eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-05 16:00:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

Remove password callback interface.

Browse Source 
This was a design mistake and should not be handled inside libcryptsetup code.
This commit is contained in:
Milan Broz
2015-08-20 10:38:28 +02:00
parent 5293f5aae1
commit 4aea3b81ee
8 changed files with 14 additions and 251 deletions
Download Patch File Download Diff File Expand all files Collapse all files

88
lib/libcryptsetup.h
View File

@@ -155,61 +155,6 @@ void crypt_set_confirm_callback(struct crypt_device *cd,
int (*confirm)(const char *msg, void *usrptr),
void *usrptr);
/**
* Set password query callback. DEPRECATED
*
* If code need @e _interactive_ query for password, this callback is called.
* If not defined, compiled-in default is called (uses terminal input).
*
* Callback should return length of password in buffer
* or negative errno value in case of error.
*
* @param cd crypt device handle
* @param password user defined password callback reference
* @param usrptr provided identification in callback
* @param msg Message for user
* @param buf buffer for password
* @param length size of buffer
*
* @note Note that if this function is defined, verify option is ignored
* (caller which provided callback is responsible for password verification)
* @note Only zero terminated passwords can be entered this way, for complex
* use API functions directly.
* @note Maximal length of password is limited to @e length @e - @e 1 (minimal 511 chars)
* @note This function is DEPRECATED and will be removed in future versions.
*
* @see Callback function is used in these call provided, that certain conditions are met:
* @li crypt_keyslot_add_by_passphrase
* @li crypt_activate_by_passphrase
* @li crypt_resume_by_passphrase
* @li crypt_resume_by_keyfile
* @li crypt_keyslot_add_by_keyfile
* @li crypt_keyslot_add_by_volume_key
*
*/
void crypt_set_password_callback(struct crypt_device *cd,
int (*password)(const char *msg, char *buf, size_t length, void *usrptr),
void *usrptr);
/**
* Set timeout for interactive password entry using default
* password callback. DEPRECATED
*
* @param cd crypt device handle
* @param timeout_sec timeout in seconds
*/
void crypt_set_timeout(struct crypt_device *cd, uint64_t timeout_sec);
/**
* Set number of retries in case password input has been incorrect. DEPRECATED.
*
* @param cd crypt device handle
* @param tries the number
*
* @note This function is DEPRECATED and will be removed in future versions.
*/
void crypt_set_password_retry(struct crypt_device *cd, int tries);
/**
* Set how long should cryptsetup iterate in PBKDF2 function.
* Default value heads towards the iterations which takes around 1 second.
@@ -218,19 +163,6 @@ void crypt_set_password_retry(struct crypt_device *cd, int tries);
* @param iteration_time_ms the time in ms
*/
void crypt_set_iteration_time(struct crypt_device *cd, uint64_t iteration_time_ms);
/* Don't ask :-) */
void crypt_set_iterarion_time(struct crypt_device *cd, uint64_t iteration_time_ms);
/**
* Set whether passphrase will be verified on input
* (user has to input same passphrase twice). DEPRECATED
*
* @param cd crypt device handle
* @param password_verify @e 0 = false, @e !0 true
*
* @note This function is DEPRECATED and will be removed in future versions.
*/
void crypt_set_password_verify(struct crypt_device *cd, int password_verify);
/**
* Set data device
@@ -540,8 +472,6 @@ int crypt_suspend(struct crypt_device *cd,
* @return unlocked key slot number or negative errno otherwise.
*
* @note Only LUKS device type is supported
* @note If passphrase is @e NULL always use crypt_set_password_callback.
* Internal terminal password query is DEPRECATED and will be removed in next version.
*/
int crypt_resume_by_passphrase(struct crypt_device *cd,
const char *name,
@@ -560,9 +490,6 @@ int crypt_resume_by_passphrase(struct crypt_device *cd,
* @param keyfile_offset number of bytes to skip at start of keyfile
*
* @return unlocked key slot number or negative errno otherwise.
*
* @note If passphrase is @e NULL always use crypt_set_password_callback.
* Internal terminal password query is DEPRECATED and will be removed in next version.
*/
int crypt_resume_by_keyfile_offset(struct crypt_device *cd,
const char *name,
@@ -609,9 +536,6 @@ void crypt_free(struct crypt_device *cd);
* @param new_passphrase_size size of @e new_passphrase (binary data)
*
* @return allocated key slot number or negative errno otherwise.
*
* @note If passphrase is @e NULL always use crypt_set_password_callback.
* Internal terminal password query is DEPRECATED and will be removed in next version.
*/
int crypt_keyslot_add_by_passphrase(struct crypt_device *cd,
int keyslot,
@@ -638,9 +562,6 @@ int crypt_keyslot_add_by_passphrase(struct crypt_device *cd,
* @note This function is just internal implementation of luksChange
* command to avoid reading of volume key outside libcryptsetup boundary
* in FIPS mode.
*
* @note If passphrase is @e NULL always use crypt_set_password_callback.
* Internal terminal password query is DEPRECATED and will be removed in next version.
*/
int crypt_keyslot_change_by_passphrase(struct crypt_device *cd,
int keyslot_old,
@@ -665,9 +586,6 @@ int crypt_keyslot_change_by_passphrase(struct crypt_device *cd,
* @param new_keyfile_offset number of bytes to skip at start of new_keyfile
*
* @return allocated key slot number or negative errno otherwise.
*
* @note Note that @e keyfile can be "-" for STDIN. This special handling is DEPRECATED
* and will be removed in next version.
*/
int crypt_keyslot_add_by_keyfile_offset(struct crypt_device *cd,
int keyslot,
@@ -700,9 +618,6 @@ int crypt_keyslot_add_by_keyfile(struct crypt_device *cd,
* @param passphrase_size size of passphrase
*
* @return allocated key slot number or negative errno otherwise.
*
* @note If passphrase is @e NULL always use crypt_set_password_callback.
* Internal terminal password query is DEPRECATED and will be removed in next version.
*/
int crypt_keyslot_add_by_volume_key(struct crypt_device *cd,
int keyslot,
@@ -791,9 +706,6 @@ int crypt_get_active_device(struct crypt_device *cd,
* @param flags activation flags
*
* @return unlocked key slot number or negative errno otherwise.
*
* @note If passphrase is @e NULL always use crypt_set_password_callback.
* Internal terminal password query is DEPRECATED and will be removed in next version.
*/
int crypt_activate_by_passphrase(struct crypt_device *cd,
const char *name,

