diff options
author | V3n3RiX <venerix@redcorelinux.org> | 2021-09-10 04:21:55 +0100 |
---|---|---|
committer | V3n3RiX <venerix@redcorelinux.org> | 2021-09-10 04:21:55 +0100 |
commit | 677b7ba5c317778df2ad7e70df94b9b7eec4adbc (patch) | |
tree | 6c418a1546fff5becab5d8b9ed6803323e7f316e /sys-apps/systemd/files | |
parent | fbda87924e6faa7a1919f1a2b4182490bde5ec5c (diff) |
gentoo resync : 10.09.2021
Diffstat (limited to 'sys-apps/systemd/files')
-rw-r--r-- | sys-apps/systemd/files/249-fido2.patch | 58 | ||||
-rw-r--r-- | sys-apps/systemd/files/249-home-secret-assert.patch | 106 |
2 files changed, 164 insertions, 0 deletions
diff --git a/sys-apps/systemd/files/249-fido2.patch b/sys-apps/systemd/files/249-fido2.patch new file mode 100644 index 000000000000..bbfa4afb540e --- /dev/null +++ b/sys-apps/systemd/files/249-fido2.patch @@ -0,0 +1,58 @@ +From b6aa89b0a399992c8ea762e6ec4f30cff90618f2 Mon Sep 17 00:00:00 2001 +From: pedro martelletto <pedro@yubico.com> +Date: Wed, 8 Sep 2021 10:42:56 +0200 +Subject: [PATCH] explicitly close FIDO2 devices + +FIDO2 device access is serialised by libfido2 using flock(). +Therefore, make sure to close a FIDO2 device once we are done +with it, or we risk opening it again at a later point and +deadlocking. Fixes #20664. +--- + src/shared/libfido2-util.c | 2 ++ + src/shared/libfido2-util.h | 5 ++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/shared/libfido2-util.c b/src/shared/libfido2-util.c +index 12c644dcfcce..6d18178b68c9 100644 +--- a/src/shared/libfido2-util.c ++++ b/src/shared/libfido2-util.c +@@ -58,6 +58,7 @@ bool (*sym_fido_dev_is_fido2)(const fido_dev_t *) = NULL; + int (*sym_fido_dev_make_cred)(fido_dev_t *, fido_cred_t *, const char *) = NULL; + fido_dev_t* (*sym_fido_dev_new)(void) = NULL; + int (*sym_fido_dev_open)(fido_dev_t *, const char *) = NULL; ++int (*sym_fido_dev_close)(fido_dev_t *) = NULL; + const char* (*sym_fido_strerr)(int) = NULL; + + int dlopen_libfido2(void) { +@@ -106,6 +107,7 @@ int dlopen_libfido2(void) { + DLSYM_ARG(fido_dev_make_cred), + DLSYM_ARG(fido_dev_new), + DLSYM_ARG(fido_dev_open), ++ DLSYM_ARG(fido_dev_close), + DLSYM_ARG(fido_strerr)); + } + +diff --git a/src/shared/libfido2-util.h b/src/shared/libfido2-util.h +index 5640cca5e39b..4ebf8ab77509 100644 +--- a/src/shared/libfido2-util.h ++++ b/src/shared/libfido2-util.h +@@ -60,6 +60,7 @@ extern bool (*sym_fido_dev_is_fido2)(const fido_dev_t *); + extern int (*sym_fido_dev_make_cred)(fido_dev_t *, fido_cred_t *, const char *); + extern fido_dev_t* (*sym_fido_dev_new)(void); + extern int (*sym_fido_dev_open)(fido_dev_t *, const char *); ++extern int (*sym_fido_dev_close)(fido_dev_t *); + extern const char* (*sym_fido_strerr)(int); + + int dlopen_libfido2(void); +@@ -75,8 +76,10 @@ static inline void fido_assert_free_wrapper(fido_assert_t **p) { + } + + static inline void fido_dev_free_wrapper(fido_dev_t **p) { +- if (*p) ++ if (*p) { ++ sym_fido_dev_close(*p); + sym_fido_dev_free(p); ++ } + } + + static inline void fido_cred_free_wrapper(fido_cred_t **p) { diff --git a/sys-apps/systemd/files/249-home-secret-assert.patch b/sys-apps/systemd/files/249-home-secret-assert.patch new file mode 100644 index 000000000000..e6e2a8e7cc78 --- /dev/null +++ b/sys-apps/systemd/files/249-home-secret-assert.patch @@ -0,0 +1,106 @@ +From 6a09dbb89507449d158af6c7097d2c51ce83205f Mon Sep 17 00:00:00 2001 +From: Yu Watanabe <watanabe.yu+github@gmail.com> +Date: Sun, 5 Sep 2021 11:16:26 +0900 +Subject: [PATCH] home: 'secret' argument of handle_generic_user_record_error + may be null + +When RefHome() bus method is called in acquire_home(), secret is NULL. + +Fixes #20639. +--- + src/home/pam_systemd_home.