Hello community,
here is the log from the commit of package cryptctl for openSUSE:Factory
checked in at 2017-06-04 02:00:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cryptctl (Old)
and /work/SRC/openSUSE:Factory/.cryptctl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cryptctl"
Sun Jun 4 02:00:16 2017 rev:3 rq:500581 version:2.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/cryptctl/cryptctl.changes 2017-06-01
16:33:01.736628681 +0200
+++ /work/SRC/openSUSE:Factory/.cryptctl.new/cryptctl.changes 2017-06-04
02:00:23.083493983 +0200
@@ -1,0 +2,10 @@
+Thu Jun 1 13:00:57 UTC 2017 - h...@suse.com
+
+- Upgrade to upstream release 2.1 that brings important enhancements
+ in effort of implementing fate#322979:
+ * Improve KMIP compatibility with key prefix names and proper
+ serialisation of authentication header.
+ * Fail over KMIP connection using a server list.
+ * Destroy key on KMIP after its tracking record is erased from DB.
+
+-------------------------------------------------------------------
Old:
----
cryptctl-2.0.tgz
New:
----
cryptctl-2.1.tgz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cryptctl.spec ++++++
--- /var/tmp/diff_new_pack.5YwnLh/_old 2017-06-04 02:00:23.551427935 +0200
+++ /var/tmp/diff_new_pack.5YwnLh/_new 2017-06-04 02:00:23.555427370 +0200
@@ -17,7 +17,7 @@
Name: cryptctl
-Version: 2.0
+Version: 2.1
Release: 0
Summary: A utility for setting up LUKS-based disk encryption
License: GPL-3.0
++++++ cryptctl-2.0.tgz -> cryptctl-2.1.tgz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/command/client.go new/command/client.go
--- old/command/client.go 2017-05-11 15:49:38.135920761 +0200
+++ new/command/client.go 2017-05-31 13:42:19.429519219 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package command
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/command/server.go new/command/server.go
--- old/command/server.go 2017-05-11 15:49:38.311921813 +0200
+++ new/command/server.go 2017-06-01 12:42:35.899886409 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package command
@@ -242,10 +242,9 @@
// Walk through KMIP settings
useExternalKMIPServer := sys.InputBool("Should encryption keys be kept
on a KMIP-compatible key management appliance?")
if useExternalKMIPServer {
- sysconf.Set(keyserv.SRV_CONF_KMIP_SERVER_HOST, sys.Input(true,
"", "KMIP server host name"))
- sysconf.Set(keyserv.SRV_CONF_KMIP_SERVER_PORT,
sys.InputInt(true, 5696, 1, 65535, "KMIP port number"))
+ sysconf.Set(keyserv.SRV_CONF_KMIP_SERVER_ADDRS, sys.Input(true,
"", "Space-separated KMIP server addresses (host1:port1 host2:port2 ...)"))
sysconf.Set(keyserv.SRV_CONF_KMIP_SERVER_USER, sys.Input(false,
"", "KMIP username"))
- sysconf.Set(keyserv.SRV_CONF_KMIP_SERVER_PASS, sys.Input(false,
"", "KMIP password"))
+ sysconf.Set(keyserv.SRV_CONF_KMIP_SERVER_PASS,
sys.InputPassword(false, "", "KMIP password"))
sysconf.Set(keyserv.SRV_CONF_KMIP_SERVER_TLS_CA,
sys.Input(false, "", "PEM-encoded TLS certificate authority that issued KMIP
server certificate"))
sysconf.Set(keyserv.SRV_CONF_KMIP_SERVER_TLS_CERT,
sys.Input(false, "", "PEM-encoded TLS client identitiy certificate"))
sysconf.Set(keyserv.SRV_CONF_KMIP_SERVER_TLS_KEY,
sys.Input(false, "", "PEM-encoded TLS client identitiy certificate key"))
@@ -258,6 +257,16 @@
sysconf.Set(keyserv.SRV_CONF_MAIL_AGENT_AND_PORT, mta)
}
if sysconf.GetString(keyserv.SRV_CONF_MAIL_AGENT_AND_PORT, "") != "" {
+ if username := sys.Input(false,
+ sysconf.GetString(keyserv.SRV_CONF_MAIL_AGENT_USERNAME,
""),
+ "Plain authentication username for access to mail agent
(optional)"); username != "" {
+ sysconf.Set(keyserv.SRV_CONF_MAIL_AGENT_USERNAME,
username)
+ if password := sys.Input(false,
+
sysconf.GetString(keyserv.SRV_CONF_MAIL_AGENT_PASSWORD, ""),
+ "Plain authentication password for access to
mail agent (optional)"); password != "" {
+
sysconf.Set(keyserv.SRV_CONF_MAIL_AGENT_PASSWORD, password)
+ }
+ }
if fromAddr := sys.Input(false,
sysconf.GetString(keyserv.SRV_CONF_MAIL_FROM_ADDR, ""),
"Notification email's FROM address such as
\"r...@example.com\""); fromAddr != "" {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/fs/crypt.go new/fs/crypt.go
--- old/fs/crypt.go 2017-05-11 15:49:38.135920761 +0200
+++ new/fs/crypt.go 2017-05-31 13:42:19.465519425 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package fs
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/fs/crypt_test.go new/fs/crypt_test.go
--- old/fs/crypt_test.go 2017-05-10 12:10:28.822405499 +0200
+++ new/fs/crypt_test.go 2017-05-31 13:42:19.485519541 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package fs
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/fs/file.go new/fs/file.go
--- old/fs/file.go 2017-04-12 10:14:52.257214284 +0200
+++ new/fs/file.go 2017-05-31 13:42:19.441519289 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package fs
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/fs/file_test.go new/fs/file_test.go
--- old/fs/file_test.go 2017-04-12 10:14:52.257214284 +0200
+++ new/fs/file_test.go 2017-05-31 13:42:19.401519058 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package fs
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/fs/fs.go new/fs/fs.go
--- old/fs/fs.go 2017-04-12 10:14:52.257214284 +0200
+++ new/fs/fs.go 2017-05-31 13:42:19.417519150 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package fs
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/fs/fs_test.go new/fs/fs_test.go
--- old/fs/fs_test.go 2017-04-12 10:14:52.257214284 +0200
