Add crypt_token_set_external_path API.

It can be used to override system library where libcryptsetup looks for external token handlers (plugins). The parameter is required to be absolute path and it is set per process context. Fixes: #846.
2025-12-05 16:00:05 +01:00 · 2023-11-09 15:33:05 +01:00
parent 31f82fd37c
commit 0328d61f29
3 changed files with 46 additions and 1 deletions
--- a/lib/libcryptsetup.h
+++ b/lib/libcryptsetup.h
@@ -2767,6 +2767,17 @@ int crypt_token_register(const crypt_token_handler *handler);
 */
 const char *crypt_token_external_path(void);

+/**
+ * Override configured external token handlers path for the library.
+ *
+ * @param path Abosulte path (starts with '/') to new external token handlers directory or @e NULL.
+ *
+ * @note if @e path is @e NULL the external token path is reset to default path.
+ *
+ * @return @e 0 on success or negative errno value otherwise.
+ */
+int crypt_token_set_external_path(const char *path);
+
 /**
 * Disable external token handlers (plugins) support
 * If disabled, it cannot be enabled again.
--- a/lib/libcryptsetup.sym
+++ b/lib/libcryptsetup.sym
@@ -176,6 +176,7 @@ CRYPTSETUP_2.7 {
 		crypt_keyslot_context_init_by_vk_in_keyring;
 		crypt_keyslot_context_init_by_signed_key;
 		crypt_resume_by_keyslot_context;
+		crypt_token_set_external_path;
 		crypt_set_keyring_to_link;
 		crypt_wipe_hw_opal;
 } CRYPTSETUP_2.6;
--- a/lib/luks2/luks2_token.c
+++ b/lib/luks2/luks2_token.c
@@ -25,7 +25,9 @@
 #include "luks2_internal.h"

 #if USE_EXTERNAL_TOKENS
+#define TOKENS_PATH_MAX PATH_MAX
 static bool external_tokens_enabled = true;
+static char external_tokens_path[TOKENS_PATH_MAX] = EXTERNAL_LUKS2_TOKENS_PATH;
 #else
 static bool external_tokens_enabled = false;
 #endif
@@ -51,9 +53,40 @@ void crypt_token_external_disable(void)

 const char *crypt_token_external_path(void)
 {
-	return external_tokens_enabled ? EXTERNAL_LUKS2_TOKENS_PATH : NULL;
+#if USE_EXTERNAL_TOKENS
+	return external_tokens_enabled ? external_tokens_path : NULL;
+#else
+	return NULL;
+#endif
 }

+#if USE_EXTERNAL_TOKENS
+int crypt_token_set_external_path(const char *path)
+{
+	int r;
+	char tokens_path[TOKENS_PATH_MAX];
+
+	if (!path)
+		path = EXTERNAL_LUKS2_TOKENS_PATH;
+	else if (*path != '/')
+		return -EINVAL;
+
+	r = snprintf(tokens_path, sizeof(tokens_path), "%s", path);
+	if (r < 0 || (size_t)r >= sizeof(tokens_path))
+		return -EINVAL;
+
+	(void)strcpy(external_tokens_path, tokens_path);
+
+	return 0;
+}
+#else
+#pragma GCC diagnostic ignored "-Wunused-parameter"
+int crypt_token_set_external_path(const char *path)
+{
+	return -ENOTSUP;
+}
+#endif
+
 static bool token_validate_v1(struct crypt_device *cd, const crypt_token_handler *h)
 {
 	if (!h)