user-record: rename JSON field "pkcs11Pin" to "tokenPin"
We'd like to use it for FIDO2 tokens too, and the concept is entirely generic, hence let's just reuse the field, but rename it. Read the old name for compatibility, and treat the old name and the new name as identical for most purposes.
This commit is contained in:
Lennart Poettering
parent
d00f318323
commit
c0bde0d240
|
|
@ -864,8 +864,10 @@ The `secret` field of the top-level user record contains the following fields:
|
|||
|
||||
`password` → an array of strings, each containing a plain text password.
|
||||
|
||||
`pkcs11Pin` → an array of strings, each containing a plain text PIN, suitable
|
||||
for unlocking PKCS#11 security tokens that require that.
|
||||
`tokenPin` → an array of strings, each containing a plain text PIN, suitable
|
||||
for unlocking security tokens that require that. (The field `pkcs11Pin` should
|
||||
be considered a compatibility alias for this field, and merged with `tokenPin`
|
||||
in case both are set.)
|
||||
|
||||
`pkcs11ProtectedAuthenticationPathPermitted` → a boolean. If set to true allows
|
||||
the receiver to use the PKCS#11 "protected authentication path" (i.e. a
|
||||
|
|
|
|||
|
|
@ -236,7 +236,7 @@ static int acquire_existing_password(const char *user_name, UserRecord *hr, bool
|
|||
return 0;
|
||||
}
|
||||
|
||||
static int acquire_pkcs11_pin(const char *user_name, UserRecord *hr) {
|
||||
static int acquire_token_pin(const char *user_name, UserRecord *hr) {
|
||||
_cleanup_(strv_free_erasep) char **pin = NULL;
|
||||
_cleanup_free_ char *question = NULL;
|
||||
char *e;
|
||||
|
|
@ -247,9 +247,9 @@ static int acquire_pkcs11_pin(const char *user_name, UserRecord *hr) {
|
|||
|
||||
e = getenv("PIN");
|
||||
if (e) {
|
||||
r = user_record_set_pkcs11_pin(hr, STRV_MAKE(e), false);
|
||||
r = user_record_set_token_pin(hr, STRV_MAKE(e), false);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to store PKCS#11 PIN: %m");
|
||||
return log_error_errno(r, "Failed to store token PIN: %m");
|
||||
|
||||
string_erase(e);
|
||||
|
||||
|
|
@ -263,11 +263,11 @@ static int acquire_pkcs11_pin(const char *user_name, UserRecord *hr) {
|
|||
return log_oom();
|
||||
|
||||
/* We never cache or use cached PINs, since usually there are only very few attempts allowed before the PIN is blocked */
|
||||
r = ask_password_auto(question, "user-home", NULL, "pkcs11-pin", USEC_INFINITY, 0, &pin);
|
||||
r = ask_password_auto(question, "user-home", NULL, "token-pin", USEC_INFINITY, 0, &pin);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to acquire security token PIN: %m");
|
||||
|
||||
r = user_record_set_pkcs11_pin(hr, pin, false);
|
||||
r = user_record_set_token_pin(hr, pin, false);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to store security token PIN: %m");
|
||||
|
||||
|
|
@ -315,7 +315,7 @@ static int handle_generic_user_record_error(
|
|||
|
||||
} else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_PIN_NEEDED)) {
|
||||
|
||||
r = acquire_pkcs11_pin(user_name, hr);
|
||||
r = acquire_token_pin(user_name, hr);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
|
|
@ -334,7 +334,7 @@ static int handle_generic_user_record_error(
|
|||
|
||||
log_notice("Security token PIN incorrect, please try again.");
|
||||
|
||||
r = acquire_pkcs11_pin(user_name, hr);
|
||||
r = acquire_token_pin(user_name, hr);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
|
|
@ -342,7 +342,7 @@ static int handle_generic_user_record_error(
|
|||
|
||||
log_notice("Security token PIN incorrect, please try again (only a few tries left!).");
|
||||
|
||||
r = acquire_pkcs11_pin(user_name, hr);
|
||||
r = acquire_token_pin(user_name, hr);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
|
|
@ -350,7 +350,7 @@ static int handle_generic_user_record_error(
|
|||
|
||||
log_notice("Security token PIN incorrect, please try again (only one try left!).");
|
||||
|
||||
r = acquire_pkcs11_pin(user_name, hr);
|
||||
r = acquire_token_pin(user_name, hr);
|
||||
if (r < 0)
|
||||
return r;
|
||||
} else
|
||||
|
|
@ -1005,7 +1005,7 @@ static int encrypt_bytes(
|
|||
return 0;
|
||||
}
|
||||
|
||||
static int add_pkcs11_pin(JsonVariant **v, const char *pin) {
|
||||
static int add_token_pin(JsonVariant **v, const char *pin) {
|
||||
_cleanup_(json_variant_unrefp) JsonVariant *w = NULL, *l = NULL;
|
||||
_cleanup_(strv_free_erasep) char **pins = NULL;
|
||||
int r;
|
||||
|
|
@ -1016,7 +1016,7 @@ static int add_pkcs11_pin(JsonVariant **v, const char *pin) {
|
|||
return 0;
|
||||
|
||||
w = json_variant_ref(json_variant_by_key(*v, "secret"));
|
||||
l = json_variant_ref(json_variant_by_key(w, "pkcs11Pin"));
|
||||
l = json_variant_ref(json_variant_by_key(w, "tokenPin"));
|
||||
|
||||
r = json_variant_strv(l, &pins);
|
||||
if (r < 0)
|
||||
|
|
@ -1039,7 +1039,7 @@ static int add_pkcs11_pin(JsonVariant **v, const char *pin) {
|
|||
|
||||
json_variant_sensitive(l);
|
||||
|
||||
r = json_variant_set_field(&w, "pkcs11Pin", l);
|
||||
r = json_variant_set_field(&w, "tokenPin", l);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to update PIN field: %m");
|
||||
|
||||
|
|
@ -1212,7 +1212,7 @@ static int add_pkcs11_key_data(JsonVariant **v, const char *uri) {
|
|||
/* If we acquired the PIN also include it in the secret section of the record, so that systemd-homed
|
||||
* can use it if it needs to, given that it likely needs to decrypt the key again to pass to LUKS or
|
||||
* fscrypt. */
|
||||
r = add_pkcs11_pin(v, pin);
|
||||
r = add_token_pin(v, pin);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
|
|
|
|||
|
|
@ -62,10 +62,10 @@ int pkcs11_callback(
|
|||
goto decrypt;
|
||||
}
|
||||
|
||||
if (strv_isempty(data->secret->pkcs11_pin))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(ENOANO), "Security Token requires PIN.");
|
||||
if (strv_isempty(data->secret->token_pin))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(ENOANO), "Security token requires PIN.");
|
||||
|
||||
STRV_FOREACH(i, data->secret->pkcs11_pin) {
|
||||
STRV_FOREACH(i, data->secret->token_pin) {
|
||||
rv = m->C_Login(session, CKU_USER, (CK_UTF8CHAR*) *i, strlen(*i));
|
||||
if (rv == CKR_OK) {
|
||||
log_info("Successfully logged into security token '%s' with PIN.", token_label);
