src/cryptsetup.c

   1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
   2
   3 /***
   4   This file is part of systemd.
   5
   6   Copyright 2010 Lennart Poettering
   7
   8   systemd is free software; you can redistribute it and/or modify it
   9   under the terms of the GNU General Public License as published by
  10   the Free Software Foundation; either version 2 of the License, or
  11   (at your option) any later version.
  12
  13   systemd is distributed in the hope that it will be useful, but
  14   WITHOUT ANY WARRANTY; without even the implied warranty of
  15   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  16   General Public License for more details.
  17
  18   You should have received a copy of the GNU General Public License
  19   along with systemd; If not, see <http://www.gnu.org/licenses/>.
  20 ***/
  21
  22 #include <string.h>
  23 #include <errno.h>
  24
  25 #include <libcryptsetup.h>
  26
  27 #include "log.h"
  28 #include "util.h"
  29 #include "ask-password-api.h"
  30
  31 static const char *opt_type = NULL; /* LUKS1 or PLAIN */
  32 static char *opt_cipher = NULL;
  33 static unsigned opt_key_size = 0;
  34 static char *opt_hash = NULL;
  35 static unsigned opt_tries = 0;
  36 static bool opt_readonly = false;
  37 static bool opt_verify = false;
  38 static usec_t opt_timeout = 0;
  39
  40 static int parse_one_option(const char *option) {
  41         assert(option);
  42
  43         /* Handled outside of this tool */
  44         if (streq(option, "noauto"))
  45                 return 0;
  46
  47         if (startswith(option, "cipher=")) {
  48                 char *t;
  49
  50                 if (!(t = strdup(option+7)))
  51                         return -ENOMEM;
  52
  53                 free(opt_cipher);
  54                 opt_cipher = t;
  55
  56         } else if (startswith(option, "size=")) {
  57
  58                 if (safe_atou(option+5, &opt_key_size) < 0) {
  59                         log_error("size= parse failure, ignoring.");
  60                         return 0;
  61                 }
  62
  63         } else if (startswith(option, "hash=")) {
  64                 char *t;
  65
  66                 if (!(t = strdup(option+5)))
  67                         return -ENOMEM;
  68
  69                 free(opt_hash);
  70                 opt_hash = t;
  71
  72         } else if (startswith(option, "tries=")) {
  73
  74                 if (safe_atou(option+6, &opt_tries) < 0) {
  75                         log_error("tries= parse failure, ignoring.");
  76                         return 0;
  77                 }
  78
  79         } else if (streq(option, "readonly"))
  80                 opt_readonly = true;
  81         else if (streq(option, "verify"))
  82                 opt_verify = true;
  83         else if (streq(option, "luks"))
  84                 opt_type = CRYPT_LUKS1;
  85         else if (streq(option, "plain") ||
  86                  streq(option, "swap") ||
  87                  streq(option, "tmp"))
  88                 opt_type = CRYPT_PLAIN;
  89         else if (startswith(option, "timeout=")) {
  90
  91                 if (parse_usec(option+8, &opt_timeout) < 0) {
  92                         log_error("timeout= parse failure, ignoring.");
  93                         return 0;
  94                 }
  95
  96         } else
  97                 log_error("Encountered unknown /etc/crypttab option '%s', ignoring.", option);
  98
  99         return 0;
 100 }
 101
 102 static int parse_options(const char *options) {
 103         char *state;
 104         char *w;
 105         size_t l;
 106
 107         assert(options);
 108
 109         FOREACH_WORD_SEPARATOR(w, l, options, ",", state) {
 110                 char *o;
 111                 int r;
 112
 113                 if (!(o = strndup(w, l)))
 114                         return -ENOMEM;
 115
 116                 r = parse_one_option(o);
 117                 free(o);
 118
 119                 if (r < 0)
 120                         return r;
 121         }
 122
 123         return 0;
 124 }
 125
 126 static void log_glue(int level, const char *msg, void *usrptr) {
 127         log_debug("%s", msg);
 128 }
 129
 130 int main(int argc, char *argv[]) {
 131         int r = EXIT_FAILURE;
 132         struct crypt_device *cd = NULL;
 133         char *password = NULL, *truncated_cipher = NULL;
 134         const char *cipher = NULL, *cipher_mode = NULL, *hash = NULL;
 135
 136         if (argc < 3) {
 137                 log_error("This program requires at least two arguments.");
 138                 return EXIT_FAILURE;
 139         }
 140
