shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-03-10 16:58:28 +03:00
Code

ask-password-api: move timeout into AskPasswordRequest structure too

Browse Source
This commit is contained in:
Lennart Poettering 2024-11-07 10:41:56 +01:00
parent 187bfa7b0d
commit ebe40c02f8
22 changed files with 62 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/ask-password/ask-password.c
View File

@ -258,9 +258,10 @@ static int run(int argc, char *argv[]) {
.id = arg_id,
.keyring = arg_key_name,
.credential = arg_credential_name ?: "password",
.until = timeout,
};
r = ask_password_auto(&req, timeout, arg_flags, &l);
r = ask_password_auto(&req, arg_flags, &l);
if (r < 0)
return log_error_errno(r, "Failed to query password: %m");

1
src/bootctl/bootctl-install.c
View File

@ -988,6 +988,7 @@ int verb_install(int argc, char *argv[], void *userdata) {
.id = "bootctl-private-key-pin",
.keyring = arg_private_key,
.credential = "bootctl.private-key-pin",
.until = USEC_INFINITY,
},
&private_key,
&ui);

8
src/cryptenroll/cryptenroll-password.c
View File

@ -61,6 +61,7 @@ int load_volume_key_password(
.id = id,
.keyring = "cryptenroll",
.credential = "cryptenroll.passphrase",
.until = USEC_INFINITY,
};
for (;;) {
@ -70,7 +71,7 @@ int load_volume_key_password(
return log_error_errno(SYNTHETIC_ERRNO(ENOKEY),
"Too many attempts, giving up.");
r = ask_password_auto(&req, USEC_INFINITY, ask_password_flags, &passwords);
r = ask_password_auto(&req, ask_password_flags, &passwords);
if (r < 0)
return log_error_errno(r, "Failed to query password: %m");
@ -136,6 +137,7 @@ int enroll_password(
.id = id,
.keyring = "cryptenroll",
.credential = "cryptenroll.new-passphrase",
.until = USEC_INFINITY,
};
for (;;) {
@ -152,7 +154,7 @@ int enroll_password(
req.message = question;
r = ask_password_auto(&req, USEC_INFINITY, /* flags= */ 0, &passwords);
r = ask_password_auto(&req, /* flags= */ 0, &passwords);
if (r < 0)
return log_error_errno(r, "Failed to query password: %m");
@ -165,7 +167,7 @@ int enroll_password(
req.message = question;
r = ask_password_auto(&req, USEC_INFINITY, /* flags= */ 0, &passwords2);
r = ask_password_auto(&req, /* flags= */ 0, &passwords2);
if (r < 0)
return log_error_errno(r, "Failed to query password: %m");

3
src/cryptenroll/cryptenroll-tpm2.c
View File

@ -124,12 +124,12 @@ static int get_pin(char **ret_pin_str, TPM2Flags *ret_flags) {
.icon = "drive-harddisk",
.keyring = "tpm2-pin",
.credential = "cryptenroll.new-tpm2-pin",
.until = USEC_INFINITY,
};
pin = strv_free_erase(pin);
r = ask_password_auto(
&req,
/* until= */ USEC_INFINITY,
/* flags= */ 0,
&pin);
if (r < 0)
@ -140,7 +140,6 @@ static int get_pin(char **ret_pin_str, TPM2Flags *ret_flags) {
r = ask_password_auto(
&req,
USEC_INFINITY,
/* flags= */ 0,
&pin2);
if (r < 0)

8
src/cryptsetup/cryptsetup.c
View File

@ -912,12 +912,13 @@ static int get_password(
.id = id,
.keyring = "cryptsetup",
.credential = "cryptsetup.passphrase",
.until = until,
};
if (ignore_cached)
flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
r = ask_password_auto(&req, until, flags, &passwords);
r = ask_password_auto(&req, flags, &passwords);
if (r < 0)
return log_error_errno(r, "Failed to query password: %m");
@ -938,7 +939,7 @@ static int get_password(
req.message = text;
req.id = id;
r = ask_password_auto(&req, until, flags, &passwords2);
r = ask_password_auto(&req, flags, &passwords2);
if (r < 0)
return log_error_errno(r, "Failed to query verification password: %m");
@ -1428,9 +1429,10 @@ static int crypt_activate_by_token_pin_ask_password(
.icon = "drive-harddisk",
.keyring = keyring,
.credential = credential,
.until = until,
};
r = ask_password_auto(&req, until, flags, &pins);
r = ask_password_auto(&req, flags, &pins);
if (r < 0)
return r;

