Also init_crypto for encrypyed network block devices. (#605600)

3 files changed, 165 insertions, 160 deletions

diff --git a/rc.d/init.d/functions b/rc.d/init.d/functions
index 7417fd7b..203518b9 100644
--- a/rc.d/init.d/functions
+++ b/rc.d/init.d/functions
@@ -604,5 +604,165 @@ is_false() {
     return 1
 }
 
+key_is_random() {
+    [ "$1" = "/dev/urandom" -o "$1" = "/dev/hw_random" \
+	-o "$1" = "/dev/random" ]
+}
+
+find_crypto_mount_point() {
+    local fs_spec fs_file fs_vfstype remaining_fields
+    local fs
+    while read fs_spec fs_file remaining_fields; do
+	if [ "$fs_spec" = "/dev/mapper/$1" ]; then
+	    echo $fs_file
+	    break;
+	fi
+    done < /etc/fstab
+}
+
+# Because of a chicken/egg problem, init_crypto must be run twice.  /var may be
+# encrypted but /var/lib/random-seed is needed to initialize swap.
+init_crypto() {
+    local have_random dst src key opt mode owner params makeswap skip arg opt
+    local param value rc ret mke2fs mdir prompt mount_point
+
+    ret=0
+    have_random=$1
+    while read dst src key opt; do
+	[ -z "$dst" -o "${dst#\#}" != "$dst" ] && continue
+        [ -b "/dev/mapper/$dst" ] && continue;
+	if [ "$have_random" = 0 ] && key_is_random "$key"; then
+	    continue
+	fi
+	if [ -n "$key" -a "x$key" != "xnone" ]; then
+	    if test -e "$key" ; then
+		owner=$(ls -l $key | (read a b owner rest; echo $owner))
+		if ! key_is_random "$key"; then
+		    mode=$(ls -l "$key" | cut -c 5-10)
+		    if [ "$mode" != "------" ]; then
+		       echo $"INSECURE MODE FOR $key"
+		    fi
+		fi
+		if [ "$owner" != root ]; then
+		    echo $"INSECURE OWNER FOR $key"
+		fi
+	    else
+		echo $"Key file for $dst not found, skipping"
+		ret=1
+		continue
+	    fi
+	else
+	    key=""
+	fi
+	params=""
+	makeswap=""
+	mke2fs=""
+	skip=""
+	# Parse the src field for UUID= and convert to real device names
+	if [ "${src%%=*}" == "UUID" ]; then
+		src=$(/sbin/blkid -t "$src" -l -o device)
+	elif [ "${src/^\/dev\/disk\/by-uuid\/}" != "$src" ]; then
+		src=$(__readlink $src)
+	fi
+	# Is it a block device?
+	[ -b "$src" ] || continue
+	# Is it already a device mapper slave? (this is gross)
+	devesc=${src##/dev/}
+	devesc=${devesc//\//!}
+	for d in /sys/block/dm-*/slaves ; do
+	    [ -e $d/$devesc ] && continue 2
+	done
+	# Parse the options field, convert to cryptsetup parameters and
+	# contruct the command line
+	while [ -n "$opt" ]; do
+	    arg=${opt%%,*}
+	    opt=${opt##$arg}
+	    opt=${opt##,}
+	    param=${arg%%=*}
+	    value=${arg##$param=}
+
+	    case "$param" in
+	    cipher)
+		params="$params -c $value"
+		if [ -z "$value" ]; then
