From: Forest <forestix@nom.one>
To: Grub-devel@gnu.org
Subject: [PATCH] cryptodisk: allow the user to retry failed passphrases
Date: Fri, 29 Mar 2024 23:48:00 -0700 [thread overview]
Message-ID: <27df0jtgqhlnloor3pm9q89uhnnqlach4n@sonic.net> (raw)
Hi, folks.
I have long wished that GRUB would give me a chance to retry whenever I
make a typo in a LUKS passphrase, rather than immediately dumping me into
the rescue shell, so I finally took a crack at it myself.
Would this be a welcome addition?
The patch is a bit easier to read in a viewer that ignores whitespace,
since a good chunk of the changed lines are from reordering and indenting
existing code.
Signed-off-by: Forest <forestix@nom.one>
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -1063,6 +1063,7 @@
grub_cryptodisk_dev_t cr;
struct cryptodisk_read_hook_ctx read_hook_data = {0};
int askpass = 0;
+ int tries;
char *part = NULL;
dev = grub_cryptodisk_get_by_source_disk (source);
@@ -1114,33 +1115,48 @@
if (!dev)
continue;
- if (!cargs->key_len)
+ if (cargs->key_len)
+ {
+ ret = cr->recover_key (source, dev, cargs);
+ if (ret != GRUB_ERR_NONE)
+ goto error;
+ }
+ else
{
/* Get the passphrase from the user, if no key data. */
askpass = 1;
- part = grub_partition_get_name (source->partition);
- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
- source->partition != NULL ? "," : "",
- part != NULL ? part : N_("UNKNOWN"),
- dev->uuid);
- grub_free (part);
-
cargs->key_data = grub_malloc (GRUB_CRYPTODISK_MAX_PASSPHRASE);
if (cargs->key_data == NULL)
goto error_no_close;
- if (!grub_password_get ((char *) cargs->key_data, GRUB_CRYPTODISK_MAX_PASSPHRASE))
+ for (tries = GRUB_CRYPTODISK_PASSPHRASE_TRIES; tries > 0; tries--)
{
- grub_error (GRUB_ERR_BAD_ARGUMENT, "passphrase not supplied");
- goto error;
+ part = grub_partition_get_name (source->partition);
+ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
+ source->partition != NULL ? "," : "",
+ part != NULL ? part : N_("UNKNOWN"),
+ dev->uuid);
+ grub_free (part);
+
+ if (!grub_password_get ((char *) cargs->key_data, GRUB_CRYPTODISK_MAX_PASSPHRASE))
+ {
+ grub_error (GRUB_ERR_BAD_ARGUMENT, "passphrase not supplied");
+ goto error;
+ }
+ cargs->key_len = grub_strlen ((char *) cargs->key_data);
+
+ ret = cr->recover_key (source, dev, cargs);
+ if (ret == GRUB_ERR_NONE)
+ break;
+ if (ret != GRUB_ERR_ACCESS_DENIED || tries == 1)
+ goto error;
+ grub_puts_ (N_("Invalid passphrase."));
+
+ /* Clear the last error to avoid recover_key() retry failure. */
+ grub_errno = GRUB_ERR_NONE;
}
- cargs->key_len = grub_strlen ((char *) cargs->key_data);
}
- ret = cr->recover_key (source, dev, cargs);
- if (ret != GRUB_ERR_NONE)
- goto error;
-
ret = grub_cryptodisk_insert (dev, name, source);
if (ret != GRUB_ERR_NONE)
goto error;
--- a/include/grub/cryptodisk.h
+++ b/include/grub/cryptodisk.h
@@ -64,6 +64,9 @@
#define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192
+/* Number of passphrase attempts the user is allowed. Must be > 0. */
+#define GRUB_CRYPTODISK_PASSPHRASE_TRIES 3
+
struct grub_cryptodisk;
typedef gcry_err_code_t
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
next reply other threads:[~2024-03-30 6:48 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-30 6:48 Forest [this message]
2024-04-04 7:50 ` [PATCH] cryptodisk: allow the user to retry failed passphrases Glenn Washburn
2024-04-07 21:40 ` Forest
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=27df0jtgqhlnloor3pm9q89uhnnqlach4n@sonic.net \
--to=forestix@nom.one \
--cc=Grub-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).