author | Luca Boccassi <luca.boccassi@microsoft.com> | 2021-04-12 21:06:59 +0100
---|---|---
committer | Luca Boccassi <bluca@debian.org> | 2021-05-07 21:36:27 +0100
commit | cde2f8605e0c3842f9a87785dd758f955f2d04ba (patch) |
tree | 26d259cdb23f9ace361340a87d584ab379259fde /src/shared/libfido2-util.h |
parent | cd5f57bda71dc9485d7eddf6cfcbfba843f5126c (diff) |
download | systemd-cde2f8605e0c3842f9a87785dd758f955f2d04ba.tar.gz |
FIDO2: support pin-less LUKS enroll/unlock
Closes: https://github.com/systemd/systemd/issues/19246
Some FIDO2 devices allow the user to choose whether to use a PIN or not
and will HMAC with a different secret depending on the choice.
Some other devices (or some device-specific configuration) can instead
make it mandatory.
Allow the cryptenroll user to choose whether to use a PIN or not, but
fail immediately if it is a hard requirement.
Record the choice in the JSON-encoded LUKS header metadata so that the
right set of options can be used on unlock.
Diffstat (limited to 'src/shared/libfido2-util.h')
-rw-r--r-- | src/shared/libfido2-util.h | 8
1 files changed, 8 insertions, 0 deletions
diff --git a/src/shared/libfido2-util.h b/src/shared/libfido2-util.h index 3648ea44c7..c22deebfcc 100644 --- a/src/shared/libfido2-util.h +++ b/src/shared/libfido2-util.h @@ -3,6 +3,12 @@ #include "macro.h" +typedef enum Fido2EnrollFlags { + FIDO2ENROLL_PIN = 1 << 0, + _FIDO2ENROLL_TYPE_MAX, + _FIDO2ENROLL_TYPE_INVALID = -EINVAL, +} Fido2EnrollFlags; + #if HAVE_LIBFIDO2 #include <fido.h> @@ -81,6 +87,7 @@ int fido2_use_hmac_hash( size_t cid_size, char **pins, bool up, /* user presence permitted */ + Fido2EnrollFlags required, void **ret_hmac, size_t *ret_hmac_size); @@ -93,6 +100,7 @@ int fido2_generate_hmac_hash( const char *user_display_name, const char *user_icon, const char *askpw_icon_name, + Fido2EnrollFlags lock_with, void **ret_cid, size_t *ret_cid_size, void **ret_salt, size_t *ret_salt_size, void **ret_secret, size_t *ret_secret_size, |
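Review bot: the sentinels `_FIDO2ENROLL_TYPE_MAX` and `_FIDO2ENROLL_TYPE_INVALID = -EINVAL` in the new `Fido2EnrollFlags` enum follow the convention for plain enumerations, but this type is a bit-flag set (`FIDO2ENROLL_PIN = 1 << 0`), so `_FIDO2ENROLL_TYPE_MAX` evaluates to 2 today and would collide with the next flag (`1 << 1`) as soon as one is added, and no valid flag combination can ever equal `-EINVAL`. Suggest dropping both sentinels (or, if an "unset" marker is really wanted, naming it so it does not read as a `_TYPE_` enumeration) and adding a one-line comment that the values are OR-able. Keeping the typedef outside `#if HAVE_LIBFIDO2` is fine since callers need the flag type even when libfido2 is compiled out.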
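Review bot: the new `required` parameter of `fido2_use_hmac_hash()` is undocumented while its neighbour `bool up` carries `/* user presence permitted */`; add a matching comment, e.g. `Fido2EnrollFlags required, /* flags recorded at enroll time, e.g. FIDO2ENROLL_PIN */`, and state what happens when the recorded flags and the token's current PIN policy disagree at unlock. The commit message only says the recorded choice selects "the right set of options"; a caller reading this header cannot tell whether a mismatch is an error return or a fallback.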
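Review bot: the flags parameter is named `lock_with` in `fido2_generate_hmac_hash()` but `required` in `fido2_use_hmac_hash()` above, for what looks like the same `Fido2EnrollFlags` value, and it is inserted at a different position in the argument list (after `askpw_icon_name` here, after `up` there). Either use one name in both declarations or, if the distinction is intentional (`lock_with` as what the user asked for at enroll, `required` as what was recorded for unlock), say so in a comment beside each. Since the commit message says enrolment must "fail immediately" when the device makes the PIN mandatory and the user opted out, document that error code on this declaration so cryptenroll can report it distinctly from a wrong-PIN failure.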