cli.c

源码开放的加密软件。最新版本！！可以在一个文件内部创建多样化的加密磁盘并且将其配置为一个可以通过一个驱动器盘符访问的虚拟磁盘.任何存储在该虚拟磁盘上的文件可以被自动地实时加密,并且只有当使用正确的密码

" -l, --list [MAPPED_VOLUME]          List mapped volumes\n"
"     --properties [VOLUME_PATH]      Display properties of volume\n"
"     --restore-header FILE [VOLUME]  Restore header of VOLUME from FILE\n"
"     --test                          Test algorithms\n"
" -V, --version                       Display program version and legal notices\n"
"\nOptions:\n"
"     --cluster SIZE                  Cluster size\n"
"     --display-keys                  Display encryption keys\n"
"     --display-password              Display password while typing\n"
"     --disable-progress              Disable progress display\n"
"     --encryption EA                 Encryption algorithm\n"
"     --filesystem TYPE               Filesystem type\n"
"     --hash HASH                     Hash algorithm\n"
" -k, --keyfile FILE|DIR              Keyfile for volume\n"
"     --keyfile-add FILE|DIR          New keyfile for volume\n"
" -K, --keyfile-protected FILE|DIR    Keyfile for protected volume\n"
" -M, --mount-options OPTIONS         Mount options\n"
" -N, --device-number NUMBER          Map volume as device number\n"
"     --overwrite                     Overwrite files without confirmation\n"
" -p, --password PASSWORD             Password for volume\n"
"     --password-tries NUMBER         Password entry tries\n"
" -P, --protect-hidden                Protect hidden volume\n"
"     --random-source FILE            Random number generator input file\n"
"     --quick                         Use quick format\n"
"     --update-time                   Do not preserve timestamps\n"
" -r, --read-only                     Map/Mount volume as read-only\n"
"     --size SIZE                     Volume size\n"
"     --type TYPE                     Volume type\n"
" -u, --user-mount                    Set default user and group ID on mount\n"
" -v, --verbose                       Verbose output\n"
"\n MAPPED_VOLUME = DEVICE_NUMBER | DEVICE_NAME | MOUNT_POINT | VOLUME_PATH\n"
"For a detailed help, use --help or see truecrypt(1) man page.\n"
"For more information, visit <http://www.truecrypt.org/docs/>.\n"
);
}


