homework: mae sure PasswordCache is really optional

It was supposed to be optional (i.e. there's a reason why we never
assert()ed on it), and in many codepaths it is, let's make sure it is
everywhere.

diff --git a/src/home/homework-luks.c b/src/home/homework-luks.c
index 48ac20c96666d8930b8f6a740a6a9b0a5ad47540..169a9633a8b03eac9368681d1f2d13f811bc89b8 100644 (file)
--- a/src/home/homework-luks.c
+++ b/src/home/homework-luks.c
@@ -349,7 +349,10 @@ static int luks_setup(
                 return log_oom();
 
         r = -ENOKEY;
-        FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, passwords) {
+        FOREACH_POINTER(list,
+                        cache ? cache->pkcs11_passwords : NULL,
+                        cache ? cache->fido2_passwords : NULL,
+                        passwords) {
                 r = luks_try_passwords(cd, list, vk, &vks);
                 if (r != -ENOKEY)
                         break;
@@ -435,7 +438,10 @@ static int luks_open(
                 return log_oom();
 
         r = -ENOKEY;
-        FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, passwords) {
+        FOREACH_POINTER(list,
+                        cache ? cache->pkcs11_passwords : NULL,
+                        cache ? cache->fido2_passwords : NULL,
+                        passwords) {
                 r = luks_try_passwords(cd, list, vk, &vks);
                 if (r != -ENOKEY)
                         break;
@@ -1614,8 +1620,7 @@ static int luks_format(
 
         STRV_FOREACH(pp, effective_passwords) {
 
-                if (strv_contains(cache->pkcs11_passwords, *pp) ||
-                    strv_contains(cache->fido2_passwords, *pp)) {
+                if (password_cache_contains(cache, *pp)) { /* is this a fido2 or pkcs11 password? */
                         log_debug("Using minimal PBKDF for slot %i", slot);
                         r = sym_crypt_set_pbkdf_type(cd, &minimal_pbkdf);
                 } else {
@@ -3051,7 +3056,11 @@ int home_passwd_luks(
                 return log_oom();
 
         r = -ENOKEY;
-        FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, h->password) {
+        FOREACH_POINTER(list,
+                        cache ? cache->pkcs11_passwords : NULL,
+                        cache ? cache->fido2_passwords : NULL,
+                        h->password) {
+
                 r = luks_try_passwords(setup->crypt_device, list, volume_key, &volume_key_size);
                 if (r != -ENOKEY)
                         break;
@@ -3077,8 +3086,7 @@ int home_passwd_luks(
                         continue;
                 }
 
-                if (strv_contains(cache->pkcs11_passwords, effective_passwords[i]) ||
-                    strv_contains(cache->fido2_passwords, effective_passwords[i])) {
+                if (password_cache_contains(cache, effective_passwords[i])) { /* Is this a FIDO2 or PKCS#11 password? */
                         log_debug("Using minimal PBKDF for slot %zu", i);
                         r = sym_crypt_set_pbkdf_type(setup->crypt_device, &minimal_pbkdf);
                 } else {
@@ -3203,7 +3211,10 @@ int home_unlock_luks(UserRecord *h, const PasswordCache *cache) {
         cryptsetup_enable_logging(cd);
 
         r = -ENOKEY;
-        FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, h->password) {
+        FOREACH_POINTER(list,
+                        cache ? cache->pkcs11_passwords : NULL,
+                        cache ? cache->fido2_passwords : NULL,
+                        h->password) {
                 r = luks_try_resume(cd, dm_name, list);
                 if (r != -ENOKEY)
                         break;

diff --git a/src/home/homework.h b/src/home/homework.h
index 9331452e3ea9241b5068fe316a5bf4e0126f6bea..5fa4b653e2b9dac828964229b47ab67cb816e8c6 100644 (file)
--- a/src/home/homework.h
+++ b/src/home/homework.h
@@ -7,6 +7,7 @@
 #include "sd-id128.h"
 
 #include "loop-util.h"
+#include "strv.h"
 #include "user-record.h"
 #include "user-record-util.h"
 
@@ -39,13 +40,21 @@ typedef struct HomeSetup {
 } HomeSetup;
 
 typedef struct PasswordCache {
-        /* Decoding passwords from security tokens is expensive and typically requires user interaction, hence cache any we already figured out. */
+        /* Decoding passwords from security tokens is expensive and typically requires user interaction,
+         * hence cache any we already figured out. */
         char **pkcs11_passwords;
         char **fido2_passwords;
 } PasswordCache;
 
 void password_cache_free(PasswordCache *cache);
 
+static inline bool password_cache_contains(const PasswordCache *cache, const char *p) {
+        if (!cache)
+                return false;
+
+        return strv_contains(cache->pkcs11_passwords, p) || strv_contains(cache->fido2_passwords, p);
+}
+
 #define HOME_SETUP_INIT                                 \
         {                                               \
                 .root_fd = -1,                          \