diff options
Diffstat (limited to 'tokens')
-rw-r--r-- | tokens/Makemodule.am | 29 | ||||
-rw-r--r-- | tokens/libcryptsetup-token.sym | 9 | ||||
-rw-r--r-- | tokens/ssh/cryptsetup-ssh.c | 420 | ||||
-rw-r--r-- | tokens/ssh/libcryptsetup-token-ssh.c | 193 | ||||
-rw-r--r-- | tokens/ssh/ssh-utils.c | 177 | ||||
-rw-r--r-- | tokens/ssh/ssh-utils.h | 29 |
6 files changed, 857 insertions, 0 deletions
diff --git a/tokens/Makemodule.am b/tokens/Makemodule.am new file mode 100644 index 0000000..4be7bc5 --- /dev/null +++ b/tokens/Makemodule.am @@ -0,0 +1,29 @@ +EXTRA_DIST += tokens/libcryptsetup-token.sym + +TOKENS_LDFLAGS = $(AM_LDFLAGS) -no-undefined -avoid-version \ + -Wl,--version-script=$(top_srcdir)/tokens/libcryptsetup-token.sym + +tokendir = ${EXTERNAL_LUKS2_TOKENS_PATH} + +if SSHPLUGIN_TOKEN +libcryptsetup_token_ssh_la_LDFLAGS = $(TOKENS_LDFLAGS) +libcryptsetup_token_ssh_la_SOURCES = tokens/ssh/libcryptsetup-token-ssh.c \ + tokens/ssh/ssh-utils.c \ + tokens/ssh/ssh-utils.h +libcryptsetup_token_ssh_la_LIBADD = libcryptsetup.la @LIBSSH_LIBS@ @JSON_C_LIBS@ +token_LTLIBRARIES = libcryptsetup-token-ssh.la + +cryptsetup_ssh_SOURCES = tokens/ssh/cryptsetup-ssh.c \ + tokens/ssh/ssh-utils.c \ + tokens/ssh/ssh-utils.h \ + src/utils_tools.c \ + src/utils_password.c \ + lib/utils_io.c \ + lib/utils_loop.c +cryptsetup_ssh_LDADD = -lm libcryptsetup.la @LIBSSH_LIBS@ @JSON_C_LIBS@ @POPT_LIBS@ \ + @PWQUALITY_LIBS@ @PASSWDQC_LIBS@ @ARGP_LIBS@ + +cryptsetup_ssh_CFLAGS = $(AM_CFLAGS) + +sbin_PROGRAMS += cryptsetup-ssh +endif diff --git a/tokens/libcryptsetup-token.sym b/tokens/libcryptsetup-token.sym new file mode 100644 index 0000000..17ec599 --- /dev/null +++ b/tokens/libcryptsetup-token.sym @@ -0,0 +1,9 @@ +CRYPTSETUP_TOKEN_1.0 { + global: cryptsetup_token_open; + cryptsetup_token_open_pin; + cryptsetup_token_buffer_free; + cryptsetup_token_validate; + cryptsetup_token_dump; + cryptsetup_token_version; + local: *; +}; diff --git a/tokens/ssh/cryptsetup-ssh.c b/tokens/ssh/cryptsetup-ssh.c new file mode 100644 index 0000000..7c0bf02 --- /dev/null +++ b/tokens/ssh/cryptsetup-ssh.c @@ -0,0 +1,420 @@ +/* + * Example of LUKS2 token storing third party metadata (EXPERIMENTAL EXAMPLE) + * + * Copyright (C) 2016-2023 Milan Broz + * Copyright (C) 2021-2023 Vojtech Trefny + * + * Use: + * - generate ssh example token + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <errno.h> +#include <fcntl.h> +#include <argp.h> +#include <json-c/json.h> +#include <termios.h> +#include <stdbool.h> +#include "libcryptsetup.h" +#include "ssh-utils.h" +#include "../src/cryptsetup.h" + +#define TOKEN_NAME "ssh" + +#define l_err(cd, x...) crypt_logf(cd, CRYPT_LOG_ERROR, x) +#define l_dbg(cd, x...) crypt_logf(cd, CRYPT_LOG_DEBUG, x) + +#define OPT_SSH_SERVER 1 +#define OPT_SSH_USER 2 +#define OPT_SSH_PATH 3 +#define OPT_KEY_PATH 4 +#define OPT_DEBUG 5 +#define OPT_DEBUG_JSON 6 +#define OPT_KEY_SLOT 7 + +void tools_cleanup(void) +{ +} + + +static int token_add( + const char *device, + const char *server, + const char *user, + const char *path, + const char *keypath, + int keyslot) + +{ + struct crypt_device *cd; + json_object *jobj = NULL; + json_object *jobj_keyslots = NULL; + const char *string_token; + int r, token; + + r = crypt_init(&cd, device); + if (r) + return r; + + r = crypt_load(cd, CRYPT_LUKS2, NULL); + if (r) { + l_err(cd, _("Device %s is not a valid LUKS device."), device); + goto out; + } + + r = -EINVAL; + jobj = json_object_new_object(); + if (!jobj) + goto out; + + /* type is mandatory field in all tokens and must match handler name member */ + json_object_object_add(jobj, "type", json_object_new_string(TOKEN_NAME)); + + jobj_keyslots = json_object_new_array(); + + /* mandatory array field (may be empty and assigned later */ + json_object_object_add(jobj, "keyslots", jobj_keyslots); + + /* custom metadata */ + json_object_object_add(jobj, "ssh_server", json_object_new_string(server)); + json_object_object_add(jobj, "ssh_user", json_object_new_string(user)); + json_object_object_add(jobj, "ssh_path", json_object_new_string(path)); + json_object_object_add(jobj, "ssh_keypath", json_object_new_string(keypath)); + + string_token = json_object_to_json_string_ext(jobj, JSON_C_TO_STRING_PLAIN); + if (!string_token) { + r = -EINVAL; + goto out; + } + + l_dbg(cd, "Token JSON: %s", string_token); + + r = crypt_token_json_set(cd, CRYPT_ANY_TOKEN, string_token); + if (r < 0) { + l_err(cd, _("Failed to write ssh token json.")); + goto out; + } + + token = r; + r = crypt_token_assign_keyslot(cd, token, keyslot); + if (r != token) { + crypt_token_json_set(cd, token, NULL); + r = -EINVAL; + } +out: + json_object_put(jobj); + crypt_free(cd); + return r; +} + +const char *argp_program_version = "cryptsetup-ssh " PACKAGE_VERSION; + +static char doc[] = N_("Experimental cryptsetup plugin for unlocking LUKS2 devices with token connected " \ + "to an SSH server\v" \ + "This plugin currently allows only adding a token to an existing key slot.\n\n" \ + "Specified SSH server must contain a key file on the specified path with " \ + "a passphrase for an existing key slot on the device.\n" \ + "Provided credentials will be used by cryptsetup to get the password when " \ + "opening the device using the token.\n\n" \ + "Note: The information provided when adding the token (SSH server address, user and paths) " \ + "will be stored in the LUKS2 header in plaintext."); + +static char args_doc[] = N_("<action> <device>"); + +static struct argp_option options[] = { + {0, 0, 0, 0, N_("Options for the 'add' action:")}, + {"ssh-server", OPT_SSH_SERVER, "STRING", 0, N_("IP address/URL of the remote server for this token")}, + {"ssh-user", OPT_SSH_USER, "STRING", 0, N_("Username used for the remote server")}, + {"ssh-path", OPT_SSH_PATH, "STRING", 0, N_("Path to the key file on the remote server")}, + {"ssh-keypath", OPT_KEY_PATH, "STRING", 0, N_("Path to the SSH key for connecting to the remote server")}, + {"key-slot", OPT_KEY_SLOT, "NUM", 0, N_("Keyslot to assign the token to. If not specified, token will "\ + "be assigned to the first keyslot matching provided passphrase.")}, + {0, 0, 0, 0, N_("Generic options:")}, + {"verbose", 'v', 0, 0, N_("Shows more detailed error messages")}, + {"debug", OPT_DEBUG, 0, 0, N_("Show debug messages")}, + {"debug-json", OPT_DEBUG_JSON, 0, 0, N_("Show debug messages including JSON metadata")}, + { NULL, 0, 0, 0, NULL } +}; + +struct arguments { + char *device; + char *action; + char *ssh_server; + char *ssh_user; + char *ssh_path; + char *ssh_keypath; + int keyslot; + int verbose; + int debug; + int debug_json; +}; + +static error_t +parse_opt (int