improved ssl-check

replaced default cipher with "aes" (just for testing)

bin/cbox-manage.sh

@@ -302,6 +302,7 @@ function get_available_disks()
 			  do	[ "$scan" = "$avail" ] && echo "/dev/$avail" 
 			done
 	 done
+	return 0
 }
 
 
@@ -365,6 +366,7 @@ function umount_crypto()
 function box_purge()
 # removing just the first bytes from the harddisk should be enough
 # every harddisk will be overriden!
+# this feature is only useful for validation
 {
 	# TODO: not ALL harddisks, please!
 	get_available_disks | while read a

bin/cbox-root-actions.sh

@@ -138,9 +138,10 @@ case "$ACTION" in
 		  fi
 		# just in case, that there is no ext2/3 filesystem:
 		# set uid option (will fail silently for ext2/3)
-		mount -o remount,uid="$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true
+		# TODO: there is no FILE_USER setting anymore - do we still need it?
+		#mount -o remount,uid="$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true
 		# adapt top-level permission to current setup - again: may fail silently
-		chown "$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true
+		#chown "$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true
 		true
 		;;
 	umount )

bin/cryptobox.pl

@@ -18,6 +18,7 @@ use CGI;
 use ClearSilver;
 use ConfigFile;
 use English;
+use CGI::Carp;
 
 # drop privileges
 $UID = $EUID;
@@ -209,11 +210,14 @@ sub log_msg
 
 sub check_ssl
 {
-	# BEWARE: dirty trick - is there a better way?
-	# stunnel is not in transparent mode -> that means, it replaces REMOTE_ADDR with
-	# its own IP (localhost, of course)
-	# TODO: this does not work with a native ssl webserver
-	return ($ENV{'REMOTE_ADDR'} eq '127.0.0.1');
+	# check, if we are behind a proxy with ssl (e.g. pound)
+	return (0==0) if ($ENV{'HTTP_FRONT_END_HTTPS'} =~ m/^on$/i);
+	# environment variable set (e.g. via apache directive "SetEnv HTTPS On")
+	return (0==0) if ($ENV{'HTTPS'} =~ m/^on$/i);
+	# port 80 -> not encrypted
+	return (0==1) if ($ENV{'SERVER_PORT'} = 80);
+	# other ports -> maybe ok - we accept it
+	return (0==0);
 }
 
 
@@ -240,7 +244,7 @@ sub exec_cb_script {
 	} else {
 		# parent
 		@result = <PROG_OUT>;
-		close PROG_OUT or warn "error while running $CB_SCRIPT: $?";
+		close PROG_OUT or warn "error while running $CB_SCRIPT (params:" . join(" ",@params) . "): $?";
 	}
 	if (wantarray) {
 		return @result;
@@ -413,7 +417,10 @@ my $current_admin_pw;
 # first: check for ssl!
 if ( ! &check_ssl()) {
 	$pagedata->setValue('Data.Error', 'NoSSL');
-	$pagedata->setValue('Data.Redirect.URL', "https://" . $ENV{'HTTP_HOST'} . $ENV{'SCRIPT_NAME'});
+	# remove port number from HTTP_HOST
+	my $hostname = $ENV{'HTTP_HOST'};
+	$hostname =~ s/:[0-9]*//;
+	$pagedata->setValue('Data.Redirect.URL', "https://" . $hostname . $ENV{'SCRIPT_NAME'});
 	$pagedata->setValue('Data.Redirect.Delay', "3");
 } elsif ($query->param('action')) {
 	my $action = $query->param('action');

conf-examples/cryptobox.conf

@@ -25,8 +25,9 @@ LOG_FILE=/var/log/cryptobox.log
 CONFIG_MARKER=cryptobox.marker
 
 # crypto settings
-# there is no default hash, as this is ignored by luks
-DEFAULT_CIPHER=aes-cbc-essiv:sha256
+# TODO: for now, the usual default cipher does not work on ARM, so we enable it during development
+#DEFAULT_CIPHER=aes-cbc-essiv:sha256
+DEFAULT_CIPHER=aes
 DEV_MAPPER_DIR=/dev/mapper
 
 # distribution specific configuration