shared/libfido2: show number of retries before lockout
authorRaito Bezarius <masterancpp@gmail.com>
Fri, 29 May 2026 22:10:21 +0000 (00:10 +0200)
committerLennart Poettering <lennart@poettering.net>
Sat, 20 Jun 2026 10:32:55 +0000 (12:32 +0200)
For a good user experience, users expect to be informed of how many
attempts they have before being locked out of their FIDO2 device.

By displaying this information in advance, the user can plan how to obtain the
correct PIN, or wait until they are close to an authority who can provide them
with a recovery key.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
po/systemd.pot
src/shared/libfido2-util.c
src/shared/libfido2-util.h

index 4811515959d8a670a8ce5c8c150aa1828f108150..842c5038580780ac5091ce058dacfb9e12499f74 100644 (file)
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: systemd\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-30 00:13+0200\n"
+"POT-Creation-Date: 2026-06-01 11:49+0200\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -1264,14 +1264,20 @@ msgid ""
 "Authentication is required to freeze or thaw the processes of '$(unit)' unit."
 msgstr ""
 
-#: src/shared/libfido2-util.c:497 src/shared/libfido2-util.c:554
+#: src/shared/libfido2-util.c:500 src/shared/libfido2-util.c:557
 msgid "Please confirm presence on security token to unlock."
 msgstr ""
 
-#: src/shared/libfido2-util.c:513
+#: src/shared/libfido2-util.c:516
 msgid "Please verify user on security token to unlock."
 msgstr ""
 
-#: src/shared/libfido2-util.c:926
+#: src/shared/libfido2-util.c:936
+#, c-format
+msgid ""
+"Please enter security token PIN (remaining attempts before lock-out: %d):"
+msgstr ""
+
+#: src/shared/libfido2-util.c:948
 msgid "Please enter security token PIN:"
 msgstr ""
index 5e6a29016d1c8f82d527c3f294c168dd650d67a9..5f69dc8924917ae1e63b0b05858ebbe5dd865790 100644 (file)
@@ -15,6 +15,7 @@
 #include "iovec-util.h"
 #include "locale-util.h"
 #include "plymouth-util.h"
+#include "stdio-util.h"
 #include "string-util.h"
 #include "strv.h"
 #include "unistd.h"
@@ -58,6 +59,7 @@ DLSYM_PROTOTYPE(fido_dev_close) = NULL;
 DLSYM_PROTOTYPE(fido_dev_free) = NULL;
 DLSYM_PROTOTYPE(fido_dev_get_assert) = NULL;
 DLSYM_PROTOTYPE(fido_dev_get_cbor_info) = NULL;
+DLSYM_PROTOTYPE(fido_dev_get_retry_count) = NULL;
 DLSYM_PROTOTYPE(fido_dev_info_free) = NULL;
 DLSYM_PROTOTYPE(fido_dev_info_manifest) = NULL;
 DLSYM_PROTOTYPE(fido_dev_info_manufacturer_string) = NULL;
@@ -126,6 +128,7 @@ int dlopen_libfido2(int log_level) {
                         DLSYM_ARG(fido_dev_free),
                         DLSYM_ARG(fido_dev_get_assert),
                         DLSYM_ARG(fido_dev_get_cbor_info),
+                        DLSYM_ARG(fido_dev_get_retry_count),
                         DLSYM_ARG(fido_dev_info_free),
                         DLSYM_ARG(fido_dev_info_manifest),
                         DLSYM_ARG(fido_dev_info_manufacturer_string),
@@ -921,9 +924,29 @@ int fido2_generate_hmac_hash(
 
                 for (;;) {
                         _cleanup_strv_free_erase_ char **pin = NULL;
+                        _cleanup_free_ char *ask_pin_msg = NULL;
+                        int pin_retries = -1;
+
+                        r = sym_fido_dev_get_retry_count(d, &pin_retries);
+                        if (r != FIDO_OK) {
+                                log_warning("Failed to obtain number of retries before lock-out for PIN "
+                                            "authentication, ignoring: %s", sym_fido_strerr(r));
+                                pin_retries = -1;
+                        }
+
+                        if (pin_retries >= 0) {
+                                ask_pin_msg = asprintf_safe(_("Please enter security token PIN "
+                                                            "(remaining attempts before lock-out: %d):"),
+                                                            pin_retries);
+                                if (!ask_pin_msg)
+                                        return log_oom();
+                        }
+
                         AskPasswordRequest req = {
                                 .tty_fd = -EBADF,
-                                .message = _("Please enter security token PIN:"),
+                                .message = pin_retries >= 0
+                                        ? ask_pin_msg
+                                        : _("Please enter security token PIN:"),
                                 .icon = askpw_icon,
                                 .keyring = "fido2-pin",
                                 .credential = askpw_credential,
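Review bot: The ternary in `.message` re-tests `pin_retries >= 0`, but `ask_pin_msg` is non-NULL exactly when that branch ran, so the initializer can simply read `.message = ask_pin_msg ?: _("Please enter security token PIN:"),` in the `?:` form this code base uses elsewhere; the `pin_retries = -1;` in the error branch likewise repeats the declaration's initializer and deserves either removal or a short comment if it is meant to guard against libfido2 writing a partial value on failure. A retry count of 0 means the token's PIN is already blocked, yet the prompt would still say "remaining attempts before lock-out: 0" and ask for a PIN that cannot succeed; unless the blocked state is handled further down (the loop and fido2_generate_hmac_hash continue outside the hunk), a dedicated message or early error for that case would be clearer. The `log_warning()` also fires on every iteration of the PIN loop for tokens that do not implement the retry-count request, which may be a common enough case to warrant `log_debug()` instead.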
index 4f88100be700e1d49afbdad9942aa5726b48b4f1..bbf6d1ca66a0814087957288eb68743d90d8a620 100644 (file)
@@ -57,6 +57,7 @@ extern DLSYM_PROTOTYPE(fido_dev_close);
 extern DLSYM_PROTOTYPE(fido_dev_free);
 extern DLSYM_PROTOTYPE(fido_dev_get_assert);
 extern DLSYM_PROTOTYPE(fido_dev_get_cbor_info);
+extern DLSYM_PROTOTYPE(fido_dev_get_retry_count);
 extern DLSYM_PROTOTYPE(fido_dev_info_free);
 extern DLSYM_PROTOTYPE(fido_dev_info_manifest);
 extern DLSYM_PROTOTYPE(fido_dev_info_manufacturer_string);