]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/cryptsetup/cryptsetup.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
busctl: port "busctl list" to format_table.h
[thirdparty/systemd.git] / src / cryptsetup / cryptsetup.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #include <errno.h>
4 #include <mntent.h>
5 #include <string.h>
6 #include <sys/mman.h>
7 #include <sys/stat.h>
8 #include <sys/types.h>
9 #include <unistd.h>
10
11 #include "sd-device.h"
12
13 #include "alloc-util.h"
14 #include "ask-password-api.h"
15 #include "crypt-util.h"
16 #include "device-util.h"
17 #include "escape.h"
18 #include "fileio.h"
19 #include "log.h"
20 #include "main-func.h"
21 #include "mount-util.h"
22 #include "nulstr-util.h"
23 #include "parse-util.h"
24 #include "path-util.h"
25 #include "pretty-print.h"
26 #include "string-util.h"
27 #include "strv.h"
28
29 /* internal helper */
30 #define ANY_LUKS "LUKS"
31 /* as in src/cryptsetup.h */
32 #define CRYPT_SECTOR_SIZE 512
33 #define CRYPT_MAX_SECTOR_SIZE 4096
34
35 static const char *arg_type = NULL; /* ANY_LUKS, CRYPT_LUKS1, CRYPT_LUKS2, CRYPT_TCRYPT or CRYPT_PLAIN */
36 static char *arg_cipher = NULL;
37 static unsigned arg_key_size = 0;
38 #if HAVE_LIBCRYPTSETUP_SECTOR_SIZE
39 static unsigned arg_sector_size = CRYPT_SECTOR_SIZE;
40 #endif
41 static int arg_key_slot = CRYPT_ANY_SLOT;
42 static unsigned arg_keyfile_size = 0;
43 static uint64_t arg_keyfile_offset = 0;
44 static char *arg_hash = NULL;
45 static char *arg_header = NULL;
46 static unsigned arg_tries = 3;
47 static bool arg_readonly = false;
48 static bool arg_verify = false;
49 static bool arg_discards = false;
50 static bool arg_same_cpu_crypt = false;
51 static bool arg_submit_from_crypt_cpus = false;
52 static bool arg_tcrypt_hidden = false;
53 static bool arg_tcrypt_system = false;
54 #ifdef CRYPT_TCRYPT_VERA_MODES
55 static bool arg_tcrypt_veracrypt = false;
56 #endif
57 static char **arg_tcrypt_keyfiles = NULL;
58 static uint64_t arg_offset = 0;
59 static uint64_t arg_skip = 0;
60 static usec_t arg_timeout = USEC_INFINITY;
61
62 STATIC_DESTRUCTOR_REGISTER(arg_cipher, freep);
63 STATIC_DESTRUCTOR_REGISTER(arg_hash, freep);
64 STATIC_DESTRUCTOR_REGISTER(arg_header, freep);
65 STATIC_DESTRUCTOR_REGISTER(arg_tcrypt_keyfiles, strv_freep);
66
67 /* Options Debian's crypttab knows we don't:
68
69 precheck=
70 check=
71 checkargs=
72 noearly=
73 loud=
74 keyscript=
75 */
76
77 static int parse_one_option(const char *option) {
78 const char *val;
79 int r;
80
81 assert(option);
82
83 /* Handled outside of this tool */
84 if (STR_IN_SET(option, "noauto", "auto", "nofail", "fail", "_netdev"))
85 return 0;
86
87 if ((val = startswith(option, "cipher="))) {
88 r = free_and_strdup(&arg_cipher, val);
89 if (r < 0)
90 return log_oom();
91
92 } else if ((val = startswith(option, "size="))) {
93
94 r = safe_atou(val, &arg_key_size);
95 if (r < 0) {
96 log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
97 return 0;
98 }
99
100 if (arg_key_size % 8) {
101 log_error("size= not a multiple of 8, ignoring.");
102 return 0;
103 }
104
105 arg_key_size /= 8;
106
107 } else if ((val = startswith(option, "sector-size="))) {
108
109 #if HAVE_LIBCRYPTSETUP_SECTOR_SIZE
110 r = safe_atou(val, &arg_sector_size);
111 if (r < 0) {
