Hi,
A small patch that removes the encryption of the signon service <--> signon authentication plugins IPC. The encryption handlers are buggy and affect the overall IPC, and the encryption itself is not needed -
the pipes are owned by root. Br, Aurel
>From b23837160a5ffb6de56dcdcd9316bfc916bdd3d8 Mon Sep 17 00:00:00 2001 From: Aurel Popirtac <[email protected]> Date: Sat, 7 May 2011 14:24:40 +0300 Subject: [PATCH 1/1] Removed encryption for the SignOn plugins' IPC. --- src/remotepluginprocess/remotepluginprocess.cpp | 89 +++++++---------------- src/remotepluginprocess/remotepluginprocess.h | 9 +-- src/signond/pluginproxy.cpp | 65 ++++------------- src/signond/pluginproxy.h | 3 - 4 files changed, 43 insertions(+), 123 deletions(-) diff --git a/src/remotepluginprocess/remotepluginprocess.cpp b/src/remotepluginprocess/remotepluginprocess.cpp index a7e0bb6..6331d37 100644 --- a/src/remotepluginprocess/remotepluginprocess.cpp +++ b/src/remotepluginprocess/remotepluginprocess.cpp @@ -51,8 +51,6 @@ namespace RemotePluginProcessNS { m_plugin = NULL; m_readnotifier = NULL; m_errnotifier = NULL; - m_encryptedInDevice = NULL; - m_encryptedOutDevice = NULL; qRegisterMetaType<SignOn::SessionData>("SignOn::SessionData"); qRegisterMetaType<QString>("QString"); @@ -69,11 +67,6 @@ namespace RemotePluginProcessNS { cancelThread->wait(); delete cancelThread; } - - delete m_encryptedInDevice; - m_encryptedInDevice = NULL; - delete m_encryptedOutDevice; - m_encryptedOutDevice = NULL; } RemotePluginProcess* RemotePluginProcess::createRemotePluginProcess(QString &type, QObject *parent) @@ -152,8 +145,8 @@ namespace RemotePluginProcessNS { { TRACE(); - m_infile.open(STDIN_FILENO, QIODevice::ReadOnly); - m_outfile.open(STDOUT_FILENO, QIODevice::WriteOnly); + m_inFile.open(STDIN_FILENO, QIODevice::ReadOnly); + m_outFile.open(STDOUT_FILENO, QIODevice::WriteOnly); m_readnotifier = new QSocketNotifier(STDIN_FILENO, QSocketNotifier::Read); m_errnotifier = new QSocketNotifier(STDIN_FILENO, QSocketNotifier::Exception); 
@@ -161,40 +154,12 @@ namespace RemotePluginProcessNS { connect(m_readnotifier, SIGNAL(activated(int)), this, SLOT(startTask())); connect(m_errnotifier, SIGNAL(activated(int)), this, SIGNAL(processStopped())); - QDataStream in(&m_infile); - QString key_and_iv_enc; - in >> key_and_iv_enc; - if (key_and_iv_enc.isEmpty()) { - TRACE() << "Failed to read key and iv from stdin"; - return false; - } - SignOnCrypto::Encryptor encryptor; - QString key_and_iv = encryptor.decodeString(key_and_iv_enc); - if (key_and_iv.isEmpty()) { - TRACE() << "Failed to decrypt key and iv"; - return false; - } - QByteArray raw_key_and_iv = QByteArray::fromBase64(key_and_iv.toLatin1()); - if (raw_key_and_iv.size() != 16 + AES_BLOCK_SIZE * 2) { - TRACE() << "Unexpected key or iv size"; - return false; - } - - unsigned char key[16] = {0}; - unsigned char iv_in[AES_BLOCK_SIZE] = {0}; - unsigned char iv_out[AES_BLOCK_SIZE] = {0}; - memcpy(key, raw_key_and_iv.constData(), sizeof(key)); - memcpy(iv_in, raw_key_and_iv.constData() + sizeof(key), sizeof(iv_in)); - memcpy(iv_out, raw_key_and_iv.constData() + sizeof(key) + sizeof(iv_in), sizeof(iv_out)); - m_encryptedInDevice = new EncryptedDevice(&m_infile, key, sizeof(key), iv_in, iv_out); - m_encryptedOutDevice = new EncryptedDevice(&m_outfile, key, sizeof(key), iv_in, iv_out); - if (!cancelThread) - cancelThread = new CancelEventThread(m_plugin, m_encryptedInDevice); + cancelThread = new CancelEventThread(m_plugin); TRACE() << "cancel thread created"; - m_blobIOHandler = new BlobIOHandler(m_encryptedInDevice, m_encryptedOutDevice, this); + m_blobIOHandler = new BlobIOHandler(&m_inFile, &m_outFile, this); connect(m_blobIOHandler, SIGNAL(dataReceived(const QVariantMap &)), 
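Review bot: With the key handshake removed from this setup path, `new BlobIOHandler(&m_inFile, &m_outFile, this)` carries session data in cleartext over stdin/stdout, and nothing in the code records the assumption that makes this acceptable. The description relies on the pipes being owned by root; that protects the data only if no other process can obtain the pipe ends or inspect either process, which this patch does not show and which is worth confirming for the target deployment. I would add a comment at this line such as `// IPC is unencrypted on purpose: confidentiality depends on the stdin/stdout pipes being private to signond and this process`. The same applies to `new BlobIOHandler(m_process, m_process, this)` in the `@@ -545,32 +533,7 @@` hunk of src/signond/pluginproxy.cpp. The enclosing function starts and ends outside the hunk.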
@@ -262,7 +227,7 @@ namespace RemotePluginProcessNS { void RemotePluginProcess::result(const SignOn::SessionData &data) { disableCancelThread(); - QDataStream out(m_encryptedOutDevice); + QDataStream out(&m_outFile); QVariantMap resultDataMap; foreach(QString key, data.propertyNames()) @@ -272,12 +237,12 @@ namespace RemotePluginProcessNS { m_blobIOHandler->sendData(resultDataMap); - m_outfile.flush(); + m_outFile.flush(); } void RemotePluginProcess::store(const SignOn::SessionData &data) { - QDataStream out(m_encryptedOutDevice); + QDataStream out(&m_outFile); QVariantMap storeDataMap; foreach(QString key, data.propertyNames()) @@ -287,19 +252,19 @@ namespace RemotePluginProcessNS { m_blobIOHandler->sendData(storeDataMap); - m_outfile.flush(); + m_outFile.flush(); } void RemotePluginProcess::error(const SignOn::Error &err) { disableCancelThread(); - QDataStream out(m_encryptedOutDevice); + QDataStream out(&m_outFile); out << (quint32)PLUGIN_RESPONSE_ERROR; out << (quint32)err.type(); out << err.message(); - m_outfile.flush(); + m_outFile.flush(); TRACE() << "error is sent" << err.type() << " " << err.message(); } @@ -309,7 +274,7 @@ namespace RemotePluginProcessNS { TRACE(); disableCancelThread(); - QDataStream out(m_encryptedOutDevice); + QDataStream out(&m_outFile); QVariantMap resultDataMap; foreach(QString key, data.propertyNames()) @@ -317,7 +282,7 @@ namespace RemotePluginProcessNS { out << (quint32)PLUGIN_RESPONSE_UI; m_blobIOHandler->sendData(resultDataMap); - m_outfile.flush(); + m_outFile.flush(); } void RemotePluginProcess::refreshed(const SignOn::UiSessionData &data) @@ -325,7 +290,7 @@ namespace RemotePluginProcessNS { TRACE(); disableCancelThread(); - QDataStream out(m_encryptedOutDevice); + QDataStream out(&m_outFile); QVariantMap resultDataMap; foreach(QString key, data.propertyNames()) 
@@ -337,19 +302,19 @@ namespace RemotePluginProcessNS { m_blobIOHandler->sendData(resultDataMap); - m_outfile.flush(); + m_outFile.flush(); } void RemotePluginProcess::statusChanged(const AuthPluginState state, const QString &message) { TRACE(); - QDataStream out(m_encryptedOutDevice); + QDataStream out(&m_outFile); out << (quint32)PLUGIN_RESPONSE_SIGNAL; out << (quint32)state; out << message; - m_outfile.flush(); + m_outFile.flush(); } QString RemotePluginProcess::getPluginName(const QString &type) @@ -365,7 +330,7 @@ namespace RemotePluginProcessNS { void RemotePluginProcess::type() { - QDataStream out(m_encryptedOutDevice); + QDataStream out(&m_outFile); QByteArray typeBa; typeBa.append(m_plugin->type()); out << typeBa; @@ -373,7 +338,7 @@ namespace RemotePluginProcessNS { void RemotePluginProcess::mechanisms() { - QDataStream out(m_encryptedOutDevice); + QDataStream out(&m_outFile); QStringList mechanisms = m_plugin->mechanisms(); QVariant mechsVar = mechanisms; out << mechsVar; @@ -381,7 +346,7 @@ namespace RemotePluginProcessNS { void RemotePluginProcess::process() { - QDataStream in(m_encryptedInDevice); + QDataStream in(&m_inFile); in >> m_currentMechanism; @@ -397,7 +362,7 @@ namespace RemotePluginProcessNS { void RemotePluginProcess::userActionFinished() { - QDataStream in(m_encryptedInDevice); + QDataStream in(&m_inFile); int processBlobSize = -1; in >> processBlobSize; @@ -409,7 +374,7 @@ namespace RemotePluginProcessNS { void RemotePluginProcess::refresh() { - QDataStream in(m_encryptedInDevice); + QDataStream in(&m_inFile); int processBlobSize = -1; in >> processBlobSize; @@ -508,7 +473,7 @@ namespace RemotePluginProcessNS { quint32 opcode = PLUGIN_OP_STOP; bool is_stopped = false; - QDataStream in(m_encryptedInDevice); + QDataStream in(&m_inFile); in >> opcode; switch (opcode) { 
@@ -549,7 +514,7 @@ namespace RemotePluginProcessNS { TRACE() << "operation is completed"; if (!is_stopped) { - if (!m_outfile.flush()) + if (!m_outFile.flush()) is_stopped = true; } @@ -560,11 +525,10 @@ namespace RemotePluginProcessNS { } } - CancelEventThread::CancelEventThread(AuthPluginInterface *plugin, EncryptedDevice *encryptedInDevice) + CancelEventThread::CancelEventThread(AuthPluginInterface *plugin) { m_plugin = plugin; m_cancelNotifier = 0; - m_encryptedInDevice = encryptedInDevice; } CancelEventThread::~CancelEventThread() @@ -599,11 +563,10 @@ namespace RemotePluginProcessNS { * Read the actual value of * */ QByteArray ba(buf, 4); - m_encryptedInDevice->setTemporaryDataSource(&ba); quint32 opcode; - QDataStream ds(m_encryptedInDevice); + QDataStream ds(ba); ds >> opcode; - m_encryptedInDevice->clearTemporaryDataSource(); + if (opcode != PLUGIN_OP_CANCEL) qCritical() << "wrong operation code: breakage of remotepluginprocess threads synchronization: " << opcode; diff --git a/src/remotepluginprocess/remotepluginprocess.h b/src/remotepluginprocess/remotepluginprocess.h index bce0486..4790588 100644 --- a/src/remotepluginprocess/remotepluginprocess.h +++ b/src/remotepluginprocess/remotepluginprocess.h @@ -76,7 +76,7 @@ namespace RemotePluginProcessNS { Q_OBJECT public: - CancelEventThread(AuthPluginInterface *plugin, EncryptedDevice *encryptedInDevice); + CancelEventThread(AuthPluginInterface *plugin); ~CancelEventThread(); void run(); @@ -87,7 +87,6 @@ namespace RemotePluginProcessNS { private: AuthPluginInterface *m_plugin; QSocketNotifier *m_cancelNotifier; - EncryptedDevice *m_encryptedInDevice; }; /*! 
@@ -115,13 +114,11 @@ class RemotePluginProcess : public QObject private: AuthPluginInterface *m_plugin; - QFile m_infile; - QFile m_outfile; + QFile m_inFile; + QFile m_outFile; QSocketNotifier *m_readnotifier; QSocketNotifier *m_errnotifier; - EncryptedDevice *m_encryptedInDevice; - EncryptedDevice *m_encryptedOutDevice; BlobIOHandler *m_blobIOHandler; diff --git a/src/signond/pluginproxy.cpp b/src/signond/pluginproxy.cpp index cd39bba..b6395a1 100644 --- a/src/signond/pluginproxy.cpp +++ b/src/signond/pluginproxy.cpp @@ -109,8 +109,6 @@ namespace SignonDaemonNS { m_isResultObtained = false; m_currentResultOperation = -1; m_process = new PluginProcess(this); - m_encryptedInDevice = NULL; - m_encryptedOutDevice = NULL; #ifdef SIGNOND_TRACE if (criticalsEnabled()) { @@ -155,11 +153,6 @@ namespace SignonDaemonNS { } } } - - delete m_encryptedInDevice; - m_encryptedInDevice = NULL; - delete m_encryptedOutDevice; - m_encryptedOutDevice = NULL; } PluginProxy* PluginProxy::createNewPluginProxy(const QString &type) @@ -202,7 +195,7 @@ namespace SignonDaemonNS { QVariant value = inData.value(SSOUI_KEY_UIPOLICY); m_uiPolicy = value.toInt(); - QDataStream in(m_encryptedInDevice); + QDataStream in(m_process); in << (quint32)PLUGIN_OP_PROCESS; in << mechanism; @@ -221,7 +214,7 @@ namespace SignonDaemonNS { m_cancelKey = cancelKey; - QDataStream in(m_encryptedInDevice); + QDataStream in(m_process); in << (quint32)PLUGIN_OP_PROCESS_UI; @@ -241,7 +234,7 @@ namespace SignonDaemonNS { m_cancelKey = cancelKey; - QDataStream in(m_encryptedInDevice); + QDataStream in(m_process); in << (quint32)PLUGIN_OP_REFRESH; @@ -255,14 +248,14 @@ namespace SignonDaemonNS { void PluginProxy::cancel() { TRACE(); - QDataStream in(m_encryptedInDevice); + QDataStream in(m_process); in << (quint32)PLUGIN_OP_CANCEL; } void PluginProxy::stop() { TRACE(); - QDataStream in(m_encryptedInDevice); + QDataStream in(m_process); in << (quint32)PLUGIN_OP_STOP; } 
@@ -322,7 +315,7 @@ namespace SignonDaemonNS { return; } - QDataStream reader(m_encryptedOutDevice); + QDataStream reader(m_process); reader >> m_currentResultOperation; TRACE() << "PROXY RESULT OPERATION:" << m_currentResultOperation; @@ -430,7 +423,7 @@ namespace SignonDaemonNS { quint32 err; QString errorMessage; - QDataStream stream(m_encryptedOutDevice); + QDataStream stream(m_process); stream >> err; stream >> errorMessage; m_isProcessing = false; @@ -446,7 +439,7 @@ namespace SignonDaemonNS { quint32 state; QString message; - QDataStream stream(m_encryptedOutDevice); + QDataStream stream(m_process); stream >> state; stream >> message; @@ -491,20 +484,16 @@ namespace SignonDaemonNS { if (!restartIfRequired()) return QString(); - QDataStream ds(m_encryptedInDevice); + QDataStream ds(m_process); ds << (quint32)PLUGIN_OP_TYPE; QByteArray typeBa, buffer; bool result; - if ((result = readOnReady(buffer, PLUGINPROCESS_START_TIMEOUT))) { - TemporaryEncryptedDataSourceSetter tedss(m_encryptedOutDevice, &buffer); - QDataStream out(m_encryptedOutDevice); - out >> typeBa; - } else + if (!(result = readOnReady(buffer, PLUGINPROCESS_START_TIMEOUT))) qCritical("PluginProxy returned NULL result"); - return QString::fromLatin1(typeBa); + return QString::fromLatin1(buffer); } QStringList PluginProxy::queryMechanisms() @@ -514,7 +503,7 @@ namespace SignonDaemonNS { if (!restartIfRequired()) return QStringList(); - QDataStream in(m_encryptedInDevice); + QDataStream in(m_process); in << (quint32)PLUGIN_OP_MECHANISMS; QByteArray buffer; @@ -522,10 +511,9 @@ namespace SignonDaemonNS { bool result; if ((result = readOnReady(buffer, PLUGINPROCESS_START_TIMEOUT))) { - TemporaryEncryptedDataSourceSetter tedss(m_encryptedOutDevice, &buffer); QVariant mechanismsVar; - QDataStream out(m_encryptedOutDevice); + QDataStream out(buffer); out >> mechanismsVar; QVariantList varList = mechanismsVar.toList(); 
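Review bot: In the `@@ -491,20 +484,16 @@` hunk, `return QString::fromLatin1(buffer);` converts the raw reply bytes, although the plugin side (`RemotePluginProcess::type()`) writes the type with `out << typeBa;`, that is, in QDataStream framing with a length prefix. The removed code decoded the reply through a QDataStream, and the mechanisms query in the following hunks still does (`QDataStream out(buffer); out >> mechanismsVar;`), so unless readOnReady strips the framing (not visible here) the returned type is likely to be wrong or empty. I would decode it the same way, with `QDataStream out(buffer); out >> typeBa;` in the success branch followed by `return QString::fromLatin1(typeBa);`. As written, `typeBa` is declared but never used and `result` is only assigned.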
@@ -545,32 +533,7 @@ namespace SignonDaemonNS { if (!m_process->waitForStarted(timeout)) return false; - delete m_encryptedInDevice; - m_encryptedInDevice = NULL; - delete m_encryptedOutDevice; - m_encryptedOutDevice = NULL; - - unsigned char key[16] = {0}; - unsigned char iv_in[AES_BLOCK_SIZE] = {0}; - unsigned char iv_out[AES_BLOCK_SIZE] = {0}; - RAND_bytes(key, sizeof(key)); - RAND_bytes(iv_in, sizeof(iv_in)); - RAND_bytes(iv_out, sizeof(iv_out)); - - m_encryptedInDevice = new EncryptedDevice(m_process, key, sizeof(key), iv_out, iv_in); - m_encryptedOutDevice = new EncryptedDevice(m_process, key, sizeof(key), iv_out, iv_in); - - // Pass the key and iv to remotepluginprocess. Encrypt them using - // aegis-crypto so that no other processes can access them - QByteArray key_and_iv; - key_and_iv.append((char *)key, sizeof(key)); - key_and_iv.append((char *)iv_in, sizeof(iv_in)); - key_and_iv.append((char *)iv_out, sizeof(iv_out)); - SignOnCrypto::Encryptor encryptor; - QDataStream in(m_process); - in << encryptor.encodeString(QString::fromLatin1(key_and_iv.toBase64()), m_process->pid()); - - m_blobIOHandler = new BlobIOHandler(m_encryptedOutDevice, m_encryptedInDevice, this); + m_blobIOHandler = new BlobIOHandler(m_process, m_process, this); connect(m_blobIOHandler, SIGNAL(dataReceived(const QVariantMap &)), diff --git a/src/signond/pluginproxy.h b/src/signond/pluginproxy.h index 8832ae2..4dc8232 100644 --- a/src/signond/pluginproxy.h +++ b/src/signond/pluginproxy.h @@ -121,9 +121,6 @@ namespace SignonDaemonNS { PluginProcess *m_process; SignOn::BlobIOHandler *m_blobIOHandler; - - SignOn::EncryptedDevice *m_encryptedInDevice; - SignOn::EncryptedDevice *m_encryptedOutDevice; }; } //namespace SignonDaemonNS -- 1.6.3.3
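Review bot: `m_blobIOHandler = new BlobIOHandler(m_process, m_process, this);` overwrites the pointer without releasing the handler it previously held. The removed lines deleted the encrypted devices before re-creating them, which suggests this function can run more than once per proxy (for example after a plugin restart); if so, each run leaves an older handler alive as a child of the proxy with its `dataReceived` connection intact. Consider `delete m_blobIOHandler;` before the assignment, provided the member is initialised to NULL in the constructor, which is outside this hunk. The function's start and end are also outside the hunk.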
