gentoo resync : 10.09.2021

2 files changed, 164 insertions, 0 deletions

diff --git a/sys-apps/systemd/files/249-fido2.patch b/sys-apps/systemd/files/249-fido2.patch
new file mode 100644
index 000000000000..bbfa4afb540e
--- /dev/null
+++ b/sys-apps/systemd/files/249-fido2.patch
@@ -0,0 +1,58 @@
+From b6aa89b0a399992c8ea762e6ec4f30cff90618f2 Mon Sep 17 00:00:00 2001
+From: pedro martelletto <pedro@yubico.com>
+Date: Wed, 8 Sep 2021 10:42:56 +0200
+Subject: [PATCH] explicitly close FIDO2 devices
+
+FIDO2 device access is serialised by libfido2 using flock().
+Therefore, make sure to close a FIDO2 device once we are done
+with it, or we risk opening it again at a later point and
+deadlocking. Fixes #20664.
+---
+ src/shared/libfido2-util.c | 2 ++
+ src/shared/libfido2-util.h | 5 ++++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/shared/libfido2-util.c b/src/shared/libfido2-util.c
+index 12c644dcfcce..6d18178b68c9 100644
+--- a/src/shared/libfido2-util.c
++++ b/src/shared/libfido2-util.c
+@@ -58,6 +58,7 @@ bool (*sym_fido_dev_is_fido2)(const fido_dev_t *) = NULL;
+ int (*sym_fido_dev_make_cred)(fido_dev_t *, fido_cred_t *, const char *) = NULL;
+ fido_dev_t* (*sym_fido_dev_new)(void) = NULL;
+ int (*sym_fido_dev_open)(fido_dev_t *, const char *) = NULL;
++int (*sym_fido_dev_close)(fido_dev_t *) = NULL;
+ const char* (*sym_fido_strerr)(int) = NULL;
+ 
+ int dlopen_libfido2(void) {
+@@ -106,6 +107,7 @@ int dlopen_libfido2(void) {
+                         DLSYM_ARG(fido_dev_make_cred),
+                         DLSYM_ARG(fido_dev_new),
+                         DLSYM_ARG(fido_dev_open),
++                        DLSYM_ARG(fido_dev_close),
+                         DLSYM_ARG(fido_strerr));
+ }
+ 
+diff --git a/src/shared/libfido2-util.h b/src/shared/libfido2-util.h
+index 5640cca5e39b..4ebf8ab77509 100644
+--- a/src/shared/libfido2-util.h
++++ b/src/shared/libfido2-util.h
+@@ -60,6 +60,7 @@ extern bool (*sym_fido_dev_is_fido2)(const fido_dev_t *);
+ extern int (*sym_fido_dev_make_cred)(fido_dev_t *, fido_cred_t *, const char *);
+ extern fido_dev_t* (*sym_fido_dev_new)(void);
+ extern int (*sym_fido_dev_open)(fido_dev_t *, const char *);
++extern int (*sym_fido_dev_close)(fido_dev_t *);
+ extern const char* (*sym_fido_strerr)(int);
+ 
+ int dlopen_libfido2(void);
+@@ -75,8 +76,10 @@ static inline void fido_assert_free_wrapper(fido_assert_t **p) {
+ }
+ 
+ static inline void fido_dev_free_wrapper(fido_dev_t **p) {
+-        if (*p)
++        if (*p) {
++                sym_fido_dev_close(*p);
+                 sym_fido_dev_free(p);
++        }
+ }
+ 
+ static inline void fido_cred_free_wrapper(fido_cred_t **p) {
diff --git a/sys-apps/systemd/files/249-home-secret-assert.patch b/sys-apps/systemd/files/249-home-secret-assert.patch
new file mode 100644
index 000000000000..e6e2a8e7cc78
--- /dev/null
+++ b/sys-apps/systemd/files/249-home-secret-assert.patch
@@ -0,0 +1,106 @@
+From 6a09dbb89507449d158af6c7097d2c51ce83205f Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Sun, 5 Sep 2021 11:16:26 +0900
+Subject: [PATCH] home: 'secret' argument of handle_generic_user_record_error
+ may be null
+
+When RefHome() bus method is called in acquire_home(), secret is NULL.
