]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/shared/cryptsetup-util.c
projects / thirdparty / systemd.git / blob
? search:


19241015fb1eb815cb30275919e4dfc02a29ca81
[thirdparty/systemd.git] / src / shared / cryptsetup-util.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include "alloc-util.h"
4 #include "cryptsetup-util.h"
5 #include "dlfcn-util.h"
6 #include "log.h"
7 #include "parse-util.h"
8
9 #if HAVE_LIBCRYPTSETUP
10 static void *cryptsetup_dl = NULL;
11
12 int (*sym_crypt_activate_by_passphrase)(struct crypt_device *cd, const char *name, int keyslot, const char *passphrase, size_t passphrase_size, uint32_t flags);
13 #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
14 int (*sym_crypt_activate_by_signed_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, const char *signature, size_t signature_size, uint32_t flags);
15 #endif
16 int (*sym_crypt_activate_by_volume_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, uint32_t flags);
17 int (*sym_crypt_deactivate_by_name)(struct crypt_device *cd, const char *name, uint32_t flags);
18 int (*sym_crypt_format)(struct crypt_device *cd, const char *type, const char *cipher, const char *cipher_mode, const char *uuid, const char *volume_key, size_t volume_key_size, void *params);
19 void (*sym_crypt_free)(struct crypt_device *cd);
20 const char *(*sym_crypt_get_cipher)(struct crypt_device *cd);
21 const char *(*sym_crypt_get_cipher_mode)(struct crypt_device *cd);
22 uint64_t (*sym_crypt_get_data_offset)(struct crypt_device *cd);
23 const char *(*sym_crypt_get_device_name)(struct crypt_device *cd);
24 const char *(*sym_crypt_get_dir)(void);
25 const char *(*sym_crypt_get_type)(struct crypt_device *cd);
26 const char *(*sym_crypt_get_uuid)(struct crypt_device *cd);
27 int (*sym_crypt_get_verity_info)(struct crypt_device *cd, struct crypt_params_verity *vp);
28 int (*sym_crypt_get_volume_key_size)(struct crypt_device *cd);
29 int (*sym_crypt_init)(struct crypt_device **cd, const char *device);
30 int (*sym_crypt_init_by_name)(struct crypt_device **cd, const char *name);
31 int (*sym_crypt_keyslot_add_by_volume_key)(struct crypt_device *cd, int keyslot, const char *volume_key, size_t volume_key_size, const char *passphrase, size_t passphrase_size);
32 int (*sym_crypt_keyslot_destroy)(struct crypt_device *cd, int keyslot);
33 int (*sym_crypt_keyslot_max)(const char *type);
34 int (*sym_crypt_load)(struct crypt_device *cd, const char *requested_type, void *params);
35 int (*sym_crypt_resize)(struct crypt_device *cd, const char *name, uint64_t new_size);
36 int (*sym_crypt_resume_by_passphrase)(struct crypt_device *cd, const char *name, int keyslot, const char *passphrase, size_t passphrase_size);
37 int (*sym_crypt_set_data_device)(struct crypt_device *cd, const char *device);
38 void (*sym_crypt_set_debug_level)(int level);
39 void (*sym_crypt_set_log_callback)(struct crypt_device *cd, void (*log)(int level, const char *msg, void *usrptr), void *usrptr);
40 #if HAVE_CRYPT_SET_METADATA_SIZE
41 int (*sym_crypt_set_metadata_size)(struct crypt_device *cd, uint64_t metadata_size, uint64_t keyslots_size);
42 #endif
43 int (*sym_crypt_set_pbkdf_type)(struct crypt_device *cd, const struct crypt_pbkdf_type *pbkdf);
44 int (*sym_crypt_suspend)(struct crypt_device *cd, const char *name);
45 int (*sym_crypt_token_json_get)(struct crypt_device *cd, int token, const char **json);
46 int (*sym_crypt_token_json_set)(struct crypt_device *cd, int token, const char *json);
47 #if HAVE_CRYPT_TOKEN_MAX
48 int (*sym_crypt_token_max)(const char *type);
49 #endif
50 crypt_token_info (*sym_crypt_token_status)(struct crypt_device *cd, int token, const char **type);
51 int (*sym_crypt_volume_key_get)(struct crypt_device *cd, int keyslot, char *volume_key, size_t *volume_key_size, const char *passphrase, size_t passphrase_size);
52 #if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
53 int (*sym_crypt_reencrypt_init_by_passphrase)(struct crypt_device *cd, const char *name, const char *passphrase, size_t passphrase_size, int keyslot_old, int keyslot_new, const char *cipher, const char *cipher_mode, const struct crypt_params_reencrypt *params);
54 #endif
55 #if HAVE_CRYPT_REENCRYPT
56 int (*sym_crypt_reencrypt)(struct crypt_device *cd, int (*progress)(uint64_t size, uint64_t offset, void *usrptr));
57 #endif
58 int (*sym_crypt_metadata_locking)(struct crypt_device *cd, int enable);
59 #if HAVE_CRYPT_SET_DATA_OFFSET
60 int (*sym_crypt_set_data_offset)(struct crypt_device *cd, uint64_t data_offset);
61 #endif
62 int (*sym_crypt_header_restore)(struct crypt_device *cd, const char *requested_type, const char *backup_file);
63 int (*sym_crypt_volume_key_keyring)(struct crypt_device *cd, int enable);
64
65 /* Unfortunately libcryptsetup provides neither an environment variable to redirect where to look for token
66 * modules, nor does it have an API to change the token lookup path at runtime. The maintainers suggest using
67 * ELF interposition instead (see https://gitlab.com/cryptsetup/cryptsetup/-/issues/846). Hence let's do
68 * that: let's interpose libcryptsetup's crypt_token_external_path() function with our own, that *does*
69 * honour an environment variable where to look for tokens. This is tremendously useful for debugging
70 * libcryptsetup tokens: set the environment variable to your build dir and you can easily test token modules
71 * without jumping through various hoops. */
72
73 /* Do this only on new enough compilers that actually support the "symver" attribute. Given this is a debug
74 * feature, let's simply not bother on older compilers */
75 #if defined __has_attribute
76 #if __has_attribute(symver)
77 const char *my_crypt_token_external_path(void); /* prototype for our own implementation */
78
79 /* We use the "symver" attribute to mark this implementation as the default implementation, and drop the
80 * SD_SHARED namespace we by default attach to our symbols via a version script. */
81 __attribute__((symver("crypt_token_external_path@@")))
82 _public_ const char *my_crypt_token_external_path(void) {
83 const char *e;
84
85 e = secure_getenv("SYSTEMD_CRYPTSETUP_TOKEN_PATH");
86 if (e)
87 return e;
88
89 /* Now chain invoke the original implementation. */
90 if (cryptsetup_dl) {
91 typeof(crypt_token_external_path) *func;
92 func = (typeof(crypt_token_external_path)*) dlsym(cryptsetup_dl, "crypt_token_external_path");
93 if (func)
94 return func();
95 }
96
97 return NULL;
98 }
99 #endif
100 #endif
101
102 static void cryptsetup_log_glue(int level, const char *msg, void *usrptr) {
103
104 switch (level) {
105 case CRYPT_LOG_NORMAL:
106 level = LOG_NOTICE;
107 break;
108 case CRYPT_LOG_ERROR:
109 level = LOG_ERR;
110 break;
111 case CRYPT_LOG_VERBOSE:
112 level = LOG_INFO;
113 break;
114 case CRYPT_LOG_DEBUG:
115 level = LOG_DEBUG;
116 break;
117 default:
118 log_error("Unknown libcryptsetup log level: %d", level);
119 level = LOG_ERR;
120 }
121
122 log_full(level, "%s", msg);
123 }
124
125 void cryptsetup_enable_logging(struct crypt_device *cd) {
126 /* It's OK to call this with a NULL parameter, in which case libcryptsetup will set the default log
127 * function.
