]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/cryptsetup/cryptsetup.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
cryptsetup: minor coding style clean-ups
[thirdparty/systemd.git] / src / cryptsetup / cryptsetup.c
CommitLineData
53e1b683 1/* SPDX-License-Identifier: LGPL-2.1+ */
e23a0ce8 2
7f4e0805 3#include <errno.h>
07630cea 4#include <mntent.h>
07630cea 5#include <sys/mman.h>
ca78ad1d
ZJS		 6#include <sys/stat.h>
7#include <sys/types.h>
8#include <unistd.h>
e23a0ce8 9
4f5dd394
LP		 10#include "sd-device.h"
11
b5efdb8a 12#include "alloc-util.h"
4f5dd394 13#include "ask-password-api.h"
294bd454 14#include "crypt-util.h"
4f5dd394
LP		 15#include "device-util.h"
16#include "escape.h"
8cf3ca80 17#include "fileio.h"
ed4ad488 18#include "fstab-util.h"
e23a0ce8 19#include "log.h"
3a40f366 20#include "main-func.h"
4349cd7c 21#include "mount-util.h"
d8b4d14d 22#include "nulstr-util.h"
6bedfcbb 23#include "parse-util.h"
9eb977db 24#include "path-util.h"
d8b4d14d 25#include "pretty-print.h"
07630cea 26#include "string-util.h"
21bc923a 27#include "strv.h"
7f4e0805 28
b3b4ebab
OK		 29/* internal helper */
30#define ANY_LUKS "LUKS"
a9fc6406
DJL		 31/* as in src/cryptsetup.h */
32#define CRYPT_SECTOR_SIZE 512
33#define CRYPT_MAX_SECTOR_SIZE 4096
b3b4ebab
OK		 34
35static const char *arg_type = NULL; /* ANY_LUKS, CRYPT_LUKS1, CRYPT_LUKS2, CRYPT_TCRYPT or CRYPT_PLAIN */
f75cac37
LP		 36static char *arg_cipher = NULL;
37static unsigned arg_key_size = 0;
a9fc6406 38static unsigned arg_sector_size = CRYPT_SECTOR_SIZE;
f75cac37
LP		 39static int arg_key_slot = CRYPT_ANY_SLOT;
40static unsigned arg_keyfile_size = 0;
dc0a3555 41static uint64_t arg_keyfile_offset = 0;
f75cac37 42static char *arg_hash = NULL;
7376e835 43static char *arg_header = NULL;
f75cac37
LP		 44static unsigned arg_tries = 3;
45static bool arg_readonly = false;
46static bool arg_verify = false;
47static bool arg_discards = false;
2c65512e
YW		 48static bool arg_same_cpu_crypt = false;
49static bool arg_submit_from_crypt_cpus = false;
f75cac37
LP		 50static bool arg_tcrypt_hidden = false;
51static bool arg_tcrypt_system = false;
52028838 52static bool arg_tcrypt_veracrypt = false;
f75cac37 53static char **arg_tcrypt_keyfiles = NULL;
4eac2773
MP		 54static uint64_t arg_offset = 0;
55static uint64_t arg_skip = 0;
0864d311 56static usec_t arg_timeout = USEC_INFINITY;
7f4e0805 57
3a40f366
YW		 58STATIC_DESTRUCTOR_REGISTER(arg_cipher, freep);
59STATIC_DESTRUCTOR_REGISTER(arg_hash, freep);
60STATIC_DESTRUCTOR_REGISTER(arg_header, freep);
61STATIC_DESTRUCTOR_REGISTER(arg_tcrypt_keyfiles, strv_freep);
62
1fc76335
LP		 63/* Options Debian's crypttab knows we don't:
64
1fc76335
LP		 65 precheck=
66 check=
67 checkargs=
68 noearly=
69 loud=
70 keyscript=
71*/
72
7f4e0805 73static int parse_one_option(const char *option) {
fb4650aa
ZJS		 74 const char *val;
75 int r;
76
7f4e0805
LP		 77 assert(option);
78
79 /* Handled outside of this tool */
50d2eba2 80 if (STR_IN_SET(option, "noauto", "auto", "nofail", "fail", "_netdev", "keyfile-timeout"))
81 return 0;
82
83 if (startswith(option, "keyfile-timeout="))
7f4e0805
LP		 84 return 0;
85
fb4650aa
ZJS		 86 if ((val = startswith(option, "cipher="))) {
87 r = free_and_strdup(&arg_cipher, val);
88 if (r < 0)
4b93637f 89 return log_oom();
7f4e0805 90
