From a5721a07196cf00c26ea1bfb651aab756d202ccb Mon Sep 17 00:00:00 2001
From: root <root@rshg054.dnsready.net>
Date: Sat, 26 May 2012 00:02:35 +0000
Subject: Sat May 26 00:02:35 UTC 2012

---
 core/cryptsetup/PKGBUILD        |  17 +--
 core/cryptsetup/encrypt_hook    | 249 +++++++++++++++++++---------------------
 core/cryptsetup/encrypt_install |  37 ++++--
 3 files changed, 153 insertions(+), 150 deletions(-)

(limited to 'core/cryptsetup')

diff --git a/core/cryptsetup/PKGBUILD b/core/cryptsetup/PKGBUILD
index 3e9f8bc8a..fedc9ea92 100644
--- a/core/cryptsetup/PKGBUILD
+++ b/core/cryptsetup/PKGBUILD
@@ -1,8 +1,8 @@
-# $Id: PKGBUILD 157320 2012-04-26 22:51:21Z eric $
+# $Id: PKGBUILD 159428 2012-05-24 08:14:23Z thomas $
 # Maintainer: Thomas Bächler <thomas@archlinux.org>
 pkgname=cryptsetup
-pkgver=1.4.1
-pkgrel=3
+pkgver=1.4.2
+pkgrel=1
 pkgdesc="Userspace setup tool for transparent encryption of block devices using dm-crypt"
 arch=(i686 x86_64)
 license=('GPL')
@@ -15,13 +15,14 @@ source=(http://cryptsetup.googlecode.com/files/${pkgname}-${pkgver}.tar.bz2
         http://cryptsetup.googlecode.com/files/${pkgname}-${pkgver}.tar.bz2.asc
         encrypt_hook
         encrypt_install)
-sha256sums=('82b143328c2b427ef2b89fb76c701d311c95b54093c21bbf22342f7b393bddcb'
-            '71c6506d4b6d0b22b9b6c2a68e604959e4c072af04680ed6acc0126c97bdbc88'
-            '811bbea1337106ad811731c746d73ee81039bad00aef52398e3a377ad0766757'
-            'ddbbdcb8eff93a3a7622ec633e90d5c0d68e3afbeaf942dc2309adab345047d4')
+sha256sums=('1fe80d7b19d24b3f65d2e446decfed859e2c4d17fdf7c19289d82dc7cd60dfe7'
+            '4e6dbece8d1baad861479aca70d0cf30887420da9b5eab45d65d064c656893ed'
+            'e4c00e2da274bf4cab3f72a0de779790a11a946d36b83144e74d3791e230b262'
+            'cba1dc38ff6cc4d3740d0badfb2b151bb03d19e8e9fa497569ac2fb6f4196e0e')
+
 build() {
   cd "${srcdir}"/$pkgname-${pkgver}
-  ./configure --prefix=/usr --disable-static --sbindir=/sbin
+  ./configure --prefix=/usr --disable-static
   make
 }
 
diff --git a/core/cryptsetup/encrypt_hook b/core/cryptsetup/encrypt_hook
index 956b18023..0f35782c6 100644
--- a/core/cryptsetup/encrypt_hook
+++ b/core/cryptsetup/encrypt_hook
@@ -1,148 +1,137 @@
-# vim: set ft=sh:
-# TODO this one needs some work to work with lots of different
-#       encryption schemes
-run_hook ()
-{
-    /sbin/modprobe -a -q dm-crypt >/dev/null 2>&1
-    if [ -e "/sys/class/misc/device-mapper" ]; then
-        if [ ! -e "/dev/mapper/control" ]; then
-            mkdir /dev/mapper
-            mknod "/dev/mapper/control" c $(cat /sys/class/misc/device-mapper/dev | sed 's|:| |')
-        fi
-        [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
-
-        # Get keyfile if specified
-        ckeyfile="/crypto_keyfile.bin"
-        if [ "x${cryptkey}" != "x" ]; then
-            ckdev="$(echo "${cryptkey}" | cut -d: -f1)"
-            ckarg1="$(echo "${cryptkey}" | cut -d: -f2)"
-            ckarg2="$(echo "${cryptkey}" | cut -d: -f3)"
-            if poll_device "${ckdev}" ${rootdelay}; then
-                case ${ckarg1} in
-                    *[!0-9]*)
-                        # Use a file on the device
-                        # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
-                        mkdir /ckey
-                        mount -r -t ${ckarg1} ${ckdev} /ckey
-                        dd if=/ckey/${ckarg2} of=${ckeyfile} >/dev/null 2>&1
-                        umount /ckey
-                        ;;
-                    *)
-                        # Read raw data from the block device
-                        # ckarg1 is numeric: ckarg1=offset, ckarg2=length
-                        dd if=${ckdev} of=${ckeyfile} bs=1 skip=${ckarg1} count=${ckarg2} >/dev/null 2>&1
-                        ;;
-                esac
-            fi
-            [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
-        fi
+#!/usr/bin/ash
 
-        if [ -n "${cryptdevice}" ]; then
-            DEPRECATED_CRYPT=0
-            cryptdev="$(echo "${cryptdevice}" | cut -d: -f1)"
-            cryptname="$(echo "${cryptdevice}" | cut -d: -f2)"
-            cryptoptions="$(echo "${cryptdevice}" | cut -d: -f3)"
-        else
-            DEPRECATED_CRYPT=1
-            cryptdev="${root}"
-            cryptname="root"
-        fi
+run_hook() {
+    modprobe -a -q dm-crypt >/dev/null 2>&1
+    [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
 
-        warn_deprecated() {
-            echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
-            echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
-        }
-
-        OLDIFS="${IFS}"
-        IFS=","
-        for cryptopt in ${cryptoptions}; do
-            case ${cryptopt} in
-                allow-discards)
-                    echo "Enabling TRIM/discard support."
-                    cryptargs="${cryptargs} --allow-discards"
+    # Get keyfile if specified
+    ckeyfile="/crypto_keyfile.bin"
+    if [ -n "$cryptkey" ]; then
+        IFS=: read ckdev ckarg1 ckarg2 <<EOF
+$cryptkey
+EOF
+        if poll_device "${ckdev}" ${rootdelay}; then
+            case ${ckarg1} in
+                *[!0-9]*)
+                    # Use a file on the device
+                    # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
+                    mkdir /ckey
+                    mount -r -t "$ckarg1" "$ckdev" /ckey
+                    dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1
+                    umount /ckey
                     ;;
                 *)
-                    echo "Encryption option '${cryptopt}' not known, ignoring." >&2
+                    # Read raw data from the block device
+                    # ckarg1 is numeric: ckarg1=offset, ckarg2=length
+                    dd if="$ckdev" of="$ckeyfile" bs=1 skip="$ckarg1" count="$ckarg2" >/dev/null 2>&1
                     ;;
             esac
-        done
-        IFS="${OLDIFS}"
+        fi
+        [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
+    fi
 
-        if  poll_device "${cryptdev}" ${rootdelay}; then
-            if /sbin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then
-                [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
-                dopassphrase=1
-                # If keyfile exists, try to use that
-                if [ -f ${ckeyfile} ]; then
-                    if eval /sbin/cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${cryptargs} ${CSQUIET}; then
-                        dopassphrase=0
-                    else
-                        echo "Invalid keyfile. Reverting to passphrase."
-                    fi
-                fi
-                # Ask for a passphrase
-                if [ ${dopassphrase} -gt 0 ]; then
-                    echo ""
-                    echo "A password is required to access the ${cryptname} volume:"
+    if [ -n "${cryptdevice}" ]; then
+        DEPRECATED_CRYPT=0
+        IFS=: read cryptdev cryptname cryptoptions <<EOF
+$cryptdevice
+EOF
+    else
+        DEPRECATED_CRYPT=1
+        cryptdev="${root}"
+        cryptname="root"
+    fi
 
