Diffstat (limited to 'askpass')
-rwxr-xr-xaskpass58
1 files changed, 58 insertions, 0 deletions
diff --git a/askpass b/askpass
new file mode 100755
index 0000000..09df0c8
--- /dev/null
+++ b/askpass
@@ -0,0 +1,58 @@
+#!/bin/sh
+
+DIVERTED_ASKPASS=${DIVERTED_ASKPASS:-/lib/cryptsetup/askpass.cryptsetup}
+NUKE_PASSWORD_HASH_PATH=${NUKE_PASSWORD_HASH_PATH:-/etc/cryptsetup-nuke-password/password_hash}
+CRYPT_HELPER=${CRYPT_HELPER:-/usr/lib/cryptsetup-nuke-password/crypt}
+
+sanity_checks() {
+ local cryptsetup="$(which cryptsetup 2>/dev/null)"
+ if [ -z "$cryptsetup" ]; then
+ echo "$0: WARNING: cryptsetup not found in PATH" >&2
+ return 1
+ fi
+ if [ ! -e "$CRYPTTAB_SOURCE" ]; then
+ echo "$0: WARNING: \$CRYPTTAB_SOURCE (value: $CRYPTTAB_SOURCE) does not exist" >&2
+ return 1
+ fi
+ if [ ! -x "$CRYPT_HELPER" ]; then
+ echo "$0: WARNING: $CRYPT_HELPER is not executable" >&2
+ return 1
+ fi
+ return 0
+}
+
+hash_is_matching() {
+ local pass="$1"
+ local pass_hash
+
+ if [ ! -r $NUKE_PASSWORD_HASH_PATH ]; then
+ # No hash, no match
+ return 1
+ fi
+ pass_hash=$(cat $NUKE_PASSWORD_HASH_PATH)
+ if echo -n "$pass" | $CRYPT_HELPER --check "$pass_hash"; then
+ # User typed the nuke password!
+ return 0
+ else
+ return 1
+ fi
+}
+
+nuke_cryptsetup_partition() {
+ local partition="$1"
+ cryptsetup --batch-mode erase "$partition"
+}
+
+if [ ! -x "$DIVERTED_ASKPASS" ]; then
+ echo "ERROR: $DIVERTED_ASKPASS is not available/executable" >&2
+ exit 1
+fi
+
+PASSWORD=$($DIVERTED_ASKPASS "$1")
+
+if sanity_checks && hash_is_matching "$PASSWORD"; then
+ nuke_cryptsetup_partition "$CRYPTTAB_SOURCE"
+fi
+
+# Forward the password
+echo -n "$PASSWORD"
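Review bot: Both `echo -n` uses — the one piping `$pass` into `$CRYPT_HELPER --check` in hash_is_matching and the final forward of `$PASSWORD` — run under `#!/bin/sh`, where dash's builtin echo interprets backslash sequences in its argument, so a passphrase containing a backslash (e.g. `\n`, `\t`, `\c`) is altered both during the hash check and on the way to cryptsetup and would then fail to unlock; `printf '%s' "$pass"` and `printf '%s' "$PASSWORD"` pass the bytes through unchanged and are also the portable form, since `echo -n` is not guaranteed by POSIX. Separately, the exit status of the diverted askpass is discarded at `PASSWORD=$($DIVERTED_ASKPASS "$1")`: if it fails or the prompt is cancelled, an empty string is forwarded and this script exits 0, whereas `PASSWORD=$("$DIVERTED_ASKPASS" "$1") || exit $?` keeps the failure visible to the caller. Minor: `$NUKE_PASSWORD_HASH_PATH` is unquoted in the `-r` test and the `cat` in hash_is_matching, and `which` in sanity_checks is better written `command -v cryptsetup` in a POSIX script.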