1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
3 #include "alloc-util.h"
4 #include "cryptsetup-util.h"
5 #include "dlfcn-util.h"
7 #include "parse-util.h"
10 static void *cryptsetup_dl
= NULL
;
12 int (*sym_crypt_activate_by_passphrase
)(struct crypt_device
*cd
, const char *name
, int keyslot
, const char *passphrase
, size_t passphrase_size
, uint32_t flags
);
13 #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
14 int (*sym_crypt_activate_by_signed_key
)(struct crypt_device
*cd
, const char *name
, const char *volume_key
, size_t volume_key_size
, const char *signature
, size_t signature_size
, uint32_t flags
);
16 int (*sym_crypt_activate_by_volume_key
)(struct crypt_device
*cd
, const char *name
, const char *volume_key
, size_t volume_key_size
, uint32_t flags
);
17 int (*sym_crypt_deactivate_by_name
)(struct crypt_device
*cd
, const char *name
, uint32_t flags
);
18 int (*sym_crypt_format
)(struct crypt_device
*cd
, const char *type
, const char *cipher
, const char *cipher_mode
, const char *uuid
, const char *volume_key
, size_t volume_key_size
, void *params
);
19 void (*sym_crypt_free
)(struct crypt_device
*cd
);
20 const char *(*sym_crypt_get_cipher
)(struct crypt_device
*cd
);
21 const char *(*sym_crypt_get_cipher_mode
)(struct crypt_device
*cd
);
22 uint64_t (*sym_crypt_get_data_offset
)(struct crypt_device
*cd
);
23 const char *(*sym_crypt_get_device_name
)(struct crypt_device
*cd
);
24 const char *(*sym_crypt_get_dir
)(void);
25 const char *(*sym_crypt_get_type
)(struct crypt_device
*cd
);
26 const char *(*sym_crypt_get_uuid
)(struct crypt_device
*cd
);
27 int (*sym_crypt_get_verity_info
)(struct crypt_device
*cd
, struct crypt_params_verity
*vp
);
28 int (*sym_crypt_get_volume_key_size
)(struct crypt_device
*cd
);
29 int (*sym_crypt_init
)(struct crypt_device
**cd
, const char *device
);
30 int (*sym_crypt_init_by_name
)(struct crypt_device
**cd
, const char *name
);
31 int (*sym_crypt_keyslot_add_by_volume_key
)(struct crypt_device
*cd
, int keyslot
, const char *volume_key
, size_t volume_key_size
, const char *passphrase
, size_t passphrase_size
);
32 int (*sym_crypt_keyslot_destroy
)(struct crypt_device
*cd
, int keyslot
);
33 int (*sym_crypt_keyslot_max
)(const char *type
);
34 int (*sym_crypt_load
)(struct crypt_device
*cd
, const char *requested_type
, void *params
);
35 int (*sym_crypt_resize
)(struct crypt_device
*cd
, const char *name
, uint64_t new_size
);
36 int (*sym_crypt_resume_by_passphrase
)(struct crypt_device
*cd
, const char *name
, int keyslot
, const char *passphrase
, size_t passphrase_size
);
37 int (*sym_crypt_set_data_device
)(struct crypt_device
*cd
, const char *device
);
38 void (*sym_crypt_set_debug_level
)(int level
);
39 void (*sym_crypt_set_log_callback
)(struct crypt_device
*cd
, void (*log
)(int level
, const char *msg
, void *usrptr
), void *usrptr
);
40 #if HAVE_CRYPT_SET_METADATA_SIZE
41 int (*sym_crypt_set_metadata_size
)(struct crypt_device
*cd
, uint64_t metadata_size
, uint64_t keyslots_size
);
43 int (*sym_crypt_set_pbkdf_type
)(struct crypt_device
*cd
, const struct crypt_pbkdf_type
*pbkdf
);
44 int (*sym_crypt_suspend
)(struct crypt_device
*cd
, const char *name
);
45 int (*sym_crypt_token_json_get
)(struct crypt_device
*cd
, int token
, const char **json
);
46 int (*sym_crypt_token_json_set
)(struct crypt_device
*cd
, int token
, const char *json
);
47 #if HAVE_CRYPT_TOKEN_MAX
48 int (*sym_crypt_token_max
)(const char *type
);
50 crypt_token_info (*sym_crypt_token_status
)(struct crypt_device
*cd
, int token
, const char **type
);
51 int (*sym_crypt_volume_key_get
)(struct crypt_device
*cd
, int keyslot
, char *volume_key
, size_t *volume_key_size
, const char *passphrase
, size_t passphrase_size
);
52 #if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
53 int (*sym_crypt_reencrypt_init_by_passphrase
)(struct crypt_device
*cd
, const char *name
, const char *passphrase
, size_t passphrase_size
, int keyslot_old
, int keyslot_new
, const char *cipher
, const char *cipher_mode
, const struct crypt_params_reencrypt
*params
);
55 #if HAVE_CRYPT_REENCRYPT
56 int (*sym_crypt_reencrypt
)(struct crypt_device
*cd
, int (*progress
)(uint64_t size
, uint64_t offset
