return log_oom();
r = -ENOKEY;
- FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, passwords) {
+ FOREACH_POINTER(list,
+ cache ? cache->pkcs11_passwords : NULL,
+ cache ? cache->fido2_passwords : NULL,
+ passwords) {
r = luks_try_passwords(cd, list, vk, &vks);
if (r != -ENOKEY)
break;
static int luks_open(
const char *dm_name,
char **passwords,
- PasswordCache *cache,
+ const PasswordCache *cache,
struct crypt_device **ret,
sd_id128_t *ret_found_uuid,
void **ret_volume_key,
return log_oom();
r = -ENOKEY;
- FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, passwords) {
+ FOREACH_POINTER(list,
+ cache ? cache->pkcs11_passwords : NULL,
+ cache ? cache->fido2_passwords : NULL,
+ passwords) {
r = luks_try_passwords(cd, list, vk, &vks);
if (r != -ENOKEY)
break;
STRV_FOREACH(pp, effective_passwords) {
- if (strv_contains(cache->pkcs11_passwords, *pp) ||
- strv_contains(cache->fido2_passwords, *pp)) {
+ if (password_cache_contains(cache, *pp)) { /* is this a fido2 or pkcs11 password? */
log_debug("Using minimal PBKDF for slot %i", slot);
r = sym_crypt_set_pbkdf_type(cd, &minimal_pbkdf);
} else {
int home_create_luks(
UserRecord *h,
- PasswordCache *cache,
+ const PasswordCache *cache,
char **effective_passwords,
UserRecord **ret_home) {
int home_passwd_luks(
UserRecord *h,
HomeSetup *setup,
- PasswordCache *cache, /* the passwords acquired via PKCS#11/FIDO2 security tokens */
+ const PasswordCache *cache, /* the passwords acquired via PKCS#11/FIDO2 security tokens */
char **effective_passwords /* new passwords */) {
size_t volume_key_size, max_key_slots, n_effective;
return log_oom();
r = -ENOKEY;
- FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, h->password) {
+ FOREACH_POINTER(list,
+ cache ? cache->pkcs11_passwords : NULL,
+ cache ? cache->fido2_passwords : NULL,
+ h->password) {
+
r = luks_try_passwords(setup->crypt_device, list, volume_key, &volume_key_size);
if (r != -ENOKEY)
break;
continue;
}
- if (strv_contains(cache->pkcs11_passwords, effective_passwords[i]) ||
- strv_contains(cache->fido2_passwords, effective_passwords[i])) {
+ if (password_cache_contains(cache, effective_passwords[i])) { /* Is this a FIDO2 or PKCS#11 password? */
log_debug("Using minimal PBKDF for slot %zu", i);
r = sym_crypt_set_pbkdf_type(setup->crypt_device, &minimal_pbkdf);
} else {
return -ENOKEY;
}
-int home_unlock_luks(UserRecord *h, PasswordCache *cache) {
+int home_unlock_luks(UserRecord *h, const PasswordCache *cache) {
_cleanup_free_ char *dm_name = NULL, *dm_node = NULL;
_cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
char **list;
cryptsetup_enable_logging(cd);
r = -ENOKEY;
- FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, h->password) {
+ FOREACH_POINTER(list,
+ cache ? cache->pkcs11_passwords : NULL,
+ cache ? cache->fido2_passwords : NULL,
+ h->password) {
r = luks_try_resume(cd, dm_name, list);
if (r != -ENOKEY)
break;
int home_store_header_identity_luks(UserRecord *h, HomeSetup *setup, UserRecord *old_home);
-int home_create_luks(UserRecord *h, PasswordCache *cache, char **effective_passwords, UserRecord **ret_home);
+int home_create_luks(UserRecord *h, const PasswordCache *cache, char **effective_passwords, UserRecord **ret_home);
int home_get_state_luks(UserRecord *h, HomeSetup *setup);
int home_resize_luks(UserRecord *h, HomeSetupFlags flags, PasswordCache *cache, HomeSetup *setup, UserRecord **ret_home);
-int home_passwd_luks(UserRecord *h, HomeSetup *setup, PasswordCache *cache, char **effective_passwords);
+int home_passwd_luks(UserRecord *h, HomeSetup *setup, const PasswordCache *cache, char **effective_passwords);
int home_lock_luks(UserRecord *h);
-int home_unlock_luks(UserRecord *h, PasswordCache *cache);
+int home_unlock_luks(UserRecord *h, const PasswordCache *cache);
static inline uint64_t luks_volume_key_size_convert(struct crypt_device *cd) {
int k;
#include "sd-id128.h"
#include "loop-util.h"
+#include "strv.h"
#include "user-record.h"
#include "user-record-util.h"
} HomeSetup;
typedef struct PasswordCache {
- /* Decoding passwords from security tokens is expensive and typically requires user interaction, hence cache any we already figured out. */
+ /* Decoding passwords from security tokens is expensive and typically requires user interaction,
+ * hence cache any we already figured out. */
char **pkcs11_passwords;
char **fido2_passwords;
} PasswordCache;
void password_cache_free(PasswordCache *cache);
+static inline bool password_cache_contains(const PasswordCache *cache, const char *p) {
+ if (!cache)
+ return false;
+
+ return strv_contains(cache->pkcs11_passwords, p) || strv_contains(cache->fido2_passwords, p);
+}
+
#define HOME_SETUP_INIT \
{ \
.root_fd = -1, \