|
||||
|
|
|
|||
|
|
@ -359,7 +359,7 @@ static int handle_generic_user_record_error(
|
|||
return PAM_AUTHTOK_ERR;
|
||||
}
|
||||
|
||||
r = user_record_set_pkcs11_pin(secret, STRV_MAKE(newp), false);
|
||||
r = user_record_set_token_pin(secret, STRV_MAKE(newp), false);
|
||||
if (r < 0) {
|
||||
pam_syslog(handle, LOG_ERR, "Failed to store PIN: %s", strerror_safe(r));
|
||||
return PAM_SERVICE_ERR;
|
||||
|
|
@ -388,7 +388,7 @@ static int handle_generic_user_record_error(
|
|||
return PAM_AUTHTOK_ERR;
|
||||
}
|
||||
|
||||
r = user_record_set_pkcs11_pin(secret, STRV_MAKE(newp), false);
|
||||
r = user_record_set_token_pin(secret, STRV_MAKE(newp), false);
|
||||
if (r < 0) {
|
||||
pam_syslog(handle, LOG_ERR, "Failed to store PIN: %s", strerror_safe(r));
|
||||
return PAM_SERVICE_ERR;
|
||||
|
|
@ -407,7 +407,7 @@ static int handle_generic_user_record_error(
|
|||
return PAM_AUTHTOK_ERR;
|
||||
}
|
||||
|
||||
r = user_record_set_pkcs11_pin(secret, STRV_MAKE(newp), false);
|
||||
r = user_record_set_token_pin(secret, STRV_MAKE(newp), false);
|
||||
if (r < 0) {
|
||||
pam_syslog(handle, LOG_ERR, "Failed to store PIN: %s", strerror_safe(r));
|
||||
return PAM_SERVICE_ERR;
|
||||
|
|
@ -426,7 +426,7 @@ static int handle_generic_user_record_error(
|
|||
return PAM_AUTHTOK_ERR;
|
||||
}
|
||||
|
||||
r = user_record_set_pkcs11_pin(secret, STRV_MAKE(newp), false);
|
||||
r = user_record_set_token_pin(secret, STRV_MAKE(newp), false);
|
||||
if (r < 0) {
|
||||
pam_syslog(handle, LOG_ERR, "Failed to store PIN: %s", strerror_safe(r));
|
||||
return PAM_SERVICE_ERR;
|
||||
|
|
|
|||
|
|
@ -887,7 +887,7 @@ int user_record_set_password(UserRecord *h, char **password, bool prepend) {
|
|||
return 0;
|
||||
}
|
||||
|
||||
int user_record_set_pkcs11_pin(UserRecord *h, char **pin, bool prepend) {
|
||||
int user_record_set_token_pin(UserRecord *h, char **pin, bool prepend) {
|
||||
_cleanup_(json_variant_unrefp) JsonVariant *w = NULL;
|
||||
_cleanup_(strv_free_erasep) char **e = NULL;
|
||||
int r;
|
||||
|
|
@ -899,17 +899,17 @@ int user_record_set_pkcs11_pin(UserRecord *h, char **pin, bool prepend) {
|
|||
if (!e)
|
||||
return -ENOMEM;
|
||||
|
||||
r = strv_extend_strv(&e, h->pkcs11_pin, true);
|
||||
r = strv_extend_strv(&e, h->token_pin, true);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
strv_uniq(e);
|
||||
|
||||
if (strv_equal(h->pkcs11_pin, e))
|
||||
if (strv_equal(h->token_pin, e))
|
||||
return 0;
|
||||
|
||||
} else {
|
||||
if (strv_equal(h->pkcs11_pin, pin))
|
||||
if (strv_equal(h->token_pin, pin))
|
||||
return 0;
|
||||
|
||||
e = strv_copy(pin);
|
||||
|
|
@ -922,7 +922,7 @@ int user_record_set_pkcs11_pin(UserRecord *h, char **pin, bool prepend) {
|
|||
w = json_variant_ref(json_variant_by_key(h->json, "secret"));
|
||||
|
||||
if (strv_isempty(e))
|
||||
r = json_variant_filter(&w, STRV_MAKE("pkcs11Pin"));
|
||||
r = json_variant_filter(&w, STRV_MAKE("tokenPin"));
|
||||
else {
|
||||
_cleanup_(json_variant_unrefp) JsonVariant *l = NULL;
|
||||
|
||||
|
|
@ -932,7 +932,7 @@ int user_record_set_pkcs11_pin(UserRecord *h, char **pin, bool prepend) {
|
|||
|
