ebox unlock is slow with many configs

Using e.g. pivy-box key unlock  on an ebox with many primary
configs can be very slow, as we may enumerate all PIV tokens
on the system for every single non-present device in the list
(which may take 1-2 sec sometimes).

With this change, we try agent keys first and then cache
enumeration results so that things take far less time.

On an ebox with 8 primary configs, where the config on the
system is the last one, this takes unlock from ~9sec to 0.25sec
with an agent or ~1sec without.

Author: arekinath

ebox-cmd.c

@@ -60,12 +60,13 @@
 
 #include "words.h"
 
-int ebox_authfd;
+int ebox_authfd = -1;
 SCARDCONTEXT ebox_ctx;
 boolean_t ebox_ctx_init = B_FALSE;
 char *ebox_pin;
 uint ebox_min_retries = 1;
 boolean_t ebox_batch = B_FALSE;
+struct piv_token *ebox_enum_tokens = NULL;
 
 #if defined(__sun)
 static GetLine *sungl = NULL;
@@ -232,6 +233,12 @@ local_unlock_agent(struct piv_ecdh_box *box)
 	struct sshbuf *datab = NULL;
 	boolean_t found = B_FALSE;
 
+	if (ebox_authfd == -1 &&
+	    (rc = ssh_get_authentication_socket(&ebox_authfd)) == -1) {
+		err = ssherrf("ssh_get_authentication_socket", rc);
+		goto out;
+	}
+
 	pubkey = piv_box_pubkey(box);
 
 	rc = ssh_fetch_identitylist(ebox_authfd, &idl);
@@ -368,7 +375,8 @@ local_unlock(struct piv_ecdh_box *box, struct sshkey *cak, const char *name)
 	struct piv_slot *slot, *cakslot;
 	struct piv_token *tokens = NULL, *token;
 
-	if (ssh_get_authentication_socket(&ebox_authfd) != -1) {
+	if (ebox_authfd != -1 ||
+	    ssh_get_authentication_socket(&ebox_authfd) != -1) {
 		agerr = local_unlock_agent(box);
 		if (agerr == ERRF_OK)
 			return (ERRF_OK);
@@ -392,14 +400,27 @@ local_unlock(struct piv_ecdh_box *box, struct sshkey *cak, const char *name)
 		}
 	}
 
-	err = piv_find(ebox_ctx, piv_box_guid(box), GUID_LEN, &tokens);
-	if (errf_caused_by(err, "NotFoundError")) {
-		errf_free(err);
-		err = piv_enumerate(ebox_ctx, &tokens);
-		if (err && agerr) {
-			err = errf("AgentError", agerr, "ssh-agent unlock "
-			    "failed, and no PIV tokens were detected on "
-			    "the local system");
+	/*
+	 * We might try to call local_unlock on a whole lot of configs in a
+	 * row (looking for one that works). If we resort to enumerating all
+	 * the tokens on the system at any point, cache them in
+	 * ebox_enum_tokens so that things are a bit faster.
+	 */
+	if (ebox_enum_tokens != NULL) {
+		tokens = ebox_enum_tokens;
+		err = NULL;
+	} else {
+		err = piv_find(ebox_ctx, piv_box_guid(box), GUID_LEN, &tokens);
+		if (errf_caused_by(err, "NotFoundError")) {
+			errf_free(err);
+			err = piv_enumerate(ebox_ctx, &tokens);
+			if (err && agerr) {
+				err = errf("AgentError", agerr, "ssh-agent "
+				"unlock failed, and no PIV tokens were "
+				"detected on the local system");
+			} else {
+				ebox_enum_tokens = tokens;
+			}
 		}
 	}
 	errf_free(agerr);

piv.c

@@ -244,6 +244,7 @@ struct piv_token {
 
 	struct piv_slot *pt_slots;
 	struct piv_slot *pt_last_slot;
+	boolean_t pt_did_read_all;
 
 	/* YubicoPIV specific stuff */
 	boolean_t pt_ykpiv;			/* Supports YubicoPIV? */
@@ -3109,6 +3110,8 @@ piv_read_all_certs(struct piv_token *tk)
 			errf_free(err);
 	}
 
