Update sys-fs/cryptsetup to v2.4.1

Aniruddha Basak 2021-10-22 09:32:48 +00:00
parent de74177fc6
commit e24c9bbff2
9 changed files with 755 additions and 142 deletions


@ -1,3 +1,2 @@
DIST cryptsetup-2.3.4.tar.xz 11114004 BLAKE2B 680e6eeb594737aeb8330b0ac8638e94941bdcc56fc3441b6f1bc4f3d209d768096e23a7f840dc1012f9e63fae0fdbc0e72d735d89e92a621cec88ea59560f19 SHA512 db0bfd795343e575acb7a80ea2b9d32acf08ac970037e5b158a1e4381976552dc292107ce79e55913f49fcf643d4ea7104ed73de7c1e8d424b83d471d20ab60d
DIST cryptsetup-2.3.6.tar.xz 11154148 BLAKE2B 23a7d6fdeed2b8fb0492e800266a263b12dcf2b8c4304bda82e46d2de90b6c05a97a40f0f6f9c337b3dc428d51689d76953de5cc4daed210967cf0ea0ff503d2 SHA512 5b25cc806140d24181a0e4f0e7b0bd3caa8263aa502e8633b41c980f06ecba2e6acbf9c2d9cc4a785d38ce90d86dd8d22c52b28b9ca4a15824c2e8bdb3656665 DIST cryptsetup-2.3.6.tar.xz 11154148 BLAKE2B 23a7d6fdeed2b8fb0492e800266a263b12dcf2b8c4304bda82e46d2de90b6c05a97a40f0f6f9c337b3dc428d51689d76953de5cc4daed210967cf0ea0ff503d2 SHA512 5b25cc806140d24181a0e4f0e7b0bd3caa8263aa502e8633b41c980f06ecba2e6acbf9c2d9cc4a785d38ce90d86dd8d22c52b28b9ca4a15824c2e8bdb3656665
DIST cryptsetup-2.4.0-rc0.tar.xz 11145080 BLAKE2B e6425a54d14d93b712df42e7b9460e23afb8bcb74bbe164522a2399a26d3eb668bfcc6387e5934056cdf46fcf0c136601dc1617dcb96ded6d4251a8335442e27 SHA512 ed80cc7a1763cf0e788bd72eee979640d6133b98a7b294a3fa09c608273eef172c2d56d80802433143d01063a0c142e68ea06465392b273fc2615b8f90273b25 DIST cryptsetup-2.4.1.tar.xz 11171180 BLAKE2B 6b999a19df54276d295eb2f1729be2eefb5fb09cd29aae5f7c0b93c539b4b552f92327f2474e0f4793a3c7f8a264a4ef927178dabfc9ba56012bdf9949ef9ada SHA512 17fc73c180e41acbd4ebeddebaf54f8baeef09fce7f154aa9c55936a58bda7adcc7b1bb257336c22295d7b5af426fc8dfd0e4e644e4a52098bcb8a2adb562ca7


@ -3,7 +3,7 @@
EAPI=7 EAPI=7
inherit autotools linux-info inherit autotools linux-info tmpfiles
DESCRIPTION="Tool to setup encrypted devices with dm-crypt" DESCRIPTION="Tool to setup encrypted devices with dm-crypt"
HOMEPAGE="https://gitlab.com/cryptsetup/cryptsetup/blob/master/README.md" HOMEPAGE="https://gitlab.com/cryptsetup/cryptsetup/blob/master/README.md"
@ -18,7 +18,7 @@ CRYPTO_BACKENDS="gcrypt kernel nettle +openssl"
# and it's missing ripemd160 support so it can't provide full backward compatibility # and it's missing ripemd160 support so it can't provide full backward compatibility
IUSE="${CRYPTO_BACKENDS} +argon2 nls pwquality reencrypt static static-libs +udev urandom" IUSE="${CRYPTO_BACKENDS} +argon2 nls pwquality reencrypt static static-libs +udev urandom"
REQUIRED_USE="^^ ( ${CRYPTO_BACKENDS//+/} ) REQUIRED_USE="^^ ( ${CRYPTO_BACKENDS//+/} )
static? ( !gcrypt )" #496612 static? ( !gcrypt !udev )" #496612
LIB_DEPEND=" LIB_DEPEND="
dev-libs/json-c:=[static-libs(+)] dev-libs/json-c:=[static-libs(+)]
@ -30,13 +30,13 @@ LIB_DEPEND="
nettle? ( >=dev-libs/nettle-2.4[static-libs(+)] ) nettle? ( >=dev-libs/nettle-2.4[static-libs(+)] )
openssl? ( dev-libs/openssl:0=[static-libs(+)] ) openssl? ( dev-libs/openssl:0=[static-libs(+)] )
pwquality? ( dev-libs/libpwquality[static-libs(+)] ) pwquality? ( dev-libs/libpwquality[static-libs(+)] )
sys-fs/lvm2[static-libs(+)] sys-fs/lvm2[static-libs(+)]"
udev? ( virtual/libudev[static-libs(-)] )"
# We have to always depend on ${LIB_DEPEND} rather than put behind # We have to always depend on ${LIB_DEPEND} rather than put behind
# !static? () because we provide a shared library which links against # !static? () because we provide a shared library which links against
# these other packages. #414665 # these other packages. #414665
RDEPEND="static-libs? ( ${LIB_DEPEND} ) RDEPEND="static-libs? ( ${LIB_DEPEND} )
${LIB_DEPEND//\[static-libs\([+-]\)\]}" ${LIB_DEPEND//\[static-libs\([+-]\)\]}
udev? ( virtual/libudev:= )"
DEPEND="${RDEPEND} DEPEND="${RDEPEND}
static? ( ${LIB_DEPEND} )" static? ( ${LIB_DEPEND} )"
BDEPEND=" BDEPEND="
@ -121,3 +121,7 @@ src_install() {
newconfd "${FILESDIR}"/1.6.7-dmcrypt.confd dmcrypt newconfd "${FILESDIR}"/1.6.7-dmcrypt.confd dmcrypt
newinitd "${FILESDIR}"/1.6.7-dmcrypt.rc dmcrypt newinitd "${FILESDIR}"/1.6.7-dmcrypt.rc dmcrypt
} }
pkg_postinst() {
tmpfiles_process cryptsetup.conf
}
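Review bot: The REQUIRED_USE tightening to `static? ( !gcrypt !udev )` and the move of libudev out of LIB_DEPEND into `udev? ( virtual/libudev:= )` change what an installed system resolves, so if this is an in-place edit of what appears to be the stable 2.3.6 ebuild rather than a revision bump, existing installs keep the old dependency graph and never run the new pkg_postinst. The `tmpfiles_process cryptsetup.conf` call presumes the build installs that file, presumably via a `--with-tmpfilesdir` configure argument outside this view; a one-line comment on pkg_postinst naming where cryptsetup.conf comes from would help the next maintainer. Users who currently have `static udev` enabled will now get a REQUIRED_USE conflict at emerge time; that is the intended effect, but it deserves a sentence in the commit message.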


@ -1,123 +0,0 @@
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
inherit autotools linux-info
DESCRIPTION="Tool to setup encrypted devices with dm-crypt"
HOMEPAGE="https://gitlab.com/cryptsetup/cryptsetup/blob/master/README.md"
SRC_URI="https://www.kernel.org/pub/linux/utils/${PN}/v$(ver_cut 1-2)/${P/_/-}.tar.xz"
LICENSE="GPL-2+"
SLOT="0/12" # libcryptsetup.so version
[[ ${PV} != *_rc* ]] && \
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~mips ppc ppc64 ~riscv ~s390 sparc x86"
CRYPTO_BACKENDS="gcrypt kernel nettle +openssl"
# we don't support nss since it doesn't allow cryptsetup to be built statically
# and it's missing ripemd160 support so it can't provide full backward compatibility
IUSE="${CRYPTO_BACKENDS} +argon2 nls pwquality reencrypt static static-libs +udev urandom"
REQUIRED_USE="^^ ( ${CRYPTO_BACKENDS//+/} )
static? ( !gcrypt )" #496612
LIB_DEPEND="
dev-libs/json-c:=[static-libs(+)]
dev-libs/libgpg-error[static-libs(+)]
dev-libs/popt[static-libs(+)]
>=sys-apps/util-linux-2.31-r1[static-libs(+)]
argon2? ( app-crypt/argon2:=[static-libs(+)] )
gcrypt? ( dev-libs/libgcrypt:0=[static-libs(+)] )
nettle? ( >=dev-libs/nettle-2.4[static-libs(+)] )
openssl? ( dev-libs/openssl:0=[static-libs(+)] )
pwquality? ( dev-libs/libpwquality[static-libs(+)] )
sys-fs/lvm2[static-libs(+)]
udev? ( virtual/libudev[static-libs(-)] )"
# We have to always depend on ${LIB_DEPEND} rather than put behind
# !static? () because we provide a shared library which links against
# these other packages. #414665
RDEPEND="static-libs? ( ${LIB_DEPEND} )
${LIB_DEPEND//\[static-libs\([+-]\)\]}"
DEPEND="${RDEPEND}
static? ( ${LIB_DEPEND} )"
BDEPEND="
virtual/pkgconfig
"
S="${WORKDIR}/${P/_/-}"
PATCHES=( "${FILESDIR}"/${PN}-2.0.4-fix-static-pwquality-build.patch )
pkg_setup() {
local CONFIG_CHECK="~DM_CRYPT ~CRYPTO ~CRYPTO_CBC ~CRYPTO_SHA256"
local WARNING_DM_CRYPT="CONFIG_DM_CRYPT:\tis not set (required for cryptsetup)\n"
local WARNING_CRYPTO_SHA256="CONFIG_CRYPTO_SHA256:\tis not set (required for cryptsetup)\n"
local WARNING_CRYPTO_CBC="CONFIG_CRYPTO_CBC:\tis not set (required for kernel 2.6.19)\n"
local WARNING_CRYPTO="CONFIG_CRYPTO:\tis not set (required for cryptsetup)\n"
check_extra_config
}
src_prepare() {
sed -i '/^LOOPDEV=/s:$: || exit 0:' tests/{compat,mode}-test || die
default
eautoreconf
}
src_configure() {
if use kernel ; then
ewarn "Note that kernel backend is very slow for this type of operation"
ewarn "and is provided mainly for embedded systems wanting to avoid"
ewarn "userspace crypto libraries."
fi
local myeconfargs=(
--disable-internal-argon2
--enable-shared
--sbindir=/sbin
# for later use
--with-default-luks-format=LUKS2
--with-tmpfilesdir="${EPREFIX}/usr/lib/tmpfiles.d"
--with-crypto_backend=$(for x in ${CRYPTO_BACKENDS//+/} ; do usev ${x} ; done)
$(use_enable argon2 libargon2)
$(use_enable nls)
$(use_enable pwquality)
$(use_enable reencrypt cryptsetup-reencrypt)
$(use_enable static static-cryptsetup)
$(use_enable static-libs static)
$(use_enable udev)
$(use_enable !urandom dev-random)
$(usex argon2 '' '--with-luks2-pbkdf=pbkdf2')
)
econf "${myeconfargs[@]}"
}
src_test() {
if [[ ! -e /dev/mapper/control ]] ; then
ewarn "No /dev/mapper/control found -- skipping tests"
return 0
fi
local p
for p in /dev/mapper /dev/loop* ; do
addwrite ${p}
done
default
}
src_install() {
default
if use static ; then
mv "${ED}"/sbin/cryptsetup{.static,} || die
mv "${ED}"/sbin/veritysetup{.static,} || die
if use reencrypt ; then
mv "${ED}"/sbin/cryptsetup-reencrypt{.static,} || die
fi
fi
find "${ED}" -type f -name "*.la" -delete || die
dodoc docs/v*ReleaseNotes
newconfd "${FILESDIR}"/1.6.7-dmcrypt.confd dmcrypt
newinitd "${FILESDIR}"/1.6.7-dmcrypt.rc dmcrypt
}


@ -3,7 +3,7 @@
EAPI=7 EAPI=7
inherit autotools linux-info inherit autotools linux-info tmpfiles
DESCRIPTION="Tool to setup encrypted devices with dm-crypt" DESCRIPTION="Tool to setup encrypted devices with dm-crypt"
HOMEPAGE="https://gitlab.com/cryptsetup/cryptsetup/blob/master/README.md" HOMEPAGE="https://gitlab.com/cryptsetup/cryptsetup/blob/master/README.md"
@ -16,28 +16,30 @@ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~
CRYPTO_BACKENDS="gcrypt kernel nettle +openssl" CRYPTO_BACKENDS="gcrypt kernel nettle +openssl"
# we don't support nss since it doesn't allow cryptsetup to be built statically # we don't support nss since it doesn't allow cryptsetup to be built statically
# and it's missing ripemd160 support so it can't provide full backward compatibility # and it's missing ripemd160 support so it can't provide full backward compatibility
IUSE="${CRYPTO_BACKENDS} +argon2 nls pwquality reencrypt static static-libs +udev urandom ssh" IUSE="${CRYPTO_BACKENDS} +argon2 nls pwquality reencrypt ssh static static-libs +udev urandom"
REQUIRED_USE="^^ ( ${CRYPTO_BACKENDS//+/} ) REQUIRED_USE="^^ ( ${CRYPTO_BACKENDS//+/} )
static? ( !gcrypt )" #496612 static? ( !gcrypt !udev )" #496612
LIB_DEPEND=" LIB_DEPEND="
dev-libs/json-c:=[static-libs(+)] dev-libs/json-c:=[static-libs(+)]
dev-libs/libgpg-error[static-libs(+)]
dev-libs/popt[static-libs(+)] dev-libs/popt[static-libs(+)]
>=sys-apps/util-linux-2.31-r1[static-libs(+)] >=sys-apps/util-linux-2.31-r1[static-libs(+)]
argon2? ( app-crypt/argon2:=[static-libs(+)] ) argon2? ( app-crypt/argon2:=[static-libs(+)] )
gcrypt? ( dev-libs/libgcrypt:0=[static-libs(+)] ) gcrypt? (
dev-libs/libgcrypt:0=[static-libs(+)]
dev-libs/libgpg-error[static-libs(+)]
)
nettle? ( >=dev-libs/nettle-2.4[static-libs(+)] ) nettle? ( >=dev-libs/nettle-2.4[static-libs(+)] )
openssl? ( dev-libs/openssl:0=[static-libs(+)] ) openssl? ( dev-libs/openssl:0=[static-libs(+)] )
pwquality? ( dev-libs/libpwquality[static-libs(+)] ) pwquality? ( dev-libs/libpwquality[static-libs(+)] )
ssh? ( net-libs/libssh[static-libs(+)] ) ssh? ( net-libs/libssh[static-libs(+)] )
sys-fs/lvm2[static-libs(+)] sys-fs/lvm2[static-libs(+)]"
udev? ( virtual/libudev[static-libs(-)] )"
# We have to always depend on ${LIB_DEPEND} rather than put behind # We have to always depend on ${LIB_DEPEND} rather than put behind
# !static? () because we provide a shared library which links against # !static? () because we provide a shared library which links against
# these other packages. #414665 # these other packages. #414665
RDEPEND="static-libs? ( ${LIB_DEPEND} ) RDEPEND="static-libs? ( ${LIB_DEPEND} )
${LIB_DEPEND//\[static-libs\([+-]\)\]}" ${LIB_DEPEND//\[static-libs\([+-]\)\]}
udev? ( virtual/libudev:= )"
DEPEND="${RDEPEND} DEPEND="${RDEPEND}
static? ( ${LIB_DEPEND} )" static? ( ${LIB_DEPEND} )"
BDEPEND=" BDEPEND="
@ -46,7 +48,12 @@ BDEPEND="
S="${WORKDIR}/${P/_/-}" S="${WORKDIR}/${P/_/-}"
PATCHES=( "${FILESDIR}"/${PN}-2.0.4-fix-static-pwquality-build.patch ) PATCHES=(
"${FILESDIR}"/cryptsetup-2.4.1-external-tokens.patch
# Remove autotools/eautoreconf when this patch is dropped.
"${FILESDIR}"/cryptsetup-2.4.1-fix-static-pwquality-build.patch
)
pkg_setup() { pkg_setup() {
local CONFIG_CHECK="~DM_CRYPT ~CRYPTO ~CRYPTO_CBC ~CRYPTO_SHA256" local CONFIG_CHECK="~DM_CRYPT ~CRYPTO ~CRYPTO_CBC ~CRYPTO_SHA256"
@ -82,6 +89,7 @@ src_configure() {
$(use_enable nls) $(use_enable nls)
$(use_enable pwquality) $(use_enable pwquality)
$(use_enable reencrypt cryptsetup-reencrypt) $(use_enable reencrypt cryptsetup-reencrypt)
$(use_enable !static external-tokens)
$(use_enable static static-cryptsetup) $(use_enable static static-cryptsetup)
$(use_enable static-libs static) $(use_enable static-libs static)
$(use_enable udev) $(use_enable udev)
@ -124,6 +132,10 @@ src_install() {
dodoc docs/v*ReleaseNotes dodoc docs/v*ReleaseNotes
newconfd "${FILESDIR}"/1.6.7-dmcrypt.confd dmcrypt newconfd "${FILESDIR}"/2.4.0-dmcrypt.confd dmcrypt
newinitd "${FILESDIR}"/1.6.7-dmcrypt.rc dmcrypt newinitd "${FILESDIR}"/2.4.0-dmcrypt.rc dmcrypt
}
pkg_postinst() {
tmpfiles_process cryptsetup.conf
} }
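Review bot: The new `$(use_enable !static external-tokens)` turns off external token plugins for static builds, yet the `ssh` flag still pulls `net-libs/libssh`; if the ssh token is built as an external token plugin (as upstream ships it), `static ssh` enables a plugin the static binary cannot load, so REQUIRED_USE should probably gain `static? ( !ssh )` next to `!gcrypt !udev`, unless a configure line outside this hunk already ties the ssh token to `!static`. The comment `# Remove autotools/eautoreconf when this patch is dropped.` sits above the pwquality patch only, which is consistent since the external-tokens patch touches a single .c file, but a second comment recording that both files are upstream backports (their upstream commit ids are in the patch headers) would make dropping them on the next bump safer. The src_configure and src_install bodies start outside their hunks.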


@ -0,0 +1,112 @@
# /etc/conf.d/dmcrypt
# For people who run dmcrypt on top of some other layer (like raid),
# use rc_need to specify that requirement. See the runscript(8) man
# page for more information.
#--------------------
# Instructions
#--------------------
# Note regarding the syntax of this file. This file is *almost* bash,
# but each line is evaluated separately. Separate swaps/targets can be
# specified. The init-script which reads this file assumes that a
# swap= or target= line starts a new section, similar to lilo or grub
# configuration.
# Note when using gpg keys and /usr on a separate partition, you will
# have to copy /usr/bin/gpg to /bin/gpg so that it will work properly
# and ensure that gpg has been compiled statically.
# See http://bugs.gentoo.org/90482 for more information.
# Note that the init-script which reads this file detects whether your
# partition is LUKS or not. No mkfs is run unless you specify a makefs
# option.
# Global options:
#----------------
# How long to wait for each timeout (in seconds).
dmcrypt_key_timeout=1
# Max number of checks to perform (see dmcrypt_key_timeout).
#dmcrypt_max_timeout=300
# Number of password retries.
dmcrypt_retries=5
# Arguments:
#-----------
# target=<name> == Mapping name for partition.
# swap=<name> == Mapping name for swap partition.
# source='<dev>' == Real device for partition.
# Note: You can (and should) specify a tag like UUID
# for blkid (see -t option). This is safer than using
# the full path to the device.
# key='</path/to/keyfile>[:<mode>]' == Fullpath from / or from inside removable media.
# remdev='<dev>' == Device that will be assigned to removable media.
# gpg_options='<opts>' == Default are --quiet --decrypt
# options='<opts>' == cryptsetup, for LUKS you can only use --readonly
# loop_file='<file>' == Loopback file.
# Note: If you omit $source, then a free loopback will
# be looked up automatically.
# pre_mount='cmds' == commands to execute before mounting partition.
# post_mount='cmds' == commands to execute after mounting partition.
# wait=5 == wait given amount of seconds for source to appear
#-----------
# Supported Modes
# gpg == decrypt and pipe key into cryptsetup.
# Note: new-line character must not be part of key.
# Command to erase \n char: 'cat key | tr -d '\n' > cleanKey'
#--------------------
# dm-crypt examples
#--------------------
## swap
# Swap partitions. These should come first so that no keys make their
# way into unencrypted swap.
# If no options are given, they will default to: -c aes -h sha1 -d /dev/urandom
# If no makefs is given then mkswap will be assumed
#swap=crypt-swap
#source='/dev/hda2'
## /home with passphrase
#target=crypt-home
#source='/dev/hda5'
## /home with regular keyfile
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey'
## /home with gpg protected key
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey:gpg'
## /home with regular keyfile on removable media(such as usb-stick)
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey'
#remdev='/dev/sda1'
## /home with gpg protected key on removable media(such as usb-stick)
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey:gpg'
#remdev='/dev/sda1'
## /tmp with regular keyfile
#target=crypt-tmp
#source='/dev/hda6'
#key='/full/path/to/tmpkey'
#pre_mount='/sbin/mkreiserfs -f -f ${dev}'
#post_mount='chown root:root ${mount_point}; chmod 1777 ${mount_point}'
## Loopback file example
#target='crypt-loop-home'
#source='/dev/loop0'
#loop_file='/mnt/crypt/home'
# The file must be terminated by a newline. Or leave this comment last.
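Review bot: The swap example documents the init script's fallback `-c aes -h sha1 -d /dev/urandom`, which, as far as I recall cryptsetup's handling of a bare cipher name, selects the legacy aes-cbc-plain mode; the per-boot random key limits the exposure, but this template is where users copy defaults from, so a line such as `# Prefer options='-c aes-xts-plain64 -s 512 -d /dev/urandom' over the legacy default.` would point them at the current recommendation. The instructions header should also state plainly that every `key=`, `options=`, `pre_mount=` and `post_mount=` line is evaluated by the init script as shell, which is why the file must stay root-owned and not world-writable; the existing remark that the file is "*almost* bash" hints at this but does not say it. The `http://bugs.gentoo.org/90482` link could be updated to https while touching the file.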


@ -0,0 +1,350 @@
#!/sbin/openrc-run
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
depend() {
use modules
before checkfs fsck
if grep -qs ^swap= "${conf_file}" ; then
before swap
fi
}
# We support multiple dmcrypt instances based on $SVCNAME
conf_file="/etc/conf.d/${SVCNAME}"
# Get splash helpers if available.
if [ -e /sbin/splash-functions.sh ] ; then
. /sbin/splash-functions.sh
fi
# Setup mappings for an individual target/swap
# Note: This relies on variables localized in the main body below.
dm_crypt_execute() {
local dev ret mode foo source_dev
if [ -z "${target}" -a -z "${swap}" ] ; then
return
fi
# Set up default values.
: ${dmcrypt_key_timeout:=1}
: ${dmcrypt_max_timeout:=300}
: ${dmcrypt_retries:=5}
: ${wait:=5}
# Handle automatic look up of the source path.
if [ -z "${source}" -a -n "${loop_file}" ] ; then
source=$(losetup --show -f "${loop_file}")
fi
case ${source} in
*=*)
i=0
while [ ${i} -lt ${wait} ]; do
if source_dev="$(blkid -l -t "${source}" -o device)"; then
source="${source_dev}"
break
fi
: $((i += 1))
einfo "waiting for source \"${source}\" for ${target}..."
sleep 1
done
;;
esac
if [ -z "${source}" ] || [ ! -e "${source}" ] ; then
ewarn "source \"${source}\" for ${target} missing, skipping..."
return
fi
if [ -n "${target}" ] ; then
# let user set options, otherwise leave empty
: ${options:=' '}
elif [ -n "${swap}" ] ; then
if cryptsetup isLuks ${source} 2>/dev/null ; then
ewarn "The swap you have defined is a LUKS partition. Aborting crypt-swap setup."
return
fi
target=${swap}
# swap contents do not need to be preserved between boots, luks not required.
# suspend2 users should have initramfs's init handling their swap partition either way.
: ${options:='-c aes -h sha1 -d /dev/urandom'}
: ${pre_mount:='mkswap ${dev}'}
fi
if [ -n "${loop_file}" ] ; then
dev="/dev/mapper/${target}"
ebegin " Setting up loop device ${source}"
losetup ${source} ${loop_file}
fi
# cryptsetup:
# open <device> <name> # <device> is $source
# create <name> <device> # <name> is $target
local arg1="create" arg2="${target}" arg3="${source}"
if cryptsetup isLuks ${source} 2>/dev/null ; then
arg1="open"
arg2="${source}"
arg3="${target}"
fi
# Older versions reported:
# ${target} is active:
# Newer versions report:
# ${target} is active[ and is in use.]
if cryptsetup status ${target} | egrep -q ' is active' ; then
einfo "dm-crypt mapping ${target} is already configured"
return
fi
splash svc_input_begin ${SVCNAME} >/dev/null 2>&1
# Handle keys
if [ -n "${key}" ] ; then
read_abort() {
# some colors
local ans savetty resettty
[ -z "${NORMAL}" ] && eval $(eval_ecolors)
einfon " $1? (${WARN}yes${NORMAL}/${GOOD}No${NORMAL}) "
shift
# This is ugly as s**t. But POSIX doesn't provide `read -t`, so
# we end up having to implement our own crap with stty/etc...
savetty=$(stty -g)
resettty='stty ${savetty}; trap - EXIT HUP INT TERM'
trap 'eval "${resettty}"' EXIT HUP INT TERM
stty -icanon
stty min 0 time "$(( $2 * 10 ))"
ans=$(dd count=1 bs=1 2>/dev/null) || ans=''
eval "${resettty}"
if [ -z "${ans}" ] ; then
printf '\r'
else
echo
fi
case ${ans} in
[yY]) return 0;;
*) return 1;;
esac
}
# Notes: sed not used to avoid case where /usr partition is encrypted.
mode=${key##*:} && ( [ "${mode}" = "${key}" ] || [ -z "${mode}" ] ) && mode=reg
key=${key%:*}
case "${mode}" in
gpg|reg)
# handle key on removable device
if [ -n "${remdev}" ] ; then
# temp directory to mount removable device
local mntrem="${RC_SVCDIR}/dm-crypt-remdev.$$"
if [ ! -d "${mntrem}" ] ; then
if ! mkdir -p "${mntrem}" ; then
ewarn "${source} will not be decrypted ..."
einfo "Reason: Unable to create temporary mount point '${mntrem}'"
return
fi
fi
i=0
einfo "Please insert removable device for ${target}"
while [ ${i} -lt ${dmcrypt_max_timeout} ] ; do
foo=""
if mount -n -o ro "${remdev}" "${mntrem}" 2>/dev/null >/dev/null ; then
# keyfile exists?
if [ ! -e "${mntrem}${key}" ] ; then
umount -n "${mntrem}"
rmdir "${mntrem}"
einfo "Cannot find ${key} on removable media."
read_abort "Abort" ${dmcrypt_key_timeout} && return
else
key="${mntrem}${key}"
break
fi
else
[ -e "${remdev}" ] \
&& foo="mount failed" \
|| foo="mount source not found"
fi
: $((i += 1))
read_abort "Stop waiting after $i attempts (${foo})" -t 1 && return
done
else # keyfile ! on removable device
if [ ! -e "${key}" ] ; then
ewarn "${source} will not be decrypted ..."
einfo "Reason: keyfile ${key} does not exist."
return
fi
fi
;;
*)
ewarn "${source} will not be decrypted ..."
einfo "Reason: mode ${mode} is invalid."
return
;;
esac
else
mode=none
fi
ebegin " ${target} using: ${options} ${arg1} ${arg2} ${arg3}"
if [ "${mode}" = "gpg" ] ; then
: ${gpg_options:='-q -d'}
# gpg available ?
if command -v gpg >/dev/null ; then
i=0
while [ ${i} -lt ${dmcrypt_retries} ] ; do
# paranoid, don't store key in a variable, pipe it so it stays very little in ram unprotected.
# save stdin stdout stderr "values"
timeout ${dmcrypt_max_timeout} gpg ${gpg_options} ${key} 2>/dev/null | \
cryptsetup --key-file - ${options} ${arg1} ${arg2} ${arg3}
ret=$?
# The timeout command exits 124 when it times out.
[ ${ret} -eq 0 -o ${ret} -eq 124 ] && break
: $(( i += 1 ))
done
eend ${ret} "failure running cryptsetup"
else
ewarn "${source} will not be decrypted ..."
einfo "Reason: cannot find gpg application."
einfo "You have to install app-crypt/gnupg first."
einfo "If you have /usr on its own partition, try copying gpg to /bin ."
fi
else
if [ "${mode}" = "reg" ] ; then
cryptsetup ${options} -d ${key} ${arg1} ${arg2} ${arg3}
ret=$?
eend ${ret} "failure running cryptsetup"
else
cryptsetup ${options} ${arg1} ${arg2} ${arg3}
ret=$?
eend ${ret} "failure running cryptsetup"
fi
fi
if [ -d "${mntrem}" ] ; then
umount -n ${mntrem} 2>/dev/null >/dev/null
rmdir ${mntrem} 2>/dev/null >/dev/null
fi
splash svc_input_end ${SVCNAME} >/dev/null 2>&1
if [ ${ret} -ne 0 ] ; then
cryptfs_status=1
else
if [ -n "${pre_mount}" ] ; then
dev="/dev/mapper/${target}"
eval ebegin \"" pre_mount: ${pre_mount}"\"
eval "${pre_mount}" > /dev/null
ewend $? || cryptfs_status=1
fi
fi
}
# Lookup optional bootparams
get_bootparam_val() {
# We're given something like:
# foo=bar=cow
# Return the "bar=cow" part.
case $1 in
*=*)
echo "${1#*=}"
;;
esac
}
start() {
local header=true cryptfs_status=0
local gpg_options key loop_file target targetline options pre_mount post_mount source swap remdev
local x
for x in $(cat /proc/cmdline) ; do
case "${x}" in
key_timeout=*)
dmcrypt_key_timeout=$(get_bootparam_val "${x}")
;;
esac
done
while read targetline <&3 ; do
case ${targetline} in
# skip comments and blank lines
""|"#"*) continue ;;
# skip service-specific openrc configs #377927
rc_*) continue ;;
esac
${header} && ebegin "Setting up dm-crypt mappings"
header=false
# check for the start of a new target/swap
case ${targetline} in
target=*|swap=*)
# If we have a target queued up, then execute it
dm_crypt_execute
# Prepare for the next target/swap by resetting variables
unset gpg_options key loop_file target options pre_mount post_mount source swap remdev wait
;;
gpg_options=*|remdev=*|key=*|loop_file=*|options=*|pre_mount=*|post_mount=*|wait=*|source=*)
if [ -z "${target}${swap}" ] ; then
ewarn "Ignoring setting outside target/swap section: ${targetline}"
continue
fi
;;
dmcrypt_*=*)
# ignore global options
continue
;;
*)
ewarn "Skipping invalid line in ${conf_file}: ${targetline}"
;;
esac
# Queue this setting for the next call to dm_crypt_execute
eval "${targetline}"
done 3< ${conf_file}
# If we have a target queued up, then execute it
dm_crypt_execute
ewend ${cryptfs_status} "Failed to setup dm-crypt devices"
}
stop() {
local line header
# Break down all mappings
header=true
egrep "^(target|swap)=" ${conf_file} | \
while read line ; do
${header} && einfo "Removing dm-crypt mappings"
header=false
target= swap=
eval ${line}
[ -n "${swap}" ] && target=${swap}
if [ -z "${target}" ] ; then
ewarn "invalid line in ${conf_file}: ${line}"
continue
fi
ebegin " ${target}"
cryptsetup remove ${target}
eend $?
done
# Break down loop devices
header=true
grep '^source=./dev/loop' ${conf_file} | \
while read line ; do
${header} && einfo "Detaching dm-crypt loop devices"
header=false
source=
eval ${line}
ebegin " ${source}"
losetup -d "${source}"
eend $?
done
return 0
}
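Review bot: In start(), the `*)` arm of the line classifier only prints `Skipping invalid line in ${conf_file}` and then falls through to `eval "${targetline}"`, so an unrecognised line is still evaluated as shell despite the message; the arm should read `*) ewarn "Skipping invalid line in ${conf_file}: ${targetline}"; continue ;;`. Separately, read_abort() does `shift` and then uses `$(( $2 * 10 ))` for the stty timeout, which fits the call `read_abort "Stop waiting after $i attempts (${foo})" -t 1` but not `read_abort "Abort" ${dmcrypt_key_timeout}`, where `$2` is empty after the shift and the arithmetic expansion fails (fatal to a non-interactive POSIX shell, depending on the implementation); pass `-t` at both call sites or drop it and use `$1`. In the gpg branch, `ret=$?` after the pipeline is cryptsetup's status, so the `-eq 124` timeout check on the next line can never match without pipefail; worth a comment or a rework if the retry behaviour matters.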


@ -0,0 +1,34 @@
From a1b577c085cc9ef6b95c4556ec8815070828ee6c Mon Sep 17 00:00:00 2001
From: Hector Martin <marcan@marcan.st>
Date: Fri, 17 Sep 2021 05:44:18 +0000
Subject: [PATCH] Do not attempt to unload external tokens if
USE_EXTERNAL_TOKENS is disabled.
This allows building a static binary as long as --disable-external-tokens is used
---
lib/luks2/luks2_token.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/luks2/luks2_token.c b/lib/luks2/luks2_token.c
index d34cebf5..88d84418 100644
--- a/lib/luks2/luks2_token.c
+++ b/lib/luks2/luks2_token.c
@@ -245,6 +245,7 @@ int crypt_token_register(const crypt_token_handler *handler)
void crypt_token_unload_external_all(struct crypt_device *cd)
{
+#if USE_EXTERNAL_TOKENS
int i;
for (i = LUKS2_TOKENS_MAX - 1; i >= 0; i--) {
@@ -258,6 +259,7 @@ void crypt_token_unload_external_all(struct crypt_device *cd)
if (dlclose(CONST_CAST(void *)token_handlers[i].u.v2.dlhandle))
log_dbg(cd, "%s", dlerror());
}
+#endif
}
static const void
--
GitLab


@ -0,0 +1,225 @@
From 26cc1644b489578c76ec6f576614ca885c00a35d Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Wed, 6 Oct 2021 12:27:25 +0200
Subject: [PATCH 1/2] Do not link integritysetup and veritysetup with
pwquality.
These tools do not read passphrases, no need to link to these libraries.
Just move the helper code that introduced this dependence as a side-effect.
Fixes: #677
---
src/Makemodule.am | 6 -----
src/utils_password.c | 56 --------------------------------------------
src/utils_tools.c | 56 ++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 56 insertions(+), 62 deletions(-)
diff --git a/src/Makemodule.am b/src/Makemodule.am
index a6dc50cf..f2b896bf 100644
--- a/src/Makemodule.am
+++ b/src/Makemodule.am
@@ -52,7 +52,6 @@ veritysetup_SOURCES = \
src/utils_arg_names.h \
src/utils_arg_macros.h \
src/utils_tools.c \
- src/utils_password.c \
src/veritysetup.c \
src/veritysetup_args.h \
src/veritysetup_arg_list.h \
@@ -61,8 +60,6 @@ veritysetup_SOURCES = \
veritysetup_LDADD = $(LDADD) \
libcryptsetup.la \
@POPT_LIBS@ \
- @PWQUALITY_LIBS@ \
- @PASSWDQC_LIBS@ \
@BLKID_LIBS@
sbin_PROGRAMS += veritysetup
@@ -91,7 +88,6 @@ integritysetup_SOURCES = \
src/utils_arg_names.h \
src/utils_arg_macros.h \
src/utils_tools.c \
- src/utils_password.c \
src/utils_blockdev.c \
src/integritysetup.c \
src/integritysetup_args.h \
@@ -101,8 +97,6 @@ integritysetup_SOURCES = \
integritysetup_LDADD = $(LDADD) \
libcryptsetup.la \
@POPT_LIBS@ \
- @PWQUALITY_LIBS@ \
- @PASSWDQC_LIBS@ \
@UUID_LIBS@ \
@BLKID_LIBS@
diff --git a/src/utils_password.c b/src/utils_password.c
index 58f3a7b3..65618b9c 100644
--- a/src/utils_password.c
+++ b/src/utils_password.c
@@ -318,59 +318,3 @@ void tools_passphrase_msg(int r)
else if (r == -ENOENT)
log_err(_("No usable keyslot is available."));
}
-
-int tools_read_mk(const char *file, char **key, int keysize)
-{
- int fd = -1, r = -EINVAL;
-
- if (keysize <= 0 || !key)
- return -EINVAL;
-
- *key = crypt_safe_alloc(keysize);
- if (!*key)
- return -ENOMEM;
-
- fd = open(file, O_RDONLY);
- if (fd == -1) {
- log_err(_("Cannot read keyfile %s."), file);
- goto out;
- }
-
- if (read_buffer(fd, *key, keysize) != keysize) {
- log_err(_("Cannot read %d bytes from keyfile %s."), keysize, file);
- goto out;
- }
- r = 0;
-out:
- if (fd != -1)
- close(fd);
-
- if (r) {
- crypt_safe_free(*key);
- *key = NULL;
- }
-
- return r;
-}
-
-int tools_write_mk(const char *file, const char *key, int keysize)
-{
- int fd, r = -EINVAL;
-
- if (keysize <= 0 || !key)
- return -EINVAL;
-
- fd = open(file, O_CREAT|O_EXCL|O_WRONLY, S_IRUSR);
- if (fd < 0) {
- log_err(_("Cannot open keyfile %s for write."), file);
- return r;
- }
-
- if (write_buffer(fd, key, keysize) == keysize)
- r = 0;
- else
- log_err(_("Cannot write to keyfile %s."), file);
-
- close(fd);
- return r;
-}
diff --git a/src/utils_tools.c b/src/utils_tools.c
index dbd83695..cf66e4c4 100644
--- a/src/utils_tools.c
+++ b/src/utils_tools.c
@@ -493,3 +493,59 @@ int tools_reencrypt_progress(uint64_t size, uint64_t offset, void *usrptr)
return r;
}
+
+int tools_read_mk(const char *file, char **key, int keysize)
+{
+ int fd = -1, r = -EINVAL;
+
+ if (keysize <= 0 || !key)
+ return -EINVAL;
+
+ *key = crypt_safe_alloc(keysize);
+ if (!*key)
+ return -ENOMEM;
+
+ fd = open(file, O_RDONLY);
+ if (fd == -1) {
+ log_err(_("Cannot read keyfile %s."), file);
+ goto out;
+ }
+
+ if (read_buffer(fd, *key, keysize) != keysize) {
+ log_err(_("Cannot read %d bytes from keyfile %s."), keysize, file);
+ goto out;
+ }
+ r = 0;
+out:
+ if (fd != -1)
+ close(fd);
+
+ if (r) {
+ crypt_safe_free(*key);
+ *key = NULL;
+ }
+
+ return r;
+}
+
+int tools_write_mk(const char *file, const char *key, int keysize)
+{
+ int fd, r = -EINVAL;
+
+ if (keysize <= 0 || !key)
+ return -EINVAL;
+
+ fd = open(file, O_CREAT|O_EXCL|O_WRONLY, S_IRUSR);
+ if (fd < 0) {
+ log_err(_("Cannot open keyfile %s for write."), file);
+ return r;
+ }
+
+ if (write_buffer(fd, key, keysize) == keysize)
+ r = 0;
+ else
+ log_err(_("Cannot write to keyfile %s."), file);
+
+ close(fd);
+ return r;
+}
--
GitLab
From d20beacba060f34e3ab0d71d191f59434031e98f Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Wed, 6 Oct 2021 12:45:20 +0200
Subject: [PATCH 2/2] Remove redundant link to uuid lib for static build.
Veritysetup does not need to link this library at all, for others
we have link already in flags.
---
src/Makemodule.am | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/Makemodule.am b/src/Makemodule.am
index f2b896bf..49e0c5aa 100644
--- a/src/Makemodule.am
+++ b/src/Makemodule.am
@@ -71,8 +71,7 @@ veritysetup_static_LDFLAGS = $(AM_LDFLAGS) -all-static
veritysetup_static_LDADD = \
$(veritysetup_LDADD) \
@CRYPTO_STATIC_LIBS@ \
- @DEVMAPPER_STATIC_LIBS@ \
- @UUID_LIBS@
+ @DEVMAPPER_STATIC_LIBS@
endif
endif
@@ -109,8 +108,7 @@ integritysetup_static_LDFLAGS = $(AM_LDFLAGS) -all-static
integritysetup_static_LDADD = \
$(integritysetup_LDADD) \
@CRYPTO_STATIC_LIBS@ \
- @DEVMAPPER_STATIC_LIBS@ \
- @UUID_LIBS@
+ @DEVMAPPER_STATIC_LIBS@
endif
endif
--
GitLab


@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd"> <!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata> <pkgmetadata>
<maintainer type="project"> <maintainer type="project">
<email>base-system@gentoo.org</email> <email>base-system@gentoo.org</email>