24809677062

Committed 22 Apr 2026 10:05PM UTC coverage: 71.989% (-0.2%) from 72.23%

Build # 24809677062

Build Type

push

github

Committed by

bluca

Commit Message

ukify: fix default path for hwids

The documentation and commit that added this seem to suggest this should
be under /usr/lib/systemd

fixes 117ec9db7

Coverage Stats

321862 of 447097 relevant lines covered (71.99%)

1201427.36 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

84.62

/src/shared/cryptsetup-util.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <stdlib.h>

#include "sd-dlopen.h"
#include "sd-json.h"

#include "alloc-util.h"
#include "cryptsetup-util.h"
#include "dlfcn-util.h"
#include "escape.h"
#include "hexdecoct.h"
#include "hmac.h"
#include "log.h"
#include "parse-util.h"
#include "string-util.h"
#include "strv.h"

#if HAVE_LIBCRYPTSETUP
static void *cryptsetup_dl = NULL;

DLSYM_PROTOTYPE(crypt_activate_by_passphrase) = NULL;
DLSYM_PROTOTYPE(crypt_activate_by_signed_key) = NULL;
DLSYM_PROTOTYPE(crypt_activate_by_volume_key) = NULL;
DLSYM_PROTOTYPE(crypt_deactivate_by_name) = NULL;
DLSYM_PROTOTYPE(crypt_format) = NULL;
DLSYM_PROTOTYPE(crypt_free) = NULL;
DLSYM_PROTOTYPE(crypt_get_cipher) = NULL;
DLSYM_PROTOTYPE(crypt_get_cipher_mode) = NULL;
DLSYM_PROTOTYPE(crypt_get_data_offset) = NULL;
DLSYM_PROTOTYPE(crypt_get_device_name) = NULL;
DLSYM_PROTOTYPE(crypt_get_dir) = NULL;
DLSYM_PROTOTYPE(crypt_get_type) = NULL;
DLSYM_PROTOTYPE(crypt_get_uuid) = NULL;
DLSYM_PROTOTYPE(crypt_get_verity_info) = NULL;
DLSYM_PROTOTYPE(crypt_get_volume_key_size) = NULL;
DLSYM_PROTOTYPE(crypt_header_restore) = NULL;
DLSYM_PROTOTYPE(crypt_init) = NULL;
DLSYM_PROTOTYPE(crypt_init_by_name) = NULL;
DLSYM_PROTOTYPE(crypt_keyslot_add_by_volume_key) = NULL;
DLSYM_PROTOTYPE(crypt_keyslot_destroy) = NULL;
DLSYM_PROTOTYPE(crypt_keyslot_max) = NULL;
DLSYM_PROTOTYPE(crypt_load) = NULL;
DLSYM_PROTOTYPE(crypt_metadata_locking) = NULL;
DLSYM_PROTOTYPE(crypt_persistent_flags_get) = NULL;
DLSYM_PROTOTYPE(crypt_persistent_flags_set) = NULL;
DLSYM_PROTOTYPE(crypt_reencrypt_init_by_passphrase) = NULL;
DLSYM_PROTOTYPE(crypt_reencrypt_run);
DLSYM_PROTOTYPE(crypt_resize) = NULL;
DLSYM_PROTOTYPE(crypt_resume_by_volume_key) = NULL;
DLSYM_PROTOTYPE(crypt_set_data_device) = NULL;
DLSYM_PROTOTYPE(crypt_set_data_offset) = NULL;
DLSYM_PROTOTYPE(crypt_set_debug_level) = NULL;
DLSYM_PROTOTYPE(crypt_set_log_callback) = NULL;
DLSYM_PROTOTYPE(crypt_set_metadata_size) = NULL;
DLSYM_PROTOTYPE(crypt_set_pbkdf_type) = NULL;
DLSYM_PROTOTYPE(crypt_suspend) = NULL;
DLSYM_PROTOTYPE(crypt_token_json_get) = NULL;
DLSYM_PROTOTYPE(crypt_token_json_set) = NULL;
DLSYM_PROTOTYPE(crypt_token_max) = NULL;
#if HAVE_CRYPT_TOKEN_SET_EXTERNAL_PATH
DLSYM_PROTOTYPE(crypt_token_set_external_path) = NULL;
#endif
DLSYM_PROTOTYPE(crypt_token_status) = NULL;
DLSYM_PROTOTYPE(crypt_volume_key_get) = NULL;
DLSYM_PROTOTYPE(crypt_volume_key_keyring) = NULL;
DLSYM_PROTOTYPE(crypt_wipe) = NULL;
DLSYM_PROTOTYPE(crypt_get_integrity_info) = NULL;

