Don't loop forever if fscrypt unlock doesn't have a tty

This fixes the bug in two places:
1. Limit the number of maximum password attempts (I picked 3 to
   match sudo, but I'm happy to change it to something else).
2. Notice and error out when no input is available when reading a passphrase.

Author: jyn514

actions/callback.go

@@ -86,7 +86,7 @@ func getWrappingKey(info ProtectorInfo, keyFn KeyFunc, retry bool) (*crypto.Key,
 // callback returns an error.
 func unwrapProtectorKey(info ProtectorInfo, keyFn KeyFunc) (*crypto.Key, error) {
 	retry := false
-	for {
+	for i := 0; i < 3; i++ {
 		wrappingKey, err := getWrappingKey(info, keyFn, retry)
 		if err != nil {
 			return nil, err
@@ -108,6 +108,7 @@ func unwrapProtectorKey(info ProtectorInfo, keyFn KeyFunc) (*crypto.Key, error)
 			return nil, err
 		}
 	}
+	return nil, errors.New("giving up after 3 incorrect password attempts")
 }
 
 // ProtectorOption is information about a protector relative to a Policy.

cli-tests/t_unlock.out

@@ -62,6 +62,44 @@ Protected with 1 protector:
 PROTECTOR         LINKED  DESCRIPTION
 desc2  No      custom protector "prot"
 
+# Try to unlock with no stdin
+[ERROR] fscrypt unlock: empty password
+"MNT/dir" is encrypted with fscrypt.
+
+Policy:   desc1
+Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
+Unlocked: No
+
+Protected with 1 protector:
+PROTECTOR         LINKED  DESCRIPTION
+desc2  No      custom protector "prot"
+
+# Try to unlock with only a newline
+[ERROR] fscrypt unlock: empty password
+"MNT/dir" is encrypted with fscrypt.
+
+Policy:   desc1
+Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
+Unlocked: No
+
+Protected with 1 protector:
+PROTECTOR         LINKED  DESCRIPTION
+desc2  No      custom protector "prot"
+
+# Try infinitely many wrong passwords
+Enter custom passphrase for protector "prot": Incorrect Passphrase
+Enter custom passphrase for protector "prot": Incorrect Passphrase
+Enter custom passphrase for protector "prot": [ERROR] fscrypt unlock: giving up after 3 incorrect password attempts
+"MNT/dir" is encrypted with fscrypt.
+
+Policy:   desc1
+Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
+Unlocked: No
+
+Protected with 1 protector:
+PROTECTOR         LINKED  DESCRIPTION
+desc2  No      custom protector "prot"
+
 # Unlock directory
 Enter custom passphrase for protector "prot": "MNT/dir" is now unlocked and ready for use.
 
@@ -90,7 +128,7 @@ desc1  Yes       desc2
                         the policy metadata for "MNT/dir".
                         This directory has either been encrypted with another
                         tool (such as e4crypt), or the file
-                        "MNT/.fscrypt/policies/desc20"
+                        "MNT/.fscrypt/policies/desc26"
                         has been deleted.
 
 # Try to unlock with missing protector metadata
@@ -103,14 +141,14 @@ information.
 [ERROR] fscrypt unlock: inconsistent metadata between encrypted directory
                         "MNT/dir1" and its corresponding
                         metadata file
-                        "MNT/.fscrypt/policies/desc21".
+                        "MNT/.fscrypt/policies/desc27".
 
                         Directory has
-                        descriptor:desc21 padding:32
+                        descriptor:desc27 padding:32
                         contents:AES_256_XTS filenames:AES_256_CTS
                         policy_version:2
 
                         Metadata file has
-                        descriptor:desc23 padding:32
+                        descriptor:desc29 padding:32
                         contents:AES_256_XTS filenames:AES_256_CTS
                         policy_version:2

cli-tests/t_unlock.sh

@@ -38,6 +38,18 @@ _print_header "Try to unlock with wrong passphrase"
 _expect_failure "echo bad | fscrypt unlock --quiet '$dir'"
 fscrypt status "$dir"
 
+_print_header "Try to unlock with no stdin"
+_expect_failure "fscrypt unlock --quiet '$dir' </dev/null"
+fscrypt status "$dir"
+
+_print_header "Try to unlock with only a newline"
+_expect_failure "echo | fscrypt unlock --quiet '$dir'"
+fscrypt status "$dir"
+
+_print_header "Try infinitely many wrong passwords"
+_expect_failure "yes wrong | fscrypt unlock '$dir'"
+fscrypt status "$dir"
+
 _print_header "Unlock directory"
 echo hunter2 | fscrypt unlock "$dir"
 _print_header "=> Check dir status"

crypto/key.go

@@ -242,7 +242,12 @@ func NewKeyFromReader(reader io.Reader) (*Key, error) {
 				}
 			}
 		case io.EOF:
-			// Getting the EOF error means we are done
+			// We got EOF without reading a password.
+			// We don't support empty passwords, so something is wrong (likely we don't have a tty).
+			if totalBytesRead == 0 {
+				return nil, errors.New("empty password")
+			}
+			// Getting the EOF error means we are done.
 			return key.resize(totalBytesRead)
 		default:
 			// Fail if Read() has a failure