]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/cryptsetup/cryptsetup.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge pull request #11827 from keszybz/pkgconfig-variables
[thirdparty/systemd.git] / src / cryptsetup / cryptsetup.c
CommitLineData
53e1b683 1/* SPDX-License-Identifier: LGPL-2.1+ */
e23a0ce8 2
7f4e0805 3#include <errno.h>
07630cea
LP		 4#include <mntent.h>
5#include <string.h>
6#include <sys/mman.h>
e23a0ce8 7
4f5dd394
LP		 8#include "sd-device.h"
9
b5efdb8a 10#include "alloc-util.h"
4f5dd394 11#include "ask-password-api.h"
294bd454 12#include "crypt-util.h"
4f5dd394
LP		 13#include "device-util.h"
14#include "escape.h"
8cf3ca80 15#include "fileio.h"
e23a0ce8 16#include "log.h"
3a40f366 17#include "main-func.h"
4349cd7c 18#include "mount-util.h"
6bedfcbb 19#include "parse-util.h"
9eb977db 20#include "path-util.h"
07630cea 21#include "string-util.h"
21bc923a 22#include "strv.h"
294bf0c3 23#include "pretty-print.h"
4f5dd394 24#include "util.h"
7f4e0805 25
b3b4ebab
OK		 26/* internal helper */
27#define ANY_LUKS "LUKS"
a9fc6406
DJL		 28/* as in src/cryptsetup.h */
29#define CRYPT_SECTOR_SIZE 512
30#define CRYPT_MAX_SECTOR_SIZE 4096
b3b4ebab
OK		 31
32static const char *arg_type = NULL; /* ANY_LUKS, CRYPT_LUKS1, CRYPT_LUKS2, CRYPT_TCRYPT or CRYPT_PLAIN */
f75cac37
LP		 33static char *arg_cipher = NULL;
34static unsigned arg_key_size = 0;
645461f0 35#if HAVE_LIBCRYPTSETUP_SECTOR_SIZE
a9fc6406 36static unsigned arg_sector_size = CRYPT_SECTOR_SIZE;
645461f0 37#endif
f75cac37
LP		 38static int arg_key_slot = CRYPT_ANY_SLOT;
39static unsigned arg_keyfile_size = 0;
dc0a3555 40static uint64_t arg_keyfile_offset = 0;
f75cac37 41static char *arg_hash = NULL;
7376e835 42static char *arg_header = NULL;
f75cac37
LP		 43static unsigned arg_tries = 3;
44static bool arg_readonly = false;
45static bool arg_verify = false;
46static bool arg_discards = false;
47static bool arg_tcrypt_hidden = false;
48static bool arg_tcrypt_system = false;
2e914ef4 49#ifdef CRYPT_TCRYPT_VERA_MODES
52028838 50static bool arg_tcrypt_veracrypt = false;
2e914ef4 51#endif
f75cac37 52static char **arg_tcrypt_keyfiles = NULL;
4eac2773
MP		 53static uint64_t arg_offset = 0;
54static uint64_t arg_skip = 0;
0864d311 55static usec_t arg_timeout = USEC_INFINITY;
7f4e0805 56
3a40f366
YW		 57STATIC_DESTRUCTOR_REGISTER(arg_cipher, freep);
58STATIC_DESTRUCTOR_REGISTER(arg_hash, freep);
59STATIC_DESTRUCTOR_REGISTER(arg_header, freep);
60STATIC_DESTRUCTOR_REGISTER(arg_tcrypt_keyfiles, strv_freep);
61
1fc76335
LP		 62/* Options Debian's crypttab knows we don't:
63
1fc76335
LP		 64 precheck=
65 check=
66 checkargs=
67 noearly=
68 loud=
69 keyscript=
70*/
71
7f4e0805 72static int parse_one_option(const char *option) {
fb4650aa
ZJS		 73 const char *val;
74 int r;
75
7f4e0805
LP		 76 assert(option);
77
78 /* Handled outside of this tool */
f7576eb9 79 if (STR_IN_SET(option, "noauto", "auto", "nofail", "fail", "_netdev"))
7f4e0805
LP		 80 return 0;
81
fb4650aa
ZJS		 82 if ((val = startswith(option, "cipher="))) {
83 r = free_and_strdup(&arg_cipher, val);
84 if (r < 0)
4b93637f 85 return log_oom();
7f4e0805 86
fb4650aa 87 } else if ((val = startswith(option, "size="))) {
7f4e0805 88
fb4650aa
