commit 48e40f9652959b4a20a7e7f57667f0270c6a77e5cc90a1879162fdcf0c9a12c5 Author: OBS User unknown Date: Tue Jun 5 02:29:16 2007 +0000 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=1 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/Makefile.doc b/Makefile.doc new file mode 100644 index 0000000..cdbae23 --- /dev/null +++ b/Makefile.doc @@ -0,0 +1,3 @@ +crypttab.5: crypttab.5.txt + a2x -d manpage -f manpage crypttab.5.txt + rm -f crypttab.5.xml diff --git a/boot.crypto b/boot.crypto new file mode 100644 index 0000000..0431143 --- /dev/null +++ b/boot.crypto @@ -0,0 +1,1066 @@ +#!/bin/bash +# Copyright (C) 1996-2007 SUSE Linux Products GmbH, Nuernberg, Germany. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# +# Author: Werner Fink , 2001-2006 +# Chris Rivera 2006 +# Ludwig Nussel 2007 +# +# /etc/init.d/boot.crypto +# +### BEGIN INIT INFO +# Provides: boot.crypto +# Required-Start: boot.localfs boot.device-mapper +# Should-Start: +# Required-Stop: +# Default-Start: B +# Default-Stop: +# Description: Enable crypto file systems before leaving boot phase +# Short-Description: Enable crypto file systems before leaving boot phase +### END INIT INFO + +# Determine the base and follow a runlevel link name. +base=${0##*/} +link=${base#*[SK][0-9][0-9]} + +. /etc/rc.status + +trap "echo" SIGINT SIGSEGV +set +e + +# Redirect to real device (e.g. in case of boot logging) +: ${CRYPTOTAB:=/etc/cryptotab} +: ${CRYPTTAB:=/etc/crypttab} +: ${TIMEOUT:=120} +if test -z "$REDIRECT" ; then + if (echo -n > /dev/tty) 2>/dev/null ; then + REDIRECT=/dev/tty + else + REDIRECT=/dev/console + fi +fi + +splash="" +did_redirect="" +otty=$(stty -g) +redirect () +{ + test -z "$did_redirect" || return 0 + did_redirect=1 + if test -e /proc/splash ; then + read splash < /proc/splash + echo verbose > /proc/splash + fi + test -z "$otty" || stty "$otty" < $REDIRECT; + stty -nl -ixon ignbrk -brkint < $REDIRECT + if test -x /etc/init.d/kbd -a -n "$RUNLEVEL" ; then + /etc/init.d/kbd start + fi +} + +restore () +{ + test -n "$did_redirect" || return 0 + test -z "$otty" || stty "$otty" < $REDIRECT; + [[ "$splash" =~ silent ]] && echo silent > /proc/splash +} + +ppid=0 +prmt="" +setprompt () +{ + if test -t 1 -a "$TERM" != "raw" -a "$TERM" != "dumb" && stty size <&1 > /dev/null 2>&1 + then + ( + trap "exit 0" SIGTERM + trap "echo" SIGINT SIGSEGV + usleep 15000 + while test $timeout -gt 0 ; do + # cursor to start of line, erase line, print prompt + echo -en "\r\e[2K${prmt}" + sleep 2 + : $((timeout-=2)) + done + ) & ppid=$! + else + usleep 15000 + echo -en "\r${prmt}" + ppid=0 + fi +} + +unsetprompt () +{ + local ret=$? + test $ppid -gt 0 && kill -15 $ppid + ppid=0 + return $ret +} + +reverse () +{ + local _line + while read -r _line ; do + case "$_line" in \#*|"") continue ;; esac + reverse + echo "$_line" + break + done +} + +detachloopdev () +{ + if [ -n "$loopdev" ]; then + losetup -d $loopdev &> /dev/null || true + fi +} + +# +# Check for valid super blocks +# +check_superblock() +{ + local fs="$1" + local device="$2" + case "$fs" in + ext[23]) tune2fs -l $device &> /dev/null ;; + reiserfs) debugreiserfs $device &> /dev/null ;; + *) true ;; + esac +} + +# +# parameters: filesys device mountpoint physdev quiet +# return value: +# 0 - ok +# 1 - enter passphrase again +# 2 - skip entry +# 3 - fsck +# +paranoid_safety_checks() +{ + local filesys device mp physdev quiet choice + filesys="$1" + device="$2" + mp="$3" + physdev="$4" + quiet="$5" + + check_superblock "$filesys" "$device" + + if test $? -gt 0 || ! mount -t "$filesys" -n -o ro "$device" "$mp" &> /dev/null ; then + umount -n "$mp" &> /dev/null || true + if test -n "$quiet"; then + return 2 + fi + echo "${warn}An error occured. Maybe the wrong passphrase was" + echo "entered or the file system on $physdev is corrupted.${norm}" + while true ; do + # TODO: rephrase that + echo "${extd}Do you want to retry entering the passphrase?${norm}" + echo -n "${extd}Alternatively you may continue with a file system check.${norm}" + choice= + read -p " ([${extd}yes${norm}]/${extd}no${norm}/${extd}check${norm}/) " choice < $REDIRECT || { echo 'no'; choice='no'; } + case "$choice" in + [yY][eE][sS]|[yY]|"") + return 1 ;; + [nN][oO]|[nN]) + return 2 ;; + [Cc][hH][eE][Cc][kK]|[Cc]) + return 3 ;; + esac + done + else + umount -n "$mp" &> /dev/null || true + fi + + return 0 +} + +run_fsck() +{ + local filesys device mp physdev + filesys="$1" + device="$2" + mp="$3" + physdev="$4" + # + # Checking the structure on the loop device + # + if test -x /sbin/fsck.$filesys; then + fsck -T -a -t $filesys $device + else + true + fi + if test $? -gt 1; then + echo "${extd}fsck of $device failed. Please repair manually.${norm}" + echo "${warn}Warning: do never try to repair if you have entered the wrong passphrase.${norm}" + # run sulogin only during boot + if test "$base" != "$link"; then + PS1="(repair filesystem) # " + /sbin/sulogin -t "$timeout" $REDIRECT < $REDIRECT > $REDIRECT 2>&1 + sync + + if ! paranoid_safety_checks "$filesys" "$device" "$mp" "$physdev" 'quiet'; then + echo "${extd}$physdev still appears to be damaged, skipping${norm}" + /sbin/cryptsetup remove $name || true + detachloopdev + return 1 + fi + else + # leave the device set up so user can fun fsck manually + return 1 + fi + fi + return 0 +} + +report() +{ + rc_failed "$1" + shift + echo -n "$*" + rc_status -v +} + +start_cryptotab () +{ + local stat=0 + local haveone='' + timeout="$TIMEOUT" + + test -n "$tostart" || echo "Activating crypto devices using $CRYPTOTAB ... " + while read loopdev physdev access filesys crypto mopt info rest ; do + case "$loopdev" in + \#*|"") continue ;; + esac + + if test -n "$tostart" -a "$loopdev" != "$tostart" -a "$physdev" != "$tostart" -a "$access" != "$tostart"; then + continue + fi + + haveone=1 + + redirect + + # key length for cryptsetup + keylen= + ivgen='plain' + hashalgo='sha512' + name= + # + + # Does the user want to skip current entry? + # + doskip=0 + # + # Does the mount point exit? + # + if ! test -d $access ; then + report 5 "$physdev: $access doesn't exist" + continue + fi + if ! test -e $physdev ; then + report 5 "$physdev doesn't exist" + continue + fi + # + # Seeking for crypto modules + # + case "$crypto" in + twofish) keylen=192; ivgen='null'; hashalgo='ripemd160:20' ;; + twofishSL92) keylen=256; ivgen='null' ;; + twofish[0-9]*) keylen=${crypto#twofish}; ;; + #TODO add more algorithm or better detection + *) + report 2 "$physdev: unsupported algorithm \"$crypto\"" + continue + ;; + esac + cipher=twofish-cbc-$ivgen + + name="${loopdev#/dev/}" + name="cryptotab_${name//[^A-Za-z0-9]/_}" + + if [ -e "/dev/mapper/$name" ]; then + report 5 "$physdev: $name already mapped" + continue + fi + + while true; do # setup/check loop + # + # Restore virgin state + # + if [ -b "/dev/mapper/$name" ]; then + /sbin/cryptsetup remove $name || true + fi + detachloopdev + device="$loopdev" + + # + # Setting up loop device + # + if test -n "$info" ; then + prmt="${extd}Please enter passphrase for \"$info\" ($physdev): ${norm}" + else + prmt="${extd}Please enter passphrase for $physdev: ${norm}" + fi + + # we always use a loop device to avoid block size issues + # with e.g. cdroms for backward compatability + if ! losetup $loopdev $physdev; then + report 1 "$physdev..." + continue 2 + fi + + params="-t $timeout -c $cipher -s $keylen -h $hashalgo" + + setprompt + /sbin/cryptsetup $params create "$name" "$device" < $REDIRECT > $REDIRECT 2>&1 + stat=$? + unsetprompt + + if test "$stat" -ne 0; then + detachloopdev + report 1 "$physdev..." + continue 2 + fi + + device="/dev/mapper/$name" + + paranoid_safety_checks "$filesys" "$device" "$access" "$physdev" + stat="$?" + if test "$stat" = 1; then # retype passphrase + continue + elif test "$stat" = 2; then # skip entry + doskip=1 + fi + break + done + # + # Does the user want to skip this entry? + # + if test $doskip -gt 0 ; then + /sbin/cryptsetup remove $name || true + report 5 "$physdev..." + detachloopdev + continue + fi + + if ! run_fsck "$filesys" "$device" "$access" "$physdev"; then + report 1 "$physdev..." + continue + fi + + case "$mopt" in + default|"") mopt="" ;; + esac + + mount -t $filesys ${mopt:+-o $mopt} $device $access + stat=$? + if test $stat -gt 0 ; then + stat=1 + /sbin/cryptsetup remove $name || true + detachloopdev + fi + report $stat "$physdev..." + done < $CRYPTOTAB + + if test -z "$haveone" -a -z "$tostart"; then + rc_failed 6 + rc_status -v1 + fi +} + +hashalotcryptsetup() +{ + /sbin/hashalot ${halgo:+$halgo} -t $timeout ${pseed:+-s $pseed} ${itercountk:+-C $itercountk} | /sbin/cryptsetup "$@" +} + +start_crypttab () +{ + local stat=0 + local haveone='' + + test -n "$tostart" || echo "Activating crypto devices using $CRYPTTAB ... " + while read name physdev keyfile options dummy; do + case "$name" in + \#*|"") continue ;; + esac + + if test -n "$tostart" -a "$name" != "$tostart" -a "$physdev" != "$tostart"; then + continue + fi + + haveone=1 + redirect + + # skip mapped entries + if test -e /dev/mapper/$name; then + report 5 "$physdev: $name already mapped" + continue + fi + + test "$keyfile" = "none" && keyfile="" + test "$options" = "none" && options="" + + # make sure the keyfile exists + if test -n "$keyfile" -a ! -e "$keyfile"; then + report 5 "$physdev: $keyfile does not exist" + continue + fi + if ! test -e $physdev ; then + report 5 "$physdev doesn't exist" + continue + fi + + # parse the options field + skip="" + params="" + makeswap="" + maketmp="" + noauto="" + luks="" + check="" + checkargs="" + loopdev="" + param_ro="" + cipher="" + keysize="" + halgo="" + timeout="" + tries="" + pseed="" + itercountk="" + while test -n "$options"; do + arg=${options%%,*} + options=${options##$arg} + options=${options##,} + param=${arg%%=*} + value=${arg##$param=} + + case "$param" in + cipher) + if test -z "$value" ; then + echo $"$dst: no value for cipher option, skipping" + skip="yes" + fi + cipher="$value" + ;; + size) + if test -z "$value" ; then + echo $"$dst: no value for size option, skipping" + skip="yes" + fi + keysize="$value" + ;; + hash) + if test -z "$value" ; then + echo $"$dst: no value for hash option, skipping" + skip="yes" + fi + halgo="$value" + ;; + verify) params="$params -y" ;; + swap) makeswap="yes" ;; + tmp) maketmp="yes" ;; + noauto) noauto="yes" ;; + luks) luks="yes" ;; + loop) loopdev="yes" ;; + readonly) param_ro="-r" ;; + timeout) + case "$value" in + [0-9]*) timeout="$value";; + *) echo "invalid timeout '$value' ignored" ;; + esac + ;; + tries) + if test -n "$value" ; then + params="$params --tries=$tries" + fi + ;; + check) + if test -n "$value" -a -x /lib/cryptsetup/checks/"$value" ; then + check="/lib/cryptsetup/checks/$value" + else + check="/lib/cryptsetup/checks/vol_id" + fi + ;; + checkargs) + if test -n "$value" ; then + checkargs="$value" + fi + ;; + pseed) pseed="$value" ;; + itercountk) itercountk="$value" ;; + precheck|loud|ssl|gpg|keyscript|*) + echo "unsupported crypttab option: '$param'" + skip='yes' + ;; + esac + done + + if test -n "$luks"; then + if test -n "$cipher" -o -n "$halgo" -o -n "$keysize" -o -n "$pseed" -o -n "$itercountk"; then + echo "cipher, hash, size, pseed and itercountk options are ignored for LUKS" + fi + fi + if test -n "$keyfile"; then + if test -n "$halgo" -o -n "$pseed" -o -n "$itercountk"; then + report 2 "${ext}hash, pseed and itercountk options are invalid when using a key file${norm}" + continue + fi + fi + + if test "$skip" = "yes" -o \( "$noauto" = "yes" -a -z "$tostart" \); then + report 5 "$physdev" + continue + fi + + if test -n "$param_ro"; then + params="$params $param_ro" + fi + + # we always want a timeout to prevent accidential hanging boot + if test -z "$timeout"; then + timeout="$TIMEOUT" + fi + params="$params --timeout=$timeout" + + device="$physdev" + # if device is a regular file then it's an image + if test -n "$loopdev" -o -f $device; then + loopdev='' + for i in 0 1 2 3 4 5 6 7; do + if ! test -b "/dev/loop$i"; then + continue + fi + + unset loopsize + read loopsize < /sys/block/loop$i/size + if test $? -eq 0 -a "$loopsize" = '0' && /sbin/losetup $param_ro "/dev/loop$i" $device; then + device="/dev/loop$i" + loopdev="$device" + break + fi + done + + if test -z "$loopdev"; then + report 1 "$physdev: failed to find a usable loop device" + continue + fi + fi + + doskip=0 + + while true; do # setup/check loop + + if [ -b "/dev/mapper/$name" ]; then + /sbin/cryptsetup remove $name + fi + + if test -z "$keyfile"; then + prmt="${extd}Please enter passphrase for $physdev ($name): ${norm}" + setprompt + fi + + # map the devices + if test -n "$luks" || cryptsetup isLuks "$device" &> /dev/null; then + luks='yes' + /sbin/cryptsetup $params ${keyfile:+-d $keyfile} luksOpen "$device" "$name" < $REDIRECT &> $REDIRECT + stat=$? + else + # XXX hack + if test -n "$pseed" -o -n "$itercountk"; then + params="$params -d /dev/stdin" # cannot use "-" as cryptsetup would hash that + cryptsetup=hashalotcryptsetup + else + cryptsetup=/sbin/cryptsetup + fi + params="$params ${cipher:+-c $cipher} ${halgo:+-h $halgo} ${keysize:+-s $keysize}" + $cryptsetup $params ${keyfile:+-d $keyfile} create "$name" "$device" < $REDIRECT &> $REDIRECT + stat=$? + unset cryptsetup + fi + if test -z "$keyfile"; then + unsetprompt + fi + + if test $stat -ne 0; then + report 1 "$physdev... " + doskip=1 + detachloopdev + break + fi + + # run check if it's set + if test -n "$check"; then + $check "/dev/mapper/$name" $checkargs + if test $? -ne 0; then + report 1 "$physdev... " + doskip=1 + /sbin/cryptsetup remove $name + detachloopdev + break + fi + fi + + mountpoint='' + fs_type='auto' + infstab='' + read dummy mountpoint fs_type dummy < <(/bin/awk -vd=/dev/mapper/$name '$1==d{print;exit}' < /etc/fstab) + if test "$?" -eq 0; then + infstab='yes' + fi + + # run mkfs if the tmp option was given + if test "$maketmp" = "yes"; then + echo "Creating filesystem on /dev/mapper/$name..." + if test "$fs_type" = 'auto'; then + fs_type='ext2' + fi + /sbin/mkfs -t "$fs_type" /dev/mapper/$name + + if test $? -ne 0; then + report 1 "$phsdev: failed to create temporary file system." + doskip=1 + /sbin/cryptsetup remove $name + detachloopdev + break + fi + fi + + # no need for paranoid checks with luks as cryptsetup is able to + # verify the passphrase itself then + # + # if the device is not in fstab we can't do paranoid checks as we + # don't know what the intention of the device is + if test "$makeswap" != 'yes' -a -z "$luks" -a -n "$infstab"; then + if test -z "$luks"; then + paranoid_safety_checks "$fs_type" "/dev/mapper/$name" "$mountpoint" "$physdev" + stat="$?" + if test "$stat" = 1; then # retype passphrase + continue + elif test "$stat" = 2; then # skip entry + report 5 "$physdev..." + doskip=1 + fi + fi + fi + + break; + done # setup/check loop + + if test "$doskip" -gt 0; then + if test -b "/dev/mapper/$name"; then + /sbin/cryptsetup remove "$name" + fi + detachloopdev + continue + fi + + # run mkswap if necessary. boot.swap with enable this later + if test "$makeswap" = "yes"; then + mkswap "/dev/mapper/$name" + stat="$?" + test $stat -eq 0 || stat=1 + report $stat "$physdev..." + continue + fi + + if test -z "$infstab"; then + report 0 "$physdev..." + continue + fi + + if ! run_fsck "$fs_type" "/dev/mapper/$name" "$mp" "$physdev"; then + report 1 "$physdev..." + continue + fi + + mount /dev/mapper/$name + stat="$?" + + if test $stat -gt 0 ; then + stat=1 + /sbin/cryptsetup remove $name || true + detachloopdev + fi + + # set permissions for tmp dirs + if test "$maketmp" = "yes"; then + chmod 1777 $mountpoint + fi + + report $stat "$physdev..." + + done < $CRYPTTAB + if test -z "$haveone" -a -z "$tostart"; then + rc_failed 6 + rc_status -v1 + fi +} + +umount_or_swapoff() +{ + # unmount device + if /bin/grep -q "^/dev/mapper/$name[ \t]" /proc/mounts; then + umount "/dev/mapper/$name" + if test $? -gt 0 ; then + return 1 + fi + elif /bin/grep -q "^/dev/mapper/$name[ \t]" /proc/swaps; then + swapoff "/dev/mapper/$name" + if test $? -gt 0 ; then + return 1 + fi + fi + + return 0 +} + + +stop_cryptotab () +{ + local haveone='' + + test -n "$tostop" || echo "Turning off crypto devices using $CRYPTOTAB ... " + + while read loopdev physdev access filesys crypto mopt rest ; do + case "$loopdev" in + \#*|"") continue ;; + esac + + if test -n "$tostop" -a "$loopdev" != "$tostop" -a "$physdev" != "$tostop" -a "$access" != "$tostop"; then + continue + fi + + haveone=1 + + name="${loopdev#/dev/}" + name="cryptotab_${name//[^A-Za-z0-9]/_}" + + if test -b "/dev/mapper/$name"; then + + if ! umount_or_swapoff; then + report 1 "$physdev..." + continue + fi + + cryptsetup remove "$name" || rc_failed 1 + fi + + if losetup $loopdev >/dev/null 2>&1; then + losetup -d $loopdev || rc_failed 1 + fi + + echo -n "$physdev..." + rc_status -v + + done < <(reverse < $CRYPTOTAB) + + if test -z "$haveone" -a -z "$tostop"; then + rc_status -v1 + fi +} + +stop_crypttab () +{ + local haveone='' + + test -n "$tostop" || echo "Turning off crypto devices using $CRYPTTAB ... " + + while read name physdev keyfile options dummy; do + case "$name" in + \#*|"") continue ;; + esac + + if test -n "$tostop" -a "$name" != "$tostop" -a "$physdev" != "$tostop"; then + continue + fi + + haveone=1 + + loopdev="" + device="$physdev" + + if test -b "/dev/mapper/$name"; then + if ! umount_or_swapoff; then + report 1 "$physdev..." + continue + fi + + /sbin/cryptsetup remove "$name" || rc_failed 1 + fi + + # delete the loop device + while read line; do + case "$line" in + *\(${physdev}\)*) device=${line%%:*}; loopdev='yes' ;; + esac + done < <(/sbin/losetup -a) + + if test -n "$loopdev" && losetup $device >/dev/null 2>&1; then + /sbin/losetup -d $device || rc_failed 1 + fi + + echo -n "$physdev..." + rc_status -v + + done < <(reverse < $CRYPTTAB) + + if test -z "$haveone" -a -z "$tostop"; then + rc_status -v1 + fi +} + +status_cryptotab() +{ + local state str + local haveone='' + while read loopdev physdev access filesys crypto mopt info rest ; do + case "$loopdev" in + \#*|"") continue ;; + esac + + haveone=1 + + name="${loopdev#/dev/}" + name="cryptotab_${name//[^A-Za-z0-9]/_}" + + echo -n "$physdev" + state=0 + str='' + + if losetup "$loopdev" > /dev/null 2>&1; then + str="$str ${loopdev#/dev/}" + state=$((state+1)) + fi + if test -b "/dev/mapper/$name"; then + str="$str mapped" + state=$((state+1)) + fi + if /bin/grep -q "^/dev/mapper/$name[ \t]" /proc/mounts; then + str="$str mounted" + state=$((state+1)) + fi + + if test "$state" = 3; then + rc_failed 0 + elif test "$state" != 0; then + rc_failed 4 + else + rc_failed 3 + fi + + if test -n "$str"; then + echo -n " [$str ]" + fi + rc_status -v + + done < $CRYPTOTAB + + if test -z "$haveone"; then + report 3 "$CRYPTOTAB" + fi +} + +status_crypttab() +{ + local state str + local haveone='' + + while read name physdev keyfile options dummy; do + case "$name" in + \#*|"") continue ;; + esac + + haveone=1 + + echo -n "$physdev" + state=0 + str='' + + loopdev='' + # find the loop device + while read line; do + case "$line" in + *\(${physdev}\)*) loopdev=${line%%:*};; + esac + done < <(/sbin/losetup -a) + + if test -n "$loopdev" && losetup "$loopdev" > /dev/null 2>&1; then + str="$str ${loopdev#/dev/}" + state=$((state|1)) + fi + if test -b "/dev/mapper/$name"; then + str="$str mapped" + state=$((state|2)) + fi + if /bin/grep -q "^/dev/mapper/$name[ \t]" /proc/mounts; then + str="$str mounted" + state=$((state|4)) + elif /bin/grep -q "^/dev/mapper/$name[ \t]" /proc/swaps; then + str="$str swap" + state=$((state|4)) + fi + + if test -n "$str"; then + echo -n " [$str ]" + fi + if test "$state" != 0; then + if test $((state&2)) = 0; then + rc_failed 4 + else + if ! test -e "$physdev"; then + rc_failed 1 + else + rc_failed 0 + fi + fi + else + rc_failed 3 + fi + rc_status -v + + done < $CRYPTTAB + + if test -z "$haveone"; then + report 3 "$CRYPTTAB" + fi +} + +# +# Cutomize_{start,stop}_hook are for interactive usage only +# +cutomize_start_hook () +{ + local srv + + test "$base" != "$link" && return 0 + test -s /etc/sysconfig/boot.crypto || return 0 + . /etc/sysconfig/boot.crypto + + for srv in $TRY_RESTART_AT_START ; do + test -n "$srv" || break + test -x /etc/init.d/$srv || continue + /etc/init.d/$srv try-restart + done + + for srv in $RESTART_AT_START ; do + test -n "$srv" || break + test -x /etc/init.d/$srv || continue + /etc/init.d/$srv restart + done + + for srv in $RELOAD_AT_START ; do + test -n "$srv" || break + test -x /etc/init.d/$srv || continue + /etc/init.d/$srv reload + done +} + +cutomize_stop_hook () +{ + local srv + + test "$base" != "$link" && return 0 + test -s /etc/sysconfig/boot.crypto || return 0 + . /etc/sysconfig/boot.crypto + + for srv in $TRY_RESTART_AT_STOP ; do + test -n "$srv" || break + test -x /etc/init.d/$srv || continue + /etc/init.d/$srv try-restart + done + + for srv in $RESTART_AT_STOP ; do + test -n "$srv" || break + test -x /etc/init.d/$srv || continue + /etc/init.d/$srv restart + done + + for srv in $RELOAD_AT_STOP ; do + test -n "$srv" || break + test -x /etc/init.d/$srv || continue + /etc/init.d/$srv reload + done +} + +rc_reset +case "$1" in + start|b) + + if ! /sbin/modprobe -q dm-crypt; then + echo "kernel lacks dm-crypt support" + rc_failed 5 + rc_status -v + rc_exit + fi + + tostart="$2" + + if test -s $CRYPTOTAB; then + start_cryptotab + fi + + if test -s $CRYPTTAB; then + start_crypttab + fi + + rc_failed 0 + + restore + + cutomize_start_hook + ;; + stop) + + tostop="$2" + + if test -s $CRYPTOTAB; then + stop_cryptotab + fi + + if test -s $CRYPTTAB; then + stop_crypttab + fi + + rc_failed 0 + + cutomize_stop_hook + ;; + status) + if test -s $CRYPTOTAB; then + status_cryptotab + fi + + if test -s $CRYPTTAB; then + status_crypttab + fi + rc_failed 0 + ;; + restart) + $0 stop + $0 start + rc_status + ;; + *) + echo "Usage: $0 {start|stop|status|restart}" + exit 1 + ;; +esac +rc_exit diff --git a/cryptsetup-1.0.5.tar.bz2 b/cryptsetup-1.0.5.tar.bz2 new file mode 100644 index 0000000..d57250c --- /dev/null +++ b/cryptsetup-1.0.5.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4bab529afa00cafde3bc5df2769578c88438f80c5152d4257cd0e86986f95bc4 +size 322394 diff --git a/cryptsetup-luks-implicit-declarations.diff b/cryptsetup-luks-implicit-declarations.diff new file mode 100644 index 0000000..0ecee26 --- /dev/null +++ b/cryptsetup-luks-implicit-declarations.diff @@ -0,0 +1,117 @@ +fix implicit function declarations + +Signed-off-by: Ludwig Nussel + +Index: cryptsetup-luks-1.0.4_SVN30/lib/internal.h +=================================================================== +--- cryptsetup-luks-1.0.4_SVN30.orig/lib/internal.h ++++ cryptsetup-luks-1.0.4_SVN30/lib/internal.h +@@ -62,6 +62,9 @@ int hash(const char *backend_name, const + struct setup_backend *get_setup_backend(const char *name); + void put_setup_backend(struct setup_backend *backend); + ++void hexprint(char *d, int n); ++ ++int sector_size_for_device(const char *device); + ssize_t write_blockwise(int fd, const void *buf, size_t count); + ssize_t read_blockwise(int fd, void *_buf, size_t count); + ssize_t write_lseek_blockwise(int fd, const char *buf, size_t count, off_t offset); +Index: cryptsetup-luks-1.0.4_SVN30/lib/libcryptsetup.h +=================================================================== +--- cryptsetup-luks-1.0.4_SVN30.orig/lib/libcryptsetup.h ++++ cryptsetup-luks-1.0.4_SVN30/lib/libcryptsetup.h +@@ -45,6 +45,8 @@ int crypt_luksDelKey(struct crypt_option + int crypt_luksAddKey(struct crypt_options *options); + int crypt_luksUUID(struct crypt_options *options); + int crypt_isLuks(struct crypt_options *options); ++int crypt_luksFormat(struct crypt_options *options); ++int crypt_luksDump(struct crypt_options *options); + + void crypt_get_error(char *buf, size_t size); + void crypt_put_options(struct crypt_options *options); +Index: cryptsetup-luks-1.0.4_SVN30/lib/setup.c +=================================================================== +--- cryptsetup-luks-1.0.4_SVN30.orig/lib/setup.c ++++ cryptsetup-luks-1.0.4_SVN30/lib/setup.c +@@ -107,7 +107,7 @@ static int interactive_pass(const char * + { + struct termios orig, tmp; + int failed = -1; +- int infd, outfd; ++ int infd = STDIN_FILENO, outfd; + + if (maxlen < 1) + goto out_err; +Index: cryptsetup-luks-1.0.4_SVN30/lib/utils.c +=================================================================== +--- cryptsetup-luks-1.0.4_SVN30.orig/lib/utils.c ++++ cryptsetup-luks-1.0.4_SVN30/lib/utils.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include + + #include "libcryptsetup.h" +Index: cryptsetup-luks-1.0.4_SVN30/luks/af.c +=================================================================== +--- cryptsetup-luks-1.0.4_SVN30.orig/luks/af.c ++++ cryptsetup-luks-1.0.4_SVN30/luks/af.c +@@ -30,6 +30,7 @@ + #include + #include "sha1.h" + #include "XORblock.h" ++#include "random.h" + + /* diffuse: Information spreading over the whole dataset with + * the help of sha512. +Index: cryptsetup-luks-1.0.4_SVN30/luks/keyencryption.c +=================================================================== +--- cryptsetup-luks-1.0.4_SVN30.orig/luks/keyencryption.c ++++ cryptsetup-luks-1.0.4_SVN30/luks/keyencryption.c +@@ -40,6 +40,9 @@ + (__a - 1) / __b + 1; \ + }) + ++static inline int round_up_modulo(int x, int m) { ++ return div_round_up(x, m) * m; ++} + + static int setup_mapping(const char *cipher, const char *name, + const char *device, unsigned int payloadOffset, +Index: cryptsetup-luks-1.0.4_SVN30/luks/keymanage.c +=================================================================== +--- cryptsetup-luks-1.0.4_SVN30.orig/luks/keymanage.c ++++ cryptsetup-luks-1.0.4_SVN30/luks/keymanage.c +@@ -141,7 +141,7 @@ int LUKS_write_phdr(const char *device, + return r; + } + +-inline int round_up_modulo(int x, int m) { ++static inline int round_up_modulo(int x, int m) { + return div_round_up(x, m) * m; + } + +Index: cryptsetup-luks-1.0.4_SVN30/src/cryptsetup.c +=================================================================== +--- cryptsetup-luks-1.0.4_SVN30.orig/src/cryptsetup.c ++++ cryptsetup-luks-1.0.4_SVN30/src/cryptsetup.c +@@ -4,6 +4,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -13,6 +14,9 @@ + + #include "cryptsetup.h" + ++// XXX! ++int LUKS_is_last_keyslot(const char *device, unsigned int keyIndex); ++ + static int opt_verbose = 1; + static char *opt_cipher = NULL; + static char *opt_hash = DEFAULT_HASH; diff --git a/cryptsetup-luks-libnostderr.diff b/cryptsetup-luks-libnostderr.diff new file mode 100644 index 0000000..edd1290 --- /dev/null +++ b/cryptsetup-luks-libnostderr.diff @@ -0,0 +1,189 @@ +use set_error instead of printf in library to report errors. + +Signed-off-by: Ludwig Nussel + +Index: cryptsetup-luks-1.0.4_SVN30/lib/setup.c +=================================================================== +--- cryptsetup-luks-1.0.4_SVN30.orig/lib/setup.c ++++ cryptsetup-luks-1.0.4_SVN30/lib/setup.c +@@ -96,7 +96,7 @@ static int timed_read(int fd, char *pass + if (select(fd+1, &fds, NULL, NULL, &t) > 0) + failed = untimed_read(fd, pass, maxlen); + else +- fprintf(stderr, "Operation timed out.\n"); ++ set_error("Operation timed out"); + return failed; + } + +@@ -195,14 +195,16 @@ static int get_key(struct crypt_options + + pass = safe_alloc(512); + if (!pass || (i = interactive_pass(prompt, pass, 512, options->timeout))) { +- set_error("Error reading passphrase"); ++ if(!get_error()) ++ set_error("Error reading passphrase"); + goto out_err; + } + if (verify || verify_if_possible) { + char pass_verify[512]; + i = interactive_pass("Verify passphrase: ", pass_verify, sizeof(pass_verify), options->timeout); + if (i || strcmp(pass, pass_verify) != 0) { +- set_error("Passphrases do not match"); ++ if(!get_error()) ++ set_error("Passphrases do not match"); + goto out_err; + } + memset(pass_verify, 0, sizeof(pass_verify)); +@@ -383,7 +385,7 @@ static int parse_into_name_and_mode(cons + strncpy(mode,"cbc-plain",10); + } + else { +- fprintf(stderr, "no known cipher-spec pattern detected\n"); ++ set_error("no known cipher-spec pattern detected"); + return -EINVAL; + } + } +@@ -642,7 +644,6 @@ start: + r = -EINVAL; goto out; + } + if((r = LUKS_open_any_key(options->device, password, passwordLen, &hdr, &mk, backend)) < 0) { +- set_error("No key available with this passphrase.