static int
passwd_cb(char *buf, int size, int rwflag, void *filename)
{
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
UI *ui;
const char *prompt;
ui = UI_new();
if (ui == NULL)
goto err;
prompt = UI_construct_prompt(ui, "passphrase", filename);
UI_add_input_string(ui, prompt, 0, buf, 0, size - 1);
UI_process(ui);
UI_free(ui);
return strlen(buf);
err:
LM_ERR("passwd_cb failed\n");
if (ui)
UI_free(ui);
return 0;
#else
if( des_read_pw_string(buf, size-1, "Enter Private Key password:"******"passwd_cb failed\n");
return 0;
}
return strlen( buf );
#endif
}
/* Get the PIN via asking user interface. The supplied call-back data are
* passed to the user interface implemented by an application. Only the
* application knows how to interpret the call-back data.
* A (strdup'ed) copy of the PIN code will be stored in the pin variable. */
static int get_pin(ENGINE_CTX *ctx, UI_METHOD *ui_method, void *callback_data)
{
UI *ui;
/* call ui to ask for a pin */
ui = UI_new();
if (ui == NULL) {
fprintf(stderr, "UI_new failed\n");
return 0;
}
if (ui_method != NULL)
UI_set_method(ui, ui_method);
if (callback_data != NULL)
UI_add_user_data(ui, callback_data);
destroy_pin(ctx);
ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH * sizeof(char));
if (ctx->pin == NULL)
return 0;
memset(ctx->pin, 0, MAX_PIN_LENGTH * sizeof(char));
ctx->pin_length = MAX_PIN_LENGTH;
if (!UI_add_input_string(ui, "PKCS#11 token PIN: ",
UI_INPUT_FLAG_DEFAULT_PWD, ctx->pin, 1, MAX_PIN_LENGTH)) {
fprintf(stderr, "UI_add_input_string failed\n");
UI_free(ui);
return 0;
}
if (UI_process(ui)) {
fprintf(stderr, "UI_process failed\n");
UI_free(ui);
return 0;
}
UI_free(ui);
return 1;
}
static char *tpm_engine_get_auth(UI_METHOD *ui_method, char *auth, int maxlen,
char *input_string, void *cb_data)
{
UI *ui;
DBG("%s", __FUNCTION__);
ui = UI_new();
if (ui_method)
UI_set_method(ui, ui_method);
UI_add_user_data(ui, cb_data);
if (!UI_add_input_string(ui, input_string, 0, auth, 0, maxlen)) {
TSSerr(TPM_F_TPM_ENGINE_GET_AUTH, TPM_R_UI_METHOD_FAILED);
UI_free(ui);
return NULL;
}
if (UI_process(ui)) {
TSSerr(TPM_F_TPM_ENGINE_GET_AUTH, TPM_R_UI_METHOD_FAILED);
UI_free(ui);
return NULL;
}
UI_free(ui);
return auth;
}
int EVP_read_pw_string_min(char *buf, int min, int len, const char *prompt,
int verify)
{
int ret = -1;
char buff[BUFSIZ];
UI *ui;
if ((prompt == NULL) && (prompt_string[0] != '\0'))
prompt = prompt_string;
ui = UI_new();
if (ui == NULL)
return ret;
if (UI_add_input_string(ui, prompt, 0, buf, min,
(len >= BUFSIZ) ? BUFSIZ - 1 : len) < 0
|| (verify
&& UI_add_verify_string(ui, prompt, 0, buff, min,
(len >= BUFSIZ) ? BUFSIZ - 1 : len,
buf) < 0))
goto end;
ret = UI_process(ui);
OPENSSL_cleanse(buff, BUFSIZ);
end:
UI_free(ui);
return ret;
}
int main(void)
{
char buffer1[64], buffer2[64];
UI_METHOD *ui_method;
UI *ui;
printf("Testing UI_UTIL_read_pw:\n");
if (UI_UTIL_read_pw(&buffer1[0], &buffer2[0], sizeof(buffer1) - 1, "Prompt", 1) == 0)
printf("Password: \"%s\"\n", &buffer1[0]);
else
printf("Error getting password\n");
printf("Testing UI with default UI method:\n");
if((ui = UI_new()) != NULL)
{
TestUI(ui);
UI_free(ui);
}
else
printf("Couldn't setup method\n");
printf("Testing UI with UI method with wrappers:\n");
