cryptsetup: drop "headless" bool, make it a flag in AskPasswordFlags instead
authorLennart Poettering <lennart@poettering.net>
Mon, 19 Feb 2024 17:45:49 +0000 (18:45 +0100)
committerLennart Poettering <lennart@poettering.net>
Tue, 20 Feb 2024 15:50:04 +0000 (16:50 +0100)
This bool controls whether we should interactively ask for a password,
which is pretty much what the ask_password-api.c APIs are about. Hence,
just make the bool a flag in AskPasswordFlags enum, and use it
everywhere.

This still catches the flag early in upper levels of the codebase,
exactly as before, but if the flag is still present in the lower layers
it's also handled there and results in ENOEXEC if seen.

This is mostly an exercise in simplifying our ridiculously long
function call parameter lists a bit.

16 files changed:
src/cryptenroll/cryptenroll-fido2.c
src/cryptenroll/cryptenroll-pkcs11.c
src/cryptenroll/cryptenroll-tpm2.c
src/cryptsetup/cryptsetup-pkcs11.c
src/cryptsetup/cryptsetup-pkcs11.h
src/cryptsetup/cryptsetup-tokens/luks2-pkcs11.c
src/cryptsetup/cryptsetup.c
src/home/homectl-pkcs11.c
src/shared/ask-password-api.c
src/shared/ask-password-api.h
src/shared/cryptsetup-fido2.c
src/shared/cryptsetup-fido2.h
src/shared/cryptsetup-tpm2.c
src/shared/cryptsetup-tpm2.h
src/shared/pkcs11-util.c
src/shared/pkcs11-util.h

index 194771d54ebd7ce43d68eedd9e0d6da7b5a6033d..baa630a6b3d368728bc3e4d0e5cd91ccc86d0014 100644 (file)
@@ -33,7 +33,6 @@ int load_volume_key_fido2(
                         cd_node,
                         device,
                         /* until= */ 0,
-                        /* headless= */ false,
                         "cryptenroll.fido2-pin",
                         ASK_PASSWORD_PUSH_CACHE|ASK_PASSWORD_ACCEPT_CACHED,
                         &decrypted_key,
index 9cdb8407639f1dd318a83e9117c01ca389822687..09875c1598f2bb35278dd10530e1d99bd92cd25d 100644 (file)
@@ -55,7 +55,14 @@ int enroll_pkcs11(
 
         assert_se(node = crypt_get_device_name(cd));
 
-        r = pkcs11_acquire_public_key(uri, "volume enrollment operation", "drive-harddisk", "cryptenroll.pkcs11-pin", &pkey, NULL);
+        r = pkcs11_acquire_public_key(
+                        uri,
+                        "volume enrollment operation",
+                        "drive-harddisk",
+                        "cryptenroll.pkcs11-pin",
+                        /* askpw_flags= */ 0,
+                        &pkey,
+                        /* ret_pin_used= */ NULL);
         if (r < 0)
                 return r;
 
index 5359c9f8d5626d1651ccbab58c09a3cbe19ec6d8..3ded815fb0778cc706497a1f13ba9b6262d183f1 100644 (file)
@@ -210,7 +210,6 @@ int load_volume_key_tpm2(
                                 &pcrlock_nv,
                                 tpm2_flags,
                                 /* until= */ 0,
-                                /* headless= */ false,
                                 "cryptenroll.tpm2-pin",
                                 /* askpw_flags= */ 0,
                                 &decrypted_key);
index 4ef249509d46dddbd8e68e7ec17f83d2cbfb3071..4b2b5bbf007d73d14ba0acab84145fbd95003ff3 100644 (file)
@@ -34,14 +34,14 @@ int decrypt_pkcs11_key(
                 const void *key_data,         /* … or key_data and key_data_size (for literal keys) */
                 size_t key_data_size,
                 usec_t until,
-                bool headless,
+                AskPasswordFlags askpw_flags,
                 void **ret_decrypted_key,
                 size_t *ret_decrypted_key_size) {
 
         _cleanup_(pkcs11_crypt_device_callback_data_release) pkcs11_crypt_device_callback_data data = {
                 .friendly_name = friendly_name,
+                .askpw_flags = askpw_flags,
                 .until = until,
-                .headless = headless,
         };
         int r;
 
index 256c09a9b68d278409998223216654f5befd9ff7..22e6992582c06ec7356638a8ee2ba1259683aaa7 100644 (file)
@@ -19,7 +19,7 @@ int decrypt_pkcs11_key(
                 const void *key_data,
                 size_t key_data_size,
                 usec_t until,
-                bool headless,
+                AskPasswordFlags askpw_flags,
                 void **ret_decrypted_key,
                 size_t *ret_decrypted_key_size);
 
@@ -42,7 +42,7 @@ static inline int decrypt_pkcs11_key(
                 const void *key_data,
                 size_t key_data_size,
                 usec_t until,
-                bool headless,
+                AskPasswordFlags askpw_flags,
                 void **ret_decrypted_key,
                 size_t *ret_decrypted_key_size) {
 
index 0203e726450a32b1671e00030ec702a437cfbf55..ac5100f68813f42f87f2eeca88dd6c394710d081 100644 (file)
@@ -157,7 +157,6 @@ static int acquire_luks2_key_systemd(
         assert(params);
 
         data.friendly_name = params->friendly_name;
-        data.headless = params->headless;
         data.askpw_credential = params->askpw_credential;
         data.askpw_flags = params->askpw_flags;
         data.until = params->until;
index 63f8cdb81f1fdc87c0c60e94a28fd4d9d4f2c76d..7099f68f88bce3d3c4367120ee3132c4e6718e1e 100644 (file)
@@ -101,7 +101,6 @@ static uint32_t arg_tpm2_pcr_mask = UINT32_MAX;
 static char *arg_tpm2_signature = NULL;
 static bool arg_tpm2_pin = false;
 static char *arg_tpm2_pcrlock = NULL;
-static bool arg_headless = false;
 static usec_t arg_token_timeout_usec = 30*USEC_PER_SEC;
 static unsigned arg_tpm2_measure_pcr = UINT_MAX; /* This and the following field is about measuring the unlocked volume key to the local TPM */
 static char **arg_tpm2_measure_banks = NULL;
@@ -504,9 +503,9 @@ static int parse_one_option(const char *option) {
                         return 0;
                 }
 
-                arg_headless = r;
+                SET_FLAG(arg_ask_password_flags, ASK_PASSWORD_HEADLESS, r);
         } else if (streq(option, "headless"))
-                arg_headless = true;
+                arg_ask_password_flags |= ASK_PASSWORD_HEADLESS;
 
         else if ((val = startswith(option, "token-timeout="))) {
 
@@ -807,7 +806,7 @@ static int get_password(
         assert(src);
         assert(ret);
 
-        if (arg_headless)
+        if (FLAGS_SET(arg_ask_password_flags, ASK_PASSWORD_HEADLESS))
                 return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "Password querying disabled via 'headless' option.");
 
         friendly = friendly_disk_name(src, vol);
@@ -1266,7 +1265,6 @@ static int crypt_activate_by_token_pin_ask_password(
                 const char *name,
                 const char *type,
                 usec_t until,
-                bool headless,
                 void *userdata,
                 uint32_t activation_flags,
                 const char *message,
@@ -1296,7 +1294,7 @@ static int crypt_activate_by_token_pin_ask_password(
                         return r;
         }
 
-        if (headless)
+        if (FLAGS_SET(arg_ask_password_flags, ASK_PASSWORD_HEADLESS))
                 return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the '$PIN' environment variable.");
 
         for (;;) {
@@ -1333,7 +1331,6 @@ static int attach_luks2_by_fido2_via_plugin(
                 struct crypt_device *cd,
                 const char *name,
                 usec_t until,
-                bool headless,
                 void *userdata,
                 uint32_t activation_flags) {
 
@@ -1342,7 +1339,6 @@ static int attach_luks2_by_fido2_via_plugin(
                         name,
                         "systemd-fido2",
                         until,
-                        headless,
                         userdata,
                         activation_flags,
                         "Please enter security token PIN:",
@@ -1397,7 +1393,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
 
         for (;;) {
                 if (use_libcryptsetup_plugin && !arg_fido2_cid) {
-                        r = attach_luks2_by_fido2_via_plugin(cd, name, until, arg_headless, arg_fido2_device, flags);
+                        r = attach_luks2_by_fido2_via_plugin(cd, name, until, arg_fido2_device, flags);
                         if (IN_SET(r, -ENOTUNIQ, -ENXIO, -ENOENT))
                                 return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN),
                                                        "Automatic FIDO2 metadata discovery was not possible because missing or not unique, falling back to traditional unlocking.");
@@ -1413,7 +1409,6 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
                                                 key_file, arg_keyfile_size, arg_keyfile_offset,
                                                 key_data, key_data_size,
                                                 until,
-                                                arg_headless,
                                                 required,
                                                 "cryptsetup.fido2-pin",
                                                 arg_ask_password_flags,
@@ -1426,7 +1421,6 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
                                                 friendly,
                                                 arg_fido2_device,
                                                 until,
-                                                arg_headless,
                                                 "cryptsetup.fido2-pin",
                                                 arg_ask_password_flags,
                                                 &decrypted_key,
@@ -1491,7 +1485,6 @@ static int attach_luks2_by_pkcs11_via_plugin(
                 const char *name,
                 const char *friendly_name,
                 usec_t until,
-                bool headless,
                 const char *askpw_credential,
                 uint32_t flags) {
 
@@ -1504,7 +1497,6 @@ static int attach_luks2_by_pkcs11_via_plugin(
         systemd_pkcs11_plugin_params params = {
                 .friendly_name = friendly_name,
                 .until = until,
-                .headless = headless,
                 .askpw_credential = askpw_credential,
                 .askpw_flags = arg_ask_password_flags,
         };
@@ -1574,7 +1566,6 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
                                         name,
                                         friendly,
                                         until,
-                                        arg_headless,
                                         "cryptsetup.pkcs11-pin",
                                         flags);
                 else {
@@ -1585,7 +1576,7 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
                                         key_file, arg_keyfile_size, arg_keyfile_offset,
                                         key_data, key_data_size,
                                         until,
-                                        arg_headless,
+                                        arg_ask_password_flags,
                                         &decrypted_key, &decrypted_key_size);
                         if (r >= 0)
                                 break;
@@ -1710,7 +1701,6 @@ static int attach_luks2_by_tpm2_via_plugin(
                 struct crypt_device *cd,
                 const char *name,
                 usec_t until,
-                bool headless,
                 uint32_t flags) {
 
 #if HAVE_LIBCRYPTSETUP_PLUGINS
@@ -1730,7 +1720,6 @@ static int attach_luks2_by_tpm2_via_plugin(
                         name,
                         "systemd-tpm2",
                         until,
-                        headless,
                         &params,
                         flags,
                         "Please enter TPM2 PIN:",
@@ -1786,7 +1775,6 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
                                         /* pcrlock_nv= */ NULL,
                                         arg_tpm2_pin ? TPM2_FLAGS_USE_PIN : 0,
                                         until,
-                                        arg_headless,
                                         "cryptsetup.tpm2-pin",
                                         arg_ask_password_flags,
                                         &decrypted_key);
@@ -1802,7 +1790,7 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
                                 return -EAGAIN; /* Mangle error code: let's make any form of TPM2 failure non-fatal. */
                         }
                 } else {
-                        r = attach_luks2_by_tpm2_via_plugin(cd, name, until, arg_headless, flags);
+                        r = attach_luks2_by_tpm2_via_plugin(cd, name, until, flags);
                         if (r >= 0)
                                 return 0;
                         /* EAGAIN     means: no tpm2 chip found
@@ -1885,7 +1873,6 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
                                                 &pcrlock_nv,
                                                 tpm2_flags,
                                                 until,
-                                                arg_headless,
                                                 "cryptsetup.tpm2-pin",
                                                 arg_ask_password_flags,
                                                 &decrypted_key);
@@ -2406,7 +2393,6 @@ static int run(int argc, char *argv[]) {
                                                 volume,
                                                 /* type= */ NULL,
                                                 until,
-                                                arg_headless,
                                                 /* userdata= */ NULL,
                                                 flags,
                                                 "Please enter LUKS2 token PIN:",
index b9ee8acc4c1b18c95d05bb5ce02f7a4416c88a0a..bb582d7d473a7478d7d7f678e020a825569282cb 100644 (file)
@@ -153,7 +153,14 @@ int identity_add_pkcs11_key_data(JsonVariant **v, const char *uri) {
 
         assert(v);
 
-        r = pkcs11_acquire_public_key(uri, "home directory operation", "user-home", "home.token-pin", &pkey, &pin);
+        r = pkcs11_acquire_public_key(
+                        uri,
+                        "home directory operation",
+                        "user-home",
+                        "home.token-pin",
+                        /* askpw_flags= */ 0,
+                        &pkey,
+                        &pin);
         if (r < 0)
                 return r;
 
index a9d9cde97bf952849726ff33c8f332e1dd37f982..462b3d2e003b5c6d9aa8958e398d5f478c3033c1 100644 (file)
@@ -224,6 +224,9 @@ int ask_password_plymouth(
 
         assert(ret);
 
+        if (FLAGS_SET(flags, ASK_PASSWORD_HEADLESS))
+                return -ENOEXEC;
+
         const char *message = req && req->message ? req->message : "Password:";
 
         if (flag_file) {
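Review bot: The new headless guard is placed ahead of the existing ASK_PASSWORD_NO_TTY and ASK_PASSWORD_NO_AGENT checks in the ask_password_tty and ask_password_agent hunks, so a caller combining ASK_PASSWORD_HEADLESS with those flags now receives -ENOEXEC rather than -EUNATCH; if ask_password_auto (not in the hunk) treats -EUNATCH as "try the next backend", the new code deliberately stops that chain, which is presumably intended but undocumented. Suggest a short comment above each of the three checks, `/* Headless: never query interactively; unlike -EUNATCH this is not a "try another backend" error */`, or one sentence in the header next to the flag. All three enclosing functions start outside their hunks.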
@@ -378,6 +381,9 @@ int ask_password_tty(
 
         assert(ret);
 
+        if (FLAGS_SET(flags, ASK_PASSWORD_HEADLESS))
+                return -ENOEXEC;
+
         if (FLAGS_SET(flags, ASK_PASSWORD_NO_TTY))
                 return -EUNATCH;
 
@@ -700,6 +706,9 @@ int ask_password_agent(
 
         assert(ret);
 
+        if (FLAGS_SET(flags, ASK_PASSWORD_HEADLESS))
+                return -ENOEXEC;
+
         if (FLAGS_SET(flags, ASK_PASSWORD_NO_AGENT))
                 return -EUNATCH;
 
index fced27798f27577c83ba982fd290e9af6f23dbd5..e851d6d087d5a85a0cc7d344e55e9973cbf56f31 100644 (file)
@@ -15,6 +15,7 @@ typedef enum AskPasswordFlags {
         ASK_PASSWORD_CONSOLE_COLOR = 1 << 6, /* Use color if /dev/console points to a console that supports color */
         ASK_PASSWORD_NO_CREDENTIAL = 1 << 7, /* never use $CREDENTIALS_DIRECTORY data */
         ASK_PASSWORD_HIDE_EMOJI    = 1 << 8, /* hide the lock and key emoji */
+        ASK_PASSWORD_HEADLESS      = 1 << 9, /* headless mode: never query interactively */
 } AskPasswordFlags;
 
 /* Encapsulates the mostly static fields of a password query */
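Review bot: The comment on ASK_PASSWORD_HEADLESS does not say what a caller observes when the flag reaches the backends, while the ask-password-api.c hunks make ask_password_tty, ask_password_agent and ask_password_plymouth return -ENOEXEC for it. Suggest `ASK_PASSWORD_HEADLESS      = 1 << 9, /* headless mode: never query interactively; tty/agent/plymouth backends fail with -ENOEXEC */` so the contract lives in the header rather than only in the commit message.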
index d22c1059e6b40b632ef6e41486def56d21243dfa..5ab5cefe8f0ea09fbf9e37fc3bd69b0fe7028d12 100644 (file)
@@ -24,7 +24,6 @@ int acquire_fido2_key(
                 const void *key_data,
                 size_t key_data_size,
                 usec_t until,
-                bool headless,
                 Fido2EnrollFlags required,
                 const char *askpw_credential,
                 AskPasswordFlags askpw_flags,
@@ -39,7 +38,7 @@ int acquire_fido2_key(
         size_t salt_size;
         int r;
 
-        if ((required & (FIDO2ENROLL_PIN | FIDO2ENROLL_UP | FIDO2ENROLL_UV)) && headless)
+        if ((required & (FIDO2ENROLL_PIN | FIDO2ENROLL_UP | FIDO2ENROLL_UV)) && FLAGS_SET(askpw_flags, ASK_PASSWORD_HEADLESS))
                 return log_error_errno(SYNTHETIC_ERRNO(ENOPKG),
                                         "Local verification is required to unlock this volume, but the 'headless' parameter was set.");
 
@@ -116,7 +115,7 @@ int acquire_fido2_key(
                 device_exists = true; /* that a PIN is needed/wasn't correct means that we managed to
                                        * talk to a device */
 
-                if (headless)
+                if (FLAGS_SET(askpw_flags, ASK_PASSWORD_HEADLESS))
                         return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the '$PIN' environment variable.");
 
                 static const AskPasswordRequest req = {
@@ -141,7 +140,6 @@ int acquire_fido2_key_auto(
                 const char *friendly_name,
                 const char *fido2_device,
                 usec_t until,
-                bool headless,
                 const char *askpw_credential,
                 AskPasswordFlags askpw_flags,
                 void **ret_decrypted_key,
@@ -263,7 +261,6 @@ int acquire_fido2_key_auto(
                                 /* key_file_offset= */ 0,
                                 salt, salt_size,
                                 until,
-                                headless,
                                 required,
                                 "cryptsetup.fido2-pin",
                                 askpw_flags,
index d99ad05725aab75668538a6b505564e405a7123f..bd255668065a26e5b9715ca113d3d928f367e8a9 100644 (file)
@@ -23,7 +23,6 @@ int acquire_fido2_key(
                 const void *key_data,
                 size_t key_data_size,
                 usec_t until,
-                bool headless,
                 Fido2EnrollFlags required,
                 const char *askpw_credential,
                 AskPasswordFlags askpw_flags,
@@ -36,7 +35,6 @@ int acquire_fido2_key_auto(
                 const char *friendly_name,
                 const char *fido2_device,
                 usec_t until,
-                bool headless,
                 const char *askpw_credential,
                 AskPasswordFlags askpw_flags,
                 void **ret_decrypted_key,
@@ -57,7 +55,6 @@ static inline int acquire_fido2_key(
                 const void *key_data,
                 size_t key_data_size,
                 usec_t until,
-                bool headless,
                 Fido2EnrollFlags required,
                 const char *askpw_credential,
                 AskPasswordFlags askpw_flags,
@@ -74,7 +71,6 @@ static inline int acquire_fido2_key_auto(
                 const char *friendly_name,
                 const char *fido2_device,
                 usec_t until,
-                bool headless,
                 const char *askpw_credential,
                 AskPasswordFlags askpw_flags,
                 void **ret_decrypted_key,
index 85bc42aef00b7ea6a633f3024a9b832c95205bbc..ee664a95a1abab21815d993457d4e0597fe93b3e 100644 (file)
@@ -14,7 +14,6 @@
 
 static int get_pin(
                 usec_t until,
-                bool headless,
                 const char *askpw_credential,
                 AskPasswordFlags askpw_flags,
                 char **ret_pin_str) {
@@ -28,7 +27,7 @@ static int get_pin(
         if (r < 0)
                 return log_error_errno(r, "Failed to acquire PIN from environment: %m");
         if (!r) {
-                if (headless)
+                if (FLAGS_SET(askpw_flags, ASK_PASSWORD_HEADLESS))
                         return log_error_errno(
                                         SYNTHETIC_ERRNO(ENOPKG),
                                         "PIN querying disabled via 'headless' option. "
@@ -42,11 +41,7 @@ static int get_pin(
                 };
 
                 pin = strv_free_erase(pin);
-                r = ask_password_auto(
-                                &req,
-                                until,
-                                askpw_flags,
-                                &pin);
+                r = ask_password_auto(&req, until, askpw_flags, &pin);
                 if (r < 0)
                         return log_error_errno(r, "Failed to ask for user pin: %m");
                 assert(strv_length(pin) == 1);
@@ -81,7 +76,6 @@ int acquire_tpm2_key(
                 const struct iovec *pcrlock_nv,
                 TPM2Flags flags,
                 usec_t until,
-                bool headless,
                 const char *askpw_credential,
                 AskPasswordFlags askpw_flags,
                 struct iovec *ret_decrypted_key) {
@@ -179,7 +173,7 @@ int acquire_tpm2_key(
                 if (i <= 0)
                         return -EACCES;
 
-                r = get_pin(until, headless, askpw_credential, askpw_flags, &pin_str);
+                r = get_pin(until, askpw_credential, askpw_flags, &pin_str);
                 if (r < 0)
                         return r;
 
index 5809655c151058deb603394cfd03629b17695fbc..b9905f4f4b9fd2c4052b121abe0db17d2894de1b 100644 (file)
@@ -31,7 +31,6 @@ int acquire_tpm2_key(
                 const struct iovec *pcrlock_nv,
                 TPM2Flags flags,
                 usec_t until,
-                bool headless,
                 const char *askpw_credential,
                 AskPasswordFlags askpw_flags,
                 struct iovec *ret_decrypted_key);
@@ -76,7 +75,6 @@ static inline int acquire_tpm2_key(
                 const struct iovec *pcrlock_nv,
                 TPM2Flags flags,
                 usec_t until,
-                bool headless,
                 const char *askpw_credential,
                 AskPasswordFlags askpw_flags,
                 struct iovec *ret_decrypted_key) {
index bfaca79bc8bfea458f4cf9734b09e6d23115f94b..c330d9b6e0f878ebfc4116730bd4098852b01f8b 100644 (file)
@@ -295,8 +295,7 @@ int pkcs11_token_login(
                 const char *askpw_keyring,
                 const char *askpw_credential,
                 usec_t until,
-                AskPasswordFlags ask_password_flags,
-                bool headless,
+                AskPasswordFlags askpw_flags,
                 char **ret_used_pin) {
 
         _cleanup_free_ char *token_uri_string = NULL, *token_uri_escaped = NULL, *id = NULL, *token_label = NULL;
@@ -351,7 +350,7 @@ int pkcs11_token_login(
                         if (!passwords)
                                 return log_oom();
 
-                } else if (headless)
+                } else if (FLAGS_SET(askpw_flags, ASK_PASSWORD_HEADLESS))
                         return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the 'PIN' environment variable.");
                 else {
                         _cleanup_free_ char *text = NULL;
@@ -384,7 +383,7 @@ int pkcs11_token_login(
                         };
 
                         /* We never cache PINs, simply because it's fatal if we use wrong PINs, since usually there are only 3 tries */
-                        r = ask_password_auto(&req, until, ask_password_flags, &passwords);
+                        r = ask_password_auto(&req, until, askpw_flags, &passwords);
                         if (r < 0)
                                 return log_error_errno(r, "Failed to query PIN for security token '%s': %m", token_label);
                 }
@@ -1653,7 +1652,6 @@ struct pkcs11_acquire_public_key_callback_data {
         EVP_PKEY *pkey;
         const char *askpw_friendly_name, *askpw_icon, *askpw_credential;
         AskPasswordFlags askpw_flags;
-        bool headless;
 };
 
 static void pkcs11_acquire_public_key_callback_data_release(struct pkcs11_acquire_public_key_callback_data *data) {
@@ -1703,7 +1701,6 @@ static int pkcs11_acquire_public_key_callback(
                         data->askpw_credential,
                         UINT64_MAX,
                         data->askpw_flags,
-                        data->headless,
                         &pin_used);
         if (r < 0)
                 return r;
@@ -1831,6 +1828,7 @@ int pkcs11_acquire_public_key(
                 const char *askpw_friendly_name,
                 const char *askpw_icon,
                 const char *askpw_credential,
+                AskPasswordFlags askpw_flags,
                 EVP_PKEY **ret_pkey,
                 char **ret_pin_used) {
 
@@ -1838,6 +1836,7 @@ int pkcs11_acquire_public_key(
                 .askpw_friendly_name = askpw_friendly_name,
                 .askpw_icon = askpw_icon,
                 .askpw_credential = askpw_credential,
+                .askpw_flags = askpw_flags,
         };
         int r;
 
@@ -2045,7 +2044,6 @@ int pkcs11_crypt_device_callback(
                         data->askpw_credential,
                         data->until,
                         data->askpw_flags,
-                        data->headless,
                         NULL);
         if (r < 0)
                 return r;
index dbd88ede677352bdc8c074f9cad69426d816f199..6927a37113f0bf1c124fb712bc28fe253e1ccc41 100644 (file)
@@ -53,7 +53,7 @@ char *pkcs11_token_manufacturer_id(const CK_TOKEN_INFO *token_info);
 char *pkcs11_token_model(const CK_TOKEN_INFO *token_info);
 
 int pkcs11_token_login_by_pin(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, const CK_TOKEN_INFO *token_info, const char *token_label, const void *pin, size_t pin_size);
-int pkcs11_token_login(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_SLOT_ID slotid, const CK_TOKEN_INFO *token_info, const char *friendly_name, const char *icon_name, const char *key_name, const char *credential_name, usec_t until, AskPasswordFlags ask_password_flags, bool headless, char **ret_used_pin);
+int pkcs11_token_login(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_SLOT_ID slotid, const CK_TOKEN_INFO *token_info, const char *friendly_name, const char *icon_name, const char *key_name, const char *credential_name, usec_t until, AskPasswordFlags ask_password_flags, char **ret_used_pin);
 
 int pkcs11_token_find_related_object(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE prototype, CK_OBJECT_CLASS class, CK_OBJECT_HANDLE *ret_object);
 int pkcs11_token_find_x509_certificate(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, P11KitUri *search_uri, CK_OBJECT_HANDLE *ret_object);
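Review bot: The pkcs11_token_login prototype still names its parameter `ask_password_flags` while the definition in the pkcs11-util.c hunk renamed it to `askpw_flags`; C accepts the mismatch, but the header is what callers read, so the two should agree. Suggest changing the tail of the declaration to `usec_t until, AskPasswordFlags askpw_flags, char **ret_used_pin);`.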
@@ -71,7 +71,7 @@ typedef int (*pkcs11_find_token_callback_t)(CK_FUNCTION_LIST *m, CK_SESSION_HAND
 int pkcs11_find_token(const char *pkcs11_uri, pkcs11_find_token_callback_t callback, void *userdata);
 
 #if HAVE_OPENSSL
-int pkcs11_acquire_public_key(const char *uri, const char *askpw_friendly_name, const char *askpw_icon, const char *askpw_credential, EVP_PKEY **ret_pkey, char **ret_pin_used);
+int pkcs11_acquire_public_key(const char *uri, const char *askpw_friendly_name, const char *askpw_icon, const char *askpw_credential, AskPasswordFlags askpw_flags, EVP_PKEY **ret_pkey, char **ret_pin_used);
 #endif
 
 typedef struct {
@@ -82,7 +82,6 @@ typedef struct {
         void *decrypted_key;
         size_t decrypted_key_size;
         bool free_encrypted_key;
-        bool headless;
         const char *askpw_credential;
         AskPasswordFlags askpw_flags;
 } pkcs11_crypt_device_callback_data;
@@ -111,7 +110,6 @@ static inline int dlopen_p11kit(void) {
 typedef struct {
         const char *friendly_name;
         usec_t until;
-        bool headless;
         const char *askpw_credential;
         AskPasswordFlags askpw_flags;
 } systemd_pkcs11_plugin_params;
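Review bot: Removing `bool headless` from systemd_pkcs11_plugin_params moves askpw_credential and askpw_flags to new offsets in a struct that cryptsetup.c hands through libcryptsetup as opaque userdata and that the luks2-pkcs11.c token plugin reads back in its hunk. If the plugin shared object and systemd-cryptsetup can ever come from different builds, an older plugin would read a pointer field at the offset where the bool used to sit, which is a silent type confusion rather than a clean failure. If both always ship from the same build, as the shared tree suggests, this is fine, but the constraint is worth stating on the struct: `/* Layout is shared with the libcryptsetup token plugin (cryptsetup-tokens/luks2-pkcs11.c); change fields only in lockstep with it. */`. The same applies to pkcs11_crypt_device_callback_data in the preceding hunk if it crosses that boundary too.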