key lookup failure should always return EACCES
spa_do_crypt_abd() already maps a missing key to EACCES. However spa_do_crypt_mac_abd(), spa_do_crypt_objset_mac_abd(), and spa_crypt_get_salt() still return the raw spa_keystore_lookup_key() error (ENOENT). This is inconsistent As we want to treat all “no key” failures as a permission failure. Standardize on EACCES for the unloaded-key case. Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Alek Pinchuk <alek.pinchuk@connectwise.com> Closes #18448
This commit is contained in:
+1
-1
@@ -1874,7 +1874,7 @@ arc_hdr_authenticate(arc_buf_hdr_t *hdr, spa_t *spa, uint64_t dsobj)
|
||||
|
||||
if (ret == 0)
|
||||
arc_hdr_clear_flags(hdr, ARC_FLAG_NOAUTH);
|
||||
else if (ret == ENOENT)
|
||||
else if (ret == EACCES)
|
||||
ret = 0;
|
||||
|
||||
if (free_abd)
|
||||
|
||||
+17
-36
@@ -2677,23 +2677,16 @@ int
|
||||
spa_crypt_get_salt(spa_t *spa, uint64_t dsobj, uint8_t *salt)
|
||||
{
|
||||
int ret;
|
||||
dsl_crypto_key_t *dck = NULL;
|
||||
dsl_crypto_key_t *dck;
|
||||
|
||||
/* look up the key from the spa's keystore */
|
||||
ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck);
|
||||
if (ret != 0)
|
||||
goto error;
|
||||
return (SET_ERROR(EACCES));
|
||||
|
||||
ret = zio_crypt_key_get_salt(&dck->dck_key, salt);
|
||||
if (ret != 0)
|
||||
goto error;
|
||||
|
||||
spa_keystore_dsl_key_rele(spa, dck, FTAG);
|
||||
return (0);
|
||||
|
||||
error:
|
||||
if (dck != NULL)
|
||||
spa_keystore_dsl_key_rele(spa, dck, FTAG);
|
||||
return (ret);
|
||||
}
|
||||
|
||||
@@ -2708,9 +2701,7 @@ spa_do_crypt_objset_mac_abd(boolean_t generate, spa_t *spa, uint64_t dsobj,
|
||||
abd_t *abd, uint_t datalen, boolean_t byteswap)
|
||||
{
|
||||
int ret;
|
||||
dsl_crypto_key_t *dck = NULL;
|
||||
void *buf = abd_borrow_buf_copy(abd, datalen);
|
||||
objset_phys_t *osp = buf;
|
||||
dsl_crypto_key_t *dck;
|
||||
uint8_t portable_mac[ZIO_OBJSET_MAC_LEN];
|
||||
uint8_t local_mac[ZIO_OBJSET_MAC_LEN];
|
||||
const uint8_t zeroed_mac[ZIO_OBJSET_MAC_LEN] = {0};
|
||||
@@ -2718,15 +2709,19 @@ spa_do_crypt_objset_mac_abd(boolean_t generate, spa_t *spa, uint64_t dsobj,
|
||||
/* look up the key from the spa's keystore */
|
||||
ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck);
|
||||
if (ret != 0)
|
||||
goto error;
|
||||
return (SET_ERROR(EACCES));
|
||||
|
||||
void *buf = abd_borrow_buf_copy(abd, datalen);
|
||||
objset_phys_t *osp = buf;
|
||||
|
||||
/* calculate both HMACs */
|
||||
ret = zio_crypt_do_objset_hmacs(&dck->dck_key, buf, datalen,
|
||||
byteswap, portable_mac, local_mac);
|
||||
if (ret != 0)
|
||||
goto error;
|
||||
|
||||
spa_keystore_dsl_key_rele(spa, dck, FTAG);
|
||||
if (ret != 0) {
|
||||
abd_return_buf(abd, buf, datalen);
|
||||
return (ret);
|
||||
}
|
||||
|
||||
/* if we are generating encode the HMACs in the objset_phys_t */
|
||||
if (generate) {
|
||||
@@ -2760,14 +2755,7 @@ spa_do_crypt_objset_mac_abd(boolean_t generate, spa_t *spa, uint64_t dsobj,
|
||||
}
|
||||
|
||||
abd_return_buf(abd, buf, datalen);
|
||||
|
||||
return (0);
|
||||
|
||||
error:
|
||||
if (dck != NULL)
|
||||
spa_keystore_dsl_key_rele(spa, dck, FTAG);
|
||||
abd_return_buf(abd, buf, datalen);
|
||||
return (ret);
|
||||
}
|
||||
|
||||
int
|
||||
@@ -2775,23 +2763,22 @@ spa_do_crypt_mac_abd(boolean_t generate, spa_t *spa, uint64_t dsobj, abd_t *abd,
|
||||
uint_t datalen, uint8_t *mac)
|
||||
{
|
||||
int ret;
|
||||
dsl_crypto_key_t *dck = NULL;
|
||||
uint8_t *buf = abd_borrow_buf_copy(abd, datalen);
|
||||
dsl_crypto_key_t *dck;
|
||||
uint8_t digestbuf[ZIO_DATA_MAC_LEN];
|
||||
|
||||
/* look up the key from the spa's keystore */
|
||||
ret = spa_keystore_lookup_key(spa, dsobj, FTAG, &dck);
|
||||
if (ret != 0)
|
||||
goto error;
|
||||
return (SET_ERROR(EACCES));
|
||||
|
||||
uint8_t *buf = abd_borrow_buf_copy(abd, datalen);
|
||||
/* perform the hmac */
|
||||
ret = zio_crypt_do_hmac(&dck->dck_key, buf, datalen,
|
||||
digestbuf, ZIO_DATA_MAC_LEN);
|
||||
if (ret != 0)
|
||||
goto error;
|
||||
|
||||
abd_return_buf(abd, buf, datalen);
|
||||
spa_keystore_dsl_key_rele(spa, dck, FTAG);
|
||||
abd_return_buf(abd, buf, datalen);
|
||||
if (ret != 0)
|
||||
return (ret);
|
||||
|
||||
/*
|
||||
* Truncate and fill in mac buffer if we were asked to generate a MAC.
|
||||
@@ -2806,12 +2793,6 @@ spa_do_crypt_mac_abd(boolean_t generate, spa_t *spa, uint64_t dsobj, abd_t *abd,
|
||||
return (SET_ERROR(ECKSUM));
|
||||
|
||||
return (0);
|
||||
|
||||
error:
|
||||
if (dck != NULL)
|
||||
spa_keystore_dsl_key_rele(spa, dck, FTAG);
|
||||
abd_return_buf(abd, buf, datalen);
|
||||
return (ret);
|
||||
}
|
||||
|
||||
/*
|
||||
|
||||
Reference in New Issue
Block a user