112 log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
113 return 0;
114 }
115
116 if (arg_sector_size % 2) {
117 log_error("sector-size= not a multiple of 2, ignoring.");
118 return 0;
119 }
120
121 if (arg_sector_size < CRYPT_SECTOR_SIZE || arg_sector_size > CRYPT_MAX_SECTOR_SIZE) {
122 log_error("sector-size= is outside of %u and %u, ignoring.", CRYPT_SECTOR_SIZE, CRYPT_MAX_SECTOR_SIZE);
123 return 0;
124 }
125 #else
126 log_error("sector-size= is not supported, compiled with old libcryptsetup.");
127 return 0;
128 #endif
129
130 } else if ((val = startswith(option, "key-slot="))) {
131
132 arg_type = ANY_LUKS;
133 r = safe_atoi(val, &arg_key_slot);
134 if (r < 0) {
135 log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
136 return 0;
137 }
138
139 } else if ((val = startswith(option, "tcrypt-keyfile="))) {
140
141 arg_type = CRYPT_TCRYPT;
142 if (path_is_absolute(val)) {
143 if (strv_extend(&arg_tcrypt_keyfiles, val) < 0)
144 return log_oom();
145 } else
146 log_error("Key file path \"%s\" is not absolute. Ignoring.", val);
147
148 } else if ((val = startswith(option, "keyfile-size="))) {
149
150 r = safe_atou(val, &arg_keyfile_size);
151 if (r < 0) {
152 log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
153 return 0;
154 }
155
156 } else if ((val = startswith(option, "keyfile-offset="))) {
157 uint64_t off;
158
159 r = safe_atou64(val, &off);
160 if (r < 0) {
161 log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
162 return 0;
163 }
164
165 if ((size_t) off != off) {
166 /* https://gitlab.com/cryptsetup/cryptsetup/issues/359 */
167 log_error("keyfile-offset= value would truncated to %zu, ignoring.", (size_t) off);
168 return 0;
169 }
170
171 arg_keyfile_offset = off;
172
173 } else if ((val = startswith(option, "hash="))) {
174 r = free_and_strdup(&arg_hash, val);
175 if (r < 0)
176 return log_oom();
177
178 } else if ((val = startswith(option, "header="))) {
179 arg_type = ANY_LUKS;
180
181 if (!path_is_absolute(val))
182 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
183 "Header path \"%s\" is not absolute, refusing.", val);
184
185 if (arg_header)
186 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
187 "Duplicate header= option, refusing.");
188
189 arg_header = strdup(val);
190 if (!arg_header)
191 return log_oom();
192
193 } else if ((val = startswith(option, "tries="))) {
194
195 r = safe_atou(val, &arg_tries);
196 if (r < 0) {
197 log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
198 return 0;
199 }
200
201 } else if (STR_IN_SET(option, "readonly", "read-only"))
202 arg_readonly = true;
203 else if (streq(option, "verify"))
204 arg_verify = true;
205 else if (STR_IN_SET(option, "allow-discards", "discard"))
206 arg_discards = true;
207 else if (streq(option, "same-cpu-crypt"))
208 arg_same_cpu_crypt = true;
209 else if (streq(option, "submit-from-crypt-cpus"))
210 arg_submit_from_crypt_cpus = true;
211 else if (streq(option, "luks"))
212 arg_type = ANY_LUKS;
213 else if (streq(option, "tcrypt"))
214 arg_type = CRYPT_TCRYPT;
215 else if (streq(option, "tcrypt-hidden")) {
216 arg_type = CRYPT_TCRYPT;
217 arg_tcrypt_hidden = true;
218 } else if (streq(option, "tcrypt-system")) {
219 arg_type = CRYPT_TCRYPT;
220 arg_tcrypt_system = true;
221 } else if (streq(option, "tcrypt-veracrypt")) {
