26546993077

Committed 27 May 2026 08:34PM UTC coverage: 72.995% (+0.3%) from 72.667%

Build # 26546993077

Build Type

push

github

Committed by

bluca

Commit Message

test-pressure: set timeout to make not wait forever

If this runs on a slow or busy machine, then we may not get enough
pressure to trigger the event sources. In such case, the test does not
finish. It is problematic when the test is _not_ run with 'meson test',
e.g. debian/ubuntu CIs.

Let's introduce a timeout for each event loop, and skip test cases
gracefully.

Coverage Stats

8 of 12 new or added lines in 1 file covered. (66.67%)

19671 existing lines in 226 files now uncovered.

337119 of 461841 relevant lines covered (72.99%)

1326365.62 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

0.0

/src/cryptsetup/cryptsetup-pkcs11.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include "sd-json.h"

#include "alloc-util.h"
#include "ask-password-api.h"
#include "cryptsetup-pkcs11.h"
#include "cryptsetup-util.h"
#include "fileio.h"
#include "iovec-util.h"
#include "log.h"
#include "pkcs11-util.h"
#include "random-util.h"

int decrypt_pkcs11_key(
                const char *volume_name,
                const char *friendly_name,
                const char *pkcs11_uri,
                Pkcs11RsaPadding rsa_padding,
                const char *key_file,         /* We either expect key_file and associated parameters to be set (for file keys) … */
                size_t key_file_size,
                uint64_t key_file_offset,
                const struct iovec *key_data, /* … or literal keys via key_data */
                usec_t until,
                AskPasswordFlags askpw_flags,
                void **ret_decrypted_key,
                size_t *ret_decrypted_key_size) {
#if HAVE_P11KIT
        _cleanup_(pkcs11_crypt_device_callback_data_release) pkcs11_crypt_device_callback_data data = {
                .friendly_name = friendly_name,
                .askpw_flags = askpw_flags,
                .until = until,
                .rsa_padding = rsa_padding,
        };
        int r;

        assert(friendly_name);
        assert(pkcs11_uri);
        assert(key_file || iovec_is_set(key_data));
        assert(ret_decrypted_key);
        assert(ret_decrypted_key_size);

        /* The functions called here log about all errors, except for EAGAIN which means "token not found right now" */

        if (iovec_is_set(key_data)) {
                data.encrypted_key = (void*) key_data->iov_base;
                data.encrypted_key_size = key_data->iov_len;

                data.free_encrypted_key = false;
        } else {
                _cleanup_free_ char *bindname = NULL;

                /* If we read the key via AF_UNIX, make this client recognizable */
                if (asprintf(&bindname, "@%" PRIx64"/cryptsetup-pkcs11/%s", random_u64(), volume_name) < 0)
                        return log_oom();

                r = read_full_file_full(
                                AT_FDCWD, key_file,
                                key_file_offset == 0 ? UINT64_MAX : key_file_offset,
                                key_file_size == 0 ? SIZE_MAX : key_file_size,
                                READ_FULL_FILE_CONNECT_SOCKET,
                                bindname,
                                (char**) &data.encrypted_key, &data.encrypted_key_size);
                if (r < 0)
                        return r;

                data.free_encrypted_key = true;
        }

        r = pkcs11_find_token(pkcs11_uri, pkcs11_crypt_device_callback, &data);
        if (r < 0)
                return r;

        *ret_decrypted_key = TAKE_PTR(data.decrypted_key);
        *ret_decrypted_key_size = data.decrypted_key_size;

        return 0;
#else
        return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "PKCS#11 Token support not available.");
#endif
}

int find_pkcs11_auto_data(
                struct crypt_device *cd,
                char **ret_uri,
                void **ret_encrypted_key,
                size_t *ret_encrypted_key_size,
                Pkcs11RsaPadding *ret_rsa_padding,
                int *ret_keyslot) {