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/src/home/pam_systemd_home.c b/src/home/pam_systemd_home.c +index 836ed0d5e96d..a04d50208a8e 100644 +--- a/src/home/pam_systemd_home.c ++++ b/src/home/pam_systemd_home.c +@@ -281,7 +281,6 @@ static int handle_generic_user_record_error( + const sd_bus_error *error) { + + assert(user_name); +- assert(secret); + assert(error); + + int r; +@@ -301,6 +300,8 @@ static int handle_generic_user_record_error( + } else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_PASSWORD)) { + _cleanup_(erase_and_freep) char *newp = NULL; + ++ assert(secret); ++ + /* This didn't work? Ask for an (additional?) password */ + + if (strv_isempty(secret->password)) +@@ -326,6 +327,8 @@ static int handle_generic_user_record_error( + } else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_PASSWORD_AND_NO_TOKEN)) { + _cleanup_(erase_and_freep) char *newp = NULL; + ++ assert(secret); ++ + if (strv_isempty(secret->password)) { + (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token of user %s not inserted.", user_name); + r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Try again with password: "); +@@ -350,6 +353,8 @@ static int handle_generic_user_record_error( + } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_PIN_NEEDED)) { + _cleanup_(erase_and_freep) char *newp = NULL; + ++ assert(secret); ++ + r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Security token PIN: "); + if (r != PAM_SUCCESS) + return PAM_CONV_ERR; /* no logging here */ +@@ -367,6 +372,8 @@ static int handle_generic_user_record_error( + + } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_PROTECTED_AUTHENTICATION_PATH_NEEDED)) { + ++ assert(secret); ++ + (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Please authenticate physically on security token of user %s.", user_name); + + r = user_record_set_pkcs11_protected_authentication_path_permitted(secret, true); +@@ -377,6 +384,8 @@ static int handle_generic_user_record_error( + + } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_USER_PRESENCE_NEEDED)) { + ++ assert(secret); ++ + (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Please confirm presence on security token of user %s.", user_name); + + r = user_record_set_fido2_user_presence_permitted(secret, true); +@@ -387,6 +396,8 @@ static int handle_generic_user_record_error( + + } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_USER_VERIFICATION_NEEDED)) { + ++ assert(secret); ++ + (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Please verify user on security token of user %s.", user_name); + + r = user_record_set_fido2_user_verification_permitted(secret, true); +@@ -403,6 +414,8 @@ static int handle_generic_user_record_error( + } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_BAD_PIN)) { + _cleanup_(erase_and_freep) char *newp = NULL; + ++ assert(secret); ++ + (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token PIN incorrect for user %s.", user_name); + r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, retry security token PIN: "); + if (r != PAM_SUCCESS) +@@ -422,6 +435,8 @@ static int handle_generic_user_record_error( + } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_BAD_PIN_FEW_TRIES_LEFT)) { + _cleanup_(erase_and_freep) char *newp = NULL; + ++ assert(secret); ++ + (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token PIN of user %s incorrect (only a few tries left!)", user_name); + r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, retry security token PIN: "); + if (r != PAM_SUCCESS) +@@ -441,6 +456,8 @@ static int handle_generic_user_record_error( + } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_BAD_PIN_ONE_TRY_LEFT)) { + _cleanup_(erase_and_freep) char *newp = NULL; + ++ assert(secret); ++ + (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token PIN of user %s incorrect (only one try left!)", user_name); + r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, retry security token PIN: "); + if (r != PAM_SUCCESS) |