222 #ifdef CRYPT_TCRYPT_VERA_MODES
223 arg_type = CRYPT_TCRYPT;
224 arg_tcrypt_veracrypt = true;
225 #else
226 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
227 "This version of cryptsetup does not support tcrypt-veracrypt; refusing.");
228 #endif
229 } else if (STR_IN_SET(option, "plain", "swap", "tmp"))
230 arg_type = CRYPT_PLAIN;
231 else if ((val = startswith(option, "timeout="))) {
232
233 r = parse_sec_fix_0(val, &arg_timeout);
234 if (r < 0) {
235 log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
236 return 0;
237 }
238
239 } else if ((val = startswith(option, "offset="))) {
240
241 r = safe_atou64(val, &arg_offset);
242 if (r < 0)
243 return log_error_errno(r, "Failed to parse %s: %m", option);
244
245 } else if ((val = startswith(option, "skip="))) {
246
247 r = safe_atou64(val, &arg_skip);
248 if (r < 0)
249 return log_error_errno(r, "Failed to parse %s: %m", option);
250
251 } else if (!streq(option, "none"))
252 log_warning("Encountered unknown /etc/crypttab option '%s', ignoring.", option);
253
254 return 0;
255 }
256
257 static int parse_options(const char *options) {
258 const char *word, *state;
259 size_t l;
260 int r;
261
262 assert(options);
263
264 FOREACH_WORD_SEPARATOR(word, l, options, ",", state) {
265 _cleanup_free_ char *o;
266
267 o = strndup(word, l);
268 if (!o)
269 return -ENOMEM;
270 r = parse_one_option(o);
271 if (r < 0)
272 return r;
273 }
274
275 /* sanity-check options */
276 if (arg_type != NULL && !streq(arg_type, CRYPT_PLAIN)) {
277 if (arg_offset)
278 log_warning("offset= ignored with type %s", arg_type);
279 if (arg_skip)
280 log_warning("skip= ignored with type %s", arg_type);
281 }
282
283 return 0;
284 }
285
286 static char* disk_description(const char *path) {
287 static const char name_fields[] =
288 "ID_PART_ENTRY_NAME\0"
289 "DM_NAME\0"
290 "ID_MODEL_FROM_DATABASE\0"
291 "ID_MODEL\0";
292
293 _cleanup_(sd_device_unrefp) sd_device *device = NULL;
294 const char *i, *name;
295 struct stat st;
296
297 assert(path);
298
299 if (stat(path, &st) < 0)
300 return NULL;
301
302 if (!S_ISBLK(st.st_mode))
303 return NULL;
304
305 if (sd_device_new_from_devnum(&device, 'b', st.st_rdev) < 0)
306 return NULL;
307
308 NULSTR_FOREACH(i, name_fields)
309 if (sd_device_get_property_value(device, i, &name) >= 0 &&
310 !isempty(name))
311 return strdup(name);
312
313 return NULL;
314 }
315
316 static char *disk_mount_point(const char *label) {
317 _cleanup_free_ char *device = NULL;
318 _cleanup_endmntent_ FILE *f = NULL;
319 struct mntent *m;
320
321 /* Yeah, we don't support native systemd unit files here for now */
322
323 if (asprintf(&device, "/dev/mapper/%s", label) < 0)
324 return NULL;
325
326 f = setmntent("/etc/fstab", "re");
327 if (!f)
328 return NULL;
329
330 while ((m = getmntent(f)))
331 if (path_equal(m->mnt_fsname, device))
332 return strdup(m->mnt_dir);
333
334 return NULL;
335 }
336
337 static int get_password(const char *vol, const char *src, usec_t until, bool accept_cached, char ***ret) {
338 _cleanup_free_ char *description = NULL, *name_buffer = NULL, *mount_point = NULL, *text = NULL, *disk_path = NULL;
339 _cleanup_strv_free_erase_ char **passwords = NULL;
340 const char *name = NULL;
341 char **p, *id;
342 int r = 0;
343