static void cryptsetup_log_glue(int level, const char *msg, void *usrptr) {

        switch (level) {
        case CRYPT_LOG_NORMAL:
                level = LOG_NOTICE;
                break;
        case CRYPT_LOG_ERROR:
                level = LOG_ERR;
                break;
        case CRYPT_LOG_VERBOSE:
                level = LOG_INFO;
                break;
        case CRYPT_LOG_DEBUG:
                level = LOG_DEBUG;
                break;
        default:
                log_error("Unknown libcryptsetup log level: %d", level);
                level = LOG_ERR;
        }

        log_full(level, "%s", msg);
}

void cryptsetup_enable_logging(struct crypt_device *cd) {
        /* It's OK to call this with a NULL parameter, in which case libcryptsetup will set the default log
         * function.
         *
         * Note that this is also called from dlopen_cryptsetup(), which we call here too. Sounds like an
         * endless loop, but isn't because we break it via the check for 'cryptsetup_dl' early in
         * dlopen_cryptsetup(). */

        if (dlopen_cryptsetup(LOG_DEBUG) < 0)
                return; /* If this fails, let's gracefully ignore the issue, this is just debug logging after
                         * all, and if this failed we already generated a debug log message that should help
                         * to track things down. */

        sym_crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
        sym_crypt_set_debug_level(DEBUG_LOGGING ? CRYPT_DEBUG_ALL : CRYPT_DEBUG_NONE);
}

int cryptsetup_set_minimal_pbkdf(struct crypt_device *cd) {

        /* With CRYPT_PBKDF_NO_BENCHMARK flag set .time_ms member is ignored
         * while .iterations must be set at least to recommended minimum value. */

        static const struct crypt_pbkdf_type minimal_pbkdf = {
                .hash = "sha512",
                .type = CRYPT_KDF_PBKDF2,
                .iterations = 1000, /* recommended minimum count for pbkdf2
                                     * according to NIST SP 800-132, ch. 5.2 */
                .flags = CRYPT_PBKDF_NO_BENCHMARK
        };

        int r;

        /* Sets a minimal PKBDF in case we already have a high entropy key. */

        r = dlopen_cryptsetup(LOG_DEBUG);
        if (r < 0)
                return r;

        r = sym_crypt_set_pbkdf_type(cd, &minimal_pbkdf);
        if (r < 0)
                return r;

        return 0;
}

int cryptsetup_get_token_as_json(
                struct crypt_device *cd,
                int idx,
                const char *verify_type,
                sd_json_variant **ret) {

        _cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL;
        const char *text;
        int r;

        assert(cd);

        /* Extracts and parses the LUKS2 JSON token data from a LUKS2 device. Optionally verifies the type of
         * the token. Returns:
         *
         *      -EINVAL → token index out of range or "type" field missing
         *      -ENOENT → token doesn't exist
         * -EMEDIUMTYPE → "verify_type" specified and doesn't match token's type
         */

        r = dlopen_cryptsetup(LOG_DEBUG);
        if (r < 0)
                return r;

        r = sym_crypt_token_json_get(cd, idx, &text);
        if (r < 0)
                return r;

        r = sd_json_parse(text, 0, &v, NULL, NULL);
        if (r < 0)
                return r;

        if (verify_type) {
                sd_json_variant *w;

                w = sd_json_variant_by_key(v, "type");
                if (!w)
                        return -EINVAL;

                if (!streq_ptr(sd_json_variant_string(w), verify_type))
                        return -EMEDIUMTYPE;
        }

        if (ret)
                *ret = TAKE_PTR(v);

        return 0;
}

int cryptsetup_add_token_json(struct crypt_device *cd, sd_json_variant *v) {
        _cleanup_free_ char *text = NULL;
        int r;

        r = dlopen_cryptsetup(LOG_DEBUG);
        if (r < 0)
                return r;

        r = sd_json_variant_format(v, 0, &text);
        if (r < 0)
                return log_debug_errno(r, "Failed to format token data for LUKS: %m");

        log_debug("Adding token text <%s>", text);

        r = sym_crypt_token_json_set(cd, CRYPT_ANY_TOKEN, text);
        if (r < 0)
                return log_debug_errno(r, "Failed to write token data to LUKS: %m");

        return 0;
}

int cryptsetup_get_volume_key_prefix(
                struct crypt_device *cd,
                const char *volume_name,
                char **ret) {

