device,
/* until= */ 0,
/* headless= */ false,
+ "cryptenroll.fido2-pin",
+ ASK_PASSWORD_PUSH_CACHE|ASK_PASSWORD_ACCEPT_CACHED,
&decrypted_key,
- &decrypted_key_size,
- ASK_PASSWORD_PUSH_CACHE|ASK_PASSWORD_ACCEPT_CACHED);
+ &decrypted_key_size);
if (r == -EAGAIN)
return log_error_errno(r, "FIDO2 token does not exist, or UV is blocked. Please try again.");
if (r < 0)
tpm2_flags,
/* until= */ 0,
/* headless= */ false,
- /* ask_password_flags= */ 0,
+ "cryptenroll.tpm2-pin",
+ /* askpw_flags= */ 0,
&decrypted_key);
if (IN_SET(r, -EACCES, -ENOLCK))
return log_notice_errno(SYNTHETIC_ERRNO(EAGAIN), "TPM2 PIN unlock failed");
until,
arg_headless,
required,
- &decrypted_key, &decrypted_key_size,
- arg_ask_password_flags);
+ "cryptsetup.fido2-pin",
+ arg_ask_password_flags,
+ &decrypted_key,
+ &decrypted_key_size);
else
r = acquire_fido2_key_auto(
cd,
arg_fido2_device,
until,
arg_headless,
- &decrypted_key, &decrypted_key_size,
- arg_ask_password_flags);
+ "cryptsetup.fido2-pin",
+ arg_ask_password_flags,
+ &decrypted_key,
+ &decrypted_key_size);
if (r >= 0)
break;
}
arg_tpm2_pin ? TPM2_FLAGS_USE_PIN : 0,
until,
arg_headless,
+ "cryptsetup.tpm2-pin",
arg_ask_password_flags,
&decrypted_key);
if (r >= 0)
tpm2_flags,
until,
arg_headless,
+ "cryptsetup.tpm2-pin",
arg_ask_password_flags,
&decrypted_key);
if (IN_SET(r, -EACCES, -ENOLCK))
usec_t until,
bool headless,
Fido2EnrollFlags required,
+ const char *askpw_credential,
+ AskPasswordFlags askpw_flags,
void **ret_decrypted_key,
- size_t *ret_decrypted_key_size,
- AskPasswordFlags ask_password_flags) {
+ size_t *ret_decrypted_key_size) {
_cleanup_(erase_and_freep) char *envpw = NULL;
_cleanup_strv_free_erase_ char **pins = NULL;
return log_error_errno(SYNTHETIC_ERRNO(ENOPKG),
"Local verification is required to unlock this volume, but the 'headless' parameter was set.");
- ask_password_flags |= ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED;
+ askpw_flags |= ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED;
assert(cid);
assert(key_file || key_data);
};
pins = strv_free_erase(pins);
- r = ask_password_auto(&req, until, ask_password_flags, &pins);
+ r = ask_password_auto(&req, until, askpw_flags, &pins);
if (r < 0)
return log_error_errno(r, "Failed to ask for user password: %m");
- ask_password_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
+ askpw_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
}
}
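Review bot: acquire_fido2_key now takes askpw_credential, but the AskPasswordRequest initializer that closes at the `};` context line just above the ask_password_auto call is unchanged in this diff, so its .credential field appears to still name a fixed credential instead of the new parameter; if so, askpw_credential is dead inside this function and the distinct names the callers pass (cryptenroll vs. cryptsetup) have no effect for the FIDO2 PIN prompt. Set `.credential = askpw_credential,` in that initializer and, as the get_pin change in cryptsetup-tpm2.c does, drop `static const` from the request declaration since the value is now supplied at runtime. The initializer lines themselves are outside this hunk, so this should be checked against the full file; the enclosing function also begins before the hunk.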
const char *fido2_device,
usec_t until,
bool headless,
+ const char *askpw_credential,
+ AskPasswordFlags askpw_flags,
void **ret_decrypted_key,
- size_t *ret_decrypted_key_size,
- AskPasswordFlags ask_password_flags) {
+ size_t *ret_decrypted_key_size) {
_cleanup_free_ void *cid = NULL;
size_t cid_size = 0;
until,
headless,
required,
- ret_decrypted_key, ret_decrypted_key_size,
- ask_password_flags);
+ "cryptsetup.fido2-pin",
+ askpw_flags,
+ ret_decrypted_key,
+ ret_decrypted_key_size);
if (ret == 0)
break;
}
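Review bot: acquire_fido2_key_auto still passes the literal `"cryptsetup.fido2-pin"` to acquire_fido2_key on the line `+ "cryptsetup.fido2-pin",`, so the askpw_credential parameter added to its own signature is never forwarded and a caller cannot select a different credential through this entry point. Replace that line with `askpw_credential,` so the name flows through the same way askpw_flags does on the following line. The retry loop and the function itself start before this hunk.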
usec_t until,
bool headless,
Fido2EnrollFlags required,
+ const char *askpw_credential,
+ AskPasswordFlags askpw_flags,
void **ret_decrypted_key,
- size_t *ret_decrypted_key_size,
- AskPasswordFlags ask_password_flags);
+ size_t *ret_decrypted_key_size);
int acquire_fido2_key_auto(
struct crypt_device *cd,
const char *fido2_device,
usec_t until,
bool headless,
+ const char *askpw_credential,
+ AskPasswordFlags askpw_flags,
void **ret_decrypted_key,
- size_t *ret_decrypted_key_size,
- AskPasswordFlags ask_password_flags);
+ size_t *ret_decrypted_key_size);
#else
usec_t until,
bool headless,
Fido2EnrollFlags required,
+ const char *askpw_credential,
+ AskPasswordFlags askpw_flags,
void **ret_decrypted_key,
- size_t *ret_decrypted_key_size,
- AskPasswordFlags ask_password_flags) {
+ size_t *ret_decrypted_key_size) {
return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
"FIDO2 token support not available.");
const char *fido2_device,
usec_t until,
bool headless,
+ const char *askpw_credential,
+ AskPasswordFlags askpw_flags,
void **ret_decrypted_key,
- size_t *ret_decrypted_key_size,
- AskPasswordFlags ask_password_flags) {
+ size_t *ret_decrypted_key_size) {
return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
"FIDO2 token support not available.");
#include "sha256.h"
#include "tpm2-util.h"
-static int get_pin(usec_t until, AskPasswordFlags ask_password_flags, bool headless, char **ret_pin_str) {
+static int get_pin(
+ usec_t until,
+ bool headless,
+ const char *askpw_credential,
+ AskPasswordFlags askpw_flags,
+ char **ret_pin_str) {
_cleanup_(erase_and_freep) char *pin_str = NULL;
_cleanup_strv_free_erase_ char **pin = NULL;
int r;
"PIN querying disabled via 'headless' option. "
"Use the '$PIN' environment variable.");
- static const AskPasswordRequest req = {
+ AskPasswordRequest req = {
.message = "Please enter TPM2 PIN:",
.icon = "drive-harddisk",
.keyring = "tpm2-pin",
- .credential = "cryptsetup.tpm2-pin",
+ .credential = askpw_credential,
};
pin = strv_free_erase(pin);
r = ask_password_auto(
&req,
until,
- ask_password_flags,
+ askpw_flags,
&pin);
if (r < 0)
return log_error_errno(r, "Failed to ask for user pin: %m");
TPM2Flags flags,
usec_t until,
bool headless,
- AskPasswordFlags ask_password_flags,
+ const char *askpw_credential,
+ AskPasswordFlags askpw_flags,
struct iovec *ret_decrypted_key) {
_cleanup_(json_variant_unrefp) JsonVariant *signature_json = NULL;
if (i <= 0)
return -EACCES;
- r = get_pin(until, ask_password_flags, headless, &pin_str);
+ r = get_pin(until, headless, askpw_credential, askpw_flags, &pin_str);
if (r < 0)
return r;
TPM2Flags flags,
usec_t until,
bool headless,
- AskPasswordFlags ask_password_flags,
+ const char *askpw_credential,
+ AskPasswordFlags askpw_flags,
struct iovec *ret_decrypted_key);
int find_tpm2_auto_data(
TPM2Flags flags,
usec_t until,
bool headless,
- AskPasswordFlags ask_password_flags,
+ const char *askpw_credential,
+ AskPasswordFlags askpw_flags,
struct iovec *ret_decrypted_key) {
return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),