From f8c33b1274057500fbceb3cd1888ce48823ac51e Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Sun, 26 Oct 2025 13:12:01 +0900 Subject: [PATCH] libcryptsetup: drop several unnecessary checks for existences of functions by libcryptsetyp The functions crypt_set_metadata_size() and friends are supported since libcryptsetup-2.0. This also merges checks for functions used for supporting libcryptsetup plugins with others. Moreover, check existence of one more function (crypt_logf) that is used in libcryptsetup plugins. --- meson.build | 60 +++++++++++------------------------ src/home/homework-luks.c | 2 -- src/repart/repart.c | 2 +- src/shared/cryptsetup-util.c | 24 ++------------ src/shared/cryptsetup-util.h | 12 +------ src/shared/dissect-image.c | 8 ----- src/veritysetup/veritysetup.c | 8 ----- 7 files changed, 22 insertions(+), 94 deletions(-) diff --git a/meson.build b/meson.build index 8bd21e64373..24efc9f7c3b 100644 --- a/meson.build +++ b/meson.build @@ -1247,53 +1247,30 @@ libcryptsetup = dependency('libcryptsetup', libcryptsetup_cflags = libcryptsetup.partial_dependency(includes: true, compile_args: true) have = libcryptsetup.found() -foreach ident : ['crypt_set_metadata_size', - 'crypt_activate_by_signed_key', - 'crypt_token_max', - 'crypt_reencrypt_init_by_passphrase', - 'crypt_reencrypt', - 'crypt_reencrypt_run', - 'crypt_set_data_offset', - 'crypt_set_keyring_to_link', - 'crypt_resume_by_volume_key', - 'crypt_token_set_external_path'] +conf.set10('HAVE_LIBCRYPTSETUP', have) + +foreach ident : [ + 'crypt_activate_by_token_pin', # 2.4 + 'crypt_logf', # 2.4 + 'crypt_reencrypt_run', # 2.4 + 'crypt_token_external_path', # 2.4 + 'crypt_token_max', # 2.4 + 'crypt_set_keyring_to_link', # 2.7 + 'crypt_token_set_external_path', # 2.7 + ] + have_ident = have and cc.has_function( ident, prefix : '#include ', - # crypt_reencrypt() raises a deprecation warning so make sure -Wno-deprecated-declarations is - # specified otherwise we fail to detect crypt_reencrypt() if -Werror is used. - args : '-Wno-deprecated-declarations', dependencies : libcryptsetup) conf.set10('HAVE_' + ident.to_upper(), have_ident) endforeach -conf.set10('HAVE_LIBCRYPTSETUP', have) -if meson.version().version_compare('>=1.3.0') - have = (cc.has_function( - 'crypt_activate_by_token_pin', - prefix : '#include ', - dependencies : libcryptsetup, - required : libcryptsetup_plugins) and - cc.has_function( - 'crypt_token_external_path', - prefix : '#include ', - dependencies : libcryptsetup, - required : libcryptsetup_plugins)) -else - if libcryptsetup_plugins.allowed() - have = (cc.has_function( - 'crypt_activate_by_token_pin', - prefix : '#include ', - dependencies : libcryptsetup) and - cc.has_function( - 'crypt_token_external_path', - prefix : '#include ', - dependencies : libcryptsetup)) - else - have = false - endif -endif -conf.set10('HAVE_LIBCRYPTSETUP_PLUGINS', have) +conf.set10('HAVE_LIBCRYPTSETUP_PLUGINS', + libcryptsetup_plugins.allowed() and + conf.get('HAVE_CRYPT_ACTIVATE_BY_TOKEN_PIN') == 1 and + conf.get('HAVE_CRYPT_LOGF') == 1 and + conf.get('HAVE_CRYPT_TOKEN_EXTERNAL_PATH') == 1) libcurl = dependency('libcurl', version : '>= 7.32.0', @@ -1589,8 +1566,7 @@ conf.set10('ENABLE_IMPORTD', have) have = get_option('homed').require( conf.get('HAVE_OPENSSL') == 1 and conf.get('HAVE_LIBFDISK') == 1 and - conf.get('HAVE_LIBCRYPTSETUP') == 