]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/shared/cryptsetup-util.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #32709 from bluca/machined_ssh
[thirdparty/systemd.git] / src / shared / cryptsetup-util.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include "alloc-util.h"
4 #include "cryptsetup-util.h"
5 #include "dlfcn-util.h"
6 #include "log.h"
7 #include "parse-util.h"
8
9 #if HAVE_LIBCRYPTSETUP
10 static void *cryptsetup_dl = NULL;
11
12 DLSYM_FUNCTION(crypt_activate_by_passphrase);
13 #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
14 DLSYM_FUNCTION(crypt_activate_by_signed_key);
15 #endif
16 DLSYM_FUNCTION(crypt_activate_by_volume_key);
17 DLSYM_FUNCTION(crypt_deactivate_by_name);
18 DLSYM_FUNCTION(crypt_format);
19 DLSYM_FUNCTION(crypt_free);
20 DLSYM_FUNCTION(crypt_get_cipher);
21 DLSYM_FUNCTION(crypt_get_cipher_mode);
22 DLSYM_FUNCTION(crypt_get_data_offset);
23 DLSYM_FUNCTION(crypt_get_device_name);
24 DLSYM_FUNCTION(crypt_get_dir);
25 DLSYM_FUNCTION(crypt_get_type);
26 DLSYM_FUNCTION(crypt_get_uuid);
27 DLSYM_FUNCTION(crypt_get_verity_info);
28 DLSYM_FUNCTION(crypt_get_volume_key_size);
29 DLSYM_FUNCTION(crypt_init);
30 DLSYM_FUNCTION(crypt_init_by_name);
31 DLSYM_FUNCTION(crypt_keyslot_add_by_volume_key);
32 DLSYM_FUNCTION(crypt_keyslot_destroy);
33 DLSYM_FUNCTION(crypt_keyslot_max);
34 DLSYM_FUNCTION(crypt_load);
35 DLSYM_FUNCTION(crypt_resize);
36 #if HAVE_CRYPT_RESUME_BY_VOLUME_KEY
37 DLSYM_FUNCTION(crypt_resume_by_volume_key);
38 #endif
39 DLSYM_FUNCTION(crypt_set_data_device);
40 DLSYM_FUNCTION(crypt_set_debug_level);
41 DLSYM_FUNCTION(crypt_set_log_callback);
42 #if HAVE_CRYPT_SET_METADATA_SIZE
43 DLSYM_FUNCTION(crypt_set_metadata_size);
44 #endif
45 DLSYM_FUNCTION(crypt_set_pbkdf_type);
46 DLSYM_FUNCTION(crypt_suspend);
47 DLSYM_FUNCTION(crypt_token_json_get);
48 DLSYM_FUNCTION(crypt_token_json_set);
49 #if HAVE_CRYPT_TOKEN_MAX
50 DLSYM_FUNCTION(crypt_token_max);
51 #endif
52 DLSYM_FUNCTION(crypt_token_status);
53 DLSYM_FUNCTION(crypt_volume_key_get);
54 #if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
55 DLSYM_FUNCTION(crypt_reencrypt_init_by_passphrase);
56 #endif
57 #if HAVE_CRYPT_REENCRYPT
58 DISABLE_WARNING_DEPRECATED_DECLARATIONS;
59 DLSYM_FUNCTION(crypt_reencrypt);
60 REENABLE_WARNING;
61 #endif
62 DLSYM_FUNCTION(crypt_metadata_locking);
63 #if HAVE_CRYPT_SET_DATA_OFFSET
64 DLSYM_FUNCTION(crypt_set_data_offset);
65 #endif
66 DLSYM_FUNCTION(crypt_header_restore);
67 DLSYM_FUNCTION(crypt_volume_key_keyring);
68
69 /* Unfortunately libcryptsetup provides neither an environment variable to redirect where to look for token
70 * modules, nor does it have an API to change the token lookup path at runtime. The maintainers suggest using
71 * ELF interposition instead (see https://gitlab.com/cryptsetup/cryptsetup/-/issues/846). Hence let's do
72 * that: let's interpose libcryptsetup's crypt_token_external_path() function with our own, that *does*
73 * honour an environment variable where to look for tokens. This is tremendously useful for debugging
