[systemd-devel] Systemd ask-password unable to handle cryptsetup passwords with \0 character inside ?

Lennart Poettering lennart at poettering.net
Tue Jun 7 13:26:51 UTC 2016


On Tue, 31.05.16 20:40, Raphaël Gertz (systemd-devel at rapsys.eu) wrote:

> Hi,
> 
> My question relates to the file
> systemd/src/shared/ask-password-api.c+651 :
> l = strv_parse_nulstr(passphrase+1, n-1);
> 
> In the documentation at
> https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/ it is
> specified that the message should follow this pattern :
> +passwordhere\0
> or
> -\0
> With the trailing \0 optional in both cases.
> 
> If I am right it seems all passwords sent through AF_UNIX/SOCK_DGRAM are
> split on the \0 character and cached as different passwords.

Yes, that is correct.

> I am trying to create a cgi which sends a password or keyfile through this
> system.
> 
> Cryptsetup can accept two cases of password, a 512 max length passphrase in
> interactive mode or an 8192 * 1024 keyfile.
> (I have read the source code to find that)
> 
> There seems to be nothing disallowing a password like "toto\0" or
> a keyfile containing "toto\0".
> 
> How am I supposed to submit a password with a \0 character inside or, even worse,
> with a \0 at the end ?

This is simply not supported right now. The ask-password logic is
really for passwords only, not for keyfiles. There's no API currently
to cover anything else. Sorry.

There have been suggestions to improve the situation here, and cover
more ground, but this never materialized, because the assumption was
to move this all to a proper D-Bus API instead of the AF_UNIX-based
logic it is right now. Given that this is early-boot stuff, this could
only be delivered with kdbus however, but that was a big failure, hence
this never really happened. Not sure where this really leaves us.

Lennart

-- 
Lennart Poettering, Red Hat
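To make the splitting behaviour discussed in this thread concrete, here is a small Python model of the agent reply format (an added example, not systemd's code): it parses the `+passphrase\0` / `-\0` messages into items the way the quoted description of `strv_parse_nulstr` implies (split on `\0`, trailing `\0` optional), and adds a round-trip check an agent author can run before sending, which shows why a passphrase or keyfile containing `\0` cannot be carried over this transport intact. The function and variable names are this example's own assumptions.

```python
"""Model of the systemd PasswordAgents reply format discussed above.

Added example, not systemd source. It reproduces the behaviour described
in the thread: the payload after the '+' is a NUL-separated list, so a
NUL inside a passphrase is indistinguishable from an item separator.
"""
from typing import List, Optional


def parse_nulstr(buf: bytes) -> List[bytes]:
    """Split a NUL-separated, optionally NUL-terminated buffer into items.

    A trailing NUL does not produce an extra empty item; two adjacent NULs
    do produce an empty item (the separator semantics have no escaping).
    """
    items: List[bytes] = []
    start = 0
    while start < len(buf):
        end = buf.find(b"\0", start)
        if end == -1:                     # last item, no trailing NUL
            items.append(buf[start:])
            break
        items.append(buf[start:end])
        start = end + 1
    return items


def parse_agent_reply(msg: bytes) -> Optional[List[bytes]]:
    """Interpret one datagram from a password agent.

    Returns None when the agent cancelled ('-' prefix), otherwise the list
    of passphrases the daemon side would cache from a '+' reply.
    """
    if not msg:
        raise ValueError("empty agent reply")
    prefix = msg[:1]
    if prefix == b"-":
        return None
    if prefix == b"+":
        return parse_nulstr(msg[1:])
    raise ValueError("agent reply must start with '+' or '-'")


def encode_agent_reply(passphrase: bytes) -> bytes:
    """Build the '+passphrase\\0' datagram an agent would send."""
    return b"+" + passphrase + b"\0"


def round_trips(passphrase: bytes) -> bool:
    """True if the passphrase survives encode -> parse as exactly one item.

    An agent (or the CGI from the question) can use this as a pre-send
    check: a False result means the secret would be silently split and
    the daemon would never see the intended value.
    """
    return parse_agent_reply(encode_agent_reply(passphrase)) == [passphrase]


if __name__ == "__main__":
    # Constructed sample datagrams, not captured from a real system.
    for sample in (b"+secret\0", b"+secret", b"+to\0to\0", b"-\0"):
        print(repr(sample), "->", parse_agent_reply(sample))
    for pw in (b"secret", b"toto\0", b"to\0to"):
        print(repr(pw), "round-trips:", round_trips(pw))
```

Running it shows that `+secret\0` and `+secret` both yield a single item, while `+to\0to\0` yields two items, `to` and `to`, so a secret containing a NUL is rejected by the round-trip check rather than being sent and split on the other side.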

