src/shared/cryptsetup-util.c

   1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
   2
   3 #if HAVE_LIBCRYPTSETUP
   4 #include "alloc-util.h"
   5 #include "cryptsetup-util.h"
   6 #include "dlfcn-util.h"
   7 #include "log.h"
   8 #include "parse-util.h"
   9
  10 static void *cryptsetup_dl = NULL;
  11
  12 int (*sym_crypt_activate_by_passphrase)(struct crypt_device *cd, const char *name, int keyslot, const char *passphrase, size_t passphrase_size, uint32_t flags);
  13 #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
  14 int (*sym_crypt_activate_by_signed_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, const char *signature, size_t signature_size, uint32_t flags);
  15 #endif
  16 int (*sym_crypt_activate_by_volume_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, uint32_t flags);
  17 int (*sym_crypt_deactivate_by_name)(struct crypt_device *cd, const char *name, uint32_t flags);
  18 int (*sym_crypt_format)(struct crypt_device *cd, const char *type, const char *cipher, const char *cipher_mode, const char *uuid, const char *volume_key, size_t volume_key_size, void *params);
  19 void (*sym_crypt_free)(struct crypt_device *cd);
  20 const char *(*sym_crypt_get_cipher)(struct crypt_device *cd);
  21 const char *(*sym_crypt_get_cipher_mode)(struct crypt_device *cd);
  22 uint64_t (*sym_crypt_get_data_offset)(struct crypt_device *cd);
  23 const char *(*sym_crypt_get_device_name)(struct crypt_device *cd);
  24 const char *(*sym_crypt_get_dir)(void);
  25 const char *(*sym_crypt_get_type)(struct crypt_device *cd);
  26 const char *(*sym_crypt_get_uuid)(struct crypt_device *cd);
  27 int (*sym_crypt_get_verity_info)(struct crypt_device *cd, struct crypt_params_verity *vp);
  28 int (*sym_crypt_get_volume_key_size)(struct crypt_device *cd);
  29 int (*sym_crypt_init)(struct crypt_device **cd, const char *device);
  30 int (*sym_crypt_init_by_name)(struct crypt_device **cd, const char *name);
  31 int (*sym_crypt_keyslot_add_by_volume_key)(struct crypt_device *cd, int keyslot, const char *volume_key, size_t volume_key_size, const char *passphrase, size_t passphrase_size);
  32 int (*sym_crypt_keyslot_destroy)(struct crypt_device *cd, int keyslot);
  33 int (*sym_crypt_keyslot_max)(const char *type);
  34 int (*sym_crypt_load)(struct crypt_device *cd, const char *requested_type, void *params);
  35 int (*sym_crypt_resize)(struct crypt_device *cd, const char *name, uint64_t new_size);
  36 int (*sym_crypt_resume_by_passphrase)(struct crypt_device *cd, const char *name, int keyslot, const char *passphrase, size_t passphrase_size);
  37 int (*sym_crypt_set_data_device)(struct crypt_device *cd, const char *device);
  38 void (*sym_crypt_set_debug_level)(int level);
  39 void (*sym_crypt_set_log_callback)(struct crypt_device *cd, void (*log)(int level, const char *msg, void *usrptr), void *usrptr);
  40 #if HAVE_CRYPT_SET_METADATA_SIZE
  41 int (*sym_crypt_set_metadata_size)(struct crypt_device *cd, uint64_t metadata_size, uint64_t keyslots_size);
  42 #endif
  43 int (*sym_crypt_set_pbkdf_type)(struct crypt_device *cd, const struct crypt_pbkdf_type *pbkdf);
  44 int (*sym_crypt_suspend)(struct crypt_device *cd, const char *name);
  45 int (*sym_crypt_token_json_get)(struct crypt_device *cd, int token, const char **json);
  46 int (*sym_crypt_token_json_set)(struct crypt_device *cd, int token, const char *json);
  47 #if HAVE_CRYPT_TOKEN_MAX
  48 int (*sym_crypt_token_max)(const char *type);
  49 #endif
  50 crypt_token_info (*sym_crypt_token_status)(struct crypt_device *cd, int token, const char **type);
  51 int (*sym_crypt_volume_key_get)(struct crypt_device *cd, int keyslot, char *volume_key, size_t *volume_key_size, const char *passphrase, size_t passphrase_size);
  52
  53 int dlopen_cryptsetup(void) {
  54         _cleanup_(dlclosep) void *dl = NULL;
  55         int r;
  56
  57         if (cryptsetup_dl)
  58                 return 0; /* Already loaded */
  59
  60         dl = dlopen("libcryptsetup.so.12", RTLD_LAZY);
  61         if (!dl)
  62                 return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
  63                                        "libcryptsetup support is not installed: %s", dlerror());
  64
  65         r = dlsym_many_and_warn(