+++ new/fs/fs_test.go 2017-05-31 13:42:19.453519356 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package fs
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/fs/mnt.go new/fs/mnt.go
--- old/fs/mnt.go 2017-04-12 10:14:52.257214284 +0200
+++ new/fs/mnt.go 2017-05-31 13:42:24.253546901 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package fs
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/fs/mnt_test.go new/fs/mnt_test.go
--- old/fs/mnt_test.go 2017-04-12 10:14:52.257214284 +0200
+++ new/fs/mnt_test.go 2017-05-31 13:42:24.233546785 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package fs
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/keydb/db.go new/keydb/db.go
--- old/keydb/db.go 2017-05-08 16:30:12.695463369 +0200
+++ new/keydb/db.go 2017-05-31 13:42:50.705698687 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package keydb
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/keydb/db_test.go new/keydb/db_test.go
--- old/keydb/db_test.go 2017-05-09 11:56:13.655598444 +0200
+++ new/keydb/db_test.go 2017-05-31 13:42:50.713698733 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package keydb
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/keydb/record.go new/keydb/record.go
--- old/keydb/record.go 2017-05-09 11:54:39.087076246 +0200
+++ new/keydb/record.go 2017-05-31 13:42:50.673698504 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package keydb
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/keydb/record_test.go new/keydb/record_test.go
--- old/keydb/record_test.go 2017-05-10 11:53:31.925494009 +0200
+++ new/keydb/record_test.go 2017-05-31 13:42:50.685698572 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package keydb
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/keyserv/kmip_client.go new/keyserv/kmip_client.go
--- old/keyserv/kmip_client.go 2017-05-10 11:53:31.929494027 +0200
+++ new/keyserv/kmip_client.go 2017-06-01 14:52:47.172639453 +0200
@@ -1,3 +1,5 @@
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
+// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package keyserv
import (
@@ -12,6 +14,7 @@
"io"
"log"
"reflect"
+ "time"
)
const (
@@ -22,6 +25,7 @@
*/
MaxKMIPStructLen = 65536
KMIPAESKeySizeBits = 256 // The only kind of AES encryption key the
KMIP server and client will expect to use
+ ClientMaxRetry = 7 // Maximum number of times for client to retry
failed KMIP connection.
)
/*
@@ -30,8 +34,7 @@
KMIP servers implemented by other vendors.
*/
type KMIPClient struct {
- ServerHost string
- ServerPort int
+ ServerAddrs []string
Username, Password string
TLSConfig *tls.Config
}
@@ -40,13 +43,12 @@
Initialise a KMIP client.
The function does not immediately establish a connection to server.
*/
-func NewKMIPClient(host string, port int, username, password string, caCertPEM
[]byte, certFilePath, certKeyPath string) (*KMIPClient, error) {
+func NewKMIPClient(addrs []string, username, password string, caCertPEM
[]byte, certFilePath, certKeyPath string) (*KMIPClient, error) {
client := &KMIPClient{
- ServerHost: host,
- ServerPort: port,
- Username: username,
- Password: password,
- TLSConfig: new(tls.Config),
+ ServerAddrs: addrs,
+ Username: username,
+ Password: password,
+ TLSConfig: new(tls.Config),
}
if caCertPEM != nil && len(caCertPEM) > 0 {
// Use custom CA
@@ -100,23 +102,49 @@
/*
Establish a TLS connection to server, send exactly one request and expect
exactly one response, then close the connection.
-TLS handshake is way more expensive than KMIP operations, so consider using
the connection for more requests in the future.
+Retry up to a certain number of times in case IO error occurs.
*/
-func (client *KMIPClient) MakeRequest(request structure.SerialisedItem)
(structure.SerialisedItem, error) {
- addr := fmt.Sprintf("%s:%d", client.ServerHost, client.ServerPort)
- conn, err := tls.Dial("tcp", addr, client.TLSConfig)
- if err != nil {
- return nil, fmt.Errorf("KMIPClient.MakeRequest: connection to
\"%s\" failed - %v", addr, err)
- }
- defer conn.Close()
+func (client *KMIPClient) ConverseWithRetry(request structure.SerialisedItem)
(ttlv.Item, error) {
+ var err error
serialisedRequest := request.SerialiseToTTLV()
encodedRequest := ttlv.EncodeAny(serialisedRequest)
- if _, err = conn.Write(encodedRequest); err != nil {
- return nil, fmt.Errorf("KMIPClient.MakeRequest: failed to write
request - %v", err)
+ for i := 0; i < ClientMaxRetry; i++ {
+ if i > 0 {
+ // Introduce an artificial sleep to delay attempts
after failure
+ time.Sleep(1 * time.Second)
+ }
+ // Always prefer to use the first server among the list of
servers
+ addr := client.ServerAddrs[i%len(client.ServerAddrs)]
+ conn, err := tls.Dial("tcp", addr, client.TLSConfig)
+ if err != nil {
+ log.Printf("KMIPClient.ConverseWithRetry: IO failure
occured with KMIP server %s", addr)
+ continue
+ }
+ if _, err = conn.Write(encodedRequest); err != nil {
+ log.Printf("KMIPClient.ConverseWithRetry: IO failure
occured with KMIP server %s", addr)
+ conn.Close()
+ continue
+ }
+ ttlvResp, err := ReadFullTTLV(conn)
+ if err != nil {
+ log.Printf("KMIPClient.ConverseWithRetry: IO failure
occured with KMIP server %s", addr)
+ conn.Close()
+ continue
+ }
+ conn.Close()
+ return ttlvResp, nil
}
- ttlvResp, err := ReadFullTTLV(conn)
+ return nil, fmt.Errorf("KMIPClient.ConverseWithRetry: ultimately failed
in all attempts at conversing with server - %v", err)
+}
+
+/*
+Establish a TLS connection to server, send exactly one request and expect
exactly one response, then close the connection.
