[arch-commits] Commit in cryptsetup/repos (6 files)
Christian Hesse
eworm at archlinux.org
Tue Mar 9 13:43:59 UTC 2021
Date: Tuesday, March 9, 2021 @ 13:43:59
Author: eworm
Revision: 409523
archrelease: copy trunk to testing-x86_64
Added:
cryptsetup/repos/testing-x86_64/
cryptsetup/repos/testing-x86_64/0001-fix-partial-reads-from-TTY.patch
(from rev 409522, cryptsetup/trunk/0001-fix-partial-reads-from-TTY.patch)
cryptsetup/repos/testing-x86_64/PKGBUILD
(from rev 409522, cryptsetup/trunk/PKGBUILD)
cryptsetup/repos/testing-x86_64/hooks-encrypt
(from rev 409522, cryptsetup/trunk/hooks-encrypt)
cryptsetup/repos/testing-x86_64/install-encrypt
(from rev 409522, cryptsetup/trunk/install-encrypt)
cryptsetup/repos/testing-x86_64/install-sd-encrypt
(from rev 409522, cryptsetup/trunk/install-sd-encrypt)
---------------------------------------+
0001-fix-partial-reads-from-TTY.patch | 182 ++++++++++++++++++++++++++++++++
PKGBUILD | 58 ++++++++++
hooks-encrypt | 149 ++++++++++++++++++++++++++
install-encrypt | 48 ++++++++
install-sd-encrypt | 49 ++++++++
5 files changed, 486 insertions(+)
Copied: cryptsetup/repos/testing-x86_64/0001-fix-partial-reads-from-TTY.patch (from rev 409522, cryptsetup/trunk/0001-fix-partial-reads-from-TTY.patch)
===================================================================
--- testing-x86_64/0001-fix-partial-reads-from-TTY.patch (rev 0)
+++ testing-x86_64/0001-fix-partial-reads-from-TTY.patch 2021-03-09 13:43:59 UTC (rev 409523)
@@ -0,0 +1,182 @@
+From dfe0135e684cdb85725e065b92a1f32d0f737d86 Mon Sep 17 00:00:00 2001
+From: Milan Broz <gmazyland at gmail.com>
+Date: Sat, 6 Mar 2021 22:37:00 +0100
+Subject: [PATCH 1/2] Fix partial reads from TTY (interactive terminal).
+
+Some stable kernels started to return buffer from terminal
+in partial buffers of maximal size 64 bytes.
+
+This breaks all passphrases longer than 64 characters entered
+through interactive input (for all crypto formats).
+
+(The problem is probably fixed in more recent kernels, but
+the read() call can always return a partial read here.)
+
+This patch also fixes wrong password limit, the last character
+of passphrase of maximal size was never handled.
+Now the maximal passphrase length is really 512 characters.
+
+Fixes: #627.
+(cherry picked from commit ca87b74333082ea04c8ff14450df5580b8c15260)
+Signed-off-by: Christian Hesse <mail at eworm.de>
+---
+ src/utils_password.c | 36 +++++++++++++++++++++++++++++-------
+ tests/compat-test | 36 ++++++++++++++++++++++++++++++++++++
+ 2 files changed, 65 insertions(+), 7 deletions(-)
+
+diff --git a/src/utils_password.c b/src/utils_password.c
+index cbeec1df..8e3e3423 100644
+--- a/src/utils_password.c
++++ b/src/utils_password.c
+@@ -102,18 +102,41 @@ static int tools_check_password(const char *password)
+ }
+
+ /* Password reading helpers */
++
++static ssize_t read_tty_eol(int fd, char *pass, size_t maxlen)
++{
++ bool eol = false;
++ size_t read_size = 0;
++ ssize_t r;
++
++ do {
++ r = read(fd, pass, maxlen - read_size);
++ if ((r == -1 && errno != EINTR) || quit)
++ return -1;
++ if (r >= 0) {
++ if (!r || pass[r-1] == '\n')
++ eol = true;
++ read_size += (size_t)r;
++ pass = pass + r;
++ }
++ } while (!eol && read_size != maxlen);
++
++ return (ssize_t)read_size;
++}
++
++/* The pass buffer is zeroed and has trailing \0 already " */
+ static int untimed_read(int fd, char *pass, size_t maxlen)
+ {
+ ssize_t i;
+
+- i = read(fd, pass, maxlen);
++ i = read_tty_eol(fd, pass, maxlen);
+ if (i > 0) {
+- pass[i-1] = '\0';
++ if (pass[i-1] == '\n')
++ pass[i-1] = '\0';
+ i = 0;
+- } else if (i == 0) { /* EOF */
+- *pass = 0;
++ } else if (i == 0) /* empty input */
+ i = -1;
+- }
++
+ return i;
+ }
+
+@@ -200,10 +223,9 @@ static int crypt_get_key_tty(const char *prompt,
+ log_err(_("Error reading passphrase from terminal."));
+ goto out_err;
+ }
+- pass[key_size_max] = '\0';
+
+ if (verify) {
+- pass_verify = crypt_safe_alloc(key_size_max);
++ pass_verify = crypt_safe_alloc(key_size_max + 1);
+ if (!pass_verify) {
+ log_err(_("Out of memory while reading passphrase."));
+ r = -ENOMEM;
+diff --git a/tests/compat-test b/tests/compat-test
+index 8b038036..3696bb56 100755
+--- a/tests/compat-test
++++ b/tests/compat-test
+@@ -1023,5 +1023,41 @@ EOF
+ [ $? -eq 0 ] || fail "Expect script failed."