if((ui_method = UI_create_method((char *)"Test method")) != NULL)
{
if((ui = UI_new_method(ui_method)) != NULL)
{
UI_method_set_opener(ui_method, ui_open);
UI_method_set_reader(ui_method, ui_read);
UI_method_set_writer(ui_method, ui_write);
UI_method_set_closer(ui_method, ui_close);
TestUI(ui);
UI_free(ui);
}
else
printf("Couldn't setup method\n");
UI_destroy_method(ui_method);
}
else
printf("Couldn't create method\n");
return(0);
}
/*
* Authenticate a private the key operation if needed
*/
int pkcs11_authenticate(PKCS11_KEY *key)
{
PKCS11_KEY_private *kpriv = PRIVKEY(key);
PKCS11_TOKEN *token = KEY2TOKEN(key);
PKCS11_SLOT *slot = TOKEN2SLOT(token);
PKCS11_SLOT_private *spriv = PRIVSLOT(slot);
PKCS11_CTX *ctx = SLOT2CTX(slot);
char pin[MAX_PIN_LENGTH+1];
UI *ui;
int rv;
/* Handle CKF_PROTECTED_AUTHENTICATION_PATH */
if (token->secureLogin) {
rv = CRYPTOKI_call(ctx,
C_Login(spriv->session, CKU_CONTEXT_SPECIFIC, NULL, 0));
return rv == CKR_USER_ALREADY_LOGGED_IN ? 0 : rv;
}
/* Call UI to ask for a PIN */
ui = UI_new_method(kpriv->ui_method);
if (ui == NULL)
return PKCS11_UI_FAILED;
if (kpriv->ui_user_data != NULL)
UI_add_user_data(ui, kpriv->ui_user_data);
memset(pin, 0, MAX_PIN_LENGTH+1);
if (!UI_add_input_string(ui, "PKCS#11 key PIN: ",
UI_INPUT_FLAG_DEFAULT_PWD, pin, 4, MAX_PIN_LENGTH)) {
UI_free(ui);
return PKCS11_UI_FAILED;
}
if (UI_process(ui)) {
UI_free(ui);
return PKCS11_UI_FAILED;
}
UI_free(ui);
/* Login with the PIN */
rv = CRYPTOKI_call(ctx,
C_Login(spriv->session, CKU_CONTEXT_SPECIFIC,
(CK_UTF8CHAR *)pin, strlen(pin)));
OPENSSL_cleanse(pin, MAX_PIN_LENGTH+1);
return rv == CKR_USER_ALREADY_LOGGED_IN ? 0 : rv;
}
static int passwd_cb(char *buf, int size, int rwflag, void *filename)
{
UI *ui;
const char *prompt;
ui = UI_new();
if (ui == NULL)
goto err;
prompt = UI_construct_prompt(ui, "passphrase", filename);
UI_add_input_string(ui, prompt, 0, buf, 0, size - 1);
UI_process(ui);
UI_free(ui);
return strlen(buf);
err:
LM_ERR("passwd_cb failed\n");
if (ui)
UI_free(ui);
return 0;
}
/* For historical reasons, the standard function for reading passwords is
* in the DES library -- if someone ever wants to disable DES,
* this function will fail */
int EVP_read_pw_string(char *buf, int len, const char *prompt, int verify)
{
int ret;
char buff[BUFSIZ];
UI *ui;
if ((prompt == NULL) && (prompt_string[0] != '\0'))
prompt=prompt_string;
ui = UI_new();
UI_add_input_string(ui,prompt,0,buf,0,(len>=BUFSIZ)?BUFSIZ-1:len);
if (verify)
UI_add_verify_string(ui,prompt,0,
buff,0,(len>=BUFSIZ)?BUFSIZ-1:len,buf);
ret = UI_process(ui);
UI_free(ui);
OPENSSL_cleanse(buff,BUFSIZ);
return ret;
}
static char *file_get_pass(const UI_METHOD *ui_method, char *pass,
size_t maxsize, const char *prompt_info, void *data)
{
UI *ui = UI_new();
char *prompt = NULL;
if (ui == NULL) {
OSSL_STOREerr(OSSL_STORE_F_FILE_GET_PASS, ERR_R_MALLOC_FAILURE);
return NULL;
}
if (ui_method != NULL)
UI_set_method(ui, ui_method);
UI_add_user_data(ui, data);
if ((prompt = UI_construct_prompt(ui, "pass phrase",
prompt_info)) == NULL) {
OSSL_STOREerr(OSSL_STORE_F_FILE_GET_PASS, ERR_R_MALLOC_FAILURE);
pass = NULL;
} else if (!UI_add_input_string(ui, prompt, UI_INPUT_FLAG_DEFAULT_PWD,
pass, 0, maxsize - 1)) {
OSSL_STOREerr(OSSL_STORE_F_FILE_GET_PASS, ERR_R_UI_LIB);
