From unknown Sat Jun 21 10:39:52 2025
From: bug#69275 <69275@debbugs.gnu.org>
To: bug#69275 <69275@debbugs.gnu.org>
Subject: Status: [PATCH] gnu: ecryptfs-utils: Add the openssl key module.
Date: Sat, 21 Jun 2025 17:39:52 +0000

retitle 69275 [PATCH] gnu: ecryptfs-utils: Add the openssl key module.
reassign 69275 guix-patches
submitter 69275 Brian Kubisiak
severity 69275 normal
tag 69275 patch
thanks

From debbugs-submit-bounces@debbugs.gnu.org Mon Feb 19 11:16:26 2024
Date: Mon, 19 Feb 2024 07:15:08 -0800
From: Brian Kubisiak
To: guix-patches@gnu.org
Subject: [PATCH] gnu: ecryptfs-utils: Add the openssl key module.

* gnu/packages/patches/ecryptfs-utils-openssl-1.1.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add the patch.
* gnu/packages/linux.scm (ecryptfs-utils)[source]: Apply the patch.
[inputs]: Add openssl-1.1.

Change-Id: I89cc15534e93cf20f2b5084157cbefaec5084ec8
---
 gnu/local.mk | 1 +
 gnu/packages/linux.scm | 4 +-
 .../patches/ecryptfs-utils-openssl-1.1.patch | 52 +++++++++++++++++++
 3 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/ecryptfs-utils-openssl-1.1.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 58011d1149..cb5741dc60 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1107,6 +1107,7 @@ dist_patch_DATA = \ %D%/packages/patches/dvd+rw-tools-add-include.patch \ %D%/packages/patches/dynaconf-unvendor-deps.patch \ %D%/packages/patches/dyninst-fix-glibc-compatibility.patch \ + %D%/packages/patches/ecryptfs-utils-openssl-1.1.patch \ %D%/packages/patches/efivar-211.patch \ %D%/packages/patches/eigen-fix-strict-aliasing-bug.patch \ %D%/packages/patches/einstein-build.patch \ diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index d798c44a8f..100f322afd 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -7024,7 +7024,8 @@ (define-public ecryptfs-utils version ".orig.tar.gz")) (sha256 (base32 - "0zwq19siiwf09h7lwa7n7mgmrr8cxifp45lmwgcfr8c1gviv6b0i")))) + "0zwq19siiwf09h7lwa7n7mgmrr8cxifp45lmwgcfr8c1gviv6b0i")) + (patches (search-patches "ecryptfs-utils-openssl-1.1.patch")))) (build-system gnu-build-system) (arguments `(#:configure-flags (list "--disable-pywrap") @@ -7106,6 +7107,7 @@ (define-public ecryptfs-utils linux-pam lsof lvm2 + openssl-1.1 nss rsync sed diff --git a/gnu/packages/patches/ecryptfs-utils-openssl-1.1.patch b/gnu/packages/patches/ecryptfs-utils-openssl-1.1.patch new file mode 100644 index 0000000000..87b24829b4 --- /dev/null +++ b/gnu/packages/patches/ecryptfs-utils-openssl-1.1.patch 
@@ -0,0 +1,52 @@ +diff --git a/src/key_mod/ecryptfs_key_mod_openssl.c b/src/key_mod/ecryptfs_key_mod_openssl.c +index 56ebe2d..3959974 100644 +--- a/src/key_mod/ecryptfs_key_mod_openssl.c ++++ b/src/key_mod/ecryptfs_key_mod_openssl.c +@@ -141,6 +141,7 @@ ecryptfs_openssl_destroy_subgraph_ctx(struct ecryptfs_subgraph_ctx *ctx) + static int ecryptfs_openssl_generate_signature(char *sig, RSA *key) + { + int len, nbits, ebits, i; ++ const BIGNUM *n, *e; + int nbytes, ebytes; + unsigned char *hash; + unsigned char *data = NULL; +@@ -152,11 +153,14 @@ static int ecryptfs_openssl_generate_signature(char *sig, RSA *key) + rc = -ENOMEM; + goto out; + } +- nbits = BN_num_bits(key->n); ++ ++ RSA_get0_key(key, &n, &e, NULL); ++ ++ nbits = BN_num_bits(n); + nbytes = nbits / 8; + if (nbits % 8) + nbytes++; +- ebits = BN_num_bits(key->e); ++ ebits = BN_num_bits(e); + ebytes = ebits / 8; + if (ebits % 8) + ebytes++; +@@ -179,11 +183,11 @@ static int ecryptfs_openssl_generate_signature(char *sig, RSA *key) + data[i++] = '\02'; + data[i++] = (nbits >> 8); + data[i++] = nbits; +- BN_bn2bin(key->n, &(data[i])); ++ BN_bn2bin(n, &(data[i])); + i += nbytes; + data[i++] = (ebits >> 8); + data[i++] = ebits; +- BN_bn2bin(key->e, &(data[i])); ++ BN_bn2bin(e, &(data[i])); + i += ebytes; + SHA1(data, len + 3, hash); + to_hex(sig, (char *)hash, ECRYPTFS_SIG_SIZE); +@@ -278,7 +282,7 @@ static int ecryptfs_openssl_read_key(RSA **rsa, unsigned char *blob) + BIO *in = NULL; + int rc; + +- CRYPTO_malloc_init(); ++ OPENSSL_malloc_init(); + ERR_load_crypto_strings(); + OpenSSL_add_all_algorithms(); + ENGINE_load_builtin_engines(); base-commit: a35372cc0b9525b401c9a8b8c5eea6c3a83c9f4b prerequisite-patch-id: 22abd79e623712e121f73c89488a47c1b5b9cd7d prerequisite-patch-id: ebb44601cec0b6a5cf73e980522a864b2aae824e prerequisite-patch-id: 56702abf84319ed57932ea9a895700eb87954a20 prerequisite-patch-id: 26b2a4d0d2d944a4e8c9b5277781daa080836c03 prerequisite-patch-id: 3b30c17f33cfe426c2643be26bb5b8ff83ae7c0c -- 
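Review bot: the second gnu/packages/linux.scm hunk adds `openssl-1.1` to [inputs] without the commit message saying why the 1.1 branch is pinned instead of the default `openssl` package. The C changes in the accompanying patch (struct field access `key->n`/`key->e` replaced by `RSA_get0_key()`, `CRYPTO_malloc_init()` replaced by `OPENSSL_malloc_init()`) use calls that exist in OpenSSL 3.x as well (the RSA API is deprecated there but still available), so please state in the commit message whether the build was tried against current `openssl` and what failed. OpenSSL 1.1.1 reached upstream end-of-life in September 2023, so as written the package ties this key module to a crypto library that no longer receives security fixes. Minor: `openssl-1.1` is inserted between `lvm2` and `nss`, out of the alphabetical order the surrounding entries follow.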
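Review bot: the new gnu/packages/patches/ecryptfs-utils-openssl-1.1.patch begins directly at `diff --git`, with no header comment saying what it fixes (building the key module against OpenSSL 1.1's opaque `RSA` type) or whether it was taken from or sent to ecryptfs-utils upstream; Guix patches normally carry that description at the top, and it would also answer the "why" the commit message leaves open. In the C change itself, `RSA_get0_key(key, &n, &e, NULL)` is the right replacement for the removed `key->n`/`key->e` reads and the same BIGNUMs feed `BN_num_bits()`/`BN_bn2bin()`, so the computed signature bytes stay identical. Note that in OpenSSL 1.1 `OPENSSL_malloc_init()` is a no-op macro, and the `ERR_load_crypto_strings()` and `OpenSSL_add_all_algorithms()` calls kept as context are superseded by the library's automatic initialisation, so the patched line in `ecryptfs_openssl_read_key` could simply be deleted rather than renamed.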
2.41.0

From debbugs-submit-bounces@debbugs.gnu.org Sat Nov 02 08:00:32 2024
Date: Sat, 2 Nov 2024 11:58:04 +0000
From: Steve George
To: 69275@debbugs.gnu.org
Subject: RE: ecryptfs-utils: Add the openssl key module

Hi Brian,

You sent through a patch for adding the openssl module, but your commit
message doesn't say why it's required?

As I don't use ecryptfs-utils, I was wondering if you have a small
example test of how it's used?

Also, there's a bunch of pre-requisite patches; are these still
needed?

Thanks so much!

Steve / Futurile

From debbugs-submit-bounces@debbugs.gnu.org Wed Apr 02 22:41:13 2025
Date: Wed, 2 Apr 2025 19:40:57 -0700
From: Brian Kubisiak
To: 69275@debbugs.gnu.org
Subject: RE: ecryptfs-utils: Add the openssl key module
Message-ID: <6iasd5kmldkquuwljwlivhzg2zjs7esdtjcszaf2sdtmvgbzjg@vkqq7kuni3o2>
Cc: steve@futurile.net

Hi Steve,

I apologize for the late reply---I somehow missed that you had responded
to my patch. To be honest, I don't actually use ecryptfs with guix; I
used guix with this patch to reproduce a linux kernel bug I had
discovered [1] (this bug only happened when using the openssl key
module). After testing the fix for the kernel bug, I figured it was
better to send this patch upstream rather than delete it forever.

> You sent through a patch for adding the openssl module, your commit
> message doesn't say why it's required?

eCryptfs allows you to mount a filesystem overlay similar to overlayfs
but with an added layer of encryption (i.e. files written to the overlay
are encrypted before being written to the underlying storage). Keys are
set up using "key modules" from ecryptfs-utils. Without my patch, the
only available module on guix is the "passphrase" module that uses a
user-supplied passphrase for encryption/decryption. My patch also
enables the "openssl" module that performs encryption/decryption using
an asymmetric key using openssl.

> As I don't use ecryptfs-utils I was wondering if you have a small
> example test of how it's used?

Unfortunately I've lost the scripts that I was using to test this, but
'mount -t ecryptfs' should ask a sequence of questions about which
module and key to use etc.

> Also, there's a bunch of pre-requisite patches, are these still
> needed?
These are not required; I think this was just because I had a handful
of other WIP commits on my local checkout when I created this patch.

Brian

[1] https://lore.kernel.org/ecryptfs/5j2q56p6qkhezva6b2yuqfrsurmvrrqtxxzrnp3wqu7xrz22i7@hoecdztoplbl/