From: Martin Wilck
Date: Mon, 17 Feb 2025 17:40:35 +0000 (+0100)
Subject: libfido2-util: accept cached pin in fido2_generate_hmac_hash()
X-Git-Tag: v258-rc1~1230
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=505c2f21377019c058de16aa9e2d8db005e97e6f;p=thirdparty%2Fsystemd.git

libfido2-util: accept cached pin in fido2_generate_hmac_hash()

fido2_generate_hmac_hash() sets req->keyring to "fido2-pin" when calling ask_password_auto(), suggesting that a key by this name can be read from the kernel keyring. But the keyring is never opened because the ASK_PASSWORD_ACCEPT_CACHED flag is not set. Set ASK_PASSWORD_ACCEPT_CACHED to allow automated / scripted setup of encrypted volumes with FIDO2. If the PIN turns out to be invalid, clear ASK_PASSWORD_ACCEPT_CACHED to avoid retrying and possible lockout.
---
diff --git a/src/shared/libfido2-util.c b/src/shared/libfido2-util.c
index 101641e7fe4..4259d57c54b 100644
--- a/src/shared/libfido2-util.c
+++ b/src/shared/libfido2-util.c
@@ -854,6 +854,8 @@ int fido2_generate_hmac_hash(
 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Token asks for PIN but doesn't advertise 'clientPin' feature.");
+ AskPasswordFlags askpw_flags = ASK_PASSWORD_ACCEPT_CACHED;
+
 for (;;) {
 _cleanup_strv_free_erase_ char **pin = NULL;
 AskPasswordRequest req = {
@@ -866,10 +868,12 @@ int fido2_generate_hmac_hash(
 .hup_fd = -EBADF,
 };
- r = ask_password_auto(&req, /* flags= */ 0, &pin);
+ r = ask_password_auto(&req, askpw_flags, &pin);
 if (r < 0) return log_error_errno(r, "Failed to acquire user PIN: %m");
+ askpw_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
+
 r = FIDO_ERR_PIN_INVALID;
 STRV_FOREACH(i, pin) {
 if (isempty(*i)) {
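Review bot: The reason ASK_PASSWORD_ACCEPT_CACHED is dropped right after the ask_password_auto() call in the second hunk is stated only in the commit message, not in the code; a one-line comment there would stop a later maintainer from turning it back into a retry, e.g. `/* A cached PIN is tried once only: a wrong one must not be fed back to the token, since every failed attempt counts against its retry counter. */`. A point the change does not address is that a cached PIN the token rejects is still left in the keyring, so each later invocation will spend one more attempt on it before falling back to prompting; if the ask-password API offers a way to drop the cached entry once the token reports FIDO_ERR_PIN_INVALID, doing so here seems worth considering, though the loop's retry condition is outside the hunk so I cannot confirm how often the first attempt is reached. The enclosing for (;;) loop and fido2_generate_hmac_hash() both begin before and end after these hunks.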