enable doas tests and add argon2 to CI

.github/workflows/linux.yml

@@ -25,13 +25,24 @@ jobs:
   build-matrix:
     strategy:
       matrix:
-        os: [ubuntu-22.04, ubuntu-20.04]
+        os: [ubuntu-22.04, ubuntu-20.04, ubuntu-24.04]
     runs-on: ${{ matrix.os }}
     steps:
       - name: Install tomb dependencies
         run: |
           sudo apt-get update -y -q
-          sudo apt-get install -y -q zsh cryptsetup gpg gawk libgcrypt20-dev steghide qrencode python2 python3-pip python3-dev libssl-dev make gcc sudo gettext bsdmainutils file pinentry-curses xxd libsodium23 libsodium-dev
+          sudo apt-get install -y -q zsh cryptsetup gpg gawk libgcrypt20-dev steghide qrencode python3-pip python3-dev libssl-dev make gcc sudo gettext bsdmainutils file pinentry-curses xxd libsodium23 libsodium-dev argon2
+      - name: Install python2 on ubuntu 20
+        if: matrix.os == 'ubuntu-20.04'
+        run: sudo apt-get install -y -q python2
+      - name: Install python2 on ubuntu 22
+        if: matrix.os == 'ubuntu-22.04'
+        run: sudo apt-get install -y -q python2
+      - name: Install doas where found
+        if: matrix.os == 'ubuntu-24.04'
+        run: |
+          sudo apt-get install -y -q opendoas
+          echo "permit nopass root" | sudo tee /etc/doas.conf
       - uses: actions/checkout@v3
       - name: Build the pbkdf2 extras
         run: |

README.md

@@ -9,14 +9,15 @@ You can keep your volumes secure and easily manageable with simple commands.
 
 ![tomb's logo](https://github.com/dyne/Tomb/blob/master/extras/images/monmort.png)
 
+Create a new 120MiB `secret.tomb` folder and lock it with a new `secret.tomb.key` file.
 ```
- $ tomb dig -s 100 secret.tomb
- $ tomb forge secret.tomb.key
- $ tomb lock secret.tomb -k secret.tomb.key
+ $ tomb dig   -s 120 secret.tomb
+ $ tomb forge -k secret.tomb.key
+ $ tomb lock  -k secret.tomb.key secret.tomb
 ```
 To open it, do
 ```
- $ tomb open secret.tomb -k secret.tomb.key
+ $ tomb open  -k secret.tomb.key secret.tomb
 ```
 And after you are done
 ```
@@ -26,19 +27,19 @@ Or, if you are in a hurry, kill all processes with open files inside your tomb a
 ```
  $ tomb slam
 ```
-## [Get started on dyne.org/tomb](https://dyne.org/tomb)
+## 📖 [Get started on dyne.org/tomb](https://dyne.org/tomb)
 
 <a href="https://dyne.org/tomb"><img src="https://files.dyne.org/software_by_dyne.png" width="30%"></a>
 
-All information is found on our website.
-
-Use only stable and signed releases in production!
+More information in `man tomb` and on [dyne.org/docs/tomb](https://dyne.org/docs/tomb).
 
 ### 💾 [Download from files.dyne.org/tomb](https://files.dyne.org/tomb/)
 
+Use only stable and signed releases in production!
+
 Tomb's development is community-based!
 
-## How can you help
+## 🤏🏽 How can you help
 
 Donations are very welcome on [dyne.org/donate](https://www.dyne.org/donate)
 
@@ -55,4 +56,3 @@ There is also a [space for discussion](https://github.com/dyne/Tomb/discussions)
 Tomb is Copyright (C) 2007-2024 by the Dyne.org Foundation and maintained by [Jaromil](https://github.com/jaromil). The [AUTHORS](AUTHORS.md) file contains more information on all the developers involved. The license is GNU Public License v3.
 
 ## [More info on dyne.org/tomb](https://dyne.org/tomb)
-

doc/tomb.1

@@ -306,17 +306,6 @@ Select a different tool than sudo for privilege escalation.
 Alternatives supported so far are: pkexec, doas, sup, sud. For any
 alternative to work the executable must be included in the current
 PATH.
-.B
-.IP "--sphx-user \fI<username>\fR"
-Activate the SPHINX feature for password-authenticated key agreement.
-This option indicates the \fI<username>\fR used to retrieve the
-password from a sphinx oracle key reachable via TCP/IP.
