diff options
| author | Lennart Poettering <lennart@poettering.net> | 2024-11-07 10:41:56 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2025-01-02 16:38:25 +0100 |
| commit | c4a02a526d46151905906808aef80e0b53a3853e (patch) | |
| tree | 9e8ac9b67eca60d8e6c93665eec2015786d35d95 | |
| parent | ask-password-api: move tty_fd into AskPasswordRequest structure, too (diff) | |
| download | systemd-c4a02a526d46151905906808aef80e0b53a3853e.tar.xz systemd-c4a02a526d46151905906808aef80e0b53a3853e.zip | |
ask-password-api: move timeout into AskPasswordRequest structure too
| -rw-r--r-- | src/ask-password/ask-password.c | 3 | ||||
| -rw-r--r-- | src/bootctl/bootctl-install.c | 1 | ||||
| -rw-r--r-- | src/cryptenroll/cryptenroll-password.c | 8 | ||||
| -rw-r--r-- | src/cryptenroll/cryptenroll-tpm2.c | 3 | ||||
| -rw-r--r-- | src/cryptsetup/cryptsetup.c | 8 | ||||
| -rw-r--r-- | src/firstboot/firstboot.c | 5 | ||||
| -rw-r--r-- | src/home/homectl.c | 12 | ||||
| -rw-r--r-- | src/keyutil/keyutil.c | 2 | ||||
| -rw-r--r-- | src/measure/measure.c | 1 | ||||
| -rw-r--r-- | src/pcrlock/pcrlock.c | 2 | ||||
| -rw-r--r-- | src/repart/repart.c | 1 | ||||
| -rw-r--r-- | src/sbsign/sbsign.c | 1 | ||||
| -rw-r--r-- | src/shared/ask-password-api.c | 22 | ||||
| -rw-r--r-- | src/shared/ask-password-api.h | 9 | ||||
| -rw-r--r-- | src/shared/cryptsetup-fido2.c | 5 | ||||
| -rw-r--r-- | src/shared/cryptsetup-tpm2.c | 3 | ||||
| -rw-r--r-- | src/shared/dissect-image.c | 3 | ||||
| -rw-r--r-- | src/shared/libfido2-util.c | 3 | ||||
| -rw-r--r-- | src/shared/openssl-util.c | 2 | ||||
| -rw-r--r-- | src/shared/pkcs11-util.c | 3 | ||||
| -rw-r--r-- | src/test/test-ask-password-api.c | 3 | ||||
| -rw-r--r-- | src/tty-ask-password-agent/tty-ask-password-agent.c | 6 |
22 files changed, 62 insertions, 44 deletions
diff --git a/src/ask-password/ask-password.c b/src/ask-password/ask-password.c index 17e5fa4dc1..d3afc37781 100644 --- a/src/ask-password/ask-password.c +++ b/src/ask-password/ask-password.c @@ -258,9 +258,10 @@ static int run(int argc, char *argv[]) { .id = arg_id, .keyring = arg_key_name, .credential = arg_credential_name ?: "password", + .until = timeout, }; - r = ask_password_auto(&req, timeout, arg_flags, &l); + r = ask_password_auto(&req, arg_flags, &l); if (r < 0) return log_error_errno(r, "Failed to query password: %m"); diff --git a/src/bootctl/bootctl-install.c b/src/bootctl/bootctl-install.c index 0a5b59a503..76deba56e7 100644 --- a/src/bootctl/bootctl-install.c +++ b/src/bootctl/bootctl-install.c @@ -988,6 +988,7 @@ int verb_install(int argc, char *argv[], void *userdata) { .id = "bootctl-private-key-pin", .keyring = arg_private_key, .credential = "bootctl.private-key-pin", + .until = USEC_INFINITY, }, &private_key, &ui); diff --git a/src/cryptenroll/cryptenroll-password.c b/src/cryptenroll/cryptenroll-password.c index 0560eddb66..56a3bb4456 100644 --- a/src/cryptenroll/cryptenroll-password.c +++ b/src/cryptenroll/cryptenroll-password.c @@ -61,6 +61,7 @@ int load_volume_key_password( .id = id, .keyring = "cryptenroll", .credential = "cryptenroll.passphrase", + .until = USEC_INFINITY, }; for (;;) { @@ -70,7 +71,7 @@ int load_volume_key_password( return log_error_errno(SYNTHETIC_ERRNO(ENOKEY), "Too many attempts, giving up."); - r = ask_password_auto(&req, USEC_INFINITY, ask_password_flags, &passwords); + r = ask_password_auto(&req, ask_password_flags, &passwords); if (r < 0) return log_error_errno(r, "Failed to query password: %m"); @@ -136,6 +137,7 @@ int enroll_password( .id = id, .keyring = "cryptenroll", .credential = "cryptenroll.new-passphrase", + .until = USEC_INFINITY, }; for (;;) { @@ -152,7 +154,7 @@ int enroll_password( req.message = question; - r = ask_password_auto(&req, USEC_INFINITY, /* flags= */ 0, &passwords); + r = ask_password_auto(&req, /* flags= */ 0, &passwords); if (r < 0) return log_error_errno(r, "Failed to query password: %m"); @@ -165,7 +167,7 @@ int enroll_password( req.message = question; - r = ask_password_auto(&req, USEC_INFINITY, /* flags= */ 0, &passwords2); + r = ask_password_auto(&req, /* flags= */ 0, &passwords2); if (r < 0) return log_error_errno(r, "Failed to query password: %m"); diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c index a5750427dc..42d5a9cd03 100644 --- a/src/cryptenroll/cryptenroll-tpm2.c +++ b/src/cryptenroll/cryptenroll-tpm2.c @@ -124,12 +124,12 @@ static int get_pin(char **ret_pin_str, TPM2Flags *ret_flags) { .icon = "drive-harddisk", .keyring = "tpm2-pin", .credential = "cryptenroll.new-tpm2-pin", + .until = USEC_INFINITY, }; pin = strv_free_erase(pin); r = ask_password_auto( &req, - /* until= */ USEC_INFINITY, /* flags= */ 0, &pin); if (r < 0) @@ -140,7 +140,6 @@ static int get_pin(char **ret_pin_str, TPM2Flags *ret_flags) { r = ask_password_auto( &req, - USEC_INFINITY, /* flags= */ 0, &pin2); if (r < 0) diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c index 97acb03baf..cb3b591186 100644 --- a/src/cryptsetup/cryptsetup.c +++ b/src/cryptsetup/cryptsetup.c @@ -912,12 +912,13 @@ static int get_password( .id = id, .keyring = "cryptsetup", .credential = "cryptsetup.passphrase", + .until = until, }; if (ignore_cached) flags &= ~ASK_PASSWORD_ACCEPT_CACHED; - r = ask_password_auto(&req, until, flags, &passwords); + r = ask_password_auto(&req, flags, &passwords); if (r < 0) return log_error_errno(r, "Failed to query password: %m"); @@ -938,7 +939,7 @@ static int get_password( req.message = text; req.id = id; - r = ask_password_auto(&req, until, flags, &passwords2); + r = ask_password_auto(&req, flags, &passwords2); if (r < 0) return log_error_errno(r, "Failed to query verification password: %m"); @@ -1428,9 +1429,10 @@ static int crypt_activate_by_token_pin_ask_password( .icon = "drive-harddisk", .keyring = keyring, .credential = credential, + .until = until, }; - r = ask_password_auto(&req, until, flags, &pins); + r = ask_password_auto(&req, flags, &pins); if (r < 0) return r; diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c index 08c80f539a..5658255358 100644 --- a/src/firstboot/firstboot.c +++ b/src/firstboot/firstboot.c @@ -737,9 +737,10 @@ static int prompt_root_password(int rfd) { AskPasswordRequest req = { .tty_fd = -EBADF, .message = msg1, + .until = USEC_INFINITY, }; - r = ask_password_tty(&req, /* until= */ 0, /* flags= */ 0, &a); + r = ask_password_tty(&req, /* flags= */ 0, &a); if (r < 0) return log_error_errno(r, "Failed to query root password: %m"); if (strv_length(a) != 1) @@ -761,7 +762,7 @@ static int prompt_root_password(int rfd) { req.message = msg2; - r = ask_password_tty(&req, /* until= */ 0, /* flags= */ 0, &b); + r = ask_password_tty(&req, /* flags= */ 0, &b); if (r < 0) return log_error_errno(r, "Failed to query root password: %m"); if (strv_length(b) != 1) diff --git a/src/home/homectl.c b/src/home/homectl.c index fbb38b64cf..611fb966fe 100644 --- a/src/home/homectl.c +++ b/src/home/homectl.c @@ -268,9 +268,10 @@ static int acquire_existing_password( .icon = "user-home", .keyring = "home-password", .credential = "home.password", + .until = USEC_INFINITY, }; - r = ask_password_auto(&req, USEC_INFINITY, flags, &password); + r = ask_password_auto(&req, flags, &password); if (r == -EUNATCH) { /* EUNATCH is returned if no password was found and asking interactively was * disabled via the flags. Not an error for us. */ log_debug_errno(r, "No passwords acquired."); @@ -327,9 +328,10 @@ static int acquire_recovery_key( .icon = "user-home", .keyring = "home-recovery-key", .credential = "home.recovery-key", + .until = USEC_INFINITY, }; - r = ask_password_auto(&req, USEC_INFINITY, flags, &recovery_key); + r = ask_password_auto(&req, flags, &recovery_key); if (r == -EUNATCH) { /* EUNATCH is returned if no recovery key was found and asking interactively was * disabled via the flags. Not an error for us. */ log_debug_errno(r, "No recovery keys acquired."); @@ -382,9 +384,10 @@ static int acquire_token_pin( .icon = "user-home", .keyring = "token-pin", .credential = "home.token-pin", + .until = USEC_INFINITY, }; - r = ask_password_auto(&req, USEC_INFINITY, flags, &pin); + r = ask_password_auto(&req, flags, &pin); if (r == -EUNATCH) { /* EUNATCH is returned if no PIN was found and asking interactively was disabled * via the flags. Not an error for us. */ log_debug_errno(r, "No security token PINs acquired."); @@ -1237,11 +1240,11 @@ static int acquire_new_password( .icon = "user-home", .keyring = "home-password", .credential = "home.new-password", + .until = USEC_INFINITY, }; r = ask_password_auto( &req, - USEC_INFINITY, /* flags= */ 0, /* no caching, we want to collect a new password here after all */ &first); if (r < 0) @@ -1257,7 +1260,6 @@ static int acquire_new_password( r = ask_password_auto( &req, - USEC_INFINITY, /* flags= */ 0, /* no caching */ &second); if (r < 0) diff --git a/src/keyutil/keyutil.c b/src/keyutil/keyutil.c index b034c1c40f..bae7421572 100644 --- a/src/keyutil/keyutil.c +++ b/src/keyutil/keyutil.c @@ -186,6 +186,7 @@ static int verb_validate(int argc, char *argv[], void *userdata) { .id = "keyutil-private-key-pin", .keyring = arg_private_key, .credential = "keyutil.private-key-pin", + .until = USEC_INFINITY, }, &private_key, &ui); @@ -243,6 +244,7 @@ static int verb_public(int argc, char *argv[], void *userdata) { .id = "keyutil-private-key-pin", .keyring = arg_private_key, .credential = "keyutil.private-key-pin", + .until = USEC_INFINITY, }, &private_key, &ui); diff --git a/src/measure/measure.c b/src/measure/measure.c index c4ca9dc8da..fbd039da79 100644 --- a/src/measure/measure.c +++ b/src/measure/measure.c @@ -892,6 +892,7 @@ static int verb_sign(int argc, char *argv[], void *userdata) { .id = "measure-private-key-pin", .keyring = arg_private_key, .credential = "measure.private-key-pin", + .until = USEC_INFINITY, }, &privkey, &ui); diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c index bbf2ae856c..b22ee57788 100644 --- a/src/pcrlock/pcrlock.c +++ b/src/pcrlock/pcrlock.c @@ -4555,11 +4555,11 @@ static int make_policy(bool force, RecoveryPinMode recovery_pin_mode) { .message = "Recovery PIN", .id = "pcrlock-recovery-pin", .credential = "pcrlock.recovery-pin", + .until = USEC_INFINITY, }; r = ask_password_auto( &req, - /* until= */ 0, /* flags= */ 0, &l); if (r < 0) diff --git a/src/repart/repart.c b/src/repart/repart.c index a89810fbf5..b381d4808a 100644 --- a/src/repart/repart.c +++ b/src/repart/repart.c @@ -8576,6 +8576,7 @@ static int parse_argv(int argc, char *argv[], X509 **ret_certificate, EVP_PKEY * .id = "repart-private-key-pin", .keyring = arg_private_key, .credential = "repart.private-key-pin", + .until = USEC_INFINITY, }, &private_key, &ui); diff --git a/src/sbsign/sbsign.c b/src/sbsign/sbsign.c index 538c2ebe63..5c5c884c98 100644 --- a/src/sbsign/sbsign.c +++ b/src/sbsign/sbsign.c @@ -207,6 +207,7 @@ static int verb_sign(int argc, char *argv[], void *userdata) { .id = "sbsign-private-key-pin", .keyring = arg_private_key, .credential = "sbsign.private-key-pin", + .until = USEC_INFINITY, }, &private_key, &ui); diff --git a/src/shared/ask-password-api.c b/src/shared/ask-password-api.c index f1e2b06c3d..39e6277b37 100644 --- a/src/shared/ask-password-api.c +++ b/src/shared/ask-password-api.c @@ -309,7 +309,6 @@ static int backspace_string(int ttyfd, const char *str) { int ask_password_plymouth( const AskPasswordRequest *req, - usec_t until, AskPasswordFlags flags, char ***ret) { @@ -369,8 +368,8 @@ int ask_password_plymouth( for (;;) { usec_t timeout; - if (until > 0) - timeout = usec_sub_unsigned(until, now(CLOCK_MONOTONIC)); + if (req->until > 0) + timeout = usec_sub_unsigned(req->until, now(CLOCK_MONOTONIC)); else timeout = USEC_INFINITY; @@ -464,7 +463,6 @@ int ask_password_plymouth( int ask_password_tty( const AskPasswordRequest *req, - usec_t until, AskPasswordFlags flags, char ***ret) { @@ -584,8 +582,8 @@ int ask_password_tty( usec_t timeout; ssize_t n; - if (until > 0) - timeout = usec_sub_unsigned(until, now(CLOCK_MONOTONIC)); + if (req->until > 0) + timeout = usec_sub_unsigned(req->until, now(CLOCK_MONOTONIC)); else timeout = USEC_INFINITY; @@ -799,7 +797,6 @@ static int create_socket(const char *askpwdir, char **ret) { int ask_password_agent( const AskPasswordRequest *req, - usec_t until, AskPasswordFlags flags, char ***ret) { @@ -894,7 +891,7 @@ int ask_password_agent( socket_name, FLAGS_SET(flags, ASK_PASSWORD_ACCEPT_CACHED), FLAGS_SET(flags, ASK_PASSWORD_ECHO), - until, + req->until, FLAGS_SET(flags, ASK_PASSWORD_SILENT)); if (req) { @@ -946,8 +943,8 @@ int ask_password_agent( usec_t timeout; ssize_t n; - if (until > 0) - timeout = usec_sub_unsigned(until, now(CLOCK_MONOTONIC)); + if (req->until > 0) + timeout = usec_sub_unsigned(req->until, now(CLOCK_MONOTONIC)); else timeout = USEC_INFINITY; @@ -1106,7 +1103,6 @@ static int ask_password_credential(const AskPasswordRequest *req, AskPasswordFla int ask_password_auto( const AskPasswordRequest *req, - usec_t until, AskPasswordFlags flags, char ***ret) { @@ -1130,10 +1126,10 @@ int ask_password_auto( } if (!FLAGS_SET(flags, ASK_PASSWORD_NO_TTY) && isatty_safe(STDIN_FILENO)) - return ask_password_tty(req, until, flags, ret); + return ask_password_tty(req, flags, ret); if (!FLAGS_SET(flags, ASK_PASSWORD_NO_AGENT)) - return ask_password_agent(req, until, flags, ret); + return