+ $CRYPTSETUP remove $DEV_NAME || fail
+
++prepare "[40] Long passphrase from TTY." wipe
++EXPECT_DEV=$(losetup $LOOPDEV | sed -e "s/.*(\(.*\))/\1/")
++
++# Password of maximal length 512 characters
++LONG_PWD=\
++"0123456789abcdef0123456789ABCDEF0123456789abcdef0123456789ABCDEF"\
++"Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do "\
++"eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut e"\
++"nim ad minim veniam, quis nostrud exercitation ullamco laboris n"\
++"isi ut aliquip ex ea commodo consequat. Duis aute irure dolor in"\
++" reprehenderit in voluptate velit esse cillum dolore eu fugiat n"\
++"ulla pariatur. Excepteur sint occaecat cupidatat non proident, s"\
++"unt in culpa qui officia deserunt mollit anim id est laborum.DEF"
++
++echo -n "$LONG_PWD" >$KEYE
++
++expect_run - >/dev/null <<EOF
++proc abort {} { send_error "Timeout. "; exit 2 }
++set timeout 10
++eval spawn $CRYPTSETUP_RAW luksFormat --type luks1 $FAST_PBKDF_OPT -v $LOOPDEV
++expect timeout abort "Are you sure? (Type 'yes' in capital letters):"
++send "YES\n"
++expect timeout abort "Enter passphrase for $EXPECT_DEV:"
++sleep 0.1
++send "$LONG_PWD\n"
++expect timeout abort "Verify passphrase:"
++sleep 0.1
++send "$LONG_PWD\n"
++expect timeout abort "Command successful."
++expect timeout abort eof
++eval spawn $CRYPTSETUP_RAW luksOpen -v $LOOPDEV --test-passphrase --key-file $KEYE
++expect timeout abort "Command successful."
++expect timeout abort eof
++EOF
++[ $? -eq 0 ] || fail "Expect script failed."
++
+ remove_mapping
+ exit 0
+
+From 375ca00ba9cdd3c67be406a6c26bd37c2c90a0a2 Mon Sep 17 00:00:00 2001
+From: Milan Broz <gmazyland at gmail.com>
+Date: Tue, 9 Mar 2021 11:53:52 +0100
+Subject: [PATCH 2/2] Remove superfluous CONST_CAST.
+
+It only confuses cppcheck.