  66                         dl,
  67                         LOG_DEBUG,
  68                         DLSYM_ARG(crypt_activate_by_passphrase),
  69 #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
  70                         DLSYM_ARG(crypt_activate_by_signed_key),
  71 #endif
  72                         DLSYM_ARG(crypt_activate_by_volume_key),
  73                         DLSYM_ARG(crypt_deactivate_by_name),
  74                         DLSYM_ARG(crypt_format),
  75                         DLSYM_ARG(crypt_free),
  76                         DLSYM_ARG(crypt_get_cipher),
  77                         DLSYM_ARG(crypt_get_cipher_mode),
  78                         DLSYM_ARG(crypt_get_data_offset),
  79                         DLSYM_ARG(crypt_get_device_name),
  80                         DLSYM_ARG(crypt_get_dir),
  81                         DLSYM_ARG(crypt_get_type),
  82                         DLSYM_ARG(crypt_get_uuid),
  83                         DLSYM_ARG(crypt_get_verity_info),
  84                         DLSYM_ARG(crypt_get_volume_key_size),
  85                         DLSYM_ARG(crypt_init),
  86                         DLSYM_ARG(crypt_init_by_name),
  87                         DLSYM_ARG(crypt_keyslot_add_by_volume_key),
  88                         DLSYM_ARG(crypt_keyslot_destroy),
  89                         DLSYM_ARG(crypt_keyslot_max),
  90                         DLSYM_ARG(crypt_load),
  91                         DLSYM_ARG(crypt_resize),
  92                         DLSYM_ARG(crypt_resume_by_passphrase),
  93                         DLSYM_ARG(crypt_set_data_device),
  94                         DLSYM_ARG(crypt_set_debug_level),
  95                         DLSYM_ARG(crypt_set_log_callback),
  96 #if HAVE_CRYPT_SET_METADATA_SIZE
  97                         DLSYM_ARG(crypt_set_metadata_size),
  98 #endif
  99                         DLSYM_ARG(crypt_set_pbkdf_type),
 100                         DLSYM_ARG(crypt_suspend),
 101                         DLSYM_ARG(crypt_token_json_get),
 102                         DLSYM_ARG(crypt_token_json_set),
 103 #if HAVE_CRYPT_TOKEN_MAX
 104                         DLSYM_ARG(crypt_token_max),
 105 #endif
 106                         DLSYM_ARG(crypt_token_status),
 107                         DLSYM_ARG(crypt_volume_key_get),
 108                         NULL);
 109         if (r < 0)
 110                 return r;
 111
 112         /* Note that we never release the reference here, because there's no real reason to, after all this
 113          * was traditionally a regular shared library dependency which lives forever too. */
 114         cryptsetup_dl = TAKE_PTR(dl);
 115
 116         /* Redirect the default logging calls of libcryptsetup to our own logging infra. (Note that
 117          * libcryptsetup also maintains per-"struct crypt_device" log functions, which we'll also set
 118          * whenever allocating a "struct crypt_device" context. Why set both? To be defensive: maybe some
 119          * other code loaded into this process also changes the global log functions of libcryptsetup, who
 120          * knows? And if so, we still want our own objects to log via our own infra, at the very least.) */
 121         cryptsetup_enable_logging(NULL);
 122         return 1;
 123 }
 124
 125 static void cryptsetup_log_glue(int level, const char *msg, void *usrptr) {
 126
 127         switch (level) {
 128         case CRYPT_LOG_NORMAL:
 129                 level = LOG_NOTICE;
 130                 break;
 131         case CRYPT_LOG_ERROR:
 132                 level = LOG_ERR;
 133                 break;
 134         case CRYPT_LOG_VERBOSE:
 135                 level = LOG_INFO;
 136                 break;
 137         case CRYPT_LOG_DEBUG:
 138                 level = LOG_DEBUG;
 139                 break;
 140         default:
 141                 log_error("Unknown libcryptsetup log level: %d", level);
 142                 level = LOG_ERR;
 143         }
 144
 145         log_full(level, "%s", msg);
 146 }
 147
 148 void cryptsetup_enable_logging(struct crypt_device *cd) {
 149         /* It's OK to call this with a NULL parameter, in which case libcryptsetup will set the defaut log
 150          * function.