+TLS handshake is way more expensive than KMIP operations, so consider using
the connection for more requests in the future.
+*/
+func (client *KMIPClient) MakeRequest(request structure.SerialisedItem)
(structure.SerialisedItem, error) {
+ ttlvResp, err := client.ConverseWithRetry(request)
if err != nil {
- return nil, fmt.Errorf("KMIPClient.MakeRequest: failed to read
response - %v", err)
+ return nil, err
}
// TODO: refactor this into interface function in all request structures
var respItem structure.SerialisedItem
@@ -169,13 +197,11 @@
func (client *KMIPClient) CreateKey(keyName string) (id string, err error) {
defer func() {
// In the unlikely case that a misbehaving server causes client
to crash.
- /*
- if r := recover(); r != nil {
- msg := fmt.Sprintf("KMIPClient.CreateKey: the
function crashed due to programming error - %v", r)
- log.Print(msg)
- err = errors.New(msg)
- }
- */
+ if r := recover(); r != nil {
+ msg := fmt.Sprintf("KMIPClient.CreateKey: the function
crashed due to programming error - %v", r)
+ log.Print(msg)
+ err = errors.New(msg)
+ }
}()
resp, err := client.MakeRequest(&structure.SCreateRequest{
SRequestHeader: client.GetRequestHeader(),
@@ -270,7 +296,7 @@
defer func() {
// In the unlikely case that a misbehaving server causes client
to crash.
if r := recover(); r != nil {
- msg := fmt.Sprintf("KMIPClient.GetKey: (ID %s) the
function crashed due to programming error - %v", id, r)
+ msg := fmt.Sprintf("KMIPClient.DestroyKey: (ID %s) the
function crashed due to programming error - %v", id, r)
log.Print(msg)
err = errors.New(msg)
}
@@ -287,6 +313,5 @@
if err != nil {
return
}
- err =
ResponseItemToError(resp.(*structure.SDestroyResponse).SResponseBatchItem)
- return
+ return
ResponseItemToError(resp.(*structure.SDestroyResponse).SResponseBatchItem)
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/keyserv/kmip_server.go new/keyserv/kmip_server.go
--- old/keyserv/kmip_server.go 2017-05-11 15:49:38.135920761 +0200
+++ new/keyserv/kmip_server.go 2017-05-31 13:42:56.253730524 +0200
@@ -1,3 +1,5 @@
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
+// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package keyserv
import (
@@ -13,6 +15,7 @@
"log"
"net"
"reflect"
+ "strings"
"time"
)
@@ -181,6 +184,7 @@
default:
err = fmt.Errorf("KMIPServer.HandleRequest: unknown request
type %s", reflect.TypeOf(req).String())
}
+ log.Printf("KMIPServer.HandleRequest: handled request type %s from %s,
err is %v", reflect.TypeOf(req).String(), conn.RemoteAddr().String(), err)
if err == nil {
conn.SetWriteDeadline(time.Now().Add(KMIPTimeoutSec *
time.Second))
_, err = conn.Write(ttlv.EncodeAny(resp.SerialiseToTTLV()))
@@ -202,7 +206,11 @@
*/
creationTime := time.Now()
kmipID, err := srv.DB.Upsert(keydb.Record{
- UUID: keyName,
+ /*
+ Name prefix explains key's origin to make it more
visible when stored in an external KMIP appliance.
+ But key database only recognises UUID, there's no need
for a prefix to be stored in key database.
+ */
+ UUID: strings.TrimPrefix(keyName, KeyNamePrefix),
CreationTime: creationTime,
Key: GetNewDiskEncryptionKeyBits(),
})
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/keyserv/kmip_server_test.go
new/keyserv/kmip_server_test.go
--- old/keyserv/kmip_server_test.go 2017-05-11 15:49:38.311921813 +0200
+++ new/keyserv/kmip_server_test.go 2017-05-31 13:42:59.933751639 +0200
@@ -1,3 +1,5 @@
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
+// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package keyserv
import (
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/keyserv/kmip_test.go new/keyserv/kmip_test.go
--- old/keyserv/kmip_test.go 2017-05-10 11:53:31.933494045 +0200
+++ new/keyserv/kmip_test.go 2017-06-01 14:32:34.225304203 +0200
@@ -1,3 +1,5 @@
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
+// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package keyserv
import (
@@ -7,6 +9,7 @@
"os"
"path"
"reflect"
+ "strconv"
"testing"
"time"
)
@@ -41,7 +44,10 @@
}
// Expect server to start in a second
time.Sleep(1 * time.Second)
- client, err := NewKMIPClient("localhost", server.GetPort(),
"username-does-not-matter", string(server.PasswordChallenge), caCert,
+ client, err := NewKMIPClient([]string{
+ "bad-server:1234",
+ "localhost:" + strconv.Itoa(server.GetPort()),
+ }, "username-does-not-matter", string(server.PasswordChallenge), caCert,
path.Join(PkgInGopath, "keyserv", "rpc_test.crt"),
path.Join(PkgInGopath, "keyserv", "rpc_test.key"))
if err != nil {
t.Fatal(err)