        _cleanup_free_ char *volume = NULL;
        const char *uuid;
        char *s;

        assert(ret);

        uuid = sym_crypt_get_uuid(cd);
        if (!uuid)
                return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to get LUKS UUID.");

        if (volume_name)
                /* avoid ambiguity around ":" once we join things below */
                volume = xescape(volume_name, ":");
        else
                volume = strjoin("luks-", uuid);
        if (!volume)
                return log_oom_debug();

        s = strjoin("cryptsetup:", volume, ":", uuid);
        if (!s)
                return log_oom_debug();

        *ret = s;

        return 0;
}

/* The hash must match what measure_volume_key() extends to the SHA256 bank of the TPM2. */
int cryptsetup_get_volume_key_id(
                struct crypt_device *cd,
                const char *volume_name,
                const void *volume_key,
                size_t volume_key_size,
                char **ret) {

        _cleanup_free_ char *prefix = NULL;
        uint8_t digest[SHA256_DIGEST_SIZE];
        char *hex;
        int r;

        assert(ret);

        r = cryptsetup_get_volume_key_prefix(cd, volume_name, &prefix);
        if (r < 0)
                return log_debug_errno(r, "Failed to get LUKS volume key prefix.");

        hmac_sha256(volume_key, volume_key_size, prefix, strlen(prefix), digest);

        hex = hexmem(digest, sizeof(digest));
        if (!hex)
                return log_oom_debug();

        *ret = hex;

        return 0;
}
#endif

int dlopen_cryptsetup(int log_level) {
#if HAVE_LIBCRYPTSETUP
        int r;

        /* libcryptsetup added crypt_reencrypt() in 2.2.0, and marked it obsolete in 2.4.0, replacing it with
         * crypt_reencrypt_run(), which takes one extra argument but is otherwise identical. The old call is
         * still available though, and given we want to support 2.2.0 for a while longer, we'll use the old
         * symbol if the new one is not available. */

        SD_ELF_NOTE_DLOPEN(
                        "cryptsetup",
                        "Support for disk encryption, integrity, and authentication",
                        SD_ELF_NOTE_DLOPEN_PRIORITY_SUGGESTED,
                        "libcryptsetup.so.12");

        r = dlopen_many_sym_or_warn(
                        &cryptsetup_dl, "libcryptsetup.so.12", log_level,
                        DLSYM_ARG(crypt_activate_by_passphrase),
                        DLSYM_ARG(crypt_activate_by_signed_key),
                        DLSYM_ARG(crypt_activate_by_volume_key),
                        DLSYM_ARG(crypt_deactivate_by_name),
                        DLSYM_ARG(crypt_format),
                        DLSYM_ARG(crypt_free),
                        DLSYM_ARG(crypt_get_cipher),
                        DLSYM_ARG(crypt_get_cipher_mode),
                        DLSYM_ARG(crypt_get_data_offset),
                        DLSYM_ARG(crypt_get_device_name),
                        DLSYM_ARG(crypt_get_dir),
                        DLSYM_ARG(crypt_get_type),
                        DLSYM_ARG(crypt_get_uuid),
                        DLSYM_ARG(crypt_get_verity_info),
                        DLSYM_ARG(crypt_get_volume_key_size),
                        DLSYM_ARG(crypt_header_restore),
                        DLSYM_ARG(crypt_init),
                        DLSYM_ARG(crypt_init_by_name),
                        DLSYM_ARG(crypt_keyslot_add_by_volume_key),
                        DLSYM_ARG(crypt_keyslot_destroy),
                        DLSYM_ARG(crypt_keyslot_max),
                        DLSYM_ARG(crypt_load),
                        DLSYM_ARG(crypt_metadata_locking),
                        DLSYM_ARG(crypt_persistent_flags_get),
                        DLSYM_ARG(crypt_persistent_flags_set),
                        DLSYM_ARG(crypt_reencrypt_init_by_passphrase),
                        DLSYM_ARG(crypt_reencrypt_run),
                        DLSYM_ARG(crypt_resize),
                        DLSYM_ARG(crypt_resume_by_volume_key),
                        DLSYM_ARG(crypt_set_data_device),
                        DLSYM_ARG(crypt_set_data_offset),
                        DLSYM_ARG(crypt_set_debug_level),
                        DLSYM_ARG(crypt_set_log_callback),
                        DLSYM_ARG(crypt_set_metadata_size),
                        DLSYM_ARG(crypt_set_pbkdf_type),
                        DLSYM_ARG(crypt_suspend),
                        DLSYM_ARG(crypt_token_json_get),
                        DLSYM_ARG(crypt_token_json_set),
                        DLSYM_ARG(crypt_token_max),
#if HAVE_CRYPT_TOKEN_SET_EXTERNAL_PATH
                        DLSYM_ARG(crypt_token_set_external_path),
#endif
                        DLSYM_ARG(crypt_token_status),
                        DLSYM_ARG(crypt_volume_key_get),
                        DLSYM_ARG(crypt_volume_key_keyring),
                        DLSYM_ARG(crypt_wipe),
                        DLSYM_ARG(crypt_get_integrity_info));
        if (r <= 0)
                return r;

