|
|
1ff636 |
From 6c45bdd261e027ea78eabb81feaa70f3774bcf2f Mon Sep 17 00:00:00 2001
|
|
|
1ff636 |
From: Harald Hoyer <harald@redhat.com>
|
|
|
1ff636 |
Date: Mon, 1 Jun 2015 17:26:27 +0200
|
|
|
1ff636 |
Subject: [PATCH] cryptsetup: craft a unique ID with the source device
|
|
|
1ff636 |
|
|
|
1ff636 |
If cryptsetup is called with a source device as argv[3], then craft the
|
|
|
1ff636 |
ID for the password agent with a unique device path.
|
|
|
1ff636 |
|
|
|
1ff636 |
If possible "/dev/block/<maj>:<min>" is used, otherwise the original
|
|
|
1ff636 |
argv[3] is used.
|
|
|
1ff636 |
|
|
|
1ff636 |
This enables password agents like petera [1] to provide a password
|
|
|
1ff636 |
according to the source device. The original ID did not carry enough
|
|
|
1ff636 |
information and was more targeted for a human readable string, which
|
|
|
1ff636 |
is specified in the "Message" field anyway.
|
|
|
1ff636 |
|
|
|
1ff636 |
With this patch the ID of the ask.XXX ini file looks like this:
|
|
|
1ff636 |
ID=cryptsetup:/dev/block/<maj>:<min>
|
|
|
1ff636 |
|
|
|
1ff636 |
[1] https://github.com/npmccallum/petera
|
|
|
1ff636 |
|
|
|
1ff636 |
Cherry-picked from: e51b9486d1b59e72c293028fed1384f4e4ef09aa
|
|
|
1ff636 |
Resolves: #1226333
|
|
|
1ff636 |
---
|
|
|
23b3cf |
src/cryptsetup/cryptsetup.c | 90 ++++++++++++++++++++++++-------------
|
|
|
1ff636 |
1 file changed, 58 insertions(+), 32 deletions(-)
|
|
|
1ff636 |
|
|
|
1ff636 |
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
|
|
|
181b3f |
index 3f613d9b6..5dedb073e 100644
|
|
|
1ff636 |
--- a/src/cryptsetup/cryptsetup.c
|
|
|
1ff636 |
+++ b/src/cryptsetup/cryptsetup.c
|
|
|
1ff636 |
@@ -217,6 +217,23 @@ static void log_glue(int level, const char *msg, void *usrptr) {
|
|
|
1ff636 |
log_debug("%s", msg);
|
|
|
1ff636 |
}
|
|
|
1ff636 |
|
|
|
1ff636 |
+static int disk_major_minor(const char *path, char **ret) {
|
|
|
1ff636 |
+ struct stat st;
|
|
|
1ff636 |
+
|
|
|
1ff636 |
+ assert(path);
|
|
|
1ff636 |
+
|
|
|
1ff636 |
+ if (stat(path, &st) < 0)
|
|
|
1ff636 |
+ return -errno;
|
|
|
1ff636 |
+
|
|
|
1ff636 |
+ if (!S_ISBLK(st.st_mode))
|
|
|
1ff636 |
+ return -EINVAL;
|
|
|
1ff636 |
+
|
|
|
1ff636 |
+ if (asprintf(ret, "/dev/block/%d:%d", major(st.st_rdev), minor(st.st_rdev)) < 0)
|
|
|
1ff636 |
+ return -errno;
|
|
|
1ff636 |
+
|
|
|
1ff636 |
+ return 0;
|
|
|
1ff636 |
+}
|
|
|
1ff636 |
+
|
|
|
1ff636 |
static char* disk_description(const char *path) {
|
|
|
1ff636 |
|
|
|
1ff636 |
static const char name_fields[] =
|
|
|
1ff636 |
@@ -278,20 +295,55 @@ static char *disk_mount_point(const char *label) {
|
|
|
1ff636 |
return NULL;
|
|
|
1ff636 |
}
|
|
|
1ff636 |
|
|
|
1ff636 |
-static int get_password(const char *name, usec_t until, bool accept_cached, char ***passwords) {
|
|
|
1ff636 |
- int r;
|
|
|
1ff636 |
+static int get_password(const char *vol, const char *src, usec_t until, bool accept_cached, char ***passwords) {
|
|
|
1ff636 |
+ int r = 0;
|
|
|
1ff636 |
char **p;
|
|
|
1ff636 |
_cleanup_free_ char *text = NULL;
|
|
|
1ff636 |
_cleanup_free_ char *escaped_name = NULL;
|
|
|
1ff636 |
char *id;
|
|
|
1ff636 |
+ const char *name = NULL;
|
|
|
1ff636 |
+ _cleanup_free_ char *description = NULL, *name_buffer = NULL,
|
|
|
1ff636 |
+ *mount_point = NULL, *maj_min = NULL;
|
|
|
1ff636 |
|
|
|
1ff636 |
- assert(name);
|
|
|
1ff636 |
+ assert(vol);
|
|
|
1ff636 |
+ assert(src);
|
|
|
1ff636 |
assert(passwords);
|
|
|
1ff636 |
|
|
|
1ff636 |
+ description = disk_description(src);
|
|
|
1ff636 |
+ mount_point = disk_mount_point(vol);
|
|
|
1ff636 |
+
|
|
|
1ff636 |
+ if (description && streq(vol, description)) {
|
|
|
1ff636 |
