diff options
Diffstat (limited to 'bin')
-rw-r--r-- | bin/Makefile | 10 | ||||
-rw-r--r-- | bin/worker.c | 418 |
2 files changed, 425 insertions, 3 deletions
diff --git a/bin/Makefile b/bin/Makefile index 8cfb3a5..a7c1efe 100644 --- a/bin/Makefile +++ b/bin/Makefile @@ -6,7 +6,10 @@ RM := rm CFLAGS += -std=gnu11 -O2 -fPIC -Wall -Werror LDFLAGS += -Wl,-z,now -Wl,-z,relro -pie -all: ykfde ykfde-cpio +all: worker ykfde ykfde-cpio + +worker: worker.c ../config.h + $(CC) $(CFLAGS) -liniparser -lkeyutils -lykpers-1 -lyubikey $(LDFLAGS) -o worker worker.c ykfde: ykfde.c ../config.h ../version.h $(CC) $(CFLAGS) -lcryptsetup -liniparser -lkeyutils -lykpers-1 -lyubikey $(LDFLAGS) -o ykfde ykfde.c @@ -14,9 +17,10 @@ ykfde: ykfde.c ../config.h ../version.h ykfde-cpio: ykfde-cpio.c ../config.h ../version.h $(CC) $(CFLAGS) -larchive $(LDFLAGS) -o ykfde-cpio ykfde-cpio.c -install: ykfde ykfde-cpio +install: worker ykfde ykfde-cpio + $(INSTALL) -D -m0755 worker $(DESTDIR)/usr/lib/ykfde/worker $(INSTALL) -D -m0755 ykfde $(DESTDIR)/usr/bin/ykfde $(INSTALL) -D -m0755 ykfde-cpio $(DESTDIR)/usr/bin/ykfde-cpio clean: - $(RM) -f ykfde ykfde-cpio + $(RM) -f worker ykfde ykfde-cpio diff --git a/bin/worker.c b/bin/worker.c new file mode 100644 index 0000000..ef0cefc --- /dev/null +++ b/bin/worker.c @@ -0,0 +1,418 @@ +/* + * (C) 2014-2017 by Christian Hesse <mail@eworm.de> + * + * This software may be used and distributed according to the terms + * of the GNU General Public License, incorporated herein by reference. + * + * compile with: + * $ gcc -o ykfde ykfde.c -liniparser -lkeyutils -lykpers-1 -lyubikey + * + * test with: + * $ systemd-ask-password --no-tty "Please enter passphrase for disk foobar..." + */ + +#include <dirent.h> +#include <errno.h> +#include <fcntl.h> +#include <stddef.h> +#include <stdint.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/poll.h> +#include <sys/socket.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <sys/un.h> +#include <unistd.h> + +#include <iniparser.h> + +#include <keyutils.h> + +#include <yubikey.h> +#include <ykpers-1/ykdef.h> +#include <ykpers-1/ykcore.h> + +#include "../config.h" + +/* Yubikey supports write of 64 byte challenge to slot, + * returns HMAC-SHA1 response. + * + * Lengths are defined in ykpers-1/ykdef.h: + * SHA1_MAX_BLOCK_SIZE 64 + * SHA1_DIGEST_SIZE 20 + * + * For passphrase we use hex encoded digest, that is + * twice the length of binary digest. */ +#define CHALLENGELEN SHA1_MAX_BLOCK_SIZE +#define RESPONSELEN SHA1_MAX_BLOCK_SIZE +#define PASSPHRASELEN SHA1_DIGEST_SIZE * 2 + +#define ASK_PATH "/run/systemd/ask-password/" +#define ASK_MESSAGE "Please enter passphrase for disk" + +/*** send_on_socket ***/ +static int send_on_socket(int fd, const char *socket_name, const void *packet, size_t size) { + union { + struct sockaddr sa; + struct sockaddr_un un; + } sa = { + .un.sun_family = AF_UNIX, + }; + + strncpy(sa.un.sun_path, socket_name, sizeof(sa.un.sun_path)); + + if (sendto(fd, packet, size, MSG_NOSIGNAL, &sa.sa, offsetof(struct sockaddr_un, sun_path) + strlen(socket_name)) < 0) { + perror("sendto() failed"); + return EXIT_FAILURE; + } + + return EXIT_SUCCESS; +} + +/*** yk_open_and_check ***/ +static YK_KEY * yk_open_and_check(const unsigned int expected, unsigned int * serial) { + YK_KEY * yk; + + if ((yk = yk_open_first_key()) == NULL) { + if (errno != EAGAIN) + perror("yk_open_first_key() failed"); + goto out1; + } + + if (serial != NULL) { + /* read the serial number from key */ + if (yk_get_serial(yk, 0, 0, serial) == 0) { + perror("yk_get_serial() failed"); + goto out2; + } + + if (expected > 0 && expected != *serial) { + fprintf(stderr, "Opened Yubikey with unexpected serial number (%d != %d)...