[thirdparty/systemd.git] / src / shared / cryptsetup-util.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include "alloc-util.h"
#include "cryptsetup-util.h"
#include "dlfcn-util.h"
#include "log.h"
#include "parse-util.h"

#if HAVE_LIBCRYPTSETUP
static void *cryptsetup_dl = NULL;

int (*sym_crypt_activate_by_passphrase)(struct crypt_device *cd, const char *name, int keyslot, const char *passphrase, size_t passphrase_size, uint32_t flags);
#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
int (*sym_crypt_activate_by_signed_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, const char *signature, size_t signature_size, uint32_t flags);
#endif
int (*sym_crypt_activate_by_volume_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, uint32_t flags);
int (*sym_crypt_deactivate_by_name)(struct crypt_device *cd, const char *name, uint32_t flags);
int (*sym_crypt_format)(struct crypt_device *cd, const char *type, const char *cipher, const char *cipher_mode, const char *uuid, const char *volume_key, size_t volume_key_size, void *params);
void (*sym_crypt_free)(struct crypt_device *cd);
const char *(*sym_crypt_get_cipher)(struct crypt_device *cd);
const char *(*sym_crypt_get_cipher_mode)(struct crypt_device *cd);
uint64_t (*sym_crypt_get_data_offset)(struct crypt_device *cd);
const char *(*sym_crypt_get_device_name)(struct crypt_device *cd);
const char *(*sym_crypt_get_dir)(void);
const char *(*sym_crypt_get_type)(struct crypt_device *cd);
const char *(*sym_crypt_get_uuid)(struct crypt_device *cd);
int (*sym_crypt_get_verity_info)(struct crypt_device *cd, struct crypt_params_verity *vp);
int (*sym_crypt_get_volume_key_size)(struct crypt_device *cd);
int (*sym_crypt_init)(struct crypt_device **cd, const char *device);
int (*sym_crypt_init_by_name)(struct crypt_device **cd, const char *name);
int (*sym_crypt_keyslot_add_by_volume_key)(struct crypt_device *cd, int keyslot, const char *volume_key, size_t volume_key_size, const char *passphrase, size_t passphrase_size);
int (*sym_crypt_keyslot_destroy)(struct crypt_device *cd, int keyslot);
int (*sym_crypt_keyslot_max)(const char *type);
int (*sym_crypt_load)(struct crypt_device *cd, const char *requested_type, void *params);
int (*sym_crypt_resize)(struct crypt_device *cd, const char *name, uint64_t new_size);
int (*sym_crypt_resume_by_passphrase)(struct crypt_device *cd, const char *name, int keyslot, const char *passphrase, size_t passphrase_size);
int (*sym_crypt_set_data_device)(struct crypt_device *cd, const char *device);
void (*sym_crypt_set_debug_level)(int level);
void (*sym_crypt_set_log_callback)(struct crypt_device *cd, void (*log)(int level, const char *msg, void *usrptr), void *usrptr);
#if HAVE_CRYPT_SET_METADATA_SIZE
int (*sym_crypt_set_metadata_size)(struct crypt_device *cd, uint64_t metadata_size, uint64_t keyslots_size);
#endif
int (*sym_crypt_set_pbkdf_type)(struct crypt_device *cd, const struct crypt_pbkdf_type *pbkdf);
int (*sym_crypt_suspend)(struct crypt_device *cd, const char *name);
int (*sym_crypt_token_json_get)(struct crypt_device *cd, int token, const char **json);
int (*sym_crypt_token_json_set)(struct crypt_device *cd, int token, const char *json);
#if HAVE_CRYPT_TOKEN_MAX
int (*sym_crypt_token_max)(const char *type);
#endif
crypt_token_info (*sym_crypt_token_status)(struct crypt_device *cd, int token, const char **type);
int (*sym_crypt_volume_key_get)(struct crypt_device *cd, int keyslot, char *volume_key, size_t *volume_key_size, const char *passphrase, size_t passphrase_size);
#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
int (*sym_crypt_reencrypt_init_by_passphrase)(struct crypt_device *cd, const char *name, const char *passphrase, size_t passphrase_size, int keyslot_old, int keyslot_new, const char *cipher, const char *cipher_mode, const struct crypt_params_reencrypt *params);
#endif
#if HAVE_CRYPT_REENCRYPT
int (*sym_crypt_reencrypt)(struct crypt_device *cd, int (*progress)(uint64_t size, uint64_t offset, void *usrptr));
#endif
int (*sym_crypt_metadata_locking)(struct crypt_device *cd, int enable);
#if HAVE_CRYPT_SET_DATA_OFFSET
int (*sym_crypt_set_data_offset)(struct crypt_device *cd, uint64_t data_offset);
#endif
int (*sym_crypt_header_restore)(struct crypt_device *cd, const char *requested_type, const char *backup_file);
int (*sym_crypt_volume_key_keyring)(struct crypt_device *cd, int enable);

