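/*
 * Load a DER-encoded RSA private key from the file rsa_key and bind it to
 * engine's RSA method.
 *
 * The whole file is read into a fixed stack buffer; a file that fills the
 * buffer completely is rejected as "too long" (the key must be strictly
 * smaller than the buffer). Every failure is fatal via err(). The raw key
 * bytes are wiped from the stack buffer once the key has been parsed.
 *
 * Returns the parsed key. Unless the file-level key_blinding flag is set,
 * RSA blinding is disabled on it (blinding is a timing side-channel
 * countermeasure; this mirrors the original behaviour and is left as is).
 */
static RSA *
read_key(ENGINE *engine, const char *rsa_key)
{
    unsigned char buf[1024 * 4];
    const unsigned char *p;
    volatile unsigned char *wipe;
    size_t size, i;
    int read_failed;
    RSA *rsa;
    FILE *f;

    f = fopen(rsa_key, "rb");
    if (f == NULL)
        err(1, "could not open file %s", rsa_key);
    rk_cloexec_file(f);

    size = fread(buf, 1, sizeof(buf), f);
    /*
     * A short read caused by an I/O error must not be mistaken for a
     * complete (smaller) file; check the stream before it is closed.
     */
    read_failed = ferror(f);
    fclose(f);
    if (read_failed || size == 0)
        err(1, "failed to read file %s", rsa_key);
    if (size == sizeof(buf))
        err(1, "key too long in file %s!", rsa_key);

    p = buf;
    rsa = d2i_RSAPrivateKey(NULL, &p, size);
    if (rsa == NULL)
        err(1, "failed to parse key in file %s", rsa_key);

    /*
     * Scrub the private key material from the stack. A plain memset() on
     * a buffer that is never read again may be dropped as a dead store;
     * writing through a volatile pointer is not.
     */
    for (wipe = buf, i = 0; i < sizeof(buf); i++)
        wipe[i] = 0;

    RSA_set_method(rsa, ENGINE_get_RSA(engine));
    if (!key_blinding)
        rsa->flags |= RSA_FLAG_NO_BLINDING;

    return rsa;
}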
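/*
 * Record the authenticator in rep in the replay cache id, refusing it if an
 * equal, still-live entry is already present.
 *
 * File layout as consumed here: the first rc_entry is a header whose stamp
 * is subtracted from the current time to get the cut-off t (presumably the
 * cache lifespan written when the cache was initialised); every later entry
 * is a (stamp, checksum) pair, and entries with stamp < t are ignored when
 * scanning for a replay.
 *
 * Returns 0 after the entry has been appended, KRB5_RC_REPLAY on a hit, the
 * errno of a failed open/read of the existing cache, and KRB5_RC_IO_UNKNOWN
 * when the header cannot be read or the new entry cannot be written.
 */
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rc_store(krb5_context context, krb5_rcache id, krb5_donot_replay *rep)
{
    struct rc_entry ent, tmp;
    time_t t;
    FILE *f;
    int ret;
    size_t count;

    /* Zero first so struct padding never carries stack contents into the file. */
    memset(&ent, 0, sizeof(ent));
    ent.stamp = time(NULL);
    checksum_authenticator(rep, ent.data);

    f = fopen(id->name, "r");
    if (f == NULL) {
        char buf[128];
        ret = errno;
        rk_strerror_r(ret, buf, sizeof(buf));
        krb5_set_error_message(context, ret, "open(%s): %s", id->name, buf);
        return ret;
    }
    rk_cloexec_file(f);

    count = fread(&tmp, sizeof(ent), 1, f);
    if (count != 1) {
        fclose(f);              /* this path previously leaked the stream */
        return KRB5_RC_IO_UNKNOWN;
    }
    t = ent.stamp - tmp.stamp;

    while (fread(&tmp, sizeof(ent), 1, f)) {
        if (tmp.stamp < t)
            continue;           /* expired entry, cannot be a live replay */
        if (memcmp(tmp.data, ent.data, sizeof(ent.data)) == 0) {
            fclose(f);
            krb5_clear_error_message(context);
            return KRB5_RC_REPLAY;
        }
    }
    if (ferror(f)) {
        char buf[128];
        ret = errno;            /* capture before fclose() can clobber it */
        fclose(f);
        rk_strerror_r(ret, buf, sizeof(buf));
        krb5_set_error_message(context, ret, "%s: %s", id->name, buf);
        return ret;
    }
    fclose(f);

    f = fopen(id->name, "a");
    if (f == NULL) {
        char buf[128];
        rk_strerror_r(errno, buf, sizeof(buf));
        krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN,
                               "open(%s): %s", id->name, buf);
        return KRB5_RC_IO_UNKNOWN;
    }
    /*
     * The authenticator is only protected against replay once its entry is
     * actually in the file, so a short write or a failed flush on close must
     * be reported instead of silently returning success.
     */
    if (fwrite(&ent, 1, sizeof(ent), f) != sizeof(ent)) {
        fclose(f);
        krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN,
                               "%s: short write", id->name);
        return KRB5_RC_IO_UNKNOWN;
    }
    if (fclose(f) != 0) {
        krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN,
                               "%s: close failed", id->name);
        return KRB5_RC_IO_UNKNOWN;
    }
    return 0;
}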
/*
 * Scan one k5login-style file for principal.
 *
 * Every line holds one principal name. A line that does not fit in the
 * buffer is drained and skipped in full; a line that fails to parse is
 * ignored. *result is set to TRUE and the scan stops at the first line
 * that compares equal to principal.
 *
 * Returns errno when the file cannot be opened. Otherwise 0 is returned
 * even when check_owner_file() rejects the file: that case simply yields
 * *result == FALSE. is_system_location is accepted but not used here.
 */
static krb5_error_code
check_one_file(krb5_context context, const char *filename, const char *owner,
               krb5_boolean is_system_location, krb5_const_principal principal,
               krb5_boolean *result)
{
    FILE *fp;
    char line[BUFSIZ];
    krb5_error_code owner_ret;

    *result = FALSE;

    if ((fp = fopen(filename, "r")) == NULL)
        return errno;
    rk_cloexec_file(fp);

    owner_ret = check_owner_file(context, filename, fp, owner);
    if (owner_ret == 0) {
        while (fgets(line, sizeof(line), fp) != NULL) {
            krb5_principal parsed;
            char *end = line + strcspn(line, "\n");

            if (*end != '\n') {
                /* Buffer ended before the line did: look at what follows. */
                int c = fgetc(fp);
                if (c != EOF) {
                    /* line was too long, so ignore it */
                    while (c != EOF && c != '\n')
                        c = fgetc(fp);
                    continue;
                }
                /* EOF right after the buffer: a final unterminated line. */
            }
            *end = '\0';

            if (krb5_parse_name(context, line, &parsed) != 0)
                continue;
            *result = krb5_principal_compare(context, principal, parsed);
            krb5_free_principal(context, parsed);
            if (*result)
                break;
        }
    }

    fclose(fp);
    return 0;
}
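/*
 * Look up NTLM credentials for target_domain in the file fn.
 *
 * The file holds lines of the form domain:user:password; lines starting
 * with '#' are comments. The first line whose domain matches target_domain
 * (case-insensitive; any domain when target_domain is NULL) and that has
 * both a user and a password wins: its domain and user are returned as
 * strdup()ed strings and its password is turned into an NT key in *key.
 *
 * Returns 0 on success, ENOENT when the file cannot be opened or no line
 * matches, ENOMEM on allocation failure. On failure *usernamep is NULL
 * but *domainp may still hold the most recently matched domain; the
 * caller frees whatever is non-NULL. The line buffer holds a cleartext
 * password, so it is cleared before every return.
 */
static int
from_file(const char *fn, const char *target_domain,
          char **domainp, char **usernamep, struct ntlm_buf *key)
{
    char *str, buf[1024];
    FILE *f;
    int ret = ENOENT;

    *domainp = NULL;
    *usernamep = NULL;

    f = fopen(fn, "r");
    if (f == NULL)
        return ENOENT;
    rk_cloexec_file(f);

    while (fgets(buf, sizeof(buf), f) != NULL) {
        char *d, *u, *p;

        buf[strcspn(buf, "\r\n")] = '\0';
        if (buf[0] == '#')
            continue;

        str = NULL;
        d = strtok_r(buf, ":", &str);

        free(*domainp);
        *domainp = NULL;

        /* A blank line gives d == NULL; strdup(NULL) below would crash. */
        if (d == NULL)
            continue;
        if (target_domain != NULL && strcasecmp(target_domain, d) != 0)
            continue;

        *domainp = strdup(d);
        if (*domainp == NULL) {
            ret = ENOMEM;
            goto out;
        }

        u = strtok_r(NULL, ":", &str);
        p = strtok_r(NULL, ":", &str);
        if (u == NULL || p == NULL)
            continue;

        *usernamep = strdup(u);
        if (*usernamep == NULL) {
            ret = ENOMEM;
            goto out;
        }
        heim_ntlm_nt_key(p, key);
        ret = 0;
        break;
    }

out:
    /* Single exit: the ENOMEM paths used to return without fclose() or wiping. */
    memset(buf, 0, sizeof(buf));
    fclose(f);
    return ret;
}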
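/*
 * Write every certificate in f->certs to the file f->fn in f->format,
 * truncating any existing file.
 *
 * Returns ENOENT when the file cannot be opened for writing (the error
 * string carries the path and the strerror of the real cause), otherwise
 * the result of the iteration, or the errno of a failed fclose() when the
 * buffered output could not be flushed. certs, flags and lock are part of
 * the backend interface and are not used here.
 */
static int
file_store(hx509_context context, hx509_certs certs, void *data,
           int flags, hx509_lock lock)
{
    struct ks_file *f = data;
    struct store_ctx sc;
    int ret;

    sc.f = fopen(f->fn, "w");
    if (sc.f == NULL) {
        int saved_errno = errno;
        /*
         * The format string has always had a %s for the path, but no
         * argument was passed for it (undefined behaviour); supply it.
         */
        hx509_set_error_string(context, 0, ENOENT,
                               "Failed to open file %s for writing: %s",
                               f->fn, strerror(saved_errno));
        return ENOENT;
    }
    rk_cloexec_file(sc.f);
    sc.format = f->format;

    ret = hx509_certs_iter(context, f->certs, store_func, &sc);

    /* A failed flush on close means the stored file is incomplete. */
    if (fclose(sc.f) != 0 && ret == 0) {
        ret = errno ? errno : EIO;
        hx509_set_error_string(context, 0, ret,
                               "Failed to write file %s: %s",
                               f->fn, strerror(ret));
    }
    return ret;
}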
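/*
 * Scan a .k5login-style file for principal, refusing to trust a file that
 * is not adequately protected.
 *
 * Before reading, the file must not be a directory, must be owned by
 * pwd->pw_uid or uid 0, and must not be writable by group or others;
 * otherwise EISDIR or EACCES is returned and nothing is read. Lines that
 * do not fit in the buffer are drained and skipped in full; unparsable
 * lines are ignored. *result becomes TRUE at the first line equal to
 * principal and the scan stops there.
 *
 * Returns errno for open/fstat failures, EISDIR/EACCES for the checks
 * above, otherwise 0.
 */
static krb5_error_code
check_one_file(krb5_context context, const char *filename, struct passwd *pwd,
               krb5_principal principal, krb5_boolean *result)
{
    FILE *f;
    char buf[BUFSIZ];
    krb5_error_code ret;
    struct stat st;

    *result = FALSE;

    f = fopen(filename, "r");
    if (f == NULL)
        return errno;
    rk_cloexec_file(f);

    /* check type and mode of file */
    if (fstat(fileno(f), &st) != 0) {
        ret = errno;            /* fclose() may overwrite errno; capture it first */
        fclose(f);
        return ret;
    }
    if (S_ISDIR(st.st_mode)) {
        fclose(f);
        return EISDIR;
    }
    if (st.st_uid != pwd->pw_uid && st.st_uid != 0) {
        fclose(f);
        return EACCES;
    }
    if ((st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        fclose(f);
        return EACCES;
    }

    while (fgets(buf, sizeof(buf), f) != NULL) {
        krb5_principal tmp;
        char *newline = buf + strcspn(buf, "\n");

        if (*newline != '\n') {
            /* Buffer ended before the line did: look at what follows. */
            int c;
            c = fgetc(f);
            if (c != EOF) {
                while (c != EOF && c != '\n')
                    c = fgetc(f);
                /* line was too long, so ignore it */
                continue;
            }
            /* EOF right after the buffer: a final unterminated line. */
        }
        *newline = '\0';

        ret = krb5_parse_name(context, buf, &tmp);
        if (ret)
            continue;
        *result = krb5_principal_compare(context, principal, tmp);
        krb5_free_principal(context, tmp);
        if (*result) {
            fclose(f);
            return 0;
        }
    }
    fclose(f);
    return 0;
}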
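/*
 * Prompt on stderr and read one line from the controlling terminal
 * (/dev/tty, falling back to stdin) into buf, optionally without echo.
 *
 * Every catchable signal except SIGALRM is temporarily routed to intr()
 * so that an interrupt ends the read; the previous dispositions are
 * restored before returning. With echo == 0 terminal echo is switched off
 * for the duration of the read and restored afterwards, but only when the
 * current terminal state could actually be fetched.
 *
 * buf is always NUL-terminated. Returns 0 on success, -1 when the input
 * did not fit (the stored line is truncated to len - 1 characters),
 * -2 when interrupted by a signal, -3 on EOF without a stream error.
 */
static int
read_string(const char *preprompt, const char *prompt, char *buf, size_t len, int echo)
{
    struct sigaction sigs[NSIG];
    int oksigs[NSIG];
    struct sigaction sa;
    FILE *tty;
    int ret = 0;
    int of = 0;
    int have_termios = 0;
    size_t i;
    int c;
    char *p;
    struct termios t_new, t_old;

    memset(&oksigs, 0, sizeof(oksigs));
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = intr;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    /* size_t index: the loop bound is a size_t, so no signed/unsigned mixing */
    for (i = 1; i < sizeof(sigs) / sizeof(sigs[0]); i++)
        if (i != SIGALRM)
            if (sigaction((int)i, &sa, &sigs[i]) == 0)
                oksigs[i] = 1;

    if ((tty = fopen("/dev/tty", "r")) != NULL)
        rk_cloexec_file(tty);
    else
        tty = stdin;

    fprintf(stderr, "%s%s", preprompt, prompt);
    fflush(stderr);

    if (echo == 0) {
        /*
         * tcgetattr() fails when tty is not a terminal (stdin may be a
         * pipe). t_old would then be uninitialised and restoring it below
         * would push garbage settings; only touch the terminal when its
         * current state was captured.
         */
        if (tcgetattr(fileno(tty), &t_old) == 0) {
            have_termios = 1;
            memcpy(&t_new, &t_old, sizeof(t_new));
            t_new.c_lflag &= ~ECHO;
            tcsetattr(fileno(tty), TCSANOW, &t_new);
        }
    }

    intr_flag = 0;
    p = buf;
    while (intr_flag == 0) {
        c = getc(tty);
        if (c == EOF) {
            if (!ferror(tty))
                ret = 1;
            break;
        }
        if (c == '\n')
            break;
        if (of == 0)
            *p++ = c;
        /* once the buffer is full, further input is dropped but remembered */
        of = (p == buf + len);
    }
    /* make room for the terminator: the last stored character is dropped */
    if (of)
        p--;
    *p = 0;

    if (echo == 0) {
        fprintf(stderr, "\n");
        if (have_termios)
            tcsetattr(fileno(tty), TCSANOW, &t_old);
    }
    if (tty != stdin)
        fclose(tty);

    for (i = 1; i < sizeof(sigs) / sizeof(sigs[0]); i++)
        if (oksigs[i])
            sigaction((int)i, &sigs[i], NULL);

    if (ret)
        return -3;
    if (intr_flag)
        return -2;
    if (of)
        return -1;
    return 0;
}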
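/*
 * Parse the soft-token configuration file fn line by line.
 *
 * Fields are TAB-separated; a line whose first non-blank character is '#'
 * is a comment. Recognised line types:
 *   certificate <id> <label> <store>   load a store via add_certificate()
 *   debug <file|stdout>                redirect st_logf() output
 *   app-fatal <true|on|false|off>      set soft_token.flags.app_error_fatal
 * Malformed or unknown lines are logged and skipped. userType is accepted
 * but not used here.
 *
 * Returns CKR_GENERAL_ERROR when fn is NULL or cannot be opened; otherwise
 * the last non-zero add_certificate() result, or CKR_OK if all succeeded.
 */
static CK_RV
read_conf_file(const char *fn, CK_USER_TYPE userType, const char *pin)
{
    char buf[1024], *type, *s, *p;
    FILE *f;
    CK_RV ret = CKR_OK;
    CK_RV failed = CKR_OK;

    if (fn == NULL) {
        st_logf("Can't open configuration file. No file specified\n");
        return CKR_GENERAL_ERROR;
    }

    f = fopen(fn, "r");
    if (f == NULL) {
        st_logf("can't open configuration file %s\n", fn);
        return CKR_GENERAL_ERROR;
    }
    rk_cloexec_file(f);

    while (fgets(buf, sizeof(buf), f) != NULL) {
        buf[strcspn(buf, "\n")] = '\0';
        st_logf("line: %s\n", buf);

        p = buf;
        while (isspace((unsigned char)*p))
            p++;
        if (*p == '#')
            continue;

        s = NULL;
        type = strtok_r(p, "\t", &s);
        if (type == NULL)
            continue;

        if (strcasecmp("certificate", type) == 0) {
            char *cert, *id, *label;

            id = strtok_r(NULL, "\t", &s);
            if (id == NULL) {
                st_logf("no id\n");
                continue;
            }
            st_logf("id: %s\n", id);
            label = strtok_r(NULL, "\t", &s);
            if (label == NULL) {
                st_logf("no label\n");
                continue;
            }
            cert = strtok_r(NULL, "\t", &s);
            if (cert == NULL) {
                st_logf("no certfiicate store\n");
                continue;
            }
            st_logf("adding: %s: %s in file %s\n", id, label, cert);
            ret = add_certificate(cert, pin, id, label);
            if (ret)
                failed = ret;
        } else if (strcasecmp("debug", type) == 0) {
            char *name;

            name = strtok_r(NULL, "\t", &s);
            if (name == NULL) {
                st_logf("no filename\n");
                continue;
            }
            /*
             * An earlier "debug stdout" line leaves logfile == stdout;
             * fclose()ing that would close the process's own standard
             * stream. Only close streams this function opened itself.
             */
            if (soft_token.logfile &&
                soft_token.logfile != stdout && soft_token.logfile != stderr)
                fclose(soft_token.logfile);
            if (strcasecmp(name, "stdout") == 0)
                soft_token.logfile = stdout;
            else {
                soft_token.logfile = fopen(name, "a");
                if (soft_token.logfile)
                    rk_cloexec_file(soft_token.logfile);
            }
            if (soft_token.logfile == NULL)
                st_logf("failed to open file: %s\n", name);
        } else if (strcasecmp("app-fatal", type) == 0) {
            char *name;

            name = strtok_r(NULL, "\t", &s);
            if (name == NULL) {
                st_logf("argument to app-fatal\n");
                continue;
            }
            if (strcmp(name, "true") == 0 || strcmp(name, "on") == 0)
                soft_token.flags.app_error_fatal = 1;
            else if (strcmp(name, "false") == 0 || strcmp(name, "off") == 0)
                soft_token.flags.app_error_fatal = 0;
            else
                st_logf("unknown app-fatal: %s\n", name);
        } else {
            st_logf("unknown type: %s\n", type);
        }
    }

    fclose(f);
    return failed;
}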
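/*
 * Shared constructor for the FILE: certificate store backend.
 *
 * residue is a comma-separated list of paths. With HX509_CERTS_CREATE the
 * store is backed by an empty MEMORY store and the files are not read (see
 * the XXX below). Otherwise each file is parsed as PEM; a file whose PEM
 * parsing fails with HX509_PARSING_KEY_FAILED is re-read as raw data and
 * offered to every entry of formats[] until one accepts it. The collected
 * certificates become f->certs and any private keys are attached to them.
 *
 * On success *data receives the new ks_file. On any failure *data stays
 * NULL, everything allocated here (including a partially built f->certs)
 * is released, and ENOMEM, ENOENT or the parser's error code is returned.
 */
static int
file_init_common(hx509_context context, hx509_certs certs, void **data, int flags,
                 const char *residue, hx509_lock lock, outformat format)
{
    char *p, *pnext;
    struct ks_file *f = NULL;
    hx509_private_key *keys = NULL;
    int ret;
    struct pem_ctx pem_ctx;

    pem_ctx.flags = flags;
    pem_ctx.c = NULL;

    *data = NULL;

    if (lock == NULL)
        lock = _hx509_empty_lock;

    f = calloc(1, sizeof(*f));
    if (f == NULL) {
        hx509_clear_error_string(context);
        return ENOMEM;
    }
    f->format = format;

    f->fn = strdup(residue);
    if (f->fn == NULL) {
        hx509_clear_error_string(context);
        ret = ENOMEM;
        goto out;
    }

    /*
     * XXX this is broken, the function should parse the file before
     * overwriting it
     */
    if (flags & HX509_CERTS_CREATE) {
        ret = hx509_certs_init(context, "MEMORY:ks-file-create", 0, lock, &f->certs);
        if (ret)
            goto out;
        *data = f;
        return 0;
    }

    ret = _hx509_collector_alloc(context, lock, &pem_ctx.c);
    if (ret)
        goto out;

    /* f->fn is split in place: each ',' is turned into a terminator. */
    for (p = f->fn; p != NULL; p = pnext) {
        FILE *fp;   /* was named f, shadowing the ks_file above */

        pnext = strchr(p, ',');
        if (pnext)
            *pnext++ = '\0';

        if ((fp = fopen(p, "r")) == NULL) {
            ret = ENOENT;
            hx509_set_error_string(context, 0, ret,
                                   "Failed to open PEM file \"%s\": %s",
                                   p, strerror(errno));
            goto out;
        }
        rk_cloexec_file(fp);

        ret = hx509_pem_read(context, fp, pem_func, &pem_ctx);
        fclose(fp);
        if (ret == HX509_PARSING_KEY_FAILED) {
            /* Not PEM: offer the raw file contents to each known format. */
            size_t length, i;
            void *ptr;

            ret = rk_undumpdata(p, &ptr, &length);
            if (ret) {
                hx509_clear_error_string(context);
                goto out;
            }
            for (i = 0; i < sizeof(formats) / sizeof(formats[0]); i++) {
                ret = (*formats[i].func)(context, p, pem_ctx.c, NULL, ptr, length);
                if (ret == 0)
                    break;
            }
            rk_xfree(ptr);
            if (ret)
                goto out;
        } else if (ret != 0) {
            goto out;
        }
    }

    ret = _hx509_collector_collect_certs(context, pem_ctx.c, &f->certs);
    if (ret)
        goto out;

    ret = _hx509_collector_collect_private_keys(context, pem_ctx.c, &keys);
    if (ret == 0) {
        int i;
        for (i = 0; keys[i]; i++)
            _hx509_certs_keys_add(context, f->certs, keys[i]);
        _hx509_certs_keys_free(context, keys);
    }

out:
    if (ret == 0) {
        *data = f;
    } else {
        /* f->certs was leaked when collecting the private keys failed */
        if (f->certs)
            hx509_certs_free(&f->certs);
        free(f->fn);
        free(f);
    }
    if (pem_ctx.c)
        _hx509_collector_free(pem_ctx.c);
    return ret;
}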
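/*
 * Prompt on stderr and read one line into buf, optionally without echo.
 *
 * Input comes from stdin when FLAG_USE_STDIO is set, otherwise from
 * /dev/tty with stdin as fallback. Every catchable signal except SIGALRM
 * is temporarily routed to intr() so that an interrupt ends the read; the
 * previous dispositions are restored before returning. Without FLAG_ECHO,
 * terminal echo is switched off for the read and restored afterwards, but
 * only when the current terminal state could actually be fetched.
 *
 * buf is always NUL-terminated. Returns 0 on success, -1 when the input
 * did not fit (the stored line is truncated to len - 1 characters),
 * -2 when interrupted by a signal, -3 on EOF without a stream error.
 */
static int
read_string(const char *preprompt, const char *prompt, char *buf, size_t len, int flags)
{
    struct sigaction sigs[NSIG];
    int oksigs[NSIG];
    struct sigaction sa;
    FILE *tty;
    int ret = 0;
    int of = 0;
    int have_termios = 0;
    size_t i;
    int c;
    char *p;
    struct termios t_new, t_old;

    memset(&oksigs, 0, sizeof(oksigs));
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = intr;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    for (i = 1; i < sizeof(sigs) / sizeof(sigs[0]); i++)
        if (i != SIGALRM)
            if (sigaction((int)i, &sa, &sigs[i]) == 0)
                oksigs[i] = 1;

    /*
     * Don't use /dev/tty for now since server tools want to to
     * read/write from stdio when setting up and interacting with the
     * Kerberos subsystem.
     *
     * When <rdar://problem/7308846> is in we can remove this, this is
     * to make transiation easier for server folks.
     */
    if ((flags & FLAG_USE_STDIO) != 0)
        tty = stdin;
    else if ((tty = fopen("/dev/tty", "r")) != NULL)
        rk_cloexec_file(tty);
    else
        tty = stdin;

    fprintf(stderr, "%s%s", preprompt, prompt);
    fflush(stderr);

    if ((flags & FLAG_ECHO) == 0) {
        /*
         * tcgetattr() fails when tty is not a terminal (stdin may be a
         * pipe, and FLAG_USE_STDIO makes that likely). t_old would then be
         * uninitialised and restoring it below would push garbage
         * settings; only touch the terminal when its state was captured.
         */
        if (tcgetattr(fileno(tty), &t_old) == 0) {
            have_termios = 1;
            memcpy(&t_new, &t_old, sizeof(t_new));
            t_new.c_lflag &= ~ECHO;
            tcsetattr(fileno(tty), TCSANOW, &t_new);
        }
    }

    intr_flag = 0;
    p = buf;
    while (intr_flag == 0) {
        c = getc(tty);
        if (c == EOF) {
            if (!ferror(tty))
                ret = 1;
            break;
        }
        if (c == '\n')
            break;
        if (of == 0)
            *p++ = c;
        /* once the buffer is full, further input is dropped but remembered */
        of = (p == buf + len);
    }
    /* make room for the terminator: the last stored character is dropped */
    if (of)
        p--;
    *p = 0;

    if ((flags & FLAG_ECHO) == 0) {
        fprintf(stderr, "\n");
        if (have_termios)
            tcsetattr(fileno(tty), TCSANOW, &t_old);
    }
    if (tty != stdin)
        fclose(tty);

    for (i = 1; i < sizeof(sigs) / sizeof(sigs[0]); i++)
        if (oksigs[i])
            sigaction((int)i, &sigs[i], NULL);

    if (ret)
        return -3;
    if (intr_flag)
        return -2;
    if (of)
        return -1;
    return 0;
}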