pass = NULL;
} else {
switch (UI_process(ui)) {
case -2:
OSSL_STOREerr(OSSL_STORE_F_FILE_GET_PASS,
OSSL_STORE_R_UI_PROCESS_INTERRUPTED_OR_CANCELLED);
pass = NULL;
break;
case -1:
OSSL_STOREerr(OSSL_STORE_F_FILE_GET_PASS, ERR_R_UI_LIB);
pass = NULL;
break;
default:
break;
}
}
OPENSSL_free(prompt);
UI_free(ui);
return pass;
}
/*
* Test wrapping old style PEM password callback in a UI method through the
* use of UI utility functions
*/
static int test_old()
{
UI_METHOD *ui_method = NULL;
UI *ui = NULL;
char defpass[] = "password";
char pass[16];
int ok = 0;
if ((ui_method =
UI_UTIL_wrap_read_pem_callback(test_pem_password_cb, 0)) == NULL
|| (ui = UI_new_method(ui_method)) == NULL)
goto err;
/* The wrapper passes the UI userdata as the callback userdata param */
UI_add_user_data(ui, defpass);
if (!UI_add_input_string(ui, "prompt", UI_INPUT_FLAG_DEFAULT_PWD,
pass, 0, sizeof(pass) - 1))
goto err;
switch (UI_process(ui)) {
case -2:
BIO_printf(bio_err, "test_old: UI process interrupted or cancelled\n");
/* fall through */
case -1:
goto err;
default:
break;
}
if (strcmp(pass, defpass) == 0)
ok = 1;
else
BIO_printf(bio_err, "test_old: password failure\n");
err:
if (!ok)
ERR_print_errors_fp(stderr);
UI_free(ui);
UI_destroy_method(ui_method);
return ok;
}
/*
* Test wrapping old style PEM password callback in a UI method through the
* use of UI utility functions
*/
static int test_old(void)
{
UI_METHOD *ui_method = NULL;
UI *ui = NULL;
char defpass[] = "password";
char pass[16];
int ok = 0;
if (!TEST_ptr(ui_method =
UI_UTIL_wrap_read_pem_callback( test_pem_password_cb, 0))
|| !TEST_ptr(ui = UI_new_method(ui_method)))
goto err;
/* The wrapper passes the UI userdata as the callback userdata param */
UI_add_user_data(ui, defpass);
if (!UI_add_input_string(ui, "prompt", UI_INPUT_FLAG_DEFAULT_PWD,
pass, 0, sizeof(pass) - 1))
goto err;
switch (UI_process(ui)) {
case -2:
TEST_info("test_old: UI process interrupted or cancelled");
/* fall through */
case -1:
goto err;
default:
break;
}
if (TEST_str_eq(pass, defpass))
ok = 1;
err:
UI_free(ui);
UI_destroy_method(ui_method);
return ok;
}
int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt,
int verify)
{
int ok = 0;
UI *ui;
if (size < 1)
return -1;
ui = UI_new();
if (ui != NULL) {
ok = UI_add_input_string(ui, prompt, 0, buf, 0, size - 1);
if (ok >= 0 && verify)
ok = UI_add_verify_string(ui, prompt, 0, buff, 0, size - 1, buf);
if (ok >= 0)
ok = UI_process(ui);
UI_free(ui);
}
if (ok > 0)
ok = 0;
return (ok);
}
static int hwcrhk_insert_card(const char *prompt_info,
const char *wrong_info,
HWCryptoHook_PassphraseContext *ppctx,
HWCryptoHook_CallerContext *cactx)
{
int ok = -1;
UI *ui;
void *callback_data = NULL;
UI_METHOD *ui_method = NULL;
if (cactx)
{
if (cactx->ui_method)
ui_method = cactx->ui_method;
if (cactx->callback_data)
callback_data = cactx->callback_data;
}
if (ppctx)
{
if (ppctx->ui_method)
ui_method = ppctx->ui_method;
if (ppctx->callback_data)
callback_data = ppctx->callback_data;
}
if (ui_method == NULL)
{
HWCRHKerr(HWCRHK_F_HWCRHK_INSERT_CARD,
HWCRHK_R_NO_CALLBACK);
return -1;
}
ui = UI_new_method(ui_method);
if (ui)
{
char answer;
char buf[BUFSIZ];
/* Despite what the documentation says wrong_info can be
* an empty string.