key, char *arg, struct argp_state *state) { + struct arguments *arguments = state->input; + + switch (key) { + case OPT_SSH_SERVER: + arguments->ssh_server = arg; + break; + case OPT_SSH_USER: + arguments->ssh_user = arg; + break; + case OPT_SSH_PATH: + arguments->ssh_path = arg; + break; + case OPT_KEY_PATH: + arguments->ssh_keypath = arg; + break; + case OPT_KEY_SLOT: + arguments->keyslot = atoi(arg); + break; + case 'v': + arguments->verbose = 1; + break; + case OPT_DEBUG: + arguments->debug = 1; + break; + case OPT_DEBUG_JSON: + arguments->debug = 1; + arguments->debug_json = 1; + break; + case ARGP_KEY_NO_ARGS: + argp_usage(state); + break; + case ARGP_KEY_ARG: + arguments->action = arg; + arguments->device = state->argv[state->next]; + state->next = state->argc; + break; + default: + return ARGP_ERR_UNKNOWN; + } + + return 0; +} + +static struct argp argp = { options, parse_opt, args_doc, doc }; + + +static void _log(int level, const char *msg, void *usrptr) +{ + struct arguments *arguments = (struct arguments *)usrptr; + + switch (level) { + case CRYPT_LOG_NORMAL: + fprintf(stdout, "%s", msg); + break; + case CRYPT_LOG_VERBOSE: + if (arguments && arguments->verbose) + fprintf(stdout, "%s", msg); + break; + case CRYPT_LOG_ERROR: + fprintf(stderr, "%s", msg); + break; + case CRYPT_LOG_DEBUG_JSON: + if (arguments && arguments->debug_json) + fprintf(stdout, "# %s", msg); + break; + case CRYPT_LOG_DEBUG: + if (arguments && arguments->debug) + fprintf(stdout, "# %s", msg); + break; + } +} + +static int get_keyslot_for_passphrase(struct arguments *arguments, const char *pin) +{ + int r = 0; + ssh_key pkey; + ssh_session ssh; + char *password = NULL; + size_t password_len = 0; + struct crypt_device *cd = NULL; + char *ssh_pass = NULL; + size_t key_size = 0; + char *prompt = NULL; + + r = crypt_init(&cd, arguments->device); + if (r < 0) + return r; + crypt_set_log_callback(cd, &_log, arguments); + + r = ssh_pki_import_privkey_file(arguments->ssh_keypath, pin, NULL, NULL, &pkey); + if (r != SSH_OK) { + if (r == SSH_EOF) { + crypt_log(cd, CRYPT_LOG_ERROR, _("Failed to open and import private key:\n")); + crypt_free(cd); + return -EINVAL; + } else { + _log(CRYPT_LOG_ERROR, _("Failed to import private key (password protected?).\n"), NULL); + /* TRANSLATORS: SSH credentials prompt, e.g. "user@server's password: " */ + r = asprintf(&prompt, _("%s@%s's password: "), arguments->ssh_user, arguments->ssh_server); + if (r < 0) { + crypt_safe_free(ssh_pass); + crypt_free(cd); + return -EINVAL; + } + + r = tools_get_key(prompt, &ssh_pass, &key_size, 0, 0, NULL, 0, 0, 0, cd); + if (r < 0) { + free(prompt); + crypt_safe_free(ssh_pass); + crypt_free(cd); + return -EINVAL; + } + + /* now try again with the password */ + r = get_keyslot_for_passphrase(arguments, ssh_pass); + + crypt_safe_free(ssh_pass); + crypt_free(cd); + free(prompt); + + return r; + } + } + + ssh = sshplugin_session_init(cd, arguments->ssh_server, arguments->ssh_user); + if (!ssh) { + ssh_key_free(pkey); + crypt_free(cd); + return -EINVAL; + } + + r = sshplugin_public_key_auth(cd, ssh, pkey); + ssh_key_free(pkey); + + if (r != SSH_AUTH_SUCCESS) { + crypt_free(cd); + return r; + } + + r = sshplugin_download_password(cd, ssh, arguments->ssh_path, &password, &password_len); + if (r < 0) { + ssh_disconnect(ssh); + ssh_free(ssh); + crypt_free(cd); + return