From: Lennart Poettering Date: Mon, 19 Feb 2024 16:30:56 +0000 (+0100) Subject: libfido2: tweak credential to read fido2 PIN from X-Git-Tag: v256-rc1~797^2~7 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=251c71b62bb2f43dd6815c9a99e2d059a0ce2aef;p=thirdparty%2Fsystemd.git libfido2: tweak credential to read fido2 PIN from Querying a fido2 PIN via askpw for enrolling is currently used in two places: cryptenroll and homectl. So far we sloppily used the same fixed credential name "fido2-pin" in both cases. Let's tweak that and make the credential name match the other credentials cryptenroll or home query, i.e. using the cryptenroll.* and home.* namespaces. This is particular done in light of #31370, which wants to make the credential name public. We really should get the name in order before making it public.
---
diff --git a/src/cryptenroll/cryptenroll-fido2.c b/src/cryptenroll/cryptenroll-fido2.c
index 2baeb92e07f..7e35dca9c50 100644
--- a/src/cryptenroll/cryptenroll-fido2.c
+++ b/src/cryptenroll/cryptenroll-fido2.c
@@ -97,6 +97,7 @@ int enroll_fido2(
 /* user_display_name= */ node,
 /* user_icon_name= */ NULL,
 /* askpw_icon_name= */ "drive-harddisk",
+ /* askpw_credential= */ "cryptenroll.fido2-pin",
 lock_with,
 cred_alg,
 &cid, &cid_size,
diff --git a/src/home/homectl-fido2.c b/src/home/homectl-fido2.c
index 3cbdf912aae..384461a1ca5 100644
--- a/src/home/homectl-fido2.c
+++ b/src/home/homectl-fido2.c
@@ -167,6 +167,7 @@ int identity_add_fido2_parameters(
 /* user_display_name= */ rn ? json_variant_string(rn) : NULL,
 /* user_icon_name= */ NULL,
 /* askpw_icon_name= */ "user-home",
+ /* askpw_credential= */ "home.token-pin",
 lock_with,
 cred_alg,
 &cid, &cid_size,
diff --git a/src/shared/libfido2-util.c b/src/shared/libfido2-util.c
index 18ad00097a9..f5df5793697 100644
--- a/src/shared/libfido2-util.c
+++ b/src/shared/libfido2-util.c
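Review bot: The argument label on the context line just above the added one in src/cryptenroll/cryptenroll-fido2.c, `/* askpw_icon_name= */ "drive-harddisk",`, no longer matches the prototype, because this same commit renames that parameter to `askpw_icon` in libfido2-util.c and libfido2-util.h. The same stale label sits in the src/home/homectl-fido2.c hunk (`/* askpw_icon_name= */ "user-home",`). The icon and the credential name are now two adjacent `const char *` parameters, so these labels are the only visible guard against swapping them and should track the prototype: `/* askpw_icon= */ "drive-harddisk",` and `/* askpw_icon= */ "user-home",`. The call's opening and closing lines are outside the hunk.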
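Review bot: The credential name chosen in src/home/homectl-fido2.c, `"home.token-pin"`, is not FIDO2-specific, unlike `"cryptenroll.fido2-pin"` in the cryptenroll hunk. If other homectl code paths read the same credential for a different kind of security token (not visible on this page), one provisioned PIN would be offered to whichever token is being enrolled, and a mismatched PIN could use up one of that token's limited PIN retries. A short comment at the call site would make the intent explicit, e.g. `/* deliberately the same credential as homectl's other security token PIN prompts */`.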
@@ -686,7 +686,8 @@ int fido2_generate_hmac_hash(
 const char *user_name,
 const char *user_display_name,
 const char *user_icon,
- const char *askpw_icon_name,
+ const char *askpw_icon,
+ const char *askpw_credential,
 Fido2EnrollFlags lock_with,
 int cred_alg,
 void **ret_cid, size_t *ret_cid_size,
@@ -840,9 +841,9 @@ int fido2_generate_hmac_hash(
 _cleanup_strv_free_erase_ char **pin = NULL;
 AskPasswordRequest req = {
 .message = "Please enter security token PIN:",
- .icon = askpw_icon_name,
+ .icon = askpw_icon,
 .keyring = "fido2-pin",
- .credential = "fido2-pin",
+ .credential = askpw_credential,
 };
 
 r = ask_password_auto(&req, USEC_INFINITY, /* flags= */ 0, &pin);
diff --git a/src/shared/libfido2-util.h b/src/shared/libfido2-util.h
index 4cfc95f712a..3520ab4ec3f 100644
--- a/src/shared/libfido2-util.h
+++ b/src/shared/libfido2-util.h
@@ -109,7 +109,8 @@ int fido2_generate_hmac_hash(
 const char *user_name,
 const char *user_display_name,
 const char *user_icon,
- const char *askpw_icon_name,
+ const char *askpw_icon,
+ const char *askpw_credential,
 Fido2EnrollFlags lock_with,
 int cred_alg,
 void **ret_cid, size_t *ret_cid_size,
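Review bot: `.credential = askpw_credential` in the second src/shared/libfido2-util.c hunk stores a caller-supplied pointer where a string literal used to be, and nothing visible here says whether NULL is acceptable. If NULL is meant to disable the credential lookup, state that on the prototype in libfido2-util.h, e.g. `/* askpw_credential: name of the credential to read the PIN from, or NULL for none */`; if it is not, add `assert(askpw_credential);` at the top of the function. `.keyring = "fido2-pin"` stays shared by both callers while the credential name is now per tool, so a one-line comment saying that is deliberate would help the next reader. The function body starts and ends outside the hunk.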