udisks2: fix LUKS2 auto-unlock failure with TPM2 pin #550
Merged
sergio-correia merged 3 commits into latchset:master from Apr 20, 2026
snprintf() returns the number of characters written excluding the null terminator. The pkt->used-- was intended to "remove the null terminator" from the count, but since snprintf already excludes it, this incorrectly truncated the last byte of actual JWE data. This caused LUKS2 auto-unlock via udisks2 to always fail with the TPM2 pin: the Rust clevis-pin-tpm2 strictly validates base64url encoding and rejects the truncated authentication tag. The Tang pin appeared unaffected because the jose C library is lenient about truncated base64url input. Also fix the boundary check to use >= instead of >, which would have accepted a JWE that was silently truncated by snprintf when the output exactly filled the buffer.

Assisted-by: Claude Opus 4.6
Signed-off-by: Sergio Correia <scorreia@redhat.com>

Extract token_to_jwe() and pkt_t into a separate compilation unit (token-to-jwe.c/h) so they can be tested independently without pulling in udisks2, luksmeta, or audit dependencies. The test verifies the critical invariant that pkt->used equals strlen(pkt->data) after conversion — the exact condition violated by the off-by-one bug fixed in the previous commit.

Assisted-by: Claude Opus 4.6
Signed-off-by: Sergio Correia <scorreia@redhat.com>

The check used `r == sizeof(msg)` which only catches exact-fit truncation. When snprintf would have written more than sizeof(msg) characters, it returns a value greater than sizeof(msg), and the old check would miss it. Use `>= sizeof(msg)` to catch all truncation cases, matching the fix applied to token_to_jwe().

Assisted-by: Claude Opus 4.6
Signed-off-by: Sergio Correia <scorreia@redhat.com>
sarroutbi (Collaborator) reviewed Apr 20, 2026 and left a comment:
Minor comment (https://github.com/latchset/clevis/pull/550/changes#diff-eeb31586df586f1ee075b14e094ab501873bafeb263cc8eb939d214748141030R25).
Rest of changes LGTM
`token_to_jwe()` had an off-by-one error: `pkt->used--` was meant to exclude the null terminator from the byte count, but `snprintf()` already excludes it. This truncated the last byte of the JWE authentication tag before piping it to `clevis decrypt`.

The Rust `clevis-pin-tpm2` strictly validates base64url encoding and rejected the truncated tag ("Encoded text cannot have a 6-bit remainder"), causing TPM2 auto-unlock via udisks2 to always fail on LUKS2 devices. Tang was unaffected because the C jose library tolerates truncated base64url input.
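
The off-by-one and the boundary check described above, as a stand-alone C example (added here for illustration, not code from clevis). `demo_pkt_t`, `demo_fill`, `demo_used`, `demo_b64url_len_ok`, the 32-byte buffer and the sample segments are assumptions; only the `data` and `used` field names come from the page.

```c
#include <stdio.h>

#define DEMO_BUF 32  /* assumed buffer size, chosen for the demo */

enum demo_mode { DEMO_FIXED, DEMO_OLD };

/* Hypothetical stand-in: only `data` and `used` are named on the page. */
typedef struct { char data[DEMO_BUF]; long used; } demo_pkt_t;

/* Builds "<head>.<tag>" with snprintf(); returns 0, or -1 when rejected. */
int demo_fill(demo_pkt_t *pkt, const char *head, const char *tag,
              enum demo_mode mode)
{
    int r = snprintf(pkt->data, sizeof(pkt->data), "%s.%s", head, tag);
    if (r < 0)
        return -1;
    if (mode == DEMO_OLD) {
        if ((size_t)r > sizeof(pkt->data))   /* misses r == size */
            return -1;
        pkt->used = r - 1;                   /* drops a real data byte */
    } else {
        if ((size_t)r >= sizeof(pkt->data))  /* r == size is truncation too */
            return -1;
        pkt->used = r;                       /* NUL is already excluded */
    }
    return 0;
}

/* Bytes that would be piped onward, or -1 if the input was rejected. */
long demo_used(const char *head, const char *tag, enum demo_mode mode)
{
    demo_pkt_t pkt = { "", 0 };
    return demo_fill(&pkt, head, tag, mode) == 0 ? pkt.used : -1;
}

/* Unpadded base64url never has length % 4 == 1 (6 leftover bits). */
int demo_b64url_len_ok(long len) { return len % 4 != 1; }

int main(void)
{
    const char *tag = "0123456789" "0123456789" "AA";  /* constructed, 22 chars */
    printf("fixed: used=%ld  old: used=%ld\n",
           demo_used("hdr", tag, DEMO_FIXED), demo_used("hdr", tag, DEMO_OLD));
    return 0;
}
```

With the old handling the constructed 22-character final segment is forwarded as 21 characters, a length no unpadded base64url string can have, which is the condition a strict decoder reports as a 6-bit remainder.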