||||
json_variant_sensitive(l);
|
||||
|
||||
r = json_variant_set_field(&w, "pkcs11Pin", l);
|
||||
r = json_variant_set_field(&w, "tokenPin", l);
|
||||
}
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
|
@ -943,7 +943,7 @@ int user_record_set_pkcs11_pin(UserRecord *h, char **pin, bool prepend) {
|
|||
if (r < 0)
|
||||
return r;
|
||||
|
||||
strv_free_and_replace(h->pkcs11_pin, e);
|
||||
strv_free_and_replace(h->token_pin, e);
|
||||
|
||||
SET_FLAG(h->mask, USER_RECORD_SECRET, !json_variant_is_blank_object(w));
|
||||
return 0;
|
||||
|
|
@ -1062,7 +1062,7 @@ int user_record_merge_secret(UserRecord *h, UserRecord *secret) {
|
|||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = user_record_set_pkcs11_pin(h, secret->pkcs11_pin, true);
|
||||
r = user_record_set_token_pin(h, secret->token_pin, true);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
|
|
|
|||
|
|
@ -47,7 +47,7 @@ int user_record_set_disk_size(UserRecord *h, uint64_t disk_size);
|
|||
int user_record_set_password(UserRecord *h, char **password, bool prepend);
|
||||
int user_record_make_hashed_password(UserRecord *h, char **password, bool extend);
|
||||
int user_record_set_hashed_password(UserRecord *h, char **hashed_password);
|
||||
int user_record_set_pkcs11_pin(UserRecord *h, char **pin, bool prepend);
|
||||
int user_record_set_token_pin(UserRecord *h, char **pin, bool prepend);
|
||||
int user_record_set_pkcs11_protected_authentication_path_permitted(UserRecord *h, int b);
|
||||
int user_record_set_password_change_now(UserRecord *h, int b);
|
||||
int user_record_merge_secret(UserRecord *h, UserRecord *secret);
|
||||
|
|
|
|||
|
|
@ -120,7 +120,7 @@ static UserRecord* user_record_free(UserRecord *h) {
|
|||
strv_free_erase(h->hashed_password);
|
||||
strv_free_erase(h->ssh_authorized_keys);
|
||||
strv_free_erase(h->password);
|
||||
strv_free_erase(h->pkcs11_pin);
|
||||
strv_free_erase(h->token_pin);
|
||||
|
||||
free(h->cifs_service);
|
||||
free(h->cifs_user_name);
|
||||
|
|
@ -620,7 +620,8 @@ static int dispatch_secret(const char *name, JsonVariant *variant, JsonDispatchF
|
|||
|
||||
static const JsonDispatch secret_dispatch_table[] = {
|
||||
{ "password", _JSON_VARIANT_TYPE_INVALID, json_dispatch_strv, offsetof(UserRecord, password), 0 },
|
||||
{ "pkcs11Pin", _JSON_VARIANT_TYPE_INVALID, json_dispatch_strv, offsetof(UserRecord, pkcs11_pin), 0 },
|
||||
{ "tokenPin", _JSON_VARIANT_TYPE_INVALID, json_dispatch_strv, offsetof(UserRecord, token_pin), 0 },
|
||||
{ "pkcs11Pin", /* legacy alias */ _JSON_VARIANT_TYPE_INVALID, json_dispatch_strv, offsetof(UserRecord, token_pin), 0 },
|
||||
{ "pkcs11ProtectedAuthenticationPathPermitted", JSON_VARIANT_BOOLEAN, json_dispatch_tristate, offsetof(UserRecord, pkcs11_protected_authentication_path_permitted), 0 },
|
||||
{},
|
||||
};
|
||||
|
|
|
|||
|
|
@ -239,7 +239,7 @@ typedef struct UserRecord {
|
|||
char **hashed_password;
|
||||
char **ssh_authorized_keys;
|
||||
char **password;
|
||||
char **pkcs11_pin;
|
||||
char **token_pin;
|
||||
|
||||
char *cifs_domain;
|
||||
char *cifs_user_name;
|
||||
|
|
|
|||
Loading…
Reference in New Issue