+	tk->pt_did_read_all = B_TRUE;
+
 	return (ERRF_OK);
 }
 
@@ -4759,13 +4762,15 @@ piv_box_find_token(struct piv_token *tks, struct piv_ecdh_box *box,
 	 * token available.
 	 */
 	for (pt = tks; pt != NULL; pt = pt->pt_next) {
-		if (piv_txn_begin(pt))
-			continue;
-		if (piv_select(pt) || piv_read_all_certs(pt)) {
+		if (!pt->pt_did_read_all) {
+			if (piv_txn_begin(pt))
+				continue;
+			if (piv_select(pt) || piv_read_all_certs(pt)) {
+				piv_txn_end(pt);
+				continue;
+			}
 			piv_txn_end(pt);
-			continue;
 		}
-		piv_txn_end(pt);
 
 		s = NULL;
 		while ((s = piv_slot_next(pt, s)) != NULL) {

pivy-box.c

@@ -871,6 +871,25 @@ interactive_unlock_ebox(struct ebox *ebox)
 	struct answer *a;
 	char k = '0';
 
+	/* Try to use the pivy-agent to unlock first if we have one. */
+	config = NULL;
+	while ((config = ebox_next_config(ebox, config)) != NULL) {
+		tconfig = ebox_config_tpl(config);
+		if (ebox_tpl_config_type(tconfig) == EBOX_PRIMARY) {
+			part = ebox_config_next_part(config, NULL);
+			tpart = ebox_part_tpl(part);
+			error = local_unlock_agent(ebox_part_box(part));
+			if (error) {
+				errf_free(error);
+				continue;
+			}
+			error = ebox_unlock(ebox, config);
+			if (error)
+				return (error);
+			goto done;
+		}
+	}
+
 	config = NULL;
 	while ((config = ebox_next_config(ebox, config)) != NULL) {
 		tconfig = ebox_config_tpl(config);

pivy-luks.c

@@ -88,6 +88,26 @@ unlock_or_recover(struct ebox *ebox, const char *descr, boolean_t *recovered)
 	struct answer *a;
 	char k = '0';
 
+	/* Try to use the pivy-agent to unlock first if we have one. */
+	config = NULL;
+	while ((config = ebox_next_config(ebox, config)) != NULL) {
+		tconfig = ebox_config_tpl(config);
+		if (ebox_tpl_config_type(tconfig) == EBOX_PRIMARY) {
+			part = ebox_config_next_part(config, NULL);
+			tpart = ebox_part_tpl(part);
+			error = local_unlock_agent(ebox_part_box(part));
+			if (error) {
+				errf_free(error);
+				continue;
+			}
+			error = ebox_unlock(ebox, config);
+			if (error)
+				return (error);
+			*recovered = B_FALSE;
+			goto done;
+		}
+	}
+
 	config = NULL;
 	while ((config = ebox_next_config(ebox, config)) != NULL) {
 		tconfig = ebox_config_tpl(config);

pivy-zfs.c

@@ -90,6 +90,26 @@ unlock_or_recover(struct ebox *ebox, const char *descr, boolean_t *recovered)
 	struct answer *a;
 	char k = '0';
 
+	/* Try to use the pivy-agent to unlock first if we have one. */
+	config = NULL;
+	while ((config = ebox_next_config(ebox, config)) != NULL) {
+		tconfig = ebox_config_tpl(config);
+		if (ebox_tpl_config_type(tconfig) == EBOX_PRIMARY) {
+			part = ebox_config_next_part(config, NULL);
+			tpart = ebox_part_tpl(part);
+			error = local_unlock_agent(ebox_part_box(part));
+			if (error) {
+				errf_free(error);
+				continue;
+			}
+			error = ebox_unlock(ebox, config);
+			if (error)
+				return (error);
+			*recovered = B_FALSE;
+			goto done;
+		}
+	}
+
 	config = NULL;
 	while ((config = ebox_next_config(ebox, config)) != NULL) {
 		tconfig = ebox_config_tpl(config);