shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-27 14:03:43 +03:00
Code

homework: mae sure PasswordCache is really optional

Browse Source 
It was supposed to be optional (i.e. there's a reason why we never
assert()ed on it), and in many codepaths it is, let's make sure it is
everywhere.
This commit is contained in:
Lennart Poettering 2021-10-18 15:31:10 +02:00
parent 37a1bf7f76
commit 3361d1ca1b
2 changed files with 29 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
src/home/homework-luks.c
View File

@ -349,7 +349,10 @@ static int luks_setup(
return log_oom();
r = -ENOKEY;
FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, passwords) {
FOREACH_POINTER(list,
cache ? cache->pkcs11_passwords : NULL,
cache ? cache->fido2_passwords : NULL,
passwords) {
r = luks_try_passwords(cd, list, vk, &vks);
if (r != -ENOKEY)
break;
@ -435,7 +438,10 @@ static int luks_open(
return log_oom();
r = -ENOKEY;
FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, passwords) {
FOREACH_POINTER(list,
cache ? cache->pkcs11_passwords : NULL,
cache ? cache->fido2_passwords : NULL,
passwords) {
r = luks_try_passwords(cd, list, vk, &vks);
if (r != -ENOKEY)
break;
@ -1614,8 +1620,7 @@ static int luks_format(
STRV_FOREACH(pp, effective_passwords) {
if (strv_contains(cache->pkcs11_passwords, *pp) ||
strv_contains(cache->fido2_passwords, *pp)) {
if (password_cache_contains(cache, *pp)) { /* is this a fido2 or pkcs11 password? */
log_debug("Using minimal PBKDF for slot %i", slot);
r = sym_crypt_set_pbkdf_type(cd, &minimal_pbkdf);
} else {
@ -3051,7 +3056,11 @@ int home_passwd_luks(
return log_oom();
r = -ENOKEY;
FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, h->password) {
FOREACH_POINTER(list,
cache ? cache->pkcs11_passwords : NULL,
cache ? cache->fido2_passwords : NULL,
h->password) {
r = luks_try_passwords(setup->crypt_device, list, volume_key, &volume_key_size);
if (r != -ENOKEY)
break;
@ -3077,8 +3086,7 @@ int home_passwd_luks(
continue;
}
if (strv_contains(cache->pkcs11_passwords, effective_passwords[i]) ||
strv_contains(cache->fido2_passwords, effective_passwords[i])) {
if (password_cache_contains(cache, effective_passwords[i])) { /* Is this a FIDO2 or PKCS#11 password? */
log_debug("Using minimal PBKDF for slot %zu", i);
r = sym_crypt_set_pbkdf_type(setup->crypt_device, &minimal_pbkdf);
} else {
@ -3203,7 +3211,10 @@ int home_unlock_luks(UserRecord *h, const PasswordCache *cache) {
cryptsetup_enable_logging(cd);
r = -ENOKEY;
FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, h->password) {
FOREACH_POINTER(list,
cache ? cache->pkcs11_passwords : NULL,
cache ? cache->fido2_passwords : NULL,
h->password) {
r = luks_try_resume(cd, dm_name, list);
if (r != -ENOKEY)
break;

11
src/home/homework.h
View File

@ -7,6 +7,7 @@
#include "sd-id128.h"
#include "loop-util.h"
#include "strv.h"
#include "user-record.h"
#include "user-record-util.h"
@ -39,13 +40,21 @@ typedef struct HomeSetup {
} HomeSetup;
typedef struct PasswordCache {
/* Decoding passwords from security tokens is expensive and typically requires user interaction, hence cache any we already figured out. */
/* Decoding passwords from security tokens is expensive and typically requires user interaction,
* hence cache any we already figured out. */
char **pkcs11_passwords;
char **fido2_passwords;
} PasswordCache;
void password_cache_free(PasswordCache *cache);
static inline bool password_cache_contains(const PasswordCache *cache, const char *p) {
if (!cache)
return false;
return strv_contains(cache->pkcs11_passwords, p) || strv_contains(cache->fido2_passwords, p);
}
#define HOME_SETUP_INIT \
{ \
.root_fd = -1, \