+ /* If the description string is simply the
|
|
|
1ff636 |
+ * volume name, then let's not show this
|
|
|
1ff636 |
+ * twice */
|
|
|
1ff636 |
+ free(description);
|
|
|
1ff636 |
+ description = NULL;
|
|
|
1ff636 |
+ }
|
|
|
1ff636 |
+
|
|
|
1ff636 |
+ if (mount_point && description)
|
|
|
1ff636 |
+ r = asprintf(&name_buffer, "%s (%s) on %s", description, vol, mount_point);
|
|
|
1ff636 |
+ else if (mount_point)
|
|
|
1ff636 |
+ r = asprintf(&name_buffer, "%s on %s", vol, mount_point);
|
|
|
1ff636 |
+ else if (description)
|
|
|
1ff636 |
+ r = asprintf(&name_buffer, "%s (%s)", description, vol);
|
|
|
1ff636 |
+
|
|
|
1ff636 |
+ if (r < 0)
|
|
|
1ff636 |
+ return log_oom();
|
|
|
1ff636 |
+
|
|
|
1ff636 |
+ name = name_buffer ? name_buffer : vol;
|
|
|
1ff636 |
+
|
|
|
1ff636 |
if (asprintf(&text, "Please enter passphrase for disk %s!", name) < 0)
|
|
|
1ff636 |
return log_oom();
|
|
|
1ff636 |
|
|
|
1ff636 |
- escaped_name = cescape(name);
|
|
|
1ff636 |
+ if (src)
|
|
|
1ff636 |
+ (void) disk_major_minor(src, &maj_min);
|
|
|
1ff636 |
+
|
|
|
1ff636 |
+ if (maj_min) {
|
|
|
1ff636 |
+ escaped_name = maj_min;
|
|
|
1ff636 |
+ maj_min = NULL;
|
|
|
1ff636 |
+ } else
|
|
|
1ff636 |
+ escaped_name = cescape(name);
|
|
|
1ff636 |
+
|
|
|
1ff636 |
if (!escaped_name)
|
|
|
1ff636 |
return log_oom();
|
|
|
1ff636 |
|
|
|
1ff636 |
@@ -532,8 +584,7 @@ int main(int argc, char *argv[]) {
|
|
|
1ff636 |
unsigned tries;
|
|
|
1ff636 |
usec_t until;
|
|
|
1ff636 |
crypt_status_info status;
|
|
|
1ff636 |
- const char *key_file = NULL, *name = NULL;
|
|
|
1ff636 |
- _cleanup_free_ char *description = NULL, *name_buffer = NULL, *mount_point = NULL;
|
|
|
1ff636 |
+ const char *key_file = NULL;
|
|
|
1ff636 |
|
|
|
1ff636 |
/* Arguments: systemd-cryptsetup attach VOLUME SOURCE-DEVICE [PASSWORD] [OPTIONS] */
|
|
|
1ff636 |
|
|
|
1ff636 |
@@ -561,31 +612,6 @@ int main(int argc, char *argv[]) {
|
|
|
1ff636 |
/* A delicious drop of snake oil */
|
|
|
1ff636 |
mlockall(MCL_FUTURE);
|
|
|
1ff636 |
|
|
|
1ff636 |
- description = disk_description(argv[3]);
|
|
|
1ff636 |
- mount_point = disk_mount_point(argv[2]);
|
|
|
1ff636 |
-
|
|
|
1ff636 |
- if (description && streq(argv[2], description)) {
|
|
|
1ff636 |
- /* If the description string is simply the
|
|
|
1ff636 |
- * volume name, then let's not show this
|
|
|
1ff636 |
- * twice */
|
|
|
1ff636 |
- free(description);
|
|
|
1ff636 |
- description = NULL;
|
|
|
1ff636 |
- }
|
|
|
1ff636 |
-
|
|
|
1ff636 |
- k = 0;
|
|
|
1ff636 |
- if (mount_point && description)
|
|
|
1ff636 |
- k = asprintf(&name_buffer, "%s (%s) on %s", description, argv[2], mount_point);
|
|
|
1ff636 |
- else if (mount_point)
|
|
|
1ff636 |
- k = asprintf(&name_buffer, "%s on %s", argv[2], mount_point);
|
|
|
1ff636 |
- else if (description)
|
|
|
1ff636 |
- k = asprintf(&name_buffer, "%s (%s)", description, argv[2]);
|
|
|
1ff636 |
-
|
|
|
1ff636 |
- if (k < 0) {
|
|
|
1ff636 |
- log_oom();
|
|
|
1ff636 |
- goto finish;
|
|
|
1ff636 |
- }
|
|
|
1ff636 |
- name = name_buffer ? name_buffer : argv[2];
|
|
|
1ff636 |
-
|
|
|
1ff636 |
if (arg_header) {
|
|
|
1ff636 |
log_debug("LUKS header: %s", arg_header);
|
|
|
1ff636 |
k = crypt_init(&cd, arg_header);
|
|
|
1ff636 |
@@ -632,7 +658,7 @@ int main(int argc, char *argv[]) {
|
|
|
1ff636 |
_cleanup_strv_free_ char **passwords = NULL;
|
|
|
1ff636 |
|
|
|
1ff636 |
if (!key_file) {
|
|
|
1ff636 |
- k = get_password(name, until, tries == 0 && !arg_verify, &passwords);
|
|
|
1ff636 |
+ k = get_password(argv[2], argv[3], until, tries == 0 && !arg_verify, &passwords);
|
|
|
1ff636 |
if (k == -EAGAIN)
|
|
|
1ff636 |
continue;
|
|
|
1ff636 |
else if (k < 0)
|