static void DumpHelp ()
{
	fprintf (stdout,
"Manages encrypted TrueCrypt volumes, which can be mapped as virtual block\n"
"devices and used as any other standard block device. All data being read\n"
"from a mapped TrueCrypt volume is transparently decrypted and all data being\n"
"written to it is transparently encrypted.\n"
"\n"
"Usage: truecrypt [OPTIONS] VOLUME_PATH [MOUNT_DIRECTORY]\n"
"   or: truecrypt [OPTIONS] -i\n"
"   or: truecrypt [OPTIONS] -c | --create | -C | --change [VOLUME_PATH]\n"
"   or: truecrypt [OPTIONS] -d | --dismount | -l | --list [MAPPED_VOLUME]\n"
"   or: truecrypt [OPTIONS] --backup-headers | --restore-header FILE [VOLUME]\n"
"   or: truecrypt [OPTIONS] --properties [VOLUME_PATH]\n"
"   or: truecrypt [OPTIONS] --keyfile-create FILE\n"
"   or: truecrypt -h | --help | --test | -V | --version\n"
"\n"
"Options:\n"
"\n"
"VOLUME_PATH [MOUNT_DIRECTORY]\n"
" Open a TrueCrypt volume specified by VOLUME_PATH and map it as a block device\n"
" /dev/mapper/truecryptN. N is the first available device number if not\n"
" otherwise specified with -N. Filesystem of the mapped volume is mounted at\n"
" MOUNT_DIRECTORY if specified. To open a hidden volume, specify its password\n"
" and/or keyfiles (the outer volume cannot be mapped at the same time).\n"
" See also EXAMPLES and options --display-password, --filesystem, -k, -M, -p, -P,\n"
" --password-tries, -r, -u, --update-time. Note that passing some of the options\n"
" may affect security (see options -i and -p for more information).\n"
" This command requires administrator privileges (sudo(8) is used if available).\n"
"\n"
"--backup-headers BACKUP_FILE [VOLUME_PATH]\n"
" Backup headers of a volume specified by VOLUME_PATH to a file BACKUP_FILE.\n"
" Volume path is requested from user if not specified on command line. Both\n"
" normal/outer and hidden volume headers are stored in the backup file even\n"
" if there is no hidden volume within the volume (to preserve plausible\n"
" deniability). When restoring the volume header, it is possible to select\n"
" which header is to be restored. See also --restore-header.\n"
"\n"
"-c, --create [VOLUME_PATH]\n"
" Create a new volume. Most options are requested from user if not specified\n"
" on command line. Hidden volume can be created only in an existing file or\n"
" device. Size of the hidden volume should not exceed the free space of the\n"
" filesystem on the outer volume. Hidden volume protection (see option -P)\n"
" should be used to update the outer volume contents after the hidden volume\n"
" is created. WARNING: To prevent data corruption, you should follow the\n"
" instructions in the EXAMPLES section on how to create a hidden volume.\n"
" See also options --cluster, --disable-progress, --display-keys,\n"
" --encryption, -k, --filesystem, --hash, -p, --random-source, --quick, --size,\n"
" --type. Note that passing some of the options may affect security (see option\n"
" -p for more information).\n"
"\n"
"-C, --change [VOLUME_PATH]\n"
" Change a password and/or keyfile(s) of a volume. Volume path and passwords are\n"
" requested from user if not specified on command line. PKCS-5 PRF HMAC hash\n"
" algorithm can be changed with option --hash. See also options -k,\n"
" --keyfile-add, -p, --random-source, -v.\n"
"\n"
"-d, --dismount [MAPPED_VOLUME]\n"
" Dismount and unmap mapped volumes. If MAPPED_VOLUME is not specified, all\n"
" volumes are dismounted and unmapped. See below for a description of\n"
" MAPPED_VOLUME.\n"
" This command requires administrator privileges (sudo(8) is used if available).\n"
"\n"
"-h, --help\n"
" Display help information.\n"
"\n"
"-i, --interactive\n"
" Map and mount a volume interactively. Options which may affect security are\n"
" requested from the user. See option -p for more information.\n"
" This command requires administrator privileges (sudo(8) is used if available).\n"
"\n"
"-l, --list [MAPPED_VOLUME]\n"
" Display a list of mapped volumes. If MAPPED_VOLUME is not specified, all\n"
" volumes are listed. By default, the list contains only volume path and mapped\n"
" device name pairs. A more detailed list can be enabled by verbose output\n"
" option (-v). See below for a description of MAPPED_VOLUME.\n"
" This command requires administrator privileges (sudo(8) is used if available).\n"
"\n"
"--keyfile-create FILE\n"
" Create a new keyfile using the random number generator. FILE argument specifies\n"
" the output file.\n"
"\n"
"--properties [VOLUME_PATH]\n"
