diff options
| author | Lennart Poettering <lennart@poettering.net> | 2022-04-14 23:18:49 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2022-04-21 10:50:09 +0200 |
| commit | d2cba923be4c661975f2cbfe3b303aa3f106c679 (patch) | |
| tree | 12469c00e331ea874a19ad0d9cc77c0a1079d586 /src | |
| parent | main: voidify call to kmod_setup() (diff) | |
| download | systemd-d2cba923be4c661975f2cbfe3b303aa3f106c679.tar.xz systemd-d2cba923be4c661975f2cbfe3b303aa3f106c679.zip | |
creds-util: also warn about unencrypted creds host key if we are creating it
Previously we'd only warn when we consume it, but it's even more
relevant to warn if we save it to an unencrypted storage location.
Diffstat (limited to 'src')
| -rw-r--r-- | src/shared/creds-util.c | 36 |
1 files changed, 25 insertions, 11 deletions
diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c index 95540979ad..7691f36089 100644 --- a/src/shared/creds-util.c +++ b/src/shared/creds-util.c @@ -94,9 +94,30 @@ struct credential_host_secret_format { uint8_t data[CREDENTIAL_HOST_SECRET_SIZE]; } _packed_; +static void warn_not_encrypted(int fd, CredentialSecretFlags flags, const char *dirname, const char *filename) { + int r; + + assert(fd >= 0); + assert(dirname); + assert(filename); + + if (!FLAGS_SET(flags, CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED)) + return; + + r = fd_is_encrypted(fd); + if (r < 0) + log_debug_errno(r, "Failed to determine if credential secret file '%s/%s' is encrypted.", + dirname, filename); + else if (r == 0) + log_warning("Credential secret file '%s/%s' is not located on encrypted media, using anyway.", + dirname, filename); +} + static int make_credential_host_secret( int dfd, const sd_id128_t machine_id, + CredentialSecretFlags flags, + const char *dirname, const char *fn, void **ret_data, size_t *ret_size) { @@ -142,6 +163,8 @@ static int make_credential_host_secret( goto finish; } + warn_not_encrypted(fd, flags, dirname, fn); + if (t) { r = rename_noreplace(dfd, t, dfd, fn); if (r < 0) @@ -248,7 +271,7 @@ int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t * "Failed to open %s/%s: %m", dirname, filename); - r = make_credential_host_secret(dfd, machine_id, filename, ret, ret_size); + r = make_credential_host_secret(dfd, machine_id, flags, dirname, filename, ret, ret_size); if (r == -EEXIST) { log_debug_errno(r, "Credential secret %s/%s appeared while we were creating it, rereading.", dirname, filename); @@ -257,7 +280,6 @@ int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t * if (r < 0) return log_debug_errno(r, "Failed to create credential secret %s/%s: %m", dirname, filename); - return 0; } @@ -302,15 +324,7 @@ int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t * if (sd_id128_equal(machine_id, f->machine_id)) { size_t sz; - if (FLAGS_SET(flags, CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED)) { - r = fd_is_encrypted(fd); - if (r < 0) - log_debug_errno(r, "Failed to determine if credential secret file '%s/%s' is encrypted.", - dirname, filename); - else if (r == 0) - log_warning("Credential secret file '%s/%s' is not located on encrypted media, using anyway.", - dirname, filename); - } + warn_not_encrypted(fd, flags, dirname, filename); sz = l - offsetof(struct credential_host_secret_format, data); assert(sz > 0); |