From: Lennart Poettering Date: Wed, 17 Sep 2025 08:22:02 +0000 (+0200) Subject: creds-util: tweak error code generation in decrypt_credential_and_warn() a bit, and... X-Git-Tag: v259-rc1~502^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9be0a94b9848096ad465eb3fc76fa9adc7118ab6;p=thirdparty%2Fsystemd.git creds-util: tweak error code generation in decrypt_credential_and_warn() a bit, and add a comment listing it Let's make some specific condition more recognizable via error codes of their own, and in particular remove confusion between EREMOTE as returned by tpm2_unseal() and by us.
---
diff --git a/src/creds/creds.c b/src/creds/creds.c
index f890593ea5c..380fd316d47 100644
--- a/src/creds/creds.c
+++ b/src/creds/creds.c
@@ -1411,7 +1411,7 @@ static int vl_method_decrypt(sd_varlink *link, sd_json_variant *parameters, sd_v
 if (r == -EBADMSG)
 return sd_varlink_error(link, "io.systemd.Credentials.BadFormat", NULL);
- if (r == -EREMOTE)
+ if (r == -EDESTADDRREQ)
 return sd_varlink_error(link, "io.systemd.Credentials.NameMismatch", NULL);
 if (r == -ESTALE)
 return sd_varlink_error(link, "io.systemd.Credentials.TimeMismatch", NULL);
diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
index 9426f003943..1e5cd937b46 100644
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
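Review bot: Only -EDESTADDRREQ is wired into this Varlink error chain, while the same commit also makes decrypt_credential_and_warn() return -EHWPOISON (previously -EBADMSG, which this chain reports as io.systemd.Credentials.BadFormat) and -EHOSTDOWN. Unless those are translated outside this hunk, a client of the decrypt method now presumably gets a generic failure where it used to get BadFormat, and the ipc_decrypt_credential() hunk in src/shared/creds-util.c shows no reverse translation for them either. If the distinction is meant to reach IPC callers, add one branch per code here, e.g. `if (r == -EHWPOISON) return sd_varlink_error(link, "io.systemd.Credentials.<ERROR_ID_PLACEHOLDER>", NULL);`, plus the matching `streq()` case on the client side. vl_method_decrypt() starts and ends outside the hunk, so its existing fallthrough is not visible.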
@@ -1201,6 +1201,19 @@ int decrypt_credential_and_warn(
 assert(iovec_is_valid(input));
 assert(ret);
+ /* Relevant error codes:
+ *
+ * -EBADMSG → Corrupted file
+ * -EOPNOTSUPP → Unsupported file type (could be: requires TPM but we have no TPM)
+ * -EHOSTDOWN → Need PCR signature file, but couldn't find it
+ * -EHWPOISON → Attempt to decode NULL key (and CREDENTIAL_ALLOW_NULL is off), but the system has a TPM and SecureBoot is on
+ * -EMEDIUMTYPE → File has unexpected scope, i.e. user-scoped credential is attempted to be unlocked in system scope, or vice versa
+ * -EDESTADDRREQ → Credential is incorrectly named (i.e. the authenticated name does not match the actual name)
+ * -ESTALE → Credential's valdity has passed
+ * -ESRCH → User specified for scope does not exist on this system
+ *
+ * (plus the various error codes tpm2_unseal() returns) */
+
 h = (struct encrypted_credential_header*) input->iov_base;
 /* The ID must fit in, for the current and all future formats */
@@ -1218,8 +1231,10 @@ int decrypt_credential_and_warn(
 if (with_tpm2_pk) {
 r = tpm2_load_pcr_signature(tpm2_signature_path, &signature_json);
+ if (r == -ENOENT)
+ return log_error_errno(SYNTHETIC_ERRNO(EHOSTDOWN), "Couldn't find PCR signature file: %m");
 if (r < 0)
- return log_error_errno(r, "Failed to load pcr signature: %m");
+ return log_error_errno(r, "Failed to load PCR signature: %m");
 }
 if (with_null && !FLAGS_SET(flags, CREDENTIAL_ALLOW_NULL)) {
@@ -1234,7 +1249,7 @@ int decrypt_credential_and_warn(
 if (efi_has_tpm2()) {
 if (is_efi_secure_boot())
- return log_error_errno(SYNTHETIC_ERRNO(EBADMSG),
+ return log_error_errno(SYNTHETIC_ERRNO(EHWPOISON),
 "Credential uses fixed key for fallback use when TPM2 is absent — but TPM2 is present, and SecureBoot is enabled, refusing.");
 log_warning("Credential uses fixed key for use when TPM2 is absent, but TPM2 is present! Accepting anyway, since SecureBoot is disabled.");
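Review bot: The new error-code table has a typo and one entry that looks narrower than the code it documents: `valdity` should be `validity`, and the ipc_decrypt_credential() hunk describes the same -ESTALE condition as "Outside of credential validity time window", which may also cover a credential that is not yet valid (the timestamp check is outside the hunk, so this needs confirming). I would write that line as `* -ESTALE → Credential is outside of its validity time window`. Since the commit message singles out -EREMOTE from tpm2_unseal() as the code that used to be confused with the name mismatch, the closing line could name it: `* (plus the various error codes tpm2_unseal() returns, notably -EREMOTE) */`. The table describes the function's contract but sits inside the body after the asserts, so a caller reading only the prototype will not find it.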
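Review bot: The added -ENOENT branch keeps `%m` in the format string while passing SYNTHETIC_ERRNO(EHOSTDOWN), so the logged text will presumably end in the description of EHOSTDOWN ("Host is down") instead of the reason the file was not found. That is misleading in exactly the log line an operator reads when a TPM2-bound credential fails to unlock. Drop the specifier, `return log_error_errno(SYNTHETIC_ERRNO(EHOSTDOWN), "Couldn't find PCR signature file.");`, or log the original `r` and then `return -EHOSTDOWN;`. The enclosing function starts and ends outside the hunk.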
@@ -1486,7 +1501,7 @@ int decrypt_credential_and_warn(
 if (r < 0 && r != -ENXIO)
 log_debug_errno(r, "Failed to parse $SYSTEMD_CREDENTIAL_VALIDATE_NAME: %m");
 if (r != 0)
- return log_error_errno(SYNTHETIC_ERRNO(EREMOTE), "Embedded credential name '%s' does not match filename '%s', refusing.", embedded_name, validate_name);
+ return log_error_errno(SYNTHETIC_ERRNO(EDESTADDRREQ), "Embedded credential name '%s' does not match filename '%s', refusing.", embedded_name, validate_name);
 log_debug("Embedded credential name '%s' does not match expected name '%s', but configured to use credential anyway.", embedded_name, validate_name);
 }
@@ -1640,7 +1655,7 @@ int ipc_decrypt_credential(const char *validate_name, usec_t validate_timestamp,
 if (streq(error_id, "io.systemd.Credentials.BadFormat"))
 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Bad credential format.");
 if (streq(error_id, "io.systemd.Credentials.NameMismatch"))
- return log_error_errno(SYNTHETIC_ERRNO(EREMOTE), "Name in credential doesn't match expectations.");
+ return log_error_errno(SYNTHETIC_ERRNO(EDESTADDRREQ), "Name in credential doesn't match expectations.");
 if (streq(error_id, "io.systemd.Credentials.TimeMismatch"))
 return log_error_errno(SYNTHETIC_ERRNO(ESTALE), "Outside of credential validity time window.");
 if (streq(error_id, "io.systemd.Credentials.NoSuchUser"))
diff --git a/src/test/test-creds.c b/src/test/test-creds.c
index 070b02fa90a..384c10c70e5 100644
--- a/src/test/test-creds.c
+++ b/src/test/test-creds.c
@@ -164,7 +164,7 @@ static void test_encrypt_decrypt_with(sd_id128_t mode, uid_t uid) {
 &encrypted,
 CREDENTIAL_ALLOW_NULL,
 &decrypted);
- ASSERT_ERROR(r, EREMOTE); /* name didn't match */
+ ASSERT_ERROR(r, EDESTADDRREQ); /* name didn't match */
 r = decrypt_credential_and_warn(
 "foo",