\n", expected, *serial); + goto out2; + } + } + + return yk; + +out2: + /* close Yubikey */ + if (yk_close_key(yk) == 0) + perror("yk_close_key() failed"); + +out1: + return NULL; +} + +/*** read_challenge ***/ +static int read_challenge(const unsigned int serial, char * challenge) { + int rc = EXIT_FAILURE; + char challengefilename[sizeof(CHALLENGEDIR) + 11 /* "/challenge-" */ + 10 /* unsigned int in char */ + 1]; + int challengefile; + + snprintf(challengefilename, sizeof(challengefilename), CHALLENGEDIR "/challenge-%d", serial); + + /* check if challenge file exists */ + if (access(challengefilename, R_OK) == -1) { + goto out1; + } + + /* read challenge from file */ + if ((challengefile = open(challengefilename, O_RDONLY)) < 0) { + perror("Failed opening challenge file for reading"); + goto out1; + } + + if (read(challengefile, challenge, CHALLENGELEN) < 0) { + perror("Failed reading challenge from file"); + goto out2; + } + + rc = EXIT_SUCCESS; + +out2: + close(challengefile); + +out1: + return rc; +} + +/*** get_second_factor ***/ +static char * get_second_factor(void) { + key_serial_t key; + void * payload = NULL; + + /* get second factor from key store + * If this fails it is not critical... possibly we just do not + * use second factor. */ + key = keyctl_search(KEY_SPEC_USER_KEYRING, "user", "ykfde-2f", 0); + + if (key > 0) { + /* if we have a key id we have a key - so this should succeed */ + if (keyctl_read_alloc(key, &payload) < 0) { + perror("Failed reading payload from key"); + return NULL; + } + + return payload; + } + + return NULL; +} + +/*** get_response ***/ +static int get_response(const unsigned int serial, uint8_t slot, char * challenge, char * passphrase) { + YK_KEY * yk; + char response[RESPONSELEN]; + char * second_factor; + size_t second_factor_len; + /* iniparser */ + dictionary * ini; + char section_ykslot[10 /* unsigned int in char */ + 1 + sizeof(CONFYKSLOT) + 1]; + + memset(response, 0, RESPONSELEN); + + if ((second_factor = get_second_factor()) != NULL) { + /* we replace part of the challenge with the second factor */ + second_factor_len = strlen(second_factor); + memcpy(challenge, second_factor, second_factor_len < CHALLENGELEN / 2 ? + second_factor_len : CHALLENGELEN / 2); + memset(second_factor, 0, second_factor_len); + free(second_factor); + } + + /* try to read config file + * If anything here fails we do not care... slot 2 is the default. */ + if ((ini = iniparser_load(CONFIGFILE)) != NULL) { + /* first try the general setting */ + slot = iniparser_getint(ini, "general:" CONFYKSLOT, slot); + + sprintf(section_ykslot, "%d:" CONFYKSLOT, serial); + + /* then probe for setting with serial number */ + slot = iniparser_getint(ini, section_ykslot, slot); + + switch (slot) { + case 1: + case SLOT_CHAL_HMAC1: + slot = SLOT_CHAL_HMAC1; + break; + case 2: + case SLOT_CHAL_HMAC2: + default: + slot = SLOT_CHAL_HMAC2; + break; + } + + iniparser_freedict(ini); + } + + /* open Yubikey and check serial */ + if ((yk = yk_open_and_check(serial, NULL)) == NULL) { + fprintf(stderr, "yk_open_and_check() failed\n"); + goto out1; + } + + /* do challenge/response and encode to hex */ + if (yk_challenge_response(yk, slot, true, + CHALLENGELEN, (unsigned char *) challenge, + RESPONSELEN, (unsigned char *) response) == 0) { + perror("yk_challenge_response() failed"); + goto out2; + } + + yubikey_hex_encode((char *) passphrase, (char *) response, SHA1_DIGEST_SIZE); + +out2: + /* close Yubikey */ + if (yk_close_key(yk) == 0) + perror("yk_close_key() failed"); + +out1: + memset(response, 0, RESPONSELEN); + + return EXIT_SUCCESS; +} + +/*** add_keyring ***/ +static int add_keyring(const char * passphrase) { + key_serial_t key; + + /* add key to kernel key store + * Put it into session keyring first, set permissions and + * move it to user keyring. */ + if ((key = add_key("user", "cryptsetup", passphrase, + PASSPHRASELEN, KEY_SPEC_SESSION_KEYRING)) < 0) { + perror("add_key() failed"); + return -1; + } + + if (keyctl_set_timeout(key, 150) < 0) { + perror("keyctl_set_timeout() failed"); + return -1; + } + + if (keyctl_setperm(key, KEY_POS_ALL|KEY_USR_ALL) < 0) { + perror("keyctl_setperm() failed"); + return -1; + } + + if (keyctl_link(key, KEY_SPEC_USER_KEYRING) < 0) { + perror("keyctl_link() failed"); + return -1; + } + + if (keyctl_unlink(key, KEY_SPEC_SESSION_KEYRING) < 0) { + perror("keyctl_unlink() failed"); + return -1; + } + + return EXIT_SUCCESS; +} + +/*** answer_askpass ***/ +static int answer_askpass(const char * ask_file, const char * passphrase) { + int rc = EXIT_FAILURE, fd_askpass; + const char * ask_message, * ask_socket; + /* iniparser */ + dictionary * ini; + + if ((ini = iniparser_load(ask_file)) == NULL) { + perror("cannot parse file"); + goto out1; + } + + ask_message = iniparser_getstring(ini, "Ask:Message", NULL); + + if (strncmp(ask_message, ASK_MESSAGE, strlen(ASK_MESSAGE)) != 0) + goto out2; + + if ((ask_socket = iniparser_getstring(ini, "Ask:Socket", NULL)) == NULL) { + perror("Could not get socket name"); + goto out2; + } + + if ((fd_askpass = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0)) < 0) { + perror("socket() failed"); + goto out2; + } + + if (send_on_socket(fd_askpass, ask_socket, passphrase, PASSPHRASELEN + 1) < 0) { + perror("send_on_socket() failed"); + goto out3; + } + + rc = EXIT_SUCCESS; + +out3: + close(fd_askpass); + +out2: + iniparser_freedict(ini); + +out1: + return rc; +} + +/*** walk_askpass ***/ +static int walk_askpass(const char * passphrase) { + int rc = EXIT_FAILURE; + DIR * dir; + struct dirent * ent; + + /* change to directory so we do not have to assemble complete/absolute path */ + if (chdir(ASK_PATH) != 0) { + perror("chdir() failed"); + return rc; + } + + /* Is the request already there? */ + if ((dir = opendir(ASK_PATH)) != NULL) { + while ((ent = readdir(dir)) != NULL) { + if (strncmp(ent->d_name, "ask.", 4) == 0) { + if ((rc = answer_askpass(ent->d_name, passphrase)) == EXIT_SUCCESS) + goto out; + } + } + } else { + perror ("opendir() failed"); + return EXIT_FAILURE; + } + + rc = EXIT_SUCCESS; + +out: + closedir(dir); + + return rc; +} + +/*** main ***/ +int main(int argc, char **argv) { + int8_t rc = EXIT_FAILURE; + /* Yubikey */ + YK_KEY * yk; + uint8_t slot = SLOT_CHAL_HMAC2; + unsigned int serial = 0; + /* challenge and passphrase */ + char challenge[CHALLENGELEN + 1]; + char passphrase[PASSPHRASELEN + 2]; + +#ifdef DEBUG + /* reopening stderr to /dev/console may help debugging... */ + FILE * tmp = freopen("/dev/console", "w", stderr); + (void) tmp; +#endif + + /* initialize static memory */ + memset(challenge, 0, CHALLENGELEN + 1); + memset(passphrase, 0, PASSPHRASELEN + 2); + + *passphrase = '+'; + + /* init and open first Yubikey */ + if (yk_init() == 0) { + perror("yk_init() failed"); + goto out10; + } + + /* open Yubikey and get serial */ + if ((yk = yk_open_and_check(0, &serial)) == NULL) { + if (errno == EAGAIN) + rc = EXIT_SUCCESS; + goto out30; + } + + /* close Yubikey */ + if (yk_close_key(yk) == 0) { + perror("yk_close_key() failed"); + goto out30; + } + + if ((rc = read_challenge(serial, challenge)) < 0) + goto out30; + + if ((rc = get_response(serial, slot, challenge, passphrase + 1)) < 0) + goto out30; + + if ((rc = add_keyring(passphrase + 1)) < 0) + goto out30; + + if ((rc = walk_askpass(passphrase)) < 0) + goto out30; + +out30: + /* release Yubikey */ + if (yk_release() == 0) + perror("yk_release() failed"); + +out10: + /* wipe challenge from memory */ + memset(challenge, 0, CHALLENGELEN + 1); + memset(passphrase, 0, PASSPHRASELEN + 2); + + return rc; +} + +// vim: set syntax=c: |