git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
clevis
1
0
Fork 0
Files Pull Requests 0
Tree: a539f02c81
Branches Tags
clevis
/
src
/
pins
/
sss
/
clevis-decrypt-sss.c

clevis-decrypt-sss.c 8.4 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334 
  1. /* vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: */
    2. 

  2. /*
    3. 

  3.  * Copyright (c) 2015 Red Hat, Inc.
    4. 

  4.  * Author: Nathaniel McCallum <npmccallum@redhat.com>
    5. 

  5.  *
    6. 

  6.  * This program is free software: you can redistribute it and/or modify
    7. 

  7.  * it under the terms of the GNU General Public License as published by
    8. 

  8.  * the Free Software Foundation, either version 3 of the License, or
    9. 

  9.  * (at your option) any later version.
    10. 

  10.  *
    11. 

  11.  * This program is distributed in the hope that it will be useful,
    12. 

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
    13. 

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    14. 

  14.  * GNU General Public License for more details.
    15. 

  15.  *
    16. 

  16.  * You should have received a copy of the GNU General Public License
    17. 

  17.  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    18. 

  18.  *
    19. 

  19.  * Additional permission under GPLv3 section 7:
    20. 

  20.  *
    21. 

  21.  * In the following paragraph, "GPL" means the GNU General Public
    22. 

  22.  * License, version 3 or any later version, and "Non-GPL Code" means
    23. 

  23.  * code that is governed neither by the GPL nor a license
    24. 

  24.  * compatible with the GPL.
    25. 

  25.  *
    26. 

  26.  * You may link the code of this Program with Non-GPL Code and convey
    27. 

  27.  * linked combinations including the two, provided that such Non-GPL
    28. 

  28.  * Code only links to the code of this Program through those well
    29. 

  29.  * defined interfaces identified in the file named EXCEPTION found in
    30. 

  30.  * the source code files (the "Approved Interfaces"). The files of
    31. 

  31.  * Non-GPL Code may instantiate templates or use macros or inline
    32. 

  32.  * functions from the Approved Interfaces without causing the resulting
    33. 

  33.  * work to be covered by the GPL. Only the copyright holders of this
    34. 

  34.  * Program may make changes or additions to the list of Approved
    35. 

  35.  * Interfaces.
    36. 

  36.  */
    37. 

  37. 

  38. #define _GNU_SOURCE
    39. 

  39. #include "sss.h"
    40. 

  40. 

  41. #include <jose/b64.h>
    42. 

  42. #include <jose/jwe.h>
    43. 

  43. 

  44. #include <sys/epoll.h>
    45. 

  45. #include <sys/types.h>
    46. 

  46. #include <sys/wait.h>
    47. 

  47. 

  48. #include <libgen.h>
    49. 

  49. #include <errno.h>
    50. 

  50. #include <fcntl.h>
    51. 

  51. #include <limits.h>
    52. 

  52. #include <unistd.h>
    53. 

  53. #include <signal.h>
    54. 

  54. #include <stdbool.h>
    55. 

  55. #include <stdint.h>
    56. 

  56. #include <string.h>
    57. 

  57. #include <ctype.h>
    58. 

  58. 

  59. struct pin {
    60. 

  60.     struct pin *prev;
    61. 

  61.     struct pin *next;
    62. 

  62.     uint8_t *pt;
    63. 

  63.     size_t ptl;
    64. 

  64.     FILE *file;
    65. 

  65.     pid_t pid;
    66. 

  66. };
    67. 

  67. 

  68. static size_t
    69. 

  69. nchldrn(const struct pin *pins, bool response)
    70. 

  70. {
    71. 

  71.     size_t n = 0;
    72. 

  72. 

  73.     for (const struct pin *p = pins->next; p != pins; p = p->next) {
    74. 

  74.         if (response && p->pt)
    75. 

  75.             n++;
    76. 

  76.         else if (!response)
    77. 