#if HAVE_P11KIT
        _cleanup_free_ char *uri = NULL;
        _cleanup_free_ void *key = NULL;
        int r, keyslot = -1;
        size_t key_size = 0;
        Pkcs11RsaPadding rsa_padding = PKCS11_RSA_PADDING_PKCS1V15;

        assert(cd);
        assert(ret_uri);
        assert(ret_encrypted_key);
        assert(ret_encrypted_key_size);
        assert(ret_rsa_padding);
        assert(ret_keyslot);

        /* Loads PKCS#11 metadata from LUKS2 JSON token headers. */

        for (int token = 0; token < sym_crypt_token_max(CRYPT_LUKS2); token++) {
                _cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL;
                sd_json_variant *w;
                int ks;

                r = cryptsetup_get_token_as_json(cd, token, "systemd-pkcs11", &v);
                if (IN_SET(r, -ENOENT, -EINVAL, -EMEDIUMTYPE))
                        continue;
                if (r < 0)
                        return log_error_errno(r, "Failed to read JSON token data off disk: %m");

                ks = cryptsetup_get_keyslot_from_token(v);
                if (ks < 0) {
                        /* Handle parsing errors of the keyslots field gracefully, since it's not 'owned' by
                         * us, but by the LUKS2 spec */
                        log_warning_errno(ks, "Failed to extract keyslot index from PKCS#11 JSON data token %i, skipping: %m", token);
                        continue;
                }

                if (uri)
                        return log_error_errno(SYNTHETIC_ERRNO(ENOTUNIQ),
                                               "Multiple PKCS#11 tokens enrolled, cannot automatically determine token.");

                assert(keyslot < 0);
                keyslot = ks;

                w = sd_json_variant_by_key(v, "pkcs11-uri");
                if (!w || !sd_json_variant_is_string(w))
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                               "PKCS#11 token data lacks 'pkcs11-uri' field.");

                uri = strdup(sd_json_variant_string(w));
                if (!uri)
                        return log_oom();

                if (!pkcs11_uri_valid(uri))
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                               "PKCS#11 token data contains invalid PKCS#11 URI.");

                w = sd_json_variant_by_key(v, "pkcs11-key");
                if (!w)
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                               "PKCS#11 token data lacks 'pkcs11-key' field.");

                assert(!key);
                assert(key_size == 0);
                r = sd_json_variant_unbase64(w, &key, &key_size);
                if (r < 0)
                        return log_error_errno(r, "Failed to decode base64 encoded key: %m");

                /* Optional padding-scheme tag. Absent in legacy tokens (which used PKCS#1 v1.5). */
                w = sd_json_variant_by_key(v, "pkcs11-padding");
                if (w) {
                        Pkcs11RsaPadding p;

                        if (!sd_json_variant_is_string(w))
                                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                                       "PKCS#11 token field 'pkcs11-padding' is not a string.");
                        p = pkcs11_rsa_padding_from_string(sd_json_variant_string(w));
                        if (p < 0)
                                return log_error_errno(p,
                                                       "PKCS#11 token field 'pkcs11-padding' has unsupported value '%s'.",
                                                       sd_json_variant_string(w));
                        rsa_padding = p;
                }
        }

        if (!uri)
                return log_error_errno(SYNTHETIC_ERRNO(ENXIO),
                                       "No valid PKCS#11 token data found.");

        log_info("Automatically discovered security PKCS#11 token '%s' unlocks volume.", uri);

        *ret_uri = TAKE_PTR(uri);
        *ret_encrypted_key = TAKE_PTR(key);
        *ret_encrypted_key_size = key_size;
        *ret_rsa_padding = rsa_padding;
        *ret_keyslot = keyslot;
        return 0;
#else
        return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "PKCS#11 Token support not available.");
#endif
}