ask_password_agent(req, flags, ret); return -EUNATCH; } diff --git a/src/shared/ask-password-api.h b/src/shared/ask-password-api.h index 1abaad2134..fe453522fc 100644 --- a/src/shared/ask-password-api.h +++ b/src/shared/ask-password-api.h @@ -28,11 +28,12 @@ typedef struct AskPasswordRequest { const char *credential; /* $CREDENTIALS_DIRECTORY credential name */ const char *flag_file; /* Once this flag file disappears abort the query */ int tty_fd; /* If querying on a TTY, the TTY to query on (or -EBADF) */ + usec_t until; /* CLOCK_MONOTONIC time until which to show the prompt (if zero: forever) */ } AskPasswordRequest; -int ask_password_tty(const AskPasswordRequest *req, usec_t until, AskPasswordFlags flags, char ***ret); -int ask_password_plymouth(const AskPasswordRequest *req, usec_t until, AskPasswordFlags flags, char ***ret); -int ask_password_agent(const AskPasswordRequest *req, usec_t until, AskPasswordFlags flag, char ***ret); -int ask_password_auto(const AskPasswordRequest *req, usec_t until, AskPasswordFlags flag, char ***ret); +int ask_password_tty(const AskPasswordRequest *req, AskPasswordFlags flags, char ***ret); +int ask_password_plymouth(const AskPasswordRequest *req, AskPasswordFlags flags, char ***ret); +int ask_password_agent(const AskPasswordRequest *req, AskPasswordFlags flag, char ***ret); +int ask_password_auto(const AskPasswordRequest *req, AskPasswordFlags flag, char ***ret); int acquire_user_ask_password_directory(char **ret); diff --git a/src/shared/cryptsetup-fido2.c b/src/shared/cryptsetup-fido2.c index 6e4b120ae6..070908d525 100644 --- a/src/shared/cryptsetup-fido2.c +++ b/src/shared/cryptsetup-fido2.c @@ -111,16 +111,17 @@ int acquire_fido2_key( if (FLAGS_SET(askpw_flags, ASK_PASSWORD_HEADLESS)) return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the '$PIN' environment variable."); - static const AskPasswordRequest req = { + AskPasswordRequest req = { .tty_fd = -EBADF, .message = "Please enter security token PIN:", .icon = "drive-harddisk", .keyring = "fido2-pin", .credential = "cryptsetup.fido2-pin", + .until = until, }; pins = strv_free_erase(pins); - r = ask_password_auto(&req, until, askpw_flags, &pins); + r = ask_password_auto(&req, askpw_flags, &pins); if (r < 0) return log_error_errno(r, "Failed to ask for user password: %m"); diff --git a/src/shared/cryptsetup-tpm2.c b/src/shared/cryptsetup-tpm2.c index 05f0fa2bfa..7a1275eb38 100644 --- a/src/shared/cryptsetup-tpm2.c +++ b/src/shared/cryptsetup-tpm2.c @@ -40,10 +40,11 @@ static int get_pin( .icon = "drive-harddisk", .keyring = "tpm2-pin", .credential = askpw_credential, + .until = until, }; pin = strv_free_erase(pin); - r = ask_password_auto(&req, until, askpw_flags, &pin); + r = ask_password_auto(&req, askpw_flags, &pin); if (r < 0) return log_error_errno(r, "Failed to ask for user pin: %m"); assert(strv_length(pin) == 1); diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c index 5a65f55fca..3feda770af 100644 --- a/src/shared/dissect-image.c +++ b/src/shared/dissect-image.c @@ -3082,9 +3082,10 @@ int dissected_image_decrypt_interactively( .id = "dissect", .keyring = "dissect", .credential = "dissect.passphrase", + .until = USEC_INFINITY, }; - r = ask_password_auto(&req, USEC_INFINITY, /* flags= */ 0, &z); + r = ask_password_auto(&req, /* flags= */ 