2 * LUKS - Linux Unified Key Setup v2, token handling
4 * Copyright (C) 2016-2020 Red Hat, Inc. All rights reserved.
5 * Copyright (C) 2016-2020 Milan Broz
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 2
10 * of the License, or (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 #include "luks2_internal.h"
27 extern const crypt_token_handler keyring_handler;
29 static token_handler token_handlers[LUKS2_TOKENS_MAX] = {
30 /* keyring builtin token */
32 .get = token_keyring_get,
33 .set = token_keyring_set,
38 static int is_builtin_candidate(const char *type)
40 return !strncmp(type, LUKS2_BUILTIN_TOKEN_PREFIX, LUKS2_BUILTIN_TOKEN_PREFIX_LEN);
43 int crypt_token_register(const crypt_token_handler *handler)
47 if (is_builtin_candidate(handler->name)) {
48 log_dbg(NULL, "'" LUKS2_BUILTIN_TOKEN_PREFIX "' is reserved prefix for builtin tokens.");
52 for (i = 0; i < LUKS2_TOKENS_MAX && token_handlers[i].h; i++) {
53 if (!strcmp(token_handlers[i].h->name, handler->name)) {
54 log_dbg(NULL, "Keyslot handler %s is already registered.", handler->name);
59 if (i == LUKS2_TOKENS_MAX)
62 token_handlers[i].h = handler;
66 static const token_handler
67 *LUKS2_token_handler_type_internal(struct crypt_device *cd, const char *type)
71 for (i = 0; i < LUKS2_TOKENS_MAX && token_handlers[i].h; i++)
72 if (!strcmp(token_handlers[i].h->name, type))
73 return token_handlers + i;
78 static const crypt_token_handler
79 *LUKS2_token_handler_type(struct crypt_device *cd, const char *type)
81 const token_handler *th = LUKS2_token_handler_type_internal(cd, type);
83 return th ? th->h : NULL;
86 static const token_handler
87 *LUKS2_token_handler_internal(struct crypt_device *cd, int token)
89 struct luks2_hdr *hdr;
90 json_object *jobj1, *jobj2;
95 if (!(hdr = crypt_get_hdr(cd, CRYPT_LUKS2)))
98 if (!(jobj1 = LUKS2_get_token_jobj(hdr, token)))
101 if (!json_object_object_get_ex(jobj1, "type", &jobj2))
104 return LUKS2_token_handler_type_internal(cd, json_object_get_string(jobj2));
107 static const crypt_token_handler
108 *LUKS2_token_handler(struct crypt_device *cd, int token)
110 const token_handler *th = LUKS2_token_handler_internal(cd, token);
112 return th ? th->h : NULL;
115 static int LUKS2_token_find_free(struct luks2_hdr *hdr)
119 for (i = 0; i < LUKS2_TOKENS_MAX; i++)
120 if (!LUKS2_get_token_jobj(hdr, i))
126 int LUKS2_token_create(struct crypt_device *cd,
127 struct luks2_hdr *hdr,
132 const crypt_token_handler *h;
133 const token_handler *th;
134 json_object *jobj_tokens, *jobj_type, *jobj;
135 enum json_tokener_error jerr;
138 if (token == CRYPT_ANY_TOKEN) {
141 token = LUKS2_token_find_free(hdr);
144 if (token < 0 || token >= LUKS2_TOKENS_MAX)
147 if (!json_object_object_get_ex(hdr->jobj, "tokens", &jobj_tokens))
150 snprintf(num, sizeof(num), "%d", token);
154 json_object_object_del(jobj_tokens, num);
157 jobj = json_tokener_parse_verbose(json, &jerr);
159 log_dbg(cd, "Token JSON parse failed.");
163 if (LUKS2_token_validate(cd, hdr->jobj, jobj, num)) {
164 json_object_put(jobj);
168 json_object_object_get_ex(jobj, "type", &jobj_type);
169 if (is_builtin_candidate(json_object_get_string(jobj_type))) {
170 th = LUKS2_token_handler_type_internal(cd, json_object_get_string(jobj_type));
171 if (!th || !th->set) {
172 log_dbg(cd, "%s is builtin token candidate with missing handler", json_object_get_string(jobj_type));
173 json_object_put(jobj);
178 h = LUKS2_token_handler_type(cd, json_object_get_string(jobj_type));
180 if (h && h->validate && h->validate(cd, json)) {
181 json_object_put(jobj);
182 log_dbg(cd, "Token type %s validation failed.", h->name);
186 json_object_object_add(jobj_tokens, num, jobj);
187 if (LUKS2_check_json_size(cd, hdr)) {
188 log_dbg(cd, "Not enough space in header json area for new token.");
189 json_object_object_del(jobj_tokens, num);
195 return LUKS2_hdr_write(cd, hdr) ?: token;
200 crypt_token_info LUKS2_token_status(struct crypt_device *cd,
201 struct luks2_hdr *hdr,
206 const token_handler *th;
207 json_object *jobj_type, *jobj_token;
209 if (token < 0 || token >= LUKS2_TOKENS_MAX)
210 return CRYPT_TOKEN_INVALID;
212 if (!(jobj_token = LUKS2_get_token_jobj(hdr, token)))
213 return CRYPT_TOKEN_INACTIVE;
215 json_object_object_get_ex(jobj_token, "type", &jobj_type);
216 tmp = json_object_get_string(jobj_type);
218 if ((th = LUKS2_token_handler_type_internal(cd, tmp))) {
221 return th->set ? CRYPT_TOKEN_INTERNAL : CRYPT_TOKEN_EXTERNAL;
227 return is_builtin_candidate(tmp) ? CRYPT_TOKEN_INTERNAL_UNKNOWN : CRYPT_TOKEN_EXTERNAL_UNKNOWN;
230 int LUKS2_builtin_token_get(struct crypt_device *cd,
231 struct luks2_hdr *hdr,
236 const token_handler *th = LUKS2_token_handler_type_internal(cd, type);
239 assert(th && th->get);
241 return th->get(LUKS2_get_token_jobj(hdr, token), params) ?: token;
244 int LUKS2_builtin_token_create(struct crypt_device *cd,
245 struct luks2_hdr *hdr,
251 const token_handler *th;
253 json_object *jobj_token, *jobj_tokens;
255 th = LUKS2_token_handler_type_internal(cd, type);
257 // at this point all builtin handlers must exist and have validate fn defined
258 assert(th && th->set && th->h->validate);
260 if (token == CRYPT_ANY_TOKEN) {
261 if ((token = LUKS2_token_find_free(hdr)) < 0)
262 log_err(cd, _("No free token slot."));
264 if (token < 0 || token >= LUKS2_TOKENS_MAX)
267 r = th->set(&jobj_token, params);
269 log_err(cd, _("Failed to create builtin token %s."), type);
273 // builtin tokens must produce valid json
274 r = LUKS2_token_validate(cd, hdr->jobj, jobj_token, "new");
276 r = th->h->validate(cd, json_object_to_json_string_ext(jobj_token,
277 JSON_C_TO_STRING_PLAIN | JSON_C_TO_STRING_NOSLASHESCAPE));
280 json_object_object_get_ex(hdr->jobj, "tokens", &jobj_tokens);
281 json_object_object_add_by_uint(jobj_tokens, token, jobj_token);
282 if (LUKS2_check_json_size(cd, hdr)) {
283 log_dbg(cd, "Not enough space in header json area for new %s token.", type);