" Display properties of a volume specified by VOLUME_PATH.\n"
"\n"
"--restore-header BACKUP_FILE [VOLUME_PATH]\n"
" Restore header of a volume specified by VOLUME_PATH from a file BACKUP_FILE.\n"
" Volume path is requested from user if not specified on command line.\n"
" Type of the restored volume header (normal/hidden) is requested from user if\n"
" not specified with --type. See also --backup-headers.\n"
"\n"
"--test\n"
" Test all internal algorithms used in the process of encryption and decryption.\n"
"\n"
"-V, --version\n"
" Display program version and legal notices.\n"
"\n"
"MAPPED_VOLUME:\n"
" Specifies a mapped or mounted volume. One of the following forms can be used:\n\n"
" 1) Path to the encrypted TrueCrypt volume.\n\n"
" 2) Mount directory of the volume's filesystem (if mounted).\n\n"
" 3) Device number of the mapped volume.\n\n"
" 4) Device name of the mapped volume.\n\n"
"\n"
"--cluster SIZE\n"
" Use specified cluster size when creating a new volume. SIZE defines the number\n"
" of sectors per cluster.\n"
"\n"
"--disable-progress\n"
" Disable display of progress information during creation of a new volume.\n"
"\n"
"--display-keys\n"
" Display encryption keys generated during creation of a new volume.\n"
"\n"
"--display-password\n"
" Display password characters while typing.\n"
"\n"
"--encryption ENCRYPTION_ALGORITHM\n"
" Use specified encryption algorithm when creating a new volume.\n"
"\n"
"--filesystem TYPE\n"
" Filesystem type to mount. The TYPE argument is passed to mount(8) command\n"
" with option -t. Default type is 'auto'. When creating a new volume, this\n"
" option specifies the filesystem to be created on the new volume.\n"
"\n"
"--hash HASH\n"
" Use specified hash algorithm when creating a new volume or changing password\n"
" and/or keyfiles.\n"
"\n"
"-k, --keyfile FILE | DIRECTORY\n"
" Use specified keyfile to open a volume to be mapped (or when changing password\n"
" and/or keyfiles). When a directory is specified, all files inside it will be\n"
" used (non-recursively). Additional keyfiles can be specified with multiple -k\n"
" options. Empty keyfile (-k '') disables interactive requests for keyfiles\n"
" (e.g., when creating a new volume). See also option -K.\n"
"\n"
"-K, --keyfile-protected FILE | DIRECTORY\n"
" Use specified keyfile to open a hidden volume to be protected. This option\n"
" may be used only when mounting an outer volume with hidden volume protected.\n"
" See also options -k and -P.\n"
"\n"
"--keyfile-add FILE | DIRECTORY\n"
" Add specified keyfile to a volume when changing its password and/or keyfiles.\n"
" This option must be also used to keep all previous keyfiles asigned to a\n"
" volume. See EXAMPLES for more information.\n"
"\n"
"-M, --mount-options OPTIONS\n"
" Filesystem mount options. The OPTIONS argument is passed to mount(8)\n"
" command with option -o. See also options -r and -u.\n"
"\n"
"-N, --device-number N\n"
" Use device number N when mapping a volume as a block device\n"
" /dev/mapper/truecryptN. Default is the first available device.\n"
"\n"
"--overwrite\n"
" Overwrite files without prompting the user for confirmation.\n"
"\n"
"-p, --password PASSWORD\n"
" Use specified password to open a volume. Additional passwords can be\n"
" specified with multiple -p options. An empty password can also be specified\n"
" ('' in most shells). Note that passing a password on the command line is\n"
" potentially insecure as the password may be visible in the process list\n"
" (see ps(1)) and/or stored in a command history file. \n"
" \n"
"--password-tries NUMBER\n"
" Prompt NUMBER of times for a password until the correct password is entered.\n"
" Default is to prompt three times.\n"
"\n"
"-P, --protect-hidden\n"
" Write-protect a hidden volume when mapping an outer volume. Before mapping the\n"
" outer volume, the user will be prompted for a password to open the hidden\n"
" volume. The size and position of the hidden volume is then determined and the\n"
" outer volume is mapped with all sectors belonging to the hidden volume\n"
" protected against write operations. When a write to the protected area is\n"
" prevented, the whole volume is switched to read-only mode. Verbose list command\n"
" (-vl) can be used to query the state of the hidden volume protection. Warning\n"
" message is displayed when a volume switched to read-only is being dismounted.\n"
" See also options -r and -i.\n"
"\n"
"--quick\n"
