From 0328d61f29ba9559949af2905be75bbd61f18c7d Mon Sep 17 00:00:00 2001 From: Ondrej Kozina Date: Thu, 9 Nov 2023 15:33:05 +0100 Subject: [PATCH] Add crypt_token_set_external_path API. It can be used to override system library where libcryptsetup looks for external token handlers (plugins). The parameter is required to be absolute path and it is set per process context. Fixes: #846. --- lib/libcryptsetup.h | 11 +++++++++++ lib/libcryptsetup.sym | 1 + lib/luks2/luks2_token.c | 35 ++++++++++++++++++++++++++++++++++- 3 files changed, 46 insertions(+), 1 deletion(-) diff --git a/lib/libcryptsetup.h b/lib/libcryptsetup.h index f52d4456..008ed726 100644 --- a/lib/libcryptsetup.h +++ b/lib/libcryptsetup.h @@ -2767,6 +2767,17 @@ int crypt_token_register(const crypt_token_handler *handler); */ const char *crypt_token_external_path(void); +/** + * Override configured external token handlers path for the library. + * + * @param path Abosulte path (starts with '/') to new external token handlers directory or @e NULL. + * + * @note if @e path is @e NULL the external token path is reset to default path. + * + * @return @e 0 on success or negative errno value otherwise. + */ +int crypt_token_set_external_path(const char *path); + /** * Disable external token handlers (plugins) support * If disabled, it cannot be enabled again. diff --git a/lib/libcryptsetup.sym b/lib/libcryptsetup.sym index 68faffe6..89d64680 100644 --- a/lib/libcryptsetup.sym +++ b/lib/libcryptsetup.sym @@ -176,6 +176,7 @@ CRYPTSETUP_2.7 { crypt_keyslot_context_init_by_vk_in_keyring; crypt_keyslot_context_init_by_signed_key; crypt_resume_by_keyslot_context; + crypt_token_set_external_path; crypt_set_keyring_to_link; crypt_wipe_hw_opal; } CRYPTSETUP_2.6; diff --git a/lib/luks2/luks2_token.c b/lib/luks2/luks2_token.c index b87a1e4d..cf3be2be 100644 --- a/lib/luks2/luks2_token.c +++ b/lib/luks2/luks2_token.c @@ -25,7 +25,9 @@ #include "luks2_internal.h" #if USE_EXTERNAL_TOKENS +#define TOKENS_PATH_MAX PATH_MAX static bool external_tokens_enabled = true; +static char external_tokens_path[TOKENS_PATH_MAX] = EXTERNAL_LUKS2_TOKENS_PATH; #else static bool external_tokens_enabled = false; #endif @@ -51,9 +53,40 @@ void crypt_token_external_disable(void) const char *crypt_token_external_path(void) { - return external_tokens_enabled ? EXTERNAL_LUKS2_TOKENS_PATH : NULL; +#if USE_EXTERNAL_TOKENS + return external_tokens_enabled ? external_tokens_path : NULL; +#else + return NULL; +#endif } +#if USE_EXTERNAL_TOKENS +int crypt_token_set_external_path(const char *path) +{ + int r; + char tokens_path[TOKENS_PATH_MAX]; + + if (!path) + path = EXTERNAL_LUKS2_TOKENS_PATH; + else if (*path != '/') + return -EINVAL; + + r = snprintf(tokens_path, sizeof(tokens_path), "%s", path); + if (r < 0 || (size_t)r >= sizeof(tokens_path)) + return -EINVAL; + + (void)strcpy(external_tokens_path, tokens_path); + + return 0; +} +#else +#pragma GCC diagnostic ignored "-Wunused-parameter" +int crypt_token_set_external_path(const char *path) +{ + return -ENOTSUP; +} +#endif + static bool token_validate_v1(struct crypt_device *cd, const crypt_token_handler *h) { if (!h)