[network-manager-openvpn/lr/p11-forward: 3/4] service: respond to PKCS#11 PIN requests



commit 57badd789b36b7b1941fb1b5e1bbefcfee16e3cd
Author: Lubomir Rintel <lkundrak v3 sk>
Date:   Mon Jun 20 13:46:35 2016 +0200

    service: respond to PKCS#11 PIN requests

 shared/nm-service-defines.h |    1 +
 src/nm-openvpn-service.c    |   33 ++++++++++++++++++++++++++++++++-
 2 files changed, 33 insertions(+), 1 deletions(-)
---
diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
index b204bdb..92706ef 100644
--- a/shared/nm-service-defines.h
+++ b/shared/nm-service-defines.h
@@ -71,6 +71,7 @@
 #define NM_OPENVPN_KEY_PASSWORD "password"
 #define NM_OPENVPN_KEY_CERTPASS "cert-pass"
 #define NM_OPENVPN_KEY_HTTP_PROXY_PASSWORD "http-proxy-password"
+#define NM_OPENVPN_KEY_PKCS11_PIN "pkcs11-pin"
 /* Internal auth-dialog -> service token indicating that no secrets are
  * required for the connection.
  */
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
index 24fa809..37eb4a0 100644
--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
@@ -77,6 +77,7 @@ typedef struct {
        char *priv_key_pass;
        char *proxy_username;
        char *proxy_password;
+       char *pkcs11_pin;
        char *pending_auth;
        GIOChannel *socket_channel;
        guint socket_channel_eventid;
@@ -477,6 +478,10 @@ nm_openvpn_disconnect_management_socket (NMOpenvpnPlugin *plugin)
                secret_password_wipe (io_data->proxy_password);
        g_free (io_data->proxy_password);
 
+       if (io_data->pkcs11_pin)
+               secret_password_wipe (io_data->pkcs11_pin);
+       g_free (io_data->pkcs11_pin);
+
        g_free (priv->io_data);
        priv->io_data = NULL;
 }
@@ -597,7 +602,7 @@ handle_auth (NMOpenvpnPluginIOData *io_data,
                                *out_message = _("A username and password are required.");
                }
                handled = TRUE;
-       } else if (!strcmp (requested_auth, "Private Key")) {
+       } else if (strcmp (requested_auth, "Private Key") == 0) {
                if (io_data->priv_key_pass) {
                        char *qpass, *buf;
 
@@ -637,6 +642,25 @@ handle_auth (NMOpenvpnPluginIOData *io_data,
                                *out_message = _("An HTTP Proxy username and password are required.");
                }
                handled = TRUE;
+       } else if (g_str_has_suffix (requested_auth, " token")) {
+               if (io_data->pkcs11_pin) {
+                       char *qpass, *buf;
+
+                       qpass = ovpn_quote_string (io_data->pkcs11_pin);
+                       buf = g_strdup_printf ("password \"%s\" \"%s\"\n", requested_auth, qpass);
+                       secret_password_wipe (qpass);
+                       g_free (qpass);
+
+                       /* Will always write everything in blocking channels (on success) */
+                       g_io_channel_write_chars (io_data->socket_channel, buf, strlen (buf), NULL, NULL);
+                       g_io_channel_flush (io_data->socket_channel, NULL);
+                       g_free (buf);
+               } else {
+                       hints = g_new0 (char *, 2);
+                       hints[i++] = NM_OPENVPN_KEY_PKCS11_PIN;
+                       *out_message = _("A PIN for the security token is required.");
+               }
+               handled = TRUE;
        }
 
        *out_hints = hints;
@@ -1034,6 +1058,13 @@ update_io_data_from_vpn_setting (NMOpenvpnPluginIOData *io_data,
        }
        tmp = nm_setting_vpn_get_secret (s_vpn, NM_OPENVPN_KEY_HTTP_PROXY_PASSWORD);
        io_data->proxy_password = tmp ? g_strdup (tmp) : NULL;
+
+       if (io_data->pkcs11_pin) {
+               secret_password_wipe (io_data->pkcs11_pin);
+               g_free (io_data->pkcs11_pin);
+       }
+       tmp = nm_setting_vpn_get_secret (s_vpn, NM_OPENVPN_KEY_PKCS11_PIN);
+       io_data->pkcs11_pin = tmp ? g_strdup (tmp) : NULL;
 }
 
 #define MAX_GROUPS 128


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]