1 and - conf.get('HAVE_CRYPT_RESUME_BY_VOLUME_KEY') == 1, + conf.get('HAVE_LIBCRYPTSETUP') == 1, error_message : 'openssl, fdisk and libcryptsetup required').allowed() conf.set10('ENABLE_HOMED', have) diff --git a/src/home/homework-luks.c b/src/home/homework-luks.c index 25b3c191dda..4cecc9d264c 100644 --- a/src/home/homework-luks.c +++ b/src/home/homework-luks.c @@ -1788,12 +1788,10 @@ static int luks_format( if (r < 0) return log_error_errno(r, "Failed to generate volume key: %m"); -#if HAVE_CRYPT_SET_METADATA_SIZE /* Increase the metadata space to 4M, the largest LUKS2 supports */ r = sym_crypt_set_metadata_size(cd, 4096U*1024U, 0); if (r < 0) return log_error_errno(r, "Failed to change LUKS2 metadata size: %m"); -#endif build_good_pbkdf(&good_pbkdf, hr); build_minimal_pbkdf(&minimal_pbkdf, hr); diff --git a/src/repart/repart.c b/src/repart/repart.c index 1ca825f39dc..b5e54e6f27f 100644 --- a/src/repart/repart.c +++ b/src/repart/repart.c @@ -4809,7 +4809,7 @@ static int partition_target_sync(Context *context, Partition *p, PartitionTarget } static int partition_encrypt(Context *context, Partition *p, PartitionTarget *target, bool offline) { -#if HAVE_LIBCRYPTSETUP && HAVE_CRYPT_SET_DATA_OFFSET && HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE && (HAVE_CRYPT_REENCRYPT_RUN || HAVE_CRYPT_REENCRYPT) +#if HAVE_LIBCRYPTSETUP const char *node = partition_target_path(target); struct crypt_params_luks2 luks_params = { .label = strempty(ASSERT_PTR(p)->new_label), diff --git a/src/shared/cryptsetup-util.c b/src/shared/cryptsetup-util.c index b8281679dc3..9ff9cfb6e6d 100644 --- a/src/shared/cryptsetup-util.c +++ b/src/shared/cryptsetup-util.c @@ -16,9 +16,7 @@ static void *cryptsetup_dl = NULL; DLSYM_PROTOTYPE(crypt_activate_by_passphrase) = NULL; -#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY DLSYM_PROTOTYPE(crypt_activate_by_signed_key) = NULL; -#endif DLSYM_PROTOTYPE(crypt_activate_by_volume_key) = NULL; DLSYM_PROTOTYPE(crypt_deactivate_by_name) = NULL; DLSYM_PROTOTYPE(crypt_format) = NULL; @@ -39,15 +37,11 @@ DLSYM_PROTOTYPE(crypt_keyslot_destroy) = NULL; DLSYM_PROTOTYPE(crypt_keyslot_max) = NULL; DLSYM_PROTOTYPE(crypt_load) = NULL; DLSYM_PROTOTYPE(crypt_resize) = NULL; -#if HAVE_CRYPT_RESUME_BY_VOLUME_KEY DLSYM_PROTOTYPE(crypt_resume_by_volume_key) = NULL; -#endif DLSYM_PROTOTYPE(crypt_set_data_device) = NULL; DLSYM_PROTOTYPE(crypt_set_debug_level) = NULL; DLSYM_PROTOTYPE(crypt_set_log_callback) = NULL; -#if HAVE_CRYPT_SET_METADATA_SIZE DLSYM_PROTOTYPE(crypt_set_metadata_size) = NULL; -#endif DLSYM_PROTOTYPE(crypt_set_pbkdf_type) = NULL; DLSYM_PROTOTYPE(crypt_suspend) = NULL; DLSYM_PROTOTYPE(crypt_token_json_get) = NULL; @@ -66,18 +60,14 @@ DLSYM_PROTOTYPE(crypt_token_set_external_path) = NULL; #endif DLSYM_PROTOTYPE(crypt_token_status) = NULL; DLSYM_PROTOTYPE(crypt_volume_key_get) = NULL; -#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE DLSYM_PROTOTYPE(crypt_reencrypt_init_by_passphrase) = NULL; -#endif #if HAVE_CRYPT_REENCRYPT_RUN DLSYM_PROTOTYPE(crypt_reencrypt_run); -#elif HAVE_CRYPT_REENCRYPT +#else DLSYM_PROTOTYPE(crypt_reencrypt); #endif DLSYM_PROTOTYPE(crypt_metadata_locking) = NULL; -#if HAVE_CRYPT_SET_DATA_OFFSET DLSYM_PROTOTYPE(crypt_set_data_offset) = NULL; -#endif DLSYM_PROTOTYPE(crypt_header_restore) = NULL; DLSYM_PROTOTYPE(crypt_volume_key_keyring) = NULL; @@ -237,9 +227,7 @@ int dlopen_cryptsetup(void) { r = dlopen_many_sym_or_warn( &cryptsetup_dl, "libcryptsetup.so.12", LOG_DEBUG, DLSYM_ARG(crypt_activate_by_passphrase), -#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY DLSYM_ARG(crypt_activate_by_signed_key), -#endif DLSYM_ARG(crypt_activate_by_volume_key), DLSYM_ARG(crypt_deactivate_by_name), DLSYM_ARG(crypt_format), @@ -260,15 +248,11 @@ int dlopen_cryptsetup(void) { DLSYM_ARG(crypt_keyslot_max), DLSYM_ARG(crypt_load), DLSYM_ARG(crypt_resize), -#if HAVE_CRYPT_RESUME_BY_VOLUME_KEY DLSYM_ARG(crypt_resume_by_volume_key), -#endif DLSYM_ARG(crypt_set_data_device), DLSYM_ARG(crypt_set_debug_level), DLSYM_ARG(crypt_set_log_callback), -#if HAVE_CRYPT_SET_METADATA_SIZE DLSYM_ARG(crypt_set_metadata_size), -#endif DLSYM_ARG(crypt_set_pbkdf_type), DLSYM_ARG(crypt_suspend), DLSYM_ARG(crypt_token_json_get), @@ -281,18 +265,14 @@ int dlopen_cryptsetup(void) { #endif DLSYM_ARG(crypt_token_status), DLSYM_ARG(crypt_volume_key_get), -#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE DLSYM_ARG(crypt_reencrypt_init_by_passphrase), -#endif #if HAVE_CRYPT_REENCRYPT_RUN DLSYM_ARG(crypt_reencrypt_run), -#elif HAVE_CRYPT_REENCRYPT +#else DLSYM_ARG(crypt_reencrypt), #endif DLSYM_ARG(crypt_metadata_locking), -#if HAVE_CRYPT_SET_DATA_OFFSET DLSYM_ARG(crypt_set_data_offset), -#endif DLSYM_ARG(crypt_header_restore), DLSYM_ARG(crypt_volume_key_keyring)); if (r <= 0) diff --git a/src/shared/cryptsetup-util.h b/src/shared/cryptsetup-util.h index 3c043292e6d..b2b3aead1ba 100644 --- a/src/shared/cryptsetup-util.h +++ b/src/shared/cryptsetup-util.h @@ -16,9 +16,7 @@ #endif extern DLSYM_PROTOTYPE(crypt_activate_by_passphrase); -#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY extern DLSYM_PROTOTYPE(crypt_activate_by_signed_key); -#endif extern DLSYM_PROTOTYPE(crypt_activate_by_volume_key); extern DLSYM_PROTOTYPE(crypt_deactivate_by_name); extern DLSYM_PROTOTYPE(crypt_format); @@ -39,15 +37,11 @@ extern DLSYM_PROTOTYPE(crypt_keyslot_destroy); extern DLSYM_PROTOTYPE(crypt_keyslot_max); extern DLSYM_PROTOTYPE(crypt_load); extern DLSYM_PROTOTYPE(crypt_resize); -#if HAVE_CRYPT_RESUME_BY_VOLUME_KEY extern DLSYM_PROTOTYPE(crypt_resume_by_volume_key); -#endif extern DLSYM_PROTOTYPE(crypt_set_data_device); extern DLSYM_PROTOTYPE(crypt_set_debug_level); extern DLSYM_PROTOTYPE(crypt_set_log_callback); -#if HAVE_CRYPT_SET_METADATA_SIZE extern DLSYM_PROTOTYPE(crypt_set_metadata_size); -#endif extern DLSYM_PROTOTYPE(crypt_set_pbkdf_type); extern DLSYM_PROTOTYPE(crypt_suspend); extern DLSYM_PROTOTYPE(crypt_token_json_get); @@ -64,18 +58,14 @@ extern DLSYM_PROTOTYPE(crypt_token_set_external_path); #endif extern DLSYM_PROTOTYPE(crypt_token_status); extern DLSYM_PROTOTYPE(crypt_volume_key_get); -#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE extern DLSYM_PROTOTYPE(crypt_reencrypt_init_by_passphrase); -#endif #if HAVE_CRYPT_REENCRYPT_RUN extern DLSYM_PROTOTYPE(crypt_reencrypt_run); -#elif HAVE_CRYPT_REENCRYPT +#else extern DLSYM_PROTOTYPE(crypt_reencrypt); #endif extern DLSYM_PROTOTYPE(crypt_metadata_locking); -#if HAVE_CRYPT_SET_DATA_OFFSET extern DLSYM_PROTOTYPE(crypt_set_data_offset); -#endif extern DLSYM_PROTOTYPE(crypt_header_restore); extern DLSYM_PROTOTYPE(crypt_volume_key_keyring); diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c index