8fc4d6c12e80bd65c7e97a08877c65804264e807
[platform/upstream/cryptsetup.git] / src / cryptsetup.c
1 /*
2  * cryptsetup - setup cryptographic volumes for dm-crypt
3  *
4  * Copyright (C) 2004, Jana Saout <jana@saout.de>
5  * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
6  * Copyright (C) 2009-2015, Red Hat, Inc. All rights reserved.
7  * Copyright (C) 2009-2015, Milan Broz
8  *
9  * This program is free software; you can redistribute it and/or
10  * modify it under the terms of the GNU General Public License
11  * as published by the Free Software Foundation; either version 2
12  * of the License, or (at your option) any later version.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with this program; if not, write to the Free Software
21  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23
24 #include "cryptsetup.h"
25
26 static const char *opt_cipher = NULL;
27 static const char *opt_hash = NULL;
28 static int opt_verify_passphrase = 0;
29
30 static const char *opt_key_file = NULL;
31 static int opt_keyfiles_count = 0;
32 static const char *opt_keyfiles[MAX_KEYFILES];
33
34 static const char *opt_master_key_file = NULL;
35 static const char *opt_header_backup_file = NULL;
36 static const char *opt_uuid = NULL;
37 static const char *opt_header_device = NULL;
38 static const char *opt_type = "luks";
39 static int opt_key_size = 0;
40 static long opt_keyfile_size = 0;
41 static long opt_new_keyfile_size = 0;
42 static long opt_keyfile_offset = 0;
43 static long opt_new_keyfile_offset = 0;
44 static int opt_key_slot = CRYPT_ANY_SLOT;
45 static uint64_t opt_size = 0;
46 static uint64_t opt_offset = 0;
47 static uint64_t opt_skip = 0;
48 static int opt_skip_valid = 0;
49 static int opt_readonly = 0;
50 static int opt_iteration_time = DEFAULT_LUKS1_ITER_TIME;
51 static int opt_version_mode = 0;
52 static int opt_timeout = 0;
53 static int opt_tries = 3;
54 static int opt_align_payload = 0;
55 static int opt_random = 0;
56 static int opt_urandom = 0;
57 static int opt_dump_master_key = 0;
58 static int opt_shared = 0;
59 static int opt_allow_discards = 0;
60 static int opt_perf_same_cpu_crypt = 0;
61 static int opt_perf_submit_from_crypt_cpus = 0;
62 static int opt_test_passphrase = 0;
63 static int opt_tcrypt_hidden = 0;
64 static int opt_tcrypt_system = 0;
65 static int opt_tcrypt_backup = 0;
66 static int opt_veracrypt = 0;
67
68 static const char **action_argv;
69 static int action_argc;
70 static const char *null_action_argv[] = {NULL, NULL};
71
72 static const char *uuid_or_device_header(const char **data_device)
73 {
74         if (data_device)
75                 *data_device = opt_header_device ? action_argv[0] : NULL;
76
77         return uuid_or_device(opt_header_device ?: action_argv[0]);
78 }
79
80 static int _verify_passphrase(int def)
81 {
82         /* Batch mode switch off verify - if not overrided by -y */
83         if (opt_verify_passphrase)
84                 def = 1;
85         else if (opt_batch_mode)
86                 def = 0;
87
88         /* Non-tty input doesn't allow verify */
89         if (def && !isatty(STDIN_FILENO)) {
90                 if (opt_verify_passphrase)
91                         log_err(_("Can't do passphrase verification on non-tty inputs.\n"));
92                 def = 0;
93         }
94
95         return def;
96 }
97
98 static void _set_activation_flags(uint32_t *flags)
99 {
100         if (opt_readonly)
101                 *flags |= CRYPT_ACTIVATE_READONLY;
102
103         if (opt_allow_discards)
104                 *flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
105
106         if (opt_perf_same_cpu_crypt)
107                 *flags |= CRYPT_ACTIVATE_SAME_CPU_CRYPT;
108
109         if (opt_perf_submit_from_crypt_cpus)
110                 *flags |= CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS;
111 }
112
113 static int action_open_plain(void)
114 {
115         struct crypt_device *cd = NULL;
116         char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
117         struct crypt_params_plain params = {
118                 .hash = opt_hash ?: DEFAULT_PLAIN_HASH,
119                 .skip = opt_skip,
120                 .offset = opt_offset,
121                 .size = opt_size,
122         };
123         char *password = NULL;
124         size_t passwordLen;
125         size_t key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS) / 8;
126         uint32_t activate_flags = 0;
127         int keyfile_limited = 0;
128         int r;
129
130         r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(PLAIN),
131                                       cipher, NULL, cipher_mode);
132         if (r < 0) {
133                 log_err(_("No known cipher specification pattern detected.\n"));
134                 goto out;
135         }
136
137         if (opt_key_file && strcmp(opt_key_file, "-") != 0)
138                 keyfile_limited = 1;
139
140         /* FIXME: temporary hack, no hashing for keyfiles in plain mode */
141         if (opt_key_file && keyfile_limited) {
142                 params.hash = NULL;
143                 if (!opt_batch_mode && opt_hash)
144                         log_std(_("WARNING: The --hash parameter is being ignored "
145                                  "in plain mode with keyfile specified.\n"));
146         }
147
148         if (params.hash && !strcmp(params.hash, "plain"))
149                 params.hash = NULL;
150
151         if (!opt_batch_mode && !params.hash && opt_key_file && keyfile_limited && opt_keyfile_size)
152                 log_std(_("WARNING: The --keyfile-size option is being ignored, "
153                          "the read size is the same as the encryption key size.\n"));
154
155         if ((r = crypt_init(&cd, action_argv[0])))
156                 goto out;
157
158         crypt_set_timeout(cd, opt_timeout);
159         crypt_set_password_retry(cd, opt_tries);
160
161         r = crypt_format(cd, CRYPT_PLAIN,
162                          cipher, cipher_mode,
163                          NULL, NULL,
164                          key_size,
165                          &params);
166         check_signal(&r);
167         if (r < 0)
168                 goto out;
169
170         if (opt_shared)
171                 activate_flags |= CRYPT_ACTIVATE_SHARED;
172
173         _set_activation_flags(&activate_flags);
174
175         if (opt_key_file) {
176                 /* If no hash, key is read directly, read size is always key_size
177                  * (possible opt_keyfile_size is ignored.
178                  * If hash is specified, opt_keyfile_size is applied.
179                  * The opt_keyfile_offset is applied always.
