summaryrefslogtreecommitdiffstats
path: root/src/shared/cryptsetup-fido2.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-06-12 03:50:40 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-06-12 03:50:40 +0000
commitfc53809803cd2bc2434e312b19a18fa36776da12 (patch)
treeb4b43bd6538f51965ce32856e9c053d0f90919c8 /src/shared/cryptsetup-fido2.c
parentAdding upstream version 255.5. (diff)
downloadsystemd-fc53809803cd2bc2434e312b19a18fa36776da12.tar.xz
systemd-fc53809803cd2bc2434e312b19a18fa36776da12.zip
Adding upstream version 256.upstream/256
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/shared/cryptsetup-fido2.c')
-rw-r--r--src/shared/cryptsetup-fido2.c42
1 files changed, 25 insertions, 17 deletions
diff --git a/src/shared/cryptsetup-fido2.c b/src/shared/cryptsetup-fido2.c
index 285b82a..5ab5cef 100644
--- a/src/shared/cryptsetup-fido2.c
+++ b/src/shared/cryptsetup-fido2.c
@@ -24,11 +24,11 @@ int acquire_fido2_key(
const void *key_data,
size_t key_data_size,
usec_t until,
- bool headless,
Fido2EnrollFlags required,
+ const char *askpw_credential,
+ AskPasswordFlags askpw_flags,
void **ret_decrypted_key,
- size_t *ret_decrypted_key_size,
- AskPasswordFlags ask_password_flags) {
+ size_t *ret_decrypted_key_size) {
_cleanup_(erase_and_freep) char *envpw = NULL;
_cleanup_strv_free_erase_ char **pins = NULL;
@@ -38,11 +38,11 @@ int acquire_fido2_key(
size_t salt_size;
int r;
- if ((required & (FIDO2ENROLL_PIN | FIDO2ENROLL_UP | FIDO2ENROLL_UV)) && headless)
+ if ((required & (FIDO2ENROLL_PIN | FIDO2ENROLL_UP | FIDO2ENROLL_UV)) && FLAGS_SET(askpw_flags, ASK_PASSWORD_HEADLESS))
return log_error_errno(SYNTHETIC_ERRNO(ENOPKG),
"Local verification is required to unlock this volume, but the 'headless' parameter was set.");
- ask_password_flags |= ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED;
+ askpw_flags |= ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED;
assert(cid);
assert(key_file || key_data);
@@ -115,15 +115,22 @@ int acquire_fido2_key(
device_exists = true; /* that a PIN is needed/wasn't correct means that we managed to
* talk to a device */
- if (headless)
+ if (FLAGS_SET(askpw_flags, ASK_PASSWORD_HEADLESS))
return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the '$PIN' environment variable.");
+ static const AskPasswordRequest req = {
+ .message = "Please enter security token PIN:",
+ .icon = "drive-harddisk",
+ .keyring = "fido2-pin",
+ .credential = "cryptsetup.fido2-pin",
+ };
+
pins = strv_free_erase(pins);
- r = ask_password_auto("Please enter security token PIN:", "drive-harddisk", NULL, "fido2-pin", "cryptsetup.fido2-pin", until, ask_password_flags, &pins);
+ r = ask_password_auto(&req, until, askpw_flags, &pins);
if (r < 0)
return log_error_errno(r, "Failed to ask for user password: %m");
- ask_password_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
+ askpw_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
}
}
@@ -133,10 +140,10 @@ int acquire_fido2_key_auto(
const char *friendly_name,
const char *fido2_device,
usec_t until,
- bool headless,
+ const char *askpw_credential,
+ AskPasswordFlags askpw_flags,
void **ret_decrypted_key,
- size_t *ret_decrypted_key_size,
- AskPasswordFlags ask_password_flags) {
+ size_t *ret_decrypted_key_size) {
_cleanup_free_ void *cid = NULL;
size_t cid_size = 0;
@@ -150,7 +157,7 @@ int acquire_fido2_key_auto(
/* Loads FIDO2 metadata from LUKS2 JSON token headers. */
- for (int token = 0; token < sym_crypt_token_max(CRYPT_LUKS2); token ++) {
+ for (int token = 0; token < sym_crypt_token_max(CRYPT_LUKS2); token++) {
_cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
JsonVariant *w;
_cleanup_free_ void *salt = NULL;
@@ -177,7 +184,7 @@ int acquire_fido2_key_auto(
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"FIDO2 token data lacks 'fido2-credential' field.");
- r = unbase64mem(json_variant_string(w), SIZE_MAX, &cid, &cid_size);
+ r = unbase64mem(json_variant_string(w), &cid, &cid_size);
if (r < 0)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Invalid base64 data in 'fido2-credential' field.");
@@ -189,7 +196,7 @@ int acquire_fido2_key_auto(
assert(!salt);
assert(salt_size == 0);
- r = unbase64mem(json_variant_string(w), SIZE_MAX, &salt, &salt_size);
+ r = unbase64mem(json_variant_string(w), &salt, &salt_size);
if (r < 0)
return log_error_errno(r, "Failed to decode base64 encoded salt.");
@@ -254,10 +261,11 @@ int acquire_fido2_key_auto(
/* key_file_offset= */ 0,
salt, salt_size,
until,
- headless,
required,
- ret_decrypted_key, ret_decrypted_key_size,
- ask_password_flags);
+ "cryptsetup.fido2-pin",
+ askpw_flags,
+ ret_decrypted_key,
+ ret_decrypted_key_size);
if (ret == 0)
break;
}