/* Unfortunately libcryptsetup provides neither an environment variable to redirect where to look for token
 * modules, nor does it have an API to change the token lookup path at runtime. The maintainers suggest using
 * ELF interposition instead (see https://gitlab.com/cryptsetup/cryptsetup/-/issues/846). Hence let's do
 * that: let's interpose libcryptsetup's crypt_token_external_path() function with our own, that *does*
 * honour an environment variable where to look for tokens. This is tremendously useful for debugging
 * libcryptsetup tokens: set the environment variable to your build dir and you can easily test token modules
 * without jumping through various hoops. */

/* Do this only on new enough compilers that actually support the "symver" attribute. Given this is a debug
 * feature, let's simply not bother on older compilers */
#if BUILD_MODE_DEVELOPER && defined(__has_attribute) && __has_attribute(symver)
const char *my_crypt_token_external_path(void); /* prototype for our own implementation */

/* We use the "symver" attribute to mark this implementation as the default implementation, and drop the
 * SD_SHARED namespace we by default attach to our symbols via a version script. */
__attribute__((symver("crypt_token_external_path@@")))
_public_ const char *my_crypt_token_external_path(void) {
        const char *e;

        e = secure_getenv("SYSTEMD_CRYPTSETUP_TOKEN_PATH");
        if (e)
                return e;

        /* Now chain invoke the original implementation. */
        if (cryptsetup_dl) {
                typeof(crypt_token_external_path) *func;
                func = (typeof(crypt_token_external_path)*) dlsym(cryptsetup_dl, "crypt_token_external_path");
                if (func)
                        return func();
        }

        return NULL;
}
#endif

static void cryptsetup_log_glue(int level, const char *msg, void *usrptr) {

        switch (level) {
        case CRYPT_LOG_NORMAL:
                level = LOG_NOTICE;
                break;
        case CRYPT_LOG_ERROR:
                level = LOG_ERR;
                break;
        case CRYPT_LOG_VERBOSE:
                level = LOG_INFO;
                break;
        case CRYPT_LOG_DEBUG:
                level = LOG_DEBUG;
                break;
        default:
                log_error("Unknown libcryptsetup log level: %d", level);
                level = LOG_ERR;
        }

        log_full(level, "%s", msg);
}

void cryptsetup_enable_logging(struct crypt_device *cd) {
        /* It's OK to call this with a NULL parameter, in which case libcryptsetup will set the default log
         * function.
         *
         * Note that this is also called from dlopen_cryptsetup(), which we call here too. Sounds like an
         * endless loop, but isn't because we break it via the check for 'cryptsetup_dl' early in
         * dlopen_cryptsetup(). */

        if (dlopen_cryptsetup() < 0)
                return; /* If this fails, let's gracefully ignore the issue, this is just debug logging after
                         * all, and if this failed we already generated a debug log message that should help
                         * to track things down. */

        sym_crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
        sym_crypt_set_debug_level(DEBUG_LOGGING ? CRYPT_DEBUG_ALL : CRYPT_DEBUG_NONE);
}

int cryptsetup_set_minimal_pbkdf(struct crypt_device *cd) {

        /* With CRYPT_PBKDF_NO_BENCHMARK flag set .time_ms member is ignored
         * while .iterations must be set at least to recommended minimum value. */

        static const struct crypt_pbkdf_type minimal_pbkdf = {
                .hash = "sha512",
                .type = CRYPT_KDF_PBKDF2,
                .iterations = 1000, /* recommended minimum count for pbkdf2
                                     * according to NIST SP 800-132, ch. 5.2 */
                .flags = CRYPT_PBKDF_NO_BENCHMARK
        };

        int r;