fb4650aa 91 } else if ((val = startswith(option, "size="))) {
7f4e0805 92
fb4650aa
ZJS		 93 r = safe_atou(val, &arg_key_size);
94 if (r < 0) {
95 log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
7f4e0805
LP		 96 return 0;
97 }
98
6131a78b
DH		 99 if (arg_key_size % 8) {
100 log_error("size= not a multiple of 8, ignoring.");
101 return 0;
102 }
103
104 arg_key_size /= 8;
105
a9fc6406
DJL		 106 } else if ((val = startswith(option, "sector-size="))) {
107
a9fc6406
DJL		 108 r = safe_atou(val, &arg_sector_size);
109 if (r < 0) {
110 log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
111 return 0;
112 }
113
114 if (arg_sector_size % 2) {
115 log_error("sector-size= not a multiple of 2, ignoring.");
116 return 0;
117 }
118
119 if (arg_sector_size < CRYPT_SECTOR_SIZE || arg_sector_size > CRYPT_MAX_SECTOR_SIZE) {
120 log_error("sector-size= is outside of %u and %u, ignoring.", CRYPT_SECTOR_SIZE, CRYPT_MAX_SECTOR_SIZE);
121 return 0;
122 }
a9fc6406 123
fb4650aa 124 } else if ((val = startswith(option, "key-slot="))) {
b4a11878 125
b3b4ebab 126 arg_type = ANY_LUKS;
fb4650aa
ZJS		 127 r = safe_atoi(val, &arg_key_slot);
128 if (r < 0) {
129 log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
b4a11878
CS		 130 return 0;
131 }
132
fb4650aa 133 } else if ((val = startswith(option, "tcrypt-keyfile="))) {
8cf3ca80 134
f75cac37 135 arg_type = CRYPT_TCRYPT;
fb4650aa
ZJS		 136 if (path_is_absolute(val)) {
137 if (strv_extend(&arg_tcrypt_keyfiles, val) < 0)
4b93637f
LP		 138 return log_oom();
139 } else
fb4650aa 140 log_error("Key file path \"%s\" is not absolute. Ignoring.", val);
8cf3ca80 141
fb4650aa 142 } else if ((val = startswith(option, "keyfile-size="))) {
4271d823 143
fb4650aa
ZJS		 144 r = safe_atou(val, &arg_keyfile_size);
145 if (r < 0) {
146 log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
4271d823
TG		 147 return 0;
148 }
149
fb4650aa 150 } else if ((val = startswith(option, "keyfile-offset="))) {
880a599e 151
d90874b4 152 r = safe_atou64(val, &arg_keyfile_offset);
fb4650aa
ZJS		 153 if (r < 0) {
154 log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
880a599e
TG		 155 return 0;
156 }
157
fb4650aa
ZJS		 158 } else if ((val = startswith(option, "hash="))) {
159 r = free_and_strdup(&arg_hash, val);
160 if (r < 0)
4b93637f 161 return log_oom();
7f4e0805 162
fb4650aa 163 } else if ((val = startswith(option, "header="))) {
b3b4ebab 164 arg_type = ANY_LUKS;
7376e835 165
baaa35ad
ZJS		 166 if (!path_is_absolute(val))
167 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
168 "Header path \"%s\" is not absolute, refusing.", val);
7376e835 169
baaa35ad
ZJS		 170 if (arg_header)
171 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
172 "Duplicate header= option, refusing.");
7376e835 173
fb4650aa 174 arg_header = strdup(val);
7376e835
AC		 175 if (!arg_header)
176 return log_oom();
177
fb4650aa 178 } else if ((val = startswith(option, "tries="))) {
7f4e0805 179
fb4650aa
ZJS		 180 r = safe_atou(val, &arg_tries);
181 if (r < 0) {
182 log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
7f4e0805
LP		 183 return 0;
184 }
185
f75cac37
LP		 186 } else if (STR_IN_SET(option, "readonly", "read-only"))
187 arg_readonly = true;
7f4e0805 188 else if (streq(option, "verify"))
f75cac37
LP		 189 arg_verify = true;
190 else if (STR_IN_SET(option, "allow-discards", "discard"))