128 *
129 * Note that this is also called from dlopen_cryptsetup(), which we call here too. Sounds like an
130 * endless loop, but isn't because we break it via the check for 'cryptsetup_dl' early in
131 * dlopen_cryptsetup(). */
132
133 if (dlopen_cryptsetup() < 0)
134 return; /* If this fails, let's gracefully ignore the issue, this is just debug logging after
135 * all, and if this failed we already generated a debug log message that should help
136 * to track things down. */
137
138 sym_crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
139 sym_crypt_set_debug_level(DEBUG_LOGGING ? CRYPT_DEBUG_ALL : CRYPT_DEBUG_NONE);
140 }
141
142 int cryptsetup_set_minimal_pbkdf(struct crypt_device *cd) {
143
144 /* With CRYPT_PBKDF_NO_BENCHMARK flag set .time_ms member is ignored
145 * while .iterations must be set at least to recommended minimum value. */
146
147 static const struct crypt_pbkdf_type minimal_pbkdf = {
148 .hash = "sha512",
149 .type = CRYPT_KDF_PBKDF2,
150 .iterations = 1000, /* recommended minimum count for pbkdf2
151 * according to NIST SP 800-132, ch. 5.2 */
152 .flags = CRYPT_PBKDF_NO_BENCHMARK
153 };
154
155 int r;
156
157 /* Sets a minimal PKBDF in case we already have a high entropy key. */
158
159 r = dlopen_cryptsetup();
160 if (r < 0)
161 return r;
162
163 r = sym_crypt_set_pbkdf_type(cd, &minimal_pbkdf);
164 if (r < 0)
165 return r;
166
167 return 0;
168 }
169
170 int cryptsetup_get_token_as_json(
171 struct crypt_device *cd,
172 int idx,
173 const char *verify_type,
174 JsonVariant **ret) {
175
176 _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
177 const char *text;
178 int r;
179
180 assert(cd);
181
182 /* Extracts and parses the LUKS2 JSON token data from a LUKS2 device. Optionally verifies the type of
183 * the token. Returns:
184 *
185 * -EINVAL → token index out of range or "type" field missing
186 * -ENOENT → token doesn't exist
187 * -EMEDIUMTYPE → "verify_type" specified and doesn't match token's type
188 */
189
190 r = dlopen_cryptsetup();
191 if (r < 0)
192 return r;
193
194 r = sym_crypt_token_json_get(cd, idx, &text);
195 if (r < 0)
196 return r;
197
198 r = json_parse(text, 0, &v, NULL, NULL);
199 if (r < 0)
200 return r;
201
202 if (verify_type) {
203 JsonVariant *w;
204
205 w = json_variant_by_key(v, "type");
206 if (!w)
207 return -EINVAL;
208
209 if (!streq_ptr(json_variant_string(w), verify_type))
210 return -EMEDIUMTYPE;
211 }
212
213 if (ret)
214 *ret = TAKE_PTR(v);
215
216 return 0;
217 }
218
219 int cryptsetup_add_token_json(struct crypt_device *cd, JsonVariant *v) {
220 _cleanup_free_ char *text = NULL;
221 int r;
222
223 r = dlopen_cryptsetup();
224 if (r < 0)
225 return r;
226
227 r = json_variant_format(v, 0, &text);
228 if (r < 0)
229 return log_debug_errno(r, "Failed to format token data for LUKS: %m");
230
231 log_debug("Adding token text <%s>", text);
232
233 r = sym_crypt_token_json_set(cd, CRYPT_ANY_TOKEN, text);
234 if (r < 0)
235 return log_debug_errno(r, "Failed to write token data to LUKS: %m");
236
237 return 0;
238 }
239 #endif
240
241 int dlopen_cryptsetup(void) {
242 #if HAVE_LIBCRYPTSETUP
243 int r;
244
245 /* libcryptsetup added crypt_reencrypt() in 2.2.0, and marked it obsolete in 2.4.0, replacing it with
246 * crypt_reencrypt_run(), which takes one extra argument but is otherwise identical. The old call is
247 * still available though, and given we want to support 2.2.0 for a while longer, we'll stick to the
248 * old symbol. However, the old symbols now has a GCC deprecation decorator, hence let's turn off
