diff --git a/docs/USER_RECORD.md b/docs/USER_RECORD.md index 7b6fe47665..2ed043734f 100644 --- a/docs/USER_RECORD.md +++ b/docs/USER_RECORD.md @@ -864,8 +864,10 @@ The `secret` field of the top-level user record contains the following fields: `password` → an array of strings, each containing a plain text password. -`pkcs11Pin` → an array of strings, each containing a plain text PIN, suitable -for unlocking PKCS#11 security tokens that require that. +`tokenPin` → an array of strings, each containing a plain text PIN, suitable +for unlocking security tokens that require that. (The field `pkcs11Pin` should +be considered a compatibility alias for this field, and merged with `tokenPin` +in case both are set.) `pkcs11ProtectedAuthenticationPathPermitted` → a boolean. If set to true allows the receiver to use the PKCS#11 "protected authentication path" (i.e. a diff --git a/src/home/homectl.c b/src/home/homectl.c index 8b91f08edf..e69fa63fa3 100644 --- a/src/home/homectl.c +++ b/src/home/homectl.c @@ -236,7 +236,7 @@ static int acquire_existing_password(const char *user_name, UserRecord *hr, bool return 0; } -static int acquire_pkcs11_pin(const char *user_name, UserRecord *hr) { +static int acquire_token_pin(const char *user_name, UserRecord *hr) { _cleanup_(strv_free_erasep) char **pin = NULL; _cleanup_free_ char *question = NULL; char *e; @@ -247,9 +247,9 @@ static int acquire_pkcs11_pin(const char *user_name, UserRecord *hr) { e = getenv("PIN"); if (e) { - r = user_record_set_pkcs11_pin(hr, STRV_MAKE(e), false); + r = user_record_set_token_pin(hr, STRV_MAKE(e), false); if (r < 0) - return log_error_errno(r, "Failed to store PKCS#11 PIN: %m"); + return log_error_errno(r, "Failed to store token PIN: %m"); string_erase(e); @@ -263,11 +263,11 @@ static int acquire_pkcs11_pin(const char *user_name, UserRecord *hr) { return log_oom(); /* We never cache or use cached PINs, since usually there are only very few attempts allowed before the PIN is blocked */ - r = ask_password_auto(question, "user-home", NULL, "pkcs11-pin", USEC_INFINITY, 0, &pin); + r = ask_password_auto(question, "user-home", NULL, "token-pin", USEC_INFINITY, 0, &pin); if (r < 0) return log_error_errno(r, "Failed to acquire security token PIN: %m"); - r = user_record_set_pkcs11_pin(hr, pin, false); + r = user_record_set_token_pin(hr, pin, false); if (r < 0) return log_error_errno(r, "Failed to store security token PIN: %m"); @@ -315,7 +315,7 @@ static int handle_generic_user_record_error( } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_PIN_NEEDED)) { - r = acquire_pkcs11_pin(user_name, hr); + r = acquire_token_pin(user_name, hr); if (r < 0) return r; @@ -334,7 +334,7 @@ static int handle_generic_user_record_error( log_notice("Security token PIN incorrect, please try again."); - r = acquire_pkcs11_pin(user_name, hr); + r = acquire_token_pin(user_name, hr); if (r < 0) return r; @@ -342,7 +342,7 @@ static int handle_generic_user_record_error( log_notice("Security token PIN incorrect, please try again (only a few tries left!)."); - r = acquire_pkcs11_pin(user_name, hr); + r = acquire_token_pin(user_name, hr); if (r < 0) return r; @@ -350,7 +350,7 @@ static int handle_generic_user_record_error( log_notice("Security token PIN incorrect, please try again (only one try left!)