ./afverify evidence1.aff ; then exit 1 ; fi
echo
echo Making the second generation copy
-echo "This copy was made by the analyst" | ./afcopy -z -k analyst.pem -n evidence1.aff evidence2.aff
-if ! ./afinfo -a evidence2.aff ; then exit 1 ; fi
-if ! ./afcompare rawevidence.iso evidence2.aff ; then exit 1 ; fi
-if ! ./afverify evidence2.aff ; then exit 1 ; fi
+echo "This copy was made by the analyst" | ./afcopy -z -k $ANALYST_PEM -n evidence1.aff $EVIDENCE2
+if ! ./afinfo -a $EVIDENCE2 ; then exit 1 ; fi
+if ! ./afcompare rawevidence.iso $EVIDENCE2 ; then exit 1 ; fi
+if ! ./afverify $EVIDENCE2 ; then exit 1 ; fi
echo
echo Making the third generation copy
-echo "This copy was made by the archives" | ./afcopy -z -k archives.pem -n evidence2.aff evidence3.aff
-if ! ./afinfo -a evidence3.aff ; then exit 1 ; fi
-if ! ./afcompare rawevidence.iso evidence3.aff ; then exit 1 ; fi
-if ! ./afverify evidence3.aff ; then exit 1 ; fi
+echo "This copy was made by the archives" | ./afcopy -z -k $ARCHIVES_PEM -n $EVIDENCE2 $EVIDENCE3
+if ! ./afinfo -a $EVIDENCE3 ; then exit 1 ; fi
+if ! ./afcompare rawevidence.iso $EVIDENCE3 ; then exit 1 ; fi
+if ! ./afverify $EVIDENCE3 ; then exit 1 ; fi
echo All tests passed successfully
echo Erasing temporary files.
-rm -f agent.pem archives.pem analyst.pem evidence.aff evidence.afm rawevidence.iso cevidence.iso evidence2.aff evidence3.aff evidence.aff
+rm -f $AGENT_PEM $ARCHIVES_PEM $ANALYST_PEM $EVIDENCE evidence.afm rawevidence.iso cevidence.iso $EVIDENCE2 $EVIDENCE3 $EVIDENCE
exit 0
--
debian-forensics/afflib
More information about the forensics-changes
mailing list