X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fcryptsetup%2Fcryptsetup.c;h=347394db8ea802001e21e4daa5a86d48e52f96d3;hb=39887731d4a36292674f92effa30e5941419c201;hp=51d4f99edc0bd513683051bb801cdaa3fcdc67c8;hpb=7f602784de4fd378120e8ebfe6d830862b9cae03;p=elogind.git
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 51d4f99ed..347394db8 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -44,7 +44,7 @@ static unsigned opt_tries = 0;
 static bool opt_readonly = false;
 static bool opt_verify = false;
 static bool opt_discards = false;
-static usec_t opt_timeout = DEFAULT_TIMEOUT_USEC;
+static usec_t opt_timeout = 0;
 /* Options Debian's crypttab knows we don't:
@@ -461,10 +461,7 @@ int main(int argc, char *argv[]) {
 k = crypt_load(cd, CRYPT_LUKS1, NULL);
 if ((!opt_type && k < 0) || streq_ptr(opt_type, CRYPT_PLAIN)) {
- struct crypt_params_plain params;
-
- zero(params);
- params.hash = hash;
+ struct crypt_params_plain params = { .hash = hash };
 /* for CRYPT_PLAIN limit reads * from keyfile to key length, and
@@ -500,10 +497,25 @@ int main(int argc, char *argv[]) {
 crypt_get_volume_key_size(cd)*8, argv[3]);
- if (key_file)
- k = crypt_activate_by_keyfile_offset(cd, argv[2], CRYPT_ANY_SLOT, key_file, opt_keyfile_size,
- opt_keyfile_offset, flags);
- else {
+ if (key_file) {
+ struct stat st;
+
+ /* Ideally we'd do this on the open
+ * fd, but since this is just a
+ * warning it's OK to do this in two
+ * steps */
+ if (stat(key_file, &st) >= 0 && (st.st_mode & 0005))
+ log_warning("Key file %s is world-readable. That's certainly not a good idea.", key_file);
+
+ k = crypt_activate_by_keyfile_offset(
+ cd, argv[2], CRYPT_ANY_SLOT, key_file, opt_keyfile_size,
+ opt_keyfile_offset, flags);
+ if (k < 0) {
+ log_error("Failed to activate with key file '%s': %s", key_file, strerror(-k));
+ key_file = NULL;
+ continue;
+ }
+ } else {
 char **p;
 STRV_FOREACH(p, passwords) {
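Review bot: The permission test `st.st_mode & 0005` in the new `if (key_file)` branch matches the other-execute bit as well as other-read, so a key file with mode 0601 is reported as "world-readable" while a group-readable one (0640) produces no warning at all. If the intent is to flag any access beyond the owner, `if (stat(key_file, &st) >= 0 && (st.st_mode & 0077))` with wording such as "accessible by group or others" would match what is actually tested; if only other-read matters, test `S_IROTH` alone. The check looks only at the key file's own mode bits, so the comment above it could add `/* only the file's mode is examined, not its parent directories */`. On activation failure the branch clears `key_file` and uses `continue`; the enclosing loop starts outside the hunk, so whether that iteration counts against `opt_tries` before falling back to a passphrase prompt should be confirmed there.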