[thirdparty/systemd.git] / src / cryptsetup / cryptsetup.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <string.h>
#include <errno.h>
#include <sys/mman.h>
#include <mntent.h>

#include <libcryptsetup.h>
#include <libudev.h>

#include "log.h"
#include "util.h"
#include "strv.h"
#include "ask-password-api.h"
#include "def.h"

static const char *opt_type = NULL; /* LUKS1 or PLAIN */
static char *opt_cipher = NULL;
static unsigned opt_key_size = 0;
static char *opt_hash = NULL;
static unsigned opt_tries = 0;
static bool opt_readonly = false;
static bool opt_verify = false;
static usec_t opt_timeout = DEFAULT_TIMEOUT_USEC;

/* Options Debian's crypttab knows we don't:

    offset=
    skip=
    precheck=
    check=
    checkargs=
    noearly=
    loud=
    keyscript=
*/

static int parse_one_option(const char *option) {
        assert(option);

        /* Handled outside of this tool */
        if (streq(option, "noauto"))
                return 0;

        if (startswith(option, "cipher=")) {
                char *t;

                if (!(t = strdup(option+7)))
                        return -ENOMEM;

                free(opt_cipher);
                opt_cipher = t;

        } else if (startswith(option, "size=")) {

                if (safe_atou(option+5, &opt_key_size) < 0) {
                        log_error("size= parse failure, ignoring.");
                        return 0;
                }

        } else if (startswith(option, "hash=")) {
                char *t;

                if (!(t = strdup(option+5)))
                        return -ENOMEM;

                free(opt_hash);
                opt_hash = t;

        } else if (startswith(option, "tries=")) {

                if (safe_atou(option+6, &opt_tries) < 0) {
                        log_error("tries= parse failure, ignoring.");
                        return 0;
                }

        } else if (streq(option, "readonly"))
                opt_readonly = true;
        else if (streq(option, "verify"))
                opt_verify = true;
        else if (streq(option, "luks"))
                opt_type = CRYPT_LUKS1;
        else if (streq(option, "plain") ||
                 streq(option, "swap") ||
                 streq(option, "tmp"))
                opt_type = CRYPT_PLAIN;
        else if (startswith(option, "timeout=")) {

                if (parse_usec(option+8, &opt_timeout) < 0) {
                        log_error("timeout= parse failure, ignoring.");
                        return 0;
                }

        } else if (!streq(option, "none"))
                log_error("Encountered unknown /etc/crypttab option '%s', ignoring.", option);

        return 0;
}

static int parse_options(const char *options) {
        char *state;
        char *w;
        size_t l;

        assert(options);

        FOREACH_WORD_SEPARATOR(w, l, options, ",", state) {
                char *o;
                int r;

                if (!(o = strndup(w, l)))
                        return -ENOMEM;

                r = parse_one_option(o);
                free(o);

                if (r < 0)
                        return r;
        }

        return 0;
}

static void log_glue(int level, const char *msg, void *usrptr) {
        log_debug("%s", msg);
}

static char *disk_description(const char *path) {
        struct udev *udev = NULL;
        struct udev_device *device = NULL;
        struct stat st;
        char *description = NULL;
        const char *model;

        assert(path);

        if (stat(path, &st) < 0)
                return NULL;

        if (!S_ISBLK(st.st_mode))
                return NULL;

        if (!(udev = udev_new()))
                return NULL;

        if (!(device = udev_device_new_from_devnum(udev, 'b', st.st_rdev)))
                goto finish;

        if ((model = udev_device_get_property_value(device, "ID_MODEL_FROM_DATABASE")) ||
            (model = udev_device_get_property_value(device, "ID_MODEL")) ||
            (model = udev_device_get_property_value(device, "DM_NAME")))
                description = strdup(model);

finish:
        if (device)
                udev_device_unref(device);

        if (udev)
                udev_unref(udev);

        return description;
}

static char *disk_mount_point(const char *label) {
        char *mp = NULL, *device = NULL;
        FILE *f = NULL;
        struct mntent *m;