180                  */
181                 r = crypt_activate_by_keyfile_offset(cd, action_argv[1],
182                         CRYPT_ANY_SLOT, opt_key_file,
183                         params.hash ? opt_keyfile_size : key_size, opt_keyfile_offset,
184                         activate_flags);
185         } else {
186                 r = tools_get_key(_("Enter passphrase: "),
187                                   &password, &passwordLen,
188                                   opt_keyfile_offset, opt_keyfile_size,
189                                   NULL, opt_timeout,
190                                   _verify_passphrase(0), 0,
191                                   cd);
192                 if (r < 0)
193                         goto out;
194
195                 r = crypt_activate_by_passphrase(cd, action_argv[1],
196                         CRYPT_ANY_SLOT, password, passwordLen, activate_flags);
197         }
198 out:
199         crypt_free(cd);
200         crypt_safe_free(password);
201
202         return r;
203 }
204
205 static int action_open_loopaes(void)
206 {
207         struct crypt_device *cd = NULL;
208         struct crypt_params_loopaes params = {
209                 .hash = opt_hash ?: NULL,
210                 .offset = opt_offset,
211                 .skip = opt_skip_valid ? opt_skip : opt_offset,
212         };
213         unsigned int key_size = (opt_key_size ?: DEFAULT_LOOPAES_KEYBITS) / 8;
214         uint32_t activate_flags = 0;
215         int r;
216
217         if (!opt_key_file) {
218                 log_err(_("Option --key-file is required.\n"));
219                 return -EINVAL;
220         }
221
222         _set_activation_flags(&activate_flags);
223
224         if ((r = crypt_init(&cd, action_argv[0])))
225                 goto out;
226
227         r = crypt_format(cd, CRYPT_LOOPAES, opt_cipher ?: DEFAULT_LOOPAES_CIPHER,
228                          NULL, NULL, NULL, key_size, &params);
229         check_signal(&r);
230         if (r < 0)
231                 goto out;
232
233         r = crypt_activate_by_keyfile_offset(cd, action_argv[1], CRYPT_ANY_SLOT,
234                                       opt_key_file, opt_keyfile_size,
235                                       opt_keyfile_offset, activate_flags);
236 out:
237         crypt_free(cd);
238
239         return r;
240 }
241
242 static int tcrypt_load(struct crypt_device *cd, struct crypt_params_tcrypt *params)
243 {
244         int r, tries = opt_tries, eperm = 0;
245
246         do {
247                 /* TCRYPT header is encrypted, get passphrase now */
248                 r = tools_get_key(_("Enter passphrase: "),
249                                   CONST_CAST(char**)&params->passphrase,
250                                   &params->passphrase_size, 0, 0, NULL, opt_timeout,
251                                  _verify_passphrase(0), 0, cd);
252                 if (r < 0)
253                         continue;
254
255                 if (opt_tcrypt_hidden)
256                         params->flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
257
258                 if (opt_tcrypt_system)
259                         params->flags |= CRYPT_TCRYPT_SYSTEM_HEADER;
260
261                 if (opt_tcrypt_backup)
262                         params->flags |= CRYPT_TCRYPT_BACKUP_HEADER;
263
264                 r = crypt_load(cd, CRYPT_TCRYPT, params);
265
266                 if (r == -EPERM) {
267                         log_err(_("No device header detected with this passphrase.\n"));
268                         eperm = 1;
269                 }
270
271                 if (r < 0) {
272                         crypt_safe_free(CONST_CAST(char*)params->passphrase);
273                         params->passphrase = NULL;
274                         params->passphrase_size = 0;
275                 }
276                 check_signal(&r);
277         } while (r == -EPERM && (--tries > 0));
278
279         /* Report wrong passphrase if at least one try failed */
280         if (eperm && r == -EPIPE)
281                 r = -EPERM;
282
283         return r;
284 }
285
286 static int action_open_tcrypt(void)
287 {
288         struct crypt_device *cd = NULL;
289         struct crypt_params_tcrypt params = {
290                 .keyfiles = opt_keyfiles,
291                 .keyfiles_count = opt_keyfiles_count,
292                 .flags = CRYPT_TCRYPT_LEGACY_MODES |
293                          (opt_veracrypt ? CRYPT_TCRYPT_VERA_MODES : 0),
294         };
295         const char *activated_name;
296         uint32_t activate_flags = 0;
297         int r;
298
299         activated_name = opt_test_passphrase ? NULL : action_argv[1];
300
301         if ((r = crypt_init(&cd, action_argv[0])))
302                 goto out;
303
304         r = tcrypt_load(cd, &params);
305         if (r < 0)
306                 goto out;
307
308         _set_activation_flags(&activate_flags);
309
310         if (activated_name)
311                 r = crypt_activate_by_volume_key(cd, activated_name, NULL, 0, activate_flags);
312 out:
313         crypt_free(cd);
314         crypt_safe_free(CONST_CAST(char*)params.passphrase);
315         return r;
316 }
317
318 static int tcryptDump_with_volume_key(struct crypt_device *cd)
319 {
320         char *vk = NULL;
321         size_t vk_size;
322         unsigned i;
323         int r;
324
325         crypt_set_confirm_callback(cd, yesDialog, NULL);
326         if (!yesDialog(
327             _("Header dump with volume key is sensitive information\n"
328               "which allows access to encrypted partition without passphrase.\n"
329               "This dump should be always stored encrypted on safe place."),
330               NULL))
331                 return -EPERM;
332
333         vk_size = crypt_get_volume_key_size(cd);
334         vk = crypt_safe_alloc(vk_size);
335         if (!vk)
336                 return -ENOMEM;
337
338         r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size, NULL, 0);
339         if (r < 0)
340                 goto out;
341
342         log_std("TCRYPT header information for %s\n", crypt_get_device_name(cd));
343         log_std("Cipher chain:  \t%s\n", crypt_get_cipher(cd));
344         log_std("Cipher mode:   \t%s\n", crypt_get_cipher_mode(cd));
345         log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
346         log_std("MK bits:       \t%d\n", (int)vk_size * 8);
347         log_std("MK dump:\t");
348
349         for(i = 0; i < vk_size; i++) {
350                 if (i && !(i % 16))
351                         log_std("\n\t\t");
352                 log_std("%02hhx ", (char)vk[i]);
353         }
354         log_std("\n");
355 out:
356         crypt_safe_free(vk);
357         return r;
358 }
359
360 static int action_tcryptDump(void)
361 {
362         struct crypt_device *cd = NULL;
363         struct crypt_params_tcrypt params = {
364                 .keyfiles = opt_keyfiles,
365                 .keyfiles_count = opt_keyfiles_count,
366                 .flags = CRYPT_TCRYPT_LEGACY_MODES |
367                          (opt_veracrypt ? CRYPT_TCRYPT_VERA_MODES : 0),
368         };
369         int r;
370
371         if ((r = crypt_init(&cd, action_argv[0])))
372                 goto out;
373
374         r = tcrypt_load(cd, &params);
375         if (r < 0)
376                 goto out;
377
378         if (opt_dump_master_key)
379                 r = tcryptDump_with_volume_key(cd);
380         else
381                 r = crypt_dump(cd);
382 out:
383         crypt_free(cd);
384         crypt_safe_free(CONST_CAST(char*)params.passphrase);
385         return r;
386 }
387
388 static int action_close(void)
389 {
390         struct crypt_device *cd = NULL;
391         int r;
392
393         r = crypt_init_by_name(&cd, action_argv[0]);
394         if (r == 0)
395                 r = crypt_deactivate(cd, action_argv[0]);
396
397         crypt_free(cd);
398         return r;
399 }
400
401 static int action_resize(void)
402 {
403         struct crypt_device *cd = NULL;
404         int r;
405
406         r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
407         if (r == 0)
408                 r = crypt_resize(cd, action_argv[0], opt_size);
409
410         crypt_free(cd);
411         return r;
412 }
413
414 static int action_status(void)
415 {
416         crypt_status_info ci;
417         struct crypt_active_device cad;
418         struct crypt_device *cd = NULL;
419         char *backing_file;
420         const char *device;
421         int path = 0, r = 0;
422
423         /* perhaps a path, not a dm device name */
424         if (strchr(action_argv[0], '/'))
425                 path = 1;
426
427         ci = crypt_status(NULL, action_argv[0]);
428         switch (ci) {
429         case CRYPT_INVALID:
430                 r = -EINVAL;
431                 break;
432         case CRYPT_INACTIVE:
433                 if (path)
434                         log_std("%s is inactive.\n", action_argv[0]);
435                 else
436                         log_std("%s/%s is inactive.\n", crypt_get_dir(), action_argv[0]);
437                 r = -ENODEV;
438                 break;
439         case CRYPT_ACTIVE:
440         case CRYPT_BUSY:
441                 if (path)
442                         log_std("%s is active%s.\n", action_argv[0],
443                                 ci == CRYPT_BUSY ? " and is in use" : "");
444                 else
445                         log_std("%s/%s is active%s.\n", crypt_get_dir(), action_argv[0],
446                                 ci == CRYPT_BUSY ? " and is in use" : "");
447
448                 r = crypt_init_by_name_and_header(&cd, action_argv[0], opt_header_device);
449                 if (r < 0)
450                         goto out;
451
452                 log_std("  type:    %s\n", crypt_get_type(cd) ?: "n/a");
453
454                 r = crypt_get_active_device(cd, action_argv[0], &cad);
455                 if (r < 0)
456                         goto out;
457
458                 log_std("  cipher:  %s-%s\n", crypt_get_cipher(cd), crypt_get_cipher_mode(cd));
459                 log_std("  keysize: %d bits\n", crypt_get_volume_key_size(cd) * 8);
460                 device = crypt_get_device_name(cd);
461                 log_std("  device:  %s\n", device);
462                 if (crypt_loop_device(device)) {
463                         backing_file = crypt_loop_backing_file(device);
464                         log_std("  loop:    %s\n", backing_file);
465                         free(backing_file);
466                 }
467                 log_std("  offset:  %" PRIu64 " sectors\n", cad.offset);
468                 log_std("  size:    %" PRIu64 " sectors\n", cad.size);
469                 if (cad.iv_offset)
470                         log_std("  skipped: %" PRIu64 " sectors\n", cad.iv_offset);
471                 log_std("  mode:    %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
472                                            "readonly" : "read/write");
473                 if (cad.flags & (CRYPT_ACTIVATE_ALLOW_DISCARDS|
474                                  CRYPT_ACTIVATE_ALLOW_DISCARDS|
475                                  CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS))
476                         log_std("  flags:   %s%s%s\n",
477                                 (cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS) ? "discards " : "",
478                                 (cad.flags & CRYPT_ACTIVATE_SAME_CPU_CRYPT) ? "same_cpu_crypt " : "",
479                                 (cad.flags & CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS) ? "submit_from_crypt_cpus" : "");
480         }
481 out:
482         crypt_free(cd);
483         if (r == -ENOTSUP)
484                 r = 0;
485         return r;
486 }
487
488 static int action_benchmark_kdf(const char *hash)
489 {
490         uint64_t kdf_iters;
491         int r;
492
493         r = crypt_benchmark_kdf(NULL, "pbkdf2", hash, "foo", 3, "bar", 3,
494                                 &kdf_iters);
495         if (r < 0)
496                 log_std("PBKDF2-%-9s     N/A\n", hash);
497         else
498                 log_std("PBKDF2-%-9s %7" PRIu64 " iterations per second\n",
499                         hash, kdf_iters);
500         return r;
501 }
502
503 static int benchmark_cipher_loop(const char *cipher, const char *cipher_mode,
504                                  size_t volume_key_size, size_t iv_size,
505                                  double *encryption_mbs, double *decryption_mbs)
506 {
507         int r, buffer_size = 1024 * 1024;
508
509         do {
510                 r = crypt_benchmark(NULL, cipher, cipher_mode,
511                                     volume_key_size, iv_size, buffer_size,
512                                     encryption_mbs, decryption_mbs);
513                 if (r == -ERANGE) {
514                         if (buffer_size < 1024 * 1024 * 65)
515                                 buffer_size *= 2;
516                         else {
517                                 log_err(_("Result of benchmark is not reliable.\n"));
518                                 r = -ENOENT;
519                         }
520                 }
521         } while (r == -ERANGE);
522
523         return r;
524 }
525
526 static int action_benchmark(void)
527 {
528         static struct {
529                 const char *cipher;
530                 const char *mode;
531                 size_t key_size;
532                 size_t iv_size;
533         } bciphers[] = {
534                 { "aes",     "cbc", 16, 16 },
535                 { "serpent", "cbc", 16, 16 },
536                 { "twofish", "cbc", 16, 16 },
537                 { "aes",     "cbc", 32, 16 },
538                 { "serpent", "cbc", 32, 16 },
539                 { "twofish", "cbc", 32, 16 },
540                 { "aes",     "xts", 32, 16 },
541                 { "serpent", "xts", 32, 16 },
542                 { "twofish", "xts", 32, 16 },
543                 { "aes",     "xts", 64, 16 },
544                 { "serpent", "xts", 64, 16 },
545                 { "twofish", "xts", 64, 16 },
546                 {  NULL, NULL, 0, 0 }
547         };
548         static const char *bkdfs[] = {
549                 "sha1", "sha256", "sha512", "ripemd160", "whirlpool", NULL
550         };
551         char cipher[MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
552         double enc_mbr = 0, dec_mbr = 0;
553         int key_size = (opt_key_size ?: DEFAULT_PLAIN_KEYBITS);
554         int iv_size = 16, skipped = 0;
555         char *c;
556         int i, r;
557
558         log_std(_("# Tests are approximate using memory only (no storage IO).\n"));
559         if (opt_hash) {
560                 r = action_benchmark_kdf(opt_hash);
561         } else if (opt_cipher) {
562                 r = crypt_parse_name_and_mode(opt_cipher, cipher, NULL, cipher_mode);
563                 if (r < 0) {
564                         log_err(_("No known cipher specification pattern detected.\n"));
565                         return r;
566                 }
567                 if ((c  = strchr(cipher_mode, '-')))
568                         *c = '\0';
569
570                 /* FIXME: not really clever :) */
571                 if (strstr(cipher, "des") ||
572                     strstr(cipher, "blowfish") ||
573                     strstr(cipher, "cast5"))
574                         iv_size = 8;
575
576                 if (!strcmp(cipher_mode, "ecb"))
577                         iv_size = 0;
578
579                 r = benchmark_cipher_loop(cipher, cipher_mode,
580                                           key_size / 8, iv_size,
581                                           &enc_mbr, &dec_mbr);
582                 if (!r) {
583                         log_std(N_("#  Algorithm | Key |  Encryption |  Decryption\n"));
584                         log_std("%8s-%s  %4db  %6.1f MiB/s  %6.1f MiB/s\n",
585                                 cipher, cipher_mode, key_size, enc_mbr, dec_mbr);
586                 } else if (r == -ENOENT)
587                         log_err(_("Cipher %s is not available.\n"), opt_cipher);
588         } else {
589                 for (i = 0; bkdfs[i]; i++) {
590                         r = action_benchmark_kdf(bkdfs[i]);
591                         check_signal(&r);
592                         if (r == -EINTR)
593                                 break;
594                 }
595                 for (i = 0; bciphers[i].cipher; i++) {
596                         r = benchmark_cipher_loop(bciphers[i].cipher, bciphers[i].mode,
597                                             bciphers[i].key_size, bciphers[i].iv_size,
598                                             &enc_mbr, &dec_mbr);
599                         check_signal(&r);
600                         if (r == -ENOTSUP || r == -EINTR)
601                                 break;
602                         if (r == -ENOENT)
603                                 skipped++;
604                         if (i == 0)
605                                 log_std(N_("#  Algorithm | Key |  Encryption |  Decryption\n"));
606
607                         snprintf(cipher, MAX_CIPHER_LEN, "%s-%s",
608                                  bciphers[i].cipher, bciphers[i].mode);
609                         if (!r)
610                                 log_std("%12s  %4zub  %6.1f MiB/s  %6.1f MiB/s\n",
611                                         cipher, bciphers[i].key_size*8, enc_mbr, dec_mbr);
612                         else
613                                 log_std("%12s  %4zub %13s %13s\n", cipher,
614                                         bciphers[i].key_size*8, _("N/A"), _("N/A"));
615                 }
616                 if (skipped && skipped == i)
617                         r = -ENOTSUP;
618         }
619
620         if (r == -ENOTSUP) {
621                 log_err(_("Required kernel crypto interface not available.\n"));
622 #ifdef ENABLE_AF_ALG
623                 log_err( _("Ensure you have algif_skcipher kernel module loaded.\n"));
624 #endif
625         }
626         return r;
627 }
628
629 static int _read_mk(const char *file, char **key, int keysize)
630 {
631         int fd;
632
633         *key = crypt_safe_alloc(keysize);
634         if (!*key)
635                 return -ENOMEM;
636
637         fd = open(file, O_RDONLY);
638         if (fd == -1) {
639                 log_err(_("Cannot read keyfile %s.\n"), file);
640                 goto fail;
641         }
642         if ((read(fd, *key, keysize) != keysize)) {
643                 log_err(_("Cannot read %d bytes from keyfile %s.\n"), keysize, file);
644                 close(fd);
645                 goto fail;
646         }
647         close(fd);
648         return 0;
649 fail:
650         crypt_safe_free(*key);
651         *key = NULL;
652         return -EINVAL;
653 }
654
655 static int action_luksRepair(void)
656 {
657         struct crypt_device *cd = NULL;
658         int r;
659
660         if ((r = crypt_init(&cd, action_argv[0])))
661                 goto out;
662
663         /* Currently only LUKS1 allows repair */
664         crypt_set_log_callback(cd, quiet_log, NULL);
665         r = crypt_load(cd, CRYPT_LUKS1, NULL);
666         crypt_set_log_callback(cd, tool_log, NULL);
667         if (r == 0) {
668                 log_verbose(_("No known problems detected for LUKS header.\n"));
669                 goto out;
670         }
671
672         r = yesDialog(_("Really try to repair LUKS device header?"),
673                        NULL) ? 0 : -EINVAL;
674         if (r == 0)
675                 r = crypt_repair(cd, CRYPT_LUKS1, NULL);
676 out:
677         crypt_free(cd);
678         return r;
679 }
680
681 static int action_luksFormat(void)
682 {
683         int r = -EINVAL, keysize;
