Package: cryptsetup
Version: 2:1.6.4-4
Severity: normal
Tags: patch

Hi.
If I've entered a wrong password at the decrypt_keyctl prompt, it'll use it in all following cryptsetup attempts, making all of them fail:

  # cryptdisks_start w7_data
  Starting crypto disk...w7_data (starting)...
  Caching passphrase for /dev/sda3:
  No device header detected with this passphrase.
  Using cached passphrase for /dev/sda3.
  No device header detected with this passphrase.
  Using cached passphrase for /dev/sda3.
  No device header detected with this passphrase.
  w7_data (failed)...failed.

The attached patch makes decrypt_keyctl ask for the password again if CRYPTTAB_TRIED is greater than 0. So, unlocking may look like this. Try once and press Ctrl-C:

  # cryptdisks_start w7_data
  Starting crypto disk...w7_data (starting)...
  Caching passphrase for /dev/sda3:
  No device header detected with this passphrase.
  Caching passphrase for /dev/sda3:
  Error reading passphrase.
  #

It asks for the password a second time when the first attempt fails. Then try to open again:

  # cryptdisks_start w7_data
  Starting crypto disk...w7_data (starting)...
  Using cached passphrase for /dev/sda3.
  No device header detected with this passphrase.
  Caching passphrase for /dev/sda3:
  w7_data (started)...done.

First, it tries the cached (wrong) password. But when it fails, it asks again, and now succeeds.
-- Package-specific info:
-- /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.13-1-amd64 root=/dev/mapper/jessie_root ro quiet

-- /etc/crypttab
jessie_root /dev/reiji/enc_jessie_root reiji luks,keyscript=decrypt_keyctl
jessie_usr /dev/reiji/enc_jessie_usr /etc/keys/jessie_usr.lukskey luks
jessie_var /dev/reiji/enc_jessie_var /etc/keys/jessie_var.lukskey luks
jessie_tmp /dev/reiji/enc_jessie_tmp /etc/keys/jessie_tmp.lukskey luks
jessie_swap /dev/reiji/enc_jessie_swap /dev/urandom swap,cipher=aes-xts-plain64,size=256,hash=sha1
home /dev/reiji/enc_home /etc/keys/home.lukskey luks
backup /dev/reiji/enc_backup /etc/keys/backup.lukskey luks
w7_backup /dev/sdb4 reiji tcrypt,precheck=/bin/true,keyscript=decrypt_keyctl
w7_data /dev/sda3 reiji tcrypt,precheck=/bin/true,keyscript=decrypt_keyctl
w7 /dev/sdb2 reiji tcrypt,tcryptsystem,precheck=/bin/true,keyscript=decrypt_keyctl,check=keyctl_clear

-- /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=227ce6c3-0de7-4436-9e13-6442a3d7d8f4 /boot ext3 defaults 0 2
/dev/mapper/jessie_root / ext4 errors=remount-ro 0 1
/dev/mapper/jessie_usr /usr ext4 defaults 0 2
/dev/mapper/jessie_var /var ext4 defaults 0 2
/dev/mapper/jessie_tmp /var/tmp ext4 defaults 0 2
/dev/mapper/jessie_swap none swap sw 0 0
/dev/mapper/home /home ext4 defaults 0 2
/dev/mapper/backup /var/backups ext4 defaults 0 2

-- lsmod
Module Size Used by
nfsd 259239 2
auth_rpcgss 51202 1 nfsd
oid_registry 12419 1 auth_rpcgss
nfs_acl 12511 1 nfsd
nfs 183626 0
lockd 79321 2 nfs,nfsd
fscache 45542 1 nfs
sunrpc 224626 6 nfs,nfsd,auth_rpcgss,lockd,nfs_acl
fuse 78793 1
blowfish_generic 12464 0
blowfish_x86_64 21132 0
blowfish_common 16487 2 blowfish_generic,blowfish_x86_64
ecb 12737 0
des_generic 20851 0
cast5_avx_x86_64 49760 0
cast5_generic 20813 1 cast5_avx_x86_64
cast_common 12313 2 cast5_generic,cast5_avx_x86_64
cbc 12696 0
twofish_generic 16569 0
twofish_avx_x86_64 46079 0
twofish_x86_64_3way 25483 1 twofish_avx_x86_64
twofish_x86_64 12541 2 twofish_avx_x86_64,twofish_x86_64_3way
twofish_common 20585 4 twofish_generic,twofish_avx_x86_64,twofish_x86_64_3way,twofish_x86_64
serpent_avx_x86_64 46241 0
serpent_sse2_x86_64 50146 0
serpent_generic 29140 2 serpent_sse2_x86_64,serpent_avx_x86_64
xts 12679 2 serpent_sse2_x86_64,twofish_x86_64_3way
algif_skcipher 13008 0
af_alg 12988 1 algif_skcipher
raid1 34596 2
snd_hda_codec_hdmi 40859 1
x86_pkg_temp_thermal 12951 0
intel_powerclamp 13063 0
snd_hda_codec_via 22798 1
nouveau 999240 1
snd_hda_intel 43768 0
snd_hda_codec 146743 3 snd_hda_codec_hdmi,snd_hda_codec_via,snd_hda_intel
snd_hwdep 13148 1 snd_hda_codec
snd_pcm 84153 3 snd_hda_codec_hdmi,snd_hda_codec,snd_hda_intel
snd_page_alloc 17114 2 snd_pcm,snd_hda_intel
intel_rapl 17356 0
md_mod 103628 2 raid1
snd_timer 26614 1 snd_pcm
snd 60917 7 snd_hwdep,snd_timer,snd_hda_codec_hdmi,snd_hda_codec_via,snd_pcm,snd_hda_codec,snd_hda_intel
coretemp 12854 0
kvm_intel 130584 0
soundcore 13026 1 snd
parport_pc 26300 0
mxm_wmi 12515 1 nouveau
ttm 65523 1 nouveau
drm_kms_helper 35695 1 nouveau
drm 236628 3 ttm,drm_kms_helper,nouveau
iTCO_wdt 12831 0
mei_me 13400 0
iTCO_vendor_support 12649 1 iTCO_wdt
eeepc_wmi 12600 0
asus_wmi 22866 1 eeepc_wmi
sparse_keymap 12818 1 asus_wmi
rfkill 18867 1 asus_wmi
kvm 380332 1 kvm_intel
parport 35749 1 parport_pc
i2c_i801 16965 0
wmi 17339 3 mxm_wmi,nouveau,asus_wmi
button 12944 1 nouveau
video 17804 2 nouveau,asus_wmi
i2c_algo_bit 12751 1 nouveau
i2c_core 24092 5 drm,i2c_i801,drm_kms_helper,i2c_algo_bit,nouveau
processor 28274 0
mei 49922 1 mei_me
lpc_ich 20768 0
mfd_core 12601 1 lpc_ich
pcspkr 12595 0
evdev 17445 13
ext4 465511 7
crc16 12343 1 ext4
mbcache 13082 1 ext4
jbd2 82560 1 ext4
hid_generic 12393 0
usbhid 44439 0
hid 94034 2 hid_generic,usbhid
dm_crypt 22595 7
dm_mod 89365 46 dm_crypt
sg 29972 0
sd_mod 44346 7
crc_t10dif 12431 1 sd_mod
crct10dif_pclmul 13387 1
crct10dif_common 12356 2 crct10dif_pclmul,crc_t10dif
crc32_pclmul 12915 0
crc32c_intel 21809 0
ghash_clmulni_intel 12978 0
aesni_intel 50772 14
aes_x86_64 16719 1 aesni_intel
lrw 12757 5 serpent_sse2_x86_64,aesni_intel,serpent_avx_x86_64,twofish_avx_x86_64,twofish_x86_64_3way
gf128mul 12970 2 lrw,xts
glue_helper 12695 5 serpent_sse2_x86_64,aesni_intel,serpent_avx_x86_64,twofish_avx_x86_64,twofish_x86_64_3way
ablk_helper 12572 5 serpent_sse2_x86_64,aesni_intel,serpent_avx_x86_64,twofish_avx_x86_64,cast5_avx_x86_64
cryptd 14516 10 ghash_clmulni_intel,aesni_intel,ablk_helper
ahci 25096 5
libahci 27202 1 ahci
libata 168945 2 ahci,libahci
scsi_mod 182938 3 sg,libata,sd_mod
ehci_pci 12472 0
ehci_hcd 48510 1 ehci_pci
xhci_hcd 107625 0
e1000e 195024 0
ptp 17460 1 e1000e
pps_core 13129 1 ptp
usbcore 154175 4 ehci_hcd,ehci_pci,usbhid,xhci_hcd
usb_common 12440 1 usbcore
fan 12681 0
thermal 17468 0
thermal_sys 27525 6 fan,video,intel_powerclamp,thermal,processor,x86_pkg_temp_thermal

-- System Information:
Debian Release: jessie/sid
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cryptsetup depends on:
ii cryptsetup-bin 2:1.6.4-4
ii debconf [debconf-2.0] 1.5.53
ii dmsetup 2:1.02.83-2
ii libc6 2.18-5

Versions of packages cryptsetup recommends:
ii busybox 1:1.22.0-5
ii console-setup 1.102
ii initramfs-tools [linux-initramfs-tool] 0.115
ii kbd 1.15.5-1

Versions of packages cryptsetup suggests:
pn dosfstools <none>
ii keyutils 1.5.6-1
ii liblocale-gettext-perl 1.05-8

-- debconf information:
cryptsetup/prerm_active_mappings: true

-- debsums errors found:
debsums: changed file /lib/cryptsetup/cryptdisks.functions (from cryptsetup package)
diff --git a/src/decrypt_keyctl b/src/decrypt_keyctl index c4dbacb..8b0a15d 100755 --- a/src/decrypt_keyctl +++ b/src/decrypt_keyctl @@ -32,8 +32,8 @@ test -x "$STTY_" && PW_READER_='stty' # 1. backup method test -x "$ASKPASS_" && PW_READER_='askpass' # prefered method KID_=$(keyctl search @u user "$ID_" 2>/dev/null) -if [ $? -ne 0 ] || [ -z "$KID_" ]; then - # key not found, ask the user +if [ $? -ne 0 ] || [ -z "$KID_" ] || [ "$CRYPTTAB_TRIED" -gt 0 ]; then + # key not found or i've cached wrong key, ask the user case "$PW_READER_" in askpass) KEY_=$($ASKPASS_ "$PROMPT_") || die "Error executing $ASKPASS_" @@ -66,6 +66,13 @@ if [ $? -ne 0 ] || [ -z "$KID_" ]; then fi ;; esac + if [ -n "$KID_" ]; then + # I have cached wrong password and now i may use either `keyctl update` + # to update $KID_ or just unlink old key, and add new. With `update` i + # may hit "Key has expired", though. So i'll go "unlink and add" way. + keyctl unlink $KID_ @u + KID_="" + fi KID_=$(echo -n "$KEY_" |keyctl padd user "$ID_" @u) [ -z "$KID_" ] && die "Error adding passphrase to kernel keyring" if ! keyctl timeout $KID_ $TIMEOUT_; then
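Review bot: the new test `[ "$CRYPTTAB_TRIED" -gt 0 ]` in the first hunk (the `if ... ; then` line at -32,8) is not robust when CRYPTTAB_TRIED is unset or empty: under dash, `[ "" -gt 0 ]` reports an "Illegal number" error and evaluates false, so the script still falls through to the cached-key path but prints noise whenever the keyscript is run outside the cryptdisks retry loop that sets the variable (for example by hand while debugging). Suggest `[ "${CRYPTTAB_TRIED:-0}" -gt 0 ]`, which defaults a missing value to a first try. The rewritten comment on the next line also uses a lowercase first-person "i" ("or i've cached wrong key"); in a shared script, "key not found or a wrong key was cached, ask the user" reads better.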
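Review bot: in the second hunk (the block added after `esac` at -66,6) the exit status of `keyctl unlink $KID_ @u` is ignored and `$KID_` is unquoted. If the unlink fails while the old key is still present, the following `keyctl padd user "$ID_" @u` will update that existing key in place (add_key(2) updates a key of the same type and description already in the keyring), which is exactly the `keyctl update` path the comment says it wants to avoid because of "Key has expired". Suggest `keyctl unlink "$KID_" @u || die "Error unlinking stale key $KID_ from keyring"`. The `KID_=""` assignment is redundant, since the very next line, `KID_=$(echo -n "$KEY_" |keyctl padd user "$ID_" @u)`, overwrites it unconditionally. Minor style: the comment's lowercase "i" should be "I", and the ad-hoc wording ("So i'll go \"unlink and add\" way") would be clearer as a plain statement that a fresh key is added because updating an expired key can fail.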