."); - r = acquire_pkcs11_pin(user_name, hr); + r = acquire_token_pin(user_name, hr); if (r < 0) return r; } else @@ -1005,7 +1005,7 @@ static int encrypt_bytes( return 0; } -static int add_pkcs11_pin(JsonVariant **v, const char *pin) { +static int add_token_pin(JsonVariant **v, const char *pin) { _cleanup_(json_variant_unrefp) JsonVariant *w = NULL, *l = NULL; _cleanup_(strv_free_erasep) char **pins = NULL; int r; @@ -1016,7 +1016,7 @@ static int add_pkcs11_pin(JsonVariant **v, const char *pin) { return 0; w = json_variant_ref(json_variant_by_key(*v, "secret")); - l = json_variant_ref(json_variant_by_key(w, "pkcs11Pin")); + l = json_variant_ref(json_variant_by_key(w, "tokenPin")); r = json_variant_strv(l, &pins); if (r < 0) @@ -1039,7 +1039,7 @@ static int add_pkcs11_pin(JsonVariant **v, const char *pin) { json_variant_sensitive(l); - r = json_variant_set_field(&w, "pkcs11Pin", l); + r = json_variant_set_field(&w, "tokenPin", l); if (r < 0) return log_error_errno(r, "Failed to update PIN field: %m"); @@ -1212,7 +1212,7 @@ static int add_pkcs11_key_data(JsonVariant **v, const char *uri) { /* If we acquired the PIN also include it in the secret section of the record, so that systemd-homed * can use it if it needs to, given that it likely needs to decrypt the key again to pass to LUKS or * fscrypt. */ - r = add_pkcs11_pin(v, pin); + r = add_token_pin(v, pin); if (r < 0) return r; diff --git a/src/home/homework-pkcs11.c b/src/home/homework-pkcs11.c index 915bc0e57e..3a03fb7200 100644 --- a/src/home/homework-pkcs11.c +++ b/src/home/homework-pkcs11.c @@ -62,10 +62,10 @@ int pkcs11_callback( goto decrypt; } - if (strv_isempty(data->secret->pkcs11_pin)) - return log_error_errno(SYNTHETIC_ERRNO(ENOANO), "Security Token requires PIN."); + if (strv_isempty(data->secret->token_pin)) + return log_error_errno(SYNTHETIC_ERRNO(ENOANO), "Security token requires PIN."); - STRV_FOREACH(i, data->secret->pkcs11_pin) { + STRV_FOREACH(i, data->secret->token_pin) { rv = m->C_Login(session, CKU_USER, (CK_UTF8CHAR*) *i, strlen(*i)); if (rv == CKR_OK) { log_info("Successfully logged into security token '%s' with PIN.", token_label); diff --git a/src/home/pam_systemd_home.c b/src/home/pam_systemd_home.c index 34dfd134fc..80797b4dd5 100644 --- a/src/home/pam_systemd_home.c +++ b/src/home/pam_systemd_home.c @@ -359,7 +359,7 @@ static int handle_generic_user_record_error( return PAM_AUTHTOK_ERR; } - r = user_record_set_pkcs11_pin(secret, STRV_MAKE(newp), false); + r = user_record_set_token_pin(secret, STRV_MAKE(newp), false); if (r < 0) { pam_syslog(handle, LOG_ERR, "Failed to store PIN: %s", strerror_safe(r)); return PAM_SERVICE_ERR; @@ -388,7 +388,7 @@ static int handle_generic_user_record_error( return PAM_AUTHTOK_ERR; } - r = user_record_set_pkcs11_pin(secret, STRV_MAKE(newp), false); + r = user_record_set_token_pin(secret, STRV_MAKE(newp), false); if (r < 0) { pam_syslog(handle, LOG_ERR, "Failed to store PIN: %s", strerror_safe(r)); return PAM_SERVICE_ERR; @@ -407,7 +407,7 @@ static int handle_generic_user_record_error( return PAM_AUTHTOK_ERR; } - r = user_record_set_pkcs11_pin(secret, STRV_MAKE(newp), false); + r = user_record_set_token_pin(secret, STRV_MAKE(newp), false); if (r < 0) { pam_syslog(handle, LOG_ERR, "Failed to store PIN: %s", strerror_safe(r)); return PAM_SERVICE_ERR; @@ -426,7 +426,7 @@ static int handle_generic_user_record_error( return PAM_AUTHTOK_ERR; } - r = user_record_set_pkcs11_pin(secret, STRV_MAKE(newp), false); + r = user_record_set_token_pin(secret, STRV_MAKE(newp), false); if (r < 0) { pam_syslog(handle, LOG_ERR, "Failed to store PIN: %s", strerror_safe(r)); return PAM_SERVICE_ERR; diff --git a/src/home/user-record-util.c b/src/home/user-record-util.c index 8f51f8d6e8..f58f9e0709 100644 --- a/src/home/user-record-util.c +++ b/src/home/user-record-util.c @@ -887,7 +887,7 @@ int user_record_set_password(UserRecord *h, char **password, bool prepend) { return 0; } -int user_record_set_pkcs11_pin(UserRecord *h, char **pin, bool prepend) { +int user_record_set_token_pin(UserRecord *h, char **pin, bool prepend) { _cleanup_(json_variant_unrefp) JsonVariant *w = NULL; _cleanup_(strv_free_erasep) char **e = NULL; int r; @@ -899,17 +899,17 @@ int user_record_set_pkcs11_pin(UserRecord *h, char **pin, bool prepend) { if (!e) return -ENOMEM; - r = strv_extend_strv(&e, h->pkcs11_pin, true); + r = strv_extend_strv(&e, h->token_pin, true); if (r < 0) return r; strv_uniq(e); - if (strv_equal(h->pkcs11_pin, e)) + if (strv_equal(h->token_pin, e)) return 0; } else { - if (strv_equal(h->pkcs11_pin, pin)) + if (strv_equal(h->token_pin, pin)) return 0; e = strv_copy(pin); @@ -922,7 +922,7 @@ int user_record_set_pkcs11_pin(UserRecord *h, char **pin, bool prepend) { w = json_variant_ref(json_variant_by_key(h->json, "secret")); if (strv_isempty(e)) - r = json_variant_filter(&w, STRV_MAKE("pkcs11Pin")); + r = json_variant_filter(&w, STRV_MAKE("tokenPin")); else { _cleanup_(json_variant_unrefp) JsonVariant *l = NULL; @@ -932,7 +932,7 @@ int user_record_set_pkcs11_pin(UserRecord *h, char **pin, bool prepend) { json_variant_sensitive(l); - r = json_variant_set_field(&w, "pkcs11Pin", l); + r = json_variant_set_field(&w, "tokenPin", l); } if (r < 0) return r; @@ -943,7 +943,7 @@ int user_record_set_pkcs11_pin(UserRecord *h, char **pin, bool prepend) { if (r < 0) return r; - strv_free_and_replace(h->pkcs11_pin, e); + strv_free_and_replace(h->token_pin, e); SET_FLAG(h->mask, USER_RECORD_SECRET, !json_variant_is_blank_object(w)); return 0; @@ -1062,7 +1062,7 @@ int user_record_merge_secret(UserRecord *h, UserRecord *secret) { if (r < 0) return r; - r = user_record_set_pkcs11_pin(h, secret->pkcs11_pin, true); + r = user_record_set_token_pin(h, secret->token_pin, true); if (r < 0) return r; diff --git a/src/home/user-record-util.h b/src/home/user-record-util.h index 6afc8df19a..c20018fcba 100644 --- a/src/home/user-record-util.h +++ b/src/home/user-record-util.h @@ -47,7 +47,7 @@ int user_record_set_disk_size(UserRecord *h, uint64_t disk_size); int user_record_set_password(UserRecord *h, char **password, bool prepend); int user_record_make_hashed_password(UserRecord *h, char **password, bool extend); int user_record_set_hashed_password(UserRecord *h, char **hashed_password); -int user_record_set_pkcs11_pin(UserRecord *h, char **pin, bool prepend); +int user_record_set_token_pin(UserRecord *h, char **pin, bool prepend); int user_record_set_pkcs11_protected_authentication_path_permitted(UserRecord *h, int b); int user_record_set_password_change_now(UserRecord *h, int b); int user_record_merge_secret(UserRecord *h, UserRecord *secret); diff --git a/src/shared/user-record.c b/src/shared/user-record.c index f6f67eabc0..d4dbecaae9 100644 --- a/src/shared/user-record.c +++ b/src/shared/user-record.c @@ -120,7 +120,7 @@ static UserRecord* user_record_free(UserRecord *h) { strv_free_erase(h->hashed_password); strv_free_erase(h->ssh_authorized_keys); strv_free_erase(h->password); - strv_free_erase(h->pkcs11_pin); + strv_free_erase(h->token_pin); free(h->cifs_service); free(h->cifs_user_name); @@ -620,7 +620,8 @@ static int dispatch_secret(const char *name, JsonVariant *variant, JsonDispatchF static const JsonDispatch secret_dispatch_table[] = { { "password", _JSON_VARIANT_TYPE_INVALID, json_dispatch_strv, offsetof(UserRecord, password), 0 }, - { "pkcs11Pin", _JSON_VARIANT_TYPE_INVALID, json_dispatch_strv, offsetof(UserRecord, pkcs11_pin), 0 }, + { "tokenPin", _JSON_VARIANT_TYPE_INVALID, json_dispatch_strv, offsetof(UserRecord, token_pin), 0 }, + { "pkcs11Pin", /* legacy alias */ _JSON_VARIANT_TYPE_INVALID, json_dispatch_strv, offsetof(UserRecord, token_pin), 0 }, { "pkcs11ProtectedAuthenticationPathPermitted", JSON_VARIANT_BOOLEAN, json_dispatch_tristate, offsetof(UserRecord, pkcs11_protected_authentication_path_permitted), 0 }, {}, }; diff --git a/src/shared/user-record.h b/src/shared/user-record.h index 9fd10610d9..9cc849c083 100644 --- a/src/shared/user-record.h +++ b/src/shared/user-record.h @@ -239,7 +239,7 @@ typedef struct UserRecord { char **hashed_password; char **ssh_authorized_keys; char **password; - char **pkcs11_pin; + char **token_pin; char *cifs_domain; char *cifs_user_name;