Package: cryptsetup
Version: 2:1.0.4+svn26-1
Severity: normal
Tags: +patch

Line 262 in setup.c makes get_key() return false if the input is not a tty. This is used on line 634 to abort any further tries at getting a passphrase.
This means that any --key-file is tried once only, which is a reasonable shortcut for reading static files no more than once. However, if --key-file=- there's a script feeding data to cryptsetup, and this script most definitely can produce different output. So please allow it to do so! (If a script happens to be idempotent the admin can set tries=1, but the admin can't override the builtin once-only right now.)

The fix is quite simple (trivial patch attached): retries are possible also if keyfile is -.

regards
az

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (990, 'stable'), (980, 'testing'), (970, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.19.2
Locale: LANG=C, LC_CTYPE=de_AT (charmap=ISO-8859-1)

Versions of packages cryptsetup depends on:
ii  dmsetup   2:1.02.08-1                     The Linux Kernel Device Mapper use
ii  libc6     2.3.6.ds1-13                    GNU C Library: Shared libraries
ii  libdevma  2:1.02.08-1                     The Linux Kernel Device Mapper use
ii  libgcryp  1.2.3-2                         LGPL Crypto library - runtime libr
ii  libgpg-e  1.4-1                           library for common error values an
ii  libpopt0  1.10-3                          lib for parsing cmdline parameters
ii  libuuid1  1.39+1.40-WIP-2006.11.14+dfsg-2 universally unique id library

cryptsetup recommends no packages.

-- no debconf information
--- lib/setup.c.orig 2007-04-20 15:29:52.000000000 +1000 +++ lib/setup.c 2007-04-20 15:36:25.000000000 +1000 @@ -259,7 +259,10 @@ *passLen = i; } - return isatty(fd); /* Return true, when password reading can be tried on interactive fds */ + return (options->key_file && !strcmp(options->key_file, "-") + ||isatty(fd); + /* Return true when password reading can be + retried: on interactive fds or from scripts */ out_err: if(pass)
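Review bot: the parentheses in the new return expression are unbalanced as shown: `return (options->key_file && !strcmp(options->key_file, "-")` opens a group that the following `||isatty(fd);` never closes, so the hunk will not compile as written. Close the group after the strcmp call, e.g. `return (options->key_file && !strcmp(options->key_file, "-")) || isatty(fd);`, which also makes the intended `&&`-before-`||` grouping explicit instead of relying on operator precedence (gcc's -Wparentheses would otherwise warn), and add the missing space after `||`. The new comment should also state the behavioural consequence: a retry on "-" reads further from stdin, so a caller that pipes a single fixed passphrase will now be asked again up to the configured number of tries and, as the report itself notes, should set tries=1.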
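The retry decision the report describes, as an added model in C (not cryptsetup's own code): a pipe stands in for `--key-file=-`, `can_retry()` is a hypothetical helper that switches between the original isatty-only rule and the proposed one, and `tries` bounds the loop the way `--tries` does.

```c
/* Added example, not cryptsetup code: models get_key()'s retry rule. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* May another passphrase be requested on this fd?
 * patched == 0: original rule, interactive fds only.
 * patched != 0: proposed rule, also when the key file is "-". */
static int can_retry(const char *key_file, int fd, int patched)
{
    if (patched && key_file && strcmp(key_file, "-") == 0)
        return 1;          /* a script on stdin can produce fresh output */
    return isatty(fd);
}

/* Read one newline-terminated candidate from fd; 0 on EOF or empty line. */
static int read_candidate(int fd, char *buf, size_t len)
{
    size_t n = 0;
    char c;
    while (n + 1 < len && read(fd, &c, 1) == 1) {
        if (c == '\n') break;
        buf[n++] = c;
    }
    buf[n] = '\0';
    return n > 0;
}

/* Returns the number of the attempt that matched, or 0 if none did.
 * Mirrors the abort on line 634: stop when get_key() says no retry. */
int unlock_attempts(const char *key_file, int fd, const char *expected,
                    int tries, int patched)
{
    char buf[128];
    for (int attempt = 1; attempt <= tries; attempt++) {
        if (!read_candidate(fd, buf, sizeof buf))
            return 0;                      /* script produced no more input */
        if (strcmp(buf, expected) == 0)
            return attempt;
        if (!can_retry(key_file, fd, patched))
            return 0;                      /* non-tty input: tried once only */
    }
    return 0;                              /* --tries exhausted */
}

/* Feed constructed candidates through a pipe (plays --key-file=-) and run. */
int run_scripted(const char *candidates, int tries, int patched)
{
    int p[2];
    if (pipe(p) != 0) return -1;
    if (write(p[1], candidates, strlen(candidates)) < 0) return -1;
    close(p[1]);                           /* EOF once the script is done */
    int r = unlock_attempts("-", p[0], "correct", tries, patched);
    close(p[0]);
    return r;
}
```

With the original rule the second, correct line the script writes is never read; with the proposed rule it is, and the retry count is still capped by `tries`.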