Blame SOURCES/0305-cryptsetup-rework-how-we-log-about-activation-failur.patch

From 966ecf0011a02c7823083a7868b8589fdf850be8 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 21 Jan 2019 20:20:35 +0100
Subject: [PATCH] cryptsetup: rework how we log about activation failures
First of all let's always log where the errors happen, and not in an
upper stackframe, in all cases. Previously we'd do this sometimes one way
and sometimes another, which resulted in sometimes duplicate logging and
sometimes none.

When we cannot activate something due to bad password the kernel gives
us EPERM. Let's uniformly return this as EAGAIN, so that the next password
is tried. (previously this was done in most cases but not in all)

When we get EPERM let's also explicitly indicate that this probably
means the password is simply wrong.
Fixes: #11498
(cherry picked from commit 6f177c7dc092eb68762b4533d41b14244adb2a73)
Related: #1776408
---
 src/cryptsetup/cryptsetup.c | 36 ++++++++++++++++++++++--------------
 1 file changed, 22 insertions(+), 14 deletions(-)
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 53fe04a73f..33c215eaa1 100644
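--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -469,10 +469,15 @@ static int attach_tcrypt(
                         log_error("Failed to activate using password file '%s'.", key_file);
                         return -EAGAIN;
                 }
-                return r;
+
+                return log_error_errno(r, "Failed to load tcrypt superblock on device %s: %m", crypt_get_device_name(cd));
         }
 
-        return crypt_activate_by_volume_key(cd, name, NULL, 0, flags);
+        r = crypt_activate_by_volume_key(cd, name, NULL, 0, flags);
+        if (r < 0)
+                return log_error_errno(r, "Failed to activate tcrypt device %s: %m", crypt_get_device_name(cd));
+
+        return 0;
 }
 
 static int attach_luks_or_plain(struct crypt_device *cd,
@@ -549,22 +554,30 @@ static int attach_luks_or_plain(struct crypt_device *cd,
 
         if (key_file) {
                 r = crypt_activate_by_keyfile_offset(cd, name, arg_key_slot, key_file, arg_keyfile_size, arg_keyfile_offset, flags);
-                if (r < 0) {
-                        log_error_errno(r, "Failed to activate with key file '%s': %m", key_file);
-                        return -EAGAIN;
+                if (r == -EPERM) {
+                        log_error_errno(r, "Failed to activate with key file '%s'. (Key data incorrect?)", key_file);
+                        return -EAGAIN; /* Log actual error, but return EAGAIN */
                 }
+                if (r < 0)
+                        return log_error_errno(r, "Failed to activate with key file '%s': %m", key_file);
         } else {
                 char **p;
 
+                r = -EINVAL;
                 STRV_FOREACH(p, passwords) {
                         if (pass_volume_key)
                                 r = crypt_activate_by_volume_key(cd, name, *p, arg_key_size, flags);
                         else
                                 r = crypt_activate_by_passphrase(cd, name, arg_key_slot, *p, strlen(*p), flags);
-
                         if (r >= 0)
                                 break;
                 }
+                if (r == -EPERM) {
+                        log_error_errno(r, "Failed to activate with specified passphrase. (Passphrase incorrect?)");
+                        return -EAGAIN; /* log actual error, but return EAGAIN */
+                }
+                if (r < 0)
+                        return log_error_errno(r, "Failed to activate with specified passphrase: %m");
         }
 
         return r;
@@ -726,16 +739,11 @@ int main(int argc, char *argv[]) {
                                                          flags);
                         if (r >= 0)
                                 break;
-                        if (r == -EAGAIN) {
-                                key_file = NULL;
-                                continue;
-                        }
-                        if (r != -EPERM) {
-                                log_error_errno(r, "Failed to activate: %m");
+                        if (r != -EAGAIN)
                                 goto finish;
-                        }
 
-                        log_warning("Invalid passphrase.");
+                        /* Passphrase not correct? Let's try again! */
+                        key_file = NULL;
                 }
 
                 if (arg_tries != 0 && tries >= arg_tries) {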
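Review bot: `attach_tcrypt` can still hand a raw `-EPERM` back to `main()`, which no longer retries on it. The new `return log_error_errno(r, "Failed to load tcrypt superblock ...")` and the new check after `crypt_activate_by_volume_key()` both pass `r` through unchanged, while the third hunk replaces the old `-EPERM` handling (the "Invalid passphrase." warning and another round) with `if (r != -EAGAIN) goto finish;`. The condition guarding the existing `return -EAGAIN;` lies above the hunk; if it covers only the key-file case, a mistyped passphrase on a tcrypt volume now ends the unlock attempt instead of prompting again, contrary to the commit message. I would map it ahead of the generic return, as `attach_luks_or_plain` does: `if (r == -EPERM) { log_error_errno(r, "Failed to activate tcrypt device. (Passphrase incorrect?)"); return -EAGAIN; }`.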