Add PIN processing to tokens.
@@ -2102,6 +2102,27 @@ typedef int (*crypt_token_open_func) (
|
||||
size_t *buffer_len,
|
||||
void *usrptr);
|
||||
|
||||
/**
|
||||
* Token handler open with passphrase/PIN function prototype.
|
||||
* This function retrieves password from a token and return allocated buffer
|
||||
* containing this password. This buffer has to be deallocated by calling
|
||||
* free() function and content should be wiped before deallocation.
|
||||
*
|
||||
* @param cd crypt device handle
|
||||
* @param token token id
|
||||
* @param pin passphrase (or PIN) to unlock token
|
||||
* @param buffer returned allocated buffer with password
|
||||
* @param buffer_len length of the buffer
|
||||
* @param usrptr user data in @link crypt_activate_by_token @endlink
|
||||
*/
|
||||
typedef int (*crypt_token_open_pin_func) (
|
||||
struct crypt_device *cd,
|
||||
int token,
|
||||
const char *pin,
|
||||
char **buffer,
|
||||
size_t *buffer_len,
|
||||
void *usrptr);
|
||||
|
||||
/**
|
||||
* Token handler buffer free function prototype.
|
||||
* This function is used by library to free the buffer with keyslot
|
||||
@@ -2148,6 +2169,7 @@ typedef struct {
|
||||
crypt_token_buffer_free_func buffer_free; /**< token handler buffer_free function (optional) */
|
||||
crypt_token_validate_func validate; /**< token handler validate function (optional) */
|
||||
crypt_token_dump_func dump; /**< token handler dump function (optional) */
|
||||
crypt_token_open_pin_func open_pin; /**< open with passphrase function (optional) */
|
||||
} crypt_token_handler;
|
||||
|
||||
/**
|
||||
@@ -2183,12 +2205,34 @@ int crypt_token_load(const char *name);
|
||||
* @param flags activation flags
|
||||
*
|
||||
* @return unlocked key slot number or negative errno otherwise.
|
||||
*
|
||||
* @note EAGAIN errno means that token is PIN protected and you should call
|
||||
* @link crypt_activate_by_pin_token @endlink with PIN
|
||||
*/
|
||||
int crypt_activate_by_token(struct crypt_device *cd,
|
||||
const char *name,
|
||||
int token,
|
||||
void *usrptr,
|
||||
uint32_t flags);
|
||||
|
||||
/**
|
||||
* Activate device or check key using a token with PIN.
|
||||
*
|
||||
* @param cd crypt device handle
|
||||
* @param name name of device to create, if @e NULL only check token
|
||||
* @param token requested token to check or CRYPT_ANY_TOKEN to check all
|
||||
* @param pin passphrase (or PIN) to unlock token
|
||||
* @param usrptr provided identification in callback
|
||||
* @param flags activation flags
|
||||
*
|
||||
* @return unlocked key slot number or negative errno otherwise.
|
||||
*/
|
||||
int crypt_activate_by_pin_token(struct crypt_device *cd,
|
||||
const char *name,
|
||||
int token,
|
||||
const char *pin,
|
||||
void *usrptr,
|
||||
uint32_t flags);
|
||||
/** @} */
|
||||
|
||||
/**
|
||||
|
||||
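Review bot: The `@note` on crypt_activate_by_token tells callers that -EAGAIN means the token is PIN protected, but neither the crypt_token_open_func nor the new crypt_token_open_pin_func documentation tells handler authors that their open callback is expected to return -EAGAIN to trigger that, so the contract is only half stated; I would add to the open_pin block `@note A handler whose token needs a PIN should return -EAGAIN from its open callback so the library can report it through crypt_activate_by_token.` The new `pin` parameter is a bare `const char *` with no length, so the PIN must be NUL-terminated and a binary PIN cannot be passed at all; if that is intended the `@param pin` line should say so (a `pin_size` parameter would be the alternative). The lib/setup.c part of this commit calls crypt_activate_by_pin_token with `pin == NULL`, so NULL is a valid value and the `@param pin` line of that function should read `@param pin passphrase (or PIN) to unlock token, or @e NULL to open the token without one`. Ownership of `pin` is also unstated; a one-line `@note` that the caller keeps ownership and should wipe the buffer afterwards would match the care taken for the returned buffer.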
@@ -58,6 +58,7 @@ CRYPTSETUP_2.0 {
|
||||
crypt_token_load;
|
||||
|
||||
crypt_activate_by_token;
|
||||
crypt_activate_by_pin_token;
|
||||
|
||||
crypt_keyslot_destroy;
|
||||
crypt_activate_by_passphrase;
|
||||
|
||||
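Review bot: `crypt_activate_by_pin_token` is appended to the existing CRYPTSETUP_2.0 version node, which is only safe while no release carrying that node has shipped, since adding symbols to a published node silently changes what the version tag guarantees to already-linked binaries. If 2.0 is still unreleased at this point this is fine and worth a sentence in the commit message; otherwise a new `CRYPTSETUP_2.1 { ... } CRYPTSETUP_2.0;` node is the usual way to add an entry point.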
@@ -257,12 +257,14 @@ int LUKS2_token_open_and_activate(struct crypt_device *cd,
|
||||
struct luks2_hdr *hdr,
|
||||
int token,
|
||||
const char *name,
|
||||
const char *pin,
|
||||
uint32_t flags,
|
||||
void *usrptr);
|
||||
|
||||
int LUKS2_token_open_and_activate_any(struct crypt_device *cd,
|
||||
struct luks2_hdr *hdr,
|
||||
const char *name,
|
||||
const char *pin,
|
||||
uint32_t flags);
|
||||
|
||||
int LUKS2_token_keyring_get(struct crypt_device *cd,
|
||||
|
||||
@@ -116,6 +116,9 @@ int crypt_token_register(const crypt_token_handler *handler)
|
||||
{
|
||||
int i, r;
|
||||
|
||||
if (!handler->name || !handler->open)
|
||||
return -EINVAL;
|
||||
|
||||
r = crypt_token_find_free(handler->name, &i);
|
||||
if (r < 0)
|
||||
return r;
|
||||
@@ -307,6 +310,7 @@ crypt_token_info LUKS2_token_status(struct crypt_device *cd,
|
||||
static int LUKS2_token_open(struct crypt_device *cd,
|
||||
struct luks2_hdr *hdr,
|
||||
int token,
|
||||
const char *pin,
|
||||
char **buffer,
|
||||
size_t *buffer_len,
|
||||
void *usrptr)
|
||||
@@ -328,6 +332,11 @@ static int LUKS2_token_open(struct crypt_device *cd,
|
||||
}
|
||||
}
|
||||
|
||||
if (pin && !h->open_pin)
|
||||
r = -ENOENT;
|
||||
else if (pin)
|
||||
r = h->open_pin(cd, token, pin, buffer, buffer_len, usrptr);
|
||||
else
|
||||
r = h->open(cd, token, buffer, buffer_len, usrptr);
|
||||
if (r < 0)
|
||||
log_dbg(cd, "Token %d (%s) open failed with %d.", token, h->name, r);
|
||||
@@ -393,6 +402,7 @@ int LUKS2_token_open_and_activate(struct crypt_device *cd,
|
||||
struct luks2_hdr *hdr,
|
||||
int token,
|
||||
const char *name,
|
||||
const char *pin,
|
||||
uint32_t flags,
|
||||
void *usrptr)
|
||||
{
|
||||
@@ -401,7 +411,7 @@ int LUKS2_token_open_and_activate(struct crypt_device *cd,
|
||||
size_t buffer_len;
|
||||
struct volume_key *vk = NULL;
|
||||
|
||||
r = LUKS2_token_open(cd, hdr, token, &buffer, &buffer_len, usrptr);
|
||||
r = LUKS2_token_open(cd, hdr, token, pin, &buffer, &buffer_len, usrptr);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
@@ -435,6 +445,7 @@ int LUKS2_token_open_and_activate(struct crypt_device *cd,
|
||||
int LUKS2_token_open_and_activate_any(struct crypt_device *cd,
|
||||
struct luks2_hdr *hdr,
|
||||
const char *name,
|
||||
const char *pin,
|
||||
uint32_t flags)
|
||||
{
|
||||
char *buffer;
|
||||
@@ -449,7 +460,7 @@ int LUKS2_token_open_and_activate_any(struct crypt_device *cd,
|
||||
UNUSED(val);
|
||||
token = atoi(slot);
|
||||
|
||||
r = LUKS2_token_open(cd, hdr, token, &buffer, &buffer_len, NULL);
|
||||
r = LUKS2_token_open(cd, hdr, token, pin, &buffer, &buffer_len, NULL);
|
||||
if (r < 0)
|
||||
continue;
|
||||
|
||||
|
||||
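Review bot: With CRYPT_ANY_TOKEN the loop around the changed `LUKS2_token_open(cd, hdr, token, pin, &buffer, &buffer_len, NULL)` call presents the same PIN to every token in turn, so one mistyped PIN is consumed by each PIN-protected token before the call fails; on hardware tokens with a retry counter that can cost several attempts for a single user error, and since the function begins before the hunk I cannot see whether an earlier filter narrows the candidates. Combined with the `if (pin && !h->open_pin) r = -ENOENT;` dispatch in the LUKS2_token_open hunk above, supplying a PIN also skips every handler that does not implement open_pin, so a caller that goes straight to crypt_activate_by_pin_token with CRYPT_ANY_TOKEN never tries tokens that would have opened without a PIN. I would stop after the first token that rejects the PIN rather than `continue`, or at least document in libcryptsetup.h that CRYPT_ANY_TOKEN with a PIN is offered to every PIN-capable token and a specific token id should be used where retry counters matter. Separately, `-ENOENT` for "handler has no open_pin" is easy to confuse with "token not found" in the debug log; `-ENOTSUP` would keep the two failures distinguishable.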
14
lib/setup.c
14
lib/setup.c
@@ -5529,8 +5529,8 @@ void crypt_set_luks2_reencrypt(struct crypt_device *cd, struct luks2_reencrypt *
|
||||
/*
|
||||
* Token handling
|
||||
*/
|
||||
int crypt_activate_by_token(struct crypt_device *cd,
|
||||
const char *name, int token, void *usrptr, uint32_t flags)
|
||||
int crypt_activate_by_pin_token(struct crypt_device *cd, const char *name, int token,
|
||||
const char *pin, void *usrptr, uint32_t flags)
|
||||
{
|
||||
int r;
|
||||
|
||||
@@ -5547,9 +5547,15 @@ int crypt_activate_by_token(struct crypt_device *cd,
|
||||
return -EINVAL;
|
||||
|
||||
if (token == CRYPT_ANY_TOKEN)
|
||||
return LUKS2_token_open_and_activate_any(cd, &cd->u.luks2.hdr, name, flags);
|
||||
return LUKS2_token_open_and_activate_any(cd, &cd->u.luks2.hdr, name, pin, flags);
|
||||
|
||||
return LUKS2_token_open_and_activate(cd, &cd->u.luks2.hdr, token, name, flags, usrptr);
|
||||
return LUKS2_token_open_and_activate(cd, &cd->u.luks2.hdr, token, name, pin, flags, usrptr);
|
||||
}
|
||||
|
||||
int crypt_activate_by_token(struct crypt_device *cd,
|
||||
const char *name, int token, void *usrptr, uint32_t flags)
|
||||
{
|
||||
return crypt_activate_by_pin_token(cd, name, token, NULL, usrptr, flags);
|
||||
}
|
||||
|
||||
int crypt_token_json_get(struct crypt_device *cd, int token, const char **json)
|
||||
|
||||
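Review bot: The new public name `crypt_activate_by_pin_token` breaks the pattern of the other entry points visible in this commit (`crypt_activate_by_passphrase`, `crypt_activate_by_token`), where the unlock method is the last word; `crypt_activate_by_token_pin` keeps the token as the method with the PIN as the qualifier and sorts next to crypt_activate_by_token in the symbol file. Since this is an exported ABI symbol it cannot be renamed later without keeping an alias, so it is worth settling before release. The body of crypt_activate_by_pin_token between the `int r;` and the `return -EINVAL;` context is outside the hunk, so I cannot see what validation precedes the dispatch.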
@@ -1495,6 +1495,18 @@ static int action_open_luks(void)
|
||||
} else {
|
||||
r = crypt_activate_by_token(cd, activated_name, opt_token, NULL, activate_flags);
|
||||
tools_keyslot_msg(r, UNLOCKED);
|
||||
|
||||
/* Token requires PIN, but ask only there will be no password query later */
|
||||
if (opt_token_only && r == -EAGAIN) {
|
||||
r = tools_get_key(_("Enter token PIN:"), &password, &passwordLen, 0, 0, NULL,
|
||||
opt_timeout, _verify_passphrase(0), 0, cd);
|
||||
if (r < 0)
|
||||
goto out;
|
||||
r = crypt_activate_by_pin_token(cd, activated_name, opt_token,
|
||||
password, NULL, activate_flags);
|
||||
tools_keyslot_msg(r, UNLOCKED);
|
||||
}
|
||||
|
||||
if (r >= 0 || opt_token_only)
|
||||
goto out;
|
||||
|
||||
|
||||
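Review bot: `tools_keyslot_msg(r, UNLOCKED)` runs on the -EAGAIN result before the PIN prompt, so if that helper reports failures as well as successes (its body is not visible here) the user is told the token failed and is then asked for a PIN; moving the first message after the `if (opt_token_only && r == -EAGAIN)` branch, or guarding it with `if (r != -EAGAIN)`, avoids the contradictory output. Without `--token-only` a PIN-protected token is silently abandoned and the user lands in the ordinary passphrase prompt with no hint that a usable token exists; a `log_verbose(cd, _("Token requires a PIN, use --token-only to enter it."));` next to the existing comment would explain the fallback. The PIN buffer from `tools_get_key` is handed to crypt_activate_by_pin_token as a plain string, so it must be NUL-terminated, which that helper presumably guarantees for interactive input, and it should be wiped and released at `out:`, which lies outside the hunk so I cannot confirm it. The comment `ask only there will be no password query later` is missing a word; `ask only if there will be no password query later` reads as intended. action_open_luks starts and ends outside the hunk.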