ZJS		 89 r = safe_atou(val, &arg_key_size);
90 if (r < 0) {
91 log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
7f4e0805
LP		 92 return 0;
93 }
94
6131a78b
DH		 95 if (arg_key_size % 8) {
96 log_error("size= not a multiple of 8, ignoring.");
97 return 0;
98 }
99
100 arg_key_size /= 8;
101
a9fc6406
DJL		 102 } else if ((val = startswith(option, "sector-size="))) {
103
104#if HAVE_LIBCRYPTSETUP_SECTOR_SIZE
105 r = safe_atou(val, &arg_sector_size);
106 if (r < 0) {
107 log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
108 return 0;
109 }
110
111 if (arg_sector_size % 2) {
112 log_error("sector-size= not a multiple of 2, ignoring.");
113 return 0;
114 }
115
116 if (arg_sector_size < CRYPT_SECTOR_SIZE || arg_sector_size > CRYPT_MAX_SECTOR_SIZE) {
117 log_error("sector-size= is outside of %u and %u, ignoring.", CRYPT_SECTOR_SIZE, CRYPT_MAX_SECTOR_SIZE);
118 return 0;
119 }
120#else
121 log_error("sector-size= is not supported, compiled with old libcryptsetup.");
122 return 0;
123#endif
124
fb4650aa 125 } else if ((val = startswith(option, "key-slot="))) {
b4a11878 126
b3b4ebab 127 arg_type = ANY_LUKS;
fb4650aa
ZJS		 128 r = safe_atoi(val, &arg_key_slot);
129 if (r < 0) {
130 log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
b4a11878
CS		 131 return 0;
132 }
133
fb4650aa 134 } else if ((val = startswith(option, "tcrypt-keyfile="))) {
8cf3ca80 135
f75cac37 136 arg_type = CRYPT_TCRYPT;
fb4650aa
ZJS		 137 if (path_is_absolute(val)) {
138 if (strv_extend(&arg_tcrypt_keyfiles, val) < 0)
4b93637f
LP		 139 return log_oom();
140 } else
fb4650aa 141 log_error("Key file path \"%s\" is not absolute. Ignoring.", val);
8cf3ca80 142
fb4650aa 143 } else if ((val = startswith(option, "keyfile-size="))) {
4271d823 144
fb4650aa
ZJS		 145 r = safe_atou(val, &arg_keyfile_size);
146 if (r < 0) {
147 log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
4271d823
TG		 148 return 0;
149 }
150
fb4650aa 151 } else if ((val = startswith(option, "keyfile-offset="))) {
dc0a3555 152 uint64_t off;
880a599e 153
dc0a3555 154 r = safe_atou64(val, &off);
fb4650aa
ZJS		 155 if (r < 0) {
156 log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
880a599e
TG		 157 return 0;
158 }
159
dc0a3555
ZJS		 160 if ((size_t) off != off) {
161 /* https://gitlab.com/cryptsetup/cryptsetup/issues/359 */
162 log_error("keyfile-offset= value would truncated to %zu, ignoring.", (size_t) off);
163 return 0;
164 }
165
166 arg_keyfile_offset = off;
167
fb4650aa
ZJS		 168 } else if ((val = startswith(option, "hash="))) {
169 r = free_and_strdup(&arg_hash, val);
170 if (r < 0)
4b93637f 171 return log_oom();
7f4e0805 172
fb4650aa 173 } else if ((val = startswith(option, "header="))) {
b3b4ebab 174 arg_type = ANY_LUKS;
7376e835 175
baaa35ad
ZJS		 176 if (!path_is_absolute(val))
177 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
178 "Header path \"%s\" is not absolute, refusing.", val);
7376e835 179
baaa35ad
ZJS		 180 if (arg_header)
181 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
182 "Duplicate header= option, refusing.");
7376e835 183
fb4650aa 184 arg_header = strdup(val);
7376e835
AC		 185 if (!arg_header)
186 return log_oom();
187
fb4650aa 188 } else if ((val = startswith(option, "tries="))) {
7f4e0805 189
fb4650aa
