Add initial LUKS key management support

CMakeLists.txt

@@ -60,9 +60,9 @@ add_custom_target(install-apidox
   WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}/cmake/")
 
 
-##### user requested options ####################
+##### user requested OPTIONs ####################
 
-OPTION( WITH_ALL_OPTIONS "Enable all optional support" OFF )
+OPTION( WITH_ALL_OPTIONS "Enable all OPTIONal support" OFF )
 
 OPTION( TDE_MALLOC "Use own malloc implementation" OFF )
 OPTION( TDE_MALLOC_DEBUG "Enable debugging in fast malloc" OFF )
@@ -85,19 +85,21 @@ OPTION( WITH_PCRE "Enable pcre regex support for kjs" ON )
 OPTION( WITH_GCC_VISIBILITY "Enable fvisibility and fvisibility-inlines-hidden" ${WITH_ALL_OPTIONS} )
 OPTION( WITH_INOTIFY "Enable inotify support for tdeio" ON )
 OPTION( WITH_GAMIN "Enable FAM/GAMIN support" ${WITH_ALL_OPTIONS} )
-option( WITH_TDEHWLIB "Enable TDE hwlib globally" ON )
+OPTION( WITH_TDEHWLIB "Enable TDE hwlib globally" ON )
-option( WITH_TDEHWLIB_DAEMONS "Enable daemons for TDE hwlib" ${WITH_TDEHWLIB} )
+OPTION( WITH_TDEHWLIB_DAEMONS "Enable daemons for TDE hwlib" ${WITH_TDEHWLIB} )
-option( WITH_HAL "Enable HAL support" OFF )
+OPTION( WITH_HAL "Enable HAL support" OFF )
-option( WITH_DEVKITPOWER "Enable DeviceKit Power support" OFF )
+OPTION( WITH_DEVKITPOWER "Enable DeviceKit Power support" OFF )
-option( WITH_LOGINDPOWER "Enable Logind/Systemd Power support" OFF )
+OPTION( WITH_LOGINDPOWER "Enable Logind/Systemd Power support" OFF )
-option( WITH_UPOWER "Enable uPower support" ${WITH_ALL_OPTIONS} )
+OPTION( WITH_UPOWER "Enable uPower support" ${WITH_ALL_OPTIONS} )
-option( WITH_UDISKS "Enable uDisks support" ${WITH_ALL_OPTIONS} )
+OPTION( WITH_UDISKS "Enable uDisks support" ${WITH_ALL_OPTIONS} )
-option( WITH_UDISKS2 "Enable uDisks2 support" ${WITH_ALL_OPTIONS} )
+OPTION( WITH_UDISKS2 "Enable uDisks2 support" ${WITH_ALL_OPTIONS} )
-option( WITH_CONSOLEKIT "Enable ConsoleKit support" ${WITH_ALL_OPTIONS} )
+OPTION( WITH_CONSOLEKIT "Enable ConsoleKit support" ${WITH_ALL_OPTIONS} )
 OPTION( WITH_NETWORK_MANAGER_BACKEND "Enable network-manager support" OFF )
 OPTION( WITH_SUDO_TDESU_BACKEND "Use sudo as backend for tdesu (default is su)" OFF )
 OPTION( WITH_OLD_XDG_STD "Use the pre R14.0.0 XDG standard where both TDE and KDE are recognized in desktop files" OFF )
-option( WITH_PCSC "Enable PC/SC SmartCard support" ${WITH_ALL_OPTIONS} )
+OPTION( WITH_PCSC "Enable PC/SC SmartCard support" ${WITH_ALL_OPTIONS} )
+OPTION( WITH_PKCS "Enable PKCS support" ${WITH_ALL_OPTIONS} )
+OPTION( WITH_CRYPTSETUP "Enable cryptsetup support" ${WITH_ALL_OPTIONS} )
 OPTION( WITH_LZMA "Enable support for LZMA/XZ" ${WITH_ALL_OPTIONS} )
 OPTION( WITH_LIBBFD "Enable pretty backtraces with libbfd from GNU binutils" OFF )
 OPTION( WITH_XRANDR "Build the tderandr library" ON )
@@ -615,7 +617,7 @@ set( HAVE_LIBZ 1 )
 
 find_package( BZip2 )
 if( NOT BZIP2_FOUND )
-  # FIXME I'm not sure if bzip2 are required; maybe is optional?
+  # FIXME I'm not sure if bzip2 are required; maybe is OPTIONal?
   message(FATAL_ERROR "\nbzip2 are required, but not found on your system" )
 endif( NOT BZIP2_FOUND )
 
@@ -667,6 +669,36 @@ if( WITH_PCSC )
 endif( WITH_PCSC )
 
 
+##### check for pkcs ############################
+
+if( WITH_PKCS )
+  pkg_search_module( LIBPKCS11-HELPER libpkcs11-helper-1 )
+  if( NOT LIBPKCS11-HELPER_FOUND )
+      message(FATAL_ERROR "\nPKCS support was requested, but libpkcs11-helper-1 was not found on your system" )
+  endif( NOT LIBPKCS11-HELPER_FOUND )
+  find_library( OPENSC_PKCS11_PROVIDER_LIBRARY NAMES opensc-pkcs11.so )
+  if( OPENSC_PKCS11_PROVIDER_LIBRARY )
+    set( OPENSC_PKCS11_PROVIDER_FOUND 1 )
+    message( STATUS "Found OpenSC PKCS11 provider: ${OPENSC_PKCS11_PROVIDER_LIBRARY}" )
+  endif( OPENSC_PKCS11_PROVIDER_LIBRARY )
+  if( NOT OPENSC_PKCS11_PROVIDER_FOUND )
+    tde_message_fatal( "PKCS is requested, but not OpenSC PKCS11 provider was not found on your system" )
+  endif( NOT OPENSC_PKCS11_PROVIDER_FOUND )
+  set( HAVE_PKCS 1 )
+endif( )
+
+
+##### check for pkcs ############################
+
+if( WITH_CRYPTSETUP )
+  pkg_search_module( LIBCRYPTSETUP libcryptsetup )
+  if( NOT LIBCRYPTSETUP_FOUND )
+      message(FATAL_ERROR "\ncryptsetup support was requested, but libcryptsetup was not found on your system" )
+  endif( NOT LIBCRYPTSETUP_FOUND )
+  set( HAVE_CRYPTSETUP 1 )
+endif( )
+
+
 ##### check for jpeg ############################
 
 find_package( JPEG )

tdecore/tdehw/CMakeLists.txt

@@ -68,6 +68,12 @@ if( WITH_PKCS )
   list( APPEND TDEHW_CUSTOM_LIBRARIES ${LIBPKCS11-HELPER_LIBRARIES} )
 endif( )
 
+if( WITH_CRYPTSETUP )
+  add_definitions( -DWITH_CRYPTSETUP )
+  list( APPEND TDEHW_CUSTOM_INCLUDE_DIRS ${LIBCRYPTSETUP_INCLUDE_DIRS} )
+  list( APPEND TDEHW_CUSTOM_LIBRARIES ${LIBCRYPTSETUP_LIBRARIES} )
+endif( )
+
 if( WITH_NETWORK_MANAGER_BACKEND )
   list( APPEND TDEHW_CUSTOM_INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/networkbackends/network-manager )
   list( APPEND TDEHW_CUSTOM_LIBRARIES network_manager_backend-static )

tdecore/tdehw/tdestoragedevice.cpp

@@ -39,6 +39,10 @@
 
 #include "config.h"
 
+#if defined(WITH_CRYPTSETUP)
+	#include <libcryptsetup.h>
+#endif
+
 // uDisks2 integration
 #if defined(WITH_UDISKS) || defined(WITH_UDISKS2)
  	#include <tqdbusdata.h>
@@ -59,20 +63,200 @@
 	TQT_DBusData convertDBUSDataToVariantData(TQT_DBusData);
 #endif // defined(WITH_UDISKS) || defined(WITH_UDISKS2)
 
-TDEStorageDevice::TDEStorageDevice(TDEGenericDeviceType::TDEGenericDeviceType dt, TQString dn) : TDEGenericDevice(dt, dn), m_mediaInserted(true) {
+#if defined(WITH_CRYPTSETUP)
+int TDEStorageDevice::cryptsetup_password_entry_callback(const char *msg, char *buf, size_t length, void *usrptr) {
+	TDEStorageDevice* sdevice = (TDEStorageDevice*)usrptr;
+
+	unsigned int passwd_len = sdevice->m_cryptDevicePassword.size();
+	if (passwd_len < length) {
+		memcpy(buf, sdevice->m_cryptDevicePassword.data(), length);
+		return passwd_len;
+	}
+	else {
+		return -1;
+	}
+}
+#endif
+
+TDEStorageDevice::TDEStorageDevice(TDEGenericDeviceType::TDEGenericDeviceType dt, TQString dn) : TDEGenericDevice(dt, dn), m_mediaInserted(true), m_cryptDevice(NULL) {
 	m_diskType = TDEDiskDeviceType::Null;
 	m_diskStatus = TDEDiskDeviceStatus::Null;
 }
 