5
lib/libcryptsetup.sym
View File

@@ -5,12 +5,7 @@ CRYPTSETUP_1.0 {
crypt_init_by_name_and_header;
crypt_set_log_callback;
crypt_set_confirm_callback;
crypt_set_password_callback;
crypt_set_timeout;
crypt_set_password_retry;
crypt_set_iterarion_time;
crypt_set_iteration_time;
crypt_set_password_verify;
crypt_set_uuid;
crypt_set_data_device;

37
lib/setup.c
View File

@@ -43,10 +43,7 @@ struct crypt_device {
struct device *metadata_device;
struct volume_key *volume_key;
uint64_t timeout;
uint64_t iteration_time;
int tries;
int password_verify;
int rng_type;
// FIXME: private binary headers and access it properly
@@ -93,8 +90,6 @@ struct crypt_device {
void *log_usrptr;
int (*confirm)(const char *msg, void *usrptr);
void *confirm_usrptr;
int (*password)(const char *msg, char *buf, size_t length, void *usrptr);
void *password_usrptr;
/* last error message */
char error[MAX_ERROR_LENGTH];
@@ -476,14 +471,6 @@ void crypt_set_confirm_callback(struct crypt_device *cd,
cd->confirm_usrptr = usrptr;
}
void crypt_set_password_callback(struct crypt_device *cd,
int (*password)(const char *msg, char *buf, size_t length, void *usrptr),
void *usrptr)
{
cd->password = password;
cd->password_usrptr = usrptr;
}
static void _get_error(char *error, char *buf, size_t size)
{
if (!buf || size < 1)
@@ -535,8 +522,6 @@ int crypt_init(struct crypt_device **cd, const char *device)
dm_backend_init();
h->iteration_time = 1000;
h->password_verify = 0;
h->tries = 3;
h->rng_type = crypt_random_default_key_rng();
*cd = h;
return 0;
@@ -2212,33 +2197,11 @@ int crypt_volume_key_verify(struct crypt_device *cd,
return r;
}
void crypt_set_timeout(struct crypt_device *cd, uint64_t timeout_sec)
{
log_dbg("Timeout set to %" PRIu64 " miliseconds.", timeout_sec);
cd->timeout = timeout_sec;
}
void crypt_set_password_retry(struct crypt_device *cd, int tries)
{
log_dbg("Password retry count set to %d.", tries);
cd->tries = tries;
}
void crypt_set_iteration_time(struct crypt_device *cd, uint64_t iteration_time_ms)
{
log_dbg("Iteration time set to %" PRIu64 " miliseconds.", iteration_time_ms);
cd->iteration_time = iteration_time_ms;
}
void crypt_set_iterarion_time(struct crypt_device *cd, uint64_t iteration_time_ms)
{
crypt_set_iteration_time(cd, iteration_time_ms);
}
void crypt_set_password_verify(struct crypt_device *cd, int password_verify)
{
log_dbg("Password verification %s.", password_verify ? "enabled" : "disabled");
cd->password_verify = password_verify ? 1 : 0;
}
void crypt_set_rng_type(struct crypt_device *cd, int rng_type)
{

