authorLennart Poettering <lennart@poettering.net>2021-05-28 18:18:54 +0200
committerLennart Poettering <lennart@poettering.net>2021-06-01 13:31:53 +0200
commit17e7561a973495992014dd102135f15eb808ae01 (patch)
tree2ee7ecb59582619e814b9662171f75374521d7ea /src/home/user-record-util.c
parentMerge pull request #17096 from eworm-de/ask-password (diff)
downloadsystemd-17e7561a973495992014dd102135f15eb808ae01.tar.xz
systemd-17e7561a973495992014dd102135f15eb808ae01.zip
homectl: store FIDO2 up/uv/clientPin fields in user records too
This catches up homed's FIDO2 support with cryptsetup's: we'll now store the uv/up/clientPin configuration at enrollment in the user record JSON data, and use it when authenticating with it. This also adds explicit "uv" support: we'll only allow it to happen when the client explicitly said it's OK. Clients then use this to print a nice message suggesting that "uv" has to take place, before retrying with it allowed this time. This is modelled after the existing handling for "up".
Diffstat (limited to 'src/home/user-record-util.c')
-rw-r--r--src/home/user-record-util.c36
1 files changed, 36 insertions, 0 deletions
diff --git a/src/home/user-record-util.c b/src/home/user-record-util.c
index e244ba5772..4e4f5d2341 100644
--- a/src/home/user-record-util.c
+++ b/src/home/user-record-util.c
@@ -1065,6 +1065,34 @@ int user_record_set_fido2_user_presence_permitted(UserRecord *h, int b) {
return 0;
}
+int user_record_set_fido2_user_verification_permitted(UserRecord *h, int b) {
+ _cleanup_(json_variant_unrefp) JsonVariant *w = NULL;
+ int r;
+
+ assert(h);
+
+ w = json_variant_ref(json_variant_by_key(h->json, "secret"));
+
+ if (b < 0)
+ r = json_variant_filter(&w, STRV_MAKE("fido2UserVerificationPermitted"));
+ else
+ r = json_variant_set_field_boolean(&w, "fido2UserVerificationPermitted", b);
+ if (r < 0)
+ return r;
+
+ if (json_variant_is_blank_object(w))
+ r = json_variant_filter(&h->json, STRV_MAKE("secret"));
+ else
+ r = json_variant_set_field(&h->json, "secret", w);
+ if (r < 0)
+ return r;
+
+ h->fido2_user_verification_permitted = b;
+
+ SET_FLAG(h->mask, USER_RECORD_SECRET, !json_variant_is_blank_object(w));
+ return 0;
+}
+
static bool per_machine_entry_empty(JsonVariant *v) {
const char *k;
_unused_ JsonVariant *e;
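Review bot: The tri-state contract of `b` in user_record_set_fido2_user_verification_permitted() is undocumented, even though the function silently branches on it: a negative value drops the `fido2UserVerificationPermitted` key from the "secret" object, anything else is stored as a boolean, and the raw value is then assigned to `h->fido2_user_verification_permitted` as-is. A short header comment would make that explicit for the merge path and other callers, e.g. `/* b < 0 removes the setting (i.e. "unset"), otherwise it is stored as a boolean under the "secret" sub-object; mirrors user_record_set_fido2_user_presence_permitted() */`. Also, `json_variant_is_blank_object(w)` is evaluated twice (once to decide whether to drop "secret", once for SET_FLAG); computing `bool blank = json_variant_is_blank_object(w);` once and reusing it would keep the two decisions from ever diverging. The body appears to duplicate the user-presence setter line for line, so a shared static helper taking the field name would presumably remove the copy, though the presence variant's body is outside this hunk.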
@@ -1167,6 +1195,14 @@ int user_record_merge_secret(UserRecord *h, UserRecord *secret) {
return r;
}
+ if (secret->fido2_user_verification_permitted >= 0) {
+ r = user_record_set_fido2_user_verification_permitted(
+ h,
+ secret->fido2_user_verification_permitted);
+ if (r < 0)
+ return r;
+ }
+
return 0;
}
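Review bot: The `>= 0` guard in the new block of user_record_merge_secret() relies on the setter's negative-means-unset convention without saying so; a reader may otherwise expect a negative value in `secret` to clear the setting on `h`. A one-line comment would pin the intent, e.g. `/* A negative value means the secret record did not specify this; keep h's existing setting. */`. It is worth confirming this matches the handling of the existing presence field, whose merge block precedes this hunk and is only partly visible; user_record_merge_secret() starts outside the hunk.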