}
static int fscrypt_setup(
- char **pkcs11_decrypted_passwords,
+ const PasswordCache *cache,
char **password,
HomeSetup *setup,
void **ret_volume_key,
_cleanup_free_ char *value = NULL;
size_t salt_size, encrypted_size;
const char *nr, *e;
+ char **list;
int n;
/* Check if this xattr has the format 'trusted.fscrypt_slot<nr>' where '<nr>' is a 32bit unsigned integer */
if (r < 0)
return log_error_errno(r, "Failed to decode encrypted key of %s: %m", xa);
- r = fscrypt_slot_try_many(
- pkcs11_decrypted_passwords,
- salt, salt_size,
- encrypted, encrypted_size,
- setup->fscrypt_key_descriptor,
- ret_volume_key, ret_volume_key_size);
- if (r == -ENOANO)
+ r = -ENOANO;
+ FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, password) {
r = fscrypt_slot_try_many(
- password,
+ list,
salt, salt_size,
encrypted, encrypted_size,
setup->fscrypt_key_descriptor,
ret_volume_key, ret_volume_key_size);
+ if (r != -ENOANO)
+ break;
+ }
if (r < 0) {
if (r != -ENOANO)
return r;
int home_prepare_fscrypt(
UserRecord *h,
bool already_activated,
- char ***pkcs11_decrypted_passwords,
+ PasswordCache *cache,
HomeSetup *setup) {
_cleanup_(erase_and_freep) void *volume_key = NULL;
memcpy(setup->fscrypt_key_descriptor, policy.master_key_descriptor, FS_KEY_DESCRIPTOR_SIZE);
r = fscrypt_setup(
- pkcs11_decrypted_passwords ? *pkcs11_decrypted_passwords : NULL,
+ cache,
h->password,
setup,
&volume_key,
int home_passwd_fscrypt(
UserRecord *h,
HomeSetup *setup,
- char **pkcs11_decrypted_passwords, /* the passwords acquired via PKCS#11 security tokens */
+ PasswordCache *cache, /* the passwords acquired via PKCS#11/FIDO2 security tokens */
char **effective_passwords /* new passwords */) {
_cleanup_(erase_and_freep) void *volume_key = NULL;
assert(setup);
r = fscrypt_setup(
- pkcs11_decrypted_passwords,
+ cache,
h->password,
setup,
&volume_key,