        /* Yeah, we don't support native systemd unit files here for now */

        if (asprintf(&device, "/dev/mapper/%s", label) < 0)
                goto finish;

        if (!(f = setmntent("/etc/fstab", "r")))
                goto finish;

        while ((m = getmntent(f)))
                if (path_equal(m->mnt_fsname, device)) {
                        mp = strdup(m->mnt_dir);
                        break;
                }

finish:
        if (f)
                endmntent(f);

        free(device);

        return mp;
}

static int help(void) {

        printf("%s attach VOLUME SOURCEDEVICE [PASSWORD] [OPTIONS]\n"
               "%s detach VOLUME\n\n"
               "Attaches or detaches an encrypted block device.\n",
               program_invocation_short_name,
               program_invocation_short_name);

        return 0;
}

int main(int argc, char *argv[]) {
        int r = EXIT_FAILURE;
        struct crypt_device *cd = NULL;
        char **passwords = NULL, *truncated_cipher = NULL;
        const char *cipher = NULL, *cipher_mode = NULL, *hash = NULL, *name = NULL;
        char *description = NULL, *name_buffer = NULL, *mount_point = NULL;
        unsigned keyfile_size = 0;

        if (argc <= 1) {
                help();
                return EXIT_SUCCESS;
        }

        if (argc < 3) {
                log_error("This program requires at least two arguments.");
                return EXIT_FAILURE;
        }

        log_set_target(LOG_TARGET_AUTO);
        log_parse_environment();
        log_open();

        umask(0022);

        if (streq(argv[1], "attach")) {
                uint32_t flags = 0;
                int k;
                unsigned try;
                const char *key_file = NULL;
                usec_t until;
                crypt_status_info status;

                /* Arguments: systemd-cryptsetup attach VOLUME SOURCE-DEVICE [PASSWORD] [OPTIONS] */

                if (argc < 4) {
                        log_error("attach requires at least two arguments.");
                        goto finish;
                }

                if (argc >= 5 &&
                    argv[4][0] &&
                    !streq(argv[4], "-") &&
                    !streq(argv[4], "none")) {

                        if (!path_is_absolute(argv[4]))
                                log_error("Password file path %s is not absolute. Ignoring.", argv[4]);
                        else
                                key_file = argv[4];
                }

                if (argc >= 6 && argv[5][0] && !streq(argv[5], "-"))
                        parse_options(argv[5]);

                /* A delicious drop of snake oil */
                mlockall(MCL_FUTURE);

                description = disk_description(argv[3]);
                mount_point = disk_mount_point(argv[2]);

                if (description && streq(argv[2], description)) {
                        /* If the description string is simply the
                         * volume name, then let's not show this
                         * twice */
                        free(description);
                        description = NULL;
                }

                if (mount_point && description)
                        asprintf(&name_buffer, "%s (%s) on %s", description, argv[2], mount_point);
                else if (mount_point)
                        asprintf(&name_buffer, "%s on %s", argv[2], mount_point);
                else if (description)
                        asprintf(&name_buffer, "%s (%s)", description, argv[2]);

                name = name_buffer ? name_buffer : argv[2];

                if ((k = crypt_init(&cd, argv[3]))) {
                        log_error("crypt_init() failed: %s", strerror(-k));
                        goto finish;
                }

                crypt_set_log_callback(cd, log_glue, NULL);

                status = crypt_status(cd, argv[2]);
                if (status == CRYPT_ACTIVE || status == CRYPT_BUSY) {
                        log_info("Volume %s already active.", argv[2]);
                        r = EXIT_SUCCESS;
                        goto finish;
                }

                if (opt_readonly)
                        flags |= CRYPT_ACTIVATE_READONLY;

                if (opt_timeout > 0)
                        until = now(CLOCK_MONOTONIC) + opt_timeout;
                else
                        until = 0;

                opt_tries = opt_tries > 0 ? opt_tries : 3;
                opt_key_size = (opt_key_size > 0 ? opt_key_size : 256);
                hash = opt_hash ? opt_hash : "ripemd160";

                if (opt_cipher) {
                        size_t l;

                        l = strcspn(opt_cipher, "-");

