From df5e54545ee8ffe655af51841f6f63782686d3d8 Mon Sep 17 00:00:00 2001 From: Milan Broz Date: Sun, 13 Jun 2021 20:32:40 +0200 Subject: [PATCH] Add API and CLI option to disable token plugins. This could be useful for debugging external plugins or ot intentionally disable loading of a token library. --- lib/libcryptsetup.h | 8 +++++++- lib/libcryptsetup.sym | 1 + lib/luks2/luks2_token.c | 20 +++++++++++++++----- man/cryptsetup.8 | 11 +++++++---- src/cryptsetup.c | 6 ++++++ src/cryptsetup_arg_list.h | 2 ++ src/utils_arg_names.h | 1 + tests/ssh-plugin-test | 1 + 8 files changed, 40 insertions(+), 10 deletions(-) diff --git a/lib/libcryptsetup.h b/lib/libcryptsetup.h index 4b66fe04..49cd9e16 100644 --- a/lib/libcryptsetup.h +++ b/lib/libcryptsetup.h @@ -2256,11 +2256,17 @@ int crypt_token_register(const crypt_token_handler *handler); /** * Report external token handlers (plugins) support - + * * @return @e 0 when enabled or negative errno value otherwise. */ int crypt_token_external_support(void); +/** + * Disable external token handlers (plugins) support + * If disabled, it cannot be enabled again. + */ +void crypt_token_external_disable(void); + /** ABI version for external token in libcryptsetup-token-.so */ #define CRYPT_TOKEN_ABI_VERSION1 "CRYPTSETUP_TOKEN_1.0" diff --git a/lib/libcryptsetup.sym b/lib/libcryptsetup.sym index 688e00be..76eda403 100644 --- a/lib/libcryptsetup.sym +++ b/lib/libcryptsetup.sym @@ -143,4 +143,5 @@ CRYPTSETUP_2.4 { crypt_dump_json; crypt_format; crypt_token_external_support; + crypt_token_external_disable; } CRYPTSETUP_2.0; diff --git a/lib/luks2/luks2_token.c b/lib/luks2/luks2_token.c index 36858e02..ee6b5ec5 100644 --- a/lib/luks2/luks2_token.c +++ b/lib/luks2/luks2_token.c 
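Review bot: The doc comment added for `crypt_token_external_disable()` in lib/libcryptsetup.h does not state the scope of the switch. The function takes no `struct crypt_device *`, so it appears to act on the whole process and on every context in it; an application that embeds libcryptsetup needs to know that, and that the call has to come before any operation that may look up a token. I would extend the comment with a line such as `* The setting is process-wide and affects all crypt_device contexts; call it before any operation that may load a token plugin.` The comment on `crypt_token_external_support()` should also say that, per the luks2_token.c change in this patch, it now returns a negative errno both when plugins are compiled out and when they were disabled at run time.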
@@ -25,6 +25,12 @@ #include "luks2_internal.h" +#if USE_EXTERNAL_TOKENS +static bool external_tokens_enabled = true; +#else +static bool external_tokens_enabled = false; +#endif + static struct crypt_token_handler_internal token_handlers[LUKS2_TOKENS_MAX] = { /* keyring builtin token */ { @@ -38,13 +44,14 @@ static struct crypt_token_handler_internal token_handlers[LUKS2_TOKENS_MAX] = { } }; +void crypt_token_external_disable(void) +{ + external_tokens_enabled = false; +} + int crypt_token_external_support(void) { -#if USE_EXTERNAL_TOKENS - return 0; -#else - return -ENOTSUP; -#endif + return external_tokens_enabled ? 0 : -ENOTSUP; } #if USE_EXTERNAL_TOKENS @@ -127,6 +134,9 @@ crypt_token_load_external(struct crypt_device *cd, const char *name, struct cryp char buf[512]; int r; + if (!external_tokens_enabled) + return -ENOTSUP; + if (!ret || !name) return -EINVAL; diff --git a/man/cryptsetup.8 b/man/cryptsetup.8 index 7196b37b..67ee8d87 100644 --- a/man/cryptsetup.8 +++ b/man/cryptsetup.8 @@ -130,7 +130,7 @@ The kernel keyring is used by default for LUKS2 devices. With LUKS2 device additional \fB\fR can be [\-\-token\-id, \-\-token\-only, \-\-key\-slot, \-\-key\-file, \-\-keyfile\-size, \-\-keyfile\-offset, \-\-timeout, -\-\-disable\-locks, \-\-disable\-keyring]. +\-\-disable\-external\-tokens, \-\-disable\-locks, \-\-disable\-keyring]. .PP \fIrefresh\fR @@ -320,8 +320,8 @@ the command prompts for it interactively. \fB\fR can be [\-\-key\-file, \-\-keyfile\-offset, \-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase, \-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id, -\-\-token\-only, \-\-disable\-keyring, \-\-disable\-locks, \-\-type, \-\-refresh, -\-\-serialize\-memory\-hard\-pbkdf]. +\-\-token\-only, \-\-disable\-external\-tokens, \-\-disable\-keyring, \-\-disable\-locks, +\-\-type, \-\-refresh, \-\-serialize\-memory\-hard\-pbkdf]. .PP \fIluksSuspend\fR .IP 
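Review bot: The new `if (!external_tokens_enabled) return -ENOTSUP;` guard sits only at the top of `crypt_token_load_external()`, so it blocks further plugin loads, but nothing in this diff clears or bypasses entries already present in `token_handlers[]`. If a plugin was loaded before `crypt_token_external_disable()` is called (the lookup path is outside the hunk, so this is inferred), its handler would presumably stay usable, which is weaker than the name suggests for a caller relying on this as a hardening switch. Either test the flag where a handler is selected as well, or document that the call only prevents further loading. Separately, `external_tokens_enabled` is a plain `static bool` written without synchronisation; if the library may be called from several threads, add a comment such as `/* process-wide, set once before any token operation; not thread-safe */`. The body of `crypt_token_load_external()` continues outside the hunk.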
@@ -571,7 +571,7 @@ Action \fIexport\fR writes requested token json to a file passed with \-\-json\- to standard output. \fB\fR can be [\-\-header, \-\-token\-id, \-\-key\-slot, \-\-key\-description, -\-\-disable\-locks, \-\-disable\-keyring, \-\-json\-file]. +\-\-disable\-external\-tokens, \-\-disable\-locks, \-\-disable\-keyring, \-\-json\-file]. .PP \fIconvert\fR \-\-type .IP @@ -1298,6 +1298,9 @@ Defers device removal in \fIclose\fR command until the last user closes it. .B "\-\-cancel\-deferred" Removes a previously configured deferred device removal in \fIclose\fR command. .TP +.B "\-\-disable\-external\-tokens" +Disable loading of plugins for external LUKS2 tokens. +.TP .B "\-\-disable\-locks" Disable lock protection for metadata on disk. This option is valid only for LUKS2 and ignored for other formats. diff --git a/src/cryptsetup.c b/src/cryptsetup.c index f321d8d2..0e900e17 100644 --- a/src/cryptsetup.c +++ b/src/cryptsetup.c @@ -3503,6 +3503,9 @@ static void help(poptContext popt_context, log_std(_("\nDefault compiled-in metadata format is %s (for luksFormat action).\n"), crypt_get_default_type()); + log_std(_("\nLUKS2 external token plugin support is %s.\n"), + crypt_token_external_support() ? _("disabled") : _("compiled-in")); + pbkdf_luks1 = crypt_get_pbkdf_default(CRYPT_LUKS1); pbkdf_luks2 = crypt_get_pbkdf_default(CRYPT_LUKS2); log_std(_("\nDefault compiled-in key and passphrase parameters:\n" @@ -3991,6 +3994,9 @@ int main(int argc, const char **argv) if (ARG_SET(OPT_DISABLE_KEYRING_ID)) (void) crypt_volume_key_keyring(NULL, 0); + if (ARG_SET(OPT_DISABLE_EXTERNAL_TOKENS_ID)) + (void) crypt_token_external_disable(); + if (ARG_SET(OPT_DISABLE_LOCKS_ID) && crypt_metadata_locking(NULL, 0)) { log_std(_("Cannot disable metadata locking.")); r = EXIT_FAILURE; diff --git a/src/cryptsetup_arg_list.h b/src/cryptsetup_arg_list.h index c688048c..d73f564b 100644 --- a/src/cryptsetup_arg_list.h +++ b/src/cryptsetup_arg_list.h 
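Review bot: In the `main()` hunk of src/cryptsetup.c the new call is written `(void) crypt_token_external_disable();`, but the header in this patch declares `void crypt_token_external_disable(void);`, so the cast discards nothing. It only mirrors the `crypt_volume_key_keyring()` line above it, which presumably does return a value; plain `crypt_token_external_disable();` is clearer. In the `help()` hunk, `crypt_token_external_support()` now also reflects the run-time switch, so the "disabled"/"compiled-in" wording may no longer describe only the build configuration, and a short comment there saying which state is reported would help. Both functions continue outside the hunks.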
@@ -43,6 +43,8 @@ ARG(OPT_DEVICE_SIZE, '\0', POPT_ARG_STRING, N_("Use only specified device size ( ARG(OPT_DECRYPT, '\0', POPT_ARG_NONE, N_("Decrypt LUKS2 device (remove encryption)."), NULL, CRYPT_ARG_BOOL, {}, {}) +ARG(OPT_DISABLE_EXTERNAL_TOKENS, '\0', POPT_ARG_NONE, N_("Disable loading of external LUKS2 token plugins"), NULL, CRYPT_ARG_BOOL, {}, {}) + ARG(OPT_DISABLE_KEYRING, '\0', POPT_ARG_NONE, N_("Disable loading volume keys via kernel keyring"), NULL, CRYPT_ARG_BOOL, {}, {}) ARG(OPT_DISABLE_LOCKS, '\0', POPT_ARG_NONE, N_("Disable locking of on-disk metadata"), NULL, CRYPT_ARG_BOOL, {}, {}) diff --git a/src/utils_arg_names.h b/src/utils_arg_names.h index 6f142eae..53be52d3 100644 --- a/src/utils_arg_names.h +++ b/src/utils_arg_names.h @@ -41,6 +41,7 @@ #define OPT_DEFERRED "deferred" #define OPT_DEVICE_SIZE "device-size" #define OPT_DECRYPT "decrypt" +#define OPT_DISABLE_EXTERNAL_TOKENS "disable-external-tokens" #define OPT_DISABLE_KEYRING "disable-keyring" #define OPT_DISABLE_LOCKS "disable-locks" #define OPT_DUMP_JSON "dump-json-metadata" diff --git a/tests/ssh-plugin-test b/tests/ssh-plugin-test index c01f9310..9cad9762 100755 --- a/tests/ssh-plugin-test +++ b/tests/ssh-plugin-test @@ -138,6 +138,7 @@ ssh_check create_user ssh_setup +$CRYPTSETUP luksOpen --token-only --disable-external-tokens -r $LOOPDEV $MAP && fail "Tokens should be disabled" $CRYPTSETUP luksOpen -r $LOOPDEV $MAP -q >/dev/null 2>&1 <&- [ $? -ne 0 ] && fail "Failed to open $LOOPDEV using SSH token" echo "[OK]"
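Review bot: The negative check added to tests/ssh-plugin-test passes on any non-zero exit, so it would also pass if `--disable-external-tokens` were rejected as an unknown option or if the open failed for an unrelated reason. Unlike the positive check on the following line, it also leaves stdin open and does not silence output. I would align it with that line, `$CRYPTSETUP luksOpen --token-only --disable-external-tokens -r $LOOPDEV $MAP -q >/dev/null 2>&1 <&- && fail "Tokens should be disabled"`. Ideally it would also compare `$?` with the exit status cryptsetup reports when no usable token is found, rather than accepting any failure.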