        /* Sets a minimal PKBDF in case we already have a high entropy key. */

        r = dlopen_cryptsetup();
        if (r < 0)
                return r;

        r = sym_crypt_set_pbkdf_type(cd, &minimal_pbkdf);
        if (r < 0)
                return r;

        return 0;
}

int cryptsetup_get_token_as_json(
                struct crypt_device *cd,
                int idx,
                const char *verify_type,
                JsonVariant **ret) {

        _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
        const char *text;
        int r;

        assert(cd);

        /* Extracts and parses the LUKS2 JSON token data from a LUKS2 device. Optionally verifies the type of
         * the token. Returns:
         *
         *      -EINVAL → token index out of range or "type" field missing
         *      -ENOENT → token doesn't exist
         * -EMEDIUMTYPE → "verify_type" specified and doesn't match token's type
         */

        r = dlopen_cryptsetup();
        if (r < 0)
                return r;

        r = sym_crypt_token_json_get(cd, idx, &text);
        if (r < 0)
                return r;

        r = json_parse(text, 0, &v, NULL, NULL);
        if (r < 0)
                return r;

        if (verify_type) {
                JsonVariant *w;

                w = json_variant_by_key(v, "type");
                if (!w)
                        return -EINVAL;

                if (!streq_ptr(json_variant_string(w), verify_type))
                        return -EMEDIUMTYPE;
        }

        if (ret)
                *ret = TAKE_PTR(v);

        return 0;
}

int cryptsetup_add_token_json(struct crypt_device *cd, JsonVariant *v) {
        _cleanup_free_ char *text = NULL;
        int r;

        r = dlopen_cryptsetup();
        if (r < 0)
                return r;

        r = json_variant_format(v, 0, &text);
        if (r < 0)
                return log_debug_errno(r, "Failed to format token data for LUKS: %m");

        log_debug("Adding token text <%s>", text);

        r = sym_crypt_token_json_set(cd, CRYPT_ANY_TOKEN, text);
        if (r < 0)
                return log_debug_errno(r, "Failed to write token data to LUKS: %m");

        return 0;
}
#endif

int dlopen_cryptsetup(void) {
#if HAVE_LIBCRYPTSETUP
        int r;

        /* libcryptsetup added crypt_reencrypt() in 2.2.0, and marked it obsolete in 2.4.0, replacing it with
         * crypt_reencrypt_run(), which takes one extra argument but is otherwise identical. The old call is
         * still available though, and given we want to support 2.2.0 for a while longer, we'll stick to the
         * old symbol. However, the old symbols now has a GCC deprecation decorator, hence let's turn off
         * warnings about this for now. */

        DISABLE_WARNING_DEPRECATED_DECLARATIONS;

        r = dlopen_many_sym_or_warn(
                        &cryptsetup_dl, "libcryptsetup.so.12", LOG_DEBUG,
                        DLSYM_ARG(crypt_activate_by_passphrase),
#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
                        DLSYM_ARG(crypt_activate_by_signed_key),
#endif
                        DLSYM_ARG(crypt_activate_by_volume_key),
                        DLSYM_ARG(crypt_deactivate_by_name),
                        DLSYM_ARG(crypt_format),
                        DLSYM_ARG(crypt_free),
                        DLSYM_ARG(crypt_get_cipher),
                        DLSYM_ARG(crypt_get_cipher_mode),
                        DLSYM_ARG(crypt_get_data_offset),
                        DLSYM_ARG(crypt_get_device_name),
                        DLSYM_ARG(crypt_get_dir),
                        DLSYM_ARG(crypt_get_type),
                        DLSYM_ARG(crypt_get_uuid),
                        DLSYM_ARG(crypt_get_verity_info),
                        DLSYM_ARG(crypt_get_volume_key_size),
                        DLSYM_ARG(crypt_init),
                        DLSYM_ARG(crypt_init_by_name),
                        DLSYM_ARG(crypt_keyslot_add_by_volume_key),
                        DLSYM_ARG(crypt_keyslot_destroy),
                        DLSYM_ARG(crypt_keyslot_max),
                        DLSYM_ARG(crypt_load),
                        DLSYM_ARG(crypt_resize),
                        DLSYM_ARG(crypt_resume_by_passphrase),
                        DLSYM_ARG(crypt_set_data_device),
                        DLSYM_ARG(crypt_set_debug_level),
                        DLSYM_ARG(crypt_set_log_callback),
#if HAVE_CRYPT_SET_METADATA_SIZE
                        DLSYM_ARG(crypt_set_metadata_size),
#endif
                        DLSYM_ARG(crypt_set_pbkdf_type),
                        DLSYM_ARG(crypt_suspend),
                        DLSYM_ARG(crypt_token_json_get),
                        DLSYM_ARG(crypt_token_json_set),
#if HAVE_CRYPT_TOKEN_MAX
                        DLSYM_ARG(crypt_token_max),
#endif
                        DLSYM_ARG(crypt_token_status),
                        DLSYM_ARG(crypt_volume_key_get),
#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
                        DLSYM_ARG(crypt_reencrypt_init_by_passphrase),
#endif
#if HAVE_CRYPT_REENCRYPT
                        DLSYM_ARG(crypt_reencrypt),
#endif
                        DLSYM_ARG(crypt_metadata_locking),
#if HAVE_CRYPT_SET_DATA_OFFSET
                        DLSYM_ARG(crypt_set_data_offset),
#endif
                        DLSYM_ARG(crypt_header_restore),
                        DLSYM_ARG(crypt_volume_key_keyring));
        if (r <= 0)
                return r;

