Several cleanups for libcryptsetup dependency (#39452)

2026-04-14 00:14:32 +09:00 · 2025-11-02 08:07:15 +09:00
parent d714edd26c db1f63463a
commit ee3cd7890d
7 changed files with 49 additions and 130 deletions
--- a/meson.build
+++ b/meson.build
@@ -1247,53 +1247,30 @@ libcryptsetup = dependency('libcryptsetup',
 libcryptsetup_cflags = libcryptsetup.partial_dependency(includes: true, compile_args: true)

 have = libcryptsetup.found()
-foreach ident : ['crypt_set_metadata_size',
-                 'crypt_activate_by_signed_key',
-                 'crypt_token_max',
-                 'crypt_reencrypt_init_by_passphrase',
-                 'crypt_reencrypt',
-                 'crypt_reencrypt_run',
-                 'crypt_set_data_offset',
-                 'crypt_set_keyring_to_link',
-                 'crypt_resume_by_volume_key',
-                 'crypt_token_set_external_path']
+conf.set10('HAVE_LIBCRYPTSETUP', have)
+
+foreach ident : [
+                'crypt_activate_by_token_pin',   # 2.4
+                'crypt_logf',                    # 2.4
+                'crypt_reencrypt_run',           # 2.4
+                'crypt_token_external_path',     # 2.4
+                'crypt_token_max',               # 2.4
+                'crypt_set_keyring_to_link',     # 2.7
+                'crypt_token_set_external_path', # 2.7
+        ]
+
        have_ident = have and cc.has_function(
                ident,
                prefix : '#include <libcryptsetup.h>',
-                # crypt_reencrypt() raises a deprecation warning so make sure -Wno-deprecated-declarations is
-                # specified otherwise we fail to detect crypt_reencrypt() if -Werror is used.
-                args : '-Wno-deprecated-declarations',
                dependencies : libcryptsetup)
        conf.set10('HAVE_' + ident.to_upper(), have_ident)
 endforeach
-conf.set10('HAVE_LIBCRYPTSETUP', have)

-if meson.version().version_compare('>=1.3.0')
-        have = (cc.has_function(
-                        'crypt_activate_by_token_pin',
-                        prefix : '#include <libcryptsetup.h>',
-                        dependencies : libcryptsetup,
-                        required : libcryptsetup_plugins) and
-                cc.has_function(
-                        'crypt_token_external_path',
-                        prefix : '#include <libcryptsetup.h>',
-                        dependencies : libcryptsetup,
-                        required : libcryptsetup_plugins))
-else
-        if libcryptsetup_plugins.allowed()
-                have = (cc.has_function(
-                                'crypt_activate_by_token_pin',
-                                prefix : '#include <libcryptsetup.h>',
-                                dependencies : libcryptsetup) and
-                        cc.has_function(
-                                'crypt_token_external_path',
-                                prefix : '#include <libcryptsetup.h>',
-                                dependencies : libcryptsetup))
-        else
-                have = false
-        endif
-endif
-conf.set10('HAVE_LIBCRYPTSETUP_PLUGINS', have)
+conf.set10('HAVE_LIBCRYPTSETUP_PLUGINS',
+           libcryptsetup_plugins.allowed() and
+           conf.get('HAVE_CRYPT_ACTIVATE_BY_TOKEN_PIN') == 1 and
+           conf.get('HAVE_CRYPT_LOGF') == 1 and
+           conf.get('HAVE_CRYPT_TOKEN_EXTERNAL_PATH') == 1)

 libcurl = dependency('libcurl',
                     version : '>= 7.32.0',
@@ -1589,8 +1566,7 @@ conf.set10('ENABLE_IMPORTD', have)
 have = get_option('homed').require(
        conf.get('HAVE_OPENSSL') == 1 and
        conf.get('HAVE_LIBFDISK') == 1 and
-        conf.get('HAVE_LIBCRYPTSETUP') == 1 and
-        conf.get('HAVE_CRYPT_RESUME_BY_VOLUME_KEY') == 1,
+        conf.get('HAVE_LIBCRYPTSETUP') == 1,
        error_message : 'openssl, fdisk and libcryptsetup required').allowed()
 conf.set10('ENABLE_HOMED', have)

--- a/src/home/homework-luks.c
+++ b/src/home/homework-luks.c
@@ -1788,12 +1788,10 @@ static int luks_format(
        if (r < 0)
                return log_error_errno(r, "Failed to generate volume key: %m");

-#if HAVE_CRYPT_SET_METADATA_SIZE
        /* Increase the metadata space to 4M, the largest LUKS2 supports */
        r = sym_crypt_set_metadata_size(cd, 4096U*1024U, 0);
        if (r < 0)
                return log_error_errno(r, "Failed to change LUKS2 metadata size: %m");
-#endif

        build_good_pbkdf(&good_pbkdf, hr);
        build_minimal_pbkdf(&minimal_pbkdf, hr);
--- a/src/repart/repart.c
+++ b/src/repart/repart.c
@@ -4968,7 +4968,7 @@ static int partition_target_sync(Context *context, Partition *p, PartitionTarget
 }

 static int partition_encrypt(Context *context, Partition *p, PartitionTarget *target, bool offline) {
-#if HAVE_LIBCRYPTSETUP && HAVE_CRYPT_SET_DATA_OFFSET && HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE && (HAVE_CRYPT_REENCRYPT_RUN || HAVE_CRYPT_REENCRYPT)
+#if HAVE_LIBCRYPTSETUP
        const char *node = partition_target_path(target);
        struct crypt_params_luks2 luks_params = {
                .label = strempty(ASSERT_PTR(p)->new_label),
--- a/src/shared/cryptsetup-util.c
+++ b/src/shared/cryptsetup-util.c
@@ -16,9 +16,7 @@
 static void *cryptsetup_dl = NULL;

 DLSYM_PROTOTYPE(crypt_activate_by_passphrase) = NULL;
-#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
 DLSYM_PROTOTYPE(crypt_activate_by_signed_key) = NULL;
-#endif
 DLSYM_PROTOTYPE(crypt_activate_by_volume_key) = NULL;
 DLSYM_PROTOTYPE(crypt_deactivate_by_name) = NULL;
 DLSYM_PROTOTYPE(crypt_format) = NULL;
@@ -32,22 +30,27 @@ DLSYM_PROTOTYPE(crypt_get_type) = NULL;
 DLSYM_PROTOTYPE(crypt_get_uuid) = NULL;
 DLSYM_PROTOTYPE(crypt_get_verity_info) = NULL;
 DLSYM_PROTOTYPE(crypt_get_volume_key_size) = NULL;
+DLSYM_PROTOTYPE(crypt_header_restore) = NULL;
 DLSYM_PROTOTYPE(crypt_init) = NULL;
 DLSYM_PROTOTYPE(crypt_init_by_name) = NULL;
 DLSYM_PROTOTYPE(crypt_keyslot_add_by_volume_key) = NULL;
 DLSYM_PROTOTYPE(crypt_keyslot_destroy) = NULL;
 DLSYM_PROTOTYPE(crypt_keyslot_max) = NULL;
 DLSYM_PROTOTYPE(crypt_load) = NULL;
-DLSYM_PROTOTYPE(crypt_resize) = NULL;
-#if HAVE_CRYPT_RESUME_BY_VOLUME_KEY
-DLSYM_PROTOTYPE(crypt_resume_by_volume_key) = NULL;
+DLSYM_PROTOTYPE(crypt_metadata_locking) = NULL;
+DLSYM_PROTOTYPE(crypt_reencrypt_init_by_passphrase) = NULL;
+#if HAVE_CRYPT_REENCRYPT_RUN
+DLSYM_PROTOTYPE(crypt_reencrypt_run);
+#else
+DLSYM_PROTOTYPE(crypt_reencrypt);
 #endif
+DLSYM_PROTOTYPE(crypt_resize) = NULL;
+DLSYM_PROTOTYPE(crypt_resume_by_volume_key) = NULL;
 DLSYM_PROTOTYPE(crypt_set_data_device) = NULL;
+DLSYM_PROTOTYPE(crypt_set_data_offset) = NULL;
 DLSYM_PROTOTYPE(crypt_set_debug_level) = NULL;
 DLSYM_PROTOTYPE(crypt_set_log_callback) = NULL;
-#if HAVE_CRYPT_SET_METADATA_SIZE
 DLSYM_PROTOTYPE(crypt_set_metadata_size) = NULL;
-#endif
 DLSYM_PROTOTYPE(crypt_set_pbkdf_type) = NULL;
 DLSYM_PROTOTYPE(crypt_suspend) = NULL;
 DLSYM_PROTOTYPE(crypt_token_json_get) = NULL;
@@ -66,19 +69,6 @@ DLSYM_PROTOTYPE(crypt_token_set_external_path) = NULL;
 #endif
 DLSYM_PROTOTYPE(crypt_token_status) = NULL;
 DLSYM_PROTOTYPE(crypt_volume_key_get) = NULL;
-#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
-DLSYM_PROTOTYPE(crypt_reencrypt_init_by_passphrase) = NULL;
-#endif
-#if HAVE_CRYPT_REENCRYPT_RUN
-DLSYM_PROTOTYPE(crypt_reencrypt_run);
-#elif HAVE_CRYPT_REENCRYPT
-DLSYM_PROTOTYPE(crypt_reencrypt);
-#endif
-DLSYM_PROTOTYPE(crypt_metadata_locking) = NULL;
-#if HAVE_CRYPT_SET_DATA_OFFSET
-DLSYM_PROTOTYPE(crypt_set_data_offset) = NULL;
-#endif
-DLSYM_PROTOTYPE(crypt_header_restore) = NULL;
 DLSYM_PROTOTYPE(crypt_volume_key_keyring) = NULL;

