Rework clevis to use the José-based architecture

latchset · Oct 26, 2016 · fe3f91a · fe3f91a
1 parent 0b0415f
commit fe3f91a
Show file tree

Hide file tree

Showing 46 changed files with 3,940 additions and 2,571 deletions.
diff --git a/.gitignore b/.gitignore
@@ -20,7 +20,6 @@ aclocal.m4
 ar-lib
 autom4te.cache
 build
-clevis.pc
 compile
 config.guess
 config.log
@@ -35,6 +34,12 @@ ltmain.sh
 Makefile.in
 Makefile
 missing
-src/clevis
+src/clevis-pin
+src/clevis-pin-http
+src/clevis-pin-sss
+src/clevis-pin-tang
+src/clevis-pin-test
 tags
 test-driver
+udisks2/clevis-luks-udisks2
+udisks2/clevis-luks-udisks2.desktop
diff --git a/COPYING b/COPYING
diff --git a/Makefile.am b/Makefile.am
@@ -1,5 +1,8 @@
+DISTCHECK_CONFIGURE_FLAGS = --with-dracutmodulesdir=$$dc_install_base/$(dracutmodulesdir)
+
 ACLOCAL_AMFLAGS = -I m4
-SUBDIRS = src
+SUBDIRS = src dracut udisks2
 
-pkgconfigdir = $(libdir)/pkgconfig
-pkgconfig_DATA = clevis.pc
+EXTRA_DIST = COPYING tests/httpd.py
+dist_check_SCRIPTS = tests/pin-test tests/pin-http tests/pin-sss tests/pin-tang
+TESTS = $(dist_check_SCRIPTS)
diff --git a/clevis.pc.in b/clevis.pc.in
diff --git a/configure.ac b/configure.ac
@@ -12,9 +12,20 @@ LT_INIT([disable-static])
 
 PKG_PROG_PKG_CONFIG([0.25])
 
-PKG_CHECK_MODULES([LIBCRYPTO], [libcrypto])
-PKG_CHECK_MODULES([JANSSON], [jansson])
-PKG_CHECK_MODULES([CURL], [libcurl])
+PKG_CHECK_MODULES([jose], [jose-openssl >= 6 jose-zlib >= 6])
+PKG_CHECK_MODULES([luksmeta], [luksmeta >= 3])
+PKG_CHECK_MODULES([libcrypto], [libcrypto])
+PKG_CHECK_MODULES([udisks2], [udisks2])
+PKG_CHECK_MODULES([dracut], [dracut])
+
+AC_CHECK_HEADER([http_parser.h], [], [AC_MSG_ERROR([http-parser required!])])
+AC_SEARCH_LIBS([http_parser_execute], [http_parser], [], [AC_MSG_ERROR([http-parser required!])])
+
+AC_ARG_WITH([dracutmodulesdir],
+	    [AS_HELP_STRING([--with-dracutmodulesdir=DIR], [Directory for dracut modules])],
+	    [],
+	    [with_dracutmodulesdir=$($PKG_CONFIG --variable=dracutmodulesdir dracut)])
+AC_SUBST([dracutmodulesdir], [$with_dracutmodulesdir])
 
 CLEVIS_CFLAGS="\
 -Wall \
@@ -36,8 +47,5 @@ CLEVIS_CFLAGS="\
 "
 AC_SUBST([CLEVIS_CFLAGS])
 
