Add more ways to use a password with the token

Signed-off-by: Peter Jones <pjones@redhat.com>

src/cms_common.c

@@ -164,6 +164,8 @@ cms_context_fini(cms_context *cms)
 	case PW_DEVICE:
 	case PW_FROMFILEDB:
 	case PW_FROMENV:
+	case PW_FROMFILE:
+	case PW_FROMFD:
 	case PW_SOURCE_MAX:
 		break;
 	case PW_DATABASE:
@@ -306,8 +308,16 @@ void cms_set_pw_data(cms_context *cms, secuPWData *pwdata)
 	case PW_SOURCE_MAX:
 		break;
 
-	case PW_FROMENV:
+	case PW_FROMFD:
+		if (cms->pwdata.intdata >= 0 &&
+		    !(pwdata->source == PW_FROMFD &&
+		      cms->pwdata.intdata == pwdata->intdata))
+			close(cms->pwdata.intdata);
+		break;
+
 	case PW_FROMFILEDB:
+	case PW_FROMENV:
+	case PW_FROMFILE:
 	case PW_PLAINTEXT:
 		memset(cms->pwdata.data, 0, strlen(cms->pwdata.data));
 		xfree(cms->pwdata.data);

src/cms_common.h

@@ -80,6 +80,10 @@ typedef enum {
 	PW_DATABASE = 5,
 	// pwdata->data is the name of an environment variable
 	PW_FROMENV = 6,
+	// pwdata->data is the path of a file
+	PW_FROMFILE = 7,
+	// pwdata->intdata is a file descriptor
+	PW_FROMFD = 8,
 
 	// used only for bounds checking
 	PW_SOURCE_MAX
@@ -91,6 +95,7 @@ typedef struct {
 
 	struct pw_database pwdb;
 	char *data;
+	long intdata;
 } secuPWData;
 
 struct cms_context;

src/daemon.c

@@ -229,6 +229,7 @@ handle_unlock_token(context *ctx, struct pollfd *pollfd, socklen_t size)
 	memset(&pwdata, 0, sizeof(pwdata));
 	pwdata.source = pwdata.orig_source = PW_PLAINTEXT;
 	pwdata.data = pin;
+	pwdata.intdata = -1;
 
 	cms_set_pw_callback(ctx->cms, get_password_passthrough);
 	cms_set_pw_data(ctx->cms, &pwdata);

src/password.c

@@ -35,6 +35,8 @@ static const char * const pw_source_names[] = {
 	[PW_FROMFILEDB] = "PW_FROMFILEDB",
 	[PW_DATABASE] = "PW_DATABASE",
 	[PW_FROMENV] = "PW_FROMENV",
+	[PW_FROMFILE] = "PW_FROMFILE",
+	[PW_FROMFD] = "PW_FROMFD",
 
 	[PW_SOURCE_MAX] = "PW_SOURCE_MAX"
 };
@@ -241,6 +243,12 @@ SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
 
 	ingress();
 	dprintf("token_name: %s", token_name);
+	if (cms->pwdata.source != PW_FROMFILEDB) {
+		cms->log(cms, LOG_ERR,
+			 "Got to %s() but no file is specified.\n",
+			 __func__);
+		goto err;
+	}
 	path = cms->pwdata.data;
 
 	if (!path || retry)
@@ -375,6 +383,7 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
 	secuPWData pwxtrn = { .source = PW_DEVICE, .orig_source = PW_DEVICE, .data = NULL };
 	char *pw;
 	int rc;
+	FILE *in;
 
 	ingress();
 
@@ -400,6 +409,7 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
 		pw_source_names[pwdata->orig_source], pwdata->orig_source);
 	dprintf("pwdata->data:%p (\"%s\")", pwdata->data,
 		pwdata->data ? pwdata->data : "(null)");
+	dprintf("pwdata->intdata:%ld", pwdata->intdata);
 
 	if (retry) {
 		warnx("Incorrect password/PIN entered.");
@@ -425,7 +435,6 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
 		return pw;
 
 	case PW_DEVICE:
-		dprintf("pwdata->source:PW_DEVICE");
 		rc = asprintf(&prompt,
 			      "Press Enter, then enter PIN for \"%s\" on external device.\n",
 			      PK11_GetTokenName(slot));
@@ -442,10 +451,6 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
 		 * once, then keep it in memory (duh).
 		 */
 		pw = SECU_FilePasswd(slot, retry, cms);
-		if (pw != NULL) {
-			pwdata->source = PW_PLAINTEXT;
-			pwdata->data = strdup(pw);
-		}
 		/* it's already been dup'ed */
 		egress();
 		return pw;
@@ -460,6 +465,31 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
 		pwdata->source = PW_PLAINTEXT;
 		goto PW_PLAINTEXT;
 
