From 187bfa7b0d17a234b60effb8fd764daed7a5ebcb Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 7 Nov 2024 10:30:34 +0100 Subject: [PATCH] ask-password-api: move tty_fd into AskPasswordRequest structure, too --- src/ask-password/ask-password.c | 1 + src/bootctl/bootctl-install.c | 1 + src/cryptenroll/cryptenroll-password.c | 2 ++ src/cryptenroll/cryptenroll-tpm2.c | 1 + src/cryptsetup/cryptsetup.c | 2 ++ src/firstboot/firstboot.c | 5 +++-- src/home/homectl.c | 4 ++++ src/keyutil/keyutil.c | 2 ++ src/measure/measure.c | 1 + src/pcrlock/pcrlock.c | 1 + src/repart/repart.c | 1 + src/sbsign/sbsign.c | 1 + src/shared/ask-password-api.c | 8 +++++--- src/shared/ask-password-api.h | 3 ++- src/shared/cryptsetup-fido2.c | 1 + src/shared/cryptsetup-tpm2.c | 1 + src/shared/dissect-image.c | 1 + src/shared/libfido2-util.c | 1 + src/shared/pkcs11-util.c | 1 + src/test/test-ask-password-api.c | 3 ++- src/tty-ask-password-agent/tty-ask-password-agent.c | 4 +++- 21 files changed, 37 insertions(+), 8 deletions(-) diff --git a/src/ask-password/ask-password.c b/src/ask-password/ask-password.c index 59eb7acdddb..17e5fa4dc1a 100644 --- a/src/ask-password/ask-password.c +++ b/src/ask-password/ask-password.c @@ -252,6 +252,7 @@ static int run(int argc, char *argv[]) { timeout = arg_timeout > 0 ? usec_add(now(CLOCK_MONOTONIC), arg_timeout) : 0; AskPasswordRequest req = { + .tty_fd = -EBADF, .message = arg_message, .icon = arg_icon, .id = arg_id, diff --git a/src/bootctl/bootctl-install.c b/src/bootctl/bootctl-install.c index 7ad264d8821..0a5b59a5030 100644 --- a/src/bootctl/bootctl-install.c +++ b/src/bootctl/bootctl-install.c @@ -984,6 +984,7 @@ int verb_install(int argc, char *argv[], void *userdata) { arg_private_key_source, arg_private_key, &(AskPasswordRequest) { + .tty_fd = -EBADF, .id = "bootctl-private-key-pin", .keyring = arg_private_key, .credential = "bootctl.private-key-pin", diff --git a/src/cryptenroll/cryptenroll-password.c b/src/cryptenroll/cryptenroll-password.c index f6b53d4a76b..0560eddb664 100644 --- a/src/cryptenroll/cryptenroll-password.c +++ b/src/cryptenroll/cryptenroll-password.c @@ -55,6 +55,7 @@ int load_volume_key_password( return log_oom(); AskPasswordRequest req = { + .tty_fd = -EBADF, .message = question, .icon = "drive-harddisk", .id = id, @@ -130,6 +131,7 @@ int enroll_password( return log_oom(); AskPasswordRequest req = { + .tty_fd = -EBADF, .icon = "drive-harddisk", .id = id, .keyring = "cryptenroll", diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c index ca163ef3c2f..a5750427dc7 100644 --- a/src/cryptenroll/cryptenroll-tpm2.c +++ b/src/cryptenroll/cryptenroll-tpm2.c @@ -119,6 +119,7 @@ static int get_pin(char **ret_pin_str, TPM2Flags *ret_flags) { SYNTHETIC_ERRNO(ENOKEY), "Too many attempts, giving up."); AskPasswordRequest req = { + .tty_fd = -EBADF, .message = "Please enter TPM2 PIN:", .icon = "drive-harddisk", .keyring = "tpm2-pin", diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c index 1da9e21d8e2..97acb03baf7 100644 --- a/src/cryptsetup/cryptsetup.c +++ b/src/cryptsetup/cryptsetup.c @@ -906,6 +906,7 @@ static int get_password( return log_oom(); AskPasswordRequest req = { + .tty_fd = -EBADF, .message = text, .icon = "drive-harddisk", .id = id, @@ -1422,6 +1423,7 @@ static int crypt_activate_by_token_pin_ask_password( pins = strv_free_erase(pins); AskPasswordRequest req = { + .tty_fd = -EBADF, .message = message, .icon = "drive-harddisk", .keyring = keyring, diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c index bf9b840a23c..08c80f539a9 100644 --- a/src/firstboot/firstboot.c +++ b/src/firstboot/firstboot.c @@ -735,10 +735,11 @@ static int prompt_root_password(int rfd) { _cleanup_free_ char *error = NULL; AskPasswordRequest req = { + .tty_fd = -EBADF, .message = msg1, }; - r = ask_password_tty(-EBADF, &req, /* until= */ 0, /* flags= */ 0, &a); + r = ask_password_tty(&req, /* until= */ 0, /* flags= */ 0, &a); if (r < 0) return log_error_errno(r, "Failed to query root password: %m"); if (strv_length(a) != 1) @@ -760,7 +761,7 @@ static int prompt_root_password(int rfd) { req.message = msg2; - r = ask_password_tty(-EBADF, &req, /* until= */ 0, /* flags= */ 0, &b); + r = ask_password_tty(&req, /* until= */ 0, /* flags= */ 0, &b); if (r < 0) return log_error_errno(r, "Failed to query root password: %m"); if (strv_length(b) != 1) diff --git a/src/home/homectl.c b/src/home/homectl.c index b3aacbcbcf9..fbb38b64cf2 100644 --- a/src/home/homectl.c +++ b/src/home/homectl.c @@ -263,6 +263,7 @@ static int acquire_existing_password( return log_oom(); AskPasswordRequest req = { + .tty_fd = -EBADF, .message = question, .icon = "user-home", .keyring = "home-password", @@ -321,6 +322,7 @@ static int acquire_recovery_key( return log_oom(); AskPasswordRequest req = { + .tty_fd = -EBADF, .message = question, .icon = "user-home", .keyring = "home-recovery-key", @@ -375,6 +377,7 @@ static int acquire_token_pin( return log_oom(); AskPasswordRequest req = { + .tty_fd = -EBADF, .message = question, .icon = "user-home", .keyring = "token-pin", @@ -1229,6 +1232,7 @@ static int acquire_new_password( return log_oom(); AskPasswordRequest req = { + .tty_fd = -EBADF, .message = question, .icon = "user-home", .keyring = "home-password", diff --git a/src/keyutil/keyutil.c b/src/keyutil/keyutil.c index 70176c76c73..b034c1c40fe 100644 --- a/src/keyutil/keyutil.c +++ b/src/keyutil/keyutil.c @@ -182,6 +182,7 @@ static int verb_validate(int argc, char *argv[], void *userdata) { arg_private_key_source, arg_private_key, &(AskPasswordRequest) { + .tty_fd = -EBADF, .id = "keyutil-private-key-pin", .keyring = arg_private_key, .credential = "keyutil.private-key-pin", @@ -238,6 +239,7 @@ static int verb_public(int argc, char *argv[], void *userdata) { arg_private_key_source, arg_private_key, &(AskPasswordRequest) { + .tty_fd = -EBADF, .id = "keyutil-private-key-pin", .keyring = arg_private_key, .credential = "keyutil.private-key-pin", diff --git a/src/measure/measure.c b/src/measure/measure.c index 22dd1831253..c4ca9dc8da6 100644 --- a/src/measure/measure.c +++ b/src/measure/measure.c @@ -888,6 +888,7 @@ static int verb_sign(int argc, char *argv[], void *userdata) { arg_private_key_source, arg_private_key, &(AskPasswordRequest) { + .tty_fd = -EBADF, .id = "measure-private-key-pin", .keyring = arg_private_key, .credential = "measure.private-key-pin", diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c index 03611d507c4..8f8f6d26481 100644 --- a/src/pcrlock/pcrlock.c +++ b/src/pcrlock/pcrlock.c @@ -4550,6 +4550,7 @@ static int make_policy(bool force, RecoveryPinMode