*/
if (wrong_info && *wrong_info)
BIO_snprintf(buf, sizeof(buf)-1,
"Current card: \"%s\"\n", wrong_info);
else
buf[0] = 0;
ok = UI_dup_info_string(ui, buf);
if (ok >= 0 && prompt_info)
{
BIO_snprintf(buf, sizeof(buf)-1,
"Insert card \"%s\"", prompt_info);
ok = UI_dup_input_boolean(ui, buf,
"\n then hit <enter> or C<enter> to cancel\n",
"\r\n", "Cc", UI_INPUT_FLAG_ECHO, &answer);
}
UI_add_user_data(ui, callback_data);
if (ok >= 0)
ok = UI_process(ui);
UI_free(ui);
if (ok == -2 || (ok >= 0 && answer == 'C'))
ok = 1;
else if (ok < 0)
ok = -1;
else
ok = 0;
}
return ok;
}
static int hwcrhk_get_pass(const char *prompt_info,
int *len_io, char *buf,
HWCryptoHook_PassphraseContext *ppctx,
HWCryptoHook_CallerContext *cactx)
{
pem_password_cb *callback = NULL;
void *callback_data = NULL;
UI_METHOD *ui_method = NULL;
/* Despite what the documentation says prompt_info can be
* an empty string.
*/
if (prompt_info && !*prompt_info)
prompt_info = NULL;
if (cactx)
{
if (cactx->ui_method)
ui_method = cactx->ui_method;
if (cactx->password_callback)
callback = cactx->password_callback;
if (cactx->callback_data)
callback_data = cactx->callback_data;
}
if (ppctx)
{
if (ppctx->ui_method)
{
ui_method = ppctx->ui_method;
callback = NULL;
}
if (ppctx->callback_data)
callback_data = ppctx->callback_data;
}
if (callback == NULL && ui_method == NULL)
{
HWCRHKerr(HWCRHK_F_HWCRHK_GET_PASS,HWCRHK_R_NO_CALLBACK);
return -1;
}
if (ui_method)
{
UI *ui = UI_new_method(ui_method);
if (ui)
{
int ok;
char *prompt = UI_construct_prompt(ui,
"pass phrase", prompt_info);
ok = UI_add_input_string(ui,prompt,
UI_INPUT_FLAG_DEFAULT_PWD,
buf,0,(*len_io) - 1);
UI_add_user_data(ui, callback_data);
UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);
if (ok >= 0)
do
{
ok=UI_process(ui);
}
while (ok < 0 && UI_ctrl(ui, UI_CTRL_IS_REDOABLE, 0, 0, 0));
if (ok >= 0)
*len_io = strlen(buf);
UI_free(ui);
OPENSSL_free(prompt);
}
}
else
{
*len_io = callback(buf, *len_io, 0, callback_data);
}
if(!*len_io)
return -1;
return 0;
}
int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
{
UI *ui = NULL;
int res = 0;
const char *prompt_info = NULL;
const char *password = NULL;
PW_CB_DATA *cb_data = (PW_CB_DATA *)cb_tmp;
if (cb_data)
{
if (cb_data->password)
password = (const char*)cb_data->password;
if (cb_data->prompt_info)
prompt_info = cb_data->prompt_info;
}
if (password)
{
res = strlen(password);
if (res > bufsiz)
res = bufsiz;
memcpy(buf, password, res);
return res;
}
ui = UI_new_method(ui_method);
if (ui)
{
int ok = 0;
char *buff = NULL;