+		    echo $"$dst: no value for cipher option, skipping"
+		    skip="yes"
+		fi
+	    ;;
+	    size)
+		params="$params -s $value"
+		if [ -z "$value" ]; then
+		    echo $"$dst: no value for size option, skipping"
+		    skip="yes"
+		fi
+	    ;;
+	    hash)
+		params="$params -h $value"
+		if [ -z "$value" ]; then
+		    echo $"$dst: no value for hash option, skipping"
+		    skip="yes"
+		fi
+	    ;;
+	    verify)
+	        params="$params -y"
+	    ;;
+	    swap)
+		makeswap=yes
+		;;
+	    tmp)
+		mke2fs=yes
+	    esac
+	done
+	if [ "$skip" = "yes" ]; then
+	    ret=1
+	    continue
+	fi
+	if [ -z "$makeswap" ] && cryptsetup isLuks "$src" 2>/dev/null ; then
+	    if key_is_random "$key"; then
+		echo $"$dst: LUKS requires non-random key, skipping"
+		ret=1
+		continue
+	    fi
+	    if [ -n "$params" ]; then
+		echo "$dst: options are invalid for LUKS partitions," \
+		    "ignoring them"
+	    fi
+	    if [ -n "$key" ]; then
+		/sbin/cryptsetup -d $key luksOpen "$src" "$dst" <&1 2>/dev/null && success || failure
+		rc=$?
+	    else
+		mount_point="$(find_crypto_mount_point $dst)"
+		[ -n "$mount_point" ] || mount_point=${src##*/}
+		prompt=$(printf $"%s is password protected" "$mount_point")
+		plymouth ask-for-password --prompt "$prompt" --command="/sbin/cryptsetup luksOpen -T1 $src $dst" <&1
+		rc=$?
+	    fi
+	else
+	    [ -z "$key" ] && plymouth --hide-splash
+	    /sbin/cryptsetup $params ${key:+-d $key} create "$dst" "$src" <&1 2>/dev/null && success || failure
+	    rc=$?
+	    [ -z "$key" ] && plymouth --show-splash
+	fi
+	if [ $rc -ne 0 ]; then
+	    ret=1
+	    continue
+	fi
+	if [ -b "/dev/mapper/$dst" ]; then
+	    if [ "$makeswap" = "yes" ]; then
+		mkswap "/dev/mapper/$dst" 2>/dev/null >/dev/null
+	    fi
+	    if [ "$mke2fs" = "yes" ]; then
+		if mke2fs "/dev/mapper/$dst" 2>/dev/null >/dev/null \
+		    && mdir=$(mktemp -d /tmp/mountXXXXXX); then
+		    mount "/dev/mapper/$dst" "$mdir" && chmod 1777 "$mdir"
+		    umount "$mdir"
+		    rmdir "$mdir"
+		fi
+	    fi
+	fi
+    done < /etc/crypttab
+    return $ret
+}
+
 # A sed expression to filter out the files that is_ignored_file recognizes
 __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
diff --git a/rc.d/init.d/netfs b/rc.d/init.d/netfs
index 9fe131d4..a235e464 100755
--- a/rc.d/init.d/netfs
+++ b/rc.d/init.d/netfs
@@ -58,6 +58,11 @@ case "$1" in
 		       action $"Setting up Logical Volume Management:" /sbin/lvm vgchange -a y
 		fi
 	    fi
+
+	    if [ -f /etc/crypttab ]; then
+	        init_crypto 1
+	    fi
+
 	    STRING=$"Checking network-attached filesystems"
 	    