\n"); + goto out1; + } + +@@ -716,7 +717,7 @@ static int __crypt_luks_add_key(int arg, + r = -EINVAL; goto out; + } + if(LUKS_open_any_key(device, password, passwordLen, &hdr, &mk, backend) < 0) { +- printf("No key available with this passphrase.\n"); ++ set_error("No key available with this passphrase"); + r = -EPERM; goto out; + } + safe_free(password); +@@ -759,7 +760,7 @@ static int __crypt_luks_del_key(int arg, + } + openedIndex = LUKS_open_any_key(device, password, passwordLen, &hdr, &mk, backend); + if(openedIndex < 0 || keyIndex == openedIndex) { +- printf("No remaining key available with this passphrase.\n"); ++ set_error("No remaining key available with this passphrase"); + r = -EPERM; goto out; + } + } +Index: cryptsetup-luks-1.0.4_SVN30/luks/keymanage.c +=================================================================== +--- cryptsetup-luks-1.0.4_SVN30.orig/luks/keymanage.c ++++ cryptsetup-luks-1.0.4_SVN30/luks/keymanage.c +@@ -76,20 +76,20 @@ int LUKS_read_phdr(const char *device, s + + devfd = open(device,O_RDONLY | O_DIRECT | O_SYNC); + if(-1 == devfd) { +- fprintf(stderr, _("Can't open device: %s\n"), device); ++ set_error(_("Can't open device %s"), device); + return -EINVAL; + } + + if(read_blockwise(devfd, hdr, sizeof(struct luks_phdr)) < sizeof(struct luks_phdr)) { + r = -EIO; + } else if(memcmp(hdr->magic, luksMagic, LUKS_MAGIC_L)) { /* Check magic */ +- fprintf(stderr, _("%s is not a LUKS partition\n"), device); ++ set_error(_("%s is not a LUKS partition\n"), device); + r = -EINVAL; + } else if(memcmp(hdr->hashSpec, "sha1", 4)) { /* Check for SHA1 - other hashspecs are not implemented ATM */ +- fputs(_("unknown hash spec in phdr"), stderr); ++ set_error(_("unknown hash spec in phdr")); + r = -EINVAL; + } else if((hdr->version = ntohs(hdr->version)) != 1) { /* Convert every uint16/32_t item from network byte order */ +- fprintf(stderr, _("unknown version %d\n"), hdr->version); ++ set_error( _("unknown LUKS version %d\n"), hdr->version); + r = -EINVAL; + } else { + hdr->payloadOffset = ntohl(hdr->payloadOffset); +@@ -117,7 +117,7 @@ int LUKS_write_phdr(const char *device, + + devfd = open(device,O_RDWR | O_DIRECT | O_SYNC); + if(-1 == devfd) { +- fprintf(stderr, _("Can't open device: %s\n"), device); ++ set_error(_("Can't open device %s"), device); + return -EINVAL; + } + +@@ -210,12 +210,12 @@ int LUKS_set_key(const char *device, uns + int r; + + if(hdr->keyblock[keyIndex].active != LUKS_KEY_DISABLED) { +- fprintf(stderr, _("key %d active, purge first.\n"), keyIndex); ++ set_error( _("key %d active, purge first"), keyIndex); + return -EINVAL; + } + + if(hdr->keyblock[keyIndex].stripes < LUKS_STRIPES) { +- fprintf(stderr,_("key material section %d includes too few stripes. Header manipulation?\n"),keyIndex); ++ set_error(_("key material section %d includes too few stripes. Header manipulation?"),keyIndex); + return -EINVAL; + } + r = getRandom(hdr->keyblock[keyIndex].passwordSalt, LUKS_SALTSIZE); +@@ -247,7 +247,8 @@ int LUKS_set_key(const char *device, uns + hdr->keyblock[keyIndex].keyMaterialOffset, + backend); + if(r < 0) { +- fprintf(stderr,"Failed to write to key storage.\n"); ++ if(!get_error()) ++ set_error("Failed to write to key storage"); + goto out; + } + +@@ -303,7 +304,8 @@ int LUKS_open_key(const char *device, + hdr->keyblock[keyIndex].keyMaterialOffset, + backend); + if(r < 0) { +- fprintf(stderr,"Failed to read from key storage\n"); ++ if(!get_error()) ++ set_error("Failed to read from key storage"); + goto out; + } + +@@ -387,7 +389,7 @@ static int wipe(const char *device, unsi + + devfd = open(device, O_RDWR | O_DIRECT); + if(devfd == -1) { +- fprintf(stderr, _("Can't open device: %s\n"), device); ++ set_error(_("Can't open device %s"), device); + return -EINVAL; + } + +Index: cryptsetup-luks-1.0.4_SVN30/lib/utils.c +=================================================================== +--- cryptsetup-luks-1.0.4_SVN30.orig/lib/utils.c ++++ cryptsetup-luks-1.0.4_SVN30/lib/utils.c +@@ -226,7 +226,7 @@ ssize_t read_blockwise(int fd, void *ori + while(count) { + r = read(fd,padbuf,bsize); + if(r < 0 || r != bsize) { +- fprintf(stderr, "read failed in read_blockwise.\n"); ++ set_error("read failed in read_blockwise()"); + goto out; + } + step = countsize = round_up_modulo(srcLength,device_sector_size)/SECTOR_SIZE; +@@ -121,7 +121,8 @@ static int LUKS_endec_template(char *src + + r = setup_mapping(dmCipherSpec,name,device,hdr->payloadOffset,key,keyLength,sector,srcLength,backend,mode); + if(r < 0) { +- fprintf(stderr,"Failed to setup dm-crypt key mapping.\nCheck kernel for support for the %s cipher spec and verify that %s contains at least %d sectors.\n", ++ if(!get_error()) ++ set_error("Failed to setup dm-crypt key mapping.\nCheck kernel for support for the %s cipher spec and verify that %s contains at least %d sectors", + dmCipherSpec, + device, + sector + div_round_up(srcLength,SECTOR_SIZE)); diff --git a/cryptsetup-luks-uninitialized.diff b/cryptsetup-luks-uninitialized.diff new file mode 100644 index 0000000..c279f23 --- /dev/null +++ b/cryptsetup-luks-uninitialized.diff @@ -0,0 +1,17 @@ +fix segfault when trying to open a non existing device + +Signed-off-by: Ludwig Nussel + +Index: cryptsetup-luks-1.0.4_SVN30/lib/setup.c +=================================================================== +--- cryptsetup-luks-1.0.4_SVN30.orig/lib/setup.c ++++ cryptsetup-luks-1.0.4_SVN30/lib/setup.c +@@ -608,7 +608,7 @@ out: + + static int __crypt_luks_open(int arg, struct setup_backend *backend, struct crypt_options *options) + { +- struct luks_masterkey *mk; ++ struct luks_masterkey *mk=NULL; + struct luks_phdr hdr; + char *password; int passwordLen; + struct device_infos infos; diff --git a/cryptsetup-luks-warnings.diff b/cryptsetup-luks-warnings.diff new file mode 100644 index 0000000..10c0521 --- /dev/null +++ b/cryptsetup-luks-warnings.diff @@ -0,0 +1,92 @@ +fix some gcc warnings + +Signed-off-by: Ludwig Nussel + +Index: cryptsetup-luks-1.0.4_SVN30/lib/libdevmapper.c +=================================================================== +--- cryptsetup-luks-1.0.4_SVN30.orig/lib/libdevmapper.c ++++ cryptsetup-luks-1.0.4_SVN30/lib/libdevmapper.c +@@ -258,7 +258,7 @@ static int dm_query_device(int details, + options->skip = 0; + options->size = length; + if (details) { +- char *cipher, *key_, *device, *tmp; ++ char *cipher, *key_, *device; + uint64_t val64; + + set_error("Invalid dm table"); +Index: cryptsetup-luks-1.0.4_SVN30/lib/setup.c +=================================================================== +--- cryptsetup-luks-1.0.4_SVN30.orig/lib/setup.c ++++ cryptsetup-luks-1.0.4_SVN30/lib/setup.c +@@ -57,8 +57,6 @@ static int setup_enter(struct setup_back + + static int setup_leave(struct setup_backend *backend) + { +- const char *error; +- + if (backend) + backend->exit(); + +Index: cryptsetup-luks-1.0.4_SVN30/lib/utils.c +=================================================================== +--- cryptsetup-luks-1.0.4_SVN30.orig/lib/utils.c ++++ cryptsetup-luks-1.0.4_SVN30/lib/utils.c +@@ -173,7 +173,7 @@ ssize_t write_blockwise(int fd, const vo + { + char *padbuf; char *padbuf_base; + char *buf = (char *)orig_buf; +- int r; ++ int r = 0; + int hangover; int solid; int bsize; + + if ((bsize = sector_size(fd)) < 0) +@@ -213,7 +213,7 @@ ssize_t write_blockwise(int fd, const vo + ssize_t read_blockwise(int fd, void *orig_buf, size_t count) { + char *padbuf; char *padbuf_base; + char *buf = (char *)orig_buf; +- int r; ++ int r = 0; + int step; + int bsize; + +Index: cryptsetup-luks-1.0.4_SVN30/luks/keymanage.c +=================================================================== +--- cryptsetup-luks-1.0.4_SVN30.orig/luks/keymanage.c ++++ cryptsetup-luks-1.0.4_SVN30/luks/keymanage.c +@@ -417,7 +417,7 @@ static int wipe(const char *device, unsi + int LUKS_del_key(const char *device, unsigned int keyIndex) + { + struct luks_phdr hdr; +- unsigned int i, startOffset, endOffset, stripesLen; ++ unsigned int startOffset, endOffset, stripesLen; + int r; + + r = LUKS_read_phdr(device, &hdr); +Index: cryptsetup-luks-1.0.4_SVN30/luks/random.c +=================================================================== +--- cryptsetup-luks-1.0.4_SVN30.orig/luks/random.c ++++ cryptsetup-luks-1.0.4_SVN30/luks/random.c +@@ -13,7 +13,7 @@ + + int getRandom(char *buf, size_t len) + { +- int randomfd, r = 0, index = 0; ++ int randomfd, r = 0; + + //FIXME Run a FIPS test for the random device or include + // PRNG if urandom not avail. +Index: cryptsetup-luks-1.0.4_SVN30/src/cryptsetup.c +=================================================================== +--- cryptsetup-luks-1.0.4_SVN30.orig/src/cryptsetup.c ++++ cryptsetup-luks-1.0.4_SVN30/src/cryptsetup.c +@@ -203,7 +203,8 @@ static int yesDialog(char *msg) + size_t size=0; + fprintf(stderr,"\nWARNING!\n========\n"); + fprintf(stderr,"%s\n\nAre you sure? (Type uppercase yes): ",msg); +- getline(&answer,&size,stdin); ++ if(getline(&answer,&size,stdin) == -1) ++ return 0; + if(strcmp(answer,"YES\n") == 0) + r = 1; + free(answer); diff --git a/cryptsetup-mktar b/cryptsetup-mktar new file mode 100644 index 0000000..afd2039 --- /dev/null +++ b/cryptsetup-mktar @@ -0,0 +1,8 @@ +#!