1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #if HAVE_LIBCRYPTSETUP
4 #include "alloc-util.h"
5 #include "cryptsetup-util.h"
6 #include "dlfcn-util.h"
7 #include "log.h"
8 #include "parse-util.h"
9
10 static void *cryptsetup_dl = NULL;
11
12 int (*sym_crypt_activate_by_passphrase)(struct crypt_device *cd, const char *name, int keyslot, const char *passphrase, size_t passphrase_size, uint32_t flags);
13 #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
14 int (*sym_crypt_activate_by_signed_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, const char *signature, size_t signature_size, uint32_t flags);
15 #endif
16 int (*sym_crypt_activate_by_volume_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, uint32_t flags);
17 int (*sym_crypt_deactivate_by_name)(struct crypt_device *cd, const char *name, uint32_t flags);
18 int (*sym_crypt_format)(struct crypt_device *cd, const char *type, const char *cipher, const char *cipher_mode, const char *uuid, const char *volume_key, size_t volume_key_size, void *params);
19 void (*sym_crypt_free)(struct crypt_device *cd);
20 const char *(*sym_crypt_get_cipher)(struct crypt_device *cd);
21 const char *(*sym_crypt_get_cipher_mode)(struct crypt_device *cd);
22 uint64_t (*sym_crypt_get_data_offset)(struct crypt_device *cd);
23 const char *(*sym_crypt_get_device_name)(struct crypt_device *cd);
24 const char *(*sym_crypt_get_dir)(void);
25 const char *(*sym_crypt_get_type)(struct crypt_device *cd);
26 const char *(*sym_crypt_get_uuid)(struct crypt_device *cd);
27 int (*sym_crypt_get_verity_info)(struct crypt_device *cd, struct crypt_params_verity *vp);
28 int (*sym_crypt_get_volume_key_size)(struct crypt_device *cd);
29 int (*sym_crypt_init)(struct crypt_device **cd, const char *device);
30 int (*sym_crypt_init_by_name)(struct crypt_device **cd, const char *name);
31 int (*sym_crypt_keyslot_add_by_volume_key)(struct crypt_device *cd, int keyslot, const char *volume_key, size_t volume_key_size, const char *passphrase, size_t passphrase_size);
32 int (*sym_crypt_keyslot_destroy)(struct crypt_device *cd, int keyslot);
33 int (*sym_crypt_keyslot_max)(const char *type);
34 int (*sym_crypt_load)(struct crypt_device *cd, const char *requested_type, void *params);
35 int (*sym_crypt_resize)(struct crypt_device *cd, const char *name, uint64_t new_size);
36 int (*sym_crypt_resume_by_passphrase)(struct crypt_device *cd, const char *name, int keyslot, const char *passphrase, size_t passphrase_size);
37 int (*sym_crypt_set_data_device)(struct crypt_device *cd, const char *device);
38 void (*sym_crypt_set_debug_level)(int level);
39 void (*sym_crypt_set_log_callback)(struct crypt_device *cd, void (*log)(int level, const char *msg, void *usrptr), void *usrptr);
40 #if HAVE_CRYPT_SET_METADATA_SIZE
41 int (*sym_crypt_set_metadata_size)(struct crypt_device *cd, uint64_t metadata_size, uint64_t keyslots_size);
42 #endif
43 int (*sym_crypt_set_pbkdf_type)(struct crypt_device *cd, const struct crypt_pbkdf_type *pbkdf);
44 int (*sym_crypt_suspend)(struct crypt_device *cd, const char *name);
45 int (*sym_crypt_token_json_get)(struct crypt_device *cd, int token, const char **json);
46 int (*sym_crypt_token_json_set)(struct crypt_device *cd, int token, const char *json);
