Skip to content

Commit

Permalink
Add more ways to use a password with the token
Browse files Browse the repository at this point in the history
Signed-off-by: Peter Jones <[email protected]>
  • Loading branch information
vathpela committed Nov 8, 2021
1 parent e4af617 commit 1a4481e
Show file tree
Hide file tree
Showing 5 changed files with 120 additions and 9 deletions.
12 changes: 11 additions & 1 deletion src/cms_common.c
Original file line number Diff line number Diff line change
Expand Up @@ -164,6 +164,8 @@ cms_context_fini(cms_context *cms)
case PW_DEVICE:
case PW_FROMFILEDB:
case PW_FROMENV:
case PW_FROMFILE:
case PW_FROMFD:
case PW_SOURCE_MAX:
break;
case PW_DATABASE:
Expand Down Expand Up @@ -306,8 +308,16 @@ void cms_set_pw_data(cms_context *cms, secuPWData *pwdata)
case PW_SOURCE_MAX:
break;

case PW_FROMENV:
case PW_FROMFD:
if (cms->pwdata.intdata >= 0 &&
!(pwdata->source == PW_FROMFD &&
cms->pwdata.intdata == pwdata->intdata))
close(cms->pwdata.intdata);
break;

case PW_FROMFILEDB:
case PW_FROMENV:
case PW_FROMFILE:
case PW_PLAINTEXT:
memset(cms->pwdata.data, 0, strlen(cms->pwdata.data));
xfree(cms->pwdata.data);
Expand Down
5 changes: 5 additions & 0 deletions src/cms_common.h
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,10 @@ typedef enum {
PW_DATABASE = 5,
// pwdata->data is the name of an environment variable
PW_FROMENV = 6,
// pwdata->data is the path of a file
PW_FROMFILE = 7,
// pwdata->intdata is a file descriptor
PW_FROMFD = 8,

// used only for bounds checking
PW_SOURCE_MAX
Expand All @@ -91,6 +95,7 @@ typedef struct {

struct pw_database pwdb;
char *data;
long intdata;
} secuPWData;

struct cms_context;
Expand Down
1 change: 1 addition & 0 deletions src/daemon.c
Original file line number Diff line number Diff line change
Expand Up @@ -229,6 +229,7 @@ handle_unlock_token(context *ctx, struct pollfd *pollfd, socklen_t size)
memset(&pwdata, 0, sizeof(pwdata));
pwdata.source = pwdata.orig_source = PW_PLAINTEXT;
pwdata.data = pin;
pwdata.intdata = -1;

cms_set_pw_callback(ctx->cms, get_password_passthrough);
cms_set_pw_data(ctx->cms, &pwdata);
Expand Down
40 changes: 35 additions & 5 deletions src/password.c
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,8 @@ static const char * const pw_source_names[] = {
[PW_FROMFILEDB] = "PW_FROMFILEDB",
[PW_DATABASE] = "PW_DATABASE",
[PW_FROMENV] = "PW_FROMENV",
[PW_FROMFILE] = "PW_FROMFILE",
[PW_FROMFD] = "PW_FROMFD",

[PW_SOURCE_MAX] = "PW_SOURCE_MAX"
};
Expand Down Expand Up @@ -241,6 +243,12 @@ SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)

ingress();
dprintf("token_name: %s", token_name);
if (cms->pwdata.source != PW_FROMFILEDB) {
cms->log(cms, LOG_ERR,
"Got to %s() but no file is specified.\n",
__func__);
goto err;
}
path = cms->pwdata.data;

if (!path || retry)
Expand Down Expand Up @@ -375,6 +383,7 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
secuPWData pwxtrn = { .source = PW_DEVICE, .orig_source = PW_DEVICE, .data = NULL };
char *pw;
int rc;
FILE *in;

ingress();

Expand All @@ -400,6 +409,7 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
pw_source_names[pwdata->orig_source], pwdata->orig_source);
dprintf("pwdata->data:%p (\"%s\")", pwdata->data,
pwdata->data ? pwdata->data : "(null)");
dprintf("pwdata->intdata:%ld", pwdata->intdata);

if (retry) {
warnx("Incorrect password/PIN entered.");
Expand All @@ -425,7 +435,6 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
return pw;

case PW_DEVICE:
dprintf("pwdata->source:PW_DEVICE");
rc = asprintf(&prompt,
"Press Enter, then enter PIN for \"%s\" on external device.\n",
PK11_GetTokenName(slot));
Expand All @@ -442,10 +451,6 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
* once, then keep it in memory (duh).
*/
pw = SECU_FilePasswd(slot, retry, cms);
if (pw != NULL) {
pwdata->source = PW_PLAINTEXT;
pwdata->data = strdup(pw);
}
/* it's already been dup'ed */
egress();
return pw;
Expand All @@ -460,6 +465,31 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
pwdata->source = PW_PLAINTEXT;
goto PW_PLAINTEXT;

case PW_FROMFILE:
dprintf("pwdata->source:PW_FROMFILE");
in = fopen(pwdata->data, "r");
if (!in)
return NULL;
pw = get_password(in, NULL, NULL, NULL);
fclose(in);
pwdata->source = PW_PLAINTEXT;
pwdata->data = pw;
goto PW_PLAINTEXT;

case PW_FROMFD:
dprintf("pwdata->source:PW_FROMFD");
rc = pwdata->intdata;
in = fdopen(pwdata->intdata, "r");
if (!in)
return NULL;
pw = get_password(in, NULL, NULL, NULL);
fclose(in);
close(rc);
pwdata->source = PW_PLAINTEXT;
pwdata->data = pw;
pwdata->intdata = -1;
goto PW_PLAINTEXT;