191 arg_discards = true;
2c65512e
YW		 192 else if (streq(option, "same-cpu-crypt"))
193 arg_same_cpu_crypt = true;
194 else if (streq(option, "submit-from-crypt-cpus"))
195 arg_submit_from_crypt_cpus = true;
260ab287 196 else if (streq(option, "luks"))
b3b4ebab 197 arg_type = ANY_LUKS;
8cf3ca80 198 else if (streq(option, "tcrypt"))
f75cac37 199 arg_type = CRYPT_TCRYPT;
8cf3ca80 200 else if (streq(option, "tcrypt-hidden")) {
f75cac37
LP		 201 arg_type = CRYPT_TCRYPT;
202 arg_tcrypt_hidden = true;
8cf3ca80 203 } else if (streq(option, "tcrypt-system")) {
f75cac37
LP		 204 arg_type = CRYPT_TCRYPT;
205 arg_tcrypt_system = true;
52028838 206 } else if (streq(option, "tcrypt-veracrypt")) {
52028838
GH		 207 arg_type = CRYPT_TCRYPT;
208 arg_tcrypt_veracrypt = true;
f75cac37
LP		 209 } else if (STR_IN_SET(option, "plain", "swap", "tmp"))
210 arg_type = CRYPT_PLAIN;
fb4650aa 211 else if ((val = startswith(option, "timeout="))) {
7f4e0805 212
0004f698 213 r = parse_sec_fix_0(val, &arg_timeout);
fb4650aa
ZJS		 214 if (r < 0) {
215 log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
7f4e0805
LP		 216 return 0;
217 }
218
fb4650aa 219 } else if ((val = startswith(option, "offset="))) {
4eac2773 220
fb4650aa
ZJS		 221 r = safe_atou64(val, &arg_offset);
222 if (r < 0)
223 return log_error_errno(r, "Failed to parse %s: %m", option);
4eac2773 224
fb4650aa 225 } else if ((val = startswith(option, "skip="))) {
4eac2773 226
fb4650aa
ZJS		 227 r = safe_atou64(val, &arg_skip);
228 if (r < 0)
229 return log_error_errno(r, "Failed to parse %s: %m", option);
4eac2773 230
41e6f28a 231 } else if (!streq(option, "none"))
fb4650aa 232 log_warning("Encountered unknown /etc/crypttab option '%s', ignoring.", option);
7f4e0805
LP		 233
234 return 0;
235}
236
237static int parse_options(const char *options) {
a2a5291b 238 const char *word, *state;
7f4e0805 239 size_t l;
74b1c371 240 int r;
7f4e0805
LP		 241
242 assert(options);
243
a2a5291b 244 FOREACH_WORD_SEPARATOR(word, l, options, ",", state) {
74b1c371 245 _cleanup_free_ char *o;
7f4e0805 246
a2a5291b 247 o = strndup(word, l);
74b1c371 248 if (!o)
7f4e0805 249 return -ENOMEM;
7f4e0805 250 r = parse_one_option(o);
7f4e0805
LP		 251 if (r < 0)
252 return r;
253 }
254
4eac2773 255 /* sanity-check options */
9c5253ff
LP		 256 if (arg_type && !streq(arg_type, CRYPT_PLAIN)) {
257 if (arg_offset != 0)
4eac2773 258 log_warning("offset= ignored with type %s", arg_type);
9c5253ff 259 if (arg_skip != 0)
4eac2773
MP		 260 log_warning("skip= ignored with type %s", arg_type);
261 }
262
7f4e0805
LP		 263 return 0;
264}
265
1ca208fb 266static char* disk_description(const char *path) {
f75cac37 267 static const char name_fields[] =
74b1c371
LP		 268 "ID_PART_ENTRY_NAME\0"
269 "DM_NAME\0"
270 "ID_MODEL_FROM_DATABASE\0"
f75cac37 271 "ID_MODEL\0";
74b1c371 272
4afd3348 273 _cleanup_(sd_device_unrefp) sd_device *device = NULL;
2c740afd 274 const char *i, *name;
b1a2da0a 275 struct stat st;
b1a2da0a
LP		 276
277 assert(path);
278
279 if (stat(path, &st) < 0)
280 return NULL;
281
282 if (!S_ISBLK(st.st_mode))
283 return NULL;
284
2c740afd 285 if (sd_device_new_from_devnum(&device, 'b', st.st_rdev) < 0)
1ca208fb 286 return NULL;
b1a2da0a 287
2c740afd
YW		 288 NULSTR_FOREACH(i, name_fields)
289 if (sd_device_get_property_value(device, i, &name) >= 0 &&