+
+Fixes #20639.
+---
+ src/home/pam_systemd_home.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/src/home/pam_systemd_home.c b/src/home/pam_systemd_home.c
+index 836ed0d5e96d..a04d50208a8e 100644
+--- a/src/home/pam_systemd_home.c
++++ b/src/home/pam_systemd_home.c
+@@ -281,7 +281,6 @@ static int handle_generic_user_record_error(
+                 const sd_bus_error *error) {
+ 
+         assert(user_name);
+-        assert(secret);
+         assert(error);
+ 
+         int r;
+@@ -301,6 +300,8 @@ static int handle_generic_user_record_error(
+         } else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_PASSWORD)) {
+                 _cleanup_(erase_and_freep) char *newp = NULL;
+ 
++                assert(secret);
++
+                 /* This didn't work? Ask for an (additional?) password */
+ 
+                 if (strv_isempty(secret->password))
+@@ -326,6 +327,8 @@ static int handle_generic_user_record_error(
+         } else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_PASSWORD_AND_NO_TOKEN)) {
+                 _cleanup_(erase_and_freep) char *newp = NULL;
+ 
++                assert(secret);
++
+                 if (strv_isempty(secret->password)) {
+                         (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token of user %s not inserted.", user_name);
+                         r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Try again with password: ");
+@@ -350,6 +353,8 @@ static int handle_generic_user_record_error(
+         } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_PIN_NEEDED)) {
+                 _cleanup_(erase_and_freep) char *newp = NULL;
+ 
++                assert(secret);
++
+                 r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Security token PIN: ");
+                 if (r != PAM_SUCCESS)
+                         return PAM_CONV_ERR; /* no logging here */
+@@ -367,6 +372,8 @@ static int handle_generic_user_record_error(
+ 
+         } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_PROTECTED_AUTHENTICATION_PATH_NEEDED)) {
+ 
++                assert(secret);
++
+                 (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Please authenticate physically on security token of user %s.", user_name);
+ 
+                 r = user_record_set_pkcs11_protected_authentication_path_permitted(secret, true);
+@@ -377,6 +384,8 @@ static int handle_generic_user_record_error(
+ 
+         } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_USER_PRESENCE_NEEDED)) {
+ 
++                assert(secret);
++
+                 (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Please confirm presence on security token of user %s.", user_name);
+ 
+                 r = user_record_set_fido2_user_presence_permitted(secret, true);
+@@ -387,6 +396,8 @@ static int handle_generic_user_record_error(
+ 
+         } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_USER_VERIFICATION_NEEDED)) {
+ 
++                assert(secret);
++
+                 (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Please verify user on security token of user %s.", user_name);
+ 
+                 r = user_record_set_fido2_user_verification_permitted(secret, true);
+@@ -403,6 +414,8 @@ static int handle_generic_user_record_error(
+         } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_BAD_PIN)) {
+                 _cleanup_(erase_and_freep) char *newp = NULL;
+ 
++                assert(secret);
++
+                 (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token PIN incorrect for user %s.", user_name);
+                 r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, retry security token PIN: ");
+                 if (r != PAM_SUCCESS)
+@@ -422,6 +435,8 @@ static int handle_generic_user_record_error(
+         } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_BAD_PIN_FEW_TRIES_LEFT)) {
+                 _cleanup_(erase_and_freep) char *newp = NULL;
+ 
++                assert(secret);
++
+                 (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token PIN of user %s incorrect (only a few tries left!)", user_name);
+                 r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, retry security token PIN: ");
+                 if (r != PAM_SUCCESS)
+@@ -441,6 +456,8 @@ static int handle_generic_user_record_error(
+         } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_BAD_PIN_ONE_TRY_LEFT)) {
+                 _cleanup_(erase_and_freep) char *newp = NULL;
+ 
++                assert(secret);
++
+                 (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token PIN of user %s incorrect (only one try left!)", user_name);
+                 r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, retry security token PIN: ");
+                 if (r != PAM_SUCCESS)