List: kde-commits
Subject: [ksecrets] src/runtime: Some refactoring and notes
From: Valentin Rusu <kde () rusu ! info>
Date: 2015-08-15 14:17:46
Message-ID: E1ZQcHK-0008TQ-Bc () scm ! kde ! org
Git commit 4e3eaa8a9fd55ecca1c0bf43bf54f76397d4a923 by Valentin Rusu.
Committed on 14/08/2015 at 10:02.
Pushed by vrusu into branch 'master'.
Some refactoring and notes
M +1 -0 src/runtime/ksecrets_store/CMakeLists.txt
A +36 -0 src/runtime/ksecrets_store/defines.h [License: LGPL (v2+)]
M +4 -98 src/runtime/ksecrets_store/ksecrets_credentials.cpp
A +116 -0 src/runtime/ksecrets_store/ksecrets_crypt.cpp [License: LGPL (v2+)]
M +0 -2 src/runtime/ksecrets_store/ksecrets_store.cpp
M +6 -0 src/runtime/pam_ksecrets/pam_ksecrets.c
http://commits.kde.org/ksecrets/4e3eaa8a9fd55ecca1c0bf43bf54f76397d4a923
diff --git a/src/runtime/ksecrets_store/CMakeLists.txt \
b/src/runtime/ksecrets_store/CMakeLists.txt
index 36fd30d..688f065 100644
--- a/src/runtime/ksecrets_store/CMakeLists.txt
+++ b/src/runtime/ksecrets_store/CMakeLists.txt
@@ -9,6 +9,7 @@ ecm_setup_version(${KF5_VERSION} VARIABLE_PREFIX KSECRETS_BACKEND
PACKAGE_VERSION_FILE \
"${CMAKE_CURRENT_BINARY_DIR}/KF5SecretsStoreConfigVersion.cmake")
set(ksecrets_store_SRC
+ ksecrets_crypt.cpp
ksecrets_credentials.cpp
ksecrets_store.cpp)
diff --git a/src/runtime/ksecrets_store/defines.h b/src/runtime/ksecrets_store/defines.h
new file mode 100644
index 0000000..6e6e4a9
--- /dev/null
+++ b/src/runtime/ksecrets_store/defines.h
@@ -0,0 +1,36 @@
+/*
+ This file is part of the KDE Libraries
+
+ Copyright (C) 2015 Valentin Rusu (valir@kde.org)
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Library General Public
+ License as published by the Free Software Foundation; either
+ version 2 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Library General Public License
+ along with this library; see the file COPYING.LIB. If not, write to
+ the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ Boston, MA 02110-1301, USA.
+*/
+#ifndef KSECRETS_DEFINES_H
+#define KSECRETS_DEFINES_H
+
+#include <syslog.h>
+
+#define KSS_LOG_DEBUG (LOG_AUTH | LOG_DEBUG)
+#define KSS_LOG_INFO (LOG_AUTH | LOG_INFO)
+#define KSS_LOG_ERR (LOG_AUTH | LOG_ERR)
+
+#define KSECRETS_ITERATIONS 50000
+
+#define FALSE 0
+#define TRUE 1
+#define UNUSED(x) (void)(x)
+
+#endif
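Review bot: `KSECRETS_ITERATIONS` is a security parameter and carries no comment saying what it counts. It is passed as the iteration argument of `gcry_kdf_derive` with `GCRY_KDF_ITERSALTED_S2K` in ksecrets_crypt.cpp, and as far as I know libgcrypt follows OpenPGP there and treats the value as the number of bytes fed to the hash rather than a number of hash rounds, so 50000 would cost far less work per password guess than the name implies; this should be confirmed against the libgcrypt documentation. I would add above the define `/* work factor passed to gcry_kdf_derive(); changing it changes the keys derived for existing stores */`. The generic `FALSE`/`TRUE` macros should also be guarded with `#ifndef FALSE` / `#ifndef TRUE`, since this header is now included next to system and library headers that may define them.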
diff --git a/src/runtime/ksecrets_store/ksecrets_credentials.cpp \
b/src/runtime/ksecrets_store/ksecrets_credentials.cpp
index 135db0a..53180c0 100644
--- a/src/runtime/ksecrets_store/ksecrets_credentials.cpp
+++ b/src/runtime/ksecrets_store/ksecrets_credentials.cpp
@@ -19,6 +19,7 @@
*/
#include "ksecrets_credentials.h"
#include "ksecrets_store.h"
+#include "defines.h"
#include <unistd.h>
#include <errno.h>
@@ -33,106 +34,11 @@ extern "C" {
#include <keyutils.h>
}
-#define GCRPYT_NO_DEPRECATED
-#include <gcrypt.h>
-#define GCRYPT_REQUIRED_VERSION "1.6.0"
+const char* get_keyname_encrypting();
+const char* get_keyname_mac();
+int kss_keys_already_there();
-#define KSS_LOG_DEBUG (LOG_AUTH | LOG_DEBUG)
-#define KSS_LOG_INFO (LOG_AUTH | LOG_INFO)
-#define KSS_LOG_ERR (LOG_AUTH | LOG_ERR)
-
-#define KSECRETS_ITERATIONS 50000
-
-/* these functions are implemented in config.cpp next to this file */
-extern "C" const char* prepare_secret_file_location(const char*);
-extern "C" const char* get_keyname_encrypting();
-extern "C" const char* get_keyname_mac();
-
-#define FALSE 0
-#define TRUE 1
-#define UNUSED(x) (void)(x)
-
-extern "C"
-int KSECRETS_STORE_EXPORT kss_init_gcry()
-{
- syslog(KSS_LOG_DEBUG, "ksecrets: setting-up grypt library");
- if (!gcry_check_version(GCRYPT_REQUIRED_VERSION)) {
- syslog(KSS_LOG_ERR, "ksecrets_store: libcrypt version is too old");
- return 0;
- }
-
- gcry_error_t gcryerr;
- gcryerr = gcry_control(GCRYCTL_INIT_SECMEM, 32768, 0);
- if (gcryerr != 0) {
- syslog(KSS_LOG_ERR, "ksecrets_store: cannot get secure memory: %d", gcryerr);
- return 0;
- }
-
- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
- syslog(KSS_LOG_DEBUG, "gcrypt library now set-up");
- return 1;
-}
-
-extern "C"
-int KSECRETS_STORE_EXPORT kss_derive_keys(const char* salt, const char* password, char* \
encryption_key, char* mac_key, size_t keySize)
-{
- gpg_error_t gcryerr;
-
- syslog(KSS_LOG_INFO, "kss_set_credentials: attempting keys generation");
- if (0 == password) {
- syslog(KSS_LOG_INFO, "NULL password given. ksecrets will not be available.");
- return FALSE;
- }
-
- /* generate both encryption and MAC key in one go */
- char keys[2 * keySize];
- gcryerr = gcry_kdf_derive(password, strlen(password), GCRY_KDF_ITERSALTED_S2K, \
GCRY_MD_SHA512, salt, 8, KSECRETS_ITERATIONS, 2 * keySize, keys);
- if (gcryerr) {
- syslog(KSS_LOG_ERR, "key derivation failed: code 0x%0x: %s/%s", gcryerr, \
gcry_strsource(gcryerr), gcry_strerror(gcryerr));
- return FALSE;
- }
-
- memcpy(encryption_key, keys, keySize);
- memcpy(mac_key, keys + keySize, keySize);
- syslog(KSS_LOG_INFO, "successuflly generated ksecrets keys from user password.");
-
- return TRUE;
-}
-
-extern "C"
-int KSECRETS_STORE_EXPORT kss_store_keys(const char* encryption_key, const char* mac_key, \
size_t keySize)
-{
- key_serial_t ks;
- const char* key_name = get_keyname_encrypting();
- ks = add_key("user", key_name, encryption_key, keySize, KEY_SPEC_SESSION_KEYRING);
- if (-1 == ks) {
- syslog(KSS_LOG_ERR, "ksecrets: cannot store encryption key in kernel keyring: errno=%d \
(%m)", errno);
- return FALSE;
- }
- syslog(KSS_LOG_DEBUG, "ksecrets: encrpyting key now in kernel keyring with id %d and desc \
%s", ks, key_name);
-
- key_name = get_keyname_mac();
- ks = add_key("user", key_name, mac_key, keySize, KEY_SPEC_SESSION_KEYRING);
- if (-1 == ks) {
- syslog(KSS_LOG_ERR, "ksecrets: cannot store mac key in kernel keyring: errno=%d (%m)", \
errno);
- return FALSE;
- }
- syslog(KSS_LOG_DEBUG, "ksecrets: mac key now in kernel keyring with id %d and desc %s", \
ks, key_name);
- return TRUE;
-}
-
-int kss_keys_already_there()
-{
- key_serial_t key;
- key = request_key("user", get_keyname_encrypting(), 0, KEY_SPEC_SESSION_KEYRING);
- if (-1 == key) {
- syslog(KSS_LOG_DEBUG, "request_key failed with errno %d (%m), so assuming ksecrets not \
yet loaded", errno);
- return FALSE;
- }
- syslog(KSS_LOG_DEBUG, "ksecrets: keys already in keyring");
- return TRUE;
-}
extern "C"
int KSECRETS_STORE_EXPORT kss_set_credentials(const char* user_name, const char* password, \
const char* path)
diff --git a/src/runtime/ksecrets_store/ksecrets_crypt.cpp \
b/src/runtime/ksecrets_store/ksecrets_crypt.cpp
new file mode 100644
index 0000000..c087cbb
--- /dev/null
+++ b/src/runtime/ksecrets_store/ksecrets_crypt.cpp
@@ -0,0 +1,116 @@
+/*
+ This file is part of the KDE Libraries
+
+ Copyright (C) 2015 Valentin Rusu (valir@kde.org)
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Library General Public
+ License as published by the Free Software Foundation; either
+ version 2 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Library General Public License
+ along with this library; see the file COPYING.LIB. If not, write to
+ the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ Boston, MA 02110-1301, USA.
+*/
+
+#include "defines.h"
+
+#include <sys/types.h>
+#include <errno.h>
+
+extern "C" {
+#include <keyutils.h>
+}
+
+#define GCRPYT_NO_DEPRECATED
+#include <gcrypt.h>
+
+#define GCRYPT_REQUIRED_VERSION "1.6.0"
+
+const char* get_keyname_encrypting();
+const char* get_keyname_mac();
+
+int kss_init_gcry()
+{
+ syslog(KSS_LOG_DEBUG, "ksecrets: setting-up grypt library");
+ if (!gcry_check_version(GCRYPT_REQUIRED_VERSION)) {
+ syslog(KSS_LOG_ERR, "ksecrets_store: libcrypt version is too old");
+ return 0;
+ }
+
+ gcry_error_t gcryerr;
+ gcryerr = gcry_control(GCRYCTL_INIT_SECMEM, 32768, 0);
+ if (gcryerr != 0) {
+ syslog(KSS_LOG_ERR, "ksecrets_store: cannot get secure memory: %d", gcryerr);
+ return 0;
+ }
+
+ gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
+ syslog(KSS_LOG_DEBUG, "gcrypt library now set-up");
+ return 1;
+}
+
+int kss_derive_keys(const char* salt, const char* password, char* encryption_key, char* \
mac_key, size_t keySize)
+{
+ gpg_error_t gcryerr;
+
+ syslog(KSS_LOG_INFO, "kss_set_credentials: attempting keys generation");
+ if (0 == password) {
+ syslog(KSS_LOG_INFO, "NULL password given. ksecrets will not be available.");
+ return FALSE;
+ }
+
+ /* generate both encryption and MAC key in one go */
+ char keys[2 * keySize];
+ gcryerr = gcry_kdf_derive(password, strlen(password), GCRY_KDF_ITERSALTED_S2K, \
GCRY_MD_SHA512, salt, 8, KSECRETS_ITERATIONS, 2 * keySize, keys);
+ if (gcryerr) {
+ syslog(KSS_LOG_ERR, "key derivation failed: code 0x%0x: %s/%s", gcryerr, \
gcry_strsource(gcryerr), gcry_strerror(gcryerr));
+ return FALSE;
+ }
+
+ memcpy(encryption_key, keys, keySize);
+ memcpy(mac_key, keys + keySize, keySize);
+ syslog(KSS_LOG_INFO, "successuflly generated ksecrets keys from user password.");
+
+ return TRUE;
+}
+
+int kss_store_keys(const char* encryption_key, const char* mac_key, size_t keySize)
+{
+ key_serial_t ks;
+ const char* key_name = get_keyname_encrypting();
+ ks = add_key("user", key_name, encryption_key, keySize, KEY_SPEC_SESSION_KEYRING);
+ if (-1 == ks) {
+ syslog(KSS_LOG_ERR, "ksecrets: cannot store encryption key in kernel keyring: errno=%d \
(%m)", errno);
+ return FALSE;
+ }
+ syslog(KSS_LOG_DEBUG, "ksecrets: encrpyting key now in kernel keyring with id %d and desc \
%s", ks, key_name);
+
+ key_name = get_keyname_mac();
+ ks = add_key("user", key_name, mac_key, keySize, KEY_SPEC_SESSION_KEYRING);
+ if (-1 == ks) {
+ syslog(KSS_LOG_ERR, "ksecrets: cannot store mac key in kernel keyring: errno=%d (%m)", \
errno);
+ return FALSE;
+ }
+ syslog(KSS_LOG_DEBUG, "ksecrets: mac key now in kernel keyring with id %d and desc %s", \
ks, key_name);
+ return TRUE;
+}
+
+int kss_keys_already_there()
+{
+ key_serial_t key;
+ key = request_key("user", get_keyname_encrypting(), 0, KEY_SPEC_SESSION_KEYRING);
+ if (-1 == key) {
+ syslog(KSS_LOG_DEBUG, "request_key failed with errno %d (%m), so assuming ksecrets not \
yet loaded", errno);
+ return FALSE;
+ }
+ syslog(KSS_LOG_DEBUG, "ksecrets: keys already in keyring");
+ return TRUE;
+}
+
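Review bot: In `kss_derive_keys` the derived key material sits in the stack array `keys` and is never cleared, so both return paths after `gcry_kdf_derive` leave the encryption and MAC keys behind on the stack; `char keys[2 * keySize]` is also a variable-length array, which is a compiler extension in C++. `kss_init_gcry` in this same file already reserves 32768 bytes of gcrypt secure memory, so the temporary can live there and be wiped on release, as sketched below (this assumes `kss_init_gcry` has run before any derivation; the callers are outside this hunk). Separately, the salt length is hard-coded as `8` with no check that `salt` is non-null or that long, so a length parameter or a named constant would make that contract explicit.

```cpp
int kss_derive_keys(const char* salt, const char* password, char* encryption_key, char* mac_key, size_t keySize)
{
    // … unchanged: gcryerr declaration, log line and NULL-password check …

    /* generate both encryption and MAC key in one go, inside gcrypt secure memory */
    char* keys = static_cast<char*>(gcry_malloc_secure(2 * keySize));
    if (0 == keys) {
        syslog(KSS_LOG_ERR, "ksecrets: cannot allocate secure memory for key derivation");
        return FALSE;
    }
    gcryerr = gcry_kdf_derive(password, strlen(password), GCRY_KDF_ITERSALTED_S2K,
        GCRY_MD_SHA512, salt, 8, KSECRETS_ITERATIONS, 2 * keySize, keys);
    if (gcryerr) {
        // … unchanged: "key derivation failed" syslog call …
        gcry_free(keys);
        return FALSE;
    }

    memcpy(encryption_key, keys, keySize);
    memcpy(mac_key, keys + keySize, keySize);
    gcry_free(keys); /* secure-memory blocks are overwritten when released */
    // … unchanged: success log and return TRUE …
```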
diff --git a/src/runtime/ksecrets_store/ksecrets_store.cpp \
b/src/runtime/ksecrets_store/ksecrets_store.cpp
index 290ee00..4f8dde9 100644
--- a/src/runtime/ksecrets_store/ksecrets_store.cpp
+++ b/src/runtime/ksecrets_store/ksecrets_store.cpp
@@ -40,13 +40,11 @@
const char* keyNameEncrypting = nullptr;
const char* keyNameMac = nullptr;
-extern "C" {
bool kss_init_gcry();
bool kss_derive_keys(const char* salt, const char* password, char* encryption_key, char* \
mac_key, size_t);
 bool kss_store_keys(const char* encryption_key, const char* mac_key, size_t \
keySize);
 const char* get_keyname_encrypting() { return keyNameEncrypting; }
const char* get_keyname_mac() { return keyNameMac; }
-}
KSecretsStorePrivate::KSecretsStorePrivate(KSecretsStore* b)
: b_(b)
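Review bot: The prototypes kept here declare `kss_init_gcry`, `kss_derive_keys` and `kss_store_keys` as returning `bool`, while the definitions added in ksecrets_crypt.cpp return `int`. With the `extern "C"` wrapper removed these are plain C++ declarations that disagree with their definitions on return type, and that kind of mismatch across translation units is typically not diagnosed at link time. Declaring them once in a private header included by both files, starting with `int kss_init_gcry();`, would let the compiler check the match. The hand-written prototypes added to ksecrets_credentials.cpp and ksecrets_crypt.cpp would be replaced by the same header. The hunk ends inside the `KSecretsStorePrivate` constructor, so the call sites are not visible here.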
diff --git a/src/runtime/pam_ksecrets/pam_ksecrets.c b/src/runtime/pam_ksecrets/pam_ksecrets.c
index bb97632..c32cfc1 100644
--- a/src/runtime/pam_ksecrets/pam_ksecrets.c
+++ b/src/runtime/pam_ksecrets/pam_ksecrets.c
@@ -54,6 +54,12 @@ PAM_EXTERN int pam_sm_authenticate(
* If nothing is specified, then the default path will be
* $HOME/.local/share/ksecrets/ksecrets.data
*
+ * FIXME see how this could be simplified or how one could add a configuration
+ * file handling here. Handling configuration files is DE specific and this
+ * pam module tries to stay as generic as possible. Perhaps we could add here
+ * a DE-specific plugin that would retrieve values from the DE-specific configuration
+ * files, using the DE-specific configuration handling libraries.
+ *
* The location should point to an actual file. If it's a symlink, then the
* store handling routine will fail.
*/