1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3	#include "sd-json.h"
4
5	#include "alloc-util.h"
6	#include "ask-password-api.h"
7	#include "cryptsetup-pkcs11.h"
8	#include "cryptsetup-util.h"
9	#include "fileio.h"
10	#include "iovec-util.h"
11	#include "log.h"
12	#include "pkcs11-util.h"
13	#include "random-util.h"
14
15	int decrypt_pkcs11_key(	×
16	const char *volume_name,
17	const char *friendly_name,
18	const char *pkcs11_uri,
19	Pkcs11RsaPadding rsa_padding,
20	const char key_file, / We either expect key_file and associated parameters to be set (for file keys) … */
21	size_t key_file_size,
22	uint64_t key_file_offset,
23	const struct iovec key_data, / … or literal keys via key_data */
24	usec_t until,
25	AskPasswordFlags askpw_flags,
26	void **ret_decrypted_key,
27	size_t *ret_decrypted_key_size) {
28	#if HAVE_P11KIT
UNCOV 29	_cleanup_(pkcs11_crypt_device_callback_data_release) pkcs11_crypt_device_callback_data data = {	×
30	.friendly_name = friendly_name,
31	.askpw_flags = askpw_flags,
32	.until = until,
33	.rsa_padding = rsa_padding,
34	};
35	int r;	×
36
37	assert(friendly_name);	×
38	assert(pkcs11_uri);	×
39	assert(key_file \|\| iovec_is_set(key_data));	×
UNCOV 40	assert(ret_decrypted_key);	×
UNCOV 41	assert(ret_decrypted_key_size);	×
42
43	/* The functions called here log about all errors, except for EAGAIN which means "token not found right now" */
44
45	if (iovec_is_set(key_data)) {	×
UNCOV 46	data.encrypted_key = (void*) key_data->iov_base;	×
47	data.encrypted_key_size = key_data->iov_len;	×
48
49	data.free_encrypted_key = false;	×
50	} else {
UNCOV 51	_cleanup_free_ char *bindname = NULL;	×
52
53	/* If we read the key via AF_UNIX, make this client recognizable */
UNCOV 54	if (asprintf(&bindname, "@%" PRIx64"/cryptsetup-pkcs11/%s", random_u64(), volume_name) < 0)	×
55	return log_oom();	×
56
UNCOV 57	r = read_full_file_full(	×
58	AT_FDCWD, key_file,
59	key_file_offset == 0 ? UINT64_MAX : key_file_offset,
60	key_file_size == 0 ? SIZE_MAX : key_file_size,
61	READ_FULL_FILE_CONNECT_SOCKET,
62	bindname,
63	(char**) &data.encrypted_key, &data.encrypted_key_size);
UNCOV 64	if (r < 0)	×
65	return r;
66
UNCOV 67	data.free_encrypted_key = true;	×
68	}
69
UNCOV 70	r = pkcs11_find_token(pkcs11_uri, pkcs11_crypt_device_callback, &data);	×
UNCOV 71	if (r < 0)	×
72	return r;
73
UNCOV 74	*ret_decrypted_key = TAKE_PTR(data.decrypted_key);	×
75	*ret_decrypted_key_size = data.decrypted_key_size;	×
76
UNCOV 77	return 0;	×
78	#else
79	return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "PKCS#11 Token support not available.");
80	#endif
81	}
82
UNCOV 83	int find_pkcs11_auto_data(	×
84	struct crypt_device *cd,
85	char **ret_uri,
86	void **ret_encrypted_key,
87	size_t *ret_encrypted_key_size,
88	Pkcs11RsaPadding *ret_rsa_padding,
89	int *ret_keyslot) {
90
91	#if HAVE_P11KIT
92	_cleanup_free_ char *uri = NULL;	×
UNCOV 93	_cleanup_free_ void *key = NULL;	×
94	int r, keyslot = -1;	×
95	size_t key_size = 0;	×
96	Pkcs11RsaPadding rsa_padding = PKCS11_RSA_PADDING_PKCS1V15;	×
97
98	assert(cd);	×
UNCOV 99	assert(ret_uri);	×
UNCOV 100	assert(ret_encrypted_key);	×
UNCOV 101	assert(ret_encrypted_key_size);	×
102	assert(ret_rsa_padding);	×
103	assert(ret_keyslot);	×
104
