src/cryptsetup.c

   1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
   2
   3 /***
   4   This file is part of systemd.
   5
   6   Copyright 2010 Lennart Poettering
   7
   8   systemd is free software; you can redistribute it and/or modify it
   9   under the terms of the GNU General Public License as published by
  10   the Free Software Foundation; either version 2 of the License, or
  11   (at your option) any later version.
  12
  13   systemd is distributed in the hope that it will be useful, but
  14   WITHOUT ANY WARRANTY; without even the implied warranty of
  15   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  16   General Public License for more details.
  17
  18   You should have received a copy of the GNU General Public License
  19   along with systemd; If not, see <http://www.gnu.org/licenses/>.
  20 ***/
  21
  22 #include <string.h>
  23 #include <errno.h>
  24
  25 #include <libcryptsetup.h>
  26
  27 #include "log.h"
  28 #include "util.h"
  29 #include "ask-password-api.h"
  30
  31 static const char *opt_type = NULL; /* LUKS1 or PLAIN */
  32 static char *opt_cipher = NULL;
  33 static unsigned opt_key_size = 0;
  34 static char *opt_hash = NULL;
  35 static unsigned opt_tries = 0;
  36 static bool opt_readonly = false;
  37 static bool opt_verify = false;
  38 static usec_t opt_timeout = 0;
  39
  40 /* Options Debian's crypttab knows we don't:
  41
  42     offset=
  43     skip=
  44     precheck=
  45     check=
  46     checkargs=
  47     noearly=
  48     loud=
  49     keyscript=
  50 */
  51
  52 static int parse_one_option(const char *option) {
  53         assert(option);
  54
  55         /* Handled outside of this tool */
  56         if (streq(option, "noauto"))
  57                 return 0;
  58
  59         if (startswith(option, "cipher=")) {
  60                 char *t;
  61
  62                 if (!(t = strdup(option+7)))
  63                         return -ENOMEM;
  64
  65                 free(opt_cipher);
  66                 opt_cipher = t;
  67
  68         } else if (startswith(option, "size=")) {
  69
  70                 if (safe_atou(option+5, &opt_key_size) < 0) {
  71                         log_error("size= parse failure, ignoring.");
  72                         return 0;
  73                 }
  74
  75         } else if (startswith(option, "hash=")) {
  76                 char *t;
  77
  78                 if (!(t = strdup(option+5)))
  79                         return -ENOMEM;
  80
  81                 free(opt_hash);
  82                 opt_hash = t;
  83
  84         } else if (startswith(option, "tries=")) {
  85
  86                 if (safe_atou(option+6, &opt_tries) < 0) {
  87                         log_error("tries= parse failure, ignoring.");
  88                         return 0;
  89                 }
  90
  91         } else if (streq(option, "readonly"))
  92                 opt_readonly = true;
  93         else if (streq(option, "verify"))
  94                 opt_verify = true;
  95         else if (streq(option, "luks"))
  96                 opt_type = CRYPT_LUKS1;
  97         else if (streq(option, "plain") ||
  98                  streq(option, "swap") ||
  99                  streq(option, "tmp"))
 100                 opt_type = CRYPT_PLAIN;
 101         else if (startswith(option, "timeout=")) {
 102
 103                 if (parse_usec(option+8, &opt_timeout) < 0) {
 104                         log_error("timeout= parse failure, ignoring.");
 105                         return 0;
 106                 }
 107
 108         } else
 109                 log_error("Encountered unknown /etc/crypttab option '%s', ignoring.", option);
 110
 111         return 0;
 112 }
 113
 114 static int parse_options(const char *options) {
 115         char *state;
 116         char *w;
 117         size_t l;
 118
 119         assert(options);
 120
 121         FOREACH_WORD_SEPARATOR(w, l, options, ",", state) {
 122                 char *o;
 123                 int r;
 124
 125                 if (!(o = strndup(w, l)))
 126                         return -ENOMEM;
 127
 128                 r = parse_one_option(o);
 129                 free(o);
 130
 131                 if (r < 0)
 132                         return r;
 133         }
 134
 135         return 0;
 136 }
 137
 138 static void log_glue(int level, const char *msg, void *usrptr) {
 139         log_debug("%s", msg);
 140 }
 141
 142 int main(int argc, char *argv[]) {
 143         int r = EXIT_FAILURE;
 144         struct crypt_device *cd = NULL;
 145         char *password = NULL, *truncated_cipher = NULL;
 146         const char *cipher = NULL, *cipher_mode = NULL, *hash = NULL;
 147
 148         if (argc < 3) {