344 assert(vol);
345 assert(src);
346 assert(ret);
347
348 description = disk_description(src);
349 mount_point = disk_mount_point(vol);
350
351 disk_path = cescape(src);
352 if (!disk_path)
353 return log_oom();
354
355 if (description && streq(vol, description))
356 /* If the description string is simply the
357 * volume name, then let's not show this
358 * twice */
359 description = mfree(description);
360
361 if (mount_point && description)
362 r = asprintf(&name_buffer, "%s (%s) on %s", description, vol, mount_point);
363 else if (mount_point)
364 r = asprintf(&name_buffer, "%s on %s", vol, mount_point);
365 else if (description)
366 r = asprintf(&name_buffer, "%s (%s)", description, vol);
367
368 if (r < 0)
369 return log_oom();
370
371 name = name_buffer ? name_buffer : vol;
372
373 if (asprintf(&text, "Please enter passphrase for disk %s:", name) < 0)
374 return log_oom();
375
376 id = strjoina("cryptsetup:", disk_path);
377
378 r = ask_password_auto(text, "drive-harddisk", id, "cryptsetup", until,
379 ASK_PASSWORD_PUSH_CACHE | (accept_cached*ASK_PASSWORD_ACCEPT_CACHED),
380 &passwords);
381 if (r < 0)
382 return log_error_errno(r, "Failed to query password: %m");
383
384 if (arg_verify) {
385 _cleanup_strv_free_erase_ char **passwords2 = NULL;
386
387 assert(strv_length(passwords) == 1);
388
389 if (asprintf(&text, "Please enter passphrase for disk %s (verification):", name) < 0)
390 return log_oom();
391
392 id = strjoina("cryptsetup-verification:", disk_path);
393
394 r = ask_password_auto(text, "drive-harddisk", id, "cryptsetup", until, ASK_PASSWORD_PUSH_CACHE, &passwords2);
395 if (r < 0)
396 return log_error_errno(r, "Failed to query verification password: %m");
397
398 assert(strv_length(passwords2) == 1);
399
400 if (!streq(passwords[0], passwords2[0])) {
401 log_warning("Passwords did not match, retrying.");
402 return -EAGAIN;
403 }
404 }
405
406 strv_uniq(passwords);
407
408 STRV_FOREACH(p, passwords) {
409 char *c;
410
411 if (strlen(*p)+1 >= arg_key_size)
412 continue;
413
414 /* Pad password if necessary */
415 c = new(char, arg_key_size);
416 if (!c)
417 return log_oom();
418
419 strncpy(c, *p, arg_key_size);
420 free_and_replace(*p, c);
421 }
422
423 *ret = TAKE_PTR(passwords);
424
425 return 0;
426 }
427
428 static int attach_tcrypt(
429 struct crypt_device *cd,
430 const char *name,
431 const char *key_file,
432 char **passwords,
433 uint32_t flags) {
434
435 int r = 0;
436 _cleanup_free_ char *passphrase = NULL;
437 struct crypt_params_tcrypt params = {
438 .flags = CRYPT_TCRYPT_LEGACY_MODES,
439 .keyfiles = (const char **)arg_tcrypt_keyfiles,
440 .keyfiles_count = strv_length(arg_tcrypt_keyfiles)
441 };
442
443 assert(cd);
444 assert(name);
445 assert(key_file || (passwords && passwords[0]));
446
447 if (arg_tcrypt_hidden)
448 params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
449
450 if (arg_tcrypt_system)
451 params.flags |= CRYPT_TCRYPT_SYSTEM_HEADER;
452
453 #ifdef CRYPT_TCRYPT_VERA_MODES
454 if (arg_tcrypt_veracrypt)
455 params.flags |= CRYPT_TCRYPT_VERA_MODES;
456 #endif
457
458 if (key_file) {
459 r = read_one_line_file(key_file, &passphrase);
460 if (r < 0) {
461 log_error_errno(r, "Failed to read password file '%s': %m", key_file);
462 return -EAGAIN; /* log with the actual error, but return EAGAIN */