r; + } + + ssh_disconnect(ssh); + ssh_free(ssh); + + r = crypt_load(cd, CRYPT_LUKS2, NULL); + if (r < 0) { + crypt_safe_memzero(password, password_len); + free(password); + crypt_free(cd); + return r; + } + + r = crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT, password, password_len, 0); + if (r < 0) { + crypt_safe_memzero(password, password_len); + free(password); + crypt_free(cd); + return r; + } + + arguments->keyslot = r; + + crypt_safe_memzero(password, password_len); + free(password); + crypt_free(cd); + + return 0; +} + +int main(int argc, char *argv[]) +{ + int ret = 0; + struct arguments arguments = { 0 }; + arguments.keyslot = CRYPT_ANY_SLOT; + + setlocale(LC_ALL, ""); + bindtextdomain(PACKAGE, LOCALEDIR); + textdomain(PACKAGE); + + ret = argp_parse (&argp, argc, argv, 0, 0, &arguments); + if (ret != 0) { + printf(_("Failed to parse arguments.\n")); + return EXIT_FAILURE; + } + + crypt_set_log_callback(NULL, _log, &arguments); + if (arguments.debug) + crypt_set_debug_level(CRYPT_DEBUG_ALL); + if (arguments.debug_json) + crypt_set_debug_level(CRYPT_DEBUG_JSON); + + if (arguments.action == NULL) { + printf(_("An action must be specified\n")); + return EXIT_FAILURE; + } + + if (strcmp("add", arguments.action) == 0) { + if (!arguments.device) { + printf(_("Device must be specified for '%s' action.\n"), arguments.action); + return EXIT_FAILURE; + } + + if (!arguments.ssh_server) { + printf(_("SSH server must be specified for '%s' action.\n"), arguments.action); + return EXIT_FAILURE; + } + + if (!arguments.ssh_user) { + printf(_("SSH user must be specified for '%s' action.\n"), arguments.action); + return EXIT_FAILURE; + } + + if (!arguments.ssh_path) { + printf(_("SSH path must be specified for '%s' action.\n"), arguments.action); + return EXIT_FAILURE; + } + + if (!arguments.ssh_keypath) { + printf(_("SSH key path must be specified for '%s' action.\n"), arguments.action); + return EXIT_FAILURE; + } + + if (arguments.keyslot == CRYPT_ANY_SLOT) { + ret = get_keyslot_for_passphrase(&arguments, NULL); + if (ret != 0) { + printf(_("Failed open %s using provided credentials.\n"), arguments.device); + return EXIT_FAILURE; + } + } + + ret = token_add(arguments.device, + arguments.ssh_server, + arguments.ssh_user, + arguments.ssh_path, + arguments.ssh_keypath, + arguments.keyslot); + if (ret < 0) + return EXIT_FAILURE; + else + return EXIT_SUCCESS; + } else { + printf(_("Only 'add' action is currently supported by this plugin.\n")); + return EXIT_FAILURE; + } +} diff --git a/tokens/ssh/libcryptsetup-token-ssh.c b/tokens/ssh/libcryptsetup-token-ssh.c new file mode 100644 index 0000000..639b25d --- /dev/null +++ b/tokens/ssh/libcryptsetup-token-ssh.c @@ -0,0 +1,193 @@ +/* + * Example of LUKS2 ssh token handler (EXPERIMENTAL) + * + * Copyright (C) 2016-2023 Milan Broz + * Copyright (C) 2020-2023 Vojtech Trefny + * + * Use: + * - generate LUKS device + * - store passphrase used in previous step remotely (single line w/o \r\n) + * - add new token using this example + * - activate device by token + * + * This file is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this file; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <errno.h> +#include <json-c/json.h> +#include "libcryptsetup.h" +#include "ssh-utils.h" + +#define