 TDEStorageDevice::~TDEStorageDevice() {
+#if defined(WITH_CRYPTSETUP)
+	if (m_cryptDevice) {
+		crypt_free(m_cryptDevice);
+		m_cryptDevice = NULL;
+	}
+#endif
 }
 
 TDEDiskDeviceType::TDEDiskDeviceType TDEStorageDevice::diskType() {
 	return m_diskType;
 }
 
+void TDEStorageDevice::internalGetLUKSKeySlotStatus() {
+	unsigned int i;
+	crypt_keyslot_info keyslot_status;
+	TDELUKSKeySlotStatus::TDELUKSKeySlotStatus tde_keyslot_status;
+
+	m_cryptKeyslotStatus.clear();
+	for (i = 0; i < m_cryptKeySlotCount; i++) {
+		keyslot_status = crypt_keyslot_status(m_cryptDevice, i);
+		tde_keyslot_status = TDELUKSKeySlotStatus::Invalid;
+		if (keyslot_status == CRYPT_SLOT_INACTIVE) {
+			tde_keyslot_status = TDELUKSKeySlotStatus::Inactive;
+		}
+		else if (keyslot_status == CRYPT_SLOT_ACTIVE) {
+			tde_keyslot_status = TDELUKSKeySlotStatus::Active;
+		}
+		else if (keyslot_status == CRYPT_SLOT_ACTIVE_LAST) {
+			tde_keyslot_status = TDELUKSKeySlotStatus::Active | TDELUKSKeySlotStatus::Last;
+		}
+		m_cryptKeyslotStatus.append(tde_keyslot_status);
+	}
+}
+
+void TDEStorageDevice::internalInitializeLUKSIfNeeded() {
+#if defined(WITH_CRYPTSETUP)
+	int ret;
+
+	if (m_diskType & TDEDiskDeviceType::LUKS) {
+		if (!m_cryptDevice) {
+			TQString node = deviceNode();
+			if (node != "") {
+				ret = crypt_init(&m_cryptDevice, node.ascii());
+				if (ret == 0) {
+					crypt_set_password_callback(m_cryptDevice, TDEStorageDevice::cryptsetup_password_entry_callback, this);
+					ret = crypt_load(m_cryptDevice, NULL, NULL);
+					if (ret == 0) {
+						int keyslot_count;
+						m_cryptDeviceType = crypt_get_type(m_cryptDevice);
+						keyslot_count = crypt_keyslot_max(m_cryptDeviceType.ascii());
+						if (keyslot_count < 0) {
+							m_cryptKeySlotCount = 0;
+						}
+						else {
+							m_cryptKeySlotCount = keyslot_count;
+						}
+						internalGetLUKSKeySlotStatus();
+					}
+				}
+				else {
+					m_cryptDevice = NULL;
+				}
+			}
+		}
+	}
+	else {
+		if (m_cryptDevice) {
+			crypt_free(m_cryptDevice);
+			m_cryptDevice = NULL;
+		}
+	}
+#endif
+}
+
+void TDEStorageDevice::cryptSetOperationsUnlockPassword(TQByteArray password) {
+	m_cryptDevicePassword = password;
+}
+
+void TDEStorageDevice::cryptClearOperationsUnlockPassword() {
+	m_cryptDevicePassword.resize(0);
+}
+
+bool TDEStorageDevice::cryptOperationsUnlockPasswordSet() {
+	if (m_cryptDevicePassword.size() > 0) {
+		return true;
+	}
+	else {
+		return false;
+	}
+}
+
+TDELUKSResult::TDELUKSResult TDEStorageDevice::cryptAddKey(unsigned int keyslot, TQByteArray password) {
+#if defined(WITH_CRYPTSETUP)
+	int ret;
+
+	if (m_cryptDevice) {
+		if (keyslot < m_cryptKeySlotCount) {
+			ret = crypt_keyslot_add_by_passphrase(m_cryptDevice, keyslot, m_cryptDevicePassword.data(), m_cryptDevicePassword.size(), password.data(), password.size());
+			if (ret < 0) {
+				return TDELUKSResult::KeyslotOpFailed;
+			}
+			else {
+				internalGetLUKSKeySlotStatus();
+				return TDELUKSResult::Success;
+			}
+		}
+		else {
+			return TDELUKSResult::InvalidKeyslot;
+		}
+	}
+	else {
+		return TDELUKSResult::LUKSNotFound;
+	}
+#else
+	return TDELUKSResult::LUKSNotSupported;
+#endif
+}
+
+TDELUKSResult::TDELUKSResult TDEStorageDevice::cryptDelKey(unsigned int keyslot) {
+#if defined(WITH_CRYPTSETUP)
+	int ret;
+
+	if (m_cryptDevice) {
+		if (keyslot < m_cryptKeySlotCount) {
+			ret = crypt_keyslot_destroy(m_cryptDevice, keyslot);
+			if (ret < 0) {
+				return TDELUKSResult::KeyslotOpFailed;
+			}
+			else {
+				internalGetLUKSKeySlotStatus();
+				return TDELUKSResult::Success;
+			}
+		}
+		else {
+			return TDELUKSResult::InvalidKeyslot;
+		}
+	}
+	else {
+		return TDELUKSResult::LUKSNotFound;
+	}
+#else
+	return TDELUKSResult::LUKSNotSupported;
+#endif
+}
+
+unsigned int TDEStorageDevice::cryptKeySlotCount() {
+	return m_cryptKeySlotCount;
+}
+
+TDELUKSKeySlotStatusList TDEStorageDevice::cryptKeySlotStatus() {
+	return m_cryptKeyslotStatus;
+}
+
+TQString TDEStorageDevice::cryptKeySlotFriendlyName(TDELUKSKeySlotStatus::TDELUKSKeySlotStatus status) {
+	if (status & TDELUKSKeySlotStatus::Inactive) {
+		return i18n("Inactive");
+	}
+	else if (status & TDELUKSKeySlotStatus::Active) {
+		return i18n("Active");
+	}
+	else {
+		return i18n("Unknown");
+	}
+}
+
+void TDEStorageDevice::internalSetDeviceNode(TQString sn) {
+	TDEGenericDevice::internalSetDeviceNode(sn);
+	internalInitializeLUKSIfNeeded();
+}
+
 void TDEStorageDevice::internalSetDiskType(TDEDiskDeviceType::TDEDiskDeviceType dt) {
 	m_diskType = dt;
+	internalInitializeLUKSIfNeeded();
 }
 
