log_info("None of the supplied plaintext passwords unlock the user record's hashed recovery keys.");
/* Next, test cached PKCS#11 passwords */
- for (size_t n = 0; n < h->n_pkcs11_encrypted_key; n++)
+ FOREACH_ARRAY(i, h->pkcs11_encrypted_key, h->n_pkcs11_encrypted_key)
STRV_FOREACH(pp, cache->pkcs11_passwords) {
- r = test_password_one(h->pkcs11_encrypted_key[n].hashed_password, *pp);
+ r = test_password_one(i->hashed_password, *pp);
if (r < 0)
return log_error_errno(r, "Failed to check supplied PKCS#11 password: %m");
if (r > 0) {
}
/* Next, test cached FIDO2 passwords */
- for (size_t n = 0; n < h->n_fido2_hmac_salt; n++)
+ FOREACH_ARRAY(i, h->fido2_hmac_salt, h->n_fido2_hmac_salt)
/* See if any of the previously calculated passwords work */
STRV_FOREACH(pp, cache->fido2_passwords) {
- r = test_password_one(h->fido2_hmac_salt[n].hashed_password, *pp);
+ r = test_password_one(i->hashed_password, *pp);
if (r < 0)
return log_error_errno(r, "Failed to check supplied FIDO2 password: %m");
if (r > 0) {
}
/* Next, let's see if any of the PKCS#11 security tokens are plugged in and help us */
- for (size_t n = 0; n < h->n_pkcs11_encrypted_key; n++) {
+ FOREACH_ARRAY(i, h->pkcs11_encrypted_key, h->n_pkcs11_encrypted_key) {
#if HAVE_P11KIT
_cleanup_(pkcs11_callback_data_release) struct pkcs11_callback_data data = {
.user_record = h,
.secret = secret,
- .encrypted_key = h->pkcs11_encrypted_key + n,
+ .encrypted_key = i,
};
r = pkcs11_find_token(data.encrypted_key->uri, pkcs11_callback, &data);
if (r < 0)
return log_error_errno(r, "Failed to test PKCS#11 password: %m");
if (r == 0)
- return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Configured PKCS#11 security token %s does not decrypt encrypted key correctly.", data.encrypted_key->uri);
+ return log_error_errno(SYNTHETIC_ERRNO(EPERM),
+ "Configured PKCS#11 security token %s does not decrypt encrypted key correctly.",
+ data.encrypted_key->uri);
log_info("Decrypted password from PKCS#11 security token %s unlocks user record.", data.encrypted_key->uri);
}
/* Next, let's see if any of the FIDO2 security tokens are plugged in and help us */
- for (size_t n = 0; n < h->n_fido2_hmac_salt; n++) {
+ FOREACH_ARRAY(i, h->fido2_hmac_salt, h->n_fido2_hmac_salt) {
#if HAVE_LIBFIDO2
_cleanup_(erase_and_freep) char *decrypted_password = NULL;
- r = fido2_use_token(h, secret, h->fido2_hmac_salt + n, &decrypted_password);
+ r = fido2_use_token(h, secret, i, &decrypted_password);
switch (r) {
case -EAGAIN:
need_token = true;
if (r < 0)
return r;
- r = test_password_one(h->fido2_hmac_salt[n].hashed_password, decrypted_password);
+ r = test_password_one(i->hashed_password, decrypted_password);
if (r < 0)
return log_error_errno(r, "Failed to test FIDO2 password: %m");
if (r == 0)
- return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Configured FIDO2 security token does not decrypt encrypted key correctly.");
+ return log_error_errno(SYNTHETIC_ERRNO(EPERM),
+ "Configured FIDO2 security token does not decrypt encrypted key correctly.");
log_info("Decrypted password from FIDO2 security token unlocks user record.");
char ***ret_effective_passwords) {
_cleanup_strv_free_erase_ char **effective = NULL;
- size_t n;
int r;
assert(h);
return log_error_errno(SYNTHETIC_ERRNO(ENOKEY), "Missing plaintext password for defined hashed password");
}
- for (n = 0; n < h->n_recovery_key; n++) {
+ FOREACH_ARRAY(i, h->recovery_key, h->n_recovery_key) {
bool found = false;
- log_debug("Looking for plaintext recovery key for: %s", h->recovery_key[n].hashed_password);
+ log_debug("Looking for plaintext recovery key for: %s", i->hashed_password);
STRV_FOREACH(j, h->password) {
_cleanup_(erase_and_freep) char *mangled = NULL;
const char *p;
- if (streq(h->recovery_key[n].type, "modhex64")) {
-
+ if (streq(i->type, "modhex64")) {
r = normalize_recovery_key(*j, &mangled);
if (r == -EINVAL) /* Not properly formatted, probably a regular password. */
continue;
} else
p = *j;
- r = test_password_one(h->recovery_key[n].hashed_password, p);
+ r = test_password_one(i->hashed_password, p);
if (r < 0)
return log_error_errno(r, "Failed to test plaintext recovery key: %m");
if (r > 0) {
}
if (!found)
- return log_error_errno(SYNTHETIC_ERRNO(EREMOTEIO), "Missing plaintext recovery key for defined recovery key");
+ return log_error_errno(SYNTHETIC_ERRNO(EREMOTEIO),
+ "Missing plaintext recovery key for defined recovery key.");
}
- for (n = 0; n < h->n_pkcs11_encrypted_key; n++) {
+ FOREACH_ARRAY(i, h->pkcs11_encrypted_key, h->n_pkcs11_encrypted_key) {
#if HAVE_P11KIT
_cleanup_(pkcs11_callback_data_release) struct pkcs11_callback_data data = {
.user_record = h,
.secret = h,
- .encrypted_key = h->pkcs11_encrypted_key + n,
+ .encrypted_key = i,
};
r = pkcs11_find_token(data.encrypted_key->uri, pkcs11_callback, &data);
#endif
}
- for (n = 0; n < h->n_fido2_hmac_salt; n++) {
+ FOREACH_ARRAY(i, h->fido2_hmac_salt, h->n_fido2_hmac_salt) {
#if HAVE_LIBFIDO2
_cleanup_(erase_and_freep) char *decrypted_password = NULL;
- r = fido2_use_token(h, h, h->fido2_hmac_salt + n, &decrypted_password);
+ r = fido2_use_token(h, h, i, &decrypted_password);
if (r < 0)
return r;
- r = test_password_one(h->fido2_hmac_salt[n].hashed_password, decrypted_password);
+ r = test_password_one(i->hashed_password, decrypted_password);
if (r < 0)
return log_error_errno(r, "Failed to test FIDO2 password: %m");
if (r == 0)
- return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Decrypted password from token is not correct, refusing.");
+ return log_error_errno(SYNTHETIC_ERRNO(EPERM),
+ "Decrypted password from token is not correct, refusing.");
if (ret_effective_passwords) {
r = strv_extend(&effective, decrypted_password);
projects / thirdparty / systemd.git / commitdiff