@@ -112,7 +118,54 @@
time.sleep(100)
*/
t.Skip("Start PyKMIP server manually and remove this skip statement to
run this test case")
- client, err := NewKMIPClient("127.0.0.1", 5696, "testuser", "testpass",
nil, "/etc/pykmip/client.crt", "/etc/pykmip/client.key")
+ client, err := NewKMIPClient([]string{"127.0.0.1:5696"}, "testuser",
"testpass", nil, "/etc/pykmip/kmipclient.com.crt",
"/etc/pykmip/kmipclient.com.key")
+ if err != nil {
+ t.Fatal(err)
+ }
+ client.TLSConfig.InsecureSkipVerify = true
+ if err != nil {
+ t.Fatal(err)
+ }
+ // Create two keys
+ var id1, id2 string
+ if id1, err = client.CreateKey("test key 1"); err != nil || id1 == "" {
+ t.Fatal(err, id1)
+ }
+ if id2, err = client.CreateKey("test key 2"); err != nil || id2 == "" {
+ t.Fatal(err, id2)
+ }
+ // Retrieve both keys and non-existent key
+ received1, err := client.GetKey(id1)
+ if err != nil {
+ t.Fatal(err)
+ }
+ received2, err := client.GetKey(id2)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if _, err := client.GetKey("does not exist"); err == nil {
+ t.Fatal("did not error")
+ }
+ if reflect.DeepEqual(received1, received2) || len(received1) == 0 {
+ t.Fatal(hex.Dump(received1), hex.Dump(received2))
+ }
+ if err := client.DestroyKey(id1); err != nil {
+ t.Fatal(err)
+ }
+ if err := client.DestroyKey(id2); err != nil {
+ t.Fatal(err)
+ }
+ if err := client.DestroyKey("does not exist"); err == nil {
+ t.Fatal("did not error")
+ }
+}
+
+func TestKMIPAgainstHpeEskm(t *testing.T) {
+ t.Skip("Acquire HPE ESKM credentials and remove this skip statement to
run this test case")
+ client, err := NewKMIPClient([]string{"SERVER:5696"}, "USERNAME",
"PASSWORD", nil, "PATH_TO_CRT", "PATH_TO_KEY")
+ if err != nil {
+ t.Fatal(err)
+ }
client.TLSConfig.InsecureSkipVerify = true
if err != nil {
t.Fatal(err)
@@ -140,10 +193,12 @@
if reflect.DeepEqual(received1, received2) || len(received1) == 0 {
t.Fatal(hex.Dump(received1), hex.Dump(received2))
}
- // Destroy and retrieve again
if err := client.DestroyKey(id1); err != nil {
t.Fatal(err)
}
+ if err := client.DestroyKey(id2); err != nil {
+ t.Fatal(err)
+ }
if err := client.DestroyKey("does not exist"); err == nil {
t.Fatal("did not error")
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/keyserv/mail.go new/keyserv/mail.go
--- old/keyserv/mail.go 2017-05-03 11:15:05.719097537 +0200
+++ new/keyserv/mail.go 2017-05-31 13:43:06.737790683 +0200
@@ -1,3 +1,5 @@
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
+// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package keyserv
import (
@@ -13,6 +15,8 @@
SRV_CONF_MAIL_RECIPIENTS = "EMAIL_RECIPIENTS"
SRV_CONF_MAIL_FROM_ADDR = "EMAIL_FROM_ADDRESS"
SRV_CONF_MAIL_AGENT_AND_PORT = "EMAIL_AGENT_AND_PORT"
+ SRV_CONF_MAIL_AGENT_USERNAME = "EMAIL_AGENT_USERNAME"
+ SRV_CONF_MAIL_AGENT_PASSWORD = "EMAIL_AGENT_PASSWORD"
)
// Return true only if both at-sign and full-stop are in the string.
@@ -25,6 +29,8 @@
Recipients []string // List of Email addresses that receive
notifications
FromAddress string // FROM address of the notifications
AgentAddressPort string // Address and port number of mail
transportation agent for sending notifications
+ AuthUsername string // (Optional) Username for plain
authentication, if the SMTP server requires it.
+ AuthPassword string // (Optional) Password for plain
authentication, if the SMTP server requires it.
}
// Return true only if all mail parameters are present.
@@ -65,11 +71,17 @@
// Deliver an email to all recipients.
func (mail *Mailer) Send(subject, text string) error {
- msg := fmt.Sprintf("Subject: %s\r\n\r\n%s", subject, text)
- if err := smtp.SendMail(mail.AgentAddressPort, nil, mail.FromAddress,
mail.Recipients, []byte(msg)); err != nil {
- return fmt.Errorf("Send: failed to send email to \"%v\" - %v",
mail.Recipients, err)
+ if mail.Recipients == nil || len(mail.Recipients) == 0 {
+ return fmt.Errorf("No recipient specified for mail \"%s\"",
subject)
+ }
+ var auth smtp.Auth
+ if mail.AuthUsername != "" {
+ auth = smtp.PlainAuth("", mail.AuthUsername, mail.AuthPassword,
mail.AgentAddressPort)
}
- return nil
+ // Construct appropriate mail headers
+ mailBody := fmt.Sprintf("MIME-Version: 1.0\r\nContent-type: text/plain;
charset=utf-8\r\nFrom: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n%s",
+ mail.FromAddress, strings.Join(mail.Recipients, ", "), subject,
text)
+ return smtp.SendMail(mail.AgentAddressPort, auth, mail.FromAddress,
mail.Recipients, []byte(mailBody))
}
// Read mail settings from keys in sysconfig file.
@@ -77,4 +89,6 @@
mail.Recipients = sysconf.GetStringArray(SRV_CONF_MAIL_RECIPIENTS,
[]string{})
mail.FromAddress = sysconf.GetString(SRV_CONF_MAIL_FROM_ADDR, "")
mail.AgentAddressPort = sysconf.GetString(SRV_CONF_MAIL_AGENT_AND_PORT,
"")
+ mail.AuthUsername = sysconf.GetString(SRV_CONF_MAIL_AGENT_USERNAME, "")
+ mail.AuthPassword = sysconf.GetString(SRV_CONF_MAIL_AGENT_PASSWORD, "")
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/keyserv/mail_test.go new/keyserv/mail_test.go
--- old/keyserv/mail_test.go 2017-05-03 11:15:05.667097294 +0200
+++ new/keyserv/mail_test.go 2017-05-31 13:44:56.310419438 +0200
@@ -1,8 +1,9 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package keyserv
import (
+ "net"
"testing"
)
@@ -42,6 +43,13 @@
if err := m.Send("abc", "123"); err == nil {
t.Fatal("did not error")
}
+ if _, err := net.Dial("tcp", "localhost:25"); err != nil {
+ t.Skip("an MTA on localhost would be required to continue this
test")
+ }
+ m = Mailer{Recipients: []string{"root@localhost"}, FromAddress:
"root@localhost", AgentAddressPort: "localhost:25"}
+ if err := m.Send("cryptctl mailer test subject", "cryptctl mailer test
text body"); err != nil {
+ t.Fatal(err)
+ }
}
func TestMailerReadFromSysconfig(t *testing.T) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/keyserv/rpc_client.go new/keyserv/rpc_client.go
--- old/keyserv/rpc_client.go 2017-05-11 15:49:38.311921813 +0200
+++ new/keyserv/rpc_client.go 2017-05-31 13:44:56.558420862 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package keyserv
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/keyserv/rpc_client_test.go
new/keyserv/rpc_client_test.go
--- old/keyserv/rpc_client_test.go 2017-05-11 15:49:38.311921813 +0200
+++ new/keyserv/rpc_client_test.go 2017-05-31 13:44:56.526420678 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package keyserv
@@ -193,12 +193,13 @@
}); err == nil {
t.Fatal("did not error")
}
+ // Erasing a non-existent key should not result in an error
if err := client.EraseKey(EraseKeyReq{
Password: HashPassword(salt, TEST_RPC_PASS),
Hostname: "localhost",
UUID: "doesnotexist",
- }); err == nil {
- t.Fatal("did not error")
+ }); err != nil {
+ t.Fatal(err)
}
if err := client.EraseKey(EraseKeyReq{
Password: HashPassword(salt, TEST_RPC_PASS),
@@ -207,12 +208,13 @@
}); err != nil {
t.Fatal(err)
}
+ // Erasing a non-existent key should not result in an error
if err := client.EraseKey(EraseKeyReq{
Password: HashPassword(salt, TEST_RPC_PASS),
Hostname: "localhost",
UUID: "aaa",
- }); err == nil {
- t.Fatal("did not error")
+ }); err != nil {
+ t.Fatal(err)
}
fmt.Println("About to run teardown")
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/keyserv/rpc_svc.go new/keyserv/rpc_svc.go
--- old/keyserv/rpc_svc.go 2017-05-11 15:49:38.311921813 +0200
+++ new/keyserv/rpc_svc.go 2017-06-01 12:41:26.439420140 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package keyserv
@@ -22,6 +22,7 @@
"path"
"path/filepath"
"reflect"
+ "strconv"
"strings"
"time"
)
@@ -45,13 +46,14 @@
SRV_CONF_MAIL_RETRIEVAL_SUBJ = "EMAIL_KEY_RETRIEVAL_SUBJECT"
SRV_CONF_MAIL_RETRIEVAL_TEXT = "EMAIL_KEY_RETRIEVAL_GREETING"
- SRV_CONF_KMIP_SERVER_HOST = "KMIP_SERVER_HOST"
- SRV_CONF_KMIP_SERVER_PORT = "KMIP_SERVER_PORT"
+ SRV_CONF_KMIP_SERVER_ADDRS = "KMIP_SERVER_ADDRESSES"
SRV_CONF_KMIP_SERVER_USER = "KMIP_SERVER_USER"
SRV_CONF_KMIP_SERVER_PASS = "KMIP_SERVER_PASS"
SRV_CONF_KMIP_SERVER_TLS_CA = "KMIP_CA_PEM"
SRV_CONF_KMIP_SERVER_TLS_CERT = "KMIP_TLS_CERT_PEM"
SRV_CONF_KMIP_SERVER_TLS_KEY = "KMIP_TLS_CERT_KEY_PEM"
+
+ KeyNamePrefix = "cryptctl-" // Prefix string prepended to KMIP keys
)
var PkgInGopath = path.Join(path.Join(os.Getenv("GOPATH"),
"/src/github.com/HouzuoGuo/cryptctl")) // this package in gopath
@@ -101,8 +103,7 @@
KeyCreationGreeting string // greeting of the
notification email sent by key creation request
KeyRetrievalSubject string // subject of the notification
email sent by key retrieval request
KeyRetrievalGreeting string // greeting of the
notification email sent by key retrieval request
- KMIPHost string // optional KMIP server host
- KMIPPort int // optional KMIP server port
+ KMIPAddresses []string // optional KMIP server
addresses (server1:port1 server2:port2 ...)
KMIPUser string // optional KMIP service
access user
KMIPPass string // optional KMIP service
access password
KMIPCertAuthorityPEM string // optional KMIP server CA
certificate
@@ -153,8 +154,8 @@
conf.KeyRetrievalSubject =
sysconf.GetString(SRV_CONF_MAIL_RETRIEVAL_SUBJ, "An encrypted file system has
been accessed")
conf.KeyRetrievalGreeting =
sysconf.GetString(SRV_CONF_MAIL_RETRIEVAL_TEXT, "The key server has sent the
following encryption key to allow access to its file systems:")
- conf.KMIPHost = sysconf.GetString(SRV_CONF_KMIP_SERVER_HOST, "")
- conf.KMIPPort = sysconf.GetInt(SRV_CONF_KMIP_SERVER_PORT, 0)
+ conf.KMIPAddresses = sysconf.GetStringArray(SRV_CONF_KMIP_SERVER_ADDRS,
[]string{})
+
conf.KMIPUser = sysconf.GetString(SRV_CONF_KMIP_SERVER_USER, "")
conf.KMIPPass = sysconf.GetString(SRV_CONF_KMIP_SERVER_PASS, "")
conf.KMIPCertAuthorityPEM =
sysconf.GetString(SRV_CONF_KMIP_SERVER_TLS_CA, "")
@@ -189,6 +190,9 @@
if err != nil {
return nil, err
}
+ /*
+ The author of TLS related libraries in Go has an opinion about CRL
+ */
srv.TLSConfig.Certificates = make([]tls.Certificate, 1)
srv.TLSConfig.Certificates[0], err =
tls.LoadX509KeyPair(config.CertPEM, config.KeyPEM)
// Configure client authentication upon request
@@ -218,7 +222,7 @@
*/
func (srv *CryptServer) ListenRPC() error {
var err error
- if srv.Config.KMIPHost == "" {
+ if len(srv.Config.KMIPAddresses) == 0 {
// If RPC server settings do not have KMIP connectivity
settings, start my own KMIP server.
