From: Sebastian Blunt Date: Thu, 3 Jun 2021 07:10:38 +0000 (-0700) Subject: Rename crypttab opt silent to password-echo X-Git-Tag: v249-rc1~87 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2cbca51a711961c534f12e708e7c0bed99420d99;p=thirdparty%2Fsystemd.git Rename crypttab opt silent to password-echo Use the option name 'password-echo' instead of the generic term 'silent'. Make the option take an argument for better control over echoing behavior. Related discussion in https://github.com/systemd/systemd/pull/19619 --- diff --git a/man/crypttab.xml b/man/crypttab.xml index e98151ca75b..b130c32b115 100644 --- a/man/crypttab.xml +++ b/man/crypttab.xml @@ -529,11 +529,19 @@ - - - If an encryption password or security token PIN is - read from console, no asterisks will be shown while typing the pin or - password. + + + Controls whether to echo passwords or security token PINs + that are read from console. Takes a boolean or the special string masked. + The default is . + + If enabled, the typed characters are echoed literally. If disabled, + the typed characters are not echoed in any form, the user will not get + feedback on their input. If set to masked, an asterisk + (*) is echoed for each character typed. Regardless of + which mode is chosen, if the user hits the tabulator key (↹) + at any time, or the backspace key (⌫) before any other + data has been entered, then echo is turned off. diff --git a/src/cryptsetup/cryptsetup-fido2.c b/src/cryptsetup/cryptsetup-fido2.c index 7e347f4bf05..dfaded3cdb7 100644 --- a/src/cryptsetup/cryptsetup-fido2.c +++ b/src/cryptsetup/cryptsetup-fido2.c @@ -27,9 +27,8 @@ int acquire_fido2_key( Fido2EnrollFlags required, void **ret_decrypted_key, size_t *ret_decrypted_key_size, - bool silent) { + AskPasswordFlags ask_password_flags) { - AskPasswordFlags flags = ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED | (silent*ASK_PASSWORD_SILENT); _cleanup_strv_free_erase_ char **pins = NULL; _cleanup_free_ void *loaded_salt = NULL; const char *salt; @@ -37,6 +36,8 @@ int acquire_fido2_key( char *e; int r; + ask_password_flags |= ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED; + assert(cid); assert(key_file || key_data); @@ -96,11 +97,11 @@ int acquire_fido2_key( if (headless) return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the '$PIN' environment variable."); - r = ask_password_auto("Please enter security token PIN:", "drive-harddisk", NULL, "fido2-pin", "cryptsetup.fido2-pin", until, flags, &pins); + r = ask_password_auto("Please enter security token PIN:", "drive-harddisk", NULL, "fido2-pin", "cryptsetup.fido2-pin", until, ask_password_flags, &pins); if (r < 0) return log_error_errno(r, "Failed to ask for user password: %m"); - flags &= ~ASK_PASSWORD_ACCEPT_CACHED; + ask_password_flags &= ~ASK_PASSWORD_ACCEPT_CACHED; } } diff --git a/src/cryptsetup/cryptsetup-fido2.h b/src/cryptsetup/cryptsetup-fido2.h index a7623116816..204f1e06c68 100644 --- a/src/cryptsetup/cryptsetup-fido2.h +++ b/src/cryptsetup/cryptsetup-fido2.h @@ -27,7 +27,7 @@ int acquire_fido2_key( Fido2EnrollFlags required, void **ret_decrypted_key, size_t *ret_decrypted_key_size, - bool silent); + AskPasswordFlags ask_password_flags); int find_fido2_auto_data( struct crypt_device *cd, @@ -58,7 +58,7 @@ static inline int acquire_fido2_key( Fido2EnrollFlags required, void **ret_decrypted_key, size_t *ret_decrypted_key_size, - bool silent) { + AskPasswordFlags ask_password_flags) { return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "FIDO2 token support not available."); diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c index b64b47393d0..dd84018c174 100644 --- a/src/cryptsetup/cryptsetup.c +++ b/src/cryptsetup/cryptsetup.c @@ -58,7 +58,7 @@ static char *arg_header = NULL; static unsigned arg_tries = 3; static bool arg_readonly = false; static bool arg_verify = false; -static bool arg_silent = false; +static AskPasswordFlags arg_ask_password_flags = 0; static bool arg_discards = false; static bool arg_same_cpu_crypt = false; static bool arg_submit_from_crypt_cpus = false; @@ -235,9 +235,20 @@ static int parse_one_option(const char *option) { arg_readonly = true; else if (streq(option, "verify")) arg_verify = true; - else if (streq(option, "silent")) - arg_silent = true; - else if (STR_IN_SET(option, "allow-discards", "discard")) + else if ((val = startswith(option, "password-echo="))) { + if (streq(val, "masked")) + arg_ask_password_flags &= ~(ASK_PASSWORD_ECHO|ASK_PASSWORD_SILENT); + else { + r = parse_boolean(val); + if (r < 0) { + log_warning_errno(r, "Invalid password-echo= option \"%s\", ignoring.", val); + return 0; + } + + SET_FLAG(arg_ask_password_flags, ASK_PASSWORD_ECHO, r); + SET_FLAG(arg_ask_password_flags, ASK_PASSWORD_SILENT, !r); + } + } else if (STR_IN_SET(option, "allow-discards", "discard")) arg_discards = true; else if (streq(option, "same-cpu-crypt")) arg_same_cpu_crypt = true; @@ -543,7 +554,7 @@ static int get_password( _cleanup_strv_free_erase_ char **passwords = NULL; char **p, *id; int r = 0; - AskPasswordFlags flags = ASK_PASSWORD_PUSH_CACHE | (arg_silent*ASK_PASSWORD_SILENT); + AskPasswordFlags flags = arg_ask_password_flags | ASK_PASSWORD_PUSH_CACHE; assert(vol); assert(src); @@ -811,7 +822,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2( arg_headless, required, &decrypted_key, &decrypted_key_size, - arg_silent); + arg_ask_password_flags); if (r >= 0) break; if (r != -EAGAIN) /* EAGAIN means: token not found */