From: Raito Bezarius Date: Fri, 29 May 2026 22:10:21 +0000 (+0200) Subject: shared/libfido2: show number of retries before lockout X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4ae7000bad8006cd9881a96e8f7bd89aaf63b533;p=thirdparty%2Fsystemd.git shared/libfido2: show number of retries before lockout For a good user experience, users expect to be informed of how many attempts they have before being locked out of their FIDO2 device. By displaying such information in advance, the user can make strategy to obtain the accurate PIN or wait when they are close to an authority who can provide them for a recovery key. Signed-off-by: Raito Bezarius
---
diff --git a/po/systemd.pot b/po/systemd.pot
index 4811515959d..842c5038580 100644
--- a/po/systemd.pot
+++ b/po/systemd.pot
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: systemd\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-30 00:13+0200\n"
+"POT-Creation-Date: 2026-06-01 11:49+0200\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME \n"
 "Language-Team: LANGUAGE \n"
@@ -1264,14 +1264,20 @@ msgid ""
 "Authentication is required to freeze or thaw the processes of '$(unit)' unit."
 msgstr ""
 
-#: src/shared/libfido2-util.c:497 src/shared/libfido2-util.c:554
+#: src/shared/libfido2-util.c:500 src/shared/libfido2-util.c:557
 msgid "Please confirm presence on security token to unlock."
 msgstr ""
 
-#: src/shared/libfido2-util.c:513
+#: src/shared/libfido2-util.c:516
 msgid "Please verify user on security token to unlock."
 msgstr ""
 
-#: src/shared/libfido2-util.c:926
+#: src/shared/libfido2-util.c:936
+#, c-format
+msgid ""
+"Please enter security token PIN (remaining attempts before lock-out: %d):"
+msgstr ""
+
+#: src/shared/libfido2-util.c:948
 msgid "Please enter security token PIN:"
 msgstr ""
diff --git a/src/shared/libfido2-util.c b/src/shared/libfido2-util.c
index 5e6a29016d1..5f69dc89249 100644
--- a/src/shared/libfido2-util.c
+++ b/src/shared/libfido2-util.c
@@ -15,6 +15,7 @@
 #include "iovec-util.h"
 #include "locale-util.h"
 #include "plymouth-util.h"
+#include "stdio-util.h"
 #include "string-util.h"
 #include "strv.h"
 #include "unistd.h"
@@ -58,6 +59,7 @@ DLSYM_PROTOTYPE(fido_dev_close) = NULL;
 DLSYM_PROTOTYPE(fido_dev_free) = NULL;
 DLSYM_PROTOTYPE(fido_dev_get_assert) = NULL;
 DLSYM_PROTOTYPE(fido_dev_get_cbor_info) = NULL;
+DLSYM_PROTOTYPE(fido_dev_get_retry_count) = NULL;
 DLSYM_PROTOTYPE(fido_dev_info_free) = NULL;
 DLSYM_PROTOTYPE(fido_dev_info_manifest) = NULL;
 DLSYM_PROTOTYPE(fido_dev_info_manufacturer_string) = NULL;
@@ -126,6 +128,7 @@ int dlopen_libfido2(int log_level) {
 DLSYM_ARG(fido_dev_free),
 DLSYM_ARG(fido_dev_get_assert),
 DLSYM_ARG(fido_dev_get_cbor_info),
+ DLSYM_ARG(fido_dev_get_retry_count),
 DLSYM_ARG(fido_dev_info_free),
 DLSYM_ARG(fido_dev_info_manifest),
 DLSYM_ARG(fido_dev_info_manufacturer_string),
@@ -921,9 +924,29 @@ int fido2_generate_hmac_hash(
 
 for (;;) {
 _cleanup_strv_free_erase_ char **pin = NULL;
+ _cleanup_free_ char *ask_pin_msg = NULL;
+ int pin_retries = -1;
+
+ r = sym_fido_dev_get_retry_count(d, &pin_retries);
+ if (r != FIDO_OK) {
+ log_warning("Failed to obtain number of retries before lock-out for PIN "
+ "authentication, ignoring: %s", sym_fido_strerr(r));
+ pin_retries = -1;
+ }
+
+ if (pin_retries >= 0) {
+ ask_pin_msg = asprintf_safe(_("Please enter security token PIN "
+ "(remaining attempts before lock-out: %d):"),
+ pin_retries);
+ if (!ask_pin_msg)
+ return log_oom();
+ }
+
 AskPasswordRequest req = {
 .tty_fd = -EBADF,
- .message = _("Please enter security token PIN:"),
+ .message = pin_retries >= 0
+ ? ask_pin_msg
+ : _("Please enter security token PIN:"),
 .icon = askpw_icon,
 .keyring = "fido2-pin",
 .credential = askpw_credential,
diff --git a/src/shared/libfido2-util.h b/src/shared/libfido2-util.h
index 4f88100be70..bbf6d1ca66a 100644
--- a/src/shared/libfido2-util.h
+++ b/src/shared/libfido2-util.h
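Review bot: In the `fido2_generate_hmac_hash()` hunk, the `for (;;)` loop still builds and shows the prompt when `sym_fido_dev_get_retry_count()` reports `pin_retries == 0`, so a user whose token is already locked out is told "remaining attempts before lock-out: 0" and then asked for a PIN the token will refuse. I would bail out before the `asprintf_safe()` call, along the lines of `if (pin_retries == 0) return log_error_errno(SYNTHETIC_ERRNO(EPERM), "PIN of security token is locked out.");`, using whichever errno the rest of the function already returns for a blocked PIN; that code, like the remainder of the loop body, is outside this hunk. The count is also only displayed, never acted on: with `.keyring = "fido2-pin"` set, a stale cached PIN could presumably still be submitted and consume an attempt without the prompt ever being seen, so it may be worth refusing cached PINs once the count is low (the flags controlling this are not visible here). A short comment on the declaration, e.g. `/* -1 = unknown, token did not report a retry count */`, would document the sentinel that selects the fallback message.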
@@ -57,6 +57,7 @@ extern DLSYM_PROTOTYPE(fido_dev_close);
 extern DLSYM_PROTOTYPE(fido_dev_free);
 extern DLSYM_PROTOTYPE(fido_dev_get_assert);
 extern DLSYM_PROTOTYPE(fido_dev_get_cbor_info);
+extern DLSYM_PROTOTYPE(fido_dev_get_retry_count);
 extern DLSYM_PROTOTYPE(fido_dev_info_free);
 extern DLSYM_PROTOTYPE(fido_dev_info_manifest);
 extern DLSYM_PROTOTYPE(fido_dev_info_manufacturer_string);