                        if (!(truncated_cipher = strndup(opt_cipher, l))) {
                                log_error("Out of memory");
                                goto finish;
                        }

                        cipher = truncated_cipher;
                        cipher_mode = opt_cipher[l] ? opt_cipher+l+1 : "plain";
                } else {
                        cipher = "aes";
                        cipher_mode = "cbc-essiv:sha256";
                }

                for (try = 0; try < opt_tries; try++) {
                        bool pass_volume_key = false;

                        strv_free(passwords);
                        passwords = NULL;

                        if (!key_file) {
                                char *text;
                                char **p;

                                if (asprintf(&text, "Please enter passphrase for disk %s!", name) < 0) {
                                        log_error("Out of memory");
                                        goto finish;
                                }

                                k = ask_password_auto(text, "drive-harddisk", until, try == 0 && !opt_verify, &passwords);
                                free(text);

                                if (k < 0) {
                                        log_error("Failed to query password: %s", strerror(-k));
                                        goto finish;
                                }

                                if (opt_verify) {
                                        char **passwords2 = NULL;

                                        assert(strv_length(passwords) == 1);

                                        if (asprintf(&text, "Please enter passphrase for disk %s! (verification)", name) < 0) {
                                                log_error("Out of memory");
                                                goto finish;
                                        }

                                        k = ask_password_auto(text, "drive-harddisk", until, false, &passwords2);
                                        free(text);

                                        if (k < 0) {
                                                log_error("Failed to query verification password: %s", strerror(-k));
                                                goto finish;
                                        }

                                        assert(strv_length(passwords2) == 1);

                                        if (!streq(passwords[0], passwords2[0])) {
                                                log_warning("Passwords did not match, retrying.");
                                                strv_free(passwords2);
                                                continue;
                                        }

                                        strv_free(passwords2);
                                }

                                strv_uniq(passwords);

                                STRV_FOREACH(p, passwords) {
                                        char *c;

                                        if (strlen(*p)+1 >= opt_key_size)
                                                continue;

                                        /* Pad password if necessary */
                                        if (!(c = new(char, opt_key_size))) {
                                                log_error("Out of memory.");
                                                goto finish;
                                        }

                                        strncpy(c, *p, opt_key_size);
                                        free(*p);
                                        *p = c;
                                }
                        }

                        k = 0;

                        if (!opt_type || streq(opt_type, CRYPT_LUKS1))
                                k = crypt_load(cd, CRYPT_LUKS1, NULL);

                        if ((!opt_type && k < 0) || streq_ptr(opt_type, CRYPT_PLAIN)) {
                                struct crypt_params_plain params;

                                zero(params);
                                params.hash = hash;

                                /* In contrast to what the name
                                 * crypt_setup() might suggest this
                                 * doesn't actually format anything,
                                 * it just configures encryption
                                 * parameters when used for plain
                                 * mode. */
                                k = crypt_format(cd, CRYPT_PLAIN,
                                                 cipher,
                                                 cipher_mode,
                                                 NULL,
                                                 NULL,
                                                 opt_key_size / 8,
                                                 &params);

                                pass_volume_key = streq(hash, "plain");

                               /* for CRYPT_PLAIN limit reads
                                * from keyfile to key length */
                                keyfile_size = opt_key_size / 8;
                        }

                        if (k < 0) {
                                log_error("Loading of cryptographic parameters failed: %s", strerror(-k));
                                goto finish;
                        }

                        log_info("Set cipher %s, mode %s, key size %i bits for device %s.",
                                 crypt_get_cipher(cd),
                                 crypt_get_cipher_mode(cd),
                                 crypt_get_volume_key_size(cd)*8,
                                 argv[3]);

                        if (key_file)
                                k = crypt_activate_by_keyfile(cd, argv[2], CRYPT_ANY_SLOT, key_file, keyfile_size, flags);
                        else {
                                char **p;

                                STRV_FOREACH(p, passwords) {

                                        if (pass_volume_key)
                                                k = crypt_activate_by_volume_key(cd, argv[2], *p, opt_key_size, flags);
                                        else
                                                k = crypt_activate_by_passphrase(cd, argv[2], CRYPT_ANY_SLOT, *p, strlen(*p), flags);

