From ef22a990570cd3658c7a693796e4470994b86fb9 Mon Sep 17 00:00:00 2001 From: Tails developers Date: Sat, 12 Nov 2011 05:56:06 +0100 Subject: [PATCH] Changing persistent-encryption to accept a list TYPE... instead. The comma-separated list TYPE... specifies which types of encryption to allow for persistent media, and whether to allow plaintext media. The possible TYPEs are the old {none, luks}, with default "none". The only change is that this allow plaintext and encrypted media to be used simultaneously. --- scripts/live | 10 +++++--- scripts/live-helpers | 67 ++++++++++++++++++++++++++++++++-------------------- 2 files changed, 48 insertions(+), 29 deletions(-) diff --git a/scripts/live b/scripts/live index 970853c..c28314f 100755 --- a/scripts/live +++ b/scripts/live @@ -395,19 +395,23 @@ Arguments () export UNIONTYPE fi - if [ "${PERSISTENT_ENCRYPTION}" = "luks" ] + if [ -z "${PERSISTENT_ENCRYPTION}" ] + then + PERSISTENT_ENCRYPTION="none" + export PERSISTENT_ENCRYPTION + elif echo ${PERSISTENT_ENCRYPTION} | grep -qw luks then if ! modprobe dm-crypt then log_warning_msg "Unable to load module dm-crypt" - PERSISTENT_ENCRYPTION="none" + PERSISTENT_ENCRYPTION=$(echo ${PERSISTENT_ENCRYPTION} | sed -e 's/\&6 + echo -n "There was an error decrypting ${dev} ... Retry? [Y/n] " >&6 + read answer + + if [ "$(echo "${answer}" | cut -b1 | tr A-Z a-z)" = "n" ] + then + return 2 + fi + done +} + find_persistent_media () { # Scans devices for overlays and snapshots, and returns a whitespace 
@@ -344,36 +375,20 @@ find_persistent_media ()
 luks_device=""
 # Checking for a luks device
- if [ "${PERSISTENT_ENCRYPTION}" = "luks" ]
+ if echo ${PERSISTENT_ENCRYPTION} | grep -qw luks && \
+ /sbin/cryptsetup isLuks ${dev}
 then
- if ! /sbin/cryptsetup isLuks ${dev}
+ if luks_device=$(open_luks_device "${dev}")
 then
- # skip device since we strictly want luks devices
+ dev="${luks_device}"
+ else
+ # skip $dev since we failed/chose not to open it
 continue
 fi
-
- load_keymap
-
- while true
- do
- /lib/cryptsetup/askpass "Enter passphrase for ${dev}: " | /sbin/cryptsetup -T 1 luksOpen ${dev} $(basename ${dev}) --key-file=-
-
- if [ 0 -eq ${?} ]
- then
- luks_device="/dev/mapper/$(basename ${dev})"
- dev="${luks_device}"
- break
- fi
-
- echo >&6
- echo -n "There was an error decrypting ${dev} ... Retry? [Y/n] " >&6
- read answer
-
- if [ "$(echo "${answer}" | cut -b1 | tr A-Z a-z)" = "n" ]
- then
- break
- fi
- done
+ elif echo ${PERSISTENT_ENCRYPTION} | grep -qwv none
+ then
+ # skip $dev since we don't allow unencrypted storage
+ continue
 fi
 if echo ${PERSISTENT_STORAGE} | grep -qw filesystem
--
2.1.4
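Review bot: The two list tests in this hunk, `echo ${PERSISTENT_ENCRYPTION} | grep -qw luks` and `grep -qwv none`, match on grep word boundaries rather than on comma-separated tokens, and nothing visible checks the value against the documented set {none, luks}. Because `-w` treats characters such as `-` as word breaks, a value like `no-luks` still counts as containing `luks`, and a misspelt type falls into the `elif` branch and skips every device without a log line. That outcome is fail-closed, which is the right direction for an encryption policy, but it is silent; I would match exact tokens, e.g. `case ",${PERSISTENT_ENCRYPTION}," in *,luks,*) ... ;; esac`, and have Arguments () emit a `log_warning_msg` for an unknown TYPE. The same unquoted `echo ... | grep -qw luks` test appears in the scripts/live hunk, and quoting the expansion there and `"${dev}"` in the `cryptsetup isLuks` call would also stop word splitting and globbing of what is presumably a boot-parameter value. find_persistent_media () starts and ends outside this hunk.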