PW_PLAINTEXT:
case PW_PLAINTEXT:
egress();
Expand Down
71 changes: 68 additions & 3 deletions src/pesign.c
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,10 @@ long verbosity(void)
}

enum {
POPT_RET_PWDB = 0x40000001
POPT_RET_PWDB = 0x40000001,
POPT_RET_ENV = 0x40000002,
POPT_RET_PINFD = 0x40000003,
POPT_RET_PINFILE = 0x40000004,
};

int
Expand Down Expand Up @@ -92,6 +95,7 @@ main(int argc, char *argv[])
secuPWData pwdata;

memset(&pwdata, 0, sizeof(pwdata));
pwdata.intdata = -1;

setenv("NSS_DEFAULT_DB_TYPE", "sql", 0);

Expand Down Expand Up @@ -266,7 +270,27 @@ main(int argc, char *argv[])
.arg = &ctxp->verbose,
.val = 2,
.descrip = "be very verbose" },

{.longName = "pinfd",
.shortName = '\0',
.argInfo = POPT_ARG_INT,
.arg = &pwdata.intdata,
.val = POPT_RET_PINFD,
.descrip = "read file descriptor for pin information",
.argDescrip = "<file descriptor>" },
{.longName = "pinfile",
.shortName = '\0',
.argInfo = POPT_ARG_STRING,
.arg = &pwdata.data,
.val = POPT_RET_PINFILE,
.descrip = "read named file for pin information",
.argDescrip = "<pin file name>" },
{.longName = "pinenv",
.shortName = '\0',
.argInfo = POPT_ARG_STRING,
.arg = &pwdata.data,
.val = POPT_RET_ENV,
.descrip = "read file descriptor for pin information",
.argDescrip = "<file descriptor>" },
{.longName = "padding",
.shortName = 'P',
.argInfo = POPT_ARG_VAL,
Expand All @@ -289,6 +313,7 @@ main(int argc, char *argv[])
.shortName = '\0',
.argInfo = POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN,
.arg = &pwdata.data,
.val = POPT_RET_PWDB,
.descrip = "file to read passwords from.",
.argDescrip = "<pwfile>" },
POPT_AUTOALIAS
Expand All @@ -315,6 +340,47 @@ main(int argc, char *argv[])
errx(1, "--pwfile requires a file name as an argument");
pwdata.source = PW_FROMFILEDB;
pwdata.data = strdup(pwdata.data);
pwdata.intdata = -1;
if (!pwdata.data)
err(1, "could not allocate memory");
continue;

case POPT_RET_ENV:
dprintf("POPT_RET_ENV:\"%s\"", pwdata.data ? pwdata.data : "(null)");
if (pwdata.source != PW_SOURCE_INVALID)
errx(1, "only one password/pin method can be used at a time");
if (pwdata.data == NULL)
errx(1, "--pinenv requires an environment variable name as an argument");
pwdata.source = PW_FROMENV;
pwdata.data = strdup(pwdata.data);
pwdata.intdata = -1;
if (!pwdata.data)
err(1, "could not allocate memory");
continue;

case POPT_RET_PINFD:
dprintf("POPT_RET_PINFD:\"%s\"", pwdata.data ? pwdata.data : "(null)");
if (pwdata.source != PW_SOURCE_INVALID)
errx(1, "only one password/pin method can be used at a time");
if (pwdata.data == NULL)
errx(1, "--pinfd requires a file descriptor as an argument");
errno = 0;
pwdata.source = PW_FROMFD;
pwdata.intdata = strtol(pwdata.data, NULL, 0);
if ((pwdata.intdata == LONG_MIN || pwdata.intdata == LONG_MAX) && errno != 0)
err(1, "file descriptor needed, got \"%s\"", pwdata.data ? pwdata.data : "(null)");
pwdata.data = NULL;
continue;

case POPT_RET_PINFILE:
dprintf("POPT_RET_PINFILE:\"%s\"", pwdata.data ? pwdata.data : "(null)");
if (pwdata.source != PW_SOURCE_INVALID)
errx(1, "only one password/pin method can be used at a time");
if (pwdata.data == NULL)
errx(1, "--pinfile requires a file name as an argument");
pwdata.source = PW_FROMFILE;
pwdata.data = strdup(pwdata.data);
pwdata.intdata = -1;
if (!pwdata.data)
err(1, "could not allocate memory");
continue;
Expand Down Expand Up @@ -481,7 +547,6 @@ main(int argc, char *argv[])
if (digest_name && digest_name != orig_digest_name)
free(digest_name);


if (ctxp->sign) {
if (!ctxp->cms_ctx->certname) {
fprintf(stderr, "pesign: signing requested but no "
Expand Down

0 comments on commit 1a4481e

Please sign in to comment.