コード例 #1
ファイル: eng_back.c プロジェクト: DDvO/libp11
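/* Get the PIN by asking the user interface. The supplied call-back data are
 * passed to the user interface implemented by an application. Only the
 * application knows how to interpret the call-back data.
 *
 * On success the PIN is stored NUL-terminated in a freshly allocated
 * ctx->pin buffer and ctx->pin_length is set to MAX_PIN_LENGTH.
 *
 * Returns 1 on success, 0 on any failure (allocation, UI setup, or the
 * UI_process() prompt itself failing or being cancelled). */
static int get_pin(ENGINE_CTX *ctx, UI_METHOD *ui_method, void *callback_data)
{
	UI *ui;

	/* call ui to ask for a pin */
	ui = UI_new();
	if (ui == NULL) {
		fprintf(stderr, "UI_new failed\n");
		return 0;
	}
	if (ui_method != NULL)
		UI_set_method(ui, ui_method);
	if (callback_data != NULL)
		UI_add_user_data(ui, callback_data);

	/* Release any previously cached PIN before allocating a new buffer. */
	destroy_pin(ctx);

	/* UI_add_input_string() treats its last argument as the maximum number
	 * of characters in the answer, not counting the terminating NUL, so
	 * the buffer needs MAX_PIN_LENGTH + 1 bytes. Allocating exactly
	 * MAX_PIN_LENGTH would let a full-length PIN write one byte past the
	 * end of the heap block. */
	ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH + 1);
	if (ctx->pin == NULL) {
		/* The UI object was leaked on this path before. */
		UI_free(ui);
		return 0;
	}
	memset(ctx->pin, 0, MAX_PIN_LENGTH + 1);
	/* NOTE(review): destroy_pin() is not shown here; pin_length is kept at
	 * MAX_PIN_LENGTH as before, so confirm it wipes at least that many
	 * bytes before freeing. */
	ctx->pin_length = MAX_PIN_LENGTH;

	/* The add functions report failure with a value <= 0; testing only
	 * for 0 would miss a negative error return. */
	if (UI_add_input_string(ui, "PKCS#11 token PIN: ",
			UI_INPUT_FLAG_DEFAULT_PWD, ctx->pin, 1, MAX_PIN_LENGTH) <= 0) {
		fprintf(stderr, "UI_add_input_string failed\n");
		UI_free(ui);
		return 0;
	}
	/* UI_process() returns 0 on success, negative on error or cancel.
	 * NOTE(review): on failure ctx->pin stays allocated (empty or partly
	 * filled); callers must rely on the return value, not on
	 * ctx->pin != NULL, to decide whether a PIN is available. */
	if (UI_process(ui)) {
		fprintf(stderr, "UI_process failed\n");
		UI_free(ui);
		return 0;
	}
	UI_free(ui);
	return 1;
}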
コード例 #2
ファイル: tls_init.c プロジェクト: abh-gitcs1989/opensips
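/*
 * PEM pass-phrase callback: prompts for the pass phrase protecting the key
 * file named by `filename` and stores it NUL-terminated in `buf`.
 *
 * buf      - caller-supplied output buffer
 * size     - size of buf in bytes
 * rwflag   - unused
 * filename - object name shown in the prompt
 *
 * Returns the pass-phrase length, or 0 on failure.
 */
static int
passwd_cb(char *buf, int size, int rwflag, void *filename)
{
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
	UI   *ui = NULL;
	char *prompt = NULL;
	int   len;

	(void)rwflag;

	/* size - 1 is handed to the UI as the maximum answer length, so a
	 * non-positive size must be rejected up front. */
	if (buf == NULL || size < 1)
		goto err;
	/* Make sure buf is a valid empty string whatever happens below. */
	buf[0] = '\0';

	ui = UI_new();
	if (ui == NULL)
		goto err;

	/* UI_construct_prompt() returns an allocated string that the caller
	 * owns; it was never released before. */
	prompt = UI_construct_prompt(ui, "passphrase", filename);
	if (prompt == NULL)
		goto err;

	/* A value <= 0 from the add function means the prompt was not queued. */
	if (UI_add_input_string(ui, prompt, 0, buf, 0, size - 1) <= 0)
		goto err;

	/* A failed or cancelled prompt must not be reported as a pass phrase:
	 * previously strlen() ran on whatever buf happened to contain. */
	if (UI_process(ui) < 0)
		goto err;

	len = (int)strlen(buf);
	OPENSSL_free(prompt);
	UI_free(ui);
	return len;

err:
	LM_ERR("passwd_cb failed\n");
	/* Do not leave a partially entered pass phrase behind. */
	if (buf != NULL && size > 0)
		OPENSSL_cleanse(buf, size);
	if (prompt)
		OPENSSL_free(prompt);
	if (ui)
		UI_free(ui);
	return 0;

#else
	/* NOTE(review): this legacy branch was damaged in the listing (the
	 * text between the prompt literal and the log message was masked
	 * out). The verify argument 0 and the LM_ERR call are reconstructed;
	 * confirm against the upstream file. */
	if (des_read_pw_string(buf, size - 1, "Enter Private Key password:", 0)) {
		LM_ERR("passwd_cb failed\n");
		return 0;
	}
	return strlen(buf);

#endif
}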
コード例 #3
ファイル: e_tpm.c プロジェクト: tavlima/openssl-tpm-engine
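/*
 * Prompt for an authorization secret through the OpenSSL UI layer.
 *
 * ui_method    - UI method to use, or NULL for the default
 * auth         - caller-supplied buffer receiving the NUL-terminated answer
 * maxlen       - maximum answer length passed to the UI; the UI writes up to
 *                maxlen characters plus a terminating NUL, so auth must hold
 *                at least maxlen + 1 bytes (NOTE(review): confirm callers
 *                size the buffer that way)
 * input_string - prompt text
 * cb_data      - opaque user data handed to the UI method
 *
 * Returns auth on success, NULL on failure.
 */
static char *tpm_engine_get_auth(UI_METHOD *ui_method, char *auth, int maxlen,
				 char *input_string, void *cb_data)
{
	UI *ui;

	DBG("%s", __FUNCTION__);

	ui = UI_new();
	/* UI_new() can fail; the result was used unchecked before. */
	if (ui == NULL) {
		TSSerr(TPM_F_TPM_ENGINE_GET_AUTH, TPM_R_UI_METHOD_FAILED);
		return NULL;
	}
	if (ui_method)
		UI_set_method(ui, ui_method);
	UI_add_user_data(ui, cb_data);

	/* The add functions signal failure with a value <= 0, so a plain
	 * `!` test would let a negative error return through. */
	if (UI_add_input_string(ui, input_string, 0, auth, 0, maxlen) <= 0) {
		TSSerr(TPM_F_TPM_ENGINE_GET_AUTH, TPM_R_UI_METHOD_FAILED);
		UI_free(ui);
		return NULL;
	}

	/* UI_process() returns 0 on success, negative on error or cancel. */
	if (UI_process(ui)) {
		TSSerr(TPM_F_TPM_ENGINE_GET_AUTH, TPM_R_UI_METHOD_FAILED);
		UI_free(ui);
		return NULL;
	}

	UI_free(ui);
	return auth;
}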
コード例 #4
ファイル: uitest.c プロジェクト: jens-maus/amissl
/*
 * Queue one info string, one text prompt and two boolean prompts on `ui`,
 * run the dialogue and print what came back. Does nothing when ui is NULL.
 * Setup stops at the first call that reports an error (< 0), but the results
 * are printed either way, so untouched values show up as '!'.
 */
static void TestUI(UI *ui)
{
	char buffer[64] = {'!'};
	char answer1 = '!';
	char answer2 = '!';
	int ok;

	if (!ui)
		return;

	ok = UI_add_info_string(ui, "Info");
	if (ok < 0) {
		printf("Error while adding info string\n");
		goto report;
	}

	/* sizeof(buffer) - 1 leaves room for the terminating NUL. */
	ok = UI_add_input_string(ui, "Prompt2", 0, &buffer[0], 0,
	                         sizeof(buffer) - 1);
	if (ok < 0) {
		printf("Error while adding input string\n");
		goto report;
	}

	ok = UI_dup_input_boolean(ui, "Boolean1",
	                          "\n then hit <enter> or C<enter> to cancel\n",
	                          "o", "c", UI_INPUT_FLAG_ECHO,
	                          &answer1);
	if (ok < 0) {
		printf("Error while adding boolean string\n");
		goto report;
	}

	ok = UI_dup_input_boolean(ui, "Boolean2",
	                          "\n then hit <enter> or C<enter> to cancel\n",
	                          "y", "N", UI_INPUT_FLAG_ECHO,
	                          &answer2);
	if (ok < 0) {
		printf("Error while adding boolean string\n");
		goto report;
	}

	ok = UI_process(ui);
	if (ok < 0)
		printf("Error during UI_process\n");

report:
	printf("Prompt result: %s\n", &buffer[0]);

	printf("Answer1: %c\n", answer1);
	printf("Answer2: %c\n", answer2);
}
コード例 #5
ファイル: evp_key.c プロジェクト: Ana06/openssl
/*
 * Read a password of at least `min` characters into `buf` via the UI layer.
 *
 * buf    - output buffer for the password
 * min    - minimum accepted length
 * len    - maximum length; capped at BUFSIZ - 1 so that the verification
 *          copy fits in the local scratch buffer
 * prompt - prompt text; when NULL and the file-level prompt_string is
 *          non-empty, prompt_string is used instead
 * verify - non-zero to ask a second time and compare
 *
 * Returns the UI_process() result, or -1 if the UI could not be created or
 * a prompt could not be queued.
 *
 * NOTE(review): the UI writes up to the maximum length plus a terminating
 * NUL, so buf presumably has to hold len + 1 bytes; confirm with callers.
 */
int EVP_read_pw_string_min(char *buf, int min, int len, const char *prompt,
                           int verify)
{
    char buff[BUFSIZ];
    UI *ui;
    int maxlen;
    int ret = -1;

    if (prompt == NULL && prompt_string[0] != '\0')
        prompt = prompt_string;

    ui = UI_new();
    if (ui == NULL)
        return ret;

    maxlen = (len >= BUFSIZ) ? BUFSIZ - 1 : len;

    if (UI_add_input_string(ui, prompt, 0, buf, min, maxlen) >= 0
        && (!verify
            || UI_add_verify_string(ui, prompt, 0, buff, min, maxlen,
                                    buf) >= 0)) {
        ret = UI_process(ui);
        /* buff may now hold the verification copy of the password. */
        OPENSSL_cleanse(buff, BUFSIZ);
    }

    UI_free(ui);
    return ret;
}
コード例 #6
ファイル: evp_key.c プロジェクト: aosm/OpenSSL097
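/* For historical reasons, the standard function for reading passwords is
 * in the DES library -- if someone ever wants to disable DES,
 * this function will fail
 *
 * Reads a password into buf via the UI layer. len is capped at BUFSIZ-1 so
 * the verification copy fits in the local scratch buffer. When prompt is
 * NULL and the file-level prompt_string is non-empty, prompt_string is used.
 * Returns the UI_process() result, or -1 if the UI object could not be
 * created or a prompt could not be queued. */
int EVP_read_pw_string(char *buf, int len, const char *prompt, int verify)
	{
	int ret = -1;
	char buff[BUFSIZ];
	UI *ui;
	int maxlen = (len>=BUFSIZ)?BUFSIZ-1:len;

	if ((prompt == NULL) && (prompt_string[0] != '\0'))
		prompt=prompt_string;
	ui = UI_new();
	/* UI_new() can return NULL; it was passed on unchecked before. */
	if (ui == NULL)
		return ret;
	/* A value <= 0 from the add functions means the prompt was not
	 * queued; running UI_process() anyway would report success without
	 * ever having filled buf. */
	if (UI_add_input_string(ui,prompt,0,buf,0,maxlen) <= 0)
		goto end;
	if (verify
		&& UI_add_verify_string(ui,prompt,0,buff,0,maxlen,buf) <= 0)
		goto end;
	ret = UI_process(ui);
end:
	UI_free(ui);
	/* buff may hold the verification copy of the password. */
	OPENSSL_cleanse(buff,BUFSIZ);
	return ret;
	}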
コード例 #7
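/*
 * Authenticate a private key operation if needed.
 *
 * When the token advertises a protected authentication path, login is
 * performed without a PIN. Otherwise the PIN is requested through the key's
 * UI method and passed to C_Login as a context-specific login.
 *
 * Returns 0 on success (including "already logged in"), PKCS11_UI_FAILED if
 * the PIN prompt fails, or the C_Login return value otherwise.
 */
int pkcs11_authenticate(PKCS11_KEY *key)
{
	PKCS11_KEY_private *kpriv = PRIVKEY(key);
	PKCS11_TOKEN *token = KEY2TOKEN(key);
	PKCS11_SLOT *slot = TOKEN2SLOT(token);
	PKCS11_SLOT_private *spriv = PRIVSLOT(slot);
	PKCS11_CTX *ctx = SLOT2CTX(slot);
	/* +1: the UI stores up to MAX_PIN_LENGTH characters plus a NUL. */
	char pin[MAX_PIN_LENGTH+1];
	UI *ui;
	int rv;

	/* Handle CKF_PROTECTED_AUTHENTICATION_PATH */
	if (token->secureLogin) {
		rv = CRYPTOKI_call(ctx,
			C_Login(spriv->session, CKU_CONTEXT_SPECIFIC, NULL, 0));
		return rv == CKR_USER_ALREADY_LOGGED_IN ? 0 : rv;
	}

	/* Call UI to ask for a PIN */
	ui = UI_new_method(kpriv->ui_method);
	if (ui == NULL)
		return PKCS11_UI_FAILED;
	if (kpriv->ui_user_data != NULL)
		UI_add_user_data(ui, kpriv->ui_user_data);
	memset(pin, 0, sizeof(pin));
	/* The add functions signal failure with a value <= 0; a plain `!`
	 * test would let a negative error return through. */
	if (UI_add_input_string(ui, "PKCS#11 key PIN: ",
			UI_INPUT_FLAG_DEFAULT_PWD, pin, 4, MAX_PIN_LENGTH) <= 0) {
		UI_free(ui);
		return PKCS11_UI_FAILED;
	}
	if (UI_process(ui)) {
		UI_free(ui);
		/* A failed or cancelled prompt may still have written to the
		 * buffer; wipe it on this path as on the success path. */
		OPENSSL_cleanse(pin, sizeof(pin));
		return PKCS11_UI_FAILED;
	}
	UI_free(ui);

	/* Login with the PIN */
	rv = CRYPTOKI_call(ctx,
		C_Login(spriv->session, CKU_CONTEXT_SPECIFIC,
			(CK_UTF8CHAR *)pin, strlen(pin)));
	/* Wipe the stack copy as soon as the token has consumed it. */
	OPENSSL_cleanse(pin, sizeof(pin));
	return rv == CKR_USER_ALREADY_LOGGED_IN ? 0 : rv;
}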
コード例 #8
ファイル: loader_file.c プロジェクト: InfoHunter/openssl
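/*
 * Prompt for a pass phrase through the UI layer.
 *
 * ui_method   - UI method to use, or NULL for the default
 * pass        - caller-supplied buffer receiving the NUL-terminated answer
 * maxsize     - size of pass in bytes; maxsize - 1 is the longest accepted
 *               answer (NOTE(review): maxsize == 0 is not guarded here and
 *               would wrap in maxsize - 1; confirm callers never pass it)
 * prompt_info - object name woven into the prompt text
 * data        - opaque user data handed to the UI method
 *
 * Returns pass on success, NULL on failure with an error queued.
 */
static char *file_get_pass(const UI_METHOD *ui_method, char *pass,
                           size_t maxsize, const char *prompt_info, void *data)
{
    UI *ui = UI_new();
    char *prompt = NULL;

    if (ui == NULL) {
        OSSL_STOREerr(OSSL_STORE_F_FILE_GET_PASS, ERR_R_MALLOC_FAILURE);
        return NULL;
    }

    if (ui_method != NULL)
        UI_set_method(ui, ui_method);
    UI_add_user_data(ui, data);

    if ((prompt = UI_construct_prompt(ui, "pass phrase",
                                      prompt_info)) == NULL) {
        OSSL_STOREerr(OSSL_STORE_F_FILE_GET_PASS, ERR_R_MALLOC_FAILURE);
        pass = NULL;
    } else if (UI_add_input_string(ui, prompt, UI_INPUT_FLAG_DEFAULT_PWD,
                                   pass, 0, maxsize - 1) <= 0) {
        /*
         * The add functions signal failure with a value <= 0, so a plain
         * `!` test would treat a negative error return as success.
         */
        OSSL_STOREerr(OSSL_STORE_F_FILE_GET_PASS, ERR_R_UI_LIB);
        pass = NULL;
    } else {
        switch (UI_process(ui)) {
        case -2:
            OSSL_STOREerr(OSSL_STORE_F_FILE_GET_PASS,
                          OSSL_STORE_R_UI_PROCESS_INTERRUPTED_OR_CANCELLED);
            pass = NULL;
            break;
        case -1:
            OSSL_STOREerr(OSSL_STORE_F_FILE_GET_PASS, ERR_R_UI_LIB);
            pass = NULL;
            break;
        default:
            break;
        }
    }

    /* The prompt string is owned by this function, not by the UI object. */
    OPENSSL_free(prompt);
    UI_free(ui);
    return pass;
}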
コード例 #9
ファイル: uitest.c プロジェクト: Castaglia/openssl
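/*
 * Test wrapping old style PEM password callback in a UI method through the
 * use of UI utility functions.
 *
 * Returns 1 when the pass phrase delivered through the wrapped callback
 * equals the default password handed in as UI user data, 0 otherwise.
 */
static int test_old(void)
{
    UI_METHOD *ui_method = NULL;
    UI *ui = NULL;
    char defpass[] = "password";
    char pass[16];
    int ok = 0;

    if ((ui_method =
         UI_UTIL_wrap_read_pem_callback(test_pem_password_cb, 0)) == NULL
        || (ui = UI_new_method(ui_method)) == NULL)
        goto err;

    /* The wrapper passes the UI userdata as the callback userdata param */
    UI_add_user_data(ui, defpass);

    /*
     * The add functions signal failure with a value <= 0; a plain `!` test
     * would miss a negative error return and go on to compare an
     * uninitialised pass buffer. sizeof(pass) - 1 leaves room for the NUL.
     */
    if (UI_add_input_string(ui, "prompt", UI_INPUT_FLAG_DEFAULT_PWD,
                            pass, 0, sizeof(pass) - 1) <= 0)
        goto err;

    switch (UI_process(ui)) {
    case -2:
        BIO_printf(bio_err, "test_old: UI process interrupted or cancelled\n");
        /* fall through */
    case -1:
        goto err;
    default:
        break;
    }

    if (strcmp(pass, defpass) == 0)
        ok = 1;
    else
        BIO_printf(bio_err, "test_old: password failure\n");

 err:
    if (!ok)
        ERR_print_errors_fp(stderr);
    UI_free(ui);
    UI_destroy_method(ui_method);

    return ok;
}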
コード例 #10
ファイル: tls_mgm.c プロジェクト: Danfx/opensips
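/*
 * PEM pass-phrase callback: prompts for the pass phrase protecting the key
 * file named by `filename` and stores it NUL-terminated in `buf`.
 *
 * buf      - caller-supplied output buffer
 * size     - size of buf in bytes
 * rwflag   - unused
 * filename - object name shown in the prompt
 *
 * Returns the pass-phrase length, or 0 on failure.
 */
static int passwd_cb(char *buf, int size, int rwflag, void *filename)
{
	UI   *ui = NULL;
	char *prompt = NULL;
	int   len;

	(void)rwflag;

	/* size - 1 is handed to the UI as the maximum answer length, so a
	 * non-positive size must be rejected up front. */
	if (buf == NULL || size < 1)
		goto err;
	/* Make sure buf is a valid empty string whatever happens below. */
	buf[0] = '\0';

	ui = UI_new();
	if (ui == NULL)
		goto err;

	/* UI_construct_prompt() returns an allocated string that the caller
	 * owns; it was never released before. */
	prompt = UI_construct_prompt(ui, "passphrase", filename);
	if (prompt == NULL)
		goto err;

	/* A value <= 0 from the add function means the prompt was not queued. */
	if (UI_add_input_string(ui, prompt, 0, buf, 0, size - 1) <= 0)
		goto err;

	/* A failed or cancelled prompt must not be reported as a pass phrase:
	 * previously strlen() ran on whatever buf happened to contain. */
	if (UI_process(ui) < 0)
		goto err;

	len = (int)strlen(buf);
	OPENSSL_free(prompt);
	UI_free(ui);
	return len;

err:
	LM_ERR("passwd_cb failed\n");
	/* Do not leave a partially entered pass phrase behind. */
	if (buf != NULL && size > 0)
		OPENSSL_cleanse(buf, size);
	if (prompt)
		OPENSSL_free(prompt);
	if (ui)
		UI_free(ui);
	return 0;
}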
コード例 #11
ファイル: uitest.c プロジェクト: Ana06/openssl
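/*
 * Test wrapping old style PEM password callback in a UI method through the
 * use of UI utility functions.
 *
 * Returns 1 when the pass phrase delivered through the wrapped callback
 * equals the default password handed in as UI user data, 0 otherwise.
 */
static int test_old(void)
{
    UI_METHOD *ui_method = NULL;
    UI *ui = NULL;
    char defpass[] = "password";
    char pass[16];
    int ok = 0;

    if (!TEST_ptr(ui_method =
                  UI_UTIL_wrap_read_pem_callback(test_pem_password_cb, 0))
            || !TEST_ptr(ui = UI_new_method(ui_method)))
        goto err;

    /* The wrapper passes the UI userdata as the callback userdata param */
    UI_add_user_data(ui, defpass);

    /*
     * The add functions signal failure with a value <= 0; a plain `!` test
     * would miss a negative error return and go on to compare an
     * uninitialised pass buffer. sizeof(pass) - 1 leaves room for the NUL.
     */
    if (UI_add_input_string(ui, "prompt", UI_INPUT_FLAG_DEFAULT_PWD,
                            pass, 0, sizeof(pass) - 1) <= 0)
        goto err;

    switch (UI_process(ui)) {
    case -2:
        TEST_info("test_old: UI process interrupted or cancelled");
        /* fall through */
    case -1:
        goto err;
    default:
        break;
    }

    if (TEST_str_eq(pass, defpass))
        ok = 1;

 err:
    UI_free(ui);
    UI_destroy_method(ui_method);

    return ok;
}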
コード例 #12
ファイル: ui_util.c プロジェクト: Castaglia/openssl
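/*
 * Read a password into buf through the default UI method.
 *
 * buf    - output buffer of `size` bytes
 * buff   - scratch buffer of `size` bytes for the verification copy; only
 *          used when verify is non-zero
 * size   - size of both buffers; size - 1 is the longest accepted answer
 * prompt - prompt text
 * verify - non-zero to ask a second time and compare
 *
 * Returns 0 on success and a negative value on failure.
 */
int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt,
                    int verify)
{
    /*
     * Start from "error": when UI_new() failed, the old initial value of 0
     * was returned as success although buf had never been written.
     */
    int ok = -1;
    UI *ui;

    if (size < 1)
        return -1;

    ui = UI_new();
    if (ui != NULL) {
        ok = UI_add_input_string(ui, prompt, 0, buf, 0, size - 1);
        if (ok >= 0 && verify)
            ok = UI_add_verify_string(ui, prompt, 0, buff, 0, size - 1, buf);
        if (ok >= 0)
            ok = UI_process(ui);
        UI_free(ui);
    }
    /* Positive values are collapsed to plain success. */
    if (ok > 0)
        ok = 0;
    return (ok);
}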
コード例 #13
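/*
 * Pass-phrase hook: obtains a pass phrase either through a UI method or
 * through a PEM-style password callback.
 *
 * prompt_info - object description for the prompt; an empty string is
 *               treated as NULL
 * len_io      - in: size of buf; out: length of the pass phrase (0 on
 *               failure)
 * buf         - output buffer
 * ppctx       - per-pass-phrase context; its ui_method overrides the caller
 *               context and disables the plain callback
 * cactx       - caller context supplying default ui_method, callback and
 *               callback data
 *
 * Returns 0 on success, -1 on failure.
 */
static int hwcrhk_get_pass(const char *prompt_info,
	int *len_io, char *buf,
	HWCryptoHook_PassphraseContext *ppctx,
	HWCryptoHook_CallerContext *cactx)
	{
	pem_password_cb *callback = NULL;
	void *callback_data = NULL;
	UI_METHOD *ui_method = NULL;
	int len = 0;

	/* Despite what the documentation says prompt_info can be
	 * an empty string.
	 */
	if (prompt_info && !*prompt_info)
		prompt_info = NULL;

	if (cactx)
		{
		if (cactx->ui_method)
			ui_method = cactx->ui_method;
		if (cactx->password_callback)
			callback = cactx->password_callback;
		if (cactx->callback_data)
			callback_data = cactx->callback_data;
		}
	if (ppctx)
		{
		if (ppctx->ui_method)
			{
			ui_method = ppctx->ui_method;
			callback = NULL;
			}
		if (ppctx->callback_data)
			callback_data = ppctx->callback_data;
		}
	if (callback == NULL && ui_method == NULL)
		{
		HWCRHKerr(HWCRHK_F_HWCRHK_GET_PASS,HWCRHK_R_NO_CALLBACK);
		return -1;
		}

	if (ui_method)
		{
		/* (*len_io) - 1 is the maximum answer length, so the buffer
		 * must have room for at least the terminating NUL. */
		UI *ui = (*len_io >= 1) ? UI_new_method(ui_method) : NULL;
		if (ui)
			{
			int ok = -1;
			char *prompt = UI_construct_prompt(ui,
				"pass phrase", prompt_info);

			UI_add_user_data(ui, callback_data);
			UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);

			/* The add function returns a positive value on
			 * success; only then is the dialogue run. */
			if (UI_add_input_string(ui,prompt,
				UI_INPUT_FLAG_DEFAULT_PWD,
				buf,0,(*len_io) - 1) > 0)
				do
					{
					ok=UI_process(ui);
					}
				while (ok < 0 && UI_ctrl(ui, UI_CTRL_IS_REDOABLE, 0, 0, 0));

			if (ok >= 0)
				len = strlen(buf);

			UI_free(ui);
			OPENSSL_free(prompt);
			}
		}
	else
		{
		len = callback(buf, *len_io, 0, callback_data);
		}

	/* Previously a failed UI dialogue (or a failed UI_new_method) left
	 * *len_io at the caller's buffer size, so the function reported
	 * success with buf never filled in; a negative callback result was
	 * accepted as well. Both are failures. */
	if (len <= 0)
		{
		*len_io = 0;
		return -1;
		}
	*len_io = len;
	return 0;
	}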
コード例 #14
ファイル: liblock.c プロジェクト: fvpolpeta/simple-ris
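/*
 * Password callback: returns a pre-configured password from cb_tmp when one
 * is set, otherwise prompts through the file-level ui_method.
 *
 * buf    - output buffer
 * bufsiz - size of buf in bytes
 * verify - non-zero to ask a second time and compare
 * cb_tmp - optional callback data carrying a fixed password and/or the
 *          object name for the prompt
 *
 * Returns the password length, or 0 on failure. A pre-configured password
 * is copied without a terminating NUL and truncated to bufsiz.
 */
int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
{
	UI *ui = NULL;
	int res = 0;
	const char *prompt_info = NULL;
	const char *password = NULL;
	PW_CB_DATA *cb_data = cb_tmp;

	/* A non-positive size would turn into a huge memcpy length or a
	 * negative maximum answer length below. */
	if (buf == NULL || bufsiz < 1)
		return 0;

	if (cb_data)
	{
		if (cb_data->password)
			password = (const char*)cb_data->password;
		if (cb_data->prompt_info)
			prompt_info = cb_data->prompt_info;
	}

	if (password)
	{
		res = strlen(password);
		if (res > bufsiz)
			res = bufsiz;
		memcpy(buf, password, res);
		return res;
	}

	ui = UI_new_method(ui_method);
	if (ui)
	{
		int ok = 0;
		char *buff = NULL;
		int ui_flags = 0;
		char *prompt = NULL;

		prompt = UI_construct_prompt(ui, "pass phrase",
			prompt_info);

		ui_flags |= UI_INPUT_FLAG_DEFAULT_PWD;
		UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);

		/* The maximum answer length must follow the caller's buffer:
		 * the former fixed BUFSIZ-1 let the UI write past the end of
		 * any buf (or verify buffer) smaller than BUFSIZ. */
		ok = UI_add_input_string(ui,prompt,ui_flags,buf,
			PW_MIN_LENGTH,bufsiz-1);
		if (ok >= 0 && verify)
			{
			buff = OPENSSL_malloc(bufsiz);
			if (buff == NULL)
				/* allocation was used unchecked before */
				ok = -1;
			else
				ok = UI_add_verify_string(ui,prompt,ui_flags,buff,
					PW_MIN_LENGTH,bufsiz-1, buf);
			}
		if (ok >= 0)
			do
			{
				ok = UI_process(ui);
			}
			while (ok < 0 && UI_ctrl(ui, UI_CTRL_IS_REDOABLE, 0, 0, 0));

		if (buff)
		{
			/* buff may hold the verification copy of the password. */
			OPENSSL_cleanse(buff,(unsigned int)bufsiz);
			OPENSSL_free(buff);
		}

		if (ok >= 0)
			res = strlen(buf);
		if (ok == -1)
		{
			BIO_printf(bio_err, "User interface error\n");
			ERR_print_errors(bio_err);
			OPENSSL_cleanse(buf,(unsigned int)bufsiz);
			res = 0;
		}
		if (ok == -2)
		{
			BIO_printf(bio_err,"aborted!\n");
			OPENSSL_cleanse(buf,(unsigned int)bufsiz);
			res = 0;
		}
		UI_free(ui);
		OPENSSL_free(prompt);
	}
	return res;
}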