Merge pull request #21034 from poettering/homed-password-cache-tweaks
homed: minor tweaks to the PasswordCache logic
commit
ec3f41e09c
@ -280,7 +280,7 @@ static int fscrypt_setup(
|
||||
|
||||
int home_setup_fscrypt(
|
||||
UserRecord *h,
|
||||
PasswordCache *cache,
|
||||
const PasswordCache *cache,
|
||||
HomeSetup *setup) {
|
||||
|
||||
_cleanup_(erase_and_freep) void *volume_key = NULL;
|
||||
@ -584,7 +584,7 @@ int home_create_fscrypt(
|
||||
int home_passwd_fscrypt(
|
||||
UserRecord *h,
|
||||
HomeSetup *setup,
|
||||
PasswordCache *cache, /* the passwords acquired via PKCS#11/FIDO2 security tokens */
|
||||
const PasswordCache *cache, /* the passwords acquired via PKCS#11/FIDO2 security tokens */
|
||||
char **effective_passwords /* new passwords */) {
|
||||
|
||||
_cleanup_(erase_and_freep) void *volume_key = NULL;
|
||||
|
@ -4,7 +4,7 @@
|
||||
#include "homework.h"
|
||||
#include "user-record.h"
|
||||
|
||||
int home_setup_fscrypt(UserRecord *h, PasswordCache *cache, HomeSetup *setup);
|
||||
int home_setup_fscrypt(UserRecord *h, const PasswordCache *cache, HomeSetup *setup);
|
||||
int home_create_fscrypt(UserRecord *h, char **effective_passwords, UserRecord **ret_home);
|
||||
|
||||
int home_passwd_fscrypt(UserRecord *h, HomeSetup *setup, PasswordCache *cache, char **effective_passwords);
|
||||
int home_passwd_fscrypt(UserRecord *h, HomeSetup *setup, const PasswordCache *cache, char **effective_passwords);
|
||||
|
@ -349,7 +349,10 @@ static int luks_setup(
|
||||
return log_oom();
|
||||
|
||||
r = -ENOKEY;
|
||||
FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, passwords) {
|
||||
FOREACH_POINTER(list,
|
||||
cache ? cache->pkcs11_passwords : NULL,
|
||||
cache ? cache->fido2_passwords : NULL,
|
||||
passwords) {
|
||||
r = luks_try_passwords(cd, list, vk, &vks);
|
||||
if (r != -ENOKEY)
|
||||
break;
|
||||
@ -384,7 +387,7 @@ static int luks_setup(
|
||||
static int luks_open(
|
||||
const char *dm_name,
|
||||
char **passwords,
|
||||
PasswordCache *cache,
|
||||
const PasswordCache *cache,
|
||||
struct crypt_device **ret,
|
||||
sd_id128_t *ret_found_uuid,
|
||||
void **ret_volume_key,
|
||||
@ -435,7 +438,10 @@ static int luks_open(
|
||||
return log_oom();
|
||||
|
||||
r = -ENOKEY;
|
||||
FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, passwords) {
|
||||
FOREACH_POINTER(list,
|
||||
cache ? cache->pkcs11_passwords : NULL,
|
||||
cache ? cache->fido2_passwords : NULL,
|
||||
passwords) {
|
||||
r = luks_try_passwords(cd, list, vk, &vks);
|
||||
if (r != -ENOKEY)
|
||||
break;
|
||||
@ -1648,8 +1654,7 @@ static int luks_format(
|
||||
|
||||
STRV_FOREACH(pp, effective_passwords) {
|
||||
|
||||
if (strv_contains(cache->pkcs11_passwords, *pp) ||
|
||||
strv_contains(cache->fido2_passwords, *pp)) {
|
||||
if (password_cache_contains(cache, *pp)) { /* is this a fido2 or pkcs11 password? */
|
||||
log_debug("Using minimal PBKDF for slot %i", slot);
|
||||
r = sym_crypt_set_pbkdf_type(cd, &minimal_pbkdf);
|
||||
} else {
|
||||
@ -1986,7 +1991,7 @@ static int home_truncate(
|
||||
|
||||
int home_create_luks(
|
||||
UserRecord *h,
|
||||
PasswordCache *cache,
|
||||
const PasswordCache *cache,
|
||||
char **effective_passwords,
|
||||
UserRecord **ret_home) {
|
||||
|
||||
@ -3053,7 +3058,7 @@ int home_resize_luks(
|
||||
int home_passwd_luks(
|
||||
UserRecord *h,
|
||||
HomeSetup *setup,
|
||||
PasswordCache *cache, /* the passwords acquired via PKCS#11/FIDO2 security tokens */
|
||||
const PasswordCache *cache, /* the passwords acquired via PKCS#11/FIDO2 security tokens */
|
||||
char **effective_passwords /* new passwords */) {
|
||||
|
||||
size_t volume_key_size, max_key_slots, n_effective;
|
||||
@ -3090,7 +3095,11 @@ int home_passwd_luks(
|
||||
return log_oom();
|
||||
|
||||
r = -ENOKEY;
|
||||
FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, h->password) {
|
||||
FOREACH_POINTER(list,
|
||||
cache ? cache->pkcs11_passwords : NULL,
|
||||
cache ? cache->fido2_passwords : NULL,
|
||||
h->password) {
|
||||
|
||||
r = luks_try_passwords(setup->crypt_device, list, volume_key, &volume_key_size);
|
||||
if (r != -ENOKEY)
|
||||
break;
|
||||
@ -3116,8 +3125,7 @@ int home_passwd_luks(
|
||||
continue;
|
||||
}
|
||||
|
||||
if (strv_contains(cache->pkcs11_passwords, effective_passwords[i]) ||
|
||||
strv_contains(cache->fido2_passwords, effective_passwords[i])) {
|
||||
if (password_cache_contains(cache, effective_passwords[i])) { /* Is this a FIDO2 or PKCS#11 password? */
|
||||
log_debug("Using minimal PBKDF for slot %zu", i);
|
||||
r = sym_crypt_set_pbkdf_type(setup->crypt_device, &minimal_pbkdf);
|
||||
} else {
|
||||
@ -3218,7 +3226,7 @@ static int luks_try_resume(
|
||||
return -ENOKEY;
|
||||
}
|
||||
|
||||
int home_unlock_luks(UserRecord *h, PasswordCache *cache) {
|
||||
int home_unlock_luks(UserRecord *h, const PasswordCache *cache) {
|
||||
_cleanup_free_ char *dm_name = NULL, *dm_node = NULL;
|
||||
_cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
|
||||
char **list;
|
||||
@ -3242,7 +3250,10 @@ int home_unlock_luks(UserRecord *h, PasswordCache *cache) {
|
||||
cryptsetup_enable_logging(cd);
|
||||
|
||||
r = -ENOKEY;
|
||||
FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, h->password) {
|
||||
FOREACH_POINTER(list,
|
||||
cache ? cache->pkcs11_passwords : NULL,
|
||||
cache ? cache->fido2_passwords : NULL,
|
||||
h->password) {
|
||||
r = luks_try_resume(cd, dm_name, list);
|
||||
if (r != -ENOKEY)
|
||||
break;
|
||||
|
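Review bot: The `password_cache_contains()` branches in luks_format and home_passwd_luks select the minimal PBKDF by plain string equality against the cached token secrets, and the inline comment says what is tested but not why a weaker KDF is acceptable there. Presumably the reason is that PKCS#11/FIDO2-derived secrets are already high-entropy, so the safety of this branch rests on the cache never holding a user-typed password. I would spell that out at both sites, e.g. `/* Token-derived secrets are high-entropy, so a minimal PBKDF suffices; the cache must never hold user-typed passwords. */`. With the helper, a NULL cache now falls through to the `else` branch, which looks like the safe direction, but the body of that branch and the start and end of both functions lie outside the hunks, so this should be confirmed.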
@ -13,16 +13,16 @@ int home_trim_luks(UserRecord *h);
|
||||
|
||||
int home_store_header_identity_luks(UserRecord *h, HomeSetup *setup, UserRecord *old_home);
|
||||
|
||||
int home_create_luks(UserRecord *h, PasswordCache *cache, char **effective_passwords, UserRecord **ret_home);
|
||||
int home_create_luks(UserRecord *h, const PasswordCache *cache, char **effective_passwords, UserRecord **ret_home);
|
||||
|
||||
int home_get_state_luks(UserRecord *h, HomeSetup *setup);
|
||||
|
||||
int home_resize_luks(UserRecord *h, HomeSetupFlags flags, PasswordCache *cache, HomeSetup *setup, UserRecord **ret_home);
|
||||
|
||||
int home_passwd_luks(UserRecord *h, HomeSetup *setup, PasswordCache *cache, char **effective_passwords);
|
||||
int home_passwd_luks(UserRecord *h, HomeSetup *setup, const PasswordCache *cache, char **effective_passwords);
|
||||
|
||||
int home_lock_luks(UserRecord *h);
|
||||
int home_unlock_luks(UserRecord *h, PasswordCache *cache);
|
||||
int home_unlock_luks(UserRecord *h, const PasswordCache *cache);
|
||||
|
||||
static inline uint64_t luks_volume_key_size_convert(struct crypt_device *cd) {
|
||||
int k;
|
||||
|
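Review bot: `home_resize_luks()` is now the only prototype in this header that still takes a mutable `PasswordCache *cache`, while home_create_luks, home_passwd_luks and home_unlock_luks were const-qualified. If resize only reads the cached token secrets, the declaration should follow suit: `int home_resize_luks(UserRecord *h, HomeSetupFlags flags, const PasswordCache *cache, HomeSetup *setup, UserRecord **ret_home);`. If it has to stay mutable because something it calls fills the cache, a one-line comment saying so would keep the reader/writer split visible, which matters for a structure that holds unlock secrets. The definition is not shown in this section, so which case applies cannot be told from here.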
@ -7,6 +7,7 @@
|
||||
#include "sd-id128.h"
|
||||
|
||||
#include "loop-util.h"
|
||||
#include "strv.h"
|
||||
#include "user-record.h"
|
||||
#include "user-record-util.h"
|
||||
|
||||
@ -39,13 +40,21 @@ typedef struct HomeSetup {
|
||||
} HomeSetup;
|
||||
|
||||
typedef struct PasswordCache {
|
||||
/* Decoding passwords from security tokens is expensive and typically requires user interaction, hence cache any we already figured out. */
|
||||
/* Decoding passwords from security tokens is expensive and typically requires user interaction,
|
||||
* hence cache any we already figured out. */
|
||||
char **pkcs11_passwords;
|
||||
char **fido2_passwords;
|
||||
} PasswordCache;
|
||||
|
||||
void password_cache_free(PasswordCache *cache);
|
||||
|
||||
static inline bool password_cache_contains(const PasswordCache *cache, const char *p) {
|
||||
if (!cache)
|
||||
return false;
|
||||
|
||||
return strv_contains(cache->pkcs11_passwords, p) || strv_contains(cache->fido2_passwords, p);
|
||||
}
|
||||
|
||||
#define HOME_SETUP_INIT \
|
||||
{ \
|
||||
.root_fd = -1, \
|
||||
|
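Review bot: `password_cache_contains()` has no comment stating its contract, although call sites elsewhere in this commit use its result to choose between key-derivation settings. I would add above it `/* Returns true if p is one of the cached PKCS#11/FIDO2 token secrets. A NULL cache contains nothing. */`. Stating the NULL case explicitly tells a future caller that "no cache" means "not a token secret" rather than an error.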