-.B
-.IP "--sphx-host \fI<domain>\fR"
-Activate the SPHINX feature for password-authenticated key agreement.
-This option indicates the \fI<domain>\fR used to retrieve the password
-from a sphinx oracle daemon reachable via TCP/IP. This is not the
-network address of the daemon, which is configured in /etc/sphinx
 
 .B
 .IP "-h"
@@ -484,24 +473,6 @@ its copies are destroyed. The \fI-r\fR option can be used in the tomb
 commands: \fIopen\fR, \fIforge\fR \fIsetkey\fR, \fIpasswd\fR,
 \fIbury\fR, \fIexhume\fR and \fIresize\fR.
 
-.SH SPHINX (PAKE)
-
-Using the package libsphinx
-.UR https://github.com/stef/libsphinx
-.UE
-and its python client/daemon implementation pwdsphinx
-.UR https://github.com/stef/pwdsphinx
-.UE
-is possible to store and retrieve safely the password that locks the
-tomb. Using this feature will make it impossible to retrieve the
-password without the oracle sphinx server running and reachable. Each
-key entry needs a username and a domain specified on creation and
-a password that locks it.
-
-SPHINX makes it impossible to maliciously retrieve the password
-locking the tomb key without an attacker accessing both the
-server, the sphinx password and the tomb key file.
-
 .SH EXAMPLES
 
 .IP \(bu

extras/test/00_create.sh

@@ -15,18 +15,6 @@ test_expect_success 'Testing tomb creation: dig, forge and lock' '
     tt_lock --tomb-pwd $DUMMYPASS
     '
 
-if test_have_prereq SPHINX ORACLE; then
-	test_export "sphinx_test"
-	test_expect_success 'Testing tomb creation: dig, forge and lock (sphinx password handling)' '
-        tt_dig -s 20 &&
-        tt_forge --tomb-pwd $DUMMYPASS --sphx-user $DUMMYUSER --sphx-host $DUMMYHOST &&
-        print $(echo $DUMMYPASS | sphinx get $DUMMYUSER $DUMMYHOST) \
-            | gpg --batch --passphrase-fd 0 --no-tty --no-options -d $tomb_key \
-            | xxd &&
-        tt_lock --tomb-pwd $DUMMYPASS --sphx-user $DUMMYUSER --sphx-host $DUMMYHOST
-        '
-fi
-
 if test_have_prereq DOAS; then
     test_export "doas_test"
     test_expect_success 'Testing tomb creation: dig, forge and lock (using doas instead of sudo)' '
@@ -39,4 +27,26 @@ if test_have_prereq DOAS; then
         '
 fi
 
+if test_have_prereq BTRFS; then
+    test_export "btrfs"
+    test_expect_success 'Testing tomb creation using BTRFS filesystem' '
+    tt_dig -s 120 &&
+    tt_forge --tomb-pwd $DUMMYPASS &&
+    print $DUMMYPASS \
+        | gpg --batch --passphrase-fd 0 --no-tty --no-options -d $tomb_key \
+        | xxd &&
+    tt_lock --tomb-pwd $DUMMYPASS --filesystem btrfs
+    '
+
+    test_export "btrfsmixed"
+    test_expect_success 'Testing tomb creation using BTRFS mixedmode filesystem' '
+    tt_dig -s 20 &&
+    tt_forge --tomb-pwd $DUMMYPASS &&
+    print $DUMMYPASS \
+        | gpg --batch --passphrase-fd 0 --no-tty --no-options -d $tomb_key \
+        | xxd &&
+    tt_lock --tomb-pwd $DUMMYPASS --filesystem btrfsmixedmode
+    '
+fi
+
 test_done

extras/test/10_operations.sh

@@ -44,14 +44,6 @@ if test_have_prereq LSOF; then
         '
 fi
 
-if test_have_prereq SPHINX ORACLE; then
-    test_export "sphinx_test" # Using already generated tomb
-    test_expect_success 'Testing open with good password (sphinx)' '
-        tt_open --tomb-pwd $DUMMYPASS --sphx-user $DUMMYUSER --sphx-host $DUMMYHOST &&
-        tt_close
-        '
-fi
-
 if test_have_prereq DOAS; then
     test_export "doas_test" # Using already generated tomb
