libfido2-util: accept cached pin in fido2_generate_hmac_hash()

fido2_generate_hmac_hash() sets req->keyring to "fido2-pin" when calling ask_password_auto(), suggesting that a key by this name can be read from the kernel keyring. But the keyring is never opened because the ASK_PASSWORD_ACCEPT_CACHED flag is not set. Set ASK_PASSWORD_ACCEPT_CACHED to allow automated / scripted setup of encrypted volumes with FIDO2. If the PIN turns out to be invalid, clear ASK_PASSWORD_ACCEPT_CACHED to avoid retrying and possible lockout.
2025-08-15 01:49:58 +03:00 · 2025-02-17 18:40:35 +01:00
parent 250118f3f0
commit 505c2f2137
1 changed files with 5 additions and 1 deletions
--- a/src/shared/libfido2-util.c
+++ b/src/shared/libfido2-util.c
@ -854,6 +854,8 @@ int fido2_generate_hmac_hash(
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                               "Token asks for PIN but doesn't advertise 'clientPin' feature.");

+                AskPasswordFlags askpw_flags = ASK_PASSWORD_ACCEPT_CACHED;
+
                for (;;) {
                        _cleanup_strv_free_erase_ char **pin = NULL;
                        AskPasswordRequest req = {
@ -866,10 +868,12 @@ int fido2_generate_hmac_hash(
                                .hup_fd = -EBADF,
                        };

-                        r = ask_password_auto(&req, /* flags= */ 0, &pin);
+                        r = ask_password_auto(&req, askpw_flags, &pin);
                        if (r < 0)
                                return log_error_errno(r, "Failed to acquire user PIN: %m");

+                        askpw_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
+
                        r = FIDO_ERR_PIN_INVALID;
                        STRV_FOREACH(i, pin) {
                                if (isempty(*i)) {