shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-01-09 01:18:19 +03:00
Code

Merge pull request #29840 from poettering/cryptsetup-tweaks-nore

Browse Source 
two cryptsetup bugfixes and some clean-ups
This commit is contained in:
Lennart Poettering 2023-11-03 14:40:15 +01:00 committed by GitHub
commit 2037642930
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 53 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/cryptsetup/cryptsetup-tokens/luks2-pkcs11.c
View File

@ -158,6 +158,7 @@ static int acquire_luks2_key_systemd(
data.friendly_name = params->friendly_name;
data.headless = params->headless;
data.askpw_flags = params->askpw_flags;
data.until = params->until;
/* The functions called here log about all errors, except for EAGAIN which means "token not found right now" */

45
src/cryptsetup/cryptsetup.c
View File

@ -1175,20 +1175,20 @@ static int crypt_activate_by_token_pin_ask_password(
const char *type,
usec_t until,
bool headless,
void *usrptr,
void *userdata,
uint32_t activation_flags,
const char *message,
const char *key_name,
const char *credential_name) {
#if HAVE_LIBCRYPTSETUP_PLUGINS
AskPasswordFlags flags = ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED;
AskPasswordFlags flags = arg_ask_password_flags | ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED;
_cleanup_strv_free_erase_ char **pins = NULL;
int r;
r = crypt_activate_by_token_pin(cd, name, type, CRYPT_ANY_TOKEN, NULL, 0, usrptr, activation_flags);
r = crypt_activate_by_token_pin(cd, name, type, CRYPT_ANY_TOKEN, /* pin=*/ NULL, /* pin_size= */ 0, userdata, activation_flags);
if (r > 0) /* returns unlocked keyslot id on success */
r = 0;
return 0;
if (r != -ENOANO) /* needs pin or pin is wrong */
return r;
@ -1197,9 +1197,9 @@ static int crypt_activate_by_token_pin_ask_password(
return r;
STRV_FOREACH(p, pins) {
r = crypt_activate_by_token_pin(cd, name, type, CRYPT_ANY_TOKEN, *p, strlen(*p), usrptr, activation_flags);
r = crypt_activate_by_token_pin(cd, name, type, CRYPT_ANY_TOKEN, *p, strlen(*p), userdata, activation_flags);
if (r > 0) /* returns unlocked keyslot id on success */
r = 0;
return 0;
if (r != -ENOANO) /* needs pin or pin is wrong */
return r;
}
@ -1209,14 +1209,14 @@ static int crypt_activate_by_token_pin_ask_password(
for (;;) {
pins = strv_free_erase(pins);
r = ask_password_auto(message, "drive-harddisk", NULL, key_name, credential_name, until, flags, &pins);
r = ask_password_auto(message, "drive-harddisk", /* id= */ NULL, key_name, credential_name, until, flags, &pins);
if (r < 0)
return r;
STRV_FOREACH(p, pins) {
r = crypt_activate_by_token_pin(cd, name, type, CRYPT_ANY_TOKEN, *p, strlen(*p), usrptr, activation_flags);
r = crypt_activate_by_token_pin(cd, name, type, CRYPT_ANY_TOKEN, *p, strlen(*p), userdata, activation_flags);
if (r > 0) /* returns unlocked keyslot id on success */
r = 0;
return 0;
if (r != -ENOANO) /* needs pin or pin is wrong */
return r;
}
@ -1234,7 +1234,7 @@ static int attach_luks2_by_fido2_via_plugin(
const char *name,
usec_t until,
bool headless,
void *usrptr,
void *userdata,
uint32_t activation_flags) {
return crypt_activate_by_token_pin_ask_password(
@ -1243,7 +1243,7 @@ static int attach_luks2_by_fido2_via_plugin(
"systemd-fido2",
until,
headless,
usrptr,
userdata,
activation_flags,
"Please enter security token PIN:",
"fido2-pin",
@ -1399,7 +1399,8 @@ static int attach_luks2_by_pkcs11_via_plugin(
systemd_pkcs11_plugin_params params = {
.friendly_name = friendly_name,
.until = until,
.headless = headless
.headless = headless,
.askpw_flags = arg_ask_password_flags,
};
r = crypt_activate_by_token_pin(cd, name, "systemd-pkcs11", CRYPT_ANY_TOKEN, NULL, 0, &params, flags);
@ -1578,6 +1579,20 @@ static int make_tpm2_device_monitor(
return 0;
}
static bool use_token_plugins(void) {
int r;
/* Disable tokens if we shall measure, since we won't get access to the volume key then. */
if (arg_tpm2_measure_pcr != UINT_MAX)
return false;
r = getenv_bool("SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE");
if (r < 0 && r != -ENXIO)
log_debug_errno(r, "Failed to parse $SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE value, ignoring: %m");
return r != 0;
}
static int attach_luks2_by_tpm2_via_plugin(
struct crypt_device *cd,
const char *name,
@ -2260,14 +2275,14 @@ static int run(int argc, char *argv[]) {
}
/* Tokens are available in LUKS2 only, but it is ok to call (and fail) with LUKS1. */
if (!key_file && !key_data && getenv_bool("SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE") != 0) {
if (!key_file && !key_data && use_token_plugins()) {
r = crypt_activate_by_token_pin_ask_password(
cd,
volume,
NULL,
/* type= */ NULL,
until,
arg_headless,
NULL,
/* userdata= */ NULL,
flags,
"Please enter LUKS2 token PIN:",
"luks2-pin",

