#if HAVE_LIBCRYPTSETUP
static void *cryptsetup_dl = NULL;
-int (*sym_crypt_activate_by_passphrase)(struct crypt_device *cd, const char *name, int keyslot, const char *passphrase, size_t passphrase_size, uint32_t flags);
+DLSYM_PROTOTYPE(crypt_activate_by_passphrase) = NULL;
#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
-int (*sym_crypt_activate_by_signed_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, const char *signature, size_t signature_size, uint32_t flags);
+DLSYM_PROTOTYPE(crypt_activate_by_signed_key) = NULL;
#endif
-int (*sym_crypt_activate_by_volume_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, uint32_t flags);
-int (*sym_crypt_deactivate_by_name)(struct crypt_device *cd, const char *name, uint32_t flags);
-int (*sym_crypt_format)(struct crypt_device *cd, const char *type, const char *cipher, const char *cipher_mode, const char *uuid, const char *volume_key, size_t volume_key_size, void *params);
-void (*sym_crypt_free)(struct crypt_device *cd);
-const char *(*sym_crypt_get_cipher)(struct crypt_device *cd);
-const char *(*sym_crypt_get_cipher_mode)(struct crypt_device *cd);
-uint64_t (*sym_crypt_get_data_offset)(struct crypt_device *cd);
-const char *(*sym_crypt_get_device_name)(struct crypt_device *cd);
-const char *(*sym_crypt_get_dir)(void);
-const char *(*sym_crypt_get_type)(struct crypt_device *cd);
-const char *(*sym_crypt_get_uuid)(struct crypt_device *cd);
-int (*sym_crypt_get_verity_info)(struct crypt_device *cd, struct crypt_params_verity *vp);
-int (*sym_crypt_get_volume_key_size)(struct crypt_device *cd);
-int (*sym_crypt_init)(struct crypt_device **cd, const char *device);
-int (*sym_crypt_init_by_name)(struct crypt_device **cd, const char *name);
-int (*sym_crypt_keyslot_add_by_volume_key)(struct crypt_device *cd, int keyslot, const char *volume_key, size_t volume_key_size, const char *passphrase, size_t passphrase_size);
-int (*sym_crypt_keyslot_destroy)(struct crypt_device *cd, int keyslot);
-int (*sym_crypt_keyslot_max)(const char *type);
-int (*sym_crypt_load)(struct crypt_device *cd, const char *requested_type, void *params);
-int (*sym_crypt_resize)(struct crypt_device *cd, const char *name, uint64_t new_size);
-int (*sym_crypt_resume_by_passphrase)(struct crypt_device *cd, const char *name, int keyslot, const char *passphrase, size_t passphrase_size);
-int (*sym_crypt_set_data_device)(struct crypt_device *cd, const char *device);
-void (*sym_crypt_set_debug_level)(int level);
-void (*sym_crypt_set_log_callback)(struct crypt_device *cd, void (*log)(int level, const char *msg, void *usrptr), void *usrptr);
+DLSYM_PROTOTYPE(crypt_activate_by_volume_key) = NULL;
+DLSYM_PROTOTYPE(crypt_deactivate_by_name) = NULL;
+DLSYM_PROTOTYPE(crypt_format) = NULL;
+DLSYM_PROTOTYPE(crypt_free) = NULL;
+DLSYM_PROTOTYPE(crypt_get_cipher) = NULL;
+DLSYM_PROTOTYPE(crypt_get_cipher_mode) = NULL;
+DLSYM_PROTOTYPE(crypt_get_data_offset) = NULL;
+DLSYM_PROTOTYPE(crypt_get_device_name) = NULL;
+DLSYM_PROTOTYPE(crypt_get_dir) = NULL;
+DLSYM_PROTOTYPE(crypt_get_type) = NULL;
+DLSYM_PROTOTYPE(crypt_get_uuid) = NULL;
+DLSYM_PROTOTYPE(crypt_get_verity_info) = NULL;
+DLSYM_PROTOTYPE(crypt_get_volume_key_size) = NULL;
+DLSYM_PROTOTYPE(crypt_init) = NULL;
+DLSYM_PROTOTYPE(crypt_init_by_name) = NULL;
+DLSYM_PROTOTYPE(crypt_keyslot_add_by_volume_key) = NULL;