 141         log_set_target(LOG_TARGET_AUTO);
 142         log_parse_environment();
 143         log_open();
 144
 145         if (streq(argv[1], "attach")) {
 146                 uint32_t flags = 0;
 147                 int k;
 148                 unsigned try;
 149                 const char *key_file = NULL;
 150                 usec_t until;
 151                 crypt_status_info status;
 152
 153                 if (argc < 4) {
 154                         log_error("attach requires at least two arguments.");
 155                         goto finish;
 156                 }
 157
 158                 if (argc >= 5 && argv[4][0] && !streq(argv[4], "-")) {
 159
 160                         if (!path_is_absolute(argv[4]))
 161                                 log_error("Password file path %s is not absolute. Ignoring.", argv[4]);
 162                         else
 163                                 key_file = argv[4];
 164                 }
 165
 166                 if (argc >= 6 && argv[5][0] && !streq(argv[5], "-"))
 167                         parse_options(argv[5]);
 168
 169                 if ((k = crypt_init(&cd, argv[3]))) {
 170                         log_error("crypt_init() failed: %s", strerror(-k));
 171                         goto finish;
 172                 }
 173
 174                 crypt_set_log_callback(cd, log_glue, NULL);
 175
 176                 status = crypt_status(cd, argv[2]);
 177                 if (status == CRYPT_ACTIVE || status == CRYPT_BUSY) {
 178                         log_info("Volume %s already active.", argv[2]);
 179                         r = EXIT_SUCCESS;
 180                         goto finish;
 181                 }
 182
 183                 if (opt_readonly)
 184                         flags |= CRYPT_ACTIVATE_READONLY;
 185
 186                 until = now(CLOCK_MONOTONIC) + (opt_timeout > 0 ? opt_timeout : 60 * USEC_PER_SEC);
 187
 188                 opt_tries = opt_tries > 0 ? opt_tries : 3;
 189                 opt_key_size = (opt_key_size > 0 ? opt_key_size : 256);
 190                 hash = opt_hash ? opt_hash : "ripemd160";
 191
 192                 if (opt_cipher) {
 193                         size_t l;
 194
 195                         l = strcspn(opt_cipher, "-");
 196
 197                         if (!(truncated_cipher = strndup(opt_cipher, l))) {
 198                                 log_error("Out of memory");
 199                                 goto finish;
 200                         }
 201
 202                         cipher = truncated_cipher;
 203                         cipher_mode = opt_cipher[l] ? opt_cipher+l+1 : "plain";
 204                 } else {
 205                         cipher = "aes";
 206                         cipher_mode = "cbc-essiv:sha256";
 207                 }
 208
 209                 for (try = 0; try < opt_tries; try++) {
 210                         bool pass_volume_key = false;
 211
 212                         free(password);
 213                         password = NULL;
 214
 215                         if (!key_file) {
 216
 217                                 if ((k = ask_password_auto("Please enter passphrase for disk:", "drive-harddisk", until, &password)) < 0) {
 218                                         log_error("Failed to query password: %s", strerror(-k));
 219                                         goto finish;
 220                                 }
 221
 222                                 if (opt_verify) {
 223                                         char *password2 = NULL;
 224
 225                                         if ((k = ask_password_auto("Please enter passphrase for disk (verification):", "drive-harddisk", until, &password2)) < 0) {
 226                                                 log_error("Failed to query verification password: %s", strerror(-k));
 227                                                 goto finish;
 228                                         }
 229
 230                                         if (!streq(password, password2)) {
 231                                                 log_warning("Passwords did not match, retrying.");
 232                                                 free(password2);
 233                                                 continue;
 234                                         }
 235
 236                                         free(password2);
 237                                 }
 238
 239                                 if (strlen(password)+1 < opt_key_size) {
 240                                         char *c;
 241
 242                                         /* Pad password if necessary */
 243
