teknoraver / rpms / systemd

Forked from rpms/systemd 2 months ago
Clone

Blame SOURCES/0305-cryptsetup-rework-how-we-log-about-activation-failur.patch

b9a53a
From 966ecf0011a02c7823083a7868b8589fdf850be8 Mon Sep 17 00:00:00 2001
b9a53a
From: Lennart Poettering <lennart@poettering.net>
b9a53a
Date: Mon, 21 Jan 2019 20:20:35 +0100
b9a53a
Subject: [PATCH] cryptsetup: rework how we log about activation failures
b9a53a
b9a53a
First of all let's always log where the errors happen, and not in an
b9a53a
upper stackframe, in all cases. Previously we'd do this somethis one way
b9a53a
and sometimes another, which resulted in sometimes duplicate logging and
b9a53a
sometimes none.
b9a53a
b9a53a
When we cannot activate something due to bad password the kernel gives
b9a53a
us EPERM. Let's uniformly return this EAGAIN, so tha the next password
b9a53a
is tried. (previously this was done in most cases but not in all)
b9a53a
b9a53a
When we get EPERM let's also explicitly indicate that this probably
b9a53a
means the password is simply wrong.
b9a53a
b9a53a
Fixes: #11498
b9a53a
(cherry picked from commit 6f177c7dc092eb68762b4533d41b14244adb2a73)
b9a53a
b9a53a
Related: #1776408
b9a53a
---
b9a53a
 src/cryptsetup/cryptsetup.c | 36 ++++++++++++++++++++++--------------
b9a53a
 1 file changed, 22 insertions(+), 14 deletions(-)
b9a53a
b9a53a
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
b9a53a
index 53fe04a73f..33c215eaa1 100644
b9a53a
--- a/src/cryptsetup/cryptsetup.c
b9a53a
+++ b/src/cryptsetup/cryptsetup.c
b9a53a
@@ -469,10 +469,15 @@ static int attach_tcrypt(
b9a53a
                         log_error("Failed to activate using password file '%s'.", key_file);
b9a53a
                         return -EAGAIN;
b9a53a
                 }
b9a53a
-                return r;
b9a53a
+
b9a53a
+                return log_error_errno(r, "Failed to load tcrypt superblock on device %s: %m", crypt_get_device_name(cd));
b9a53a
         }
b9a53a
 
b9a53a
-        return crypt_activate_by_volume_key(cd, name, NULL, 0, flags);
b9a53a
+        r = crypt_activate_by_volume_key(cd, name, NULL, 0, flags);
b9a53a
+        if (r < 0)
b9a53a
+                return log_error_errno(r, "Failed to activate tcrypt device %s: %m", crypt_get_device_name(cd));
b9a53a
+
b9a53a
+        return 0;
b9a53a
 }
b9a53a
 
b9a53a
 static int attach_luks_or_plain(struct crypt_device *cd,
b9a53a
@@ -549,22 +554,30 @@ static int attach_luks_or_plain(struct crypt_device *cd,
b9a53a
 
b9a53a
         if (key_file) {
b9a53a
                 r = crypt_activate_by_keyfile_offset(cd, name, arg_key_slot, key_file, arg_keyfile_size, arg_keyfile_offset, flags);
b9a53a
-                if (r < 0) {
b9a53a
-                        log_error_errno(r, "Failed to activate with key file '%s': %m", key_file);
b9a53a
-                        return -EAGAIN;
b9a53a
+                if (r == -EPERM) {
b9a53a
+                        log_error_errno(r, "Failed to activate with key file '%s'. (Key data incorrect?)", key_file);
b9a53a
+                        return -EAGAIN; /* Log actual error, but return EAGAIN */
b9a53a
                 }
b9a53a
+                if (r < 0)
b9a53a
+                        return log_error_errno(r, "Failed to activate with key file '%s': %m", key_file);
b9a53a
         } else {
b9a53a
                 char **p;
b9a53a
 
b9a53a
+                r = -EINVAL;
b9a53a
                 STRV_FOREACH(p, passwords) {
b9a53a
                         if (pass_volume_key)
b9a53a
                                 r = crypt_activate_by_volume_key(cd, name, *p, arg_key_size, flags);
b9a53a
                         else
b9a53a
                                 r = crypt_activate_by_passphrase(cd, name, arg_key_slot, *p, strlen(*p), flags);
b9a53a
-
b9a53a
                         if (r >= 0)
b9a53a
                                 break;
b9a53a
                 }
b9a53a
+                if (r == -EPERM) {
b9a53a
+                        log_error_errno(r, "Failed to activate with specified passphrase. (Passphrase incorrect?)");
b9a53a
+                        return -EAGAIN; /* log actual error, but return EAGAIN */
b9a53a
+                }
b9a53a
+                if (r < 0)
b9a53a
+                        return log_error_errno(r, "Failed to activate with specified passphrase: %m");
b9a53a
         }
b9a53a
 
b9a53a
         return r;
b9a53a
@@ -726,16 +739,11 @@ int main(int argc, char *argv[]) {
b9a53a
                                                          flags);
b9a53a
                         if (r >= 0)
b9a53a
                                 break;
b9a53a
-                        if (r == -EAGAIN) {
b9a53a
-                                key_file = NULL;
b9a53a
-                                continue;
b9a53a
-                        }
b9a53a
-                        if (r != -EPERM) {
b9a53a
-                                log_error_errno(r, "Failed to activate: %m");
b9a53a
+                        if (r != -EAGAIN)
b9a53a
                                 goto finish;
b9a53a
-                        }
b9a53a
 
b9a53a
-                        log_warning("Invalid passphrase.");
b9a53a
+                        /* Passphrase not correct? Let's try again! */
b9a53a
+                        key_file = NULL;
b9a53a
                 }
b9a53a
 
b9a53a
                 if (arg_tries != 0 && tries >= arg_tries) {