f00e1cf3559..9843510faf1 100644 --- a/src/shared/dissect-image.c +++ b/src/shared/dissect-image.c @@ -2668,13 +2668,11 @@ static int verity_can_reuse( memcmp(root_hash_existing, verity->root_hash, verity->root_hash_size) != 0) return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Error opening verity device, it already exists but root hashes are different."); -#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY /* Ensure that, if signatures are supported, we only reuse the device if the previous mount used the * same settings, so that a previous unsigned mount will not be reused if the user asks to use * signing for the new one, and vice versa. */ if (!!verity->root_hash_sig != !!(crypt_params.flags & CRYPT_VERITY_ROOT_HASH_SIGNATURE)) return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Error opening verity device, it already exists but signature settings are not the same."); -#endif *ret_cd = TAKE_PTR(cd); return 0; @@ -2820,7 +2818,6 @@ static int do_crypt_activate_verity( check_signature = false; if (check_signature) { -#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY /* First, if we have support for signed keys in the kernel, then try that first. */ r = sym_crypt_activate_by_signed_key( cd, @@ -2842,11 +2839,6 @@ static int do_crypt_activate_verity( * -ENOKEY, which means "password required, but I have none". */ if (r == -ENOKEY) r = -EDESTADDRREQ; -#else - log_debug("Activation of verity device with signature requested, but not supported via the kernel by %s due to missing crypt_activate_by_signed_key(), trying userspace validation instead.", - program_invocation_short_name); - r = 0; /* Set for the propagation below */ -#endif /* So this didn't work via the kernel, then let's try userspace validation instead. If that * works we'll try to activate without telling the kernel the signature. */ diff --git a/src/veritysetup/veritysetup.c b/src/veritysetup/veritysetup.c index c356150ea3b..586af5c6238 100644 --- a/src/veritysetup/veritysetup.c +++ b/src/veritysetup/veritysetup.c @@ -101,10 +101,6 @@ static int parse_roothashsig_option(const char *option, bool strict) { else return false; - if (!HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY) - return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), - "Activation of verity device with signature requested, but cryptsetup does not support crypt_activate_by_signed_key()."); - free_and_replace(arg_root_hash_signature, rhs); arg_root_hash_signature_size = rhss; arg_root_hash_signature_auto = set_auto; @@ -416,7 +412,6 @@ static int verb_attach(int argc, char *argv[], void *userdata) { return log_error_errno(r, "Failed to configure data device: %m"); if (arg_root_hash_signature_size > 0) { -#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY r = crypt_activate_by_signed_key(cd, volume, rh, rh_size, arg_root_hash_signature, arg_root_hash_signature_size, arg_activate_flags); if (r < 0) { log_info_errno(r, "Unable to activate verity device '%s' with root hash signature (%m), retrying without.", volume); @@ -427,9 +422,6 @@ static int verb_attach(int argc, char *argv[], void *userdata) { log_info("Activation of verity device '%s' succeeded without root hash signature.", volume); } -#else - assert_not_reached(); -#endif } else r = crypt_activate_by_volume_key(cd, volume, rh, rh_size, arg_activate_flags); if (r < 0) -- 2.47.3