463 }
464
465 params.passphrase = passphrase;
466 } else
467 params.passphrase = passwords[0];
468 params.passphrase_size = strlen(params.passphrase);
469
470 r = crypt_load(cd, CRYPT_TCRYPT, &params);
471 if (r < 0) {
472 if (key_file && r == -EPERM) {
473 log_error_errno(r, "Failed to activate using password file '%s'. (Key data not correct?)", key_file);
474 return -EAGAIN; /* log the actual error, but return EAGAIN */
475 }
476
477 return log_error_errno(r, "Failed to load tcrypt superblock on device %s: %m", crypt_get_device_name(cd));
478 }
479
480 r = crypt_activate_by_volume_key(cd, name, NULL, 0, flags);
481 if (r < 0)
482 return log_error_errno(r, "Failed to activate tcrypt device %s: %m", crypt_get_device_name(cd));
483
484 return 0;
485 }
486
487 static int attach_luks_or_plain(struct crypt_device *cd,
488 const char *name,
489 const char *key_file,
490 char **passwords,
491 uint32_t flags) {
492 int r = 0;
493 bool pass_volume_key = false;
494
495 assert(cd);
496 assert(name);
497 assert(key_file || passwords);
498
499 if ((!arg_type && !crypt_get_type(cd)) || streq_ptr(arg_type, CRYPT_PLAIN)) {
500 struct crypt_params_plain params = {
501 .offset = arg_offset,
502 .skip = arg_skip,
503 #if HAVE_LIBCRYPTSETUP_SECTOR_SIZE
504 .sector_size = arg_sector_size,
505 #endif
506 };
507 const char *cipher, *cipher_mode;
508 _cleanup_free_ char *truncated_cipher = NULL;
509
510 if (arg_hash) {
511 /* plain isn't a real hash type. it just means "use no hash" */
512 if (!streq(arg_hash, "plain"))
513 params.hash = arg_hash;
514 } else if (!key_file)
515 /* for CRYPT_PLAIN, the behaviour of cryptsetup
516 * package is to not hash when a key file is provided */
517 params.hash = "ripemd160";
518
519 if (arg_cipher) {
520 size_t l;
521
522 l = strcspn(arg_cipher, "-");
523 truncated_cipher = strndup(arg_cipher, l);
524 if (!truncated_cipher)
525 return log_oom();
526
527 cipher = truncated_cipher;
528 cipher_mode = arg_cipher[l] ? arg_cipher+l+1 : "plain";
529 } else {
530 cipher = "aes";
531 cipher_mode = "cbc-essiv:sha256";
532 }
533
534 /* for CRYPT_PLAIN limit reads from keyfile to key length, and ignore keyfile-size */
535 arg_keyfile_size = arg_key_size;
536
537 /* In contrast to what the name crypt_format() might suggest this doesn't actually format
538 * anything, it just configures encryption parameters when used for plain mode. */
539 r = crypt_format(cd, CRYPT_PLAIN, cipher, cipher_mode, NULL, NULL, arg_keyfile_size, &params);
540 if (r < 0)
541 return log_error_errno(r, "Loading of cryptographic parameters failed: %m");
542
543 /* hash == NULL implies the user passed "plain" */
544 pass_volume_key = (params.hash == NULL);
545 }
546
547 log_info("Set cipher %s, mode %s, key size %i bits for device %s.",
548 crypt_get_cipher(cd),
549 crypt_get_cipher_mode(cd),
550 crypt_get_volume_key_size(cd)*8,
551 crypt_get_device_name(cd));
552
553 if (key_file) {
554 r = crypt_activate_by_keyfile_offset(cd, name, arg_key_slot, key_file, arg_keyfile_size, arg_keyfile_offset, flags);
555 if (r == -EPERM) {
556 log_error_errno(r, "Failed to activate with key file '%s'. (Key data incorrect?)", key_file);
557 return -EAGAIN; /* Log actual error, but return EAGAIN */
558 }
559 if (r == -EINVAL) {