+(cherry picked from commit 476cd2f764aa61ae78ef5cca5394b36bedb4d379)
+Signed-off-by: Christian Hesse <mail at eworm.de>
+---
+ src/cryptsetup.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/cryptsetup.c b/src/cryptsetup.c
+index 6e3120e4..8d439096 100644
+--- a/src/cryptsetup.c
++++ b/src/cryptsetup.c
+@@ -472,7 +472,7 @@ static int tcrypt_load(struct crypt_device *cd, struct crypt_params_tcrypt *para
+ unsigned long long tmp_pim_ull = 0;
+
+ r = tools_get_key(_("Enter VeraCrypt PIM: "),
+- CONST_CAST(char**)&tmp_pim_nptr,
++ &tmp_pim_nptr,
+ &tmp_pim_size, 0, 0, opt_keyfile_stdin, opt_timeout,
+ _verify_passphrase(0), 0, cd);
+ if (r < 0)
+@@ -489,7 +489,7 @@ static int tcrypt_load(struct crypt_device *cd, struct crypt_params_tcrypt *para
+ log_err(_("Invalid PIM value: outside of range."));
+ r = -ERANGE;
+ }
+- crypt_safe_free(CONST_CAST(char*)tmp_pim_nptr);
++ crypt_safe_free(tmp_pim_nptr);
+ if (r < 0)
+ continue;
+
+diff --git a/src/utils_password.c b/src/utils_password.c
+index b77c48e..1e14f46 100644
+--- a/src/utils_password.c
++++ b/src/utils_password.c
+@@ -21,6 +21,7 @@
+
+ #include "cryptsetup.h"
+ #include <termios.h>
++#include <stdbool.h>
+
+ int opt_force_password = 0;
+
Copied: cryptsetup/repos/testing-x86_64/PKGBUILD (from rev 409522, cryptsetup/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD (rev 0)
+++ testing-x86_64/PKGBUILD 2021-03-09 13:43:59 UTC (rev 409523)
@@ -0,0 +1,58 @@
+# Maintainer: Bartłomiej Piotrowski <bpiotrowski at archlinux.org>
+# Contributor: Thomas Bächler <thomas at archlinux.org>
+
+pkgname=cryptsetup
+pkgver=2.3.4
+pkgrel=3
+pkgdesc='Userspace setup tool for transparent encryption of block devices using dm-crypt'
+arch=(x86_64)
+license=('GPL')
+url='https://gitlab.com/cryptsetup/cryptsetup/'
+depends=('device-mapper' 'libdevmapper.so' 'openssl' 'popt' 'util-linux-libs'
+ 'libuuid.so' 'json-c' 'libjson-c.so' 'argon2' 'libargon2.so')
+makedepends=('util-linux')
+provides=('libcryptsetup.so')
+options=('!emptydirs')
+validpgpkeys=('2A2918243FDE46648D0686F9D9B0577BD93E98FC') # Milan Broz <gmazyland at gmail.com>
+source=("https://www.kernel.org/pub/linux/utils/cryptsetup/v${pkgver%.*}/${pkgname}-${pkgver}.tar."{xz,sign}
+ '0001-fix-partial-reads-from-TTY.patch'
+ 'hooks-encrypt'
+ 'install-encrypt'
+ 'install-sd-encrypt')
+sha256sums=('9d16eebb96b53b514778e813019b8dd15fea9fec5aafde9fae5febf59df83773'
+ 'SKIP'
+ 'cefa7d7f7d4a05c354da9b6f0cb9d764191a1aa870d989724633daee137a16ff'
+ 'c17e7e0a3dc9567dc6492e6520abac8b04b570e6318bc6ac8965a1839984b0c2'
+ 'd325dc239ecc9a5324407b0782da6df2573e8491251836d6c4e65fa61339ce57'
+ '31d816b3650a57512a5f9b52c1995fa65a161faa8b37975d07c9a1b8e1a119db')
+
+prepare() {
+ cd "${srcdir}"/$pkgname-${pkgver}
+
+ patch -Np1 < ../0001-fix-partial-reads-from-TTY.patch
+}
+
+build() {
+ cd "${srcdir}"/$pkgname-${pkgver}
+
+ ./configure \
+ --prefix=/usr \
+ --sbindir=/usr/bin \
+ --enable-libargon2 \
+ --disable-static
+ make
+}
+
+package() {
+ cd "${srcdir}"/$pkgname-${pkgver}
+
+ make DESTDIR="${pkgdir}" install
+
+ # install docs
+ install -D -m0644 -t "${pkgdir}"/usr/share/doc/cryptsetup/ FAQ docs/{Keyring,LUKS2-locking}.txt
+
+ # install hook
+ install -D -m0644 "${srcdir}"/hooks-encrypt "${pkgdir}"/usr/lib/initcpio/hooks/encrypt
+ install -D -m0644 "${srcdir}"/install-encrypt "${pkgdir}"/usr/lib/initcpio/install/encrypt
+ install -D -m0644 "${srcdir}"/install-sd-encrypt "${pkgdir}"/usr/lib/initcpio/install/sd-encrypt
+}
Copied: cryptsetup/repos/testing-x86_64/hooks-encrypt (from rev 409522, cryptsetup/trunk/hooks-encrypt)
===================================================================
--- testing-x86_64/hooks-encrypt (rev 0)
+++ testing-x86_64/hooks-encrypt 2021-03-09 13:43:59 UTC (rev 409523)
@@ -0,0 +1,149 @@
+#!/usr/bin/ash
+
+run_hook() {
+ modprobe -a -q dm-crypt >/dev/null 2>&1
+ [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