" Use quick format when creating a new volume. This option can be used only\n"
" when creating a device-hosted volume. Quick format is always used when\n"
" creating a hidden volume.\n"
"\n"
"--random-source FILE\n"
" Use FILE as a source of random numbers. Standard input is used if '-' is\n"
" specified.\n"
"\n"
"-r, --read-only\n"
" Map and mount a volume as read-only. Write operations to the volume may not\n"
" fail immediately due to the write buffering performed by the system, but the\n"
" physical write will still be prevented.\n"
"\n"
"--size SIZE\n"
" Use specified size when creating a new volume. SIZE is defined as number of\n"
" bytes or, when a size suffix K/M/G is used, Kilobytes/Megabytes/Gigabytes.\n"
" Note that size must be a multiple of 512 bytes.\n"
"\n"
"--type TYPE\n"
" Use specified volume type when creating a new volume or restoring a volume\n"
" header. TYPE can be 'normal' or 'hidden'.\n"
"\n"
"-u, --user-mount\n"
" Make a volume being mounted accessible in a non-administrator account. Some\n"
" filesystems (e.g., FAT) do not support Unix-style access control and it is\n"
" necessary to use this option when mounting them. Ownership of the mounted\n"
" filesystem is determined by environment variables set by sudo(8) command.\n"
" Note that Unix-style filesystems (e.g., ext2) do not support this option.\n"
"\n"
"--update-time\n"
" Do not preserve access and modification timestamps of file containers.\n"
" By default, timestamps are restored after a volume is unmapped.\n"
"\n"
"-v, --verbose\n"
" Enable verbose output. Multiple -v options can be specified to increase the\n"
" level of verbosity.\n"
"\n"
"Examples:\n"
"\n"
"truecrypt /root/volume.tc /mnt/tc\n"
" Map a volume /root/volume.tc and mount its filesystem at directory /mnt/tc.\n"
"\n"
"truecrypt -u /dev/hda2 /mnt/tc\n"
" Map a volume /dev/hda2 (first ATA disk, primary partition 2) and mount its\n"
" filesystem at /mnt/tc. Default user-id is set, which is useful when mounting\n"
" a filesystem, such as FAT, for use in a non-administrative account.\n"
"\n"
"truecrypt -i\n"
" Map and mount a volume. Options are requested interactively.\n"
"\n"
"truecrypt -d\n"
" Dismount and unmap all mapped volumes.\n"
"\n"
"truecrypt -d /root/volume.tc\n"
" Dismount and unmap a volume /root/volume.tc.\n"
"\n"
"truecrypt -d /mnt/tc\n"
" Dismount and unmap a volume mounted at /mnt/tc.\n"
"\n"
"truecrypt -vl\n"
" Display a detailed list of all mapped volumes.\n"
" \n"
"truecrypt -N 1 /dev/hdc1 && mkfs /dev/mapper/truecrypt1\n"
" Map a volume /dev/hdc1 and create a new filesystem on it.\n"
"\n"
"truecrypt -P /dev/hdc1 /mnt/tc\n"
" Map and mount outer volume /dev/hdc1 and protect hidden volume within it.\n"
"\n"
"truecrypt -p '' -p '' -k key1 -k key2 -K key_hidden -P volume.tc\n"
" Map outer volume ./volume.tc and protect hidden volume within it.\n"
" The outer volume is opened with keyfiles ./key1 and ./key2 and the\n"
" hidden volume with ./key_hidden. Passwords for both volumes are empty.\n"
"\n"
"truecrypt -c\n"
" Create a new volume. Options are requested interactively."
"\n"
"truecrypt -c /dev/hda2\n"
" Create a new volume hosted at the second primary partition of the first\n"
" ATA disk.\n"
"\n"
"truecrypt -k keyfile --size 10M --encryption AES --hash SHA-1 -c vol.tc\n"
" Create a new volume. Options which are not specified on command line are\n"
" requested from the user.\n"
"\n"
"truecrypt --keyfile-add keyfile -C volume.tc\n"
" Change password and add a new keyfile to volume.\n"
"\n"
"truecrypt -k keyfile -C volume.tc\n"
" Change password and remove a keyfile from volume.\n"
"\n"
"truecrypt -k keyfile --keyfile-add keyfile -C volume.tc\n"
" Change password and keep previous keyfile.\n"
"\n"
"Creating a hidden volume without risking data corruption:\n"
" 1) Create an outer volume:\n"
"    truecrypt --type normal --size 100M -c volume.tc\n"
" 2) Create a hidden volume:\n"
"    truecrypt --type hidden --size 50M -c volume.tc\n"
" 3) Mount the outer volume with the hidden volume protected:\n"
"    truecrypt -P volume.tc /mnt/tc\n"
" 4) Copy files to the outer volume:\n"
"    cp outer_volume_file.txt /mnt/tc\n"
" 5) Dismount the outer volume:\n"
"    truecrypt -d volume.tc\n"
" 6) If a warning message has been displayed in 5), start again from 1). Either\n"
" a larger outer volume should be created in 1), or less data should be copied\n"
" to the outer volume in 4).\n"
"\n"
"Report bugs at <http://www.truecrypt.org/bugs/>.\n"
	);
}