TOKEN_NAME "ssh" +#define TOKEN_VERSION_MAJOR "1" +#define TOKEN_VERSION_MINOR "0" + +#define SERVER_ARG "plugin-ssh-server" +#define USER_ARG "plugin-ssh-user" +#define PATH_ARG "plugin-ssh-path" +#define KEYPATH_ARG "plugin-ssh-keypath" + +#define l_dbg(cd, x...) crypt_logf(cd, CRYPT_LOG_DEBUG, x) + + +const char *cryptsetup_token_version(void); +int cryptsetup_token_open_pin(struct crypt_device *cd, int token, const char *pin, + size_t pin_size, char **password, size_t *password_len, void *usrptr); +int cryptsetup_token_open(struct crypt_device *cd, int token, + char **password, size_t *password_len, void *usrptr); +void cryptsetup_token_dump(struct crypt_device *cd, const char *json); +int cryptsetup_token_validate(struct crypt_device *cd, const char *json); + + +const char *cryptsetup_token_version(void) +{ + return TOKEN_VERSION_MAJOR "." TOKEN_VERSION_MINOR; +} + +static json_object *get_token_jobj(struct crypt_device *cd, int token) +{ + const char *json_slot; + + /* libcryptsetup API call */ + if (crypt_token_json_get(cd, token, &json_slot)) + return NULL; + + return json_tokener_parse(json_slot); +} + +int cryptsetup_token_open_pin(struct crypt_device *cd, int token, const char *pin, + size_t pin_size __attribute__((unused)), char **password, size_t *password_len, + void *usrptr __attribute__((unused))) +{ + int r; + json_object *jobj_server, *jobj_user, *jobj_path, *jobj_token, *jobj_keypath; + ssh_key pkey; + ssh_session ssh; + + jobj_token = get_token_jobj(cd, token); + if (!jobj_token) + return -ENOMEM; + + json_object_object_get_ex(jobj_token, "ssh_server", &jobj_server); + json_object_object_get_ex(jobj_token, "ssh_user", &jobj_user); + json_object_object_get_ex(jobj_token, "ssh_path", &jobj_path); + json_object_object_get_ex(jobj_token, "ssh_keypath",&jobj_keypath); + + r = ssh_pki_import_privkey_file(json_object_get_string(jobj_keypath), pin, NULL, NULL, &pkey); + if (r != SSH_OK) { + json_object_put(jobj_token); + if (r == SSH_EOF) { + crypt_log(cd, CRYPT_LOG_ERROR, "Failed to open and import private key.\n"); + return -EINVAL; + } + crypt_log(cd, CRYPT_LOG_ERROR, "Failed to import private key (password protected?).\n"); + return -EAGAIN; + } + + ssh = sshplugin_session_init(cd, json_object_get_string(jobj_server), + json_object_get_string(jobj_user)); + if (!ssh) { + json_object_put(jobj_token); + ssh_key_free(pkey); + return -EINVAL; + } + + r = sshplugin_public_key_auth(cd, ssh, pkey); + ssh_key_free(pkey); + + if (r == SSH_AUTH_SUCCESS) + r = sshplugin_download_password(cd, ssh, json_object_get_string(jobj_path), + password, password_len); + + ssh_disconnect(ssh); + ssh_free(ssh); + json_object_put(jobj_token); + + return r ? -EINVAL : r; +} + +int cryptsetup_token_open(struct crypt_device *cd, int token, + char **password, size_t *password_len, void *usrptr) +{ + return cryptsetup_token_open_pin(cd, token, NULL, 0, password, password_len, usrptr); +} + +void cryptsetup_token_dump(struct crypt_device *cd, const char *json) +{ + json_object *jobj_token, *jobj_server, *jobj_user, *jobj_path, *jobj_keypath; + char buf[4096]; + + jobj_token = json_tokener_parse(json); + if (!jobj_token) + return; + + json_object_object_get_ex(jobj_token, "ssh_server", &jobj_server); + json_object_object_get_ex(jobj_token, "ssh_user", &jobj_user); + json_object_object_get_ex(jobj_token, "ssh_path", &jobj_path); + json_object_object_get_ex(jobj_token, "ssh_keypath",&jobj_keypath); + + if (snprintf(buf, sizeof(buf) - 1, "\tssh_server: %s\n\tssh_user: %s\n" + "\tssh_path: %s\n\tssh_key_path: %s\n", + json_object_get_string(jobj_server), + json_object_get_string(jobj_user), + json_object_get_string(jobj_path), + json_object_get_string(jobj_keypath)) > 0) + crypt_log(cd, CRYPT_LOG_NORMAL, buf); + + json_object_put(jobj_token); +} + +int cryptsetup_token_validate(struct crypt_device *cd, const char *json) +{ + enum json_tokener_error jerr; + json_object *jobj_token, *jobj; + int r = -EINVAL; + + jobj_token = json_tokener_parse_verbose(json, &jerr); + if (!jobj_token) + return -EINVAL; + + if (!json_object_object_get_ex(jobj_token, "ssh_server", &jobj) || + !json_object_is_type(jobj, json_type_string)) { + l_dbg(cd, "ssh_server element is missing or not string."); + goto out; + } + + if (!json_object_object_get_ex(jobj_token, "ssh_user", &jobj) || + !json_object_is_type(jobj, json_type_string)) { + l_dbg(cd, "ssh_user element is missing or not string."); + goto out; + } + + if (!json_object_object_get_ex(jobj_token, "ssh_path", &jobj) || + !json_object_is_type(jobj, json_type_string)) { + l_dbg(cd, "ssh_path element is missing or not string."); + goto out; + } + + if (!json_object_object_get_ex(jobj_token, "ssh_keypath", &jobj) || + !json_object_is_type(jobj, json_type_string)) { + l_dbg(cd, "ssh_keypath element is missing or not string."); + goto out; + } + + r = 0; +out: + json_object_put(jobj_token); + return r; +} diff --git a/tokens/ssh/ssh-utils.c b/tokens/ssh/ssh-utils.c new file mode 100644 index 0000000..564d858 --- /dev/null +++ b/tokens/ssh/ssh-utils.c @@ -0,0 +1,177 @@ +/* + * ssh plugin utilities + * + * Copyright (C) 2016-2023 Milan Broz + * Copyright (C) 2020-2023 Vojtech Trefny + * + * This file is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this file; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include <stdio.h> +#include <stdlib.h> +#include <errno.h> +#include <libssh/libssh.h> +#include <libssh/sftp.h> +#include <fcntl.h> +#include <libcryptsetup.h> +#include "ssh-utils.h" +#include "../lib/nls.h" + +#define KEYFILE_LENGTH_MAX 8192 + +int sshplugin_download_password(struct crypt_device *cd, ssh_session ssh, + const char *path, char **password, size_t *password_len) +{ + char *pass = NULL; + size_t pass_len; + int r; + sftp_attributes sftp_attr = NULL; + sftp_session sftp = NULL; + sftp_file file = NULL; + + sftp = sftp_new(ssh); + if (!sftp) { + crypt_log(cd, CRYPT_LOG_ERROR, _("Cannot create sftp session: ")); + r = SSH_FX_FAILURE; + goto out; + } + + r = sftp_init(sftp); + if (r != SSH_OK) { + crypt_log(cd, CRYPT_LOG_ERROR, _("Cannot init sftp session: ")); + goto out; + } + + file = sftp_open(sftp, path, O_RDONLY, 0); + if (!file) { + crypt_log(cd, CRYPT_LOG_ERROR, _("Cannot open sftp session: ")); + r = SSH_FX_FAILURE; + goto out; + } + + sftp_attr = sftp_fstat(file); + if (!sftp_attr) { + crypt_log(cd, CRYPT_LOG_ERROR, _("Cannot stat sftp file: ")); + r = SSH_FX_FAILURE; + goto out; + } + + pass_len = sftp_attr->size > KEYFILE_LENGTH_MAX ? KEYFILE_LENGTH_MAX : sftp_attr->size; + pass = malloc(pass_len); + if (!pass) { + crypt_log(cd, CRYPT_LOG_ERROR, _("Not enough memory.