systemd/SOURCES/0206-cryptsetup-Add-LUKS2-t...

From 7a597a091de83a861d81166b0e863bf2977c829c Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Mon, 27 May 2019 09:44:14 +0200
Subject: [PATCH] cryptsetup: Add LUKS2 token support.

LUKS2 supports so-called tokens. The libcryptsetup internally
support keyring token (it tries to open device using specified
keyring entry).
Only if all token fails (or are not available), it uses a passphrase.

This patch aligns the functionality with the cryptsetup utility
(cryptsetup luksOpen tries tokens first) but does not replace
the systemd native ask-password function (can be used the same in
combination with this patch).

(cherry picked from commit 894bb3ca4c730cc9e9d46ef5004ba4ca5e201d8d)

Resolves: #1719153
---
 src/cryptsetup/cryptsetup.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index a0bd80ea65..4e1b3eff19 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -682,6 +682,18 @@ int main(int argc, char *argv[]) {
                                 if (r < 0)
                                         return log_error_errno(r, "Failed to set LUKS data device %s: %m", argv[3]);
                         }
+#ifdef CRYPT_ANY_TOKEN
+                        /* Tokens are available in LUKS2 only, but it is ok to call (and fail) with LUKS1. */
+                        if (!key_file) {
+                                r = crypt_activate_by_token(cd, argv[2], CRYPT_ANY_TOKEN, NULL, flags);
+                                if (r >= 0) {
+                                        log_debug("Volume %s activated with LUKS token id %i.", argv[2], r);
+                                        return 0;
+                                }
+
+                                log_debug_errno(r, "Token activation unsuccessful for device %s: %m", crypt_get_device_name(cd));
+                        }
+#endif
                 }
 
                 for (tries = 0; arg_tries == 0 || tries < arg_tries; tries++) {
import systemd-239-81.el8 8 months ago			`From 7a597a091de83a861d81166b0e863bf2977c829c Mon Sep 17 00:00:00 2001`
			`From: Milan Broz <gmazyland@gmail.com>`
			`Date: Mon, 27 May 2019 09:44:14 +0200`
			`Subject: [PATCH] cryptsetup: Add LUKS2 token support.`

			`LUKS2 supports so-called tokens. The libcryptsetup internally`
			`support keyring token (it tries to open device using specified`
			`keyring entry).`
			`Only if all token fails (or are not available), it uses a passphrase.`

			`This patch aligns the functionality with the cryptsetup utility`
			`(cryptsetup luksOpen tries tokens first) but does not replace`
			`the systemd native ask-password function (can be used the same in`
			`combination with this patch).`

			`(cherry picked from commit 894bb3ca4c730cc9e9d46ef5004ba4ca5e201d8d)`

			`Resolves: #1719153`
			`---`
			`src/cryptsetup/cryptsetup.c \| 12 ++++++++++++`
			`1 file changed, 12 insertions(+)`

			`diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c`
			`index a0bd80ea65..4e1b3eff19 100644`
			`--- a/src/cryptsetup/cryptsetup.c`
			`+++ b/src/cryptsetup/cryptsetup.c`
			`@@ -682,6 +682,18 @@ int main(int argc, char *argv[]) {`
			`if (r < 0)`
			`return log_error_errno(r, "Failed to set LUKS data device %s: %m", argv[3]);`
			`}`
			`+#ifdef CRYPT_ANY_TOKEN`
			`+ /* Tokens are available in LUKS2 only, but it is ok to call (and fail) with LUKS1. */`
			`+ if (!key_file) {`
			`+ r = crypt_activate_by_token(cd, argv[2], CRYPT_ANY_TOKEN, NULL, flags);`
			`+ if (r >= 0) {`
			`+ log_debug("Volume %s activated with LUKS token id %i.", argv[2], r);`
			`+ return 0;`
			`+ }`
			`+`
			`+ log_debug_errno(r, "Token activation unsuccessful for device %s: %m", crypt_get_device_name(cd));`
			`+ }`
			`+#endif`
			`}`

			`for (tries = 0; arg_tries == 0 \|\| tries < arg_tries; tries++) {`