        /* Redirect the default logging calls of libcryptsetup to our own logging infra. (Note that
         * libcryptsetup also maintains per-"struct crypt_device" log functions, which we'll also set
         * whenever allocating a "struct crypt_device" context. Why set both? To be defensive: maybe some
         * other code loaded into this process also changes the global log functions of libcryptsetup, who
         * knows? And if so, we still want our own objects to log via our own infra, at the very least.) */
        cryptsetup_enable_logging(NULL);

        const char *e = secure_getenv("SYSTEMD_CRYPTSETUP_TOKEN_PATH");
        if (e) {
#if HAVE_CRYPT_TOKEN_SET_EXTERNAL_PATH
                r = sym_crypt_token_set_external_path(e);
                if (r < 0)
                        log_debug_errno(r, "Failed to set the libcryptsetup external token path to '%s', ignoring: %m", e);
#else
                log_debug("libcryptsetup version does not support setting the external token path, not setting it to '%s'.", e);
#endif
        }

        return 1;
#else
        return log_full_errno(log_level, SYNTHETIC_ERRNO(EOPNOTSUPP),
                              "libcryptsetup support is not compiled in.");
#endif
}

int cryptsetup_get_keyslot_from_token(sd_json_variant *v) {
        int keyslot, r;
        sd_json_variant *w;

        /* Parses the "keyslots" field of a LUKS2 token object. The field can be an array, but here we assume
         * that it contains a single element only, since that's the only way we ever generate it
         * ourselves. */

        w = sd_json_variant_by_key(v, "keyslots");
        if (!w)
                return -ENOENT;
        if (!sd_json_variant_is_array(w) || sd_json_variant_elements(w) != 1)
                return -EMEDIUMTYPE;

        w = sd_json_variant_by_index(w, 0);
        if (!w)
                return -ENOENT;
        if (!sd_json_variant_is_string(w))
                return -EMEDIUMTYPE;

        r = safe_atoi(sd_json_variant_string(w), &keyslot);
        if (r < 0)
                return r;
        if (keyslot < 0)
                return -EINVAL;

        return keyslot;
}

const char* mangle_none(const char *s) {
        /* A helper that turns cryptsetup/integritysetup/veritysetup "options" strings into NULL if they are effectively empty */
        return isempty(s) || STR_IN_SET(s, "-", "none") ? NULL : s;
}

