From 7a597a091de83a861d81166b0e863bf2977c829c Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Mon, 27 May 2019 09:44:14 +0200
Subject: [PATCH] cryptsetup: Add LUKS2 token support.
LUKS2 supports so-called tokens. The libcryptsetup internally
support keyring token (it tries to open device using specified
keyring entry).
Only if all tokens fail (or none are available) does it fall back to a passphrase.
This patch aligns the functionality with the cryptsetup utility
(cryptsetup luksOpen tries tokens first) but does not replace
the systemd native ask-password function (can be used the same in
combination with this patch).
(cherry picked from commit 894bb3ca4c730cc9e9d46ef5004ba4ca5e201d8d)
Resolves: #1719153
---
 src/cryptsetup/cryptsetup.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index a0bd80ea65..4e1b3eff19 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -682,6 +682,18 @@ int main(int argc, char *argv[]) {
                                 if (r < 0)
                                         return log_error_errno(r, "Failed to set LUKS data device %s: %m", argv[3]);
                         }
+#ifdef CRYPT_ANY_TOKEN
+                        /* Tokens are available in LUKS2 only, but it is ok to call (and fail) with LUKS1. */
+                        if (!key_file) {
+                                r = crypt_activate_by_token(cd, argv[2], CRYPT_ANY_TOKEN, NULL, flags);
+                                if (r >= 0) {
+                                        log_debug("Volume %s activated with LUKS token id %i.", argv[2], r);
+                                        return 0;
+                                }
+
+                                log_debug_errno(r, "Token activation unsuccessful for device %s: %m", crypt_get_device_name(cd));
+                        }
+#endif
                 }
 
                 for (tries = 0; arg_tries == 0 || tries < arg_tries; tries++) {
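Review bot: The fallback from token activation to the passphrase path is only reported via log_debug_errno, so a misconfigured or unreadable keyring token that silently turns an unattended unlock into an interactive prompt leaves no trace in a normal journal; consider logging the fallback at a visible level, e.g. `log_info_errno(r, "Token activation unsuccessful for device %s, falling back to passphrase: %m", crypt_get_device_name(cd));`, or at least documenting in the comment that failure here is expected and non-fatal. The added comment could also state the precondition the code relies on: `/* Tokens are tried only when no key file was given; any failure falls through to the passphrase loop below. */`. The early `return 0` on success leaves main before the retry loop; if anything after that loop (outside this hunk) performs post-activation work, it is skipped on the token path — worth confirming. The enclosing main() starts and ends outside the hunk.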