recovery_pin_mode) { _cleanup_(strv_free_erasep) char **l = NULL; AskPasswordRequest req = { + .tty_fd = -EBADF, .message = "Recovery PIN", .id = "pcrlock-recovery-pin", .credential = "pcrlock.recovery-pin", diff --git a/src/repart/repart.c b/src/repart/repart.c index 1a88185c475..a89810fbf57 100644 --- a/src/repart/repart.c +++ b/src/repart/repart.c @@ -8572,6 +8572,7 @@ static int parse_argv(int argc, char *argv[], X509 **ret_certificate, EVP_PKEY * arg_private_key_source, arg_private_key, &(AskPasswordRequest) { + .tty_fd = -EBADF, .id = "repart-private-key-pin", .keyring = arg_private_key, .credential = "repart.private-key-pin", diff --git a/src/sbsign/sbsign.c b/src/sbsign/sbsign.c index d17fdfea5ed..538c2ebe63e 100644 --- a/src/sbsign/sbsign.c +++ b/src/sbsign/sbsign.c @@ -203,6 +203,7 @@ static int verb_sign(int argc, char *argv[], void *userdata) { arg_private_key_source, arg_private_key, &(AskPasswordRequest) { + .tty_fd = -EBADF, .id = "sbsign-private-key-pin", .keyring = arg_private_key, .credential = "sbsign.private-key-pin", diff --git a/src/shared/ask-password-api.c b/src/shared/ask-password-api.c index e8ba9a2c361..f1e2b06c3dc 100644 --- a/src/shared/ask-password-api.c +++ b/src/shared/ask-password-api.c @@ -463,7 +463,6 @@ int ask_password_plymouth( #define SKIPPED "(skipped)" int ask_password_tty( - int ttyfd, const AskPasswordRequest *req, usec_t until, AskPasswordFlags flags, @@ -526,8 +525,11 @@ int ask_password_tty( CLEANUP_ERASE(passphrase); /* If the caller didn't specify a TTY, then use the controlling tty, if we can. */ - if (ttyfd < 0) + int ttyfd; + if (req->tty_fd < 0) ttyfd = cttyfd = open("/dev/tty", O_RDWR|O_NOCTTY|O_CLOEXEC); + else + ttyfd = req->tty_fd; if (ttyfd >= 0) { if (tcgetattr(ttyfd, &old_termios) < 0) @@ -1128,7 +1130,7 @@ int ask_password_auto( } if (!FLAGS_SET(flags, ASK_PASSWORD_NO_TTY) && isatty_safe(STDIN_FILENO)) - return ask_password_tty(-EBADF, req, until, flags, ret); + return ask_password_tty(req, until, flags, ret); if (!FLAGS_SET(flags, ASK_PASSWORD_NO_AGENT)) return ask_password_agent(req, until, flags, ret); diff --git a/src/shared/ask-password-api.h b/src/shared/ask-password-api.h index c8763700c8c..1abaad2134f 100644 --- a/src/shared/ask-password-api.h +++ b/src/shared/ask-password-api.h @@ -27,9 +27,10 @@ typedef struct AskPasswordRequest { const char *id; /* some identifier used for this prompt for the "ask-password" protocol */ const char *credential; /* $CREDENTIALS_DIRECTORY credential name */ const char *flag_file; /* Once this flag file disappears abort the query */ + int tty_fd; /* If querying on a TTY, the TTY to query on (or -EBADF) */ } AskPasswordRequest; -int ask_password_tty(int tty_fd, const AskPasswordRequest *req, usec_t until, AskPasswordFlags flags, char ***ret); +int ask_password_tty(const AskPasswordRequest *req, usec_t until, AskPasswordFlags flags, char ***ret); int ask_password_plymouth(const AskPasswordRequest *req, usec_t until, AskPasswordFlags flags, char ***ret); int ask_password_agent(const AskPasswordRequest *req, usec_t until, AskPasswordFlags flag, char ***ret); int ask_password_auto(const AskPasswordRequest *req, usec_t until, AskPasswordFlags flag, char ***ret); diff --git a/src/shared/cryptsetup-fido2.c b/src/shared/cryptsetup-fido2.c index 