Add --without-activation option for luksOpen (check passphrase only).

2025-12-06 08:20:07 +01:00 · 2012-06-19 15:34:36 +02:00
parent c4a533c3d5
commit a38fcafcff
4 changed files with 23 additions and 5 deletions
--- a/2
+++ b/2
@@ -1,5 +1,7 @@
 2012-06-18  Milan Broz  <gmazyland@gmail.com>
 	* Introduce cryptsetup-reencrypt - experimental offline LUKS reencryption tool.
+	* Fix luks-header-from-active script (do not use LUKS header on-disk, add UUID).
+	* Add --without-activation option for luksOpen (check passphrase only).

 2012-06-11  Milan Broz  <gmazyland@gmail.com>
 	* Introduce veritysetup for dm-verity target management.
--- a/man/cryptsetup.8
+++ b/man/cryptsetup.8
@@ -144,7 +144,7 @@ The <device> parameter can be also specified by LUKS UUID in the
 format UUID=<uuid>, which uses the symlinks in /dev/disk/by-uuid.

 \fB<options>\fR can be [\-\-key-file, \-\-keyfile-offset, 
-\-\-keyfile-size, \-\-readonly,
+\-\-keyfile-size, \-\-readonly, \-\-without-activation,
 \-\-allow-discards, \-\-header, \-\-key-slot, \-\-master-key-file].
 .PP
 \fIluksClose\fR <name>
@@ -613,6 +613,10 @@ later. If in doubt, do no use it.
 A kernel version of 3.1 or later is needed. For earlier kernels
 this option is ignored.
 .TP
+.B "\-\-without-activation\fR"
+Do not activate device, just verify passphrase.
+This option is only relevant for \fIluksOpen\fR.
+.TP
 .B "\-\-header\fR <device or file storing the LUKS header>"
 Use a detached (separated) metadata device or file where the 
 LUKS header is stored. This options allows to store ciphertext
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -68,6 +68,7 @@ static int opt_urandom = 0;
 static int opt_dump_master_key = 0;
 static int opt_shared = 0;
 static int opt_allow_discards = 0;
+static int opt_without_activation = 0;

 static const char **action_argv;
 static int action_argc;
@@ -628,7 +629,7 @@ out:
 static int action_luksOpen(int arg __attribute__((unused)))
 {
 	struct crypt_device *cd = NULL;
-	const char *data_device, *header_device;
+	const char *data_device, *header_device, *activated_name;
 	char *key = NULL;
 	uint32_t flags = 0;
 	int r, keysize;
@@ -641,6 +642,8 @@ static int action_luksOpen(int arg __attribute__((unused)))
 		data_device = NULL;
 	}

+	activated_name = opt_without_activation ? NULL : action_argv[1];
+
 	if ((r = crypt_init(&cd, header_device)))
 		goto out;

@@ -675,15 +678,15 @@ static int action_luksOpen(int arg __attribute__((unused)))
 		r = _read_mk(opt_master_key_file, &key, keysize);
 		if (r < 0)
 			goto out;
-		r = crypt_activate_by_volume_key(cd, action_argv[1],
+		r = crypt_activate_by_volume_key(cd, activated_name,
 						 key, keysize, flags);
 	} else if (opt_key_file) {
 		crypt_set_password_retry(cd, 1);
-		r = crypt_activate_by_keyfile_offset(cd, action_argv[1],
+		r = crypt_activate_by_keyfile_offset(cd, activated_name,
 			opt_key_slot, opt_key_file, opt_keyfile_size,
 			opt_keyfile_offset, flags);
 	} else
-		r = crypt_activate_by_passphrase(cd, action_argv[1],
+		r = crypt_activate_by_passphrase(cd, activated_name,
 			opt_key_slot, NULL, 0, flags);
 out:
 	crypt_safe_free(key);
@@ -1304,6 +1307,7 @@ int main(int argc, const char **argv)
 		{ "uuid",              '\0', POPT_ARG_STRING, &opt_uuid,                0, N_("UUID for device to use."), NULL },
 		{ "allow-discards",    '\0', POPT_ARG_NONE, &opt_allow_discards,        0, N_("Allow discards (aka TRIM) requests for device."), NULL },
 		{ "header",            '\0', POPT_ARG_STRING, &opt_header_device,       0, N_("Device or file with separated LUKS header."), NULL },
+		{ "without-activation",'\0', POPT_ARG_NONE, &opt_without_activation,    0, N_("Do not activate device, just check passphrase."), NULL },
 		POPT_TABLEEND
 	};
 	poptContext popt_context;
@@ -1415,6 +1419,12 @@ int main(int argc, const char **argv)
 		      poptGetInvocationName(popt_context));
 	}

+	if (opt_without_activation &&
+	   strcmp(aname, "luksOpen"))
+		usage(popt_context, EXIT_FAILURE,
+		      _("Option --without-activation is allowed only for luksOpen.\n"),
+		      poptGetInvocationName(popt_context));
+
 	if (opt_key_size % 8)
 		usage(popt_context, EXIT_FAILURE,
 		      _("Key size must be a multiple of 8 bits"),
--- a/tests/compat-test
+++ b/tests/compat-test
@@ -158,6 +158,8 @@ echo "key0" | $CRYPTSETUP -i 1000 -h sha512 -c aes-cbc-essiv:sha256 -s 128 luksF
 check "$LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0"

 prepare "[5] open"
+echo "key0" | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME --without-activation || fail
+echo "blah" | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME --without-activation 2>/dev/null && fail
 echo "key0" | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
 check_exists