add tries, and timeout

Vivian 2023-12-19 10:21:13 +01:00
parent f114554dd7
commit 302625f2fb
3 changed files with 29 additions and 13 deletions


@ -19,6 +19,7 @@
doCheck = false; doCheck = false;
buildInputs = with pkgs; [ openssl tpm2-tss ];
nativeBuildInputs = with pkgs; [ nativeBuildInputs = with pkgs; [
llvmPackages.libclang llvmPackages.libclang
llvmPackages.libcxxClang llvmPackages.libcxxClang
@ -26,7 +27,6 @@
pkg-config pkg-config
]; ];
LIBCLANG_PATH = "${pkgs.llvmPackages.libclang.lib}/lib"; LIBCLANG_PATH = "${pkgs.llvmPackages.libclang.lib}/lib";
buildInputs = with pkgs; [ openssl tpm2-tss ];
preBuild = '' preBuild = ''
export BINDGEN_EXTRA_CLANG_ARGS="$(< ${stdenv.cc}/nix-support/libc-crt1-cflags) \ export BINDGEN_EXTRA_CLANG_ARGS="$(< ${stdenv.cc}/nix-support/libc-crt1-cflags) \
@ -53,7 +53,7 @@
''; '';
}; };
devShell = pkgs.mkShell { devShells.default = pkgs.mkShell {
shellHook = "${packages.default.preBuild}"; shellHook = "${packages.default.preBuild}";
inherit (packages.default) nativeBuildInputs buildInputs LIBCLANG_PATH; inherit (packages.default) nativeBuildInputs buildInputs LIBCLANG_PATH;
}; };


@ -8,6 +8,8 @@ use std::io::{Read, Write};
use std::os::unix::net::UnixStream; use std::os::unix::net::UnixStream;
use std::path::PathBuf; use std::path::PathBuf;
use std::process::exit; use std::process::exit;
use std::thread::sleep;
use std::time::Duration;
use tpm::tpm_objects::TPM2Config; use tpm::tpm_objects::TPM2Config;
fn get_control_socket() -> Option<PathBuf> { fn get_control_socket() -> Option<PathBuf> {
@ -25,6 +27,7 @@ fn get_control_socket() -> Option<PathBuf> {
} }
#[derive(Debug, Clone, Copy)] #[derive(Debug, Clone, Copy)]
#[allow(dead_code)]
enum ControlOp { enum ControlOp {
Initialize = 0, Initialize = 0,
Unlock = 1, Unlock = 1,
@ -52,6 +55,7 @@ impl ControlResult {
match num { match num {
0 => Some(Self::Ok), 0 => Some(Self::Ok),
1 => Some(Self::Denied), 1 => Some(Self::Denied),
2 => Some(Self::Failed),
3 => Some(Self::NoDaemon), 3 => Some(Self::NoDaemon),
_ => None, _ => None,
} }
@ -122,7 +126,14 @@ struct Cli {
#[derive(Subcommand)] #[derive(Subcommand)]
enum Commands { enum Commands {
/// Unlock gnome keyring using encrypted password stored in tpm /// Unlock gnome keyring using encrypted password stored in tpm
Unlock, Unlock {
#[arg(default_value_t = 5)]
tries: usize,
// timeout in seconds
#[arg(default_value_t = 1)]
timeout: u64,
},
/// Enroll a password into the tpm to use when unlocking /// Enroll a password into the tpm to use when unlocking
Enroll, Enroll,
} }
@ -137,15 +148,21 @@ fn main() -> color_eyre::Result<()> {
.ok_or_else(|| eyre!("Token path not found"))?; .ok_or_else(|| eyre!("Token path not found"))?;
match cli.command { match cli.command {
Commands::Unlock => { Commands::Unlock { tries, timeout } => {
if token_path.exists() { if token_path.exists() {
let token = read_to_string(token_path)?; let token = read_to_string(token_path)?;
for _ in 0..tries {
let password = let password =
tpm::perform_decrypt(token.as_bytes()).map_err(|err| eyre!("{err:?}"))?; tpm::perform_decrypt(token.as_bytes()).map_err(|err| eyre!("{err:?}"))?;
let res = unlock_keyring(password.as_slice())?; let res = unlock_keyring(password.as_slice())?;
if res != ControlResult::Ok { if res == ControlResult::Ok {
break;
} else {
eprintln!("Failed to unlock keyring: {res:?}"); eprintln!("Failed to unlock keyring: {res:?}");
exit(2); }
sleep(Duration::from_secs(timeout));
} }
} else { } else {
bail!("password token file not found") bail!("password token file not found")
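Review bot: In the `Commands::Unlock { tries, timeout }` arm, exhausting `tries` without a `ControlResult::Ok` now falls out of the loop and the process exits 0, whereas the replaced `exit(2)` made the failure visible to whatever invokes the tool (and `tries = 0` never calls `unlock_keyring` yet also reports success). Track whether an attempt succeeded and `bail!` after the loop; guarding the `sleep` with `attempt < tries` also avoids idling `timeout` seconds after the final failure before that error. The loop also re-runs `tpm::perform_decrypt` and the unlock on `Denied`/`Failed`, which presumably are not transient the way `NoDaemon` is, so it is worth confirming whether only `NoDaemon` should be retried. On the `Commands` enum, the `// timeout in seconds` comment on the new `timeout` field would serve users better as a `///` doc comment (clap shows it in `--help`), and naming it as the delay between attempts rather than a timeout would match what the code does. `main` continues outside the hunk.
```rust
// … unchanged: token_path check and read_to_string …
let mut unlocked = false;
for attempt in 1..=tries {
    let password =
        tpm::perform_decrypt(token.as_bytes()).map_err(|err| eyre!("{err:?}"))?;
    let res = unlock_keyring(password.as_slice())?;
    if res == ControlResult::Ok {
        unlocked = true;
        break;
    }
    eprintln!("Failed to unlock keyring: {res:?} (attempt {attempt}/{tries})");
    if attempt < tries {
        sleep(Duration::from_secs(timeout));
    }
}
if !unlocked {
    bail!("could not unlock keyring after {tries} tries");
}
// … unchanged: else branch with bail!("password token file not found") …
```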


@ -1,6 +1,5 @@
// Copyright 2020 Patrick Uiterwijk // Adapted from https://github.com/fedora-iot/clevis-pin-tpm2/
// // by Patrick Uiterwijk under the MIT License
// Licensed under the MIT license
use std::convert::{TryFrom, TryInto}; use std::convert::{TryFrom, TryInto};