        REENABLE_WARNING;

        /* Redirect the default logging calls of libcryptsetup to our own logging infra. (Note that
         * libcryptsetup also maintains per-"struct crypt_device" log functions, which we'll also set
         * whenever allocating a "struct crypt_device" context. Why set both? To be defensive: maybe some
         * other code loaded into this process also changes the global log functions of libcryptsetup, who
         * knows? And if so, we still want our own objects to log via our own infra, at the very least.) */
        cryptsetup_enable_logging(NULL);
        return 1;
#else
        return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "cryptsetup support is not compiled in.");
#endif
}

int cryptsetup_get_keyslot_from_token(JsonVariant *v) {
        int keyslot, r;
        JsonVariant *w;

        /* Parses the "keyslots" field of a LUKS2 token object. The field can be an array, but here we assume
         * that it contains a single element only, since that's the only way we ever generate it
         * ourselves. */

        w = json_variant_by_key(v, "keyslots");
        if (!w)
                return -ENOENT;
        if (!json_variant_is_array(w) || json_variant_elements(w) != 1)
                return -EMEDIUMTYPE;

        w = json_variant_by_index(w, 0);
        if (!w)
                return -ENOENT;
        if (!json_variant_is_string(w))
                return -EMEDIUMTYPE;

        r = safe_atoi(json_variant_string(w), &keyslot);
        if (r < 0)
                return r;
        if (keyslot < 0)
                return -EINVAL;