                                        if (k >= 0)
                                                break;
                                }
                        }

                        if (k >= 0)
                                break;

                        if (k != -EPERM) {
                                log_error("Failed to activate: %s", strerror(-k));
                                goto finish;
                        }

                        log_warning("Invalid passphrase.");
                }

                if (try >= opt_tries) {
                        log_error("Too many attempts.");
                        r = EXIT_FAILURE;
                        goto finish;
                }

        } else if (streq(argv[1], "detach")) {
                int k;

                if ((k = crypt_init_by_name(&cd, argv[2]))) {
                        log_error("crypt_init() failed: %s", strerror(-k));
                        goto finish;
                }

                crypt_set_log_callback(cd, log_glue, NULL);

                if ((k = crypt_deactivate(cd, argv[2])) < 0) {
                        log_error("Failed to deactivate: %s", strerror(-k));
                        goto finish;
                }

        } else {
                log_error("Unknown verb %s.", argv[1]);
                goto finish;
        }

        r = EXIT_SUCCESS;

finish:

        if (cd)
                crypt_free(cd);

        free(opt_cipher);
        free(opt_hash);

        free(truncated_cipher);

        strv_free(passwords);

        free(description);
        free(mount_point);
        free(name_buffer);

        return r;
}
Commit	Line	Data
e23a0ce8 LP	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
	2
	3	/***
	4	This file is part of systemd.
	5
	6	Copyright 2010 Lennart Poettering
	7
	8	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	9	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	10	the Free Software Foundation; either version 2.1 of the License, or
e23a0ce8 LP	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	16	Lesser General Public License for more details.
e23a0ce8	17
5430f7f2	18	You should have received a copy of the GNU Lesser General Public License
e23a0ce8 LP	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
	22	#include <string.h>
7f4e0805	23	#include <errno.h>
b853f6e9	24	#include <sys/mman.h>
b61e476f	25	#include <mntent.h>
7f4e0805 LP	26
7f4e0805 LP	27	#include <libcryptsetup.h>
b1a2da0a	28	#include <libudev.h>
e23a0ce8 LP	29
	30	#include "log.h"
	31	#include "util.h"
21bc923a	32	#include "strv.h"
7f4e0805	33	#include "ask-password-api.h"
f6a6225e	34	#include "def.h"
7f4e0805	35
260ab287	36	static const char opt_type = NULL; / LUKS1 or PLAIN */
7f4e0805	37	static char *opt_cipher = NULL;
260ab287	38	static unsigned opt_key_size = 0;
7f4e0805	39	static char *opt_hash = NULL;
260ab287	40	static unsigned opt_tries = 0;
7f4e0805 LP	41	static bool opt_readonly = false;
7f4e0805 LP	42	static bool opt_verify = false;
90724929	43	static usec_t opt_timeout = DEFAULT_TIMEOUT_USEC;
7f4e0805	44
1fc76335 LP	45	/* Options Debian's crypttab knows we don't:
	46
	47	offset=
	48	skip=
	49	precheck=
	50	check=