684         const char *header_device;
685         char *msg = NULL, *key = NULL, cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN];
686         char *password = NULL;
687         size_t passwordLen;
688         struct crypt_device *cd = NULL;
689         struct crypt_params_luks1 params = {
690                 .hash = opt_hash ?: DEFAULT_LUKS1_HASH,
691                 .data_alignment = opt_align_payload,
692                 .data_device = opt_header_device ? action_argv[0] : NULL,
693         };
694
695         header_device = opt_header_device ?: action_argv[0];
696
697         if(asprintf(&msg, _("This will overwrite data on %s irrevocably."),
698                     header_device) == -1) {
699                 log_err(_("memory allocation error in action_luksFormat"));
700                 r = -ENOMEM;
701                 goto out;
702         }
703         r = yesDialog(msg, NULL) ? 0 : -EINVAL;
704         free(msg);
705         if (r < 0)
706                 goto out;
707
708         r = crypt_parse_name_and_mode(opt_cipher ?: DEFAULT_CIPHER(LUKS1),
709                                       cipher, NULL, cipher_mode);
710         if (r < 0) {
711                 log_err(_("No known cipher specification pattern detected.\n"));
712                 goto out;
713         }
714
715         if ((r = crypt_init(&cd, header_device))) {
716                 if (opt_header_device)
717                         log_err(_("Cannot use %s as on-disk header.\n"), header_device);
718                 goto out;
719         }
720
721         keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
722
723         crypt_set_timeout(cd, opt_timeout);
724         if (opt_iteration_time)
725                 crypt_set_iteration_time(cd, opt_iteration_time);
726
727         if (opt_random)
728                 crypt_set_rng_type(cd, CRYPT_RNG_RANDOM);
729         else if (opt_urandom)
730                 crypt_set_rng_type(cd, CRYPT_RNG_URANDOM);
731
732         r = tools_get_key(_("Enter passphrase: "), &password, &passwordLen,
733                           opt_keyfile_offset, opt_keyfile_size, opt_key_file,
734                           opt_timeout, _verify_passphrase(1), 1, cd);
735         if (r < 0)
736                 goto out;
737
738         if (opt_master_key_file) {
739                 r = _read_mk(opt_master_key_file, &key, keysize);
740                 if (r < 0)
741                         goto out;
742         }
743
744         r = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode,
745                          opt_uuid, key, keysize, &params);
746         check_signal(&r);
747         if (r < 0)
748                 goto out;
749
750         r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot,
751                                             key, keysize,
752                                             password, passwordLen);
753 out:
754         crypt_free(cd);
755         crypt_safe_free(key);
756         crypt_safe_free(password);
757
758         return r;
759 }
760
761 static int action_open_luks(void)
762 {
763         struct crypt_device *cd = NULL;
764         const char *data_device, *header_device, *activated_name;
765         char *key = NULL;
766         uint32_t activate_flags = 0;
767         int r, keysize;
768
769         header_device = uuid_or_device_header(&data_device);
770
771         activated_name = opt_test_passphrase ? NULL : action_argv[1];
772
773         if ((r = crypt_init(&cd, header_device)))
774                 goto out;
775
776         if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
777                 goto out;
778
779         if (data_device &&
780             (r = crypt_set_data_device(cd, data_device)))
781                 goto out;
782
783         if (!data_device && (crypt_get_data_offset(cd) < 8)) {
784                 log_err(_("Reduced data offset is allowed only for detached LUKS header.\n"));
785                 r = -EINVAL;
786                 goto out;
787         }
788
789         crypt_set_timeout(cd, opt_timeout);
790         crypt_set_password_retry(cd, opt_tries);
791         crypt_set_password_verify(cd, _verify_passphrase(0));
792
793         if (opt_iteration_time)
794                 crypt_set_iteration_time(cd, opt_iteration_time);
795
796         _set_activation_flags(&activate_flags);
797
798         if (opt_master_key_file) {
799                 keysize = crypt_get_volume_key_size(cd);
800                 r = _read_mk(opt_master_key_file, &key, keysize);
801                 if (r < 0)
802                         goto out;
803                 r = crypt_activate_by_volume_key(cd, activated_name,
804                                                  key, keysize, activate_flags);
805         } else if (opt_key_file) {
806                 crypt_set_password_retry(cd, 1);
807                 r = crypt_activate_by_keyfile_offset(cd, activated_name,
808                         opt_key_slot, opt_key_file, opt_keyfile_size,
809                         opt_keyfile_offset, activate_flags);
810         } else
811                 r = crypt_activate_by_passphrase(cd, activated_name,
812                         opt_key_slot, NULL, 0, activate_flags);
813 out:
814         crypt_safe_free(key);
815         crypt_free(cd);
816         return r;
817 }
818
819 static int verify_keyslot(struct crypt_device *cd, int key_slot,
820                           char *msg_last, char *msg_pass,
821                           const char *key_file, int keyfile_offset,
822                           int keyfile_size)
823 {
824         crypt_keyslot_info ki;
825         char *password = NULL;
826         size_t passwordLen;
827         int i, r;
828
829         ki = crypt_keyslot_status(cd, key_slot);
830         if (ki == CRYPT_SLOT_ACTIVE_LAST && msg_last && !yesDialog(msg_last, NULL))
831                 return -EPERM;
832
833         r = tools_get_key(msg_pass, &password, &passwordLen,
834                           keyfile_offset, keyfile_size, key_file, opt_timeout,
835                           _verify_passphrase(0), 0, cd);
836         if(r < 0)
837                 goto out;
838
839         if (ki == CRYPT_SLOT_ACTIVE_LAST) {
840                 /* check the last keyslot */
841                 r = crypt_activate_by_passphrase(cd, NULL, key_slot,
842                                                  password, passwordLen, 0);
843         } else {
844                 /* try all other keyslots */
845                 for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
846                         if (i == key_slot)
847                                 continue;
848                         ki = crypt_keyslot_status(cd, key_slot);
849                         if (ki == CRYPT_SLOT_ACTIVE)
850                         r = crypt_activate_by_passphrase(cd, NULL, i,
851                                                          password, passwordLen, 0);
852                         if (r == i)
853                                 break;
854                 }
855         }
856
857         if (r == -EPERM)
858                 log_err(_("No key available with this passphrase.\n"));
859 out:
860         crypt_safe_free(password);
861         return r;
862 }
863
864 static int action_luksKillSlot(void)
865 {
866         struct crypt_device *cd = NULL;
867         int r;
868
869         if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
870                 goto out;
871
872         crypt_set_confirm_callback(cd, yesDialog, NULL);
873         crypt_set_timeout(cd, opt_timeout);
874
875         if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
876                 goto out;
877
878         switch (crypt_keyslot_status(cd, opt_key_slot)) {
879         case CRYPT_SLOT_ACTIVE_LAST:
880         case CRYPT_SLOT_ACTIVE:
881                 log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
882                 break;
883         case CRYPT_SLOT_INACTIVE:
884                 log_err(_("Key %d not active. Can't wipe.\n"), opt_key_slot);
885         case CRYPT_SLOT_INVALID:
886                 r = -EINVAL;
887                 goto out;
888         }
889
890         if (!opt_batch_mode) {
891                 r = verify_keyslot(cd, opt_key_slot,
892                         _("This is the last keyslot. Device will become unusable after purging this key."),
893                         _("Enter any remaining passphrase: "),
894                         opt_key_file, opt_keyfile_offset, opt_keyfile_size);
895                 if (r < 0)
896                         goto out;
897         }
898
899         r = crypt_keyslot_destroy(cd, opt_key_slot);
900 out:
901         crypt_free(cd);
902         return r;
903 }
904
905 static int action_luksRemoveKey(void)
906 {
907         struct crypt_device *cd = NULL;
908         char *password = NULL;
909         size_t passwordLen;
910         int r;
911
912         if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
913                 goto out;
914
915         crypt_set_confirm_callback(cd, yesDialog, NULL);
916         crypt_set_timeout(cd, opt_timeout);
917
918         if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
919                 goto out;
920
921         r = tools_get_key(_("Enter passphrase to be deleted: "),
922                       &password, &passwordLen,
923                       opt_keyfile_offset, opt_keyfile_size, opt_key_file,
924                       opt_timeout,
925                       _verify_passphrase(0), 0,
926                       cd);
927         if(r < 0)
928                 goto out;
929
930         r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
931                                          password, passwordLen, 0);
932         check_signal(&r);
933         if (r < 0)
934                 goto out;
935
936         opt_key_slot = r;
937         log_verbose(_("Key slot %d selected for deletion.\n"), opt_key_slot);
938
939         if (crypt_keyslot_status(cd, opt_key_slot) == CRYPT_SLOT_ACTIVE_LAST &&
