teknoraver / rpms / systemd

Forked from rpms/systemd 2 months ago
Clone

Blame SOURCES/0305-cryptsetup-rework-how-we-log-about-activation-failur.patch

c2dfb7
From 966ecf0011a02c7823083a7868b8589fdf850be8 Mon Sep 17 00:00:00 2001
c2dfb7
From: Lennart Poettering <lennart@poettering.net>
c2dfb7
Date: Mon, 21 Jan 2019 20:20:35 +0100
c2dfb7
Subject: [PATCH] cryptsetup: rework how we log about activation failures
c2dfb7
c2dfb7
First of all let's always log where the errors happen, and not in an
c2dfb7
upper stackframe, in all cases. Previously we'd do this somethis one way
c2dfb7
and sometimes another, which resulted in sometimes duplicate logging and
c2dfb7
sometimes none.
c2dfb7
c2dfb7
When we cannot activate something due to bad password the kernel gives
c2dfb7
us EPERM. Let's uniformly return this EAGAIN, so tha the next password
c2dfb7
is tried. (previously this was done in most cases but not in all)
c2dfb7
c2dfb7
When we get EPERM let's also explicitly indicate that this probably
c2dfb7
means the password is simply wrong.
c2dfb7
c2dfb7
Fixes: #11498
c2dfb7
(cherry picked from commit 6f177c7dc092eb68762b4533d41b14244adb2a73)
c2dfb7
c2dfb7
Related: #1776408
c2dfb7
---
c2dfb7
 src/cryptsetup/cryptsetup.c | 36 ++++++++++++++++++++++--------------
c2dfb7
 1 file changed, 22 insertions(+), 14 deletions(-)
c2dfb7
c2dfb7
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
c2dfb7
index 53fe04a73f..33c215eaa1 100644
c2dfb7
--- a/src/cryptsetup/cryptsetup.c
c2dfb7
+++ b/src/cryptsetup/cryptsetup.c
c2dfb7
@@ -469,10 +469,15 @@ static int attach_tcrypt(
c2dfb7
                         log_error("Failed to activate using password file '%s'.", key_file);
c2dfb7
                         return -EAGAIN;
c2dfb7
                 }
c2dfb7
-                return r;
c2dfb7
+
c2dfb7
+                return log_error_errno(r, "Failed to load tcrypt superblock on device %s: %m", crypt_get_device_name(cd));
c2dfb7
         }
c2dfb7
 
c2dfb7
-        return crypt_activate_by_volume_key(cd, name, NULL, 0, flags);
c2dfb7
+        r = crypt_activate_by_volume_key(cd, name, NULL, 0, flags);
c2dfb7
+        if (r < 0)
c2dfb7
+                return log_error_errno(r, "Failed to activate tcrypt device %s: %m", crypt_get_device_name(cd));
c2dfb7
+
c2dfb7
+        return 0;
c2dfb7
 }
c2dfb7
 
c2dfb7
 static int attach_luks_or_plain(struct crypt_device *cd,
c2dfb7
@@ -549,22 +554,30 @@ static int attach_luks_or_plain(struct crypt_device *cd,
c2dfb7
 
c2dfb7
         if (key_file) {
c2dfb7
                 r = crypt_activate_by_keyfile_offset(cd, name, arg_key_slot, key_file, arg_keyfile_size, arg_keyfile_offset, flags);
c2dfb7
-                if (r < 0) {
c2dfb7
-                        log_error_errno(r, "Failed to activate with key file '%s': %m", key_file);
c2dfb7
-                        return -EAGAIN;
c2dfb7
+                if (r == -EPERM) {
c2dfb7
+                        log_error_errno(r, "Failed to activate with key file '%s'. (Key data incorrect?)", key_file);
c2dfb7
+                        return -EAGAIN; /* Log actual error, but return EAGAIN */
c2dfb7
                 }
c2dfb7
+                if (r < 0)
c2dfb7
+                        return log_error_errno(r, "Failed to activate with key file '%s': %m", key_file);
c2dfb7
         } else {
c2dfb7
                 char **p;
c2dfb7
 
c2dfb7
+                r = -EINVAL;
c2dfb7
                 STRV_FOREACH(p, passwords) {
c2dfb7
                         if (pass_volume_key)
c2dfb7
                                 r = crypt_activate_by_volume_key(cd, name, *p, arg_key_size, flags);
c2dfb7
                         else
c2dfb7
                                 r = crypt_activate_by_passphrase(cd, name, arg_key_slot, *p, strlen(*p), flags);
c2dfb7
-
c2dfb7
                         if (r >= 0)
c2dfb7
                                 break;
c2dfb7
                 }
c2dfb7
+                if (r == -EPERM) {
c2dfb7
+                        log_error_errno(r, "Failed to activate with specified passphrase. (Passphrase incorrect?)");
c2dfb7
+                        return -EAGAIN; /* log actual error, but return EAGAIN */
c2dfb7
+                }
c2dfb7
+                if (r < 0)
c2dfb7
+                        return log_error_errno(r, "Failed to activate with specified passphrase: %m");
c2dfb7
         }
c2dfb7
 
c2dfb7
         return r;
c2dfb7
@@ -726,16 +739,11 @@ int main(int argc, char *argv[]) {
c2dfb7
                                                          flags);
c2dfb7
                         if (r >= 0)
c2dfb7
                                 break;
c2dfb7
-                        if (r == -EAGAIN) {
c2dfb7
-                                key_file = NULL;
c2dfb7
-                                continue;
c2dfb7
-                        }
c2dfb7
-                        if (r != -EPERM) {
c2dfb7
-                                log_error_errno(r, "Failed to activate: %m");
c2dfb7
+                        if (r != -EAGAIN)
c2dfb7
                                 goto finish;
c2dfb7
-                        }
c2dfb7
 
c2dfb7
-                        log_warning("Invalid passphrase.");
c2dfb7
+                        /* Passphrase not correct? Let's try again! */
c2dfb7
+                        key_file = NULL;
c2dfb7
                 }
c2dfb7
 
c2dfb7
                 if (arg_tries != 0 && tries >= arg_tries) {