From e6cc278009192926d1fe0e9a87c8d69047dbdb7f Mon Sep 17 00:00:00 2001 From: William Brown Date: Mar 07 2018 22:21:57 +0000 Subject: Merge #49589 `merge svrcore into 389-ds-base` --- diff --git a/Makefile.am b/Makefile.am index a47201a..9ba52b9 100644 --- a/Makefile.am +++ b/Makefile.am @@ -26,7 +26,6 @@ CMOCKA_INCLUDES = @cmocka_inc@ PROFILING_DEFINES = @profiling_defs@ NSPR_INCLUDES = @nspr_inc@ -SVRCORE_INCLUDES = @svrcore_inc@ SASL_INCLUDES = @sasl_inc@ EVENT_INCLUDES = @event_inc@ @@ -70,6 +69,8 @@ endif NUNCSTANS_INCLUDES = -I$(srcdir)/src/nunc-stans/include/ NUNC_STANS_ON = 1 +SVRCORE_INCLUDES = -I$(srcdir)/src/svrcore/src/ + # the -U undefines these symbols - should use the corresponding DS_ ones instead - see configure.ac DS_DEFINES = -DBUILD_NUM=$(BUILDNUM) -DVENDOR="\"$(vendor)\"" -DBRAND="\"$(brand)\"" -DCAPBRAND="\"$(capbrand)\"" \ -UPACKAGE_VERSION -UPACKAGE_TARNAME -UPACKAGE_STRING -UPACKAGE_BUGREPORT @@ -142,7 +143,6 @@ ldaplib_defs = @ldaplib_defs@ DB_LINK = @db_lib@ -ldb-@db_libver@ SASL_LINK = @sasl_lib@ -lsasl2 -SVRCORE_LINK = @svrcore_lib@ -lsvrcore ICU_LINK = @icu_lib@ -licui18n -licuuc -licudata PCRE_LINK = @pcre_lib@ -lpcre NETSNMP_LINK = @netsnmp_lib@ @netsnmp_link@ @@ -331,6 +331,7 @@ bin_PROGRAMS = dbscan \ server_LTLIBRARIES = libsds.la libnunc-stans.la libldaputil.la libslapd.la libns-dshttpd.la +lib_LTLIBRARIES = libsvrcore.la # this is how to add optional plugins if enable_pam_passthru @@ -934,7 +935,8 @@ cockpitcss_DATA = src/cockpit/389-console/css/ds.css \ pkgconfig_DATA = src/pkgconfig/dirsrv.pc \ src/pkgconfig/libsds.pc \ - src/pkgconfig/nunc-stans.pc + src/pkgconfig/nunc-stans.pc \ + src/pkgconfig/svrcore.pc #------------------------ # header files @@ -946,6 +948,8 @@ serverinc_HEADERS = ldap/servers/plugins/replication/repl-session-plugin.h \ src/nunc-stans/include/nunc-stans.h \ src/libsds/include/sds.h +include_HEADERS = src/svrcore/src/svrcore.h + #------------------------ # man pages #------------------------ 
@@ -1118,6 +1122,26 @@ libldaputil_la_LDFLAGS = $(AM_LDFLAGS) #//////////////////////////////////////////////////////////////// #------------------------ +# libsvrcore +#------------------------ +libsvrcore_la_SOURCES = \ + src/svrcore/src/alt.c \ + src/svrcore/src/cache.c \ + src/svrcore/src/errors.c \ + src/svrcore/src/file.c \ + src/svrcore/src/ntgetpin.c \ + src/svrcore/src/ntresource.h \ + src/svrcore/src/pin.c \ + src/svrcore/src/pk11.c \ + src/svrcore/src/std.c \ + src/svrcore/src/systemd-ask-pass.c \ + src/svrcore/src/std-systemd.c \ + src/svrcore/src/user.c + +libsvrcore_la_LDFLAGS = $(AM_LDFLAGS) +libsvrcore_la_CPPFLAGS = $(AM_CPPFLAGS) $(SVRCORE_INCLUDES) $(DSPLUGIN_CPPFLAGS) + +#------------------------ # libsds #------------------------ libsds_la_SOURCES = src/libsds/sds/core/utils.c \ @@ -1363,8 +1387,8 @@ libslapd_la_SOURCES = ldap/servers/slapd/add.c \ ldap/servers/slapd/slapi_pal.c \ $(libavl_a_SOURCES) -libslapd_la_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS) $(SASL_INCLUDES) @db_inc@ $(SVRCORE_INCLUDES) @kerberos_inc@ @pcre_inc@ $(SDS_CPPFLAGS) -libslapd_la_LIBADD = $(LDAPSDK_LINK) $(SASL_LINK) $(SVRCORE_LINK) $(NSS_LINK) $(NSPR_LINK) $(KERBEROS_LINK) $(PCRE_LINK) $(THREADLIB) $(SYSTEMD_LINK) libsds.la +libslapd_la_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS) $(SASL_INCLUDES) @db_inc@ @kerberos_inc@ @pcre_inc@ $(SDS_CPPFLAGS) $(SVRCORE_INCLUDES) +libslapd_la_LIBADD = $(LDAPSDK_LINK) $(SASL_LINK) $(NSS_LINK) $(NSPR_LINK) $(KERBEROS_LINK) $(PCRE_LINK) $(THREADLIB) $(SYSTEMD_LINK) libsds.la libsvrcore.la libslapd_la_LDFLAGS = $(AM_LDFLAGS) $(SLAPD_LDFLAGS) 
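Review bot: The new `libsvrcore` section sets `libsvrcore_la_SOURCES`, `libsvrcore_la_LDFLAGS` and `libsvrcore_la_CPPFLAGS` but no `libsvrcore_la_LIBADD`, so the shared library is linked without recording its own NSS/NSPR dependencies. That matters because an earlier hunk installs it publicly through `lib_LTLIBRARIES`, and svrcore.pc in this commit declares `Requires: nspr, nss`. The source list also includes `std-systemd.c` and `systemd-ask-pass.c`, which presumably need libsystemd. I would add `libsvrcore_la_LIBADD = $(NSS_LINK) $(NSPR_LINK) $(SYSTEMD_LINK)` so external consumers of libsvrcore.so do not depend on link order or on symbols that happen to be loaded by something else. `ntgetpin.c` and `ntresource.h` look Windows-specific; unless the sources guard themselves completely, they belong behind an automake conditional.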
@@ -1616,7 +1640,7 @@ libpbe_plugin_la_SOURCES = ldap/servers/plugins/rever/pbe.c \ ldap/servers/plugins/rever/rever.c libpbe_plugin_la_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS) $(SVRCORE_INCLUDES) -libpbe_plugin_la_LIBADD = libslapd.la $(NSS_LINK) +libpbe_plugin_la_LIBADD = libslapd.la libsvrcore.la $(NSS_LINK) libpbe_plugin_la_DEPENDENCIES = libslapd.la libpbe_plugin_la_LDFLAGS = -avoid-version @@ -2006,7 +2030,7 @@ ldif_LDADD = $(NSPR_LINK) $(NSS_LINK) $(LDAPSDK_LINK_NOTHR) $(SASL_LINK) migratecred_SOURCES = ldap/servers/slapd/tools/migratecred.c migratecred_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS) -migratecred_LDADD = libslapd.la $(NSPR_LINK) $(NSS_LINK) $(SVRCORE_LINK) $(LDAPSDK_LINK) $(SASL_LINK) +migratecred_LDADD = libslapd.la libsvrcore.la $(NSPR_LINK) $(NSS_LINK) $(LDAPSDK_LINK) $(SASL_LINK) migratecred_DEPENDENCIES = libslapd.la #------------------------ @@ -2015,7 +2039,7 @@ migratecred_DEPENDENCIES = libslapd.la mmldif_SOURCES = ldap/servers/slapd/tools/mmldif.c mmldif_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS) -mmldif_LDADD = libslapd.la $(NSPR_LINK) $(NSS_LINK) $(SVRCORE_LINK) $(LDAPSDK_LINK_NOTHR) $(SASL_LINK) +mmldif_LDADD = libslapd.la libsvrcore.la $(NSPR_LINK) $(NSS_LINK) $(LDAPSDK_LINK_NOTHR) $(SASL_LINK) mmldif_DEPENDENCIES = libslapd.la #------------------------ 
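Review bot: `libpbe_plugin_la_DEPENDENCIES = libslapd.la` is left unchanged although `libsvrcore.la` is now in `libpbe_plugin_la_LIBADD`. Automake derives `_DEPENDENCIES` from `_LIBADD`/`_LDADD` only when the variable is not set by hand, so the link rule has no direct prerequisite on libsvrcore.la. It probably still builds because libslapd.la itself links libsvrcore.la, but under `make -j` that is only an indirect ordering guarantee. I would write `libpbe_plugin_la_DEPENDENCIES = libslapd.la libsvrcore.la`, and do the same for `migratecred_DEPENDENCIES` and `mmldif_DEPENDENCIES` in the next two hunks and for `ns_slapd_DEPENDENCIES` and `pwdhash_DEPENDENCIES` further down.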
@@ -2067,8 +2091,8 @@ ns_slapd_SOURCES = ldap/servers/slapd/abandon.c \ $(GETSOCKETPEER) ns_slapd_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS) $(SASL_INCLUDES) $(SVRCORE_INCLUDES) -ns_slapd_LDADD = libnunc-stans.la libslapd.la libldaputil.la $(LDAPSDK_LINK) $(NSS_LINK) $(LIBADD_DL) \ - $(NSPR_LINK) $(SASL_LINK) $(SVRCORE_LINK) $(LIBNSL) $(LIBSOCKET) $(THREADLIB) $(SYSTEMD_LINK) $(EVENT_LINK) +ns_slapd_LDADD = libnunc-stans.la libslapd.la libldaputil.la libsvrcore.la $(LDAPSDK_LINK) $(NSS_LINK) $(LIBADD_DL) \ + $(NSPR_LINK) $(SASL_LINK) $(LIBNSL) $(LIBSOCKET) $(THREADLIB) $(SYSTEMD_LINK) $(EVENT_LINK) ns_slapd_DEPENDENCIES = libslapd.la libnunc-stans.la # We need to link ns-slapd with the C++ compiler on HP-UX since we load # some C++ shared libraries (such as icu). @@ -2084,7 +2108,7 @@ endif pwdhash_SOURCES = ldap/servers/slapd/tools/pwenc.c pwdhash_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS) -pwdhash_LDADD = libslapd.la $(NSPR_LINK) $(NSS_LINK) $(SVRCORE_LINK) $(LDAPSDK_LINK) $(SASL_LINK) +pwdhash_LDADD = libslapd.la libsvrcore.la $(NSPR_LINK) $(NSS_LINK) $(LDAPSDK_LINK) $(SASL_LINK) pwdhash_DEPENDENCIES = libslapd.la #------------------------ @@ -2128,14 +2152,14 @@ test_slapd_SOURCES = test/main.c \ test/plugins/pwdstorage/pbkdf2.c # We need to link a lot of plugins for this test. -test_slapd_LDADD = libslapd.la \ +test_slapd_LDADD = libslapd.la \ libpwdstorage-plugin.la \ $(NSS_LINK) $(NSPR_LINK) test_slapd_LDFLAGS = $(AM_CPPFLAGS) $(CMOCKA_LINKS) ### WARNING: Slap.h needs cert.h, which requires the -I/lib/ldaputil!!! ### WARNING: Slap.h pulls ssl.h, which requires nss!!!! # We need to pull in plugin header paths too: -test_slapd_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS) $(DSINTERNAL_CPPFLAGS) \ +test_slapd_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS) $(DSINTERNAL_CPPFLAGS) \ -I$(srcdir)/ldap/servers/plugins/pwdstorage test_libsds_SOURCES = src/libsds/test/test_sds.c \ 
@@ -2388,7 +2412,7 @@ rpms: rpmbrprep srpm: rpmbrprep cd $(RPMBUILD); \ rpmbuild --define "_topdir $(RPMBUILD)" \ - -bs SPECS/389-ds-base.spec + -bs SPECS/389-ds-base.spec if HAVE_DOXYGEN diff --git a/configure.ac b/configure.ac index 0ed57e1..8330542 100644 --- a/configure.ac +++ b/configure.ac @@ -802,7 +802,6 @@ m4_include(m4/openldap.m4) m4_include(m4/mozldap.m4) m4_include(m4/db.m4) m4_include(m4/sasl.m4) -m4_include(m4/svrcore.m4) m4_include(m4/icu.m4) m4_include(m4/netsnmp.m4) m4_include(m4/kerberos.m4) @@ -863,7 +862,7 @@ AC_DEFINE([LDAP_ERROR_LOGGING], [1], [LDAP error logging flag]) # AC_CONFIG_FILES([ldap/admin/src/defaults.inf]) -AC_CONFIG_FILES([src/pkgconfig/dirsrv.pc src/pkgconfig/nunc-stans.pc src/pkgconfig/libsds.pc]) +AC_CONFIG_FILES([src/pkgconfig/dirsrv.pc src/pkgconfig/nunc-stans.pc src/pkgconfig/libsds.pc src/pkgconfig/svrcore.pc]) AC_CONFIG_FILES([Makefile rpm/389-ds-base.spec ]) diff --git a/m4/svrcore.m4 b/m4/svrcore.m4 deleted file mode 100644 index f50f4a9..0000000 --- a/m4/svrcore.m4 +++ /dev/null 
@@ -1,112 +0,0 @@ -# BEGIN COPYRIGHT BLOCK -# Copyright (C) 2007 Red Hat, Inc. -# All rights reserved. -# -# License: GPL (version 3 or any later version). -# See LICENSE for details. -# END COPYRIGHT BLOCK -# -# Configure paths for SVRCORE - -AC_CHECKING(for SVRCORE) - -AC_MSG_CHECKING(for --with-svrcore) -AC_ARG_WITH(svrcore, - AS_HELP_STRING([--with-svrcore@<:@=PATH@:>@],[Use system installed SVRCORE - optional path for SVRCORE]), - dnl = Look in the standard system locations - [ - if test "$withval" = "yes"; then - AC_MSG_RESULT(yes) - - elif test "$withval" = "no"; then - AC_MSG_RESULT(no) - AC_MSG_ERROR([SVRCORE is required.]) - - dnl = Check the user provided location - elif test -d "$withval" -a -d "$withval/lib" -a -d "$withval/include" ; then - AC_MSG_RESULT([using $withval]) - - if test -f "$withval/include/svrcore.h"; then - svrcore_inc="-I$withval/include" - else - AC_MSG_ERROR(svrcore.h not found) - fi - - svrcore_lib="-L$withval/lib" - else - AC_MSG_RESULT(yes) - AC_MSG_ERROR([SVRCORE not found in $withval]) - fi - ], - AC_MSG_RESULT(yes)) - -AC_MSG_CHECKING(for --with-svrcore-inc) -AC_ARG_WITH(svrcore-inc, - AS_HELP_STRING([--with-svrcore-inc=PATH],[SVRCORE include file directory]), - [ - if test -f "$withval"/svrcore.h; then - AC_MSG_RESULT([using $withval]) - svrcore_inc="-I$withval" - else - echo - AC_MSG_ERROR([$withval/svrcore.h not found]) - fi - ], - AC_MSG_RESULT(no)) - -AC_MSG_CHECKING(for --with-svrcore-lib) -AC_ARG_WITH(svrcore-lib, - AS_HELP_STRING([--with-svrcore-lib=PATH],[SVRCORE library directory]), - [ - if test -d "$withval"; then - AC_MSG_RESULT([using $withval]) - svrcore_lib="-L$withval" - else - echo - AC_MSG_ERROR([$withval not found]) - fi - ], - AC_MSG_RESULT(no)) - -dnl svrcore not given - look for pkg-config -if test -z "$svrcore_inc" -o -z "$svrcore_lib"; then - AC_PATH_PROG(PKG_CONFIG, pkg-config) - AC_MSG_CHECKING(for SVRCORE with pkg-config) - if test -n "$PKG_CONFIG"; then - if $PKG_CONFIG --exists svrcore; then - 
svrcore_inc=`$PKG_CONFIG --cflags-only-I svrcore` - svrcore_lib=`$PKG_CONFIG --libs-only-L svrcore` - AC_MSG_RESULT([using system svrcore]) - fi - fi -fi - -if test -z "$svrcore_inc" -o -z "$svrcore_lib"; then -dnl just see if SVRCORE is already a system library - AC_CHECK_LIB([svrcore], [SVRCORE_GetRegisteredPinObj], [havesvrcore=1], - [], [$nss_inc $nspr_inc $nss_lib -lnss3 -lsoftokn3 $nspr_lib -lplds4 -lplc4 -lnspr4]) - if test -n "$havesvrcore" ; then -dnl just see if SVRCORE is already a system header file - save_cppflags="$CPPFLAGS" - CPPFLAGS="$nss_inc $nspr_inc" - AC_CHECK_HEADER([svrcore.h], [havesvrcore=1], [havesvrcore=]) - CPPFLAGS="$save_cppflags" - fi -dnl for SVRCORE to be present, both the library and the header must exist - if test -z "$havesvrcore" ; then - AC_MSG_ERROR([SVRCORE not found, specify with --with-svrcore.]) - fi -fi - -dnl = Check for svrcore.h in the normal locations -if test -z "$svrcore_inc" -o -z "$svrcore_lib"; then - if test -f /usr/include/svrcore.h; then - svrcore_inc="-I/usr/include" - svrcore_lib="-L/usr/lib" - else - AC_MSG_ERROR([SVRCORE not found, specify with --with-svrcore.]) - fi -fi - -AC_SUBST(svrcore_inc) -AC_SUBST(svrcore_lib) diff --git a/rpm/389-ds-base.spec.in b/rpm/389-ds-base.spec.in index 7a93ee3..ebe1bcd 100644 --- a/rpm/389-ds-base.spec.in +++ b/rpm/389-ds-base.spec.in @@ -22,6 +22,9 @@ %global use_perl __PERL_ON__ +%define nspr_version 4.6 +%define nss_version 3.11 + %if %{use_asan} %global use_tcmalloc 0 %global variant base-asan @@ -64,7 +67,6 @@ Provides: ldif2ldbm # Attach the buildrequires to the top level package: BuildRequires: nspr-devel BuildRequires: nss-devel -BuildRequires: svrcore-devel >= 4.1.2 BuildRequires: openldap-devel BuildRequires: libdb-devel BuildRequires: cyrus-sasl-devel 
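Review bot: `%define nspr_version 4.6` and `%define nss_version 3.11` are added near the top of the spec, but no hunk on this page references either macro; `BuildRequires: nspr-devel` and `BuildRequires: nss-devel` in the next hunk stay unversioned. Either use them, e.g. `BuildRequires: nss-devel >= %{nss_version}`, or drop them. If they stay, `%global` would match the neighbouring `%global use_perl` line. The floors look as if they were carried over from the standalone svrcore packaging (an assumption), so they are worth re-checking against the NSS/NSPR releases the bundled PIN-handling code is actually built and tested with.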
@@ -95,6 +97,8 @@ BuildRequires: libasan BuildRequires: cargo BuildRequires: rust %endif +BuildRequires: pkgconfig +BuildRequires: pkgconfig(systemd) # Needed to support regeneration of the autotool artifacts. BuildRequires: autoconf BuildRequires: automake @@ -180,6 +184,9 @@ Please see http://seclists.org/oss-sec/2016/q1/363 for more information. %package libs Summary: Core libraries for 389 Directory Server (%{variant}) Group: System Environment/Daemons +Provides: svrcore = 4.1.4 +Obsoletes: svrcore <= 4.1.3 +Conflicts: svrcore # You can work this out by running LDD on libslapd.so to see what it needs in # isolation. Requires: nss @@ -205,11 +212,13 @@ package to be installed with just the -libs package and without the main package %package devel Summary: Development libraries for 389 Directory Server (%{variant}) Group: Development/Libraries +Provides: svrcore-devel = 4.1.4 +Obsoletes: svrcore-devel <= 4.1.3 +Conflicts: svrcore-devel Requires: %{name}-libs = %{version}-%{release} Requires: pkgconfig Requires: nspr-devel Requires: nss-devel -Requires: svrcore-devel Requires: openldap-devel # systemd-libs contains the headers iirc. Requires: systemd-libs @@ -277,7 +286,7 @@ CLANG_FLAGS="--enable-clang" %{?with_tmpfiles_d: TMPFILES_FLAG="--with-tmpfiles-d=%{with_tmpfiles_d}"} # hack hack hack https://bugzilla.redhat.com/show_bug.cgi?id=833529 -NSSARGS="--with-svrcore-inc=%{_includedir} --with-svrcore-lib=%{_libdir} --with-nss-lib=%{_libdir} --with-nss-inc=%{_includedir}/nss3" +NSSARGS="--with-nss-lib=%{_libdir} --with-nss-inc=%{_includedir}/nss3" %if %{use_asan} && !%{use_rust} ASAN_FLAGS="--enable-asan --enable-debug" @@ -354,6 +363,8 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/%{pkgname}/*.a rm -f $RPM_BUILD_ROOT%{_libdir}/%{pkgname}/*.la rm -f $RPM_BUILD_ROOT%{_libdir}/%{pkgname}/plugins/*.a rm -f $RPM_BUILD_ROOT%{_libdir}/%{pkgname}/plugins/*.la +rm -f $RPM_BUILD_ROOT%{_libdir}/libsvrcore.a +rm -f $RPM_BUILD_ROOT%{_libdir}/libsvrcore.la %if %{use_perl} 
@@ -564,18 +575,24 @@ fi %defattr(-,root,root,-) %doc LICENSE LICENSE.GPLv3+ LICENSE.openssl README.devel %{_mandir}/man3/* +%{_includedir}/svrcore.h %{_includedir}/%{pkgname} +%{_libdir}/libsvrcore.so %{_libdir}/%{pkgname}/libslapd.so %{_libdir}/%{pkgname}/libns-dshttpd.so %{_libdir}/%{pkgname}/libnunc-stans.so %{_libdir}/%{pkgname}/libsds.so %{_libdir}/%{pkgname}/libldaputil.so -%{_libdir}/pkgconfig/* +%{_libdir}/pkgconfig/svrcore.pc +%{_libdir}/pkgconfig/dirsrv.pc +%{_libdir}/pkgconfig/libsds.pc +%{_libdir}/pkgconfig/nunc-stans.pc %files libs %defattr(-,root,root,-) %doc LICENSE LICENSE.GPLv3+ LICENSE.openssl README.devel %dir %{_libdir}/%{pkgname} +%{_libdir}/libsvrcore.so.* %{_libdir}/%{pkgname}/libslapd.so.* %{_libdir}/%{pkgname}/libns-dshttpd-*.so %{_libdir}/%{pkgname}/libnunc-stans.so.* diff --git a/src/pkgconfig/svrcore.pc.in b/src/pkgconfig/svrcore.pc.in new file mode 100644 index 0000000..b09d629 --- /dev/null +++ b/src/pkgconfig/svrcore.pc.in @@ -0,0 +1,11 @@ +prefix=@prefix@ +exec_prefix=@exec_prefix@ +libdir=@libdir@ +includedir=@includedir@ + +Name: svrcore +Description: Svrcore - Secure PIN handling using NSS crypto +Version: @PACKAGE_VERSION@ +Requires: nspr, nss +Libs: -lsvrcore +Cflags: -I${includedir} diff --git a/src/svrcore/AUTHORS b/src/svrcore/AUTHORS new file mode 100644 index 0000000..b391368 --- /dev/null +++ b/src/svrcore/AUTHORS @@ -0,0 +1,3 @@ + +2016 William Brown + diff --git a/src/svrcore/COPYING b/src/svrcore/COPYING new file mode 100644 index 0000000..bc6a2a4 --- /dev/null +++ b/src/svrcore/COPYING @@ -0,0 +1,2 @@ +This file intentionally left empty. Do not use the one generated +by autoreconf. See LICENSE for license information. diff --git a/src/svrcore/ChangeLog b/src/svrcore/ChangeLog new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/src/svrcore/ChangeLog diff --git a/src/svrcore/INSTALL b/src/svrcore/INSTALL new file mode 100644 index 0000000..2099840 --- /dev/null +++ b/src/svrcore/INSTALL 
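Review bot: `Version: @PACKAGE_VERSION@` in svrcore.pc.in is substituted by the top-level configure, since this commit adds `src/pkgconfig/svrcore.pc` to its `AC_CONFIG_FILES`. The .pc file will therefore report the 389-ds-base version, while the spec advertises `Provides: svrcore = 4.1.4`. A consumer doing a pkg-config version check against the old svrcore numbering can then get a different answer from the one RPM dependency resolution gives; pin the svrcore version explicitly in the template or document the renumbering. Separately, `libdir` is defined but `Libs:` does not use it; `Libs: -L${libdir} -lsvrcore` keeps builds against a non-default prefix from picking up a different libsvrcore on the default search path.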
@@ -0,0 +1,370 @@ +Installation Instructions +************************* + +Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation, +Inc. + + Copying and distribution of this file, with or without modification, +are permitted in any medium without royalty provided the copyright +notice and this notice are preserved. This file is offered as-is, +without warranty of any kind. + +Basic Installation +================== + + Briefly, the shell command `./configure && make && make install' +should configure, build, and install this package. The following +more-detailed instructions are generic; see the `README' file for +instructions specific to this package. Some packages provide this +`INSTALL' file but do not implement all of the features documented +below. The lack of an optional feature in a given package is not +necessarily a bug. More recommendations for GNU packages can be found +in *note Makefile Conventions: (standards)Makefile Conventions. + + The `configure' shell script attempts to guess correct values for +various system-dependent variables used during compilation. It uses +those values to create a `Makefile' in each directory of the package. +It may also create one or more `.h' files containing system-dependent +definitions. Finally, it creates a shell script `config.status' that +you can run in the future to recreate the current configuration, and a +file `config.log' containing compiler output (useful mainly for +debugging `configure'). + + It can also use an optional file (typically called `config.cache' +and enabled with `--cache-file=config.cache' or simply `-C') that saves +the results of its tests to speed up reconfiguring. Caching is +disabled by default to prevent problems with accidental use of stale +cache files. 
+ + If you need to do unusual things to compile the package, please try +to figure out how `configure' could check whether to do them, and mail +diffs or instructions to the address given in the `README' so they can +be considered for the next release. If you are using the cache, and at +some point `config.cache' contains results you don't want to keep, you +may remove or edit it. + + The file `configure.ac' (or `configure.in') is used to create +`configure' by a program called `autoconf'. You need `configure.ac' if +you want to change it or regenerate `configure' using a newer version +of `autoconf'. + + The simplest way to compile this package is: + + 1. `cd' to the directory containing the package's source code and type + `./configure' to configure the package for your system. + + Running `configure' might take a while. While running, it prints + some messages telling which features it is checking for. + + 2. Type `make' to compile the package. + + 3. Optionally, type `make check' to run any self-tests that come with + the package, generally using the just-built uninstalled binaries. + + 4. Type `make install' to install the programs and any data files and + documentation. When installing into a prefix owned by root, it is + recommended that the package be configured and built as a regular + user, and only the `make install' phase executed with root + privileges. + + 5. Optionally, type `make installcheck' to repeat any self-tests, but + this time using the binaries in their final installed location. + This target does not install anything. Running this target as a + regular user, particularly if the prior `make install' required + root privileges, verifies that the installation completed + correctly. + + 6. You can remove the program binaries and object files from the + source code directory by typing `make clean'. To also remove the + files that `configure' created (so you can compile the package for + a different kind of computer), type `make distclean'. 
There is + also a `make maintainer-clean' target, but that is intended mainly + for the package's developers. If you use it, you may have to get + all sorts of other programs in order to regenerate files that came + with the distribution. + + 7. Often, you can also type `make uninstall' to remove the installed + files again. In practice, not all packages have tested that + uninstallation works correctly, even though it is required by the + GNU Coding Standards. + + 8. Some packages, particularly those that use Automake, provide `make + distcheck', which can by used by developers to test that all other + targets like `make install' and `make uninstall' work correctly. + This target is generally not run by end users. + +Compilers and Options +===================== + + Some systems require unusual options for compilation or linking that +the `configure' script does not know about. Run `./configure --help' +for details on some of the pertinent environment variables. + + You can give `configure' initial values for configuration parameters +by setting variables in the command line or in the environment. Here +is an example: + + ./configure CC=c99 CFLAGS=-g LIBS=-lposix + + *Note Defining Variables::, for more details. + +Compiling For Multiple Architectures +==================================== + + You can compile the package for more than one kind of computer at the +same time, by placing the object files for each architecture in their +own directory. To do this, you can use GNU `make'. `cd' to the +directory where you want the object files and executables to go and run +the `configure' script. `configure' automatically checks for the +source code in the directory that `configure' is in and in `..'. This +is known as a "VPATH" build. + + With a non-GNU `make', it is safer to compile the package for one +architecture at a time in the source code directory. 
After you have +installed the package for one architecture, use `make distclean' before +reconfiguring for another architecture. + + On MacOS X 10.5 and later systems, you can create libraries and +executables that work on multiple system types--known as "fat" or +"universal" binaries--by specifying multiple `-arch' options to the +compiler but only a single `-arch' option to the preprocessor. Like +this: + + ./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ + CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ + CPP="gcc -E" CXXCPP="g++ -E" + + This is not guaranteed to produce working output in all cases, you +may have to build one architecture at a time and combine the results +using the `lipo' tool if you have problems. + +Installation Names +================== + + By default, `make install' installs the package's commands under +`/usr/local/bin', include files under `/usr/local/include', etc. You +can specify an installation prefix other than `/usr/local' by giving +`configure' the option `--prefix=PREFIX', where PREFIX must be an +absolute file name. + + You can specify separate installation prefixes for +architecture-specific files and architecture-independent files. If you +pass the option `--exec-prefix=PREFIX' to `configure', the package uses +PREFIX as the prefix for installing programs and libraries. +Documentation and other data files still use the regular prefix. + + In addition, if you use an unusual directory layout you can give +options like `--bindir=DIR' to specify different values for particular +kinds of files. Run `configure --help' for a list of the directories +you can set and what kinds of files go in them. In general, the +default for these options is expressed in terms of `${prefix}', so that +specifying just `--prefix' will affect all of the other directory +specifications that were not explicitly provided. 
+ + The most portable way to affect installation locations is to pass the +correct locations to `configure'; however, many packages provide one or +both of the following shortcuts of passing variable assignments to the +`make install' command line to change installation locations without +having to reconfigure or recompile. + + The first method involves providing an override variable for each +affected directory. For example, `make install +prefix=/alternate/directory' will choose an alternate location for all +directory configuration variables that were expressed in terms of +`${prefix}'. Any directories that were specified during `configure', +but not in terms of `${prefix}', must each be overridden at install +time for the entire installation to be relocated. The approach of +makefile variable overrides for each directory variable is required by +the GNU Coding Standards, and ideally causes no recompilation. +However, some platforms have known limitations with the semantics of +shared libraries that end up requiring recompilation when using this +method, particularly noticeable in packages that use GNU Libtool. + + The second method involves providing the `DESTDIR' variable. For +example, `make install DESTDIR=/alternate/directory' will prepend +`/alternate/directory' before all installation names. The approach of +`DESTDIR' overrides is not required by the GNU Coding Standards, and +does not work on platforms that have drive letters. On the other hand, +it does better at avoiding recompilation issues, and works well even +when some directory options were not specified in terms of `${prefix}' +at `configure' time. + +Optional Features +================= + + If the package supports it, you can cause programs to be installed +with an extra prefix or suffix on their names by giving `configure' the +option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. 
+ + Some packages pay attention to `--enable-FEATURE' options to +`configure', where FEATURE indicates an optional part of the package. +They may also pay attention to `--with-PACKAGE' options, where PACKAGE +is something like `gnu-as' or `x' (for the X Window System). The +`README' should mention any `--enable-' and `--with-' options that the +package recognizes. + + For packages that use the X Window System, `configure' can usually +find the X include and library files automatically, but if it doesn't, +you can use the `configure' options `--x-includes=DIR' and +`--x-libraries=DIR' to specify their locations. + + Some packages offer the ability to configure how verbose the +execution of `make' will be. For these packages, running `./configure +--enable-silent-rules' sets the default to minimal output, which can be +overridden with `make V=1'; while running `./configure +--disable-silent-rules' sets the default to verbose, which can be +overridden with `make V=0'. + +Particular systems +================== + + On HP-UX, the default C compiler is not ANSI C compatible. If GNU +CC is not installed, it is recommended to use the following options in +order to use an ANSI C compiler: + + ./configure CC="cc -Ae -D_XOPEN_SOURCE=500" + +and if that doesn't work, install pre-built binaries of GCC for HP-UX. + + HP-UX `make' updates targets which have the same time stamps as +their prerequisites, which makes it generally unusable when shipped +generated files such as `configure' are involved. Use GNU `make' +instead. + + On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot +parse its `' header file. The option `-nodtk' can be used as +a workaround. If GNU CC is not installed, it is therefore recommended +to try + + ./configure CC="cc" + +and if that doesn't work, try + + ./configure CC="cc -nodtk" + + On Solaris, don't put `/usr/ucb' early in your `PATH'. 
This +directory contains several dysfunctional programs; working variants of +these programs are available in `/usr/bin'. So, if you need `/usr/ucb' +in your `PATH', put it _after_ `/usr/bin'. + + On Haiku, software installed for all users goes in `/boot/common', +not `/usr/local'. It is recommended to use the following options: + + ./configure --prefix=/boot/common + +Specifying the System Type +========================== + + There may be some features `configure' cannot figure out +automatically, but needs to determine by the type of machine the package +will run on. Usually, assuming the package is built to be run on the +_same_ architectures, `configure' can figure that out, but if it prints +a message saying it cannot guess the machine type, give it the +`--build=TYPE' option. TYPE can either be a short name for the system +type, such as `sun4', or a canonical name which has the form: + + CPU-COMPANY-SYSTEM + +where SYSTEM can have one of these forms: + + OS + KERNEL-OS + + See the file `config.sub' for the possible values of each field. If +`config.sub' isn't included in this package, then this package doesn't +need to know the machine type. + + If you are _building_ compiler tools for cross-compiling, you should +use the option `--target=TYPE' to select the type of system they will +produce code for. + + If you want to _use_ a cross compiler, that generates code for a +platform different from the build platform, you should specify the +"host" platform (i.e., that on which the generated programs will +eventually be run) with `--host=TYPE'. + +Sharing Defaults +================ + + If you want to set default values for `configure' scripts to share, +you can create a site shell script called `config.site' that gives +default values for variables like `CC', `cache_file', and `prefix'. +`configure' looks for `PREFIX/share/config.site' if it exists, then +`PREFIX/etc/config.site' if it exists. 
Or, you can set the +`CONFIG_SITE' environment variable to the location of the site script. +A warning: not all `configure' scripts look for a site script. + +Defining Variables +================== + + Variables not defined in a site shell script can be set in the +environment passed to `configure'. However, some packages may run +configure again during the build, and the customized values of these +variables may be lost. In order to avoid this problem, you should set +them in the `configure' command line, using `VAR=value'. For example: + + ./configure CC=/usr/local2/bin/gcc + +causes the specified `gcc' to be used as the C compiler (unless it is +overridden in the site shell script). + +Unfortunately, this technique does not work for `CONFIG_SHELL' due to +an Autoconf limitation. Until the limitation is lifted, you can use +this workaround: + + CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash + +`configure' Invocation +====================== + + `configure' recognizes the following options to control how it +operates. + +`--help' +`-h' + Print a summary of all of the options to `configure', and exit. + +`--help=short' +`--help=recursive' + Print a summary of the options unique to this package's + `configure', and exit. The `short' variant lists options used + only in the top level, while the `recursive' variant lists options + also present in any nested packages. + +`--version' +`-V' + Print the version of Autoconf used to generate the `configure' + script, and exit. + +`--cache-file=FILE' + Enable the cache: use and save the results of the tests in FILE, + traditionally `config.cache'. FILE defaults to `/dev/null' to + disable caching. + +`--config-cache' +`-C' + Alias for `--cache-file=config.cache'. + +`--quiet' +`--silent' +`-q' + Do not print messages saying which checks are being made. To + suppress all normal output, redirect it to `/dev/null' (any error + messages will still be shown). 
+ +`--srcdir=DIR' + Look for the package's source code in directory DIR. Usually + `configure' can determine that directory automatically. + +`--prefix=DIR' + Use DIR as the installation prefix. *note Installation Names:: + for more details, including other options available for fine-tuning + the installation locations. + +`--no-create' +`-n' + Run the configure checks, but stop before creating any output + files. + +`configure' also accepts some other, not widely useful, options. Run +`configure --help' for more details. diff --git a/src/svrcore/INSTALL.win b/src/svrcore/INSTALL.win new file mode 100644 index 0000000..6974d21 --- /dev/null +++ b/src/svrcore/INSTALL.win 
@@ -0,0 +1,77 @@ +Building: + +If you are not doing an "in-tree" build, you will need to set the environment variables NSPR_INCLUDE_DIR, NSPR_LIB_DIR, NSS_INCLUDE_DIR, and NSS_LIB_DIR to point to the appropriate places. On Windows, if you are using the build method described below (cygwin + MSVC), you should use the "mixed" style path e.g. +export NSPR_INCLUDE_DIR=`cygpath -m $HOME/nspr-4.6.1/include` +etc. +The MSVC compiler (cl.exe) will barf on paths like /cygdrive/c/foo/bar. + +Unix: +See INSTALL for the usual configure + make + make install + +Windows: +Windows has now (as of 2006/2/1) released free versions of their compiler and platform SDKs - everything you need to build svrcore. + +Prerequisites: +First, you must install 3 packages downloaded from Microsoft. If the links don't work, just go to www.microsoft.com and search for their names until you get to the download links for them. +Second, install CygWin - www.cygwin.com +Third, you need nsinstall.exe from the MozTools wintools package (you don't need anything else) - http://ftp.mozilla.org/pub/mozilla.org/mozilla/source/wintools.zip - just unpack the zip file, extract nsinstall.exe, and place in your PATH + +* Microsoft Visual C++ Toolkit 2003 +** http://msdn.microsoft.com/visualc/vctoolkit2003/ - follow the link to download + +* Microsoft Windows Platform SDK +** http://www.microsoft.com/msdownload/platformsdk/sdkupdate/ +** Minimum install: +*** Choose Custom +*** Choose Windows Core SDK - omit any 64 bit options (unless you need 64 bit binaries) and omit source code (unless you really want it) +*** You can omit everything else (unless you just want to fill up your disk) +** Full Install (if you have lots of disk space, network bandwidth, and time) + +* Microsoft .NET Framework SDK +** http://www.microsoft.com/downloads/details.aspx?familyid=9b3a2ca6-3647-4070-9f41-a333c6b9181d&displaylang=en + +* CygWin +** www.cygwin.com +*** Download and run setup +*** Setup allows you to choose which packages you 
want to install. +*** Minimal Install +**** Archive - tar, zip, unzip +**** Base - most everything here +**** Database - nothing - postgres and bdb are selected by default - deselect them +**** Devel - you really only need binutils, make, and mktemp, but cvs is good to have, and you may be interested in some of the others as well +**** Doc - whatever the defaults are +**** Editors - you probably want some sort of text editor if you don't already have one and don't want to use Notepad/Wordpad +**** Games, Gnome, Graphics - Defaults +**** Interpreters - gawk, perl +**** KDE, Libs, Mail, Math, MinGW, Net, Perl, Publishing, Python - Defaults +**** Shells - ash and bash +**** System - Defaults +**** Text - less +**** Utils - Defaults + patch +**** Web, X11 - Defaults +** After installation is complete, you can have it create a cygwin desktop icon that you launch the cygwin environment from + +Newer versions of the MS VC tools work as well - I've had success using +MS Visual C++ 2005 Express Edition. + +* Setting up your build environment +The first time you launch the cygwin shell, it should create a $HOME/.bash_profile. To set up your PATH, it is easiest to just call vcvars32.bat (provided) +by the MSVC tools) in a batch file that starts up bash. 
If you would +rather set your PATH manually, add the following to $HOME/.bash_profile: +export INCLUDE="c:\Program Files\Microsoft Visual C++ Toolkit 2003\include;c:\Program Files\Microsoft Platform SDK\Include;c:\Program Files\Microsoft Platform SDK\Include\mfc" +export LIB="c:\Program Files\Microsoft Visual C++ Toolkit 2003\lib;c:\Program Files\Microsoft Platform SDK\Lib;c:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\lib" +export ANONMOZCVSROOT=:pserver:anonymous@cvvs-mirror.mozilla.org:/cvsroot +export CVSROOT=$ANONMOZCVSROOT +export PATH="$HOME/bin:/cygdrive/c/Program Files/Microsoft Visual C++ Toolkit 2003/bin:/cygdrive/c/Program Files/Microsoft Platform SDK/Bin:$PATH" + +I've put my nsinstall.exe in my $HOME/bin directory and put that first in my PATH. This assumes you've used the default paths for all of the MS and cygwin installs. If not, change the paths accordingly. In order for the changes to take effect, re-source your file or logout and login again. + +* Building + + cd mozilla/security/svrcore/src + make -f Makefile.win +If that barfs, that it cannot find lib.exe, or it is using the wrong +version of lib.exe (e.g. the cygwin one), do the following: + make -f Makefile.win AR='link /lib -nologo -out:"$@" + +And that's it. The svrcore.lib will be found in mozilla/dist/*.OBJ/lib and svrcore.h will be found in mozilla/dist/public/svrcore. When you go to build the mozilla ldap c sdk that you have checked out into the same source tree, it will automatically find the files it needs when you use configure --with-svrcore ... diff --git a/src/svrcore/LICENSE b/src/svrcore/LICENSE new file mode 100644 index 0000000..d3ea53f --- /dev/null +++ b/src/svrcore/LICENSE 
@@ -0,0 +1,27 @@ +***** BEGIN LICENSE BLOCK ***** +Version: MPL 2.0 + +This Source Code Form is subject to the terms of the Mozilla Public +License, v. 2.0. If a copy of the MPL was not distributed with this +file, You can obtain one at https://mozilla.org/MPL/2.0/. + +Software distributed under the License is distributed on an "AS IS" basis, +WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +for the specific language governing rights and limitations under the +License. + +The Original Code is the Netscape svrcore library. + +The Initial Developer of the Original Code is +Netscape Communications Corporation. +Portions created by the Initial Developer are Copyright (C) 1998 +the Initial Developer. All Rights Reserved. + +Contributor(s): Terry Hayes (Netscape/AOL) was the primary contributor + +Copyright 2016 Red Hat, Inc. and/or its affiliates. + +Contributor(s): Rich Megginson (Red Hat) + William Brown (Red Hat) + +***** END LICENSE BLOCK ***** diff --git a/src/svrcore/Makefile.am b/src/svrcore/Makefile.am new file mode 100644 index 0000000..5ed5a5a --- /dev/null +++ b/src/svrcore/Makefile.am 
@@ -0,0 +1,54 @@
+SUBDIRS=src
+PACKAGE_VERSION = @PACKAGE_VERSION@
+
+EXTRA_DIST= LICENSE \
+ svrcore.spec \
+ svrcore.pc.in \
+ autogen.sh \
+ INSTALL.win
+
+pkgconfigdir= $(libdir)/pkgconfig
+pkgconfig_DATA= svrcore.pc
+
+# if distdir is a git tag, use that for the git archive tag, else
+# just assume a developer build and use HEAD
+git-archive:
+ if [ -n "$(SRCDISTDIR)" -a -d "$(SRCDISTDIR)" ] ; then \
+ srcdistdir=$(SRCDISTDIR) ; \
+ else \
+ srcdistdir=`pwd` ; \
+ fi ; \
+ cd $(srcdir) ; \
+ if git show-ref --tags -q $(distdir) ; then \
+ gittag=$(distdir) ; \
+ else \
+ gittag=HEAD ; \
+ fi ; \
+ git archive --prefix=$(distdir)/ $$gittag | bzip2 > $$srcdistdir/$(distdir).tar.bz2
+
+RPMBUILD ?= $(abs_builddir)/rpmbuild
+
+rpmroot:
+ $(MKDIR_P) $(RPMBUILD)/BUILD
+ $(MKDIR_P) $(RPMBUILD)/RPMS
+ $(MKDIR_P) $(RPMBUILD)/SOURCES
+ $(MKDIR_P) $(RPMBUILD)/SPECS
+ $(MKDIR_P) $(RPMBUILD)/SRPMS
+
+rpmbrprep: git-archive rpmroot
+ cp $(distdir).tar.bz2 $(RPMBUILD)/SOURCES
+ sed -e "s/__VERSION__/$(PACKAGE_VERSION)/" < $(srcdir)/svrcore.spec > $(RPMBUILD)/SPECS/svrcore.spec
+
+# Requires rpmdevtools. Consider making this a dependancy of rpms.
+rpmsources: rpmbrprep
+ spectool -g -S -C $(RPMBUILD)/SOURCES $(RPMBUILD)/SPECS/svrcore.spec
+
+rpms: rpmbrprep
+ cd $(RPMBUILD); \
+ rpmbuild --define "_topdir $(RPMBUILD)" -ba SPECS/svrcore.spec
+
+srpm: rpmbrprep
+ cd $(RPMBUILD); \
+ rpmbuild --define "_topdir $(RPMBUILD)" \
+ -bs SPECS/svrcore.spec
+
diff --git a/src/svrcore/NEWS b/src/svrcore/NEWS
new file mode 100644
index 0000000..ead330f
--- /dev/null
+++ b/src/svrcore/NEWS
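Review bot: In `git-archive`, the tarball is produced by `git archive ... | bzip2 > ...`, so a failing `git archive` is masked by bzip2's exit status and an empty or truncated `$(distdir).tar.bz2` can flow on into `rpmbrprep` and the RPM build. The archive is also written to `$$srcdistdir`, which is `$(SRCDISTDIR)` when that is set, while `rpmbrprep` copies `$(distdir).tar.bz2` from the current directory, so the two can disagree and a stale tarball may be packaged. I would split the pipeline so each step's status is checked, e.g. `git archive --prefix=$(distdir)/ -o $$srcdistdir/$(distdir).tar $$gittag && bzip2 -f $$srcdistdir/$(distdir).tar`, and have `rpmbrprep` copy from the same directory. The `cd $(RPMBUILD); \` lines in `rpms` and `srpm` should use `&&` for the same reason, and none of these command targets is declared `.PHONY`.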
@@ -0,0 +1,31 @@
+svrcore 4.1.3
+=============
+* Code quality fixes.
+
+svrcore 4.1.2
+=============
+* Code quality fixes.
+
+svrcore 4.1.1
+=============
+* Code quality and stability fixes.
+* Improvements to rpm tooling and spec file.
+
+svrcore 4.1.0
+=============
+* Add support for systemd-ask-pass integration
+
+svrcore 4.0.4
+=============
+* Removed some files generated by autoconf which were
+* GPL only
+
+svrcore 4.0.3.01
+================
+* Moved Makefile to src/Makefile.win for Windows build
+* Added support for --with-nspr and --with-nss
+* Use PK11_TokenKeyGenWithFlags instead of PK11_KeyGen
+
+svrcore 4.0.2.02
+================
+* Autotooled the build.
diff --git a/src/svrcore/README b/src/svrcore/README
new file mode 100644
index 0000000..35bf62d
--- /dev/null
+++ b/src/svrcore/README
@@ -0,0 +1,58 @@ +The Netscape svrcore library + +Terry Hayes wrote the Netscape svrcore library in 1998. +Valerie Chu wrote the ntgetpin.c and related files. + +William Brown wrote systemd integration and related parts. + +svrcore used to contain two major parts. + +The first part is what we released on mozilla. It is a kind of +object-oriented package for handling PIN requests from NSS. The +idea was to provide a standard way for servers to allow PIN input +from a file or from the terminal. There is also a PIN handler +that caches the PIN in memory after encrypting it with a key on +a device (such as a Fortezza card). This allowed a server to +restart without having to reenter the PIN. However since the PIN +is encrypted, a core dump would not expose it. In addition, +removing the device would also make the PIN inaccessible. + +The files are: + +svrcore.h - API definition +alt.c - allows two possible PIN request methods to be used (say + file and then terminal) +cache.c - caches the result from another PIN request method +errors.c - error text +file.c - reads the PIN from a specified file +ntgetpin.c - Windows version of a user prompt for PIN +ntgetpin.rc - Windows resource script for ntgetpin.c +ntresource.h - a generated include file used by ntgetpin.rc +key.ico - an icon used by ntgetpin.rc +logo.ico - an icon used by ntgetpin.rc +pin.c - functions to register a PIN request object with NSS +pk11.c - implementation of the encrypted in-memory caching +std.c - a "standard" PIN object that satisfies requests from a + file or the terminal and allows caching if desired. +std-systemd.c - a "standard" PIN object that satisfies requests from a + file or the terminal, or systemd-ask-pass, and allows caching + if desired. +systemd-ask-pass.c - a PIN object that can request pins from the systemd + ask password api. +user.c - prompts the user for the PIN + +Note: the pk11.c file (secure PIN store) is a pretty good example +of how to encrypt/decrypt with NSS. 
+ +There was a second component of svrcore that handled export policy +configuration. It allowed patching of a single executable (single +program build) to create the export and domestic versions of a +server. This code was discontinued after the export policy changes. + +The LDAP C SDK tools use svrcore. They also implemented their +own PIN object to allow command line PIN entry. The directory +server also implemented its own PIN object to allow a watchdog +process to cache the PIN and restart the server. + +See INSTALL for build instructions +See INSTALL.win for Windows build instructions diff --git a/src/svrcore/TODO b/src/svrcore/TODO new file mode 100644 index 0000000..7bbcd66 --- /dev/null +++ b/src/svrcore/TODO @@ -0,0 +1,3 @@ +* configure.ac: Change bug address +* FIll in NEWS AUTHORS ChangeLog +* Dal with Windows builds diff --git a/src/svrcore/autogen.sh b/src/svrcore/autogen.sh new file mode 100755 index 0000000..8bb628b --- /dev/null +++ b/src/svrcore/autogen.sh 
@@ -0,0 +1,92 @@ +#!/bin/sh + +# set required versions of tools here +# the version is dotted integers like X.Y.Z where +# X, Y, and Z are integers +# comparisons are done using shell -lt, -gt, etc. +# this works if the numbers are zero filled as well +# so 06 == 6 + +# autoconf version required +# need 2.69 or later +ac_need_maj=2 +ac_need_min=69 +# automake version required +# need 1.13.4 or later +am_need_maj=1 +am_need_min=13 +am_need_rev=4 +# libtool version required +# need 2.4.2 or later +lt_need_maj=2 +lt_need_min=4 +lt_need_rev=2 +# should never have to touch anything below this line unless there is a bug +########################################################################### + +# input +# arg1 - version string in the form "X.Y[.Z]" - the .Z is optional +# args remaining - the needed X, Y, and Z to match +# output +# return 0 - success - the version string is >= the required X.Y.Z +# return 1 - failure - the version string is < the required X.Y.Z +# NOTE: All input must be integers, otherwise you will see shell errors +checkvers() { + vers="$1"; shift + needmaj="$1"; shift + needmin="$1"; shift + needrev="$1"; shift + verslist=`echo $vers | tr '.' 
' '` + set $verslist + maj=$1; shift + min=$1; shift + rev=$1; shift + if [ "$maj" -gt "$needmaj" ] ; then return 0; fi + if [ "$maj" -lt "$needmaj" ] ; then return 1; fi + # if we got here, maj == needmaj + if [ -z "$needmin" ] ; then return 0; fi + if [ "$min" -gt "$needmin" ] ; then return 0; fi + if [ "$min" -lt "$needmin" ] ; then return 1; fi + # if we got here, min == needmin + if [ -z "$needrev" ] ; then return 0; fi + if [ "$rev" -gt "$needrev" ] ; then return 0; fi + if [ "$rev" -lt "$needrev" ] ; then return 1; fi + # if we got here, rev == needrev + return 0 +} + +# Check autoconf version +AC_VERSION=`autoconf --version | sed '/^autoconf/ {s/^.* \([1-9][0-9.]*\)$/\1/; q}'` +if checkvers "$AC_VERSION" $ac_need_maj $ac_need_min ; then + echo Found valid autoconf version $AC_VERSION +else + echo "You must have autoconf version $ac_need_maj.$ac_need_min or later installed (found version $AC_VERSION)." + exit 1 +fi + +# Check automake version +AM_VERSION=`automake --version | sed '/^automake/ {s/^.* \([1-9][0-9.]*\)$/\1/; q}'` +if checkvers "$AM_VERSION" $am_need_maj $am_need_min $am_need_rev ; then + echo Found valid automake version $AM_VERSION +else + echo "You must have automake version $am_need_maj.$am_need_min.$am_need_rev or later installed (found version $AM_VERSION)." + exit 1 +fi + +# Check libtool version +# NOTE: some libtool versions report a letter at the end e.g. 
on RHEL6 +# the version is 2.2.6b - for comparison purposes, just strip off the +# letter - note that the shell -lt and -gt comparisons will fail with +# test: 6b: integer expression expected if the number to compare +# contains a non-digit +LT_VERSION=`libtool --version | sed '/GNU libtool/ {s/^.* \([1-9][0-9a-zA-Z.]*\)$/\1/; s/[a-zA-Z]//g; q}'` +if checkvers "$LT_VERSION" $lt_need_maj $lt_need_min $lt_need_rev ; then + echo Found valid libtool version $LT_VERSION +else + echo "You must have libtool version $lt_need_maj.$lt_need_min.$lt_need_rev or later installed (found version $LT_VERSION)." + exit 1 +fi + +# Run autoreconf +echo "Running autoreconf -fvi" +autoreconf -fvi diff --git a/src/svrcore/configure.ac b/src/svrcore/configure.ac new file mode 100644 index 0000000..b855a42 --- /dev/null +++ b/src/svrcore/configure.ac 
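Review bot: `checkvers` calls `shift` after every positional read, but the autoconf check passes only three arguments and a version string such as `2.69` has only two components, so `needrev="$1"; shift` and `rev=$1; shift` run with nothing left to shift. Bash tolerates that, but a strict POSIX `/bin/sh` such as dash is expected to treat it as an error in a special built-in and abort the script (worth confirming on the target platforms). Reading by position avoids the problem: `vers="$1"; needmaj="$2"; needmin="${3:-}"; needrev="${4:-}"` and, after `set -- $verslist`, `maj="$1"; min="${2:-0}"; rev="${3:-0}"`. Defaulting `rev` to 0 also keeps `[ "$rev" -gt "$needrev" ]` from being evaluated with an empty operand when a two-part version is compared against a three-part requirement.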
@@ -0,0 +1,69 @@
+# -*- Autoconf -*-
+# Process this file with autoconf to produce a configure script.
+
+AC_PREREQ(2.59)
+AC_INIT(svrcore, 4.1.3, [wibrown@redhat.com, rmeggins@redhat.com], svrcore)
+AM_INIT_AUTOMAKE([gnu check-news dist-bzip2])
+AM_MAINTAINER_MODE
+AC_CONFIG_SRCDIR([src/svrcore.h])
+AC_CONFIG_HEADER([config.h])
+
+AC_PROG_CC
+AC_PROG_LIBTOOL
+
+# Checks for header files.
+AC_HEADER_STDC
+AC_CHECK_HEADER([string.h],,[AC_ERROR([We need string.h in order to build])])
+AC_CHECK_HEADER([termios.h],,[AC_ERROR([We need termios.h in order to build])])
+AC_CHECK_HEADER([unistd.h],,[AC_ERROR([We need unistd.h in order to build])])
+AC_PROG_CC_STDC
+
+# Checks for typedefs, structures, and compiler characteristics.
+AC_C_CONST
+
+# Checks for library functions.
+AC_FUNC_MALLOC
+AC_CHECK_FUNCS([memset strchr strdup])
+
+# Check for library dependencies
+m4_include(m4/nss.m4)
+m4_include(m4/nspr.m4)
+m4_include(m4/systemd.m4)
+
+AC_MSG_CHECKING(for --enable-debug)
+AC_ARG_ENABLE(debug, AS_HELP_STRING([--enable-debug], [Enable debug features (default: no)]),
+[
+ AC_MSG_RESULT(yes)
+ debug_defs="-g3 -DDEBUG"
+],
+[
+ AC_MSG_RESULT(no)
+ debug_defs=""
+])
+AC_SUBST([debug_defs])
+
+AC_MSG_CHECKING(for --enable-asan)
+AC_ARG_ENABLE(asan, AS_HELP_STRING([--enable-asan], [Enable gcc address sanitizer options (default: no)]),
+[
+ AC_MSG_RESULT(yes)
+ asan_defs="-fsanitize=address -fno-omit-frame-pointer"
+],
+[
+ AC_MSG_RESULT(no)
+ asan_defs=""
+])
+AC_SUBST([asan_defs])
+
+AC_SUBST([NSPR_CFLAGS])
+AC_SUBST([NSPR_LIBS])
+AC_SUBST([NSPR_MIN_VER])
+AC_SUBST([NSPR_NAME])
+AC_SUBST([NSS_CFLAGS])
+AC_SUBST([NSS_LIBS])
+AC_SUBST([NSS_MIN_VER])
+AC_SUBST([NSS_NAME])
+AC_SUBST([SYSTEMD_CFLAGS])
+AC_SUBST([PACKAGE_VERSION])
+
+AC_CONFIG_FILES([src/Makefile Makefile svrcore.pc])
+AC_OUTPUT
diff --git a/src/svrcore/examples/svrcore_driver.c b/src/svrcore/examples/svrcore_driver.c
new file mode 100644
index 0000000..2b6703e
--- /dev/null
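Review bot: Both `AC_ARG_ENABLE` calls set their flags in the action-if-given branch without looking at `$enableval`, so `--disable-debug` or `--enable-asan=no` still turns the feature on. For a library that handles PINs, a release build that unintentionally carries `-DDEBUG` or the address sanitizer is worth preventing. The given-branch should test the value, e.g. `AS_IF([test "x$enableval" = xyes], [debug_defs="-g3 -DDEBUG"], [debug_defs=""])`, with the `AC_MSG_RESULT` following the same test; the asan block needs the same change. Separately, `AC_PREREQ(2.59)` disagrees with the 2.69 minimum that autogen.sh enforces.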
+++ b/src/svrcore/examples/svrcore_driver.c 
@@ -0,0 +1,140 @@ +// +// BEGIN COPYRIGHT BLOCK +// Copyright (C) 2016 Red Hat, Inc. +// All rights reserved. +// +// License: GPL (version 3 or any later version). +// See LICENSE for details. +// END COPYRIGHT BLOCK +// +// Author: William Brown +// + +// Build with gcc -g3 -o svrcore_driver `pkg-config --libs --cflags nspr` `PKG_CONFIG_PATH=/opt/svrcore/lib/pkgconfig pkg-config --cflags --libs svrcore` -L`PKG_CONFIG_PATH=/opt/svrcore/lib/pkgconfig pkg-config --variable=libdir svrcore` svrcore_driver.c + +#include +#include +#include + +int +svrcore_systemd_setup() +{ + PRErrorCode errorCode; + SVRCORESystemdPinObj *StdPinObj; + + StdPinObj = (SVRCORESystemdPinObj *)SVRCORE_GetRegisteredPinObj(); + + if (StdPinObj) { + // This means it's already registered? + return 0; + } + if (SVRCORE_CreateSystemdPinObj(&StdPinObj, 60) != SVRCORE_Success) { + errorCode = PR_GetError(); + printf("Unable to create pin %d\n", errorCode); + return -1; + } + SVRCORE_RegisterPinObj((SVRCOREPinObj *)StdPinObj); + return 0; +} + +int +svrcore_systemd_get_token() +{ + //Actually get the password + // Get the pinobj + SVRCORESystemdPinObj *StdPinObj; + char *pw = NULL; + char *token = NULL; + SVRCOREError err = SVRCORE_Success; + + StdPinObj = (SVRCORESystemdPinObj *)SVRCORE_GetRegisteredPinObj(); + // Are we interactive? + // SVRCORE_SetStdPinInteractive((SVRCOREStdPinObj *) StdPinObj , PR_TRUE); + // what is token? 
+ token = "internal (software)"; + pw = SVRCORE_GetPin( (SVRCOREPinObj *)StdPinObj, token , PR_FALSE); + if ( err != SVRCORE_Success || pw == NULL) { + printf("Couldn't get pin %d \n", err); + } else { + printf("%s\n", pw); + free(pw); + } + // Should set a password into &pw + + // Cleanup + SVRCORE_DestroyRegisteredPinObj(); + + return 0; +} + +int +svrcore_stdsystemd_setup() +{ + PRErrorCode errorCode; + SVRCOREStdSystemdPinObj *StdSysPinObj; + char *filename = "/tmp/pin.txt"; + + StdSysPinObj = (SVRCOREStdSystemdPinObj *)SVRCORE_GetRegisteredPinObj(); + + if (StdSysPinObj) { + // This means it's already registered? + return 0; + } + if (SVRCORE_CreateStdSystemdPinObj(&StdSysPinObj, filename, PR_FALSE, PR_TRUE, 60) != SVRCORE_Success) { + errorCode = PR_GetError(); + printf("Unable to create std systemd pin %d\n", errorCode); + return -1; + } + SVRCORE_RegisterPinObj((SVRCOREPinObj *)StdSysPinObj); + return 0; +} + +int +svrcore_stdsystemd_get_token() +{ + //Actually get the password + // Get the pinobj + SVRCOREStdSystemdPinObj *StdSysPinObj; + char *pw = NULL; + char *token = NULL; + SVRCOREError err = SVRCORE_Success; + + StdSysPinObj = (SVRCOREStdSystemdPinObj *)SVRCORE_GetRegisteredPinObj(); + // Are we interactive? + // SVRCORE_SetStdPinInteractive((SVRCOREStdPinObj *) StdPinObj , PR_TRUE); + // what is token? + token = "internal (software)"; + pw = SVRCORE_GetPin( (SVRCOREPinObj *)StdSysPinObj, token , PR_FALSE); + if ( err != SVRCORE_Success || pw == NULL) { + printf("Couldn't get pin %d \n", err); + } else { + printf("%s\n", pw); + free(pw); + } + // Should set a password into &pw + + // Cleanup + SVRCORE_DestroyRegisteredPinObj(); + + return 0; +} + +int +main(int argc, char **argv) +{ + + int result = 0; + + result = svrcore_systemd_setup(); + if (result == 0) { + svrcore_systemd_get_token(); + } + + result = svrcore_stdsystemd_setup(); + if (result == 0) { + svrcore_stdsystemd_get_token(); + } + return 0; +} + + 
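Review bot: The example prints the retrieved PIN with `printf("%s\n", pw)` and then calls `free(pw)` without clearing the buffer, in both `svrcore_systemd_get_token` and `svrcore_stdsystemd_get_token`; example code tends to be copied, so it should not model writing a secret to stdout or leaving it in freed heap memory. I would report only success or failure and wipe before freeing, e.g. `memset(pw, 0, strlen(pw)); free(pw);` (or a wipe the compiler cannot elide, where available). `svrcore_stdsystemd_setup` also hard-codes `/tmp/pin.txt`, a predictable name in a world-writable directory; taking the path from `argv`, or at least a comment that the file must be owner-only, would be safer. Finally, `err` is initialised to `SVRCORE_Success` and never assigned, so the `err != SVRCORE_Success` test is dead and the failure message always prints that value, and the pointer returned by `SVRCORE_GetRegisteredPinObj()` is not checked for NULL before it is passed to `SVRCORE_GetPin`.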
diff --git a/src/svrcore/m4/nspr.m4 b/src/svrcore/m4/nspr.m4 new file mode 100644 index 0000000..efe33b3 --- /dev/null +++ b/src/svrcore/m4/nspr.m4 
@@ -0,0 +1,110 @@ +# -*- tab-width: 4; -*- +# Configure paths for NSPR +# Public domain - Rich Megginson 2007-03-08 +# Based on other Mozilla m4 work by Chris Seawood 2001-04-05 + +AC_CHECKING(for NSPR) + +# check for --with-nspr +AC_MSG_CHECKING(for --with-nspr) +AC_ARG_WITH(nspr, [ --with-nspr=PATH Netscape Portable Runtime (NSPR) directory], +[ + if test -e "$withval"/include/nspr.h -a -d "$withval"/lib + then + AC_MSG_RESULT([using $withval]) + NSPRDIR=$withval + nspr_inc="-I$NSPRDIR/include" + nspr_lib="-L$NSPRDIR/lib" + else + echo + AC_MSG_ERROR([$withval not found]) + fi +], +AC_MSG_RESULT(no)) + +# check for --with-nspr-inc +AC_MSG_CHECKING(for --with-nspr-inc) +AC_ARG_WITH(nspr-inc, [ --with-nspr-inc=PATH Netscape Portable Runtime (NSPR) include file directory], +[ + if test -e "$withval"/nspr.h + then + AC_MSG_RESULT([using $withval]) + nspr_inc="-I$withval" + else + echo + AC_MSG_ERROR([$withval not found]) + fi +], +AC_MSG_RESULT(no)) + +# check for --with-nspr-lib +AC_MSG_CHECKING(for --with-nspr-lib) +AC_ARG_WITH(nspr-lib, [ --with-nspr-lib=PATH Netscape Portable Runtime (NSPR) library directory], +[ + if test -d "$withval" + then + AC_MSG_RESULT([using $withval]) + nspr_lib="-L$withval" + else + echo + AC_MSG_ERROR([$withval not found]) + fi +], +AC_MSG_RESULT(no)) + +# see if we are doing an "in-tree" build with the other +# mozilla components +if test -z "$nspr_inc" -o -z "$nspr_lib" ; then + for nsprpath in "../../dist" "../../dist/*.OBJ" ; do + savedir=`pwd` + cd $nsprpath + abs_nsprpath=`pwd` + cd $savedir + if test -f "$abs_nsprpath/include/nspr/nspr.h" ; then + nspr_inc="-I$abs_nsprpath/include/nspr" + elif test -f "$abs_nsprpath/include/nspr.h" ; then + nspr_inc="-I$abs_nsprpath/include" + fi + if test -d "$abs_nsprpath/lib" ; then + nspr_lib="-L$abs_nsprpath/lib" + fi + if test -n "$nspr_inc" -a -n "$nspr_lib" ; then + break + fi + done +fi + +# if NSPR is not found yet, try pkg-config +# last resort +if test -z "$nspr_inc" -o -z 
"$nspr_lib" ; then + AC_MSG_CHECKING(for nspr with pkg-config) + AC_PATH_PROG(PKG_CONFIG, pkg-config) + if test -n "$PKG_CONFIG"; then + if $PKG_CONFIG --exists nspr; then + nspr_inc=`$PKG_CONFIG --cflags-only-I nspr` + nspr_lib=`$PKG_CONFIG --libs-only-L nspr` + nspr_ver=`$PKG_CONFIG --modversion nspr` + nspr_name=nspr + AC_MSG_RESULT([using system NSPR]) + elif $PKG_CONFIG --exists dirsec-nspr; then + nspr_inc=`$PKG_CONFIG --cflags-only-I dirsec-nspr` + nspr_lib=`$PKG_CONFIG --libs-only-L dirsec-nspr` + nspr_ver=`$PKG_CONFIG --modversion dirsec-nspr` + nspr_name=dirsec-nspr + AC_MSG_RESULT([using system dirsec NSPR]) + else + AC_MSG_ERROR([NSPR not found, specify with --with-nspr.]) + fi + fi +fi + +NSPR_CFLAGS="$nspr_inc" +NSPR_LIBS="$nspr_lib -lplds4 -lplc4 -lnspr4" +if test -z "$nspr_ver" ; then + nspr_ver=4.6.4 +fi +NSPR_MIN_VER="$nspr_ver" +if test -z "$nspr_name" ; then + nspr_name=nspr +fi +NSPR_NAME="$nspr_name" diff --git a/src/svrcore/m4/nss.m4 b/src/svrcore/m4/nss.m4 new file mode 100644 index 0000000..0a1c481 --- /dev/null +++ b/src/svrcore/m4/nss.m4 
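Review bot: The pkg-config fallback has no `else` for `if test -n "$PKG_CONFIG"`, so when pkg-config is not installed and no `--with-nspr*` option was given, configure continues with empty `nspr_inc`/`nspr_lib` and only fails later at compile or link time; nss.m4 in this commit has the same gap. An explicit `else AC_MSG_ERROR([pkg-config not found and NSPR not specified, use --with-nspr.])` branch would make the failure immediate. In the in-tree probe, `cd $nsprpath` is unquoted and unchecked, so when `../../dist` does not exist `abs_nsprpath` becomes the current directory and the wrong tree is probed; `abs_nsprpath=$(cd "$nsprpath" 2>/dev/null && pwd)` followed by a non-empty test would avoid that.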
@@ -0,0 +1,114 @@ +# -*- tab-width: 4; -*- +# Configure paths for NSPR +# Public domain - Rich Megginson 2007-03-08 +# Based on other Mozilla m4 work by Chris Seawood 2001-04-05 + +AC_CHECKING(for NSS) + +# check for --with-nss +AC_MSG_CHECKING(for --with-nss) +AC_ARG_WITH(nss, [ --with-nss=PATH Network Security Services (NSS) directory], +[ + if test -e "$withval"/include/nss.h -a -d "$withval"/lib + then + AC_MSG_RESULT([using $withval]) + NSSDIR=$withval + nss_inc="-I$NSSDIR/include" + nss_lib="-L$NSSDIR/lib" + else + echo + AC_MSG_ERROR([$withval not found]) + fi +], +AC_MSG_RESULT(no)) + +# check for --with-nss-inc +AC_MSG_CHECKING(for --with-nss-inc) +AC_ARG_WITH(nss-inc, [ --with-nss-inc=PATH Network Security Services (NSS) include directory], +[ + if test -e "$withval"/nss.h + then + AC_MSG_RESULT([using $withval]) + nss_inc="-I$withval" + else + echo + AC_MSG_ERROR([$withval not found]) + fi +], +AC_MSG_RESULT(no)) + +# check for --with-nss-lib +AC_MSG_CHECKING(for --with-nss-lib) +AC_ARG_WITH(nss-lib, [ --with-nss-lib=PATH Network Security Services (NSS) library directory], +[ + if test -d "$withval" + then + AC_MSG_RESULT([using $withval]) + nss_lib="-L$withval" + else + echo + AC_MSG_ERROR([$withval not found]) + fi +], +AC_MSG_RESULT(no)) + +# see if we are building "in tree" with the +# other mozilla components +if test -z "$nss_inc" -o -z "$nss_lib"; then + nsslibpath=`echo ../../dist/*.OBJ/lib | cut -f1 -d' '` + savedir=`pwd` + cd $nsslibpath + abs_nsslibpath=`pwd` + cd $savedir + nssincpath=../../dist/public/nss + savedir=`pwd` + cd $nssincpath + abs_nssincpath=`pwd` + cd $savedir + if test -f "$abs_nssincpath/nss.h" ; then + nss_inc="-I$abs_nssincpath" + fi + if test -d "$abs_nsslibpath" ; then + nss_lib="-L$abs_nsslibpath" + fi + if test -n "$nss_inc" -a -n "$nss_lib" ; then + AC_MSG_CHECKING(using in-tree NSS from $nssincpath $nsslibpath) + else + AC_MSG_CHECKING(could not find in-tree NSS in ../../dist) + fi +fi + +# if NSS is not found yet, 
try pkg-config +# last resort +if test -z "$nss_inc" -o -z "$nss_lib"; then + AC_MSG_CHECKING(for nss with pkg-config) + AC_PATH_PROG(PKG_CONFIG, pkg-config) + if test -n "$PKG_CONFIG"; then + if $PKG_CONFIG --exists nss; then + nss_inc=`$PKG_CONFIG --cflags-only-I nss` + nss_lib=`$PKG_CONFIG --libs-only-L nss` + nss_ver=`$PKG_CONFIG --modversion nss` + nss_name=nss + AC_MSG_RESULT([using system NSS]) + elif $PKG_CONFIG --exists dirsec-nss; then + nss_inc=`$PKG_CONFIG --cflags-only-I dirsec-nss` + nss_lib=`$PKG_CONFIG --libs-only-L dirsec-nss` + nss_ver=`$PKG_CONFIG --modversion dirsec-nss` + nss_name=dirsec-nss + AC_MSG_RESULT([using system dirsec NSS]) + else + AC_MSG_ERROR([NSS not found, specify with --with-nss.]) + fi + fi +fi + +NSS_CFLAGS="$nss_inc" +NSS_LIBS="$nss_lib -lssl3 -lnss3" +if test -z "$nss_ver" ; then + nss_ver=3.11.4 +fi +NSS_MIN_VER="$nss_ver" +if test -z "$nss_name" ; then + nss_name=nss +fi +NSS_NAME="$nss_name" diff --git a/src/svrcore/m4/systemd.m4 b/src/svrcore/m4/systemd.m4 new file mode 100644 index 0000000..6052acb --- /dev/null +++ b/src/svrcore/m4/systemd.m4 
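Review bot: In the in-tree probe, a failed `cd $nsslibpath` leaves `abs_nsslibpath` set to the current directory, and the following `test -d "$abs_nsslibpath"` is then always true, so `nss_lib` becomes `-L` of the build directory. That matters when only `--with-nss-inc` was given: the pkg-config fallback is then skipped and the link line searches the build directory ahead of the system paths for libssl3/libnss3. Capturing the path only on success, `abs_nsslibpath=$(cd "$nsslibpath" 2>/dev/null && pwd)`, and testing it for non-empty closes this. The two `AC_MSG_CHECKING(using in-tree NSS ...)` and `AC_MSG_CHECKING(could not find in-tree NSS ...)` calls report a result and should be `AC_MSG_RESULT`, and the header comment still says "Configure paths for NSPR".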
@@ -0,0 +1,41 @@
+# -*- tab-width: 4; -*-
+# Configure paths for systemd functionality
+# Public domain - William Brown 2016-03-22
+
+AC_CHECKING(for systemd)
+
+## This is a nice simple check: As we don't need to link to systemd, only be able
+## to consume some of it's socket api features, we just need to check for user
+## intent with --with-systemd
+
+AC_MSG_CHECKING(for --with-systemd)
+AC_ARG_WITH(systemd, AS_HELP_STRING([--with-systemd],[Enable Systemd native integration.]),
+[
+ if test "$withval" = yes
+ then
+ AC_MSG_RESULT([using systemd native features])
+ with_systemd=yes
+ else
+ AC_MSG_RESULT(no)
+ fi
+],
+AC_MSG_RESULT(no))
+
+if test "$with_systemd" = yes; then
+ AC_MSG_CHECKING(for systemd with pkg-config)
+ AC_PATH_PROG(PKG_CONFIG, pkg-config)
+ if test -n "$PKG_CONFIG"; then
+ if $PKG_CONFIG --exists systemd; then
+ AC_MSG_CHECKING([systemd found, enabling.])
+ SYSTEMD_CFLAGS="-DHAVE_SYSTEMD"
+ else
+ AC_MSG_CHECKING([systemd not found, disabling.])
+ SYSTEMD_CFLAGS=""
+ fi
+ else
+ AC_MSG_ERROR([pkg-config not found.])
+ fi
+else
+ SYSTEMD_CFLAGS=""
+fi
+
diff --git a/src/svrcore/src/Makefile.am b/src/svrcore/src/Makefile.am
new file mode 100644
index 0000000..fba3583
--- /dev/null
+++ b/src/svrcore/src/Makefile.am
@@ -0,0 +1,29 @@
+ASAN_DEFINES = @asan_defs@
+DEBUG_DEFINES = @debug_defs@
+
+AM_CPPFLAGS = $(ASAN_DEFINES) $(DEBUG_DEFINES)
+AM_LDFLAGS = $(ASAN_DEFINES) $(DEBUG_DEFINES)
+
+EXTRA_DIST = key.ico \
+ logo.ico \
+ manifest.mn \
+ Makefile.win \
+ ntgetpin.rc
+
+lib_LTLIBRARIES = libsvrcore.la
+include_HEADERS = svrcore.h
+libsvrcore_la_SOURCES = alt.c \
+ cache.c \
+ errors.c \
+ file.c \
+ ntgetpin.c \
+ ntresource.h \
+ pin.c \
+ pk11.c \
+ std.c \
+ systemd-ask-pass.c \
+ std-systemd.c \
+ user.c
+
+libsvrcore_la_LDFLAGS = -version-info 0:0:0 @NSS_LIBS@ @NSPR_LIBS@
+libsvrcore_la_CFLAGS = @NSS_CFLAGS@ @NSPR_CFLAGS@ @SYSTEMD_CFLAGS@
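Review bot: When `--with-systemd` is given but `$PKG_CONFIG --exists systemd` fails, the script sets `SYSTEMD_CFLAGS=""` and carries on, so a build that was explicitly asked to include the systemd PIN path silently ships without it. Since the option expresses user intent, that branch should be `AC_MSG_ERROR([--with-systemd was given but systemd was not found by pkg-config])`. The two messages inside that `if` are results, not checks, so they should use `AC_MSG_RESULT` rather than `AC_MSG_CHECKING`, which otherwise leaves an unterminated "checking ..." line in the configure output.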
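Review bot: `libsvrcore_la_LDFLAGS` in src/svrcore/src/Makefile.am is a per-target variable, and in Automake a per-target `_LDFLAGS` replaces `AM_LDFLAGS` rather than adding to it, so the `$(ASAN_DEFINES)` placed in `AM_LDFLAGS` never reaches the link of libsvrcore.la while `AM_CPPFLAGS` still applies it at compile time. `--enable-asan` would therefore compile with the sanitizer but link without it. I would write `libsvrcore_la_LDFLAGS = $(AM_LDFLAGS) -version-info 0:0:0` and move the libraries to `libsvrcore_la_LIBADD = @NSS_LIBS@ @NSPR_LIBS@`, which is where libtool expects `-l`/`-L` arguments. `libsvrcore_la_CFLAGS` likewise replaces `AM_CFLAGS`; that is harmless here because none is set, but a short comment saying so would help the next editor.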
diff --git a/src/svrcore/src/Makefile.win b/src/svrcore/src/Makefile.win new file mode 100644 index 0000000..cc7571a --- /dev/null +++ b/src/svrcore/src/Makefile.win 
@@ -0,0 +1,77 @@ +#! gmake + +# /* +# * Copyright (C) 1998 Netscape Communications Corporation. +# * All Rights Reserved. +# * +# * Copyright 2016 Red Hat, Inc. and/or its affiliates. +# * +# * This Source Code Form is subject to the terms of the Mozilla Public +# * License, v. 2.0. If a copy of the MPL was not distributed with this +# * file, You can obtain one at https://mozilla.org/MPL/2.0/. +# */ + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + +# Build only static library +IMPORT_LIBRARY= +SHARED_LIBRARY= + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). 
# +####################################################################### + +INCLUDES += -I. + +all release:: + @echo ---- Finished ---- + +coreconf_hack: + cd ../coreconf; $(MAKE) export + $(MAKE) import + +RelEng_bld: coreconf_hack + $(MAKE) + +ifeq ($(OS_ARCH), WINNT) +libs install:: ntsvrcore.res + $(NSINSTALL) -m 444 $< $(SOURCE_LIB_DIR) + +release_md:: + $(INSTALL) -m 444 ntsvrcore.res $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR) +endif + +ntsvrcore.res: ntgetpin.rc + rc -fo $@ -i. $< diff --git a/src/svrcore/src/alt.c b/src/svrcore/src/alt.c new file mode 100644 index 0000000..da0276b --- /dev/null +++ b/src/svrcore/src/alt.c 
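Review bot: In `coreconf_hack`, `cd ../coreconf; $(MAKE) export` joins the two commands with `;`, so if the directory is missing the `export` goal is run in the current directory instead of failing. `cd ../coreconf && $(MAKE) export` stops on the failed `cd`. `coreconf_hack` and `RelEng_bld` name no files and could be declared `.PHONY`.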
@@ -0,0 +1,107 @@ +/* + * Copyright (C) 1998 Netscape Communications Corporation. + * All Rights Reserved. + * + * Copyright 2016 Red Hat, Inc. and/or its affiliates. + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. + */ + +/* + * alt.c - SVRCORE module for reading a PIN from one of two alternate + * sources. + */ + +#if HAVE_CONFIG_H +#include +#endif + +#include +#include +#include + +/* ------------------------------------------------------------ */ +/* + * SVRCOREAltPinObj implementation + */ +struct SVRCOREAltPinObj +{ + SVRCOREPinObj base; + SVRCOREPinObj *primary; + SVRCOREPinObj *alt; +}; +static const SVRCOREPinMethods vtable; + +/* ------------------------------------------------------------ */ +SVRCOREError +SVRCORE_CreateAltPinObj( + SVRCOREAltPinObj **out, + SVRCOREPinObj *primary, SVRCOREPinObj *alt) +{ + SVRCOREError err = SVRCORE_Success; + SVRCOREAltPinObj *obj = 0; + + do { + obj = (SVRCOREAltPinObj *)malloc(sizeof (SVRCOREAltPinObj)); + if (!obj) { err = SVRCORE_NoMemory_Error; break; } + + obj->base.methods = &vtable; + + obj->primary = primary; + obj->alt = alt; + } while(0); + + if (err != SVRCORE_Success) + { + SVRCORE_DestroyAltPinObj(obj); + } + + *out = obj; + + return err; +} + +void +SVRCORE_DestroyAltPinObj( + SVRCOREAltPinObj *obj) +{ + if (!obj) return; + + free(obj); +} + +/* ------------------------------------------------------------ */ +/* + * vtable methods + */ +static void +destroyObject(SVRCOREPinObj *obj) +{ + SVRCORE_DestroyAltPinObj((SVRCOREAltPinObj*)obj); +} + +static char * +getPin(SVRCOREPinObj *pinObj, const char *tokenName, PRBool retry) +{ + SVRCOREAltPinObj *obj = (SVRCOREAltPinObj*)pinObj; + char *res = 0; + + do { + /* Try primary first */ + res = SVRCORE_GetPin(obj->primary, tokenName, retry); + if (res) break; + + /* If unsucessful, try alternate source 
*/ + res = SVRCORE_GetPin(obj->alt, tokenName, retry); + } while(0); + + return res; +} + +/* + * VTable + */ +static const SVRCOREPinMethods vtable = +{ 0, 0, destroyObject, getPin }; diff --git a/src/svrcore/src/cache.c b/src/svrcore/src/cache.c new file mode 100644 index 0000000..cd355c1 --- /dev/null +++ b/src/svrcore/src/cache.c 
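Review bot: `SVRCORE_CreateAltPinObj` stores the `primary` and `alt` pointers without saying who owns them, and `SVRCORE_DestroyAltPinObj` frees only the wrapper. A caller that assumes the wrapper owns its sources leaks them, and one that destroys a source first leaves `getPin` calling through a dangling pointer. I would state the contract above the constructor, for example `/* primary and alt are borrowed: the caller keeps them alive until the alt object is destroyed, then destroys them itself */`. Neither pointer is checked for NULL, and whether `SVRCORE_GetPin` tolerates a NULL object is not visible in this hunk.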
@@ -0,0 +1,227 @@ +/* + * Copyright (C) 1998 Netscape Communications Corporation. + * All Rights Reserved. + * + * Copyright 2016 Red Hat, Inc. and/or its affiliates. + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. + */ + +/* + * cache.c - SVRCORE module for caching PIN values + */ + +#if HAVE_CONFIG_H +#include +#endif + +#include + +#include + +/* ------------------------------------------------------------ */ +/* + * Node - for maintaining link list of tokens with cached PINs + */ +typedef struct Node Node; +static void freeNode(Node *node); +static void freeList(Node *list); + +struct Node +{ + Node *next; + char *tokenName; + SVRCOREPk11PinStore *store; +}; + +/* ------------------------------------------------------------ */ +/* + * SVRCORECachedPinObj implementation + */ +struct SVRCORECachedPinObj +{ + SVRCOREPinObj base; + SVRCOREPinObj *alt; + Node *pinList; +}; +static const struct SVRCOREPinMethods vtable; + +/* ------------------------------------------------------------ */ +SVRCOREError +SVRCORE_CreateCachedPinObj( + SVRCORECachedPinObj **out, SVRCOREPinObj *alt) +{ + SVRCOREError err = SVRCORE_Success; + SVRCORECachedPinObj *obj; + + do { + obj = (SVRCORECachedPinObj*)malloc(sizeof (SVRCORECachedPinObj)); + if (!obj) { err = SVRCORE_NoMemory_Error; break; } + + obj->base.methods = &vtable; + + obj->alt = alt; + obj->pinList = 0; + } while(0); + + *out = obj; + return err; +} + +void +SVRCORE_DestroyCachedPinObj(SVRCORECachedPinObj *obj) +{ + if (!obj) return; + + if (obj->pinList) freeList(obj->pinList); + + free(obj); +} + +/* ------------------------------------------------------------ */ +/* + * vtable functions + */ +static void +destroyObject(SVRCOREPinObj *obj) +{ + SVRCORE_DestroyCachedPinObj((SVRCORECachedPinObj*)obj); +} + +static char * +getPin(SVRCOREPinObj *ctx, const char 
*tokenName, PRBool retry) +{ + SVRCORECachedPinObj *obj = (SVRCORECachedPinObj*)ctx; + Node **link, *node; + char *pin = 0; + + /* + * Look up the value in the cache. Remove the entry if this is + * a retry, or getting the stored value fails. This loop terminates + * with 'pin' set to any valid cached value. + */ + for(link = &obj->pinList;(node = *link) != NULL;link = &node->next) + { + if (strcmp(node->tokenName, tokenName) != 0) continue; + + if (retry || + SVRCORE_Pk11StoreGetPin(&pin, node->store) != SVRCORE_Success) + { + *link = node->next; + + freeNode(node); + } + + break; + } + + /* + * Now loop, attempting to read a pin from the alternate source + * until cancelled, or a valid PIN is provided. + */ + while(!pin) + { + SVRCOREError err; + + /* Call second level */ + pin = SVRCORE_GetPin(obj->alt, tokenName, retry); + + if (!pin) break; /* Cancel */ + + /* Attempt to create a Pin Storage object. This checks the + * password. + */ + do { + Node *node; + + node = (Node*)malloc(sizeof (Node)); + if (!node) { err = SVRCORE_NoMemory_Error; break; } + + node->tokenName = 0; + node->store = 0; + + do { + node->tokenName = strdup(tokenName); + if (!node->tokenName) { err = SVRCORE_NoMemory_Error; break; } + + err = SVRCORE_CreatePk11PinStore(&node->store, tokenName, pin); + } while(0); + + if (err) { freeNode(node); break; } + + node->next = obj->pinList; + obj->pinList = node; + } while(0); + + /* If node creation worked, then pin is correct */ + if (err == SVRCORE_Success) break; + + /* Quit on any error other than IncorrectPassword */ + if (err != SVRCORE_IncorrectPassword_Error) break; + + /* Password was incorrect, treat this as a retry */ + retry = PR_TRUE; + } + + return pin; +} + +/* ------------------------------------------------------------ */ +/* + * SVRCORE_CachedPinGetPin + */ +SVRCOREError +SVRCORE_CachedPinGetPin( + char **out, SVRCORECachedPinObj *obj, + const char *tokenName) +{ + SVRCOREError err; + Node *node; + + *out = 0; + + do { + /* Find a 
matching PIN node */ + for(node = obj->pinList;node;node = node->next) + { + if (strcmp(node->tokenName, tokenName) == 0) break;; + } + if (!node) { err = SVRCORE_NoSuchToken_Error; break; } + + err = SVRCORE_Pk11StoreGetPin(out, node->store); + } while(0); + + return err; +} + +static const struct SVRCOREPinMethods vtable = +{ 0, 0, destroyObject, getPin }; + +/* ------------------------------------------------------------ */ +/* + * Node implementation + */ +static void freeNode(Node *node) +{ + if (!node) return; + + if (node->store) SVRCORE_DestroyPk11PinStore(node->store); + if (node->tokenName) free(node->tokenName); + + free(node); +} + +static void freeList(Node *list) +{ + Node *n; + + while((n = list) != NULL) + { + list = n->next; + + free(n->tokenName); + free(n); + } +} diff --git a/src/svrcore/src/errors.c b/src/svrcore/src/errors.c new file mode 100644 index 0000000..f001382 --- /dev/null +++ b/src/svrcore/src/errors.c @@ -0,0 +1,28 @@ +/* + * Copyright (C) 1998 Netscape Communications Corporation. + * All Rights Reserved. + * + * Copyright 2016 Red Hat, Inc. and/or its affiliates. + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. + */ + +/* + * errors.c - SVRCORE Error strings + */ + +#if HAVE_CONFIG_H +#include +#endif + +#include + +const char * const SVRCORE_Errors[] = { + "Operation completed successfully", + "Not enough memory to complete operation", + "Unspecified error", + "Token missing or unavailable", + "Incorrect password or PIN provided" +}; diff --git a/src/svrcore/src/file.c b/src/svrcore/src/file.c new file mode 100644 index 0000000..59ebf4d --- /dev/null +++ b/src/svrcore/src/file.c 
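Review bot: `freeList` at the end of cache.c frees each node's `tokenName` and the node itself but never its `store`, so `SVRCORE_DestroyCachedPinObj` leaks every `SVRCOREPk11PinStore`. That skips the scrubbing of the encrypted PIN buffer and the release of the slot and key that `SVRCORE_DestroyPk11PinStore` performs. `freeNode` already does the full teardown, so the loop body can be `list = n->next; freeNode(n);`. Separately, in `getPin` the `while(!pin)` loop cannot run a second time after an incorrect password, because `pin` is still non-NULL when `retry = PR_TRUE` is set. The rejected PIN is therefore returned rather than re-prompted; if that is intended, the comment above the loop should say so.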
@@ -0,0 +1,236 @@ +/* + * Copyright (C) 1998 Netscape Communications Corporation. + * All Rights Reserved. + * + * Copyright 2016 Red Hat, Inc. and/or its affiliates. + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. + */ + +/* + * file.c - SVRCORE module for reading PIN from a file + */ + +#if HAVE_CONFIG_H +#include +#endif + +#include +#include +#include + +/* ------------------------------------------------------------ */ +/* + * Node - for maintaining link list of tokens with bad PINs + */ +typedef struct Node Node; +static void freeList(Node *list); + +struct Node +{ + Node *next; + char *tokenName; +}; + +/* ------------------------------------------------------------ */ +/* + * SVRCOREFilePinObj implementation + */ +struct SVRCOREFilePinObj +{ + SVRCOREPinObj base; + char *filename; + PRBool disabled; + Node *badPinList; +}; +static const struct SVRCOREPinMethods vtable; + +/* ------------------------------------------------------------ */ +SVRCOREError +SVRCORE_CreateFilePinObj( + SVRCOREFilePinObj **out, + const char *filename) +{ + SVRCOREError err = SVRCORE_Success; + SVRCOREFilePinObj *obj = 0; + + do { + obj = (SVRCOREFilePinObj*)malloc(sizeof (SVRCOREFilePinObj)); + if (!obj) { err = SVRCORE_NoMemory_Error; break; } + + obj->base.methods = &vtable; + + obj->filename = 0; + obj->disabled = PR_FALSE; + obj->badPinList = 0; + + obj->filename = strdup(filename); + if (!obj->filename) { err = SVRCORE_NoMemory_Error; break; } + + } while(0); + + if (err) + { + SVRCORE_DestroyFilePinObj(obj); + obj = 0; + } + + *out = obj; + return err; +} + +void +SVRCORE_DestroyFilePinObj(SVRCOREFilePinObj *obj) +{ + if (!obj) return; + + if (obj->filename) free(obj->filename); + + if (obj->badPinList) freeList(obj->badPinList); + + free(obj); +} + +/* ------------------------------------------------------------ */ 
+/* + * vtable functions + */ +static void +destroyObject(SVRCOREPinObj *obj) +{ + SVRCORE_DestroyFilePinObj((SVRCOREFilePinObj*)obj); +} + +static char * +getPin(SVRCOREPinObj *ctx, const char *tokenName, PRBool retry) +{ + SVRCOREFilePinObj *obj = (SVRCOREFilePinObj*)ctx; + PK11SlotInfo *slot; + int is_internal_token = 0; + FILE *pinfile = 0; + char *res = 0; + + /* In really bad situations, where we cannot allocate memory + * for a bad PIN list, the entire PIN object is disabled. + */ + if (obj->disabled) return 0; + + /* + * If the application is retrying the PIN, the one in the file is + * probably wrong. It's important that we avoid returning this + * PIN to the caller each time, since that will result in disabling + * the token. + */ + { + Node *p; + + for(p = obj->badPinList;p;p = p->next) + if (strcmp(p->tokenName, tokenName) == 0) break; + + if (p) return 0; + } + + /* Mark it as bad (in the hash table) so that we remember + * to never return it again. + */ + if (retry) + { + Node *ent = 0; + + do { + ent = (Node *)malloc(sizeof (Node)); + if (!ent) break; + + ent->tokenName = strdup(tokenName); + + if (!ent->tokenName) + { + free(ent); + ent = 0; + } + } while(0); + + /* If adding fails, disable the whole object */ + if (!ent) { + obj->disabled = PR_TRUE; + } + + if (ent) { + /* Add to list */ + ent->next = obj->badPinList; + obj->badPinList = ent; + } + + return 0; + } + + slot = PK11_FindSlotByName((char *)tokenName); + if (slot) { + is_internal_token = PK11_IsInternal(slot); + PK11_FreeSlot(slot); + } + + do { + char line[128]; + + pinfile = fopen(obj->filename, "rt"); + if (!pinfile) break; + + /* Read lines from the file */ + while(fgets(line, sizeof line, pinfile)) + { + char *pin; + char *delim; + + /* Find the ":" */ + delim = strchr(line, ':'); + if (!delim) continue; + + /* Terminate name field and skip ";" */ + *delim++ = 0; + + if (strcmp(line, tokenName) == 0 || + (is_internal_token && + (strcmp(line, "Communicator Certificate DB") == 0 || + 
strcmp(line, "Internal (Software) Token") == 0))) + { + pin = delim; + delim = strchr(pin, '\n'); + if (delim) *delim = 0; + + res = strdup(pin); + break; + } + } + + /* Clear any sensitive data */ + memset(line, 0, sizeof line); + } while(0); + + if (pinfile) fclose(pinfile); + + return res; +} + +static const struct SVRCOREPinMethods vtable = +{ 0, 0, destroyObject, getPin }; + +/* ------------------------------------------------------------ */ +/* + * Node implementation + */ +static void freeList(Node *list) +{ + Node *n; + + while((n = list) != NULL) + { + list = n->next; + + free(n->tokenName); + free(n); + } +} + diff --git a/src/svrcore/src/key.ico b/src/svrcore/src/key.ico new file mode 100644 index 0000000..02b56a5 Binary files /dev/null and b/src/svrcore/src/key.ico differ diff --git a/src/svrcore/src/logo.ico b/src/svrcore/src/logo.ico new file mode 100644 index 0000000..dd10572 Binary files /dev/null and b/src/svrcore/src/logo.ico differ diff --git a/src/svrcore/src/manifest.mn b/src/svrcore/src/manifest.mn new file mode 100644 index 0000000..c54f902 --- /dev/null +++ b/src/svrcore/src/manifest.mn @@ -0,0 +1,29 @@ +# /* +# * Copyright (C) 1998 Netscape Communications Corporation. +# * All Rights Reserved. +# * +# * Copyright 2016 Red Hat, Inc. and/or its affiliates. +# * +# * This Source Code Form is subject to the terms of the Mozilla Public +# * License, v. 2.0. If a copy of the MPL was not distributed with this +# * file, You can obtain one at https://mozilla.org/MPL/2.0/. +# */ + + +CORE_DEPTH = ../.. + +MODULE = svrcore + +IMPORTS = nspr20/v4.6 nss/NSS_3_10_2_RTM + +RELEASE = svrcore + +LIBRARY_NAME = svrcore + +EXPORTS = svrcore.h + +REQUIRES = nspr20 nss + +CSRCS = user.c pin.c alt.c file.c errors.c pk11.c \ + cache.c std.c ntgetpin.c + diff --git a/src/svrcore/src/ntgetpin.c b/src/svrcore/src/ntgetpin.c new file mode 100644 index 0000000..f9220f9 --- /dev/null +++ b/src/svrcore/src/ntgetpin.c 
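Review bot: In `getPin`, the closing `memset(line, 0, sizeof line)` is the last access to a local that is about to go out of scope, so an optimising compiler may drop it and leave the PIN-file line on the stack. Use a scrub the compiler cannot elide, e.g. `explicit_bzero(line, sizeof line);` where the platform provides it, or a write through a `volatile` pointer otherwise. The 128-byte buffer also means a longer line is read in pieces, and a later piece that happens to contain `:` is parsed as a new `token:pin` entry. The remainder of an over-long line should be skipped rather than parsed.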
@@ -0,0 +1,146 @@ +/* + * Copyright (C) 1998 Netscape Communications Corporation. + * All Rights Reserved. + * + * Copyright 2016 Red Hat, Inc. and/or its affiliates. + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. + */ + +/*********************************************************** + * + * ntgetpin.c - Prompts for the key database passphrase. + * + ***********************************************************/ + +#if HAVE_CONFIG_H +#include +#endif + +#if defined( _WIN32 ) + +#include +#include +#include "ntresource.h" + +#undef Debug +#undef OFF +#undef LITTLE_ENDIAN + +#include +#include +#include + +static char password[512]; + +static void CenterDialog(HWND hwndParent, HWND hwndDialog) +{ + RECT DialogRect; + RECT ParentRect; + POINT Point; + int nWidth; + int nHeight; + + // Determine if the main window exists. This can be useful when + // the application creates the dialog box before it creates the + // main window. If it does exist, retrieve its size to center + // the dialog box with respect to the main window. 
+ if( hwndParent != NULL ) + { + GetClientRect(hwndParent, &ParentRect); + } + else + { + // if main window does not exist, center with respect to desktop + hwndParent = GetDesktopWindow(); + GetWindowRect(hwndParent, &ParentRect); + } + + // get the size of the dialog box + GetWindowRect(hwndDialog, &DialogRect); + + // calculate height and width for MoveWindow() + nWidth = DialogRect.right - DialogRect.left; + nHeight = DialogRect.bottom - DialogRect.top; + + // find center point and convert to screen coordinates + Point.x = (ParentRect.right - ParentRect.left) / 2; + Point.y = (ParentRect.bottom - ParentRect.top) / 2; + + ClientToScreen(hwndParent, &Point); + + // calculate new X, Y starting point + Point.x -= nWidth / 2; + Point.y -= nHeight / 2; + + MoveWindow(hwndDialog, Point.x, Point.y, nWidth, nHeight, FALSE); +} + +static BOOL CALLBACK PinDialogProc(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam) +{ + switch(message) + { + case WM_INITDIALOG: + SetDlgItemText( hDlg, IDC_TOKEN_NAME, (char *)lParam); + CenterDialog(NULL, hDlg); + SendDlgItemMessage(hDlg, IDEDIT, EM_SETLIMITTEXT, sizeof(password), 0); + EnableWindow(GetDlgItem(hDlg, IDOK), FALSE); + return(FALSE); + + case WM_COMMAND: + if(LOWORD(wParam) == IDEDIT) + { + if(HIWORD(wParam) == EN_CHANGE) + { + if(GetDlgItemText(hDlg, IDEDIT, password, + sizeof(password)) > 0) + { + EnableWindow(GetDlgItem(hDlg, IDOK), TRUE); + } + else + { + EnableWindow(GetDlgItem(hDlg, IDOK), FALSE); + } + } + return (FALSE); + } + else if(LOWORD(wParam) == IDOK) + { + GetDlgItemText(hDlg, IDEDIT, password, sizeof(password)); + EndDialog(hDlg, IDOK); + return (TRUE); + } + else if(LOWORD(wParam) == IDCANCEL) + { + memset(password, 0, sizeof(password)); + EndDialog(hDlg, IDCANCEL); + return(FALSE); + } + } + return (FALSE); +} +char* +NT_PromptForPin (const char *tokenName) +{ + int iResult = 0; + + iResult = DialogBoxParam( GetModuleHandle( NULL ), + MAKEINTRESOURCE(IDD_DATABASE_PASSWORD), + HWND_DESKTOP, (DLGPROC) 
PinDialogProc, (LPARAM)tokenName); + if( iResult == -1 ) + { + iResult = GetLastError(); +/* + ReportSlapdEvent( EVENTLOG_INFORMATION_TYPE, + MSG_SERVER_PASSWORD_DIALOG_FAILED, 0, NULL ); +*/ + return NULL; + } + /* Return no-response if the user click on cancel */ + if (password[0] == 0) return 0; + return strdup(password); +} + +#endif /* defined( _WIN32 ) */ diff --git a/src/svrcore/src/ntgetpin.rc b/src/svrcore/src/ntgetpin.rc new file mode 100644 index 0000000..31634c3 --- /dev/null +++ b/src/svrcore/src/ntgetpin.rc 
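Review bot: `NT_PromptForPin` returns `strdup(password)` and leaves the cleartext PIN in the file-scope `password[512]` buffer for the rest of the process lifetime; only the `IDCANCEL` branch of `PinDialogProc` clears it. Copy and then scrub before returning: `char *pin = strdup(password);`, `SecureZeroMemory(password, sizeof(password));`, `return pin;`. `EM_SETLIMITTEXT` is also given `sizeof(password)`, while `GetDlgItemText` copies at most `sizeof(password) - 1` characters. The limit should be `sizeof(password) - 1` so that a maximum-length entry is not silently truncated.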
@@ -0,0 +1,92 @@ +//Microsoft Developer Studio generated resource script. +// +#include "ntresource.h" + +#define APSTUDIO_READONLY_SYMBOLS +///////////////////////////////////////////////////////////////////////////// +// +// Generated from the TEXTINCLUDE 2 resource. +// +#include "afxres.h" + +///////////////////////////////////////////////////////////////////////////// +#undef APSTUDIO_READONLY_SYMBOLS + +///////////////////////////////////////////////////////////////////////////// +// English (U.S.) resources + +#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU) +#ifdef _WIN32 +LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US +#pragma code_page(1252) +#endif //_WIN32 + +///////////////////////////////////////////////////////////////////////////// +// +// Dialog +// + +IDD_DATABASE_PASSWORD DIALOG DISCARDABLE 0, 0, 269, 90 +STYLE DS_MODALFRAME | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU +CAPTION "Netscape Server" +FONT 8, "MS Sans Serif" +BEGIN + EDITTEXT IDEDIT,43,44,129,14,ES_PASSWORD | ES_AUTOHSCROLL + DEFPUSHBUTTON "OK",IDOK,206,11,50,14 + PUSHBUTTON "Cancel",IDCANCEL,206,31,50,14 + ICON IDI_KEY,IDC_STATIC,9,23,20,20 + LTEXT "A PIN is required to access",IDC_STATIC,44,15,119,12 + LTEXT "Token Name",IDC_TOKEN_NAME,43,26,132,12 +END + + +///////////////////////////////////////////////////////////////////////////// +// +// Icon +// + +// Icon with lowest ID value placed first to ensure application icon +// remains consistent on all systems. +IDI_KEY ICON DISCARDABLE "KEY.ICO" +IDI_LOGO ICON DISCARDABLE "LOGO.ICO" + +#ifdef APSTUDIO_INVOKED +///////////////////////////////////////////////////////////////////////////// +// +// TEXTINCLUDE +// + +1 TEXTINCLUDE DISCARDABLE +BEGIN + "ntresource.h\0" +END + +2 TEXTINCLUDE DISCARDABLE +BEGIN + "#include ""afxres.h""\r\n" + "\0" +END + +3 TEXTINCLUDE DISCARDABLE +BEGIN + "\r\n" + "\0" +END + +#endif // APSTUDIO_INVOKED + +#endif // English (U.S.) 
resources +///////////////////////////////////////////////////////////////////////////// + + + +#ifndef APSTUDIO_INVOKED +///////////////////////////////////////////////////////////////////////////// +// +// Generated from the TEXTINCLUDE 3 resource. +// + + +///////////////////////////////////////////////////////////////////////////// +#endif // not APSTUDIO_INVOKED + diff --git a/src/svrcore/src/ntresource.h b/src/svrcore/src/ntresource.h new file mode 100644 index 0000000..a59ae7f --- /dev/null +++ b/src/svrcore/src/ntresource.h @@ -0,0 +1,26 @@ +//{{NO_DEPENDENCIES}} +// Microsoft Developer Studio generated include file. +// Used by ntgetpin.rc +// +#define IDD_DATABASE_PASSWORD 101 +#define IDI_KEY 103 +#define IDI_LOGO 105 +#define IDR_MENU 205 +#define IDEDIT 1000 +#define IDC_TOKEN_NAME 1001 +#define ID_SERVER_RESTART 40001 +#define ID_FILE_EXIT 40003 +#define ID_SERVER_SHUTDOWN 40004 +#define ID_SERVER_SUSPEND 40005 +#define ID_SERVER_RESUME 40006 + +// Next default values for new objects +// +#ifdef APSTUDIO_INVOKED +#ifndef APSTUDIO_READONLY_SYMBOLS +#define _APS_NEXT_RESOURCE_VALUE 106 +#define _APS_NEXT_COMMAND_VALUE 40001 +#define _APS_NEXT_CONTROL_VALUE 1006 +#define _APS_NEXT_SYMED_VALUE 101 +#endif +#endif diff --git a/src/svrcore/src/pin.c b/src/svrcore/src/pin.c new file mode 100644 index 0000000..718768e --- /dev/null +++ b/src/svrcore/src/pin.c 
@@ -0,0 +1,79 @@ +/* + * Copyright (C) 1998 Netscape Communications Corporation. + * All Rights Reserved. + * + * Copyright 2016 Red Hat, Inc. and/or its affiliates. + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. + */ + +/* + * pin.c - SVRCORE module implementing PK11 pin callback support + */ + +#if HAVE_CONFIG_H +#include +#endif + +#include + +#include +#include +#include + +/* + * Global state + */ +static SVRCOREPinObj *pinObj = 0; + +/* + * SVRCORE_Pk11PasswordFunc + * + * DEPRECATED public interface. + */ +static char * +SVRCORE_Pk11PasswordFunc(PK11SlotInfo *slot, PRBool retry, void *ctx) +{ + char *passwd; + + /* If the user has not installed a cbk, then return failure (cancel) */ + if (pinObj == 0) return 0; + + /* Invoke the callback function, translating slot into token name */ + passwd = SVRCORE_GetPin(pinObj, PK11_GetTokenName(slot), retry); + + return passwd; +} + +/* + * SVRCORE_RegisterPinObj + */ +void +SVRCORE_RegisterPinObj(SVRCOREPinObj *obj) +{ + /* Set PK11 callback function to call back here */ + PK11_SetPasswordFunc(SVRCORE_Pk11PasswordFunc); + + /* Set object to use for getPin method */ + pinObj = obj; +} + +/* + * SVRCORE_GetRegisteredPinObj + */ +SVRCOREPinObj * +SVRCORE_GetRegisteredPinObj(void) +{ + return pinObj; +} + +void +SVRCORE_DestroyRegisteredPinObj(void) +{ + if (pinObj) { + pinObj->methods->destroyObj(pinObj); + } + pinObj = 0; +} diff --git a/src/svrcore/src/pk11.c b/src/svrcore/src/pk11.c new file mode 100644 index 0000000..70a64a7 --- /dev/null +++ b/src/svrcore/src/pk11.c 
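Review bot: `SVRCORE_RegisterPinObj` overwrites the file-scope `pinObj` without destroying or returning the previous object, while `SVRCORE_DestroyRegisteredPinObj` destroys whatever is currently registered, so ownership of a registered object is ambiguous. A comment on `SVRCORE_RegisterPinObj` should state the contract, for example `/* Takes ownership of obj; it is destroyed by SVRCORE_DestroyRegisteredPinObj. Not synchronised: register before NSS can invoke the password callback. */`, if that is the intended contract (the callers are not visible here). The comment on `SVRCORE_Pk11PasswordFunc` still says "DEPRECATED public interface" although the function is `static`; it should describe it as the internal PK11 password callback.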
@@ -0,0 +1,296 @@ +/* + * Copyright (C) 1998 Netscape Communications Corporation. + * All Rights Reserved. + * + * Copyright 2016 Red Hat, Inc. and/or its affiliates. + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. + */ + +/* + * pk11.c - SVRCORE module for securely storing PIN using PK11 + */ + +#if HAVE_CONFIG_H +#include +#endif + +#include + +#include +#include +#include + +/* ------------------------------------------------------------ */ +/* + * Mechanisms for doing the PIN encryption. Each of these lists + * an encryption mechanism, with setup, encode and decode routines that + * use that mechanism. The PK11PinStore looks for a mechanism + * that the token supports, and then uses it. If none is found, + * it will fail. + */ +typedef struct mech_item mech_item; +struct mech_item +{ + CK_MECHANISM_TYPE type; + const char *mechName; +}; + +/* ------------------------------------------------------------ */ +/* + * The table listing all mechanism to try + */ +#define MECH_TABLE_SIZE 4 +static const mech_item table[MECH_TABLE_SIZE] = { + { CKM_SKIPJACK_CBC64, "Skipjack CBC-64 encryption" }, + { CKM_DES3_CBC, "Triple-DES CBC encryption" }, + { CKM_CAST128_CBC, "CAST-128 CBC encryption" }, + { CKM_DES_CBC, "DES CBC encryption" } +}; +static mech_item dflt_mech = { CKM_DES3_CBC, "Triple-DES CBC (default)" }; + + +/* ------------------------------------------------------------ */ +/* + * Implementation + */ +struct SVRCOREPk11PinStore +{ + PK11SlotInfo *slot; + + const mech_item *mech; + + PK11SymKey *key; + SECItem *params; + + int length; + unsigned char *crypt; +}; + + +/* ------------------------------------------------------------ */ +/* + * SVRCORE_CreatePk11PinStore + */ +SVRCOREError +SVRCORE_CreatePk11PinStore( + SVRCOREPk11PinStore **out, + const char *tokenName, const char *pin) +{ + SVRCOREError 
err; + SVRCOREPk11PinStore *store; + + do { + err = SVRCORE_Success; + + store = (SVRCOREPk11PinStore*)malloc(sizeof *store); + if (store == 0) { err = SVRCORE_NoMemory_Error; break; } + + /* Low-level init */ + store->slot = 0; + store->key = 0; + store->params = 0; + store->crypt = 0; + + /* Use the tokenName to find a PKCS11 slot */ + store->slot = PK11_FindSlotByName((char *)tokenName); + if (store->slot == 0) { err = SVRCORE_NoSuchToken_Error; break; } + + /* Check the password/PIN. This allows access to the token */ + { + SECStatus rv = PK11_CheckUserPassword(store->slot, (char *)pin); + + if (rv == SECSuccess) + ; + else if (rv == SECWouldBlock) + { + err = SVRCORE_IncorrectPassword_Error; + break; + } + else + { + err = SVRCORE_System_Error; + break; + } + } + + /* Find the mechanism that this token can do */ + { + const mech_item *tp; + + store->mech = 0; + for(tp = table;tp < &table[MECH_TABLE_SIZE];tp++) + { + if (PK11_DoesMechanism(store->slot, tp->type)) + { + store->mech = tp; + break; + } + } + /* Default to a mechanism (probably on the internal token */ + if (store->mech == 0) + store->mech = &dflt_mech; + } + + /* Generate a key and parameters to do the encryption */ + store->key = PK11_TokenKeyGenWithFlags(store->slot, store->mech->type, + 0, 0, 0, CKF_ENCRYPT|CKF_DECRYPT, + 0, 0); + if (store->key == 0) + { + /* PR_SetError(xxx); */ + err = SVRCORE_System_Error; + break; + } + + store->params = PK11_GenerateNewParam(store->mech->type, store->key); + if (store->params == 0) + { + err = SVRCORE_System_Error; + break; + } + + /* Compute the size of the encrypted data including necessary padding */ + { + int blocksize = PK11_GetBlockSize(store->mech->type, 0); + + store->length = strlen(pin)+1; + + /* Compute padded size - 0 means stream cipher */ + if (blocksize != 0) + { + store->length += blocksize - (store->length % blocksize); + } + + store->crypt = (unsigned char *)malloc(store->length); + if (!store->crypt) { err = SVRCORE_NoMemory_Error; 
break; } + } + + /* Encrypt */ + { + unsigned char *plain; + PK11Context *ctx; + SECStatus rv; + int outLen; + + plain = (unsigned char *)malloc(store->length); + if (!plain) { err = SVRCORE_NoMemory_Error; break; } + + /* Pad with 0 bytes */ + memset(plain, 0, store->length); + strcpy((char *)plain, pin); + + ctx = PK11_CreateContextBySymKey(store->mech->type, CKA_ENCRYPT, + store->key, store->params); + if (!ctx) { + err = SVRCORE_System_Error; + free(plain); + break; + } + + do { + rv = PK11_CipherOp(ctx, store->crypt, &outLen, store->length, + plain, store->length); + if (rv) break; + + rv = PK11_Finalize(ctx); + } while(0); + + PK11_DestroyContext(ctx, PR_TRUE); + memset(plain, 0, store->length); + free(plain); + + if (rv) err = SVRCORE_System_Error; + } + } while(0); + + if (err) + { + SVRCORE_DestroyPk11PinStore(store); + store = 0; + } + + *out = store; + return err; +} + +/* + * SVRCORE_DestroyPk11PinStore + */ +void +SVRCORE_DestroyPk11PinStore(SVRCOREPk11PinStore *store) +{ + if (store == 0) return; + + if (store->slot) + { + PK11_FreeSlot(store->slot); + } + + if (store->params) + { + SECITEM_ZfreeItem(store->params, PR_TRUE); + } + + if (store->key) + { + PK11_FreeSymKey(store->key); + } + + if (store->crypt) + { + memset(store->crypt, 0, store->length); + free(store->crypt); + } + + free(store); +} + +SVRCOREError +SVRCORE_Pk11StoreGetPin(char **out, SVRCOREPk11PinStore *store) +{ + SVRCOREError err = SVRCORE_Success; + unsigned char *plain; + SECStatus rv = 0; + PK11Context *ctx = 0; + int outLen; + + do { + plain = (unsigned char *)malloc(store->length); + if (!plain) { err = SVRCORE_NoMemory_Error; break; } + + ctx = PK11_CreateContextBySymKey(store->mech->type, CKA_DECRYPT, + store->key, store->params); + if (!ctx) { err = SVRCORE_System_Error; break; } + + rv = PK11_CipherOp(ctx, plain, &outLen, store->length, + store->crypt, store->length); + if (rv) break; + + rv = PK11_Finalize(ctx); + if (rv) break; + } while(0); + + if (ctx) 
PK11_DestroyContext(ctx, PR_TRUE); + + if (rv) + { + err = SVRCORE_System_Error; + if (plain) { + memset(plain, 0, store->length); + free(plain); + plain = 0; + } + } + + *out = (char *)plain; + return err; +} + +const char * +SVRCORE_Pk11StoreGetMechName(const SVRCOREPk11PinStore *store) +{ + return store->mech->mechName; +} diff --git a/src/svrcore/src/std-systemd.c b/src/svrcore/src/std-systemd.c new file mode 100644 index 0000000..c1f8ba8 --- /dev/null +++ b/src/svrcore/src/std-systemd.c 
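Review bot: `SVRCORE_Pk11StoreGetPin` hands back an uninitialised heap buffer when `PK11_CreateContextBySymKey` fails. That branch sets `err` but leaves `rv` at 0, so the `if (rv)` cleanup is skipped and `*out = (char *)plain` is still assigned. The `getPin` in cache.c only tests `pin` for NULL after a failed lookup, so it would return that buffer to the caller as the PIN. Key the cleanup on `err` instead: `if (rv) err = SVRCORE_System_Error;` followed by `if (err && plain) { memset(plain, 0, store->length); free(plain); plain = 0; }`.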
@@ -0,0 +1,234 @@ +/* + * Copyright (C) 1998 Netscape Communications Corporation. + * All Rights Reserved. + * + * Copyright 2016 Red Hat, Inc. and/or its affiliates. + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. + */ + +/* + * std-systemd.c - Extension of the STD module to integrate file, tty and systemd + */ + + +#if HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include + +/* ------------------------------------------------------------ */ +/* + * SVRCOREStdSystemdPinObj implementation + */ +struct SVRCOREStdSystemdPinObj +{ + SVRCOREPinObj base; + SVRCORECachedPinObj *cache; + SVRCOREAltPinObj *alt; + SVRCOREFilePinObj *file; + SVRCOREUserPinObj *user; + SVRCOREAltPinObj *systemdalt; + SVRCORESystemdPinObj *systemd; + + SVRCOREPinObj *top; +}; +static const SVRCOREPinMethods vtable; + +/* ------------------------------------------------------------ */ +SVRCOREError +SVRCORE_CreateStdSystemdPinObj( + SVRCOREStdSystemdPinObj **out, + const char *filename, PRBool cachePINs, + PRBool systemdPINs, uint64_t timeout) +{ +#ifdef HAVE_SYSTEMD + SVRCOREError err = SVRCORE_Success; + SVRCOREStdSystemdPinObj *obj = 0; + + do { + SVRCOREPinObj *top; + + obj = (SVRCOREStdSystemdPinObj *)malloc(sizeof (SVRCOREStdSystemdPinObj)); + if (!obj) { err = SVRCORE_NoMemory_Error; break; } + + obj->base.methods = &vtable; + + obj->cache = 0; + obj->alt = 0; + obj->file = 0; + obj->user = 0; + obj->systemdalt = 0; + obj->systemd = 0; + + err = SVRCORE_CreateUserPinObj(&obj->user); + if (err) { + break; + } + // Automatically detect if we are on an interactive session or not + +#ifdef DEBUG + printf("std-systemd:create() -> interactive %d \n", isatty(fileno(stdin))); +#endif + + // During testing, we want to disable this sometimes ... 
+ // SVRCORE_SetUserPinInteractive(obj->user, PR_FALSE); + SVRCORE_SetUserPinInteractive(obj->user, isatty(fileno(stdin))); + + top = (SVRCOREPinObj*)obj->user; + + /* If filename is provided, splice it into the chain */ + if (filename) + { + err = SVRCORE_CreateFilePinObj(&obj->file, filename); + if (err) { + break; + } + + err = SVRCORE_CreateAltPinObj(&obj->alt, + (SVRCOREPinObj*)obj->file, top); + if (err) { + break; + } + + top = (SVRCOREPinObj*)obj->alt; + } + + if (systemdPINs) { +#ifdef DEBUG + printf("std-systemd:create() -> Creating systemd pin object \n"); +#endif + err = SVRCORE_CreateSystemdPinObj(&obj->systemd, timeout); + if (err) { + break; + } + // Now make a second "alt" object. If pin and user fail, we call systemd +#ifdef DEBUG + printf("std-systemd:create() -> Creating systemd alt pin object \n"); +#endif + err = SVRCORE_CreateAltPinObj(&obj->systemdalt, + top, (SVRCOREPinObj*)obj->systemd); + if (err) { + break; + } + top = (SVRCOREPinObj *)obj->systemdalt; +#ifdef DEBUG + printf("std-systemd:create() -> Success adding systemd alt pin object \n"); +#endif + } + + /* Create cache object if requested */ + if (cachePINs) + { + err = SVRCORE_CreateCachedPinObj(&obj->cache, top); + if (err) { + break; + } + + top = (SVRCOREPinObj*)obj->cache; + } + + obj->top = top; + } while(0); + + *out = obj; + + if (err != SVRCORE_Success) + { + SVRCORE_DestroyStdSystemdPinObj(obj); + *out = NULL; + } + + return err; +#else // systemd + return SVRCORE_MissingFeature; +#endif // Systemd +} + +void +SVRCORE_DestroyStdSystemdPinObj( + SVRCOREStdSystemdPinObj *obj) +{ +#ifdef HAVE_SYSTEMD + if (!obj) return; + + if (obj->user) SVRCORE_DestroyUserPinObj(obj->user); + if (obj->file) SVRCORE_DestroyFilePinObj(obj->file); + if (obj->alt) SVRCORE_DestroyAltPinObj(obj->alt); + if (obj->cache) SVRCORE_DestroyCachedPinObj(obj->cache); + if (obj->systemd) SVRCORE_DestroySystemdPinObj(obj->systemd); + if (obj->systemdalt) SVRCORE_DestroyAltPinObj(obj->systemdalt); + + 
free(obj); +#endif // Systemd +} + +/* ------------------------------------------------------------ */ + +void +SVRCORE_SetStdSystemdPinInteractive(SVRCOREStdSystemdPinObj *obj, PRBool i) +{ +#ifdef HAVE_SYSTEMD + SVRCORE_SetUserPinInteractive(obj->user, i); +#endif // Systemd +} + +/* ------------------------------------------------------------ */ +/* + * SVRCORE_StdSystemdPinGetPin + */ +SVRCOREError +SVRCORE_StdSystemdPinGetPin(char **pin, SVRCOREStdSystemdPinObj *obj, + const char *tokenName) +{ +#ifdef HAVE_SYSTEMD +#ifdef DEBUG + printf("std-systemd:stdsystem-getpin() -> starting \n"); +#endif + /* Make sure caching is turned on */ + if (!obj->cache) + { + *pin = 0; + return SVRCORE_NoSuchToken_Error; + } + + return SVRCORE_CachedPinGetPin(pin, obj->cache, tokenName); +#else // systemd + return SVRCORE_MissingFeature; +#endif // Systemd +} + +/* ------------------------------------------------------------ */ +/* + * vtable methods + */ +static void +destroyObject(SVRCOREPinObj *obj) +{ + SVRCORE_DestroyStdSystemdPinObj((SVRCOREStdSystemdPinObj*)obj); +} + +static char * +getPin(SVRCOREPinObj *pinObj, const char *tokenName, PRBool retry) +{ +#ifdef DEBUG + printf("std-systemd:getpin() -> starting \n"); +#endif + SVRCOREStdSystemdPinObj *obj = (SVRCOREStdSystemdPinObj*)pinObj; + + /* Just forward call to the top level handler */ + return SVRCORE_GetPin(obj->top, tokenName, retry); +} + +/* + * VTable + */ +static const SVRCOREPinMethods vtable = +{ 0, 0, destroyObject, getPin }; + diff --git a/src/svrcore/src/std.c b/src/svrcore/src/std.c new file mode 100644 index 0000000..d1acfd8 --- /dev/null +++ b/src/svrcore/src/std.c 
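Review bot: When `HAVE_SYSTEMD` is not defined, `SVRCORE_CreateStdSystemdPinObj` returns `SVRCORE_MissingFeature` without writing `*out`, and `SVRCORE_StdSystemdPinGetPin` does the same with `*pin`. A caller that does not check the return code then uses an uninitialised pointer. Add `*out = NULL;` and `*pin = 0;` before the respective `return SVRCORE_MissingFeature;` lines, matching what the systemd branch does on failure. In `getPin`, the `#ifdef DEBUG` `printf` precedes the declaration of `obj`; putting the declaration first keeps the function valid for compilers that reject mixed declarations and code.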
@@ -0,0 +1,167 @@
+/*
+ * Copyright (C) 1998 Netscape Communications Corporation.
+ * All Rights Reserved.
+ *
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+/*
+ * std.c - StandardSVRCORE module for reading a PIN
+ */
+
+#if HAVE_CONFIG_H
+#include
+#endif
+
+#include
+#include
+#include
+
+/* ------------------------------------------------------------ */
+/*
+ * SVRCOREStdPinObj implementation
+ */
+struct SVRCOREStdPinObj
+{
+ SVRCOREPinObj base;
+ SVRCORECachedPinObj *cache;
+ SVRCOREAltPinObj *alt;
+ SVRCOREFilePinObj *file;
+ SVRCOREUserPinObj *user;
+
+ SVRCOREPinObj *top;
+};
+static const SVRCOREPinMethods vtable;
+
+/* ------------------------------------------------------------ */
+SVRCOREError
+SVRCORE_CreateStdPinObj(
+ SVRCOREStdPinObj **out,
+ const char *filename, PRBool cachePINs)
+{
+ SVRCOREError err = SVRCORE_Success;
+ SVRCOREStdPinObj *obj = 0;
+
+ do {
+ SVRCOREPinObj *top;
+
+ obj = (SVRCOREStdPinObj *)malloc(sizeof (SVRCOREStdPinObj));
+ if (!obj) { err = SVRCORE_NoMemory_Error; break; }
+
+ obj->base.methods = &vtable;
+
+ obj->cache = 0;
+ obj->alt = 0;
+ obj->file = 0;
+ obj->user = 0;
+
+ err = SVRCORE_CreateUserPinObj(&obj->user);
+ if (err) break;
+
+ top = (SVRCOREPinObj*)obj->user;
+
+ /* If filename is provided, splice it into the chain */
+ if (filename)
+ {
+ err = SVRCORE_CreateFilePinObj(&obj->file, filename);
+ if (err) break;
+
+ err = SVRCORE_CreateAltPinObj(&obj->alt,
+ (SVRCOREPinObj*)obj->file, top);
+ if (err) break;
+
+ top = (SVRCOREPinObj*)obj->alt;
+ }
+
+ /* Create cache object if requested */
+ if (cachePINs)
+ {
+ err = SVRCORE_CreateCachedPinObj(&obj->cache, top);
+ if (err) break;
+
+ top = (SVRCOREPinObj*)obj->cache;
+ }
+
+ obj->top = top;
+ } while(0);
+
+ *out = obj;
+
+ if (err != 
SVRCORE_Success)
+ {
+ SVRCORE_DestroyStdPinObj(obj);
+ *out = NULL;
+ }
+
+
+ return err;
+}
+
+void
+SVRCORE_DestroyStdPinObj(
+ SVRCOREStdPinObj *obj)
+{
+ if (!obj) return;
+
+ if (obj->user) SVRCORE_DestroyUserPinObj(obj->user);
+ if (obj->file) SVRCORE_DestroyFilePinObj(obj->file);
+ if (obj->alt) SVRCORE_DestroyAltPinObj(obj->alt);
+ if (obj->cache) SVRCORE_DestroyCachedPinObj(obj->cache);
+
+ free(obj);
+}
+
+/* ------------------------------------------------------------ */
+
+void
+SVRCORE_SetStdPinInteractive(SVRCOREStdPinObj *obj, PRBool i)
+{
+ SVRCORE_SetUserPinInteractive(obj->user, i);
+}
+
+/* ------------------------------------------------------------ */
+/*
+ * SVRCORE_StdPinGetPin
+ */
+SVRCOREError
+SVRCORE_StdPinGetPin(char **pin, SVRCOREStdPinObj *obj,
+ const char *tokenName)
+{
+ /* Make sure caching is turned on */
+ if (!obj->cache)
+ {
+ *pin = 0;
+ return SVRCORE_NoSuchToken_Error;
+ }
+
+ return SVRCORE_CachedPinGetPin(pin, obj->cache, tokenName);
+}
+
+/* ------------------------------------------------------------ */
+/*
+ * vtable methods
+ */
+static void
+destroyObject(SVRCOREPinObj *obj)
+{
+ SVRCORE_DestroyStdPinObj((SVRCOREStdPinObj*)obj);
+}
+
+static char *
+getPin(SVRCOREPinObj *pinObj, const char *tokenName, PRBool retry)
+{
+ SVRCOREStdPinObj *obj = (SVRCOREStdPinObj*)pinObj;
+
+ /* Just forward call to the top level handler */
+ return SVRCORE_GetPin(obj->top, tokenName, retry);
+}
+
+/*
+ * VTable
+ */
+static const SVRCOREPinMethods vtable =
+{ 0, 0, destroyObject, getPin };
diff --git a/src/svrcore/src/svrcore.h b/src/svrcore/src/svrcore.h
new file mode 100644
index 0000000..ec91174
--- /dev/null
+++ b/src/svrcore/src/svrcore.h
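Review bot: SVRCORE_DestroyStdPinObj in std.c tears the chain down in the opposite order to the one svrcore.h documents: it destroys `obj->user` and `obj->file` before `obj->alt` and `obj->cache`, while the AltPinObj comment in the header says the wrapped objects must be deleted after the AltPinObj. Whether the alt or cached destructors touch their children is not visible in this hunk, so this may be harmless today, but the safe order is the reverse of construction: cache, then alt, then file, then user. The same order appears in SVRCORE_DestroyStdSystemdPinObj in std-systemd.c. A one-line comment above the destructor stating that order and the reason would keep it from regressing.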
@@ -0,0 +1,308 @@ +/* + * Copyright (C) 1998 Netscape Communications Corporation. + * All Rights Reserved. + * + * Copyright 2016 Red Hat, Inc. and/or its affiliates. + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. + */ + +#ifndef __SVRCORE_H_ +#define __SVRCORE_H_ + +#include +#include +#include + +PR_BEGIN_EXTERN_C +/* ------------------------------------------------------------ */ +/* + * SVRCOREError - error values generated by components in the + * SVRCORE module. + */ +enum SVRCOREError +{ + SVRCORE_Success = 0, + SVRCORE_NoMemory_Error = 1, + SVRCORE_System_Error = 2, + SVRCORE_NoSuchToken_Error = 3, + SVRCORE_IncorrectPassword_Error = 4, + SVRCORE_IOOperationError = 5, + SVRCORE_SocketError = 6, + SVRCORE_PermissionError = 7, + SVRCORE_ClockError = 8, + SVRCORE_TimeoutError = 9, + SVRCORE_MissingFeature = 10, + SVRCORE_MaximumErrorValue = 10 +}; +typedef enum SVRCOREError SVRCOREError; + + +/* ------------------------------------------------------------ */ +/* + * PIN Object - provides an interface to get the PIN for + * a PKCS11 token. + * + * Methods: + * destroyObj - delete the object + * getPin - retrieve the PIN for the token with name "tokenName". The + * retry flag is set if this request is a retry due to an incorrect + * PIN. Implementations should not return a "cached" copy in this case, + * since it will result in multiple fails, and will disable some tokens. + * The memory allocated for the returned string must be on the system + * heap. 
It will be released using "free" + */ +typedef struct SVRCOREPinObj SVRCOREPinObj; +typedef struct SVRCOREPinMethods SVRCOREPinMethods; +struct SVRCOREPinMethods +{ + void *(*reserved0)(SVRCOREPinObj *, void *); + void (*reserved1)(SVRCOREPinObj *); + void (*destroyObj)(SVRCOREPinObj* obj); + char *(*getPin)(SVRCOREPinObj *obj, const char *tokenName, PRBool retryFlag); +}; + +struct SVRCOREPinObj +{ + const SVRCOREPinMethods *methods; +}; + +/* + * Methods on SVRCOREPinObj + */ +/* char *SVRCORE_GetPin(SVRCOREPinObj *, char *tokenName, PRBool retry) */ +#define SVRCORE_GetPin(obj, name, retry) \ + (obj)->methods->getPin(obj, name, retry) + +/* void SVRCORE_DestroyPinObj(SVRCOREPinObj *) */ +#define SVRCORE_DestroyPinObj(obj) \ + (obj)->methods->destroyObj(obj) + + +/* ------------------------------------------------------------ */ +/* + * SVRCORE_RegisterPinObj - registers the PIN handling object with the + * PK11 module. + * + * The PIN object's getPin method will be called when the NSS layer + * requires a password/PIN for a token. The caller may provide NULL + * as the pin object, in which case, no password callbacks will be invoked. + * This may be used to unregister the object prior to deleting it. + */ +void +SVRCORE_RegisterPinObj(SVRCOREPinObj *obj); + +/* + * SVRCORE_GetRegisteredPinObj - get the currently registered Pin object + * (if any) + * + * Return a pointer to the currently register Pin object. If none has been + * registered, NULL is returned. + */ +SVRCOREPinObj * +SVRCORE_GetRegisteredPinObj(void); + +/* + * SVRCORE_DestroyRegisteredPinObj - Destroys (frees) the currently registered + * pin object, and zeros the pointer. This way a new object can be created + */ +void +SVRCORE_DestroyRegisteredPinObj(void); + +/* ------------------------------------------------------------ */ +/* + * SVRCOREStdPinObj - implementation of SVRCOREPinObj that + * provides the standard handling for servers. 
This includes + * optional file lookup, and optional caching + * + * SVRCORE_SetStdPinInteractive - allows the application to declare + * that input via the terminal is no longer possible (set interactive + * to PR_FALSE). See the corresponding routine for UserPinObj + * + * SVRCORE_StdPinGetPin - get a (securely) cached PIN value. Returns + * SVRCORE_NoSuchToken_Error if the object is not set up for caching. + */ +typedef struct SVRCOREStdPinObj SVRCOREStdPinObj; + +SVRCOREError +SVRCORE_CreateStdPinObj(SVRCOREStdPinObj **out, + const char *filename, PRBool cachePINs); + +void +SVRCORE_SetStdPinInteractive(SVRCOREStdPinObj *obj, PRBool interactive); + +SVRCOREError +SVRCORE_StdPinGetPin(char **pin, SVRCOREStdPinObj *obj, + const char *tokenName); + +void +SVRCORE_DestroyStdPinObj(SVRCOREStdPinObj *obj); + +/* ------------------------------------------------------------ */ +/* + * SVRCOREUserPinObj - implementation of SVRCOREPinObj that + * requests the PIN on the terminal. + * + * SVRCORE_SetUserPinInteractive - allows the application to declare + * that input via the terminal is no longer possible (set interactive + * to PR_FALSE). When this is the case, the object returns NULL (no + * PIN available) + */ +typedef struct SVRCOREUserPinObj SVRCOREUserPinObj; + +SVRCOREError +SVRCORE_CreateUserPinObj(SVRCOREUserPinObj **out); + +void +SVRCORE_SetUserPinInteractive(SVRCOREUserPinObj *obj, PRBool interactive); + +void +SVRCORE_DestroyUserPinObj(SVRCOREUserPinObj *obj); + +/* ------------------------------------------------------------ */ +/* + * SVRCOREAltPinObj - allows cascading of PinObj. For example, an + * application can first check a file (FilePinObj) and then the terminal + * (UserPinObj). The primary object is called first then, if no PIN is + * available, the alternate object is called. + * + * This object does not claim ownership of the PinObjs. The application + * must delete them (after deleting the AltPinObj). 
+ */ +typedef struct SVRCOREAltPinObj SVRCOREAltPinObj; + +SVRCOREError +SVRCORE_CreateAltPinObj( + SVRCOREAltPinObj **out, + SVRCOREPinObj *primary, SVRCOREPinObj *alt); + +void SVRCORE_DestroyAltPinObj(SVRCOREAltPinObj *obj); + +/* ------------------------------------------------------------ */ +/* + * SVRCOREFilePinObj - implements reading PINs from a file. The + * name of the file is provided in the constructor. + */ +typedef struct SVRCOREFilePinObj SVRCOREFilePinObj; + +SVRCOREError +SVRCORE_CreateFilePinObj( + SVRCOREFilePinObj **out, + const char *filename); + +void +SVRCORE_DestroyFilePinObj(SVRCOREFilePinObj *obj); + +/* ------------------------------------------------------------ */ +/* + * SVRCORECachedPinObj - implementation of SVRCOREPinObj that + * caches the PIN in a secure way. + * + * SVRCORE_CachedPinGetPin - allows the application to retrieve + * the stored pin. The application should free the value useing free() + * after clearing the memory. + */ +typedef struct SVRCORECachedPinObj SVRCORECachedPinObj; + +SVRCOREError +SVRCORE_CreateCachedPinObj(SVRCORECachedPinObj **out, SVRCOREPinObj *alt); + +SVRCOREError +SVRCORE_CachedPinGetPin(char **pin, SVRCORECachedPinObj *obj, + const char *tokenName); + +void +SVRCORE_DestroyCachedPinObj(SVRCORECachedPinObj *obj); + + +/* ------------------------------------------------------------ */ +/* + * SVRCORESystemdPinObj - implementation of SVRCOREPinObj that + * is able to contact the systemd ask pass api to retrieve + * the PIN material. + */ + +typedef struct SVRCORESystemdPinObj SVRCORESystemdPinObj; + +SVRCOREError +SVRCORE_CreateSystemdPinObj(SVRCORESystemdPinObj **out, uint64_t timeout); + +void +SVRCORE_DestroySystemdPinObj(SVRCORESystemdPinObj *obj); + +/* ------------------------------------------------------------ */ +/* + * SVRCOREStdSystemdPinObj - implementation of SVRCOREPinObj that + * provides the standard handling for servers, including systemd. 
+ * This includes systemd request, optional file lookup, and + * optional caching. + * + * SVRCORE_SetStdSystemdPinInteractive - allows the application to declare + * that input via the terminal is no longer possible (set interactive + * to PR_FALSE). See the corresponding routine for UserPinObj + * + * SVRCORE_StdSystemdPinGetPin - get a (securely) cached PIN value. Returns + * SVRCORE_NoSuchToken_Error if the object is not set up for caching. + */ +typedef struct SVRCOREStdSystemdPinObj SVRCOREStdSystemdPinObj; + +SVRCOREError +SVRCORE_CreateStdSystemdPinObj(SVRCOREStdSystemdPinObj **out, + const char *filename, PRBool cachePINs, PRBool systemdPINs, uint64_t timeout); + +void +SVRCORE_SetStdSystemdPinInteractive(SVRCOREStdSystemdPinObj *obj, PRBool interactive); + +SVRCOREError +SVRCORE_StdSystemdPinGetPin(char **pin, SVRCOREStdSystemdPinObj *obj, + const char *tokenName); + +void +SVRCORE_DestroyStdSystemdPinObj(SVRCOREStdSystemdPinObj *obj); + +/* ------------------------------------------------------------ */ +/* + * Implements SVRCORESecurePinStore interface + */ +typedef struct SVRCOREPk11PinStore SVRCOREPk11PinStore; + +/* + * SVRCORE_GetPk11PinStoreError + */ +SECStatus SVRCORE_Pk11StoreGetError(const SVRCOREPk11PinStore *store); + +/* Experimental */ +const char *SVRCORE_Pk11StoreGetMechName(const SVRCOREPk11PinStore *store); + +/* + * SVRCORE_CreatePk11PinStore + * Args: + * None + * Errors: + * SVRCORE_Success + * SVRCORE_NoMemory_Error + * SVRCORE_NoSuchToken_Error + * SVRCORE_System_Error + * SVRCORE_IncorrectPassword_Error + */ +SVRCOREError +SVRCORE_CreatePk11PinStore( + SVRCOREPk11PinStore **out, /* Output */ + const char *tokenName, + const char *pin); + +SVRCOREError +SVRCORE_Pk11StoreGetPin( + char **out, /* Output */ + SVRCOREPk11PinStore *store); + +void +SVRCORE_DestroyPk11PinStore( + SVRCOREPk11PinStore *store); + + +PR_END_EXTERN_C + +#endif 
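Review bot: The declarations of SVRCORE_CreateSystemdPinObj and SVRCORE_CreateStdSystemdPinObj in svrcore.h do not say what unit `timeout` is in or what a build without systemd support does, and the Makefile.am change installs this header for outside callers. From systemd-ask-pass.c in this commit, the value is multiplied by USEC_PER_SEC, 0 is replaced by 90, and without HAVE_SYSTEMD the function returns SVRCORE_MissingFeature without writing `*out`. I would add to the SVRCORESystemdPinObj comment: `timeout - seconds to wait for a reply; 0 selects the default of 90. Returns SVRCORE_MissingFeature, leaving *out unset, when built without systemd support.` Callers then know to initialise their pointer and to check the return value before using it.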
diff --git a/src/svrcore/src/systemd-ask-pass.c b/src/svrcore/src/systemd-ask-pass.c
new file mode 100644
index 0000000..ea598d7
--- /dev/null
+++ b/src/svrcore/src/systemd-ask-pass.c
@@ -0,0 +1,468 @@ +/* + * Copyright (C) 1998 Netscape Communications Corporation. + * All Rights Reserved. + * + * Copyright 2016 Red Hat, Inc. and/or its affiliates. + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. + */ + +/* + * systemd-ask-pass.c - SVRCORE module for reading the PIN from systemd integrations. + */ + +#if HAVE_CONFIG_H +#include +#endif + +/* For socket.h to work correct, we need to define __USE_GNU */ +#define _GNU_SOURCE 1 + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +#define PASS_MAX 256 * sizeof(char) +#define NSEC_PER_USEC ((uint64_t) 1000ULL) +#define USEC_PER_SEC ((uint64_t) 1000000ULL) + +struct SVRCORESystemdPinObj +{ + SVRCOREPinObj base; + uint64_t timeout; +}; +static const struct SVRCOREPinMethods vtable; + +SVRCOREError +SVRCORE_CreateSystemdPinObj(SVRCORESystemdPinObj **out, uint64_t timeout) +{ +#ifdef HAVE_SYSTEMD + + SVRCOREError err = SVRCORE_Success; + SVRCORESystemdPinObj *obj = NULL; + + do { // This is used like a "with" statement, to avoid a goto. 
+ obj = (SVRCORESystemdPinObj *)malloc(sizeof(SVRCORESystemdPinObj)); + if (obj == NULL) { + err = SVRCORE_NoMemory_Error; + break; + } + + obj->base.methods = &vtable; + if (timeout == 0) { + obj->timeout = 90; + } else { + obj->timeout = timeout; + } + + } while (0); + + // If error, destrop it, and return err + if (err != SVRCORE_Success) { + SVRCORE_DestroySystemdPinObj(obj); + obj = NULL; + } + + *out = obj; + return err; +#else // systemd + return SVRCORE_MissingFeature; +#endif // Systemd +} + +#ifdef HAVE_SYSTEMD +SVRCOREError +_create_socket(char **path, int *sfd) +{ + SVRCOREError err = SVRCORE_Success; + *sfd = 0; + + int one = 1; + + struct sockaddr_un saddr = { AF_UNIX, {0} }; + // This is the max len of the path + strncpy(saddr.sun_path, *path, 50); + + // Create the socket + + *sfd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0); + if (*sfd < 0) { + err = SVRCORE_SocketError; + goto out; + } + + // bind the socket to the addr + if (bind(*sfd, (const struct sockaddr *) &saddr, sizeof(saddr) ) != 0 ) { + // EACCES == 13 + if (errno == EACCES) { + err = SVRCORE_PermissionError; + } else { + err = SVRCORE_SocketError; + } + goto out; + } + + // set options. Why do we need SO_PASSCRED? 
I think this makes systemd happy + if (setsockopt(*sfd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one)) != 0) { + err = SVRCORE_SocketError; + goto out; + } + +out: + + return err; +} + +SVRCOREError +_now(uint64_t *now) +{ + SVRCOREError err = SVRCORE_Success; + struct timespec ts; + // Need to set this from clock_monotonic + timeout + // Of course, systemd invent their own thing, and no docs about until + if (clock_gettime(CLOCK_MONOTONIC, &ts) != 0) { + err = SVRCORE_ClockError; + goto out; + } +out: + *now = ((uint64_t)ts.tv_sec * USEC_PER_SEC) + \ + ((uint64_t)ts.tv_nsec / NSEC_PER_USEC); + return err; +} + +SVRCOREError +_until(uint64_t timeout, uint64_t *until) +{ + SVRCOREError err = SVRCORE_Success; + // Get the timestamp + err = _now(until); + if (err != SVRCORE_Success) { + goto out; + } + *until = *until + (timeout * USEC_PER_SEC); + +out: + return err; +} +#endif // Systemd + +static char * +getPin(SVRCOREPinObj *obj, const char *tokenName, PRBool retry) +{ +#ifdef HAVE_SYSTEMD + SVRCORESystemdPinObj *sobj = (SVRCORESystemdPinObj *)obj; + SVRCOREError err = SVRCORE_Success; + char *tbuf = malloc(PASS_MAX); + char *token = malloc(PASS_MAX); + char *path = "/run/systemd/ask-password"; + int socket_fd = 0; + FILE *tmp_fd = NULL; + uint64_t until = 0; + uint64_t now = 0; + // Now make up the paths we will use. 
+ char *socket_path = NULL; + char *ask_path = NULL; + char *tmp_path = NULL; + + if (token == NULL || tbuf == NULL) { + err = SVRCORE_NoMemory_Error; + goto out; + } + + pid_t pid = getpid(); + + socket_path = malloc(sizeof(char) * 50); + ask_path = malloc(sizeof(char) * 50); + tmp_path = malloc(sizeof(char) * 50); + + if (socket_path == NULL || ask_path == NULL || tmp_path == NULL) { + err = SVRCORE_NoMemory_Error; + if (socket_path) { + *socket_path = '\0'; + } + if (ask_path) { + *ask_path = '\0'; + } + if (tmp_path) { + *tmp_path = '\0'; + } + goto out; + } + + snprintf(socket_path, 50, "%s/sck.%d", path, pid ); + snprintf(ask_path, 50, "%s/ask.%d", path, pid ); + snprintf(tmp_path, 50, "%s/tmp.%d", path, pid ); + +#ifdef DEBUG + printf("systemd:getPin() -> get time until \n"); +#endif + + err = _until(sobj->timeout, &until); + if(err != SVRCORE_Success) { + free(token); + token = NULL; + goto out; + } + +#ifdef DEBUG + printf("systemd:getPin() -> time until %" PRId64 "\n", until); +#endif + +#ifdef DEBUG + printf("systemd:getPin() -> begin ask pid %d\n", pid); +#endif + + // Are there any other pre-conditions we should check? 
+ // mkdir -p "/run/systemd/ask-password", 0755 + if (mkdir(path, 0755) != 0) { + if (errno != EEXIST) { + err = SVRCORE_IOOperationError; + free(token); + token = NULL; + goto out; + } + } + +#ifdef DEBUG + printf("systemd:getPin() -> path exists\n"); +#endif + + // Create the socket + // The socket has to end up as /run/system/ask-password/sck.xxxxx +#ifdef DEBUG + printf("systemd:getPin() -> creating socket %s \n", socket_path); +#endif + + err = _create_socket(&socket_path, &socket_fd); + if (err != SVRCORE_Success) { + fprintf(stderr, "SVRCORE systemd:getPin() -> creating socket FAILED %d\n", err); + free(token); + token = NULL; + goto out; + } + +#ifdef DEBUG + printf("systemd:getPin() -> creating tmp file %s \n", tmp_path); +#endif + + + umask( S_IWGRP | S_IWOTH ); + tmp_fd = fopen(tmp_path, "w"); + + if (tmp_fd == NULL) { + fprintf(stderr, "SVRCORE systemd:getPin() -> opening ask file FAILED\n"); + err = SVRCORE_IOOperationError; + free(token); + token = NULL; + goto out; + } + + // Create the inf file asking for the password + // Write data to the file + // [Ask] + fprintf(tmp_fd, "[Ask]\n"); + // PID=Our Pid + fprintf(tmp_fd, "PID=%d\n", pid); + // Socket=fd of socket, or name? systemd code doesn't make this clear. + fprintf(tmp_fd, "Socket=%s\n", socket_path); + // AcceptCached=0 or 1, but not docs on which means what .... + fprintf(tmp_fd, "AcceptCached=0\n"); + // Echo= Display password as entered or not + fprintf(tmp_fd, "Echo=0\n"); + // NotAfter= Number of microseconds from clock monotonic + timeout + fprintf(tmp_fd, "NotAfter=%" PRIu64 "\n", until); + // Message=Prompt to display + fprintf(tmp_fd, "Message=Enter PIN for %s:\n", tokenName); + // Id=Who wants it + // fprintf(tmp_fd, "Id=svrcore\n"); + // Icon? + fclose(tmp_fd); + + // rename the file to .ask ?? + // -rw-r--r--. 1 root root 127 Mar 22 13:08 ask.9m8ftM + // srw-------. 
1 root root 0 Mar 22 13:08 sck.cf913cf669031308 + +#ifdef DEBUG + printf("systemd:getPin() -> moving tmp file %s to %s\n", tmp_path, ask_path); +#endif + + + if (rename(tmp_path, ask_path) != 0) { + fprintf(stderr, "SVRCORE systemd:getPin() -> renaming ask file FAILED %d\n", err); + err = SVRCORE_IOOperationError; + free(token); + token = NULL; + goto out; + } + + // read on the socket, if nothing, keep looping and check timeout. + while (PR_TRUE) { + struct msghdr msghdr; + struct iovec iovec; + + struct ucred *ucred; + union { + struct cmsghdr cmsghdr; + uint8_t buf[CMSG_SPACE(sizeof(struct ucred))]; + } control; + + ssize_t data_size; + + err = _now(&now); + if (err != SVRCORE_Success) { + free(token); + token = NULL; + goto out; + } + + if (now >= until) { + err = SVRCORE_TimeoutError; + free(token); + token = NULL; + goto out; + } + + // Clear out last loops data + memset(&msghdr, 0, sizeof(struct msghdr)); + memset(&iovec, 0, sizeof(struct iovec)); + memset(&control, 0, sizeof(control)); + + // Setup the structures to recieve data. + iovec.iov_base = tbuf; + iovec.iov_len = PASS_MAX; + + msghdr.msg_iov = &iovec; + msghdr.msg_iovlen = 1; + msghdr.msg_control = &control; + msghdr.msg_controllen = sizeof(control); + + data_size = recvmsg(socket_fd, &msghdr, 0); + // Check if data_size is 0, then check errno + if (data_size < 0) { + if (errno != EAGAIN && errno != EINTR) { + err = SVRCORE_SocketError; + free(token); + token = NULL; + goto out; + } + } +#ifdef DEBUG + printf("systemd:getPin() -> receiving ... %ld %d\n", data_size, errno); +#endif + // Check the response is valid + // Check that the other end is authenticated. 
+ if (msghdr.msg_controllen < CMSG_LEN(sizeof(struct ucred)) || + control.cmsghdr.cmsg_len != CMSG_LEN(sizeof(struct ucred)) || + control.cmsghdr.cmsg_level != SOL_SOCKET || + control.cmsghdr.cmsg_type != SCM_CREDENTIALS) + { + // Ignore this message, it has no auth on the socket +#ifdef DEBUG + printf("systemd:getPin() -> Unauthenticated message \n"); +#endif + sleep(2); + continue; + } + + ucred = (struct ucred *) CMSG_DATA(&control.cmsghdr); + if (ucred->uid != 0) { +#ifdef DEBUG + printf("systemd:getPin() -> Response not by root \n"); +#endif + sleep(2); + continue; + } + +#ifdef DEBUG + printf("systemd:getPin() -> token value %s \n", tbuf); +#endif + + // The response starts with a + to say the value was a success + if (tbuf[0] == '+') { + if (data_size == 1) { + strncpy(token, "", PASS_MAX - 1); + } else { + strncpy(token, tbuf + 1, PASS_MAX - 1); + } + break; + + } + + // Else, if a -, the input was canceled + if (tbuf[0] == '-') { + err = SVRCORE_NoSuchToken_Error; + free(token); + token = NULL; + goto out; + } + + } +out: + + if(tbuf != NULL) { + memset(tbuf, 0, PASS_MAX); + free(tbuf); + } + + if (socket_fd != 0) { + close(socket_fd); + } + + if (socket_path) { + if (*socket_path) { + unlink(socket_path); + } + free(socket_path); + } + if (ask_path) { + if (*ask_path) { + unlink(ask_path); + } + free(ask_path); + } + if (tmp_path) { + if (*tmp_path) { + unlink(tmp_path); + } + free(tmp_path); + } + + return token; + +#else // systemd + return NULL; +#endif // Systemd +} + +void +SVRCORE_DestroySystemdPinObj(SVRCORESystemdPinObj *obj) +{ +#ifdef HAVE_SYSTEMD + if (obj) { + free(obj); + } +#endif // Systemd +} + +static void +destroyObject(SVRCOREPinObj *obj) +{ + SVRCORE_DestroySystemdPinObj((SVRCORESystemdPinObj*)obj); +} + +static const SVRCOREPinMethods vtable = +{ 0, 0, destroyObject, getPin }; + diff --git a/src/svrcore/src/user.c b/src/svrcore/src/user.c new file mode 100644 index 0000000..3da668d --- /dev/null +++ b/src/svrcore/src/user.c 
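Review bot: getPin in systemd-ask-pass.c can return a PIN buffer holding heap bytes that were never received. `tbuf` and `token` come from `malloc` and `tbuf` is not terminated at `data_size`, so unless the sender appends a zero byte, `strncpy(token, tbuf + 1, PASS_MAX - 1)` copies whatever follows the datagram up to the first zero, and a full-length reply leaves `token` unterminated. The two early `goto out` branches for allocation failure also return `token` without freeing it, so when it was allocated the caller gets an uninitialised buffer as the PIN. Zero-allocating both buffers, clearing `tbuf` on each iteration, receiving at most `PASS_MAX - 1` bytes and releasing `token` on those branches closes this. Separately, `umask( S_IWGRP | S_IWOTH )` is never restored, so a stricter mask set by the host process is replaced for every file it creates afterwards.

```c
    char *tbuf = calloc(1, PASS_MAX);
    char *token = calloc(1, PASS_MAX);
    /* … unchanged: path, socket_fd, tmp_fd, until, now and the path pointers … */

    if (token == NULL || tbuf == NULL) {
        err = SVRCORE_NoMemory_Error;
        free(token);
        token = NULL;
        goto out;
    }
    /* … unchanged: path allocation; its failure branch gains the same free(token); token = NULL; … */

        /* in the receive loop, next to the other per-iteration memset calls */
        memset(tbuf, 0, PASS_MAX);
        iovec.iov_base = tbuf;
        iovec.iov_len = PASS_MAX - 1; /* last byte stays zero as the terminator */
```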
@@ -0,0 +1,180 @@
+/*
+ * Copyright (C) 1998 Netscape Communications Corporation.
+ * All Rights Reserved.
+ *
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+/*
+ * user.c - SVRCORE module for reading PIN from the terminal
+ */
+
+#if HAVE_CONFIG_H
+#include
+#endif
+
+#include
+#include
+#include
+#ifdef _WIN32
+#include
+#endif /* _WIN32 */
+
+/* ------------------------------------------------------------ */
+/* I18N */
+static const char retryWarning[] =
+"Warning: Incorrect PIN may result in disabling the token";
+static const char prompt[] = "Enter PIN for";
+static const char nt_retryWarning[] =
+"Warning: You entered an incorrect PIN. Incorrect PIN may result in disabling the token";
+
+struct SVRCOREUserPinObj
+{
+ SVRCOREPinObj base;
+ PRBool interactive;
+};
+static const struct SVRCOREPinMethods vtable;
+
+#ifdef _WIN32
+extern char* NT_PromptForPin(const char *tokenName);
+#else
+/* ------------------------------------------------------------ */
+/*
+ * Support routines for changing terminal modes on UNIX
+ */
+#include
+#include
+static void echoOff(int fd)
+{
+ if (isatty(fd)) {
+ struct termios tio;
+ tcgetattr(fd, &tio);
+ tio.c_lflag &= ~ECHO;
+ tcsetattr(fd, TCSAFLUSH, &tio);
+ }
+}
+
+static void echoOn(int fd)
+{
+ if (isatty(fd)) {
+ struct termios tio;
+ tcgetattr(fd, &tio);
+ tio.c_lflag |= ECHO;
+ tcsetattr(fd, TCSAFLUSH, &tio);
+ }
+}
+#endif /* _WIN32 */
+
+/* ------------------------------------------------------------ */
+SVRCOREError
+SVRCORE_CreateUserPinObj(SVRCOREUserPinObj **out)
+{
+ SVRCOREError err = 0;
+ SVRCOREUserPinObj *obj = 0;
+
+ do {
+ obj = (SVRCOREUserPinObj*)malloc(sizeof (SVRCOREUserPinObj));
+ if (!obj) { err = 1; break; }
+
+ obj->base.methods = &vtable;
+
+ obj->interactive = PR_TRUE;
+ } 
while(0);
+
+ if (err)
+ {
+ SVRCORE_DestroyUserPinObj(obj);
+ obj = 0;
+ }
+
+ *out = obj;
+ return err;
+}
+
+void
+SVRCORE_DestroyUserPinObj(SVRCOREUserPinObj *obj)
+{
+ if (obj) free(obj);
+}
+
+void
+SVRCORE_SetUserPinInteractive(SVRCOREUserPinObj *obj, PRBool i)
+{
+ obj->interactive = i;
+}
+
+static void destroyObject(SVRCOREPinObj *obj)
+{
+ SVRCORE_DestroyUserPinObj((SVRCOREUserPinObj*)obj);
+}
+
+
+static char *getPin(SVRCOREPinObj *obj, const char *tokenName, PRBool retry)
+{
+ SVRCOREUserPinObj *tty = (SVRCOREUserPinObj*)obj;
+ char line[128];
+ char *res;
+
+ /* If the program is not interactive then return no result */
+ if (!tty->interactive) return 0;
+
+#ifdef _WIN32
+ if (retry) {
+ MessageBox(GetDesktopWindow(), nt_retryWarning,
+ "Netscape Server", MB_ICONEXCLAMATION | MB_OK);
+ }
+ return NT_PromptForPin(tokenName);
+#else
+
+ if (retry)
+ fprintf(stdout, "%s\n", retryWarning);
+
+ echoOff(fileno(stdin));
+
+/***
+ Please Note: the following printf statement was changed from fprintf(stdout,...) because
+ of an odd problem with the Linux build. The issue is that libc.so has a symbol for stdout
+ and libstdc++.so which we also reference has a symbol for stdout. Normally the libc.so version
+ of stdout is resolved first and writing to stdout is no problem. Unfortunately something happens
+ on Linux which allows the "other" stdout from libstdc++.so to get referenced so that when a call
+ to fprintf(stdout,...) is made the new stdout which has never been initialized get's written
+ to causing a sigsegv. At this point we can not easily remove libstdc++.so from the dependencies
+ because other code which slapd uses happens to be C++ code which causes the reference of
+ libstdc++.so .
+
+ It was determined that the quickest way to resolve the issue for now was to change the fprintf
+ calls to printf thereby fixing the crashes on a temp basis. 
Using printf seems to work because
+ it references stdout internally which means it will use the one from libc.so .
+***/
+ printf("%s %s: ", prompt, tokenName);
+ fflush(stdout);
+
+ /* Read input */
+ res = fgets(line, sizeof line, stdin);
+
+ echoOn(fileno(stdin));
+ printf("\n");
+
+ if (!res) return 0;
+
+ /* Find and kill the newline */
+ if ((res = strchr(line, '\n')) != NULL) *res = 0;
+
+ /* Return no-response if user typed an empty line */
+ if (line[0] == 0) return 0;
+
+ return strdup(line);
+
+#endif /* _WIN32 */
+
+}
+
+/*
+ * VTable
+ */
+static const SVRCOREPinMethods vtable =
+{ 0, 0, destroyObject, getPin };
diff --git a/src/svrcore/svrcore.spec b/src/svrcore/svrcore.spec
new file mode 100644
index 0000000..f32c050
--- /dev/null
+++ b/src/svrcore/svrcore.spec
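Review bot: getPin in user.c leaves the typed PIN in the stack buffer `line` after it returns the `strdup` copy, so the secret stays in the process stack until something overwrites it. Wipe the buffer before returning, for example `res = strdup(line); memset(line, 0, sizeof line); return res;`, using a wipe the compiler cannot elide (such as `explicit_bzero` where the platform provides it). echoOff and echoOn also ignore the result of `tcgetattr`, so when that call fails `tcsetattr` is handed an uninitialised `termios`; checking the return value and skipping the `tcsetattr` call avoids that.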
@@ -0,0 +1,147 @@
+%define nspr_version 4.6
+%define nss_version 3.11
+
+Summary: Secure PIN handling using NSS crypto
+Name: svrcore
+Version: __VERSION__
+Release: 1%{?dist}
+License: MPL2.0
+URL: https://pagure.io/svrcore
+Group: Development/Libraries
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+Requires: nspr >= %{nspr_version}
+Requires: nss >= %{nss_version}
+BuildRequires: nspr-devel >= %{nspr_version}
+BuildRequires: nss-devel >= %{nss_version}
+BuildRequires: pkgconfig
+BuildRequires: pkgconfig(systemd)
+# Needed to support regeneration of the autotool artifacts.
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: libtool
+
+Source0: http://www.port389.org/binaries/%{name}-%{version}.tar.bz2
+
+%description
+svrcore provides applications with several ways to handle secure PIN storage
+e.g. in an application that must be restarted, but needs the PIN to unlock
+the private key and other crypto material, without user intervention. svrcore
+uses the facilities provided by NSS.
+
+%package devel
+Summary: Development files for secure PIN handling using NSS crypto
+Group: Development/Libraries
+Requires: %{name} = %{version}-%{release}
+Requires: nspr-devel >= %{nspr_version}
+Requires: nss-devel >= %{nss_version}
+Requires: pkgconfig
+
+%description devel
+svrcore provides applications with several ways to handle secure PIN storage
+e.g. in an application that must be restarted, but needs the PIN to unlock
+the private key and other crypto material, without user intervention. svrcore
+uses the facilities provided by NSS.
+
+This package contains header files and symlinks to develop programs which will
+use the libsvrcore library. You should install this package if you need to
+develop programs which will use the svrcore library.
+
+%prep
+%setup -q
+
+%build
+
+autoreconf -fiv
+%configure --with-systemd
+make
+
+%install
+%{__rm} -rf $RPM_BUILD_ROOT
+
+make install DESTDIR=$RPM_BUILD_ROOT
+rm -f $RPM_BUILD_ROOT%{_libdir}/libsvrcore.a
+rm -f $RPM_BUILD_ROOT%{_libdir}/libsvrcore.la
+
+%clean
+%{__rm} -rf $RPM_BUILD_ROOT
+
+%post -p /sbin/ldconfig
+%postun -p /sbin/ldconfig
+
+%files
+%defattr(-,root,root,-)
+%doc LICENSE README NEWS
+%{_libdir}/libsvrcore.so.*
+
+%files devel
+%defattr(-,root,root,-)
+%{_libdir}/pkgconfig/%{name}.pc
+%{_libdir}/libsvrcore.so
+%{_includedir}/svrcore.h
+
+%changelog
+* Fri Mar 10 2017 Mark Reynolds - 4.1.3
+- Bump version to 4.1.3
+- Ticket 18 - Remove configure outputs
+- Ticket 17 - update stdc to c99 to match other projects
+- Ticket 16 - with systemd should unset have systemd if pkgconfig not found
+- Ticket 14 - svrcore does not detect tty
+
+* Thu Apr 21 2016 Noriko Hosoi - 4.1.2
+- Code quality improvements
+
+* Thu Apr 14 2016 William Brown - 4.1.1
+- Code quality and stability improvements
+- Improvements to rpm tooling and features
+
+* Fri Apr 8 2016 William Brown - 4.1.0
+- Added systemd ask password support
+
+* Tue Mar 13 2007 Rich Megginson - 4.0.4-1
+- Removed some autoconf generated files which were GPL only - all
+- code needs to be tri-licensed
+- updated version to 4.0.4
+- added empty COPYING file - do not use the one generated by autoreconf
+- use bz2 for source tarball instead of gz
+
+* Wed Dec 13 2006 Rich Megginson - 4.0.3.01-0
+- Fixed support for windows build by moving old makefile to src/Makefile.win
+- and updating instructions - I could not get configure/libtool to work
+- with cygwin and the msvc compiler
+- Added support for --with-nspr and --with-nss and finding nspr/nss
+- "in-tree" when building with other mozilla components
+- Use PK11_TokenKeyGenWithFlags instead of PK11_KeyGen
+
+* Fri Dec 08 2006 Toshio Kuratomi - 4.0.2.02-0
+- Test build based on an second experimental autotools version of svrcore.
+
+* Thu Dec 07 2006 Toshio Kuratomi - 4.0.2.01-0
+- Test build based on an experimental autotools version of svrcore.
+
+* Thu Jul 13 2006 Rich Megginson - 4.0.2-3
+- Bump spec rev to 3
+- Remove unneeded buildrequires perl, gawk, sed
+- Remove leading / from path macros
+- Remove provides for package name - done automatically
+- Move pkgconfig file stuff under install
+- Added LICENSE and README under docs
+
+* Mon Jun 26 2006 Rich Megginson - 4.0.2-2
+- Bump spec rev to 2 due to change of spec file name from svrcore
+- to svrcore-devel to comply with fedora packaging guidelines
+
+* Thu Jun 22 2006 Rich Megginson - 4.0.2-1
+- Bump rev to 4.0.2; now using HEAD of mozilla/security/coreconf
+- which includes the coreconf-location.patch, so got rid of patch
+
+* Tue Apr 18 2006 Rich Megginson - 4.0.1-3
+- Use pkg-config --variable=includedir to get include dirs
+
+* Wed Feb 1 2006 Rich - 4.0.1-2
+- Requires nss version was wrong
+
+* Wed Jan 11 2006 Rich Megginson - 4.01-1
+- Removed svrcore-config - use pkg-config instead
+
+* Mon Dec 19 2005 Rich Megginson - 4.01-1
+- Initial revision
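Review bot: `Source0` in the new spec points at a plain `http://` URL, and neither `%prep` nor any other section checks a signature or checksum on the tarball. Nothing visible in the spec therefore ties the built library, which handles the PIN that unlocks private key material, to the sources upstream published. If the host serves the same path over TLS, use `Source0: https://www.port389.org/binaries/%{name}-%{version}.tar.bz2`. Consider also listing a detached signature as a second `Source` entry and verifying it at the start of `%prep`, before `%setup -q`.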