/bin/sh +# repo is at http://luks.endorphin.org/svn/cryptsetup +set -e +SVN_VERSION="1.0.4_SVN`svnversion .`" +rm -rf cryptsetup-luks-${SVN_VERSION} +svn export . cryptsetup-luks-${SVN_VERSION} +tar --owner=root --group=root --force-local -cjf cryptsetup-luks-${SVN_VERSION}.tar.bz2 cryptsetup-luks-${SVN_VERSION} +rm -rf cryptsetup-luks-${SVN_VERSION} diff --git a/cryptsetup.changes b/cryptsetup.changes new file mode 100644 index 0000000..b4e1916 --- /dev/null +++ b/cryptsetup.changes @@ -0,0 +1,155 @@ +------------------------------------------------------------------- +Fri Jun 1 10:07:14 CEST 2007 - lnussel@suse.de + +- rename util-linux-crypto to cryptsetup +- remove dmconvert +- replace svn snapshot with official 1.0.5 release +- don't enable boot.crypto by default + +------------------------------------------------------------------- +Tue May 29 15:58:44 CEST 2007 - lnussel@suse.de + +- fix segfault when trying to open a non existing device +- fix gcc warnings +- add Short-Description to boot.crypto +- use %find_lang + +------------------------------------------------------------------- +Wed May 9 14:52:00 CEST 2007 - lnussel@suse.de + +- boot.crypto: implement 'status' +- boot.crypto: accept argument to start/stop single devices + +------------------------------------------------------------------- +Wed May 9 10:40:28 CEST 2007 - lnussel@suse.de + +- hashalot: add timeout option + +------------------------------------------------------------------- +Wed May 9 09:40:42 CEST 2007 - lnussel@suse.de + +- fix build + +------------------------------------------------------------------- +Tue May 8 15:16:41 CEST 2007 - lnussel@suse.de + +- boot.crypto: switch off splash screen only when needed +- boot.crypto: report status for individual volumes instead of using one global + exit status +- hashalot: exit unsucessfully on empty passphrase + +------------------------------------------------------------------- +Tue May 8 10:43:24 CEST 2007 - lnussel@suse.de + +- boot.crypto: sleep a bit longer before overwriting the prompt +- boot.crypto: add support for pseed and itercountk options +- boot.crypto: skip entries with unsupported/unknown options +- hashalot: add support for itercountk + +------------------------------------------------------------------- +Fri May 4 16:38:11 CEST 2007 - lnussel@suse.de + +- upgrade cryptsetup to current svn revision 30 which includes + previous patches. +- fix background prompt process not getting killed on ctrl-d in + boot.crypto + +------------------------------------------------------------------- +Fri Apr 27 15:46:05 CEST 2007 - lnussel@suse.de + +- upgrade cryptsetup to current svn revision 26. Does no longer hang + when a file is specified instead of a device. +- remove obsolete cryptsetup.sh script +- boot.crypto: + * drop support for cryptoloop, use cryptsetup also for cryptotab + * refactor code and create reusable components for use in cryptotab + and crypttab code path + * run sulogin only during boot if fsck failed + * support crypttab's 'tries' option +- add crypttab manpage based on Debian one + +------------------------------------------------------------------- +Tue Apr 24 17:38:40 CEST 2007 - lnussel@suse.de + +- add boot.crypto (#257884) +- add crypttab and cryptotab as %ghost to filelist + +------------------------------------------------------------------- +Tue Mar 27 10:22:48 CEST 2007 - mkoenig@suse.de + +- move devel .so link to %{libdir} +- run ldconfig, since we have now a shared lib installed + +------------------------------------------------------------------- +Fri Mar 23 16:18:12 CET 2007 - dmueller@suse.de + +- cryptsetup can now link shared since libpopt is + no longer under /usr + +------------------------------------------------------------------- +Fri Mar 9 12:06:53 CET 2007 - lnussel@suse.de + +- add patch to support old loop_fish2 key hash method + +------------------------------------------------------------------- +Thu Dec 7 18:33:01 CET 2006 - mkoenig@suse.de + +- update cryptsetup to version 1.0.4: + * added terminal timeout rewrite + * allow user selection of key slot + * reading binary keys from stdin using the "-" as key file + * fix 64 bit compiler warning issues. + * fix getline problem for 64-bit archs. + +------------------------------------------------------------------- +Fri Oct 13 11:30:19 CEST 2006 - mkoenig@suse.de + +- fix build failure due to missing pthreads + +------------------------------------------------------------------- +Wed Sep 13 12:39:27 CEST 2006 - hvogel@suse.de + +- use the LUKS version of cryptsetup +- split -devel subpackage for libcryptsetup +- remove patches because they are in the new cryptsetup + * cryptsetup-0.1-static.patch + * cryptsetup-0.1-retval.patch + * cryptsetup-0.1-dmi.exists.patch + * cryptsetup-0.1-timeout.patch +- use man page from the new cryptsetup + +------------------------------------------------------------------- +Tue May 16 11:03:08 CEST 2006 - hvogel@suse.de + +- Fix cryptsetup to work when the device does not exist yet + [#175931] + +------------------------------------------------------------------- +Wed Jan 25 21:42:28 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Mon Dec 19 14:46:30 CET 2005 - mmj@suse.de + +- Remove symlinks to hashalot we don't want + +------------------------------------------------------------------- +Thu Oct 13 15:04:29 CEST 2005 - hvogel@suse.de + +- Fix uninitialized var in dmconvert. Add + * dmconvert-0.2-uninitialized.patch +- Fix return value in cryptsetup. Add + * cryptsetup-0.1-retval.patch + +------------------------------------------------------------------- +Wed Jun 29 14:28:32 CEST 2005 - hvogel@suse.de + +- Link cryptsetup static so it can be in /sbin and you can get + /usr over nfs or even crypted + +------------------------------------------------------------------- +Mon May 9 17:23:39 CEST 2005 - hvogel@suse.de + +- New package, Version 2.12q + diff --git a/cryptsetup.spec b/cryptsetup.spec new file mode 100644 index 0000000..d2b7a2a --- /dev/null +++ b/cryptsetup.spec @@ -0,0 +1,274 @@ +# +# spec file for package cryptsetup (Version 1.0.5) +# +# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. +# This file and all modifications and additions to the pristine +# package are under the same license as the package itself. +# +# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# + +# norootforbuild + +Name: cryptsetup +URL: http://luks.endorphin.org/dm-crypt +BuildRequires: device-mapper-devel e2fsprogs-devel libgcrypt-devel popt-devel +# hashalot version +%define haver 0.3 +License: BSD License and BSD-like, GNU General Public License (GPL) +Group: System/Base +Autoreqprov: on +Version: 1.0.5 +Release: 1 +Summary: Set up dm-crypt based encrypted block devices +Source: cryptsetup-1.0.5.tar.bz2 +Source1: hashalot-%haver.tar.bz2 +Source50: boot.crypto +Source90: Makefile.doc +Source91: crypttab.5.txt +# make -f Makefile.doc +Source92: crypttab.5 +# use this to create the tarball from svn +Source99: cryptsetup-mktar +Patch1: cryptsetup-luks-uninitialized.diff +Patch2: cryptsetup-luks-implicit-declarations.diff +Patch3: cryptsetup-luks-warnings.diff +Patch4: cryptsetup-luks-libnostderr.diff +Patch10: hashalot-fixes.diff +Patch11: hashalot-libgcrypt.diff +Patch12: hashalot-ctrl-d.diff +Patch13: hashalot-timeout.diff +Patch14: hashalot-manpage.diff +BuildRoot: %{_tmppath}/%{name}-%{version}-build +Provides: aaa_base:/etc/init.d/boot.crypto +Obsoletes: util-linux-crypto <= 2.12r +# we need losetup +Requires: util-linux + +%description +cryptsetup is used to conveniently setup up dm-crypt based +device-mapper targets. It can set up targets to read cryptoloop +compatible volumes as well as LUKS formatted ones. The package +additionally includes support for automatically setting up encrypted +volumes at boot time via the config file /etc/crypttab + + + +Authors: +-------- + Clemens Fruhwirth + Christophe Saout + Ben Slusky + +%package devel +Summary: Set up dm-crypt based encrypted block devices +Group: System/Base +Requires: %name = %version +Requires: device-mapper-devel libgcrypt-devel libgpg-error-devel e2fsprogs-devel glibc-devel + +%description devel +cryptsetup is used to conveniently setup up dm-crypt based +device-mapper targets. It can set up targets to read cryptoloop +compatible volumes as well as LUKS formatted ones. The package +additionally includes support for automatically setting up encrypted +volumes at boot time via the config file /etc/crypttab + + + +Authors: +-------- + Clemens Fruhwirth + Christophe Saout + Ben Slusky + +%prep +%setup -q -b 1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +pushd ../hashalot-%haver +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +popd + +%build +# cryptsetup build +%{?suse_update_config:%{suse_update_config}} +autoreconf -f -i +CFLAGS="$RPM_OPT_FLAGS" ./configure --prefix=%_prefix --mandir=%_mandir \ + --libdir=/%_lib \ + --bindir=/sbin --sbindir=/sbin \ + --disable-static --enable-shared +make +# +# hashalot build +pushd ../hashalot-%haver +autoreconf -f -i +%{?suse_update_config:%{suse_update_config}} +CFLAGS="$RPM_OPT_FLAGS" ./configure --prefix=%_prefix --sbindir=/sbin --mandir=%_mandir +make +popd + +%install +make install