1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3	#include <stdlib.h>
4
5	#include "sd-dlopen.h"
6	#include "sd-json.h"
7
8	#include "alloc-util.h"
9	#include "cryptsetup-util.h"
10	#include "dlfcn-util.h"
11	#include "escape.h"
12	#include "hexdecoct.h"
13	#include "hmac.h"
14	#include "log.h"
15	#include "parse-util.h"
16	#include "string-util.h"
17	#include "strv.h"
18
19	#if HAVE_LIBCRYPTSETUP
20	static void *cryptsetup_dl = NULL;
21
22	DLSYM_PROTOTYPE(crypt_activate_by_passphrase) = NULL;
23	DLSYM_PROTOTYPE(crypt_activate_by_signed_key) = NULL;
24	DLSYM_PROTOTYPE(crypt_activate_by_volume_key) = NULL;
25	DLSYM_PROTOTYPE(crypt_deactivate_by_name) = NULL;
26	DLSYM_PROTOTYPE(crypt_format) = NULL;
27	DLSYM_PROTOTYPE(crypt_free) = NULL;
28	DLSYM_PROTOTYPE(crypt_get_cipher) = NULL;
29	DLSYM_PROTOTYPE(crypt_get_cipher_mode) = NULL;
30	DLSYM_PROTOTYPE(crypt_get_data_offset) = NULL;
31	DLSYM_PROTOTYPE(crypt_get_device_name) = NULL;
32	DLSYM_PROTOTYPE(crypt_get_dir) = NULL;
33	DLSYM_PROTOTYPE(crypt_get_type) = NULL;
34	DLSYM_PROTOTYPE(crypt_get_uuid) = NULL;
35	DLSYM_PROTOTYPE(crypt_get_verity_info) = NULL;
36	DLSYM_PROTOTYPE(crypt_get_volume_key_size) = NULL;
37	DLSYM_PROTOTYPE(crypt_header_restore) = NULL;
38	DLSYM_PROTOTYPE(crypt_init) = NULL;
39	DLSYM_PROTOTYPE(crypt_init_by_name) = NULL;
40	DLSYM_PROTOTYPE(crypt_keyslot_add_by_volume_key) = NULL;
41	DLSYM_PROTOTYPE(crypt_keyslot_destroy) = NULL;
42	DLSYM_PROTOTYPE(crypt_keyslot_max) = NULL;
43	DLSYM_PROTOTYPE(crypt_load) = NULL;
44	DLSYM_PROTOTYPE(crypt_metadata_locking) = NULL;
45	DLSYM_PROTOTYPE(crypt_persistent_flags_get) = NULL;
46	DLSYM_PROTOTYPE(crypt_persistent_flags_set) = NULL;
47	DLSYM_PROTOTYPE(crypt_reencrypt_init_by_passphrase) = NULL;
48	DLSYM_PROTOTYPE(crypt_reencrypt_run);
49	DLSYM_PROTOTYPE(crypt_resize) = NULL;
50	DLSYM_PROTOTYPE(crypt_resume_by_volume_key) = NULL;
51	DLSYM_PROTOTYPE(crypt_set_data_device) = NULL;
52	DLSYM_PROTOTYPE(crypt_set_data_offset) = NULL;
53	DLSYM_PROTOTYPE(crypt_set_debug_level) = NULL;
54	DLSYM_PROTOTYPE(crypt_set_log_callback) = NULL;
55	DLSYM_PROTOTYPE(crypt_set_metadata_size) = NULL;
56	DLSYM_PROTOTYPE(crypt_set_pbkdf_type) = NULL;
57	DLSYM_PROTOTYPE(crypt_suspend) = NULL;
58	DLSYM_PROTOTYPE(crypt_token_json_get) = NULL;
59	DLSYM_PROTOTYPE(crypt_token_json_set) = NULL;
60	DLSYM_PROTOTYPE(crypt_token_max) = NULL;
61	#if HAVE_CRYPT_TOKEN_SET_EXTERNAL_PATH
62	DLSYM_PROTOTYPE(crypt_token_set_external_path) = NULL;
63	#endif
64	DLSYM_PROTOTYPE(crypt_token_status) = NULL;
65	DLSYM_PROTOTYPE(crypt_volume_key_get) = NULL;
66	DLSYM_PROTOTYPE(crypt_volume_key_keyring) = NULL;
67	DLSYM_PROTOTYPE(crypt_wipe) = NULL;
68	DLSYM_PROTOTYPE(crypt_get_integrity_info) = NULL;
69
70	static void cryptsetup_log_glue(int level, const char msg, void usrptr) {	35,437✔
71
72	switch (level) {	35,437✔
73	case CRYPT_LOG_NORMAL:
74	level = LOG_NOTICE;
75	break;
76	case CRYPT_LOG_ERROR:	41✔
77	level = LOG_ERR;	41✔
78	break;	41✔
79	case CRYPT_LOG_VERBOSE:	×
80	level = LOG_INFO;	×
81	break;	×
82	case CRYPT_LOG_DEBUG:	35,396✔
83	level = LOG_DEBUG;	35,396✔
84	break;	35,396✔
85	default:
86	log_error("Unknown libcryptsetup log level: %d", level);	×
87	level = LOG_ERR;
88	}
89
90	log_full(level, "%s", msg);	35,437✔
91	}	35,437✔
92
93	void cryptsetup_enable_logging(struct crypt_device *cd) {	12,354✔