290 !isempty(name))
1ca208fb 291 return strdup(name);
b1a2da0a 292
1ca208fb 293 return NULL;
b1a2da0a
LP		 294}
295
b61e476f 296static char *disk_mount_point(const char *label) {
e7d90b71 297 _cleanup_free_ char *device = NULL;
5862d652 298 _cleanup_endmntent_ FILE *f = NULL;
b61e476f
LP		 299 struct mntent *m;
300
301 /* Yeah, we don't support native systemd unit files here for now */
302
303 if (asprintf(&device, "/dev/mapper/%s", label) < 0)
5862d652 304 return NULL;
b61e476f 305
ed4ad488 306 f = setmntent(fstab_path(), "re");
e0295d26 307 if (!f)
5862d652 308 return NULL;
b61e476f
LP		 309
310 while ((m = getmntent(f)))
5862d652
ZJS		 311 if (path_equal(m->mnt_fsname, device))
312 return strdup(m->mnt_dir);
b61e476f 313
5862d652 314 return NULL;
b61e476f
LP		 315}
316
1602b008 317static int get_password(const char *vol, const char *src, usec_t until, bool accept_cached, char ***ret) {
ea7e7c1e 318 _cleanup_free_ char *description = NULL, *name_buffer = NULL, *mount_point = NULL, *text = NULL, *disk_path = NULL;
ab84f5b9 319 _cleanup_strv_free_erase_ char **passwords = NULL;
e51b9486 320 const char *name = NULL;
e287086b
LP		 321 char **p, *id;
322 int r = 0;
e7d90b71 323
e51b9486
HH		 324 assert(vol);
325 assert(src);
1602b008 326 assert(ret);
e7d90b71 327
e51b9486
HH		 328 description = disk_description(src);
329 mount_point = disk_mount_point(vol);
330
ea7e7c1e
MS		 331 disk_path = cescape(src);
332 if (!disk_path)
333 return log_oom();
334
ece174c5 335 if (description && streq(vol, description))
e51b9486
HH		 336 /* If the description string is simply the
337 * volume name, then let's not show this
338 * twice */
97b11eed 339 description = mfree(description);
e51b9486
HH		 340
341 if (mount_point && description)
342 r = asprintf(&name_buffer, "%s (%s) on %s", description, vol, mount_point);
343 else if (mount_point)
344 r = asprintf(&name_buffer, "%s on %s", vol, mount_point);
345 else if (description)
346 r = asprintf(&name_buffer, "%s (%s)", description, vol);
347
348 if (r < 0)
349 return log_oom();
350
351 name = name_buffer ? name_buffer : vol;
352
a1c111c2 353 if (asprintf(&text, "Please enter passphrase for disk %s:", name) < 0)
e7d90b71
JJ		 354 return log_oom();
355
ea7e7c1e 356 id = strjoina("cryptsetup:", disk_path);
9fa1de96 357
ab84f5b9
ZJS		 358 r = ask_password_auto(text, "drive-harddisk", id, "cryptsetup", until,
359 ASK_PASSWORD_PUSH_CACHE | (accept_cached*ASK_PASSWORD_ACCEPT_CACHED),
360 &passwords);
23bbb0de
MS		 361 if (r < 0)
362 return log_error_errno(r, "Failed to query password: %m");
e7d90b71 363
f75cac37 364 if (arg_verify) {
ab84f5b9
ZJS		 365 _cleanup_strv_free_erase_ char **passwords2 = NULL;
366
1602b008 367 assert(strv_length(passwords) == 1);
e7d90b71 368
a1c111c2 369 if (asprintf(&text, "Please enter passphrase for disk %s (verification):", name) < 0)
ab84f5b9 370 return log_oom();
e7d90b71 371
ea7e7c1e 372 id = strjoina("cryptsetup-verification:", disk_path);
9fa1de96 373
e287086b 374 r = ask_password_auto(text, "drive-harddisk", id, "cryptsetup", until, ASK_PASSWORD_PUSH_CACHE, &passwords2);
ab84f5b9
ZJS		 375 if (r < 0)
376 return log_error_errno(r, "Failed to query verification password: %m");
e7d90b71
JJ		 377
378 assert(strv_length(passwords2) == 1);
379
1602b008 380 if (!streq(passwords[0], passwords2[0])) {