+DLSYM_PROTOTYPE(crypt_keyslot_destroy) = NULL;
+DLSYM_PROTOTYPE(crypt_keyslot_max) = NULL;
+DLSYM_PROTOTYPE(crypt_load) = NULL;
+DLSYM_PROTOTYPE(crypt_resize) = NULL;
+#if HAVE_CRYPT_RESUME_BY_VOLUME_KEY
+DLSYM_PROTOTYPE(crypt_resume_by_volume_key) = NULL;
+#endif
+DLSYM_PROTOTYPE(crypt_set_data_device) = NULL;
+DLSYM_PROTOTYPE(crypt_set_debug_level) = NULL;
+DLSYM_PROTOTYPE(crypt_set_log_callback) = NULL;
#if HAVE_CRYPT_SET_METADATA_SIZE
-int (*sym_crypt_set_metadata_size)(struct crypt_device *cd, uint64_t metadata_size, uint64_t keyslots_size);
+DLSYM_PROTOTYPE(crypt_set_metadata_size) = NULL;
#endif
-int (*sym_crypt_set_pbkdf_type)(struct crypt_device *cd, const struct crypt_pbkdf_type *pbkdf);
-int (*sym_crypt_suspend)(struct crypt_device *cd, const char *name);
-int (*sym_crypt_token_json_get)(struct crypt_device *cd, int token, const char **json);
-int (*sym_crypt_token_json_set)(struct crypt_device *cd, int token, const char *json);
+DLSYM_PROTOTYPE(crypt_set_pbkdf_type) = NULL;
+DLSYM_PROTOTYPE(crypt_suspend) = NULL;
+DLSYM_PROTOTYPE(crypt_token_json_get) = NULL;
+DLSYM_PROTOTYPE(crypt_token_json_set) = NULL;
#if HAVE_CRYPT_TOKEN_MAX
-int (*sym_crypt_token_max)(const char *type);
+DLSYM_PROTOTYPE(crypt_token_max) = NULL;
#endif
-crypt_token_info (*sym_crypt_token_status)(struct crypt_device *cd, int token, const char **type);
-int (*sym_crypt_volume_key_get)(struct crypt_device *cd, int keyslot, char *volume_key, size_t *volume_key_size, const char *passphrase, size_t passphrase_size);
-
-int dlopen_cryptsetup(void) {
- int r;
-
- r = dlopen_many_sym_or_warn(
- &cryptsetup_dl, "libcryptsetup.so.12", LOG_DEBUG,
- DLSYM_ARG(crypt_activate_by_passphrase),
-#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
- DLSYM_ARG(crypt_activate_by_signed_key),
+#if HAVE_CRYPT_TOKEN_SET_EXTERNAL_PATH
+DLSYM_PROTOTYPE(crypt_token_set_external_path) = NULL;
#endif
- DLSYM_ARG(crypt_activate_by_volume_key),
- DLSYM_ARG(crypt_deactivate_by_name),
- DLSYM_ARG(crypt_format),
- DLSYM_ARG(crypt_free),
- DLSYM_ARG(crypt_get_cipher),
- DLSYM_ARG(crypt_get_cipher_mode),
- DLSYM_ARG(crypt_get_data_offset),
- DLSYM_ARG(crypt_get_device_name),
- DLSYM_ARG(crypt_get_dir),
- DLSYM_ARG(crypt_get_type),
- DLSYM_ARG(crypt_get_uuid),
- DLSYM_ARG(crypt_get_verity_info),
- DLSYM_ARG(crypt_get_volume_key_size),
- DLSYM_ARG(crypt_init),
- DLSYM_ARG(crypt_init_by_name),
- DLSYM_ARG(crypt_keyslot_add_by_volume_key),
- DLSYM_ARG(crypt_keyslot_destroy),
- DLSYM_ARG(crypt_keyslot_max),
- DLSYM_ARG(crypt_load),
- DLSYM_ARG(crypt_resize),
- DLSYM_ARG(crypt_resume_by_passphrase),
- DLSYM_ARG(crypt_set_data_device),
- DLSYM_ARG(crypt_set_debug_level),
- DLSYM_ARG(crypt_set_log_callback),
-#if HAVE_CRYPT_SET_METADATA_SIZE
- DLSYM_ARG(crypt_set_metadata_size),
+DLSYM_PROTOTYPE(crypt_token_status) = NULL;
+DLSYM_PROTOTYPE(crypt_volume_key_get) = NULL;
+#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
+DLSYM_PROTOTYPE(crypt_reencrypt_init_by_passphrase) = NULL;
#endif
- DLSYM_ARG(crypt_set_pbkdf_type),
- DLSYM_ARG(crypt_suspend),
- DLSYM_ARG(crypt_token_json_get),
- DLSYM_ARG(crypt_token_json_set),
-#if HAVE_CRYPT_TOKEN_MAX
- DLSYM_ARG(crypt_token_max),
+#if HAVE_CRYPT_REENCRYPT_RUN
+DLSYM_PROTOTYPE(crypt_reencrypt_run);
+#elif HAVE_CRYPT_REENCRYPT
+DLSYM_PROTOTYPE(crypt_reencrypt);