249 * warnings about this for now. */
250
251 DISABLE_WARNING_DEPRECATED_DECLARATIONS;
252
253 r = dlopen_many_sym_or_warn(
254 &cryptsetup_dl, "libcryptsetup.so.12", LOG_DEBUG,
255 DLSYM_ARG(crypt_activate_by_passphrase),
256 #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
257 DLSYM_ARG(crypt_activate_by_signed_key),
258 #endif
259 DLSYM_ARG(crypt_activate_by_volume_key),
260 DLSYM_ARG(crypt_deactivate_by_name),
261 DLSYM_ARG(crypt_format),
262 DLSYM_ARG(crypt_free),
263 DLSYM_ARG(crypt_get_cipher),
264 DLSYM_ARG(crypt_get_cipher_mode),
265 DLSYM_ARG(crypt_get_data_offset),
266 DLSYM_ARG(crypt_get_device_name),
267 DLSYM_ARG(crypt_get_dir),
268 DLSYM_ARG(crypt_get_type),
269 DLSYM_ARG(crypt_get_uuid),
270 DLSYM_ARG(crypt_get_verity_info),
271 DLSYM_ARG(crypt_get_volume_key_size),
272 DLSYM_ARG(crypt_init),
273 DLSYM_ARG(crypt_init_by_name),
274 DLSYM_ARG(crypt_keyslot_add_by_volume_key),
275 DLSYM_ARG(crypt_keyslot_destroy),
276 DLSYM_ARG(crypt_keyslot_max),
277 DLSYM_ARG(crypt_load),
278 DLSYM_ARG(crypt_resize),
279 DLSYM_ARG(crypt_resume_by_passphrase),
280 DLSYM_ARG(crypt_set_data_device),
281 DLSYM_ARG(crypt_set_debug_level),
282 DLSYM_ARG(crypt_set_log_callback),
283 #if HAVE_CRYPT_SET_METADATA_SIZE
284 DLSYM_ARG(crypt_set_metadata_size),
285 #endif
286 DLSYM_ARG(crypt_set_pbkdf_type),
287 DLSYM_ARG(crypt_suspend),
288 DLSYM_ARG(crypt_token_json_get),
289 DLSYM_ARG(crypt_token_json_set),
290 #if HAVE_CRYPT_TOKEN_MAX
291 DLSYM_ARG(crypt_token_max),
292 #endif
293 DLSYM_ARG(crypt_token_status),
294 DLSYM_ARG(crypt_volume_key_get),
295 #if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
296 DLSYM_ARG(crypt_reencrypt_init_by_passphrase),
297 #endif
298 #if HAVE_CRYPT_REENCRYPT
299 DLSYM_ARG(crypt_reencrypt),
300 #endif
301 DLSYM_ARG(crypt_metadata_locking),
302 #if HAVE_CRYPT_SET_DATA_OFFSET
303 DLSYM_ARG(crypt_set_data_offset),
304 #endif
305 DLSYM_ARG(crypt_header_restore),
306 DLSYM_ARG(crypt_volume_key_keyring));
307 if (r <= 0)
308 return r;
309
310 REENABLE_WARNING;
311
312 /* Redirect the default logging calls of libcryptsetup to our own logging infra. (Note that
313 * libcryptsetup also maintains per-"struct crypt_device" log functions, which we'll also set
314 * whenever allocating a "struct crypt_device" context. Why set both? To be defensive: maybe some
315 * other code loaded into this process also changes the global log functions of libcryptsetup, who
316 * knows? And if so, we still want our own objects to log via our own infra, at the very least.) */
317 cryptsetup_enable_logging(NULL);
318 return 1;
319 #else
320 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "cryptsetup support is not compiled in.");
321 #endif
322 }
323
324 int cryptsetup_get_keyslot_from_token(JsonVariant *v) {
325 int keyslot, r;
326 JsonVariant *w;
327
328 /* Parses the "keyslots" field of a LUKS2 token object. The field can be an array, but here we assume
329 * that it contains a single element only, since that's the only way we ever generate it
330 * ourselves. */
331
332 w = json_variant_by_key(v, "keyslots");
333 if (!w)
334 return -ENOENT;
335 if (!json_variant_is_array(w) || json_variant_elements(w) != 1)
336 return -EMEDIUMTYPE;
337
338 w = json_variant_by_index(w, 0);
339 if (!w)
340 return -ENOENT;
341 if (!json_variant_is_string(w))
342 return -EMEDIUMTYPE;
343
344 r = safe_atoi(json_variant_string(w), &keyslot);
345 if (r < 0)
346 return r;
347 if (keyslot < 0)
348 return -EINVAL;
349
350 return keyslot;
351 }
Unnamed repository; edit this file 'description' to name the repository.