560 log_error_errno(r, "Failed to activate with key file '%s'. (Key file missing?)", key_file);
561 return -EAGAIN; /* Log actual error, but return EAGAIN */
562 }
563 if (r < 0)
564 return log_error_errno(r, "Failed to activate with key file '%s': %m", key_file);
565 } else {
566 char **p;
567
568 r = -EINVAL;
569 STRV_FOREACH(p, passwords) {
570 if (pass_volume_key)
571 r = crypt_activate_by_volume_key(cd, name, *p, arg_key_size, flags);
572 else
573 r = crypt_activate_by_passphrase(cd, name, arg_key_slot, *p, strlen(*p), flags);
574 if (r >= 0)
575 break;
576 }
577 if (r == -EPERM) {
578 log_error_errno(r, "Failed to activate with specified passphrase. (Passphrase incorrect?)");
579 return -EAGAIN; /* log actual error, but return EAGAIN */
580 }
581 if (r < 0)
582 return log_error_errno(r, "Failed to activate with specified passphrase: %m");
583 }
584
585 return r;
586 }
587
588 static int help(void) {
589 _cleanup_free_ char *link = NULL;
590 int r;
591
592 r = terminal_urlify_man("systemd-cryptsetup@.service", "8", &link);
593 if (r < 0)
594 return log_oom();
595
596 printf("%s attach VOLUME SOURCEDEVICE [PASSWORD] [OPTIONS]\n"
597 "%s detach VOLUME\n\n"
598 "Attaches or detaches an encrypted block device.\n"
599 "\nSee the %s for details.\n"
600 , program_invocation_short_name
601 , program_invocation_short_name
602 , link
603 );
604
605 return 0;
606 }
607
608 static uint32_t determine_flags(void) {
609 uint32_t flags = 0;
610
611 if (arg_readonly)
612 flags |= CRYPT_ACTIVATE_READONLY;
613
614 if (arg_discards)
615 flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
616
617 if (arg_same_cpu_crypt)
618 flags |= CRYPT_ACTIVATE_SAME_CPU_CRYPT;
619
620 if (arg_submit_from_crypt_cpus)
621 flags |= CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS;
622
623 return flags;
624 }
625
626 static int run(int argc, char *argv[]) {
627 _cleanup_(crypt_freep) struct crypt_device *cd = NULL;
628 int r;
629
630 if (argc <= 1)
631 return help();
632
633 if (argc < 3) {
634 log_error("This program requires at least two arguments.");
635 return -EINVAL;
636 }
637
638 log_setup_service();
639
640 crypt_set_log_callback(NULL, cryptsetup_log_glue, NULL);
641 if (DEBUG_LOGGING)
642 /* libcryptsetup won't even consider debug messages by default */
643 crypt_set_debug_level(CRYPT_DEBUG_ALL);
644
645 umask(0022);
646
647 if (streq(argv[1], "attach")) {
648 uint32_t flags = 0;
649 unsigned tries;
650 usec_t until;
651 crypt_status_info status;
652 const char *key_file = NULL;
653
654 /* Arguments: systemd-cryptsetup attach VOLUME SOURCE-DEVICE [PASSWORD] [OPTIONS] */
655
656 if (argc < 4)
657 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "attach requires at least two arguments.");
658
659 if (argc >= 5 &&
660 argv[4][0] &&
661 !streq(argv[4], "-") &&
662 !streq(argv[4], "none")) {
663
664 if (!path_is_absolute(argv[4]))
665 log_warning("Password file path '%s' is not absolute. Ignoring.", argv[4]);
666 else
667 key_file = argv[4];
668 }
669
670 if (argc >= 6 && argv[5][0] && !streq(argv[5], "-")) {
671 r = parse_options(argv[5]);
672 if (r < 0)
673 return r;
674 }
675
676 /* A delicious drop of snake oil */
677 mlockall(MCL_FUTURE);
678
679 if (arg_header) {
680 log_debug("LUKS header: %s", arg_header);
681 r = crypt_init(&cd, arg_header);