  77.             n++;
    78. 

  78.     }
    79. 

  79. 

  80.     return n;
    81. 

  81. }
    82. 

  82. 

  83. static json_t *
    84. 

  84. compact_field(FILE *file)
    85. 

  85. {
    86. 

  86.     json_t *str = NULL;
    87. 

  87.     char *buf = NULL;
    88. 

  88.     size_t used = 0;
    89. 

  89.     size_t size = 0;
    90. 

  90. 

  91.     for (int c = fgetc(file); c != EOF && c != '.' && !isspace(c); c = fgetc(file)) {
    92. 

  92.         if (used >= size) {
    93. 

  93.             char *tmp = NULL;
    94. 

  94. 

  95.             size += 4096;
    96. 

  96.             tmp = realloc(buf, size);
    97. 

  97.             if (!tmp)
    98. 

  98.                 goto error;
    99. 

  99. 

  100.             buf = tmp;
    101. 

  101.         }
    102. 

  102. 

  103.         buf[used++] = c;
    104. 

  104.     }
    105. 

  105. 

  106.     str = json_stringn(buf ? buf : "", buf ? used : 0);
    107. 

  107. 

  108. error:
    109. 

  109.     free(buf);
    110. 

  110.     return str;
    111. 

  111. }
    112. 

  112. 

  113. static json_t *
    114. 

  114. compact_jwe(FILE *file)
    115. 

  115. {
    116. 

  116.     json_auto_t *jwe = NULL;
    117. 

  117. 

  118.     jwe = json_object();
    119. 

  119.     if (!jwe)
    120. 

  120.         return NULL;
    121. 

  121. 

  122.     if (json_object_set_new(jwe, "protected", compact_field(file)) < 0)
    123. 

  123.         return NULL;
    124. 

  124. 

  125.     if (json_object_set_new(jwe, "encrypted_key", compact_field(file)) < 0)
    126. 

  126.         return NULL;
    127. 

  127. 

  128.     if (json_object_set_new(jwe, "iv", compact_field(file)) < 0)
    129. 

  129.         return NULL;
    130. 

  130. 

  131.     return json_incref(jwe);
    132. 

  132. }
    133. 

  133. 

  134. int
    135. 

  135. main(int argc, char *argv[])
    136. 

  136. {
    137. 

  137.     struct pin chldrn = { &chldrn, &chldrn };
    138. 

  138.     json_auto_t *pins = NULL;
    139. 

  139.     json_auto_t *hdr = NULL;
    140. 

  140.     json_auto_t *jwe = NULL;
    141. 

  141.     int ret = EXIT_FAILURE;
    142. 

  142.     json_t *p = NULL;
    143. 

  143.     json_int_t t = 1;
    144. 

  144.     int epoll = -1;
    145. 

  145.     size_t pl = 0;
    146. 

  146. 

  147.     if (argc == 2 && strcmp(argv[1], "--summary") == 0)
    148. 

  148.         return EXIT_FAILURE;
    149. 

  149. 

  150.     if (isatty(STDIN_FILENO) || argc != 1)
    151. 

  151.         goto usage;
    152. 

  152. 

  153.     epoll = epoll_create1(EPOLL_CLOEXEC);
    154. 

  154.     if (epoll < 0)
    155. 

  155.         return ret;
    156. 

  156. 

  157.     jwe = compact_jwe(stdin);
    158. 

  158.     if (!jwe)
    159. 

  159.         goto egress;
    160. 

  160. 

  161.     hdr = jose_jwe_hdr(jwe, jwe);
    162. 

  162.     if (!hdr)
    163. 

  163.         goto egress;
    164. 

  164. 

  165.     if (json_unpack(hdr, "{s:{s:{s:I,s:o,s:O}}}",
    166. 

  166.                     "clevis", "sss", "t", &t, "p", &p, "jwe", &pins) != 0)
    167. 

  167.         goto egress;
    168. 