ZJS		 190 r = safe_atou(val, &arg_tries);
191 if (r < 0) {
192 log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
7f4e0805
LP		 193 return 0;
194 }
195
f75cac37
LP		 196 } else if (STR_IN_SET(option, "readonly", "read-only"))
197 arg_readonly = true;
7f4e0805 198 else if (streq(option, "verify"))
f75cac37
LP		 199 arg_verify = true;
200 else if (STR_IN_SET(option, "allow-discards", "discard"))
201 arg_discards = true;
260ab287 202 else if (streq(option, "luks"))
b3b4ebab 203 arg_type = ANY_LUKS;
8cf3ca80 204 else if (streq(option, "tcrypt"))
f75cac37 205 arg_type = CRYPT_TCRYPT;
8cf3ca80 206 else if (streq(option, "tcrypt-hidden")) {
f75cac37
LP		 207 arg_type = CRYPT_TCRYPT;
208 arg_tcrypt_hidden = true;
8cf3ca80 209 } else if (streq(option, "tcrypt-system")) {
f75cac37
LP		 210 arg_type = CRYPT_TCRYPT;
211 arg_tcrypt_system = true;
52028838
GH		 212 } else if (streq(option, "tcrypt-veracrypt")) {
213#ifdef CRYPT_TCRYPT_VERA_MODES
214 arg_type = CRYPT_TCRYPT;
215 arg_tcrypt_veracrypt = true;
216#else
baaa35ad
ZJS		 217 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
218 "This version of cryptsetup does not support tcrypt-veracrypt; refusing.");
52028838 219#endif
f75cac37
LP		 220 } else if (STR_IN_SET(option, "plain", "swap", "tmp"))
221 arg_type = CRYPT_PLAIN;
fb4650aa 222 else if ((val = startswith(option, "timeout="))) {
7f4e0805 223
0004f698 224 r = parse_sec_fix_0(val, &arg_timeout);
fb4650aa
ZJS		 225 if (r < 0) {
226 log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
7f4e0805
LP		 227 return 0;
228 }
229
fb4650aa 230 } else if ((val = startswith(option, "offset="))) {
4eac2773 231
fb4650aa
ZJS		 232 r = safe_atou64(val, &arg_offset);
233 if (r < 0)
234 return log_error_errno(r, "Failed to parse %s: %m", option);
4eac2773 235
fb4650aa 236 } else if ((val = startswith(option, "skip="))) {
4eac2773 237
fb4650aa
ZJS		 238 r = safe_atou64(val, &arg_skip);
239 if (r < 0)
240 return log_error_errno(r, "Failed to parse %s: %m", option);
4eac2773 241
41e6f28a 242 } else if (!streq(option, "none"))
fb4650aa 243 log_warning("Encountered unknown /etc/crypttab option '%s', ignoring.", option);
7f4e0805
LP		 244
245 return 0;
246}
247
248static int parse_options(const char *options) {
a2a5291b 249 const char *word, *state;
7f4e0805 250 size_t l;
74b1c371 251 int r;
7f4e0805
LP		 252
253 assert(options);
254
a2a5291b 255 FOREACH_WORD_SEPARATOR(word, l, options, ",", state) {
74b1c371 256 _cleanup_free_ char *o;
7f4e0805 257
a2a5291b 258 o = strndup(word, l);
74b1c371 259 if (!o)
7f4e0805 260 return -ENOMEM;
7f4e0805 261 r = parse_one_option(o);
7f4e0805
LP		 262 if (r < 0)
263 return r;
264 }
265
4eac2773
MP		 266 /* sanity-check options */
267 if (arg_type != NULL && !streq(arg_type, CRYPT_PLAIN)) {
268 if (arg_offset)
269 log_warning("offset= ignored with type %s", arg_type);
270 if (arg_skip)
271 log_warning("skip= ignored with type %s", arg_type);
272 }
273
7f4e0805
LP		 274 return 0;
275}
276
1ca208fb 277static char* disk_description(const char *path) {
f75cac37 278 static const char name_fields[] =
74b1c371
LP		 279 "ID_PART_ENTRY_NAME\0"
280 "DM_NAME\0"
281 "ID_MODEL_FROM_DATABASE\0"
f75cac37 282 "ID_MODEL\0";
74b1c371 283