int ui_flags = 0;
char *prompt = NULL;
prompt = UI_construct_prompt(ui, "pass phrase",
prompt_info);
ui_flags |= UI_INPUT_FLAG_DEFAULT_PWD;
UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);
if (ok >= 0)
ok = UI_add_input_string(ui,prompt,ui_flags,buf,
PW_MIN_LENGTH,BUFSIZ-1);
if (ok >= 0 && verify)
{
buff = (char *)OPENSSL_malloc(bufsiz);
ok = UI_add_verify_string(ui,prompt,ui_flags,buff,
PW_MIN_LENGTH,BUFSIZ-1, buf);
}
if (ok >= 0)
do
{
ok = UI_process(ui);
}
while (ok < 0 && UI_ctrl(ui, UI_CTRL_IS_REDOABLE, 0, 0, 0));
if (buff)
{
OPENSSL_cleanse(buff,(unsigned int)bufsiz);
OPENSSL_free(buff);
}
if (ok >= 0)
res = strlen(buf);
if (ok == -1)
{
BIO_printf(bio_err, "User interface error\n");
ERR_print_errors(bio_err);
OPENSSL_cleanse(buf,(unsigned int)bufsiz);
res = 0;
}
if (ok == -2)
{
BIO_printf(bio_err,"aborted!\n");
OPENSSL_cleanse(buf,(unsigned int)bufsiz);
res = 0;
}
UI_free(ui);
OPENSSL_free(prompt);
}
return res;
}
/* Asks user to verify certificate data before proceeding */
static VerifyStatus verify_trust(X509 *cert)
{
char vfy_trust = 'y';
VerifyStatus ret = Accept;
PKG_ERR *err;
UI *ui = NULL;
err = pkgerr_new();
/* print cert data */
if (print_cert(err, cert, KEYSTORE_FORMAT_TEXT,
get_subject_display_name(cert), B_TRUE, stdout) != 0) {
log_pkgerr(LOG_MSG_ERR, err);
ret = VerifyFailed;
goto cleanup;
}
if ((ui = UI_new()) == NULL) {
log_msg(LOG_MSG_ERR, MSG_MEM);
ret = VerifyFailed;
goto cleanup;
}
/*
* The prompt is internationalized, but the valid
* response values are fixed, to avoid any complex
* multibyte processing that results in bugs
*/
if (UI_add_input_boolean(ui, MSG_VERIFY_TRUST,
"",
"yY", "nN",
UI_INPUT_FLAG_ECHO, &vfy_trust) <= 0) {
log_msg(LOG_MSG_ERR, MSG_MEM);
ret = VerifyFailed;
goto cleanup;
}
if (UI_process(ui) != 0) {
log_msg(LOG_MSG_ERR, MSG_MEM);
ret = VerifyFailed;
goto cleanup;
}
if (vfy_trust != 'y') {
ret = Reject;
goto cleanup;
}
/*
* if the cert does not appear to be a CA cert
* r is not self-signed, verify that as well
*/
if (!is_ca_cert(cert)) {
UI_free(ui);
if ((ui = UI_new()) == NULL) {
log_msg(LOG_MSG_ERR, MSG_MEM);
ret = VerifyFailed;
goto cleanup;
}
if (UI_add_input_boolean(ui,
MSG_VERIFY_NOT_CA,
"",
"yY", "nN",
UI_INPUT_FLAG_ECHO, &vfy_trust) <= 0) {
ret = VerifyFailed;
goto cleanup;
}
if (UI_process(ui) != 0) {
log_msg(LOG_MSG_ERR, MSG_MEM);
ret = VerifyFailed;
goto cleanup;
}
if (vfy_trust != 'y') {
ret = Reject;
goto cleanup;
}
}
cleanup:
if (ui != NULL)
UI_free(ui);
if (err != NULL)
pkgerr_free(err);
return (ret);
}