        return keyslot;
}
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
691c2e2e	2
0d12936d	3	#include "alloc-util.h"
1e2f3230	4	#include "cryptsetup-util.h"
0d12936d	5	#include "dlfcn-util.h"
691c2e2e	6	#include "log.h"
4098bc13	7	#include "parse-util.h"
691c2e2e	8
fdf6c27c	9	#if HAVE_LIBCRYPTSETUP
0d12936d LP	10	static void *cryptsetup_dl = NULL;
	11
	12	int (sym_crypt_activate_by_passphrase)(struct crypt_device cd, const char name, int keyslot, const char passphrase, size_t passphrase_size, uint32_t flags);
	13	#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
	14	int (sym_crypt_activate_by_signed_key)(struct crypt_device cd, const char name, const char volume_key, size_t volume_key_size, const char *signature, size_t signature_size, uint32_t flags);
	15	#endif
	16	int (sym_crypt_activate_by_volume_key)(struct crypt_device cd, const char name, const char volume_key, size_t volume_key_size, uint32_t flags);
	17	int (sym_crypt_deactivate_by_name)(struct crypt_device cd, const char *name, uint32_t flags);
	18	int (sym_crypt_format)(struct crypt_device cd, const char type, const char cipher, const char cipher_mode, const char uuid, const char volume_key, size_t volume_key_size, void params);
	19	void (sym_crypt_free)(struct crypt_device cd);
71eceff6 LP	20	const char (sym_crypt_get_cipher)(struct crypt_device *cd);
	21	const char (sym_crypt_get_cipher_mode)(struct crypt_device *cd);
	22	uint64_t (sym_crypt_get_data_offset)(struct crypt_device cd);
	23	const char (sym_crypt_get_device_name)(struct crypt_device *cd);
0d12936d	24	const char (sym_crypt_get_dir)(void);
71eceff6 LP	25	const char (sym_crypt_get_type)(struct crypt_device *cd);
71eceff6 LP	26	const char (sym_crypt_get_uuid)(struct crypt_device *cd);
0d12936d	27	int (sym_crypt_get_verity_info)(struct crypt_device cd, struct crypt_params_verity *vp);
71eceff6	28	int (sym_crypt_get_volume_key_size)(struct crypt_device cd);
0d12936d LP	29	int (sym_crypt_init)(struct crypt_device cd, const char device);
	30	int (sym_crypt_init_by_name)(struct crypt_device cd, const char name);
	31	int (sym_crypt_keyslot_add_by_volume_key)(struct crypt_device cd, int keyslot, const char volume_key, size_t volume_key_size, const char passphrase, size_t passphrase_size);
71eceff6 LP	32	int (sym_crypt_keyslot_destroy)(struct crypt_device cd, int keyslot);
71eceff6 LP	33	int (sym_crypt_keyslot_max)(const char type);
0d12936d LP	34	int (sym_crypt_load)(struct crypt_device cd, const char requested_type, void params);
0d12936d LP	35	int (sym_crypt_resize)(struct crypt_device cd, const char *name, uint64_t new_size);
71eceff6	36	int (sym_crypt_resume_by_passphrase)(struct crypt_device cd, const char name, int keyslot, const char passphrase, size_t passphrase_size);
0d12936d LP	37	int (sym_crypt_set_data_device)(struct crypt_device cd, const char *device);
	38	void (*sym_crypt_set_debug_level)(int level);
	39	void (sym_crypt_set_log_callback)(struct crypt_device cd, void (log)(int level, const char msg, void usrptr), void usrptr);
71eceff6 LP	40	#if HAVE_CRYPT_SET_METADATA_SIZE
	41	int (sym_crypt_set_metadata_size)(struct crypt_device cd, uint64_t metadata_size, uint64_t keyslots_size);
	42	#endif
	43	int (sym_crypt_set_pbkdf_type)(struct crypt_device cd, const struct crypt_pbkdf_type *pbkdf);
	44	int (sym_crypt_suspend)(struct crypt_device cd, const char *name);
	45	int (sym_crypt_token_json_get)(struct crypt_device cd, int token, const char **json);
	46	int (sym_crypt_token_json_set)(struct crypt_device cd, int token, const char *json);
3c2c8e62 LB	47	#if HAVE_CRYPT_TOKEN_MAX
	48	int (sym_crypt_token_max)(const char type);
	49	#endif
71eceff6 LP	50	crypt_token_info (sym_crypt_token_status)(struct crypt_device cd, int token, const char **type);
71eceff6 LP	51	int (sym_crypt_volume_key_get)(struct crypt_device cd, int keyslot, char volume_key, size_t volume_key_size, const char *passphrase, size_t passphrase_size);
48a09a8f DDM	52	#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
	53	int (sym_crypt_reencrypt_init_by_passphrase)(struct crypt_device cd, const char name, const char passphrase, size_t passphrase_size, int keyslot_old, int keyslot_new, const char cipher, const char cipher_mode, const struct crypt_params_reencrypt *params);
	54	#endif
	55	#if HAVE_CRYPT_REENCRYPT
	56	int (sym_crypt_reencrypt)(struct crypt_device cd, int (progress)(uint64_t size, uint64_t offset, void usrptr));
	57	#endif
	58	int (sym_crypt_metadata_locking)(struct crypt_device cd, int enable);
	59	#if HAVE_CRYPT_SET_DATA_OFFSET
	60	int (sym_crypt_set_data_offset)(struct crypt_device cd, uint64_t data_offset);
	61	#endif
	62	int (sym_crypt_header_restore)(struct crypt_device cd, const char requested_type, const char backup_file);
	63	int (sym_crypt_volume_key_keyring)(struct crypt_device cd, int enable);
0d12936d	64
0631eac9 LP	65	/* Unfortunately libcryptsetup provides neither an environment variable to redirect where to look for token
	66	* modules, nor does it have an API to change the token lookup path at runtime. The maintainers suggest using
	67	* ELF interposition instead (see https://gitlab.com/cryptsetup/cryptsetup/-/issues/846). Hence let's do
	68	* that: let's interpose libcryptsetup's crypt_token_external_path() function with our own, that does
	69	* honour an environment variable where to look for tokens. This is tremendously useful for debugging
	70	* libcryptsetup tokens: set the environment variable to your build dir and you can easily test token modules
	71	* without jumping through various hoops. */
	72
	73	/* Do this only on new enough compilers that actually support the "symver" attribute. Given this is a debug
	74	* feature, let's simply not bother on older compilers */
25757715	75	#if BUILD_MODE_DEVELOPER && defined(__has_attribute) && __has_attribute(symver)
0631eac9 LP	76	const char my_crypt_token_external_path(void); / prototype for our own implementation */
	77
	78	/* We use the "symver" attribute to mark this implementation as the default implementation, and drop the
	79	* SD_SHARED namespace we by default attach to our symbols via a version script. */
	80	__attribute__((symver("crypt_token_external_path@@")))
	81	_public_ const char *my_crypt_token_external_path(void) {
	82	const char *e;
	83
	84	e = secure_getenv("SYSTEMD_CRYPTSETUP_TOKEN_PATH");
	85	if (e)
	86	return e;
	87
	88	/* Now chain invoke the original implementation. */
	89	if (cryptsetup_dl) {
	90	typeof(crypt_token_external_path) *func;
	91	func = (typeof(crypt_token_external_path)*) dlsym(cryptsetup_dl, "crypt_token_external_path");
	92	if (func)
	93	return func();
	94	}
	95
	96	return NULL;
	97	}
	98	#endif
0631eac9	99
efc3b12f	100	static void cryptsetup_log_glue(int level, const char msg, void usrptr) {
0d12936d	101
aa2cc005 JJ	102	switch (level) {
	103	case CRYPT_LOG_NORMAL:
	104	level = LOG_NOTICE;
	105	break;
	106	case CRYPT_LOG_ERROR:
	107	level = LOG_ERR;
	108	break;
	109	case CRYPT_LOG_VERBOSE:
	110	level = LOG_INFO;
	111	break;
	112	case CRYPT_LOG_DEBUG:
	113	level = LOG_DEBUG;
	114	break;
	115	default:
	116	log_error("Unknown libcryptsetup log level: %d", level);
	117	level = LOG_ERR;
	118	}
	119
	120	log_full(level, "%s", msg);
691c2e2e	121	}
efc3b12f LB	122
efc3b12f LB	123	void cryptsetup_enable_logging(struct crypt_device *cd) {
7bbcaee3	124	/* It's OK to call this with a NULL parameter, in which case libcryptsetup will set the default log
e9252fae LP	125	* function.
	126	*
