shithub: tlsclient

Download patch

ref: dce45f38c8308048d849ede9128a8656e6b2889d
parent: d253ae959d6c505d4a93a981ea097bf7b89442a1
author: Jacob Moody <[email protected]>
date: Sat Sep 4 15:06:56 EDT 2021

add login_-dp9ik

--- a/Make.config
+++ b/Make.config
@@ -1,9 +1,12 @@
 AR=ar
 RANLIB=ranlib
-CC=gcc
 CFLAGS=-Wall -Wno-missing-braces -Wno-parentheses -ggdb -I$(ROOT) -I$(ROOT)/include -c -D_THREAD_SAFE -O2 -fPIC
 O=o
 LDADD=
 TARG=tlsclient
+
+# For OpenBSD switch these two following lines
+OPENSSL=openssl
+#OPENSSL=eopnssl11
 
 all: default
--- a/Makefile
+++ b/Makefile
@@ -12,13 +12,16 @@
 
 default: $(TARG)
 $(TARG): $(LIBS) $(OFILES)
-	$(CC) `pkg-config openssl --libs` $(LDFLAGS) -o $(TARG) $(OFILES) $(LIBS) $(LDADD)
+	$(CC) `pkg-config $(OPENSSL) --libs` $(LDFLAGS) -o $(TARG) $(OFILES) $(LIBS) $(LDADD)
 
+login_-dp9ik: $(LIBS) p9any.$O bsd.$O
+	$(CC) -o login_-dp9ik p9any.$O bsd.$O $(LIBS)
+
 pam_p9.so: $(LIBS) p9any.$O pam.$O
 	$(CC) -shared -o pam_p9.so p9any.$O pam.$O $(LIBS)
 
 cpu.$O: cpu.c
-	$(CC) `pkg-config openssl --cflags` $(CFLAGS) cpu.c -o cpu.o
+	$(CC) `pkg-config $(OPENSSL) --cflags` $(CFLAGS) cpu.c -o cpu.o
 
 p9any.$O: p9any.c
 	$(CC) $(CFLAGS) p9any.c -o p9any.o
@@ -26,9 +29,12 @@
 pam.$O: pam.c
 	$(CC) $(CFLAGS) pam.c -o pam.o
 
+bsd.$O: bsd.c
+	$(CC) $(CFLAGS) bsd.c -o bsd.o
+
 .PHONY: clean
 clean:
-	rm -f *.o */*.o */*.a *.a $(TARG) pam_p9.so
+	rm -f *.o */*.o */*.a *.a $(TARG) pam_p9.so login_-dp9ik
 
 .PHONY: libauthsrv/libauthsrv.a
 libauthsrv/libauthsrv.a:
--- a/README
+++ b/README
@@ -5,6 +5,7 @@
 	tlsclient: tlsclient(1) on unix
 	git-remote-hjgit: git remote helper for using hjgit repos.
 	pam_p9.so: A pam module that authenticates against a 9front auth server.
+	login_-dp9ik: An OpenBSD bsd auth executable that auths against a 9front auth server.
 
 Most of the tlsclient code is pillaged from jsdrawterm: https://github.com/aiju/jsdrawterm
 The main difference between tlsclient and drawterm is that tlsclient has stripped out the
@@ -20,3 +21,7 @@
 
