diff --git a/man/common_options.adoc b/man/common_options.adoc
index 0b23335a..fd250922 100644
--- a/man/common_options.adoc
+++ b/man/common_options.adoc
@@ -441,7 +441,7 @@ it is requested.
 Reencrypt only the LUKS1 header and keyslots. Skips data in-place reencryption.
 endif::[]
-ifdef::ACTION_LUKSFORMAT,ACTION_LUKSDUMP,ACTION_RESIZE,ACTION_TOKEN[]
+ifdef::ACTION_OPEN,ACTION_LUKSFORMAT,ACTION_LUKSDUMP,ACTION_RESIZE,ACTION_TOKEN[]
 *--key-description *::
 Set key description in keyring that will be used for passphrase retrieval.
 endif::[]
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 04509b3c..f6cc5b46 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -409,7 +409,7 @@ static int tcrypt_load(struct crypt_device *cd, struct crypt_params_tcrypt *para
 {
 int r, tries, eperm = 0;
- tries = set_tries_tty();
+ tries = set_tries_tty(false);
 do {
 /* TCRYPT header is encrypted, get passphrase now */
 r = tools_get_key(NULL, CONST_CAST(char**)¶ms->passphrase,
@@ -555,7 +555,7 @@ static int action_open_bitlk(void)
 r = crypt_activate_by_volume_key(cd, activated_name, key, keysize, activate_flags);
 } else {
- tries = set_tries_tty();
+ tries = set_tries_tty(false);
 do {
 r = tools_get_key(NULL, &password, &passwordLen,
 ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
@@ -837,7 +837,7 @@ static int action_open_fvault2(void)
 goto out;
 r = crypt_activate_by_volume_key(cd, activated_name, key, keysize, activate_flags);
 } else {
- tries = set_tries_tty();
+ tries = set_tries_tty(false);
 do {
 r = tools_get_key(NULL, &password, &passwordLen,
 ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID),
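Review bot: With OPEN_ACTION added to OPT_KEY_DESCRIPTION_ACTIONS, `cryptsetup open --type bitlk|fvault2|tcrypt --key-description ...` now passes the per-action option check, yet the action_open_bitlk and action_open_fvault2 hunks here still pass `set_tries_tty(false)` and read the passphrase through `tools_get_key`, so as far as this diff shows the supplied description is silently ignored and the user is prompted instead. Either reject `--key-description` for non-LUKS types inside the open action with an explicit error, or state that it is LUKS-only both in the man page entry of this commit and in a comment at the `tries = set_tries_tty(false);` line of those two functions, e.g. `/* --key-description is LUKS-only; no keyring lookup on this path */`. The same observation applies to the tcrypt_load hunk. All three enclosing functions extend beyond their hunks.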
@@ -1889,7 +1889,7 @@ static int action_open_luks(void)
 char *password = NULL;
 size_t passwordLen;
 struct stat st;
- struct crypt_keyslot_context *kc1 = NULL, *kc2 = NULL;
+ struct crypt_keyslot_context *kc = NULL, *kc1 = NULL, *kc2 = NULL;
 if (ARG_SET(OPT_REFRESH_ID)) {
 activated_name = action_argc > 1 ? action_argv[1] : action_argv[0];
@@ -1987,21 +1987,22 @@ static int action_open_luks(void)
 r = _try_token_unlock(cd, ARG_INT32(OPT_KEY_SLOT_ID), ARG_INT32(OPT_TOKEN_ID_ID),
 activated_name, ARG_STR(OPT_TOKEN_TYPE_ID), activate_flags,
- set_tries_tty(), true, ARG_SET(OPT_TOKEN_ONLY_ID));
+ set_tries_tty(false), true, ARG_SET(OPT_TOKEN_ONLY_ID));
 if (r >= 0 || r == -EEXIST || quit || ARG_SET(OPT_TOKEN_ONLY_ID))
 goto out;
- tries = set_tries_tty();
+ tries = set_tries_tty(true);
 do {
- r = tools_get_key(NULL, &password, &passwordLen,
- ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
- ARG_UINT32(OPT_TIMEOUT_ID), verify_passphrase(0), 0, cd);
+ r = init_keyslot_context(cd, &password, &passwordLen, verify_passphrase(0), false, false, &kc);
 if (r < 0)
 goto out;
- r = crypt_activate_by_passphrase(cd, activated_name,
- ARG_INT32(OPT_KEY_SLOT_ID), password, passwordLen, activate_flags);
+ r = crypt_activate_by_keyslot_context(cd, activated_name, ARG_INT32(OPT_KEY_SLOT_ID),
+ kc, CRYPT_ANY_SLOT, NULL, activate_flags);
+ crypt_keyslot_context_free(kc);
+ kc = NULL;
+
 tools_keyslot_msg(r, UNLOCKED);
 tools_passphrase_msg(r);
 check_signal(&r);
@@ -2896,7 +2897,7 @@ static int action_luksResume(void)
 /* try to resume LUKS2 device by token first */
 r = _try_token_unlock(cd, ARG_INT32(OPT_KEY_SLOT_ID), ARG_INT32(OPT_TOKEN_ID_ID),
 action_argv[0], ARG_STR(OPT_TOKEN_TYPE_ID), 0,
- set_tries_tty(), false, ARG_SET(OPT_TOKEN_ONLY_ID));
+ set_tries_tty(false), false, ARG_SET(OPT_TOKEN_ONLY_ID));
 if (r >= 0 || quit || ARG_SET(OPT_TOKEN_ONLY_ID))
 goto out;
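Review bot: In the -1987 hunk `kc` is released only on the path that reaches `crypt_activate_by_keyslot_context`; the `goto out` taken when `init_keyslot_context` fails hands whatever it may have stored in `kc` to the `out:` cleanup, which lies outside the hunk and, as far as this diff shows, is not extended to free `kc` next to `kc1`/`kc2`. Unless `init_keyslot_context` guarantees that `*kc` stays NULL on every error return, add `crypt_keyslot_context_free(kc);` to the `out:` cleanup (harmless on the normal path thanks to the `kc = NULL;` reset, provided the free helper accepts NULL like the other libcryptsetup free routines). A one-line comment before `tries = set_tries_tty(true);` would also help, since the `set_tries_tty(false)` passed to `_try_token_unlock` two lines earlier makes the asymmetry look accidental, e.g. `/* a keyring-supplied passphrase cannot be retried interactively */`. The enclosing do/while and the `out:` label are both outside the hunk.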
@@ -2912,7 +2913,7 @@ static int action_luksResume(void)
 goto out;
 }
- tries = set_tries_tty();
+ tries = set_tries_tty(false);
 do {
 r = tools_get_key(NULL, &password, &passwordLen,
 ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
diff --git a/src/cryptsetup_args.h b/src/cryptsetup_args.h
index 9d97e7f5..42af648c 100644
--- a/src/cryptsetup_args.h
+++ b/src/cryptsetup_args.h
@@ -71,7 +71,7 @@
 #define OPT_ITER_TIME_ACTIONS { BENCHMARK_ACTION, FORMAT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION, REENCRYPT_ACTION }
 #define OPT_IV_LARGE_SECTORS_ACTIONS { OPEN_ACTION }
 #define OPT_KEEP_KEY_ACTIONS { REENCRYPT_ACTION }
-#define OPT_KEY_DESCRIPTION_ACTIONS { TOKEN_ACTION, LUKSDUMP_ACTION, FORMAT_ACTION, RESIZE_ACTION }
+#define OPT_KEY_DESCRIPTION_ACTIONS { TOKEN_ACTION, LUKSDUMP_ACTION, FORMAT_ACTION, RESIZE_ACTION, OPEN_ACTION }
 #define OPT_KEY_SIZE_ACTIONS { OPEN_ACTION, BENCHMARK_ACTION, FORMAT_ACTION, REENCRYPT_ACTION, ADDKEY_ACTION }
 #define OPT_KEY_SLOT_ACTIONS { OPEN_ACTION, REENCRYPT_ACTION, CONFIG_ACTION, FORMAT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION, LUKSDUMP_ACTION, TOKEN_ACTION, RESUME_ACTION }
 #define OPT_KEYSLOT_CIPHER_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION, ADDKEY_ACTION, CHANGEKEY_ACTION, CONVERTKEY_ACTION }
diff --git a/src/utils_luks.c b/src/utils_luks.c
index 5c51a5a2..79ccbe87 100644
--- a/src/utils_luks.c
+++ b/src/utils_luks.c
@@ -141,8 +141,11 @@ int set_pbkdf_params(struct crypt_device *cd, const char *dev_type)
 return crypt_set_pbkdf_type(cd, &pbkdf);
 }
-int set_tries_tty(void)
+int set_tries_tty(bool keyring)
 {
+ if (keyring && ARG_SET(OPT_KEY_DESCRIPTION_ID))
+ return 1;
+
 return (tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID)) && isatty(STDIN_FILENO)) ? ARG_UINT32(OPT_TRIES_ID) : 1;
 }
diff --git a/src/utils_luks.h b/src/utils_luks.h
index 6183b262..ebc9878b 100644
--- a/src/utils_luks.h
+++ b/src/utils_luks.h
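Review bot: The new `keyring` parameter of `set_tries_tty` is undocumented both at the definition in utils_luks.c and at the prototype in utils_luks.h, and the name undersells what it does: it does not mean "the passphrase is in the keyring" but "this action honours --key-description", in which case the attempt count collapses to 1 regardless of `--tries` and of whether stdin is a terminal. Suggest a comment above the definition such as `/* Passphrase attempts for the current action: 1 when the passphrase comes from the kernel keyring (keyring && --key-description set) or stdin is not an interactive terminal, otherwise --tries. */`, with a one-line echo on the prototype. One behaviour worth confirming before merging: if the keyring lookup for the given description fails and the caller then falls back to prompting, the user now gets a single attempt even on a TTY; if such a fallback exists, the early `return 1` should apply only when the keyring path is actually taken.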
@@ -24,6 +24,7 @@
 #define UTILS_LUKS_H
 #include
+#include
 const char *luksType(const char *type);
@@ -37,7 +38,7 @@ void set_activation_flags(uint32_t *flags);
 int set_pbkdf_params(struct crypt_device *cd, const char *dev_type);
-int set_tries_tty(void);
+int set_tries_tty(bool keyring);
 int get_adjusted_key_size(const char *cipher_mode, uint32_t default_size_bits, int integrity_keysize);
diff --git a/src/utils_reencrypt.c b/src/utils_reencrypt.c
index 0d908bcf..2796d2df 100644
--- a/src/utils_reencrypt.c
+++ b/src/utils_reencrypt.c
@@ -960,7 +960,7 @@ static int init_passphrase(struct keyslot_passwords *kp, size_t keyslot_password
 return -ENOENT;
 }
- retry_count = set_tries_tty();
+ retry_count = set_tries_tty(false);
 while (retry_count--) {
 r = tools_get_key(msg, &password, &passwordLen, 0, 0,