Add --without-activation option for luksOpen (check passphrase only).

diff --git a/ChangeLog b/ChangeLog
index f9d66df..ab1322a 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,7 @@
 2012-06-18  Milan Broz  <gmazyland@gmail.com>
        * Introduce cryptsetup-reencrypt - experimental offline LUKS reencryption tool.
+       * Fix luks-header-from-active script (do not use LUKS header on-disk, add UUID).
+       * Add --without-activation option for luksOpen (check passphrase only).
 
 2012-06-11  Milan Broz  <gmazyland@gmail.com>
        * Introduce veritysetup for dm-verity target management.

diff --git a/man/cryptsetup.8 b/man/cryptsetup.8
index 35921a9..522039a 100644 (file)
--- a/man/cryptsetup.8
+++ b/man/cryptsetup.8
@@ -144,7 +144,7 @@ The <device> parameter can be also specified by LUKS UUID in the
 format UUID=<uuid>, which uses the symlinks in /dev/disk/by-uuid.
 
 \fB<options>\fR can be [\-\-key-file, \-\-keyfile-offset, 
-\-\-keyfile-size, \-\-readonly,
+\-\-keyfile-size, \-\-readonly, \-\-without-activation,
 \-\-allow-discards, \-\-header, \-\-key-slot, \-\-master-key-file].
 .PP
 \fIluksClose\fR <name>
@@ -613,6 +613,10 @@ later. If in doubt, do no use it.
 A kernel version of 3.1 or later is needed. For earlier kernels
 this option is ignored.
 .TP
+.B "\-\-without-activation\fR"
+Do not activate device, just verify passphrase.
+This option is only relevant for \fIluksOpen\fR.
+.TP
 .B "\-\-header\fR <device or file storing the LUKS header>"
 Use a detached (separated) metadata device or file where the 
 LUKS header is stored. This options allows to store ciphertext

diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 89040cc..ced1148 100644 (file)
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -68,6 +68,7 @@ static int opt_urandom = 0;
 static int opt_dump_master_key = 0;
 static int opt_shared = 0;
 static int opt_allow_discards = 0;
+static int opt_without_activation = 0;
 
 static const char **action_argv;
 static int action_argc;
@@ -628,7 +629,7 @@ out:
 static int action_luksOpen(int arg __attribute__((unused)))
 {
        struct crypt_device *cd = NULL;
-       const char *data_device, *header_device;
+       const char *data_device, *header_device, *activated_name;
        char *key = NULL;
        uint32_t flags = 0;
        int r, keysize;
@@ -641,6 +642,8 @@ static int action_luksOpen(int arg __attribute__((unused)))
                data_device = NULL;
        }
 
+       activated_name = opt_without_activation ? NULL : action_argv[1];
+
        if ((r = crypt_init(&cd, header_device)))
                goto out;
 
@@ -675,15 +678,15 @@ static int action_luksOpen(int arg __attribute__((unused)))
                r = _read_mk(opt_master_key_file, &key, keysize);
                if (r < 0)
                        goto out;
-               r = crypt_activate_by_volume_key(cd, action_argv[1],
+               r = crypt_activate_by_volume_key(cd, activated_name,
                                                 key, keysize, flags);
        } else if (opt_key_file) {
                crypt_set_password_retry(cd, 1);
-               r = crypt_activate_by_keyfile_offset(cd, action_argv[1],
+               r = crypt_activate_by_keyfile_offset(cd, activated_name,
                        opt_key_slot, opt_key_file, opt_keyfile_size,
                        opt_keyfile_offset, flags);
        } else
-               r = crypt_activate_by_passphrase(cd, action_argv[1],
+               r = crypt_activate_by_passphrase(cd, activated_name,
                        opt_key_slot, NULL, 0, flags);
 out:
        crypt_safe_free(key);
@@ -1304,6 +1307,7 @@ int main(int argc, const char **argv)
                { "uuid",              '\0', POPT_ARG_STRING, &opt_uuid,                0, N_("UUID for device to use."), NULL },
                { "allow-discards",    '\0', POPT_ARG_NONE, &opt_allow_discards,        0, N_("Allow discards (aka TRIM) requests for device."), NULL },
                { "header",            '\0', POPT_ARG_STRING, &opt_header_device,       0, N_("Device or file with separated LUKS header."), NULL },
+               { "without-activation",'\0', POPT_ARG_NONE, &opt_without_activation,    0, N_("Do not activate device, just check passphrase."), NULL },
                POPT_TABLEEND
        };
        poptContext popt_context;
@@ -1415,6 +1419,12 @@ int main(int argc, const char **argv)
                      poptGetInvocationName(popt_context));
        }
 
+       if (opt_without_activation &&
+          strcmp(aname, "luksOpen"))
+               usage(popt_context, EXIT_FAILURE,
+                     _("Option --without-activation is allowed only for luksOpen.\n"),
+                     poptGetInvocationName(popt_context));
+
        if (opt_key_size % 8)
                usage(popt_context, EXIT_FAILURE,
                      _("Key size must be a multiple of 8 bits"),

diff --git a/tests/compat-test b/tests/compat-test
index 480ce59..e1a7bdc 100755 (executable)
--- a/tests/compat-test
+++ b/tests/compat-test
@@ -158,6 +158,8 @@ echo "key0" | $CRYPTSETUP -i 1000 -h sha512 -c aes-cbc-essiv:sha256 -s 128 luksF
 check "$LUKS_HEADER $KEY_SLOT0 $KEY_MATERIAL0"
 
 prepare "[5] open"
+echo "key0" | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME --without-activation || fail
+echo "blah" | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME --without-activation 2>/dev/null && fail
 echo "key0" | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
 check_exists