diff options
Diffstat (limited to 'src/shared/cryptsetup-fido2.c')
| -rw-r--r-- | src/shared/cryptsetup-fido2.c | 42 |
1 files changed, 25 insertions, 17 deletions
diff --git a/src/shared/cryptsetup-fido2.c b/src/shared/cryptsetup-fido2.c index 285b82a..5ab5cef 100644 --- a/src/shared/cryptsetup-fido2.c +++ b/src/shared/cryptsetup-fido2.c @@ -24,11 +24,11 @@ int acquire_fido2_key( const void *key_data, size_t key_data_size, usec_t until, - bool headless, Fido2EnrollFlags required, + const char *askpw_credential, + AskPasswordFlags askpw_flags, void **ret_decrypted_key, - size_t *ret_decrypted_key_size, - AskPasswordFlags ask_password_flags) { + size_t *ret_decrypted_key_size) { _cleanup_(erase_and_freep) char *envpw = NULL; _cleanup_strv_free_erase_ char **pins = NULL; @@ -38,11 +38,11 @@ int acquire_fido2_key( size_t salt_size; int r; - if ((required & (FIDO2ENROLL_PIN | FIDO2ENROLL_UP | FIDO2ENROLL_UV)) && headless) + if ((required & (FIDO2ENROLL_PIN | FIDO2ENROLL_UP | FIDO2ENROLL_UV)) && FLAGS_SET(askpw_flags, ASK_PASSWORD_HEADLESS)) return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "Local verification is required to unlock this volume, but the 'headless' parameter was set."); - ask_password_flags |= ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED; + askpw_flags |= ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED; assert(cid); assert(key_file || key_data); @@ -115,15 +115,22 @@ int acquire_fido2_key( device_exists = true; /* that a PIN is needed/wasn't correct means that we managed to * talk to a device */ - if (headless) + if (FLAGS_SET(askpw_flags, ASK_PASSWORD_HEADLESS)) return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the '$PIN' environment variable."); + static const AskPasswordRequest req = { + .message = "Please enter security token PIN:", + .icon = "drive-harddisk", + .keyring = "fido2-pin", + .credential = "cryptsetup.fido2-pin", + }; + pins = strv_free_erase(pins); - r = ask_password_auto("Please enter security token PIN:", "drive-harddisk", NULL, "fido2-pin", "cryptsetup.fido2-pin", until, ask_password_flags, &pins); + r = ask_password_auto(&req, until, askpw_flags, &pins); if (r < 0) return log_error_errno(r, "Failed to ask for user password: %m"); - ask_password_flags &= ~ASK_PASSWORD_ACCEPT_CACHED; + askpw_flags &= ~ASK_PASSWORD_ACCEPT_CACHED; } } @@ -133,10 +140,10 @@ int acquire_fido2_key_auto( const char *friendly_name, const char *fido2_device, usec_t until, - bool headless, + const char *askpw_credential, + AskPasswordFlags askpw_flags, void **ret_decrypted_key, - size_t *ret_decrypted_key_size, - AskPasswordFlags ask_password_flags) { + size_t *ret_decrypted_key_size) { _cleanup_free_ void *cid = NULL; size_t cid_size = 0; @@ -150,7 +157,7 @@ int acquire_fido2_key_auto( /* Loads FIDO2 metadata from LUKS2 JSON token headers. */ - for (int token = 0; token < sym_crypt_token_max(CRYPT_LUKS2); token ++) { + for (int token = 0; token < sym_crypt_token_max(CRYPT_LUKS2); token++) { _cleanup_(json_variant_unrefp) JsonVariant *v = NULL; JsonVariant *w; _cleanup_free_ void *salt = NULL; @@ -177,7 +184,7 @@ int acquire_fido2_key_auto( return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "FIDO2 token data lacks 'fido2-credential' field."); - r = unbase64mem(json_variant_string(w), SIZE_MAX, &cid, &cid_size); + r = unbase64mem(json_variant_string(w), &cid, &cid_size); if (r < 0) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid base64 data in 'fido2-credential' field."); @@ -189,7 +196,7 @@ int acquire_fido2_key_auto( assert(!salt); assert(salt_size == 0); - r = unbase64mem(json_variant_string(w), SIZE_MAX, &salt, &salt_size); + r = unbase64mem(json_variant_string(w), &salt, &salt_size); if (r < 0) return log_error_errno(r, "Failed to decode base64 encoded salt."); @@ -254,10 +261,11 @@ int acquire_fido2_key_auto( /* key_file_offset= */ 0, salt, salt_size, until, - headless, required, - ret_decrypted_key, ret_decrypted_key_size, - ask_password_flags); + "cryptsetup.fido2-pin", + askpw_flags, + ret_decrypted_key, + ret_decrypted_key_size); if (ret == 0) break; } |