DESTDIR=$RPM_BUILD_ROOT +# move devel .so link to %{libdir} +rm -f $RPM_BUILD_ROOT/%{_lib}/libcryptsetup.so +mkdir -p $RPM_BUILD_ROOT%{_libdir} +ln -s /%{_lib}/libcryptsetup.so.0.0.0 $RPM_BUILD_ROOT%{_libdir}/libcryptsetup.so +# don't want this file in /lib (FHS compat check), and can't move it to /usr/lib +rm -f $RPM_BUILD_ROOT/%_lib/*.la +# +# hashalot install +pushd ../hashalot-%haver +make install DESTDIR=$RPM_BUILD_ROOT +popd +# remove unwanted symlinks +rm -f $RPM_BUILD_ROOT/sbin/{rmd160,sha256,sha384,sha512} +# +# +# boot.crypto +install -d -m 755 %{buildroot}/etc/init.d +install -m 755 %{SOURCE50} %{buildroot}/etc/init.d/boot.crypto +# maybe install templates instead? +install -m 644 /dev/null %{buildroot}/etc/cryptotab +install -m 644 /dev/null %{buildroot}/etc/crypttab +# man page +install -d -m755 %{buildroot}%{_mandir}/man5 +install -m644 %{SOURCE92} %{buildroot}%{_mandir}/man5 +# +%find_lang %name --all-name + +%pre +# hack to catch update case from aaa_base/util-linux-crypto +if [ -f /etc/init.d/boot.d/S??boot.crypto ]; then + touch /var/run/cryptsetup.boot.crypto.enabled +fi + +%post +/sbin/ldconfig +%{fillup_and_insserv boot.crypto} +if [ -e /var/run/cryptsetup.boot.crypto.enabled ]; then + rm -f /var/run/cryptsetup.boot.crypto.enabled + %{fillup_and_insserv -fY boot.crypto} +fi + +%postun +/sbin/ldconfig +%{insserv_cleanup} + +%clean +rm -rf $RPM_BUILD_ROOT + +%files -f %name.lang +%defattr(-,root,root) +%ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/crypttab +%ghost %verify(not md5 size mtime) %config(noreplace,missingok) /etc/cryptotab +/etc/init.d/boot.crypto +/sbin/cryptsetup +/sbin/hashalot +%_datadir/locale/de/LC_MESSAGES/cryptsetup.mo +%_mandir/man1/hashalot.1.gz +%_mandir/man8/cryptsetup.8.gz +%_mandir/man5/crypttab.5.gz +/%_lib/libcryptsetup.so.0 +/%_lib/libcryptsetup.so.0.0.0 + +%files devel +%defattr(-,root,root) +%_includedir/libcryptsetup.h +%{_libdir}/libcryptsetup.so + +%changelog +* Fri Jun 01 2007 - lnussel@suse.de +- rename util-linux-crypto to cryptsetup +- remove dmconvert +- replace svn snapshot with official 1.0.5 release +- don't enable boot.crypto by default +* Tue May 29 2007 - lnussel@suse.de +- fix segfault when trying to open a non existing device +- fix gcc warnings +- add Short-Description to boot.crypto +- use %%find_lang +* Wed May 09 2007 - lnussel@suse.de +- boot.crypto: implement 'status' +- boot.crypto: accept argument to start/stop single devices +* Wed May 09 2007 - lnussel@suse.de +- hashalot: add timeout option +* Wed May 09 2007 - lnussel@suse.de +- fix build +* Tue May 08 2007 - lnussel@suse.de +- boot.crypto: switch off splash screen only when needed +- boot.crypto: report status for individual volumes instead of using one global + exit status +- hashalot: exit unsucessfully on empty passphrase +* Tue May 08 2007 - lnussel@suse.de +- boot.crypto: sleep a bit longer before overwriting the prompt +- boot.crypto: add support for pseed and itercountk options +- boot.crypto: skip entries with unsupported/unknown options +- hashalot: add support for itercountk +* Fri May 04 2007 - lnussel@suse.de +- upgrade cryptsetup to current svn revision 30 which includes + previous patches. +- fix background prompt process not getting killed on ctrl-d in + boot.crypto +* Fri Apr 27 2007 - lnussel@suse.de +- upgrade cryptsetup to current svn revision 26. Does no longer hang + when a file is specified instead of a device. +- remove obsolete cryptsetup.sh script +- boot.crypto: + * drop support for cryptoloop, use cryptsetup also for cryptotab + * refactor code and create reusable components for use in cryptotab + and crypttab code path + * run sulogin only during boot if fsck failed + * support crypttab's 'tries' option +- add crypttab manpage based on Debian one +* Tue Apr 24 2007 - lnussel@suse.de +- add boot.crypto (#257884) +- add crypttab and cryptotab as %%ghost to filelist +* Tue Mar 27 2007 - mkoenig@suse.de +- move devel .so link to %%{libdir} +- run ldconfig, since we have now a shared lib installed +* Fri Mar 23 2007 - dmueller@suse.de +- cryptsetup can now link shared since libpopt is + no longer under /usr +* Fri Mar 09 2007 - lnussel@suse.de +- add patch to support old loop_fish2 key hash method +* Thu Dec 07 2006 - mkoenig@suse.de +- update cryptsetup to version 1.0.4: + * added terminal timeout rewrite + * allow user selection of key slot + * reading binary keys from stdin using the "-" as key file + * fix 64 bit compiler warning issues. + * fix getline problem for 64-bit archs. +* Fri Oct 13 2006 - mkoenig@suse.de +- fix build failure due to missing pthreads +* Wed Sep 13 2006 - hvogel@suse.de +- use the LUKS version of cryptsetup +- split -devel subpackage for libcryptsetup +- remove patches because they are in the new cryptsetup + * cryptsetup-0.1-static.patch + * cryptsetup-0.1-retval.patch + * cryptsetup-0.1-dmi.exists.patch + * cryptsetup-0.1-timeout.patch +- use man page from the new cryptsetup +* Tue May 16 2006 - hvogel@suse.de +- Fix cryptsetup to work when the device does not exist yet + [#175931] +* Wed Jan 25 2006 - mls@suse.de +- converted neededforbuild to BuildRequires +* Mon Dec 19 2005 - mmj@suse.de +- Remove symlinks to hashalot we don't want +* Thu Oct 13 2005 - hvogel@suse.de +- Fix uninitialized var in dmconvert. Add + * dmconvert-0.2-uninitialized.patch +- Fix return value in cryptsetup. Add + * cryptsetup-0.1-retval.patch +* Wed Jun 29 2005 - hvogel@suse.de +- Link cryptsetup static so it can be in /sbin and you can get + /usr over nfs or even crypted +* Mon May 09 2005 - hvogel@suse.de +- New package, Version 2.12q diff --git a/crypttab.5 b/crypttab.5 new file mode 100644 index 0000000..aa87ce9 --- /dev/null +++ b/crypttab.5 @@ -0,0 +1,201 @@ +.\" Title: crypttab +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.71.1 +.\" Date: 05/09/2007 +.\" Manual: +.\" Source: +.\" +.TH "CRYPTTAB" "5" "05/09/2007" "" "" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +crypttab \- static information about crypted filesystems +.SH "SYNOPSIS" +.PP +\fBcrypttab\fR +.RS 4 + +\fI\fR +\fI\fR +\fI\fR +\fI\fR +.RE +.SH "DESCRIPTION" +The file \fB/etc/crypttab\fR contains descriptive informations about encrypted volumes. Each volume is described on a separate line; columns on each line are separated by tabs or spaces. Lines starting with "\fI#\fR" are comments, empty lines are ignored. The order of records in \fBcrypttab\fR is important because the \fB/etc/init.d/boot.crypto\fR script sequentially iterates through \fBcrypttab\fR entries. All four columns are mandatory, missing or excessive columns will lead to unspecified behaviour. +.sp +.TP 4 +\(bu +The first column, +\fItarget device\fR +specifies the mapped +\fIdevice name\fR. It must be a plain filename without any directories. A mapped device +\fB/dev/mapper/\fR\fIdevice name\fR +will be created by +\fBcryptsetup(8)\fR +crypting data from and onto the +\fIsource device\fR. +To actually mount that device it needs to be listed in \fB/etc/fstab\fR. +.sp +.TP 4 +\(bu +The second column +\fIsource device\fR +specifies the block special device that should hold the encrypted data. +.TP 4 +\(bu +The third column +\fIkey file\fR +specifies the file to use for decrypting the encrypted data of the +\fIsource device\fR. +It can also be a device name (e.g. \fB/dev/urandom\fR, which is useful for encrypted swap devices). Warning: luks does not support infinite streams (like \fB/dev/urandom\fR), it requires a fixed size key. +.sp +If the \fIkey file\fR is the string \fBnone\fR, the key data (i.e. a password or passphrase) will be read interactively from the console. In this case the options precheck, check, checkargs and tries may be useful. +.sp +.TP 4 +\(bu +The fourth field +\fIoptions\fR +specifies the cryptsetup options associated with the encryption process. At minimum, the field should contain the string +\fBluks\fR +or the +\fIcipher\fR, +\fIhash\fR +and +\fIsize\fR +options. +Options have to be specified in the format: \fIkey\fR=\fIvalue\fR[,\fIkey\fR=\fIvalue\fR \&...] +.sp +.SH "OPTIONS" +.PP +\fBcipher\fR= +.RS 4 +Encryption algorithm. See +\fBcryptsetup \-c\fR. +.RE +.PP +\fBsize\fR= +.RS 4 +Encryption key size. See +\fBcryptsetup \-s\fR. +.RE +.PP +\fBhash\fR= +.RS 4 +Hash algorithm. See +\fBcryptsetup \-h\fR. +.RE +.PP +\fBverify\fR +.RS 4 +Verify password. See +\fBcryptsetup \-y\fR. +.RE +.PP +\fBreadonly\fR +.RS 4 +The backing device is read\-only (eg: a dvd). +.RE +.PP +\fBluks\fR +.RS 4 +Use device with luks extensions. +.RE +.PP +\fBswap\fR +.RS 4 +Run +\fBmkswap\fR +on the created device. +.RE +.PP +\fBtmp\fR +.RS 4 +Run +\fBmkfs\fR +on the created device. The file system to use is specified in +\fB/etc/fstab\fR. If +\fB/etc/fstab\fR +does not list the mapped device, ext2 is used as fallback. +.RE +.PP +\fBprecheck\fR= +.RS 4 +Check the source device by suitable program; if the check fails the device is not created; is a script to check the source device. The source device is given as argument to the script. +.RE +.PP +\fBcheck\fR[=] +.RS 4 +Check the content of the mapped device by a suitable program; if the check fails the device is removed. The specified program is run giving the decrypted volume (target device) as first and the value of the checkargs option as second argument. Cryptdisks searches for the given program in /lib/cryptsetup/checks/. If no program is specified, vol_id is used. +.RE +.PP +\fBcheckargs\fR= +.RS 4 +Pass as second argument to the check script +.RE +.PP +\fBtries\fR= +.RS 4 +Prompt for the passphrase at most times if the entered passphrase was wrong. Defaults is 3. Only works for LUKS volumes. +.RE +.PP +\fBtimeout\fR= +.RS 4 +Time out interactive password prompts after seconds. +.RE +.PP +\fBloop\fR +.RS 4 +Always attach a loop device before mapping the device. Normally a loop device is used automatically only for image files. Useful if the block size of the physical device does not match the block size of the contained file system. E.g. ext2 on a CD. +.RE +.PP +\fBnoauto\fR +.RS 4 +Causes boot.crypto to skip this record during boot +.RE +.PP +\fBpseed=\fR +.RS 4 +Set a string that is appended to the passphrase after hashing. Using different seeds for volumes with the same passphrase makes dictionary attacks harder. Use for compatability with loop\-AES. +.RE +.PP +\fBitercountk=\fR +.RS 4 +Encrypts the hashed password thousand times using AES\-256. Use for compatability with loop\-AES. +.RE +.PP +\fBloud\fR, \fBssl\fR, \fBgpg\fR, \fBkeyscript\fR +.RS 4 +not supported. Listed here as they are supported by Debian. +.RE +.SH "CHECKSCRIPTS" +TODO +.sp +.SH "EXAMPLES" +.PP +\fBEncrypted swap device\fR +.RS 4 +cswap /dev/sda6 /dev/random swap +.RE +.PP +\fBEncrypted luks volume with interactive password\fR +.RS 4 +cdisk0 /dev/hda1 none luks +.RE +.PP +\fBEncrypted luks volume with interactive password, use a custom check script, no retries\fR +.RS 4 +cdisk2 /dev/hdc1 none luks,check=customscript,checkargs=foo,tries=1 +.RE +.PP +\fBEncrypted volume with interactive password and a cryptoloop compatible twofish256 cipher\fR +.RS 4 +cdisk3 /dev/sda3 none cipher=twofish\-cbc\-plain,size=256,hash=sha512 +.RE +.SH "SEE ALSO" +cryptsetup(8), /etc/crypttab, fstab(8) +.sp +.SH "AUTHOR" +Manual page converted to asciidoc by Michael Gebetsroither . Originally written by Bastian Kleineidam for the Debian distribution of cryptsetup. Improved by Jonas Meurer . Modified for SUSE Linux by Ludwig Nussel . Parts of this manual were taken and adapted from the fstab(5) manual page. +.sp diff --git a/crypttab.5.txt b/crypttab.5.txt new file mode 100644 index 0000000..5647dfc --- /dev/null +++ b/crypttab.5.txt @@ -0,0 +1,178 @@ +CRYPTTAB(5) +=========== + +NAME +---- +crypttab - static information about crypted filesystems + + +SYNOPSIS +-------- +*crypttab*:: +'' '' '' '' + + +DESCRIPTION +----------- +The file */etc/crypttab* contains descriptive informations about +encrypted volumes. Each volume is described on a separate line; +columns on each line are separated by tabs or spaces. Lines starting +with "'#'" are comments, empty lines are ignored. The order of +records in *crypttab* is important because the +*/etc/init.d/boot.crypto* script sequentially iterates through +*crypttab* entries. All four columns are mandatory, missing or +excessive columns will lead to unspecified behaviour. + +- The first column, 'target device' specifies the mapped 'device +name'. It must be a plain filename without any directories. A mapped +device */dev/mapper/*'device name' will be created by +*cryptsetup(8)* crypting data from and onto the 'source device'. + +To actually mount that device it needs to be listed in */etc/fstab*. + +- The second column 'source device' specifies the block special +device that should hold the encrypted data. + +- The third column 'key file' specifies the file to use for +decrypting the encrypted data of the 'source device'. + +It can also be a device name (e.g. */dev/urandom*, which is useful +for encrypted swap devices). Warning: luks does not support infinite +streams (like */dev/urandom*), it requires a fixed size key. + +If the 'key file' is the string *none*, the key data (i.e. a +password or passphrase) will be read interactively from the console. +In this case the options precheck, check, checkargs and tries may be +useful. + +- The fourth field 'options' specifies the cryptsetup options +associated with the encryption process. At minimum, the field should +contain the string *luks* or the 'cipher', 'hash' and 'size' +options. + +Options have to be specified in the format: 'key'='value'[,'key'='value' ...] + + +OPTIONS +------- + +*cipher*=:: +Encryption algorithm. See *cryptsetup -c*. + +*size*=:: +Encryption key size. See *cryptsetup -s*. + +*hash*=:: +Hash algorithm. See *cryptsetup -h*. + +*verify*:: +Verify password. See *cryptsetup -y*. + +*readonly*:: +The backing device is read-only (eg: a dvd). + +*luks*:: +Use device with luks extensions. + +*swap*:: +Run *mkswap* on the created device. + +*tmp*:: +Run *mkfs* on the created device. The file system to use is +specified in */etc/fstab*. If */etc/fstab* does not list the mapped +device, ext2 is used as fallback. + +*precheck*=:: +Check the source device by suitable program; if the check fails the device is +not created; is a script to check the source device. The source +device is given as argument to the script. + +*check*[=]:: +Check the content of the mapped device by a suitable program; if the +check fails the device is removed. The specified program is +run giving the decrypted volume (target device) as first and the +value of the checkargs option as second argument. Cryptdisks +searches for the given program in /lib/cryptsetup/checks/. If no +program is specified, vol_id is used. + +*checkargs*=:: +Pass as second argument to the check script + +*tries*=:: +Prompt for the passphrase at most times if the entered +passphrase was wrong. Defaults is 3. Only works for LUKS volumes. + +*timeout*=:: +Time out interactive password prompts after seconds. + +*loop*:: +Always attach a loop device before mapping the device. Normally a +loop device is used automatically only for image files. Useful if +the block size of the physical device does not match the block size +of the contained file system. E.g. ext2 on a CD. + +*noauto*:: +Causes boot.crypto to skip this record during boot + +*pseed=*:: +Set a string that is appended to the passphrase after hashing. +Using different seeds for volumes with the same passphrase makes +dictionary attacks harder. Use for compatability with loop-AES. + +*itercountk=*:: +Encrypts the hashed password thousand times using AES-256. Use +for compatability with loop-AES. + +*loud*, *ssl*, *gpg*, *keyscript*:: +not supported. Listed here as they are supported by Debian. + +CHECKSCRIPTS +------------ +TODO +///// +*vol_id*:: +Checks for any known filesystem. Supports a filesystem type as argument via +: +no checkargs - succeeds if any valid filesystem is found on the device. +"none" - succeeds if no valid filesystem is found on the device. +"ext3" [or any other filesystem type like xfs, swap, crypto_LUKS, whatever] - succeeds +if an ext3 [or another given] filesystem type is found on the device. + +*ext3*:: +Checks for a valid ext2/ext3 filesystem. + +*xfs*:: +Checks for a valid xfs filesystem. + +*swap*:: +Checks for partition type 'swap'. Only useful as . +//// + +EXAMPLES +-------- +*Encrypted swap device*:: +cswap /dev/sda6 /dev/random swap + +*Encrypted luks volume with interactive password*:: +cdisk0 /dev/hda1 none luks + +*Encrypted luks volume with interactive password, use a custom check script, no retries*:: +cdisk2 /dev/hdc1 none luks,check=customscript,checkargs=foo,tries=1 + +*Encrypted volume with interactive password and a cryptoloop compatible twofish256 cipher*:: +cdisk3 /dev/sda3 none cipher=twofish-cbc-plain,size=256,hash=sha512 + +SEE ALSO +-------- +cryptsetup(8), /etc/crypttab, fstab(8) + + +AUTHOR +------ +Manual page converted to asciidoc by Michael Gebetsroither +. Originally written by +Bastian Kleineidam for the Debian distribution +of cryptsetup. Improved by Jonas Meurer . +Modified for SUSE Linux by Ludwig Nussel . +Parts of this manual were taken and adapted from the fstab(5) manual +page. diff --git a/hashalot-0.3.tar.bz2 b/hashalot-0.3.tar.bz2 new file mode 100644 index 0000000..c3c7c9d --- /dev/null +++ b/hashalot-0.3.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5958c371ba2469150b19f4c3a66bb374a7b1e287df4d0bfeb5e7c480da15424d +size 68508 diff --git a/hashalot-ctrl-d.diff b/hashalot-ctrl-d.diff new file mode 100644 index 0000000..c7beff5 --- /dev/null +++ b/hashalot-ctrl-d.diff @@ -0,0 +1,19 @@ +exit unsucessfully on empty passphrase + +Signed-off-by: Ludwig Nussel + +Index: hashalot-0.3/hashalot.c +=================================================================== +--- hashalot-0.3/hashalot.c.orig ++++ hashalot-0.3/hashalot.c +@@ -275,6 +275,10 @@ main(int argc, char *argv[]) + + /* here we acquire the precious passphrase... */ + pass = xgetpass("Enter passphrase: "); ++ if(!