shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

dry-run
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is failing
Details

Browse Source
This commit is contained in:
shimun 2020-10-17 18:27:12 +02:00
parent a264f4c9eb
commit 49a7512743
Signed by: shimun
GPG Key ID: E81D8382DC2F971B
4 changed files with 18 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/cli.rs
View File

@ -358,6 +358,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
name, name,
credentials, credentials,
retries, retries,
dry_run,
} => { } => {
let inputs = |q: &str, verify: bool| -> Fido2LuksResult<(Option<String>, [u8; 32])> { let inputs = |q: &str, verify: bool| -> Fido2LuksResult<(Option<String>, [u8; 32])> {
get_input(&secret, &authenticator, args.interactive, q, verify) get_input(&secret, &authenticator, args.interactive, q, verify)
@ -378,8 +379,9 @@ pub fn run_cli() -> Fido2LuksResult<()> {
let mut luks_dev = LuksDevice::load(&luks.device)?; let mut luks_dev = LuksDevice::load(&luks.device)?;
loop { loop {
let slot = if let Some(ref credentials) = credentials.ids { let slot = if let Some(ref credentials) = credentials.ids {
secret(Cow::Borrowed(&credentials.0)) secret(Cow::Borrowed(&credentials.0)).and_then(|(secret, _cred)| {
.and_then(|(secret, _cred)| luks_dev.activate(&name, &secret, luks.slot)) luks_dev.activate(&name, &secret, luks.slot, *dry_run)
})
} else if luks_dev.is_luks2()? && !luks.disable_token { } else if luks_dev.is_luks2()? && !luks.disable_token {
luks_dev.activate_token( luks_dev.activate_token(
&name, &name,
@ -392,6 +394,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
.map(|(secret, cred)| (secret, hex::encode(&cred.id))) .map(|(secret, cred)| (secret, hex::encode(&cred.id)))
}), }),
luks.slot, luks.slot,
*dry_run,
) )
} else if luks_dev.is_luks2()? && luks.disable_token { } else if luks_dev.is_luks2()? && luks.disable_token {
// disable-token is mostly cosmetic in this instance // disable-token is mostly cosmetic in this instance

2
src/cli_args/config.rs
View File

@ -210,7 +210,7 @@ mod test {
fn input_salt_obtain() { fn input_salt_obtain() {
assert_eq!( assert_eq!(
SecretInput::String("abc".into()) SecretInput::String("abc".into())
.obtain_sha256(None) .obtain_sha256(Some(|| Ok("123456".to_string())))
.unwrap(), .unwrap(),
[ [
186, 120, 22, 191, 143, 1, 207, 234, 65, 65, 64, 222, 93, 174, 34, 35, 176, 3, 97, 186, 120, 22, 191, 143, 1, 207, 234, 65, 65, 64, 222, 93, 174, 34, 35, 176, 3, 97,

3
src/cli_args/mod.rs
View File

@ -239,6 +239,9 @@ pub enum Command {
secret: SecretParameters, secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")] #[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32, retries: i32,
/// Don't actually mount the LUKS image
#[structopt(long = "dry-run")]
dry_run: bool,
}, },
/// Generate a new FIDO credential /// Generate a new FIDO credential
#[structopt(name = "credential")] #[structopt(name = "credential")]

11
src/luks.rs
View File

@ -237,10 +237,16 @@ impl LuksDevice {
name: &str, name: &str,
secret: &[u8], secret: &[u8],
slot_hint: Option<u32>, slot_hint: Option<u32>,
dry_run: bool,
) -> Fido2LuksResult<u32> { ) -> Fido2LuksResult<u32> {
self.device self.device
.activate_handle() .activate_handle()
.activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty()) .activate_by_passphrase(
Some(name).filter(|_| !dry_run),
slot_hint,
secret,
CryptActivateFlags::empty(),
)
.map_err(LuksError::activate) .map_err(LuksError::activate)
} }
@ -249,6 +255,7 @@ impl LuksDevice {
name: &str, name: &str,
secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>, secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
slot_hint: Option<u32>, slot_hint: Option<u32>,
dry_run: bool,
) -> Fido2LuksResult<u32> { ) -> Fido2LuksResult<u32> {
if !self.is_luks2()? { if !self.is_luks2()? {
return Err(LuksError::Luks2Required.into()); return Err(LuksError::Luks2Required.into());
@ -292,7 +299,7 @@ impl LuksDevice {
.chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort .chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
); );
for slot in slots { for slot in slots {
match self.activate(name, &secret, slot) { match self.activate(name, &secret, slot, dry_run) {
Err(Fido2LuksError::WrongSecret) => (), Err(Fido2LuksError::WrongSecret) => (),
res => return res, res => return res,
} }