4afd3348 284 _cleanup_(sd_device_unrefp) sd_device *device = NULL;
2c740afd 285 const char *i, *name;
b1a2da0a 286 struct stat st;
b1a2da0a
LP		 287
288 assert(path);
289
290 if (stat(path, &st) < 0)
291 return NULL;
292
293 if (!S_ISBLK(st.st_mode))
294 return NULL;
295
2c740afd 296 if (sd_device_new_from_devnum(&device, 'b', st.st_rdev) < 0)
1ca208fb 297 return NULL;
b1a2da0a 298
2c740afd
YW		 299 NULSTR_FOREACH(i, name_fields)
300 if (sd_device_get_property_value(device, i, &name) >= 0 &&
301 !isempty(name))
1ca208fb 302 return strdup(name);
b1a2da0a 303
1ca208fb 304 return NULL;
b1a2da0a
LP		 305}
306
b61e476f 307static char *disk_mount_point(const char *label) {
e7d90b71 308 _cleanup_free_ char *device = NULL;
5862d652 309 _cleanup_endmntent_ FILE *f = NULL;
b61e476f
LP		 310 struct mntent *m;
311
312 /* Yeah, we don't support native systemd unit files here for now */
313
314 if (asprintf(&device, "/dev/mapper/%s", label) < 0)
5862d652 315 return NULL;
b61e476f 316
9ffcff0e 317 f = setmntent("/etc/fstab", "re");
e0295d26 318 if (!f)
5862d652 319 return NULL;
b61e476f
LP		 320
321 while ((m = getmntent(f)))
5862d652
ZJS		 322 if (path_equal(m->mnt_fsname, device))
323 return strdup(m->mnt_dir);
b61e476f 324
5862d652 325 return NULL;
b61e476f
LP		 326}
327
1602b008 328static int get_password(const char *vol, const char *src, usec_t until, bool accept_cached, char ***ret) {
ea7e7c1e 329 _cleanup_free_ char *description = NULL, *name_buffer = NULL, *mount_point = NULL, *text = NULL, *disk_path = NULL;
ab84f5b9 330 _cleanup_strv_free_erase_ char **passwords = NULL;
e51b9486 331 const char *name = NULL;
e287086b
LP		 332 char **p, *id;
333 int r = 0;
e7d90b71 334
e51b9486
HH		 335 assert(vol);
336 assert(src);
1602b008 337 assert(ret);
e7d90b71 338
e51b9486
HH		 339 description = disk_description(src);
340 mount_point = disk_mount_point(vol);
341
ea7e7c1e
MS		 342 disk_path = cescape(src);
343 if (!disk_path)
344 return log_oom();
345
ece174c5 346 if (description && streq(vol, description))
e51b9486
HH		 347 /* If the description string is simply the
348 * volume name, then let's not show this
349 * twice */
97b11eed 350 description = mfree(description);
e51b9486
HH		 351
352 if (mount_point && description)
353 r = asprintf(&name_buffer, "%s (%s) on %s", description, vol, mount_point);
354 else if (mount_point)
355 r = asprintf(&name_buffer, "%s on %s", vol, mount_point);
356 else if (description)
357 r = asprintf(&name_buffer, "%s (%s)", description, vol);
358
359 if (r < 0)
360 return log_oom();
361
362 name = name_buffer ? name_buffer : vol;
363
a1c111c2 364 if (asprintf(&text, "Please enter passphrase for disk %s:", name) < 0)
e7d90b71
JJ		 365 return log_oom();
366
ea7e7c1e 367 id = strjoina("cryptsetup:", disk_path);
9fa1de96 368
ab84f5b9
ZJS		 369 r = ask_password_auto(text, "drive-harddisk", id, "cryptsetup", until,
370 ASK_PASSWORD_PUSH_CACHE | (accept_cached*ASK_PASSWORD_ACCEPT_CACHED),
371 &passwords);
23bbb0de
MS		 372 if (r < 0)
373 return log_error_errno(r, "Failed to query password: %m");
e7d90b71 374
f75cac37 375 if (arg_verify) {
ab84f5b9
ZJS		 376 _cleanup_strv_free_erase_ char **passwords2 = NULL;
377
1602b008 378 assert(strv_length(passwords) == 1);
e7d90b71 379
