shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2025-02-10 13:57:25 +03:00
Code

Merge pull request #21034 from poettering/homed-password-cache-tweaks

Browse Source 
homed: minor tweaks to the PasswordCache logic
This commit is contained in:
Lennart Poettering 2021-10-18 22:46:16 +02:00 committed by GitHub
commit ec3f41e09c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 40 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/home/homework-fscrypt.c
View File

@ -280,7 +280,7 @@ static int fscrypt_setup(
int home_setup_fscrypt( int home_setup_fscrypt(
UserRecord *h, UserRecord *h,
PasswordCache *cache, const PasswordCache *cache,
HomeSetup *setup) { HomeSetup *setup) {
_cleanup_(erase_and_freep) void *volume_key = NULL; _cleanup_(erase_and_freep) void *volume_key = NULL;
@ -584,7 +584,7 @@ int home_create_fscrypt(
int home_passwd_fscrypt( int home_passwd_fscrypt(
UserRecord *h, UserRecord *h,
HomeSetup *setup, HomeSetup *setup,
PasswordCache *cache, /* the passwords acquired via PKCS#11/FIDO2 security tokens */ const PasswordCache *cache, /* the passwords acquired via PKCS#11/FIDO2 security tokens */
char **effective_passwords /* new passwords */) { char **effective_passwords /* new passwords */) {
_cleanup_(erase_and_freep) void *volume_key = NULL; _cleanup_(erase_and_freep) void *volume_key = NULL;

4
src/home/homework-fscrypt.h
View File

@ -4,7 +4,7 @@
#include "homework.h" #include "homework.h"
#include "user-record.h" #include "user-record.h"
int home_setup_fscrypt(UserRecord *h, PasswordCache *cache, HomeSetup *setup); int home_setup_fscrypt(UserRecord *h, const PasswordCache *cache, HomeSetup *setup);
int home_create_fscrypt(UserRecord *h, char **effective_passwords, UserRecord **ret_home); int home_create_fscrypt(UserRecord *h, char **effective_passwords, UserRecord **ret_home);
int home_passwd_fscrypt(UserRecord *h, HomeSetup *setup, PasswordCache *cache, char **effective_passwords); int home_passwd_fscrypt(UserRecord *h, HomeSetup *setup, const PasswordCache *cache, char **effective_passwords);

35
src/home/homework-luks.c
View File

@ -349,7 +349,10 @@ static int luks_setup(
return log_oom(); return log_oom();
r = -ENOKEY; r = -ENOKEY;
FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, passwords) { FOREACH_POINTER(list,
cache ? cache->pkcs11_passwords : NULL,
cache ? cache->fido2_passwords : NULL,
passwords) {
r = luks_try_passwords(cd, list, vk, &vks); r = luks_try_passwords(cd, list, vk, &vks);
if (r != -ENOKEY) if (r != -ENOKEY)
break; break;
@ -384,7 +387,7 @@ static int luks_setup(
static int luks_open( static int luks_open(
const char *dm_name, const char *dm_name,
char **passwords, char **passwords,
PasswordCache *cache, const PasswordCache *cache,
struct crypt_device **ret, struct crypt_device **ret,
sd_id128_t *ret_found_uuid, sd_id128_t *ret_found_uuid,
void **ret_volume_key, void **ret_volume_key,
@ -435,7 +438,10 @@ static int luks_open(
return log_oom(); return log_oom();
r = -ENOKEY; r = -ENOKEY;
FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, passwords) { FOREACH_POINTER(list,
cache ? cache->pkcs11_passwords : NULL,
cache ? cache->fido2_passwords : NULL,
passwords) {
r = luks_try_passwords(cd, list, vk, &vks); r = luks_try_passwords(cd, list, vk, &vks);
if (r != -ENOKEY) if (r != -ENOKEY)
break; break;
@ -1648,8 +1654,7 @@ static int luks_format(
STRV_FOREACH(pp, effective_passwords) { STRV_FOREACH(pp, effective_passwords) {
if (strv_contains(cache->pkcs11_passwords, *pp) || if (password_cache_contains(cache, *pp)) { /* is this a fido2 or pkcs11 password? */
strv_contains(cache->fido2_passwords, *pp)) {
log_debug("Using minimal PBKDF for slot %i", slot); log_debug("Using minimal PBKDF for slot %i", slot);
r = sym_crypt_set_pbkdf_type(cd, &minimal_pbkdf); r = sym_crypt_set_pbkdf_type(cd, &minimal_pbkdf);
} else { } else {
@ -1986,7 +1991,7 @@ static int home_truncate(
int home_create_luks( int home_create_luks(
UserRecord *h, UserRecord *h,
PasswordCache *cache, const PasswordCache *cache,
char **effective_passwords, char **effective_passwords,
UserRecord **ret_home) { UserRecord **ret_home) {
@ -3053,7 +3058,7 @@ int home_resize_luks(
int home_passwd_luks( int home_passwd_luks(
UserRecord *h, UserRecord *h,
HomeSetup *setup, HomeSetup *setup,
PasswordCache *cache, /* the passwords acquired via PKCS#11/FIDO2 security tokens */ const PasswordCache *cache, /* the passwords acquired via PKCS#11/FIDO2 security tokens */
char **effective_passwords /* new passwords */) { char **effective_passwords /* new passwords */) {
size_t volume_key_size, max_key_slots, n_effective; size_t volume_key_size, max_key_slots, n_effective;
@ -3090,7 +3095,11 @@ int home_passwd_luks(
return log_oom(); return log_oom();
r = -ENOKEY; r = -ENOKEY;
FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, h->password) { FOREACH_POINTER(list,
cache ? cache->pkcs11_passwords : NULL,
cache ? cache->fido2_passwords : NULL,
h->password) {
r = luks_try_passwords(setup->crypt_device, list, volume_key, &volume_key_size); r = luks_try_passwords(setup->crypt_device, list, volume_key, &volume_key_size);
if (r != -ENOKEY) if (r != -ENOKEY)
break; break;
@ -3116,8 +3125,7 @@ int home_passwd_luks(
continue; continue;
} }
if (strv_contains(cache->pkcs11_passwords, effective_passwords[i]) || if (password_cache_contains(cache, effective_passwords[i])) { /* Is this a FIDO2 or PKCS#11 password? */
strv_contains(cache->fido2_passwords, effective_passwords[i])) {
log_debug("Using minimal PBKDF for slot %zu", i); log_debug("Using minimal PBKDF for slot %zu", i);
r = sym_crypt_set_pbkdf_type(setup->crypt_device, &minimal_pbkdf); r = sym_crypt_set_pbkdf_type(setup->crypt_device, &minimal_pbkdf);
} else { } else {
@ -3218,7 +3226,7 @@ static int luks_try_resume(
return -ENOKEY; return -ENOKEY;
} }
int home_unlock_luks(UserRecord *h, PasswordCache *cache) { int home_unlock_luks(UserRecord *h, const PasswordCache *cache) {
_cleanup_free_ char *dm_name = NULL, *dm_node = NULL; _cleanup_free_ char *dm_name = NULL, *dm_node = NULL;
_cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL; _cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
char **list; char **list;
@ -3242,7 +3250,10 @@ int home_unlock_luks(UserRecord *h, PasswordCache *cache) {
cryptsetup_enable_logging(cd); cryptsetup_enable_logging(cd);
r = -ENOKEY; r = -ENOKEY;
FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, h->password) { FOREACH_POINTER(list,
cache ? cache->pkcs11_passwords : NULL,
cache ? cache->fido2_passwords : NULL,
h->password) {
r = luks_try_resume(cd, dm_name, list); r = luks_try_resume(cd, dm_name, list);
if (r != -ENOKEY) if (r != -ENOKEY)
break; break;

6
src/home/homework-luks.h
View File

@ -13,16 +13,16 @@ int home_trim_luks(UserRecord *h);
int home_store_header_identity_luks(UserRecord *h, HomeSetup *setup, UserRecord *old_home); int home_store_header_identity_luks(UserRecord *h, HomeSetup *setup, UserRecord *old_home);
int home_create_luks(UserRecord *h, PasswordCache *cache, char **effective_passwords, UserRecord **ret_home); int home_create_luks(UserRecord *h, const PasswordCache *cache, char **effective_passwords, UserRecord **ret_home);
int home_get_state_luks(UserRecord *h, HomeSetup *setup); int home_get_state_luks(UserRecord *h, HomeSetup *setup);
int home_resize_luks(UserRecord *h, HomeSetupFlags flags, PasswordCache *cache, HomeSetup *setup, UserRecord **ret_home); int home_resize_luks(UserRecord *h, HomeSetupFlags flags, PasswordCache *cache, HomeSetup *setup, UserRecord **ret_home);
int home_passwd_luks(UserRecord *h, HomeSetup *setup, PasswordCache *cache, char **effective_passwords); int home_passwd_luks(UserRecord *h, HomeSetup *setup, const PasswordCache *cache, char **effective_passwords);
int home_lock_luks(UserRecord *h); int home_lock_luks(UserRecord *h);
int home_unlock_luks(UserRecord *h, PasswordCache *cache); int home_unlock_luks(UserRecord *h, const PasswordCache *cache);
static inline uint64_t luks_volume_key_size_convert(struct crypt_device *cd) { static inline uint64_t luks_volume_key_size_convert(struct crypt_device *cd) {
int k; int k;

11
src/home/homework.h
View File

@ -7,6 +7,7 @@
#include "sd-id128.h" #include "sd-id128.h"
#include "loop-util.h" #include "loop-util.h"
#include "strv.h"
#include "user-record.h" #include "user-record.h"
#include "user-record-util.h" #include "user-record-util.h"
@ -39,13 +40,21 @@ typedef struct HomeSetup {
} HomeSetup; } HomeSetup;
typedef struct PasswordCache { typedef struct PasswordCache {
/* Decoding passwords from security tokens is expensive and typically requires user interaction, hence cache any we already figured out. */ /* Decoding passwords from security tokens is expensive and typically requires user interaction,
* hence cache any we already figured out. */
char **pkcs11_passwords; char **pkcs11_passwords;
char **fido2_passwords; char **fido2_passwords;
} PasswordCache; } PasswordCache;
void password_cache_free(PasswordCache *cache); void password_cache_free(PasswordCache *cache);
static inline bool password_cache_contains(const PasswordCache *cache, const char *p) {
if (!cache)
return false;
return strv_contains(cache->pkcs11_passwords, p) || strv_contains(cache->fido2_passwords, p);
}
#define HOME_SETUP_INIT \ #define HOME_SETUP_INIT \
{ \ { \
.root_fd = -1, \ .root_fd = -1, \