74 * libcryptsetup tokens: set the environment variable to your build dir and you can easily test token modules
75 * without jumping through various hoops. */
76
77 /* Do this only on new enough compilers that actually support the "symver" attribute. Given this is a debug
78 * feature, let's simply not bother on older compilers */
79 #if BUILD_MODE_DEVELOPER && defined(__has_attribute) && __has_attribute(symver)
80 const char *my_crypt_token_external_path(void); /* prototype for our own implementation */
81
82 /* We use the "symver" attribute to mark this implementation as the default implementation, and drop the
83 * SD_SHARED namespace we by default attach to our symbols via a version script. */
84 __attribute__((symver("crypt_token_external_path@@")))
85 _public_ const char *my_crypt_token_external_path(void) {
86 const char *e;
87
88 e = secure_getenv("SYSTEMD_CRYPTSETUP_TOKEN_PATH");
89 if (e)
90 return e;
91
92 /* Now chain invoke the original implementation. */
93 if (cryptsetup_dl) {
94 typeof(crypt_token_external_path) *func;
95 func = (typeof(crypt_token_external_path)*) dlsym(cryptsetup_dl, "crypt_token_external_path");
96 if (func)
97 return func();
98 }
99
100 return NULL;
101 }
102 #endif
103
104 static void cryptsetup_log_glue(int level, const char *msg, void *usrptr) {
105
106 switch (level) {
107 case CRYPT_LOG_NORMAL:
108 level = LOG_NOTICE;
109 break;
110 case CRYPT_LOG_ERROR:
111 level = LOG_ERR;
112 break;
113 case CRYPT_LOG_VERBOSE:
114 level = LOG_INFO;
115 break;
116 case CRYPT_LOG_DEBUG:
117 level = LOG_DEBUG;
118 break;
119 default:
120 log_error("Unknown libcryptsetup log level: %d", level);
121 level = LOG_ERR;
122 }
123
124 log_full(level, "%s", msg);
125 }
126
127 void cryptsetup_enable_logging(struct crypt_device *cd) {
128 /* It's OK to call this with a NULL parameter, in which case libcryptsetup will set the default log
129 * function.
130 *
131 * Note that this is also called from dlopen_cryptsetup(), which we call here too. Sounds like an
132 * endless loop, but isn't because we break it via the check for 'cryptsetup_dl' early in
133 * dlopen_cryptsetup(). */
134
135 if (dlopen_cryptsetup() < 0)
136 return; /* If this fails, let's gracefully ignore the issue, this is just debug logging after
137 * all, and if this failed we already generated a debug log message that should help
138 * to track things down. */
139
140 sym_crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
141 sym_crypt_set_debug_level(DEBUG_LOGGING ? CRYPT_DEBUG_ALL : CRYPT_DEBUG_NONE);
142 }
143
144 int cryptsetup_set_minimal_pbkdf(struct crypt_device *cd) {
145
146 /* With CRYPT_PBKDF_NO_BENCHMARK flag set .time_ms member is ignored
147 * while .iterations must be set at least to recommended minimum value. */
148
149 static const struct crypt_pbkdf_type minimal_pbkdf = {
150 .hash = "sha512",
151 .type = CRYPT_KDF_PBKDF2,
152 .iterations = 1000, /* recommended minimum count for pbkdf2
153 * according to NIST SP 800-132, ch. 5.2 */
154 .flags = CRYPT_PBKDF_NO_BENCHMARK
155 };
156
157 int r;
158