682 } else
683 r = crypt_init(&cd, argv[3]);
684 if (r < 0)
685 return log_error_errno(r, "crypt_init() failed: %m");
686
687 crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
688
689 status = crypt_status(cd, argv[2]);
690 if (IN_SET(status, CRYPT_ACTIVE, CRYPT_BUSY)) {
691 log_info("Volume %s already active.", argv[2]);
692 return 0;
693 }
694
695 flags = determine_flags();
696
697 if (arg_timeout == USEC_INFINITY)
698 until = 0;
699 else
700 until = now(CLOCK_MONOTONIC) + arg_timeout;
701
702 arg_key_size = (arg_key_size > 0 ? arg_key_size : (256 / 8));
703
704 if (key_file) {
705 struct stat st;
706
707 /* Ideally we'd do this on the open fd, but since this is just a
708 * warning it's OK to do this in two steps. */
709 if (stat(key_file, &st) >= 0 && S_ISREG(st.st_mode) && (st.st_mode & 0005))
710 log_warning("Key file %s is world-readable. This is not a good idea!", key_file);
711 }
712
713 if (!arg_type || STR_IN_SET(arg_type, ANY_LUKS, CRYPT_LUKS1)) {
714 r = crypt_load(cd, CRYPT_LUKS, NULL);
715 if (r < 0)
716 return log_error_errno(r, "Failed to load LUKS superblock on device %s: %m", crypt_get_device_name(cd));
717
718 if (arg_header) {
719 r = crypt_set_data_device(cd, argv[3]);
720 if (r < 0)
721 return log_error_errno(r, "Failed to set LUKS data device %s: %m", argv[3]);
722 }
723 #ifdef CRYPT_ANY_TOKEN
724 /* Tokens are available in LUKS2 only, but it is ok to call (and fail) with LUKS1. */
725 if (!key_file) {
726 r = crypt_activate_by_token(cd, argv[2], CRYPT_ANY_TOKEN, NULL, flags);
727 if (r >= 0) {
728 log_debug("Volume %s activated with LUKS token id %i.", argv[2], r);
729 return 0;
730 }
731
732 log_debug_errno(r, "Token activation unsuccessful for device %s: %m", crypt_get_device_name(cd));
733 }
734 #endif
735 }
736
737 for (tries = 0; arg_tries == 0 || tries < arg_tries; tries++) {
738 _cleanup_strv_free_erase_ char **passwords = NULL;
739
740 if (!key_file) {
741 r = get_password(argv[2], argv[3], until, tries == 0 && !arg_verify, &passwords);
742 if (r == -EAGAIN)
743 continue;
744 if (r < 0)
745 return r;
746 }
747
748 if (streq_ptr(arg_type, CRYPT_TCRYPT))
749 r = attach_tcrypt(cd, argv[2], key_file, passwords, flags);
750 else
751 r = attach_luks_or_plain(cd,
752 argv[2],
753 key_file,
754 passwords,
755 flags);
756 if (r >= 0)
757 break;
758 if (r != -EAGAIN)
759 return r;
760
761 /* Passphrase not correct? Let's try again! */
762 key_file = NULL;
763 }
764
765 if (arg_tries != 0 && tries >= arg_tries)
766 return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Too many attempts to activate; giving up.");
767
768 } else if (streq(argv[1], "detach")) {
769
770 r = crypt_init_by_name(&cd, argv[2]);
771 if (r == -ENODEV) {
772 log_info("Volume %s already inactive.", argv[2]);
773 return 0;
774 }
775 if (r < 0)
776 return log_error_errno(r, "crypt_init_by_name() failed: %m");
777
778 crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
779
780 r = crypt_deactivate(cd, argv[2]);
781 if (r < 0)
782 return log_error_errno(r, "Failed to deactivate: %m");
783
784 } else
785 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown verb %s.", argv[1]);
786
787 return 0;
788 }
789
790 DEFINE_MAIN_FUNCTION(run);
Unnamed repository; edit this file 'description' to name the repository.