File manager

File manager - Edit - /home/newsbmcs.com/public_html/static/img/logo/cryptsetup.zip

Back
PK��ZYB�Xt��t��scripts/decrypt_openscnu�ȯ��#!/bin/sh # Why not use "openct-tool rwait" instead of polling opensc-tool exit status? # Well openct daemon has to be running which interferes with pcscd since both # implement reader drivers, my particular CCID reader (SCM SCR331-LC1) doesn't # work with the CCID driver in openct, however it does work with pcscd. # Why not use "opensc-tool --wait" instead of polling opensc-tool exit status? # Although opensc-tool --help reports that there is a --wait option, it doesn't # seem to be implemented. check_card() { cardfound=0 if /usr/bin/opensc-tool -n >/dev/null 2>&1; then cardfound=1 fi } wait_card() { check_card if [ $cardfound = 0 ] ; then echo "Waiting for Smart Card..." >&2 tries=0 while [ $cardfound = 0 ] && [ $tries -lt 60 ] ; do sleep 1 check_card tries=$(($tries + 1)) done if [ $cardfound = 0 ] ; then echo 'Failed to find Smart Card card!' >&2 exit 1 fi fi } wait_card if [ -x /bin/plymouth ] && plymouth --ping; then # Get pin number from plymouth /usr/bin/pkcs15-crypt --decipher --input "$1" --pkcs1 --raw \ --pin "$(plymouth ask-for-password --prompt "Enter pin for $CRYPTTAB_NAME: ")" else # Get pin number from console /usr/bin/pkcs15-crypt --decipher --input "$1" --pkcs1 --raw </dev/console 2>/dev/console fi exit $? PK��Z$��=��scripts/decrypt_keyctlnu�ȯ��#!/bin/sh # decrypt_keyctl - to use in /etc/crypttab as keyscript # Allows to cache passwords for cryptdevices for 60s # The same password is used for for cryptdevices with the same identifier. # The keyfile parameter, which is the third field from /etc/crypttab, is # used as identifier in this keyscript. # # sample crypttab entries: # test1 /dev/sda1 test_pw luks,keyscript=decrypt_keyctl # test2 /dev/sda2 test_pw luks,keyscript=decrypt_keyctl # test3 /dev/sda3 test_other_pw luks,keyscript=decrypt_keyctl # # test1 and test2 have the same identifier thus test2 does not need a password # typed in manually die() { echo "$@" >&2 exit 1 } if [ -z "${CRYPTTAB_KEY:-}" ] \|\| [ "$CRYPTTAB_KEY" = "none" ]; then # store the passphrase in the key name used by systemd-ask-password ID_="cryptsetup" else # the keyfile given from crypttab is used as identifier in the keyring # including the prefix "cryptsetup:" ID_="cryptsetup:$CRYPTTAB_KEY" fi TIMEOUT_='60' ASKPASS_='/lib/cryptsetup/askpass' PROMPT_="Caching passphrase for ${CRYPTTAB_NAME}: " if ! KID_="$(keyctl search @u user "$ID_" 2>/dev/null)" \|\| \ [ -z "$KID_" ] \|\| [ "$CRYPTTAB_TRIED" -gt 0 ]; then # key not found or wrong, ask the user KEY_="$($ASKPASS_ "$PROMPT_")" \|\| die "Error executing $ASKPASS_" if [ -n "$KID_" ]; then # I have cached wrong password and now i may use either `keyctl update` # to update $KID_ or just unlink old key, and add new. With `update` i # may hit "Key has expired", though. So i'll go "unlink and add" way. keyctl unlink "$KID_" @u KID_="" fi KID_="$(printf "%s" "$KEY_" \| keyctl padd user "$ID_" @u)" [ -n "$KID_" ] \|\| die "Error adding passphrase to kernel keyring" if ! keyctl timeout "$KID_" "$TIMEOUT_"; then keyctl unlink "$KID_" @u die "Error setting timeout on key ($KID_), removing" fi else echo "Using cached passphrase for ${CRYPTTAB_NAME}." >&2 fi keyctl pipe "$KID_" PK��Z�(sR��R��scripts/decrypt_derivednu�ȯ��#!/bin/sh # WARNING: If you use the decrypt_derived keyscript for devices with # persistent data (i.e. not swap or temp devices), then you will lose # access to that data permanently if something damages the LUKS header # of the LUKS device you derive from. The same applies if you luksFormat # the device, even if you use the same passphrase(s). A LUKS header # backup, or better a backup of the data on the derived device may be # a good idea. See the Cryptsetup FAQ on how to do this right. if [ -z "$1" ]; then echo "$0: must be executed with a crypto device as argument" >&2 exit 1 fi unset -v keys count keys="$(dmsetup table --target crypt --showkeys -- "$1" 2>/dev/null \| cut -s -d' ' -f5)" count="$(printf '%s' "$keys" \| wc -l)" if [ -n "$keys" ] && [ $count -le 1 ]; then if [ "${keys#:}" = "$keys" ]; then printf '%s' "$keys" exit 0 else echo "$0: device $1 uses the kernel keyring" >&2 fi elif [ $count -eq 0 ]; then echo "$0: device $1 doesn't exist or isn't a crypto device" >&2 else echo "$0: more than one device match" >&2 fi exit 1 PK��Z[��>89��89��scripts/passdevnu�ȯ��ELF��>�� @��1��@�8� �@��@��@��@�� ,��<��<�� (��-��=��=��8��8��8��0��0��h��h��h��D��D��S�td��8��8��8��0��0��P�td��P"��P"��P"��<��<��Q�td��R�td��,��<��<��/lib64/ld-linux-x86-64.so.2�� GNU��GNU�palj��mQ�E2ʑ 65A��GNU��e�m��U��)��%�� J��8��c��A�� q��\��j��P��I��v��P�� "��"��__cxa_finalize�__libc_start_main�stderr�__vfprintf_chk�__stack_chk_fail�fwrite�exit�getenv�strtol�strchr�access�stat�__fprintf_chk�mkdtemp�fork�waitpid�strlen�malloc�__sprintf_chk�open�read�close�free�umount�rmdir�sleep�execl�libc.so.6�GLIBC_2.33�GLIBC_2.4�GLIBC_2.34�GLIBC_2.3.4�GLIBC_2.2.5�_ITM_deregisterTMCloneTable�__gmon_start__�_ITM_registerTMCloneTable��ii ��ti �� ui ��<��<��@��@��?��?��?��?��?��?��?��?��?�� ?��(?��0?��8?�� @?�� H?��P?��X?�� `?��h?��p?��x?��?��?��?��?��?��?��?��?��?��?��H��H��/��H��t��H��5�.��%�.��h��h��h��h��h��h��h��h��q��h��a��h ��Q��h ��A��h��1��h��!��h ��h��h��h��h��h��h��h��h��h��h��q��h��a��%%.��D��%--��D��%%-��D��%-��D��%-��D��% -��D��%-��D��%�,��D��%�,��D��%�,��D��%�,��D��%�,��D��%�,��D��%�,��D��%�,��D��%�,��D��%�,��D��%�,��D��%�,��D��%�,��D��%�,��D��%�,��D��%�,��D��%},��D��%u,��D��%m,��D��AWAVAUATUSH��H��fo��dH�%(��H��$8��1��D$0XXX�)D$ ��tH�O,��H�=N��H��>��$��H�=��H��H��H��t1�� ~�,��L�c�:��L��E��H��8��x��H�X�:��1�H��H��t�8�t �x��E��H��L��H�="��1��E1�1�L��n��L��$��L��L��A�Ņ��J��$��%��=�`��tJL��H�%��H�<+��H�81��E��H�!