	51	checkargs=
	52	noearly=
	53	loud=
	54	keyscript=
	55	*/
	56
7f4e0805 LP	57	static int parse_one_option(const char *option) {
	58	assert(option);
	59
	60	/* Handled outside of this tool */
260ab287	61	if (streq(option, "noauto"))
7f4e0805 LP	62	return 0;
	63
	64	if (startswith(option, "cipher=")) {
	65	char *t;
	66
	67	if (!(t = strdup(option+7)))
	68	return -ENOMEM;
	69
	70	free(opt_cipher);
	71	opt_cipher = t;
	72
	73	} else if (startswith(option, "size=")) {
	74
260ab287	75	if (safe_atou(option+5, &opt_key_size) < 0) {
7f4e0805 LP	76	log_error("size= parse failure, ignoring.");
	77	return 0;
	78	}
	79
	80	} else if (startswith(option, "hash=")) {
	81	char *t;
	82
	83	if (!(t = strdup(option+5)))
	84	return -ENOMEM;
	85
	86	free(opt_hash);
	87	opt_hash = t;
	88
	89	} else if (startswith(option, "tries=")) {
	90
	91	if (safe_atou(option+6, &opt_tries) < 0) {
	92	log_error("tries= parse failure, ignoring.");
	93	return 0;
	94	}
	95
	96	} else if (streq(option, "readonly"))
	97	opt_readonly = true;
	98	else if (streq(option, "verify"))
	99	opt_verify = true;
260ab287 LP	100	else if (streq(option, "luks"))
	101	opt_type = CRYPT_LUKS1;
	102	else if (streq(option, "plain") \|\|
	103	streq(option, "swap") \|\|
	104	streq(option, "tmp"))
	105	opt_type = CRYPT_PLAIN;
7f4e0805 LP	106	else if (startswith(option, "timeout=")) {
7f4e0805 LP	107
260ab287	108	if (parse_usec(option+8, &opt_timeout) < 0) {
7f4e0805 LP	109	log_error("timeout= parse failure, ignoring.");
	110	return 0;
	111	}
	112
41e6f28a	113	} else if (!streq(option, "none"))
7f4e0805 LP	114	log_error("Encountered unknown /etc/crypttab option '%s', ignoring.", option);
	115
	116	return 0;
	117	}
	118
	119	static int parse_options(const char *options) {
	120	char *state;
	121	char *w;
	122	size_t l;
	123
	124	assert(options);
	125
	126	FOREACH_WORD_SEPARATOR(w, l, options, ",", state) {
	127	char *o;
	128	int r;
	129
	130	if (!(o = strndup(w, l)))
	131	return -ENOMEM;
	132
	133	r = parse_one_option(o);
	134	free(o);
	135
	136	if (r < 0)
	137	return r;
	138	}
	139
	140	return 0;
	141	}
	142
	143	static void log_glue(int level, const char msg, void usrptr) {
260ab287	144	log_debug("%s", msg);
7f4e0805	145	}
e23a0ce8	146
b1a2da0a LP	147	static char disk_description(const char path) {
	148	struct udev *udev = NULL;
	149	struct udev_device *device = NULL;
	150	struct stat st;
	151	char *description = NULL;
	152	const char *model;
	153
	154	assert(path);
	155
	156	if (stat(path, &st) < 0)
	157	return NULL;
	158
	159	if (!S_ISBLK(st.st_mode))
	160	return NULL;
	161
	162	if (!(udev = udev_new()))
	163	return NULL;
	164
	165	if (!(device = udev_device_new_from_devnum(udev, 'b', st.st_rdev)))
	166	goto finish;
	167
	168	if ((model = udev_device_get_property_value(device, "ID_MODEL_FROM_DATABASE")) \|\|
b61e476f LP	169	(model = udev_device_get_property_value(device, "ID_MODEL")) \|\|
b61e476f LP	170	(model = udev_device_get_property_value(device, "DM_NAME")))
b1a2da0a LP	171	description = strdup(model);
	172
	173	finish:
	174	if (device)
	175	udev_device_unref(device);
	176
	177	if (udev)
	178	udev_unref(udev);
	179
	180	return description;
	181	}
	182
b61e476f LP	183	static char disk_mount_point(const char label) {