-                    #loop until we get a real password
-                    while ! eval /sbin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${cryptargs} ${CSQUIET}; do
-                        sleep 2;
-                    done
-                fi
-                if [ -e "/dev/mapper/${cryptname}" ]; then
-                    if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
-                        export root="/dev/mapper/root"
-                    fi
-                else
-                    err "Password succeeded, but ${cryptname} creation failed, aborting..."
-                    exit 1
-                fi
-            elif [ -n "${crypto}" ]; then
-                [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
-                msg "Non-LUKS encrypted device found..."
-                if [ $# -ne 5 ]; then
-                    err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
-                    err "Non-LUKS decryption not attempted..."
-                    return 1
-                fi
-                exe="/sbin/cryptsetup create ${cryptname} ${cryptdev} ${cryptargs}"
-                tmp=$(echo "${crypto}" | cut -d: -f1)
-                [ -n "${tmp}" ] && exe="${exe} --hash \"${tmp}\""
-                tmp=$(echo "${crypto}" | cut -d: -f2)
-                [ -n "${tmp}" ] && exe="${exe} --cipher \"${tmp}\""
-                tmp=$(echo "${crypto}" | cut -d: -f3)
-                [ -n "${tmp}" ] && exe="${exe} --key-size \"${tmp}\""
-                tmp=$(echo "${crypto}" | cut -d: -f4)
-                [ -n "${tmp}" ] && exe="${exe} --offset \"${tmp}\""
-                tmp=$(echo "${crypto}" | cut -d: -f5)
-                [ -n "${tmp}" ] && exe="${exe} --skip \"${tmp}\""
-                if [ -f ${ckeyfile} ]; then
-                    exe="${exe} --key-file ${ckeyfile}"
+    warn_deprecated() {
+        echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
+        echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
+    }
+
+    for cryptopt in ${cryptoptions//,/ }; do
+        case ${cryptopt} in
+            allow-discards)
+                echo "Enabling TRIM/discard support."
+                cryptargs="${cryptargs} --allow-discards"
+                ;;
+            *)
+                echo "Encryption option '${cryptopt}' not known, ignoring." >&2
+                ;;
+        esac
+    done
+
+    if  poll_device "${cryptdev}" ${rootdelay}; then
+        if cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then
+            [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
+            dopassphrase=1
+            # If keyfile exists, try to use that
+            if [ -f ${ckeyfile} ]; then
+                if eval cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${cryptargs} ${CSQUIET}; then
+                    dopassphrase=0
                 else
-                    exe="${exe} --verify-passphrase"
-                    echo ""
-                    echo "A password is required to access the ${cryptname} volume:"
+                    echo "Invalid keyfile. Reverting to passphrase."
                 fi
-                eval "${exe} ${CSQUIET}"
+            fi
+            # Ask for a passphrase
+            if [ ${dopassphrase} -gt 0 ]; then
+                echo ""
+                echo "A password is required to access the ${cryptname} volume:"
 