940             !yesDialog(_("This is the last keyslot. "
941                           "Device will become unusable after purging this key."),
942                         NULL)) {
943                 r = -EPERM;
944                 goto out;
945         }
946
947         r = crypt_keyslot_destroy(cd, opt_key_slot);
948 out:
949         crypt_safe_free(password);
950         crypt_free(cd);
951         return r;
952 }
953
954 static int action_luksAddKey(void)
955 {
956         int r = -EINVAL, keysize = 0;
957         char *key = NULL;
958         const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
959         char *password = NULL, *password_new = NULL;
960         size_t password_size = 0, password_new_size = 0;
961         struct crypt_device *cd = NULL;
962
963         if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
964                 goto out;
965
966         crypt_set_confirm_callback(cd, yesDialog, NULL);
967
968         if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
969                 goto out;
970
971         keysize = crypt_get_volume_key_size(cd);
972         /* FIXME: lib cannot properly set verification for new/old passphrase */
973         crypt_set_password_verify(cd, _verify_passphrase(0));
974         crypt_set_timeout(cd, opt_timeout);
975         if (opt_iteration_time)
976                 crypt_set_iteration_time(cd, opt_iteration_time);
977
978         if (opt_master_key_file) {
979                 r = _read_mk(opt_master_key_file, &key, keysize);
980                 if (r < 0)
981                         goto out;
982
983                 r = crypt_volume_key_verify(cd, key, keysize);
984                 check_signal(&r);
985                 if (r < 0)
986                         goto out;
987
988                 r = tools_get_key(_("Enter new passphrase for key slot: "),
989                                   &password_new, &password_new_size,
990                                   opt_new_keyfile_offset, opt_new_keyfile_size,
991                                   opt_new_key_file, opt_timeout,
992                                   _verify_passphrase(1), 1, cd);
993                 if (r < 0)
994                         goto out;
995
996                 r = crypt_keyslot_add_by_volume_key(cd, opt_key_slot, key, keysize,
997                                                     password_new, password_new_size);
998         } else if (opt_key_file || opt_new_key_file) {
999                 r = crypt_keyslot_add_by_keyfile_offset(cd, opt_key_slot,
1000                         opt_key_file, opt_keyfile_size, opt_keyfile_offset,
1001                         opt_new_key_file, opt_new_keyfile_size, opt_new_keyfile_offset);
1002         } else {
1003                 r = tools_get_key(_("Enter any existing passphrase: "),
1004                               &password, &password_size, 0, 0, NULL,
1005                               opt_timeout, _verify_passphrase(0), 0, cd);
1006
1007                 if (r < 0)
1008                         goto out;
1009
1010                 /* Check password before asking for new one */
1011                 r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT,
1012                                                  password, password_size, 0);
1013                 check_signal(&r);
1014                 if (r < 0)
1015                         goto out;
1016
1017                 r = tools_get_key(_("Enter new passphrase for key slot: "),
1018                                   &password_new, &password_new_size, 0, 0, NULL,
1019                                   opt_timeout, _verify_passphrase(1), 1, cd);
1020                 if (r < 0)
1021                         goto out;
1022
1023                 r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot,
1024                                                     password, password_size,
1025                                                     password_new, password_new_size);
1026         }
1027 out:
1028         crypt_safe_free(password);
1029         crypt_safe_free(password_new);
1030         crypt_safe_free(key);
1031         crypt_free(cd);
1032         return r;
1033 }
1034
1035 static int action_luksChangeKey(void)
1036 {
1037         const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL);
1038         struct crypt_device *cd = NULL;
1039         char *password = NULL, *password_new = NULL;
1040         size_t password_size = 0, password_new_size = 0;
1041         int r;
1042
1043         if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
1044                 goto out;
1045
1046         if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
1047                 goto out;
1048
1049         if (opt_iteration_time)
1050                 crypt_set_iteration_time(cd, opt_iteration_time);
1051
1052         r = tools_get_key(_("Enter passphrase to be changed: "),
1053                       &password, &password_size,
1054                       opt_keyfile_offset, opt_keyfile_size, opt_key_file,
1055                       opt_timeout, _verify_passphrase(0), 0, cd);
1056         if (r < 0)
1057                 goto out;
1058
1059         /* Check password before asking for new one */
1060         r = crypt_activate_by_passphrase(cd, NULL, opt_key_slot,
1061                                          password, password_size, 0);
1062         check_signal(&r);
1063         if (r < 0)
1064                 goto out;
1065
1066         r = tools_get_key(_("Enter new passphrase: "),
1067                           &password_new, &password_new_size,
1068                           opt_new_keyfile_offset, opt_new_keyfile_size,
1069                           opt_new_key_file,
1070                           opt_timeout, _verify_passphrase(1), 1, cd);
1071         if (r < 0)
1072                 goto out;
1073
1074         r = crypt_keyslot_change_by_passphrase(cd, opt_key_slot, opt_key_slot,
1075                 password, password_size, password_new, password_new_size);
1076 out:
1077         crypt_safe_free(password);
1078         crypt_safe_free(password_new);
1079         crypt_free(cd);
1080         return r;
1081 }
1082
1083 static int action_isLuks(void)
1084 {
1085         struct crypt_device *cd = NULL;
1086         int r;
1087
1088         /* FIXME: argc > max should be checked for other operations as well */
1089         if (action_argc > 1) {
1090                 log_err(_("Only one device argument for isLuks operation is supported.\n"));
1091                 return -ENODEV;
1092         }
1093
1094         if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
1095                 goto out;
1096
1097         crypt_set_log_callback(cd, quiet_log, NULL);
1098         r = crypt_load(cd, CRYPT_LUKS1, NULL);
1099 out:
1100         crypt_free(cd);
1101         return r;
1102 }
1103
1104 static int action_luksUUID(void)
1105 {
1106         struct crypt_device *cd = NULL;
1107         const char *existing_uuid = NULL;
1108         int r;
1109
1110         if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
1111                 goto out;
1112
1113         crypt_set_confirm_callback(cd, yesDialog, NULL);
1114
1115         if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
1116                 goto out;
1117
1118         if (opt_uuid)
1119                 r = crypt_set_uuid(cd, opt_uuid);
1120         else {
1121                 existing_uuid = crypt_get_uuid(cd);
1122                 log_std("%s\n", existing_uuid ?: "");
1123                 r = existing_uuid ? 0 : 1;
1124         }
1125 out:
1126         crypt_free(cd);
1127         return r;
1128 }
1129
1130 static int luksDump_with_volume_key(struct crypt_device *cd)
1131 {
1132         char *vk = NULL, *password = NULL;
1133         size_t passwordLen = 0;
1134         size_t vk_size;
1135         unsigned i;
1136         int r;
1137
1138         crypt_set_confirm_callback(cd, yesDialog, NULL);
1139         if (!yesDialog(
1140             _("Header dump with volume key is sensitive information\n"
1141               "which allows access to encrypted partition without passphrase.\n"
1142               "This dump should be always stored encrypted on safe place."),
1143               NULL))
1144                 return -EPERM;
1145
1146         vk_size = crypt_get_volume_key_size(cd);
1147         vk = crypt_safe_alloc(vk_size);
1148         if (!vk)
1149                 return -ENOMEM;
1150
1151         r = tools_get_key(_("Enter passphrase: "), &password, &passwordLen,
1152                           opt_keyfile_offset, opt_keyfile_size, opt_key_file,
1153                           opt_timeout, 0, 0, cd);
1154         if (r < 0)
1155                 goto out;
1156
1157         r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, vk, &vk_size,
1158                                  password, passwordLen);
1159         check_signal(&r);
1160         if (r < 0)
1161                 goto out;
1162
1163         log_std("LUKS header information for %s\n", crypt_get_device_name(cd));
1164         log_std("Cipher name:   \t%s\n", crypt_get_cipher(cd));
1165         log_std("Cipher mode:   \t%s\n", crypt_get_cipher_mode(cd));
1166         log_std("Payload offset:\t%d\n", (int)crypt_get_data_offset(cd));
1167         log_std("UUID:          \t%s\n", crypt_get_uuid(cd));
1168         log_std("MK bits:       \t%d\n", (int)vk_size * 8);
1169         log_std("MK dump:\t");
1170
1171         for(i = 0; i < vk_size; i++) {
1172                 if (i && !(i % 16))
1173                         log_std("\n\t\t");
1174                 log_std("%02hhx ", (char)vk[i]);
1175         }
1176         log_std("\n");
1177
1178 out:
1179         crypt_safe_free(password);
1180         crypt_safe_free(vk);
1181         return r;
1182 }
1183
1184 static int action_luksDump(void)
1185 {
1186         struct crypt_device *cd = NULL;
1187         int r;
1188
1189         if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
1190                 goto out;
1191
1192         if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
1193                 goto out;
1194
1195         if (opt_dump_master_key)
1196                 r = luksDump_with_volume_key(cd);
1197         else
1198                 r = crypt_dump(cd);
1199 out:
1200         crypt_free(cd);
1201         return r;
1202 }
1203
1204 static int action_luksSuspend(void)
1205 {
1206         struct crypt_device *cd = NULL;
1207         int r;
1208
1209         r = crypt_init_by_name_and_header(&cd, action_argv[0], uuid_or_device(opt_header_device));
1210         if (!r)
1211                 r = crypt_suspend(cd, action_argv[0]);
1212
1213         crypt_free(cd);
1214         return r;
1215 }
1216
1217 static int action_luksResume(void)
1218 {
1219         struct crypt_device *cd = NULL;
1220         int r;
1221
1222         if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], uuid_or_device(opt_header_device))))
1223                 goto out;
1224
1225         crypt_set_timeout(cd, opt_timeout);
1226         crypt_set_password_retry(cd, opt_tries);
1227         crypt_set_password_verify(cd, _verify_passphrase(0));
1228
1229         if (opt_key_file)
1230                 r = crypt_resume_by_keyfile_offset(cd, action_argv[0], CRYPT_ANY_SLOT,
1231                         opt_key_file, opt_keyfile_size, opt_keyfile_offset);
1232         else
1233                 r = crypt_resume_by_passphrase(cd, action_argv[0], CRYPT_ANY_SLOT,
1234                                                NULL, 0);
1235 out:
1236         crypt_free(cd);
1237         return r;
1238 }
1239
1240 static int action_luksBackup(void)
1241 {
1242         struct crypt_device *cd = NULL;
1243         int r;
1244
1245         if (!opt_header_backup_file) {
1246                 log_err(_("Option --header-backup-file is required.\n"));
1247                 return -EINVAL;
1248         }
1249
1250         if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
1251                 goto out;
1252
1253         crypt_set_confirm_callback(cd, yesDialog, NULL);
1254
1255         r = crypt_header_backup(cd, CRYPT_LUKS1, opt_header_backup_file);
1256 out:
1257         crypt_free(cd);
1258         return r;
1259 }
1260
1261 static int action_luksRestore(void)
1262 {
1263         struct crypt_device *cd = NULL;
1264         int r = 0;
1265
1266         if (!opt_header_backup_file) {
1267                 log_err(_("Option --header-backup-file is required.\n"));
1268                 return -EINVAL;
1269         }
1270
1271         if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
1272                 goto out;
1273
1274         crypt_set_confirm_callback(cd, yesDialog, NULL);
1275         r = crypt_header_restore(cd, CRYPT_LUKS1, opt_header_backup_file);
1276 out:
1277         crypt_free(cd);
1278         return r;
1279 }
1280
1281 static int action_open(void)
1282 {
1283         if (!opt_type)
1284                 return -EINVAL;
1285
1286         if (!strcmp(opt_type, "luks") || !strcmp(opt_type, "luks1")) {
1287                 if (action_argc < 2 && !opt_test_passphrase)
1288                         goto args;
1289                 return action_open_luks();
1290         } else if (!strcmp(opt_type, "plain")) {
1291                 if (action_argc < 2)
1292                         goto args;
1293                 return action_open_plain();
1294         } else if (!strcmp(opt_type, "loopaes")) {
1295                 if (action_argc < 2)
1296                         goto args;
1297                 return action_open_loopaes();
1298         } else if (!strcmp(opt_type, "tcrypt")) {
1299                 if (action_argc < 2 && !opt_test_passphrase)
1300                         goto args;
1301                 return action_open_tcrypt();
1302         }
1303
1304         log_err(_("Unrecognized metadata device type %s.\n"), opt_type);
1305         return -EINVAL;
1306 args:
1307         log_err(_("Command requires device and mapped name as arguments.\n"));
1308         return -EINVAL;
1309 }
1310
1311 static int action_luksErase(void)
1312 {
1313         struct crypt_device *cd = NULL;
1314         crypt_keyslot_info ki;
1315         char *msg = NULL;
1316         int i, r;
1317
1318         if ((r = crypt_init(&cd, uuid_or_device_header(NULL))))
1319                 goto out;
1320
1321         crypt_set_confirm_callback(cd, yesDialog, NULL);
1322
1323         if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
1324                 goto out;
1325
1326         if(asprintf(&msg, _("This operation will erase all keyslots on device %s.\n"
1327                             "Device will become unusable after this operation."),
1328                             uuid_or_device_header(NULL)) == -1) {
1329                 r = -ENOMEM;
1330                 goto out;
1331         }
1332
1333         if (!yesDialog(msg, NULL)) {
1334                 r = -EPERM;
1335                 goto out;
1336         }
1337
1338         for (i = 0; i < crypt_keyslot_max(CRYPT_LUKS1); i++) {
1339                 ki = crypt_keyslot_status(cd, i);
1340                 if (ki == CRYPT_SLOT_ACTIVE || ki == CRYPT_SLOT_ACTIVE_LAST) {
1341                         r = crypt_keyslot_destroy(cd, i);
1342                         if (r < 0)
1343                                 goto out;
1344                 }
1345         }
1346 out:
1347         free(msg);
1348         crypt_free(cd);
1349         return r;
1350 }
1351
1352 static struct action_type {
1353         const char *type;
1354         int (*handler)(void);
1355         int required_action_argc;
1356         int required_memlock;
1357         const char *arg_desc;
1358         const char *desc;
1359 } action_types[] = {
1360         { "open",         action_open,         1, 1, N_("<device> [--type <type>] [<name>]"),N_("open device as mapping <name>") },
1361         { "close",        action_close,        1, 1, N_("<name>"), N_("close device (remove mapping)") },
1362         { "resize",       action_resize,       1, 1, N_("<name>"), N_("resize active device") },
1363         { "status",       action_status,       1, 0, N_("<name>"), N_("show device status") },
1364         { "benchmark",    action_benchmark,    0, 0, N_("<name>"), N_("benchmark cipher") },
1365         { "repair",       action_luksRepair,   1, 1, N_("<device>"), N_("try to repair on-disk metadata") },
1366         { "erase",        action_luksErase ,   1, 1, N_("<device>"), N_("erase all keyslots (remove encryption key)") },
1367         { "luksFormat",   action_luksFormat,   1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") },
1368         { "luksAddKey",   action_luksAddKey,   1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") },
1369         { "luksRemoveKey",action_luksRemoveKey,1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") },
1370         { "luksChangeKey",action_luksChangeKey,1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") },
1371         { "luksKillSlot", action_luksKillSlot, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") },
1372         { "luksUUID",     action_luksUUID,     1, 0, N_("<device>"), N_("print UUID of LUKS device") },
1373         { "isLuks",       action_isLuks,       1, 0, N_("<device>"), N_("tests <device> for LUKS partition header") },
1374         { "luksDump",     action_luksDump,     1, 1, N_("<device>"), N_("dump LUKS partition information") },
1375         { "tcryptDump",   action_tcryptDump,   1, 1, N_("<device>"), N_("dump TCRYPT device information") },
1376         { "luksSuspend",  action_luksSuspend,  1, 1, N_("<device>"), N_("Suspend LUKS device and wipe key (all IOs are frozen).") },
1377         { "luksResume",   action_luksResume,   1, 1, N_("<device>"), N_("Resume suspended LUKS device.") },
1378         { "luksHeaderBackup", action_luksBackup,1,1, N_("<device>"), N_("Backup LUKS device header and keyslots") },
1379         { "luksHeaderRestore",action_luksRestore,1,1,N_("<device>"), N_("Restore LUKS device header and keyslots") },
1380         {}
1381 };
1382
1383 static void help(poptContext popt_context,
1384                  enum poptCallbackReason reason __attribute__((unused)),
1385                  struct poptOption *key,
1386                  const char *arg __attribute__((unused)),
1387                  void *data __attribute__((unused)))
1388 {
1389         if (key->shortName == '?') {
1390                 struct action_type *action;
1391
1392                 log_std("%s\n",PACKAGE_STRING);
1393
1394                 poptPrintHelp(popt_context, stdout, 0);
1395
1396                 log_std(_("\n"
1397                          "<action> is one of:\n"));
1398
1399                 for(action = action_types; action->type; action++)
1400                         log_std("\t%s %s - %s\n", action->type, _(action->arg_desc), _(action->desc));
1401
1402                 log_std(_("\n"
1403                           "You can also use old <action> syntax aliases:\n"
1404                           "\topen: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen\n"
1405                           "\tclose: remove (plainClose), luksClose, loopaesClose, tcryptClose\n"));
1406                 log_std(_("\n"
1407                          "<name> is the device to create under %s\n"
1408                          "<device> is the encrypted device\n"
1409                          "<key slot> is the LUKS key slot number to modify\n"
1410                          "<key file> optional key file for the new key for luksAddKey action\n"),
1411                         crypt_get_dir());
1412
1413                 log_std(_("\nDefault compiled-in key and passphrase parameters:\n"
1414                          "\tMaximum keyfile size: %dkB, "
1415                          "Maximum interactive passphrase length %d (characters)\n"
1416                          "Default PBKDF2 iteration time for LUKS: %d (ms)\n"),
