libfido2-util: accept cached pin in fido2_generate_hmac_hash()

fido2_generate_hmac_hash() sets req->keyring to "fido2-pin" when
calling ask_password_auto(), suggesting that a key by this name
can be read from the kernel keyring. But the keyring is never
opened because the ASK_PASSWORD_ACCEPT_CACHED flag is not set.

Set ASK_PASSWORD_ACCEPT_CACHED to allow automated / scripted
setup of encrypted volumes with FIDO2. If the PIN turns out to
be invalid, clear ASK_PASSWORD_ACCEPT_CACHED to avoid retrying
and possible lockout.

diff --git a/src/shared/libfido2-util.c b/src/shared/libfido2-util.c
index 101641e7fe4596b1cd2c777bec35ded4c5759b0f..4259d57c54bd2fe86cfa152d45a64b36f2ff2631 100644 (file)
--- a/src/shared/libfido2-util.c
+++ b/src/shared/libfido2-util.c
@@ -854,6 +854,8 @@ int fido2_generate_hmac_hash(
                         return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                                "Token asks for PIN but doesn't advertise 'clientPin' feature.");
 
+                AskPasswordFlags askpw_flags = ASK_PASSWORD_ACCEPT_CACHED;
+
                 for (;;) {
                         _cleanup_strv_free_erase_ char **pin = NULL;
                         AskPasswordRequest req = {
@@ -866,10 +868,12 @@ int fido2_generate_hmac_hash(
                                 .hup_fd = -EBADF,
                         };
 
-                        r = ask_password_auto(&req, /* flags= */ 0, &pin);
+                        r = ask_password_auto(&req, askpw_flags, &pin);
                         if (r < 0)
                                 return log_error_errno(r, "Failed to acquire user PIN: %m");
 
+                        askpw_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
+
                         r = FIDO_ERR_PIN_INVALID;
                         STRV_FOREACH(i, pin) {
                                 if (isempty(*i)) {