5
src/firstboot/firstboot.c
View File

@ -737,9 +737,10 @@ static int prompt_root_password(int rfd) {
AskPasswordRequest req = {
.tty_fd = -EBADF,
.message = msg1,
.until = USEC_INFINITY,
};
r = ask_password_tty(&req, /* until= */ 0, /* flags= */ 0, &a);
r = ask_password_tty(&req, /* flags= */ 0, &a);
if (r < 0)
return log_error_errno(r, "Failed to query root password: %m");
if (strv_length(a) != 1)
@ -761,7 +762,7 @@ static int prompt_root_password(int rfd) {
req.message = msg2;
r = ask_password_tty(&req, /* until= */ 0, /* flags= */ 0, &b);
r = ask_password_tty(&req, /* flags= */ 0, &b);
if (r < 0)
return log_error_errno(r, "Failed to query root password: %m");
if (strv_length(b) != 1)

12
src/home/homectl.c
View File

@ -268,9 +268,10 @@ static int acquire_existing_password(
.icon = "user-home",
.keyring = "home-password",
.credential = "home.password",
.until = USEC_INFINITY,
};
r = ask_password_auto(&req, USEC_INFINITY, flags, &password);
r = ask_password_auto(&req, flags, &password);
if (r == -EUNATCH) { /* EUNATCH is returned if no password was found and asking interactively was
* disabled via the flags. Not an error for us. */
log_debug_errno(r, "No passwords acquired.");
@ -327,9 +328,10 @@ static int acquire_recovery_key(
.icon = "user-home",
.keyring = "home-recovery-key",
.credential = "home.recovery-key",
.until = USEC_INFINITY,
};
r = ask_password_auto(&req, USEC_INFINITY, flags, &recovery_key);
r = ask_password_auto(&req, flags, &recovery_key);
if (r == -EUNATCH) { /* EUNATCH is returned if no recovery key was found and asking interactively was
* disabled via the flags. Not an error for us. */
log_debug_errno(r, "No recovery keys acquired.");
@ -382,9 +384,10 @@ static int acquire_token_pin(
.icon = "user-home",
.keyring = "token-pin",
.credential = "home.token-pin",
.until = USEC_INFINITY,
};
r = ask_password_auto(&req, USEC_INFINITY, flags, &pin);
r = ask_password_auto(&req, flags, &pin);
if (r == -EUNATCH) { /* EUNATCH is returned if no PIN was found and asking interactively was disabled
* via the flags. Not an error for us. */
log_debug_errno(r, "No security token PINs acquired.");
@ -1237,11 +1240,11 @@ static int acquire_new_password(
.icon = "user-home",
.keyring = "home-password",
.credential = "home.new-password",
.until = USEC_INFINITY,
};
r = ask_password_auto(
&req,
USEC_INFINITY,
/* flags= */ 0, /* no caching, we want to collect a new password here after all */
&first);
if (r < 0)
@ -1257,7 +1260,6 @@ static int acquire_new_password(
r = ask_password_auto(
&req,
USEC_INFINITY,
/* flags= */ 0, /* no caching */
&second);
if (r < 0)

2
src/keyutil/keyutil.c
View File

@ -186,6 +186,7 @@ static int verb_validate(int argc, char *argv[], void *userdata) {
.id = "keyutil-private-key-pin",
.keyring = arg_private_key,
.credential = "keyutil.private-key-pin",
.until = USEC_INFINITY,
},
&private_key,
&ui);
@ -243,6 +244,7 @@ static int verb_public(int argc, char *argv[], void *userdata) {
.id = "keyutil-private-key-pin",
.keyring = arg_private_key,
.credential = "keyutil.private-key-pin",
.until = USEC_INFINITY,
},
&private_key,
&ui);

1
src/measure/measure.c
View File

@ -892,6 +892,7 @@ static int verb_sign(int argc, char *argv[], void *userdata) {
.id = "measure-private-key-pin",
.keyring = arg_private_key,
.credential = "measure.private-key-pin",
.until = USEC_INFINITY,
},
&privkey,
&ui);

2
src/pcrlock/pcrlock.c
View File

@ -4554,11 +4554,11 @@ static int make_policy(bool force, RecoveryPinMode recovery_pin_mode) {
.message = "Recovery PIN",
.id = "pcrlock-recovery-pin",
.credential = "pcrlock.recovery-pin",
.until = USEC_INFINITY,
};
r = ask_password_auto(
&req,
/* until= */ 0,
/* flags= */ 0,
&l);
if (r < 0)

1
src/repart/repart.c
View File

@ -8576,6 +8576,7 @@ static int parse_argv(int argc, char *argv[], X509 **ret_certificate, EVP_PKEY *
.id = "repart-private-key-pin",
.keyring = arg_private_key,
.credential = "repart.private-key-pin",
.until = USEC_INFINITY,
},
&private_key,
&ui);