a1c111c2 380 if (asprintf(&text, "Please enter passphrase for disk %s (verification):", name) < 0)
ab84f5b9 381 return log_oom();
e7d90b71 382
ea7e7c1e 383 id = strjoina("cryptsetup-verification:", disk_path);
9fa1de96 384
e287086b 385 r = ask_password_auto(text, "drive-harddisk", id, "cryptsetup", until, ASK_PASSWORD_PUSH_CACHE, &passwords2);
ab84f5b9
ZJS		 386 if (r < 0)
387 return log_error_errno(r, "Failed to query verification password: %m");
e7d90b71
JJ		 388
389 assert(strv_length(passwords2) == 1);
390
1602b008 391 if (!streq(passwords[0], passwords2[0])) {
e7d90b71 392 log_warning("Passwords did not match, retrying.");
ab84f5b9 393 return -EAGAIN;
e7d90b71
JJ		 394 }
395 }
396
1602b008 397 strv_uniq(passwords);
e7d90b71 398
1602b008 399 STRV_FOREACH(p, passwords) {
e7d90b71
JJ		 400 char *c;
401
f75cac37 402 if (strlen(*p)+1 >= arg_key_size)
e7d90b71
JJ		 403 continue;
404
405 /* Pad password if necessary */
1602b008 406 c = new(char, arg_key_size);
ab84f5b9
ZJS		 407 if (!c)
408 return log_oom();
e7d90b71 409
f75cac37 410 strncpy(c, *p, arg_key_size);
d135419e 411 free_and_replace(*p, c);
e7d90b71
JJ		 412 }
413
ae2a15bc 414 *ret = TAKE_PTR(passwords);
1602b008 415
ab84f5b9 416 return 0;
e7d90b71
JJ		 417}
418
1602b008
LP		 419static int attach_tcrypt(
420 struct crypt_device *cd,
421 const char *name,
422 const char *key_file,
423 char **passwords,
424 uint32_t flags) {
425
8cf3ca80
JJ		 426 int r = 0;
427 _cleanup_free_ char *passphrase = NULL;
428 struct crypt_params_tcrypt params = {
429 .flags = CRYPT_TCRYPT_LEGACY_MODES,
f75cac37
LP		 430 .keyfiles = (const char **)arg_tcrypt_keyfiles,
431 .keyfiles_count = strv_length(arg_tcrypt_keyfiles)
8cf3ca80
JJ		 432 };
433
434 assert(cd);
435 assert(name);
f268f57f 436 assert(key_file || (passwords && passwords[0]));
8cf3ca80 437
f75cac37 438 if (arg_tcrypt_hidden)
8cf3ca80
JJ		 439 params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
440
f75cac37 441 if (arg_tcrypt_system)
8cf3ca80
JJ		 442 params.flags |= CRYPT_TCRYPT_SYSTEM_HEADER;
443
52028838
GH		 444#ifdef CRYPT_TCRYPT_VERA_MODES
445 if (arg_tcrypt_veracrypt)
446 params.flags |= CRYPT_TCRYPT_VERA_MODES;
447#endif
448
8cf3ca80
JJ		 449 if (key_file) {
450 r = read_one_line_file(key_file, &passphrase);
451 if (r < 0) {
da927ba9 452 log_error_errno(r, "Failed to read password file '%s': %m", key_file);
b7a0fead 453 return -EAGAIN; /* log with the actual error, but return EAGAIN */
8cf3ca80
JJ		 454 }
455
456 params.passphrase = passphrase;
457 } else
458 params.passphrase = passwords[0];
459 params.passphrase_size = strlen(params.passphrase);
460
461 r = crypt_load(cd, CRYPT_TCRYPT, &params);
462 if (r < 0) {
6f177c7d
LP		 463 if (key_file && r == -EPERM) {
464 log_error_errno(r, "Failed to activate using password file '%s'. (Key data not correct?)", key_file);
465 return -EAGAIN; /* log the actual error, but return EAGAIN */
466 }
467
468 return log_error_errno(r, "Failed to load tcrypt superblock on device %s: %m", crypt_get_device_name(cd));
8cf3ca80
JJ		 469 }
470
6f177c7d
LP		 471 r = crypt_activate_by_volume_key(cd, name, NULL, 0, flags);
472 if (r < 0)
473 return log_error_errno(r, "Failed to activate tcrypt device %s: %m", crypt_get_device_name(cd));
474
475 return 0;