94	/* It's OK to call this with a NULL parameter, in which case libcryptsetup will set the default log
95	* function.
96	*
97	* Note that this is also called from dlopen_cryptsetup(), which we call here too. Sounds like an
98	* endless loop, but isn't because we break it via the check for 'cryptsetup_dl' early in
99	* dlopen_cryptsetup(). */
100
101	if (dlopen_cryptsetup(LOG_DEBUG) < 0)	12,354✔
102	return; /* If this fails, let's gracefully ignore the issue, this is just debug logging after
103	* all, and if this failed we already generated a debug log message that should help
104	* to track things down. */
105
106	sym_crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);	12,354✔
107	sym_crypt_set_debug_level(DEBUG_LOGGING ? CRYPT_DEBUG_ALL : CRYPT_DEBUG_NONE);	12,424✔
108	}
109
110	int cryptsetup_set_minimal_pbkdf(struct crypt_device *cd) {	45✔
111
112	/* With CRYPT_PBKDF_NO_BENCHMARK flag set .time_ms member is ignored
113	* while .iterations must be set at least to recommended minimum value. */
114
115	static const struct crypt_pbkdf_type minimal_pbkdf = {	45✔
116	.hash = "sha512",
117	.type = CRYPT_KDF_PBKDF2,
118	.iterations = 1000, /* recommended minimum count for pbkdf2
119	* according to NIST SP 800-132, ch. 5.2 */
120	.flags = CRYPT_PBKDF_NO_BENCHMARK
121	};
122
123	int r;	45✔
124
125	/* Sets a minimal PKBDF in case we already have a high entropy key. */
126
127	r = dlopen_cryptsetup(LOG_DEBUG);	45✔
128	if (r < 0)	45✔
129	return r;
130
131	r = sym_crypt_set_pbkdf_type(cd, &minimal_pbkdf);	45✔
132	if (r < 0)	45✔
133	return r;	×
134
135	return 0;
136	}
137
138	int cryptsetup_get_token_as_json(	5,621✔
139	struct crypt_device *cd,
140	int idx,
141	const char *verify_type,
142	sd_json_variant **ret) {
143
144	_cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL;	5,621✔
145	const char *text;	5,621✔
146	int r;	5,621✔
147
148	assert(cd);	5,621✔
149
150	/* Extracts and parses the LUKS2 JSON token data from a LUKS2 device. Optionally verifies the type of
151	* the token. Returns:
152	*
153	* -EINVAL → token index out of range or "type" field missing
154	* -ENOENT → token doesn't exist
155	* -EMEDIUMTYPE → "verify_type" specified and doesn't match token's type
156	*/
157
158	r = dlopen_cryptsetup(LOG_DEBUG);	5,621✔
159	if (r < 0)	5,621✔
160	return r;
161
162	r = sym_crypt_token_json_get(cd, idx, &text);	5,621✔
163	if (r < 0)	5,621✔
164	return r;
165
166	r = sd_json_parse(text, 0, &v, NULL, NULL);	403✔
167	if (r < 0)	403✔
168	return r;
169
170	if (verify_type) {	403✔
171	sd_json_variant *w;	240✔
172
173	w = sd_json_variant_by_key(v, "type");	240✔
174	if (!w)	240✔
175	return -EINVAL;
176
177	if (!streq_ptr(sd_json_variant_string(w), verify_type))	240✔
178	return -EMEDIUMTYPE;
179	}
180
181	if (ret)	179✔
182	*ret = TAKE_PTR(v);	179✔
183
184	return 0;
185	}
186
187	int cryptsetup_add_token_json(struct crypt_device cd, sd_json_variant v) {	45✔
188	_cleanup_free_ char *text = NULL;	45✔
189	int r;	45✔
190
191	r = dlopen_cryptsetup(LOG_DEBUG);	45✔
192	if (r < 0)	45✔
193	return r;
194
195	r = sd_json_variant_format(v, 0, &text);	45✔
196	if (r < 0)	45✔
197	return log_debug_errno(r, "Failed to format token data for LUKS: %m");	×
198
199	log_debug("Adding token text <%s>", text);	45✔
200
201	r = sym_crypt_token_json_set(cd, CRYPT_ANY_TOKEN, text);	45✔
