| author | Eric Biggers <ebiggers@google.com> | 2020-01-27 19:24:30 -0800 |
|---|---|---|
| committer | Eric Biggers <ebiggers@google.com> | 2020-01-27 19:24:30 -0800 |
| commit | d5b8bdcfba528c0c0e9f8052a705e454b26cb28f (patch) | |
| tree | 01e13351a05cb91154a52da3799be11821d61b9d /actions | |
| parent | 45c27d59ee40f3945837ea827f29f6896414157f (diff) | |
actions/recovery: ensure recovery passphrase is really custom_passphrase
If the login protector was just created by the same 'fscrypt encrypt'
command, then policy.Context.Config.Source will be pam_passphrase. This
needs to be overridden to custom_passphrase when creating the protector
for the recovery passphrase.
This fixes the following error:
fscrypt encrypt: login protectors do not need a name
Resolves https://github.com/google/fscrypt/issues/187
Update https://github.com/google/fscrypt/issues/186
Diffstat (limited to 'actions')
| -rw-r--r-- | actions/recovery.go | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/actions/recovery.go b/actions/recovery.go
index b086705..32d0030 100644
--- a/actions/recovery.go
+++ b/actions/recovery.go
@@ -26,8 +26,19 @@ import (
 "github.com/pkg/errors"
 
 "github.com/google/fscrypt/crypto"
+ "github.com/google/fscrypt/metadata"
 )
 
+// modifiedContextWithSource returns a copy of ctx with the protector source
+// replaced by source.
+func modifiedContextWithSource(ctx *Context, source metadata.SourceType) *Context {
+ modifiedConfig := *ctx.Config
+ modifiedConfig.Source = source
+ modifiedCtx := *ctx
+ modifiedCtx.Config = &modifiedConfig
+ return &modifiedCtx
+}
+
 // AddRecoveryPassphrase randomly generates a recovery passphrase and adds it as
 // a custom_passphrase protector for the given Policy.
 func AddRecoveryPassphrase(policy *Policy, dirname string) (*crypto.Key, *Protector, error) {
@@ -49,6 +60,7 @@ func AddRecoveryPassphrase(policy *Policy, dirname string) (*crypto.Key, *Protec
 return passphrase.Clone()
 }
 var recoveryProtector *Protector
+ customCtx := modifiedContextWithSource(policy.Context, metadata.SourceType_custom_passphrase)
 seq := 1
 for {
 // Automatically generate a name for the recovery protector.
@@ -56,7 +68,7 @@ func AddRecoveryPassphrase(policy *Policy, dirname string) (*crypto.Key, *Protec
 if seq != 1 {
 name += " (" + strconv.Itoa(seq) + ")"
 }
- recoveryProtector, err = CreateProtector(policy.Context, name, getPassphraseFn)
+ recoveryProtector, err = CreateProtector(customCtx, name, getPassphraseFn)
 if err == nil {
 break
 } |
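Review bot: modifiedContextWithSource dereferences `ctx` and `ctx.Config` without a nil check, so a Policy whose Context or Config is unset would panic at `modifiedConfig := *ctx.Config` instead of returning an error; whether every caller guarantees both is not visible in this hunk. The copy is also shallow: any pointer fields inside Context and Config stay shared with the original, which is safe only while Source is the sole field being changed, and the doc comment should say so, e.g. `// The copy is shallow; ctx itself is not modified.` If metadata.Config is a generated protobuf message, as the enum name `SourceType_custom_passphrase` suggests, `proto.Clone` is the supported way to copy it rather than a struct assignment.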
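Review bot: The reason `customCtx` exists is recorded only in the commit message, so the line invites a later cleanup back to `policy.Context`, which would reintroduce the failure for a freshly created login protector. A comment above the assignment would keep the invariant visible, e.g. `// policy.Context may carry Source pam_passphrase; the recovery protector must always be custom_passphrase.` The diffstat shown lists only recovery.go, so a regression test that calls AddRecoveryPassphrase with a pam_passphrase context and checks the source of the resulting protector would pin the fix. AddRecoveryPassphrase starts and ends outside this hunk.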