 244                                         if (!(c = new(char, opt_key_size))) {
 245                                                 log_error("Out of memory.");
 246                                                 goto finish;
 247                                         }
 248
 249                                         strncpy(c, password, opt_key_size);
 250                                         free(password);
 251                                         password = c;
 252                                 }
 253                         }
 254
 255                         if (!opt_type || streq(opt_type, CRYPT_LUKS1))
 256                                 k = crypt_load(cd, CRYPT_LUKS1, NULL);
 257
 258                         if ((!opt_type && k < 0) || streq_ptr(opt_type, CRYPT_PLAIN)) {
 259                                 struct crypt_params_plain params;
 260
 261                                 zero(params);
 262                                 params.hash = hash;
 263
 264                                 /* In contrast to what the name
 265                                  * crypt_setup() might suggest this
 266                                  * doesn't actually format anything,
 267                                  * it just configures encryption
 268                                  * parameters when used for plain
 269                                  * mode. */
 270                                 k = crypt_format(cd, CRYPT_PLAIN,
 271                                                  cipher,
 272                                                  cipher_mode,
 273                                                  NULL,
 274                                                  NULL,
 275                                                  opt_key_size / 8,
 276                                                  &params);
 277
 278                                 pass_volume_key = streq(hash, "plain");
 279                         }
 280
 281                         if (k < 0) {
 282                                 log_error("Loading of cryptographic parameters failed: %s", strerror(-k));
 283                                 goto finish;
 284                         }
 285
 286                         log_info("Set cipher %s, mode %s, key size %i bits for device %s.",
 287                                  crypt_get_cipher(cd),
 288                                  crypt_get_cipher_mode(cd),
 289                                  crypt_get_volume_key_size(cd)*8,
 290                                  argv[3]);
 291
 292                         if (key_file)
 293                                 k = crypt_activate_by_keyfile(cd, argv[2], CRYPT_ANY_SLOT, key_file, opt_key_size, flags);
 294                         else if (pass_volume_key)
 295                                 k = crypt_activate_by_volume_key(cd, argv[2], password, opt_key_size, flags);
 296                         else
 297                                 k = crypt_activate_by_passphrase(cd, argv[2], CRYPT_ANY_SLOT, password, strlen(password), flags);
 298
 299                         if (k >= 0)
 300                                 break;
 301
 302                         if (k != -EPERM) {
 303                                 log_error("Failed to activate: %s", strerror(-k));
 304                                 goto finish;
 305                         }
 306
 307                         log_warning("Invalid passphrase.");
 308                 }
 309
 310                 if (try >= opt_tries) {
 311                         log_error("Too many attempts.");
 312                         r = EXIT_FAILURE;
 313                 }
 314
 315         } else if (streq(argv[1], "detach")) {
 316                 int k;
 317
 318                 if ((k = crypt_init_by_name(&cd, argv[2]))) {
 319                         log_error("crypt_init() failed: %s", strerror(-k));
 320                         goto finish;
 321                 }
 322
 323                 crypt_set_log_callback(cd, log_glue, NULL);
 324
 325                 if ((k = crypt_deactivate(cd, argv[2])) < 0) {
 326                         log_error("Failed to deactivate: %s", strerror(-k));
 327                         goto finish;
 328                 }
 329
 330         } else {
 331                 log_error("Unknown verb %s.", argv[1]);
 332                 goto finish;
 333         }
 334
 335         r = EXIT_SUCCESS;
 336
 337 finish:
 338
 339         if (cd)
 340                 crypt_free(cd);
 341
 342         free(opt_cipher);
 343         free(opt_hash);
 344
 345         free(truncated_cipher);
 346
 347         free(password);
 348
 349         return r;
 350 }