From 966ecf0011a02c7823083a7868b8589fdf850be8 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 21 Jan 2019 20:20:35 +0100
Subject: [PATCH] cryptsetup: rework how we log about activation failures
First of all let's always log where the errors happen, and not in an
upper stackframe, in all cases. Previously we'd do this sometimes one way
and sometimes another, which resulted in sometimes duplicate logging and
sometimes none.

When we cannot activate something due to bad password the kernel gives
us EPERM. Let's uniformly return this as EAGAIN, so that the next password
is tried. (previously this was done in most cases but not in all)

When we get EPERM let's also explicitly indicate that this probably
means the password is simply wrong.
Fixes: #11498
(cherry picked from commit 6f177c7dc092eb68762b4533d41b14244adb2a73)
Related: #1776408
---
src/cryptsetup/cryptsetup.c | 36 ++++++++++++++++++++++--------------
1 file changed, 22 insertions(+), 14 deletions(-)
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 53fe04a73f..33c215eaa1 100644
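--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -469,10 +469,15 @@ static int attach_tcrypt(
 log_error("Failed to activate using password file '%s'.", key_file);
 return -EAGAIN;
 }
-return r;
+
+return log_error_errno(r, "Failed to load tcrypt superblock on device %s: %m", crypt_get_device_name(cd));
 }
 
-return crypt_activate_by_volume_key(cd, name, NULL, 0, flags);
+r = crypt_activate_by_volume_key(cd, name, NULL, 0, flags);
+if (r < 0)
+return log_error_errno(r, "Failed to activate tcrypt device %s: %m", crypt_get_device_name(cd));
+
+return 0;
 }
 
 static int attach_luks_or_plain(struct crypt_device *cd,
@@ -549,22 +554,30 @@ static int attach_luks_or_plain(struct crypt_device *cd,
 
 if (key_file) {
 r = crypt_activate_by_keyfile_offset(cd, name, arg_key_slot, key_file, arg_keyfile_size, arg_keyfile_offset, flags);
-if (r < 0) {
-log_error_errno(r, "Failed to activate with key file '%s': %m", key_file);
-return -EAGAIN;
+if (r == -EPERM) {
+log_error_errno(r, "Failed to activate with key file '%s'. (Key data incorrect?)", key_file);
+return -EAGAIN; /* Log actual error, but return EAGAIN */
 }
+if (r < 0)
+return log_error_errno(r, "Failed to activate with key file '%s': %m", key_file);
 } else {
 char **p;
 
+r = -EINVAL;
 STRV_FOREACH(p, passwords) {
 if (pass_volume_key)
 r = crypt_activate_by_volume_key(cd, name, *p, arg_key_size, flags);
 else
 r = crypt_activate_by_passphrase(cd, name, arg_key_slot, *p, strlen(*p), flags);
-
 if (r >= 0)
 break;
 }
+if (r == -EPERM) {
+log_error_errno(r, "Failed to activate with specified passphrase. (Passphrase incorrect?)");
+return -EAGAIN; /* log actual error, but return EAGAIN */
+}
+if (r < 0)
+return log_error_errno(r, "Failed to activate with specified passphrase: %m");
 }
 
 return r;
@@ -726,16 +739,11 @@ int main(int argc, char *argv[]) {
 flags);
 if (r >= 0)
 break;
-if (r == -EAGAIN) {
-key_file = NULL;
-continue;
-}
-if (r != -EPERM) {
-log_error_errno(r, "Failed to activate: %m");
+if (r != -EAGAIN)
 goto finish;
-}
 
-log_warning("Invalid passphrase.");
+/* Passphrase not correct? Let's try again! */
+key_file = NULL;
 }
 
 if (arg_tries != 0 && tries >= arg_tries) {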
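Review bot: Key-file failures other than -EPERM no longer fall back to a passphrase prompt. In the key-file branch of attach_luks_or_plain() the new code maps only -EPERM to -EAGAIN and returns every other negative r as is, and the retry loop in main() (last hunk) now goes to finish for anything that is not -EAGAIN, whereas the removed lines returned -EAGAIN for any key-file error. If libcryptsetup reports a missing, short or unreadable key file with a different code (not visible in this diff), a volume whose key file sits on absent media would fail to unlock instead of asking for a passphrase; decide which codes should still retry and fold them into the first test, e.g. `if (IN_SET(r, -EPERM, -EINVAL)) {`, or state in a comment that the hard failure is intended. Separately, the two -EPERM messages pass r to log_error_errno() without `%m`, so the comment `/* Log actual error, but return EAGAIN */` overstates what reaches the log. Both functions start and end outside the hunks shown.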