author | Lennart Poettering <lennart@poettering.net> | 2022-04-21 15:07:45 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-04-21 15:07:45 +0200 |
commit | 6a25ce43800c3beb715ed6067af9b06b341b7db5 (patch) | |
tree | fc2c5623127070d5928af58ec46906d2149af27c | |
parent | 6ae16e01b59e4e06ecb14db55e9f34396b398014 (diff) | |
parent | fa998da2df66c16b3b24cc8a8fdcb23506faecdd (diff) | |
download | systemd-6a25ce43800c3beb715ed6067af9b06b341b7db5.tar.gz |
Merge pull request #23148 from poettering/creds-util-mini-tweaks
creds-util: two minor tweaks
-rw-r--r-- | src/shared/creds-util.c | 38 |
1 files changed, 26 insertions, 12 deletions
diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
index 95540979ad..ac53693eb0 100644
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@@ -94,9 +94,30 @@ struct credential_host_secret_format {
 uint8_t data[CREDENTIAL_HOST_SECRET_SIZE];
 } _packed_;
+static void warn_not_encrypted(int fd, CredentialSecretFlags flags, const char *dirname, const char *filename) {
+ int r;
+
+ assert(fd >= 0);
+ assert(dirname);
+ assert(filename);
+
+ if (!FLAGS_SET(flags, CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED))
+ return;
+
+ r = fd_is_encrypted(fd);
+ if (r < 0)
+ log_debug_errno(r, "Failed to determine if credential secret file '%s/%s' is encrypted.",
+ dirname, filename);
+ else if (r == 0)
+ log_warning("Credential secret file '%s/%s' is not located on encrypted media, using anyway.",
+ dirname, filename);
+}
+
 static int make_credential_host_secret(
 int dfd,
 const sd_id128_t machine_id,
+ CredentialSecretFlags flags,
+ const char *dirname,
 const char *fn,
 void **ret_data,
 size_t *ret_size) {
@@ -142,6 +163,8 @@ static int make_credential_host_secret(
 goto finish;
 }
+ warn_not_encrypted(fd, flags, dirname, fn);
+
 if (t) {
 r = rename_noreplace(dfd, t, dfd, fn);
 if (r < 0)
@@ -248,7 +271,7 @@ int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *
 "Failed to open %s/%s: %m", dirname, filename);
- r = make_credential_host_secret(dfd, machine_id, filename, ret, ret_size);
+ r = make_credential_host_secret(dfd, machine_id, flags, dirname, filename, ret, ret_size);
 if (r == -EEXIST) {
 log_debug_errno(r, "Credential secret %s/%s appeared while we were creating it, rereading.",
 dirname, filename);
@@ -257,7 +280,6 @@ int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *
 if (r < 0)
 return log_debug_errno(r, "Failed to create credential secret %s/%s: %m", dirname, filename);
-
 return 0;
 }
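Review bot: warn_not_encrypted in the first hunk has no header comment, and its contract — it only logs and never fails, and the caller proceeds with the secret on every outcome, including the `fd_is_encrypted` error path that is reported at debug level only — is worth stating now that it is shared by make_credential_host_secret (second hunk) and the reread path in get_credential_host_secret (the hunk at line 302). Suggest above the definition: `/* Advisory only: warns when the host secret does not live on encrypted media (debug-logs if that cannot be determined); never fails, the secret is used either way. */`. In make_credential_host_secret the new call sits after the secret has been written and before the rename, so the warning is emitted only once the key material already exists on that media; the function's body starts and ends outside the hunk, so whether an earlier `goto finish` path bypasses it cannot be seen here.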
@@ -302,15 +324,7 @@ int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *
 if (sd_id128_equal(machine_id, f->machine_id)) {
 size_t sz;
- if (FLAGS_SET(flags, CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED)) {
- r = fd_is_encrypted(fd);
- if (r < 0)
- log_debug_errno(r, "Failed to determine if credential secret file '%s/%s' is encrypted.",
- dirname, filename);
- else if (r == 0)
- log_warning("Credential secret file '%s/%s' is not located on encrypted media, using anyway.",
- dirname, filename);
- }
+ warn_not_encrypted(fd, flags, dirname, filename);
 sz = l - offsetof(struct credential_host_secret_format, data);
 assert(sz > 0);
@@ -570,7 +584,7 @@ int encrypt_credential_and_warn(
 else if (!sd_id128_equal(with_key, _CRED_AUTO))
 return r;
- log_debug_errno(r, "TPM2 sealing didn't work, not using: %m");
+ log_notice_errno(r, "TPM2 sealing didn't work, continuing without TPM2: %m");
 }
 assert(tpm2_blob_size <= CREDENTIAL_FIELD_SIZE_MAX); |
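Review bot: The last hunk raises the TPM2 fallback message from debug to notice, but the visible `else if` only returns early when with_key is not `_CRED_AUTO`, so with the automatic key a host without any TPM2 device would presumably log this notice on every credential encryption — noisy, unless the branches before the hunk already filter the not-supported case (encrypt_credential_and_warn starts and ends outside the hunk, so that cannot be seen here). If they do not, keeping the expected no-TPM case quiet while still surfacing real sealing failures would be `log_full_errno(ERRNO_IS_NOT_SUPPORTED(r) ? LOG_DEBUG : LOG_NOTICE, r, "TPM2 sealing didn't work, continuing without TPM2: %m");`. Since continuing without TPM2 means the credential is no longer bound to the device, the notice is the operator's only visible signal of that weaker protection, which argues for keeping it at notice or higher for the genuine-failure case.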