author | Ondrej Kozina <okozina@redhat.com> | 2024-01-23 11:55:08 +0100 |
---|---|---|
committer | Ondrej Kozina <okozina@redhat.com> | 2024-01-23 11:55:12 +0100 |
commit | 7eca077490c6f061b78a09eaf596804354be1ad2 (patch) | |
tree | 0c24045630a1b73b18bf9351b6d2a48f46295542 | |
parent | 8dd3266599b2048b7a68f8254a84d493d97d986e (diff) | |
download | cryptsetup-7eca077490c6f061b78a09eaf596804354be1ad2.tar.gz |
Replace code for missing key error in API.
While trying to activate device in LUKS2 reencryption
we originally used -ENOKEY error code for case
where one or more volume keys could not be unlocked or
were not provided directly by (CRYPT_KC_TYPE_KEY or
CRYPT_KC_TYPE_VK_KEYRING) keyslot contexts.
We missed the fact the error code was already previously
used for signaling case when dm subsystem could not load
device table due to key in kernel keyring could not be
read from kernel. It's propagated by libdevmapper.
For it we replace -ENOKEY with -ESRCH for signaling the missing
keyslot context or volume key for devices in LUKS2 reencryption.
-rw-r--r-- | lib/libcryptsetup.h | 7 | ||||
-rw-r--r-- | lib/setup.c | 2 | ||||
-rw-r--r-- | tests/api-test-2.c | 4 |
3 files changed, 7 insertions, 6 deletions
diff --git a/lib/libcryptsetup.h b/lib/libcryptsetup.h
index f1d65f74..0584c77c 100644
--- a/lib/libcryptsetup.h
+++ b/lib/libcryptsetup.h
@@ -1628,11 +1628,12 @@ int crypt_persistent_flags_get(struct crypt_device *cd,
 * reencryption), more than one keyslot context is required (e.g. one for the old
 * volume key and one for the new volume key). The order of the keyslot
 * contexts does not matter. When less keyslot contexts are supplied than
- * required to unlock the device an -ENOKEY error code is returned and you
+ * required to unlock the device an -ESRCH error code is returned and you
 * should call the function again with an additional keyslot context specified.
 *
- * NOTE: the API at the moment works for one keyslot context only, the second
- * keyslot context is just an API placeholder
+ * NOTE: the API at the moment fully works for single keyslot context only,
+ * the additional keyslot context currently works only with
+ * @e CRYPT_KC_TYPE_VK_KEYRING or @e CRYPT_KC_TYPE_KEY contexts.
 *
 * @param cd crypt device handle
 * @param name name of device to create, if @e NULL only check passphrase
diff --git a/lib/setup.c b/lib/setup.c
index 43ae23e6..ed77dc14 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -5699,7 +5699,7 @@ const char *name,
 }
 if (unlocked_keys < required_keys)
- r = -ENOKEY;
+ r = -ESRCH;
 }
 } else if (isTCRYPT(cd->type)) {
 r = 0;
diff --git a/tests/api-test-2.c b/tests/api-test-2.c
index c8032a24..29cdb987 100644
--- a/tests/api-test-2.c
+++ b/tests/api-test-2.c
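Review bot: The rewritten comment in the lib/libcryptsetup.h hunk names -ESRCH for the too-few-keyslot-contexts case but says nothing about -ENOKEY, which the function can apparently still return when the kernel could not read the key from the keyring. Callers that previously retried with another keyslot context on -ENOKEY need both meanings spelled out, otherwise a keyring failure and a missing volume key are easy to confuse in error handling. I would add ` * -ENOKEY is returned when the device table could not be loaded because the key could not be read from the kernel keyring.` after the -ESRCH sentence. The doc comment starts and ends outside the hunk, so an existing return-value section may already cover this and should be checked.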
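Review bot: In the lib/setup.c hunk, `r = -ESRCH;` is assigned whenever `unlocked_keys < required_keys`, whatever `r` held before. The code above is outside the hunk, so this is an assumption, but if an earlier unlock attempt left a more specific error in `r`, it is overwritten here and the caller sees only "key missing". It is worth confirming that is intended, and adding a comment so the value is not switched back later: `/* -ESRCH, not -ENOKEY: libdevmapper propagates -ENOKEY when the kernel cannot read the key from the keyring */`.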
@@ -5598,8 +5598,8 @@ static void KeyslotContextAndKeyringLink(void)
 OK_(crypt_keyslot_context_init_by_vk_in_keyring(cd, TEST_KEY_VK_USER_NAME , &kc));
 OK_(crypt_keyslot_context_init_by_vk_in_keyring(cd, TEST_KEY_VK_USER2_NAME, &kc2));
- EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), -ENOKEY);
- EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc2, CRYPT_ANY_SLOT, NULL, 0), -ENOKEY);
+ EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc, CRYPT_ANY_SLOT, NULL, 0), -ESRCH);
+ EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, kc2, CRYPT_ANY_SLOT, NULL, 0), -ESRCH);
 EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, NULL, CRYPT_ANY_SLOT, kc, 0), -EINVAL);
 EQ_(crypt_activate_by_keyslot_context(cd, NULL, CRYPT_ANY_SLOT, NULL, CRYPT_ANY_SLOT, kc2, 0), -EINVAL); |
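Review bot: The updated assertions in the tests/api-test-2.c hunk cover only contexts created by crypt_keyslot_context_init_by_vk_in_keyring(). The header comment changed in this commit says a CRYPT_KC_TYPE_KEY context takes the same path, and nothing in this hunk asserts -ESRCH for that context type. KeyslotContextAndKeyringLink() continues outside the hunk, so such a check may already exist elsewhere. If it does not, an `EQ_(..., -ESRCH)` case that supplies a single CRYPT_KC_TYPE_KEY context would pin the new return code for both types.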