From c0bde0d2402b203207d1ec2f998e661ee0fe177c Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 14 Apr 2020 19:05:09 +0200 Subject: [PATCH] user-record: rename JSON field "pkcs11Pin" to "tokenPin" We'd like to use it for FIDO2 tokens too, and the concept is entirely generic, hence let's just reuse the field, but rename it. Read the old name for compatibility, and treat the old name and the new name as identical for most purposes. --- docs/USER_RECORD.md | 6 ++++-- src/home/homectl.c | 26 +++++++++++++------------- src/home/homework-pkcs11.c | 6 +++--- src/home/pam_systemd_home.c | 8 ++++---- src/home/user-record-util.c | 16 ++++++++-------- src/home/user-record-util.h | 2 +- src/shared/user-record.c | 5 +++-- src/shared/user-record.h | 2 +- 8 files changed, 37 insertions(+), 34 deletions(-) diff --git a/docs/USER_RECORD.md b/docs/USER_RECORD.md index 7b6fe47665a..2ed043734f5 100644 --- a/docs/USER_RECORD.md +++ b/docs/USER_RECORD.md @@ -864,8 +864,10 @@ The `secret` field of the top-level user record contains the following fields: `password` → an array of strings, each containing a plain text password. -`pkcs11Pin` → an array of strings, each containing a plain text PIN, suitable -for unlocking PKCS#11 security tokens that require that. +`tokenPin` → an array of strings, each containing a plain text PIN, suitable +for unlocking security tokens that require that. (The field `pkcs11Pin` should +be considered a compatibility alias for this field, and merged with `tokenPin` +in case both are set.) `pkcs11ProtectedAuthenticationPathPermitted` → a boolean. If set to true allows the receiver to use the PKCS#11 "protected authentication path" (i.e. a diff --git a/src/home/homectl.c b/src/home/homectl.c index 8b91f08edf3..e69fa63fa32 100644 --- a/src/home/homectl.c +++ b/src/home/homectl.c 
@@ -236,7 +236,7 @@ static int acquire_existing_password(const char *user_name, UserRecord *hr, bool return 0; } -static int acquire_pkcs11_pin(const char *user_name, UserRecord *hr) { +static int acquire_token_pin(const char *user_name, UserRecord *hr) { _cleanup_(strv_free_erasep) char **pin = NULL; _cleanup_free_ char *question = NULL; char *e; @@ -247,9 +247,9 @@ static int acquire_pkcs11_pin(const char *user_name, UserRecord *hr) { e = getenv("PIN"); if (e) { - r = user_record_set_pkcs11_pin(hr, STRV_MAKE(e), false); + r = user_record_set_token_pin(hr, STRV_MAKE(e), false); if (r < 0) - return log_error_errno(r, "Failed to store PKCS#11 PIN: %m"); + return log_error_errno(r, "Failed to store token PIN: %m"); string_erase(e); @@ -263,11 +263,11 @@ static int acquire_pkcs11_pin(const char *user_name, UserRecord *hr) { return log_oom(); /* We never cache or use cached PINs, since usually there are only very few attempts allowed before the PIN is blocked */ - r = ask_password_auto(question, "user-home", NULL, "pkcs11-pin", USEC_INFINITY, 0, &pin); + r = ask_password_auto(question, "user-home", NULL, "token-pin", USEC_INFINITY, 0, &pin); if (r < 0) return log_error_errno(r, "Failed to acquire security token PIN: %m"); - r = user_record_set_pkcs11_pin(hr, pin, false); + r = user_record_set_token_pin(hr, pin, false); if (r < 0) return log_error_errno(r, "Failed to store security token PIN: %m"); @@ -315,7 +315,7 @@ static int handle_generic_user_record_error( } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_PIN_NEEDED)) { - r = acquire_pkcs11_pin(user_name, hr); + r = acquire_token_pin(user_name, hr); if (r < 0) return r; @@ -334,7 +334,7 @@ static int handle_generic_user_record_error( log_notice("Security token PIN incorrect, please try again."); - r = acquire_pkcs11_pin(user_name, hr); + r = acquire_token_pin(user_name, hr); if (r < 0) return r; 
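Review bot: In the `$PIN` branch of acquire_token_pin (hunk at -247) the error return after `user_record_set_token_pin()` comes before `string_erase(e)`, so a failed store leaves the plaintext PIN in the process environment. Erasing straight after the call, ahead of the `if (r < 0)` check, covers both paths: `r = user_record_set_token_pin(hr, STRV_MAKE(e), false);` followed immediately by `string_erase(e);`. That is safe because the non-prepend path of user_record_set_token_pin copies its input (`e = strv_copy(pin)` in user-record-util.c). The function body continues outside this hunk.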
@@ -342,7 +342,7 @@ static int handle_generic_user_record_error( log_notice("Security token PIN incorrect, please try again (only a few tries left!)."); - r = acquire_pkcs11_pin(user_name, hr); + r = acquire_token_pin(user_name, hr); if (r < 0) return r; @@ -350,7 +350,7 @@ static int handle_generic_user_record_error( log_notice("Security token PIN incorrect, please try again (only one try left!)."); - r = acquire_pkcs11_pin(user_name, hr); + r = acquire_token_pin(user_name, hr); if (r < 0) return r; } else @@ -1005,7 +1005,7 @@ static int encrypt_bytes( return 0; } -static int add_pkcs11_pin(JsonVariant **v, const char *pin) { +static int add_token_pin(JsonVariant **v, const char *pin) { _cleanup_(json_variant_unrefp) JsonVariant *w = NULL, *l = NULL; _cleanup_(strv_free_erasep) char **pins = NULL; int r; @@ -1016,7 +1016,7 @@ static int add_pkcs11_pin(JsonVariant **v, const char *pin) { return 0; w = json_variant_ref(json_variant_by_key(*v, "secret")); - l = json_variant_ref(json_variant_by_key(w, "pkcs11Pin")); + l = json_variant_ref(json_variant_by_key(w, "tokenPin")); r = json_variant_strv(l, &pins); if (r < 0) @@ -1039,7 +1039,7 @@ static int add_pkcs11_pin(JsonVariant **v, const char *pin) { json_variant_sensitive(l); - r = json_variant_set_field(&w, "pkcs11Pin", l); + r = json_variant_set_field(&w, "tokenPin", l); if (r < 0) return log_error_errno(r, "Failed to update PIN field: %m"); @@ -1212,7 +1212,7 @@ static int add_pkcs11_key_data(JsonVariant **v, const char *uri) { /* If we acquired the PIN also include it in the secret section of the record, so that systemd-homed * can use it if it needs to, given that it likely needs to decrypt the key again to pass to LUKS or * fscrypt. */ - r = add_pkcs11_pin(v, pin); + r = add_token_pin(v, pin); if (r < 0) return r; diff --git a/src/home/homework-pkcs11.c b/src/home/homework-pkcs11.c index 915bc0e57ec..3a03fb7200d 100644 --- a/src/home/homework-pkcs11.c +++ b/src/home/homework-pkcs11.c 
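Review bot: The write paths touch only the new key, so a secret section that was loaded with the legacy `pkcs11Pin` key keeps that plaintext PIN array after an update. In add_token_pin (hunks at -1016 and -1039) the existing list is read with `json_variant_by_key(w, "tokenPin")` and written back with `json_variant_set_field(&w, "tokenPin", l)`, which neither carries over nor removes legacy entries. The same applies to user_record_set_token_pin in user-record-util.c (hunks at -922 and -932), where clearing the PIN filters `STRV_MAKE("tokenPin")` only. Filtering both names there, `r = json_variant_filter(&w, STRV_MAKE("tokenPin", "pkcs11Pin"));`, and dropping `pkcs11Pin` from `w` before the `json_variant_set_field()` calls would keep a single copy of the secret under a single name. Both function bodies extend beyond the hunks shown.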
@@ -62,10 +62,10 @@ int pkcs11_callback( goto decrypt; } - if (strv_isempty(data->secret->pkcs11_pin)) - return log_error_errno(SYNTHETIC_ERRNO(ENOANO), "Security Token requires PIN."); + if (strv_isempty(data->secret->token_pin)) + return log_error_errno(SYNTHETIC_ERRNO(ENOANO), "Security token requires PIN."); - STRV_FOREACH(i, data->secret->pkcs11_pin) { + STRV_FOREACH(i, data->secret->token_pin) { rv = m->C_Login(session, CKU_USER, (CK_UTF8CHAR*) *i, strlen(*i)); if (rv == CKR_OK) { log_info("Successfully logged into security token '%s' with PIN.", token_label); diff --git a/src/home/pam_systemd_home.c b/src/home/pam_systemd_home.c index 34dfd134fc3..80797b4dd59 100644 --- a/src/home/pam_systemd_home.c +++ b/src/home/pam_systemd_home.c @@ -359,7 +359,7 @@ static int handle_generic_user_record_error( return PAM_AUTHTOK_ERR; } - r = user_record_set_pkcs11_pin(secret, STRV_MAKE(newp), false); + r = user_record_set_token_pin(secret, STRV_MAKE(newp), false); if (r < 0) { pam_syslog(handle, LOG_ERR, "Failed to store PIN: %s", strerror_safe(r)); return PAM_SERVICE_ERR; @@ -388,7 +388,7 @@ static int handle_generic_user_record_error( return PAM_AUTHTOK_ERR; } - r = user_record_set_pkcs11_pin(secret, STRV_MAKE(newp), false); + r = user_record_set_token_pin(secret, STRV_MAKE(newp), false); if (r < 0) { pam_syslog(handle, LOG_ERR, "Failed to store PIN: %s", strerror_safe(r)); return PAM_SERVICE_ERR; @@ -407,7 +407,7 @@ static int handle_generic_user_record_error( return PAM_AUTHTOK_ERR; } - r = user_record_set_pkcs11_pin(secret, STRV_MAKE(newp), false); + r = user_record_set_token_pin(secret, STRV_MAKE(newp), false); if (r < 0) { pam_syslog(handle, LOG_ERR, "Failed to store PIN: %s", strerror_safe(r)); return PAM_SERVICE_ERR; 
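Review bot: The `STRV_FOREACH(i, data->secret->token_pin)` loop in pkcs11_callback (homework-pkcs11.c, hunk at -62) passes every stored PIN to `C_Login`, and per the commit message the field is now meant to be shared with FIDO2 tokens, so the list may hold PINs that were never intended for this PKCS#11 token. Each wrong attempt can count against the token's retry limit; the comment in homectl.c in this same patch notes that only very few attempts are allowed before the PIN is blocked. I would record this above the loop, e.g. `/* token_pin is shared across token types: every entry tried here may consume one of this token's login retries */`, and consider bounding how many entries are tried. The loop body continues past the end of the hunk, so how failed logins are handled is not visible here.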
@@ -426,7 +426,7 @@ static int handle_generic_user_record_error( return PAM_AUTHTOK_ERR; } - r = user_record_set_pkcs11_pin(secret, STRV_MAKE(newp), false); + r = user_record_set_token_pin(secret, STRV_MAKE(newp), false); if (r < 0) { pam_syslog(handle, LOG_ERR, "Failed to store PIN: %s", strerror_safe(r)); return PAM_SERVICE_ERR; diff --git a/src/home/user-record-util.c b/src/home/user-record-util.c index 8f51f8d6e82..f58f9e07090 100644 --- a/src/home/user-record-util.c +++ b/src/home/user-record-util.c @@ -887,7 +887,7 @@ int user_record_set_password(UserRecord *h, char **password, bool prepend) { return 0; } -int user_record_set_pkcs11_pin(UserRecord *h, char **pin, bool prepend) { +int user_record_set_token_pin(UserRecord *h, char **pin, bool prepend) { _cleanup_(json_variant_unrefp) JsonVariant *w = NULL; _cleanup_(strv_free_erasep) char **e = NULL; int r; @@ -899,17 +899,17 @@ int user_record_set_pkcs11_pin(UserRecord *h, char **pin, bool prepend) { if (!e) return -ENOMEM; - r = strv_extend_strv(&e, h->pkcs11_pin, true); + r = strv_extend_strv(&e, h->token_pin, true); if (r < 0) return r; strv_uniq(e); - if (strv_equal(h->pkcs11_pin, e)) + if (strv_equal(h->token_pin, e)) return 0; } else { - if (strv_equal(h->pkcs11_pin, pin)) + if (strv_equal(h->token_pin, pin)) return 0; e = strv_copy(pin); @@ -922,7 +922,7 @@ int user_record_set_pkcs11_pin(UserRecord *h, char **pin, bool prepend) { w = json_variant_ref(json_variant_by_key(h->json, "secret")); if (strv_isempty(e)) - r = json_variant_filter(&w, STRV_MAKE("pkcs11Pin")); + r = json_variant_filter(&w, STRV_MAKE("tokenPin")); else { _cleanup_(json_variant_unrefp) JsonVariant *l = NULL; @@ -932,7 +932,7 @@ int user_record_set_pkcs11_pin(UserRecord *h, char **pin, bool prepend) { json_variant_sensitive(l); - r = json_variant_set_field(&w, "pkcs11Pin", l); + r = json_variant_set_field(&w, "tokenPin", l); } if (r < 0) return r; 
@@ -943,7 +943,7 @@ int user_record_set_pkcs11_pin(UserRecord *h, char **pin, bool prepend) { if (r < 0) return r; - strv_free_and_replace(h->pkcs11_pin, e); + strv_free_and_replace(h->token_pin, e); SET_FLAG(h->mask, USER_RECORD_SECRET, !json_variant_is_blank_object(w)); return 0; @@ -1062,7 +1062,7 @@ int user_record_merge_secret(UserRecord *h, UserRecord *secret) { if (r < 0) return r; - r = user_record_set_pkcs11_pin(h, secret->pkcs11_pin, true); + r = user_record_set_token_pin(h, secret->token_pin, true); if (r < 0) return r; diff --git a/src/home/user-record-util.h b/src/home/user-record-util.h index 6afc8df19a7..c20018fcbae 100644 --- a/src/home/user-record-util.h +++ b/src/home/user-record-util.h @@ -47,7 +47,7 @@ int user_record_set_disk_size(UserRecord *h, uint64_t disk_size); int user_record_set_password(UserRecord *h, char **password, bool prepend); int user_record_make_hashed_password(UserRecord *h, char **password, bool extend); int user_record_set_hashed_password(UserRecord *h, char **hashed_password); -int user_record_set_pkcs11_pin(UserRecord *h, char **pin, bool prepend); +int user_record_set_token_pin(UserRecord *h, char **pin, bool prepend); int user_record_set_pkcs11_protected_authentication_path_permitted(UserRecord *h, int b); int user_record_set_password_change_now(UserRecord *h, int b); int user_record_merge_secret(UserRecord *h, UserRecord *secret); diff --git a/src/shared/user-record.c b/src/shared/user-record.c index f6f67eabc0a..d4dbecaae9d 100644 --- a/src/shared/user-record.c +++ b/src/shared/user-record.c @@ -120,7 +120,7 @@ static UserRecord* user_record_free(UserRecord *h) { strv_free_erase(h->hashed_password); strv_free_erase(h->ssh_authorized_keys); strv_free_erase(h->password); - strv_free_erase(h->pkcs11_pin); + strv_free_erase(h->token_pin); free(h->cifs_service); free(h->cifs_user_name); 
@@ -620,7 +620,8 @@ static int dispatch_secret(const char *name, JsonVariant *variant, JsonDispatchF static const JsonDispatch secret_dispatch_table[] = { { "password", _JSON_VARIANT_TYPE_INVALID, json_dispatch_strv, offsetof(UserRecord, password), 0 }, - { "pkcs11Pin", _JSON_VARIANT_TYPE_INVALID, json_dispatch_strv, offsetof(UserRecord, pkcs11_pin), 0 }, + { "tokenPin", _JSON_VARIANT_TYPE_INVALID, json_dispatch_strv, offsetof(UserRecord, token_pin), 0 }, + { "pkcs11Pin", /* legacy alias */ _JSON_VARIANT_TYPE_INVALID, json_dispatch_strv, offsetof(UserRecord, token_pin), 0 }, { "pkcs11ProtectedAuthenticationPathPermitted", JSON_VARIANT_BOOLEAN, json_dispatch_tristate, offsetof(UserRecord, pkcs11_protected_authentication_path_permitted), 0 }, {}, }; diff --git a/src/shared/user-record.h b/src/shared/user-record.h index 9fd10610d92..9cc849c0830 100644 --- a/src/shared/user-record.h +++ b/src/shared/user-record.h @@ -239,7 +239,7 @@ typedef struct UserRecord { char **hashed_password; char **ssh_authorized_keys; char **password; - char **pkcs11_pin; + char **token_pin; char *cifs_domain; char *cifs_user_name; -- 2.39.2
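Review bot: In secret_dispatch_table both `tokenPin` and the legacy `pkcs11Pin` entry write `offsetof(UserRecord, token_pin)` through `json_dispatch_strv`, while docs/USER_RECORD.md in this same patch says the two are merged when both are set. json_dispatch_strv is not shown here; if it assigns the destination rather than appending, the key that appears later in the object silently wins, and the earlier PIN list is released by whatever free that helper uses, which may not erase it. A small dedicated dispatcher that appends and erases its temporary would make the parser match the documented behaviour. The sketch below accepts arrays only and leaves out error logging.

```c
static int dispatch_token_pin(const char *name, JsonVariant *variant, JsonDispatchFlags flags, void *userdata) {
        _cleanup_(strv_free_erasep) char **l = NULL;
        char ***pins = userdata;
        int r;

        r = json_variant_strv(variant, &l);
        if (r < 0)
                return r;

        /* Append instead of assigning, so "tokenPin" and "pkcs11Pin" combine when both are present. */
        r = strv_extend_strv(pins, l, true);
        if (r < 0)
                return r;

        return 0;
}

/* … unchanged: dispatch_secret() signature and the "password" entry … */
                { "tokenPin",                     _JSON_VARIANT_TYPE_INVALID, dispatch_token_pin, offsetof(UserRecord, token_pin), 0 },
                { "pkcs11Pin", /* legacy alias */ _JSON_VARIANT_TYPE_INVALID, dispatch_token_pin, offsetof(UserRecord, token_pin), 0 },
```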