path: root/src/shared/ask-password-api.c
Commit message [Author, Age, Files, Lines]
* shared/ask-password-api: backspace all chars at once [Zbigniew Jędrzejewski-Szmek, 2019-07-12, 1 file, -23/+23]
|   We'd call loop_write() separately for each char. Let's be nice to serial console users, and write the full string in one go. Coverity was complaining that we're not checking the return value from loop_write(). Rework the code a bit and add voidify. CID#1402323.
* Use _cleanup(free_and_erasep) where appropriate [Zbigniew Jędrzejewski-Szmek, 2019-07-10, 1 file, -14/+11]
|   Replaces #12959.
* ask-password: prevent buffer overflow when reading from keyring [Thadeu Lima de Souza Cascardo, 2019-05-15, 1 file, -1/+1]
|   When we read from keyring, a temporary buffer is allocated in order to determine the size needed for the entire data. However, when zeroing that area, we use the data size returned by the read instead of the lesser size allocated for the buffer. That will cause memory corruption that causes systemd-cryptsetup to crash either when a single large password is used or when multiple passwords have already been pushed to the keyring.
|
|   Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
* ask-password: add extra paranoid overflow check [Lennart Poettering, 2019-03-20, 1 file, -2/+7]
|
* ask-password: erase character read with _cleanup_ [Lennart Poettering, 2019-03-20, 1 file, -4/+1]
|   This is much nicer, since it means we erase the character regardless how we exit the scope.
* util: split out memcmp()/memset() related calls into memory-util.[ch] [Lennart Poettering, 2019-03-13, 1 file, -1/+1]
|   Just some source rearranging.
* shared/ask-password-api: when echoing multi-byte characters, print the whole sequence [Zbigniew Jędrzejewski-Szmek, 2019-02-26, 1 file, -1/+4]
|   This is untested, but I don't see how the previous code could have worked for multibyte characters (with echo on).
* basic/utf8: do not read past end of string when looking for a multi-byte character [Zbigniew Jędrzejewski-Szmek, 2019-02-26, 1 file, -6/+6]
|   Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9341.
* ask-password-api: do not call ask_password_keyring() if keyname == NULL [Yu Watanabe, 2018-12-30, 1 file, -1/+1]
|   Fixes #11295.
* ask-password: make ask_password_keyring() static [Yu Watanabe, 2018-12-30, 1 file, -1/+1]
|
* util-lib: split out all temporary file related calls into tmpfiles-util.c [Lennart Poettering, 2018-12-02, 1 file, -0/+1]
|   This splits out a bunch of functions from fileio.c that have to do with temporary files. Simply to make the header files a bit shorter, and to group things more nicely.
|
|   No code changes, just some rearranging of source files.
* tree-wide: use IOVEC_MAKE() at many places [Lennart Poettering, 2018-11-27, 1 file, -3/+1]
|
* Merge pull request #10594 from poettering/env-reload-fix [Zbigniew Jędrzejewski-Szmek, 2018-11-07, 1 file, -1/+1]
|\
| |   change handling of environment block of PID1's manager object
| * strv: wrap strv_new() in a macro so that NULL sentinel is implicit [Lennart Poettering, 2018-10-31, 1 file, -1/+1]
| |
* | ask-password: fix minor memory leak on error path [Lennart Poettering, 2018-11-06, 1 file, -4/+2]
| |   CID 1396557
* | ask-password: check keyring in ask_password_tty and ask_password_agent [Xiang Fan, 2018-10-31, 1 file, -27/+81]
|/
|   A race condition happens when calling ask_password_auto() multiple times to unlock several disks on boot and effectively no password caching is utilized. This patch fixes it by polling the cache when waiting for the password.
* string-util: introduce explicit_zero_safe() [Lennart Poettering, 2018-10-24, 1 file, -7/+7]
|   The only real difference is that this wrapper can deal with NULL pointer arguments, but only if the length is also zero.
|
|   CID 1396277
* tree-wide: introduce setsockopt_int() helper and make use of it everywhere [Lennart Poettering, 2018-10-18, 1 file, -3/+4]
|   As suggested by @heftig:
|   https://github.com/systemd/systemd/commit/6d5e65f6454212cd400d0ebda34978a9f20cc26a#commitcomment-30938667
* tree-wide: add a single version of "static const int one = 1" [Lennart Poettering, 2018-10-15, 1 file, -2/+1]
|   All over the place we define local variables for the various sockopts that take a bool-like "int" value. Sometimes they are const, sometimes static, sometimes both, sometimes neither.
|
|   Let's clean this up, introduce a common const variable "const_int_one" (as well as one matching "const_int_zero") and use it everywhere, all across the codebase.