	184	char mp = NULL, device = NULL;
	185	FILE *f = NULL;
	186	struct mntent *m;
	187
	188	/* Yeah, we don't support native systemd unit files here for now */
	189
	190	if (asprintf(&device, "/dev/mapper/%s", label) < 0)
	191	goto finish;
	192
	193	if (!(f = setmntent("/etc/fstab", "r")))
	194	goto finish;
	195
	196	while ((m = getmntent(f)))
	197	if (path_equal(m->mnt_fsname, device)) {
	198	mp = strdup(m->mnt_dir);
	199	break;
	200	}
	201
	202	finish:
	203	if (f)
	204	endmntent(f);
	205
	206	free(device);
	207
	208	return mp;
	209	}
	210
dd5e696d LP	211	static int help(void) {
	212
	213	printf("%s attach VOLUME SOURCEDEVICE [PASSWORD] [OPTIONS]\n"
	214	"%s detach VOLUME\n\n"
	215	"Attaches or detaches an encrypted block device.\n",
	216	program_invocation_short_name,
	217	program_invocation_short_name);
	218
	219	return 0;
	220	}
	221
e23a0ce8	222	int main(int argc, char *argv[]) {
7f4e0805 LP	223	int r = EXIT_FAILURE;
7f4e0805 LP	224	struct crypt_device *cd = NULL;
21bc923a	225	char *passwords = NULL, truncated_cipher = NULL;
b1a2da0a	226	const char cipher = NULL, cipher_mode = NULL, hash = NULL, name = NULL;
b61e476f	227	char description = NULL, name_buffer = NULL, *mount_point = NULL;
2d745456	228	unsigned keyfile_size = 0;
e23a0ce8	229
dd5e696d LP	230	if (argc <= 1) {
	231	help();
	232	return EXIT_SUCCESS;
	233	}
	234
e23a0ce8 LP	235	if (argc < 3) {
	236	log_error("This program requires at least two arguments.");
	237	return EXIT_FAILURE;
	238	}
	239
bb7df0da	240	log_set_target(LOG_TARGET_AUTO);
e23a0ce8 LP	241	log_parse_environment();
	242	log_open();
	243
4c12626c LP	244	umask(0022);
4c12626c LP	245
260ab287	246	if (streq(argv[1], "attach")) {
7f4e0805 LP	247	uint32_t flags = 0;
7f4e0805 LP	248	int k;
260ab287	249	unsigned try;
7f4e0805	250	const char *key_file = NULL;
260ab287	251	usec_t until;
e2d480b9	252	crypt_status_info status;
7f4e0805	253
b61e476f LP	254	/* Arguments: systemd-cryptsetup attach VOLUME SOURCE-DEVICE [PASSWORD] [OPTIONS] */
b61e476f LP	255
7f4e0805 LP	256	if (argc < 4) {
	257	log_error("attach requires at least two arguments.");
	258	goto finish;
	259	}
	260
1fc76335 LP	261	if (argc >= 5 &&
	262	argv[4][0] &&
	263	!streq(argv[4], "-") &&
	264	!streq(argv[4], "none")) {
7f4e0805 LP	265
	266	if (!path_is_absolute(argv[4]))
	267	log_error("Password file path %s is not absolute. Ignoring.", argv[4]);
	268	else
	269	key_file = argv[4];
	270	}
	271
	272	if (argc >= 6 && argv[5][0] && !streq(argv[5], "-"))
	273	parse_options(argv[5]);
e23a0ce8	274
b853f6e9 LP	275	/* A delicious drop of snake oil */
	276	mlockall(MCL_FUTURE);
	277
b1a2da0a	278	description = disk_description(argv[3]);
b61e476f LP	279	mount_point = disk_mount_point(argv[2]);
	280
	281	if (description && streq(argv[2], description)) {
	282	/* If the description string is simply the
	283	* volume name, then let's not show this
	284	* twice */
	285	free(description);
	286	description = NULL;
	287	}
	288
	289	if (mount_point && description)
	290	asprintf(&name_buffer, "%s (%s) on %s", description, argv[2], mount_point);
	291	else if (mount_point)
	292	asprintf(&name_buffer, "%s on %s", argv[2], mount_point);
	293	else if (description)
