Discussion:
cryptsetup luksOpen return code with failed passphrase - redux for FC5
Marc Schwartz
2006-06-10 11:20:08 UTC
Hi all,

I know that this has been reported here for Debian (last month by Dick
Middleton), but wanted to give a heads up to those running on FC5, which
I now am.

The current RPM on FC5 is:

cryptsetup-luks-1.0.3-0.rc2


The return code for the function is fixed at 0, which will cause
problems when testing for a bad passphrase, such as for those using the
'luksopen' script from the wiki.

For example:

# /sbin/cryptsetup luksOpen /dev/sda1 sda1 ; echo "RETURNCODE: $?"
Enter LUKS passphrase:
Command failed: No key available with this passphrase.

RETURNCODE: 0


As a result, the test in the luksopen script:

    j=3
    while [ "$j" -gt 0 ] && ! cryptsetup luksOpen "$dev" "$map" ; do
        let "--j"
    done

will actually pass on the first failed passphrase attempt and not cycle
to re-try, proceeding to the next device in the main loop.

A bugzilla report has been filed previously on this for luksClose and I
added my $0.02:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=194434

I do not see an updated RPM for FC5 in the testing update repos as of yet.

HTH,

Marc Schwartz
Marc Schwartz
2006-06-10 12:27:55 UTC
Post by Marc Schwartz
Hi all,
I know that this has been reported here for Debian (last month by Dick
Middleton), but wanted to give a heads up to those running on FC5, which
I now am.
cryptsetup-luks-1.0.3-0.rc2
The return code for the function is fixed at 0, which will cause
problems when testing for a bad passphrase, such as for those using the
'luksopen' script from the wiki.
# /sbin/cryptsetup luksOpen /dev/sda1 sda1 ; echo "RETURNCODE: $?"
Command failed: No key available with this passphrase.
RETURNCODE: 0
    j=3
    while [ "$j" -gt 0 ] && ! cryptsetup luksOpen "$dev" "$map" ; do
        let "--j"
    done
will actually pass on the first failed passphrase attempt and not cycle
to re-try, proceeding to the next device in the main loop.
BTW, here is a possible workaround for those using the luksopen script
and who are having this problem.

Rather than testing the cryptsetup exit code for a failure as above,
test to see if the /dev/mapper device exists. If not, then re-try the
passphrase:

    j=3
    while [ "$j" -gt 0 ] && [ ! -e /dev/mapper/"$map" ] ; do
        cryptsetup luksOpen "$dev" "$map"
        let "--j"
    done

I have posted this on the wiki for luksopen for others to use.

HTH,

Marc Schwartz
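
The two loops from the posts above, side by side, as an added example that is not part of the original thread or of the luksopen script. CRYPTSETUP, MAPPER_DIR, ATTEMPTS and fake_cryptsetup are hypothetical names introduced here so the retry logic can be exercised without a real LUKS device; the stub is a constructed stand-in for a build whose luksOpen always exits 0.

```shell
#!/bin/sh
# Added example: compare a retry loop that trusts the luksOpen exit status
# with one that checks for the mapping node, as the workaround above does.
# CRYPTSETUP and MAPPER_DIR are assumed override hooks, not cryptsetup options.
CRYPTSETUP=${CRYPTSETUP:-cryptsetup}
MAPPER_DIR=${MAPPER_DIR:-/dev/mapper}
ATTEMPTS=0

# Constructed stub: always exits 0 and creates the mapping node only on the
# call numbered GOOD_CALL (0 means never), mimicking the behaviour reported.
CALLS=0
GOOD_CALL=0
fake_cryptsetup() {
    CALLS=$((CALLS + 1))
    if [ "$CALLS" -eq "$GOOD_CALL" ]; then
        : > "$MAPPER_DIR/$3"        # $3 is the mapping name
    else
        echo "Command failed: No key available with this passphrase." >&2
    fi
    return 0
}

# Loop that trusts the exit status: stops at the first reported "success".
naive_open() {
    dev=$1; map=$2; j=3; ATTEMPTS=0
    while [ "$j" -gt 0 ]; do
        ATTEMPTS=$((ATTEMPTS + 1))
        if "$CRYPTSETUP" luksOpen "$dev" "$map"; then return 0; fi
        j=$((j - 1))
    done
    return 1
}

# Workaround loop: the mapping node is the only success signal, and the
# function's own status reflects whether the node exists at the end.
verified_open() {
    dev=$1; map=$2; j=3; ATTEMPTS=0
    while [ "$j" -gt 0 ] && [ ! -e "$MAPPER_DIR/$map" ]; do
        ATTEMPTS=$((ATTEMPTS + 1))
        "$CRYPTSETUP" luksOpen "$dev" "$map" || true   # status ignored on purpose
        j=$((j - 1))
    done
    [ -e "$MAPPER_DIR/$map" ]
}
```

If a mapping with that name already exists before the loop starts, verified_open makes no attempt and reports success, so a caller should make sure the name is unused first.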
Jonas Meurer
2006-06-11 09:19:51 UTC
Post by Marc Schwartz
Hi all,
I know that this has been reported here for Debian (last month by Dick
Middleton), but wanted to give a heads up to those running on FC5, which
I now am.
cryptsetup-luks-1.0.3-0.rc2
The return code for the function is fixed at 0, which will cause
problems when testing for a bad passphrase, such as for those using the
'luksopen' script from the wiki.
we have a patch for fixing that in debian. i attached it.
the patch is against cryptsetup-luks 1.0.3.

...
jonas
Marc Schwartz
2006-06-11 10:26:58 UTC
Post by Jonas Meurer
Post by Marc Schwartz
Hi all,
I know that this has been reported here for Debian (last month by Dick
Middleton), but wanted to give a heads up to those running on FC5, which
I now am.
cryptsetup-luks-1.0.3-0.rc2
The return code for the function is fixed at 0, which will cause
problems when testing for a bad passphrase, such as for those using the
'luksopen' script from the wiki.
we have a patch for fixing that in debian. i attached it.
the patch is against cryptsetup-luks 1.0.3.
Jonas,

Thanks for that.

Any objections if I attach the patch to the FC Bugzilla report?

Regards,

Marc
