Allow removal of last slot in luksRemoveKey and luksKillSlot.

git-svn-id: https://cryptsetup.googlecode.com/svn/trunk@65 36d66b0a-2a48-0410-832c-cd162a569da5

diff --git a/ChangeLog b/ChangeLog
index 8395021..dbaf79f 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+2009-07-16  Milan Broz  <mbroz@redhat.com>
+       * Allow removal of last slot in luksRemoveKey and luksKillSlot.
+
 2009-07-11  Milan Broz  <mbroz@redhat.com>
 
        * Add --disable-selinux option and fix static build if selinux is required.

diff --git a/lib/setup.c b/lib/setup.c
index 7dc9607..efda6ef 100644 (file)
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -673,7 +673,7 @@ static int luks_remove_helper(int arg, struct setup_backend *backend, struct cry
        const char *device = options->device;
        int keyIndex;
        int openedIndex;
-       int r;
+       int r, last_slot;
 
        if (!LUKS_device_ready(options->device, O_RDWR))
            return -ENOTBLK;
@@ -694,11 +694,10 @@ static int luks_remove_helper(int arg, struct setup_backend *backend, struct cry
            keyIndex = options->key_slot;
        }
 
-       if(LUKS_is_last_keyslot(options->device, keyIndex) && 
-          !(options->icb->yesDialog(_("This is the last keyslot. Device will become unusable after purging this key.")))) {
-               r = -EINVAL;
-               goto out;
-       } 
+       last_slot = LUKS_is_last_keyslot(options->device, keyIndex);
+       if(last_slot && !(options->icb->yesDialog(_("This is the last keyslot. Device will become unusable after purging this key.")))) {
+               r = -EINVAL; goto out;
+       }
 
        if(options->flags & CRYPT_FLAG_VERIFY_ON_DELKEY) {
                options->flags &= ~CRYPT_FLAG_VERIFY_ON_DELKEY;
@@ -712,7 +711,9 @@ static int luks_remove_helper(int arg, struct setup_backend *backend, struct cry
                         options->icb->log(CRYPT_LOG_ERROR,"Failed to access device.\n");
                         r = -EIO; goto out;
                 }
-                hdr.keyblock[keyIndex].active = LUKS_KEY_DISABLED;
+
+               if(!last_slot)
+                       hdr.keyblock[keyIndex].active = LUKS_KEY_DISABLED;
 
                openedIndex = LUKS_open_any_key_with_hdr(device, password, passwordLen, &hdr, &mk, backend);
                 /* Clean up */

diff --git a/luks/Makefile.am b/luks/Makefile.am
index 47d63ed..c914769 100644 (file)
--- a/luks/Makefile.am
+++ b/luks/Makefile.am
@@ -157,7 +157,16 @@ test:
        @../src/cryptsetup -v remove dummy
        @echo "success"
 
-# Format test for ESSIV, and some other parameters. 
+# Delete last slot
+       @echo Case: delete last key
+       @cp $(IMG) $(ORIG_IMG)
+       @echo "key0" | ../src/cryptsetup -v luksFormat $(LOOPDEV)
+       echo "key0" | ../src/cryptsetup -v luksKillSlot $(LOOPDEV) 0
+       @sync
+       echo "key0" | ../src/cryptsetup -v luksOpen $(LOOPDEV) dummy 2>/dev/null || true
+       @echo "success"
+
+# Format test for ESSIV, and some other parameters.
        @echo Case: parameter variation test
        @dd if=/dev/zero of=$(IMG) count=20000
        @cp $(IMG) $(ORIG_IMG)

diff --git a/man/cryptsetup.8 b/man/cryptsetup.8
index 9173e83..c5c63d5 100644 (file)
--- a/man/cryptsetup.8
+++ b/man/cryptsetup.8
@@ -124,7 +124,7 @@ set up a read-only mapping.
 The number of milliseconds to spend with PBKDF2 password processing. This option is only relevant to the LUKS operations as \fIluksFormat\fR or \fIluksAddKey\fR.
 .TP
 .B "\-\-batch-mode, \-q"
-Do not ask for confirmation. This option is only relevant for \fIluksFormat\fR.
+Do not ask for confirmation. Use with care! This option is only relevant for \fIluksFormat\fR,\fIluksAddKey\fR,\fIluksRemoveKey\fR or \fIluksKillSlot\fR.
 .TP
 .B "\-\-timeout, \-t"
 The number of seconds to wait before timeout. This option is relevant every time a password is asked, like \fIcreate\fR, \fIluksOpen\fR, \fIluksFormat\fR or \fIluksAddKey\fR. It has no effect if used in conjunction with \-\-key-file.