Imported Upstream version 219

1 files changed, 45 insertions, 7 deletions

diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 21b1260f1b..3f613d9b65 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -43,6 +43,7 @@ static int arg_key_slot = CRYPT_ANY_SLOT;
 static unsigned arg_keyfile_size = 0;
 static unsigned arg_keyfile_offset = 0;
 static char *arg_hash = NULL;
+static char *arg_header = NULL;
 static unsigned arg_tries = 3;
 static bool arg_readonly = false;
 static bool arg_verify = false;
@@ -68,7 +69,7 @@ static int parse_one_option(const char *option) {
         assert(option);
 
         /* Handled outside of this tool */
-        if (streq(option, "noauto") || streq(option, "nofail"))
+        if (STR_IN_SET(option, "noauto", "auto", "nofail", "fail"))
                 return 0;
 
         if (startswith(option, "cipher=")) {
@@ -136,6 +137,23 @@ static int parse_one_option(const char *option) {
                 free(arg_hash);
                 arg_hash = t;
 
+        } else if (startswith(option, "header=")) {
+                arg_type = CRYPT_LUKS1;
+
+                if (!path_is_absolute(option+7)) {
+                        log_error("Header path '%s' is not absolute, refusing.", option+7);
+                        return -EINVAL;
+                }
+
+                if (arg_header) {
+                        log_error("Duplicate header= options, refusing.");
+                        return -EINVAL;
+                }
+
+                arg_header = strdup(option+7);
+                if (!arg_header)
+                        return log_oom();
+
         } else if (startswith(option, "tries=")) {
 
                 if (safe_atou(option+6, &arg_tries) < 0) {
@@ -277,7 +295,7 @@ static int get_password(const char *name, usec_t until, bool accept_cached, char
         if (!escaped_name)
                 return log_oom();
 
-        id = strappenda("cryptsetup:", escaped_name);
+        id = strjoina("cryptsetup:", escaped_name);
 
         r = ask_password_auto(text, "drive-harddisk", id, until, accept_cached, passwords);
         if (r < 0)
@@ -291,7 +309,7 @@ static int get_password(const char *name, usec_t until, bool accept_cached, char
                 if (asprintf(&text, "Please enter passphrase for disk %s! (verification)", name) < 0)
                         return log_oom();
 
-                id = strappenda("cryptsetup-verification:", escaped_name);
+                id = strjoina("cryptsetup-verification:", escaped_name);
 
                 r = ask_password_auto(text, "drive-harddisk", id, until, false, &passwords2);
                 if (r < 0)
@@ -375,6 +393,7 @@ static int attach_tcrypt(struct crypt_device *cd,
 static int attach_luks_or_plain(struct crypt_device *cd,
                                 const char *name,
                                 const char *key_file,
+                                const char *data_device,
                                 char **passwords,
                                 uint32_t flags) {
         int r = 0;
@@ -384,8 +403,16 @@ static int attach_luks_or_plain(struct crypt_device *cd,
         assert(name);
         assert(key_file || passwords);
 
-        if (!arg_type || streq(arg_type, CRYPT_LUKS1))
+        if (!arg_type || streq(arg_type, CRYPT_LUKS1)) {
                 r = crypt_load(cd, CRYPT_LUKS1, NULL);
+                if (r < 0) {
+                        log_error("crypt_load() failed on device %s.\n", crypt_get_device_name(cd));
+                        return r;
+                }
+
+                if (data_device)
+                        r = crypt_set_data_device(cd, data_device);
+        }
 
         if ((!arg_type && r < 0) || streq_ptr(arg_type, CRYPT_PLAIN)) {
                 struct crypt_params_plain params = {};
@@ -559,7 +586,12 @@ int main(int argc, char *argv[]) {
                 }
                 name = name_buffer ? name_buffer : argv[2];
 
-                k = crypt_init(&cd, argv[3]);
+                if (arg_header) {
+                        log_debug("LUKS header: %s", arg_header);
+                        k = crypt_init(&cd, arg_header);
+                } else
+                        k = crypt_init(&cd, argv[3]);
+
                 if (k) {
                         log_error_errno(k, "crypt_init() failed: %m");
                         goto finish;
@@ -592,7 +624,7 @@ int main(int argc, char *argv[]) {
 
                         /* Ideally we'd do this on the open fd, but since this is just a
                          * warning it's OK to do this in two steps. */
-                        if (stat(key_file, &st) >= 0 && (st.st_mode & 0005))
+                        if (stat(key_file, &st) >= 0 && S_ISREG(st.st_mode) && (st.st_mode & 0005))
                                 log_warning("Key file %s is world-readable. This is not a good idea!", key_file);
                 }
 
@@ -610,7 +642,12 @@ int main(int argc, char *argv[]) {
                         if (streq_ptr(arg_type, CRYPT_TCRYPT))
                                 k = attach_tcrypt(cd, argv[2], key_file, passwords, flags);
                         else
-                                k = attach_luks_or_plain(cd, argv[2], key_file, passwords, flags);
+                                k = attach_luks_or_plain(cd,
+                                                         argv[2],
+                                                         key_file,
+                                                         arg_header ? argv[3] : NULL,
+                                                         passwords,
+                                                         flags);
                         if (k >= 0)
                                 break;
                         else if (k == -EAGAIN) {
@@ -661,6 +698,7 @@ finish:
 
         free(arg_cipher);
         free(arg_hash);
+        free(arg_header);
         strv_free(arg_tcrypt_keyfiles);
 
         return r;