Commit 787066c2 authored by Milan Broz's avatar Milan Broz

Report error if no LUKS keyslots are available.

Also fix LUKS1 keyslot function to proper return -ENOENT errno in this case.

This change means, that user can distinguish between bad passphrase and
no keyslot available. (But this information was avalilable with luksDump
even before the change.)
parent 71ab6cb8
......@@ -1024,7 +1024,7 @@ int LUKS_open_key_with_hdr(int keyIndex,
struct volume_key **vk,
struct crypt_device *ctx)
{
unsigned int i;
unsigned int i, tried = 0;
int r;
*vk = crypt_alloc_volume_key(hdr->keyBytes, NULL);
......@@ -1034,7 +1034,7 @@ int LUKS_open_key_with_hdr(int keyIndex,
return (r < 0) ? r : keyIndex;
}
for(i = 0; i < LUKS_NUMKEYS; i++) {
for (i = 0; i < LUKS_NUMKEYS; i++) {
r = LUKS_open_key(i, password, passwordLen, hdr, *vk, ctx);
if(r == 0)
return i;
......@@ -1043,9 +1043,11 @@ int LUKS_open_key_with_hdr(int keyIndex,
former meaning password wrong, latter key slot inactive */
if ((r != -EPERM) && (r != -ENOENT))
return r;
if (r == -EPERM)
tried++;
}
/* Warning, early returns above */
return -EPERM;
return tried ? -EPERM : -ENOENT;
}
int LUKS_del_key(unsigned int keyIndex,
......
......@@ -283,6 +283,8 @@ void tools_passphrase_msg(int r)
{
if (r == -EPERM)
log_err(_("No key available with this passphrase."));
else if (r == -ENOENT)
log_err(_("No usable keyslot is available."));
}
int tools_read_mk(const char *file, char **key, int keysize)
......
......@@ -200,9 +200,9 @@ echo $PWD0 | $CRYPTSETUP luksRemoveKey $IMG || fail
echo $PWD2 | $CRYPTSETUP luksRemoveKey $IMG || fail
# check if keys were deleted
echo $PWD0 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
[ $? -ne 2 ] && fail "luksOpen should return EPERM exit code"
[ $? -ne 1 ] && fail "luksOpen should return ENOENT exit code"
echo $PWD2 | $CRYPTSETUP luksOpen $IMG --test-passphrase 2>/dev/null && fail
[ $? -ne 2 ] && fail "luksOpen should return EPERM exit code"
[ $? -ne 1 ] && fail "luksOpen should return ENOENT exit code"
echo "[6] kill slot"
# format new luks device with active keys PWD1, PWD2
echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks1 $IMG $FAST_PBKDF_OPT || fail
......@@ -652,7 +652,7 @@ prepare "[27] luksOpen with specified key slot number" wipe
# first, let's try passphrase option
echo $PWD3 | $CRYPTSETUP luksFormat --type luks1 $FAST_PBKDF_OPT -S 5 $LOOPDEV || fail
check $LUKS_HEADER $KEY_SLOT5 $KEY_MATERIAL5
echo $PWD3 | $CRYPTSETUP luksOpen -S 4 $LOOPDEV $DEV_NAME && fail
echo $PWD3 | $CRYPTSETUP luksOpen -S 4 $LOOPDEV $DEV_NAME 2>/dev/null && fail
[ -b /dev/mapper/$DEV_NAME ] && fail
echo $PWD3 | $CRYPTSETUP luksOpen -S 5 $LOOPDEV $DEV_NAME || fail
check_exists
......@@ -848,7 +848,7 @@ eval spawn $CRYPTSETUP luksOpen -v $LOOPDEV -T 1 --test-passphrase
expect timeout abort "Enter passphrase for $LOOPDEV:"
sleep 0.1
send "$PWD0\n"
expect timeout abort "No key available with this passphrase."
expect timeout abort "No usable keyslot is available."
expect timeout abort eof
exit
EOF
......
......@@ -609,7 +609,7 @@ $CRYPTSETUP -q luksClose $DEV_NAME || fail
prepare "[27] luksOpen with specified key slot number" wipe
# first, let's try passphrase option
echo $PWD3 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT -S 5 --type luks2 $LOOPDEV || fail
echo $PWD3 | $CRYPTSETUP luksOpen -S 4 $LOOPDEV $DEV_NAME && fail
echo $PWD3 | $CRYPTSETUP luksOpen -S 4 $LOOPDEV $DEV_NAME 2>/dev/null && fail
[ -b /dev/mapper/$DEV_NAME ] && fail
echo $PWD3 | $CRYPTSETUP luksOpen -S 5 $LOOPDEV $DEV_NAME || fail
check_exists
......@@ -634,16 +634,16 @@ $CRYPTSETUP luksOpen -S 5 -d $KEY1 $LOOPDEV $DEV_NAME 2>/dev/null && fail
prepare "" new
echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME && fail
echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
[ -b /dev/mapper/$DEV_NAME ] && fail
echo $PWD1 | $CRYPTSETUP open $HEADER_KEYU $DEV_NAME && fail
echo $PWD1 | $CRYPTSETUP open $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
[ -b /dev/mapper/$DEV_NAME ] && fail
echo $PWD0 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
$CRYPTSETUP luksKillSlot -q $HEADER_KEYU 0
$CRYPTSETUP luksDump $HEADER_KEYU | grep -q "0: luks2" && fail
echo $PWD1 | $CRYPTSETUP open -S1 --test-passphrase $HEADER_KEYU || fail
echo $PWD1 | $CRYPTSETUP open --test-passphrase $HEADER_KEYU || fail
echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME && fail
echo $PWD1 | $CRYPTSETUP open -S1 $HEADER_KEYU $DEV_NAME 2>/dev/null && fail
prepare "[28] Detached LUKS header" wipe
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG || fail
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment