summaryrefslogtreecommitdiffstats
path: root/modules.d/90crypt/crypt-lib.sh
blob: 766982821625c656cee98cb2df507252fe012d85 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
#!/bin/sh

command -v getarg > /dev/null || . /lib/dracut-lib.sh

# check if the crypttab contains an entry for a LUKS UUID
crypttab_contains() {
    local luks="$1"
    local dev="$2"
    local l d rest
    if [ -f /etc/crypttab ]; then
        while read -r l d rest || [ -n "$l" ]; do
            strstr "${l##luks-}" "${luks##luks-}" && return 0
            strstr "$d" "${luks##luks-}" && return 0
            if [ -n "$dev" ]; then
                for _dev in $(devnames "$d"); do
                    [ "$dev" -ef "$_dev" ] && return 0
                done
            fi
            if [ -e /etc/block_uuid.map ]; then
                # search for line starting with $d
                _line=$(sed -n "\,^$d .*$,{p}" /etc/block_uuid.map)
                [ -z "$_line" ] && continue
                # get second column with uuid
                _uuid="$(echo "$_line" | sed 's,^.* \(.*$\),\1,')"
                strstr "$_uuid" "${luks##luks-}" && return 0
            fi
        done < /etc/crypttab
    fi
    return 1
}

# ask_for_password
#
# Wraps around plymouth ask-for-password and adds fallback to tty password ask
# if plymouth is not present.
#
# --cmd command
#   Command to execute. Required.
# --prompt prompt
#   Password prompt. Note that function already adds ':' at the end.
#   Recommended.
# --tries n
#   How many times repeat command on its failure.  Default is 3.
# --ply-[cmd|prompt|tries]
#   Command/prompt/tries specific for plymouth password ask only.
# --tty-[cmd|prompt|tries]
#   Command/prompt/tries specific for tty password ask only.
# --tty-echo-off
#   Turn off input echo before tty command is executed and turn on after.
#   It's useful when password is read from stdin.
ask_for_password() {
    local ply_cmd
    local ply_prompt
    local ply_tries=3
    local tty_cmd
    local tty_prompt
    local tty_tries=3
    local ret

    while [ $# -gt 0 ]; do
        case "$1" in
            --cmd)
                ply_cmd="$2"
                tty_cmd="$2"
                shift
                ;;
            --ply-cmd)
                ply_cmd="$2"
                shift
                ;;
            --tty-cmd)
                tty_cmd="$2"
                shift
                ;;
            --prompt)
                ply_prompt="$2"
                tty_prompt="$2"
                shift
                ;;
            --ply-prompt)
                ply_prompt="$2"
                shift
                ;;
            --tty-prompt)
                tty_prompt="$2"
                shift
                ;;
            --tries)
                ply_tries="$2"
                tty_tries="$2"
                shift
                ;;
            --ply-tries)
                ply_tries="$2"
                shift
                ;;
            --tty-tries)
                tty_tries="$2"
                shift
                ;;
            --tty-echo-off) tty_echo_off=yes ;;
        esac
        shift
    done

    {
        flock -s 9
        # Prompt for password with plymouth, if installed and running.
        if type plymouth > /dev/null 2>&1 && plymouth --ping 2> /dev/null; then
            plymouth ask-for-password \
                --prompt "$ply_prompt" --number-of-tries="$ply_tries" \
                --command="$ply_cmd"
            ret=$?
        else
            if [ "$tty_echo_off" = yes ]; then
                stty_orig="$(stty -g)"
                stty -echo
            fi

            local i=1
            while [ $i -le "$tty_tries" ]; do
                [ -n "$tty_prompt" ] \
                    && printf "%s" "$tty_prompt [$i/$tty_tries]:" >&2
                eval "$tty_cmd" && ret=0 && break
                ret=$?
                i=$((i + 1))
                [ -n "$tty_prompt" ] && printf '\n' >&2
            done

            [ "$tty_echo_off" = yes ] && stty "$stty_orig"
        fi
    } 9> /.console_lock

    [ $ret -ne 0 ] && echo "Wrong password" >&2
    return $ret
}

# Try to mount specified device (by path, by UUID or by label) and check
# the path with 'test'.
#
# example:
# test_dev -f LABEL="nice label" /some/file1
test_dev() {
    local test_op="$1"
    local dev="$2"
    local f="$3"
    local ret=1
    local mount_point

    mount_point=$(mkuniqdir /mnt testdev)
    [ -n "$dev" ] && [ -n "$*" ] || return 1
    [ -d "$mount_point" ] || die 'Mount point does not exist!'