	127	* Note that this is also called from dlopen_cryptsetup(), which we call here too. Sounds like an
	128	* endless loop, but isn't because we break it via the check for 'cryptsetup_dl' early in
	129	* dlopen_cryptsetup(). */
	130
	131	if (dlopen_cryptsetup() < 0)
	132	return; /* If this fails, let's gracefully ignore the issue, this is just debug logging after
	133	* all, and if this failed we already generated a debug log message that should help
	134	* to track things down. */
0d12936d LP	135
	136	sym_crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
	137	sym_crypt_set_debug_level(DEBUG_LOGGING ? CRYPT_DEBUG_ALL : CRYPT_DEBUG_NONE);
efc3b12f LB	138	}
efc3b12f LB	139
4760384d LP	140	int cryptsetup_set_minimal_pbkdf(struct crypt_device *cd) {
4760384d LP	141
358b1f68 OK	142	/* With CRYPT_PBKDF_NO_BENCHMARK flag set .time_ms member is ignored
	143	* while .iterations must be set at least to recommended minimum value. */
	144
4760384d LP	145	static const struct crypt_pbkdf_type minimal_pbkdf = {
	146	.hash = "sha512",
	147	.type = CRYPT_KDF_PBKDF2,
358b1f68 OK	148	.iterations = 1000, /* recommended minimum count for pbkdf2
	149	* according to NIST SP 800-132, ch. 5.2 */
	150	.flags = CRYPT_PBKDF_NO_BENCHMARK
4760384d LP	151	};
	152
	153	int r;
	154
	155	/* Sets a minimal PKBDF in case we already have a high entropy key. */
	156
	157	r = dlopen_cryptsetup();
	158	if (r < 0)
	159	return r;
	160
	161	r = sym_crypt_set_pbkdf_type(cd, &minimal_pbkdf);
	162	if (r < 0)
	163	return r;
	164
	165	return 0;
	166	}
	167
4098bc13 LP	168	int cryptsetup_get_token_as_json(
	169	struct crypt_device *cd,
	170	int idx,
	171	const char *verify_type,
	172	JsonVariant **ret) {
	173
	174	_cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
	175	const char *text;
	176	int r;
	177
	178	assert(cd);
	179
	180	/* Extracts and parses the LUKS2 JSON token data from a LUKS2 device. Optionally verifies the type of
	181	* the token. Returns:
	182	*
	183	* -EINVAL → token index out of range or "type" field missing
	184	* -ENOENT → token doesn't exist
	185	* -EMEDIUMTYPE → "verify_type" specified and doesn't match token's type
	186	*/
	187
	188	r = dlopen_cryptsetup();
	189	if (r < 0)
	190	return r;
	191
	192	r = sym_crypt_token_json_get(cd, idx, &text);
	193	if (r < 0)
	194	return r;
	195
	196	r = json_parse(text, 0, &v, NULL, NULL);
	197	if (r < 0)
	198	return r;
	199
	200	if (verify_type) {
	201	JsonVariant *w;
	202
	203	w = json_variant_by_key(v, "type");
	204	if (!w)
	205	return -EINVAL;
	206
	207	if (!streq_ptr(json_variant_string(w), verify_type))
	208	return -EMEDIUMTYPE;
	209	}
	210
	211	if (ret)
	212	*ret = TAKE_PTR(v);
	213
	214	return 0;
	215	}
	216
fdf6c27c LP	217	int cryptsetup_add_token_json(struct crypt_device cd, JsonVariant v) {
	218	_cleanup_free_ char *text = NULL;
	219	int r;
	220
	221	r = dlopen_cryptsetup();
	222	if (r < 0)
	223	return r;
	224
	225	r = json_variant_format(v, 0, &text);
	226	if (r < 0)
	227	return log_debug_errno(r, "Failed to format token data for LUKS: %m");
	228
	229	log_debug("Adding token text <%s>", text);
	230
	231	r = sym_crypt_token_json_set(cd, CRYPT_ANY_TOKEN, text);
	232	if (r < 0)
	233	return log_debug_errno(r, "Failed to write token data to LUKS: %m");
	234
	235	return 0;
	236	}
	237	#endif
	238
bbf73b00 DDM	239	int dlopen_cryptsetup(void) {
	240	#if HAVE_LIBCRYPTSETUP
	241	int r;
	242
7736a71f LP	243	/* libcryptsetup added crypt_reencrypt() in 2.2.0, and marked it obsolete in 2.4.0, replacing it with
	244	* crypt_reencrypt_run(), which takes one extra argument but is otherwise identical. The old call is
	245	* still available though, and given we want to support 2.2.0 for a while longer, we'll stick to the
6c2d70ce	246	* old symbol. However, the old symbols now has a GCC deprecation decorator, hence let's turn off