-                if [ $? -ne 0 ]; then
-                    err "Non-LUKS device decryption failed. verify format: "
-                    err "      crypto=hash:cipher:keysize:offset:skip"
-                    exit 1
+                #loop until we get a real password
+                while ! eval cryptsetup luksOpen ${cryptdev} ${cryptname} ${cryptargs} ${CSQUIET}; do
+                    sleep 2;
+                done
+            fi
+            if [ -e "/dev/mapper/${cryptname}" ]; then
+                if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
+                    export root="/dev/mapper/root"
                 fi
-                if [ -e "/dev/mapper/${cryptname}" ]; then
-                    if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
-                        export root="/dev/mapper/root"
-                    fi
-                else
-                    err "Password succeeded, but ${cryptname} creation failed, aborting..."
-                    exit 1
+            else
+                err "Password succeeded, but ${cryptname} creation failed, aborting..."
+                exit 1
+            fi
+        elif [ -n "${crypto}" ]; then
+            [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
+            msg "Non-LUKS encrypted device found..."
+            if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then
+                err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
+                err "Non-LUKS decryption not attempted..."
+                return 1
+            fi
+            exe="cryptsetup create $cryptname $cryptdev $cryptargs"
+            IFS=: read c_hash c_cipher c_keysize c_offset c_skip <<EOF
+$crypto
+EOF
+            [ -n "$c_hash" ]    && exe="$exe --hash '$c_hash'"
+            [ -n "$c_cipher" ]  && exe="$exe --cipher '$c_cipher'"
+            [ -n "$c_keysize" ] && exe="$exe --key-size '$c_keysize'"
+            [ -n "$c_offset" ]  && exe="$exe --offset '$c_offset'"
+            [ -n "$c_skip" ]    && exe="$exe --skip '$c_skip'"
+            if [ -f "$ckeyfile" ]; then
+                exe="$exe --key-file $ckeyfile"
+            else
+                exe="$exe --verify-passphrase"
+                echo ""
+                echo "A password is required to access the ${cryptname} volume:"
+            fi
+            eval "$exe $CSQUIET"
+
+            if [ $? -ne 0 ]; then
+                err "Non-LUKS device decryption failed. verify format: "
+                err "      crypto=hash:cipher:keysize:offset:skip"
+                exit 1
+            fi
+            if [ -e "/dev/mapper/${cryptname}" ]; then
+                if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
+                    export root="/dev/mapper/root"
                 fi
             else
-                err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
+                err "Password succeeded, but ${cryptname} creation failed, aborting..."
+                exit 1
             fi
+        else
+            err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
         fi
-        rm -f ${ckeyfile}
     fi
+    rm -f ${ckeyfile}
 }
+
+# vim: set ft=sh ts=4 sw=4 et:
diff --git a/core/cryptsetup/encrypt_install b/core/cryptsetup/encrypt_install
index 9ed50e863..79d2f3e4b 100644
--- a/core/cryptsetup/encrypt_install
+++ b/core/cryptsetup/encrypt_install
@@ -1,26 +1,39 @@
-# vim: set ft=sh:
+#!/bin/bash
 
-build()
-{
+build() {
     if [ -z "${CRYPTO_MODULES}" ]; then
-        MODULES=" dm-crypt $(all_modules "/crypto/") "
+        MODULES=" dm-crypt $(all_modules "/crypto/")"
     else
-        MODULES=" dm-crypt ${CRYPTO_MODULES} "
+        MODULES=" dm-crypt $CRYPTO_MODULES"
     fi
     FILES=""
     SCRIPT="encrypt"
-    [ -f "/sbin/cryptsetup" ] && add_binary "/sbin/cryptsetup" "/sbin/cryptsetup"
-    [ -f "/usr/sbin/cryptsetup" ] && add_binary "/usr/sbin/cryptsetup" "/sbin/cryptsetup"
-    add_binary "/sbin/dmsetup"
+
+    add_binary "cryptsetup"
+    add_binary "dmsetup"
     add_file "/usr/lib/udev/rules.d/10-dm.rules"
     add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
     add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
     add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
 }
 
-help ()
-{
-cat<<HELPEOF
-  This hook allows for an encrypted root device.
+help() {
+  cat <<HELPEOF
+This hook allows for an encrypted root device. Users should specify the device
+to be unlocked using 'cryptdevice=device:dmname' on the kernel command line,
+where 'device' is the path to the raw device, and 'dmname' is the name given to
+the device after unlocking, and will be available as /dev/mapper/dmname.
+
+For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on
+the kernel cmdline, where 'device' represents the raw block device where the key
+exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is
+the absolute path of the keyfile within the device.
+
+Without specifying a keyfile, you will be prompted for the password at runtime.
+This means you must have a keyboard available to input it, and you may need
+the keymap hook as well to ensure that the keyboard is using the layout you
+expect.
 HELPEOF
 }
+
+# vim: set ft=sh ts=4 sw=4 et:
-- 
cgit v1.2.3