added --allow-discards flag
This commit is contained in:
parent
4e7ef4b8b7
commit
f6c2bc4cdb
GPG Key ID:
E81D8382DC2F971B
4
Cargo.lock
generated
4
Cargo.lock
generated
@ -1,5 +1,7 @@
|
|||||||
# This file is automatically @generated by Cargo.
|
# This file is automatically @generated by Cargo.
|
||||||
# It is not intended for manual editing.
|
# It is not intended for manual editing.
|
||||||
|
version = 3
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "addr2line"
|
name = "addr2line"
|
||||||
version = "0.13.0"
|
version = "0.13.0"
|
||||||
@ -404,7 +406,7 @@ dependencies = [
|
|||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "fido2luks"
|
name = "fido2luks"
|
||||||
version = "0.3.0"
|
version = "0.3.0-alpha"
|
||||||
dependencies = [
|
dependencies = [
|
||||||
"ctap_hmac",
|
"ctap_hmac",
|
||||||
"failure",
|
"failure",
|
||||||
|
|||||||
@ -433,6 +433,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
|||||||
credentials,
|
credentials,
|
||||||
retries,
|
retries,
|
||||||
dry_run,
|
dry_run,
|
||||||
|
allow_discards,
|
||||||
|
..
|
||||||
} => {
|
} => {
|
||||||
let inputs = |q: &str, verify: bool| -> Fido2LuksResult<(Option<String>, [u8; 32])> {
|
let inputs = |q: &str, verify: bool| -> Fido2LuksResult<(Option<String>, [u8; 32])> {
|
||||||
get_input(&secret, &authenticator, args.interactive, q, verify)
|
get_input(&secret, &authenticator, args.interactive, q, verify)
|
||||||
@ -469,7 +471,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
|||||||
});
|
});
|
||||||
secret(Cow::Borrowed(&credentials.0)).and_then(|(secret, cred)| {
|
secret(Cow::Borrowed(&credentials.0)).and_then(|(secret, cred)| {
|
||||||
log(&|| format!("credential used: {}", hex::encode(&cred.id)));
|
log(&|| format!("credential used: {}", hex::encode(&cred.id)));
|
||||||
luks_dev.activate(&name, &secret, luks.slot, *dry_run)
|
luks_dev.activate(&name, &secret, luks.slot, *dry_run, *allow_discards)
|
||||||
})
|
})
|
||||||
} else if luks2 && !luks.disable_token {
|
} else if luks2 && !luks.disable_token {
|
||||||
luks_dev.activate_token(
|
luks_dev.activate_token(
|
||||||
@ -487,6 +489,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
|||||||
}),
|
}),
|
||||||
luks.slot,
|
luks.slot,
|
||||||
*dry_run,
|
*dry_run,
|
||||||
|
*allow_discards,
|
||||||
)
|
)
|
||||||
} else if luks_dev.is_luks2()? && luks.disable_token {
|
} else if luks_dev.is_luks2()? && luks.disable_token {
|
||||||
// disable-token is mostly cosmetic in this instance
|
// disable-token is mostly cosmetic in this instance
|
||||||
|
|||||||
@ -244,6 +244,9 @@ pub enum Command {
|
|||||||
/// Perform the whole procedure without mounting the LUKS volume on success
|
/// Perform the whole procedure without mounting the LUKS volume on success
|
||||||
#[structopt(long = "dry-run")]
|
#[structopt(long = "dry-run")]
|
||||||
dry_run: bool,
|
dry_run: bool,
|
||||||
|
/// Pass SSD trim instructions to the underlying block device
|
||||||
|
#[structopt(long = "allow-discards")]
|
||||||
|
allow_discards: bool,
|
||||||
},
|
},
|
||||||
/// Generate a new FIDO credential
|
/// Generate a new FIDO credential
|
||||||
#[structopt(name = "credential")]
|
#[structopt(name = "credential")]
|
||||||
|
|||||||
19
src/luks.rs
19
src/luks.rs
@ -1,8 +1,8 @@
|
|||||||
use crate::error::*;
|
use crate::error::*;
|
||||||
|
|
||||||
use libcryptsetup_rs::{
|
use libcryptsetup_rs::{
|
||||||
CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo, EncryptionFormat, KeyslotInfo,
|
CryptActivateFlag, CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo,
|
||||||
TokenInput,
|
EncryptionFormat, KeyslotInfo, TokenInput,
|
||||||
};
|
};
|
||||||
use std::collections::{HashMap, HashSet};
|
use std::collections::{HashMap, HashSet};
|
||||||
use std::path::Path;
|
use std::path::Path;
|
||||||
@ -238,15 +238,15 @@ impl LuksDevice {
|
|||||||
secret: &[u8],
|
secret: &[u8],
|
||||||
slot_hint: Option<u32>,
|
slot_hint: Option<u32>,
|
||||||
dry_run: bool,
|
dry_run: bool,
|
||||||
|
allow_discard: bool,
|
||||||
) -> Fido2LuksResult<u32> {
|
) -> Fido2LuksResult<u32> {
|
||||||
|
let mut flags = CryptActivateFlags::empty();
|
||||||
|
if allow_discard {
|
||||||
|
flags = CryptActivateFlags::new(vec![CryptActivateFlag::AllowDiscards]);
|
||||||
|
}
|
||||||
self.device
|
self.device
|
||||||
.activate_handle()
|
.activate_handle()
|
||||||
.activate_by_passphrase(
|
.activate_by_passphrase(Some(name).filter(|_| !dry_run), slot_hint, secret, flags)
|
||||||
Some(name).filter(|_| !dry_run),
|
|
||||||
slot_hint,
|
|
||||||
secret,
|
|
||||||
CryptActivateFlags::empty(),
|
|
||||||
)
|
|
||||||
.map_err(LuksError::activate)
|
.map_err(LuksError::activate)
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -256,6 +256,7 @@ impl LuksDevice {
|
|||||||
secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
|
secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
|
||||||
slot_hint: Option<u32>,
|
slot_hint: Option<u32>,
|
||||||
dry_run: bool,
|
dry_run: bool,
|
||||||
|
allow_discard: bool,
|
||||||
) -> Fido2LuksResult<u32> {
|
) -> Fido2LuksResult<u32> {
|
||||||
if !self.is_luks2()? {
|
if !self.is_luks2()? {
|
||||||
return Err(LuksError::Luks2Required.into());
|
return Err(LuksError::Luks2Required.into());
|
||||||
@ -299,7 +300,7 @@ impl LuksDevice {
|
|||||||
.chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
|
.chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
|
||||||
);
|
);
|
||||||
for slot in slots {
|
for slot in slots {
|
||||||
match self.activate(name, &secret, slot, dry_run) {
|
match self.activate(name, &secret, slot, dry_run, allow_discard) {
|
||||||
Err(Fido2LuksError::WrongSecret) => (),
|
Err(Fido2LuksError::WrongSecret) => (),
|
||||||
res => return res,
|
res => return res,
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user