, void *usrptr
));
58 int (*sym_crypt_metadata_locking
)(struct crypt_device
*cd
, int enable
);
59 #if HAVE_CRYPT_SET_DATA_OFFSET
60 int (*sym_crypt_set_data_offset
)(struct crypt_device
*cd
, uint64_t data_offset
);
62 int (*sym_crypt_header_restore
)(struct crypt_device
*cd
, const char *requested_type
, const char *backup_file
);
63 int (*sym_crypt_volume_key_keyring
)(struct crypt_device
*cd
, int enable
);
65 /* Unfortunately libcryptsetup provides neither an environment variable to redirect where to look for token
66 * modules, nor does it have an API to change the token lookup path at runtime. The maintainers suggest using
67 * ELF interposition instead (see https://gitlab.com/cryptsetup/cryptsetup/-/issues/846). Hence let's do
68 * that: let's interpose libcryptsetup's crypt_token_external_path() function with our own, that *does*
69 * honour an environment variable where to look for tokens. This is tremendously useful for debugging
70 * libcryptsetup tokens: set the environment variable to your build dir and you can easily test token modules
71 * without jumping through various hoops. */
73 /* Do this only on new enough compilers that actually support the "symver" attribute. Given this is a debug
74 * feature, let's simply not bother on older compilers */
75 #if defined __has_attribute
76 #if __has_attribute(symver)
77 const char *my_crypt_token_external_path(void); /* prototype for our own implementation */
79 /* We use the "symver" attribute to mark this implementation as the default implementation, and drop the
80 * SD_SHARED namespace we by default attach to our symbols via a version script. */
81 __attribute__((symver("crypt_token_external_path@@")))
82 _public_
const char *my_crypt_token_external_path(void) {
85 e
= secure_getenv("SYSTEMD_CRYPTSETUP_TOKEN_PATH");
89 /* Now chain invoke the original implementation. */
91 typeof(crypt_token_external_path
) *func
;
92 func
= (typeof(crypt_token_external_path
)*) dlsym(cryptsetup_dl
, "crypt_token_external_path");
102 static void cryptsetup_log_glue(int level
, const char *msg
, void *usrptr
) {
105 case CRYPT_LOG_NORMAL
:
108 case CRYPT_LOG_ERROR
:
111 case CRYPT_LOG_VERBOSE
:
114 case CRYPT_LOG_DEBUG
:
118 log_error("Unknown libcryptsetup log level: %d", level
);
122 log_full(level
, "%s", msg
);
125 void cryptsetup_enable_logging(struct crypt_device
*cd
) {
126 /* It's OK to call this with a NULL parameter, in which case libcryptsetup will set the default log
129 * Note that this is also called from dlopen_cryptsetup(), which we call here too. Sounds like an
130 * endless loop, but isn't because we break it via the check for 'cryptsetup_dl' early in
131 * dlopen_cryptsetup(). */
133 if (dlopen_cryptsetup() < 0)
134 return; /* If this fails, let's gracefully ignore the issue, this is just debug logging after
135 * all, and if this failed we already generated a debug log message that should help
136 * to track things down. */
138 sym_crypt_set_log_callback(cd
, cryptsetup_log_glue
, NULL
);
139 sym_crypt_set_debug_level(DEBUG_LOGGING
? CRYPT_DEBUG_ALL
: CRYPT_DEBUG_NONE
);
142 int cryptsetup_set_minimal_pbkdf(struct crypt_device
*cd
) {
144 /* With CRYPT_PBKDF_NO_BENCHMARK flag set .time_ms member is ignored
145 * while .iterations must be set at least to recommended minimum value. */
147 static const struct crypt_pbkdf_type minimal_pbkdf
= {
149 .type
= CRYPT_KDF_PBKDF2
,
150 .iterations
= 1000, /* recommended minimum count for pbkdf2
151 * according to NIST SP 800-132, ch. 5.2 */
152 .flags
= CRYPT_PBKDF_NO_BENCHMARK
157 /* Sets a minimal PKBDF in case we already have a high entropy key. */
159 r
= dlopen_cryptsetup();
163 r
= sym_crypt_set_pbkdf_type(cd
, &minimal_pbkdf
);
170 int cryptsetup_get_token_as_json(
171 struct crypt_device
*cd
,
173 const char *verify_type
,
176 _cleanup_(json_variant_unrefp
) JsonVariant
*v
= NULL
;
182 /* Extracts and parses the LUKS2 JSON token data from a LUKS2 device. Optionally verifies the type of
183 * the token. Returns:
185 * -EINVAL → token index out of range or "type" field missing
186 * -ENOENT → token doesn't exist
187 * -EMEDIUMTYPE → "verify_type" specified and doesn't match token's type
190 r
= dlopen_cryptsetup();
194 r
= sym_crypt_token_json_get(cd
, idx
, &text
);
198 r
= json_parse(text
, 0, &v
, NULL
, NULL
);
205 w
= json_variant_by_key(v
, "type");
209 if (!streq_ptr(json_variant_string(w
), verify_type
))
219 int cryptsetup_add_token_json(struct crypt_device
*cd
, JsonVariant
*v
) {
220 _cleanup_free_
char *text
= NULL
;
223 r
= dlopen_cryptsetup();
227 r
= json_variant_format(v
, 0, &text
);
229 return log_debug_errno(r
, "Failed to format token data for LUKS: %m");
231 log_debug("Adding token text <%s>", text
);
233 r
= sym_crypt_token_json_set(cd
, CRYPT_ANY_TOKEN
, text
);
235 return log_debug_errno(r
, "Failed to write token data to LUKS: %m");
241 int dlopen_cryptsetup(void) {
242 #if HAVE_LIBCRYPTSETUP
245 /* libcryptsetup added crypt_reencrypt() in 2.2.0, and marked it obsolete in 2.4.0, replacing it with
246 * crypt_reencrypt_run(), which takes one extra argument but is otherwise identical. The old call is
247 * still available though, and given we want to support 2.2.0 for a while longer, we'll stick to the
248 * old symbol. However, the old symbols now has a GCC deprecation decorator, hence let's turn off
249 * warnings about this for now. */
251 DISABLE_WARNING_DEPRECATED_DECLARATIONS
;
253 r
= dlopen_many_sym_or_warn(
254 &cryptsetup_dl
, "libcryptsetup.so.12", LOG_DEBUG
,
255 DLSYM_ARG(crypt_activate_by_passphrase
),
256 #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
257 DLSYM_ARG(crypt_activate_by_signed_key
),
259 DLSYM_ARG(crypt_activate_by_volume_key
),
260 DLSYM_ARG(crypt_deactivate_by_name
),
261 DLSYM_ARG(crypt_format
),
262 DLSYM_ARG(crypt_free
),
263 DLSYM_ARG(crypt_get_cipher
),
264 DLSYM_ARG(crypt_get_cipher_mode
),
265 DLSYM_ARG(crypt_get_data_offset
),
266 DLSYM_ARG(crypt_get_device_name
),
267 DLSYM_ARG(crypt_get_dir
),
268 DLSYM_ARG(crypt_get_type
),
269 DLSYM_ARG(crypt_get_uuid
),
270 DLSYM_ARG(crypt_get_verity_info
),
271 DLSYM_ARG(crypt_get_volume_key_size
),
272 DLSYM_ARG(crypt_init
),
273 DLSYM_ARG(crypt_init_by_name
),
274 DLSYM_ARG(crypt_keyslot_add_by_volume_key
),
275 DLSYM_ARG(crypt_keyslot_destroy
),
276 DLSYM_ARG(crypt_keyslot_max
),
277 DLSYM_ARG(crypt_load
),
278 DLSYM_ARG(crypt_resize
),
279 DLSYM_ARG(crypt_resume_by_passphrase
),
280 DLSYM_ARG(crypt_set_data_device
),
281 DLSYM_ARG(crypt_set_debug_level
),
282 DLSYM_ARG(crypt_set_log_callback
),
283 #if HAVE_CRYPT_SET_METADATA_SIZE
284 DLSYM_ARG(crypt_set_metadata_size
),
286 DLSYM_ARG(crypt_set_pbkdf_type
),
287 DLSYM_ARG(crypt_suspend
),
288 DLSYM_ARG(crypt_token_json_get
),
289 DLSYM_ARG(crypt_token_json_set
),
290 #if HAVE_CRYPT_TOKEN_MAX
291 DLSYM_ARG(crypt_token_max
),
293 DLSYM_ARG(crypt_token_status
),
294 DLSYM_ARG(crypt_volume_key_get
),
295 #if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
296 DLSYM_ARG(crypt_reencrypt_init_by_passphrase
),
298 #if HAVE_CRYPT_REENCRYPT
299 DLSYM_ARG(crypt_reencrypt
),
301 DLSYM_ARG(crypt_metadata_locking
),
302 #if HAVE_CRYPT_SET_DATA_OFFSET
303 DLSYM_ARG(crypt_set_data_offset
),
305 DLSYM_ARG(crypt_header_restore
),
306 DLSYM_ARG(crypt_volume_key_keyring
));
312 /* Redirect the default logging calls of libcryptsetup to our own logging infra. (Note that
313 * libcryptsetup also maintains per-"struct crypt_device" log functions, which we'll also set
314 * whenever allocating a "struct crypt_device" context. Why set both? To be defensive: maybe some
315 * other code loaded into this process also changes the global log functions of libcryptsetup, who
316 * knows? And if so, we still want our own objects to log via our own infra, at the very least.) */
317 cryptsetup_enable_logging(NULL
);
320 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "cryptsetup support is not compiled in.");
324 int cryptsetup_get_keyslot_from_token(JsonVariant
*v
) {
328 /* Parses the "keyslots" field of a LUKS2 token object. The field can be an array, but here we assume
329 * that it contains a single element only, since that's the only way we ever generate it
332 w
= json_variant_by_key(v
, "keyslots");
335 if (!json_variant_is_array(w
) || json_variant_elements(w
) != 1)
338 w
= json_variant_by_index(w
, 0);
341 if (!json_variant_is_string(w
))
344 r
= safe_atoi(json_variant_string(w
), &keyslot
);