+��H�=��H��H�\|$ ��H�D$H��H��L�t$H�D$@H��H�D$HH��H�D$PH��H�D$XH��H�D$`H��H�D$hH��H�D$pH��H�D$xH��H��$��H��H��$��H��H��$��Ņ��v��u�f��<�S��1�L��T$�Ѓ�uހ��3��H�\|$�C��H��H��8��H�\|��H��H��L�D$H��1�H��I��H� N�� 1�H��L��H��3��O��L��$��M��1�H��1��^��A�ƅ��L��L��1��I��H��u$�`��L��I�t�D��H)��H��H�L9�r�D��H��H�\$H��+��H��1��A��!L��I�t��H)��H��H�L9�r�L��1��A��A��{��H��(��L��H�� H�81��H�\|$��o��L��H�=Z ��1��@�1�L��n��E��t߅��H�x� ��1��Ņ��H��L��H�=��1��I��H�=W ��1��9��A��L��H��H��(��H�=v ��H��H��H�\|$��H��'��%��H�=��H��u��H��'��H�=w ��H��L��k��D��H�r'��H�= ��H��a��m��H�M'��H�=��H��<��H��H�('��H�=��H��#��H�'��H�=��H��L��H�\$L��1�Mc�H�=��H�- ��H��1��1�1�H��1��i��1Ҿ��H��1��X��1Ҿ��H��1��G��H��j�H�=��SH��L� ��H� ��ATH��PN�D�`1��_��H�� !��H�"&��H�=w��H��%��H��%��H�=R��H��\��1�I��^H��H��PTE1�1�H�=!��%��f.��H�=�%��H��%��H9�tH�n%��H��t ��H�=�%��H�5�%��H)�H��H��?H��H�H�tH�=%��H��t��fD��=E%��u+UH�=%��H��tH�=&%��d��%��]��w��H��H�t$(H�T$0H�L$8L�D$@L�L$H��t7)D$P)L$`)T$p)�$��)�$��)�$��)�$��)�$��dH�%(��H�D$1��=�$��t@H��$��H��H��H�D$H�D$ H�D$H�K$��$��H�8�D$0��,��H�D$dH+%(��uH��_��H��H��Incorrect number of arguments ��Failed to create temporary directory ��noatime,nodiratime,nodev,noexec,nosuid,ro��Path is %p and filepath is %p �DEBUG�Invalid key path �Waiting for %s �Unable to stat %s �%s is no block device �ext4�ext3�ext2�vfat�btrfs�reiserfs�xfs�jfs�ntfs�iso9660�udf�Mounting %s at %s �/dev/null�-o�-t�-n�/bin/mount�Failed to allocate memory �%s/%s�Keyfile doesn't exist �Unable to stat keyfile �Invalid keyfile size �Failed to open keyfile �Failed to read entire key �Failed to write entire key �Failed to mount %s �Timeout is %i ��/tmp/passdev.XXX;<��p��p��X��zR�x��p��&��D��$��4��X��FJw��?:3$"��\��t��G�� AH��$��F�B�B �B(�A0�A8�G��H�S�H�P�� <��<��o�� j��>��X�� o��o��o��o��B��o��=��0��@��P��`��p�� 0��@��P��`��p��@��/usr/lib/debug/.dwz/x86_64-linux-gnu/cryptsetup.debug��ͦ��U�i�)^]��61166c6af99bae1c6d51cb4532ca910a363541.debug��߯\|�.shstrtab�.interp�.note.gnu.property�.note.gnu.build-id�.note.ABI-tag�.gnu.hash�.dynsym�.dynstr�.gnu.version�.gnu.version_r�.rela.dyn�.rela.plt�.init�.plt.got�.plt.sec�.text�.fini�.rodata�.eh_frame_hdr�.eh_frame�.init_array�.fini_array�.dynamic�.data�.bss�.gnu_debugaltlink�.gnu_debuglink��8��8��0��&��h��h��$��9�� G��o��$��Q��Y��j��a��o��B��B��@��n��o��`��}��B�� X�� `��`�� P��P"��P"��<��"��"��<��,��<��,��=��-��>��.��@��0��@��0��0��J��\0��4��0��"��PK��Z��i:��:��scripts/decrypt_gnupgnu�ȯ��#!/bin/sh decrypt_gpg () { echo "Performing GPG symmetric decryption ..." >&2 if ! /lib/cryptsetup/askpass "Enter passphrase for key $1: " \| \ /usr/bin/gpg -q --batch --no-options \ --no-random-seed-file --no-default-keyring \ --keyring /dev/null --secret-keyring /dev/null \ --trustdb-name /dev/null --passphrase-fd 0 --decrypt -- "$1"; then return 1 fi return 0 } if [ ! -x /usr/bin/gpg ]; then echo "$0: /usr/bin/gpg is not available" >&2 exit 1 fi if [ -z "$1" ]; then echo "$0: missing key as argument" >&2 exit 1 fi decrypt_gpg "$1" exit $? PK��Zzz;��scripts/decrypt_gnupg-scnu�ȯ��#!/bin/sh if [ -d "/cryptroot/gnupghome" ]; then export GNUPGHOME="/cryptroot/gnupghome" fi run_gpg() { gpg --no-options --trust-model=always "$@" } decrypt_gpg () { local console _ if ! GPG_TTY="$(tty)"; then read console _ </proc/consoles GPG_TTY="/dev/$console" fi export GPG_TTY if ! run_gpg --decrypt -- "$1"; then return 1 fi return 0 } # `gpg-connect-agent LEARN /bye` is another (lighter) way, but it's # harder to retrieve the return code if ! run_gpg --batch --quiet --no-tty --card-status >/dev/null; then echo "Please insert OpenPGP SmartCard..." >&2 until run_gpg --batch --quiet --no-tty --card-status; do sleep 1 done >/dev/null 2>&1 fi if [ ! -x /usr/bin/gpg ]; then echo "$0: /usr/bin/gpg is not available" >&2 exit 1 fi if [ -z "$1" ] \|\| [ ! -f "$1" ]; then echo "$0: missing key as argument" >&2 exit 1 fi decrypt_gpg "$1" exit $? PK��Z��7�[��[��scripts/decrypt_sslnu�ȯ��#!/bin/sh # # Script to decrypt the key which is encrypted with openssl. # See /usr/share/doc/cryptsetup/examples/gen-ssl-key to create such a key. # decrypt_ssl () { echo "" >&2 echo "Decrypting ssl key $1..." >&2 if ! /usr/bin/openssl enc -aes-256-cbc -d -salt -in "$1" 2>/dev/null; then return 1 fi return 0 } decrypt_ssl "$1" exit $? PK��ZKh��Y��Y��askpassnu�ȯ��ELF��>��&��@��hR��@�8� �@��@��@��@�� @��@��@��L��\��\��@��L��\��\��8��8��8��0��0��h��h��h��D��D��S�td��8��8��8��0��0��P�td��@��@��@��Q�td��R�td��L��\��\��/lib64/ld-linux-x86-64.so.2�� GNU��GNU��u��8@DA�J'i�T��GNU��-��-��e�m��1��'�� m��]��=��W��M��"��@�� &��~��I��8��F��h�� b��R��"��__cxa_finalize�__libc_start_main�read�__errno_location�realloc�lstat�access�pipe�fork�close�dup2�execl�exit�__stack_chk_fail�kill�memset�free�system�strdup�strlen�mkfifo�tcsetattr�stderr�fputc�klogctl�stdin�__getdelim�clearerr�isatty�freopen�stdout�tcgetattr�fwrite�strstr�fputs�__fprintf_chk�sigfillset�sigprocmask�__fdelt_chk�select�libc.so.6�GLIBC_2.3.4�GLIBC_2.33�GLIBC_2.15�GLIBC_2.4�GLIBC_2.34�GLIBC_2.2.5�_ITM_deregisterTMCloneTable�__gmon_start__�_ITM_registerTMCloneTable��P��ti ��Z��f��q��ii ��\|��ui ��\��'��\��p'��`��`�� `��"@��(`��)��0`��(��8`��P+��H`��@��P`��-��X`��P)��``��+��p`��U@��x`�� ,��`��)��`����`��@��`��0/��`��.��`��.��_��_��_��_��_��_��'��_��-��_��,��^��^��^��^��^�� ^�� ^��^��^�� ^��^��^��^��_��_��_��_�� _��(_��0_��8_��@_��H_��P_��X_��`_��h_�� p_��!��x_��"��_��#��_��$��_��%��_��&��_��(��_��)��_����_��+��H��H��?��H��t��H��5b>��%c>��h��h��h��h��h��h��h��h��q��h��a��h ��Q��h ��A��h��1��h��!��h ��h��h��h��h��h��h��h��h��h��h��q��h��a��h��Q��h��A��h��1��h��!��h��h��h��h ��h!��h"��h#��h$��%e=��D��%�;��D��%�;��D��%�;��D��%�;��D��%�;��D��%�;��D��%�;��D��%�;��D��%�;��D��%�;��D��%�;��D��%�;��D��%�;��D��%�;��D��%�;��D��%�;��D��%};��D��%u;��D��%m;��D��%e;��D��%];��D��%U;��D��%M;��D��%E;��D��%=;��D��%5;��D��%-;��D��%%;��D��%;��D��%;��D��% ;��D��%;��D��%�:��D��%�:��D��%�:��D��%�:��D��%�:��D��AWAVAUATI��USH��(��dH�%(��H��$��1�H�$��H�D$��t1H��:��L�H� ��H��H�81��H��H�l$L�5�:��H��L��w��H��1�1��I��{"�t!I�\|$�S�C$��{ ��C!�C"u H��(H9�u�L��$��A��L��1�L��H�E1��{"�t(Hc{$��x �@��K$L��H��H �Đ��AD9�DM�H��(H9�u�E��t'E1�1�1�L��D��(t��8t�� 6��C!��C"��\��L��{"�t@Hc{$��x8��{$I��L��H��J#�Đ��tH��H�t$�S��tH�t$H��uf�H��(H9�u��H�$��$��H��u�� 1��f.��@��1�I��^H��H��PTE1�1�H�=��8��f.