7736a71f LP	247	* warnings about this for now. */
	248
	249	DISABLE_WARNING_DEPRECATED_DECLARATIONS;
	250
bbf73b00 DDM	251	r = dlopen_many_sym_or_warn(
	252	&cryptsetup_dl, "libcryptsetup.so.12", LOG_DEBUG,
	253	DLSYM_ARG(crypt_activate_by_passphrase),
	254	#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
	255	DLSYM_ARG(crypt_activate_by_signed_key),
	256	#endif
	257	DLSYM_ARG(crypt_activate_by_volume_key),
	258	DLSYM_ARG(crypt_deactivate_by_name),
	259	DLSYM_ARG(crypt_format),
	260	DLSYM_ARG(crypt_free),
	261	DLSYM_ARG(crypt_get_cipher),
	262	DLSYM_ARG(crypt_get_cipher_mode),
	263	DLSYM_ARG(crypt_get_data_offset),
	264	DLSYM_ARG(crypt_get_device_name),
	265	DLSYM_ARG(crypt_get_dir),
	266	DLSYM_ARG(crypt_get_type),
	267	DLSYM_ARG(crypt_get_uuid),
	268	DLSYM_ARG(crypt_get_verity_info),
	269	DLSYM_ARG(crypt_get_volume_key_size),
	270	DLSYM_ARG(crypt_init),
	271	DLSYM_ARG(crypt_init_by_name),
	272	DLSYM_ARG(crypt_keyslot_add_by_volume_key),
	273	DLSYM_ARG(crypt_keyslot_destroy),
	274	DLSYM_ARG(crypt_keyslot_max),
	275	DLSYM_ARG(crypt_load),
	276	DLSYM_ARG(crypt_resize),
	277	DLSYM_ARG(crypt_resume_by_passphrase),
	278	DLSYM_ARG(crypt_set_data_device),
	279	DLSYM_ARG(crypt_set_debug_level),
	280	DLSYM_ARG(crypt_set_log_callback),
	281	#if HAVE_CRYPT_SET_METADATA_SIZE
	282	DLSYM_ARG(crypt_set_metadata_size),
	283	#endif
	284	DLSYM_ARG(crypt_set_pbkdf_type),
	285	DLSYM_ARG(crypt_suspend),
	286	DLSYM_ARG(crypt_token_json_get),
	287	DLSYM_ARG(crypt_token_json_set),
	288	#if HAVE_CRYPT_TOKEN_MAX
	289	DLSYM_ARG(crypt_token_max),
	290	#endif
	291	DLSYM_ARG(crypt_token_status),
48a09a8f DDM	292	DLSYM_ARG(crypt_volume_key_get),
	293	#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
	294	DLSYM_ARG(crypt_reencrypt_init_by_passphrase),
	295	#endif
	296	#if HAVE_CRYPT_REENCRYPT
	297	DLSYM_ARG(crypt_reencrypt),
	298	#endif
	299	DLSYM_ARG(crypt_metadata_locking),
	300	#if HAVE_CRYPT_SET_DATA_OFFSET
	301	DLSYM_ARG(crypt_set_data_offset),
	302	#endif
	303	DLSYM_ARG(crypt_header_restore),
	304	DLSYM_ARG(crypt_volume_key_keyring));
bbf73b00 DDM	305	if (r <= 0)
	306	return r;
	307
7736a71f LP	308	REENABLE_WARNING;
7736a71f LP	309
bbf73b00 DDM	310	/* Redirect the default logging calls of libcryptsetup to our own logging infra. (Note that
	311	* libcryptsetup also maintains per-"struct crypt_device" log functions, which we'll also set
	312	* whenever allocating a "struct crypt_device" context. Why set both? To be defensive: maybe some
	313	* other code loaded into this process also changes the global log functions of libcryptsetup, who
	314	* knows? And if so, we still want our own objects to log via our own infra, at the very least.) */
	315	cryptsetup_enable_logging(NULL);
	316	return 1;
	317	#else
	318	return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "cryptsetup support is not compiled in.");
	319	#endif
	320	}
	321
4098bc13 LP	322	int cryptsetup_get_keyslot_from_token(JsonVariant *v) {
	323	int keyslot, r;
	324	JsonVariant *w;
	325
	326	/* Parses the "keyslots" field of a LUKS2 token object. The field can be an array, but here we assume
	327	* that it contains a single element only, since that's the only way we ever generate it
	328	* ourselves. */
	329
	330	w = json_variant_by_key(v, "keyslots");
	331	if (!w)
	332	return -ENOENT;
	333	if (!json_variant_is_array(w) \|\| json_variant_elements(w) != 1)
	334	return -EMEDIUMTYPE;
	335
	336	w = json_variant_by_index(w, 0);
	337	if (!w)
	338	return -ENOENT;
	339	if (!json_variant_is_string(w))
	340	return -EMEDIUMTYPE;
	341
	342	r = safe_atoi(json_variant_string(w), &keyslot);
	343	if (r < 0)
	344	return r;
	345	if (keyslot < 0)
	346	return -EINVAL;
	347
	348	return keyslot;
	349	}