 149                 log_error("This program requires at least two arguments.");
 150                 return EXIT_FAILURE;
 151         }
 152
 153         log_set_target(LOG_TARGET_AUTO);
 154         log_parse_environment();
 155         log_open();
 156
 157         if (streq(argv[1], "attach")) {
 158                 uint32_t flags = 0;
 159                 int k;
 160                 unsigned try;
 161                 const char *key_file = NULL;
 162                 usec_t until;
 163                 crypt_status_info status;
 164
 165                 if (argc < 4) {
 166                         log_error("attach requires at least two arguments.");
 167                         goto finish;
 168                 }
 169
 170                 if (argc >= 5 &&
 171                     argv[4][0] &&
 172                     !streq(argv[4], "-") &&
 173                     !streq(argv[4], "none")) {
 174
 175                         if (!path_is_absolute(argv[4]))
 176                                 log_error("Password file path %s is not absolute. Ignoring.", argv[4]);
 177                         else
 178                                 key_file = argv[4];
 179                 }
 180
 181                 if (argc >= 6 && argv[5][0] && !streq(argv[5], "-"))
 182                         parse_options(argv[5]);
 183
 184                 if ((k = crypt_init(&cd, argv[3]))) {
 185                         log_error("crypt_init() failed: %s", strerror(-k));
 186                         goto finish;
 187                 }
 188
 189                 crypt_set_log_callback(cd, log_glue, NULL);
 190
 191                 status = crypt_status(cd, argv[2]);
 192                 if (status == CRYPT_ACTIVE || status == CRYPT_BUSY) {
 193                         log_info("Volume %s already active.", argv[2]);
 194                         r = EXIT_SUCCESS;
 195                         goto finish;
 196                 }
 197
 198                 if (opt_readonly)
 199                         flags |= CRYPT_ACTIVATE_READONLY;
 200
 201                 until = now(CLOCK_MONOTONIC) + (opt_timeout > 0 ? opt_timeout : 60 * USEC_PER_SEC);
 202
 203                 opt_tries = opt_tries > 0 ? opt_tries : 3;
 204                 opt_key_size = (opt_key_size > 0 ? opt_key_size : 256);
 205                 hash = opt_hash ? opt_hash : "ripemd160";
 206
 207                 if (opt_cipher) {
 208                         size_t l;
 209
 210                         l = strcspn(opt_cipher, "-");
 211
 212                         if (!(truncated_cipher = strndup(opt_cipher, l))) {
 213                                 log_error("Out of memory");
 214                                 goto finish;
 215                         }
 216
 217                         cipher = truncated_cipher;
 218                         cipher_mode = opt_cipher[l] ? opt_cipher+l+1 : "plain";
 219                 } else {
 220                         cipher = "aes";
 221                         cipher_mode = "cbc-essiv:sha256";
 222                 }
 223
 224                 for (try = 0; try < opt_tries; try++) {
 225                         bool pass_volume_key = false;
 226
 227                         free(password);
 228                         password = NULL;
 229
 230                         if (!key_file) {
 231
 232                                 if ((k = ask_password_auto("Please enter passphrase for disk:", "drive-harddisk", until, &password)) < 0) {
 233                                         log_error("Failed to query password: %s", strerror(-k));
 234                                         goto finish;
 235                                 }
 236
 237                                 if (opt_verify) {
 238                                         char *password2 = NULL;
 239
 240                                         if ((k = ask_password_auto("Please enter passphrase for disk (verification):", "drive-harddisk", until, &password2)) < 0) {
 241                                                 log_error("Failed to query verification password: %s", strerror(-k));
 242                                                 goto finish;
 243                                         }
 244
 245                                         if (!streq(password, password2)) {
 246                                                 log_warning("Passwords did not match, retrying.");
 247                                                 free(password2);
 248                                                 continue;
 249                                         }
 250
 251                                         free(password2);
 252                                 }
 253
 254                                 if (strlen(password)+1 < opt_key_size) {
 255                                         char *c;