 bool TDEStorageDevice::isDiskOfType(TDEDiskDeviceType::TDEDiskDeviceType tf) {

tdecore/tdehw/tdestoragedevice.h

@@ -22,6 +22,8 @@
 
 #include "tdegenericdevice.h"
 
+struct crypt_device;
+
 // Keep readDiskDeviceSubtypeFromString() in tdehardwaredevices.cpp in sync with this enum
 namespace TDEDiskDeviceType {
 #if __cplusplus >= 201103L
@@ -125,6 +127,45 @@ inline TDEDiskDeviceStatus operator~(TDEDiskDeviceStatus a)
 }
 };
 
+namespace TDELUKSKeySlotStatus {
+enum TDELUKSKeySlotStatus {
+	Invalid =		0x00000000,
+	Inactive =		0x00000001,
+	Active =		0x00000002,
+	Last =			0x00000004,
+	Other =			0x80000000
+};
+
+inline TDELUKSKeySlotStatus operator|(TDELUKSKeySlotStatus a, TDELUKSKeySlotStatus b)
+{
+	return static_cast<TDELUKSKeySlotStatus>(static_cast<int>(a) | static_cast<int>(b));
+}
+
+inline TDELUKSKeySlotStatus operator&(TDELUKSKeySlotStatus a, TDELUKSKeySlotStatus b)
+{
+	return static_cast<TDELUKSKeySlotStatus>(static_cast<int>(a) & static_cast<int>(b));
+}
+
+inline TDELUKSKeySlotStatus operator~(TDELUKSKeySlotStatus a)
+{
+	return static_cast<TDELUKSKeySlotStatus>(~static_cast<int>(a));
+}
+};
+
+typedef TQValueList<TDELUKSKeySlotStatus::TDELUKSKeySlotStatus> TDELUKSKeySlotStatusList;
+
+namespace TDELUKSResult {
+enum TDELUKSResult {
+	Invalid =		0x00000000,
+	Success = 		0x00000001,
+	LUKSNotSupported =	0x00000002,
+	LUKSNotFound = 		0x00000003,
+	InvalidKeyslot = 	0x00000004,
+	KeyslotOpFailed = 	0x00000005,
+	Other =			0x80000000
+};
+};
+
 typedef TQMap<TQString,TQString> TDEStorageMountOptions;
 
 class TDECORE_EXPORT TDEStorageDevice : public TDEGenericDevice
@@ -305,7 +346,73 @@ class TDECORE_EXPORT TDEStorageDevice : public TDEGenericDevice
 		 */
 		static TQString determineFileSystemType(TQString path);
 
