Skip to content

Commit

Permalink
Give better error message on Clevis unlock failure
Browse files Browse the repository at this point in the history
This commit fixes a bug in our clevis_decrypt function where it would
report success even on failure. It also provides a better error message
on failure to the user.
  • Loading branch information
jbaublitz committed Jan 8, 2025
1 parent 96dd4b4 commit 7aec887
Show file tree
Hide file tree
Showing 3 changed files with 77 additions and 34 deletions.
4 changes: 2 additions & 2 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

20 changes: 19 additions & 1 deletion src/engine/strat_engine/cmd.rs
Original file line number Diff line number Diff line change
Expand Up @@ -461,6 +461,7 @@ pub fn clevis_decrypt(jwe: &Value) -> StratisResult<SizedKeyMemory> {
.arg("decrypt")
.stdin(Stdio::piped())
.stdout(Stdio::piped())
.stderr(Stdio::piped())
.spawn()?;
let mut clevis_stdin = clevis_child.stdin.take().ok_or_else(|| {
StratisError::Msg(
Expand All @@ -472,7 +473,24 @@ pub fn clevis_decrypt(jwe: &Value) -> StratisResult<SizedKeyMemory> {
clevis_stdin.write_all(jose_output.as_bytes())?;
drop(clevis_stdin);

clevis_child.wait()?;
let result = clevis_child.wait()?;
if result.code() != Some(0) {
match clevis_child.stderr {
Some(mut stderr) => {
let mut msg = String::new();
stderr.read_to_string(&mut msg)?;
return Err(StratisError::Chained(
"Failed to retrieve Clevis passphrase".to_string(),
Box::new(StratisError::Msg(msg.trim().to_string())),
));
}
None => {
return Err(StratisError::Msg(
"Failed to retrieve Clevis passphrase".to_string(),
));
}
}
}

let mut mem = SafeMemHandle::alloc(MAX_STRATIS_PASS_SIZE)?;
let bytes_read = clevis_child
Expand Down
87 changes: 56 additions & 31 deletions src/engine/strat_engine/crypt/shared.rs
Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,11 @@

use std::{
fs::OpenOptions,
io::{ErrorKind, Write},
io::Write,
mem::forget,
path::{Path, PathBuf},
slice::from_raw_parts_mut,
sync::{Mutex, OnceLock},
};

use data_encoding::BASE64URL_NOPAD;
Expand All @@ -25,7 +26,7 @@ use libcryptsetup_rs::{
CryptDebugLevel, CryptLogLevel, CryptStatusInfo, CryptWipePattern, EncryptionFormat,
},
},
register, set_debug_level, set_log_callback, CryptDevice, CryptInit, LibcryptErr,
register, set_debug_level, set_log_callback, CryptDevice, CryptInit,
};

use crate::{
Expand All @@ -46,6 +47,8 @@ use crate::{
stratis::{StratisError, StratisResult},
};

static CLEVIS_ERROR: OnceLock<Mutex<Option<StratisError>>> = OnceLock::new();

/// Set up crypt logging to log cryptsetup debug information at the trace level.
pub fn set_up_crypt_logging() {
fn logging_callback(level: CryptLogLevel, msg: &str, _: Option<&mut ()>) {
Expand Down Expand Up @@ -523,29 +526,17 @@ pub fn activate(
)));
}
}
device
.token_handle()
.activate_by_token::<()>(
Some(&name.to_string()),
if unlock_method == UnlockMethod::Keyring {
Some(LUKS2_TOKEN_ID)
} else if unlock_method == UnlockMethod::Clevis {
Some(CLEVIS_LUKS_TOKEN_ID)
} else {
None
},
None,
CryptActivate::empty(),
)
.map_err(|e| match e {
LibcryptErr::IOError(e) => match e.kind() {
ErrorKind::NotFound => StratisError::Msg(format!(
"Token slot for unlock method {unlock_method:?} was empty"
)),
_ => StratisError::from(e),
},
_ => StratisError::from(e),
})?;
activate_by_token(
device,
Some(&name.to_string()),
if unlock_method == UnlockMethod::Keyring {
Some(LUKS2_TOKEN_ID)
} else if unlock_method == UnlockMethod::Clevis {
Some(CLEVIS_LUKS_TOKEN_ID)
} else {
None
},
)?;
}

// Check activation status.
Expand Down Expand Up @@ -733,12 +724,7 @@ pub fn ensure_wiped(
/// No activation will actually occur, only validation.
pub fn check_luks2_token(device: &mut CryptDevice) -> StratisResult<()> {
log_on_failure!(
device.token_handle().activate_by_token::<()>(
None,
Some(LUKS2_TOKEN_ID),
None,
CryptActivate::empty(),
),
activate_by_token(device, None, Some(LUKS2_TOKEN_ID)),
"libcryptsetup reported that the LUKS2 token is unable to \
open the encrypted device; this could be due to a malformed \
LUKS2 keyring token on the device or a missing or inaccessible \
Expand Down Expand Up @@ -844,6 +830,13 @@ unsafe extern "C" fn open(
}
Err(e) => {
error!("{}", e.to_string());
let guard = CLEVIS_ERROR
.get()
.expect("Must have been initialized")
.lock();
if let Ok(mut g) = guard {
*g = Some(e);
}
-1
}
}
Expand All @@ -867,9 +860,41 @@ pub fn register_clevis_token() -> StratisResult<()> {
Some(validate),
Some(dump),
)?;
CLEVIS_ERROR
.set(Mutex::new(None))
.expect("Only initialized here");
Ok(())
}

pub fn activate_by_token(
device: &mut CryptDevice,
device_name: Option<&str>,
token_slot: Option<u32>,
) -> StratisResult<()> {
let res = device.token_handle().activate_by_token::<()>(
device_name,
token_slot,
None,
CryptActivate::empty(),
);
let error = CLEVIS_ERROR
.get()
.expect("Must be initialized")
.lock()
.map(|mut guard| guard.take());
match (error, res) {
(Ok(Some(e)), Err(_)) => Err(StratisError::Chained(
"Failed to unlock using token".to_string(),
Box::new(e),
)),
(Ok(Some(_)), _) => {
unreachable!("failure in callback fails function")
}
(_, Err(e)) => Err(StratisError::from(e)),
(_, Ok(_)) => Ok(()),
}
}

#[cfg(test)]
mod tests {
use super::*;
Expand Down

0 comments on commit 7aec887

Please sign in to comment.