actions/recovery: ensure recovery passphrase is really custom_passphrase

If the login protector was just created by the same 'fscrypt encrypt' command, then policy.Context.Config.Source will be pam_passphrase. This needs to be overridden to custom_passphrase when creating the protector for the recovery passphrase. This fixes the following error: fscrypt encrypt: login protectors do not need a name Resolves #187 Update #186
google · Jan 28, 2020 · d5b8bdc · d5b8bdc
1 parent 45c27d5
commit d5b8bdc
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/actions/recovery.go b/actions/recovery.go
@@ -26,8 +26,19 @@ import (
 	"github.com/pkg/errors"
 
 	"github.com/google/fscrypt/crypto"
+	"github.com/google/fscrypt/metadata"
 )
 
+// modifiedContextWithSource returns a copy of ctx with the protector source
+// replaced by source.
+func modifiedContextWithSource(ctx *Context, source metadata.SourceType) *Context {
+	modifiedConfig := *ctx.Config
+	modifiedConfig.Source = source
+	modifiedCtx := *ctx
+	modifiedCtx.Config = &modifiedConfig
+	return &modifiedCtx
+}
+
 // AddRecoveryPassphrase randomly generates a recovery passphrase and adds it as
 // a custom_passphrase protector for the given Policy.
 func AddRecoveryPassphrase(policy *Policy, dirname string) (*crypto.Key, *Protector, error) {
@@ -49,14 +60,15 @@ func AddRecoveryPassphrase(policy *Policy, dirname string) (*crypto.Key, *Protec
 		return passphrase.Clone()
 	}
 	var recoveryProtector *Protector
+	customCtx := modifiedContextWithSource(policy.Context, metadata.SourceType_custom_passphrase)
 	seq := 1
 	for {
 		// Automatically generate a name for the recovery protector.
 		name := "Recovery passphrase for " + dirname
 		if seq != 1 {
 			name += " (" + strconv.Itoa(seq) + ")"
 		}
-		recoveryProtector, err = CreateProtector(policy.Context, name, getPassphraseFn)
+		recoveryProtector, err = CreateProtector(customCtx, name, getPassphraseFn)
 		if err == nil {
 			break
 		}