static BOOL DumpMountList (int devNo)
{
	BOOL found = FALSE;
	int i;

	if (!CheckKernelModuleVersion (FALSE, TRUE)
		|| !GetMountList (FALSE)
		|| (devNo == -1 && MountList[0].DeviceNumber == -1))
	{
		error ("No volumes mapped\n");
		return FALSE;
	}

	for (i = 0; MountList[i].DeviceNumber != -1; i++)
	{
		MountListEntry *e = &MountList[i];

		if (devNo != -1 && e->DeviceNumber != devNo)
			continue;

		found = TRUE;

		if (Verbose == 0)
		{
			printf (TC_MAP_DEV "%d %s\n",
				e->DeviceNumber,
				e->VolumePath);
		}
		else
		{
			char eaName[128];
			EAGetName (eaName, e->EA);

			printf (TC_MAP_DEV "%d:\n"
					" Volume: %s\n"
					" Type: %s\n"
					" Size: %llu bytes\n"
					" Encryption algorithm: %s\n"
					" Mode of operation: %s\n"
					" Read-only: %s\n"
					" Hidden volume protected: %s\n\n",
				e->DeviceNumber,
				e->VolumePath,
				e->Hidden ? "Hidden" : "Normal",
				e->VolumeSize,
				eaName,
				EAGetModeName (e->EA, e->Mode, TRUE),
				(e->Flags & TC_READ_ONLY) ? "Yes" : "No",
				(e->Flags & TC_PROTECTION_ACTIVATED) ? "Yes - damage prevented" : (
					(e->Flags & TC_HIDDEN_VOLUME_PROTECTION) ? "Yes" : "No" )
				);
		}
	}

	if (!found)
	{
		if (devNo == -1)
			error ("No volumes mapped\n");
		else
			error (TC_MAP_DEV "%d not mapped\n", devNo);

		return FALSE;
	}

	return TRUE;
}


static BOOL EnumMountPoints (char *device, char *mountPoint)
{
	static FILE *m = NULL;
	char mp[TC_MAX_PATH], *p;

	if (device == NULL)
	{
		fclose (m);
		m = NULL;
		return TRUE;
	}

	if (m == NULL)
	{
		m = fopen ("/proc/mounts", "r");
		if (m == NULL)
		{
			perror ("fopen /proc/mounts");
			return FALSE;
		} 
	}

	if (fscanf (m, "%" TC_MAX_PATH_STR "s %" TC_MAX_PATH_STR "s %*s %*s %*s %*s",
		device, mp) != 2)
	{
		fclose (m);
		m = NULL;
		return FALSE;
	}

	// Convert escaped characters
	p = mp;
	while (*p)
	{
		if (p[0] == '\\' && p[1] && p[2] && p[3])
		{
			char c;
			if (sscanf (p + 1, "%o", &c) == 1)
			{
				*mountPoint++ = c;
				p += 4;
				continue;
			}
		}
		*mountPoint++ = *p++;
	}
	*mountPoint = 0;

	return TRUE;
}


static BOOL DismountFileSystem (char *device)
{
	char mountedDevice[TC_MAX_PATH], mountPoint[TC_MAX_PATH];
	BOOL result = TRUE;

	while (EnumMountPoints (mountedDevice, mountPoint))
	{
		if (strcmp (mountedDevice, device) == 0)
		{
			if (!Execute (FALSE, "umount", mountPoint, NULL))
				result = FALSE;
			else if (Verbose >= 1)
				printf ("Dismounted %s\n", mountPoint);
		}
	}

	return result;
}


// devNo: -1 = Dismount all volumes
static BOOL DismountVolume (int devNo)
{
	char mapDevice[TC_MAX_PATH];
	int nMountedVolumes = 0;
	int i;
	BOOL found = FALSE;
	BOOL status = TRUE;

	if (!CheckKernelModuleVersion (FALSE, TRUE)
		|| !GetMountList (FALSE)
		|| (devNo == -1 && MountList[0].DeviceNumber == -1))
	{
		error ("No volumes mapped\n");
		return FALSE;
	}

	// Flush write buffers before dismount if there are
	// mounted volumes with hidden volume protection 
	for (i = 0; MountList[i].DeviceNumber != -1; i++)
	{
		if (MountList[i].Flags & TC_HIDDEN_VOLUME_PROTECTION)
		{
			sync ();
			MountListValid = FALSE;
			GetMountList (FALSE);
			break;
		}
	}

	for (i = 0; MountList[i].DeviceNumber != -1; i++)
	{
		MountListEntry *e = &MountList[i];
		nMountedVolumes++;

		if (devNo == -1 || e->DeviceNumber == devNo)
		{
			BOOL dismounted = FALSE;
			found = TRUE;

			snprintf (mapDevice, sizeof (mapDevice), TC_MAP_DEV "%d", e->DeviceNumber);

			if (e->Flags & TC_PROTECTION_ACTIVATED)
				printf ("WARNING: Write to the hidden volume %s has been prevented!\n", e->VolumePath);

			if (DismountFileSystem (mapDevice))
			{
				int t = 10;
				char name[32];
				snprintf (name, sizeof (name), "truecrypt%d", e->DeviceNumber);

				while (t--)
				{
					dismounted = Execute (t > 0, "dmsetup", "remove", name, NULL);
					if (dismounted)
						break;

					usleep (200 * 1000);
				}

				if (dismounted && IsFile (e->VolumePath))
				{
					if (!DeleteLoopDevice (e->DeviceMinor))
						status = FALSE;

					RestoreFileTime (e->VolumePath,
						(UpdateTime || e->ModTime == 0) ? time (NULL) : (time_t) e->ModTime,
						(UpdateTime || e->AcTime == 0) ? time (NULL) : (time_t) e->AcTime);
				}
			}

			if (!dismounted)
			{
				error ("Cannot dismount %s\n", mapDevice);
				status = FALSE;
			}
			else
			{
				nMountedVolumes--;
				if (Verbose >= 1)
					printf ("Unmapped %s\n", mapDevice);
			}

			if (devNo != -1)
				break;
		}
	}

	if (!found)
	{
		error (TC_MAP_DEV "%d not mapped\n", devNo);
		return FALSE;
	}

	if (nMountedVolumes == 0)
	{
		// Ignore errors as volumes may be mounted asynchronously
		UnloadKernelModule (TRUE);
	}

	return status;
}


// Convert a string to device number
// text: device number or name or mo