8cf3ca80
JJ		 476}
477
10fb4e35
JJ		 478static int attach_luks_or_plain(struct crypt_device *cd,
479 const char *name,
480 const char *key_file,
7376e835 481 const char *data_device,
10fb4e35
JJ		 482 char **passwords,
483 uint32_t flags) {
484 int r = 0;
485 bool pass_volume_key = false;
486
487 assert(cd);
488 assert(name);
489 assert(key_file || passwords);
490
b3b4ebab
OK		 491 if (!arg_type || STR_IN_SET(arg_type, ANY_LUKS, CRYPT_LUKS1)) {
492 r = crypt_load(cd, CRYPT_LUKS, NULL);
0ffff81a 493 if (r < 0)
6f177c7d 494 return log_error_errno(r, "Failed to load LUKS superblock on device %s: %m", crypt_get_device_name(cd));
7376e835
AC		 495
496 if (data_device)
497 r = crypt_set_data_device(cd, data_device);
498 }
10fb4e35 499
f75cac37 500 if ((!arg_type && r < 0) || streq_ptr(arg_type, CRYPT_PLAIN)) {
4eac2773
MP		 501 struct crypt_params_plain params = {
502 .offset = arg_offset,
503 .skip = arg_skip,
a9fc6406
DJL		 504#if HAVE_LIBCRYPTSETUP_SECTOR_SIZE
505 .sector_size = arg_sector_size,
506#endif
4eac2773 507 };
10fb4e35
JJ		 508 const char *cipher, *cipher_mode;
509 _cleanup_free_ char *truncated_cipher = NULL;
510
f75cac37 511 if (arg_hash) {
10fb4e35 512 /* plain isn't a real hash type. it just means "use no hash" */
f75cac37
LP		 513 if (!streq(arg_hash, "plain"))
514 params.hash = arg_hash;
8a52210c
ZJS		 515 } else if (!key_file)
516 /* for CRYPT_PLAIN, the behaviour of cryptsetup
517 * package is to not hash when a key file is provided */
10fb4e35
JJ		 518 params.hash = "ripemd160";
519
f75cac37 520 if (arg_cipher) {
10fb4e35
JJ		 521 size_t l;
522
f75cac37
LP		 523 l = strcspn(arg_cipher, "-");
524 truncated_cipher = strndup(arg_cipher, l);
10fb4e35
JJ		 525 if (!truncated_cipher)
526 return log_oom();
527
528 cipher = truncated_cipher;
f75cac37 529 cipher_mode = arg_cipher[l] ? arg_cipher+l+1 : "plain";
10fb4e35
JJ		 530 } else {
531 cipher = "aes";
532 cipher_mode = "cbc-essiv:sha256";
533 }
534
aed68083 535 /* for CRYPT_PLAIN limit reads from keyfile to key length, and ignore keyfile-size */
6131a78b 536 arg_keyfile_size = arg_key_size;
10fb4e35 537
aed68083
LP		 538 /* In contrast to what the name crypt_setup() might suggest this doesn't actually format
539 * anything, it just configures encryption parameters when used for plain mode. */
1602b008 540 r = crypt_format(cd, CRYPT_PLAIN, cipher, cipher_mode, NULL, NULL, arg_keyfile_size, &params);
10fb4e35
JJ		 541
542 /* hash == NULL implies the user passed "plain" */
543 pass_volume_key = (params.hash == NULL);
544 }
23bbb0de
MS		 545 if (r < 0)
546 return log_error_errno(r, "Loading of cryptographic parameters failed: %m");
10fb4e35
JJ		 547
548 log_info("Set cipher %s, mode %s, key size %i bits for device %s.",
549 crypt_get_cipher(cd),
550 crypt_get_cipher_mode(cd),
551 crypt_get_volume_key_size(cd)*8,
552 crypt_get_device_name(cd));
553
554 if (key_file) {
1602b008 555 r = crypt_activate_by_keyfile_offset(cd, name, arg_key_slot, key_file, arg_keyfile_size, arg_keyfile_offset, flags);
6f177c7d
LP		 556 if (r == -EPERM) {
557 log_error_errno(r, "Failed to activate with key file '%s'. (Key data incorrect?)", key_file);
558 return -EAGAIN; /* Log actual error, but return EAGAIN */
c20db388
RG		 559 }
