dcavalca / rpms / systemd

Forked from rpms/systemd 3 months ago
Clone
4bff0a
From 7a597a091de83a861d81166b0e863bf2977c829c Mon Sep 17 00:00:00 2001
4bff0a
From: Milan Broz <gmazyland@gmail.com>
4bff0a
Date: Mon, 27 May 2019 09:44:14 +0200
4bff0a
Subject: [PATCH] cryptsetup: Add LUKS2 token support.
4bff0a
4bff0a
LUKS2 supports so-called tokens. The libcryptsetup internally
4bff0a
support keyring token (it tries to open device using specified
4bff0a
keyring entry).
4bff0a
Only if all token fails (or are not available), it uses a passphrase.
4bff0a
4bff0a
This patch aligns the functionality with the cryptsetup utility
4bff0a
(cryptsetup luksOpen tries tokens first) but does not replace
4bff0a
the systemd native ask-password function (can be used the same in
4bff0a
combination with this patch).
4bff0a
4bff0a
(cherry picked from commit 894bb3ca4c730cc9e9d46ef5004ba4ca5e201d8d)
4bff0a
4bff0a
Resolves: #1719153
4bff0a
---
4bff0a
 src/cryptsetup/cryptsetup.c | 12 ++++++++++++
4bff0a
 1 file changed, 12 insertions(+)
4bff0a
4bff0a
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
4bff0a
index a0bd80ea65..4e1b3eff19 100644
4bff0a
--- a/src/cryptsetup/cryptsetup.c
4bff0a
+++ b/src/cryptsetup/cryptsetup.c
4bff0a
@@ -682,6 +682,18 @@ int main(int argc, char *argv[]) {
4bff0a
                                 if (r < 0)
4bff0a
                                         return log_error_errno(r, "Failed to set LUKS data device %s: %m", argv[3]);
4bff0a
                         }
4bff0a
+#ifdef CRYPT_ANY_TOKEN
4bff0a
+                        /* Tokens are available in LUKS2 only, but it is ok to call (and fail) with LUKS1. */
4bff0a
+                        if (!key_file) {
4bff0a
+                                r = crypt_activate_by_token(cd, argv[2], CRYPT_ANY_TOKEN, NULL, flags);
4bff0a
+                                if (r >= 0) {
4bff0a
+                                        log_debug("Volume %s activated with LUKS token id %i.", argv[2], r);
4bff0a
+                                        return 0;
4bff0a
+                                }
4bff0a
+
4bff0a
+                                log_debug_errno(r, "Token activation unsuccessful for device %s: %m", crypt_get_device_name(cd));
4bff0a
+                        }
4bff0a
+#endif
4bff0a
                 }
4bff0a
 
4bff0a
                 for (tries = 0; arg_tries == 0 || tries < arg_tries; tries++) {