e7d90b71 381 log_warning("Passwords did not match, retrying.");
ab84f5b9 382 return -EAGAIN;
e7d90b71
JJ		 383 }
384 }
385
1602b008 386 strv_uniq(passwords);
e7d90b71 387
1602b008 388 STRV_FOREACH(p, passwords) {
e7d90b71
JJ		 389 char *c;
390
f75cac37 391 if (strlen(*p)+1 >= arg_key_size)
e7d90b71
JJ		 392 continue;
393
394 /* Pad password if necessary */
1602b008 395 c = new(char, arg_key_size);
ab84f5b9
ZJS		 396 if (!c)
397 return log_oom();
e7d90b71 398
f75cac37 399 strncpy(c, *p, arg_key_size);
d135419e 400 free_and_replace(*p, c);
e7d90b71
JJ		 401 }
402
ae2a15bc 403 *ret = TAKE_PTR(passwords);
1602b008 404
ab84f5b9 405 return 0;
e7d90b71
JJ		 406}
407
1602b008
LP		 408static int attach_tcrypt(
409 struct crypt_device *cd,
410 const char *name,
411 const char *key_file,
412 char **passwords,
413 uint32_t flags) {
414
8cf3ca80
JJ		 415 int r = 0;
416 _cleanup_free_ char *passphrase = NULL;
417 struct crypt_params_tcrypt params = {
418 .flags = CRYPT_TCRYPT_LEGACY_MODES,
f75cac37
LP		 419 .keyfiles = (const char **)arg_tcrypt_keyfiles,
420 .keyfiles_count = strv_length(arg_tcrypt_keyfiles)
8cf3ca80
JJ		 421 };
422
423 assert(cd);
424 assert(name);
f268f57f 425 assert(key_file || (passwords && passwords[0]));
8cf3ca80 426
f75cac37 427 if (arg_tcrypt_hidden)
8cf3ca80
JJ		 428 params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
429
f75cac37 430 if (arg_tcrypt_system)
8cf3ca80
JJ		 431 params.flags |= CRYPT_TCRYPT_SYSTEM_HEADER;
432
52028838
GH		 433 if (arg_tcrypt_veracrypt)
434 params.flags |= CRYPT_TCRYPT_VERA_MODES;
52028838 435
8cf3ca80
JJ		 436 if (key_file) {
437 r = read_one_line_file(key_file, &passphrase);
438 if (r < 0) {
da927ba9 439 log_error_errno(r, "Failed to read password file '%s': %m", key_file);
b7a0fead 440 return -EAGAIN; /* log with the actual error, but return EAGAIN */
8cf3ca80
JJ		 441 }
442
443 params.passphrase = passphrase;
444 } else
445 params.passphrase = passwords[0];
446 params.passphrase_size = strlen(params.passphrase);
447
448 r = crypt_load(cd, CRYPT_TCRYPT, &params);
449 if (r < 0) {
6f177c7d
LP		 450 if (key_file && r == -EPERM) {
451 log_error_errno(r, "Failed to activate using password file '%s'. (Key data not correct?)", key_file);
452 return -EAGAIN; /* log the actual error, but return EAGAIN */
453 }
454
455 return log_error_errno(r, "Failed to load tcrypt superblock on device %s: %m", crypt_get_device_name(cd));
8cf3ca80
JJ		 456 }
457
6f177c7d
LP		 458 r = crypt_activate_by_volume_key(cd, name, NULL, 0, flags);
459 if (r < 0)
460 return log_error_errno(r, "Failed to activate tcrypt device %s: %m", crypt_get_device_name(cd));
461
462 return 0;
8cf3ca80
JJ		 463}
464
9c5253ff
LP		 465static int attach_luks_or_plain(
466 struct crypt_device *cd,
467 const char *name,
468 const char *key_file,
469 char **passwords,
470 uint32_t flags) {
471
10fb4e35
JJ		 472 int r = 0;
473 bool pass_volume_key = false;
474
475 assert(cd);
476 assert(name);
477 assert(key_file || passwords);
478
2e4beb87 479 if ((!arg_type && !crypt_get_type(cd)) || streq_ptr(arg_type, CRYPT_PLAIN)) {
4eac2773
MP		 480 struct crypt_params_plain params = {
481 .offset = arg_offset,
482 .skip = arg_skip,
a9fc6406 483 .sector_size = arg_sector_size,
4eac2773 484 };
10fb4e35
JJ		 485 const char *cipher, *cipher_mode;
486 _cleanup_free_ char *truncated_cipher = NULL;
487
f75cac37 488 if (arg_hash) {
10fb4e35 489 /* plain isn't a real hash type. it just means "use no hash" */
f75cac37
LP		 490 if (!streq(arg_hash, "plain"))
491 params.hash = arg_hash;
8a52210c
ZJS		 492 } else if (!key_file)
493 /* for CRYPT_PLAIN, the behaviour of cryptsetup
494 * package is to not hash when a key file is provided */
10fb4e35
JJ		 495 params.hash = "ripemd160";
496
f75cac37 497 if (arg_cipher) {
10fb4e35
JJ		 498 size_t l;
499
f75cac37
LP		 500 l = strcspn(arg_cipher, "-");
501 truncated_cipher = strndup(arg_cipher, l);
10fb4e35
JJ		 502 if (!truncated_cipher)
503 return log_oom();
504
505 cipher = truncated_cipher;
f75cac37 506 cipher_mode = arg_cipher[l] ? arg_cipher+l+1 : "plain";
10fb4e35
JJ		 507 } else {
508 cipher = "aes";
509 cipher_mode = "cbc-essiv:sha256";
510 }
511
aed68083 512 /* for CRYPT_PLAIN limit reads from keyfile to key length, and ignore keyfile-size */
6131a78b 513 arg_keyfile_size = arg_key_size;
10fb4e35 514
30747265 515 /* In contrast to what the name crypt_format() might suggest this doesn't actually format
aed68083 516 * anything, it just configures encryption parameters when used for plain mode. */
1602b008 517 r = crypt_format(cd, CRYPT_PLAIN, cipher, cipher_mode, NULL, NULL, arg_keyfile_size, &params);
2e4beb87
MB		 518 if (r < 0)
519 return log_error_errno(r, "Loading of cryptographic parameters failed: %m");
10fb4e35
JJ		 520
521 /* hash == NULL implies the user passed "plain" */
522 pass_volume_key = (params.hash == NULL);
523 }
10fb4e35
JJ		 524
525 log_info("Set cipher %s, mode %s, key size %i bits for device %s.",
526 crypt_get_cipher(cd),
527 crypt_get_cipher_mode(cd),
528 crypt_get_volume_key_size(cd)*8,
529 crypt_get_device_name(cd));
530
531 if (key_file) {
d90874b4 532 r = crypt_activate_by_keyfile_device_offset(cd, name, arg_key_slot, key_file, arg_keyfile_size, arg_keyfile_offset, flags);
6f177c7d
LP		 533 if (r == -EPERM) {
534 log_error_errno(r, "Failed to activate with key file '%s'. (Key data incorrect?)", key_file);
535 return -EAGAIN; /* Log actual error, but return EAGAIN */
c20db388
RG		 536 }
537 if (r == -EINVAL) {
538 log_error_errno(r, "Failed to activate with key file '%s'. (Key file missing?)", key_file);
539 return -EAGAIN; /* Log actual error, but return EAGAIN */
10fb4e35 540 }
6f177c7d
LP		 541 if (r < 0)
542 return log_error_errno(r, "Failed to activate with key file '%s': %m", key_file);
9c5253ff 543
10fb4e35
JJ		 544 } else {
545 char **p;
546
6f177c7d 547 r = -EINVAL;
10fb4e35
JJ		 548 STRV_FOREACH(p, passwords) {
549 if (pass_volume_key)
f75cac37 550 r = crypt_activate_by_volume_key(cd, name, *p, arg_key_size, flags);
10fb4e35 551 else
f75cac37 552 r = crypt_activate_by_passphrase(cd, name, arg_key_slot, *p, strlen(*p), flags);
10fb4e35
JJ		 553 if (r >= 0)
554 break;
555 }
6f177c7d
LP		 556 if (r == -EPERM) {
557 log_error_errno(r, "Failed to activate with specified passphrase. (Passphrase incorrect?)");
558 return -EAGAIN; /* log actual error, but return EAGAIN */
559 }
560 if (r < 0)
561 return log_error_errno(r, "Failed to activate with specified passphrase: %m");
10fb4e35
JJ		 562 }
563
564 return r;
565}
566
dd5e696d 567static int help(void) {
37ec0fdd
LP		 568 _cleanup_free_ char *link = NULL;
569 int r;
570
571 r = terminal_urlify_man("systemd-cryptsetup@.service", "8", &link);
