eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-18 14:20:09 +01:00
Code Issues Packages Projects Releases Wiki Activity

Unify password verification option.

Browse Source 
Support password verification with quiet flag if possible. (1.2.0)
This commit is contained in:
Milan Broz
2012-03-16 16:17:03 +01:00
parent 9bce441a1e
commit 075fb8d261
5 changed files with 42 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
ChangeLog
View File

@@ -1,3 +1,7 @@
2012-03-16 Milan Broz <mbroz@redhat.com>
* Unify password verification option.
* Support password verification with quiet flag if possible. (1.2.0)
2012-02-11 Milan Broz <mbroz@redhat.com> 2012-02-11 Milan Broz <mbroz@redhat.com>
* Add --master-key-file option to luksOpen (open using volume key). * Add --master-key-file option to luksOpen (open using volume key).

9
man/cryptsetup.8
View File

@@ -247,6 +247,9 @@ and it is full 64bit version of plain IV. For more info please see FAQ.
.B "\-\-verify-passphrase, \-y" .B "\-\-verify-passphrase, \-y"
query for passwords twice. Useful when creating a (regular) mapping query for passwords twice. Useful when creating a (regular) mapping
for the first time, or when running \fIluksFormat\fR. for the first time, or when running \fIluksFormat\fR.
Password verification option is ignored if requested on non terminal
input (like pipe of file).
.TP .TP
.B "\-\-key-file, \-d" .B "\-\-key-file, \-d"
use file as key material. use file as key material.
@@ -347,8 +350,10 @@ This option is only relevant to the LUKS operations as
Note that 0 means default. Note that 0 means default.
.TP .TP
.B "\-\-batch-mode, \-q" .B "\-\-batch-mode, \-q"
Do not ask for confirmation. Use with care! This option is only relevant Do not ask for confirmation. Use with care!
for \fIluksFormat\fR, \fIluksAddKey\fR, \fIluksRemoveKey\fR or \fIluksKillSlot\fR.
If \-y option is not specified, batch mode option also switches off
passphrase verification for \fIluksFormat\fR.
.TP .TP
.B "\-\-timeout, \-t" .B "\-\-timeout, \-t"
The number of seconds to wait before timeout. This option is relevant every The number of seconds to wait before timeout. This option is relevant every