-AC_SUBST([CLEVIS_PINDIR], [${libdir}/${PACKAGE_NAME}])
-AX_DEFINE_DIR(CLEVIS_PINDIR, CLEVIS_PINDIR, [Location of pins (plugins)])
-
-AC_CONFIG_FILES([clevis.pc Makefile src/Makefile])
+AC_CONFIG_FILES([Makefile src/Makefile dracut/Makefile udisks2/Makefile])
 AC_OUTPUT
diff --git a/dracut/Makefile.am b/dracut/Makefile.am
@@ -0,0 +1,2 @@
+dracutdir = @dracutmodulesdir@/60$(PACKAGE_NAME)
+dist_dracut_SCRIPTS = module-setup.sh clevis-hook.sh
diff --git a/dracut/clevis-hook.sh b/dracut/clevis-hook.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2016 Red Hat, Inc.
+# Author: Harald Hoyer <harald@redhat.com>
+# Author: Nathaniel McCallum <npmccallum@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
+
+shopt -s nullglob
+
+for question in /run/systemd/ask-password/ask.*; do
+    d=
+    s=
+
+    while read line; do
+        case "$line" in
+            Id=cryptsetup:*) d="${line##Id=cryptsetup:}";;
+            Socket=*) s="${line##Socket=}";;
+        esac
+    done < "$question"
+
+    [ -z "$d" -o -z "$s" ] && continue
+
+    luksmeta show -d "$d" | while read -r -a row; do
+        [ "${row[1]}" != "active" ] && continue
+        [ "${row[2]}" != "$UUID" ] && continue
+        n=${row[0]}
+
+        if pt="`luksmeta load -d $d -s $n -u $UUID | clevis decrypt`"; then
+            echo -n "+$pt" | nc -U -u --send-only "$s"
+            break;
+        fi
+    done
+done
diff --git a/dracut/module-setup.sh b/dracut/module-setup.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2016 Red Hat, Inc.
+# Author: Nathaniel McCallum <npmccallum@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+depends() {
+    echo crypt systemd network
+    return 0
+}
+
+cmdline() {
+    echo "rd.neednet=1"
+}
+
+install() {
+    cmdline > "${initdir}/etc/cmdline.d/99clevis.conf"
+
+    inst_hook initqueue/online 60 "$moddir/clevis-hook.sh"
+    inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh"
+
+    inst_multiple \
+        /etc/services \
+        luksmeta \
+        nc \
+        clevis \
+        clevis-decrypt \
+        clevis-pin \
+        clevis-pin-http \
+        clevis-pin-sss \
+        clevis-pin-tang
+
+    dracut_need_initqueue
+}
+
diff --git a/src/Makefile.am b/src/Makefile.am
@@ -1,31 +1,27 @@
-AM_CFLAGS = @CLEVIS_CFLAGS@ @LIBCRYPTO_CFLAGS@ @JANSSON_CFLAGS@ @CURL_CFLAGS@
+AM_CFLAGS = @CLEVIS_CFLAGS@ @jose_CFLAGS@
+LDADD = @jose_LIBS@ libreadall.la
 
-include_HEADERS = clevis.h
+EXTRA_DIST = clevis.in clevis-decrypt.in clevis-encrypt.in clevis-bind-luks.in
+CLEANFILES = $(bin_SCRIPTS)
 
-lib_LTLIBRARIES = libclevis.la
-libclevis_la_LDFLAGS = -export-symbols-regex '^clevis_'
-libclevis_la_LIBADD = @LIBCRYPTO_LIBS@ @JANSSON_LIBS@
-libclevis_la_SOURCES = buf.c clevis.h
+bin_PROGRAMS = clevis-pin clevis-pin-http clevis-pin-sss clevis-pin-tang
+bin_SCRIPTS = clevis clevis-decrypt clevis-encrypt clevis-bind-luks
+noinst_LTLIBRARIES = libhttp.la libreadall.la
+check_PROGRAMS = clevis-pin-test
 
-noinst_LTLIBRARIES = libcore.la
-libcore_la_LIBADD = -ldl -lpthread libclevis.la
-libcore_la_SOURCES = list.c list.h pin.c pin.h
+libreadall_la_SOURCES = readall.c readall.h
 
-bin_PROGRAMS = clevis
-clevis_LDADD = libcore.la
-clevis_SOURCES = clevis.c crypto.c crypto.h pwd.c pwd.h
+libhttp_la_SOURCES = http.c http.h
+libhttp_la_LIBADD = -lhttp_parser
 
-pindir = @CLEVIS_PINDIR@
-pin_LTLIBRARIES = pwd.la sss.la http.la
+clevis_pin_sss_SOURCES = clevis-pin-sss.c sss.c sss.h
+clevis_pin_sss_LDADD = $(LDADD) @libcrypto_LIBS@
 
-pwd_la_SOURCES = pin_pwd.c
-pwd_la_LDFLAGS = -module -avoid-version
-pwd_la_LIBADD = libclevis.la
+clevis_pin_http_LDADD = $(LDADD) libhttp.la
 
-sss_la_SOURCES = pin_sss_alg.c pin_sss_alg.h pin_sss.c
-sss_la_LDFLAGS = -module -avoid-version
-sss_la_LIBADD = libcore.la
+clevis_pin_tang_SOURCES = tang.c tang.h clevis-pin-tang.c
+clevis_pin_tang_LDADD = $(LDADD) @libcrypto_LIBS@ libhttp.la
 
-http_la_SOURCES = pin_http.c
-http_la_LDFLAGS = -module -avoid-version
-http_la_LIBADD = libclevis.la @CURL_LIBS@
+
+%: %.in
+	$(AM_V_GEN)cp $(srcdir)/$@.in $@