*pass) { ++ exit(EXIT_FAILURE); ++ } ++ + if (salt) + pass = salt_passphrase(pass, salt); + hashlen = func(passhash, hashlen, pass, strlen(pass)); diff --git a/hashalot-fixes.diff b/hashalot-fixes.diff new file mode 100644 index 0000000..1829599 --- /dev/null +++ b/hashalot-fixes.diff @@ -0,0 +1,37 @@ +- print help text to stdout so it can be read via pager +- use proper length in phash_rmd160() + +Signed-off-by: Ludwig Nussel + +Index: hashalot-0.3/hashalot.c +=================================================================== +--- hashalot-0.3/hashalot.c.orig ++++ hashalot-0.3/hashalot.c +@@ -42,7 +42,7 @@ phash_rmd160(char dest[], size_t dest_le + tmp[PASSWDBUFFLEN - 1] = '\0'; + + rmd160_hash_buffer(key, src, src_len); +- rmd160_hash_buffer(key + RMD160_HASH_SIZE, tmp, src_len + 1 /* dangerous! */); ++ rmd160_hash_buffer(key + RMD160_HASH_SIZE, tmp, strlen(tmp)); + + memcpy(dest, key, dest_len); + +@@ -95,7 +95,7 @@ show_usage(const char argv0[]) + { + struct func_table_t *p = func_table; + +- fprintf (stderr, ++ fprintf (stdout, + "usage:\n" + " hashalot [ -x ] [ -s SALT ] [ -n _#bytes_ ] HASHTYPE\n" + " or\n" +@@ -106,7 +106,8 @@ show_usage(const char argv0[]) + for (; p->name; ++p) + fprintf (stderr, "%s ", p->name); + +- fprintf (stderr, "\n"); ++ ++ fprintf (stdout, "\n"); + + return 1; + } diff --git a/hashalot-libgcrypt.diff b/hashalot-libgcrypt.diff new file mode 100644 index 0000000..5aca911 --- /dev/null +++ b/hashalot-libgcrypt.diff @@ -0,0 +1,156 @@ +add support for -C (itercountk) option of loop-AES if libgcrypt is available + +Signed-off-by: Ludwig Nussel + +Index: hashalot-0.3/Makefile.am +=================================================================== +--- hashalot-0.3/Makefile.am.orig ++++ hashalot-0.3/Makefile.am +@@ -3,6 +3,9 @@ sbin_PROGRAMS = hashalot + + man_MANS = hashalot.1 + ++hashalot_CFLAGS = $(LIBGCRYPT_CFLAGS) ++hashalot_LDFLAGS = $(LIBGCRYPT_LIBS) ++ + hashalot_SOURCES = hashalot.c rmd160.c rmd160.h sha512.c sha512.h + + install-exec-hook: +Index: hashalot-0.3/configure.ac +=================================================================== +--- hashalot-0.3/configure.ac.orig ++++ hashalot-0.3/configure.ac +@@ -8,5 +8,6 @@ AC_PROG_LN_S + AC_HEADER_STDC + AC_CHECK_HEADERS(libgen.h stdio.h stdlib.h string.h unistd.h assert.h sys/types.h sys/mman.h endian.h , , [ AC_MSG_ERROR(required header not found)]) + AC_CHECK_FUNCS(getopt snprintf , , [ AC_MSG_ERROR(required function not found)]) ++AM_PATH_LIBGCRYPT(,[AC_DEFINE([HAVE_LIBGCRYPT], 1)]) + + AC_OUTPUT(Makefile) +Index: hashalot-0.3/hashalot.c +=================================================================== +--- hashalot-0.3/hashalot.c.orig ++++ hashalot-0.3/hashalot.c +@@ -25,6 +25,10 @@ + #include + #include + ++#if HAVE_LIBGCRYPT ++#include ++#endif ++ + #include "rmd160.h" + #include "sha512.h" + +@@ -97,9 +101,9 @@ show_usage(const char argv0[]) + + fprintf (stdout, + "usage:\n" +- " hashalot [ -x ] [ -s SALT ] [ -n _#bytes_ ] HASHTYPE\n" ++ " hashalot [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ] HASHTYPE\n" + " or\n" +- " HASHTYPE [ -x ] [ -s SALT ] [ -n _#bytes_ ]\n" ++ " HASHTYPE [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ]\n" + "\n" + "supported values for HASHTYPE: "); + +@@ -214,8 +218,9 @@ main(int argc, char *argv[]) + size_t hashlen = 0; + phash_func_t func; + int hex_output = 0, c; ++ unsigned long itercountk = 0; + +- while ((c = getopt(argc, argv, "n:s:x")) != -1) { ++ while ((c = getopt(argc, argv, "n:s:xC:")) != -1) { + switch (c) { + case 'n': + hashlen = strtoul(optarg, &p, 0); +@@ -233,6 +238,9 @@ main(int argc, char *argv[]) + case 'x': + hex_output++; + break; ++ case 'C': ++ itercountk = atoi(optarg); ++ break; + default: + show_usage(argv[0]); + exit(EXIT_FAILURE); +@@ -257,6 +265,8 @@ main(int argc, char *argv[]) + * plus a newline, plus a null */ + passhash = xmalloc(2*hashlen + 2); + ++ memset(passhash, 0, 2*hashlen+2); ++ + /* try to lock memory so it doesn't get swapped out for sure */ + if (mlockall(MCL_CURRENT | MCL_FUTURE) == -1) { + perror("mlockall"); +@@ -268,6 +278,69 @@ main(int argc, char *argv[]) + if (salt) + pass = salt_passphrase(pass, salt); + hashlen = func(passhash, hashlen, pass, strlen(pass)); ++ ++ if(itercountk) /* from loop-AES */ ++ { ++#if HAVE_LIBGCRYPT ++ gcry_cipher_hd_t ctx; ++ gcry_error_t err; ++ char tmp[32]; ++ char out[32]; ++ ++ if(hashlen > 32) { ++ fprintf(stderr, "WARNING: hashlen truncated to 32\n"); ++ hashlen = 32; ++ } ++ ++ if(!gcry_check_version("1.1.0")) { ++ fprintf(stderr, "libgcrypt initialization failed\n"); ++ exit(EXIT_FAILURE); ++ } ++ ++ memset(out, 0, sizeof(out)); ++ memcpy(out, passhash, hashlen); ++ ++ err = gcry_cipher_open(&ctx, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CBC, 0); ++ if(err) ++ { ++ fprintf(stderr, "can't initialize AES: %s\n", gcry_strerror (err)); ++ exit(EXIT_FAILURE); ++ } ++ ++ /* ++ * Set up AES-256 encryption key using same password and hash function ++ * as before but with password bit 0 flipped before hashing. That key ++ * is then used to encrypt actual loop key 'itercountk' thousand times. ++ */ ++ pass[0] ^= 1; ++ func(&tmp[0], 32, pass, strlen(pass)); ++ gcry_cipher_setkey(ctx, &tmp[0], 32); ++ itercountk *= 1000; ++ while(itercountk > 0) { ++ gcry_cipher_reset(ctx); ++ gcry_cipher_setiv(ctx, NULL, 0); ++ /* encrypt both 128bit blocks with AES-256 */ ++ gcry_cipher_encrypt(ctx, &out[ 0], 16, &out[ 0], 16); ++ gcry_cipher_reset(ctx); ++ gcry_cipher_setiv(ctx, NULL, 0); ++ gcry_cipher_encrypt(ctx, &out[16], 16, &out[16], 16); ++ /* exchange upper half of first block with lower half of second block */ ++ memcpy(&tmp[0], &out[8], 8); ++ memcpy(&out[8], &out[16], 8); ++ memcpy(&out[16], &tmp[0], 8); ++ itercountk--; ++ } ++ memset(&tmp[0], 0, sizeof(tmp)); ++ ++ memcpy(passhash, out, hashlen); ++ ++ gcry_cipher_close(ctx); ++#else ++ fprintf(stderr, "libgcrypt support is required for option -C\n"); ++ exit(EXIT_FAILURE); ++#endif ++ ++ } + memset (pass, 0, strlen (pass)); /* paranoia */ + free(pass); + diff --git a/hashalot-manpage.diff b/hashalot-manpage.diff new file mode 100644 index 0000000..80ce900 --- /dev/null +++ b/hashalot-manpage.diff @@ -0,0 +1,39 @@ +document -C and -t options in manpage + +Signed-off-by: Ludwig Nussel + +Index: hashalot-0.3/hashalot.1 +=================================================================== +--- hashalot-0.3/hashalot.1.orig ++++ hashalot-0.3/hashalot.1 +@@ -2,9 +2,9 @@ + .SH NAME + hashalot \- read a passphrase and print a hash + .SH SYNOPSIS +-.B hashalot [ \-s SALT ] [ \-x ] [ \-n #BYTES ] HASHTYPE ++.B hashalot [ \-t secs ] [ \-s SALT ] [ \-x ] [ \-n #BYTES ] [ \-C itercountk ] HASHTYPE + .br +-.B HASHTYPE [ \-s SALT ] [ \-x ] [ \-n #BYTES ] ++.B HASHTYPE [ \-t secs ] [ \-s SALT ] [ \-x ] [ \-n #BYTES ] [ \-C itercountk ] + .SH DESCRIPTION + .PP + \fIhashalot\fP is a small tool that reads a passphrase from standard +@@ -36,6 +36,18 @@ option can be used to limit (or increase + default is as appropriate for the specified hash algorithm: 20 bytes for + RIPEMD160, 32 bytes for SHA256, etc. The default for the "rmd160compat" + hash is 16 bytes, for compatibility with the old kerneli.org utilities. ++.PP ++The ++.B \-t ++option specifies a timeout for reading the passphrase from the terminal. ++.PP ++The ++.B \-C ++option specifies that the hashed password has to be encrypted ++itercountk thousand times using AES-256. Use for compatability with ++loop-AES. ++.PP ++The options \-t and \-C are currently SUSE specific + .SH AUTHOR + Ben Slusky + .PP diff --git a/hashalot-timeout.diff b/hashalot-timeout.diff new file mode 100644 index 0000000..1f5fe32 --- /dev/null +++ b/hashalot-timeout.diff @@ -0,0 +1,89 @@ +add timeout option -t + +Signed-off-by: Ludwig Nussel + +Index: hashalot-0.3/hashalot.c +=================================================================== +--- hashalot-0.3/hashalot.c.orig ++++ hashalot-0.3/hashalot.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -36,6 +37,12 @@ + + typedef int (*phash_func_t)(char dest[], size_t dest_len, const char src[], size_t src_len); + ++static int got_timeout; ++void alrm_handler(int num) ++{ ++ got_timeout = 1; ++} ++ + static int + phash_rmd160(char dest[], size_t dest_len, const char src[], size_t src_len) + { +@@ -101,9 +108,9 @@ show_usage(const char argv0[]) + + fprintf (stdout, + "usage:\n" +- " hashalot [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ] HASHTYPE\n" ++ " hashalot [ -t secs ] [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ] HASHTYPE\n" + " or\n" +- " HASHTYPE [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ]\n" ++ " HASHTYPE [ -t secs ] [ -x ] [ -s SALT ] [ -n _#bytes_ ] [ -C itercountk ]\n" + "\n" + "supported values for HASHTYPE: "); + +@@ -219,8 +226,9 @@ main(int argc, char *argv[]) + phash_func_t func; + int hex_output = 0, c; + unsigned long itercountk = 0; ++ unsigned timeout = 0; + +- while ((c = getopt(argc, argv, "n:s:xC:")) != -1) { ++ while ((c = getopt(argc, argv, "n:s:xC:t:")) != -1) { + switch (c) { + case 'n': + hashlen = strtoul(optarg, &p, 0); +@@ -235,6 +243,9 @@ main(int argc, char *argv[]) + case 's': + salt = optarg; + break; ++ case 't': ++ timeout = atoi(optarg); ++ break; + case 'x': + hex_output++; + break; +@@ -273,12 +284,25 @@ main(int argc, char *argv[]) + fputs("Warning: couldn't lock memory, are you root?\n", stderr); + } + ++ if(timeout) { ++ struct sigaction sa; ++ sa.sa_handler = alrm_handler; ++ sigemptyset (&sa.sa_mask); ++ sa.sa_flags = 0; ++ sigaction(SIGALRM, &sa, NULL); ++ alarm(timeout); ++ } ++ + /* here we acquire the precious passphrase... */ + pass = xgetpass("Enter passphrase: "); +- if(!*pass) { ++ if(got_timeout || !*pass) { + exit(EXIT_FAILURE); + } + ++ if(timeout) { ++ alarm(0); ++ } ++ + if (salt) + pass = salt_passphrase(pass, salt); + hashlen = func(passhash, hashlen, pass, strlen(pass)); diff --git a/ready b/ready new file mode 100644 index 0000000..473a0f4