authorLennart Poettering <lennart@poettering.net>2021-10-18 15:31:10 +0200
committerLennart Poettering <lennart@poettering.net>2021-10-18 15:35:41 +0200
commit3361d1ca1b527bc811db543689e77a53f970ca97 (patch)
treee263cf03593649eb5346fe86486ba16a61056988
parent37a1bf7f76c5a58a3f3dac3241d1ba292d370b42 (diff)
homework: mae sure PasswordCache is really optional
It was supposed to be optional (i.e. there's a reason why we never assert()ed on it), and in many codepaths it is, let's make sure it is everywhere.
-rw-r--r--src/home/homework-luks.c27
-rw-r--r--src/home/homework.h11
2 files changed, 29 insertions, 9 deletions
diff --git a/src/home/homework-luks.c b/src/home/homework-luks.c
index 48ac20c966..169a9633a8 100644
--- a/src/home/homework-luks.c
+++ b/src/home/homework-luks.c
@@ -349,7 +349,10 @@ static int luks_setup(
return log_oom();
r = -ENOKEY;
- FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, passwords) {
+ FOREACH_POINTER(list,
+ cache ? cache->pkcs11_passwords : NULL,
+ cache ? cache->fido2_passwords : NULL,
+ passwords) {
r = luks_try_passwords(cd, list, vk, &vks);
if (r != -ENOKEY)
break;
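Review bot: The two `cache ? cache->… : NULL` arguments added to this `FOREACH_POINTER` are repeated verbatim in luks_open, home_passwd_luks and home_unlock_luks, so the NULL guard is an open-coded convention that the next call site can miss. Small accessors beside `password_cache_contains()` in homework.h would keep the check in one place, e.g. `static inline char **password_cache_pkcs11(const PasswordCache *c) { return c ? c->pkcs11_passwords : NULL; }` (name constructed for illustration) and a FIDO2 twin. The loop now also depends on `FOREACH_POINTER` not stopping at a NULL entry and on `luks_try_passwords()` treating a NULL list as empty; neither definition is visible here, so a one-line comment stating that would help. The home_passwd_luks copy additionally gains a stray blank `+` line after the macro's opening brace that the other three sites do not have. luks_setup starts and ends outside this hunk.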
@@ -435,7 +438,10 @@ static int luks_open(
return log_oom();
r = -ENOKEY;
- FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, passwords) {
+ FOREACH_POINTER(list,
+ cache ? cache->pkcs11_passwords : NULL,
+ cache ? cache->fido2_passwords : NULL,
+ passwords) {
r = luks_try_passwords(cd, list, vk, &vks);
if (r != -ENOKEY)
break;
@@ -1614,8 +1620,7 @@ static int luks_format(
STRV_FOREACH(pp, effective_passwords) {
- if (strv_contains(cache->pkcs11_passwords, *pp) ||
- strv_contains(cache->fido2_passwords, *pp)) {
+ if (password_cache_contains(cache, *pp)) { /* is this a fido2 or pkcs11 password? */
log_debug("Using minimal PBKDF for slot %i", slot);
r = sym_crypt_set_pbkdf_type(cd, &minimal_pbkdf);
} else {
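Review bot: The trailing comment on the `password_cache_contains()` line says what is tested but not why a match selects `minimal_pbkdf`, which is the security-relevant decision in this branch. A comment such as `/* Token-derived secrets need no expensive PBKDF; a NULL cache matches nothing, so we then never pick the minimal one */` would record that the no-cache case fails toward the `else` branch. The rationale about token-derived secrets is inferred and should be confirmed by the author. The same comment in home_passwd_luks is spelled `FIDO2 or PKCS#11` while this one says `fido2 or pkcs11`; use one form. luks_format continues outside the hunk, so the `else` body and the check of `r` are not visible.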
@@ -3051,7 +3056,11 @@ int home_passwd_luks(
return log_oom();
r = -ENOKEY;
- FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, h->password) {
+ FOREACH_POINTER(list,
+ cache ? cache->pkcs11_passwords : NULL,
+ cache ? cache->fido2_passwords : NULL,
+ h->password) {
+
r = luks_try_passwords(setup->crypt_device, list, volume_key, &volume_key_size);
if (r != -ENOKEY)
break;
@@ -3077,8 +3086,7 @@ int home_passwd_luks(
continue;
}
- if (strv_contains(cache->pkcs11_passwords, effective_passwords[i]) ||
- strv_contains(cache->fido2_passwords, effective_passwords[i])) {
+ if (password_cache_contains(cache, effective_passwords[i])) { /* Is this a FIDO2 or PKCS#11 password? */
log_debug("Using minimal PBKDF for slot %zu", i);
r = sym_crypt_set_pbkdf_type(setup->crypt_device, &minimal_pbkdf);
} else {
@@ -3203,7 +3211,10 @@ int home_unlock_luks(UserRecord *h, const PasswordCache *cache) {
cryptsetup_enable_logging(cd);
r = -ENOKEY;
- FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, h->password) {
+ FOREACH_POINTER(list,
+ cache ? cache->pkcs11_passwords : NULL,
+ cache ? cache->fido2_passwords : NULL,
+ h->password) {
r = luks_try_resume(cd, dm_name, list);
if (r != -ENOKEY)
break;
diff --git a/src/home/homework.h b/src/home/homework.h
index 9331452e3e..5fa4b653e2 100644
--- a/src/home/homework.h
+++ b/src/home/homework.h
@@ -7,6 +7,7 @@
#include "sd-id128.h"
#include "loop-util.h"
+#include "strv.h"
#include "user-record.h"
#include "user-record-util.h"
@@ -39,13 +40,21 @@ typedef struct HomeSetup {
} HomeSetup;
typedef struct PasswordCache {
- /* Decoding passwords from security tokens is expensive and typically requires user interaction, hence cache any we already figured out. */
+ /* Decoding passwords from security tokens is expensive and typically requires user interaction,
+ * hence cache any we already figured out. */
char **pkcs11_passwords;
char **fido2_passwords;
} PasswordCache;
void password_cache_free(PasswordCache *cache);
+static inline bool password_cache_contains(const PasswordCache *cache, const char *p) {
+ if (!cache)
+ return false;
+
+ return strv_contains(cache->pkcs11_passwords, p) || strv_contains(cache->fido2_passwords, p);
+}
+
#define HOME_SETUP_INIT \
{ \
.root_fd = -1, \
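Review bot: `password_cache_contains()` has no comment stating its contract, so the NULL tolerance that every caller in this commit relies on can only be learned by reading the body. Add a line above it such as `/* Returns true if p is one of the cached PKCS#11/FIDO2 passwords. cache may be NULL, which means "nothing cached". */`, and extend the struct comment to say that functions taking a `PasswordCache *` accept NULL. `p` goes straight into `strv_contains()`; whether a NULL `p` is safe there is not visible in this hunk, so either document that `p` must be non-NULL or guard it.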