Merge pull request #21034 from poettering/homed-password-cache-tweaks

homed: minor tweaks to the PasswordCache logic
author: Lennart Poettering <lennart@poettering.net> 2021-10-18 22:46:16 +0200
committer: GitHub <noreply@github.com> 2021-10-18 22:46:16 +0200
commit: ec3f41e09cadf1d7ef473e134d344fc6ec4dc9f2 (patch)
tree: 63410f0a05e12b3ab9c5ca6574051fce37739aaf /src/home
parent: Merge pull request #21028 from poettering/watchdog-fixlets (diff)
parent: homework: mae sure PasswordCache is really optional (diff)
download: systemd-ec3f41e09cadf1d7ef473e134d344fc6ec4dc9f2.tar.xz
systemd-ec3f41e09cadf1d7ef473e134d344fc6ec4dc9f2.zip
5 files changed, 40 insertions, 20 deletions
diff --git a/src/home/homework-fscrypt.c b/src/home/homework-fscrypt.c
index 37903b8fff..899d4e10c6 100644
--- a/src/home/homework-fscrypt.c
+++ b/src/home/homework-fscrypt.c
@@ -280,7 +280,7 @@ static int fscrypt_setup(
 
 int home_setup_fscrypt(
                 UserRecord *h,
-                PasswordCache *cache,
+                const PasswordCache *cache,
                 HomeSetup *setup) {
 
         _cleanup_(erase_and_freep) void *volume_key = NULL;
@@ -584,7 +584,7 @@ int home_create_fscrypt(
 int home_passwd_fscrypt(
                 UserRecord *h,
                 HomeSetup *setup,
-                PasswordCache *cache,               /* the passwords acquired via PKCS#11/FIDO2 security tokens */
+                const PasswordCache *cache,         /* the passwords acquired via PKCS#11/FIDO2 security tokens */
                 char **effective_passwords          /* new passwords */) {
 
         _cleanup_(erase_and_freep) void *volume_key = NULL;
diff --git a/src/home/homework-fscrypt.h b/src/home/homework-fscrypt.h
index d8e0b8a2d1..736bcb9dcd 100644
--- a/src/home/homework-fscrypt.h
+++ b/src/home/homework-fscrypt.h
@@ -4,7 +4,7 @@
 #include "homework.h"
 #include "user-record.h"
 
-int home_setup_fscrypt(UserRecord *h, PasswordCache *cache, HomeSetup *setup);
+int home_setup_fscrypt(UserRecord *h, const PasswordCache *cache, HomeSetup *setup);
 int home_create_fscrypt(UserRecord *h, char **effective_passwords, UserRecord **ret_home);
 
-int home_passwd_fscrypt(UserRecord *h, HomeSetup *setup, PasswordCache *cache, char **effective_passwords);
+int home_passwd_fscrypt(UserRecord *h, HomeSetup *setup, const PasswordCache *cache, char **effective_passwords);
diff --git a/src/home/homework-luks.c b/src/home/homework-luks.c
index 4464296c96..05e2950b4b 100644
--- a/src/home/homework-luks.c
+++ b/src/home/homework-luks.c
@@ -349,7 +349,10 @@ static int luks_setup(
                 return log_oom();
 
         r = -ENOKEY;
-        FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, passwords) {
+        FOREACH_POINTER(list,
+                        cache ? cache->pkcs11_passwords : NULL,
+                        cache ? cache->fido2_passwords : NULL,
+                        passwords) {
                 r = luks_try_passwords(cd, list, vk, &vks);
                 if (r != -ENOKEY)
                         break;
@@ -384,7 +387,7 @@ static int luks_setup(
 static int luks_open(
                 const char *dm_name,
                 char **passwords,
-                PasswordCache *cache,
+                const PasswordCache *cache,
                 struct crypt_device **ret,
                 sd_id128_t *ret_found_uuid,
                 void **ret_volume_key,
@@ -435,7 +438,10 @@ static int luks_open(
                 return log_oom();
 
         r = -ENOKEY;
-        FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, passwords) {
+        FOREACH_POINTER(list,
+                        cache ? cache->pkcs11_passwords : NULL,
+                        cache ? cache->fido2_passwords : NULL,
+                        passwords) {
                 r = luks_try_passwords(cd, list, vk, &vks);
                 if (r != -ENOKEY)
                         break;
@@ -1648,8 +1654,7 @@ static int luks_format(
 
         STRV_FOREACH(pp, effective_passwords) {
 
-                if (strv_contains(cache->pkcs11_passwords, *pp) ||
-                    strv_contains(cache->fido2_passwords, *pp)) {
+                if (password_cache_contains(cache, *pp)) { /* is this a fido2 or pkcs11 password? */
                         log_debug("Using minimal PBKDF for slot %i", slot);
                         r = sym_crypt_set_pbkdf_type(cd, &minimal_pbkdf);
                 } else {
@@ -1986,7 +1991,7 @@ static int home_truncate(
 
 int home_create_luks(
                 UserRecord *h,
-                PasswordCache *cache,
+                const PasswordCache *cache,
                 char **effective_passwords,
                 UserRecord **ret_home) {
 
@@ -3053,7 +3058,7 @@ int home_resize_luks(
 int home_passwd_luks(
                 UserRecord *h,
                 HomeSetup *setup,
-                PasswordCache *cache,      /* the passwords acquired via PKCS#11/FIDO2 security tokens */
+                const PasswordCache *cache,      /* the passwords acquired via PKCS#11/FIDO2 security tokens */
                 char **effective_passwords /* new passwords */) {
 
         size_t volume_key_size, max_key_slots, n_effective;
@@ -3090,7 +3095,11 @@ int home_passwd_luks(
                 return log_oom();
 
         r = -ENOKEY;
-        FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, h->password) {
+        FOREACH_POINTER(list,
+                        cache ? cache->pkcs11_passwords : NULL,
+                        cache ? cache->fido2_passwords : NULL,
+                        h->password) {
+
                 r = luks_try_passwords(setup->crypt_device, list, volume_key, &volume_key_size);
                 if (r != -ENOKEY)
                         break;
@@ -3116,8 +3125,7 @@ int home_passwd_luks(
                         continue;
                 }
 
-                if (strv_contains(cache->pkcs11_passwords, effective_passwords[i]) ||
-                    strv_contains(cache->fido2_passwords, effective_passwords[i])) {
+                if (password_cache_contains(cache, effective_passwords[i])) { /* Is this a FIDO2 or PKCS#11 password? */
                         log_debug("Using minimal PBKDF for slot %zu", i);
                         r = sym_crypt_set_pbkdf_type(setup->crypt_device, &minimal_pbkdf);
                 } else {
@@ -3218,7 +3226,7 @@ static int luks_try_resume(
         return -ENOKEY;
 }
 
-int home_unlock_luks(UserRecord *h, PasswordCache *cache) {
+int home_unlock_luks(UserRecord *h, const PasswordCache *cache) {
         _cleanup_free_ char *dm_name = NULL, *dm_node = NULL;
         _cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
         char **list;
@@ -3242,7 +3250,10 @@ int home_unlock_luks(UserRecord *h, PasswordCache *cache) {
         cryptsetup_enable_logging(cd);
 
         r = -ENOKEY;
-        FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, h->password) {
+        FOREACH_POINTER(list,
+                        cache ? cache->pkcs11_passwords : NULL,
+                        cache ? cache->fido2_passwords : NULL,
+                        h->password) {
                 r = luks_try_resume(cd, dm_name, list);
                 if (r != -ENOKEY)
                         break;
diff --git a/src/home/homework-luks.h b/src/home/homework-luks.h
index 5345170ac5..f8d22bb647 100644
--- a/src/home/homework-luks.h
+++ b/src/home/homework-luks.h
@@ -13,16 +13,16 @@ int home_trim_luks(UserRecord *h);
 
 int home_store_header_identity_luks(UserRecord *h, HomeSetup *setup, UserRecord *old_home);
 
-int home_create_luks(UserRecord *h, PasswordCache *cache, char **effective_passwords, UserRecord **ret_home);
+int home_create_luks(UserRecord *h, const PasswordCache *cache, char **effective_passwords, UserRecord **ret_home);
 
 int home_get_state_luks(UserRecord *h, HomeSetup *setup);
 
 int home_resize_luks(UserRecord *h, HomeSetupFlags flags, PasswordCache *cache, HomeSetup *setup, UserRecord **ret_home);
 
-int home_passwd_luks(UserRecord *h, HomeSetup *setup, PasswordCache *cache, char **effective_passwords);
+int home_passwd_luks(UserRecord *h, HomeSetup *setup, const PasswordCache *cache, char **effective_passwords);
 
 int home_lock_luks(UserRecord *h);
-int home_unlock_luks(UserRecord *h, PasswordCache *cache);
+int home_unlock_luks(UserRecord *h, const PasswordCache *cache);
 
 static inline uint64_t luks_volume_key_size_convert(struct crypt_device *cd) {
         int k;
diff --git a/src/home/homework.h b/src/home/homework.h
index 9331452e3e..5fa4b653e2 100644
--- a/src/home/homework.h
+++ b/src/home/homework.h
@@ -7,6 +7,7 @@
 #include "sd-id128.h"
 
 #include "loop-util.h"
+#include "strv.h"
 #include "user-record.h"
 #include "user-record-util.h"
 
@@ -39,13 +40,21 @@ typedef struct HomeSetup {
 } HomeSetup;
 
 typedef struct PasswordCache {
-        /* Decoding passwords from security tokens is expensive and typically requires user interaction, hence cache any we already figured out. */
+        /* Decoding passwords from security tokens is expensive and typically requires user interaction,
+         * hence cache any we already figured out. */
         char **pkcs11_passwords;
         char **fido2_passwords;
 } PasswordCache;
 
 void password_cache_free(PasswordCache *cache);
 
+static inline bool password_cache_contains(const PasswordCache *cache, const char *p) {
+        if (!cache)
+                return false;
+
+        return strv_contains(cache->pkcs11_passwords, p) || strv_contains(cache->fido2_passwords, p);
+}
+
 #define HOME_SETUP_INIT                                 \
         {                                               \
                 .root_fd = -1,                          \
author	Lennart Poettering <lennart@poettering.net>	2021-10-18 22:46:16 +0200
committer	GitHub <noreply@github.com>	2021-10-18 22:46:16 +0200
commit	ec3f41e09cadf1d7ef473e134d344fc6ec4dc9f2 (patch)
tree	63410f0a05e12b3ab9c5ca6574051fce37739aaf /src/home
parent	Merge pull request #21028 from poettering/watchdog-fixlets (diff)
parent	homework: mae sure PasswordCache is really optional (diff)
download	systemd-ec3f41e09cadf1d7ef473e134d344fc6ec4dc9f2.tar.xz systemd-ec3f41e09cadf1d7ef473e134d344fc6ec4dc9f2.zip