 151          *
 152          * Note that this is also called from dlopen_cryptsetup(), which we call here too. Sounds like an
 153          * endless loop, but isn't because we break it via the check for 'cryptsetup_dl' early in
 154          * dlopen_cryptsetup(). */
 155
 156         if (dlopen_cryptsetup() < 0)
 157                 return; /* If this fails, let's gracefully ignore the issue, this is just debug logging after
 158                          * all, and if this failed we already generated a debug log message that should help
 159                          * to track things down. */
 160
 161         sym_crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
 162         sym_crypt_set_debug_level(DEBUG_LOGGING ? CRYPT_DEBUG_ALL : CRYPT_DEBUG_NONE);
 163 }
 164
 165 int cryptsetup_set_minimal_pbkdf(struct crypt_device *cd) {
 166
 167         /* With CRYPT_PBKDF_NO_BENCHMARK flag set .time_ms member is ignored
 168          * while .iterations must be set at least to recommended minimum value. */
 169
 170         static const struct crypt_pbkdf_type minimal_pbkdf = {
 171                 .hash = "sha512",
 172                 .type = CRYPT_KDF_PBKDF2,
 173                 .iterations = 1000, /* recommended minimum count for pbkdf2
 174                                      * according to NIST SP 800-132, ch. 5.2 */
 175                 .flags = CRYPT_PBKDF_NO_BENCHMARK
 176         };
 177
 178         int r;
 179
 180         /* Sets a minimal PKBDF in case we already have a high entropy key. */
 181
 182         r = dlopen_cryptsetup();
 183         if (r < 0)
 184                 return r;
 185
 186         r = sym_crypt_set_pbkdf_type(cd, &minimal_pbkdf);
 187         if (r < 0)
 188                 return r;
 189
 190         return 0;
 191 }
 192
 193 int cryptsetup_get_token_as_json(
 194                 struct crypt_device *cd,
 195                 int idx,
 196                 const char *verify_type,
 197                 JsonVariant **ret) {
 198
 199         _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
 200         const char *text;
 201         int r;
 202
 203         assert(cd);
 204
 205         /* Extracts and parses the LUKS2 JSON token data from a LUKS2 device. Optionally verifies the type of
 206          * the token. Returns:
 207          *
 208          *      -EINVAL → token index out of range or "type" field missing
 209          *      -ENOENT → token doesn't exist
 210          * -EMEDIUMTYPE → "verify_type" specified and doesn't match token's type
 211          */
 212
 213         r = dlopen_cryptsetup();
 214         if (r < 0)
 215                 return r;
 216
 217         r = sym_crypt_token_json_get(cd, idx, &text);
 218         if (r < 0)
 219                 return r;
 220
 221         r = json_parse(text, 0, &v, NULL, NULL);
 222         if (r < 0)
 223                 return r;
 224
 225         if (verify_type) {
 226                 JsonVariant *w;
 227
 228                 w = json_variant_by_key(v, "type");
 229                 if (!w)
 230                         return -EINVAL;
 231
 232                 if (!streq_ptr(json_variant_string(w), verify_type))
 233                         return -EMEDIUMTYPE;
 234         }
 235
 236         if (ret)
 237                 *ret = TAKE_PTR(v);
 238
 239         return 0;
 240 }
 241
 242 int cryptsetup_get_keyslot_from_token(JsonVariant *v) {
 243         int keyslot, r;
 244         JsonVariant *w;
 245
 246         /* Parses the "keyslots" field of a LUKS2 token object. The field can be an array, but here we assume
 247          * that it contains a single element only, since that's the only way we ever generate it
 248          * ourselves. */
 249
 250         w = json_variant_by_key(v, "keyslots");
 251         if (!w)
 252                 return -ENOENT;
 253         if (!json_variant_is_array(w) || json_variant_elements(w) != 1)
 254                 return -EMEDIUMTYPE;
 255
 256         w = json_variant_by_index(w, 0);
 257         if (!w)
 258                 return -ENOENT;
 259         if (!json_variant_is_string(w))
 260                 return -EMEDIUMTYPE;
 261
 262         r = safe_atoi(json_variant_string(w), &keyslot);
 263         if (r < 0)
 264                 return r;
 265         if (keyslot < 0)
 266                 return -EINVAL;
 267
 268         return keyslot;
 269 }
 270
 271 int cryptsetup_add_token_json(struct crypt_device *cd, JsonVariant *v) {
 272         _cleanup_free_ char *text = NULL;
 273         int r;
 274
 275         r = dlopen_cryptsetup();
 276         if (r < 0)
 277                 return r;
 278
 279         r = json_variant_format(v, 0, &text);
 280         if (r < 0)
 281                 return log_debug_errno(r, "Failed to format token data for LUKS: %m");
 282
 283         log_debug("Adding token text <%s>", text);
 284
 285         r = sym_crypt_token_json_set(cd, CRYPT_ANY_TOKEN, text);
 286         if (r < 0)
 287                 return log_debug_errno(r, "Failed to write token data to LUKS: %m");
 288
 289         return 0;
 290 }
 291 #endif