284 json_object_object_del_by_uint(jobj_tokens, token);
289 return LUKS2_hdr_write(cd, hdr) ?: token;
294 static int LUKS2_token_open(struct crypt_device *cd,
295 struct luks2_hdr *hdr,
302 const crypt_token_handler *h;
305 if (!(h = LUKS2_token_handler(cd, token)))
309 if (LUKS2_token_json_get(cd, hdr, token, &json))
312 if (h->validate(cd, json)) {
313 log_dbg(cd, "Token %d (%s) validation failed.", token, h->name);
318 r = h->open(cd, token, buffer, buffer_len, usrptr);
320 log_dbg(cd, "Token %d (%s) open failed with %d.", token, h->name, r);
325 static void LUKS2_token_buffer_free(struct crypt_device *cd,
330 const crypt_token_handler *h = LUKS2_token_handler(cd, token);
333 h->buffer_free(buffer, buffer_len);
335 crypt_safe_memzero(buffer, buffer_len);
340 static int LUKS2_keyslot_open_by_token(struct crypt_device *cd,
341 struct luks2_hdr *hdr,
346 struct volume_key **vk)
348 const crypt_token_handler *h;
349 json_object *jobj_token, *jobj_token_keyslots, *jobj;
350 unsigned int num = 0;
353 if (!(h = LUKS2_token_handler(cd, token)))
356 jobj_token = LUKS2_get_token_jobj(hdr, token);
360 json_object_object_get_ex(jobj_token, "keyslots", &jobj_token_keyslots);
361 if (!jobj_token_keyslots)
364 /* Try to open keyslot referenced in token */
366 for (i = 0; i < (int) json_object_array_length(jobj_token_keyslots) && r < 0; i++) {
367 jobj = json_object_array_get_idx(jobj_token_keyslots, i);
368 num = atoi(json_object_get_string(jobj));
369 log_dbg(cd, "Trying to open keyslot %u with token %d (type %s).", num, token, h->name);
370 r = LUKS2_keyslot_open(cd, num, segment, buffer, buffer_len, vk);
379 int LUKS2_token_open_and_activate(struct crypt_device *cd,
380 struct luks2_hdr *hdr,
389 struct volume_key *vk = NULL;
391 r = LUKS2_token_open(cd, hdr, token, &buffer, &buffer_len, usrptr);
395 r = LUKS2_keyslot_open_by_token(cd, hdr, token,
396 (flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY) ?
397 CRYPT_ANY_SEGMENT : CRYPT_DEFAULT_SEGMENT,
398 buffer, buffer_len, &vk);
400 LUKS2_token_buffer_free(cd, token, buffer, buffer_len);
407 if ((name || (flags & CRYPT_ACTIVATE_KEYRING_KEY)) && crypt_use_keyring_for_vk(cd)) {
408 if (!(r = LUKS2_volume_key_load_in_keyring_by_keyslot(cd, hdr, vk, keyslot)))
409 flags |= CRYPT_ACTIVATE_KEYRING_KEY;
413 r = LUKS2_activate(cd, name, vk, flags);
416 crypt_drop_keyring_key(cd, vk);
417 crypt_free_volume_key(vk);
419 return r < 0 ? r : keyslot;
422 int LUKS2_token_open_and_activate_any(struct crypt_device *cd,
423 struct luks2_hdr *hdr,
428 json_object *tokens_jobj;
430 int keyslot, token, r = -EINVAL;
431 struct volume_key *vk = NULL;
433 json_object_object_get_ex(hdr->jobj, "tokens", &tokens_jobj);
435 json_object_object_foreach(tokens_jobj, slot, val) {
439 r = LUKS2_token_open(cd, hdr, token, &buffer, &buffer_len, NULL);
443 r = LUKS2_keyslot_open_by_token(cd, hdr, token,
444 (flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY) ?
