cryptsetup: Add LUKS2 token support. 12636/head
authorMilan Broz <gmazyland@gmail.com>
Mon, 27 May 2019 07:44:14 +0000 (09:44 +0200)
committerMilan Broz <gmazyland@gmail.com>
Tue, 28 May 2019 13:49:16 +0000 (15:49 +0200)
LUKS2 supports so-called tokens. libcryptsetup internally
supports the keyring token (it tries to open the device using the
specified kernel keyring entry).
Only if all tokens fail (or none are available) does it fall back to a passphrase.

This patch aligns the functionality with the cryptsetup utility
(cryptsetup luksOpen tries tokens first) but does not replace
the systemd native ask-password function (can be used the same in
combination with this patch).

src/cryptsetup/cryptsetup.c

index 1f891764b6a6738251eec4371166caf5d1a07e63..af95b418162f6c3a6c5f6fa44f14c00794ea99ad 100644 (file)
@@ -715,6 +715,18 @@ static int run(int argc, char *argv[]) {
                                 if (r < 0)
                                         return log_error_errno(r, "Failed to set LUKS data device %s: %m", argv[3]);
                         }
+#ifdef CRYPT_ANY_TOKEN
+                        /* Tokens are available in LUKS2 only, but it is ok to call (and fail) with LUKS1. */
+                        if (!key_file) {
+                                r = crypt_activate_by_token(cd, argv[2], CRYPT_ANY_TOKEN, NULL, flags);
+                                if (r >= 0) {
+                                        log_debug("Volume %s activated with LUKS token id %i.", argv[2], r);
+                                        return 0;
+                                }
+
+                                log_debug_errno(r, "Token activation unsuccessful for device %s: %m", crypt_get_device_name(cd));
+                        }
+#endif
                 }
 
                 for (tries = 0; arg_tries == 0 || tries < arg_tries; tries++) {
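Review bot: Every failure of crypt_activate_by_token() on the added line is demoted to a debug message and silently replaced by a passphrase prompt, so an operator whose keyring token exists in the header but whose key is missing or wrong sees only an unexpected password prompt, with no visible reason. If libcryptsetup distinguishes "no usable token" (presumably -ENOENT, or -EINVAL on LUKS1, as the new comment anticipates) from a token that was found but failed to activate, the latter deserves a warning rather than a debug line, e.g. `if (r != -ENOENT && r != -EINVAL) log_warning_errno(r, "Token activation failed for %s, falling back to passphrase: %m", crypt_get_device_name(cd));` before the existing log_debug_errno. The early `return 0` on success also skips whatever post-activation work follows the passphrase loop; that is fine only if nothing after the loop applies to a token-activated volume, which cannot be confirmed from this hunk. The enclosing run() starts and ends outside the hunk.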