+		/**
+		 * Set the unlock password to use in subsequent LUKS operations
+		 * @see cryptClearOperationsUnlockPassword
+		 *
+		 * @param password LUKS unlock password for any keyslot
+		 */
+		void cryptSetOperationsUnlockPassword(TQByteArray password);
+
+		/**
+		 * Erases the unlock password from application memory cache
+		 * @see cryptSetOperationsUnlockPassword
+		 */
+		void cryptClearOperationsUnlockPassword();
+
+		/**
+		 * @return true if unlock password is in the application memory cache
+		 * @see cryptSetOperationsUnlockPassword
+		 * @see cryptClearOperationsUnlockPassword
+		 */
+		bool cryptOperationsUnlockPasswordSet();
+
+		/**
+		 * Adds a new key to the specific keyslot, overwriting the existing key if present
+		 *
+		 * @param keyslot New keyslot number
+		 * @param password New keyslot password
+		 * @return TDELUKSResult::TDELUKSResult containing the status code returned
+		 * from the operation, or TDELUKSResult::LUKSNotSupported if LUKS support unavailable
+		 * @return TDELUKSResult::Success on success
+		 */
+		TDELUKSResult::TDELUKSResult cryptAddKey(unsigned int keyslot, TQByteArray password);
+
+		/**
+		 * Permanently deletes the associated key from a specific keyslot
+		 *
+		 * @param keyslot Keyslot number
+		 * @return TDELUKSResult::TDELUKSResult containing the status code returned
+		 * from the operation, or TDELUKSResult::LUKSNotSupported if LUKS support unavailable
+		 * @return TDELUKSResult::Success on success
+		 */
+		TDELUKSResult::TDELUKSResult cryptDelKey(unsigned int keyslot);
+
+		/**
+		 * @return the maximum number of key slots available
+		 */
+		unsigned int cryptKeySlotCount();
+
+		/**
+		 * @return TDELUKSKeySlotStatusList with the status of all keyslots
+		 */
+		TDELUKSKeySlotStatusList cryptKeySlotStatus();
+
+		/**
+		 * @param status Keyslot status
+		 * @return a TQString with the friendly name of the given slot status
+		 */
+		TQString cryptKeySlotFriendlyName(TDELUKSKeySlotStatus::TDELUKSKeySlotStatus status);
+
 	protected:
+		/**
+		 * @param a TQString with the system device node, if any
+		 * @internal
+		 *
+		 * This method is non-portable, so be careful!
+		 */
+		void internalSetDeviceNode(TQString sn);
+
 		/**
 		 * @param a TQString with the disk or partition label, if any
 		 * @internal
@@ -360,6 +467,22 @@ class TDECORE_EXPORT TDEStorageDevice : public TDEGenericDevice
 		 */
 		void internalSetSlaveDevices(TQStringList sd);
 
+		/**
+		 * @internal
+		 */
+		void internalInitializeLUKSIfNeeded();
+
+		/**
+		 * @internal
+		 */
+		void internalGetLUKSKeySlotStatus();
+
+	private:
+		/**
+		 * @internal
+		 */
+		static int cryptsetup_password_entry_callback(const char*, char *, size_t, void *);
+
 	private:
 		TDEDiskDeviceType::TDEDiskDeviceType m_diskType;
 		TDEDiskDeviceStatus::TDEDiskDeviceStatus m_diskStatus;
@@ -371,6 +494,11 @@ class TDECORE_EXPORT TDEStorageDevice : public TDEGenericDevice
 		TQString m_mountPath;
 		TQStringList m_holdingDevices;
 		TQStringList m_slaveDevices;
+		struct crypt_device* m_cryptDevice;
+		TQByteArray m_cryptDevicePassword;
+		TQString m_cryptDeviceType;
+		unsigned int m_cryptKeySlotCount;
+		TDELUKSKeySlotStatusList m_cryptKeyslotStatus;
 
 	friend class TDEHardwareDevices;
 };