445 CRYPT_ANY_SEGMENT : CRYPT_DEFAULT_SEGMENT,
446 buffer, buffer_len, &vk);
447 LUKS2_token_buffer_free(cd, token, buffer, buffer_len);
454 if (r >= 0 && (name || (flags & CRYPT_ACTIVATE_KEYRING_KEY)) && crypt_use_keyring_for_vk(cd)) {
455 if (!(r = LUKS2_volume_key_load_in_keyring_by_keyslot(cd, hdr, vk, keyslot)))
456 flags |= CRYPT_ACTIVATE_KEYRING_KEY;
460 r = LUKS2_activate(cd, name, vk, flags);
463 crypt_drop_keyring_key(cd, vk);
464 crypt_free_volume_key(vk);
466 return r < 0 ? r : keyslot;
469 void LUKS2_token_dump(struct crypt_device *cd, int token)
471 const crypt_token_handler *h;
472 json_object *jobj_token;
474 h = LUKS2_token_handler(cd, token);
476 jobj_token = LUKS2_get_token_jobj(crypt_get_hdr(cd, CRYPT_LUKS2), token);
478 h->dump(cd, json_object_to_json_string_ext(jobj_token,
479 JSON_C_TO_STRING_PLAIN | JSON_C_TO_STRING_NOSLASHESCAPE));
483 int LUKS2_token_json_get(struct crypt_device *cd, struct luks2_hdr *hdr,
484 int token, const char **json)
486 json_object *jobj_token;
488 jobj_token = LUKS2_get_token_jobj(hdr, token);
492 *json = json_object_to_json_string_ext(jobj_token,
493 JSON_C_TO_STRING_PLAIN | JSON_C_TO_STRING_NOSLASHESCAPE);
497 static int assign_one_keyslot(struct crypt_device *cd, struct luks2_hdr *hdr,
498 int token, int keyslot, int assign)
500 json_object *jobj1, *jobj_token, *jobj_token_keyslots;
503 log_dbg(cd, "Keyslot %i %s token %i.", keyslot, assign ? "assigned to" : "unassigned from", token);
505 jobj_token = LUKS2_get_token_jobj(hdr, token);
509 json_object_object_get_ex(jobj_token, "keyslots", &jobj_token_keyslots);
510 if (!jobj_token_keyslots)
513 snprintf(num, sizeof(num), "%d", keyslot);
515 jobj1 = LUKS2_array_jobj(jobj_token_keyslots, num);
517 json_object_array_add(jobj_token_keyslots, json_object_new_string(num));
519 jobj1 = LUKS2_array_remove(jobj_token_keyslots, num);
521 json_object_object_add(jobj_token, "keyslots", jobj1);
527 static int assign_one_token(struct crypt_device *cd, struct luks2_hdr *hdr,
528 int keyslot, int token, int assign)
530 json_object *jobj_keyslots;
533 if (!LUKS2_get_token_jobj(hdr, token))
536 if (keyslot == CRYPT_ANY_SLOT) {
537 json_object_object_get_ex(hdr->jobj, "keyslots", &jobj_keyslots);
539 json_object_object_foreach(jobj_keyslots, key, val) {
541 r = assign_one_keyslot(cd, hdr, token, atoi(key), assign);
546 r = assign_one_keyslot(cd, hdr, token, keyslot, assign);
551 int LUKS2_token_assign(struct crypt_device *cd, struct luks2_hdr *hdr,
552 int keyslot, int token, int assign, int commit)
554 json_object *jobj_tokens;
557 if (token == CRYPT_ANY_TOKEN) {
558 json_object_object_get_ex(hdr->jobj, "tokens", &jobj_tokens);
560 json_object_object_foreach(jobj_tokens, key, val) {
562 r = assign_one_token(cd, hdr, keyslot, atoi(key), assign);
567 r = assign_one_token(cd, hdr, keyslot, token, assign);
572 // FIXME: do not write header in nothing changed
574 return LUKS2_hdr_write(cd, hdr) ?: token;
579 int LUKS2_token_is_assigned(struct crypt_device *cd, struct luks2_hdr *hdr,
580 int keyslot, int token)
583 json_object *jobj_token, *jobj_token_keyslots, *jobj;
585 if (keyslot < 0 || keyslot >= LUKS2_KEYSLOTS_MAX || token < 0 || token >= LUKS2_TOKENS_MAX)
588 jobj_token = LUKS2_get_token_jobj(hdr, token);
592 json_object_object_get_ex(jobj_token, "keyslots", &jobj_token_keyslots);
594 for (i = 0; i < (int) json_object_array_length(jobj_token_keyslots); i++) {
595 jobj = json_object_array_get_idx(jobj_token_keyslots, i);
596 if (keyslot == atoi(json_object_get_string(jobj)))
603 int LUKS2_tokens_count(struct luks2_hdr *hdr)
605 json_object *jobj_tokens = LUKS2_get_tokens_jobj(hdr);
609 return json_object_object_length(jobj_tokens);