1e1ef6dec02..6e4b120ae6a 100644 --- a/src/shared/cryptsetup-fido2.c +++ b/src/shared/cryptsetup-fido2.c @@ -112,6 +112,7 @@ int acquire_fido2_key( return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the '$PIN' environment variable."); static const AskPasswordRequest req = { + .tty_fd = -EBADF, .message = "Please enter security token PIN:", .icon = "drive-harddisk", .keyring = "fido2-pin", diff --git a/src/shared/cryptsetup-tpm2.c b/src/shared/cryptsetup-tpm2.c index bc4fb100bb1..05f0fa2bfa7 100644 --- a/src/shared/cryptsetup-tpm2.c +++ b/src/shared/cryptsetup-tpm2.c @@ -35,6 +35,7 @@ static int get_pin( "Use the '$PIN' environment variable."); AskPasswordRequest req = { + .tty_fd = -EBADF, .message = "Please enter TPM2 PIN:", .icon = "drive-harddisk", .keyring = "tpm2-pin", diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c index 39c5c8a21a2..5a65f55fca9 100644 --- a/src/shared/dissect-image.c +++ b/src/shared/dissect-image.c @@ -3077,6 +3077,7 @@ int dissected_image_decrypt_interactively( z = strv_free_erase(z); static const AskPasswordRequest req = { + .tty_fd = -EBADF, .message = "Please enter image passphrase:", .id = "dissect", .keyring = "dissect", diff --git a/src/shared/libfido2-util.c b/src/shared/libfido2-util.c index b518dec7fa8..8e981f4c846 100644 --- a/src/shared/libfido2-util.c +++ b/src/shared/libfido2-util.c @@ -857,6 +857,7 @@ int fido2_generate_hmac_hash( for (;;) { _cleanup_strv_free_erase_ char **pin = NULL; AskPasswordRequest req = { + .tty_fd = -EBADF, .message = "Please enter security token PIN:", .icon = askpw_icon, .keyring = "fido2-pin", diff --git a/src/shared/pkcs11-util.c b/src/shared/pkcs11-util.c index c7fa3eccb27..caec1606ed0 100644 --- a/src/shared/pkcs11-util.c +++ b/src/shared/pkcs11-util.c @@ -380,6 +380,7 @@ int pkcs11_token_login( return log_oom(); AskPasswordRequest req = { + .tty_fd = -EBADF, .message = text, .icon = askpw_icon, .id = id, diff --git a/src/test/test-ask-password-api.c b/src/test/test-ask-password-api.c index efd19696c89..ccf3cee9f38 100644 --- a/src/test/test-ask-password-api.c +++ b/src/test/test-ask-password-api.c @@ -9,11 +9,12 @@ TEST(ask_password) { int r; static const AskPasswordRequest req = { + .tty_fd = -EBADF, .message = "hello?", .keyring = "da key", }; - r = ask_password_tty(-EBADF, &req, /* until= */ 0, /* flags= */ ASK_PASSWORD_CONSOLE_COLOR, &ret); + r = ask_password_tty(&req, /* until= */ 0, /* flags= */ ASK_PASSWORD_CONSOLE_COLOR, &ret); if (r == -ECANCELED) ASSERT_NULL(ret); else { diff --git a/src/tty-ask-password-agent/tty-ask-password-agent.c b/src/tty-ask-password-agent/tty-ask-password-agent.c index 3c38fbbd41e..fdc819754bc 100644 --- a/src/tty-ask-password-agent/tty-ask-password-agent.c +++ b/src/tty-ask-password-agent/tty-ask-password-agent.c @@ -148,11 +148,12 @@ static int agent_ask_password_tty( } AskPasswordRequest req = { + .tty_fd = tty_fd, .message = message, .flag_file = flag_file, }; - r = ask_password_tty(tty_fd, &req, until, flags, ret); + r = ask_password_tty(&req, until, flags, ret); if (arg_console) { assert(tty_fd >= 0); @@ -254,6 +255,7 @@ static int process_one_password_file(const char *filename, FILE *f) { } else { if (arg_plymouth) { AskPasswordRequest req = { + .tty_fd = -EBADF, .message = message, .flag_file = filename, };