From: Lennart Poettering Date: Thu, 2 Nov 2023 21:32:36 +0000 (+0100) Subject: cryptsetup: pass AskPasswordFlags down into pkcs11 module X-Git-Tag: v255-rc1~32^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F29840%2Fhead;p=thirdparty%2Fsystemd.git cryptsetup: pass AskPasswordFlags down into pkcs11 module The pkcs11 cryptsetup token module is a bit different from the tpm2 + fido2 ones: it asks for the PIN itself, rather than bubbling up a request to get a PIN. That's because it might need multiple, and because we don't want to destroy a the pkcs11 session half-way and thus risk increasing pin counters. Hence, we sometimes ask for PINs from our code, rather than let the libcryptsetup caller do that. So far we didn't pass the AskPasswordFlags field down into the module though. Fix that. Fixes: #28665 --- diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-pkcs11.c b/src/cryptsetup/cryptsetup-tokens/luks2-pkcs11.c index 98fd83a014c..8cbb1f7d885 100644 --- a/src/cryptsetup/cryptsetup-tokens/luks2-pkcs11.c +++ b/src/cryptsetup/cryptsetup-tokens/luks2-pkcs11.c @@ -158,6 +158,7 @@ static int acquire_luks2_key_systemd( data.friendly_name = params->friendly_name; data.headless = params->headless; + data.askpw_flags = params->askpw_flags; data.until = params->until; /* The functions called here log about all errors, except for EAGAIN which means "token not found right now" */ diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c index 204ffa9922f..1ebebcb2033 100644 --- a/src/cryptsetup/cryptsetup.c +++ b/src/cryptsetup/cryptsetup.c @@ -1399,7 +1399,8 @@ static int attach_luks2_by_pkcs11_via_plugin( systemd_pkcs11_plugin_params params = { .friendly_name = friendly_name, .until = until, - .headless = headless + .headless = headless, + .askpw_flags = arg_ask_password_flags, }; r = crypt_activate_by_token_pin(cd, name, "systemd-pkcs11", CRYPT_ANY_TOKEN, NULL, 0, ¶ms, flags); diff --git a/src/shared/pkcs11-util.c b/src/shared/pkcs11-util.c index 70469d02062..6e88dc38038 100644 --- a/src/shared/pkcs11-util.c +++ b/src/shared/pkcs11-util.c @@ -291,6 +291,7 @@ int pkcs11_token_login( const char *key_name, const char *credential_name, usec_t until, + AskPasswordFlags ask_password_flags, bool headless, char **ret_used_pin) { @@ -371,7 +372,7 @@ int pkcs11_token_login( return log_oom(); /* We never cache PINs, simply because it's fatal if we use wrong PINs, since usually there are only 3 tries */ - r = ask_password_auto(text, icon_name, id, key_name, credential_name, until, 0, &passwords); + r = ask_password_auto(text, icon_name, id, key_name, credential_name, until, ask_password_flags, &passwords); if (r < 0) return log_error_errno(r, "Failed to query PIN for security token '%s': %m", token_label); } @@ -1058,6 +1059,8 @@ struct pkcs11_acquire_certificate_callback_data { char *pin_used; X509 *cert; const char *askpw_friendly_name, *askpw_icon_name; + AskPasswordFlags askpw_flags; + bool headless; }; static void pkcs11_acquire_certificate_callback_data_release(struct pkcs11_acquire_certificate_callback_data *data) { @@ -1086,7 +1089,19 @@ static int pkcs11_acquire_certificate_callback( /* Called for every token matching our URI */ - r = pkcs11_token_login(m, session, slot_id, token_info, data->askpw_friendly_name, data->askpw_icon_name, "pkcs11-pin", "pkcs11-pin", UINT64_MAX, false, &pin_used); + r = pkcs11_token_login( + m, + session, + slot_id, + token_info, + data->askpw_friendly_name, + data->askpw_icon_name, + "pkcs11-pin", + "pkcs11-pin", + UINT64_MAX, + data->askpw_flags, + data->headless, + &pin_used); if (r < 0) return r; @@ -1325,6 +1340,7 @@ int pkcs11_crypt_device_callback( "pkcs11-pin", "cryptsetup.pkcs11-pin", data->until, + data->askpw_flags, data->headless, NULL); if (r < 0) diff --git a/src/shared/pkcs11-util.h b/src/shared/pkcs11-util.h index ac2ee08535f..5bc23c14c4c 100644 --- a/src/shared/pkcs11-util.h +++ b/src/shared/pkcs11-util.h @@ -8,6 +8,7 @@ # include #endif +#include "ask-password-api.h" #include "macro.h" #include "openssl-util.h" #include "time-util.h" @@ -47,7 +48,7 @@ char *pkcs11_token_manufacturer_id(const CK_TOKEN_INFO *token_info); char *pkcs11_token_model(const CK_TOKEN_INFO *token_info); int pkcs11_token_login_by_pin(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, const CK_TOKEN_INFO *token_info, const char *token_label, const void *pin, size_t pin_size); -int pkcs11_token_login(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_SLOT_ID slotid, const CK_TOKEN_INFO *token_info, const char *friendly_name, const char *icon_name, const char *key_name, const char *credential_name, usec_t until, bool headless, char **ret_used_pin); +int pkcs11_token_login(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_SLOT_ID slotid, const CK_TOKEN_INFO *token_info, const char *friendly_name, const char *icon_name, const char *key_name, const char *credential_name, usec_t until, AskPasswordFlags ask_password_flags, bool headless, char **ret_used_pin); int pkcs11_token_find_x509_certificate(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, P11KitUri *search_uri, CK_OBJECT_HANDLE *ret_object); #if HAVE_OPENSSL @@ -75,6 +76,7 @@ typedef struct { size_t decrypted_key_size; bool free_encrypted_key; bool headless; + AskPasswordFlags askpw_flags; } pkcs11_crypt_device_callback_data; void pkcs11_crypt_device_callback_data_release(pkcs11_crypt_device_callback_data *data); @@ -102,6 +104,7 @@ typedef struct { const char *friendly_name; usec_t until; bool headless; + AskPasswordFlags askpw_flags; } systemd_pkcs11_plugin_params; int pkcs11_list_tokens(void);