	294	asprintf(&name_buffer, "%s (%s)", description, argv[2]);
	295
	296	name = name_buffer ? name_buffer : argv[2];
b1a2da0a	297
7f4e0805 LP	298	if ((k = crypt_init(&cd, argv[3]))) {
	299	log_error("crypt_init() failed: %s", strerror(-k));
	300	goto finish;
	301	}
e23a0ce8	302
7f4e0805	303	crypt_set_log_callback(cd, log_glue, NULL);
7f4e0805	304
260ab287 LP	305	status = crypt_status(cd, argv[2]);
	306	if (status == CRYPT_ACTIVE \|\| status == CRYPT_BUSY) {
	307	log_info("Volume %s already active.", argv[2]);
	308	r = EXIT_SUCCESS;
7f4e0805 LP	309	goto finish;
	310	}
	311
	312	if (opt_readonly)
	313	flags \|= CRYPT_ACTIVATE_READONLY;
	314
7dcda352 LP	315	if (opt_timeout > 0)
	316	until = now(CLOCK_MONOTONIC) + opt_timeout;
	317	else
	318	until = 0;
260ab287 LP	319
	320	opt_tries = opt_tries > 0 ? opt_tries : 3;
	321	opt_key_size = (opt_key_size > 0 ? opt_key_size : 256);
260ab287 LP	322	hash = opt_hash ? opt_hash : "ripemd160";
260ab287 LP	323
e2d480b9 LP	324	if (opt_cipher) {
	325	size_t l;
	326
	327	l = strcspn(opt_cipher, "-");
	328
	329	if (!(truncated_cipher = strndup(opt_cipher, l))) {
	330	log_error("Out of memory");
	331	goto finish;
	332	}
	333
	334	cipher = truncated_cipher;
	335	cipher_mode = opt_cipher[l] ? opt_cipher+l+1 : "plain";
	336	} else {
	337	cipher = "aes";
	338	cipher_mode = "cbc-essiv:sha256";
	339	}
	340
260ab287 LP	341	for (try = 0; try < opt_tries; try++) {
	342	bool pass_volume_key = false;
	343
21bc923a LP	344	strv_free(passwords);
21bc923a LP	345	passwords = NULL;
260ab287 LP	346
260ab287 LP	347	if (!key_file) {
494856b5	348	char *text;
21bc923a	349	char **p;
260ab287	350
1cd4a9f0	351	if (asprintf(&text, "Please enter passphrase for disk %s!", name) < 0) {
494856b5 LP	352	log_error("Out of memory");
	353	goto finish;
	354	}
	355
21bc923a	356	k = ask_password_auto(text, "drive-harddisk", until, try == 0 && !opt_verify, &passwords);
494856b5 LP	357	free(text);
	358
	359	if (k < 0) {
260ab287 LP	360	log_error("Failed to query password: %s", strerror(-k));
	361	goto finish;
	362	}
	363
	364	if (opt_verify) {
21bc923a LP	365	char **passwords2 = NULL;
	366
	367	assert(strv_length(passwords) == 1);
260ab287	368
1cd4a9f0	369	if (asprintf(&text, "Please enter passphrase for disk %s! (verification)", name) < 0) {
494856b5 LP	370	log_error("Out of memory");
	371	goto finish;
	372	}
	373
21bc923a	374	k = ask_password_auto(text, "drive-harddisk", until, false, &passwords2);
494856b5 LP	375	free(text);
	376
	377	if (k < 0) {
260ab287 LP	378	log_error("Failed to query verification password: %s", strerror(-k));
	379	goto finish;
	380	}
	381
21bc923a LP	382	assert(strv_length(passwords2) == 1);
	383
	384	if (!streq(passwords[0], passwords2[0])) {
260ab287	385	log_warning("Passwords did not match, retrying.");
21bc923a	386	strv_free(passwords2);
260ab287 LP	387	continue;
	388	}
	389
21bc923a	390	strv_free(passwords2);
260ab287 LP	391	}
260ab287 LP	392
b61e476f LP	393	strv_uniq(passwords);
b61e476f LP	394
21bc923a	395	STRV_FOREACH(p, passwords) {
260ab287 LP	396	char *c;
260ab287 LP	397
21bc923a LP	398	if (strlen(*p)+1 >= opt_key_size)
21bc923a LP	399	continue;
260ab287	400
21bc923a	401	/* Pad password if necessary */