12
python/pycryptsetup-test.py
View File

@@ -40,9 +40,6 @@ def askyes(txt):
print("Question:", txt)
return 1
def askpassword(txt):
return PASSWORD
def print_status(c):
r = c.status()
print("status :",end="")
@@ -64,8 +61,7 @@ c = pycryptsetup.CryptSetup(
device = IMG,
name = DEVICE,
yesDialog = askyes,
logFunc = log,
passwordDialog = askpassword)
logFunc = log)
#c.debugLevel(pycryptsetup.CRYPT_DEBUG_ALL);
c.debugLevel(pycryptsetup.CRYPT_DEBUG_NONE);
@@ -108,16 +104,14 @@ c = pycryptsetup.CryptSetup(
device = IMG,
name = DEVICE,
yesDialog = askyes,
logFunc = log,
passwordDialog = askpassword)
logFunc = log)
print("activate:", c.activate(name = DEVICE, passphrase = PASSWORD))
c2 = pycryptsetup.CryptSetup(
name = DEVICE,
yesDialog = askyes,
logFunc = log,
passwordDialog = askpassword)
logFunc = log)
info = c2.info()
print("cipher :", info["cipher"])

58
python/pycryptsetup.c
View File

@@ -58,7 +58,6 @@ typedef struct {
/* Callbacks */
PyObject *yesDialogCB;
PyObject *cmdLineLogCB;
PyObject *passwordDialogCB;
} CryptSetupObject;
static int yesDialog(const char *msg, void *this)
@@ -88,41 +87,6 @@ static int yesDialog(const char *msg, void *this)
return 1;
}
static int passwordDialog(const char *msg, char *buf, size_t length, void *this)
{
CryptSetupObject *self = this;
PyObject *result, *arglist;
size_t len;
char *res = NULL;
if(self->passwordDialogCB){
arglist = Py_BuildValue("(s)", msg);
if (!arglist)
return -ENOMEM;
result = PyEval_CallObject(self->passwordDialogCB, arglist);
Py_DECREF(arglist);
if (!result)
return -EINVAL;
if (!PyArg_Parse(result, "z", &res)) {
Py_DECREF(result);
return -EINVAL;
}
strncpy(buf, res, length - 1);
len = strlen(res);
memset(res, 0, len);
Py_DECREF(result);
return (int)len;
}
return -EINVAL;
}
static void cmdLineLog(int cls, const char *msg, void *this)
{
CryptSetupObject *self = this;
@@ -144,7 +108,6 @@ static void CryptSetup_dealloc(CryptSetupObject* self)
/* free the callbacks */
Py_XDECREF(self->yesDialogCB);
Py_XDECREF(self->cmdLineLogCB);
Py_XDECREF(self->passwordDialogCB);
free(self->activated_as);
@@ -160,7 +123,6 @@ static PyObject *CryptSetup_new(PyTypeObject *type, PyObject *args, PyObject *kw
if (self) {
self->yesDialogCB = NULL;
self->passwordDialogCB = NULL;
self->cmdLineLogCB = NULL;
self->activated_as = NULL;
}
@@ -181,8 +143,8 @@ static PyObject *PyObjectResult(int is)
static char
CryptSetup_HELP[] =
"CryptSetup object\n\n\
constructor takes one to five arguments:\n\
__init__(device, name, yesDialog, passwordDialog, logFunc)\n\n\
constructor takes one to four arguments:\n\
__init__(device, name, yesDialog, logFunc)\n\n\
yesDialog - python function with func(text) signature, \n\
which asks the user question text and returns 1\n\
of the answer was positive or 0 if not\n\
@@ -190,16 +152,15 @@ constructor takes one to five arguments:\n\
static int CryptSetup_init(CryptSetupObject* self, PyObject *args, PyObject *kwds)
{
static const char *kwlist[] = {"device", "name", "yesDialog", "passwordDialog", "logFunc", NULL};
static const char *kwlist[] = {"device", "name", "yesDialog", "logFunc", NULL};
PyObject *yesDialogCB = NULL,
*passwordDialogCB = NULL,
*cmdLineLogCB = NULL,
*tmp = NULL;
char *device = NULL, *deviceName = NULL;
int r;
if (!PyArg_ParseTupleAndKeywords(args, kwds, "|zzOOO", CONST_CAST(char**)kwlist, &device, &deviceName,
&yesDialogCB, &passwordDialogCB, &cmdLineLogCB))
if (!PyArg_ParseTupleAndKeywords(args, kwds, "|zzOO", CONST_CAST(char**)kwlist, &device, &deviceName,
&yesDialogCB, &cmdLineLogCB))
return -1;
if (device) {
@@ -235,14 +196,6 @@ static int CryptSetup_init(CryptSetupObject* self, PyObject *args, PyObject *kwd
crypt_set_confirm_callback(self->device, yesDialog, self);
}
if (passwordDialogCB) {
tmp = self->passwordDialogCB;
Py_INCREF(passwordDialogCB);
self->passwordDialogCB = passwordDialogCB;
Py_XDECREF(tmp);
crypt_set_password_callback(self->device, passwordDialog, self);
}
if (cmdLineLogCB) {
tmp = self->cmdLineLogCB;
Py_INCREF(cmdLineLogCB);
@@ -658,7 +611,6 @@ static PyObject *CryptSetup_iterationTime(CryptSetupObject* self, PyObject *args
static PyMemberDef CryptSetup_members[] = {
{CONST_CAST(char*)"yesDialogCB", T_OBJECT_EX, offsetof(CryptSetupObject, yesDialogCB), 0, CONST_CAST(char*)"confirmation dialog callback"},
{CONST_CAST(char*)"cmdLineLogCB", T_OBJECT_EX, offsetof(CryptSetupObject, cmdLineLogCB), 0, CONST_CAST(char*)"logging callback"},
{CONST_CAST(char*)"passwordDialogCB", T_OBJECT_EX, offsetof(CryptSetupObject, passwordDialogCB), 0, CONST_CAST(char*)"password dialog callback"},
{NULL}
};

18
src/cryptsetup.c
View File

@@ -151,9 +151,6 @@ static int action_open_plain(void)
if ((r = crypt_init(&cd, action_argv[0])))
goto out;
crypt_set_timeout(cd, opt_timeout);
crypt_set_password_retry(cd, opt_tries);
r = crypt_format(cd, CRYPT_PLAIN,
cipher, cipher_mode,
NULL, NULL,
@@ -720,7 +717,6 @@ static int action_luksFormat(void)
keysize = (opt_key_size ?: DEFAULT_LUKS1_KEYBITS) / 8;
crypt_set_timeout(cd, opt_timeout);
if (opt_iteration_time)
crypt_set_iteration_time(cd, opt_iteration_time);
@@ -786,10 +782,6 @@ static int action_open_luks(void)
goto out;
}
crypt_set_timeout(cd, opt_timeout);
crypt_set_password_retry(cd, opt_tries);
crypt_set_password_verify(cd, _verify_passphrase(0));
if (opt_iteration_time)
crypt_set_iteration_time(cd, opt_iteration_time);
@@ -803,7 +795,6 @@ static int action_open_luks(void)
r = crypt_activate_by_volume_key(cd, activated_name,
key, keysize, activate_flags);
} else if (opt_key_file) {
crypt_set_password_retry(cd, 1);
r = crypt_activate_by_keyfile_offset(cd, activated_name,
opt_key_slot, opt_key_file, opt_keyfile_size,
opt_keyfile_offset, activate_flags);
@@ -870,7 +861,6 @@ static int action_luksKillSlot(void)
goto out;
crypt_set_confirm_callback(cd, yesDialog, NULL);
crypt_set_timeout(cd, opt_timeout);
if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
goto out;
@@ -913,7 +903,6 @@ static int action_luksRemoveKey(void)
goto out;
crypt_set_confirm_callback(cd, yesDialog, NULL);
crypt_set_timeout(cd, opt_timeout);
if ((r = crypt_load(cd, CRYPT_LUKS1, NULL)))
goto out;
@@ -973,9 +962,6 @@ static int action_luksAddKey(void)
opt_force_password = 1;
keysize = crypt_get_volume_key_size(cd);
/* FIXME: lib cannot properly set verification for new/old passphrase */
crypt_set_password_verify(cd, _verify_passphrase(0));
crypt_set_timeout(cd, opt_timeout);
if (opt_iteration_time)
crypt_set_iteration_time(cd, opt_iteration_time);
@@ -1233,10 +1219,6 @@ static int action_luksResume(void)
if ((r = crypt_init_by_name_and_header(&cd, action_argv[0], uuid_or_device(opt_header_device))))
goto out;
crypt_set_timeout(cd, opt_timeout);
crypt_set_password_retry(cd, opt_tries);
crypt_set_password_verify(cd, _verify_passphrase(0));
if (opt_key_file)
r = crypt_resume_by_keyfile_offset(cd, action_argv[0], CRYPT_ANY_SLOT,
opt_key_file, opt_keyfile_size, opt_keyfile_offset);

2
src/cryptsetup_reencrypt.c
View File

@@ -499,7 +499,6 @@ static int backup_luks_headers(struct reenc_ctx *rc)
(r = crypt_load(cd, CRYPT_LUKS1, NULL)))
goto out;
crypt_set_confirm_callback(cd, NULL, NULL);
if ((r = crypt_header_backup(cd, CRYPT_LUKS1, rc->header_file_org)))
goto out;
log_verbose(_("LUKS header backup of device %s created.\n"), rc->device);
@@ -646,7 +645,6 @@ static int restore_luks_header(struct reenc_ctx *rc)
r = crypt_init(&cd, rc->device);
if (r == 0) {
crypt_set_confirm_callback(cd, NULL, NULL);
r = crypt_header_restore(cd, CRYPT_LUKS1, rc->header_file_new);
}

45
tests/api-test.c
View File

@@ -850,27 +850,6 @@ static void AddDevicePlain(void)
crypt_free(cd);
}
#define CALLBACK_ERROR "calback_error xyz"
static int pass_callback_err(const char *msg, char *buf, size_t length, void *usrptr)
{
struct crypt_device *cd = usrptr;
assert(cd);
assert(length);
assert(msg);
crypt_log(cd, CRYPT_LOG_ERROR, CALLBACK_ERROR);
return -EINVAL;
}
static int pass_callback_ok(const char *msg, char *buf, size_t length, void *usrptr)
{
assert(length);
assert(msg);
strcpy(buf, PASSPHRASE);
return strlen(buf);
}
static void CallbacksTest(void)
{
struct crypt_device *cd;
@@ -897,25 +876,13 @@ static void CallbacksTest(void)
OK_(crypt_deactivate(cd, CDEVICE_1));
reset_log();
crypt_set_password_callback(cd, pass_callback_err, cd);
FAIL_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, NULL, 0, 0), "callback fails");
EQ_(strncmp(global_log, CALLBACK_ERROR, strlen(CALLBACK_ERROR)), 0);
crypt_set_password_callback(cd, pass_callback_ok, NULL);
OK_(crypt_activate_by_passphrase(cd, CDEVICE_1, CRYPT_ANY_SLOT, NULL, 0, 0));
EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
OK_(crypt_deactivate(cd, CDEVICE_1));
// Check error reporting.
// This must fail and create error message
crypt_deactivate(cd, CDEVICE_1);
// Here context must be the same
crypt_get_error(buf1, sizeof(buf1));
crypt_last_error(cd, buf2, sizeof(buf2));
OK_(!*buf1);
OK_(!*buf2);
OK_(strcmp(buf1, buf2));
//FIXME: password callback test was here
//crypt_get_error(buf1, sizeof(buf1));
//crypt_last_error(cd, buf2, sizeof(buf2));
//OK_(!*buf1);
//OK_(!*buf2);
//OK_(strcmp(buf1, buf2));
crypt_get_error(buf1, sizeof(buf1));
crypt_last_error(cd, buf2, sizeof(buf2));