 	# with git-remote-hjgit in your $PATH
 	git clone hjgit://shithub.us/user/repo
+
+OpenBSD:
+	OpenBSD uses LibreSSL in place of OpenSSL. Unfortunately LibreSSL does
+	have all we need. Tweak Make.config as needed.
--- /dev/null
+++ b/bsd.c
@@ -1,0 +1,143 @@
+#include <sys/types.h>
+#include <sys/resource.h>
+
+#include <errno.h>
+#include <pwd.h>
+#include <readpassphrase.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+#include <unistd.h>
+#include <util.h>
+#include <login_cap.h>
+
+#undef login
+
+#include <u.h>
+#include <args.h>
+#include <libc.h>
+#include <auth.h>
+#include <authsrv.h>
+#include <libsec.h>
+
+#include "fncs.h"
+
+char *authserver;
+
+int
+main(int argc, char *argv[])
+{
+	FILE *back = NULL;
+	char *class = NULL, *username = NULL, *wheel = NULL;
+	char response[1024], pbuf[1024], *pass = "";
+	int ch, mode = 0, lastchance = 0, fd = -1;
+	AuthInfo *ai;
+
+	(void)signal(SIGQUIT, SIG_IGN);
+	(void)signal(SIGINT, SIG_IGN);
+	(void)setpriority(PRIO_PROCESS, 0, 0);
+
+	openlog(NULL, LOG_ODELAY, LOG_AUTH);
+
+	while ((ch = getopt(argc, argv, "ds:v:")) != -1) {
+		switch (ch) {
+		case 'd':
+			back = stdout;
+			break;
+		case 's':	/* service */
+			if (strcmp(optarg, "login") == 0)
+				mode = 0;
+			else if (strcmp(optarg, "challenge") == 0)
+				mode = 1;
+			else if (strcmp(optarg, "response") == 0)
+				mode = 2;
+			else {
+				syslog(LOG_ERR, "%s: invalid service", optarg);
+				exit(1);
+			}
+			break;
+		case 'v':
+			if (strncmp(optarg, "wheel=", 6) == 0)
+				wheel = optarg + 6;
+			else if (strncmp(optarg, "lastchance=", 11) == 0)
+				lastchance = (strcmp(optarg + 11, "yes") == 0);
+			else if (strncmp(optarg, "authserver=", 11) == 0)
+				authserver = optarg + 11;
+			break;
+		default:
+			syslog(LOG_ERR, "usage error");
+			exit(1);
+		}
+	}
+
+	switch (argc - optind) {
+	case 2:
+		class = argv[optind + 1];
+		/* FALLTHROUGH */
+	case 1:
+		username = argv[optind];
+		break;
+	default:
+		syslog(LOG_ERR, "usage error");
+		exit(1);
+	}
+
+	if (back == NULL && (back = fdopen(3, "r+")) == NULL) {
+		syslog(LOG_ERR, "reopening back channel: %m");
+		exit(1);
+	}
+	if (wheel != NULL && strcmp(wheel, "yes") != 0) {
+		fprintf(back, BI_VALUE " errormsg %s\n",
+		    "you are not in group wheel");
+		fprintf(back, BI_REJECT "\n");
+		exit(1);
+	}
+
+	if (mode == 1) {
+		fprintf(back, BI_SILENT "\n");
+		exit(0);
+	}
+
+	(void)setpriority(PRIO_PROCESS, 0, -4);
+
+	if (mode == 2) {
+		mode = 0;
+		ch = -1;
+		while (++ch < sizeof(response) &&
+		    read(3, &response[ch], 1) == 1) {
+			if (response[ch] == '\0' && ++mode == 2)
+				break;
+			if (response[ch] == '\0' && mode == 1)
+				pass = response + ch + 1;
+		}
+		if (mode < 2) {
+			syslog(LOG_ERR, "protocol error on back channel");
+			exit(1);
+		}
+	} else {
+		pass = readpassphrase("Password:", pbuf, sizeof(pbuf),
+		    RPP_ECHO_OFF);
+	}
+
+	if (pass == NULL){
+		fprintf(back, BI_REJECT "\n");
+		exit(1);
+	}
+
+	fd = unix_dial(authserver, "17019");
+	if(fd < 0){
+		fprintf(back, BI_REJECT "\n");
+		exit(1);
+	}
+
+	ai = p9any(username, pass, fd);
+	if(ai == nil){
+		fprintf(back, BI_REJECT "\n");
+		exit(1);
+	}
+
+	fprintf(back, BI_AUTH "\n");
+	exit(0);
+}
--- a/include/auth.h
+++ b/include/auth.h
@@ -91,8 +91,6 @@
 extern	int	noworld(char*);
 extern	int	amount(int, char*, int, char*);
 
-extern	int	login(char*, char*, char*);
-
 typedef struct Attr Attr;
 enum {
 	AttrNameval,		/* name=val -- when matching, must have name=val */