     test_expect_success 'Testing open with good password (using doas instead of sudo)' '

extras/test/30_kdf.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env zsh
 
-export test_description="Testing tomb with KDF key"
+export test_description="Testing tomb with KDF keys"
 
 source ./setup
 
@@ -12,18 +12,45 @@ if test_have_prereq KDF; then
         print $DUMMYPASS \
             | gpg --batch --passphrase-fd 0 --no-tty --no-options -d $tomb_key \
             | xxd &&
-        tt_lock --tomb-pwd $DUMMYPASS --kdf 1
+        tt_lock --tomb-pwd $DUMMYPASS
         '
 
     test_expect_success 'Testing KDF: tomb passwd' '
-        tt passwd -k $tomb_key --kdf 1 \
+        tt passwd -k $tomb_key \
             --unsafe --tomb-old-pwd $DUMMYPASS --tomb-pwd $DUMMYPASSNEW &&
-        tt passwd -k $tomb_key --kdf 1 \
+        tt passwd -k $tomb_key \
             --unsafe --tomb-old-pwd $DUMMYPASSNEW --tomb-pwd $DUMMYPASS
         '
 
     test_expect_success 'Testing KDF: tomb open & close' '
-        tt_open --tomb-pwd $DUMMYPASS --kdf 1 &&
+        tt_open --tomb-pwd $DUMMYPASS &&
+        tt_close
+        '
+fi
+
+# clean to avoid overwrite errors
+# rm -f "$tomb_key" "$tomb"
+
+if test_have_prereq ARGON2; then
+    test_export "argon2"
+    test_expect_success 'Testing KDF ARGON2: tomb creation' '
+        tt_dig -s 20 &&
+        tt_forge --tomb-pwd $DUMMYPASS --kdftype argon2 --kdfmem 18 --kdf 1 &&
+        print $DUMMYPASS \
+            | gpg --batch --passphrase-fd 0 --no-tty --no-options -d $tomb_key \
+            | xxd &&
+        tt_lock --tomb-pwd $DUMMYPASS
+        '
+
+    test_expect_success 'Testing KDF ARGON2: tomb passwd' '
+        tt passwd -k $tomb_key \
+            --unsafe --tomb-old-pwd $DUMMYPASS --tomb-pwd $DUMMYPASSNEW &&
+        tt passwd -k $tomb_key \
+            --unsafe --tomb-old-pwd $DUMMYPASSNEW --tomb-pwd $DUMMYPASS
+        '
+
+    test_expect_success 'Testing KDF ARGON2: tomb open & close' '
+        tt_open --tomb-pwd $DUMMYPASS &&
         tt_close
         '
 fi

extras/test/60_resize.sh

@@ -5,24 +5,29 @@ export test_description="Testing tomb resize feature"
 source ./setup
 
 if test_have_prereq RESIZER; then
-    test_export "test" # Using already generated tomb
-    test_expect_success 'Testing resize to 30 MB tomb' '
-        tt resize -s 30 $tomb -k $tomb_key --unsafe --tomb-pwd $DUMMYPASS
+  test_export "test" # Using already generated tomb
+  test_expect_success 'Testing resize to 30 MB tomb' '
+        tt resize -s 190 $tomb -k $tomb_key --unsafe --tomb-pwd $DUMMYPASS
         '
-if test_have_prereq GPGRCPT; then
+  if test_have_prereq GPGRCPT; then
     test_export "recipient" # Using already generated tomb
     test_expect_success 'Testing resize to 30 MB tomb with GnuPG keys' '
-        tt resize -s 30 $tomb -k $tomb_key -g -r $KEY2
+        tt resize -s 190 $tomb -k $tomb_key -g -r $KEY2
         '
-fi
+  fi
 
 fi # RESIZER
 
-if test_have_prereq RESIZER SPHINX ORACLE; then 
-       test_export "sphinx_test" # Using already generated tomb
-       test_expect_success 'Testing resize to 30 MB tomb (sphinx)' '
-        tt resize -s 30 $tomb -k $tomb_key --unsafe --tomb-pwd $DUMMYPASS --sphx-user $DUMMYUSER --sphx-host $DUMMYHOST
+if test_have_prereq BTRFS; then
+    test_export "btrfs"
+    test_expect_success 'Testing resize using BTRFS filesystem' '
+        tt resize -s 280 $tomb -k $tomb_key --unsafe --tomb-pwd $DUMMYPASS