if srv.BuiltInKMIPServer, err = NewKMIPServer(srv.KeyDB,
srv.Config.CertPEM, srv.Config.KeyPEM); err != nil {
return err
@@ -229,7 +233,7 @@
go srv.BuiltInKMIPServer.HandleConnections()
// The client initialisation routine does not immediately
connect to server.
if srv.KMIPClient, err = NewKMIPClient(
- "localhost", srv.BuiltInKMIPServer.GetPort(),
+ []string{"localhost:" +
strconv.Itoa(srv.BuiltInKMIPServer.GetPort())},
"does-not-matter",
string(srv.BuiltInKMIPServer.PasswordChallenge),
nil, "", ""); err != nil {
return err
@@ -245,7 +249,7 @@
}
}
if srv.KMIPClient, err = NewKMIPClient(
- srv.Config.KMIPHost, srv.Config.KMIPPort,
+ srv.Config.KMIPAddresses,
srv.Config.KMIPUser, srv.Config.KMIPPass,
caCert, srv.Config.KMIPCertPEM, srv.Config.KMIPKeyPEM);
err != nil {
return err
@@ -395,8 +399,14 @@
} else if err := req.Validate(); err != nil {
return err
}
- // No matter key is located in built-in KMIP server or external KMIP
server, the KMIP client needs to create the key.
- kmipKeyID, err := rpcConn.Svc.KMIPClient.CreateKey(req.UUID)
+ /*
+ No matter key is located in built-in KMIP server or external
KMIP server, the KMIP client needs to create the key.
+ But if the KMIP server is an external appliance, having the
name prefix makes it more apparent where the key
+ originates.
+ If KMIP server is the built-in one, the server will remove the
prefix string before storing record UUID in built-in key database.
+ But key database only recognises UUID, there's no need for a
prefix to be stored in key database.
+ */
+ kmipKeyID, err := rpcConn.Svc.KMIPClient.CreateKey(KeyNamePrefix +
req.UUID)
if err != nil {
return fmt.Errorf("CryptServiceConn.CreateKey: KMIP client
refused to create the key - %v", err)
}
@@ -605,7 +615,17 @@
if err := rpcConn.Svc.ValidatePassword(req.Password); err != nil {
return err
}
- return rpcConn.Svc.KeyDB.Erase(req.UUID)
+ rec, found := rpcConn.Svc.KeyDB.GetByUUID(req.UUID)
+ if !found {
+ // No need to return error in case key has already disappeared
from key server
+ return nil
+ }
+ kmipErr := rpcConn.Svc.KMIPClient.DestroyKey(rec.ID)
+ dbErr := rpcConn.Svc.KeyDB.Erase(req.UUID)
+ if dbErr == nil && kmipErr != nil {
+ return fmt.Errorf("EraseKey: key tracking record has been
erased from database, but KMIP did not erase it - %v", kmipErr)
+ }
+ return dbErr
}
// Reload key database into memory. This function can only be called from
127.0.0.1. No password is required.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/keyserv/rpc_svc_test.go new/keyserv/rpc_svc_test.go
--- old/keyserv/rpc_svc_test.go 2017-05-05 15:40:57.623136513 +0200
+++ new/keyserv/rpc_svc_test.go 2017-06-01 14:25:52.106974576 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package keyserv
@@ -107,6 +107,7 @@
KeyCreationGreeting: "b",
KeyRetrievalSubject: "c",
KeyRetrievalGreeting: "d",
+ KMIPAddresses: []string{},
}) {
t.Fatalf("%+v", svcConf)
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/kmip/structure/const.go new/kmip/structure/const.go
--- old/kmip/structure/const.go 2017-05-05 16:33:24.064824922 +0200
+++ new/kmip/structure/const.go 2017-05-31 13:44:56.466420334 +0200
@@ -1,3 +1,5 @@
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
+// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package structure
import (
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/kmip/structure/op_common.go
new/kmip/structure/op_common.go
--- old/kmip/structure/op_common.go 2017-05-08 10:31:01.908508293 +0200
+++ new/kmip/structure/op_common.go 2017-06-01 14:55:51.121761395 +0200
@@ -1,3 +1,5 @@
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
+// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package structure
import (
@@ -135,21 +137,29 @@
func (header SRequestHeader) SerialiseToTTLV() ttlv.Item {
header.IBatchCount.Tag = TagBatchCount
- return ttlv.NewStructure(
- TagRequestHeader,
- header.SProtocolVersion.SerialiseToTTLV(),
- header.SAuthentication.SerialiseToTTLV(),
- &header.IBatchCount)
+ if header.SAuthentication.SCredential.SCredentialValue.TUsername.Value
== "" {
+ // Omit authentication header if no username data is given
+ return ttlv.NewStructure(
+ TagRequestHeader,
+ header.SProtocolVersion.SerialiseToTTLV(),
+ &header.IBatchCount)
+ } else {
+ return ttlv.NewStructure(
+ TagRequestHeader,
+ header.SProtocolVersion.SerialiseToTTLV(),
+ header.SAuthentication.SerialiseToTTLV(),
+ &header.IBatchCount)
+ }
}
func (header *SRequestHeader) DeserialiseFromTTLV(in ttlv.Item) error {
if err := DecodeStructItem(in, TagRequestHeader, TagProtocolVersion,
&header.SProtocolVersion); err != nil {
return err
- } else if err := DecodeStructItem(in, TagRequestHeader,
TagAuthentication, &header.SAuthentication); err != nil {
- return err
} else if err := DecodeStructItem(in, TagRequestHeader, TagBatchCount,
&header.IBatchCount); err != nil {
return err
}
+ // Decode authentication header if it is given
+ DecodeStructItem(in, TagRequestHeader, TagAuthentication,
&header.SAuthentication)
return nil
}
@@ -346,6 +356,8 @@
if respItem.EResultStatus.Value == ValResultStatusSuccess {
items = append(items,
respItem.SResponsePayload.SerialiseToTTLV())
} else {
+ respItem.EResultReason.Tag = TagResultReason
+ respItem.EResultMessage.Tag = TagResultMessage
items = append(items, &respItem.EResultReason,
&respItem.EResultMessage)
}
return ttlv.NewStructure(TagBatchItem, items...)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/kmip/structure/op_create.go
new/kmip/structure/op_create.go
--- old/kmip/structure/op_create.go 2017-05-05 14:27:21.355190669 +0200
