From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 4 Nov 2020 16:22:39 +0000 (+0100)
Subject: cryptsetup: port PKCS#11 code to read key file with read_full_file()
X-Git-Tag: v248-rc1~615^2~5
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4d1bb8f39702630c52d6b3599e4fc96ee31b84aa;p=thirdparty%2Fsystemd.git

cryptsetup: port PKCS#11 code to read key file with read_full_file()

Now that we can read from offsets/with size, let's port the cryptsetup
PKCS#11 key file logic over to read_full_file_full().
---

diff --git a/src/cryptsetup/cryptsetup-pkcs11.c b/src/cryptsetup/cryptsetup-pkcs11.c
index 50db46f8d1b..b645ff28e01 100644
--- a/src/cryptsetup/cryptsetup-pkcs11.c
+++ b/src/cryptsetup/cryptsetup-pkcs11.c
@@ -10,13 +10,14 @@
 #include "alloc-util.h"
 #include "ask-password-api.h"
 #include "cryptsetup-pkcs11.h"
-#include "cryptsetup-keyfile.h"
 #include "escape.h"
 #include "fd-util.h"
+#include "fileio.h"
 #include "format-util.h"
 #include "macro.h"
 #include "memory-util.h"
 #include "pkcs11-util.h"
+#include "random-util.h"
 #include "stat-util.h"
 #include "strv.h"
 
@@ -95,6 +96,7 @@ static int pkcs11_callback(
 }
 
 int decrypt_pkcs11_key(
+                const char *volume_name,
                 const char *friendly_name,
                 const char *pkcs11_uri,
                 const char *key_file,         /* We either expect key_file and associated parameters to be set (for file keys) … */
@@ -126,7 +128,19 @@ int decrypt_pkcs11_key(
 
                 data.free_encrypted_key = false;
         } else {
-                r = load_key_file(key_file, NULL, key_file_size, key_file_offset, &data.encrypted_key, &data.encrypted_key_size);
+                _cleanup_free_ char *bindname = NULL;
+
+                /* If we read the key via AF_UNIX, make this client recognizable */
+                if (asprintf(&bindname, "@%" PRIx64"/cryptsetup-pkcs11/%s", random_u64(), volume_name) < 0)
+                        return log_oom();
+
+                r = read_full_file_full(
+                                AT_FDCWD, key_file,
+                                key_file_offset == 0 ? UINT64_MAX : key_file_offset,
+                                key_file_size == 0 ? SIZE_MAX : key_file_size,
+                                READ_FULL_FILE_CONNECT_SOCKET,
+                                bindname,
+                                (char**) &data.encrypted_key, &data.encrypted_key_size);
                 if (r < 0)
                         return r;
 
diff --git a/src/cryptsetup/cryptsetup-pkcs11.h b/src/cryptsetup/cryptsetup-pkcs11.h
index 266c8e1b3e6..522ed28bd3c 100644
--- a/src/cryptsetup/cryptsetup-pkcs11.h
+++ b/src/cryptsetup/cryptsetup-pkcs11.h
@@ -9,6 +9,7 @@
 #if HAVE_P11KIT
 
 int decrypt_pkcs11_key(
+                const char *volume_name,
                 const char *friendly_name,
                 const char *pkcs11_uri,
                 const char *key_file,
@@ -23,6 +24,7 @@ int decrypt_pkcs11_key(
 #else
 
 static inline int decrypt_pkcs11_key(
+                const char *volume_name,
                 const char *friendly_name,
                 const char *pkcs11_uri,
                 const char *key_file,
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 5f9d7bb3bbb..7f95749f2fa 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -636,6 +636,7 @@ static int attach_luks_or_plain_or_bitlk(
                         bool processed = false;
 
                         r = decrypt_pkcs11_key(
+                                        name,
                                         friendly,
                                         arg_pkcs11_uri,
                                         key_file, arg_keyfile_size, arg_keyfile_offset,