Fix token assignement API.

There was a bug in both crypt_token_assign_keyslot and
crypt_token_unsassign_keyslot where CRYPT_ANY_TOKEN
special value could be passed in token parameter.

It would correctly assign/unassign all tokens to/from
the specified keyslot (or from any in case of CRYPT_ANY_SLOT),
but it returned -1 (CRYPT_ANY_TOKEN) which fited error return
values as per API documentation.

We fixed that by not supporting CRYPT_ANY_TOKEN since it does
not make much sense. It can be workarounded by iterating over
all available tokens and calling crypt_token_assign_keyslot or
crypt_token_unassign_keyslot accodingly.

Fixes: #914.

lib/libcryptsetup.h

@@ -2601,11 +2601,11 @@ int crypt_token_luks2_keyring_get(struct crypt_device *cd,
  * (There can be more keyslots assigned to one token id.)
  *
  * @param cd crypt device handle
- * @param token token id
+ * @param token specific token id
  * @param keyslot keyslot to be assigned to token (CRYPT_ANY SLOT
  * 	  assigns all active keyslots to token)
  *
- * @return allocated token id or negative errno otherwise.
+ * @return requested token id to be assigned or negative errno otherwise.
  */
 int crypt_token_assign_keyslot(struct crypt_device *cd,
 	int token,
@@ -2616,11 +2616,11 @@ int crypt_token_assign_keyslot(struct crypt_device *cd,
  * (There can be more keyslots assigned to one token id.)
  *
  * @param cd crypt device handle
- * @param token token id
+ * @param token specific token id
  * @param keyslot keyslot to be unassigned from token (CRYPT_ANY SLOT
  * 	  unassigns all active keyslots from token)
  *
- * @return allocated token id or negative errno otherwise.
+ * @return requested token id to be unassigned or negative errno otherwise.
  */
 int crypt_token_unassign_keyslot(struct crypt_device *cd,
 	int token,

lib/setup.c

@@ -6882,6 +6882,9 @@ int crypt_token_assign_keyslot(struct crypt_device *cd, int token, int keyslot)
 	if ((r = onlyLUKS2(cd)))
 		return r;
 
+	if (token == CRYPT_ANY_TOKEN)
+		return -EINVAL;
+
 	return LUKS2_token_assign(cd, &cd->u.luks2.hdr, keyslot, token, 1, 1);
 }
 
@@ -6892,6 +6895,9 @@ int crypt_token_unassign_keyslot(struct crypt_device *cd, int token, int keyslot
 	if ((r = onlyLUKS2(cd)))
 		return r;
 
+	if (token == CRYPT_ANY_TOKEN)
+		return -EINVAL;
+
 	return LUKS2_token_assign(cd, &cd->u.luks2.hdr, keyslot, token, 0, 1);
 }
 

tests/api-test-2.c

@@ -2149,8 +2149,12 @@ static void Tokens(void)
 	EQ_(crypt_token_json_get(cd, 2, &dummy), 2);
 
 	// exercise assign/unassign keyslots API
+	FAIL_(crypt_token_unassign_keyslot(cd, CRYPT_ANY_TOKEN, 1), "Token id must be specific.");
+	OK_(crypt_token_is_assigned(cd, 2, 1));
 	EQ_(crypt_token_unassign_keyslot(cd, 2, 1), 2);
 	FAIL_(crypt_activate_by_token(cd, CDEVICE_1, 2, passptr1, 0), "Token assigned to no keyslot");
+	FAIL_(crypt_token_assign_keyslot(cd, CRYPT_ANY_TOKEN, 0), "Token id must be specific.");
+	FAIL_(crypt_token_is_assigned(cd, 2, 0), "Token 2 must not be assigned to keyslot 0.");
 	EQ_(crypt_token_assign_keyslot(cd, 2, 0), 2);
 	FAIL_(crypt_activate_by_token(cd, CDEVICE_1, 2, passptr1, 0), "Wrong passphrase");
 	EQ_(crypt_activate_by_token(cd, CDEVICE_1, 2, passptr, 0), 0);