572 if (r < 0)
573 return log_oom();
dd5e696d
LP		 574
575 printf("%s attach VOLUME SOURCEDEVICE [PASSWORD] [OPTIONS]\n"
576 "%s detach VOLUME\n\n"
37ec0fdd
LP		 577 "Attaches or detaches an encrypted block device.\n"
578 "\nSee the %s for details.\n"
579 , program_invocation_short_name
580 , program_invocation_short_name
581 , link
582 );
dd5e696d
LP		 583
584 return 0;
585}
586
d5d1ae15
LP		 587static uint32_t determine_flags(void) {
588 uint32_t flags = 0;
589
590 if (arg_readonly)
591 flags |= CRYPT_ACTIVATE_READONLY;
592
593 if (arg_discards)
594 flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
595
596 if (arg_same_cpu_crypt)
597 flags |= CRYPT_ACTIVATE_SAME_CPU_CRYPT;
598
599 if (arg_submit_from_crypt_cpus)
600 flags |= CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS;
601
602 return flags;
603}
604
3a40f366 605static int run(int argc, char *argv[]) {
294bd454 606 _cleanup_(crypt_freep) struct crypt_device *cd = NULL;
3a40f366 607 int r;
e23a0ce8 608
3a40f366
YW		 609 if (argc <= 1)
610 return help();
dd5e696d 611
e23a0ce8
LP		 612 if (argc < 3) {
613 log_error("This program requires at least two arguments.");
3a40f366 614 return -EINVAL;
e23a0ce8
LP		 615 }
616
6bf3c61c 617 log_setup_service();
e23a0ce8 618
8c71b2cd 619 crypt_set_log_callback(NULL, cryptsetup_log_glue, NULL);
568a8404
IS		 620 if (DEBUG_LOGGING)
621 /* libcryptsetup won't even consider debug messages by default */
622 crypt_set_debug_level(CRYPT_DEBUG_ALL);
623
4c12626c
LP		 624 umask(0022);
625
260ab287 626 if (streq(argv[1], "attach")) {
7f4e0805 627 uint32_t flags = 0;
10fb4e35 628 unsigned tries;
260ab287 629 usec_t until;
e2d480b9 630 crypt_status_info status;
e51b9486 631 const char *key_file = NULL;
7f4e0805 632
b61e476f
LP		 633 /* Arguments: systemd-cryptsetup attach VOLUME SOURCE-DEVICE [PASSWORD] [OPTIONS] */
634
0ffff81a
LP		 635 if (argc < 4)
636 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "attach requires at least two arguments.");
7f4e0805 637
1fc76335
LP		 638 if (argc >= 5 &&
639 argv[4][0] &&
640 !streq(argv[4], "-") &&
641 !streq(argv[4], "none")) {
7f4e0805
LP		 642
643 if (!path_is_absolute(argv[4]))
44ce4255 644 log_warning("Password file path '%s' is not absolute. Ignoring.", argv[4]);
7f4e0805
LP		 645 else
646 key_file = argv[4];
647 }
648
74b1c371 649 if (argc >= 6 && argv[5][0] && !streq(argv[5], "-")) {
3a40f366
YW		 650 r = parse_options(argv[5]);
651 if (r < 0)
652 return r;
74b1c371 653 }
e23a0ce8 654
b853f6e9 655 /* A delicious drop of snake oil */
9c5253ff 656 (void) mlockall(MCL_FUTURE);
b853f6e9 657
7376e835
AC		 658 if (arg_header) {
659 log_debug("LUKS header: %s", arg_header);
5f4bfe56 660 r = crypt_init(&cd, arg_header);
7376e835 661 } else
5f4bfe56 662 r = crypt_init(&cd, argv[3]);
3a40f366
YW		 663 if (r < 0)
664 return log_error_errno(r, "crypt_init() failed: %m");
e23a0ce8 665
691c2e2e 666 crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
7f4e0805 667
260ab287 668 status = crypt_status(cd, argv[2]);
3742095b 669 if (IN_SET(status, CRYPT_ACTIVE, CRYPT_BUSY)) {
260ab287 670 log_info("Volume %s already active.", argv[2]);
3a40f366 671 return 0;
7f4e0805
LP		 672 }
673
d5d1ae15 674 flags = determine_flags();
2c65512e 675
0864d311 676 if (arg_timeout == USEC_INFINITY)
7dcda352 677 until = 0;
0864d311
