authorOndrej Kozina <okozina@redhat.com>2023-11-10 11:59:07 +0100
committerOndrej Kozina <okozina@redhat.com>2023-11-16 17:49:09 +0100
commit836e5e453903b88c04e8b98b573e761bcf75b09c (patch)
tree8159fe7d77e32461fa7e3237679611848c6a5823
parent0328d61f29ba9559949af2905be75bbd61f18c7d (diff)
downloadcryptsetup-836e5e453903b88c04e8b98b573e761bcf75b09c.tar.gz
Add --external-tokens-path parameter in cryptsetup.
-rw-r--r--man/common_options.adoc6
-rw-r--r--man/cryptsetup-luksAddKey.8.adoc2
-rw-r--r--man/cryptsetup-luksDump.8.adoc2
-rw-r--r--man/cryptsetup-luksResume.8.adoc3
-rw-r--r--man/cryptsetup-open.8.adoc3
-rw-r--r--man/cryptsetup-resize.8.adoc2
-rw-r--r--man/cryptsetup-token.8.adoc2
-rw-r--r--src/cryptsetup.c64
-rw-r--r--src/cryptsetup_arg_list.h2
-rw-r--r--src/cryptsetup_args.h1
-rw-r--r--src/utils_arg_names.h1
11 files changed, 82 insertions, 6 deletions
diff --git a/man/common_options.adoc b/man/common_options.adoc
index 25a8dd6c..bc6fb57f 100644
--- a/man/common_options.adoc
+++ b/man/common_options.adoc
@@ -1234,6 +1234,12 @@ Enlarge data offset to specified value by shrinking device size.
You cannot shrink device more than by 64 MiB (131072 sectors).
endif::[]
+ifdef::ACTION_RESIZE,ACTION_OPEN,ACTION_LUKSADDKEY,ACTION_LUKSDUMP,ACTION_LUKSRESUME,ACTION_TOKEN[]
+*--external-tokens-path* _absolute_path_::
+Override system directory path where cryptsetup searches for external token
+handlers (or token plugins). It must be absolute path (starting with '/' character).
+endif::[]
+
ifdef::COMMON_OPTIONS[]
*--batch-mode, -q*::
Suppresses all confirmation questions. Use with care!
diff --git a/man/cryptsetup-luksAddKey.8.adoc b/man/cryptsetup-luksAddKey.8.adoc
index 82884922..306ef643 100644
--- a/man/cryptsetup-luksAddKey.8.adoc
+++ b/man/cryptsetup-luksAddKey.8.adoc
@@ -38,7 +38,7 @@ algorithm is always the same for all keyslots.
--hash, --header, --disable-locks, --iter-time, --pbkdf,
--pbkdf-force-iterations, --pbkdf-memory, --pbkdf-parallel, --unbound, --type,
--keyslot-cipher, --keyslot-key-size, --key-size, --timeout, --token-id,
---token-type, --token-only, --new-token-id, --verify-passphrase].
+--token-type, --token-only, --new-token-id, --verify-passphrase, --external-tokens-path].
include::man/common_options.adoc[]
diff --git a/man/cryptsetup-luksDump.8.adoc b/man/cryptsetup-luksDump.8.adoc
index f9f3910e..b1b3907b 100644
--- a/man/cryptsetup-luksDump.8.adoc
+++ b/man/cryptsetup-luksDump.8.adoc
@@ -40,7 +40,7 @@ use --dump-json-metadata option.
*<options>* can be [--dump-volume-key, --dump-json-metadata, --key-file,
--keyfile-offset, --keyfile-size, --header, --disable-locks,
---volume-key-file, --type, --unbound, --key-slot, --timeout].
+--volume-key-file, --type, --unbound, --key-slot, --timeout, --external-tokens-path].
*WARNING:* If --dump-volume-key is used with --key-file and the argument
to --key-file is '-', no validation question will be asked and no
diff --git a/man/cryptsetup-luksResume.8.adoc b/man/cryptsetup-luksResume.8.adoc
index 98285dba..ba9f690e 100644
--- a/man/cryptsetup-luksResume.8.adoc
+++ b/man/cryptsetup-luksResume.8.adoc
@@ -23,7 +23,8 @@ interactively for a passphrase if no token is usable (LUKS2 only) or
*<options>* can be [--key-file, --keyfile-size, --keyfile-offset,
--key-slot, --header, --disable-keyring, --disable-locks, --token-id,
--token-only, --token-type, --disable-external-tokens, --type, --tries,
---timeout, --verify-passphrase, --volume-key-keyring, --link-vk-to-keyring].
+--timeout, --verify-passphrase, --volume-key-keyring, --link-vk-to-keyring,
+--external-tokens-path].
include::man/common_options.adoc[]
include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-open.8.adoc b/man/cryptsetup-open.8.adoc
index b3e6741b..73a5dc56 100644
--- a/man/cryptsetup-open.8.adoc
+++ b/man/cryptsetup-open.8.adoc
@@ -78,7 +78,8 @@ matching PIN protected token.
--volume-key-file, --token-id, --token-only, --token-type,
--disable-external-tokens, --disable-keyring, --disable-locks, --type,
--refresh, --serialize-memory-hard-pbkdf, --unbound, --tries, --timeout,
---verify-passphrase, --persistent, --volume-key-keyring, --link-vk-to-keyring].
+--verify-passphrase, --persistent, --volume-key-keyring, --link-vk-to-keyring,
+--external-tokens-path].
=== loopAES
*open --type loopaes <device> <name> --key-file <keyfile>* +
diff --git a/man/cryptsetup-resize.8.adoc b/man/cryptsetup-resize.8.adoc
index 4cff4826..b9a55022 100644
--- a/man/cryptsetup-resize.8.adoc
+++ b/man/cryptsetup-resize.8.adoc
@@ -36,7 +36,7 @@ keyring is used by default for LUKS2 devices.
*<options>* can be [--size, --device-size, --token-id, --token-only,
--token-type, --key-slot, --key-file, --keyfile-size, --keyfile-offset,
--timeout, --disable-external-tokens, --disable-locks, --disable-keyring,
---verify-passphrase, --timeout].
+--verify-passphrase, --timeout, --external-tokens-path].
include::man/common_options.adoc[]
include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-token.8.adoc b/man/cryptsetup-token.8.adoc
index 7a3a0694..5fa6af8b 100644
--- a/man/cryptsetup-token.8.adoc
+++ b/man/cryptsetup-token.8.adoc
@@ -49,7 +49,7 @@ replace the existing token.
*<options>* can be [--header, --token-id, --key-slot, --key-description,
--disable-external-tokens, --disable-locks, --disable-keyring,
---json-file, --token-replace, --unbound].
+--json-file, --token-replace, --unbound, --external-tokens-path].
include::man/common_options.adoc[]
include::man/common_footer.adoc[]
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 44003eba..3624c569 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -878,6 +878,15 @@ static int action_resize(void)
else if (ARG_SET(OPT_SIZE_ID))
dev_size = ARG_UINT64(OPT_SIZE_ID);
+ if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
+ r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ if (r < 0) {
+ log_err(_("Failed to set external tokens path %s."),
+ ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ goto out;
+ }
+ }
+
if (cad.flags & CRYPT_ACTIVATE_KEYRING_KEY) {
if (ARG_SET(OPT_DISABLE_KEYRING_ID)) {
r = -EINVAL;
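Review bot: The nine-line block added here — ARG_SET check, crypt_token_set_external_path() call, log_err, bail-out — is pasted verbatim into action_resize and then again into action_open_luks, luksAddUnboundKey, action_luksAddKey, action_luksDump, action_luksResume and action_token; one static helper returning the library's error code would leave each call site as `r = _set_external_tokens_path(); if (r < 0) goto out;` (action_token, which has no `out` label in view, keeps its `crypt_free(cd); return r;`). Because the option redirects where token handler plugins are loaded from, that helper is also the natural single place for the "must be absolute path" rule the man page states: nothing in these hunks checks it, and whether crypt_token_set_external_path() itself rejects a relative path is not visible here. All seven enclosing functions begin and end outside their hunks.
```c
/* Apply --external-tokens-path once, before any token handler can be loaded.
 * Returns 0 when the option is unset or accepted, the library's negative
 * error code otherwise (already logged). */
static int _set_external_tokens_path(void)
{
	int r;

	if (!ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID))
		return 0;

	r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
	if (r < 0)
		log_err(_("Failed to set external tokens path %s."),
			ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));

	return r;
}

/* … unchanged: action_resize() up to the dev_size selection … */
	r = _set_external_tokens_path();
	if (r < 0)
		goto out;
/* … unchanged: CRYPT_ACTIVATE_KEYRING_KEY handling … */
```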
@@ -1809,6 +1818,15 @@ static int action_open_luks(void)
set_activation_flags(&activate_flags);
+ if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
+ r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ if (r < 0) {
+ log_err(_("Failed to set external tokens path %s."),
+ ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ goto out;
+ }
+ }
+
if (ARG_SET(OPT_LINK_VK_TO_KEYRING_ID)) {
r = parse_vk_and_keyring_description(cd, ARG_STR(OPT_LINK_VK_TO_KEYRING_ID));
if (r < 0)
@@ -2056,6 +2074,15 @@ static int luksAddUnboundKey(void)
goto out;
}
+ if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
+ r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ if (r < 0) {
+ log_err(_("Failed to set external tokens path %s."),
+ ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ goto out;
+ }
+ }
+
r = _set_keyslot_encryption_params(cd);
if (r < 0)
goto out;
@@ -2201,6 +2228,15 @@ static int action_luksAddKey(void)
if (r < 0)
goto out;
+ if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
+ r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ if (r < 0) {
+ log_err(_("Failed to set external tokens path %s."),
+ ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ goto out;
+ }
+ }
+
/* Never call pwquality if using null cipher */
if (crypt_is_cipher_null(crypt_get_cipher(cd)))
ARG_SET_TRUE(OPT_FORCE_PASSWORD_ID);
@@ -2639,6 +2675,15 @@ static int action_luksDump(void)
goto out;
}
+ if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
+ r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ if (r < 0) {
+ log_err(_("Failed to set external tokens path %s."),
+ ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ goto out;
+ }
+ }
+
if (ARG_SET(OPT_DUMP_VOLUME_KEY_ID))
r = luksDump_with_volume_key(cd);
else if (ARG_SET(OPT_UNBOUND_ID))
@@ -2712,6 +2757,15 @@ static int action_luksResume(void)
goto out;
}
+ if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
+ r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ if (r < 0) {
+ log_err(_("Failed to set external tokens path %s."),
+ ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ goto out;
+ }
+ }
+
/* try to resume LUKS2 device by token first */
r = _try_token_unlock(cd, ARG_INT32(OPT_KEY_SLOT_ID), ARG_INT32(OPT_TOKEN_ID_ID),
action_argv[0], ARG_STR(OPT_TOKEN_TYPE_ID), 0,
@@ -3230,6 +3284,16 @@ static int action_token(void)
return r;
}
+ if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
+ r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ if (r < 0) {
+ log_err(_("Failed to set external tokens path %s."),
+ ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ crypt_free(cd);
+ return r;
+ }
+ }
+
r = -EINVAL;
if (!strcmp(action_argv[0], "add")) {
diff --git a/src/cryptsetup_arg_list.h b/src/cryptsetup_arg_list.h
index 00a7563a..b5e44d8b 100644
--- a/src/cryptsetup_arg_list.h
+++ b/src/cryptsetup_arg_list.h
@@ -59,6 +59,8 @@ ARG(OPT_DUMP_VOLUME_KEY, '\0', POPT_ARG_NONE, N_("Dump volume key instead of key
ARG(OPT_ENCRYPT, '\0', POPT_ARG_NONE, N_("Encrypt LUKS2 device (in-place encryption)"), NULL, CRYPT_ARG_BOOL, {}, {})
+ARG(OPT_EXTERNAL_TOKENS_PATH, '\0', POPT_ARG_STRING, N_("Path to directory with external token handlers (plugins)."), NULL, CRYPT_ARG_STRING, {}, OPT_EXTERNAL_TOKENS_PATH_ACTIONS)
+
ARG(OPT_FORCE_PASSWORD, '\0', POPT_ARG_NONE, N_("Disable password quality check (if enabled)"), NULL, CRYPT_ARG_BOOL, {}, {})
ARG(OPT_FORCE_OFFLINE_REENCRYPT, '\0', POPT_ARG_NONE, N_("Force offline LUKS2 reencryption and bypass active device detection"), NULL, CRYPT_ARG_BOOL, {}, OPT_FORCE_OFFLINE_REENCRYPT_ACTIONS)
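Review bot: The new ARG() help string ends with a period, unlike the neighbouring entries ("Encrypt LUKS2 device (in-place encryption)", "Disable password quality check (if enabled)"), and the blank line added after it breaks the one-entry-per-line layout the surrounding list keeps. The `--help` text could also carry the constraint the man page documents, e.g. `N_("Absolute path to directory with external token handlers (plugins)")`, so a user sees the requirement without opening the manual.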
diff --git a/src/cryptsetup_args.h b/src/cryptsetup_args.h
index 7aaa025d..d9b8edd5 100644
--- a/src/cryptsetup_args.h
+++ b/src/cryptsetup_args.h
@@ -61,6 +61,7 @@
#define OPT_DISABLE_BLKID_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION }
#define OPT_DISABLE_VERACRYPT_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION }
#define OPT_ERASE_ACTIONS { ERASE_ACTION }
+#define OPT_EXTERNAL_TOKENS_PATH_ACTIONS { RESIZE_ACTION, OPEN_ACTION, ADDKEY_ACTION, LUKSDUMP_ACTION, RESUME_ACTION, TOKEN_ACTION }
#define OPT_FORCE_OFFLINE_REENCRYPT_ACTIONS { REENCRYPT_ACTION }
#define OPT_HOTZONE_SIZE_ACTIONS { REENCRYPT_ACTION }
#define OPT_HW_OPAL_ACTIONS { FORMAT_ACTION }
diff --git a/src/utils_arg_names.h b/src/utils_arg_names.h
index bbac47ee..56d8affd 100644
--- a/src/utils_arg_names.h
+++ b/src/utils_arg_names.h
@@ -50,6 +50,7 @@
#define OPT_DUMP_MASTER_KEY "dump-master-key"
#define OPT_DUMP_VOLUME_KEY "dump-volume-key"
#define OPT_ENCRYPT "encrypt"
+#define OPT_EXTERNAL_TOKENS_PATH "external-tokens-path"
#define OPT_FEC_DEVICE "fec-device"
#define OPT_FEC_OFFSET "fec-offset"
#define OPT_FEC_ROOTS "fec-roots"