1417                          DEFAULT_KEYFILE_SIZE_MAXKB, DEFAULT_PASSPHRASE_SIZE_MAX,
1418                          DEFAULT_LUKS1_ITER_TIME);
1419
1420                 log_std(_("\nDefault compiled-in device cipher parameters:\n"
1421                          "\tloop-AES: %s, Key %d bits\n"
1422                          "\tplain: %s, Key: %d bits, Password hashing: %s\n"
1423                          "\tLUKS1: %s, Key: %d bits, LUKS header hashing: %s, RNG: %s\n"),
1424                          DEFAULT_LOOPAES_CIPHER, DEFAULT_LOOPAES_KEYBITS,
1425                          DEFAULT_CIPHER(PLAIN), DEFAULT_PLAIN_KEYBITS, DEFAULT_PLAIN_HASH,
1426                          DEFAULT_CIPHER(LUKS1), DEFAULT_LUKS1_KEYBITS, DEFAULT_LUKS1_HASH,
1427                          DEFAULT_RNG);
1428                 exit(EXIT_SUCCESS);
1429         } else
1430                 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
1431 }
1432
1433 static void help_args(struct action_type *action, poptContext popt_context)
1434 {
1435         char buf[128];
1436
1437         snprintf(buf, sizeof(buf), _("%s: requires %s as arguments"), action->type, action->arg_desc);
1438         usage(popt_context, EXIT_FAILURE, buf, poptGetInvocationName(popt_context));
1439 }
1440
1441 static int run_action(struct action_type *action)
1442 {
1443         int r;
1444
1445         log_dbg("Running command %s.", action->type);
1446
1447         if (action->required_memlock)
1448                 crypt_memory_lock(NULL, 1);
1449
1450         set_int_handler(0);
1451         r = action->handler();
1452
1453         if (action->required_memlock)
1454                 crypt_memory_lock(NULL, 0);
1455
1456         /* Some functions returns keyslot # */
1457         if (r > 0)
1458                 r = 0;
1459         check_signal(&r);
1460
1461         show_status(r);
1462         return translate_errno(r);
1463 }
1464
1465 int main(int argc, const char **argv)
1466 {
1467         static char *popt_tmp;
1468         static struct poptOption popt_help_options[] = {
1469                 { NULL,    '\0', POPT_ARG_CALLBACK, help, 0, NULL,                         NULL },
1470                 { "help",  '?',  POPT_ARG_NONE,     NULL, 0, N_("Show this help message"), NULL },
1471                 { "usage", '\0', POPT_ARG_NONE,     NULL, 0, N_("Display brief usage"),    NULL },
1472                 POPT_TABLEEND
1473         };
1474         static struct poptOption popt_options[] = {
1475                 { NULL,                '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
1476                 { "version",           '\0', POPT_ARG_NONE, &opt_version_mode,          0, N_("Print package version"), NULL },
1477                 { "verbose",           'v',  POPT_ARG_NONE, &opt_verbose,               0, N_("Shows more detailed error messages"), NULL },
1478                 { "debug",             '\0', POPT_ARG_NONE, &opt_debug,                 0, N_("Show debug messages"), NULL },
1479                 { "cipher",            'c',  POPT_ARG_STRING, &opt_cipher,              0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
1480                 { "hash",              'h',  POPT_ARG_STRING, &opt_hash,                0, N_("The hash used to create the encryption key from the passphrase"), NULL },
1481                 { "verify-passphrase", 'y',  POPT_ARG_NONE, &opt_verify_passphrase,     0, N_("Verifies the passphrase by asking for it twice"), NULL },
1482                 { "key-file",          'd',  POPT_ARG_STRING, &opt_key_file,            5, N_("Read the key from a file."), NULL },
1483                 { "master-key-file",  '\0',  POPT_ARG_STRING, &opt_master_key_file,     0, N_("Read the volume (master) key from file."), NULL },
1484                 { "dump-master-key",  '\0',  POPT_ARG_NONE, &opt_dump_master_key,       0, N_("Dump volume (master) key instead of keyslots info."), NULL },
1485                 { "key-size",          's',  POPT_ARG_INT, &opt_key_size,               0, N_("The size of the encryption key"), N_("BITS") },
1486                 { "keyfile-size",      'l',  POPT_ARG_LONG, &opt_keyfile_size,          0, N_("Limits the read from keyfile"), N_("bytes") },
1487                 { "keyfile-offset",   '\0',  POPT_ARG_LONG, &opt_keyfile_offset,        0, N_("Number of bytes to skip in keyfile"), N_("bytes") },
1488                 { "new-keyfile-size", '\0',  POPT_ARG_LONG, &opt_new_keyfile_size,      0, N_("Limits the read from newly added keyfile"), N_("bytes") },
1489                 { "new-keyfile-offset",'\0', POPT_ARG_LONG, &opt_new_keyfile_offset,    0, N_("Number of bytes to skip in newly added keyfile"), N_("bytes") },
1490                 { "key-slot",          'S',  POPT_ARG_INT, &opt_key_slot,               0, N_("Slot number for new key (default is first free)"), NULL },
1491                 { "size",              'b',  POPT_ARG_STRING, &popt_tmp,                1, N_("The size of the device"), N_("SECTORS") },
1492                 { "offset",            'o',  POPT_ARG_STRING, &popt_tmp,                2, N_("The start offset in the backend device"), N_("SECTORS") },
1493                 { "skip",              'p',  POPT_ARG_STRING, &popt_tmp,                3, N_("How many sectors of the encrypted data to skip at the beginning"), N_("SECTORS") },
1494                 { "readonly",          'r',  POPT_ARG_NONE, &opt_readonly,              0, N_("Create a readonly mapping"), NULL },
1495                 { "iter-time",         'i',  POPT_ARG_INT, &opt_iteration_time,         0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
1496                 { "batch-mode",        'q',  POPT_ARG_NONE, &opt_batch_mode,            0, N_("Do not ask for confirmation"), NULL },
1497                 { "timeout",           't',  POPT_ARG_INT, &opt_timeout,                0, N_("Timeout for interactive passphrase prompt (in seconds)"), N_("secs") },
1498                 { "tries",             'T',  POPT_ARG_INT, &opt_tries,                  0, N_("How often the input of the passphrase can be retried"), NULL },
1499                 { "align-payload",     '\0', POPT_ARG_INT, &opt_align_payload,          0, N_("Align payload at <n> sector boundaries - for luksFormat"), N_("SECTORS") },
1500                 { "header-backup-file",'\0', POPT_ARG_STRING, &opt_header_backup_file,  0, N_("File with LUKS header and keyslots backup."), NULL },
1501                 { "use-random",        '\0', POPT_ARG_NONE, &opt_random,                0, N_("Use /dev/random for generating volume key."), NULL },
1502                 { "use-urandom",       '\0', POPT_ARG_NONE, &opt_urandom,               0, N_("Use /dev/urandom for generating volume key."), NULL },
1503                 { "shared",            '\0', POPT_ARG_NONE, &opt_shared,                0, N_("Share device with another non-overlapping crypt segment."), NULL },
1504                 { "uuid",              '\0', POPT_ARG_STRING, &opt_uuid,                0, N_("UUID for device to use."), NULL },
1505                 { "allow-discards",    '\0', POPT_ARG_NONE, &opt_allow_discards,        0, N_("Allow discards (aka TRIM) requests for device."), NULL },
1506                 { "header",            '\0', POPT_ARG_STRING, &opt_header_device,       0, N_("Device or file with separated LUKS header."), NULL },
1507                 { "test-passphrase",   '\0', POPT_ARG_NONE, &opt_test_passphrase,       0, N_("Do not activate device, just check passphrase."), NULL },
1508                 { "tcrypt-hidden",     '\0', POPT_ARG_NONE, &opt_tcrypt_hidden,         0, N_("Use hidden header (hidden TCRYPT device)."), NULL },
1509                 { "tcrypt-system",     '\0', POPT_ARG_NONE, &opt_tcrypt_system,         0, N_("Device is system TCRYPT drive (with bootloader)."), NULL },
1510                 { "tcrypt-backup",     '\0', POPT_ARG_NONE, &opt_tcrypt_backup,         0, N_("Use backup (secondary) TCRYPT header."), NULL },
1511                 { "veracrypt",         '\0', POPT_ARG_NONE, &opt_veracrypt,             0, N_("Scan also for VeraCrypt compatible device."), NULL },
1512                 { "type",               'M', POPT_ARG_STRING, &opt_type,                0, N_("Type of device metadata: luks, plain, loopaes, tcrypt."), NULL },
1513                 { "force-password",    '\0', POPT_ARG_NONE, &opt_force_password,        0, N_("Disable password quality check (if enabled)."), NULL },
1514                 { "perf-same_cpu_crypt",'\0', POPT_ARG_NONE, &opt_perf_same_cpu_crypt,  0, N_("Use dm-crypt same_cpu_crypt performance compatibility option."), NULL },
1515                 { "perf-submit_from_crypt_cpus",'\0', POPT_ARG_NONE, &opt_perf_submit_from_crypt_cpus,0,N_("Use dm-crypt submit_from_crypt_cpus performance compatibility option."), NULL },
1516                 POPT_TABLEEND
1517         };
1518         poptContext popt_context;
1519         struct action_type *action;
1520         const char *aname;
1521         int r;
1522
1523         crypt_set_log_callback(NULL, tool_log, NULL);
1524
1525         setlocale(LC_ALL, "");
1526         bindtextdomain(PACKAGE, LOCALEDIR);
1527         textdomain(PACKAGE);
1528
1529         popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
1530         poptSetOtherOptionHelp(popt_context,
1531                                _("[OPTION...] <action> <action-specific>"));
1532
1533         while((r = poptGetNextOpt(popt_context)) > 0) {
1534                 unsigned long long ull_value;
1535                 char *endp;
1536
1537                 if (r == 5) {
1538                         if (opt_keyfiles_count < MAX_KEYFILES)
1539                                 opt_keyfiles[opt_keyfiles_count++] = poptGetOptArg(popt_context);
1540                         continue;
1541                 }
1542
1543                 errno = 0;
1544                 ull_value = strtoull(popt_tmp, &endp, 0);