    if mount -r "$dev" "$mount_point" > /dev/null 2>&1; then
        test "$test_op" "${mount_point}/${f}"
        ret=$?
        umount "$mount_point"
    fi

    rmdir "$mount_point"

    return $ret
}

# match_dev devpattern dev
#
# Returns true if 'dev' matches 'devpattern'.  Both 'devpattern' and 'dev' are
# expanded to kernel names and then compared.  If name of 'dev' is on list of
# names of devices matching 'devpattern', the test is positive.  'dev' and
# 'devpattern' may be anything which function 'devnames' recognizes.
#
# If 'devpattern' is empty or '*' then function just returns true.
#
# Example:
#   match_dev UUID=123 /dev/dm-1
# Returns true if /dev/dm-1 UUID starts with "123".
match_dev() {
    [ -z "$1" ] || [ "$1" = '*' ] && return 0
    local devlist
    local dev

    devlist="$(devnames "$1")" || return 255
    dev="$(devnames "$2")" || return 255

    strstr "
$devlist
" "
$dev
"
}

# getkey keysfile for_dev
#
# Reads file <keysfile> produced by probe-keydev and looks for first line to
# which device <for_dev> matches.  The successful result is printed in format
# "<keydev>:<keypath>".  When nothing found, just false is returned.
#
# Example:
#   getkey /tmp/luks.keys /dev/sdb1
# May print:
#   /dev/sdc1:/keys/some.key
getkey() {
    local keys_file="$1"
    local for_dev="$2"
    local luks_dev
    local key_dev
    local key_path

    [ -z "$keys_file" ] || [ -z "$for_dev" ] && die 'getkey: wrong usage!'
    [ -f "$keys_file" ] || return 1

    while IFS=: read -r luks_dev key_dev key_path _ || [ -n "$luks_dev" ]; do
        if match_dev "$luks_dev" "$for_dev"; then
            echo "${key_dev}:${key_path}"
            return 0
        fi
    done < "$keys_file"

    return 1
}

# readkey keypath keydev device
#
# Mounts <keydev>, reads key from file <keypath>, optionally processes it (e.g.
# if encrypted with GPG) and prints to standard output which is supposed to be
# read by cryptsetup.  <device> is just passed to helper function for
# informational purpose.
readkey() {
    local keypath="$1"
    local keydev="$2"
    local device="$3"

    # No mounting needed if the keyfile resides inside the initrd
    if [ "/" = "$keydev" ]; then
        local mntp=/
    else
        # This creates a unique single mountpoint for *, or several for explicitly
        # given LUKS devices. It accomplishes unlocking multiple LUKS devices with
        # a single password entry.
        local mntp
        mntp="/mnt/$(str_replace "keydev-$keydev-$keypath" '/' '-')"

        if [ ! -d "$mntp" ]; then
            mkdir -p "$mntp"
            mount -r "$keydev" "$mntp" || die 'Mounting rem. dev. failed!'
        fi
    fi

    case "${keypath##*.}" in
        gpg)
            if [ -f /lib/dracut-crypt-gpg-lib.sh ]; then
                . /lib/dracut-crypt-gpg-lib.sh
                gpg_decrypt "$mntp" "$keypath" "$keydev" "$device"
            else
                die "No GPG support to decrypt '$keypath' on '$keydev'."
            fi
            ;;
        img)
            if [ -f /lib/dracut-crypt-loop-lib.sh ]; then
                . /lib/dracut-crypt-loop-lib.sh
                loop_decrypt "$mntp" "$keypath" "$keydev" "$device"
                printf "%s\n" "umount \"$mntp\"; rmdir \"$mntp\";" > "${hookdir}/cleanup/crypt-loop-cleanup-99-${mntp##*/}".sh
                return 0
            else
                die "No loop file support to decrypt '$keypath' on '$keydev'."
            fi
            ;;
        *) cat "$mntp/$keypath" ;;
    esac

    # No unmounting if the keyfile resides inside the initrd
    if [ "/" != "$keydev" ]; then
        # General unmounting mechanism, modules doing custom cleanup should return earlier
        # and install a pre-pivot cleanup hook
        umount "$mntp"
        rmdir "$mntp"
    fi
}