Split out of #37344.
/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#include "alloc-util.h"
#include "ask-password-api.h"
#include "cryptenroll-fido2.h"
#include "cryptsetup-fido2.h"
+#include "cryptsetup-util.h"
#include "fido2-util.h"
#include "glyph-util.h"
#include "hexdecoct.h"
#include "iovec-util.h"
#include "json-util.h"
#include "libfido2-util.h"
-#include "memory-util.h"
#include "pretty-print.h"
-#include "random-util.h"
+#include "string-util.h"
int load_volume_key_fido2(
struct crypt_device *cd,
void *ret_vk,
size_t *ret_vks) {
+#if HAVE_LIBFIDO2
_cleanup_(erase_and_freep) void *decrypted_key = NULL;
_cleanup_(erase_and_freep) char *passphrase = NULL;
size_t decrypted_key_size;
return log_error_errno(r, "Unlocking via FIDO2 device failed: %m");
return r;
+#else
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "FIDO2 unlocking not supported.");
+#endif
}
int enroll_fido2(
const char *salt_file,
bool parameters_in_header) {
+#if HAVE_LIBFIDO2
_cleanup_(iovec_done_erase) struct iovec salt = {};
_cleanup_(erase_and_freep) void *secret = NULL;
_cleanup_(erase_and_freep) char *base64_encoded = NULL;
log_info("New FIDO2 token enrolled as key slot %i.", keyslot);
return keyslot;
+#else
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "FIDO2 key enrollment not supported.");
+#endif
}
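Review bot: cryptenroll-fido2.c drops `#include "memory-util.h"` while both functions still declare `_cleanup_(erase_and_freep)` locals (the `decrypted_key`/`passphrase` lines in `load_volume_key_fido2` and the `secret`/`base64_encoded` lines in `enroll_fido2`), so if erase_and_freep is declared in memory-util.h it is now reached only transitively through another header. The same pattern appears in cryptenroll-pkcs11.c, where memory-util.h is removed while `enroll_pkcs11` keeps its erase_and_freep locals. Unless cryptsetup-util.h or alloc-util.h is known to provide that declaration, keeping `#include "memory-util.h"` is the include-what-you-use choice, since the erase-on-cleanup of key material depends on exactly that helper being in scope. Both function bodies are elided between the declarations and the return lines, so the rest of each function is outside the hunk.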
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
-#include <sys/types.h>
+#include "forward.h"
-#include "cryptsetup-util.h"
-#include "libfido2-util.h"
-#include "log.h"
-
-#if HAVE_LIBFIDO2
int load_volume_key_fido2(struct crypt_device *cd, const char *cd_node, const char *device, void *ret_vk, size_t *ret_vks);
int enroll_fido2(struct crypt_device *cd, const struct iovec *volume_key, const char *device, Fido2EnrollFlags lock_with, int cred_alg, const char *salt_file, bool parameters_in_header);
-
-#else
-static inline int load_volume_key_fido2(struct crypt_device *cd, const char *cd_node, const char *device, void *ret_vk, size_t *ret_vks) {
- return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
- "FIDO2 unlocking not supported.");
-}
-
-static inline int enroll_fido2(struct crypt_device *cd, const struct iovec *volume_key, const char *device, Fido2EnrollFlags lock_with, int cred_alg, const char *salt_file, bool parameters_in_header) {
- return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
- "FIDO2 key enrollment not supported.");
-}
-#endif
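Review bot: cryptenroll-fido2.h now includes only forward.h, but the `enroll_fido2` prototype still takes `Fido2EnrollFlags` by value and the libfido2-util.h include is gone, so a translation unit that includes only this header compiles only if forward.h declares that type; the same holds for `Tpm2PCRValue` in cryptenroll-tpm2.h once tpm2-util.h is dropped there. The explicit `typedef enum WipeScope WipeScope;` added to cryptenroll-wipe.h suggests that types not covered by forward.h get a local forward declaration. If Fido2EnrollFlags or Tpm2PCRValue is not in forward.h, add the matching `typedef enum Fido2EnrollFlags Fido2EnrollFlags;` or `typedef struct Tpm2PCRValue Tpm2PCRValue;` next to the forward.h include rather than relying on include order in the callers.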
#include "sd-json.h"
+#include "alloc-util.h"
#include "cryptenroll.h"
#include "cryptenroll-list.h"
+#include "cryptsetup-util.h"
#include "format-table.h"
#include "json-util.h"
#include "log.h"
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
-#include "cryptsetup-util.h"
+#include "forward.h"
int list_enrolled(struct crypt_device *cd);
/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#include "alloc-util.h"
#include "ask-password-api.h"
#include "cryptenroll-password.h"
+#include "cryptsetup-util.h"
#include "env-util.h"
#include "errno-util.h"
#include "escape.h"
#include "iovec-util.h"
#include "log.h"
-#include "memory-util.h"
#include "password-quality-util.h"
+#include "string-util.h"
#include "strv.h"
int load_volume_key_password(
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
-#include <sys/types.h>
-
-#include "cryptsetup-util.h"
+#include "forward.h"
int load_volume_key_password(struct crypt_device *cd, const char* cd_node, void *ret_vk, size_t *ret_vks);
int enroll_password(struct crypt_device *cd, const struct iovec *volume_key);
/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#include "alloc-util.h"
#include "cryptenroll-pkcs11.h"
+#include "cryptsetup-util.h"
#include "hexdecoct.h"
#include "json-util.h"
-#include "memory-util.h"
#include "openssl-util.h"
#include "pkcs11-util.h"
+#if HAVE_P11KIT && HAVE_OPENSSL
static int uri_set_private_class(const char *uri, char **ret_uri) {
_cleanup_(sym_p11_kit_uri_freep) P11KitUri *p11kit_uri = NULL;
_cleanup_free_ char *private_uri = NULL;
*ret_uri = TAKE_PTR(private_uri);
return 0;
}
+#endif
-int enroll_pkcs11(
- struct crypt_device *cd,
- const struct iovec *volume_key,
- const char *uri) {
-
+int enroll_pkcs11(struct crypt_device *cd, const struct iovec *volume_key,const char *uri) {
+#if HAVE_P11KIT && HAVE_OPENSSL
_cleanup_(erase_and_freep) void *decrypted_key = NULL;
_cleanup_(erase_and_freep) char *base64_encoded = NULL;
_cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL;
log_info("New PKCS#11 token enrolled as key slot %i.", keyslot);
return keyslot;
+#else
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "PKCS#11 key enrollment not supported.");
+#endif
}
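Review bot: the new one-line `enroll_pkcs11` signature is missing the space after the comma in `volume_key,const char *uri`; it should read `int enroll_pkcs11(struct crypt_device *cd, const struct iovec *volume_key, const char *uri) {`. The removed version used the project's one-parameter-per-line layout for this signature, and the other functions touched by this commit (`load_volume_key_fido2`, `enroll_fido2`, `load_volume_key_tpm2`, `enroll_tpm2`) still do, so restoring that form would also keep the files consistent. The function body between the `_cleanup_` declarations and the `log_info` line is outside the hunk.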
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
-#include <sys/types.h>
+#include "forward.h"
-#include "cryptsetup-util.h"
-#include "log.h"
-
-#if HAVE_P11KIT && HAVE_OPENSSL
int enroll_pkcs11(struct crypt_device *cd, const struct iovec *volume_key, const char *uri);
-#else
-static inline int enroll_pkcs11(struct crypt_device *cd, const struct iovec *volume_key, const char *uri) {
- return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
- "PKCS#11 key enrollment not supported.");
-}
-#endif
/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#include "alloc-util.h"
#include "ansi-color.h"
#include "cryptenroll-recovery.h"
+#include "cryptsetup-util.h"
#include "glyph-util.h"
#include "iovec-util.h"
#include "json-util.h"
#include "log.h"
-#include "memory-util.h"
#include "qrcode-util.h"
#include "recovery-key.h"
-#include "terminal-util.h"
int enroll_recovery(
struct crypt_device *cd,
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
-#include <sys/types.h>
-
-#include "cryptsetup-util.h"
+#include "forward.h"
int enroll_recovery(struct crypt_device *cd, const struct iovec *volume_key);
#include "ask-password-api.h"
#include "cryptenroll-tpm2.h"
#include "cryptsetup-tpm2.h"
+#include "cryptsetup-util.h"
#include "env-util.h"
#include "errno-util.h"
-#include "fileio.h"
#include "hexdecoct.h"
#include "json-util.h"
#include "log.h"
#include "memory-util.h"
#include "random-util.h"
#include "sha256.h"
+#include "strv.h"
#include "tpm2-util.h"
+#if HAVE_TPM2
static int search_policy_hash(
struct crypt_device *cd,
const struct iovec policy_hash[],
return 0;
}
+#endif
int load_volume_key_tpm2(
struct crypt_device *cd,
void *ret_vk,
size_t *ret_vks) {
+#if HAVE_TPM2
_cleanup_(iovec_done_erase) struct iovec decrypted_key = {};
_cleanup_(erase_and_freep) char *passphrase = NULL;
ssize_t passphrase_size;
return log_error_errno(r, "Unlocking via TPM2 device failed: %m");
return r;
+#else
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "TPM2 unlocking not supported.");
+#endif
}
int enroll_tpm2(struct crypt_device *cd,
const char *pcrlock_path,
int *ret_slot_to_wipe) {
+#if HAVE_TPM2
_cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL, *signature_json = NULL;
_cleanup_(erase_and_freep) char *base64_encoded = NULL;
_cleanup_(iovec_done) struct iovec srk = {}, pubkey = {};
*ret_slot_to_wipe = slot_to_wipe;
return keyslot;
+#else
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "TPM2 key enrollment not supported.");
+#endif
}
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
-#include <sys/types.h>
+#include "forward.h"
-#include "cryptsetup-util.h"
-#include "log.h"
-#include "tpm2-util.h"
-
-#if HAVE_TPM2
int load_volume_key_tpm2(struct crypt_device *cd, const char *cd_node, const char *device, void *ret_vk, size_t *ret_vks);
int enroll_tpm2(struct crypt_device *cd, const struct iovec *volume_key, const char *device, uint32_t seal_key_handle, const char *device_key, Tpm2PCRValue *hash_pcr_values, size_t n_hash_pcr_values, const char *pubkey_path, bool load_pcr_pubkey, uint32_t pubkey_pcr_mask, const char *signature_path, bool use_pin, const char *pcrlock_path, int *ret_slot_to_wipe);
-#else
-static inline int load_volume_key_tpm2(struct crypt_device *cd, const char *cd_node, const char *device, void *ret_vk, size_t *ret_vks) {
- return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
- "TPM2 unlocking not supported.");
-}
-
-static inline int enroll_tpm2(struct crypt_device *cd, const struct iovec *volume_key, const char *device, uint32_t seal_key_handle, const char *device_key, Tpm2PCRValue *hash_pcr_values, size_t n_hash_pcr_values, const char *pubkey_path, bool load_pcr_pubkey, uint32_t pubkey_pcr_mask, const char *signature_path, bool use_pin, const char *pcrlock_path, int *ret_slot_to_wipe) {
- return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
- "TPM2 key enrollment not supported.");
-}
-#endif
/* SPDX-License-Identifier: LGPL-2.1-or-later */
-#include "sd-json.h"
-
+#include "alloc-util.h"
#include "cryptenroll.h"
#include "cryptenroll-wipe.h"
+#include "cryptsetup-util.h"
#include "json-util.h"
#include "log.h"
-#include "memory-util.h"
#include "parse-util.h"
#include "set.h"
#include "sort-util.h"
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
-#include "cryptenroll.h"
-#include "cryptsetup-util.h"
+#include "forward.h"
+
+typedef enum WipeScope WipeScope;
int wipe_slots(struct crypt_device *cd,
const int explicit_slots[],
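Review bot: `typedef enum WipeScope WipeScope;` forward-references an enum whose definition is elsewhere, which ISO C11 (6.7.2.3) does not allow; GCC and Clang accept it as an extension and only warn under -Wpedantic. The `wipe_slots` prototype that follows is cut off past this hunk, so whether it takes a `WipeScope` parameter by value cannot be seen here. If the project already uses this forward-enum form in forward.h the line is consistent with it; otherwise keeping `#include "cryptenroll.h"` here is the portable choice, since it makes the enum complete where the prototype uses it.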
#include <getopt.h>
#include <sys/mman.h>
-#include "ask-password-api.h"
+#include "sd-device.h"
+
#include "blockdev-list.h"
#include "blockdev-util.h"
#include "build.h"
#include "cryptenroll-tpm2.h"
#include "cryptenroll-wipe.h"
#include "cryptsetup-util.h"
-#include "devnum-util.h"
-#include "env-util.h"
-#include "escape.h"
#include "extract-word.h"
#include "fileio.h"
#include "libfido2-util.h"
+#include "log.h"
#include "main-func.h"
-#include "memory-util.h"
#include "pager.h"
#include "parse-argument.h"
#include "parse-util.h"
-#include "path-util.h"
#include "pkcs11-util.h"
#include "pretty-print.h"
#include "string-table.h"
-#include "strv.h"
-#include "terminal-util.h"
+#include "string-util.h"
#include "tpm2-pcr.h"
+#include "tpm2-util.h"
static EnrollType arg_enroll_type = _ENROLL_TYPE_INVALID;
static char *arg_unlock_keyfile = NULL;
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
-#include <errno.h>
+#include "forward.h"
typedef enum EnrollType {
ENROLL_PASSWORD,
endif
systemd_cryptenroll_sources = files(
+ 'cryptenroll.c',
+ 'cryptenroll-fido2.c',
'cryptenroll-list.c',
'cryptenroll-password.c',
+ 'cryptenroll-pkcs11.c',
'cryptenroll-recovery.c',
+ 'cryptenroll-tpm2.c',
'cryptenroll-wipe.c',
- 'cryptenroll.c',
)
-if conf.get('HAVE_P11KIT') == 1 and conf.get('HAVE_OPENSSL') == 1
- systemd_cryptenroll_sources += files('cryptenroll-pkcs11.c')
-endif
-
-if conf.get('HAVE_LIBFIDO2') == 1
- systemd_cryptenroll_sources += files('cryptenroll-fido2.c')
-endif
-
-if conf.get('HAVE_TPM2') == 1
- systemd_cryptenroll_sources += files('cryptenroll-tpm2.c')
-endif
-
executables += [
executable_template + {
'name' : 'systemd-cryptenroll',