Re: [systemd-devel] [PATCH] [RFC] Add binary password agent protocol

2014-08-14 Thread Lennart Poettering 
On Mon, 14.07.14 15:43, David Härdeman (da...@hardeman.nu) wrote:

> No problem. Getting it right is part of the systemd philosophy...that
> sometime takes longer
> 
> Anyhow, I've looked at the in-kernel keyring stuff before. Basically
> userspace can request a key via a syscall (or in-kernel code can do
> pretty much the same thing via a similar function call).
> 
> If the key is missing, a placeholder gets created and /sbin/request-key
> is invoked to fill that placeholder with a proper key. The current
> request-key uses config files under /etc to determine how to handle the
> key request.
> 
> The key can then be properly constructed by the add_key sysctl (to write
> the payload to the key).
> 
> As far as I can tell, this could replace the sockets that are currently
> used in systemd, but not much more. All the information in the ask.
> files would still need to be conveyed separately (e.g. by still creating
> the ask. file and providing the path to the file as the callout_info
> in request_key).
> 
> I'm guessing you'd like the dbus API to be a higher-level API that
> userspace can use to get systemd to create the ask. file and call
> request_key()? Are there any advantages of that redirection over doing
> it straight away in the app?

I'd really like to drop the ask. files, too, and do that on the bus.

Some bus API, where clients that can't find the password they need in
the kernel keyring can ask for it in a nice way, which is then
dispatched to a number of agents, which will place the key in the
keyring and then notify the client about it.

This piece of infrastructure should probably also be able to persist
specific keys to disk, a bit like gnome-keyring, but much simpler
because it would only be a persistancy frontend for the kernel
keyring. It should then also do both system-level and user-level keyring
handling...

> Also, I guess this means that systemd would have to add a homegrown
> version of /sbin/request-key (external dependencies for early boot does
> not seem to be part of the systemd way of doing things)?

Well, yeah, I figure. I think the API is awful though. In this day and
age we really shouldn't have a kernel callout-to-userspace anymore, but
use something else, like some netlink event or so... But anyway we shuld
be able to hide this away sufficiently. The idea is that we would then
just make this stub binary drop the request on the bus and get nice
interactivity.

Hope this makes some sense.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] [RFC] Add binary password agent protocol

2014-07-14 Thread David Härdeman 
On Thu, Jul 03, 2014 at 01:41:43PM +0200, Lennart Poettering wrote:
>On Fri, 27.06.14 01:54, David Härdeman (da...@hardeman.nu) wrote:
>
>> Add binary string handling functions and extend the password agent
>> protocol to support binary strings (using "=" as a string prefix
>> instead of "+").
>
>I am feeling a bit uneasy about this one. I have the suspicion that the
>entire password logic should be changed around: we should never transfer
>the passwords in userspace, but use the kernel keyring for this. And the
>queries should probably be triggered via dbus (as soon as kdbus is done,
>and we can use dbus in early-boot). 
>
>THis all makes me want to stay away from this for now. The kernel
>keyring is binary-safe anyway, so half the problem goes away there. The
>kernel also already has a key request API iirc (though a weird one, from
>a cursory look), so we really should align ourselves a lot more with
>that.
>
>Sorry if this sounds disappointing, but I think the proper fix to get
>binary passwords done is the kernel keyring, not just polishing what we
>have right now.

No problem. Getting it right is part of the systemd philosophy...that
sometime takes longer

Anyhow, I've looked at the in-kernel keyring stuff before. Basically
userspace can request a key via a syscall (or in-kernel code can do
pretty much the same thing via a similar function call).

If the key is missing, a placeholder gets created and /sbin/request-key
is invoked to fill that placeholder with a proper key. The current
request-key uses config files under /etc to determine how to handle the
key request.

The key can then be properly constructed by the add_key sysctl (to write
the payload to the key).

As far as I can tell, this could replace the sockets that are currently
used in systemd, but not much more. All the information in the ask.
files would still need to be conveyed separately (e.g. by still creating
the ask. file and providing the path to the file as the callout_info
in request_key).

I'm guessing you'd like the dbus API to be a higher-level API that
userspace can use to get systemd to create the ask. file and call
request_key()? Are there any advantages of that redirection over doing
it straight away in the app?

Also, I guess this means that systemd would have to add a homegrown
version of /sbin/request-key (external dependencies for early boot does
not seem to be part of the systemd way of doing things)?

-- 
David Härdeman
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] [RFC] Add binary password agent protocol

2014-07-03 Thread Lennart Poettering 
On Fri, 27.06.14 01:54, David Härdeman (da...@hardeman.nu) wrote:

> Add binary string handling functions and extend the password agent
> protocol to support binary strings (using "=" as a string prefix
> instead of "+").

I am feeling a bit uneasy about this one. I have the suspicion that the
entire password logic should be changed around: we should never transfer
the passwords in userspace, but use the kernel keyring for this. And the
queries should probably be triggered via dbus (as soon as kdbus is done,
and we can use dbus in early-boot). 

THis all makes me want to stay away from this for now. The kernel
keyring is binary-safe anyway, so half the problem goes away there. The
kernel also already has a key request API iirc (though a weird one, from
a cursory look), so we really should align ourselves a lot more with
that.

Sorry if this sounds disappointing, but I think the proper fix to get
binary passwords done is the kernel keyring, not just polishing what we
have right now.

