bus: properly unmap mapped area
[elogind.git] / src / cryptsetup / cryptsetup.c
index d5dc2335c8994e8d9b62c7fc5c5cd6f18691923e..347394db8ea802001e21e4daa5a86d48e52f96d3 100644 (file)
@@ -44,7 +44,7 @@ static unsigned opt_tries = 0;
 static bool opt_readonly = false;
 static bool opt_verify = false;
 static bool opt_discards = false;
-static usec_t opt_timeout = DEFAULT_TIMEOUT_USEC;
+static usec_t opt_timeout = 0;
 
 /* Options Debian's crypttab knows we don't:
 
@@ -127,7 +127,7 @@ static int parse_one_option(const char *option) {
                 opt_type = CRYPT_PLAIN;
         else if (startswith(option, "timeout=")) {
 
-                if (parse_usec(option+8, &opt_timeout) < 0) {
+                if (parse_sec(option+8, &opt_timeout) < 0) {
                         log_error("timeout= parse failure, ignoring.");
                         return 0;
                 }
@@ -461,10 +461,7 @@ int main(int argc, char *argv[]) {
                                 k = crypt_load(cd, CRYPT_LUKS1, NULL);
 
                         if ((!opt_type && k < 0) || streq_ptr(opt_type, CRYPT_PLAIN)) {
-                                struct crypt_params_plain params;
-
-                                zero(params);
-                                params.hash = hash;
+                                struct crypt_params_plain params = { .hash = hash };
 
                                 /* for CRYPT_PLAIN limit reads
                                 * from keyfile to key length, and
@@ -500,10 +497,25 @@ int main(int argc, char *argv[]) {
                                  crypt_get_volume_key_size(cd)*8,
                                  argv[3]);
 
-                        if (key_file)
-                                k = crypt_activate_by_keyfile_offset(cd, argv[2], CRYPT_ANY_SLOT, key_file, opt_keyfile_size,
-                                            opt_keyfile_offset, flags);
-                        else {
+                        if (key_file) {
+                                struct stat st;
+
+                                /* Ideally we'd do this on the open
+                                 * fd, but since this is just a
+                                 * warning it's OK to do this in two
+                                 * steps */
+                                if (stat(key_file, &st) >= 0 && (st.st_mode & 0005))
+                                        log_warning("Key file %s is world-readable. That's certainly not a good idea.", key_file);
+
+                                k = crypt_activate_by_keyfile_offset(
+                                                cd, argv[2], CRYPT_ANY_SLOT, key_file, opt_keyfile_size,
+                                                opt_keyfile_offset, flags);
+                                if (k < 0) {
+                                        log_error("Failed to activate with key file '%s': %s", key_file, strerror(-k));
+                                        key_file = NULL;
+                                        continue;
+                                }
+                        } else {
                                 char **p;
 
                                 STRV_FOREACH(p, passwords) {
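Review bot: The permission test `(st.st_mode & 0005)` checks the other-read and other-execute bits together, so a key file that is world-executable but not world-readable still produces the "world-readable" warning. The mask should be the read bit alone: `if (stat(key_file, &st) >= 0 && (st.st_mode & S_IROTH))`. If the intent is to flag any loose mode on key material, group-readable and world-writable files are not covered by this check and would need their own test. A failing stat() is skipped silently, which is acceptable for an advisory warning because the activation error below still reports an unusable file. main() starts and ends outside this hunk.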