159 /* Sets a minimal PKBDF in case we already have a high entropy key. */
160
161 r = dlopen_cryptsetup();
162 if (r < 0)
163 return r;
164
165 r = sym_crypt_set_pbkdf_type(cd, &minimal_pbkdf);
166 if (r < 0)
167 return r;
168
169 return 0;
170 }
171
172 int cryptsetup_get_token_as_json(
173 struct crypt_device *cd,
174 int idx,
175 const char *verify_type,
176 JsonVariant **ret) {
177
178 _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
179 const char *text;
180 int r;
181
182 assert(cd);
183
184 /* Extracts and parses the LUKS2 JSON token data from a LUKS2 device. Optionally verifies the type of
185 * the token. Returns:
186 *
187 * -EINVAL → token index out of range or "type" field missing
188 * -ENOENT → token doesn't exist
189 * -EMEDIUMTYPE → "verify_type" specified and doesn't match token's type
190 */
191
192 r = dlopen_cryptsetup();
193 if (r < 0)
194 return r;
195
196 r = sym_crypt_token_json_get(cd, idx, &text);
197 if (r < 0)
198 return r;
199
200 r = json_parse(text, 0, &v, NULL, NULL);
201 if (r < 0)
202 return r;
203
204 if (verify_type) {
205 JsonVariant *w;
206
207 w = json_variant_by_key(v, "type");
208 if (!w)
209 return -EINVAL;
210
211 if (!streq_ptr(json_variant_string(w), verify_type))
212 return -EMEDIUMTYPE;
213 }
214
215 if (ret)
216 *ret = TAKE_PTR(v);
217
218 return 0;
219 }
220
221 int cryptsetup_add_token_json(struct crypt_device *cd, JsonVariant *v) {
222 _cleanup_free_ char *text = NULL;
223 int r;
224
225 r = dlopen_cryptsetup();
226 if (r < 0)
227 return r;
228
229 r = json_variant_format(v, 0, &text);
230 if (r < 0)
231 return log_debug_errno(r, "Failed to format token data for LUKS: %m");
232
233 log_debug("Adding token text <%s>", text);
234
235 r = sym_crypt_token_json_set(cd, CRYPT_ANY_TOKEN, text);
236 if (r < 0)
237 return log_debug_errno(r, "Failed to write token data to LUKS: %m");
238
239 return 0;
240 }
241 #endif
242
243 int dlopen_cryptsetup(void) {
244 #if HAVE_LIBCRYPTSETUP
245 int r;
246
247 /* libcryptsetup added crypt_reencrypt() in 2.2.0, and marked it obsolete in 2.4.0, replacing it with
248 * crypt_reencrypt_run(), which takes one extra argument but is otherwise identical. The old call is
249 * still available though, and given we want to support 2.2.0 for a while longer, we'll stick to the
250 * old symbol. However, the old symbols now has a GCC deprecation decorator, hence let's turn off
251 * warnings about this for now. */
252
253 DISABLE_WARNING_DEPRECATED_DECLARATIONS;
254
255 ELF_NOTE_DLOPEN("cryptsetup",
256 "Support for disk encryption, integrity, and authentication",
257 ELF_NOTE_DLOPEN_PRIORITY_SUGGESTED,
258 "libcryptsetup.so.12");
259
260 r = dlopen_many_sym_or_warn(
261 &cryptsetup_dl, "libcryptsetup.so.12", LOG_DEBUG,
262 DLSYM_ARG(crypt_activate_by_passphrase),
263 #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
264 DLSYM_ARG(crypt_activate_by_signed_key),
265 #endif
266 DLSYM_ARG(crypt_activate_by_volume_key),
267 DLSYM_ARG(crypt_deactivate_by_name),
268 DLSYM_ARG(crypt_format),
269 DLSYM_ARG(crypt_free),
270 DLSYM_ARG(crypt_get_cipher),
271 DLSYM_ARG(crypt_get_cipher_mode),
272 DLSYM_ARG(crypt_get_data_offset),
273 DLSYM_ARG(crypt_get_device_name),
274 DLSYM_ARG(crypt_get_dir),
275 DLSYM_ARG(crypt_get_type),
276 DLSYM_ARG(crypt_get_uuid),
277 DLSYM_ARG(crypt_get_verity_info),
278 DLSYM_ARG(crypt_get_volume_key_size),
279 DLSYM_ARG(crypt_init),
280 DLSYM_ARG(crypt_init_by_name),
281 DLSYM_ARG(crypt_keyslot_add_by_volume_key),
282 DLSYM_ARG(crypt_keyslot_destroy),
283 DLSYM_ARG(crypt_keyslot_max),
284 DLSYM_ARG(crypt_load),
285 DLSYM_ARG(crypt_resize),
286 #if HAVE_CRYPT_RESUME_BY_VOLUME_KEY
287 DLSYM_ARG(crypt_resume_by_volume_key),
288 #endif
289 DLSYM_ARG(crypt_set_data_device),
290 DLSYM_ARG(crypt_set_debug_level),
291 DLSYM_ARG(crypt_set_log_callback),
292 #if HAVE_CRYPT_SET_METADATA_SIZE
293 DLSYM_ARG(crypt_set_metadata_size),
294 #endif
295 DLSYM_ARG(crypt_set_pbkdf_type),
296 DLSYM_ARG(crypt_suspend),
297 DLSYM_ARG(crypt_token_json_get),
298 DLSYM_ARG(crypt_token_json_set),
299 #if HAVE_CRYPT_TOKEN_MAX
300 DLSYM_ARG(crypt_token_max),
301 #endif
302 DLSYM_ARG(crypt_token_status),
303 DLSYM_ARG(crypt_volume_key_get),
304 #if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
305 DLSYM_ARG(crypt_reencrypt_init_by_passphrase),
306 #endif
307 #if HAVE_CRYPT_REENCRYPT
308 DLSYM_ARG(crypt_reencrypt),
309 #endif
310 DLSYM_ARG(crypt_metadata_locking),
311 #if HAVE_CRYPT_SET_DATA_OFFSET
312 DLSYM_ARG(crypt_set_data_offset),
313 #endif
314 DLSYM_ARG(crypt_header_restore),
315 DLSYM_ARG(crypt_volume_key_keyring));
316 if (r <= 0)
317 return r;
318
319 REENABLE_WARNING;
320
321 /* Redirect the default logging calls of libcryptsetup to our own logging infra. (Note that
322 * libcryptsetup also maintains per-"struct crypt_device" log functions, which we'll also set
323 * whenever allocating a "struct crypt_device" context. Why set both? To be defensive: maybe some
324 * other code loaded into this process also changes the global log functions of libcryptsetup, who
325 * knows? And if so, we still want our own objects to log via our own infra, at the very least.) */
326 cryptsetup_enable_logging(NULL);
327 return 1;
328 #else
329 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "cryptsetup support is not compiled in.");
330 #endif
331 }
332
333 int cryptsetup_get_keyslot_from_token(JsonVariant *v) {
334 int keyslot, r;
335 JsonVariant *w;
336
337 /* Parses the "keyslots" field of a LUKS2 token object. The field can be an array, but here we assume
338 * that it contains a single element only, since that's the only way we ever generate it
339 * ourselves. */
340
341 w = json_variant_by_key(v, "keyslots");
342 if (!w)
343 return -ENOENT;
344 if (!json_variant_is_array(w) || json_variant_elements(w) != 1)
345 return -EMEDIUMTYPE;
346
347 w = json_variant_by_index(w, 0);
348 if (!w)
349 return -ENOENT;
350 if (!json_variant_is_string(w))
351 return -EMEDIUMTYPE;
352
353 r = safe_atoi(json_variant_string(w), &keyslot);
354 if (r < 0)
355 return r;
356 if (keyslot < 0)
357 return -EINVAL;
358
359 return keyslot;
360 }
Unnamed repository; edit this file 'description' to name the repository.