+++ new/kmip/structure/op_create.go 2017-05-31 13:44:56.298419370 +0200
@@ -1,6 +1,9 @@
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
+// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package structure
import (
+ "errors"
"fmt"
"github.com/HouzuoGuo/cryptctl/kmip/ttlv"
)
@@ -27,6 +30,9 @@
if err := DecodeStructItem(in, TagRequestMessage, TagBatchItem,
&createReq.SRequestBatchItem); err != nil {
return err
}
+ if createReq.SRequestBatchItem.EOperation.Value != ValOperationCreate {
+ return errors.New("SCreateRequest.DeserialiseFromTTLV: input is
not a create request")
+ }
return nil
}
@@ -91,6 +97,9 @@
if err := DecodeStructItem(in, TagResponseMessage, TagBatchItem,
&createResp.SResponseBatchItem); err != nil {
return err
}
+ if createResp.SResponseBatchItem.EOperation.Value != ValOperationCreate
{
+ return errors.New("SCreateResponse.DeserialiseFromTTLV: input
is not a create response")
+ }
return nil
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/kmip/structure/op_destroy.go
new/kmip/structure/op_destroy.go
--- old/kmip/structure/op_destroy.go 2017-05-02 11:44:07.005652544 +0200
+++ new/kmip/structure/op_destroy.go 2017-05-31 13:44:56.354419690 +0200
@@ -1,6 +1,9 @@
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
+// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package structure
import (
+ "errors"
"fmt"
"github.com/HouzuoGuo/cryptctl/kmip/ttlv"
)
@@ -27,6 +30,9 @@
if err := DecodeStructItem(in, TagRequestMessage, TagBatchItem,
&destroyReq.SRequestBatchItem); err != nil {
return err
}
+ if destroyReq.SRequestBatchItem.EOperation.Value != ValOperationDestroy
{
+ return errors.New("SDestroyRequest.DeserialiseFromTTLV: input
is not a destroy request")
+ }
return nil
}
@@ -68,6 +74,9 @@
if err := DecodeStructItem(in, TagResponseMessage, TagBatchItem,
&destroyResp.SResponseBatchItem); err != nil {
return err
}
+ if destroyResp.SResponseBatchItem.EOperation.Value !=
ValOperationDestroy {
+ return errors.New("SDestroyResponse.DeserialiseFromTTLV: input
is not a destroy response")
+ }
return nil
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/kmip/structure/op_get.go new/kmip/structure/op_get.go
--- old/kmip/structure/op_get.go 2017-05-02 11:44:07.009652563 +0200
+++ new/kmip/structure/op_get.go 2017-05-31 13:44:56.434420149 +0200
@@ -1,6 +1,9 @@
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
+// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package structure
import (
+ "errors"
"fmt"
"github.com/HouzuoGuo/cryptctl/kmip/ttlv"
)
@@ -27,6 +30,9 @@
if err := DecodeStructItem(in, TagRequestMessage, TagBatchItem,
&getReq.SRequestBatchItem); err != nil {
return err
}
+ if getReq.SRequestBatchItem.EOperation.Value != ValOperationGet {
+ return errors.New("SGetRequest.DeserialiseFromTTLV: input is
not a get request")
+ }
return nil
}
@@ -68,6 +74,9 @@
if err := DecodeStructItem(in, TagResponseMessage, TagBatchItem,
&getResp.SResponseBatchItem); err != nil {
return err
}
+ if getResp.SResponseBatchItem.EOperation.Value != ValOperationGet {
+ return errors.New("SGetResponse.DeserialiseFromTTLV: input is
not a get response")
+ }
return nil
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/kmip/structure/serialisation_test.go
new/kmip/structure/serialisation_test.go
--- old/kmip/structure/serialisation_test.go 2017-05-08 10:15:35.383887948
+0200
+++ new/kmip/structure/serialisation_test.go 2017-05-31 13:44:56.386419875
+0200
@@ -1,3 +1,5 @@
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
+// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package structure
import (
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/kmip/ttlv/dencode.go new/kmip/ttlv/dencode.go
--- old/kmip/ttlv/dencode.go 2017-05-08 11:38:54.789105478 +0200
+++ new/kmip/ttlv/dencode.go 2017-05-31 13:44:56.498420517 +0200
@@ -1,3 +1,5 @@
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
+// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package ttlv
import (
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/kmip/ttlv/encoding_test.go
new/kmip/ttlv/encoding_test.go
--- old/kmip/ttlv/encoding_test.go 2017-05-04 10:26:26.112467080 +0200
+++ new/kmip/ttlv/encoding_test.go 2017-05-31 13:44:56.330419553 +0200
@@ -1,3 +1,5 @@
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
+// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package ttlv
import (
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/kmip/ttlv/sample.go new/kmip/ttlv/sample.go
--- old/kmip/ttlv/sample.go 2017-05-05 16:33:24.072824969 +0200
+++ new/kmip/ttlv/sample.go 2017-05-31 13:44:56.506420563 +0200
@@ -1,3 +1,5 @@
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
+// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package ttlv
var SampleCreateRequest = WiresharkDumpToBytes(`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/kmip/ttlv/types.go new/kmip/ttlv/types.go
--- old/kmip/ttlv/types.go 2017-05-08 10:08:46.273873037 +0200
+++ new/kmip/ttlv/types.go 2017-05-31 13:44:56.422420082 +0200
@@ -1,3 +1,5 @@
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
+// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package ttlv
import (
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/main.go new/main.go
--- old/main.go 2017-04-12 10:14:52.257214284 +0200
+++ new/main.go 2017-06-01 11:17:39.060901553 +0200
@@ -1,5 +1,5 @@
// +build linux
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package main
@@ -15,7 +15,7 @@
func PrintHelpAndExit(exitStatus int) {
fmt.Println(`cryptctl: encrypt and decrypt file systems using network
key server.
