From 4b09fcb6cb8dd6ce10a6184634cbe90b915331f3 Mon Sep 17 00:00:00 2001
From: shimun
Date: Tue, 13 Oct 2020 21:25:42 +0200
Subject: [PATCH] honour disable-token
---
 CHANGELOG.md | 0
 src/cli.rs | 9 ++++++---
 2 files changed, 6 insertions(+), 3 deletions(-)
 create mode 100644 CHANGELOG.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..e69de29
diff --git a/src/cli.rs b/src/cli.rs
index 1b5d208..5698574 100644
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -33,7 +33,7 @@ fn derive_secret(
 timeout: u64,
 pin: Option<&str>,
 ) -> Fido2LuksResult<([u8; 32], FidoCredential)> {
- if credentials.len() == 0 {
+ if credentials.is_empty() {
 return Err(Fido2LuksError::InsufficientCredentials);
 }
 let timeout = Duration::from_secs(timeout);
@@ -419,7 +419,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
 let slot = if let Some(ref credentials) = credentials.ids {
 secret(Cow::Borrowed(&credentials.0))
 .and_then(|(secret, _cred)| luks_dev.activate(&name, &secret, luks.slot))
- } else if luks_dev.is_luks2()? {
+ } else if luks_dev.is_luks2()? && !luks.disable_token {
 luks_dev.activate_token(
 &name,
 Box::new(|credentials: Vec| {
@@ -432,8 +432,11 @@ pub fn run_cli() -> Fido2LuksResult<()> {
 }),
 luks.slot,
 )
+ } else if luks_dev.is_luks2()? && luks.disable_token {
+ // disable-token is mostly cosmetic in this instance
+ return Err(Fido2LuksError::InsufficientCredentials);
 } else {
- return Err(Fido2LuksError::WrongSecret); // creds or luks2
+ return Err(Fido2LuksError::WrongSecret);
 };
 match slot {
 Err(e) => {
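Review bot: The fallible `luks_dev.is_luks2()?` query in this condition is repeated in the `else if` added by the next hunk, so it can run twice on one pass through the chain, and the second branch's `&& luks.disable_token` test is already implied by this branch not being taken. Keeping a single `} else if luks_dev.is_luks2()? {` and making `if luks.disable_token { return Err(Fido2LuksError::InsufficientCredentials); }` the first statement of that branch expresses the same decision with one device query. It also keeps the "tokens disabled" rule right next to the `activate_token` call it guards, so a later edit is less likely to let header-stored credentials be used despite the flag. The `if`/`else if` chain starts in this hunk and ends in the next, and the closure body between them is not visible here.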
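Review bot: The comment on the new `disable_token` branch, "mostly cosmetic in this instance", does not explain why the branch returns an error. This branch is where the flag is actually enforced: no credential ids were passed and the LUKS2 token lookup is switched off. A comment such as `// token lookup is disabled and no credential ids were given, so there is nothing to unlock with` would state that. The commit also drops the `// creds or luks2` remark from the final `else`, which is now reached only for a non-LUKS2 device without credential ids. A short replacement such as `// not LUKS2 and no credential ids given` would keep that branch readable.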