From be454b79e1fb7edc80332a0b3c482d826feb1ec9 Mon Sep 17 00:00:00 2001 From: James Meyer Date: Mon, 6 Aug 2012 17:36:28 -0500 Subject: cryptsetup: 1.4.3 --- abs/core/cryptsetup/PKGBUILD | 39 +++--- abs/core/cryptsetup/encrypt_hook | 237 +++++++++++++++++++----------------- abs/core/cryptsetup/encrypt_install | 56 ++++++--- 3 files changed, 178 insertions(+), 154 deletions(-) diff --git a/abs/core/cryptsetup/PKGBUILD b/abs/core/cryptsetup/PKGBUILD index ceb826d..4ec9997 100644 --- a/abs/core/cryptsetup/PKGBUILD +++ b/abs/core/cryptsetup/PKGBUILD @@ -1,36 +1,35 @@ -# $Id: PKGBUILD 85278 2010-07-11 10:36:02Z thomas $ +# $Id: PKGBUILD 162744 2012-06-29 11:46:09Z thomas $ # Maintainer: Thomas Bächler pkgname=cryptsetup -pkgver=1.1.3 +pkgver=1.4.3 pkgrel=1 -pkgdesc="Userspace setup tool for transparent encryption of block devices using the Linux 2.6 cryptoapi" -arch=('i686' 'x86_64') +pkgdesc="Userspace setup tool for transparent encryption of block devices using dm-crypt" +arch=(i686 x86_64) license=('GPL') url="http://code.google.com/p/cryptsetup/" groups=('base') -depends=('device-mapper' 'libgcrypt' 'popt') -conflicts=('mkinitcpio<0.5.99') +depends=('device-mapper>=2.02.85-2' 'libgcrypt' 'popt' 'util-linux') +conflicts=('mkinitcpio<0.7') options=('!libtool' '!emptydirs') source=(http://cryptsetup.googlecode.com/files/${pkgname}-${pkgver}.tar.bz2 + http://cryptsetup.googlecode.com/files/${pkgname}-${pkgver}.tar.bz2.asc encrypt_hook - encrypt_install) -sha256sums=('9c8e68a272f6d9cfb6cd65cc0743f4c44a2096c61f74e0602bf40208b5e69c0a' - '64601eae6fbf3e3afceccec5877557aa208a82497c33cc94ad0a686b4022b5dc' - '8e4920bb4b5ce96508aa0c42b9b07326b70daf630519f1aa1d8082bca709c12a') + encrypt_install) +sha256sums=('d5ff2c00f6f791d77fa5636a02ae43ddbb46c6c793bdeafdec5e38fd15f99d0a' + 'ad610fe77d78bf7e91b7473f9d9c84de46ed1cc21f006fe3ae4791b0b6f42f3a' + 'e0cbcabb81233b4d465833dca0faf1e762dc3cb6611597a25fe24e5d7209f316' + 'cfe465bdad3d958bb2332a05e04f2e1e884422a5714dfd1a0a3b9b74bf7dc6ae') build() { - cd $srcdir/$pkgname-${pkgver} - ./configure --prefix=/usr --disable-static --sbindir=/sbin --libdir=/lib - make || return 1 + cd "${srcdir}"/$pkgname-${pkgver} + ./configure --prefix=/usr --disable-static + make } package() { - cd $srcdir/$pkgname-${pkgver} - make DESTDIR=$pkgdir install || return 1 + cd "${srcdir}"/$pkgname-${pkgver} + make DESTDIR="${pkgdir}" install # install hook - install -D -m644 $srcdir/encrypt_hook $pkgdir/lib/initcpio/hooks/encrypt - install -D -m644 $srcdir/encrypt_install $pkgdir/lib/initcpio/install/encrypt - # Fix pkgconfig location - install -d -m755 $pkgdir/usr/lib - mv $pkgdir/lib/pkgconfig $pkgdir/usr/lib/ + install -D -m644 "${srcdir}"/encrypt_hook "${pkgdir}"/usr/lib/initcpio/hooks/encrypt + install -D -m644 "${srcdir}"/encrypt_install "${pkgdir}"/usr/lib/initcpio/install/encrypt } diff --git a/abs/core/cryptsetup/encrypt_hook b/abs/core/cryptsetup/encrypt_hook index e84bc6e..372b7ba 100644 --- a/abs/core/cryptsetup/encrypt_hook +++ b/abs/core/cryptsetup/encrypt_hook @@ -1,131 +1,138 @@ -# vim: set ft=sh: -# TODO this one needs some work to work with lots of different -# encryption schemes -run_hook () -{ - /sbin/modprobe -a -q dm-crypt >/dev/null 2>&1 - if [ -e "/sys/class/misc/device-mapper" ]; then - if [ ! -e "/dev/mapper/control" ]; then - /bin/mknod "/dev/mapper/control" c $(cat /sys/class/misc/device-mapper/dev | sed 's|:| |') - fi - [ "${quiet}" = "y" ] && CSQUIET=">/dev/null" +#!/usr/bin/ash - # Get keyfile if specified - ckeyfile="/crypto_keyfile.bin" - if [ "x${cryptkey}" != "x" ]; then - ckdev="$(echo "${cryptkey}" | cut -d: -f1)" - ckarg1="$(echo "${cryptkey}" | cut -d: -f2)" - ckarg2="$(echo "${cryptkey}" | cut -d: -f3)" - if poll_device "${ckdev}" ${rootdelay}; then - case ${ckarg1} in - *[!0-9]*) - # Use a file on the device - # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path - mkdir /ckey - mount -r -t ${ckarg1} ${ckdev} /ckey - dd if=/ckey/${ckarg2} of=${ckeyfile} >/dev/null 2>&1 - umount /ckey - ;; - *) - # Read raw data from the block device - # ckarg1 is numeric: ckarg1=offset, ckarg2=length - dd if=${ckdev} of=${ckeyfile} bs=1 skip=${ckarg1} count=${ckarg2} >/dev/null 2>&1 - ;; - esac - fi - [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase." - fi +run_hook() { + modprobe -a -q dm-crypt >/dev/null 2>&1 + [ "${quiet}" = "y" ] && CSQUIET=">/dev/null" - if [ -n "${cryptdevice}" ]; then - DEPRECATED_CRYPT=0 - cryptdev="$(echo "${cryptdevice}" | cut -d: -f1)" - cryptname="$(echo "${cryptdevice}" | cut -d: -f2)" - else - DEPRECATED_CRYPT=1 - cryptdev="${root}" - cryptname="root" + # Get keyfile if specified + ckeyfile="/crypto_keyfile.bin" + if [ -n "$cryptkey" ]; then + IFS=: read ckdev ckarg1 ckarg2 </dev/null 2>&1 + umount /ckey + ;; + *) + # Read raw data from the block device + # ckarg1 is numeric: ckarg1=offset, ckarg2=length + dd if="$resolved" of="$ckeyfile" bs=1 skip="$ckarg1" count="$ckarg2" >/dev/null 2>&1 + ;; + esac fi + [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase." + fi - warn_deprecated() { - echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated" - echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead." - } + if [ -n "${cryptdevice}" ]; then + DEPRECATED_CRYPT=0 + IFS=: read cryptdev cryptname cryptoptions </dev/null 2>&1; then - [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated - dopassphrase=1 - # If keyfile exists, try to use that - if [ -f ${ckeyfile} ]; then - if eval /sbin/cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; then - dopassphrase=0 - else - echo "Invalid keyfile. Reverting to passphrase." - fi - fi - # Ask for a passphrase - if [ ${dopassphrase} -gt 0 ]; then - echo "" - echo "A password is required to access the ${cryptname} volume:" + warn_deprecated() { + echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated" + echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead." + } - #loop until we get a real password - while ! eval /sbin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; do - sleep 2; - done - fi - if [ -e "/dev/mapper/${cryptname}" ]; then - if [ ${DEPRECATED_CRYPT} -eq 1 ]; then - export root="/dev/mapper/root" - fi - else - err "Password succeeded, but ${cryptname} creation failed, aborting..." - exit 1 - fi - elif [ -n "${crypto}" ]; then - [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated - msg "Non-LUKS encrypted device found..." - if [ $# -ne 5 ]; then - err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip" - err "Non-LUKS decryption not attempted..." - return 1 - fi - exe="/sbin/cryptsetup create ${cryptname} ${cryptdev}" - tmp=$(echo "${crypto}" | cut -d: -f1) - [ -n "${tmp}" ] && exe="${exe} --hash \"${tmp}\"" - tmp=$(echo "${crypto}" | cut -d: -f2) - [ -n "${tmp}" ] && exe="${exe} --cipher \"${tmp}\"" - tmp=$(echo "${crypto}" | cut -d: -f3) - [ -n "${tmp}" ] && exe="${exe} --key-size \"${tmp}\"" - tmp=$(echo "${crypto}" | cut -d: -f4) - [ -n "${tmp}" ] && exe="${exe} --offset \"${tmp}\"" - tmp=$(echo "${crypto}" | cut -d: -f5) - [ -n "${tmp}" ] && exe="${exe} --skip \"${tmp}\"" - if [ -f ${ckeyfile} ]; then - exe="${exe} --key-file ${ckeyfile}" + for cryptopt in ${cryptoptions//,/ }; do + case ${cryptopt} in + allow-discards) + echo "Enabling TRIM/discard support." + cryptargs="${cryptargs} --allow-discards" + ;; + *) + echo "Encryption option '${cryptopt}' not known, ignoring." >&2 + ;; + esac + done + + if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then + if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then + [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated + dopassphrase=1 + # If keyfile exists, try to use that + if [ -f ${ckeyfile} ]; then + if eval cryptsetup --key-file ${ckeyfile} luksOpen ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; then + dopassphrase=0 else - exe="${exe} --verify-passphrase" - echo "" - echo "A password is required to access the ${cryptname} volume:" + echo "Invalid keyfile. Reverting to passphrase." fi - eval "${exe} ${CSQUIET}" + fi + # Ask for a passphrase + if [ ${dopassphrase} -gt 0 ]; then + echo "" + echo "A password is required to access the ${cryptname} volume:" - if [ $? -ne 0 ]; then - err "Non-LUKS device decryption failed. verify format: " - err " crypto=hash:cipher:keysize:offset:skip" - exit 1 + #loop until we get a real password + while ! eval cryptsetup luksOpen ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do + sleep 2; + done + fi + if [ -e "/dev/mapper/${cryptname}" ]; then + if [ ${DEPRECATED_CRYPT} -eq 1 ]; then + export root="/dev/mapper/root" fi - if [ -e "/dev/mapper/${cryptname}" ]; then - if [ ${DEPRECATED_CRYPT} -eq 1 ]; then - export root="/dev/mapper/root" - fi - else - err "Password succeeded, but ${cryptname} creation failed, aborting..." - exit 1 + else + err "Password succeeded, but ${cryptname} creation failed, aborting..." + exit 1 + fi + elif [ -n "${crypto}" ]; then + [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated + msg "Non-LUKS encrypted device found..." + if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then + err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip" + err "Non-LUKS decryption not attempted..." + return 1 + fi + exe="cryptsetup create $cryptname $resolved $cryptargs" + IFS=: read c_hash c_cipher c_keysize c_offset c_skip <