\n")); + r = SSH_FX_FAILURE; + goto out; + } + + r = sftp_read(file, pass, pass_len); + if (r < 0 || (size_t)r != pass_len) { + crypt_log(cd, CRYPT_LOG_ERROR, _("Cannot read remote key: ")); + r = SSH_FX_FAILURE; + goto out; + } + + *password = pass; + *password_len = pass_len; + + r = SSH_OK; +out: + if (r != SSH_OK) { + crypt_log(cd, CRYPT_LOG_ERROR, ssh_get_error(ssh)); + crypt_log(cd, CRYPT_LOG_ERROR, "\n"); + free(pass); + } + + if (sftp_attr) + sftp_attributes_free(sftp_attr); + + if (file) + sftp_close(file); + if (sftp) + sftp_free(sftp); + return r == SSH_OK ? 0 : -EINVAL; +} + +ssh_session sshplugin_session_init(struct crypt_device *cd, const char *host, const char *user) +{ + int r, port = 22; + ssh_session ssh = ssh_new(); + if (!ssh) + return NULL; + + ssh_options_set(ssh, SSH_OPTIONS_HOST, host); + ssh_options_set(ssh, SSH_OPTIONS_USER, user); + ssh_options_set(ssh, SSH_OPTIONS_PORT, &port); + + crypt_log(cd, CRYPT_LOG_NORMAL, "SSH token initiating ssh session.\n"); + + r = ssh_connect(ssh); + if (r != SSH_OK) { + crypt_log(cd, CRYPT_LOG_ERROR, _("Connection failed: ")); + goto out; + } + +#if HAVE_DECL_SSH_SESSION_IS_KNOWN_SERVER + r = ssh_session_is_known_server(ssh); +#else + r = ssh_is_server_known(ssh); +#endif + if (r != SSH_SERVER_KNOWN_OK) { + crypt_log(cd, CRYPT_LOG_ERROR, _("Server not known: ")); + r = SSH_AUTH_ERROR; + goto out; + } + + r = SSH_OK; + + /* initialise list of authentication methods. yes, according to official libssh docs... */ + ssh_userauth_none(ssh, NULL); +out: + if (r != SSH_OK) { + crypt_log(cd, CRYPT_LOG_ERROR, ssh_get_error(ssh)); + crypt_log(cd, CRYPT_LOG_ERROR, "\n"); + ssh_disconnect(ssh); + ssh_free(ssh); + ssh = NULL; + } + + return ssh; +} + +int sshplugin_public_key_auth(struct crypt_device *cd, ssh_session ssh, const ssh_key pkey) +{ + int r; + + crypt_log(cd, CRYPT_LOG_DEBUG, "Trying public key authentication method.\n"); + + if (!(ssh_userauth_list(ssh, NULL) & SSH_AUTH_METHOD_PUBLICKEY)) { + crypt_log(cd, CRYPT_LOG_ERROR, _("Public key auth method not allowed on host.\n")); + return SSH_AUTH_ERROR; + } + + r = ssh_userauth_try_publickey(ssh, NULL, pkey); + if (r == SSH_AUTH_SUCCESS) { + crypt_log(cd, CRYPT_LOG_DEBUG, "Public key method accepted.\n"); + r = ssh_userauth_publickey(ssh, NULL, pkey); + } + + if (r != SSH_AUTH_SUCCESS) { + crypt_log(cd, CRYPT_LOG_ERROR, _("Public key authentication error: ")); + crypt_log(cd, CRYPT_LOG_ERROR, ssh_get_error(ssh)); + crypt_log(cd, CRYPT_LOG_ERROR, "\n"); + } + + return r; +} diff --git a/tokens/ssh/ssh-utils.h b/tokens/ssh/ssh-utils.h new file mode 100644 index 0000000..a491275 --- /dev/null +++ b/tokens/ssh/ssh-utils.h @@ -0,0 +1,29 @@ +/* + * ssh plugin utilities + * + * Copyright (C) 2016-2023 Milan Broz + * Copyright (C) 2020-2023 Vojtech Trefny + * + * This file is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this file; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include <libssh/libssh.h> +#include <libssh/sftp.h> +#include <libcryptsetup.h> + +int sshplugin_download_password(struct crypt_device *cd, ssh_session ssh, + const char *path, char **password, size_t *password_len); +ssh_session sshplugin_session_init(struct crypt_device *cd, const char *host, const char *user); +int sshplugin_public_key_auth(struct crypt_device *cd, ssh_session ssh, const ssh_key pkey); |