95 lines
4.7 KiB
Diff
95 lines
4.7 KiB
Diff
|
From 0cd99eaa34a27209a271e00213d1ba2a54cc807f Mon Sep 17 00:00:00 2001
|
|||
|
|
From: Antonio Alvarez Feijoo <antonio.feijoo@suse.com>
|
|||
|
|
Date: Thu, 25 Apr 2024 12:14:25 +0200
|
|||
|
|
Subject: [PATCH] cryptsetup-tokens: fix pin asserts
|
|||
|
|
MIME-Version: 1.0
|
|||
|
|
Content-Type: text/plain; charset=UTF-8
|
|||
|
|
Content-Transfer-Encoding: 8bit
|
|||
|
|
|
|||
|
|
If a user only presses ENTER when the PIN is requested (without actually typing
|
|||
|
|
the PIN), an assertion is reached and no other unlock method is requested.
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
sh-5.2# systemctl status systemd-cryptsetup@cr_root
|
|||
|
|
× systemd-cryptsetup@cr_root.service - Cryptography Setup for cr_root
|
|||
|
|
Loaded: loaded (/etc/crypttab; generated)
|
|||
|
|
Drop-In: /etc/systemd/system/systemd-cryptsetup@.service.d
|
|||
|
|
└─pcr-signature.conf
|
|||
|
|
Active: failed (Result: core-dump) since Thu 2024-04-25 08:44:30 UTC; 10min ago
|
|||
|
|
Docs: man:crypttab(5)
|
|||
|
|
man:systemd-cryptsetup-generator(8)
|
|||
|
|
man:systemd-cryptsetup@.service(8)
|
|||
|
|
Process: 559 ExecStartPre=/usr/bin/pcr-signature.sh (code=exited, status=0/SUCCESS)
|
|||
|
|
Process: 604 ExecStart=/usr/bin/systemd-cryptsetup attach cr_root /dev/disk/by-uuid/a8cbd937-6975-4e61-9120-ce5c03138700 none x-initrd.attach,tpm2-device=auto (code=dumped, signal=ABRT)
|
|||
|
|
Main PID: 604 (code=dumped, signal=ABRT)
|
|||
|
|
CPU: 19ms
|
|||
|
|
|
|||
|
|
Apr 25 08:44:29 localhost systemd[1]: Starting Cryptography Setup for cr_root...
|
|||
|
|
Apr 25 08:44:30 localhost systemd-cryptsetup[604]: Assertion '!pin || pin_size > 0' failed at src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c:60, function cryptsetup_token_open_pin(). Aborting.
|
|||
|
|
Apr 25 08:44:30 localhost systemd[1]: systemd-cryptsetup@cr_root.service: Main process exited, code=dumped, status=6/ABRT
|
|||
|
|
Apr 25 08:44:30 localhost systemd[1]: systemd-cryptsetup@cr_root.service: Failed with result 'core-dump'.
|
|||
|
|
Apr 25 08:44:30 localhost systemd[1]: Failed to start Cryptography Setup for cr_root.
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
In this case, `cryptsetup_token_open_pin()` receives an empty (non-NULL) `pin`
|
|||
|
|
with `pin_size` equals to 0.
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
🔐 Please enter LUKS2 token PIN:
|
|||
|
|
|
|||
|
|
Breakpoint 3, cryptsetup_token_open_pin (cd=0x5555555744c0, token=0, pin=0x5555555b3cc0 "", pin_size=0, ret_password=0x7fffffffd380,
|
|||
|
|
ret_password_len=0x7fffffffd378, usrptr=0x0) at ../src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c:42
|
|||
|
|
42 void *usrptr /* plugin defined parameter passed to crypt_activate_by_token*() API */) {
|
|||
|
|
(gdb) continue
|
|||
|
|
Assertion '!pin || pin_size > 0' failed at src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c:60, function cryptsetup_token_open_pin(). Aborting.
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
(cherry picked from commit 5cef6b5393871a99ad17799197b26da9196f7035)
|
|||
|
|
|
|||
|
|
Related: RHEL-36276
|
|||
|
|
---
|
|||
|
|
.../cryptsetup-tokens/cryptsetup-token-systemd-fido2.c | 2 +-
|
|||
|
|
.../cryptsetup-tokens/cryptsetup-token-systemd-pkcs11.c | 2 +-
|
|||
|
|
.../cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c | 2 +-
|
|||
|
|
3 files changed, 3 insertions(+), 3 deletions(-)
|
|||
|
|
|
|||
|
|
diff --git a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-fido2.c b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-fido2.c
|
|||
|
|
index 3027804065..63f9688e88 100644
|
|||
|
|
--- a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-fido2.c
|
|||
|
|
+++ b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-fido2.c
|
|||
|
|
@@ -34,7 +34,7 @@ _public_ int cryptsetup_token_open_pin(
|
|||
|
|
const char *json;
|
|||
|
|
_cleanup_(erase_and_freep) char *pin_string = NULL;
|
|||
|
|
|
|||
|
|
- assert(!pin || pin_size);
|
|||
|
|
+ assert(pin || pin_size == 0);
|
|||
|
|
assert(token >= 0);
|
|||
|
|
|
|||
|
|
/* This must not fail at this moment (internal error) */
|
|||
|
|
diff --git a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-pkcs11.c b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-pkcs11.c
|
|||
|
|
index c3e7fbd061..63dbb1943f 100644
|
|||
|
|
--- a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-pkcs11.c
|
|||
|
|
+++ b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-pkcs11.c
|
|||
|
|
@@ -33,7 +33,7 @@ _public_ int cryptsetup_token_open_pin(
|
|||
|
|
const char *json;
|
|||
|
|
int r;
|
|||
|
|
|
|||
|
|
- assert(!pin || pin_size);
|
|||
|
|
+ assert(pin || pin_size == 0);
|
|||
|
|
assert(token >= 0);
|
|||
|
|
|
|||
|
|
/* This must not fail at this moment (internal error) */
|
|||
|
|
diff --git a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c
|
|||
|
|
index 94d568c17f..883ccf3a0b 100644
|
|||
|
|
--- a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c
|
|||
|
|
+++ b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c
|
|||
|
|
@@ -57,7 +57,7 @@ _public_ int cryptsetup_token_open_pin(
|
|||
|
|
int r;
|
|||
|
|
|
|||
|
|
assert(token >= 0);
|
|||
|
|
- assert(!pin || pin_size > 0);
|
|||
|
|
+ assert(pin || pin_size == 0);
|
|||
|
|
assert(ret_password);
|
|||
|
|
assert(ret_password_len);
|
|||
|
|
|