560 if (r == -EINVAL) {
561 log_error_errno(r, "Failed to activate with key file '%s'. (Key file missing?)", key_file);
562 return -EAGAIN; /* Log actual error, but return EAGAIN */
10fb4e35 563 }
6f177c7d
LP		 564 if (r < 0)
565 return log_error_errno(r, "Failed to activate with key file '%s': %m", key_file);
10fb4e35
JJ		 566 } else {
567 char **p;
568
6f177c7d 569 r = -EINVAL;
10fb4e35
JJ		 570 STRV_FOREACH(p, passwords) {
571 if (pass_volume_key)
f75cac37 572 r = crypt_activate_by_volume_key(cd, name, *p, arg_key_size, flags);
10fb4e35 573 else
f75cac37 574 r = crypt_activate_by_passphrase(cd, name, arg_key_slot, *p, strlen(*p), flags);
10fb4e35
JJ		 575 if (r >= 0)
576 break;
577 }
6f177c7d
LP		 578 if (r == -EPERM) {
579 log_error_errno(r, "Failed to activate with specified passphrase. (Passphrase incorrect?)");
580 return -EAGAIN; /* log actual error, but return EAGAIN */
581 }
582 if (r < 0)
583 return log_error_errno(r, "Failed to activate with specified passphrase: %m");
10fb4e35
JJ		 584 }
585
586 return r;
587}
588
dd5e696d 589static int help(void) {
37ec0fdd
LP		 590 _cleanup_free_ char *link = NULL;
591 int r;
592
593 r = terminal_urlify_man("systemd-cryptsetup@.service", "8", &link);
594 if (r < 0)
595 return log_oom();
dd5e696d
LP		 596
597 printf("%s attach VOLUME SOURCEDEVICE [PASSWORD] [OPTIONS]\n"
598 "%s detach VOLUME\n\n"
37ec0fdd
LP		 599 "Attaches or detaches an encrypted block device.\n"
600 "\nSee the %s for details.\n"
601 , program_invocation_short_name
602 , program_invocation_short_name
603 , link
604 );
dd5e696d
LP		 605
606 return 0;
607}
608
3a40f366 609static int run(int argc, char *argv[]) {
294bd454 610 _cleanup_(crypt_freep) struct crypt_device *cd = NULL;
3a40f366 611 int r;
e23a0ce8 612
3a40f366
YW		 613 if (argc <= 1)
614 return help();
dd5e696d 615
e23a0ce8
LP		 616 if (argc < 3) {
617 log_error("This program requires at least two arguments.");
3a40f366 618 return -EINVAL;
e23a0ce8
LP		 619 }
620
6bf3c61c 621 log_setup_service();
e23a0ce8 622
4c12626c
LP		 623 umask(0022);
624
260ab287 625 if (streq(argv[1], "attach")) {
7f4e0805 626 uint32_t flags = 0;
10fb4e35 627 unsigned tries;
260ab287 628 usec_t until;
e2d480b9 629 crypt_status_info status;
e51b9486 630 const char *key_file = NULL;
7f4e0805 631
b61e476f
LP		 632 /* Arguments: systemd-cryptsetup attach VOLUME SOURCE-DEVICE [PASSWORD] [OPTIONS] */
633
0ffff81a
LP		 634 if (argc < 4)
635 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "attach requires at least two arguments.");
7f4e0805 636
1fc76335
LP		 637 if (argc >= 5 &&
638 argv[4][0] &&
639 !streq(argv[4], "-") &&
640 !streq(argv[4], "none")) {
7f4e0805
LP		 641
642 if (!path_is_absolute(argv[4]))
44ce4255 643 log_warning("Password file path '%s' is not absolute. Ignoring.", argv[4]);
7f4e0805
LP		 644 else
645 key_file = argv[4];
646 }
647
74b1c371 648 if (argc >= 6 && argv[5][0] && !streq(argv[5], "-")) {
3a40f366
YW		 649 r = parse_options(argv[5]);
650 if (r < 0)
651 return r;
74b1c371 652 }
e23a0ce8 653
b853f6e9
LP		 654 /* A delicious drop of snake oil */
655 mlockall(MCL_FUTURE);
656
7376e835
AC		 657 if (arg_header) {
658 log_debug("LUKS header: %s", arg_header);
5f4bfe56 659 r = crypt_init(&cd, arg_header);
7376e835 660 } else