+
+ # Get keyfile if specified
+ ckeyfile="/crypto_keyfile.bin"
+ if [ -n "$cryptkey" ]; then
+ IFS=: read ckdev ckarg1 ckarg2 <<EOF
+$cryptkey
+EOF
+
+ if [ "$ckdev" = "rootfs" ]; then
+ ckeyfile=$ckarg1
+ elif resolved=$(resolve_device "${ckdev}" ${rootdelay}); then
+ case ${ckarg1} in
+ *[!0-9]*)
+ # Use a file on the device
+ # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
+ mkdir /ckey
+ mount -r -t "$ckarg1" "$resolved" /ckey
+ dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1
+ umount /ckey
+ ;;
+ *)
+ # Read raw data from the block device
+ # ckarg1 is numeric: ckarg1=offset, ckarg2=length
+ dd if="$resolved" of="$ckeyfile" bs=1 skip="$ckarg1" count="$ckarg2" >/dev/null 2>&1
+ ;;
+ esac
+ fi
+ [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
+ fi
+
+ if [ -n "${cryptdevice}" ]; then
+ DEPRECATED_CRYPT=0
+ IFS=: read cryptdev cryptname cryptoptions <<EOF
+$cryptdevice
+EOF
+ else
+ DEPRECATED_CRYPT=1
+ cryptdev="${root}"
+ cryptname="root"
+ fi
+
+ # This may happen if third party hooks do the crypt setup
+ if [ -b "/dev/mapper/${cryptname}" ]; then
+ echo "Device ${cryptname} already exists, not doing any crypt setup."
+ return 0
+ fi
+
+ warn_deprecated() {
+ echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
+ echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
+ }
+
+ set -f
+ OLDIFS="$IFS"; IFS=,
+ for cryptopt in ${cryptoptions}; do
+ case ${cryptopt} in
+ allow-discards)
+ cryptargs="${cryptargs} --allow-discards"
+ ;;
+ *)
+ echo "Encryption option '${cryptopt}' not known, ignoring." >&2
+ ;;
+ esac
+ done
+ set +f
+ IFS="$OLDIFS"
+ unset OLDIFS
+
+ if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then
+ if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then
+ [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
+ dopassphrase=1
+ # If keyfile exists, try to use that
+ if [ -f ${ckeyfile} ]; then
+ if eval cryptsetup --key-file ${ckeyfile} open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; then
+ dopassphrase=0
+ else
+ echo "Invalid keyfile. Reverting to passphrase."
+ fi
+ fi
+ # Ask for a passphrase
+ if [ ${dopassphrase} -gt 0 ]; then
+ echo ""
+ echo "A password is required to access the ${cryptname} volume:"
+
+ #loop until we get a real password
+ while ! eval cryptsetup open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do
+ sleep 2;
+ done
+ fi
+ if [ -e "/dev/mapper/${cryptname}" ]; then
+ if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
+ export root="/dev/mapper/root"
+ fi
+ else
+ err "Password succeeded, but ${cryptname} creation failed, aborting..."
+ return 1
+ fi
+ elif [ -n "${crypto}" ]; then
+ [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
+ msg "Non-LUKS encrypted device found..."
+ if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then
+ err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
+ err "Non-LUKS decryption not attempted..."
+ return 1
+ fi
+ exe="cryptsetup open --type plain $resolved $cryptname $cryptargs"
+ IFS=: read c_hash c_cipher c_keysize c_offset c_skip <<EOF
+$crypto
+EOF
+ [ -n "$c_hash" ] && exe="$exe --hash '$c_hash'"
+ [ -n "$c_cipher" ] && exe="$exe --cipher '$c_cipher'"
+ [ -n "$c_keysize" ] && exe="$exe --key-size '$c_keysize'"
+ [ -n "$c_offset" ] && exe="$exe --offset '$c_offset'"
+ [ -n "$c_skip" ] && exe="$exe --skip '$c_skip'"
+ if [ -f "$ckeyfile" ]; then
+ exe="$exe --key-file $ckeyfile"
+ else
+ echo ""
+ echo "A password is required to access the ${cryptname} volume:"
+ fi
+ eval "$exe $CSQUIET"
+
+ if [ $? -ne 0 ]; then
+ err "Non-LUKS device decryption failed. verify format: "
+ err " crypto=hash:cipher:keysize:offset:skip"
+ return 1
+ fi
+ if [ -e "/dev/mapper/${cryptname}" ]; then
+ if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
+ export root="/dev/mapper/root"
+ fi
+ else
+ err "Password succeeded, but ${cryptname} creation failed, aborting..."