��H�=�9��H��9��H9�tH��8��H��t ��H�=�9��H�5�9��H)�H��H��?H��H�H�tH��8��H��t��fD��=E9��u+UH�=j8��H��tH�=v8��d��9��]��w��AUA��ATI��UH��SH��H��H�2H�U�I�<$H9�u�X��H�U�H�3I�<$H)�H�D��H��y��8t�1�H��[]A\A]��H�3H�H�3H��u��H��H�u��I�$H��H��t H�U�H�3�H�E��1�H��UH� �8��H��H�5�8��SH��H��8��H��u H��[]��H��8��H� �8��H��t&H�t��> u��H� �8��H�Q�H� �8��H�8��H�M�H�H��[]Ð��UH� <8��H��H�5B8��SH��H�/8��H��tH�#8��H�U�H�8��H�H��[]�fD��UH� �7��H��H�5�7��SH��H��7��H��F��tH��7��H�U�H��7��H�H��[]�fD��ATI��H�=T��UH��H��dH�%(��H��$8��1�H��$��H�t$H�='��H�D$H9�$��H�-��H��@��H�\|$�>��;7��xruE�\|$��\|$��xE1�L��H��H��H��1��0��fD��\|$��D$H��$8��dH+%(��u'H��H��]A\Ë\|$��\|$��@��U��=s6�� x��^��H�=O6��H��t;H�36��1��$��H�=56��x��H�%6��H�6��H��5��]�D��U��=#6��x��H�=�5��H��t;H��5��1��H�=�5��H��5��H��5��H��5��]�D��H��x��H�=h5��H��t;H�L5��1��U��H�=N5��H�>5��H�+5��H�5��H��ATL�%#��UH��L��H��dH�%(��H�D$1��>��H�=����H����H��H��_��H�H�L�H�D��9:��:��H��4��uH�<$��\|$����x!E1�I��H� \|��L��H�{��L��1��[��H��\|$�7��$H�T$dH+%(��ucH��]A\�@��]��U�H��H��fD�� 9��:��+��<$��\|$��L��ff.��UH�-��H��t ��8uH��1�]�i��f��]�f��U��H�=3��H��t0H�3��1��H�=�3��s�H��2��H��2��=�2��uD��x@H��2��2��H��1�� H�0��1�1��]��]�ff.��ATL�%+1��H�=t2��UH�պ ��SI�$H��H�5T2��H��xJH� K2��uH�U��H�[]A\��H��H�@�H�4�> u��H��H� 2��f��I�<$��[1�]A\��AWI��1�AVAUATUSH��XdH�%(��H�D$H1��d��L�%;��L��H�Q0��H�5%��L��H��H��H�'0��L�-��L��L��H��H��\��H�-0��L��L��H�U��s�H��=��1��.��1�H�5�0��-��H��0��H��1�fo�0��fo �0��H�D$0��0��)$fo�0��D$8�D$)L$��)T$ ��D$��A�ƅ��H�-�/��L�%:��L�-n��Df.��H�޺��L��L)�Hc��H��teH�M��L��H��tJL�{L��L��H�M�H��H��u�H��L��D��x 1�1��0��"f��H��/��1��A��H�D$HdH+%(��uH��XD��[]A\A]A^A_��USH��.��H��H��{"�t�{!�t�{$�S�C!��C$��C"�H��(H9�u�H��[]��H��H��/sys/fs/cgroup�/sys/fs/cgroup/systemd�/bin/systemd-ask-password�--timeout=0�/bin/plymouth�/bin/plymouth --ping�--prompt�ask-for-password�/lib/cryptsetup/passfifo�/dev/console�r�a�\n�incorrect number of arguments�Error: %s Usage: %s PROMPT �;��,��,��h��\��\�4��P��,�h��<��\�\��zR�x��&��D��$��4��P��`��FJw��?:3$"��\��t��P��8��B�E�D �D(�G0H (A ABBD�0��E�R�N M AADDAA$��h�J��E�R�N bAA�$��$��J��E�R�N bAA�(��L��<��F�K�G�� ABA��x��k��E�e�� k��E�e��t�]��HT(��F�M�J0 ABE�� G��E�m NF��P��E�� HA4��4��F�O�I �s ABDrCB��L��l��(� ��F�G�B �B(�A0�A8�D�� 8D0A(B BBBA��$��E��A�A�R nAA�0��`��F�B�B �B(�D0�A8�G��'��p'��P�� 1��\��\��o��(�� ^��x��` �� o��o��h ��o��o�� o��\��0 ��@ ��P ��` ��p �� !��!�� !��0!��@!��P!��`!��p!��!��!��!��!��!��!��!��!��"��"�� "��0"��@"��P"��`"��p"��`��"@��)��(��P+��@��-��P)��+��U@�� ,��)����@��0/��.��.��/usr/lib/debug/.dwz/x86_64-linux-gnu/cryptsetup.debug��ͦ��U�i�)^]��f1d61e75fcaa38194002444111f34a2769fd54.debug��Lx��.shstrtab�.interp�.note.gnu.property�.note.gnu.build-id�.note.ABI-tag�.gnu.hash�.dynsym�.dynstr�.gnu.version�.gnu.version_r�.rela.dyn�.rela.plt�.init�.plt.got�.plt.sec�.text�.fini�.rodata�.eh_frame_hdr�.eh_frame�.init_array�.fini_array�.dynamic�.data�.bss�.gnu_debugaltlink�.gnu_debuglink��8��8��0��&��h��h��$��9�� G��o��$��Q��P��Y��(��(��a��o�� \��n��o��h ��h ��p��}�� B��` ��` ��x�� `��"��"��"��"��P��$��$��1��1�� @��@��@��@��A��A��\��L��\��L��\��L��^��N��`��P�� `��P�� P��J��Q��4��@Q��"��PK��Z݈��i��i�� functionsnu��[��if [ "${0#/usr/share/initramfs-tools/hooks/}" != "$0" ] \|\| [ "${0#/etc/initramfs-tools/hooks/}" != "$0" ]; then # called from an initramfs-tools hook script TABFILE="$DESTDIR/cryptroot/crypttab" elif [ "${0#/scripts/}" != "$0" ]; then # called at initramfs stage from a boot script TABFILE="/cryptroot/crypttab" CRYPTROOT_COUNT_FILE="/run/cryptroot.initrd.cnt" else TABFILE="${TABFILE-/etc/crypttab}" fi export DM_DEFAULT_NAME_MANGLING_MODE=hex # for dmsetup(8) # Logging helpers. Send the argument list to plymouth(1), or fold it # and print it to the standard error. cryptsetup_message() { local IFS=' ' if [ "${0#/scripts/}" != "$0" ] && [ -x /bin/plymouth ] && plymouth --ping; then plymouth message --text="cryptsetup: $" elif [ ${#} -lt 70 ]; then echo "cryptsetup: $" >&2 else # use busybox's fold(1) and sed(1) at initramfs stage echo "cryptsetup: $" \| fold -s \| sed '1! s/^/ /' >&2 fi return 0 } # crypttab_parse_options([--export], [--quiet], [--missing-path={ignore\|warn\|fail}]) # Parse $_CRYPTTAB_OPTIONS, a comma-separated option string from the # crypttab(5) 4th column, and sets corresponding variables # CRYPTTAB_OPTION_<option>=<value> (which are added to the environment # if --export is set). If --path-exists isn't set to "ignore" (the # default), then options taking a file name, such as header=<path>, # need to point to an existing path, otherwise a warning is printed; # and an error is raised if the value is set to "fail". # For error and warning messages, CRYPTTAB_NAME, (resp. CRYPTTAB_KEY) # should be set to the (unmangled) mapped device name (resp. key # file). # Moreover CRYPTTAB_TYPE is set the device type. # Return 1 on parsing error, 0 otherwise (incl. if unknown options # were encountered). crypttab_parse_options() { local quiet="n" export="n" missing_path="ignore" while [ $# -gt 0 ]; do case "$1" in --quiet) quiet="y";; --export) export="y";; --missing-path=) missing_path="${1#--missing-path=}";; ) cryptsetup_message "WARNING: crypttab_parse_options(): unknown option $1" esac shift done local IFS=',' x OPTION VALUE unset -v CRYPTTAB_OPTION_cipher \ CRYPTTAB_OPTION_size \ CRYPTTAB_OPTION_sector_size \ CRYPTTAB_OPTION_hash \ CRYPTTAB_OPTION_offset \ CRYPTTAB_OPTION_skip \ CRYPTTAB_OPTION_verify \ CRYPTTAB_OPTION_readonly \ CRYPTTAB_OPTION_discard \ CRYPTTAB_OPTION_plain \ CRYPTTAB_OPTION_luks \ CRYPTTAB_OPTION_tcrypt \ CRYPTTAB_OPTION_veracrypt \ CRYPTTAB_OPTION_bitlk \ CRYPTTAB_OPTION_swap \ CRYPTTAB_OPTION_tmp \ CRYPTTAB_OPTION_check \ CRYPTTAB_OPTION_checkargs \ CRYPTTAB_OPTION_tries \ CRYPTTAB_OPTION_initramfs \ CRYPTTAB_OPTION_noearly \ CRYPTTAB_OPTION_noauto \ CRYPTTAB_OPTION_loud \ CRYPTTAB_OPTION_quiet \ CRYPTTAB_OPTION_keyscript \ CRYPTTAB_OPTION_keyslot \ CRYPTTAB_OPTION_header \ CRYPTTAB_OPTION_tcrypthidden \ CRYPTTAB_OPTION_same_cpu_crypt \ CRYPTTAB_OPTION_submit_from_crypt_cpus \ CRYPTTAB_OPTION_no_read_workqueue \ CRYPTTAB_OPTION_no_write_workqueue # use $_CRYPTTAB_OPTIONS not $CRYPTTAB_OPTIONS as options values may # contain '\054' which is decoded to ',' in the latter for x in $_CRYPTTAB_OPTIONS; do OPTION="${x%%=}" VALUE="${x#=}" if [ "$x" = "$OPTION" ]; then unset -v VALUE else VALUE="$(printf '%b' "$VALUE")" fi if ! crypttab_validate_option; then if [ "$quiet" = "n" ]; then cryptsetup_message "ERROR: $CRYPTTAB_NAME: invalid value for '${x%%=}' option, skipping" fi return 1 elif [ -z "${OPTION+x}" ]; then continue fi if [ "$export" = "y" ]; then export "CRYPTTAB_OPTION_$OPTION"="${VALUE-yes}" else eval "CRYPTTAB_OPTION_$OPTION"='${VALUE-yes}' fi done IFS=" " if ! _get_crypt_type; then # set CRYPTTAB_TYPE to the type of crypt device CRYPTTAB_TYPE="plain" if [ "$quiet" = "n" ]; then cryptsetup_message "WARNING: $CRYPTTAB_NAME: couldn't determine device type," \ "assuming default ($CRYPTTAB_TYPE)." fi fi if [ "$quiet" = "n" ] && [ -n "${CRYPTTAB_OPTION_header+x}" ] && [ "$CRYPTTAB_TYPE" != "luks" ]; then cryptsetup_message "WARNING: $CRYPTTAB_NAME: Headers are only supported for LUKS devices." fi if [ "$CRYPTTAB_TYPE" = "plain" ]; then # the compiled-in default for these are subject to change options='cipher size' if [ -n "${CRYPTTAB_OPTION_keyscript+x}" ] \|\| [ "$CRYPTTAB_KEY" = "none" ]; then options="$options hash" # --hash is being ignored in plain mode with keyfile specified fi for o in $options; do if [ "$quiet" = "n" ] && eval [ -z "\${CRYPTTAB_OPTION_$o+x}" ]; then cryptsetup_message "WARNING: Option '$o' missing in crypttab for plain dm-crypt" \ "mapping $CRYPTTAB_NAME. Please read /usr/share/doc/cryptsetup-initramfs/README.initramfs.gz and" \ "add the correct '$o' option to your crypttab(5)." fi done fi } # crypttab_validate_option() # Validate $OPTION=$VALUE (or flag $OPTION if VALUE is unset). return # 1 on error, unsets OPTION for unknown or useless options. crypttab_validate_option() { # option aliases case "$OPTION" in read-only) OPTION="readonly";; key-slot) OPTION="keyslot";; tcrypt-hidden) OPTION="tcrypthidden";; tcrypt-veracrypt) OPTION="veracrypt";; esac # sanitize the option name so CRYPTTAB_OPTION_$OPTION is a valid variable name local o="$OPTION" case "$o" in keyfile-offset) OPTION="keyfile_offset";; keyfile-size) OPTION="keyfile_size";; sector-size) OPTION="sector_size";; same-cpu-crypt) OPTION="same_cpu_crypt";; submit-from-crypt-cpus) OPTION="submit_from_crypt_cpus";; no-read-workqueue) OPTION="no_read_workqueue";; no-write-workqueue) OPTION="no_write_workqueue";; esac case "$o" in # value must be a non-empty string cipher\|hash) [ -n "${VALUE:+x}" ] \|\| return 1 ;; # value must be a non-empty string, and an existing path if --missing-path is set header) [ -n "${VALUE:+x}" ] \|\| return 1 if [ "$missing_path" != "ignore" ]; then if [ ! -e "$VALUE" ]; then cryptsetup_message "WARNING: $CRYPTTAB_NAME: $VALUE does not exist"; [ "$missing_path" = "warn" ] \|\| return 1 fi fi ;; # numeric options >0 size\|keyfile-size\|sector-size) if ! printf '%s' "${VALUE-}" \| grep -Exq "0[1-9][0-9]"; then return 1 fi ;; # numeric options >=0 offset\|skip\|tries\|keyslot\|keyfile-offset) if ! printf '%s' "${VALUE-}" \| grep -Exq "[0-9]+"; then return 1 fi ;; tmp) if [ -z "${VALUE+x}" ]; then VALUE="ext4" # 'tmp flag' elif [ -z "$VALUE" ]; then return 1 fi ;; check) if [ -z "${VALUE+x}" ]; then if [ -n "${CRYPTDISKS_CHECK-}" ]; then VALUE="$CRYPTDISKS_CHECK" else unset -v OPTION return 0 fi fi if [ "${VALUE#/}" = "$VALUE" ]; then VALUE="/lib/cryptsetup/checks/$VALUE" fi if [ ! -x "$VALUE" ] \|\| [ ! -f "$VALUE" ]; then return 1 fi ;; checkargs) [ -n "${VALUE+x}" ] \|\| return 1 # must have a value (possibly empty) ;; keyscript) [ -n "${VALUE:+x}" ] \|\| return 1 # must have a value if [ "${VALUE#/}" = "$VALUE" ]; then VALUE="/lib/cryptsetup/scripts/$VALUE" fi if [ ! -x "$VALUE" ] \|\| [ ! -f "$VALUE" ]; then return 1 fi ;; # and now the flags verify) ;; loud) ;; quiet) ;; initramfs) ;; noearly) ;; noauto) ;; readonly) ;; discard) ;; plain) ;; luks) ;; swap) ;; tcrypt) ;; veracrypt) ;; tcrypthidden) ;; bitlk) ;; same-cpu-crypt) ;; submit-from-crypt-cpus) ;; no-read-workqueue) ;; no-write-workqueue) ;; ) if [ "${quiet:-n}" = "n" ]; then cryptsetup_message "WARNING: $CRYPTTAB_NAME: ignoring unknown option '$o'"; fi unset -v OPTION ;; esac } # crypttab_resolve_source() # Resolve the CRYPTTAB_SOURCE variable, containing value of the second # field of a crypttab(5)-like file. # On error (non-existing source), CRYPTTAB_SOURCE is not changed and 1 # is returned. crypttab_resolve_source() { # return immediately if source is a regular file [ ! -f "$CRYPTTAB_SOURCE" ] \|\| return 0 # otherwise resolve the block device specification local dev="$CRYPTTAB_SOURCE" dev="$(_resolve_device_spec "$dev")" && CRYPTTAB_SOURCE="$dev" \|\| return 1 } # run_keyscript($tried_count) # exec()'ute `$CRYPTTAB_OPTION_keyscript "$CRYPTTAB_KEY"`. # If $CRYPTTAB_OPTION_keyscript is unset or null and $CRYPTTAB_KEY is # "none" (meaning the passphrase is to be read interactively from the # console), then use `/lib/cryptsetup/askpass` as keyscript with a # suitable prompt message instead. # Since the shell process is replaced with the $CRYPTTAB_OPTION_keyscript # program, run_keyscript() must be used on the left-hand side of a # pipe, or similar. run_keyscript() { local keyscript keyscriptarg="$CRYPTTAB_KEY" export CRYPTTAB_NAME CRYPTTAB_SOURCE CRYPTTAB_OPTIONS export _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_OPTIONS export CRYPTTAB_TRIED="$1" if [ -n "${CRYPTTAB_OPTION_keyscript+x}" ] && \ [ "$CRYPTTAB_OPTION_keyscript" != "/lib/cryptsetup/askpass" ]; then # 'keyscript' option is present: export its argument as $CRYPTTAB_KEY export CRYPTTAB_KEY _CRYPTTAB_KEY keyscript="$CRYPTTAB_OPTION_keyscript" elif [ "$keyscriptarg" = "none" ]; then # don't export the prompt message as CRYPTTAB_KEY keyscript="/lib/cryptsetup/askpass" keyscriptarg="Please unlock disk $CRYPTTAB_NAME: " fi exec "$keyscript" "$keyscriptarg" } # _get_crypt_type() # Set