#endif
- DLSYM_ARG(crypt_token_status),
- DLSYM_ARG(crypt_volume_key_get));
- if (r <= 0)
- return r;
-
- /* Redirect the default logging calls of libcryptsetup to our own logging infra. (Note that
- * libcryptsetup also maintains per-"struct crypt_device" log functions, which we'll also set
- * whenever allocating a "struct crypt_device" context. Why set both? To be defensive: maybe some
- * other code loaded into this process also changes the global log functions of libcryptsetup, who
- * knows? And if so, we still want our own objects to log via our own infra, at the very least.) */
- cryptsetup_enable_logging(NULL);
- return 1;
-}
+DLSYM_PROTOTYPE(crypt_metadata_locking) = NULL;
+#if HAVE_CRYPT_SET_DATA_OFFSET
+DLSYM_PROTOTYPE(crypt_set_data_offset) = NULL;
+#endif
+DLSYM_PROTOTYPE(crypt_header_restore) = NULL;
+DLSYM_PROTOTYPE(crypt_volume_key_keyring) = NULL;
static void cryptsetup_log_glue(int level, const char *msg, void *usrptr) {
struct crypt_device *cd,
int idx,
const char *verify_type,
- JsonVariant **ret) {
+ sd_json_variant **ret) {
- _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
+ _cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL;
const char *text;
int r;
if (r < 0)
return r;
- r = json_parse(text, 0, &v, NULL, NULL);
+ r = sd_json_parse(text, 0, &v, NULL, NULL);
if (r < 0)
return r;
if (verify_type) {
- JsonVariant *w;
+ sd_json_variant *w;
- w = json_variant_by_key(v, "type");
+ w = sd_json_variant_by_key(v, "type");
if (!w)
return -EINVAL;
- if (!streq_ptr(json_variant_string(w), verify_type))
+ if (!streq_ptr(sd_json_variant_string(w), verify_type))
return -EMEDIUMTYPE;
}
return 0;
}
-int cryptsetup_add_token_json(struct crypt_device *cd, JsonVariant *v) {
+int cryptsetup_add_token_json(struct crypt_device *cd, sd_json_variant *v) {
_cleanup_free_ char *text = NULL;
int r;
if (r < 0)
return r;
- r = json_variant_format(v, 0, &text);
+ r = sd_json_variant_format(v, 0, &text);
if (r < 0)
return log_debug_errno(r, "Failed to format token data for LUKS: %m");
}
#endif
-int cryptsetup_get_keyslot_from_token(JsonVariant *v) {
+int dlopen_cryptsetup(void) {
+#if HAVE_LIBCRYPTSETUP
+ int r;
+
+ /* libcryptsetup added crypt_reencrypt() in 2.2.0, and marked it obsolete in 2.4.0, replacing it with
+ * crypt_reencrypt_run(), which takes one extra argument but is otherwise identical. The old call is
+ * still available though, and given we want to support 2.2.0 for a while longer, we'll use the old
+ * symbol if the new one is not available. */
+
+ ELF_NOTE_DLOPEN("cryptsetup",
+ "Support for disk encryption, integrity, and authentication",
+ ELF_NOTE_DLOPEN_PRIORITY_SUGGESTED,
+ "libcryptsetup.so.12");
+
+ r = dlopen_many_sym_or_warn(
+ &cryptsetup_dl, "libcryptsetup.so.12", LOG_DEBUG,
+ DLSYM_ARG(crypt_activate_by_passphrase),
+#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
+ DLSYM_ARG(crypt_activate_by_signed_key),
+#endif
+ DLSYM_ARG(crypt_activate_by_volume_key),
+ DLSYM_ARG(crypt_deactivate_by_name),
+ DLSYM_ARG(crypt_format),
+ DLSYM_ARG(crypt_free),
+ DLSYM_ARG(crypt_get_cipher),
+ DLSYM_ARG(crypt_get_cipher_mode),
+ DLSYM_ARG(crypt_get_data_offset),
+ DLSYM_ARG(crypt_get_device_name),
+ DLSYM_ARG(crypt_get_dir),
+ DLSYM_ARG(crypt_get_type),
+ DLSYM_ARG(crypt_get_uuid),
+ DLSYM_ARG(crypt_get_verity_info),
+ DLSYM_ARG(crypt_get_volume_key_size),
