From b2c9096cf0be6d655550ae880da8735ef048fc10 Mon Sep 17 00:00:00 2001 From: Tom Gundersen Date: Fri, 29 Jun 2012 15:26:59 +0200 Subject: Revert "cryptsetup: use systemd-cryptsetup rather than rolling our own" This reverts commit 6fe21269e5d54c52c168eac40225dca12a79c355. git failure. this was not meant to be in master. nowhere near ready for that :) --- functions | 73 +++++++++++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 55 insertions(+), 18 deletions(-) (limited to 'functions') diff --git a/functions b/functions index d8fdb34..000cd60 100644 --- a/functions +++ b/functions @@ -382,21 +382,52 @@ activate_vgs() { } do_unlock() { - local name=$1 device=$2 password=$3 options=$4 + # $1 = requested name + # $2 = source device + # $3 = password + # $4 = options + stat_append "${1}.." + local open=create a=$1 b=$2 failed=0 + # Ordering of options is different if you are using LUKS vs. not. + # Use ugly swizzling to deal with it. + # isLuks only gives an exit code but no output to stdout or stderr. + if cryptsetup isLuks "$2" 2>/dev/null; then + open=luksOpen + a=$2 + b=$1 fi case $3 in SWAP) - $password="/dev/urandom" - $options+=",swap" + local _overwriteokay=0 + if [[ -b $2 && -r $2 ]]; then + # This is DANGEROUS! If there is any known file system, + # partition table, RAID or LVM volume on the device + # we don't overwrite it. + # + # 'blkid' returns 2 if no valid signature has been found. + # Only in this case we should allow overwriting the device. + # + # This sanity check _should_ be sufficient, but it might not. + # This may cause dataloss if it is not used carefully. + blkid -p "$2" &>/dev/null + (( $? == 2 )) && _overwriteokay=1 + fi + if (( _overwriteokay == 0 )); then + false + elif cryptsetup -d /dev/urandom $4 $open "$a" "$b" >/dev/null; then + stat_append "creating swapspace.." + mkswap -f -L $1 /dev/mapper/$1 >/dev/null + fi;; ASK) - $password="none" + printf "\nOpening '$1' volume:\n" + cryptsetup $4 $open "$a" "$b" < /dev/console;; /dev*) local ckdev=${3%%:*} local cka=${3#*:} local ckb=${cka#*:} local cka=${cka%:*} - local ckfile=$(mktemp /run/initscripts-cryptsetup/key-XXXXXX) - local ckdir=/run/initscripts-cryptsetup/drive + local ckfile=/dev/ckfile + local ckdir=/dev/ckdir case ${cka} in *[!0-9]*) # Use a file on the device @@ -411,30 +442,36 @@ do_unlock() { # cka is numeric: cka=offset, ckb=length dd if=${ckdev} of=${ckfile} bs=1 skip=${cka} count=${ckb} >/dev/null 2>&1;; esac - $password="${ckfile}" + cryptsetup -d ${ckfile} $4 $open "$a" "$b" >/dev/null + dd if=/dev/urandom of=${ckfile} bs=1 count=$(stat -c %s ${ckfile}) conv=notrunc >/dev/null 2>&1 + rm ${ckfile};; /*) + cryptsetup -d "$3" $4 $open "$a" "$b" >/dev/null;; *) printf "${C_FAIL}crypttab contains a literal encryption key. This will stop working in the future.${C_OTHER}\n" - $password=$(mktemp /run/initscripts-cryptsetup/key-XXXXXX) - echo "$3" > $password + echo "$3" | cryptsetup $4 $open "$a" "$b" >/dev/null;; esac - /usr/lib/systemd/systemd-cryptsetup $name $device $password $options & + if (( $? )); then + failed=1 + stat_append "failed " + else + stat_append "ok " + fi + return $failed } read_crypttab() { # $1 = function to call with the split out line from the crypttab - local line nspo failed - mkdir -p /run/initscripts-cryptsetup + local line nspo failed=0 while read line; do [[ $line && $line != '#'* ]] || continue eval nspo=("${line%#*}") - $1 "${nspo[0]}" "${nspo[1]}" "${nspo[2]}" "${nspo[*]:3}" + if $1 "${nspo[0]}" "${nspo[1]}" "${nspo[2]}" "${nspo[*]:3}"; then + crypto_unlocked=1 + else + failed=1 + fi done < /etc/crypttab - systemd-tty-ask-password-agent --query --console - failed=$? - wait - shred /run/initsrcipts-cryptsetup/key* - rm -rf /run/initscripts-cryptsetup return $failed } -- cgit v1.2.3-54-g00ecf