 static void cryptsetup_log_glue(int level, const char *msg, void *usrptr) {
@@ -237,9 +227,7 @@ int dlopen_cryptsetup(void) {
        r = dlopen_many_sym_or_warn(
                        &cryptsetup_dl, "libcryptsetup.so.12", LOG_DEBUG,
                        DLSYM_ARG(crypt_activate_by_passphrase),
-#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
                        DLSYM_ARG(crypt_activate_by_signed_key),
-#endif
                        DLSYM_ARG(crypt_activate_by_volume_key),
                        DLSYM_ARG(crypt_deactivate_by_name),
                        DLSYM_ARG(crypt_format),
@@ -253,22 +241,27 @@ int dlopen_cryptsetup(void) {
                        DLSYM_ARG(crypt_get_uuid),
                        DLSYM_ARG(crypt_get_verity_info),
                        DLSYM_ARG(crypt_get_volume_key_size),
+                        DLSYM_ARG(crypt_header_restore),
                        DLSYM_ARG(crypt_init),
                        DLSYM_ARG(crypt_init_by_name),
                        DLSYM_ARG(crypt_keyslot_add_by_volume_key),
                        DLSYM_ARG(crypt_keyslot_destroy),
                        DLSYM_ARG(crypt_keyslot_max),
                        DLSYM_ARG(crypt_load),
-                        DLSYM_ARG(crypt_resize),
-#if HAVE_CRYPT_RESUME_BY_VOLUME_KEY
-                        DLSYM_ARG(crypt_resume_by_volume_key),
+                        DLSYM_ARG(crypt_metadata_locking),
+                        DLSYM_ARG(crypt_reencrypt_init_by_passphrase),
+#if HAVE_CRYPT_REENCRYPT_RUN
+                        DLSYM_ARG(crypt_reencrypt_run),
+#else
+                        DLSYM_ARG(crypt_reencrypt),
 #endif
+                        DLSYM_ARG(crypt_resize),
+                        DLSYM_ARG(crypt_resume_by_volume_key),
                        DLSYM_ARG(crypt_set_data_device),
+                        DLSYM_ARG(crypt_set_data_offset),
                        DLSYM_ARG(crypt_set_debug_level),
                        DLSYM_ARG(crypt_set_log_callback),
-#if HAVE_CRYPT_SET_METADATA_SIZE
                        DLSYM_ARG(crypt_set_metadata_size),
-#endif
                        DLSYM_ARG(crypt_set_pbkdf_type),
                        DLSYM_ARG(crypt_suspend),
                        DLSYM_ARG(crypt_token_json_get),
@@ -281,19 +274,6 @@ int dlopen_cryptsetup(void) {
 #endif
                        DLSYM_ARG(crypt_token_status),
                        DLSYM_ARG(crypt_volume_key_get),
-#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
-                        DLSYM_ARG(crypt_reencrypt_init_by_passphrase),
-#endif
-#if HAVE_CRYPT_REENCRYPT_RUN
-                        DLSYM_ARG(crypt_reencrypt_run),
-#elif HAVE_CRYPT_REENCRYPT
-                        DLSYM_ARG(crypt_reencrypt),
-#endif
-                        DLSYM_ARG(crypt_metadata_locking),
-#if HAVE_CRYPT_SET_DATA_OFFSET
-                        DLSYM_ARG(crypt_set_data_offset),
-#endif
-                        DLSYM_ARG(crypt_header_restore),
                        DLSYM_ARG(crypt_volume_key_keyring));
        if (r <= 0)
                return r;
--- a/src/shared/cryptsetup-util.h
+++ b/src/shared/cryptsetup-util.h
@@ -16,9 +16,7 @@
 #endif

 extern DLSYM_PROTOTYPE(crypt_activate_by_passphrase);
-#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
 extern DLSYM_PROTOTYPE(crypt_activate_by_signed_key);
-#endif
 extern DLSYM_PROTOTYPE(crypt_activate_by_volume_key);
 extern DLSYM_PROTOTYPE(crypt_deactivate_by_name);
 extern DLSYM_PROTOTYPE(crypt_format);
@@ -32,22 +30,27 @@ extern DLSYM_PROTOTYPE(crypt_get_type);
 extern DLSYM_PROTOTYPE(crypt_get_uuid);
 extern DLSYM_PROTOTYPE(crypt_get_verity_info);
 extern DLSYM_PROTOTYPE(crypt_get_volume_key_size);
+extern DLSYM_PROTOTYPE(crypt_header_restore);
 extern DLSYM_PROTOTYPE(crypt_init);
 extern DLSYM_PROTOTYPE(crypt_init_by_name);
 extern DLSYM_PROTOTYPE(crypt_keyslot_add_by_volume_key);
 extern DLSYM_PROTOTYPE(crypt_keyslot_destroy);
 extern DLSYM_PROTOTYPE(crypt_keyslot_max);
 extern DLSYM_PROTOTYPE(crypt_load);
-extern DLSYM_PROTOTYPE(crypt_resize);
-#if HAVE_CRYPT_RESUME_BY_VOLUME_KEY
-extern DLSYM_PROTOTYPE(crypt_resume_by_volume_key);
+extern DLSYM_PROTOTYPE(crypt_metadata_locking);
+extern DLSYM_PROTOTYPE(crypt_reencrypt_init_by_passphrase);
+#if HAVE_CRYPT_REENCRYPT_RUN
+extern DLSYM_PROTOTYPE(crypt_reencrypt_run);
+#else
+extern DLSYM_PROTOTYPE(crypt_reencrypt);
 #endif
+extern DLSYM_PROTOTYPE(crypt_resize);
+extern DLSYM_PROTOTYPE(crypt_resume_by_volume_key);
 extern DLSYM_PROTOTYPE(crypt_set_data_device);
+extern DLSYM_PROTOTYPE(crypt_set_data_offset);
 extern DLSYM_PROTOTYPE(crypt_set_debug_level);
 extern DLSYM_PROTOTYPE(crypt_set_log_callback);
-#if HAVE_CRYPT_SET_METADATA_SIZE
 extern DLSYM_PROTOTYPE(crypt_set_metadata_size);
-#endif
 extern DLSYM_PROTOTYPE(crypt_set_pbkdf_type);
 extern DLSYM_PROTOTYPE(crypt_suspend);
 extern DLSYM_PROTOTYPE(crypt_token_json_get);
@@ -64,19 +67,6 @@ extern DLSYM_PROTOTYPE(crypt_token_set_external_path);
 #endif
 extern DLSYM_PROTOTYPE(crypt_token_status);
 extern DLSYM_PROTOTYPE(crypt_volume_key_get);
-#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
-extern DLSYM_PROTOTYPE(crypt_reencrypt_init_by_passphrase);
-#endif
-#if HAVE_CRYPT_REENCRYPT_RUN
-extern DLSYM_PROTOTYPE(crypt_reencrypt_run);
-#elif HAVE_CRYPT_REENCRYPT
-extern DLSYM_PROTOTYPE(crypt_reencrypt);
-#endif
-extern DLSYM_PROTOTYPE(crypt_metadata_locking);
-#if HAVE_CRYPT_SET_DATA_OFFSET
-extern DLSYM_PROTOTYPE(crypt_set_data_offset);
-#endif
-extern DLSYM_PROTOTYPE(crypt_header_restore);
 extern DLSYM_PROTOTYPE(crypt_volume_key_keyring);

 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(struct crypt_device *, crypt_free, NULL);
@@ -92,15 +82,6 @@ int cryptsetup_set_minimal_pbkdf(struct crypt_device *cd);

 int cryptsetup_get_token_as_json(struct crypt_device *cd, int idx, const char *verify_type, sd_json_variant **ret);
 int cryptsetup_add_token_json(struct crypt_device *cd, sd_json_variant *v);
-
-#else
-
-/* If libcryptsetup is not available, let's at least define the basic type and NOP destructors for it, to
- * make a little bit less #ifdeferry necessary in main programs. */
-struct crypt_device;
-static inline void sym_crypt_free(struct crypt_device* cd) {}
-static inline void sym_crypt_freep(struct crypt_device** cd) {}
-
 #endif

 int dlopen_cryptsetup(void);
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -2668,13 +2668,11 @@ static int verity_can_reuse(
            memcmp(root_hash_existing, verity->root_hash, verity->root_hash_size) != 0)
                return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Error opening verity device, it already exists but root hashes are different.");

-#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
        /* Ensure that, if signatures are supported, we only reuse the device if the previous mount used the
         * same settings, so that a previous unsigned mount will not be reused if the user asks to use
         * signing for the new one, and vice versa. */
        if (!!verity->root_hash_sig != !!(crypt_params.flags & CRYPT_VERITY_ROOT_HASH_SIGNATURE))
                return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Error opening verity device, it already exists but signature settings are not the same.");
-#endif

        *ret_cd = TAKE_PTR(cd);
        return 0;
@@ -2820,7 +2818,6 @@ static int do_crypt_activate_verity(
                check_signature = false;

        if (check_signature) {
-#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
                /* First, if we have support for signed keys in the kernel, then try that first. */
                r = sym_crypt_activate_by_signed_key(
                                cd,
@@ -2842,11 +2839,6 @@ static int do_crypt_activate_verity(
                 * -ENOKEY, which means "password required, but I have none". */
                if (r == -ENOKEY)
                        r = -EDESTADDRREQ;
-#else
-                log_debug("Activation of verity device with signature requested, but not supported via the kernel by %s due to missing crypt_activate_by_signed_key(), trying userspace validation instead.",
-                          program_invocation_short_name);
-                r = 0; /* Set for the propagation below */
-#endif

                /* So this didn't work via the kernel, then let's try userspace validation instead. If that
                 * works we'll try to activate without telling the kernel the signature. */
--- a/src/veritysetup/veritysetup.c
+++ b/src/veritysetup/veritysetup.c
@@ -101,10 +101,6 @@ static int parse_roothashsig_option(const char *option, bool strict) {
        else
                return false;

-        if (!HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY)
-                return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
-                                       "Activation of verity device with signature requested, but cryptsetup does not support crypt_activate_by_signed_key().");
-
        free_and_replace(arg_root_hash_signature, rhs);
        arg_root_hash_signature_size = rhss;
        arg_root_hash_signature_auto = set_auto;
@@ -416,7 +412,6 @@ static int verb_attach(int argc, char *argv[], void *userdata) {
                return log_error_errno(r, "Failed to configure data device: %m");

        if (arg_root_hash_signature_size > 0) {
-#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
                r = crypt_activate_by_signed_key(cd, volume, rh, rh_size, arg_root_hash_signature, arg_root_hash_signature_size, arg_activate_flags);
                if (r < 0) {
                        log_info_errno(r, "Unable to activate verity device '%s' with root hash signature (%m), retrying without.", volume);
@@ -427,9 +422,6 @@ static int verb_attach(int argc, char *argv[], void *userdata) {

                        log_info("Activation of verity device '%s' succeeded without root hash signature.", volume);
                }
-#else
-                assert_not_reached();
-#endif
        } else
                r = crypt_activate_by_volume_key(cd, volume, rh, rh_size, arg_activate_flags);
        if (r < 0)