Sorry (in particular, because I didn't reply to your mail any more
quicker, but I was unsure about this whole thing myself...),

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] [RFC] Add binary password agent protocol

2014-06-26 Thread Filipe Brandenburger 
On Thu, Jun 26, 2014 at 4:54 PM, David Härdeman  wrote:
> Add binary string handling functions and extend the password agent
> protocol to support binary strings (using "=" as a string prefix
> instead of "+").

Please also add /test-bstrv to .gitignore.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] [PATCH] [RFC] Add binary password agent protocol

2014-06-26 Thread David Härdeman 
Add binary string handling functions and extend the password agent
protocol to support binary strings (using "=" as a string prefix
instead of "+").
---
 Makefile.am|9 +
 src/ask-password/ask-password.c|   33 +--
 src/cryptsetup/cryptsetup.c|   60 +++---
 src/shared/ask-password-api.c  |   58 +++---
 src/shared/ask-password-api.h  |7 -
 src/shared/bstrv.c |  194 
 src/shared/bstrv.h |   50 +
 src/test/test-bstrv.c  |  122 +
 .../tty-ask-password-agent.c   |   11 +
 9 files changed, 451 insertions(+), 93 deletions(-)
 create mode 100644 src/shared/bstrv.c
 create mode 100644 src/shared/bstrv.h
 create mode 100644 src/test/test-bstrv.c

diff --git a/Makefile.am b/Makefile.am
index e02dede..08705a4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -736,6 +736,8 @@ libsystemd_shared_la_SOURCES = \
src/shared/sleep-config.h \
src/shared/strv.c \
src/shared/strv.h \
+   src/shared/bstrv.c \
+   src/shared/bstrv.h \
src/shared/env-util.c \
src/shared/env-util.h \
src/shared/strbuf.c \
@@ -1219,6 +1221,7 @@ tests += \
test-env-replace \
test-strbuf \
test-strv \
+   test-bstrv \
test-path-util \
test-strxcpyx \
test-unit-name \
@@ -1584,6 +1587,12 @@ test_strv_LDADD = \
libsystemd-internal.la \
libsystemd-shared.la
 
+test_bstrv_SOURCES = \
+src/test/test-bstrv.c
+
+test_bstrv_LDADD = \
+libsystemd-shared.la
+
 test_path_util_SOURCES = \
src/test/test-path-util.c
 
diff --git a/src/ask-password/ask-password.c b/src/ask-password/ask-password.c
index 4d5690c..6a00ea8 100644
--- a/src/ask-password/ask-password.c
+++ b/src/ask-password/ask-password.c
@@ -39,6 +39,7 @@
 #include "macro.h"
 #include "util.h"
 #include "strv.h"
+#include "bstrv.h"
 #include "ask-password-api.h"
 #include "def.h"
 
@@ -147,6 +148,7 @@ static int parse_argv(int argc, char *argv[]) {
 int main(int argc, char *argv[]) {
 int r;
 usec_t timeout;
+_cleanup_bstrv_free_ bstr **passwords = NULL;
 
 log_parse_environment();
 log_open();
@@ -159,28 +161,19 @@ int main(int argc, char *argv[]) {
 else
 timeout = 0;
 
-if (arg_use_tty && isatty(STDIN_FILENO)) {
-char *password = NULL;
-
-if ((r = ask_password_tty(arg_message, timeout, NULL, 
&password)) >= 0) {
-puts(password);
-free(password);
-}
-
-} else {
-char **l;
-
-if ((r = ask_password_agent(arg_message, arg_icon, arg_id, 
timeout, arg_accept_cached, &l)) >= 0) {
-char **p;
-
-STRV_FOREACH(p, l) {
-puts(*p);
+if (arg_use_tty && isatty(STDIN_FILENO))
+r = ask_password_tty(arg_message, timeout, NULL, &passwords);
+else
+r = ask_password_agent(arg_message, arg_icon, arg_id, timeout, 
arg_accept_cached, &passwords);
 
-if (!arg_multiple)
-break;
-}
+if (r >= 0) {
+bstr **p;
 
-strv_free(l);
+BSTRV_FOREACH(p, passwords) {
+fwrite(bstr_data(*p), bstr_length(*p), 1, stdout);
+putchar('\n');
+if (!arg_multiple)
+break;
 }
 }
 
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index a67d85e..a0209e4 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -31,6 +31,7 @@
 #include "util.h"
 #include "path-util.h"
 #include "strv.h"
+#include "bstrv.h"
 #include "ask-password-api.h"
 #include "def.h"
 #include "libudev.h"
@@ -260,9 +261,8 @@ static char *disk_mount_point(const char *label) {
 return NULL;
 }
 
-static int get_password(const char *name, usec_t until, bool accept_cached, 
char ***passwords) {
+static int get_password(const char *name, usec_t until, bool accept_cached, 
bstr ***passwords) {
 int r;
-char **p;
 _cleanup_free_ char *text = NULL;
 _cleanup_free_ char *escaped_name = NULL;
 char *id;
@@ -286,9 +286,9 @@ static int get_password(const char *name, usec_t until, 
bool accept_cached, char
 }
 
 if (arg_verify) {
-_cleanup_strv_free_ char **passwords2 = NULL;
+_cleanup_bstrv_free_ bstr **passwords2 = NULL;
 
-assert(strv_length(*passwords) == 1);
+assert(bstrv_length(*passwords) == 1);