From 877afd22819c0f3afbe34976842393904ef9adb5 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina
Date: Fri, 21 May 2021 15:39:54 +0200
Subject: [PATCH] Replace original token activation retcode -EAGAIN with -ENOANO.

crypt_activate_by_token (and _pin variant) now returns -ENOANO instead -EAGAIN in case token handler identifies specific token requires PIN to sucessfully complete token based activation. -EAGAIN is now used for special case when additional system resources are missing (HW token, other device, system daemon, etc).
---
 lib/libcryptsetup.h | 38 ++++++++++++++++++++++++++++++++------
 src/cryptsetup.c | 2 +-
 2 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/lib/libcryptsetup.h b/lib/libcryptsetup.h
index 7ece9599..b7d02920 100644
--- a/lib/libcryptsetup.h
+++ b/lib/libcryptsetup.h
@@ -2156,6 +2156,15 @@ int crypt_token_is_assigned(struct crypt_device *cd,
 * @param buffer returned allocated buffer with password
 * @param buffer_len length of the buffer
 * @param usrptr user data in @link crypt_activate_by_token @endlink
+ *
+ * @return 0 on success (token passed LUKS2 keyslot passphrase in buffer) or
+ * negative errno otherwise.
+ *
+ * @note Negative ENOANO errno means that token is PIN protected and caller should
+ * use @link crypt_activate_by_token_pin @endlink with PIN provided.
+ *
+ * @note Negative EAGAIN errno means token handler requires additional hardware
+ * not present in the system.
 */
 typedef int (*crypt_token_open_func) (
 struct crypt_device *cd,
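Review bot: The new EAGAIN note in this hunk documents only "additional hardware not present in the system", while the commit message defines -EAGAIN more broadly as missing system resources (hardware token, other device, system daemon). A token handler author reading the header will not learn that an unavailable daemon is also an -EAGAIN case, so the note should carry the wider definition, e.g. ` * @note Negative EAGAIN errno means token handler requires additional system resources` / ` *       (hardware token, other device or system daemon) not currently available.`. The identical wording is added in the hunks for crypt_token_open_pin_func, crypt_activate_by_token and crypt_activate_by_token_pin and should be aligned there in the same way. It may also be worth one sentence noting that ENOANO is a Linux-specific errno value, since out-of-tree token handlers are expected to return it from this public interface.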
@@ -2177,6 +2186,15 @@ typedef int (*crypt_token_open_func) (
 * @param buffer returned allocated buffer with password
 * @param buffer_len length of the buffer
 * @param usrptr user data in @link crypt_activate_by_token @endlink
+ *
+ * @return 0 on success (token passed LUKS2 keyslot passphrase in buffer) or
+ * negative errno otherwise.
+ *
+ * @note Negative ENOANO errno means that token is PIN protected and PIN was
+ * missing or wrong.
+ *
+ * @note Negative EAGAIN errno means token handler requires additional hardware
+ * not present in the system.
 */
 typedef int (*crypt_token_open_pin_func) (
 struct crypt_device *cd,
@@ -2293,10 +2311,13 @@ void crypt_token_external_disable(void);
 * passphrase did not unlock any keyslot associated with the token.
 *
 * @note ENOENT errno means no token (or subsequently assigned keyslot) was
- * eligible to unlock device.
+ * eligible to unlock device.
 *
- * @note EAGAIN errno means that token is PIN protected and you should call
+ * @note ENOANO errno means that token is PIN protected and you should call
 * @link crypt_activate_by_token_pin @endlink with PIN
+ *
+ * @note Negative EAGAIN errno means token handler requires additional hardware
+ * not present in the system.
 */
 int crypt_activate_by_token(struct crypt_device *cd,
 const char *name,
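Review bot: The crypt_activate_by_token comment block now mixes two conventions in one list: the ENOENT and ENOANO notes say `@note ENOANO errno means ...` while the newly added line says `@note Negative EAGAIN errno means ...`, even though every one of them describes the same negative-errno return. Use one form throughout; since the callback typedef hunks above consistently write "Negative X errno", the least surprising change here is ` * @note Negative ENOANO errno means that token is PIN protected and you should call` alongside the new EAGAIN line, or else drop "Negative" from the new line to match its neighbours. The same mixed wording appears in the crypt_activate_by_token_pin hunk below and should be made consistent there as well.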
@@ -2318,12 +2339,17 @@ int crypt_activate_by_token(struct crypt_device *cd,
 *
 * @return unlocked key slot number or negative errno otherwise.
 *
- * @note EPERM errno means pin did not match or token provided passphrase
- * successfully, but passphrase did not unlock any keyslot associated
- * with the token.
+ * @note EPERM errno means token provided passphrase successfully, but
+ * passphrase did not unlock any keyslot associated with the token.
 *
 * @note ENOENT errno means no token (or subsequently assigned keyslot) was
- * eligible to unlock device.
+ * eligible to unlock device.
+ *
+ * @note ENOANO errno means that token is PIN protected and was either missing
+ * (NULL) or wrong.
+ *
+ * @note Negative EAGAIN errno means token handler requires additional hardware
+ * not present in the system.
 */
 int crypt_activate_by_token_pin(struct crypt_device *cd,
 const char *name,
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 55aa8196..a8b72c37 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -1538,7 +1538,7 @@ static int action_open_luks(void)
 tools_keyslot_msg(r, UNLOCKED);
 /* Token requires PIN, but ask only there will be no password query later */
- if (ARG_SET(OPT_TOKEN_ONLY_ID) && r == -EAGAIN) {
+ if (ARG_SET(OPT_TOKEN_ONLY_ID) && r == -ENOANO) {
 r = tools_get_key(_("Enter token PIN:"), &password, &passwordLen, 0, 0, NULL, ARG_UINT32(OPT_TIMEOUT_ID), _verify_passphrase(0), 0, cd);
 if (r < 0)
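Review bot: The new ENOANO note for crypt_activate_by_token_pin has an ambiguous subject: "token is PIN protected and was either missing (NULL) or wrong" reads as if the token were missing, when the `pin` argument is meant; suggest ` * @note ENOANO errno means that token is PIN protected and the PIN was either` / ` *       missing (NULL) or wrong.`. Because a NULL PIN and a wrong PIN now return the same -ENOANO, a caller that re-prompts in a loop on -ENOANO cannot distinguish the two, and hardware tokens commonly lock after a small number of wrong PINs, so the note should tell callers to bound their retries. The removed EPERM wording previously covered "pin did not match", so existing callers that mapped EPERM to a bad-PIN message will silently stop reporting it; that behaviour change deserves an explicit sentence here or in the commit message.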
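Review bot: The branch now prompts for a PIN on -ENOANO, but the header hunk above also documents -ENOANO as the result of a wrong PIN from crypt_activate_by_token_pin; the code that handles the second activation attempt is outside this hunk, so I cannot confirm it maps -ENOANO to a bad-PIN message the way it presumably handled -EPERM before, and that path should be checked. With the old -EAGAIN meaning gone, a token whose hardware or daemon is absent now falls through this `if` to whatever generic handling follows, which is reasonable but not stated; the existing comment is also hard to parse, so suggest `/* -ENOANO: token is PIN protected, ask for the PIN only when no password query will follow; -EAGAIN (missing resources) falls through */`. The enclosing action_open_luks starts and ends outside the hunk.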