260ab287 LP	402	if (!(c = new(char, opt_key_size))) {
	403	log_error("Out of memory.");
	404	goto finish;
	405	}
	406
21bc923a LP	407	strncpy(c, *p, opt_key_size);
	408	free(*p);
	409	*p = c;
260ab287 LP	410	}
	411	}
	412
7dcda352 LP	413	k = 0;
7dcda352 LP	414
260ab287 LP	415	if (!opt_type \|\| streq(opt_type, CRYPT_LUKS1))
	416	k = crypt_load(cd, CRYPT_LUKS1, NULL);
	417
	418	if ((!opt_type && k < 0) \|\| streq_ptr(opt_type, CRYPT_PLAIN)) {
	419	struct crypt_params_plain params;
	420
	421	zero(params);
	422	params.hash = hash;
	423
	424	/* In contrast to what the name
	425	* crypt_setup() might suggest this
	426	* doesn't actually format anything,
	427	* it just configures encryption
	428	* parameters when used for plain
	429	* mode. */
	430	k = crypt_format(cd, CRYPT_PLAIN,
	431	cipher,
	432	cipher_mode,
	433	NULL,
	434	NULL,
	435	opt_key_size / 8,
	436	&params);
	437
	438	pass_volume_key = streq(hash, "plain");
2d745456 MB	439
	440	/* for CRYPT_PLAIN limit reads
	441	* from keyfile to key length */
	442	keyfile_size = opt_key_size / 8;
260ab287 LP	443	}
	444
	445	if (k < 0) {
	446	log_error("Loading of cryptographic parameters failed: %s", strerror(-k));
	447	goto finish;
	448	}
	449
	450	log_info("Set cipher %s, mode %s, key size %i bits for device %s.",
	451	crypt_get_cipher(cd),
	452	crypt_get_cipher_mode(cd),
	453	crypt_get_volume_key_size(cd)*8,
	454	argv[3]);
	455
	456	if (key_file)
2d745456	457	k = crypt_activate_by_keyfile(cd, argv[2], CRYPT_ANY_SLOT, key_file, keyfile_size, flags);
21bc923a LP	458	else {
	459	char **p;
	460
	461	STRV_FOREACH(p, passwords) {
	462
	463	if (pass_volume_key)
	464	k = crypt_activate_by_volume_key(cd, argv[2], *p, opt_key_size, flags);
	465	else
	466	k = crypt_activate_by_passphrase(cd, argv[2], CRYPT_ANY_SLOT, p, strlen(p), flags);
	467
	468	if (k >= 0)
	469	break;
	470	}
	471	}
260ab287 LP	472
	473	if (k >= 0)
	474	break;
	475
	476	if (k != -EPERM) {
	477	log_error("Failed to activate: %s", strerror(-k));
	478	goto finish;
	479	}
	480
	481	log_warning("Invalid passphrase.");
7f4e0805 LP	482	}
7f4e0805 LP	483
260ab287 LP	484	if (try >= opt_tries) {
	485	log_error("Too many attempts.");
	486	r = EXIT_FAILURE;
bd40a2d8	487	goto finish;
7f4e0805 LP	488	}
	489
	490	} else if (streq(argv[1], "detach")) {
	491	int k;
	492
	493	if ((k = crypt_init_by_name(&cd, argv[2]))) {
	494	log_error("crypt_init() failed: %s", strerror(-k));
	495	goto finish;
	496	}
	497
	498	crypt_set_log_callback(cd, log_glue, NULL);
	499
	500	if ((k = crypt_deactivate(cd, argv[2])) < 0) {
	501	log_error("Failed to deactivate: %s", strerror(-k));
	502	goto finish;
	503	}
e23a0ce8 LP	504
	505	} else {
	506	log_error("Unknown verb %s.", argv[1]);
	507	goto finish;
	508	}
	509
7f4e0805 LP	510	r = EXIT_SUCCESS;
7f4e0805 LP	511
e23a0ce8	512	finish:
7f4e0805 LP	513
	514	if (cd)
	515	crypt_free(cd);
	516
260ab287	517	free(opt_cipher);
260ab287 LP	518	free(opt_hash);
260ab287 LP	519
e2d480b9 LP	520	free(truncated_cipher);
e2d480b9 LP	521
21bc923a	522	strv_free(passwords);
260ab287	523
b1a2da0a	524	free(description);
b61e476f LP	525	free(mount_point);
b61e476f LP	526	free(name_buffer);
b1a2da0a	527
e23a0ce8 LP	528	return r;
e23a0ce8 LP	529	}