1
src/sbsign/sbsign.c
View File

@ -207,6 +207,7 @@ static int verb_sign(int argc, char *argv[], void *userdata) {
.id = "sbsign-private-key-pin",
.keyring = arg_private_key,
.credential = "sbsign.private-key-pin",
.until = USEC_INFINITY,
},
&private_key,
&ui);

22
src/shared/ask-password-api.c
View File

@ -309,7 +309,6 @@ static int backspace_string(int ttyfd, const char *str) {
int ask_password_plymouth(
const AskPasswordRequest *req,
usec_t until,
AskPasswordFlags flags,
char ***ret) {
@ -369,8 +368,8 @@ int ask_password_plymouth(
for (;;) {
usec_t timeout;
if (until > 0)
timeout = usec_sub_unsigned(until, now(CLOCK_MONOTONIC));
if (req->until > 0)
timeout = usec_sub_unsigned(req->until, now(CLOCK_MONOTONIC));
else
timeout = USEC_INFINITY;
@ -464,7 +463,6 @@ int ask_password_plymouth(
int ask_password_tty(
const AskPasswordRequest *req,
usec_t until,
AskPasswordFlags flags,
char ***ret) {
@ -584,8 +582,8 @@ int ask_password_tty(
usec_t timeout;
ssize_t n;
if (until > 0)
timeout = usec_sub_unsigned(until, now(CLOCK_MONOTONIC));
if (req->until > 0)
timeout = usec_sub_unsigned(req->until, now(CLOCK_MONOTONIC));
else
timeout = USEC_INFINITY;
@ -799,7 +797,6 @@ static int create_socket(const char *askpwdir, char **ret) {
int ask_password_agent(
const AskPasswordRequest *req,
usec_t until,
AskPasswordFlags flags,
char ***ret) {
@ -894,7 +891,7 @@ int ask_password_agent(
socket_name,
FLAGS_SET(flags, ASK_PASSWORD_ACCEPT_CACHED),
FLAGS_SET(flags, ASK_PASSWORD_ECHO),
until,
req->until,
FLAGS_SET(flags, ASK_PASSWORD_SILENT));
if (req) {
@ -946,8 +943,8 @@ int ask_password_agent(
usec_t timeout;
ssize_t n;
if (until > 0)
timeout = usec_sub_unsigned(until, now(CLOCK_MONOTONIC));
if (req->until > 0)
timeout = usec_sub_unsigned(req->until, now(CLOCK_MONOTONIC));
else
timeout = USEC_INFINITY;
@ -1106,7 +1103,6 @@ static int ask_password_credential(const AskPasswordRequest *req, AskPasswordFla
int ask_password_auto(
const AskPasswordRequest *req,
usec_t until,
AskPasswordFlags flags,
char ***ret) {
@ -1130,10 +1126,10 @@ int ask_password_auto(
}
if (!FLAGS_SET(flags, ASK_PASSWORD_NO_TTY) && isatty_safe(STDIN_FILENO))
return ask_password_tty(req, until, flags, ret);
return ask_password_tty(req, flags, ret);
if (!FLAGS_SET(flags, ASK_PASSWORD_NO_AGENT))
return ask_password_agent(req, until, flags, ret);
return ask_password_agent(req, flags, ret);
return -EUNATCH;
}

9
src/shared/ask-password-api.h
View File

@ -28,11 +28,12 @@ typedef struct AskPasswordRequest {
const char *credential; /* $CREDENTIALS_DIRECTORY credential name */
const char *flag_file; /* Once this flag file disappears abort the query */
int tty_fd; /* If querying on a TTY, the TTY to query on (or -EBADF) */
usec_t until; /* CLOCK_MONOTONIC time until which to show the prompt */
} AskPasswordRequest;
int ask_password_tty(const AskPasswordRequest *req, usec_t until, AskPasswordFlags flags, char ***ret);
int ask_password_plymouth(const AskPasswordRequest *req, usec_t until, AskPasswordFlags flags, char ***ret);
int ask_password_agent(const AskPasswordRequest *req, usec_t until, AskPasswordFlags flag, char ***ret);
int ask_password_auto(const AskPasswordRequest *req, usec_t until, AskPasswordFlags flag, char ***ret);
int ask_password_tty(const AskPasswordRequest *req, AskPasswordFlags flags, char ***ret);
int ask_password_plymouth(const AskPasswordRequest *req, AskPasswordFlags flags, char ***ret);
int ask_password_agent(const AskPasswordRequest *req, AskPasswordFlags flag, char ***ret);
int ask_password_auto(const AskPasswordRequest *req, AskPasswordFlags flag, char ***ret);
int acquire_user_ask_password_directory(char **ret);

