[pkg-cryptsetup-devel] Bug#748368: cryptsetup: decrypt_keyctl does not ask for password again, if wrong password have given
Dmitriy Matrosov
sgf.dma at gmail.com
Fri May 16 15:19:54 UTC 2014
Package: cryptsetup
Version: 2:1.6.4-4
Severity: normal
Tags: patch
Hi.

If I've entered a wrong password at the decrypt_keyctl prompt, it'll use it in all
following cryptsetup attempts, making all of them fail:

# cryptdisks_start w7_data
Starting crypto disk...w7_data (starting)...
Caching passphrase for /dev/sda3: No device header detected with this passphrase.
Using cached passphrase for /dev/sda3.
No device header detected with this passphrase.
Using cached passphrase for /dev/sda3.
No device header detected with this passphrase.
w7_data (failed)...failed.

The attached patch makes decrypt_keyctl ask for the password again if
CRYPTTAB_TRIED is greater than 0. So, unlocking may look like:

Try once and press Ctrl-C:

# cryptdisks_start w7_data
Starting crypto disk...w7_data (starting)...
Caching passphrase for /dev/sda3: No device header detected with this passphrase.
Caching passphrase for /dev/sda3: Error reading passphrase.
#

It asks for the password a second time when the 1st attempt fails. Then try to open again:

# cryptdisks_start w7_data
Starting crypto disk...w7_data (starting)...
Using cached passphrase for /dev/sda3.
No device header detected with this passphrase.
Caching passphrase for /dev/sda3: w7_data (started)...done.

First, it tries the cached (wrong) password. But when it fails, it asks again, and now succeeds.

-- Package-specific info:
-- /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.13-1-amd64 root=/dev/mapper/jessie_root ro quiet
-- /etc/crypttab
jessie_root /dev/reiji/enc_jessie_root reiji luks,keyscript=decrypt_keyctl
jessie_usr /dev/reiji/enc_jessie_usr /etc/keys/jessie_usr.lukskey luks
jessie_var /dev/reiji/enc_jessie_var /etc/keys/jessie_var.lukskey luks
jessie_tmp /dev/reiji/enc_jessie_tmp /etc/keys/jessie_tmp.lukskey luks
jessie_swap /dev/reiji/enc_jessie_swap /dev/urandom swap,cipher=aes-xts-plain64,size=256,hash=sha1
home /dev/reiji/enc_home /etc/keys/home.lukskey luks
backup /dev/reiji/enc_backup /etc/keys/backup.lukskey luks
w7_backup /dev/sdb4 reiji tcrypt,precheck=/bin/true,keyscript=decrypt_keyctl
w7_data /dev/sda3 reiji tcrypt,precheck=/bin/true,keyscript=decrypt_keyctl
w7 /dev/sdb2 reiji tcrypt,tcryptsystem,precheck=/bin/true,keyscript=decrypt_keyctl,check=keyctl_clear
-- /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=227ce6c3-0de7-4436-9e13-6442a3d7d8f4 /boot ext3 defaults 0 2
/dev/mapper/jessie_root / ext4 errors=remount-ro 0 1
/dev/mapper/jessie_usr /usr ext4 defaults 0 2
/dev/mapper/jessie_var /var ext4 defaults 0 2
/dev/mapper/jessie_tmp /var/tmp ext4 defaults 0 2
/dev/mapper/jessie_swap none swap sw 0 0
/dev/mapper/home /home ext4 defaults 0 2
/dev/mapper/backup /var/backups ext4 defaults 0 2
-- lsmod
-- System Information:
Debian Release: jessie/sid
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages cryptsetup depends on:
ii cryptsetup-bin 2:1.6.4-4
ii debconf [debconf-2.0] 1.5.53
ii dmsetup 2:1.02.83-2
ii libc6 2.18-5
Versions of packages cryptsetup recommends:
ii busybox 1:1.22.0-5
ii console-setup 1.102
ii initramfs-tools [linux-initramfs-tool] 0.115
ii kbd 1.15.5-1
Versions of packages cryptsetup suggests:
pn dosfstools <none>
ii keyutils 1.5.6-1
ii liblocale-gettext-perl 1.05-8
-- debconf information:
cryptsetup/prerm_active_mappings: true
-- debsums errors found:
debsums: changed file /lib/cryptsetup/cryptdisks.functions (from cryptsetup package)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: decrypt_keyctl.patch
Type: text/x-diff
Size: 1269 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-cryptsetup-devel/attachments/20140516/e189a1d6/attachment.patch>
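
The retry behaviour described in this report, as an added example (this is not the attached decrypt_keyctl.patch, which is not reproduced on this page, and not the package's own script): the cached value is reused only while CRYPTTAB_TRIED is 0, and a retry prompts again and overwrites the cache. Assumptions: the kernel keyring is replaced by files under a hypothetical CACHE_DIR so the logic runs without keyutils, and get_passphrase and ask_passphrase are hypothetical names.

```shell
#!/bin/sh
# Added illustration of the keyscript decision logic, not the Debian script.
# CACHE_DIR is a constructed stand-in for the keyring used by decrypt_keyctl.
CACHE_DIR="${CACHE_DIR:-$(mktemp -d)}"

# Hypothetical prompt helper: reads one line from stdin.
# Fails when nothing can be read (for example an interrupted prompt).
ask_passphrase() {
    IFS= read -r pass || return 1
    printf '%s' "$pass"
}

# get_passphrase ID TRIED
#   ID    - cache identifier (third crypttab field, "reiji" in the report)
#   TRIED - failed attempts so far in this run (CRYPTTAB_TRIED)
# Prints the passphrase on stdout and status messages on stderr.
get_passphrase() {
    id=$1
    tried=${2:-0}
    entry="$CACHE_DIR/$id"

    # Reuse the cache only on the first attempt. A non-zero retry count
    # means the value just handed out was rejected by cryptsetup.
    if [ "$tried" -eq 0 ] && [ -f "$entry" ]; then
        echo "Using cached passphrase for $id." >&2
    else
        echo "Caching passphrase for $id." >&2
        pass=$(ask_passphrase) || {
            # The old entry is left in place, as in the Ctrl-C run above.
            echo "Error reading passphrase." >&2
            return 1
        }
        # Overwrite the rejected value; keep the file private to the owner.
        (umask 077; printf '%s' "$pass" > "$entry")
    fi
    cat "$entry"
}
```
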