20
src/shared/pkcs11-util.c
View File

@ -291,6 +291,7 @@ int pkcs11_token_login(
const char *key_name,
const char *credential_name,
usec_t until,
AskPasswordFlags ask_password_flags,
bool headless,
char **ret_used_pin) {
@ -371,7 +372,7 @@ int pkcs11_token_login(
return log_oom();
/* We never cache PINs, simply because it's fatal if we use wrong PINs, since usually there are only 3 tries */
r = ask_password_auto(text, icon_name, id, key_name, credential_name, until, 0, &passwords);
r = ask_password_auto(text, icon_name, id, key_name, credential_name, until, ask_password_flags, &passwords);
if (r < 0)
return log_error_errno(r, "Failed to query PIN for security token '%s': %m", token_label);
}
@ -1058,6 +1059,8 @@ struct pkcs11_acquire_certificate_callback_data {
char *pin_used;
X509 *cert;
const char *askpw_friendly_name, *askpw_icon_name;
AskPasswordFlags askpw_flags;
bool headless;
};
static void pkcs11_acquire_certificate_callback_data_release(struct pkcs11_acquire_certificate_callback_data *data) {
@ -1086,7 +1089,19 @@ static int pkcs11_acquire_certificate_callback(
/* Called for every token matching our URI */
r = pkcs11_token_login(m, session, slot_id, token_info, data->askpw_friendly_name, data->askpw_icon_name, "pkcs11-pin", "pkcs11-pin", UINT64_MAX, false, &pin_used);
r = pkcs11_token_login(
m,
session,
slot_id,
token_info,
data->askpw_friendly_name,
data->askpw_icon_name,
"pkcs11-pin",
"pkcs11-pin",
UINT64_MAX,
data->askpw_flags,
data->headless,
&pin_used);
if (r < 0)
return r;
@ -1325,6 +1340,7 @@ int pkcs11_crypt_device_callback(
"pkcs11-pin",
"cryptsetup.pkcs11-pin",
data->until,
data->askpw_flags,
data->headless,
NULL);
if (r < 0)

5
src/shared/pkcs11-util.h
View File

@ -8,6 +8,7 @@
# include <p11-kit/uri.h>
#endif
#include "ask-password-api.h"
#include "macro.h"
#include "openssl-util.h"
#include "time-util.h"
@ -47,7 +48,7 @@ char *pkcs11_token_manufacturer_id(const CK_TOKEN_INFO *token_info);
char *pkcs11_token_model(const CK_TOKEN_INFO *token_info);
int pkcs11_token_login_by_pin(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, const CK_TOKEN_INFO *token_info, const char *token_label, const void *pin, size_t pin_size);
int pkcs11_token_login(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_SLOT_ID slotid, const CK_TOKEN_INFO *token_info, const char *friendly_name, const char *icon_name, const char *key_name, const char *credential_name, usec_t until, bool headless, char **ret_used_pin);
int pkcs11_token_login(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_SLOT_ID slotid, const CK_TOKEN_INFO *token_info, const char *friendly_name, const char *icon_name, const char *key_name, const char *credential_name, usec_t until, AskPasswordFlags ask_password_flags, bool headless, char **ret_used_pin);
int pkcs11_token_find_x509_certificate(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, P11KitUri *search_uri, CK_OBJECT_HANDLE *ret_object);
#if HAVE_OPENSSL
@ -75,6 +76,7 @@ typedef struct {
size_t decrypted_key_size;
bool free_encrypted_key;
bool headless;
AskPasswordFlags askpw_flags;
} pkcs11_crypt_device_callback_data;
void pkcs11_crypt_device_callback_data_release(pkcs11_crypt_device_callback_data *data);
@ -102,6 +104,7 @@ typedef struct {
const char *friendly_name;
usec_t until;
bool headless;
AskPasswordFlags askpw_flags;
} systemd_pkcs11_plugin_params;
int pkcs11_list_tokens(void);