-Copyright (C) 2016 SUSE Linux GmbH, Germany
+Copyright (C) 2017 SUSE Linux GmbH, Germany
This program comes with ABSOLUTELY NO WARRANTY.This is free software, and you
are welcome to redistribute it under certain conditions; see file "LICENSE".
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/ospackage/etc/sysconfig/cryptctl-server
new/ospackage/etc/sysconfig/cryptctl-server
--- old/ospackage/etc/sysconfig/cryptctl-server 2017-05-11 15:49:38.135920761
+0200
+++ new/ospackage/etc/sysconfig/cryptctl-server 2017-06-01 13:50:17.938692498
+0200
@@ -78,10 +78,22 @@
## Default: ""
#
# Mail agent address and port number in the format of "address:port". The
address must be fully qualified domain name.
-# If all Email parameters are filled in, notifications will be sent upon key
creation/retrieval events.
+# If this parameter is set, mail notifications will be sent upon key
creation/retrieval events.
EMAIL_AGENT_AND_PORT=""
## Type: string
+## Default: ""
+#
+# Mail agent plain authentication username (optional).
+EMAIL_AGENT_USERNAME=""
+
+## Type: string
+## Default: ""
+#
+# Mail agent plain authentication password (optional).
+EMAIL_AGENT_PASSWORD=""
+
+## Type: string
## Default: "A new file system has been encrypted"
#
# Subject shown in notification emails sent by key creation events.
@@ -108,8 +120,9 @@
## Type: string
## Default: ""
#
-# If key server should act as KMIP proxy, this is the KMIP host name.
-KMIP_SERVER_HOST=""
+# If key server should act as KMIP proxy, this is the KMIP hostname:port list,
separated by space.
+# (e.g. host1:port1 host2:port2 ...)
+KMIP_SERVER_ADDRESSES=""
## Type: integer
## Default: ""
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/ospackage/man/cryptctl.8 new/ospackage/man/cryptctl.8
--- old/ospackage/man/cryptctl.8 2017-05-11 15:49:38.491922888 +0200
+++ new/ospackage/man/cryptctl.8 2017-05-31 13:45:21.458563746 +0200
@@ -1,6 +1,6 @@
.\"/*
.\" * All rights reserved
-.\" * Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+.\" * Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
.\" * Authors: Howard Guo
.\" *
.\" * This program is free software; you can redistribute it and/or
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/routine/encrypt.go new/routine/encrypt.go
--- old/routine/encrypt.go 2017-05-11 15:49:38.311921813 +0200
+++ new/routine/encrypt.go 2017-05-31 13:44:56.286419301 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package routine
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/routine/encrypt_test.go new/routine/encrypt_test.go
--- old/routine/encrypt_test.go 2017-05-11 15:49:38.135920761 +0200
+++ new/routine/encrypt_test.go 2017-05-31 13:44:56.518420632 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package routine
@@ -487,7 +487,8 @@
resetDisks()
// Now that server has shut down, try to unlock disks using key records
only.
if len(srv.KeyDB.RecordsByUUID) != 2 {
- t.Fatal(srv.KeyDB.RecordsByUUID)
+
+ t.Fatalf("%+v\n", srv.KeyDB.RecordsByUUID)
}
records := make([]keydb.Record, 0, 0)
for _, record := range srv.KeyDB.RecordsByUUID {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/routine/openssl.go new/routine/openssl.go
--- old/routine/openssl.go 2017-04-12 10:14:52.257214284 +0200
+++ new/routine/openssl.go 2017-05-31 13:44:56.550420815 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package routine
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/routine/openssl_test.go new/routine/openssl_test.go
--- old/routine/openssl_test.go 2017-04-12 10:14:52.257214284 +0200
+++ new/routine/openssl_test.go 2017-05-31 13:44:56.486420449 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package routine
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/routine/unlock.go new/routine/unlock.go
--- old/routine/unlock.go 2017-05-11 15:49:38.311921813 +0200
+++ new/routine/unlock.go 2017-05-31 13:44:56.538420747 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package routine
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/sys/daemon.go new/sys/daemon.go
--- old/sys/daemon.go 2017-04-12 10:14:52.257214284 +0200
+++ new/sys/daemon.go 2017-05-31 13:44:56.454420264 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package sys
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/sys/daemon_test.go new/sys/daemon_test.go
--- old/sys/daemon_test.go 2017-04-12 10:14:52.257214284 +0200
+++ new/sys/daemon_test.go 2017-05-31 13:44:56.374419805 +0200
@@ -1,3 +1,5 @@
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
+// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package sys
import "testing"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/sys/exec.go new/sys/exec.go
--- old/sys/exec.go 2017-04-12 10:14:52.257214284 +0200
+++ new/sys/exec.go 2017-05-31 13:44:56.414420036 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package sys
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/sys/exec_test.go new/sys/exec_test.go
--- old/sys/exec_test.go 2017-04-12 10:14:52.257214284 +0200
+++ new/sys/exec_test.go 2017-05-31 13:44:56.318419484 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package sys
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/sys/sysconfig.go new/sys/sysconfig.go
--- old/sys/sysconfig.go 2017-04-12 10:14:52.257214284 +0200
+++ new/sys/sysconfig.go 2017-05-31 13:44:56.394419921 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package sys
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/sys/sysconfig_test.go new/sys/sysconfig_test.go
--- old/sys/sysconfig_test.go 2017-04-12 10:14:52.257214284 +0200
+++ new/sys/sysconfig_test.go 2017-05-31 13:44:56.406419990 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package sys
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/sys/term.go new/sys/term.go
--- old/sys/term.go 2017-05-11 15:49:38.135920761 +0200
+++ new/sys/term.go 2017-05-31 13:44:56.442420197 +0200
@@ -1,4 +1,4 @@
-// cryptctl - Copyright (c) 2016 SUSE Linux GmbH, Germany
+// cryptctl - Copyright (c) 2017 SUSE Linux GmbH, Germany
// This source code is licensed under GPL version 3 that can be found in
LICENSE file.
package sys