         '
+
+    # test_export "btrfsmixed"
+    # test_expect_success 'Testing resize using BTRFS filesystem' '
+    #     tt resize -s 190 $tomb -k $tomb_key --unsafe --tomb-pwd $DUMMYPASS
+    #     '
 fi
 
 test_done

extras/test/65_passwd.sh

@@ -21,16 +21,4 @@ test_expect_success 'Testing tomb with GnuPG keys: passwd' '
 
 fi
 
-if test_have_prereq SPHINX ORACLE; then 
-       test_export "sphinx_test" # Using already generated tomb
-       test_expect_success 'Testing changing tomb password with sphinx' '
-           tt passwd -f -k $tomb_key --unsafe \
-               --tomb-old-pwd $DUMMYPASS --tomb-pwd $DUMMYPASSNEW \
-               --sphx-user $DUMMYUSER --sphx-host $DUMMYHOST &&
-           tt passwd -f -k $tomb_key --unsafe \
-               --tomb-old-pwd $DUMMYPASSNEW --tomb-pwd $DUMMYPASS \
-               --sphx-user $DUMMYUSER --sphx-host $DUMMYHOST
-           '
-fi
-
 test_done

extras/test/90_setkey.sh

@@ -28,23 +28,4 @@ test_expect_success 'Testing tomb with GnuPG keys: setkey' '
     '
 fi
 
-if test_have_prereq SPHINX ORACLE; then 
-    test_export "sphinx_test" # Using already generated tomb
-    test_expect_success 'Testing set key (sphinx)' '
-        tt forge -f -k $tomb_key_new --tomb-pwd $DUMMYPASS \
-            --ignore-swap --unsafe --force \
-            --sphx-user $DUMMYUSER --sphx-host $DUMMYHOST &&
-        tt setkey -f -k $tomb_key_new $tomb_key $tomb \
-            --unsafe --tomb-pwd $DUMMYPASS --tomb-old-pwd $DUMMYPASS \
-            --sphx-user $DUMMYUSER --sphx-host $DUMMYHOST &&
-        tt open -f -k $tomb_key_new $tomb \
-            --unsafe --tomb-pwd $DUMMYPASS \
-            --sphx-user $DUMMYUSER --sphx-host $DUMMYHOST &&
-        print $DUMMYPASS \
-            | gpg --batch --passphrase-fd 0 --no-tty --no-options -d $tomb_key_new \
-            | xxd &&
-        tt_close
-        '
-fi
-
 test_done

extras/test/setup

@@ -55,9 +55,9 @@ command -v lsof > /dev/null && test_set_prereq LSOF
 command -v python3 > /dev/null && test_set_prereq PYTHON3
 command -v cloakify > /dev/null && test_set_prereq CLOAKIFY
 command -v decloakify > /dev/null && test_set_prereq DECLOAKIFY
-command -v sphinx > /dev/null && test_set_prereq SPHINX
-command -v oracle > /dev/null && test_set_prereq ORACLE
 command -v doas > /dev/null && test_set_prereq DOAS
+command -v argon2 > /dev/null && test_set_prereq ARGON2
+command -v mkfs.btrfs > /dev/null && test_set_prereq BTRFS
 
 
 # GnuPG config
@@ -79,10 +79,6 @@ fi
 export DUMMYPASS=test
 export DUMMYPASSNEW=changetest
 
-# Dummy host and username for sphinx
-export DUMMYHOST=example.com
-export DUMMYUSER=user
-
 
 # Test helpers
 

extras/translations/de.po

@@ -1352,7 +1352,7 @@ msgstr ""
 "Stretchfunktion des Dateisystems"
 
 #: tomb:Resize:resize_tomb:3033
-msgid "The new size must be greater then old tomb size."
+msgid "The new size must be greater than old tomb size."
 msgstr "Die neue Größe muss größer sein als die alte."
 
 #: tomb:Resize:resize_tomb:3038

extras/translations/es.po

@@ -1321,7 +1321,7 @@ msgid "Tomb seems resized already, operating filesystem stretch"
 msgstr "Tumba parece ya redimensionado, operando reducción del SdF"
 
 #: tomb:Resize:resize_tomb:3033
-msgid "The new size must be greater then old tomb size."
+msgid "The new size must be greater than old tomb size."
 msgstr "El nuevo tamaño debe ser mayor que el viejo tamaño de la tumba."
 
 #: tomb:Resize:resize_tomb:3038