202	if (r < 0)	45✔
203	return log_debug_errno(r, "Failed to write token data to LUKS: %m");	×
204
205	return 0;
206	}
207
208	int cryptsetup_get_volume_key_prefix(	7✔
209	struct crypt_device *cd,
210	const char *volume_name,
211	char **ret) {
212
213	_cleanup_free_ char *volume = NULL;	7✔
214	const char *uuid;	7✔
215	char *s;	7✔
216
217	assert(ret);	7✔
218
219	uuid = sym_crypt_get_uuid(cd);	7✔
220	if (!uuid)	7✔
221	return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to get LUKS UUID.");	×
222
223	if (volume_name)	7✔
224	/* avoid ambiguity around ":" once we join things below */
225	volume = xescape(volume_name, ":");	7✔
226	else
227	volume = strjoin("luks-", uuid);	×
228	if (!volume)	7✔
229	return log_oom_debug();	×
230
231	s = strjoin("cryptsetup:", volume, ":", uuid);	7✔
232	if (!s)	7✔
233	return log_oom_debug();	×
234
235	*ret = s;	7✔
236
237	return 0;	7✔
238	}
239
240	/* The hash must match what measure_volume_key() extends to the SHA256 bank of the TPM2. */
241	int cryptsetup_get_volume_key_id(	7✔
242	struct crypt_device *cd,
243	const char *volume_name,
244	const void *volume_key,
245	size_t volume_key_size,
246	char **ret) {
247
248	_cleanup_free_ char *prefix = NULL;	7✔
249	uint8_t digest[SHA256_DIGEST_SIZE];	7✔
250	char *hex;	7✔
251	int r;	7✔
252
253	assert(ret);	7✔
254
255	r = cryptsetup_get_volume_key_prefix(cd, volume_name, &prefix);	7✔
256	if (r < 0)	7✔
257	return log_debug_errno(r, "Failed to get LUKS volume key prefix.");	×
258
259	hmac_sha256(volume_key, volume_key_size, prefix, strlen(prefix), digest);	7✔
260
261	hex = hexmem(digest, sizeof(digest));	7✔
262	if (!hex)	7✔
263	return log_oom_debug();	×
264
265	*ret = hex;	7✔
266
267	return 0;	7✔
268	}
269	#endif
270
271	int dlopen_cryptsetup(int log_level) {	31,206✔
272	#if HAVE_LIBCRYPTSETUP
273	int r;	31,206✔
274
275	/* libcryptsetup added crypt_reencrypt() in 2.2.0, and marked it obsolete in 2.4.0, replacing it with
276	* crypt_reencrypt_run(), which takes one extra argument but is otherwise identical. The old call is
277	* still available though, and given we want to support 2.2.0 for a while longer, we'll use the old
278	* symbol if the new one is not available. */
279
280	SD_ELF_NOTE_DLOPEN(	31,206✔
281	"cryptsetup",
282	"Support for disk encryption, integrity, and authentication",
283	SD_ELF_NOTE_DLOPEN_PRIORITY_SUGGESTED,
284	"libcryptsetup.so.12");
285
286	r = dlopen_many_sym_or_warn(	31,206✔
287	&cryptsetup_dl, "libcryptsetup.so.12", log_level,
288	DLSYM_ARG(crypt_activate_by_passphrase),
289	DLSYM_ARG(crypt_activate_by_signed_key),
290	DLSYM_ARG(crypt_activate_by_volume_key),
291	DLSYM_ARG(crypt_deactivate_by_name),
292	DLSYM_ARG(crypt_format),
293	DLSYM_ARG(crypt_free),
294	DLSYM_ARG(crypt_get_cipher),
295	DLSYM_ARG(crypt_get_cipher_mode),
296	DLSYM_ARG(crypt_get_data_offset),
297	DLSYM_ARG(crypt_get_device_name),
298	DLSYM_ARG(crypt_get_dir),
299	DLSYM_ARG(crypt_get_type),
300	DLSYM_ARG(crypt_get_uuid),
301	DLSYM_ARG(crypt_get_verity_info),
302	DLSYM_ARG(crypt_get_volume_key_size),
303	DLSYM_ARG(crypt_header_restore),
304	DLSYM_ARG(crypt_init),
305	DLSYM_ARG(crypt_init_by_name),
306	DLSYM_ARG(crypt_keyslot_add_by_volume_key),
307	DLSYM_ARG(crypt_keyslot_destroy),
308	DLSYM_ARG(crypt_keyslot_max),
309	DLSYM_ARG(crypt_load),
310	DLSYM_ARG(crypt_metadata_locking),