105	/* Loads PKCS#11 metadata from LUKS2 JSON token headers. */
106
107	for (int token = 0; token < sym_crypt_token_max(CRYPT_LUKS2); token++) {	×
108	_cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL;	×
109	sd_json_variant *w;	×
110	int ks;	×
111
UNCOV 112	r = cryptsetup_get_token_as_json(cd, token, "systemd-pkcs11", &v);	×
113	if (IN_SET(r, -ENOENT, -EINVAL, -EMEDIUMTYPE))	×
114	continue;	×
UNCOV 115	if (r < 0)	×
UNCOV 116	return log_error_errno(r, "Failed to read JSON token data off disk: %m");	×
117
118	ks = cryptsetup_get_keyslot_from_token(v);	×
UNCOV 119	if (ks < 0) {	×
120	/* Handle parsing errors of the keyslots field gracefully, since it's not 'owned' by
121	* us, but by the LUKS2 spec */
122	log_warning_errno(ks, "Failed to extract keyslot index from PKCS#11 JSON data token %i, skipping: %m", token);	×
UNCOV 123	continue;	×
124	}
125
126	if (uri)	×
UNCOV 127	return log_error_errno(SYNTHETIC_ERRNO(ENOTUNIQ),	×
128	"Multiple PKCS#11 tokens enrolled, cannot automatically determine token.");
129
130	assert(keyslot < 0);	×
UNCOV 131	keyslot = ks;	×
132
133	w = sd_json_variant_by_key(v, "pkcs11-uri");	×
134	if (!w \|\| !sd_json_variant_is_string(w))	×
135	return log_error_errno(SYNTHETIC_ERRNO(EINVAL),	×
136	"PKCS#11 token data lacks 'pkcs11-uri' field.");
137
138	uri = strdup(sd_json_variant_string(w));	×
UNCOV 139	if (!uri)	×
UNCOV 140	return log_oom();	×
141
142	if (!pkcs11_uri_valid(uri))	×
143	return log_error_errno(SYNTHETIC_ERRNO(EINVAL),	×
144	"PKCS#11 token data contains invalid PKCS#11 URI.");
145
146	w = sd_json_variant_by_key(v, "pkcs11-key");	×
147	if (!w)	×
148	return log_error_errno(SYNTHETIC_ERRNO(EINVAL),	×
149	"PKCS#11 token data lacks 'pkcs11-key' field.");
150
UNCOV 151	assert(!key);	×
UNCOV 152	assert(key_size == 0);	×
153	r = sd_json_variant_unbase64(w, &key, &key_size);	×
154	if (r < 0)	×
UNCOV 155	return log_error_errno(r, "Failed to decode base64 encoded key: %m");	×
156
157	/* Optional padding-scheme tag. Absent in legacy tokens (which used PKCS#1 v1.5). */
UNCOV 158	w = sd_json_variant_by_key(v, "pkcs11-padding");	×
159	if (w) {	×
160	Pkcs11RsaPadding p;	×
161
162	if (!sd_json_variant_is_string(w))	×
163	return log_error_errno(SYNTHETIC_ERRNO(EINVAL),	×
164	"PKCS#11 token field 'pkcs11-padding' is not a string.");
UNCOV 165	p = pkcs11_rsa_padding_from_string(sd_json_variant_string(w));	×
UNCOV 166	if (p < 0)	×
UNCOV 167	return log_error_errno(p,	×
168	"PKCS#11 token field 'pkcs11-padding' has unsupported value '%s'.",
169	sd_json_variant_string(w));
170	rsa_padding = p;
171	}
172	}
173
UNCOV 174	if (!uri)	×
UNCOV 175	return log_error_errno(SYNTHETIC_ERRNO(ENXIO),	×
176	"No valid PKCS#11 token data found.");
177
UNCOV 178	log_info("Automatically discovered security PKCS#11 token '%s' unlocks volume.", uri);	×
179
UNCOV 180	*ret_uri = TAKE_PTR(uri);	×
UNCOV 181	*ret_encrypted_key = TAKE_PTR(key);	×
UNCOV 182	*ret_encrypted_key_size = key_size;	×
UNCOV 183	*ret_rsa_padding = rsa_padding;	×
UNCOV 184	*ret_keyslot = keyslot;	×
UNCOV 185	return 0;	×
186	#else
187	return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "PKCS#11 Token support not available.");
188	#endif
189	}

systemd / systemd / 26546993077

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous