From d2cba923be4c661975f2cbfe3b303aa3f106c679 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 14 Apr 2022 23:18:49 +0200
Subject: [PATCH] creds-util: also warn about unencrypted creds host key if we are creating it

Previously we'd only warn when we consume it, but it's even more relevant to warn if we save it to an unencrypted storage location.
---
 src/shared/creds-util.c | 36 +++++++++++++++++++++++++-----------
 1 file changed, 25 insertions(+), 11 deletions(-)

diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
index 95540979ad6..7691f360894 100644
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@@ -94,9 +94,30 @@ struct credential_host_secret_format {
 uint8_t data[CREDENTIAL_HOST_SECRET_SIZE];
 } _packed_;
+static void warn_not_encrypted(int fd, CredentialSecretFlags flags, const char *dirname, const char *filename) {
+ int r;
+
+ assert(fd >= 0);
+ assert(dirname);
+ assert(filename);
+
+ if (!FLAGS_SET(flags, CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED))
+ return;
+
+ r = fd_is_encrypted(fd);
+ if (r < 0)
+ log_debug_errno(r, "Failed to determine if credential secret file '%s/%s' is encrypted.",
+ dirname, filename);
+ else if (r == 0)
+ log_warning("Credential secret file '%s/%s' is not located on encrypted media, using anyway.",
+ dirname, filename);
+}
+
 static int make_credential_host_secret(
 int dfd,
 const sd_id128_t machine_id,
+ CredentialSecretFlags flags,
+ const char *dirname,
 const char *fn,
 void **ret_data,
 size_t *ret_size) {
@@ -142,6 +163,8 @@ static int make_credential_host_secret(
 goto finish;
 }
+ warn_not_encrypted(fd, flags, dirname, fn);
+
 if (t) {
 r = rename_noreplace(dfd, t, dfd, fn);
 if (r < 0)
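Review bot: In `warn_not_encrypted()` the `fd_is_encrypted()` failure branch calls `log_debug_errno()` with a format string that has no `%m`, so the error never appears in the message text, unlike the `Failed to open %s/%s: %m` and `Failed to create credential secret %s/%s: %m` messages elsewhere in this patch; I would end the string with `is encrypted: %m",`. That branch is also debug-only, so with `CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED` set an undeterminable result gives the operator no visible hint that the host secret may be on plaintext storage. If that is intended, a comment above the helper such as `/* Advisory only: never fails; an undeterminable encryption state is only logged at debug level. */` would record it. The `log_warning()` text still ends in "using anyway", which describes the consume path and reads oddly now that the helper also runs when the secret is created.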
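Review bot: The added `warn_not_encrypted(fd, flags, dirname, fn);` runs before `rename_noreplace()`, so the warning can be logged for a secret that is never installed. When the rename fails with -EEXIST, `get_credential_host_secret()` logs "appeared while we were creating it, rereading" (third hunk) and presumably retries, where the consume-path call in the last hunk would warn a second time for the same path. Moving the call to just after the file has been put in place would tie the warning to the secret that is actually kept. The body of `make_credential_host_secret()` continues outside this hunk, so the exact spot after the rename/link step has to be checked against the full function.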
@@ -248,7 +271,7 @@ int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *
 "Failed to open %s/%s: %m", dirname, filename);
- r = make_credential_host_secret(dfd, machine_id, filename, ret, ret_size);
+ r = make_credential_host_secret(dfd, machine_id, flags, dirname, filename, ret, ret_size);
 if (r == -EEXIST) {
 log_debug_errno(r, "Credential secret %s/%s appeared while we were creating it, rereading.", dirname, filename);
@@ -257,7 +280,6 @@ int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *
 if (r < 0)
 return log_debug_errno(r, "Failed to create credential secret %s/%s: %m", dirname, filename);
-
 return 0;
 }
@@ -302,15 +324,7 @@ int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *
 if (sd_id128_equal(machine_id, f->machine_id)) {
 size_t sz;
- if (FLAGS_SET(flags, CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED)) {
- r = fd_is_encrypted(fd);
- if (r < 0)
- log_debug_errno(r, "Failed to determine if credential secret file '%s/%s' is encrypted.",
- dirname, filename);
- else if (r == 0)
- log_warning("Credential secret file '%s/%s' is not located on encrypted media, using anyway.",
- dirname, filename);
- }
+ warn_not_encrypted(fd, flags, dirname, filename);
 sz = l - offsetof(struct credential_host_secret_format, data);
 assert(sz > 0);
--
2.47.3