+	case PW_FROMFILE:
+		dprintf("pwdata->source:PW_FROMFILE");
+		in = fopen(pwdata->data, "r");
+		if (!in)
+			return NULL;
+		pw = get_password(in, NULL, NULL, NULL);
+		fclose(in);
+		pwdata->source = PW_PLAINTEXT;
+		pwdata->data = pw;
+		goto PW_PLAINTEXT;
+
+	case PW_FROMFD:
+		dprintf("pwdata->source:PW_FROMFD");
+		rc = pwdata->intdata;
+		in = fdopen(pwdata->intdata, "r");
+		if (!in)
+			return NULL;
+		pw = get_password(in, NULL, NULL, NULL);
+		fclose(in);
+		close(rc);
+		pwdata->source = PW_PLAINTEXT;
+		pwdata->data = pw;
+		pwdata->intdata = -1;
+		goto PW_PLAINTEXT;
+
 	PW_PLAINTEXT:
 	case PW_PLAINTEXT:
 		egress();

src/pesign.c

@@ -61,7 +61,10 @@ long verbosity(void)
 }
 
 enum {
-	POPT_RET_PWDB = 0x40000001
+	POPT_RET_PWDB = 0x40000001,
+	POPT_RET_ENV = 0x40000002,
+	POPT_RET_PINFD = 0x40000003,
+	POPT_RET_PINFILE = 0x40000004,
 };
 
 int
@@ -92,6 +95,7 @@ main(int argc, char *argv[])
 	secuPWData pwdata;
 
 	memset(&pwdata, 0, sizeof(pwdata));
+	pwdata.intdata = -1;
 
 	setenv("NSS_DEFAULT_DB_TYPE", "sql", 0);
 
@@ -266,7 +270,27 @@ main(int argc, char *argv[])
 		 .arg = &ctxp->verbose,
 		 .val = 2,
 		 .descrip = "be very verbose" },
-
+		{.longName = "pinfd",
+		 .shortName = '\0',
+		 .argInfo = POPT_ARG_INT,
+		 .arg = &pwdata.intdata,
+		 .val = POPT_RET_PINFD,
+		 .descrip = "read file descriptor for pin information",
+		 .argDescrip = "<file descriptor>" },
+		{.longName = "pinfile",
+		 .shortName = '\0',
+		 .argInfo = POPT_ARG_STRING,
+		 .arg = &pwdata.data,
+		 .val = POPT_RET_PINFILE,
+		 .descrip = "read named file for pin information",
+		 .argDescrip = "<pin file name>" },
+		{.longName = "pinenv",
+		 .shortName = '\0',
+		 .argInfo = POPT_ARG_STRING,
+		 .arg = &pwdata.data,
+		 .val = POPT_RET_ENV,
+		 .descrip = "read file descriptor for pin information",
+		 .argDescrip = "<file descriptor>" },
 		{.longName = "padding",
 		 .shortName = 'P',
 		 .argInfo = POPT_ARG_VAL,
@@ -289,6 +313,7 @@ main(int argc, char *argv[])
 		 .shortName = '\0',
 		 .argInfo = POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN,
 		 .arg = &pwdata.data,
+		 .val = POPT_RET_PWDB,
 		 .descrip = "file to read passwords from.",
 		 .argDescrip = "<pwfile>" },
 		POPT_AUTOALIAS
@@ -315,6 +340,47 @@ main(int argc, char *argv[])
 				errx(1, "--pwfile requires a file name as an argument");
 			pwdata.source = PW_FROMFILEDB;
 			pwdata.data = strdup(pwdata.data);
+			pwdata.intdata = -1;
+			if (!pwdata.data)
+				err(1, "could not allocate memory");
+			continue;
+
+		case POPT_RET_ENV:
+			dprintf("POPT_RET_ENV:\"%s\"", pwdata.data ? pwdata.data : "(null)");
+			if (pwdata.source != PW_SOURCE_INVALID)
+				errx(1, "only one password/pin method can be used at a time");
+			if (pwdata.data == NULL)
+				errx(1, "--pinenv requires an environment variable name as an argument");
+			pwdata.source = PW_FROMENV;
+			pwdata.data = strdup(pwdata.data);
+			pwdata.intdata = -1;
+			if (!pwdata.data)
+				err(1, "could not allocate memory");
+			continue;
+
+		case POPT_RET_PINFD:
+			dprintf("POPT_RET_PINFD:\"%s\"", pwdata.data ? pwdata.data : "(null)");
+			if (pwdata.source != PW_SOURCE_INVALID)
+				errx(1, "only one password/pin method can be used at a time");
+			if (pwdata.data == NULL)
+				errx(1, "--pinfd requires a file descriptor as an argument");
+			errno = 0;
+			pwdata.source = PW_FROMFD;
+			pwdata.intdata = strtol(pwdata.data, NULL, 0);
+			if ((pwdata.intdata == LONG_MIN || pwdata.intdata == LONG_MAX) && errno != 0)
+				err(1, "file descriptor needed, got \"%s\"", pwdata.data ? pwdata.data : "(null)");
+			pwdata.data = NULL;
+			continue;
+
+		case POPT_RET_PINFILE:
+			dprintf("POPT_RET_PINFILE:\"%s\"", pwdata.data ? pwdata.data : "(null)");
+			if (pwdata.source != PW_SOURCE_INVALID)
+				errx(1, "only one password/pin method can be used at a time");
+			if (pwdata.data == NULL)
+				errx(1, "--pinfile requires a file name as an argument");
+			pwdata.source = PW_FROMFILE;
+			pwdata.data = strdup(pwdata.data);
+			pwdata.intdata = -1;
 			if (!pwdata.data)
 				err(1, "could not allocate memory");
 			continue;
@@ -481,7 +547,6 @@ main(int argc, char *argv[])
 	if (digest_name && digest_name != orig_digest_name)
 		free(digest_name);
 
-
 	if (ctxp->sign) {
 		if (!ctxp->cms_ctx->certname) {
 			fprintf(stderr, "pesign: signing requested but no "