 256
 257                                         /* Pad password if necessary */
 258
 259                                         if (!(c = new(char, opt_key_size))) {
 260                                                 log_error("Out of memory.");
 261                                                 goto finish;
 262                                         }
 263
 264                                         strncpy(c, password, opt_key_size);
 265                                         free(password);
 266                                         password = c;
 267                                 }
 268                         }
 269
 270                         if (!opt_type || streq(opt_type, CRYPT_LUKS1))
 271                                 k = crypt_load(cd, CRYPT_LUKS1, NULL);
 272
 273                         if ((!opt_type && k < 0) || streq_ptr(opt_type, CRYPT_PLAIN)) {
 274                                 struct crypt_params_plain params;
 275
 276                                 zero(params);
 277                                 params.hash = hash;
 278
 279                                 /* In contrast to what the name
 280                                  * crypt_setup() might suggest this
 281                                  * doesn't actually format anything,
 282                                  * it just configures encryption
 283                                  * parameters when used for plain
 284                                  * mode. */
 285                                 k = crypt_format(cd, CRYPT_PLAIN,
 286                                                  cipher,
 287                                                  cipher_mode,
 288                                                  NULL,
 289                                                  NULL,
 290                                                  opt_key_size / 8,
 291                                                  &params);
 292
 293                                 pass_volume_key = streq(hash, "plain");
 294                         }
 295
 296                         if (k < 0) {
 297                                 log_error("Loading of cryptographic parameters failed: %s", strerror(-k));
 298                                 goto finish;
 299                         }
 300
 301                         log_info("Set cipher %s, mode %s, key size %i bits for device %s.",
 302                                  crypt_get_cipher(cd),
 303                                  crypt_get_cipher_mode(cd),
 304                                  crypt_get_volume_key_size(cd)*8,
 305                                  argv[3]);
 306
 307                         if (key_file)
 308                                 k = crypt_activate_by_keyfile(cd, argv[2], CRYPT_ANY_SLOT, key_file, opt_key_size, flags);
 309                         else if (pass_volume_key)
 310                                 k = crypt_activate_by_volume_key(cd, argv[2], password, opt_key_size, flags);
 311                         else
 312                                 k = crypt_activate_by_passphrase(cd, argv[2], CRYPT_ANY_SLOT, password, strlen(password), flags);
 313
 314                         if (k >= 0)
 315                                 break;
 316
 317                         if (k != -EPERM) {
 318                                 log_error("Failed to activate: %s", strerror(-k));
 319                                 goto finish;
 320                         }
 321
 322                         log_warning("Invalid passphrase.");
 323                 }
 324
 325                 if (try >= opt_tries) {
 326                         log_error("Too many attempts.");
 327                         r = EXIT_FAILURE;
 328                 }
 329
 330         } else if (streq(argv[1], "detach")) {
 331                 int k;
 332
 333                 if ((k = crypt_init_by_name(&cd, argv[2]))) {
 334                         log_error("crypt_init() failed: %s", strerror(-k));
 335                         goto finish;
 336                 }
 337
 338                 crypt_set_log_callback(cd, log_glue, NULL);
 339
 340                 if ((k = crypt_deactivate(cd, argv[2])) < 0) {
 341                         log_error("Failed to deactivate: %s", strerror(-k));
 342                         goto finish;
 343                 }
 344
 345         } else {
 346                 log_error("Unknown verb %s.", argv[1]);
 347                 goto finish;
 348         }
 349
 350         r = EXIT_SUCCESS;
 351
 352 finish:
 353
 354         if (cd)
 355                 crypt_free(cd);
 356
 357         free(opt_cipher);
 358         free(opt_hash);
 359
 360         free(truncated_cipher);
 361
 362         free(password);
 363
 364         return r;
 365 }