eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-12 11:20:10 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix cryptsetup resize using LUKS2 tokens.

Browse Source 
Fix a bug where cryptsetup needlessly asked for passphrase
even though volume key was already unlocked via LUKS2 token.

Fixes: #601.
This commit is contained in:
Ondrej Kozina
2020-10-12 12:23:31 +02:00
committed by Milan Broz
parent 745c75b5b0
commit d63d399c17
2 changed files with 17 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/cryptsetup.c
View File

@@ -715,7 +715,9 @@ static int action_resize(void)
r = crypt_activate_by_token(cd, NULL, opt_token, NULL, r = crypt_activate_by_token(cd, NULL, opt_token, NULL,
CRYPT_ACTIVATE_KEYRING_KEY); CRYPT_ACTIVATE_KEYRING_KEY);
tools_keyslot_msg(r, UNLOCKED); tools_keyslot_msg(r, UNLOCKED);
if (r < 0 && opt_token_only) if (r >= 0)
goto resize;
else if (opt_token_only)
goto out; goto out;
r = tools_get_key(NULL, &password, &passwordLen, r = tools_get_key(NULL, &password, &passwordLen,
@@ -731,7 +733,7 @@ static int action_resize(void)
tools_keyslot_msg(r, UNLOCKED); tools_keyslot_msg(r, UNLOCKED);
crypt_safe_free(password); crypt_safe_free(password);
} }
resize:
if (opt_device_size) if (opt_device_size)
opt_size = opt_device_size / SECTOR_SIZE; opt_size = opt_device_size / SECTOR_SIZE;

13
tests/compat-test2
View File

@@ -29,6 +29,7 @@ PWDW="rUkL4RUryBom"
TEST_KEYRING_NAME="compattest2_keyring" TEST_KEYRING_NAME="compattest2_keyring"
TEST_TOKEN0="compattest2_desc0" TEST_TOKEN0="compattest2_desc0"
TEST_TOKEN1="compattest2_desc1" TEST_TOKEN1="compattest2_desc1"
TEST_TOKEN2="compattest2_desc2"
VK_FILE="compattest2_vkfile" VK_FILE="compattest2_vkfile"
IMPORT_TOKEN="{\"type\":\"some_type\",\"keyslots\":[],\"base64_data\":\"zxI7vKB1Qwl4VPB4D-N-OgcC14hPCG0IDu8O7eCqaQ\"}" IMPORT_TOKEN="{\"type\":\"some_type\",\"keyslots\":[],\"base64_data\":\"zxI7vKB1Qwl4VPB4D-N-OgcC14hPCG0IDu8O7eCqaQ\"}"
TOKEN_FILE0=test-token-file0 TOKEN_FILE0=test-token-file0
@@ -496,6 +497,18 @@ echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fai
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
if dm_crypt_keyring_support; then if dm_crypt_keyring_support; then
echo | $CRYPTSETUP -q resize --size 100 $DEV_NAME 2>/dev/null && fail echo | $CRYPTSETUP -q resize --size 100 $DEV_NAME 2>/dev/null && fail
if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
test_and_prepare_keyring
load_key user $TEST_TOKEN2 $PWD1 "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped."
$CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN2 --token-id 1 || fail
$CRYPTSETUP -q resize --size 99 $DEV_NAME <&- || fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "99 sectors" || fail
#replace kernel key with wrong pass
load_key user $TEST_TOKEN2 $PWD2 "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped."
# must fail due to --token-only
echo $PWD1 | $CRYPTSETUP -q resize --token-only --size 100 $DEV_NAME && fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" && fail
fi
fi fi
echo $PWD1 | $CRYPTSETUP -q resize --size 100 $DEV_NAME || fail echo $PWD1 | $CRYPTSETUP -q resize --size 100 $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail