added --allow-discards flag

shimun 2021-12-28 13:34:19 +01:00
parent 4509cacd6d
commit 210da1ce0f
Signed by: shimun
GPG Key ID: E81D8382DC2F971B
5 changed files with 24 additions and 7 deletions

2
Cargo.lock generated

@ -410,7 +410,7 @@ dependencies = [
[[package]] [[package]]
name = "fido2luks" name = "fido2luks"
version = "0.2.19" version = "0.2.20"
dependencies = [ dependencies = [
"ctap_hmac", "ctap_hmac",
"failure", "failure",


@ -1,6 +1,6 @@
[package] [package]
name = "fido2luks" name = "fido2luks"
version = "0.2.19" version = "0.2.20"
authors = ["shimunn <shimun@shimun.net>"] authors = ["shimunn <shimun@shimun.net>"]
edition = "2018" edition = "2018"


@ -259,6 +259,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
secret, secret,
name, name,
retries, retries,
allow_discards,
.. ..
} }
| Command::OpenToken { | Command::OpenToken {
@ -267,6 +268,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
secret, secret,
name, name,
retries, retries,
allow_discards,
} => { } => {
let pin_string; let pin_string;
let pin = if authenticator.pin { let pin = if authenticator.pin {
@ -299,7 +301,9 @@ pub fn run_cli() -> Fido2LuksResult<()> {
loop { loop {
let secret = match &args.command { let secret = match &args.command {
Command::Open { credentials, .. } => secret(Cow::Borrowed(&credentials.ids.0)) Command::Open { credentials, .. } => secret(Cow::Borrowed(&credentials.ids.0))
.and_then(|(secret, _cred)| luks_dev.activate(&name, &secret, luks.slot)), .and_then(|(secret, _cred)| {
luks_dev.activate(&name, &secret, luks.slot, *allow_discards)
}),
Command::OpenToken { .. } => luks_dev.activate_token( Command::OpenToken { .. } => luks_dev.activate_token(
&name, &name,
Box::new(|credentials: Vec<String>| { Box::new(|credentials: Vec<String>| {
@ -311,6 +315,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
.map(|(secret, cred)| (secret, hex::encode(&cred.id))) .map(|(secret, cred)| (secret, hex::encode(&cred.id)))
}), }),
luks.slot, luks.slot,
*allow_discards,
), ),
_ => unreachable!(), _ => unreachable!(),
}; };


@ -216,6 +216,9 @@ pub enum Command {
secret: SecretParameters, secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")] #[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32, retries: i32,
/// Pass SSD trim instructions to the underlying block device
#[structopt(long = "allow-discards")]
allow_discards: bool,
}, },
/// Open the LUKS device using credentials embedded in the LUKS 2 header /// Open the LUKS device using credentials embedded in the LUKS 2 header
#[structopt(name = "open-token")] #[structopt(name = "open-token")]
@ -230,6 +233,9 @@ pub enum Command {
secret: SecretParameters, secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")] #[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32, retries: i32,
/// Pass SSD trim instructions to the underlying block device
#[structopt(long = "allow-discards")]
allow_discards: bool,
}, },
/// Generate a new FIDO credential /// Generate a new FIDO credential
#[structopt(name = "credential")] #[structopt(name = "credential")]
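Review bot: The help text for `--allow-discards`, added to both `Open` and `OpenToken`, describes only the benefit and omits the confidentiality trade-off. With discards passed through dm-crypt, which blocks are unused becomes observable on the underlying device, and that can reveal filesystem type and usage patterns to anyone who can read the raw disk. Since structopt turns the doc comment into the `--help` output, I would extend it on both fields, e.g. `/// Pass SSD trim instructions to the underlying block device (reveals which blocks are unused on the encrypted device; off by default)`. The `Command` enum starts and ends outside the hunks shown.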


@ -1,8 +1,8 @@
use crate::error::*; use crate::error::*;
use libcryptsetup_rs::{ use libcryptsetup_rs::{
CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo, EncryptionFormat, KeyslotInfo, CryptActivateFlag, CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo,
TokenInput, EncryptionFormat, KeyslotInfo, TokenInput,
}; };
use std::collections::{HashMap, HashSet}; use std::collections::{HashMap, HashSet};
use std::path::Path; use std::path::Path;
@ -221,10 +221,15 @@ impl LuksDevice {
name: &str, name: &str,
secret: &[u8], secret: &[u8],
slot_hint: Option<u32>, slot_hint: Option<u32>,
allow_discard: bool,
) -> Fido2LuksResult<u32> { ) -> Fido2LuksResult<u32> {
let mut flags = CryptActivateFlags::empty();
if allow_discard {
flags = CryptActivateFlags::new(vec![CryptActivateFlag::AllowDiscards]);
}
self.device self.device
.activate_handle() .activate_handle()
.activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty()) .activate_by_passphrase(Some(name), slot_hint, secret, flags)
.map_err(LuksError::activate) .map_err(LuksError::activate)
} }
@ -233,6 +238,7 @@ impl LuksDevice {
name: &str, name: &str,
secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>, secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
slot_hint: Option<u32>, slot_hint: Option<u32>,
allow_discard: bool,
) -> Fido2LuksResult<u32> { ) -> Fido2LuksResult<u32> {
if !self.is_luks2()? { if !self.is_luks2()? {
return Err(LuksError::Luks2Required.into()); return Err(LuksError::Luks2Required.into());
@ -276,7 +282,7 @@ impl LuksDevice {
.chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort .chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
); );
for slot in slots { for slot in slots {
match self.activate(name, &secret, slot) { match self.activate(name, &secret, slot, allow_discard) {
Err(Fido2LuksError::WrongSecret) => (), Err(Fido2LuksError::WrongSecret) => (),
res => return res, res => return res,
} }
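Review bot: The new parameter is spelled `allow_discard` in both `activate` and `activate_token`, while the CLI field is `allow_discards` and the libcryptsetup flag is `AllowDiscards`; one spelling throughout makes this security-relevant option easier to grep and audit. In `activate`, the `let mut flags` followed by a conditional reassignment can be a single immutable binding: `let flags = if allow_discards { CryptActivateFlags::new(vec![CryptActivateFlag::AllowDiscards]) } else { CryptActivateFlags::empty() };`. Both functions would also benefit from a doc comment line stating that `true` lets discard requests through to the backing device and that callers should default to `false`. Both function bodies start outside the hunks shown.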