5
src/shared/cryptsetup-fido2.c
View File

@ -111,16 +111,17 @@ int acquire_fido2_key(
if (FLAGS_SET(askpw_flags, ASK_PASSWORD_HEADLESS))
return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the '$PIN' environment variable.");
static const AskPasswordRequest req = {
AskPasswordRequest req = {
.tty_fd = -EBADF,
.message = "Please enter security token PIN:",
.icon = "drive-harddisk",
.keyring = "fido2-pin",
.credential = "cryptsetup.fido2-pin",
.until = until,
};
pins = strv_free_erase(pins);
r = ask_password_auto(&req, until, askpw_flags, &pins);
r = ask_password_auto(&req, askpw_flags, &pins);
if (r < 0)
return log_error_errno(r, "Failed to ask for user password: %m");

3
src/shared/cryptsetup-tpm2.c
View File

@ -40,10 +40,11 @@ static int get_pin(
.icon = "drive-harddisk",
.keyring = "tpm2-pin",
.credential = askpw_credential,
.until = until,
};
pin = strv_free_erase(pin);
r = ask_password_auto(&req, until, askpw_flags, &pin);
r = ask_password_auto(&req, askpw_flags, &pin);
if (r < 0)
return log_error_errno(r, "Failed to ask for user pin: %m");
assert(strv_length(pin) == 1);

3
src/shared/dissect-image.c
View File

@ -3082,9 +3082,10 @@ int dissected_image_decrypt_interactively(
.id = "dissect",
.keyring = "dissect",
.credential = "dissect.passphrase",
.until = USEC_INFINITY,
};
r = ask_password_auto(&req, USEC_INFINITY, /* flags= */ 0, &z);
r = ask_password_auto(&req, /* flags= */ 0, &z);
if (r < 0)
return log_error_errno(r, "Failed to query for passphrase: %m");

3
src/shared/libfido2-util.c
View File

@ -862,9 +862,10 @@ int fido2_generate_hmac_hash(
.icon = askpw_icon,
.keyring = "fido2-pin",
.credential = askpw_credential,
.until = USEC_INFINITY,
};
r = ask_password_auto(&req, USEC_INFINITY, /* flags= */ 0, &pin);
r = ask_password_auto(&req, /* flags= */ 0, &pin);
if (r < 0)
return log_error_errno(r, "Failed to acquire user PIN: %m");

2
src/shared/openssl-util.c
View File

@ -1399,7 +1399,7 @@ static int openssl_ask_password_ui_read(UI *ui, UI_STRING *uis) {
req->message = UI_get0_output_string(uis);
_cleanup_(strv_freep) char **l = NULL;
r = ask_password_auto(req, /*until=*/ 0, ASK_PASSWORD_ACCEPT_CACHED|ASK_PASSWORD_PUSH_CACHE, &l);
r = ask_password_auto(req, ASK_PASSWORD_ACCEPT_CACHED|ASK_PASSWORD_PUSH_CACHE, &l);
if (r < 0) {
log_error_errno(r, "Failed to query for PIN: %m");
return 0;

3
src/shared/pkcs11-util.c
View File

@ -386,10 +386,11 @@ int pkcs11_token_login(
.id = id,
.keyring = askpw_keyring,
.credential = askpw_credential,
.until = until,
};
/* We never cache PINs, simply because it's fatal if we use wrong PINs, since usually there are only 3 tries */
r = ask_password_auto(&req, until, askpw_flags, &passwords);
r = ask_password_auto(&req, askpw_flags, &passwords);
if (r < 0)
return log_error_errno(r, "Failed to query PIN for security token '%s': %m", token_label);
}

3
src/test/test-ask-password-api.c
View File

@ -12,9 +12,10 @@ TEST(ask_password) {
.tty_fd = -EBADF,
.message = "hello?",
.keyring = "da key",
.until = USEC_INFINITY,
};
r = ask_password_tty(&req, /* until= */ 0, /* flags= */ ASK_PASSWORD_CONSOLE_COLOR, &ret);
r = ask_password_tty(&req, /* flags= */ ASK_PASSWORD_CONSOLE_COLOR, &ret);
if (r == -ECANCELED)
ASSERT_NULL(ret);
else {

6
src/tty-ask-password-agent/tty-ask-password-agent.c
View File

@ -151,9 +151,10 @@ static int agent_ask_password_tty(
.tty_fd = tty_fd,
.message = message,
.flag_file = flag_file,
.until = until,
};
r = ask_password_tty(&req, until, flags, ret);
r = ask_password_tty(&req, flags, ret);
if (arg_console) {
assert(tty_fd >= 0);
@ -258,9 +259,10 @@ static int process_one_password_file(const char *filename, FILE *f) {
.tty_fd = -EBADF,
.message = message,
.flag_file = filename,
.until = not_after,
};
r = ask_password_plymouth(&req, not_after, flags, &passwords);
r = ask_password_plymouth(&req, flags, &passwords);
} else
r = agent_ask_password_tty(message, not_after, flags, filename, &passwords);
if (r < 0) {