AS		 678 else
679 until = now(CLOCK_MONOTONIC) + arg_timeout;
260ab287 680
6131a78b 681 arg_key_size = (arg_key_size > 0 ? arg_key_size : (256 / 8));
e2d480b9 682
10fb4e35
JJ		 683 if (key_file) {
684 struct stat st;
e2d480b9 685
10fb4e35
JJ		 686 /* Ideally we'd do this on the open fd, but since this is just a
687 * warning it's OK to do this in two steps. */
3f4d56a0
MP		 688 if (stat(key_file, &st) >= 0 && S_ISREG(st.st_mode) && (st.st_mode & 0005))
689 log_warning("Key file %s is world-readable. This is not a good idea!", key_file);
e2d480b9
LP		 690 }
691
ea9a9d49
MB		 692 if (!arg_type || STR_IN_SET(arg_type, ANY_LUKS, CRYPT_LUKS1)) {
693 r = crypt_load(cd, CRYPT_LUKS, NULL);
694 if (r < 0)
695 return log_error_errno(r, "Failed to load LUKS superblock on device %s: %m", crypt_get_device_name(cd));
696
697 if (arg_header) {
698 r = crypt_set_data_device(cd, argv[3]);
699 if (r < 0)
700 return log_error_errno(r, "Failed to set LUKS data device %s: %m", argv[3]);
701 }
d90874b4 702
894bb3ca
MB		 703 /* Tokens are available in LUKS2 only, but it is ok to call (and fail) with LUKS1. */
704 if (!key_file) {
705 r = crypt_activate_by_token(cd, argv[2], CRYPT_ANY_TOKEN, NULL, flags);
706 if (r >= 0) {
707 log_debug("Volume %s activated with LUKS token id %i.", argv[2], r);
708 return 0;
709 }
710
711 log_debug_errno(r, "Token activation unsuccessful for device %s: %m", crypt_get_device_name(cd));
712 }
ea9a9d49
MB		 713 }
714
f75cac37 715 for (tries = 0; arg_tries == 0 || tries < arg_tries; tries++) {
ab84f5b9 716 _cleanup_strv_free_erase_ char **passwords = NULL;
260ab287
LP		 717
718 if (!key_file) {
5f4bfe56
LP		 719 r = get_password(argv[2], argv[3], until, tries == 0 && !arg_verify, &passwords);
720 if (r == -EAGAIN)
e7d90b71 721 continue;
5f4bfe56 722 if (r < 0)
3a40f366 723 return r;
260ab287
LP		 724 }
725
f75cac37 726 if (streq_ptr(arg_type, CRYPT_TCRYPT))
5f4bfe56 727 r = attach_tcrypt(cd, argv[2], key_file, passwords, flags);
8cf3ca80 728 else
9c5253ff 729 r = attach_luks_or_plain(cd, argv[2], key_file, passwords, flags);
5f4bfe56 730 if (r >= 0)
260ab287 731 break;
6f177c7d
LP		 732 if (r != -EAGAIN)
733 return r;
260ab287 734
6f177c7d
LP		 735 /* Passphrase not correct? Let's try again! */
736 key_file = NULL;
7f4e0805
LP		 737 }
738
0ffff81a
LP		 739 if (arg_tries != 0 && tries >= arg_tries)
740 return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Too many attempts to activate; giving up.");
7f4e0805
LP		 741
742 } else if (streq(argv[1], "detach")) {
7f4e0805 743
5f4bfe56
LP		 744 r = crypt_init_by_name(&cd, argv[2]);
745 if (r == -ENODEV) {
a0bfc9c2 746 log_info("Volume %s already inactive.", argv[2]);
3a40f366 747 return 0;
7f4e0805 748 }
3a40f366
YW		 749 if (r < 0)
750 return log_error_errno(r, "crypt_init_by_name() failed: %m");
7f4e0805 751
691c2e2e 752 crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
7f4e0805 753
5f4bfe56 754 r = crypt_deactivate(cd, argv[2]);
3a40f366
YW		 755 if (r < 0)
756 return log_error_errno(r, "Failed to deactivate: %m");
e23a0ce8 757
0ffff81a
LP		 758 } else
759 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown verb %s.", argv[1]);
e23a0ce8 760
3a40f366 761 return 0;
e23a0ce8 762}
3a40f366
YW		 763
764DEFINE_MAIN_FUNCTION(run);
Unnamed repository; edit this file 'description' to name the repository.