CRYPTTAB_TYPE to the mapping type, depending on its # $CRYPTTAB_OPTION_<option> values # Return a non-zero status if the mapping couldn't be determined _get_crypt_type() { local s="$CRYPTTAB_SOURCE" t="" blk_t if [ "${CRYPTTAB_OPTION_luks-}" = "yes" ]; then t="luks" elif [ "${CRYPTTAB_OPTION_tcrypt-}" = "yes" ]; then t="tcrypt" elif [ "${CRYPTTAB_OPTION_plain-}" = "yes" ]; then t="plain" elif [ "${CRYPTTAB_OPTION_bitlk-}" = "yes" ]; then t="bitlk" elif [ -n "${CRYPTTAB_OPTION_header+x}" ]; then # detached headers are only supported for LUKS devices if [ -e "$CRYPTTAB_OPTION_header" ] && /sbin/cryptsetup isLuks -- "$CRYPTTAB_OPTION_header"; then t="luks" fi elif [ -f "$s" ] \|\| s="$(_resolve_device_spec "$CRYPTTAB_SOURCE")"; then if /sbin/cryptsetup isLuks -- "$s"; then t="luks" elif blk_t="$(blkid -s TYPE -o value -- "$s")" && [ "$blk_t" = "BitLocker" ]; then t="bitlk" fi fi [ -n "$t" ] \|\| return 1 CRYPTTAB_TYPE="$t" } # unlock_mapping([$keyfile]) # Run cryptsetup(8) with suitable options and arguments to unlock # $CRYPTTAB_SOURCE and setup dm-crypt managed device-mapper mapping # $CRYPTTAB_NAME. unlock_mapping() { local keyfile="${1:--}" if [ "$CRYPTTAB_TYPE" = "luks" ] \|\| [ "$CRYPTTAB_TYPE" = "tcrypt" ]; then # ignored for LUKS and TCRYPT devices unset -v CRYPTTAB_OPTION_cipher \ CRYPTTAB_OPTION_size \ CRYPTTAB_OPTION_hash \ CRYPTTAB_OPTION_offset \ CRYPTTAB_OPTION_skip fi if [ "$CRYPTTAB_TYPE" = "plain" ] \|\| [ "$CRYPTTAB_TYPE" = "tcrypt" ]; then unset -v CRYPTTAB_OPTION_keyfile_size fi if [ "$CRYPTTAB_TYPE" = "tcrypt" ]; then # ignored for TCRYPT devices unset -v CRYPTTAB_OPTION_keyfile_offset else # ignored for non-TCRYPT devices unset -v CRYPTTAB_OPTION_veracrypt CRYPTTAB_OPTION_tcrypthidden fi if [ "$CRYPTTAB_TYPE" != "luks" ]; then # ignored for non-LUKS devices unset -v CRYPTTAB_OPTION_keyslot fi /sbin/cryptsetup -T1 \ ${CRYPTTAB_OPTION_header:+--header="$CRYPTTAB_OPTION_header"} \ ${CRYPTTAB_OPTION_cipher:+--cipher="$CRYPTTAB_OPTION_cipher"} \ ${CRYPTTAB_OPTION_size:+--key-size="$CRYPTTAB_OPTION_size"} \ ${CRYPTTAB_OPTION_sector_size:+--sector-size="$CRYPTTAB_OPTION_sector_size"} \ ${CRYPTTAB_OPTION_hash:+--hash="$CRYPTTAB_OPTION_hash"} \ ${CRYPTTAB_OPTION_offset:+--offset="$CRYPTTAB_OPTION_offset"} \ ${CRYPTTAB_OPTION_skip:+--skip="$CRYPTTAB_OPTION_skip"} \ ${CRYPTTAB_OPTION_verify:+--verify-passphrase} \ ${CRYPTTAB_OPTION_readonly:+--readonly} \ ${CRYPTTAB_OPTION_discard:+--allow-discards} \ ${CRYPTTAB_OPTION_veracrypt:+--veracrypt} \ ${CRYPTTAB_OPTION_keyslot:+--key-slot="$CRYPTTAB_OPTION_keyslot"} \ ${CRYPTTAB_OPTION_tcrypthidden:+--tcrypt-hidden} \ ${CRYPTTAB_OPTION_keyfile_size:+--keyfile-size="$CRYPTTAB_OPTION_keyfile_size"} \ ${CRYPTTAB_OPTION_keyfile_offset:+--keyfile-offset="$CRYPTTAB_OPTION_keyfile_offset"} \ ${CRYPTTAB_OPTION_same_cpu_crypt:+--perf-same_cpu_crypt} \ ${CRYPTTAB_OPTION_submit_from_crypt_cpus:+--perf-submit_from_crypt_cpus} \ ${CRYPTTAB_OPTION_no_read_workqueue:+--perf-no_read_workqueue} \ ${CRYPTTAB_OPTION_no_write_workqueue:+--perf-no_write_workqueue} \ --type="$CRYPTTAB_TYPE" --key-file="$keyfile" \ open -- "$CRYPTTAB_SOURCE" "$CRYPTTAB_NAME" } # resume_mapping([$keyfile]) # Run cryptsetup(8) with suitable options and arguments to resume # $CRYPTTAB_NAME. resume_mapping() { local keyfile="${1:--}" if [ "$CRYPTTAB_TYPE" != "luks" ]; then cryptsetup_message "ERROR: $CRYPTTAB_NAME: unable to resume non-luks device" return 1 fi /sbin/cryptsetup -T1 \ ${CRYPTTAB_OPTION_header:+--header="$CRYPTTAB_OPTION_header"} \ ${CRYPTTAB_OPTION_keyslot:+--key-slot="$CRYPTTAB_OPTION_keyslot"} \ ${CRYPTTAB_OPTION_keyfile_size:+--keyfile-size="$CRYPTTAB_OPTION_keyfile_size"} \ ${CRYPTTAB_OPTION_keyfile_offset:+--keyfile-offset="$CRYPTTAB_OPTION_keyfile_offset"} \ --type="$CRYPTTAB_TYPE" --key-file="$keyfile" \ luksResume "$CRYPTTAB_NAME" } # resume_device($device) # Resume $device with endless retries. Used by cryptsetup-suspend-wrapper. resume_device() { local device="$1" # check if device is really suspended if dmsetup info -c --noheadings -o suspended -- "$device" 2>/dev/null \| grep -Fxq "Active"; then cryptsetup_message "ERROR: $CRYPTTAB_NAME: device was not suspendend" sleep 5 return 1 fi crypttab_find_entry "$device" crypttab_parse_options --quiet _get_crypt_type # Loop endlessly until the resume command succeeded while true; do if [ "$CRYPTTAB_KEY" != "none" ]; then resume_mapping "$CRYPTTAB_KEY" && break \|\| true else run_keyscript 1 \| resume_mapping && break \|\| true fi done } # crypttab_key_check() # Sanity checks for keyfile $CRYPTTAB_KEY. CRYPTTAB_NAME and # CRYPTTAB_OPTION_<option> must be set appropriately. crypttab_key_check() { if [ ! -f "$CRYPTTAB_KEY" ] && [ ! -b "$CRYPTTAB_KEY" ] && [ ! -c "$CRYPTTAB_KEY" ] ; then cryptsetup_message "WARNING: $CRYPTTAB_NAME: keyfile '$CRYPTTAB_KEY' not found" return 0 fi if [ "$CRYPTTAB_KEY" = "/dev/random" ] \|\| [ "$CRYPTTAB_KEY" = "/dev/urandom" ]; then if [ -n "${CRYPTTAB_OPTION_luks+x}" ] \|\| [ -n "${CRYPTTAB_OPTION_tcrypt+x}" ]; then cryptsetup_message "WARNING: $CRYPTTAB_NAME: has random data as key" return 1 else return 0 fi fi local mode="$(stat -L -c"%04a" -- "$CRYPTTAB_KEY")" if [ $(stat -L -c"%u" -- "$CRYPTTAB_KEY") -ne 0 ] \|\| [ "${mode%00}" = "$mode" ]; then cryptsetup_message "WARNING: $CRYPTTAB_NAME: key file $CRYPTTAB_KEY has" \ "insecure ownership, see /usr/share/doc/cryptsetup/README.Debian.gz." fi } # _resolve_device_spec($spec) # Resolve LABEL=<label>, UUID=<uuid>, PARTUUID=<partuuid> and # PARTLABEL=<partlabel> to a block special device. If $spec is # already a (link to a block special device) then it is echoed as is. # Return 1 if $spec doesn't correspond to a block special device. _resolve_device_spec() { local spec="$1" case "$spec" in UUID=\|LABEL=\|PARTUUID=\|PARTLABEL=) # don't use /dev/disk/by-label/... to avoid gessing udev mangling spec="$(blkid -l -t "$spec" -o device)" \|\| spec= ;; esac [ -b "$spec" ] && printf '%s\n' "$spec" \|\| return 1 } # dm_blkdevname($name) # Print the mapped device name, or return 1 if the the device doesn't exist. dm_blkdevname() { local name="$1" dev # /dev/mapper/$name isn't reliable due to udev mangling if dev="$(dmsetup info -c --noheadings -o blkdevname -- "$name" 2>/dev/null)" && [ -n "$dev" ] && [ -b "/dev/$dev" ]; then echo "/dev/$dev" return 0 else return 1 fi } # dm_active_crypt_devices() # Print list of active dm-crypt devices. dm_active_crypt_devices() { # XXX: that's not robust wrt udev mangling of special characters such as blank or colons dmsetup table --target crypt \| sed -n 's/:.