X-Original-To: alpine-aports@mail.alpinelinux.org Delivered-To: alpine-aports@mail.alpinelinux.org Received: from mail.alpinelinux.org (dallas-a1.alpinelinux.org [127.0.0.1]) by mail.alpinelinux.org (Postfix) with ESMTP id 6EE6CDC07A1 for ; Thu, 7 Jan 2016 19:02:13 +0000 (UTC) Received: from lithium.8pit.net (lithium.8pit.net [81.4.121.103]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.alpinelinux.org (Postfix) with ESMTPS id DDEF5DC0522; Thu, 7 Jan 2016 19:02:11 +0000 (UTC) Received: from localhost (ip5f5ac9df.dynamic.kabel-deutschland.de [95.90.201.223]) by lithium.8pit.net (OpenSMTPD) with ESMTPSA id 1e778d12 TLS version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO; Thu, 7 Jan 2016 20:02:10 +0100 (CET) From: =?UTF-8?q?S=C3=B6ren=20Tempel?= To: alpine-aports@lists.alpinelinux.org Subject: [alpine-aports] [PATCH v2] main/cryptsetup: use newest dmcrypt service version from gentoo Date: Thu, 7 Jan 2016 20:02:07 +0100 Message-Id: <1452193327-6868-1-git-send-email-soeren+git@soeren-tempel.net> X-Mailer: git-send-email 2.7.0 In-Reply-To: <1452192090-2733-1-git-send-email-soeren+git@soeren-tempel.net> References: <1452192090-2733-1-git-send-email-soeren+git@soeren-tempel.net> X-Virus-Scanned: ClamAV using ClamSMTP X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: The findfs change has been reapplied. --- main/cryptsetup/APKBUILD | 8 +-- main/cryptsetup/dmcrypt.confd | 23 ++++++-- main/cryptsetup/dmcrypt.initd | 132 +++++++++++++++++++----------------------- 3 files changed, 83 insertions(+), 80 deletions(-) diff --git a/main/cryptsetup/APKBUILD b/main/cryptsetup/APKBUILD index 676ce67..7ee5099 100644 --- a/main/cryptsetup/APKBUILD +++ b/main/cryptsetup/APKBUILD 
@@ -1,7 +1,7 @@ # Maintainer: Natanael Copa pkgname=cryptsetup pkgver=1.7.0 -pkgrel=0 +pkgrel=1 pkgdesc="Userspace setup tool for transparent encryption of block devices using the Linux 2.6 cryptoapi" url="https://gitlab.com/cryptsetup/cryptsetup" arch="all" @@ -61,12 +61,12 @@ libs() { md5sums="ca3fd784f3232136dcd711a31cb0193e cryptsetup-1.7.0.tar.gz 7d5c8727ea417cabe86df67a9de1de16 flush-stdout.patch 1369aeaed84e41c8d585695596a24bd6 dmcrypt.confd -a9a478ee9b5612379326cd96354779b4 dmcrypt.initd" +058807d0516dec293d382ee27cc89fb8 dmcrypt.initd" sha256sums="f1d1f010442e9b3ca26ba917be475bf2adbe28452cb30bf8047a9978cc52adcd cryptsetup-1.7.0.tar.gz 6ac335bb14ff2f90de00769be20da4c5527101fab6593259a4d87be84904ae67 flush-stdout.patch 0c30e081c0b8f879964ae49735f10b05a1d92f4f481042851958860945e13271 dmcrypt.confd -477107555f0bedd662ae8181428de5428122b64139d3033ec7b5c1c801238665 dmcrypt.initd" +a7a930cf14161a18c2ac6c3e7d4b2cf4ed03d9fcd77c89e7a6f6c60bad4bede8 dmcrypt.initd" sha512sums="f3947ae04424dff479cc2932eb9ef99e33d8d1bf0f47255379940bdd47ddb42224d86dc397ed4b01ac8819faedd8265acc7d61f5fd091e56f3e8836c5b2b7740 cryptsetup-1.7.0.tar.gz 301e3e3da5a899e0a6f01f44fbf37bb6a3f5b6a4fb41243bae6d3b7aea747276e784626cd1b19721cc264652c10ae8c560c4d20094e33bb82fb2fae0160682c0 flush-stdout.patch d04ae17d3708ef20ade7afb223d4ef19e1b6812e0be8f9499e37e9c71344568b42030d9dd8f6918a9bfb211a3a94b40a9354e3b32a009cb165e84508d0a5e14b dmcrypt.confd -0f8ca37330dfe4584026277542db63eb31b3fe8060096e840be3b75ba8fb1e8bddff3212c0324dc15cf59a804b74f92f538fbedc8ec876c9c9ece4ab37f00bb0 dmcrypt.initd" +81dad61cdecf1dc529b26eb3cdc15979a582c876b01268f88e7a71c8fae6911137c03bfa63fee64e064e5fb31f673610be27ecab9fc432229f13e7040698bd5c dmcrypt.initd" diff --git a/main/cryptsetup/dmcrypt.confd b/main/cryptsetup/dmcrypt.confd index 35a1fd2..642ff08 100644 --- a/main/cryptsetup/dmcrypt.confd +++ b/main/cryptsetup/dmcrypt.confd 
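Review bot: The three checksum entries for dmcrypt.confd (`1369aeaed84e41c8d585695596a24bd6 dmcrypt.confd` and the matching sha256sums/sha512sums lines) are left untouched as context, yet this same patch modifies main/cryptsetup/dmcrypt.confd, so the sums no longer match the file and source verification will reject the build. Only the dmcrypt.initd digests were regenerated. Re-run `abuild checksum` after the confd edit so that all three digest lists are refreshed in the same commit.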
@@ -26,19 +26,30 @@ # Global options: #---------------- -# Max number of checks to perform (1 per second) -#dmcrypt_max_timeout=120 +# How long to wait for each timeout (in seconds). +dmcrypt_key_timeout=1 + +# Max number of checks to perform (see dmcrypt_key_timeout). +#dmcrypt_max_timeout=300 + +# Number of password retries. +dmcrypt_retries=5 # Arguments: #----------- # target= == Mapping name for partition. # swap= == Mapping name for swap partition. # source='' == Real device for partition. +# Note: You can (and should) specify a tag like UUID +# for blkid (see -t option). This is safer than using +# the full path to the device. # key='[:]' == Fullpath from / or from inside removable media. # remdev='' == Device that will be assigned to removable media. # gpg_options='' == Default are --quiet --decrypt # options='' == cryptsetup, for LUKS you can only use --readonly # loop_file='' == Loopback file. +# Note: If you omit $source, then a free loopback will +# be looked up automatically. # pre_mount='cmds' == commands to execute before mounting partition. # post_mount='cmds' == commands to execute after mounting partition. #----------- @@ -79,13 +90,13 @@ #key='/full/path/to/homekey' #remdev='/dev/sda1' -##/home with gpg protected key on removable media(such as usb-stick) +## /home with gpg protected key on removable media(such as usb-stick) #target=crypt-home #source='/dev/hda5' #key='/full/path/to/homekey:gpg' #remdev='/dev/sda1' -##/tmp with regular keyfile +## /tmp with regular keyfile #target=crypt-tmp #source='/dev/hda6' #key='/full/path/to/tmpkey' @@ -93,6 +104,8 @@ #post_mount='chown root:root ${mount_point}; chmod 1777 ${mount_point}' ## Loopback file example -#mount='crypt-loop-home' +#target='crypt-loop-home' #source='/dev/loop0' #loop_file='/mnt/crypt/home' + +# The file must be terminated by a newline. Or leave this comment last. diff --git a/main/cryptsetup/dmcrypt.initd b/main/cryptsetup/dmcrypt.initd index 900c94c..340b579 100644 
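Review bot: The new comment `# How long to wait for each timeout (in seconds).` does not say what is being waited for, and `# Max number of checks to perform (see dmcrypt_key_timeout).` no longer matches how the init script uses the value: dmcrypt_max_timeout bounds the removable-media poll loop but is also passed as the seconds argument to `timeout` around gpg. Suggest `# Seconds to wait at each "Abort" prompt while polling for a removable key device.` for the first and `# Max number of removable-media checks; also the time limit in seconds for gpg key decryption.` for the second. It may also be worth saying why dmcrypt_key_timeout and dmcrypt_retries are set unconditionally here while dmcrypt_max_timeout stays commented out, given that the init script applies the same defaults for all three.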
--- a/main/cryptsetup/dmcrypt.initd +++ b/main/cryptsetup/dmcrypt.initd @@ -1,16 +1,16 @@ #!/sbin/openrc-run -# Copyright 1999-2013 Gentoo Foundation +# Copyright 1999-2015 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-fs/cryptsetup/files/1.5.1-dmcrypt.rc,v 1.1 2013/01/17 23:35:08 robbat2 Exp $ depend() { before checkfs fsck + + if grep -qs ^swap= "${conf_file}" ; then + before swap + fi } # We support multiple dmcrypt instances based on $SVCNAME -execute_hook="dm_crypt_execute_dmcrypt" -# XXX: Should we drop this ? -# execute_hook="dm_crypt_execute_localmount" conf_file="/etc/conf.d/${SVCNAME}" # Get splash helpers if available. @@ -20,9 +20,32 @@ fi # Setup mappings for an individual target/swap # Note: This relies on variables localized in the main body below. -dm_crypt_execute_dmcrypt() { +dm_crypt_execute() { local dev ret mode foo + if [ -z "${target}" -a -z "${swap}" ] ; then + return + fi + + # Set up default values. + : ${dmcrypt_key_timeout:=1} + : ${dmcrypt_max_timeout:=300} + : ${dmcrypt_retries:=5} + + # Handle automatic look up of the source path. + if [ -z "${source}" -a -n "${loop_file}" ] ; then + source=$(losetup --show -f "${loop_file}") + fi + case ${source} in + *=*) + source="$(findfs ${source})" + ;; + esac + if [ -z "${source}" ] || [ ! -e "${source}" ] ; then + ewarn "source \"${source}\" for ${target} missing, skipping..." + return + fi + if [ -n "${target}" ] ; then # let user set options, otherwise leave empty : ${options:=' '} 
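Review bot: `source="$(findfs ${source})"` expands the tag unquoted, so a `LABEL=` value containing a space is split into several findfs arguments before the lookup; quote it as `source="$(findfs "${source}")"`. The skip message a few lines later reads `for ${target}`, which is empty for swap= entries, so `for ${target:-${swap}}` would name the right entry. In the depend() hunk above, `${conf_file}` is read before the line that assigns it in file order; that presumably works only because openrc calls depend() after sourcing the whole script, which deserves a one-line comment at that grep.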
@@ -36,15 +59,6 @@ dm_crypt_execute_dmcrypt() { # suspend2 users should have initramfs's init handling their swap partition either way. : ${options:='-c aes -h sha1 -d /dev/urandom'} : ${pre_mount:='mkswap ${dev}'} - else - return - fi - if [ "x${source#UUID}" != "x${source}" ]; then - source="$(findfs ${source})" - fi - if [ -z "${source}" ] && [ ! -e "${source}" ] ; then - ewarn "source \"${source}\" for ${target} missing, skipping..." - return fi if [ -n "${loop_file}" ] ; then @@ -54,11 +68,14 @@ dm_crypt_execute_dmcrypt() { fi # cryptsetup: - # luksOpen # is $source - # create # is $target - local arg1="create" arg2="${target}" arg3="${source}" luks=0 - - cryptsetup isLuks ${source} 2>/dev/null && { arg1="luksOpen"; arg2="${source}"; arg3="${target}"; luks=1; } + # open # is $source + # create # is $target + local arg1="create" arg2="${target}" arg3="${source}" + if cryptsetup isLuks ${source} 2>/dev/null ; then + arg1="open" + arg2="${source}" + arg3="${target}" + fi # Older versions reported: # ${target} is active: @@ -84,7 +101,7 @@ dm_crypt_execute_dmcrypt() { resettty='stty ${savetty}; trap - EXIT HUP INT TERM' trap 'eval "${resettty}"' EXIT HUP INT TERM stty -icanon - [ "${1}" = -t ] && stty min 0 time "$(( $2 * 10 ))" + stty min 0 time "$(( $2 * 10 ))" ans=$(dd count=1 bs=1 2>/dev/null) || ans='' eval "${resettty}" if [ -z "${ans}" ] ; then @@ -99,8 +116,8 @@ dm_crypt_execute_dmcrypt() { } # Notes: sed not used to avoid case where /usr partition is encrypted. - mode=${key/*:/} && ( [ "${mode}" = "${key}" ] || [ -z "${mode}" ] ) && mode=reg - key=${key/:*/} + mode=${key##*:} && ( [ "${mode}" = "${key}" ] || [ -z "${mode}" ] ) && mode=reg + key=${key%:*} case "${mode}" in gpg|reg) # handle key on removable device 
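Review bot: `stty min 0 time "$(( $2 * 10 ))"` now runs unconditionally with whatever the caller passes as the key timeout; `time` is in tenths of a second and is stored in an 8-bit terminal cc_t, so a dmcrypt_key_timeout above 25 makes stty reject the value and the following dd presumably blocks until a key is pressed. Clamping first, e.g. `[ "$2" -gt 25 ] && set -- "$1" 25`, keeps the prompt bounded. read_abort's signature is outside this hunk, so confirm that `$2` really is the timeout at that point. In the cryptsetup hunk above, the `luks` local disappeared with the `arg*` rewrite; if anything later in the function still reads `${luks}`, it is now unset.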
@@ -116,7 +133,7 @@ dm_crypt_execute_dmcrypt() { fi i=0 einfo "Please insert removable device for ${target}" - while [ ${i} -lt ${dmcrypt_max_timeout:-120} ] ; do + while [ ${i} -lt ${dmcrypt_max_timeout} ] ; do foo="" if mount -n -o ro "${remdev}" "${mntrem}" 2>/dev/null >/dev/null ; then # keyfile exists? @@ -124,7 +141,7 @@ dm_crypt_execute_dmcrypt() { umount -n "${mntrem}" rmdir "${mntrem}" einfo "Cannot find ${key} on removable media." - read_abort "Abort" ${read_timeout:--t 1} && return + read_abort "Abort" ${dmcrypt_key_timeout} && return else key="${mntrem}${key}" break @@ -158,13 +175,17 @@ dm_crypt_execute_dmcrypt() { if [ "${mode}" = "gpg" ] ; then : ${gpg_options:='-q -d'} # gpg available ? - if type -p gpg >/dev/null ; then - for i in 0 1 2 ; do + if command -v gpg >/dev/null ; then + i=0 + while [ ${i} -lt ${dmcrypt_retries} ] ; do # paranoid, don't store key in a variable, pipe it so it stays very little in ram unprotected. # save stdin stdout stderr "values" - gpg ${gpg_options} ${key} 2>/dev/null | cryptsetup ${options} ${arg1} ${arg2} ${arg3} + timeout ${dmcrypt_max_timeout} gpg ${gpg_options} ${key} 2>/dev/null | \ + cryptsetup --key-file - ${options} ${arg1} ${arg2} ${arg3} ret=$? - [ ${ret} -eq 0 ] && break + # The timeout command exits 124 when it times out. + [ ${ret} -eq 0 -o ${ret} -eq 124 ] && break + : $(( i += 1 )) done eend ${ret} "failure running cryptsetup" else 
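Review bot: `ret=$?` after the `timeout … gpg | cryptsetup …` pipeline is cryptsetup's exit status, not timeout's (no `set -o pipefail` appears in the visible parts of this script), so the `-eq 124` test on the next line never observes the timeout and an expired gpg prompt is retried like a wrong passphrase, up to dmcrypt_retries rounds of dmcrypt_max_timeout seconds each. Either drop the 124 branch and its comment, or enable pipefail for this pipeline if the interpreter used on Alpine supports it; note also that 124 is the GNU coreutils convention and the busybox timeout applet may report expiry differently. Separately, `--key-file -` is now passed for plain `create` targets as well as LUKS `open`; I believe cryptsetup treats a key file for plain mode as raw key material rather than a passphrase to hash, in which case gpg-protected plain volumes set up by the previous script would no longer map to the same key, so confirm this against the cryptsetup version in this tree before merging.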
@@ -195,49 +216,21 @@ dm_crypt_execute_dmcrypt() { else if [ -n "${pre_mount}" ] ; then dev="/dev/mapper/${target}" - ebegin " pre_mount: ${pre_mount}" + eval ebegin \"" pre_mount: ${pre_mount}"\" eval "${pre_mount}" > /dev/null ewend $? || cryptfs_status=1 fi fi } -# Run any post_mount commands for an individual mount -# -# Note: This relies on variables localized in the main body below. -dm_crypt_execute_localmount() { - local mount_point - - [ -z "${target}" ] && [ -z "${post_mount}" ] && return - - if ! cryptsetup status ${target} | egrep -q '\/dev/null - eend $? || cryptfs_status=1 - fi -} - # Lookup optional bootparams get_bootparam_val() { # We're given something like: # foo=bar=cow # Return the "bar=cow" part. case $1 in - *\=*) - local key=$(echo "$1" | cut -f1 -d=) - echo "$1" | cut -c $(( ${#key} + 2 )) + *=*) + echo "${1#*=}" ;; esac } @@ -249,16 +242,13 @@ start() { local x for x in $(cat /proc/cmdline) ; do case "${x}" in - key_timeout\=*) - local KEY_TIMEOUT=$(get_bootparam_val "${x}") - if [ ${KEY_TIMEOUT} -gt 0 ] ; then - read_timeout="-t ${KEY_TIMEOUT}" - fi - ;; + key_timeout=*) + dmcrypt_key_timeout=$(get_bootparam_val "${x}") + ;; esac done - while read -u 3 targetline ; do + while read targetline <&3 ; do case ${targetline} in # skip comments and blank lines ""|"#"*) continue ;; @@ -273,7 +263,7 @@ start() { case ${targetline} in target=*|swap=*) # If we have a target queued up, then execute it - ${execute_hook} + dm_crypt_execute # Prepare for the next target/swap by resetting variables unset gpg_options key loop_file target options pre_mount post_mount source swap remdev @@ -286,7 +276,7 @@ start() { fi ;; - dmcrypt_max_timeout=*) + dmcrypt_*=*) # ignore global options continue ;; 
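Review bot: `eval ebegin \"" pre_mount: ${pre_mount}"\"` evaluates the pre_mount string a second time purely to print it, so any command substitution in a pre_mount setting now runs twice (once for the message, once on the `eval "${pre_mount}"` line) and quoting characters in the string can break the message; printing the literal value as before, `ebegin " pre_mount: ${pre_mount}"`, avoids that. In the start() hunk, `dmcrypt_key_timeout=$(get_bootparam_val "${x}")` drops the old `-gt 0` validation even though the value later reaches `$(( $2 * 10 ))` and stty; keep it numeric and positive with `case ${dmcrypt_key_timeout} in ''|0|*[!0-9]*) dmcrypt_key_timeout=1 ;; esac`. `while read targetline <&3` should also use `read -r` so backslashes in config lines are preserved rather than interpreted.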
@@ -296,12 +286,12 @@ start() { ;; esac - # Queue this setting for the next call to dm_crypt_execute_xxx + # Queue this setting for the next call to dm_crypt_execute eval "${targetline}" done 3< ${conf_file} # If we have a target queued up, then execute it - ${execute_hook} + dm_crypt_execute ewend ${cryptfs_status} "Failed to setup dm-crypt devices" } -- 2.7.0 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---