+ DLSYM_ARG(crypt_init),
+ DLSYM_ARG(crypt_init_by_name),
+ DLSYM_ARG(crypt_keyslot_add_by_volume_key),
+ DLSYM_ARG(crypt_keyslot_destroy),
+ DLSYM_ARG(crypt_keyslot_max),
+ DLSYM_ARG(crypt_load),
+ DLSYM_ARG(crypt_resize),
+#if HAVE_CRYPT_RESUME_BY_VOLUME_KEY
+ DLSYM_ARG(crypt_resume_by_volume_key),
+#endif
+ DLSYM_ARG(crypt_set_data_device),
+ DLSYM_ARG(crypt_set_debug_level),
+ DLSYM_ARG(crypt_set_log_callback),
+#if HAVE_CRYPT_SET_METADATA_SIZE
+ DLSYM_ARG(crypt_set_metadata_size),
+#endif
+ DLSYM_ARG(crypt_set_pbkdf_type),
+ DLSYM_ARG(crypt_suspend),
+ DLSYM_ARG(crypt_token_json_get),
+ DLSYM_ARG(crypt_token_json_set),
+#if HAVE_CRYPT_TOKEN_MAX
+ DLSYM_ARG(crypt_token_max),
+#endif
+#if HAVE_CRYPT_TOKEN_SET_EXTERNAL_PATH
+ DLSYM_ARG(crypt_token_set_external_path),
+#endif
+ DLSYM_ARG(crypt_token_status),
+ DLSYM_ARG(crypt_volume_key_get),
+#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
+ DLSYM_ARG(crypt_reencrypt_init_by_passphrase),
+#endif
+#if HAVE_CRYPT_REENCRYPT_RUN
+ DLSYM_ARG(crypt_reencrypt_run),
+#elif HAVE_CRYPT_REENCRYPT
+ DLSYM_ARG(crypt_reencrypt),
+#endif
+ DLSYM_ARG(crypt_metadata_locking),
+#if HAVE_CRYPT_SET_DATA_OFFSET
+ DLSYM_ARG(crypt_set_data_offset),
+#endif
+ DLSYM_ARG(crypt_header_restore),
+ DLSYM_ARG(crypt_volume_key_keyring));
+ if (r <= 0)
+ return r;
+
+ /* Redirect the default logging calls of libcryptsetup to our own logging infra. (Note that
+ * libcryptsetup also maintains per-"struct crypt_device" log functions, which we'll also set
+ * whenever allocating a "struct crypt_device" context. Why set both? To be defensive: maybe some
+ * other code loaded into this process also changes the global log functions of libcryptsetup, who
+ * knows? And if so, we still want our own objects to log via our own infra, at the very least.) */
+ cryptsetup_enable_logging(NULL);
+
+ const char *e = secure_getenv("SYSTEMD_CRYPTSETUP_TOKEN_PATH");
+ if (e) {
+#if HAVE_CRYPT_TOKEN_SET_EXTERNAL_PATH
+ r = sym_crypt_token_set_external_path(e);
+ if (r < 0)
+ log_debug_errno(r, "Failed to set the libcryptsetup external token path to '%s', ignoring: %m", e);
+#else
+ log_debug("libcryptsetup version does not support setting the external token path, not setting it to '%s'.", e);
+#endif
+ }
+
+ return 1;
+#else
+ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "cryptsetup support is not compiled in.");
+#endif
+}
+
+int cryptsetup_get_keyslot_from_token(sd_json_variant *v) {
int keyslot, r;
- JsonVariant *w;
+ sd_json_variant *w;
/* Parses the "keyslots" field of a LUKS2 token object. The field can be an array, but here we assume
* that it contains a single element only, since that's the only way we ever generate it
* ourselves. */
- w = json_variant_by_key(v, "keyslots");
+ w = sd_json_variant_by_key(v, "keyslots");
if (!w)
return -ENOENT;
- if (!json_variant_is_array(w) || json_variant_elements(w) != 1)
+ if (!sd_json_variant_is_array(w) || sd_json_variant_elements(w) != 1)
return -EMEDIUMTYPE;
- w = json_variant_by_index(w, 0);
+ w = sd_json_variant_by_index(w, 0);
if (!w)
return -ENOENT;
- if (!json_variant_is_string(w))
+ if (!sd_json_variant_is_string(w))
return -EMEDIUMTYPE;
- r = safe_atoi(json_variant_string(w), &keyslot);
+ r = safe_atoi(sd_json_variant_string(w), &keyslot);
if (r < 0)
return r;
if (keyslot < 0)