shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-01-10 05:18:17 +03:00
Code

home/homework: use FOREACH_ARRAY more

Browse Source 
Prompted by #31932
This commit is contained in:
Mike Yuan 2024-03-25 20:33:18 +08:00 committed by Yu Watanabe
parent 373452ff9f
commit 3b09af2004
1 changed files with 27 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
src/home/homework.c
View File

@ -119,9 +119,9 @@ int user_record_authenticate(
log_info("None of the supplied plaintext passwords unlock the user record's hashed recovery keys."); log_info("None of the supplied plaintext passwords unlock the user record's hashed recovery keys.");
/* Next, test cached PKCS#11 passwords */ /* Next, test cached PKCS#11 passwords */
for (size_t n = 0; n < h->n_pkcs11_encrypted_key; n++) FOREACH_ARRAY(i, h->pkcs11_encrypted_key, h->n_pkcs11_encrypted_key)
STRV_FOREACH(pp, cache->pkcs11_passwords) { STRV_FOREACH(pp, cache->pkcs11_passwords) {
r = test_password_one(h->pkcs11_encrypted_key[n].hashed_password, *pp); r = test_password_one(i->hashed_password, *pp);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to check supplied PKCS#11 password: %m"); return log_error_errno(r, "Failed to check supplied PKCS#11 password: %m");
if (r > 0) { if (r > 0) {
@ -131,10 +131,10 @@ int user_record_authenticate(
} }
/* Next, test cached FIDO2 passwords */ /* Next, test cached FIDO2 passwords */
for (size_t n = 0; n < h->n_fido2_hmac_salt; n++) FOREACH_ARRAY(i, h->fido2_hmac_salt, h->n_fido2_hmac_salt)
/* See if any of the previously calculated passwords work */ /* See if any of the previously calculated passwords work */
STRV_FOREACH(pp, cache->fido2_passwords) { STRV_FOREACH(pp, cache->fido2_passwords) {
r = test_password_one(h->fido2_hmac_salt[n].hashed_password, *pp); r = test_password_one(i->hashed_password, *pp);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to check supplied FIDO2 password: %m"); return log_error_errno(r, "Failed to check supplied FIDO2 password: %m");
if (r > 0) { if (r > 0) {
@ -144,12 +144,12 @@ int user_record_authenticate(
} }
/* Next, let's see if any of the PKCS#11 security tokens are plugged in and help us */ /* Next, let's see if any of the PKCS#11 security tokens are plugged in and help us */
for (size_t n = 0; n < h->n_pkcs11_encrypted_key; n++) { FOREACH_ARRAY(i, h->pkcs11_encrypted_key, h->n_pkcs11_encrypted_key) {
#if HAVE_P11KIT #if HAVE_P11KIT
_cleanup_(pkcs11_callback_data_release) struct pkcs11_callback_data data = { _cleanup_(pkcs11_callback_data_release) struct pkcs11_callback_data data = {
.user_record = h, .user_record = h,
.secret = secret, .secret = secret,
.encrypted_key = h->pkcs11_encrypted_key + n, .encrypted_key = i,
}; };
r = pkcs11_find_token(data.encrypted_key->uri, pkcs11_callback, &data); r = pkcs11_find_token(data.encrypted_key->uri, pkcs11_callback, &data);
@ -183,7 +183,9 @@ int user_record_authenticate(
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to test PKCS#11 password: %m"); return log_error_errno(r, "Failed to test PKCS#11 password: %m");
if (r == 0) if (r == 0)
return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Configured PKCS#11 security token %s does not decrypt encrypted key correctly.", data.encrypted_key->uri); return log_error_errno(SYNTHETIC_ERRNO(EPERM),
"Configured PKCS#11 security token %s does not decrypt encrypted key correctly.",
data.encrypted_key->uri);
log_info("Decrypted password from PKCS#11 security token %s unlocks user record.", data.encrypted_key->uri); log_info("Decrypted password from PKCS#11 security token %s unlocks user record.", data.encrypted_key->uri);
@ -200,11 +202,11 @@ int user_record_authenticate(
} }
/* Next, let's see if any of the FIDO2 security tokens are plugged in and help us */ /* Next, let's see if any of the FIDO2 security tokens are plugged in and help us */
for (size_t n = 0; n < h->n_fido2_hmac_salt; n++) { FOREACH_ARRAY(i, h->fido2_hmac_salt, h->n_fido2_hmac_salt) {
#if HAVE_LIBFIDO2 #if HAVE_LIBFIDO2
_cleanup_(erase_and_freep) char *decrypted_password = NULL; _cleanup_(erase_and_freep) char *decrypted_password = NULL;
r = fido2_use_token(h, secret, h->fido2_hmac_salt + n, &decrypted_password); r = fido2_use_token(h, secret, i, &decrypted_password);
switch (r) { switch (r) {
case -EAGAIN: case -EAGAIN:
need_token = true; need_token = true;
@ -231,11 +233,12 @@ int user_record_authenticate(
if (r < 0) if (r < 0)
return r; return r;
r = test_password_one(h->fido2_hmac_salt[n].hashed_password, decrypted_password); r = test_password_one(i->hashed_password, decrypted_password);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to test FIDO2 password: %m"); return log_error_errno(r, "Failed to test FIDO2 password: %m");
if (r == 0) if (r == 0)
return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Configured FIDO2 security token does not decrypt encrypted key correctly."); return log_error_errno(SYNTHETIC_ERRNO(EPERM),
"Configured FIDO2 security token does not decrypt encrypted key correctly.");
log_info("Decrypted password from FIDO2 security token unlocks user record."); log_info("Decrypted password from FIDO2 security token unlocks user record.");
@ -1118,7 +1121,6 @@ static int user_record_compile_effective_passwords(
char ***ret_effective_passwords) { char ***ret_effective_passwords) {
_cleanup_strv_free_erase_ char **effective = NULL; _cleanup_strv_free_erase_ char **effective = NULL;
size_t n;
int r; int r;
assert(h); assert(h);
@ -1163,17 +1165,16 @@ static int user_record_compile_effective_passwords(
return log_error_errno(SYNTHETIC_ERRNO(ENOKEY), "Missing plaintext password for defined hashed password"); return log_error_errno(SYNTHETIC_ERRNO(ENOKEY), "Missing plaintext password for defined hashed password");
} }
for (n = 0; n < h->n_recovery_key; n++) { FOREACH_ARRAY(i, h->recovery_key, h->n_recovery_key) {
bool found = false; bool found = false;
log_debug("Looking for plaintext recovery key for: %s", h->recovery_key[n].hashed_password); log_debug("Looking for plaintext recovery key for: %s", i->hashed_password);
STRV_FOREACH(j, h->password) { STRV_FOREACH(j, h->password) {
_cleanup_(erase_and_freep) char *mangled = NULL; _cleanup_(erase_and_freep) char *mangled = NULL;
const char *p; const char *p;
if (streq(h->recovery_key[n].type, "modhex64")) { if (streq(i->type, "modhex64")) {
r = normalize_recovery_key(*j, &mangled); r = normalize_recovery_key(*j, &mangled);
if (r == -EINVAL) /* Not properly formatted, probably a regular password. */ if (r == -EINVAL) /* Not properly formatted, probably a regular password. */
continue; continue;
@ -1184,7 +1185,7 @@ static int user_record_compile_effective_passwords(
} else } else
p = *j; p = *j;
r = test_password_one(h->recovery_key[n].hashed_password, p); r = test_password_one(i->hashed_password, p);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to test plaintext recovery key: %m"); return log_error_errno(r, "Failed to test plaintext recovery key: %m");
if (r > 0) { if (r > 0) {
@ -1201,15 +1202,16 @@ static int user_record_compile_effective_passwords(
} }
if (!found) if (!found)
return log_error_errno(SYNTHETIC_ERRNO(EREMOTEIO), "Missing plaintext recovery key for defined recovery key"); return log_error_errno(SYNTHETIC_ERRNO(EREMOTEIO),
"Missing plaintext recovery key for defined recovery key.");
} }
for (n = 0; n < h->n_pkcs11_encrypted_key; n++) { FOREACH_ARRAY(i, h->pkcs11_encrypted_key, h->n_pkcs11_encrypted_key) {
#if HAVE_P11KIT #if HAVE_P11KIT
_cleanup_(pkcs11_callback_data_release) struct pkcs11_callback_data data = { _cleanup_(pkcs11_callback_data_release) struct pkcs11_callback_data data = {
.user_record = h, .user_record = h,
.secret = h, .secret = h,
.encrypted_key = h->pkcs11_encrypted_key + n, .encrypted_key = i,
}; };
r = pkcs11_find_token(data.encrypted_key->uri, pkcs11_callback, &data); r = pkcs11_find_token(data.encrypted_key->uri, pkcs11_callback, &data);
@ -1238,19 +1240,20 @@ static int user_record_compile_effective_passwords(
#endif #endif
} }
for (n = 0; n < h->n_fido2_hmac_salt; n++) { FOREACH_ARRAY(i, h->fido2_hmac_salt, h->n_fido2_hmac_salt) {
#if HAVE_LIBFIDO2 #if HAVE_LIBFIDO2
_cleanup_(erase_and_freep) char *decrypted_password = NULL; _cleanup_(erase_and_freep) char *decrypted_password = NULL;
r = fido2_use_token(h, h, h->fido2_hmac_salt + n, &decrypted_password); r = fido2_use_token(h, h, i, &decrypted_password);
if (r < 0) if (r < 0)
return r; return r;
r = test_password_one(h->fido2_hmac_salt[n].hashed_password, decrypted_password); r = test_password_one(i->hashed_password, decrypted_password);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to test FIDO2 password: %m"); return log_error_errno(r, "Failed to test FIDO2 password: %m");
if (r == 0) if (r == 0)
return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Decrypted password from token is not correct, refusing."); return log_error_errno(SYNTHETIC_ERRNO(EPERM),
"Decrypted password from token is not correct, refusing.");
if (ret_effective_passwords) { if (ret_effective_passwords) {
r = strv_extend(&effective, decrypted_password); r = strv_extend(&effective, decrypted_password);