  168. 

  169.     if (t < 1)
    170. 

  170.         goto egress;
    171. 

  171. 

  172.     pl = jose_b64_dec(p, NULL, 0);
    173. 

  173.     if (pl == SIZE_MAX)
    174. 

  174.         goto egress;
    175. 

  175. 

  176.     for (size_t i = 0; i < json_array_size(pins); i++) {
    177. 

  177.         char *args[] = { "clevis", "decrypt", NULL };
    178. 

  178.         const json_t *val = json_array_get(pins, i);
    179. 

  179.         struct pin *pin = NULL;
    180. 

  180. 

  181.         if (!json_is_string(val))
    182. 

  182.             goto egress;
    183. 

  183. 

  184.         pin = calloc(1, sizeof(*pin));
    185. 

  185.         if (!pin)
    186. 

  186.             goto egress;
    187. 

  187. 

  188.         chldrn.next->prev = pin;
    189. 

  189.         pin->next = chldrn.next;
    190. 

  190.         pin->prev = &chldrn;
    191. 

  191.         chldrn.next = pin;
    192. 

  192. 

  193.         pin->file = call(args, json_string_value(val),
    194. 

  194.                          json_string_length(val), &pin->pid);
    195. 

  195.         if (!pin->file)
    196. 

  196.             goto egress;
    197. 

  197. 

  198.         if (epoll_ctl(epoll, EPOLL_CTL_ADD, fileno(pin->file),
    199. 

  199.                       &(struct epoll_event) {
    200. 

  200.                           .events = EPOLLIN | EPOLLPRI,
    201. 

  201.                           .data.fd = fileno(pin->file)
    202. 

  202.                       }) < 0)
    203. 

  203.             goto egress;
    204. 

  204.     }
    205. 

  205. 

  206.     json_decref(pins);
    207. 

  207.     pins = json_array();
    208. 

  208.     if (!pins)
    209. 

  209.         goto egress;
    210. 

  210. 

  211.     for (struct epoll_event e; true; ) {
    212. 

  212.         int r = 0;
    213. 

  213. 

  214.         r = epoll_wait(epoll, &e, 1, -1);
    215. 

  215.         if (r != 1)
    216. 

  216.             break;
    217. 

  217. 

  218.         for (struct pin *pin = chldrn.next; pin != &chldrn; pin = pin->next) {
    219. 

  219.             if (!pin->file || e.data.fd != fileno(pin->file))
    220. 

  220.                 continue;
    221. 

  221. 

  222.             if (e.events & (EPOLLIN | EPOLLPRI)) {
    223. 

  223.                 const size_t ptl = pl * 2;
    224. 

  224. 

  225.                 pin->pt = malloc(ptl);
    226. 

  226.                 if (!pin->pt)
    227. 

  227.                     goto egress;
    228. 

  228. 

  229.                 while (!feof(pin->file)) {
    230. 

  230.                     uint8_t buf[ptl];
    231. 

  231.                     size_t rd = 0;
    232. 

  232. 

  233.                     rd = fread(buf, 1, sizeof(buf), pin->file);
    234. 

  234.                     if (ferror(pin->file) || pin->ptl + rd > ptl) {
    235. 

  235.                         pin->ptl = 0;
    236. 

  236.                         break;
    237. 

  237.                     }
    238. 

  238. 

  239.                     memcpy(&pin->pt[pin->ptl], buf, rd);
    240. 

  240.                     pin->ptl += rd;
    241. 

  241.                 }
    242. 

  242. 

  243.                 if (pin->ptl != ptl) {
    244. 

  244.                     free(pin->pt);
    245. 

  245.                     pin->pt = NULL;
    246. 

  246.                     goto egress;
    247. 

  247.                 }
    248. 

  248.             }
    249. 

  249. 

  250.             fclose(pin->file);
    251. 

  251.             pin->file = NULL;
    252. 