 	    echo $STRING
diff --git a/rc.d/rc.sysinit b/rc.d/rc.sysinit
index 527050bd..0c489bf4 100755
--- a/rc.d/rc.sysinit
+++ b/rc.d/rc.sysinit
@@ -85,166 +85,6 @@ relabel_selinux() {
     reboot -f
 }
 
-key_is_random() {
-    [ "$1" = "/dev/urandom" -o "$1" = "/dev/hw_random" \
-	-o "$1" = "/dev/random" ]
-}
-
-find_crypto_mount_point() {
-    local fs_spec fs_file fs_vfstype remaining_fields
-    local fs
-    while read fs_spec fs_file remaining_fields; do
-	if [ "$fs_spec" = "/dev/mapper/$1" ]; then
-	    echo $fs_file
-	    break;
-	fi
-    done < /etc/fstab
-}
-
-# Because of a chicken/egg problem, init_crypto must be run twice.  /var may be
-# encrypted but /var/lib/random-seed is needed to initialize swap.
-init_crypto() {
-    local have_random dst src key opt mode owner params makeswap skip arg opt
-    local param value rc ret mke2fs mdir prompt mount_point
-
-    ret=0
-    have_random=$1
-    while read dst src key opt; do
-	[ -z "$dst" -o "${dst#\#}" != "$dst" ] && continue
-        [ -b "/dev/mapper/$dst" ] && continue;
-	if [ "$have_random" = 0 ] && key_is_random "$key"; then
-	    continue
-	fi
-	if [ -n "$key" -a "x$key" != "xnone" ]; then
-	    if test -e "$key" ; then
-		owner=$(ls -l $key | (read a b owner rest; echo $owner))
-		if ! key_is_random "$key"; then
-		    mode=$(ls -l "$key" | cut -c 5-10)
-		    if [ "$mode" != "------" ]; then
-		       echo $"INSECURE MODE FOR $key"
-		    fi
-		fi
-		if [ "$owner" != root ]; then
-		    echo $"INSECURE OWNER FOR $key"
-		fi
-	    else
-		echo $"Key file for $dst not found, skipping"
-		ret=1
-		continue
-	    fi
-	else
-	    key=""
-	fi
-	params=""
-	makeswap=""
-	mke2fs=""
-	skip=""
-	# Parse the src field for UUID= and convert to real device names
-	if [ "${src%%=*}" == "UUID" ]; then
-		src=$(/sbin/blkid -t "$src" -l -o device)
-	elif [ "${src/^\/dev\/disk\/by-uuid\/}" != "$src" ]; then
-		src=$(__readlink $src)
-	fi
-	# Is it a block device?
-	[ -b "$src" ] || continue
-	# Is it already a device mapper slave? (this is gross)
-	devesc=${src##/dev/}
-	devesc=${devesc//\//!}
-	for d in /sys/block/dm-*/slaves ; do
-	    [ -e $d/$devesc ] && continue 2
-	done
-	# Parse the options field, convert to cryptsetup parameters and
-	# contruct the command line
-	while [ -n "$opt" ]; do
-	    arg=${opt%%,*}
-	    opt=${opt##$arg}
-	    opt=${opt##,}
-	    param=${arg%%=*}
-	    value=${arg##$param=}
-
-	    case "$param" in
-	    cipher)
-		params="$params -c $value"
-		if [ -z "$value" ]; then
-		    echo $"$dst: no value for cipher option, skipping"
-		    skip="yes"
-		fi
-	    ;;
-	    size)
-		params="$params -s $value"
-		if [ -z "$value" ]; then
-		    echo $"$dst: no value for size option, skipping"
-		    skip="yes"
-		fi
-	    ;;
-	    hash)
-		params="$params -h $value"
-		if [ -z "$value" ]; then
-		    echo $"$dst: no value for hash option, skipping"
-		    skip="yes"
-		fi
-	    ;;
-	    verify)
-	        params="$params -y"
-	    ;;
-	    swap)
-		makeswap=yes
-		;;
-	    tmp)
-		mke2fs=yes
-	    esac
-	done
-	if [ "$skip" = "yes" ]; then
-	    ret=1
-	    continue
-	fi
-	if [ -z "$makeswap" ] && cryptsetup isLuks "$src" 2>/dev/null ; then
-	    if key_is_random "$key"; then
-		echo $"$dst: LUKS requires non-random key, skipping"
-		ret=1
-		continue
-	    fi
-	    if [ -n "$params" ]; then
-		echo "$dst: options are invalid for LUKS partitions," \
-		    "ignoring them"
-	    fi
-	    if [ -n "$key" ]; then
-		/sbin/cryptsetup -d $key luksOpen "$src" "$dst" <&1 2>/dev/null && success || failure
-		rc=$?
-	    else
-		mount_point="$(find_crypto_mount_point $dst)"
-		[ -n "$mount_point" ] || mount_point=${src##*/}
-		prompt=$(printf $"%s is password protected" "$mount_point")
-		plymouth ask-for-password --prompt "$prompt" --command="/sbin/cryptsetup luksOpen -T1 $src $dst" <&1
-		rc=$?
-	    fi
-	else
-	    [ -z "$key" ] && plymouth --hide-splash
-	    /sbin/cryptsetup $params ${key:+-d $key} create "$dst" "$src" <&1 2>/dev/null && success || failure
-	    rc=$?
-	    [ -z "$key" ] && plymouth --show-splash
-	fi
-	if [ $rc -ne 0 ]; then
-	    ret=1
-	    continue
-	fi
-	if [ -b "/dev/mapper/$dst" ]; then
-	    if [ "$makeswap" = "yes" ]; then
-		mkswap "/dev/mapper/$dst" 2>/dev/null >/dev/null
-	    fi
-	    if [ "$mke2fs" = "yes" ]; then
-		if mke2fs "/dev/mapper/$dst" 2>/dev/null >/dev/null \
-		    && mdir=$(mktemp -d /tmp/mountXXXXXX); then
-		    mount "/dev/mapper/$dst" "$mdir" && chmod 1777 "$mdir"
-		    umount "$mdir"
-		    rmdir "$mdir"
-		fi
-	    fi
-	fi
-    done < /etc/crypttab
-    return $ret
-}
-
 # Print a text banner.
 echo -en $"\t\tWelcome to "
 read -r system_release < /etc/system-release