diff options
Diffstat (limited to 'askpass')
| -rwxr-xr-x | askpass | 58 |
1 files changed, 58 insertions, 0 deletions
@@ -0,0 +1,58 @@ +#!/bin/sh + +DIVERTED_ASKPASS=${DIVERTED_ASKPASS:-/lib/cryptsetup/askpass.cryptsetup} +NUKE_PASSWORD_HASH_PATH=${NUKE_PASSWORD_HASH_PATH:-/etc/cryptsetup-nuke-password/password_hash} +CRYPT_HELPER=${CRYPT_HELPER:-/usr/lib/cryptsetup-nuke-password/crypt} + +sanity_checks() { + local cryptsetup="$(which cryptsetup 2>/dev/null)" + if [ -z "$cryptsetup" ]; then + echo "$0: WARNING: cryptsetup not found in PATH" >&2 + return 1 + fi + if [ ! -e "$CRYPTTAB_SOURCE" ]; then + echo "$0: WARNING: \$CRYPTTAB_SOURCE (value: $CRYPTTAB_SOURCE) does not exist" >&2 + return 1 + fi + if [ ! -x "$CRYPT_HELPER" ]; then + echo "$0: WARNING: $CRYPT_HELPER is not executable" >&2 + return 1 + fi + return 0 +} + +hash_is_matching() { + local pass="$1" + local pass_hash + + if [ ! -r $NUKE_PASSWORD_HASH_PATH ]; then + # No hash, no match + return 1 + fi + pass_hash=$(cat $NUKE_PASSWORD_HASH_PATH) + if echo -n "$pass" | $CRYPT_HELPER --check "$pass_hash"; then + # User typed the nuke password! + return 0 + else + return 1 + fi +} + +nuke_cryptsetup_partition() { + local partition="$1" + cryptsetup --batch-mode erase "$partition" +} + +if [ ! -x "$DIVERTED_ASKPASS" ]; then + echo "ERROR: $DIVERTED_ASKPASS is not available/executable" >&2 + exit 1 +fi + +PASSWORD=$($DIVERTED_ASKPASS "$1") + +if sanity_checks && hash_is_matching "$PASSWORD"; then + nuke_cryptsetup_partition "$CRYPTTAB_SOURCE" +fi + +# Forward the password +echo -n "$PASSWORD" |