5f4bfe56 661 r = crypt_init(&cd, argv[3]);
3a40f366
YW		 662 if (r < 0)
663 return log_error_errno(r, "crypt_init() failed: %m");
e23a0ce8 664
691c2e2e 665 crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
7f4e0805 666
260ab287 667 status = crypt_status(cd, argv[2]);
3742095b 668 if (IN_SET(status, CRYPT_ACTIVE, CRYPT_BUSY)) {
260ab287 669 log_info("Volume %s already active.", argv[2]);
3a40f366 670 return 0;
7f4e0805
LP		 671 }
672
f75cac37 673 if (arg_readonly)
7f4e0805
LP		 674 flags |= CRYPT_ACTIVATE_READONLY;
675
f75cac37 676 if (arg_discards)
2a2aab60
MM		 677 flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
678
0864d311 679 if (arg_timeout == USEC_INFINITY)
7dcda352 680 until = 0;
0864d311
AS		 681 else
682 until = now(CLOCK_MONOTONIC) + arg_timeout;
260ab287 683
6131a78b 684 arg_key_size = (arg_key_size > 0 ? arg_key_size : (256 / 8));
e2d480b9 685
10fb4e35
JJ		 686 if (key_file) {
687 struct stat st;
e2d480b9 688
10fb4e35
JJ		 689 /* Ideally we'd do this on the open fd, but since this is just a
690 * warning it's OK to do this in two steps. */
3f4d56a0
MP		 691 if (stat(key_file, &st) >= 0 && S_ISREG(st.st_mode) && (st.st_mode & 0005))
692 log_warning("Key file %s is world-readable. This is not a good idea!", key_file);
e2d480b9
LP		 693 }
694
f75cac37 695 for (tries = 0; arg_tries == 0 || tries < arg_tries; tries++) {
ab84f5b9 696 _cleanup_strv_free_erase_ char **passwords = NULL;
260ab287
LP		 697
698 if (!key_file) {
5f4bfe56
LP		 699 r = get_password(argv[2], argv[3], until, tries == 0 && !arg_verify, &passwords);
700 if (r == -EAGAIN)
e7d90b71 701 continue;
5f4bfe56 702 if (r < 0)
3a40f366 703 return r;
260ab287
LP		 704 }
705
f75cac37 706 if (streq_ptr(arg_type, CRYPT_TCRYPT))
5f4bfe56 707 r = attach_tcrypt(cd, argv[2], key_file, passwords, flags);
8cf3ca80 708 else
5f4bfe56 709 r = attach_luks_or_plain(cd,
7376e835
AC		 710 argv[2],
711 key_file,
712 arg_header ? argv[3] : NULL,
713 passwords,
714 flags);
5f4bfe56 715 if (r >= 0)
260ab287 716 break;
6f177c7d
LP		 717 if (r != -EAGAIN)
718 return r;
260ab287 719
6f177c7d
LP		 720 /* Passphrase not correct? Let's try again! */
721 key_file = NULL;
7f4e0805
LP		 722 }
723
0ffff81a
LP		 724 if (arg_tries != 0 && tries >= arg_tries)
725 return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Too many attempts to activate; giving up.");
7f4e0805
LP		 726
727 } else if (streq(argv[1], "detach")) {
7f4e0805 728
5f4bfe56
LP		 729 r = crypt_init_by_name(&cd, argv[2]);
730 if (r == -ENODEV) {
a0bfc9c2 731 log_info("Volume %s already inactive.", argv[2]);
3a40f366 732 return 0;
7f4e0805 733 }
3a40f366
YW		 734 if (r < 0)
735 return log_error_errno(r, "crypt_init_by_name() failed: %m");
7f4e0805 736
691c2e2e 737 crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
7f4e0805 738
5f4bfe56 739 r = crypt_deactivate(cd, argv[2]);
3a40f366
YW		 740 if (r < 0)
741 return log_error_errno(r, "Failed to deactivate: %m");
e23a0ce8 742
0ffff81a
LP		 743 } else
744 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown verb %s.", argv[1]);
e23a0ce8 745
3a40f366 746 return 0;
e23a0ce8 747}
3a40f366
YW		 748
749DEFINE_MAIN_FUNCTION(run);
Unnamed repository; edit this file 'description' to name the repository.