1545                 if (*endp || !*popt_tmp ||
1546                     (errno == ERANGE && ull_value == ULLONG_MAX) ||
1547                     (errno != 0 && ull_value == 0))
1548                         r = POPT_ERROR_BADNUMBER;
1549
1550                 switch(r) {
1551                         case 1:
1552                                 opt_size = ull_value;
1553                                 break;
1554                         case 2:
1555                                 opt_offset = ull_value;
1556                                 break;
1557                         case 3:
1558                                 opt_skip = ull_value;
1559                                 opt_skip_valid = 1;
1560                                 break;
1561                 }
1562
1563                 if (r < 0)
1564                         break;
1565         }
1566
1567         if (r < -1)
1568                 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
1569                       poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
1570
1571         if (crypt_fips_mode())
1572                 crypt_log(NULL, CRYPT_LOG_VERBOSE, _("Running in FIPS mode.\n"));
1573
1574         if (opt_version_mode) {
1575                 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
1576                 poptFreeContext(popt_context);
1577                 exit(EXIT_SUCCESS);
1578         }
1579
1580         if (!(aname = poptGetArg(popt_context)))
1581                 usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
1582                       poptGetInvocationName(popt_context));
1583
1584         action_argc = 0;
1585         action_argv = poptGetArgs(popt_context);
1586         /* Make return values of poptGetArgs more consistent in case of remaining argc = 0 */
1587         if(!action_argv)
1588                 action_argv = null_action_argv;
1589
1590         /* Count args, somewhat unnice, change? */
1591         while(action_argv[action_argc] != NULL)
1592                 action_argc++;
1593
1594         /* Handle aliases */
1595         if (!strcmp(aname, "create")) {
1596                 /* create command had historically switched arguments */
1597                 if (action_argv[0] && action_argv[1]) {
1598                         const char *tmp = action_argv[0];
1599                         action_argv[0] = action_argv[1];
1600                         action_argv[1] = tmp;
1601                 }
1602                 aname = "open";
1603                 opt_type = "plain";
1604         } else if (!strcmp(aname, "plainOpen")) {
1605                 aname = "open";
1606                 opt_type = "plain";
1607         } else if (!strcmp(aname, "luksOpen")) {
1608                 aname = "open";
1609                 opt_type = "luks";
1610         } else if (!strcmp(aname, "loopaesOpen")) {
1611                 aname = "open";
1612                 opt_type = "loopaes";
1613         } else if (!strcmp(aname, "tcryptOpen")) {
1614                 aname = "open";
1615                 opt_type = "tcrypt";
1616         } else if (!strcmp(aname, "tcryptDump")) {
1617                 opt_type = "tcrypt";
1618         } else if (!strcmp(aname, "remove") ||
1619                    !strcmp(aname, "plainClose") ||
1620                    !strcmp(aname, "luksClose") ||
1621                    !strcmp(aname, "loopaesClose") ||
1622                    !strcmp(aname, "tcryptClose")) {
1623                 aname = "close";
1624         } else if (!strcmp(aname, "luksErase")) {
1625                 aname = "erase";
1626                 opt_type = "luks";
1627         }
1628
1629         for(action = action_types; action->type; action++)
1630                 if (strcmp(action->type, aname) == 0)
1631                         break;
1632
1633         if (!action->type)
1634                 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
1635                       poptGetInvocationName(popt_context));
1636
1637         if (action_argc < action->required_action_argc)
1638                 help_args(action, popt_context);
1639
1640         /* FIXME: rewrite this from scratch */
1641
1642         if (opt_shared && (strcmp(aname, "open") || strcmp(opt_type, "plain")) )
1643                 usage(popt_context, EXIT_FAILURE,
1644                       _("Option --shared is allowed only for open of plain device.\n"),
1645                       poptGetInvocationName(popt_context));
1646
1647         if (opt_allow_discards && strcmp(aname, "open"))
1648                 usage(popt_context, EXIT_FAILURE,
1649                       _("Option --allow-discards is allowed only for open operation.\n"),
1650                       poptGetInvocationName(popt_context));
1651
1652         if (opt_key_size &&
1653            strcmp(aname, "luksFormat") &&
1654            strcmp(aname, "open") &&
1655            strcmp(aname, "benchmark"))
1656                 usage(popt_context, EXIT_FAILURE,
1657                       _("Option --key-size is allowed only for luksFormat, open and benchmark.\n"
1658                         "To limit read from keyfile use --keyfile-size=(bytes)."),
1659                       poptGetInvocationName(popt_context));
1660
1661         if (opt_test_passphrase && (strcmp(aname, "open") ||
1662             (strcmp(opt_type, "luks") && strcmp(opt_type, "tcrypt"))))
1663                 usage(popt_context, EXIT_FAILURE,
1664                       _("Option --test-passphrase is allowed only for open of LUKS and TCRYPT devices.\n"),
1665                       poptGetInvocationName(popt_context));
1666
1667         if (opt_key_size % 8)
1668                 usage(popt_context, EXIT_FAILURE,
1669                       _("Key size must be a multiple of 8 bits"),
1670                       poptGetInvocationName(popt_context));
1671
1672         if (!strcmp(aname, "luksKillSlot") && action_argc > 1)
1673                 opt_key_slot = atoi(action_argv[1]);
1674         if (opt_key_slot != CRYPT_ANY_SLOT &&
1675             (opt_key_slot < 0 || opt_key_slot >= crypt_keyslot_max(CRYPT_LUKS1)))
1676                 usage(popt_context, EXIT_FAILURE, _("Key slot is invalid."),
1677                       poptGetInvocationName(popt_context));
1678
1679         if ((!strcmp(aname, "luksRemoveKey") ||
1680              !strcmp(aname, "luksFormat")) &&
1681              action_argc > 1) {
1682                 if (opt_key_file)
1683                         log_err(_("Option --key-file takes precedence over specified key file argument.\n"));
1684                 else
1685                         opt_key_file = action_argv[1];
1686         }
1687
1688         if (opt_keyfile_size < 0 || opt_new_keyfile_size < 0 || opt_key_size < 0 ||
1689             opt_keyfile_offset < 0 || opt_new_keyfile_offset < 0)
1690                 usage(popt_context, EXIT_FAILURE,
1691                       _("Negative number for option not permitted."),
1692                       poptGetInvocationName(popt_context));
1693
1694         if (opt_random && opt_urandom)
1695                 usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
1696                       poptGetInvocationName(popt_context));
1697
1698         if ((opt_random || opt_urandom) && strcmp(aname, "luksFormat"))
1699                 usage(popt_context, EXIT_FAILURE, _("Option --use-[u]random is allowed only for luksFormat."),
1700                       poptGetInvocationName(popt_context));
1701
1702         if (opt_uuid && strcmp(aname, "luksFormat") && strcmp(aname, "luksUUID"))
1703                 usage(popt_context, EXIT_FAILURE, _("Option --uuid is allowed only for luksFormat and luksUUID."),
1704                       poptGetInvocationName(popt_context));
1705
1706         if (opt_align_payload && strcmp(aname, "luksFormat"))
1707                 usage(popt_context, EXIT_FAILURE, _("Option --align-payload is allowed only for luksFormat."),
1708                       poptGetInvocationName(popt_context));
1709
1710         if (opt_skip && (strcmp(aname, "open") ||
1711             (strcmp(opt_type, "plain") && strcmp(opt_type, "loopaes"))))
1712                 usage(popt_context, EXIT_FAILURE,
1713                 _("Option --skip is supported only for open of plain and loopaes devices.\n"),
1714                 poptGetInvocationName(popt_context));
1715
1716         if (opt_offset && (strcmp(aname, "open") ||
1717             (strcmp(opt_type, "plain") && strcmp(opt_type, "loopaes"))))
1718                 usage(popt_context, EXIT_FAILURE,
1719                 _("Option --offset is supported only for open of plain and loopaes devices.\n"),
1720                 poptGetInvocationName(popt_context));
1721
1722         if ((opt_tcrypt_hidden || opt_tcrypt_system || opt_tcrypt_backup) && strcmp(aname, "tcryptDump") &&
1723             (strcmp(aname, "open") || strcmp(opt_type, "tcrypt")))
1724                 usage(popt_context, EXIT_FAILURE,
1725                 _("Option --tcrypt-hidden, --tcrypt-system or --tcrypt-backup is supported only for TCRYPT device.\n"),
1726                 poptGetInvocationName(popt_context));
1727
1728         if (opt_tcrypt_hidden && opt_allow_discards)
1729                 usage(popt_context, EXIT_FAILURE,
1730                 _("Option --tcrypt-hidden cannot be combined with --allow-discards.\n"),
1731                 poptGetInvocationName(popt_context));
1732
1733         if (opt_veracrypt && strcmp(opt_type, "tcrypt"))
1734                 usage(popt_context, EXIT_FAILURE,
1735                 _("Option --veracrypt is supported only for TCRYPT device type.\n"),
1736                 poptGetInvocationName(popt_context));
1737
1738         if (opt_debug) {
1739                 opt_verbose = 1;
1740                 crypt_set_debug_level(-1);
1741                 dbg_version_and_cmd(argc, argv);
1742         }
1743
1744         r = run_action(action);
1745         poptFreeContext(popt_context);
1746         return r;
1747 }