* tree-wide: port various users over to sockaddr_un_set_path() [Lennart Poettering, 2018-10-15, 1 file, -19/+14]
|   CID 1396140
|   CID 1396141
* tree-wide: remove Lennart's copyright lines [Lennart Poettering, 2018-06-14, 1 file, -3/+0]
|   These lines are generally out-of-date, incomplete and unnecessary. With SPDX and git repository much more accurate and fine grained information about licensing and authorship is available, hence let's drop the per-file copyright notice.
|
|   Of course, removing copyright lines of others is problematic, hence this commit only removes my own lines and leaves all others untouched. It might be nicer if sooner or later those could go away too, making git the only and accurate source of authorship information.
* tree-wide: drop 'This file is part of systemd' blurb [Lennart Poettering, 2018-06-14, 1 file, -2/+0]
|   This part of the copyright blurb stems from the GPL use recommendations:
|   https://www.gnu.org/licenses/gpl-howto.en.html
|
|   The concept appears to originate in times where version control was per file, instead of per tree, and was a way to glue the files together.
|
|   Ultimately, we nowadays don't live in that world anymore, and this information is entirely useless anyway, as people are very welcome to copy these files into any projects they like, and they shouldn't have to change bits that are part of our copyright header for that. hence, let's just get rid of this old cruft, and shorten our codebase a bit.
* tree-wide: drop license boilerplate [Zbigniew Jędrzejewski-Szmek, 2018-04-06, 1 file, -13/+0]
|   Files which are installed as-is (any .service and other unit files, .conf files, .policy files, etc), are left as is. My assumption is that SPDX identifiers are not yet that well known, so it's better to retain the extended header to avoid any doubt.
|
|   I also kept any copyright lines. We can probably remove them, but it'd be nice to obtain explicit acks from all involved authors before doing that.
* macro: introduce TAKE_PTR() macro [Lennart Poettering, 2018-03-22, 1 file, -2/+1]
|   This macro will read a pointer of any type, return it, and set the pointer to NULL. This is useful as an explicit concept of passing ownership of a memory area between pointers.
|
|   This takes inspiration from Rust:
|   https://doc.rust-lang.org/std/option/enum.Option.html#method.take
|   and was suggested by Alan Jenkins (@sourcejedi).
|
|   It drops ~160 lines of code from our codebase, which makes me like it. Also, I think it clarifies passing of ownership, and thus helps readability a bit (at least for the initiated who know the new macro)
* Some comment adjustments [Zbigniew Jędrzejewski-Szmek, 2018-02-19, 1 file, -1/+1]
|   Follow up for review of #8184.
* ask-password-api: many fixes to ask_password_tty() [Lennart Poettering, 2018-02-14, 1 file, -20/+67]
|   A couple of fixes:
|
|   1. always bzero_explicit() away what we remove from the passphrase buffer. The UTF-8 code assumes the string remains NUL-terminated, and we hence should enforce that. memzero() would do too here, but let's be paranoid after all this is key material.
|
|   2. when clearing '*' characters from string, do so counting UTF-8 codepoints properly. We already have code in place to count UTF-8 codepoints when generating '*' characters, hence we should take the same care when clearing them again.
|
|   3. Treat NUL on input as an alternative terminator to newline or EOF.
|
|   4. When removing characters from the password always also reset the "codepoint" index properly.
* tty-ask-password-agent: reenable color for boot-time password prompt [Lennart Poettering, 2018-02-14, 1 file, -4/+8]
|   The password prompt used to be highlighted, and that was a good thing. Let's fix things to make the prompt highlighted again.
|
|   Fixes: #3853
* tty-ask-password-agent: don't open terminal multiple times [Lennart Poettering, 2018-02-14, 1 file, -4/+7]
|   We already have the terminal open, hence pass the fd we got to ask_password_tty(), so that it doesn't have to reopen it a second time.
|
|   This is mostly an optimization, but it has the nice benefit of making us independent from RLIMIT_NOFILE issues and so on, as we don't need to allocate another fd needlessly.
* ask-password: derive pollfd array from enum [Lennart Poettering, 2018-02-14, 1 file, -7/+9]
|   It's prettier that way!
* ask-password: round up when determining sleep time [Lennart Poettering, 2018-02-14, 1 file, -1/+1]
|   We should rather sleep too much than too little. This otherwise might result in a busy loop, because we slept too little and then recheck again coming to the conclusion we need to go to sleep again, and so on.
* ask-password: let's use structure initialization properly [Lennart Poettering, 2018-02-14, 1 file, -5/+8]
|
* ask-password: let's (void) cast where appropriate [Lennart Poettering, 2018-02-14, 1 file, -13/+13]
|
* ask-password: bypass clean-up if we don't need it [Lennart Poettering, 2018-02-13, 1 file, -12/+6]
|
* ask-password: don't use ttyfd if it is not set [Lennart Poettering, 2018-02-13, 1 file, -1/+2]
|
* io-util: make flush_fd() return how many bytes were flushed [Lennart Poettering, 2018-01-05, 1 file, -1/+1]
|   This is useful so that callers know whether anything at all and how much was flushed.
|
|   This patches through users of this function to ensure that the return values > 0 which may be returned now are not propagated in public APIs.
|
|   Also, users that ignore the return value are changed to do so explicitly now.
* tree-wide: use !strv_isempty() instead of strv_length() > 0 [Yu Watanabe, 2017-12-19, 1 file, -1/+1]
|
* tree-wide: make use of new STRLEN() macro everywhere (#7639) [Lennart Poettering, 2017-12-14, 1 file, -2/+4]
|   Let's employ coccinelle to do this for us.
|
|   Follow-up for #7625.
* Add SPDX license identifiers to source files under the LGPL [Zbigniew Jędrzejewski-Szmek, 2017-11-19, 1 file, -0/+1]
|   This follows what the kernel is doing, c.f. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5fd54ace4721fc5ce2bb5aef6318fcf17f421460.
* tree-wide: use IN_SET macro (#6977) [Yu Watanabe, 2017-10-04, 1 file, -1/+1]
|
* tree-wide: use IN_SET where possible [Andreas Rammhold, 2017-10-02, 1 file, -3/+2]
|   In addition to the changes from #6933 this handles cases that could be matched with the included cocci file.
* tree-wide: make use of getpid_cached() wherever we can [Lennart Poettering, 2017-07-20, 1 file, -1/+2]
|   This moves pretty much all uses of getpid() over to getpid_raw(). I didn't specifically check whether the optimization is worth it for each replacement, but in order to keep things simple and systematic I switched over everything at once.
* treewide: replace homegrown memory_erase with explicit_bzero [Zbigniew Jędrzejewski-Szmek, 2017-02-05, 1 file, -5/+5]
|   explicit_bzero was added in glibc 2.25. Make use of it.
|
|   explicit_bzero is hardcoded to zero the memory, so string erase now truncates the string, instead of overwriting it with 'x'. This causes a visible difference only in the journalctl case.
* Rename formats-util.h to format-util.h [Zbigniew Jędrzejewski-Szmek, 2016-11-07, 1 file, -1/+1]
|   We don't have plural in the name of any other -util files and this inconsistency trips me up every time I try to type this file name from memory. "formats-util" is even hard to pronounce.
* fileio: simplify mkostemp_safe() (#4090) [Topi Miettinen, 2016-09-13, 1 file, -1/+1]
|   According to its manual page, flags given to mkostemp(3) shouldn't include O_RDWR, O_CREAT or O_EXCL flags as these are always included. Beyond those, the only flag that all callers (except a few tests where it probably doesn't matter) use is O_CLOEXEC, so set that unconditionally.
* basic/strv: add an extra NUL after strings in strv_make_nulstr [Zbigniew Jędrzejewski-Szmek, 2016-07-17, 1 file, -5/+1]
|   strv_make_nulstr was creating a nulstr which was not a valid nulstr, because it was missing the terminating NUL. This didn't cause any issues, because strv_parse_nulstr correctly parsed the result, using the separately specified length.
|
|   But it's confusing to have something called nulstr which really isn't. It is likely that somebody will try to use strv_make_nulstr() in some other place, incorrectly.
|
|   This patch changes strv_parse_nulstr() to produce a valid nulstr, and changes the output length parameter to be the minimum number of bytes which can be later on parsed by strv_parse_nulstr(). This allows the only user in ask-password-api to be slightly simplified.
|
|   Based-on-patch-by: Jean-Sébastien Bour <jean-sebastien@bour.name>
|
|   Fixes #3689.
* tree-wide: check colors_enabled() before outputting ANSI color strings [Lennart Poettering, 2016-05-30, 1 file, -2/+4]
|
* tree-wide: introduce new SOCKADDR_UN_LEN() macro, and use it everywhere [Lennart Poettering, 2016-05-05, 1 file, -1/+1]
|   The macro determines the right length of an AF_UNIX "struct sockaddr_un" to pass to connect() or bind(). It automatically figures out if the socket refers to an abstract namespace socket, or a socket in the file system, and properly handles the full length of the path field.
|
|   This macro is not only safer, but also simpler to use, than the usual offsetof() + strlen() logic.
* tree-wide: remove Emacs lines from all files [Daniel Mack, 2016-02-10, 1 file, -2/+0]
|   This should be handled fine now by .dir-locals.el, so no need to carry that stuff in every file.
* ask-password-api: only emit a star on valid unicode codepoint [Zbigniew Jędrzejewski-Szmek, 2016-01-26, 1 file, -4/+10]
|   https://bugzilla.redhat.com/show_bug.cgi?id=1301984
* Use negative_errno() to assert errno is positive after a few system calls [Zbigniew Jędrzejewski-Szmek, 2016-01-18, 1 file, -1/+1]
|   This is not particularly intrusive because it happens in simple utility functions. It helps gcc understand that error codes are negative.
|
|   This gets rid of most of the remaining warnings.