311	DLSYM_ARG(crypt_persistent_flags_get),
312	DLSYM_ARG(crypt_persistent_flags_set),
313	DLSYM_ARG(crypt_reencrypt_init_by_passphrase),
314	DLSYM_ARG(crypt_reencrypt_run),
315	DLSYM_ARG(crypt_resize),
316	DLSYM_ARG(crypt_resume_by_volume_key),
317	DLSYM_ARG(crypt_set_data_device),
318	DLSYM_ARG(crypt_set_data_offset),
319	DLSYM_ARG(crypt_set_debug_level),
320	DLSYM_ARG(crypt_set_log_callback),
321	DLSYM_ARG(crypt_set_metadata_size),
322	DLSYM_ARG(crypt_set_pbkdf_type),
323	DLSYM_ARG(crypt_suspend),
324	DLSYM_ARG(crypt_token_json_get),
325	DLSYM_ARG(crypt_token_json_set),
326	DLSYM_ARG(crypt_token_max),
327	#if HAVE_CRYPT_TOKEN_SET_EXTERNAL_PATH
328	DLSYM_ARG(crypt_token_set_external_path),
329	#endif
330	DLSYM_ARG(crypt_token_status),
331	DLSYM_ARG(crypt_volume_key_get),
332	DLSYM_ARG(crypt_volume_key_keyring),
333	DLSYM_ARG(crypt_wipe),
334	DLSYM_ARG(crypt_get_integrity_info));
335	if (r <= 0)	31,206✔
336	return r;
337
338	/* Redirect the default logging calls of libcryptsetup to our own logging infra. (Note that
339	* libcryptsetup also maintains per-"struct crypt_device" log functions, which we'll also set
340	* whenever allocating a "struct crypt_device" context. Why set both? To be defensive: maybe some
341	* other code loaded into this process also changes the global log functions of libcryptsetup, who
342	* knows? And if so, we still want our own objects to log via our own infra, at the very least.) */
343	cryptsetup_enable_logging(NULL);	11,411✔
344
345	const char *e = secure_getenv("SYSTEMD_CRYPTSETUP_TOKEN_PATH");	11,411✔
346	if (e) {	11,411✔
347	#if HAVE_CRYPT_TOKEN_SET_EXTERNAL_PATH
348	r = sym_crypt_token_set_external_path(e);	×
349	if (r < 0)	×
350	log_debug_errno(r, "Failed to set the libcryptsetup external token path to '%s', ignoring: %m", e);	×
351	#else
352	log_debug("libcryptsetup version does not support setting the external token path, not setting it to '%s'.", e);
353	#endif
354	}
355
356	return 1;
357	#else
358	return log_full_errno(log_level, SYNTHETIC_ERRNO(EOPNOTSUPP),
359	"libcryptsetup support is not compiled in.");
360	#endif
361	}
362
363	int cryptsetup_get_keyslot_from_token(sd_json_variant *v) {	16✔
364	int keyslot, r;	16✔
365	sd_json_variant *w;	16✔
366
367	/* Parses the "keyslots" field of a LUKS2 token object. The field can be an array, but here we assume
368	* that it contains a single element only, since that's the only way we ever generate it
369	* ourselves. */
370
371	w = sd_json_variant_by_key(v, "keyslots");	16✔
372	if (!w)	16✔
373	return -ENOENT;	16✔
374	if (!sd_json_variant_is_array(w) \|\| sd_json_variant_elements(w) != 1)	16✔
375	return -EMEDIUMTYPE;	×
376
377	w = sd_json_variant_by_index(w, 0);	16✔
378	if (!w)	16✔
379	return -ENOENT;
380	if (!sd_json_variant_is_string(w))	16✔
381	return -EMEDIUMTYPE;
382
383	r = safe_atoi(sd_json_variant_string(w), &keyslot);	16✔
384	if (r < 0)	16✔
385	return r;
386	if (keyslot < 0)	16✔
387	return -EINVAL;	×
388
389	return keyslot;
390	}
391
392	const char* mangle_none(const char *s) {	200✔
393	/* A helper that turns cryptsetup/integritysetup/veritysetup "options" strings into NULL if they are effectively empty */
394	return isempty(s) \|\| STR_IN_SET(s, "-", "none") ? NULL : s;	400✔
395	}

systemd / systemd / 24809677062

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous