Message-Id: <201802170526.w1H5QSit082885@repo.freebsd.org>
From: Kyle Evans
Date: Sat, 17 Feb 2018 05:26:28 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r329433 - head/stand/lua
X-SVN-Group: head
X-SVN-Commit-Author: kevans
X-SVN-Commit-Paths: head/stand/lua
X-SVN-Commit-Revision: 329433
X-SVN-Commit-Repository: base

Author: kevans
Date: Sat Feb 17 05:26:28 2018
New Revision: 329433
URL: https://svnweb.freebsd.org/changeset/base/329433

Log:
  stand/lua: Add optional GELI passphrase prompt

  Prompt for GELI passphrase when geom_eli_passphrase_prompt has been set to
  "YES" in loader.conf(5).

  This entailed breaking out the password prompt into its own function that
  can be reused between the password compare bits and this prompt that simply
  takes the entered password and passes it along in the environment as
  kern.geom.eli.passphrase.

  I've also added a TODO to re-evaluate later if we want the "password
  masking" -- it is currently not functional, so one still can't observe the
  length of the password typed at the prompt.

Modified:
  head/stand/lua/password.lua

Modified: head/stand/lua/password.lua
==============================================================================
--- head/stand/lua/password.lua Sat Feb 17 05:02:38 2018 (r329432)
+++ head/stand/lua/password.lua Sat Feb 17 05:26:28 2018 (r329433)
@@ -40,7 +40,8 @@ function password.read() if ch == core.KEY_ENTER then break; end - + -- XXX TODO: Evaluate if we really want this or not, as a + -- security consideration of sorts if (ch == core.KEY_BACKSPACE) or (ch == core.KEY_DELETE) then if n > 0 then n = n - 1;
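Review bot: the added XXX TODO in password.read() never says what "this" is or what the security consideration is, so the next reader cannot act on it. The commit log identifies the concern (echoing a mask per keystroke would reveal the length of what was typed at the console, and the masking is currently not functional); the comment should say so explicitly, e.g. "-- XXX TODO: decide whether to echo a mask character per keystroke; doing so reveals the passphrase length at the console". Placed directly above the KEY_BACKSPACE/KEY_DELETE branch as it is, it reads as if the backspace handling itself were in question.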
@@ -58,22 +59,35 @@ end function password.check() screen.defcursor(); - local function compare(prompt, pwd) - if (pwd == nil) then - return; - end + -- pwd is optionally supplied if we want to check it + local function do_prompt(prompt, pwd) while true do loader.printc(prompt); - if (pwd == password.read()) then - break; + local read_pwd = password.read(); + if (not pwd) or (pwd == read_pwd) then + return read_pwd; end print("\n\nloader: incorrect password!\n"); loader.delay(3*1000*1000); end + -- Throw an extra newline out after the password prompt + print("") end + local function compare(prompt, pwd) + if (pwd == nil) then + return; + end + do_prompt(prompt, pwd); + end local boot_pwd = loader.getenv("bootlock_password"); compare("Boot password: ", boot_pwd); + + local geli_pass_prompt = loader.getenv("geom_eli_passphrase_prompt"); + if (geli_pass_prompt:lower() == "yes") then + local passphrase = do_prompt("GELI Passphrase: "); + loader.setenv("kern.geom.eli.passphrase", passphrase) + end local pwd = loader.getenv("password"); if (pwd ~=nil) then
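Review bot: `geli_pass_prompt:lower()` in password.check() indexes a nil value whenever geom_eli_passphrase_prompt is not set in loader.conf(5), which is every system that has not opted in to the new prompt, so loader.getenv() returns nil and this line raises a Lua error on those boots; compare how bootlock_password is guarded in compare() with `if (pwd == nil) then return; end`. Guard it the same way, e.g. `if (geli_pass_prompt ~= nil) and (geli_pass_prompt:lower() == "yes") then`. Two smaller points in the same hunk: the `print("")` after the `while true do` loop in do_prompt() is unreachable, because the loop only exits via `return read_pwd;`, so the "extra newline" the comment promises is never printed (emit it before the return, or in the caller); and with pwd nil, `(not pwd)` accepts whatever was typed, including an empty string, so pressing Enter at the "GELI Passphrase: " prompt sets kern.geom.eli.passphrase to "" instead of leaving it unset. Consider skipping the setenv on empty input.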