47 #if HAVE_CRYPT_TOKEN_MAX
48 int (*sym_crypt_token_max)(const char *type);
49 #endif
50 crypt_token_info (*sym_crypt_token_status)(struct crypt_device *cd, int token, const char **type);
51 int (*sym_crypt_volume_key_get)(struct crypt_device *cd, int keyslot, char *volume_key, size_t *volume_key_size, const char *passphrase, size_t passphrase_size);
52
dlopen_cryptsetup(void)53 int dlopen_cryptsetup(void) {
54 int r;
55
56 r = dlopen_many_sym_or_warn(
57 &cryptsetup_dl, "libcryptsetup.so.12", LOG_DEBUG,
58 DLSYM_ARG(crypt_activate_by_passphrase),
59 #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
60 DLSYM_ARG(crypt_activate_by_signed_key),
61 #endif
62 DLSYM_ARG(crypt_activate_by_volume_key),
63 DLSYM_ARG(crypt_deactivate_by_name),
64 DLSYM_ARG(crypt_format),
65 DLSYM_ARG(crypt_free),
66 DLSYM_ARG(crypt_get_cipher),
67 DLSYM_ARG(crypt_get_cipher_mode),
68 DLSYM_ARG(crypt_get_data_offset),
69 DLSYM_ARG(crypt_get_device_name),
70 DLSYM_ARG(crypt_get_dir),
71 DLSYM_ARG(crypt_get_type),
72 DLSYM_ARG(crypt_get_uuid),
73 DLSYM_ARG(crypt_get_verity_info),
74 DLSYM_ARG(crypt_get_volume_key_size),
75 DLSYM_ARG(crypt_init),
76 DLSYM_ARG(crypt_init_by_name),
77 DLSYM_ARG(crypt_keyslot_add_by_volume_key),
78 DLSYM_ARG(crypt_keyslot_destroy),
79 DLSYM_ARG(crypt_keyslot_max),
80 DLSYM_ARG(crypt_load),
81 DLSYM_ARG(crypt_resize),
82 DLSYM_ARG(crypt_resume_by_passphrase),
83 DLSYM_ARG(crypt_set_data_device),
84 DLSYM_ARG(crypt_set_debug_level),
85 DLSYM_ARG(crypt_set_log_callback),
86 #if HAVE_CRYPT_SET_METADATA_SIZE
87 DLSYM_ARG(crypt_set_metadata_size),
88 #endif
89 DLSYM_ARG(crypt_set_pbkdf_type),
90 DLSYM_ARG(crypt_suspend),
91 DLSYM_ARG(crypt_token_json_get),
92 DLSYM_ARG(crypt_token_json_set),
93 #if HAVE_CRYPT_TOKEN_MAX
94 DLSYM_ARG(crypt_token_max),
95 #endif
96 DLSYM_ARG(crypt_token_status),
97 DLSYM_ARG(crypt_volume_key_get));
98 if (r <= 0)
99 return r;
100
101 /* Redirect the default logging calls of libcryptsetup to our own logging infra. (Note that
102 * libcryptsetup also maintains per-"struct crypt_device" log functions, which we'll also set
103 * whenever allocating a "struct crypt_device" context. Why set both? To be defensive: maybe some
104 * other code loaded into this process also changes the global log functions of libcryptsetup, who
105 * knows? And if so, we still want our own objects to log via our own infra, at the very least.) */
106 cryptsetup_enable_logging(NULL);
107 return 1;
108 }
109
cryptsetup_log_glue(int level,const char * msg,void * usrptr)110 static void cryptsetup_log_glue(int level, const char *msg, void *usrptr) {
111
112 switch (level) {
113 case CRYPT_LOG_NORMAL:
114 level = LOG_NOTICE;
115 break;
116 case CRYPT_LOG_ERROR:
117 level = LOG_ERR;
118 break;
119 case CRYPT_LOG_VERBOSE:
120 level = LOG_INFO;
121 break;
122 case CRYPT_LOG_DEBUG:
123 level = LOG_DEBUG;
124 break;
125 default:
126 log_error("Unknown libcryptsetup log level: %d", level);
127 level = LOG_ERR;
128 }
129
130 log_full(level, "%s", msg);
131 }
132
cryptsetup_enable_logging(struct crypt_device * cd)133 void cryptsetup_enable_logging(struct crypt_device *cd) {
134 /* It's OK to call this with a NULL parameter, in which case libcryptsetup will set the default log
135 * function.
136 *
137 * Note that this is also called from dlopen_cryptsetup(), which we call here too. Sounds like an
138 * endless loop, but isn't because we break it via the check for 'cryptsetup_dl' early in
139 * dlopen_cryptsetup(). */
140
141 if (dlopen_cryptsetup() < 0)
142 return; /* If this fails, let's gracefully ignore the issue, this is just debug logging after
143 * all, and if this failed we already generated a debug log message that should help
144 * to track things down. */
145
146 sym_crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
147 sym_crypt_set_debug_level(DEBUG_LOGGING ? CRYPT_DEBUG_ALL : CRYPT_DEBUG_NONE);
148 }
149
cryptsetup_set_minimal_pbkdf(struct crypt_device * cd)150 int cryptsetup_set_minimal_pbkdf(struct crypt_device *cd) {
151
152 /* With CRYPT_PBKDF_NO_BENCHMARK flag set .time_ms member is ignored
153 * while .iterations must be set at least to recommended minimum value. */
154
155 static const struct crypt_pbkdf_type minimal_pbkdf = {
156 .hash = "sha512",
157 .type = CRYPT_KDF_PBKDF2,
158 .iterations = 1000, /* recommended minimum count for pbkdf2
159 * according to NIST SP 800-132, ch. 5.2 */
160 .flags = CRYPT_PBKDF_NO_BENCHMARK
161 };
162
163 int r;
164
165 /* Sets a minimal PKBDF in case we already have a high entropy key. */
166
167 r = dlopen_cryptsetup();
168 if (r < 0)
169 return r;
170
171 r = sym_crypt_set_pbkdf_type(cd, &minimal_pbkdf);
172 if (r < 0)
173 return r;
174
175 return 0;
176 }
177
cryptsetup_get_token_as_json(struct crypt_device * cd,int idx,const char * verify_type,JsonVariant ** ret)178 int cryptsetup_get_token_as_json(
179 struct crypt_device *cd,
180 int idx,
181 const char *verify_type,
182 JsonVariant **ret) {
183
184 _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
185 const char *text;
186 int r;
187
188 assert(cd);
189
190 /* Extracts and parses the LUKS2 JSON token data from a LUKS2 device. Optionally verifies the type of
191 * the token. Returns:
192 *
193 * -EINVAL → token index out of range or "type" field missing
194 * -ENOENT → token doesn't exist
195 * -EMEDIUMTYPE → "verify_type" specified and doesn't match token's type
196 */
197
198 r = dlopen_cryptsetup();
199 if (r < 0)
200 return r;
201
202 r = sym_crypt_token_json_get(cd, idx, &text);
203 if (r < 0)
204 return r;
205
206 r = json_parse(text, 0, &v, NULL, NULL);
207 if (r < 0)
208 return r;
209
210 if (verify_type) {
211 JsonVariant *w;
212
213 w = json_variant_by_key(v, "type");
214 if (!w)
215 return -EINVAL;
216
217 if (!streq_ptr(json_variant_string(w), verify_type))
218 return -EMEDIUMTYPE;
219 }
220
221 if (ret)
222 *ret = TAKE_PTR(v);
223
224 return 0;
225 }
226
cryptsetup_get_keyslot_from_token(JsonVariant * v)227 int cryptsetup_get_keyslot_from_token(JsonVariant *v) {
228 int keyslot, r;
229 JsonVariant *w;
230
231 /* Parses the "keyslots" field of a LUKS2 token object. The field can be an array, but here we assume
232 * that it contains a single element only, since that's the only way we ever generate it
233 * ourselves. */
234
235 w = json_variant_by_key(v, "keyslots");
236 if (!w)
237 return -ENOENT;
238 if (!json_variant_is_array(w) || json_variant_elements(w) != 1)
239 return -EMEDIUMTYPE;
240
241 w = json_variant_by_index(w, 0);
242 if (!w)
243 return -ENOENT;
244 if (!json_variant_is_string(w))
245 return -EMEDIUMTYPE;
246
247 r = safe_atoi(json_variant_string(w), &keyslot);
248 if (r < 0)
249 return r;
250 if (keyslot < 0)
251 return -EINVAL;
252
253 return keyslot;
254 }
255
cryptsetup_add_token_json(struct crypt_device * cd,JsonVariant * v)256 int cryptsetup_add_token_json(struct crypt_device *cd, JsonVariant *v) {
257 _cleanup_free_ char *text = NULL;
258 int r;
259
260 r = dlopen_cryptsetup();
261 if (r < 0)
262 return r;
263
264 r = json_variant_format(v, 0, &text);
265 if (r < 0)
266 return log_debug_errno(r, "Failed to format token data for LUKS: %m");
267
268 log_debug("Adding token text <%s>", text);
269
270 r = sym_crypt_token_json_set(cd, CRYPT_ANY_TOKEN, text);
271 if (r < 0)
272 return log_debug_errno(r, "Failed to write token data to LUKS: %m");
273
274 return 0;
275 }
276 #endif
277