  252. 

  253.             waitpid(pin->pid, NULL, 0);
    254. 

  254.             pin->pid = 0;
    255. 

  255. 

  256.             if (!pin->pt) {
    257. 

  257.                 pin->next->prev = pin->prev;
    258. 

  258.                 pin->prev->next = pin->next;
    259. 

  259.                 free(pin);
    260. 

  260.             }
    261. 

  261. 

  262.             break;
    263. 

  263.         }
    264. 

  264. 

  265.         if (nchldrn(&chldrn, false) < (size_t) t ||
    266. 

  266.             nchldrn(&chldrn, true) >= (size_t) t)
    267. 

  267.             break;
    268. 

  268.     }
    269. 

  269. 

  270.     if (nchldrn(&chldrn, true) >= (size_t) t) {
    271. 

  271.         jose_io_auto_t *out = NULL;
    272. 

  272.         jose_io_auto_t *dec = NULL;
    273. 

  273.         jose_io_auto_t *b64 = NULL;
    274. 

  274.         json_auto_t *cek = NULL;
    275. 

  275.         const uint8_t *xy[t];
    276. 

  276.         size_t i = 0;
    277. 

  277. 

  278.         for (struct pin *pin = chldrn.next; pin != &chldrn; pin = pin->next) {
    279. 

  279.             if (pin->pt && i < (size_t) t)
    280. 

  280.                 xy[i++] = pin->pt;
    281. 

  281.         }
    282. 

  282. 

  283.         cek = json_pack("{s:s,s:o}", "kty", "oct", "k", sss_recover(p, t, xy));
    284. 

  284.         if (!cek)
    285. 

  285.             goto egress;
    286. 

  286. 

  287.         out = jose_io_file(NULL, stdout);
    288. 

  288.         dec = jose_jwe_dec_cek_io(NULL, jwe, cek, out);
    289. 

  289.         b64 = jose_b64_dec_io(dec);
    290. 

  290.         if (!out || !dec || !b64)
    291. 

  291.             goto egress;
    292. 

  292. 

  293.         for (int b = fgetc(stdin); b != EOF && b != '.'; b = fgetc(stdin)) {
    294. 

  294.             char c = b;
    295. 

  295.             if (!b64->feed(b64, &c, 1))
    296. 

  296.                 goto egress;
    297. 

  297.         }
    298. 

  298. 

  299.         if (json_object_set_new(jwe, "tag", compact_field(stdin)) < 0)
    300. 

  300.             goto egress;
    301. 

  301. 

  302.         if (!b64->done(b64))
    303. 

  303.             goto egress;
    304. 

  304. 

  305.         ret = EXIT_SUCCESS;
    306. 

  306.     }
    307. 

  307. 

  308. egress:
    309. 

  309.     while (chldrn.next != &chldrn) {
    310. 

  310.         struct pin *pin = chldrn.next;
    311. 

  311. 

  312.         if (pin->file)
    313. 

  313.             fclose(pin->file);
    314. 

  314. 

  315.         if (pin->pid > 0) {
    316. 

  316.             kill(pin->pid, SIGTERM);
    317. 

  317.             waitpid(pin->pid, NULL, 0);
    318. 

  318.         }
    319. 

  319. 

  320.         pin->next->prev = pin->prev;
    321. 

  321.         pin->prev->next = pin->next;
    322. 

  322.         free(pin->pt);
    323. 

  323.         free(pin);
    324. 

  324.     }
    325. 

  325. 

  326.     close(epoll);
    327. 

  327.     return ret;
    328. 

  328. 

  329. usage:
    330. 

  330.     fprintf(stderr, "\n");
    331. 

  331.     fprintf(stderr, "Usage: clevis decrypt sss < JWE > PLAINTEXT\n");
    332. 

  332.     fprintf(stderr, "\n");
    333. 

  333.     return EXIT_FAILURE;
    334. 

  334. }
    335.