authorDaniel Baumann <daniel.baumann@progress-linux.org>2018-11-22 13:46:36 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2018-11-22 13:46:36 +0000
commitbcf62ab7add9d81ae4bc6252839e4078bc01d25d (patch)
tree32e2f4c68ccd4a96ecb6a8bc1704dc2a9fb5b0bd
parentReleasing progress-linux version 2:2.0.4-2~dschinn1. (diff)
downloadcryptsetup-bcf62ab7add9d81ae4bc6252839e4078bc01d25d.zip
cryptsetup-bcf62ab7add9d81ae4bc6252839e4078bc01d25d.tar.xz
Merging debian version 2:2.0.4-3.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
-rw-r--r--debian/changelog31
-rw-r--r--debian/control2
-rw-r--r--debian/cryptdisks-functions5
-rw-r--r--debian/cryptsetup-run.lintian-overrides2
-rw-r--r--debian/doc/crypttab.xml20
-rw-r--r--debian/functions29
-rw-r--r--debian/initramfs/hooks/cryptroot16
-rw-r--r--debian/initramfs/scripts/local-top/cryptroot17
-rw-r--r--debian/libcryptsetup12.symbols1
-rwxr-xr-xdebian/rules1
-rw-r--r--debian/scripts/decrypt_gnupg2
11 files changed, 88 insertions, 38 deletions
diff --git a/debian/changelog b/debian/changelog
index 8e6a404..5fc30ed 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,34 @@
+cryptsetup (2:2.0.4-3) unstable; urgency=medium
+
+ [ Guilhem Moulin ]
+ * debian/initramfs/hooks/cryptroot:
+ + Make _CRYPTTAB_* variables local to crypttab_find_and_print_entry().
+ (Closes: #907243.)
+ + Silence the warning that honoring CRYPTSETUP="[y|n]" in the config is
+ deprecated when the variable is set to "y". (Keep the warning when it's
+ set to "n" though.) Closes: #908220.
+ * debian/functions: Make get_crypt_type() set variable CRYPTTAB_TYPE to the
+ type of crypt device ("luks" / "plain" / "tcrypt").
+ * debian/initramfs/scripts/local-top/cryptroot: Don't complain that
+ (successful) unlocking of a LUKS device doesn't yield a known file system.
+ The check is preserved for plain dm-crypt devices and tcrypt devices.
+ (Closes: #906283.)
+ * debian/control: Bump Standards-Version to 4.2.1 (no changes necessary).
+ * debian/doc/crypttab.xml: Improve formatting.
+ * debian/cryptsetup-run.lintian-overrides: Remove unused override
+ init.d-script-possible-missing-stop (x2).
+ * debian/libcryptsetup12.symbols: Add "Build-Depends-Package:
+ libcryptsetup-dev" field.
+
+ [ Helmut Grohne ]
+ * Fix FTCBFS: Supply $(CC) from dpkg's buildtools.mk. (Closes: #911042)
+
+ [ Dimitri John Ledkov ]
+ * Implement support for `cryptsetup --sector-size` in crypttab(5).
+ LP: #1776626.
+
+ -- Guilhem Moulin <guilhem@debian.org> Mon, 22 Oct 2018 17:45:35 +0200
+
cryptsetup (2:2.0.4-2~dschinn1) dschinn-backports; urgency=medium
* Uploading to dschinn-backports, remaining changes:
diff --git a/debian/control b/debian/control
index d07969c..f42f4d0 100644
--- a/debian/control
+++ b/debian/control
@@ -29,7 +29,7 @@ Build-Depends: autoconf,
po-debconf,
uuid-dev,
xsltproc
-Standards-Version: 4.2.0
+Standards-Version: 4.2.1
Homepage: https://gitlab.com/cryptsetup/cryptsetup
Vcs-Browser: https://sources.progress-linux.org/distributions/dschinn-backports/packages/cryptsetup
Vcs-Git: https://sources.progress-linux.org/distributions/dschinn-backports/packages/cryptsetup
diff --git a/debian/cryptdisks-functions b/debian/cryptdisks-functions
index 88576a4..e33771c 100644
--- a/debian/cryptdisks-functions
+++ b/debian/cryptdisks-functions
@@ -110,8 +110,9 @@ setup_mapping() {
fi
device_msg "starting"
- local type="$(get_crypt_type)" out tmpdev
- if [ "$type" != "luks" ]; then
+ local out tmpdev
+ get_crypt_type # set CRYPTTAB_TYPE to the type of crypt device
+ if [ "$CRYPTTAB_TYPE" != "luks" ]; then
if ! out="$(/lib/cryptsetup/checks/un_blkid "$CRYPTTAB_SOURCE" 2>/dev/null)" &&
! /lib/cryptsetup/checks/blkid "$CRYPTTAB_SOURCE" swap >/dev/null; then
# fail if the device has a filesystem; unless it's swap,
diff --git a/debian/cryptsetup-run.lintian-overrides b/debian/cryptsetup-run.lintian-overrides
index c549d62..ebe4fe1 100644
--- a/debian/cryptsetup-run.lintian-overrides
+++ b/debian/cryptsetup-run.lintian-overrides
@@ -1,5 +1,3 @@
-cryptsetup-run: init.d-script-possible-missing-stop etc/init.d/cryptdisks 1
-cryptsetup-run: init.d-script-possible-missing-stop etc/init.d/cryptdisks-early 1
cryptsetup-run: init.d-script-does-not-implement-optional-option etc/init.d/cryptdisks status
cryptsetup-run: init.d-script-does-not-implement-optional-option etc/init.d/cryptdisks-early status
cryptsetup-run: no-debconf-config
diff --git a/debian/doc/crypttab.xml b/debian/doc/crypttab.xml
index 7bd848c..0f892c5 100644
--- a/debian/doc/crypttab.xml
+++ b/debian/doc/crypttab.xml
@@ -58,7 +58,7 @@
In case of a <emphasis>keyscript</emphasis>, the value of this field is
given as argument to the keyscript. Values with spaces and special
characters need to be escaped using octal sequences, like for
- <emphasis>fstab(5)</emphasis>.
+ <citerefentry><refentrytitle>fstab</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
Note that the <emphasis>entire</emphasis> key file will be used as the
passphrase; the passphrase must <emphasis>not</emphasis> be followed by a
newline character.
@@ -103,9 +103,10 @@
brings its own <emphasis>crypttab</emphasis> implementation.
We try to cover the differences between the <emphasis>systemd</emphasis> and
our implementation in this manpage, but if in doubt, better check the
- <emphasis>systemd</emphasis> <emphasis>crypttab(5)</emphasis> manpage, e.g.
- online at
- <emphasis>https://www.freedesktop.org/software/systemd/man/crypttab.html</emphasis>.
+ <emphasis>systemd</emphasis>
+ <citerefentry><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ manpage, e.g. online at
+ <ulink url="https://www.freedesktop.org/software/systemd/man/crypttab.html"/>.
</simpara>
</refsect1>
@@ -134,6 +135,17 @@
</varlistentry>
<varlistentry>
+ <term><emphasis>sector-size</emphasis>=&lt;bytes&gt;</term>
+ <listitem>
+ <simpara>
+ Sector size. See
+ <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ for possible values and the default value of this option.
+ </simpara>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><emphasis>hash</emphasis>=&lt;hash&gt;</term>
<listitem>
<simpara>
diff --git a/debian/functions b/debian/functions
index 5d798c1..be990bf 100644
--- a/debian/functions
+++ b/debian/functions
@@ -49,6 +49,7 @@ crypttab_parse_options() {
local IFS=',' x OPTION VALUE
unset -v CRYPTTAB_OPTION_cipher \
CRYPTTAB_OPTION_size \
+ CRYPTTAB_OPTION_sector_size \
CRYPTTAB_OPTION_hash \
CRYPTTAB_OPTION_offset \
CRYPTTAB_OPTION_skip \
@@ -137,6 +138,7 @@ crypttab_validate_option() {
case "$o" in
keyfile-offset) OPTION="keyfile_offset";;
keyfile-size) OPTION="keyfile_size";;
+ sector-size) OPTION="sector_size";;
esac
case "$o" in
@@ -145,7 +147,7 @@ crypttab_validate_option() {
[ -n "${VALUE:+x}" ] || return 1
;;
# numeric options >0
- size|keyfile-size)
+ size|keyfile-size|sector-size)
if ! printf '%s' "${VALUE-}" | grep -Exq "0*[1-9][0-9]*"; then
return 1
fi
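Review bot: The `size|keyfile-size|sector-size)` arm accepts any positive integer for `sector-size`, whereas cryptsetup(8) documents the value as a power of two between 512 and 4096. A bad value is therefore only rejected when `cryptsetup open` runs, which for a root device means at boot inside the initramfs rather than when the crypttab entry is validated. A dedicated arm such as `sector-size) case "${VALUE-}" in 512|1024|2048|4096) ;; *) return 1;; esac;;` would catch it at validation time. The body of crypttab_validate_option() continues outside this hunk, so the placement should be checked against the rest of the `case`.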
@@ -257,19 +259,20 @@ run_keyscript() {
}
# get_crypt_type()
-# Return the mapping's type, depending on its
+# Set CRYPTTAB_TYPE to the mapping type, depending on its
# $CRYPTTAB_OPTION_<option> values
get_crypt_type() {
- local type="plain" # assume plain dm-crypt device by default
if [ "${CRYPTTAB_OPTION_tcrypt-}" = "yes" ]; then
- type="tcrypt"
+ CRYPTTAB_TYPE="tcrypt"
elif [ "${CRYPTTAB_OPTION_plain-}" = "yes" ]; then
- type="plain"
+ CRYPTTAB_TYPE="plain"
elif [ "${CRYPTTAB_OPTION_luks-}" = "yes" ] ||
/sbin/cryptsetup isLuks -- "${CRYPTTAB_OPTION_header-$CRYPTTAB_SOURCE}"; then
- type="luks"
+ CRYPTTAB_TYPE="luks"
+ else
+ # assume plain dm-crypt device by default
+ CRYPTTAB_TYPE="plain"
fi
- echo "$type"
}
# unlock_mapping([$keyfile])
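Review bot: get_crypt_type() now returns its result through the global `CRYPTTAB_TYPE`, but unlock_mapping() (the hunks that follow) reads that variable without setting it, so the dependency on call order is only implied. A caller that forgets the call would pass an empty `--type=`, or the type left over from the previous crypttab entry. Both setup_mapping() callers touched by this commit do call get_crypt_type() first. I would record the contract in the header comment of unlock_mapping(), e.g. `# Requires get_crypt_type() to have been called for the current entry (reads $CRYPTTAB_TYPE).` It is also worth a comment here that any non-zero status from `cryptsetup isLuks` falls through to `plain`, including, presumably, a source device or header that cannot be read.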
@@ -284,8 +287,7 @@ unlock_mapping() {
return 1
fi
- local type="$(get_crypt_type)"
- if [ "$type" = "luks" ] || [ "$type" = "tcrypt" ]; then
+ if [ "$CRYPTTAB_TYPE" = "luks" ] || [ "$CRYPTTAB_TYPE" = "tcrypt" ]; then
# ignored for LUKS and TCRYPT devices
unset -v CRYPTTAB_OPTION_cipher \
CRYPTTAB_OPTION_size \
@@ -293,10 +295,10 @@ unlock_mapping() {
CRYPTTAB_OPTION_offset \
CRYPTTAB_OPTION_skip
fi
- if [ "$type" = "plain" ] || [ "$type" = "tcrypt" ]; then
+ if [ "$CRYPTTAB_TYPE" = "plain" ] || [ "$CRYPTTAB_TYPE" = "tcrypt" ]; then
unset -v CRYPTTAB_OPTION_keyfile_size
fi
- if [ "$type" = "tcrypt" ]; then
+ if [ "$CRYPTTAB_TYPE" = "tcrypt" ]; then
# ignored for TCRYPT devices
unset -v CRYPTTAB_OPTION_keyfile_offset
else
@@ -304,7 +306,7 @@ unlock_mapping() {
unset -v CRYPTTAB_OPTION_veracrypt CRYPTTAB_OPTION_tcrypthidden
fi
- if [ "$type" != "luks" ]; then
+ if [ "$CRYPTTAB_TYPE" != "luks" ]; then
# ignored for non-LUKS devices
unset -v CRYPTTAB_OPTION_keyslot
fi
@@ -313,6 +315,7 @@ unlock_mapping() {
${CRYPTTAB_OPTION_header:+--header="$CRYPTTAB_OPTION_header"} \
${CRYPTTAB_OPTION_cipher:+--cipher="$CRYPTTAB_OPTION_cipher"} \
${CRYPTTAB_OPTION_size:+--key-size="$CRYPTTAB_OPTION_size"} \
+ ${CRYPTTAB_OPTION_sector_size:+--sector-size="$CRYPTTAB_OPTION_sector_size"} \
${CRYPTTAB_OPTION_hash:+--hash="$CRYPTTAB_OPTION_hash"} \
${CRYPTTAB_OPTION_offset:+--offset="$CRYPTTAB_OPTION_offset"} \
${CRYPTTAB_OPTION_skip:+--skip="$CRYPTTAB_OPTION_skip"} \
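Review bot: `--sector-size` is now passed for every mapping type, because the commit does not add `CRYPTTAB_OPTION_sector_size` to the list unset for LUKS and TCRYPT devices earlier in unlock_mapping(), where cipher, size, offset and skip are dropped as "ignored". I believe a LUKS2 device takes its sector size from the header, so the option is only meaningful for plain mappings; please confirm how `cryptsetup open --type luks` treats it. If it is ignored or rejected there, add the variable to that `unset -v` list. Otherwise a short comment saying it is forwarded deliberately would help. The command line begins and ends outside this hunk.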
@@ -324,7 +327,7 @@ unlock_mapping() {
${CRYPTTAB_OPTION_tcrypthidden:+--tcrypt-hidden} \
${CRYPTTAB_OPTION_keyfile_size:+--keyfile-size="$CRYPTTAB_OPTION_keyfile_size"} \
${CRYPTTAB_OPTION_keyfile_offset:+--keyfile-offset="$CRYPTTAB_OPTION_keyfile_offset"} \
- --type="$type" --key-file="$keyfile" \
+ --type="$CRYPTTAB_TYPE" --key-file="$keyfile" \
open -- "$CRYPTTAB_SOURCE" "$CRYPTTAB_NAME"
}
diff --git a/debian/initramfs/hooks/cryptroot b/debian/initramfs/hooks/cryptroot
index c383195..d7fa836 100644
--- a/debian/initramfs/hooks/cryptroot
+++ b/debian/initramfs/hooks/cryptroot
@@ -126,6 +126,7 @@ get_dmcrypt_slaves() {
# Return 0 on success, 1 on error.
crypttab_find_and_print_entry() {
local target="$1"
+ local _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS
if ! grep -Fxqz -e "$target" -- "$DESTDIR/cryptroot/targets"; then
printf '%s\0' "$target" >>"$DESTDIR/cryptroot/targets"
crypttab_find_entry "$target" || return 1
@@ -207,7 +208,9 @@ crypttab_print_entry() {
fi
if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_derived" ]; then
# (recursively) list first the device to derive the key from (so
- # the boot scripts unlock it first)
+ # the boot scripts unlock it first); since _CRYPTTAB_* are local
+ # to crypttab_find_and_print_entry() the new value won't
+ # override the new ones
crypttab_find_and_print_entry "$CRYPTTAB_KEY"
fi
printf '%s %s %s %s\n' \
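Review bot: The added comment ends with "the new value won't override the new ones", which says "new" twice and presumably means the old (caller's) values. Suggested wording: `# to crypttab_find_and_print_entry() the new values won't override the caller's ones`. Since the recursion depends on this scoping, it would also help to name the variables, for instance "_CRYPTTAB_NAME, _CRYPTTAB_SOURCE, _CRYPTTAB_KEY and _CRYPTTAB_OPTIONS are local".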
@@ -385,14 +388,11 @@ if [ -f "/etc/cryptsetup-initramfs/conf-hook" ]; then
. /etc/cryptsetup-initramfs/conf-hook
fi
-# XXX post-Buster: remove this warning and the auto-detection logic below
-if [ -n "${CRYPTSETUP+x}" ]; then
- cryptsetup_message "WARNING: Honoring CRYPTSETUP=[y|n] will deprecated in the future." \
- "Please uninstall the 'cryptsetup-initramfs' package if you don't want the" \
- "cryptsetup initramfs integration."
-fi
-
if [ "${CRYPTSETUP-}" = "n" ] || [ "${CRYPTSETUP-}" = "N" ]; then
+ # XXX post-Buster: remove this warning and the auto-detection logic below
+ cryptsetup_message "WARNING: Honoring CRYPTSETUP=\"n\" will deprecated in the future." \
+ "Please uninstall the 'cryptsetup-initramfs' package instead" \
+ "if you don't want the cryptsetup initramfs integration."
exit 0
fi
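Review bot: The reworded warning still reads "will deprecated in the future"; since the string is being touched anyway it should say `will be deprecated in the future`. The relocated `XXX post-Buster` comment now sits inside the `n`/`N` branch but still refers to "the auto-detection logic below", which is outside this hunk. Keeping that marker next to the code it describes would make the later cleanup easier to find.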
diff --git a/debian/initramfs/scripts/local-top/cryptroot b/debian/initramfs/scripts/local-top/cryptroot
index 1a817b4..f3f729d 100644
--- a/debian/initramfs/scripts/local-top/cryptroot
+++ b/debian/initramfs/scripts/local-top/cryptroot
@@ -123,6 +123,7 @@ setup_mapping() {
fi
fi
+ get_crypt_type # set CRYPTTAB_TYPE to the type of crypt device
local count=0 maxtries="${CRYPTTAB_OPTION_tries:-3}" fstype vg rv
while [ $maxtries -le 0 ] || [ $count -lt $maxtries ]; do
if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then
@@ -144,13 +145,15 @@ setup_mapping() {
return 1
fi
- if ! fstype="$(get_fstype "$dev")" || [ "$fstype" = unknown ]; then
- # bad password for plain dm-crypt device? or mkfs not run yet?
- cryptsetup_message "ERROR: $CRYPTTAB_NAME: unknown fstype, bad password or options?"
- wait_for_udev 10
- /sbin/cryptsetup remove -- "$CRYPTTAB_NAME"
- sleep 1
- continue
+ if ! fstype="$(get_fstype "$dev")" || [ "$fstype" = "unknown" ]; then
+ if [ "$CRYPTTAB_TYPE" != "luks" ]; then
+ # bad password for plain dm-crypt device? or mkfs not run yet?
+ cryptsetup_message "ERROR: $CRYPTTAB_NAME: unknown fstype, bad password or options?"
+ wait_for_udev 10
+ /sbin/cryptsetup remove -- "$CRYPTTAB_NAME"
+ sleep 1
+ continue
+ fi
elif [ "$fstype" = lvm2 ]; then
if [ ! -x /sbin/lvm ]; then
cryptsetup_message "WARNING: $CRYPTTAB_NAME: lvm is not available"
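Review bot: For a LUKS mapping the new inner `if [ "$CRYPTTAB_TYPE" != "luks" ]` makes the outer branch a silent no-op, and nothing explains why that is safe. The outer condition also covers get_fstype itself failing, so for LUKS that failure is now accepted without a message. A why-comment on the inner test would help, e.g. `# a successful LUKS open already proves the key; an unrecognised payload is not an error`. If a failing get_fstype should still be reported for LUKS, split the two conditions. The loop and the rest of setup_mapping() lie outside this hunk, so I cannot see what runs after the fall-through.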
diff --git a/debian/libcryptsetup12.symbols b/debian/libcryptsetup12.symbols
index a286997..983d612 100644
--- a/debian/libcryptsetup12.symbols
+++ b/debian/libcryptsetup12.symbols
@@ -1,4 +1,5 @@
libcryptsetup.so.12 libcryptsetup12 #MINVER#
+* Build-Depends-Package: libcryptsetup-dev
CRYPTSETUP_2.0@CRYPTSETUP_2.0 2:2.0
crypt_activate_by_keyfile@CRYPTSETUP_2.0 2:1.4
crypt_activate_by_keyfile_offset@CRYPTSETUP_2.0 2:1.4.3
diff --git a/debian/rules b/debian/rules
index 53a132e..f782f69 100755
--- a/debian/rules
+++ b/debian/rules
@@ -7,6 +7,7 @@
export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow,+pie
DEB_CFLAGS_MAINT_APPEND = -Wall
include /usr/share/dpkg/architecture.mk
+-include /usr/share/dpkg/buildtools.mk
CONFFLAGS =
diff --git a/debian/scripts/decrypt_gnupg b/debian/scripts/decrypt_gnupg
index c349b0a..18ab575 100644
--- a/debian/scripts/decrypt_gnupg
+++ b/debian/scripts/decrypt_gnupg
@@ -6,7 +6,7 @@ decrypt_gpg () {
/usr/bin/gpg -q --batch --no-options \
--no-random-seed-file --no-default-keyring \
--keyring /dev/null --secret-keyring /dev/null \
- --trustdb-name /dev/null --passphrase-fd 0 --decrypt "$1"; then
+ --trustdb-name /dev/null --passphrase-fd 0 --decrypt -- "$1"; then
return 1
fi
return 0