38
src/cryptsetup.c
View File

@@ -152,7 +152,7 @@ static int _yesDialog(const char *msg, void *usrptr __attribute__((unused)))
size_t size = 0; size_t size = 0;
int r = 1; int r = 1;
if(isatty(0) && !opt_batch_mode) { if(isatty(STDIN_FILENO) && !opt_batch_mode) {
log_std("\nWARNING!\n========\n"); log_std("\nWARNING!\n========\n");
log_std("%s\n\nAre you sure? (Type uppercase yes): ", msg); log_std("%s\n\nAre you sure? (Type uppercase yes): ", msg);
if(getline(&answer, &size, stdin) == -1) { if(getline(&answer, &size, stdin) == -1) {
@@ -199,6 +199,24 @@ static void _quiet_log(int level, const char *msg, void *usrptr)
_log(level, msg, usrptr); _log(level, msg, usrptr);
} }
static int _verify_passphrase(int def)
{
/* Batch mode switch off verify - if not overrided by -y */
if (opt_verify_passphrase)
def = 1;
else if (opt_batch_mode)
def = 0;
/* Non-tty input doesn't allow verify */
if (def && !isatty(STDIN_FILENO)) {
if (opt_verify_passphrase)
log_err(_("Can't do passphrase verification on non-tty inputs.\n"));
def = 0;
}
return def;
}
static void show_status(int errcode) static void show_status(int errcode)
{ {
char error[256], *error_; char error[256], *error_;
@@ -294,7 +312,7 @@ static int action_create(int arg __attribute__((unused)))
r = crypt_get_key(_("Enter passphrase: "), r = crypt_get_key(_("Enter passphrase: "),
&password, &passwordLen, opt_keyfile_size, &password, &passwordLen, opt_keyfile_size,
NULL, opt_timeout, NULL, opt_timeout,
opt_batch_mode ? 0 : opt_verify_passphrase, _verify_passphrase(0),
cd); cd);
if (r < 0) if (r < 0)
goto out; goto out;
@@ -510,7 +528,6 @@ static int action_luksFormat(int arg __attribute__((unused)))
keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8; keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
crypt_set_password_verify(cd, 1);
crypt_set_timeout(cd, opt_timeout); crypt_set_timeout(cd, opt_timeout);
if (opt_iteration_time) if (opt_iteration_time)
crypt_set_iteration_time(cd, opt_iteration_time); crypt_set_iteration_time(cd, opt_iteration_time);
@@ -522,7 +539,7 @@ static int action_luksFormat(int arg __attribute__((unused)))
r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen, r = crypt_get_key(_("Enter LUKS passphrase: "), &password, &passwordLen,
opt_keyfile_size, opt_key_file, opt_timeout, opt_keyfile_size, opt_key_file, opt_timeout,
opt_batch_mode ? 0 : 1 /* always verify */, cd); _verify_passphrase(1), cd);
if (r < 0) if (r < 0)
goto out; goto out;
@@ -582,6 +599,7 @@ static int action_luksOpen(int arg __attribute__((unused)))
crypt_set_timeout(cd, opt_timeout); crypt_set_timeout(cd, opt_timeout);
crypt_set_password_retry(cd, opt_tries); crypt_set_password_retry(cd, opt_tries);
crypt_set_password_verify(cd, _verify_passphrase(0));
if (opt_iteration_time) if (opt_iteration_time)
crypt_set_iteration_time(cd, opt_iteration_time); crypt_set_iteration_time(cd, opt_iteration_time);
@@ -628,7 +646,7 @@ static int verify_keyslot(struct crypt_device *cd, int key_slot,
r = crypt_get_key(msg_pass, &password, &passwordLen, r = crypt_get_key(msg_pass, &password, &passwordLen,
keyfile_size, key_file, opt_timeout, keyfile_size, key_file, opt_timeout,
opt_batch_mode ? 0 : opt_verify_passphrase, cd); _verify_passphrase(0), cd);
if(r < 0) if(r < 0)
goto out; goto out;
@@ -718,7 +736,7 @@ static int action_luksRemoveKey(int arg __attribute__((unused)))
&password, &passwordLen, &password, &passwordLen,
opt_keyfile_size, opt_key_file, opt_keyfile_size, opt_key_file,
opt_timeout, opt_timeout,
opt_batch_mode ? 0 : opt_verify_passphrase, _verify_passphrase(0),
cd); cd);
if(r < 0) if(r < 0)
goto out; goto out;
@@ -762,7 +780,8 @@ static int action_luksAddKey(int arg __attribute__((unused)))
goto out; goto out;
keysize = crypt_get_volume_key_size(cd); keysize = crypt_get_volume_key_size(cd);
crypt_set_password_verify(cd, opt_verify_passphrase ? 1 : 0); /* FIXME: lib cannot properly set verification for new/old passphrase */
crypt_set_password_verify(cd, _verify_passphrase(0));
crypt_set_timeout(cd, opt_timeout); crypt_set_timeout(cd, opt_timeout);
if (opt_iteration_time) if (opt_iteration_time)
crypt_set_iteration_time(cd, opt_iteration_time); crypt_set_iteration_time(cd, opt_iteration_time);
@@ -819,7 +838,7 @@ static int action_luksChangeKey(int arg __attribute__((unused)))
r = crypt_get_key(_("Enter LUKS passphrase to be changed: "), r = crypt_get_key(_("Enter LUKS passphrase to be changed: "),
&password, &passwordLen, &password, &passwordLen,
opt_keyfile_size, opt_key_file, opt_timeout, opt_keyfile_size, opt_key_file, opt_timeout,
opt_batch_mode ? 0 : opt_verify_passphrase, cd); _verify_passphrase(0), cd);
if (r < 0) if (r < 0)
goto out; goto out;
@@ -856,7 +875,7 @@ static int action_luksChangeKey(int arg __attribute__((unused)))
r = crypt_get_key(_("Enter new LUKS passphrase: "), r = crypt_get_key(_("Enter new LUKS passphrase: "),
&password, &passwordLen, &password, &passwordLen,
opt_new_keyfile_size, opt_new_key_file, opt_new_keyfile_size, opt_new_key_file,
opt_timeout, opt_batch_mode ? 0 : 1, cd); opt_timeout, _verify_passphrase(0), cd);
if (r < 0) if (r < 0)
goto out; goto out;
@@ -1021,6 +1040,7 @@ static int action_luksResume(int arg __attribute__((unused)))
crypt_set_timeout(cd, opt_timeout); crypt_set_timeout(cd, opt_timeout);
crypt_set_password_retry(cd, opt_tries); crypt_set_password_retry(cd, opt_tries);
crypt_set_password_verify(cd, _verify_passphrase(0));
if (opt_key_file) if (opt_key_file)
r = crypt_resume_by_keyfile(cd, action_argv[0], CRYPT_ANY_SLOT, r = crypt_resume_by_keyfile(cd, action_argv[0], CRYPT_ANY_SLOT,

2
tests/compat-test
View File

@@ -313,7 +313,7 @@ echo "key0" | $CRYPTSETUP -q create $DEV_NAME --hash sha1 --size 100 $LOOPDEV ||
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
$CRYPTSETUP -q remove $DEV_NAME || fail $CRYPTSETUP -q remove $DEV_NAME || fail
# verify is ignored on non-tty input # verify is ignored on non-tty input
echo "key0" | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --verify-passphrase || fail echo "key0" | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --verify-passphrase 2>/dev/null || fail
$CRYPTSETUP -q remove $DEV_NAME || fail $CRYPTSETUP -q remove $DEV_NAME || fail
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size 255 2>/dev/null && fail $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size 255 2>/dev/null && fail
$CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size -1 2>/dev/null && fail $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 --key-size -1 2>/dev/null && fail