//p' } # crypttab_find_entry([--quiet], $target) # Search in the crypttab(5) for the given $target, and sets the # variables CRYPTTAB_NAME, CRYPTTAB_SOURCE, CRYPTTAB_KEY and # CRYPTTAB_OPTIONS accordingly. (In addition _CRYPTTAB_NAME, # _CRYPTTAB_SOURCE, _CRYPTTAB_KEY and _CRYPTTAB_OPTIONS are set to the # unmangled values before decoding the escape sequence.) If there are # duplicates then only the first match is considered. # Return 0 if a match is found, and 1 otherwise. crypttab_find_entry() { local target="$1" quiet="n" IFS if [ "$target" = "--quiet" ] && [ $# -eq 2 ]; then quiet="y" target="$2" fi if [ -f "$TABFILE" ]; then while IFS=" " read -r _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS; do if [ "${_CRYPTTAB_NAME#\#}" != "$_CRYPTTAB_NAME" ] \|\| [ -z "$_CRYPTTAB_NAME" ]; then # ignore comments and empty lines continue fi # unmangle names CRYPTTAB_NAME="$(printf '%b' "$_CRYPTTAB_NAME")" if [ -z "$_CRYPTTAB_SOURCE" ] \|\| [ -z "$_CRYPTTAB_KEY" ]; then cryptsetup_message "WARNING: '$CRYPTTAB_NAME' is missing some arguments, see crypttab(5)" continue elif [ "$CRYPTTAB_NAME" = "$target" ]; then CRYPTTAB_SOURCE="$( printf '%b' "$_CRYPTTAB_SOURCE" )" CRYPTTAB_KEY="$( printf '%b' "$_CRYPTTAB_KEY" )" CRYPTTAB_OPTIONS="$(printf '%b' "$_CRYPTTAB_OPTIONS")" return 0 fi done <"$TABFILE" fi if [ "$quiet" = "n" ]; then cryptsetup_message "WARNING: target '$target' not found in $TABFILE" fi return 1 } # crypttab_foreach_entry($callback) # Iterate through the crypttab(5) and run the given $callback for each # entry found. Variables CRYPTTAB_NAME, CRYPTTAB_SOURCE, CRYPTTAB_KEY # and CRYPTTAB_OPTIONS are set accordingly and available to the # $callback. (In addition _CRYPTTAB_NAME, _CRYPTTAB_SOURCE, # _CRYPTTAB_KEY and _CRYPTTAB_OPTIONS are set to the original values # before decoding the escape sequence.) # Return 0 if a match is found, and 1 otherwise. crypttab_foreach_entry() { local callback="$1" IFS local _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS \ CRYPTTAB_NAME CRYPTTAB_SOURCE CRYPTTAB_KEY CRYPTTAB_OPTIONS [ -f "$TABFILE" ] \|\| return while IFS=" " read -r _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS <&9; do if [ "${_CRYPTTAB_NAME#\#}" != "$_CRYPTTAB_NAME" ] \|\| [ -z "$_CRYPTTAB_NAME" ]; then # ignore comments and empty lines continue fi # unmangle names CRYPTTAB_NAME="$(printf '%b' "$_CRYPTTAB_NAME")" if [ -z "$_CRYPTTAB_SOURCE" ] \|\| [ -z "$_CRYPTTAB_KEY" ]; then cryptsetup_message "WARNING: '$CRYPTTAB_NAME' is missing some arguments, see crypttab(5)" continue fi CRYPTTAB_SOURCE="$( printf '%b' "$_CRYPTTAB_SOURCE" )" CRYPTTAB_KEY="$( printf '%b' "$_CRYPTTAB_KEY" )" CRYPTTAB_OPTIONS="$(printf '%b' "$_CRYPTTAB_OPTIONS")" "$callback" 9<&- done 9<"$TABFILE" } # _device_uuid($device) # Print the UUID attribute of given block special $device. Return 0 # on success, 1 on error. _device_uuid() { local device="$1" uuid if uuid="$(blkid -s UUID -o value -- "$device")" && [ -n "$uuid" ]; then printf '%s\n' "$uuid" else return 1 fi } # _resolve_device({$device \| $spec}) # Take a path to (or spec for) a block special device, and set DEV to # the (symlink to block) device, and MAJ (resp. MIN) to its major-ID # (resp. minor ID) decimal value. On error these variables are not # changed and 1 is returned. _resolve_device() { local spec="$1" dev devno maj min if dev="$(_resolve_device_spec "$spec")" && devno="$(stat -L -c"%t:%T" -- "$dev" 2>/dev/null)" && maj="${devno%:}" && min="${devno#:}" && [ "$devno" = "$maj:$min" ] && [ -n "$maj" ] && [ -n "$min" ] && maj=$(( 0x$maj )) && min=$(( 0x$min )) && [ $maj -gt 0 ]; then DEV="$dev" MAJ="$maj" MIN="$min" return 0 else cryptsetup_message "ERROR: Couldn't resolve device $spec" fi return 1 } # get_mnt_devno($mountpoint) # Print the major:minor device ID(s) holding the file system currently # mounted currenty mounted on $mountpoint. # Return 0 on success, 1 on error (if $mountpoint is not a mountpoint). # devno will be empty if the filesystem must be excluded. get_mnt_devno() { local wantmount="$1" devnos="" uuid dev local out spec fstype DEV MAJ MIN # use awk rather than a `while read; do done` loop here as /proc/mounts # can be many thousands lines long and the `read` builtin goes one # read(2) at the time which slows down execution time, see MR !36 out="$(awk -v mp="$wantmount" -- ' BEGIN { FS = "[ \t]" ret = "" } !/^\s(#\|$)/ { # decode octal sequences; per procfs(5) the format of /proc/mounts # is analogous to fstab(5) head = "" while (match($2, /\\[0-7]{3}/)) { oct = substr($2, RSTART+1, RLENGTH-1) dec = (substr(oct, 1, 1) * 8 + substr(oct, 2, 1)) * 8 + substr(oct, 3, 1) head = head substr($2, 1, RSTART-1) sprintf("%c", dec) $2 = substr($2, RSTART+RLENGTH) } if (head $2 == mp) { # take the last mountpoint if used several times (shadowed) ret = $1 " " $3 } } END { print ret }' </proc/mounts)" \|\| out="" spec="$(printf '%b' "${out% }")" if [ -n "$out" ]; then fstype="${out## }" if [ "$fstype" = "zfs" ]; then # Ignore ZFS entries as they don't have a major/minor and won't # be imported when local-top cryptroot script will ran. # Returns success with empty devno printf '' return 0 fi if _resolve_device "$spec"; then # _resolve_device() already warns on error if [ "$fstype" = "btrfs" ]; then # btrfs can span over multiple devices if uuid="$(_device_uuid "$DEV")"; then for dev in "/sys/fs/$fstype/$uuid/devices"//dev; do devnos="${devnos:+$devnos }$(cat "$dev")" done else cryptsetup_message "ERROR: $spec: Couldn't determine UUID" fi elif [ -n "$fstype" ]; then devnos="$MAJ:$MIN" fi fi fi if [ -z "${devnos:+x}" ]; then return 1 # not found else printf '%s' "$devnos" fi } # foreach_cryptdev($callback, $maj:$min, [$maj:$min ..]) # Run $callback on the (unmangled) name of each dm-crypt device # recursively holding $maj:$min (typically corresponding to an md, # linear, or dm-crypt device). Slaves that aren't dm-crypt devices # are ignored. foreach_cryptdev() { local callback="$1" devno base shift for devno in "$@"; do base="/sys/dev/block/$devno" if [ ! -d "$base" ]; then cryptsetup_message "ERROR: Couldn't find sysfs directory for $devno" return 1 fi _foreach_cryptdev "$callback" "$base" done } _foreach_cryptdev() { local callback="$1" d="$2" devno maj min name slave [ -d "$d/slaves" ] \|\| return 0 if [ -d "$d/dm" ] && devno="$(cat "$d/dev")" && maj="${devno%:}" && min="${devno#:}" && [ "$devno" = "$maj:$min" ] && [ -n "$maj" ] && [ -n "$min" ] && [ "$(dmsetup info -c --noheadings -o subsystem -j "$maj" -m "$min")" = "CRYPT" ] && name="$(dmsetup info -c --noheadings -o unmangled_name -j "$maj" -m "$min")"; then "$callback" "$name" fi for slave in "$d/slaves"/; do if [ -d "$slave" ] && slave="$(realpath -e -- "$slave")"; then _foreach_cryptdev "$callback" "$slave" fi done } # vim: set filetype=sh : PK��ZĖbʓ��checks/swapnu�ȯ��#!/bin/sh echo "WARNING: The check script $0 is deprecated. Please use check script blkid instead." >&2 /lib/cryptsetup/checks/blkid "$1" "swap" PK��Z�Ƥ��checks/blkidnu�ȯ��#!/bin/sh # this script depends on /sbin/blkid from the util-linux package # usage: blkid <device> <fs_type> [<offset>] # <device> may be any device that should be checked. # if no <fs_type> is given, the check fails if no valid filesystem is found. # if <fs_type> is given, the check fails when no filesystem type <fs_type> # is found on the device. if <fs_type> is 'none', the check fails if any # know filesystem is found. if test ! -x "/sbin/blkid"; then echo " - WARNING: blkid from util-linux is not available, impossible to run checks." exit 1 fi dev="$1" fs="$2" offset="${3-}" blkid="$(/sbin/blkid -o value -s TYPE -p ${offset:+-O "$offset"} -- "$dev")" # blkid output is empty if $dev has an unknown filesystem if [ -z "$blkid" ] && [ -z "$fs" ]; then echo " - The device $dev does not contain a known filesystem${offset:+" at offset $offset"}." exit 1 elif [ -n "$blkid" ] && [ "$fs" = "none" ]; then echo " - The device $dev contains a filesystem type $blkid${offset:+" at offset $offset"}." exit 1 elif [ -n "$fs" ] && [ "$blkid" != "$fs" ]; then echo " - The device $dev does not contain a filesystem type $fs${offset:+" at offset $offset"}." exit 1 fi PK��Z(�'w��checks/ext2nu�ȯ��#!/bin/sh echo "WARNING: The check script $0 is deprecated. Please use check script blkid instead." >&2 not_fs="" for fs in ext2 ext3 ext4 ext4dev; do /lib/cryptsetup/checks/blkid "$1" "$fs" >/dev/null \|\| not_fs="$not_fs $fs" done if [ "$not_fs" = " ext2 ext3 ext4 ext4dev" ]; then echo " - The device $1 does not contain a valid ext2, ext3, ext4 or ext4dev filesystem." exit 1 fi PK��Z�� checks/xfsnu�ȯ��#!/bin/sh echo "WARNING: The check script $0 is deprecated. Please use check script blkid instead." >&2 /lib/cryptsetup/checks/blkid "$1" "xfs" PK��Zлxİ��checks/un_blkidnu�ȯ��#!/bin/sh # this script depends on /sbin/blkid from the util-linux package # usage: un_blkid <device> <fs_type> [<offset>] # <device> may be any device that should be checked. # if no <fs_type> is given, the check fails for any valid filesystem # if <fs_type> is given, the check fails when a filesystem type <fs_type> # is found on the device. if test ! -x "/sbin/blkid"; then echo " - WARNING: blkid from util-linux is not available, impossible to run checks." exit 1 fi dev="$1" fs="$2" offset="${3-}" blkid="$(/sbin/blkid -o value -s TYPE -p ${offset:+-O "$offset"} -- "$dev")" # blkid output is empty if $dev has an unknown filesystem if [ -n "$blkid" ] && [ -z "$fs" ]; then echo " - The device $dev contains a filesystem type $blkid${offset:+" at offset $offset"}." exit 1 elif [ -n "$fs" ] && [ "$blkid" = "$fs" ]; then echo " - The device $dev contains a filesystem type $fs${offset:+" at offset $offset"}." exit 1 fi PK��Z�AŰ�!��!��cryptdisks-functionsnu��[��# # This file is for inclusion with # . /lib/cryptsetup/cryptdisks-functions # and should not be executed directly. PATH="/usr/sbin:/usr/bin:/sbin:/bin" CRYPTDISKS_ENABLE="Yes" #set -x # Sanity check #1 [ -x /sbin/cryptsetup ] \|\| exit 0 . /lib/lsb/init-functions . /lib/cryptsetup/functions if [ -r /etc/default/cryptdisks ]; then . /etc/default/cryptdisks fi MOUNT="$CRYPTDISKS_MOUNT" # do_start() # Unlock all devices in the crypttab(5) do_start() { [ -s "$TABFILE" ] \|\| return 0 # Create locking directory before invoking cryptsetup(8) to avoid warnings mkdir -pm0700 /run/cryptsetup modprobe -qb dm-mod \|\| true modprobe -qb dm-crypt \|\| true dmsetup mknodes >/dev/null 2>&1 \|\| true if [ "$INITSTATE" != "init" ]; then log_action_begin_msg "Starting $INITSTATE crypto disks" fi mount_fs crypttab_foreach_entry _do_start_callback umount_fs log_action_end_msg 0 } _do_start_callback() { setup_mapping \|\| log_action_end_msg $? } # mount_fs() # Premounts file systems mount_fs() { local point MOUNTED="" for point in $MOUNT; do if mount "$point" >/dev/null; then MOUNTED="$MOUNTED $point" fi done } # Postunmounts file systems umount_fs() { local point for point in $MOUNTED; do umount "$point" >/dev/null done } # setup_mapping() # Set up a crypttab(5) mapping defined by $CRYPTTAB_NAME, # $CRYPTTAB_SOURCE, $CRYPTTAB_KEY, $CRYPTTAB_OPTIONS. setup_mapping() { if dm_blkdevname "$CRYPTTAB_NAME" >/dev/null; then device_msg "running" return 0 fi local loud="${DEFAULT_LOUD:-}" crypttab_parse_options --export --missing-path=fail \|\| return 1 if [ -n "${CRYPTTAB_OPTION_quiet+x}" ]; then loud="no" elif [ -n "${CRYPTTAB_OPTION_loud+x}" ]; then loud="yes" fi if [ -z "${FORCE_START-}" ]; then if [ "$INITSTATE" = "early" -a -n "${CRYPTTAB_OPTION_noearly+x}" ] \|\| [ "$INITSTATE" != "manual" -a -n "${CRYPTTAB_OPTION_noauto+x}" ]; then device_msg "ignored" return 0 fi fi if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then if ! crypttab_key_check; then device_msg "invalid key" return 1 fi CRYPTTAB_OPTION_tries=1 fi if ! crypttab_resolve_source; then if [ "$loud" = "yes" ]; then device_msg "skipped, device $CRYPTTAB_SOURCE does not exist" fi return 1 fi device_msg "starting" local offset_bytes="" if [ -n "${CRYPTTAB_OPTION_offset+x}" ] && [ ${#CRYPTTAB_OPTION_offset} -le 7 ] && [ $CRYPTTAB_OPTION_offset -lt 4194304 ]; then # silently ignore large offset values which might cause the multiplication to overflow... offset_bytes=$((CRYPTTAB_OPTION_offset * 512)) fi local out tmpdev if [ "$CRYPTTAB_TYPE" != "luks" ] && [ "$CRYPTTAB_TYPE" != "bitlk" ]; then # fail if the device has a filesystem and the disk encryption format doesn't # verify the key digest (unlike LUKS); unless it's swap, otherwise people can't # easily convert an existing plainttext swap partition to an encrypted one if ! out="$(/lib/cryptsetup/checks/un_blkid "$CRYPTTAB_SOURCE" "" ${CRYPTTAB_OPTION_offset+"$offset_bytes"} 2>/dev/null)" && ! /lib/cryptsetup/checks/blkid "$CRYPTTAB_SOURCE" swap ${CRYPTTAB_OPTION_offset+"$offset_bytes"} >/dev/null; then log_warning_msg "$CRYPTTAB_NAME: the precheck for '$CRYPTTAB_SOURCE' failed: $out" return 1 fi fi local count=0 maxtries="${CRYPTTAB_OPTION_tries:-3}" fstype rv local target="$CRYPTTAB_NAME" CRYPTTAB_NAME="${CRYPTTAB_NAME}_unformatted" # XXX potential conflict while [ $maxtries -le 0 ] \|\| [ $count -lt $maxtries ]; do if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then # unlock via keyfile unlock_mapping "$CRYPTTAB_KEY" else # unlock interactively or via keyscript CRYPTTAB_NAME="$target" run_keyscript "$count" \| unlock_mapping fi rv=$? count=$(( $count + 1 )) if [ $rv -ne 0 ] \|\| ! tmpdev="$(dm_blkdevname "$CRYPTTAB_NAME")"; then continue fi if [ -n "${CRYPTTAB_OPTION_check+x}" ] && \ ! "$CRYPTTAB_OPTION_check" "$tmpdev" ${CRYPTTAB_OPTION_checkargs+"$CRYPTTAB_OPTION_checkargs"}; then log_warning_msg "$target: the check for '$CRYPTTAB_NAME' failed" cryptsetup remove -- "$CRYPTTAB_NAME" continue fi if [ "${CRYPTTAB_OPTION_swap+x}" ]; then if out="$(/lib/cryptsetup/checks/un_blkid "$tmpdev" "" ${CRYPTTAB_OPTION_offset+"$offset_bytes"} 2>/dev/null)" \|\| /lib/cryptsetup/checks/blkid "$tmpdev" swap ${CRYPTTAB_OPTION_offset+"$offset_bytes"} >/dev/null 2>&1; then mkswap "$tmpdev" >/dev/null 2>&1 else log_warning_msg "$target: the check for '$CRYPTTAB_NAME' failed. $CRYPTTAB_NAME contains data: $out" cryptsetup remove -- "$CRYPTTAB_NAME" return 1 fi elif [ "${CRYPTTAB_OPTION_tmp+x}" ]; then local tmpdir="$(mktemp --tmpdir="/run/cryptsetup" --directory)" rv=0 if ! mkfs -t "$CRYPTTAB_OPTION_tmp" -q "$tmpdev" >/dev/null 2>&1 \|\| ! mount -t "$CRYPTTAB_OPTION_tmp" "$tmpdev" "$tmpdir" \|\| ! chmod 1777 "$tmpdir"; then rv=1 fi umount "$tmpdir" \|\| true rmdir "$tmpdir" \|\| true [ $rv -eq 0 ] \|\| return $rv fi if command -v udevadm >/dev/null 2>&1; then udevadm settle fi dmsetup rename -- "$CRYPTTAB_NAME" "$target" device_msg "$target" "started" return 0 done device_msg "$target" "failed" return 1 } # Removes all mappings in crypttab, except the ones holding the root # file system or /usr do_stop() { local devno_rootfs devno_usr dmsetup mknodes log_action_begin_msg "Stopping $INITSTATE crypto disks" devno_rootfs="$(get_mnt_devno /)" \|\| devno_rootfs="" devno_usr="$(get_mnt_devno /usr)" \|\| devno_usr="" crypttab_foreach_entry _do_stop_callback log_action_end_msg 0 } _do_stop_callback() { local i rv=0 skip="n" # traverse the device tree for each crypttab(5) entry, that's # suboptimal but we can't use mapped device names as they might # contain any character other than NUL. shouldn't be much overhead # anyway as the device tree is likely not that long foreach_cryptdev _do_stop_skipped $devno_rootfs $devno_usr if [ "$skip" = "n" ]; then for i in 1 2 4 8 16 32; do remove_mapping "$CRYPTTAB_NAME" 3<&- && break \|\| rv=$? if [ $rv -eq 1 ] \|\| [ $rv -eq 2 -a $i -gt 16 ]; then log_action_end_msg $rv break fi log_action_cont_msg "$CRYPTTAB_NAME busy..." sleep $i done fi } _do_stop_skipped() { if [ "$1" = "$CRYPTTAB_NAME" ]; then skip="y" fi } # device_msg([$name], $message) # Convenience function to handle $VERBOSE device_msg() { local name message if [ $# -eq 1 ]; then name="$CRYPTTAB_NAME" message="$1" else name="$1" message="$2" fi if [ "$VERBOSE" != "no" ]; then log_action_cont_msg "$name ($message)" fi } # remove_mapping($target) # Remove mapping $target remove_mapping() { local CRYPTTAB_NAME="$1" if ! dm_blkdevname "$CRYPTTAB_NAME" >/dev/null; then device_msg "stopped" return 0 fi if [ "$(dmsetup info --noheadings -c -o subsystem -- "$CRYPTTAB_NAME")" != "CRYPT" ]; then device_msg "error" return 1 fi local opencount="$(dmsetup info -c --noheadings -o open -- "$CRYPTTAB_NAME" 2>/dev/null \|\| true)" if [ -z "$opencount" ]; then device_msg "error" return 1 elif [ "$opencount" != "0" ]; then device_msg "busy" if [ "$INITSTATE" = "early" ] \|\| [ "$INITSTATE" = "manual" ]; then return 1 elif [ "$INITSTATE" = "remaining" ]; then return 2 fi return 0 fi if cryptsetup remove -- "$CRYPTTAB_NAME"; then device_msg "stopping" return 0 else device_msg "error" return 1 fi } # vim: set filetype=sh : PK��ZYB�Xt��t��scripts/decrypt_openscnu�ȯ��PK��Z$��=��scripts/decrypt_keyctlnu�ȯ��PK��Z�(sR��R�� scripts/decrypt_derivednu�ȯ��PK��Z[��>89��89��scripts/passdevnu�ȯ��PK��Z��i:��:�� L��scripts/decrypt_gnupgnu�ȯ��PK��Zzz;��N��scripts/decrypt_gnupg-scnu�ȯ��PK��Z��7�[��[��R��scripts/decrypt_sslnu�ȯ��PK��ZKh��Y��Y��(T��askpassnu�ȯ��PK��Z݈��i��i�� G��functionsnu��[��PK��ZĖbʓ��checks/swapnu�ȯ��PK��Z�Ƥ��checks/blkidnu�ȯ��PK��Z(�'w��checks/ext2nu�ȯ��PK��Z�� checks/xfsnu�ȯ��PK��Zлxİ��Q �checks/un_blkidnu�ȯ��PK��Z�AŰ�!��!��@$�cryptdisks-functionsnu��[��PK��)F��

| ver. 1.4 | Github | . | PHP 8.2.28 | Generation time: 0.02 | proxy | phpinfo | Settings