0, &z); if (r < 0) return log_error_errno(r, "Failed to query for passphrase: %m"); diff --git a/src/shared/libfido2-util.c b/src/shared/libfido2-util.c index 8e981f4c84..200068dce4 100644 --- a/src/shared/libfido2-util.c +++ b/src/shared/libfido2-util.c @@ -862,9 +862,10 @@ int fido2_generate_hmac_hash( .icon = askpw_icon, .keyring = "fido2-pin", .credential = askpw_credential, + .until = USEC_INFINITY, }; - r = ask_password_auto(&req, USEC_INFINITY, /* flags= */ 0, &pin); + r = ask_password_auto(&req, /* flags= */ 0, &pin); if (r < 0) return log_error_errno(r, "Failed to acquire user PIN: %m"); diff --git a/src/shared/openssl-util.c b/src/shared/openssl-util.c index 417f842546..b60fc67b26 100644 --- a/src/shared/openssl-util.c +++ b/src/shared/openssl-util.c @@ -1399,7 +1399,7 @@ static int openssl_ask_password_ui_read(UI *ui, UI_STRING *uis) { req->message = UI_get0_output_string(uis); _cleanup_(strv_freep) char **l = NULL; - r = ask_password_auto(req, /*until=*/ 0, ASK_PASSWORD_ACCEPT_CACHED|ASK_PASSWORD_PUSH_CACHE, &l); + r = ask_password_auto(req, ASK_PASSWORD_ACCEPT_CACHED|ASK_PASSWORD_PUSH_CACHE, &l); if (r < 0) { log_error_errno(r, "Failed to query for PIN: %m"); return 0; diff --git a/src/shared/pkcs11-util.c b/src/shared/pkcs11-util.c index caec1606ed..8d14b2f8f7 100644 --- a/src/shared/pkcs11-util.c +++ b/src/shared/pkcs11-util.c @@ -386,10 +386,11 @@ int pkcs11_token_login( .id = id, .keyring = askpw_keyring, .credential = askpw_credential, + .until = until, }; /* We never cache PINs, simply because it's fatal if we use wrong PINs, since usually there are only 3 tries */ - r = ask_password_auto(&req, until, askpw_flags, &passwords); + r = ask_password_auto(&req, askpw_flags, &passwords); if (r < 0) return log_error_errno(r, "Failed to query PIN for security token '%s': %m", token_label); } diff --git a/src/test/test-ask-password-api.c b/src/test/test-ask-password-api.c index ccf3cee9f3..38afe0c6ef 100644 --- a/src/test/test-ask-password-api.c +++ b/src/test/test-ask-password-api.c @@ -12,9 +12,10 @@ TEST(ask_password) { .tty_fd = -EBADF, .message = "hello?", .keyring = "da key", + .until = USEC_INFINITY, }; - r = ask_password_tty(&req, /* until= */ 0, /* flags= */ ASK_PASSWORD_CONSOLE_COLOR, &ret); + r = ask_password_tty(&req, /* flags= */ ASK_PASSWORD_CONSOLE_COLOR, &ret); if (r == -ECANCELED) ASSERT_NULL(ret); else { diff --git a/src/tty-ask-password-agent/tty-ask-password-agent.c b/src/tty-ask-password-agent/tty-ask-password-agent.c index fdc819754b..31292d5acf 100644 --- a/src/tty-ask-password-agent/tty-ask-password-agent.c +++ b/src/tty-ask-password-agent/tty-ask-password-agent.c @@ -151,9 +151,10 @@ static int agent_ask_password_tty( .tty_fd = tty_fd, .message = message, .flag_file = flag_file, + .until = until, }; - r = ask_password_tty(&req, until, flags, ret); + r = ask_password_tty(&req, flags, ret); if (arg_console) { assert(tty_fd >= 0); @@ -258,9 +259,10 @@ static int process_one_password_file(const char *filename, FILE *f) { .tty_fd = -EBADF, .message = message, .flag_file = filename, + .until = not_after, }; - r = ask_password_plymouth(&req, not_after, flags, &passwords); + r = ask_password_plymouth(&req, flags, &passwords); } else r = agent_ask_password_tty(message, not_after, flags, filename, &passwords); if (r < 0) { |