+ return 1
+ fi
+ else
+ err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
+ fi
+ fi
+ rm -f ${ckeyfile}
+}
+
+# vim: set ft=sh ts=4 sw=4 et:
Copied: cryptsetup/repos/testing-x86_64/install-encrypt (from rev 409522, cryptsetup/trunk/install-encrypt)
===================================================================
--- testing-x86_64/install-encrypt (rev 0)
+++ testing-x86_64/install-encrypt 2021-03-09 13:43:59 UTC (rev 409523)
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+build() {
+ local mod
+
+ add_module "dm-crypt"
+ add_module "dm-integrity"
+ if [[ $CRYPTO_MODULES ]]; then
+ for mod in $CRYPTO_MODULES; do
+ add_module "$mod"
+ done
+ else
+ add_all_modules "/crypto/"
+ fi
+
+ add_binary "cryptsetup"
+ add_binary "dmsetup"
+ add_file "/usr/lib/udev/rules.d/10-dm.rules"
+ add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
+ add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
+ add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
+
+ # cryptsetup calls pthread_create(), which dlopen()s libgcc_s.so.1
+ add_binary "/usr/lib/libgcc_s.so.1"
+
+ add_runscript
+}
+
+help() {
+ cat <<HELPEOF
+This hook allows for an encrypted root device. Users should specify the device
+to be unlocked using 'cryptdevice=device:dmname' on the kernel command line,
+where 'device' is the path to the raw device, and 'dmname' is the name given to
+the device after unlocking, and will be available as /dev/mapper/dmname.
+
+For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on
+the kernel cmdline, where 'device' represents the raw block device where the key
+exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is
+the absolute path of the keyfile within the device.
+
+Without specifying a keyfile, you will be prompted for the password at runtime.
+This means you must have a keyboard available to input it, and you may need
+the keymap hook as well to ensure that the keyboard is using the layout you
+expect.
+HELPEOF
+}
+
+# vim: set ft=sh ts=4 sw=4 et:
Copied: cryptsetup/repos/testing-x86_64/install-sd-encrypt (from rev 409522, cryptsetup/trunk/install-sd-encrypt)
===================================================================
--- testing-x86_64/install-sd-encrypt (rev 0)
+++ testing-x86_64/install-sd-encrypt 2021-03-09 13:43:59 UTC (rev 409523)
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+build() {
+ local mod
+
+ add_module "dm-crypt"
+ add_module "dm-integrity"
+ if [[ $CRYPTO_MODULES ]]; then
+ for mod in $CRYPTO_MODULES; do
+ add_module "$mod"
+ done
+ else
+ add_all_modules "/crypto/"
+ fi
+
+ add_binary "dmsetup"
+ add_file "/usr/lib/udev/rules.d/10-dm.rules"
+ add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
+ add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
+ add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
+
+ add_systemd_unit "cryptsetup.target"
+ add_binary "/usr/lib/systemd/system-generators/systemd-cryptsetup-generator"
+ add_binary "/usr/lib/systemd/systemd-cryptsetup"
+
+ add_systemd_unit "systemd-ask-password-console.path"
+ add_systemd_unit "systemd-ask-password-console.service"
+
+ # cryptsetup calls pthread_create(), which dlopen()s libgcc_s.so.1
+ add_binary "/usr/lib/libgcc_s.so.1"
+
+ # add mkswap for creating swap space on the fly (see 'swap' in crypttab(5))
+ add_binary "mkswap"
+
+ [[ -f /etc/crypttab.initramfs ]] && add_file "/etc/crypttab.initramfs" "/etc/crypttab"
+}
+
+help() {
+ cat <<HELPEOF
+This hook allows for an encrypted root device with systemd initramfs.
+
+See the manpage of systemd-cryptsetup-generator(8) for available kernel
+command line options. Alternatively, if the file /etc/crypttab.initramfs
+exists, it will be added to the initramfs as /etc/crypttab. See the
+crypttab(5) manpage for more information on crypttab syntax.
+HELPEOF
+}
+
+# vim: set ft=sh ts=4 sw=4 et:
More information about the arch-commits
mailing list