authorTimothy Pearson <kb9vqf@pearsoncomputing.net>2015-09-17 17:30:17 -0500
committerTimothy Pearson <kb9vqf@pearsoncomputing.net>2015-09-17 17:30:17 -0500
commitce477303019c7f3ba18dcab48e4205d59614ce5a (patch)
tree19e49c43c92ba12de306af4f92f3fda64d9e92b8 /tdm/cryptocardwatcher
parent5d20ad97bffa56b2e366989e71ac9429116c017d (diff)
downloadtdebase-ce477303019c7f3ba18dcab48e4205d59614ce5a.tar.gz
tdebase-ce477303019c7f3ba18dcab48e4205d59614ce5a.zip
Add initial cryptographic card login support
Tested with themed greeter and SAK disabled
Diffstat (limited to 'tdm/cryptocardwatcher')
-rw-r--r--tdm/cryptocardwatcher/CMakeLists.txt32
-rw-r--r--tdm/cryptocardwatcher/main.cpp139
-rw-r--r--tdm/cryptocardwatcher/watcher.cc86
-rw-r--r--tdm/cryptocardwatcher/watcher.h40
4 files changed, 297 insertions, 0 deletions
diff --git a/tdm/cryptocardwatcher/CMakeLists.txt b/tdm/cryptocardwatcher/CMakeLists.txt
new file mode 100644
index 000000000..7564ac2cf
--- /dev/null
+++ b/tdm/cryptocardwatcher/CMakeLists.txt
@@ -0,0 +1,32 @@
+#################################################
+#
+# (C) 2015 Timothy Pearson
+# kb9vqf (AT) pearsoncomputing.net
+#
+# Improvements and feedback are welcome
+#
+# This file is released under GPL >= 2
+#
+#################################################
+
+include_directories(
+ ${CMAKE_CURRENT_BINARY_DIR}
+ ${CMAKE_SOURCE_DIR}/tdmlib
+ ${TDE_INCLUDE_DIR}
+ ${TQT_INCLUDE_DIRS}
+)
+
+link_directories(
+ ${TQT_LIBRARY_DIRS}
+)
+
+
+##### tdecryptocardwatcher (executable) #########
+
+tde_add_executable( tdecryptocardwatcher AUTOMOC
+ SOURCES main.cpp watcher.cc
+ LINK tdecore-shared tdeio-shared dmctl-static
+ DESTINATION ${BIN_INSTALL_DIR}
+ SETUID
+)
+
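Review bot: The target is installed `SETUID` but nothing in main.cpp ever drops or re-checks privileges, and the binary links the full TDE application stack (tdecore, tdeio, TDEApplication) which reads environment variables and per-user config from the invoking user — a large surface for a privileged executable. If elevated rights are needed only for one step (presumably the lock file under /var/lock or the reserve-display request to TDM — confirm), drop to the real uid right after that step, or install without `SETUID` and have TDM start the watcher as a system service instead. At minimum record the reason in the target, e.g. `# SETUID: required for ... (see main.cpp)`, so the next reviewer can judge whether it is still needed.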
diff --git a/tdm/cryptocardwatcher/main.cpp b/tdm/cryptocardwatcher/main.cpp
new file mode 100644
index 000000000..5d27ff19b
--- /dev/null
+++ b/tdm/cryptocardwatcher/main.cpp
@@ -0,0 +1,139 @@
+/*
+ * Copyright 2015 Timothy Pearson <kb9vqf@pearsoncomputing.net>
+ *
+ * This file is part of cryptocardwatcher, the TDE Cryptographic Card Session Monitor
+ *
+ * cryptocardwatcher is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, either version 3
+ * of the License, or (at your option) any later version.
+ *
+ * cryptocardwatcher is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public
+ * License along with cryptocardwatcher. If not, see http://www.gnu.org/licenses/.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <exception>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <sys/file.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/select.h>
+#include <sys/time.h>
+#include <termios.h>
+#include <signal.h>
+#include <stdint.h>
+
+#include <tqobject.h>
+
+#include <tdeapplication.h>
+#include <tdecmdlineargs.h>
+
+#include <ksslcertificate.h>
+
+#include <tdehardwaredevices.h>
+#include <tdecryptographiccarddevice.h>
+
+#include "watcher.h"
+
+int lockfd = -1;
+char lockFileName[256];
+
+// --------------------------------------------------------------------------------------
+// Useful function from Stack Overflow
+// http://stackoverflow.com/questions/1599459/optimal-lock-file-method
+// --------------------------------------------------------------------------------------
+int tryGetLock(char const *lockName) {
+ mode_t m = umask( 0 );
+ int fd = open( lockName, O_RDWR|O_CREAT, 0666 );
+ umask( m );
+ if( fd >= 0 && flock( fd, LOCK_EX | LOCK_NB ) < 0 ) {
+ close( fd );
+ fd = -1;
+ }
+ return fd;
+}
+// --------------------------------------------------------------------------------------
+
+// --------------------------------------------------------------------------------------
+// Useful function from Stack Overflow
+// http://stackoverflow.com/questions/1599459/optimal-lock-file-method
+// --------------------------------------------------------------------------------------
+void releaseLock(int fd, char const *lockName) {
+ if( fd < 0 ) {
+ return;
+ }
+ remove( lockName );
+ close( fd );
+}
+// --------------------------------------------------------------------------------------
+
+void handle_sigterm(int signum) {
+ if (lockfd >= 0) {
+ releaseLock(lockfd, lockFileName);
+ }
+ exit(0);
+}
+
+static TDECmdLineOptions options[] =
+{
+ TDECmdLineLastOption
+};
+
+int main(int argc, char *argv[]) {
+ int ret = -1;
+
+ // Register cleanup handlers
+ struct sigaction action;
+ memset(&action, 0, sizeof(struct sigaction));
+ action.sa_handler = handle_sigterm;
+ sigaction(SIGTERM, &action, NULL);
+
+ // Ensure only one process is running
+ sprintf(lockFileName, "/var/lock/cryptocardwatcher.lock");
+ lockfd = tryGetLock(lockFileName);
+ if (lockfd < 0) {
+ printf ("[cryptocardwatcher] Another instance of this program is already running!\n[cryptocardwatcher] Lockfile detected at '%s'\n", lockFileName);
+ return -2;
+ }
+
+ // Parse command line arguments
+ TDECmdLineArgs::init(argc, argv, "cryptocardwatcher", "cryptocardwatcher", "TDE Cryptographic Card Session Monitor", "0.1");
+ TDECmdLineArgs::addCmdLineOptions(options);
+ TDEApplication::addCmdLineOptions();
+
+ // Initialize TDE application
+ TDEApplication tdeapp(false, false);
+ tdeapp.disableAutoDcopRegistration();
+ CardWatcher* watcher = new CardWatcher();
+
+ // Initialize SmartCard readers
+ TDEGenericDevice *hwdevice;
+ TDEHardwareDevices *hwdevices = TDEGlobal::hardwareDevices();
+ TDEGenericHardwareList cardReaderList = hwdevices->listByDeviceClass(TDEGenericDeviceType::CryptographicCard);
+ for (hwdevice = cardReaderList.first(); hwdevice; hwdevice = cardReaderList.next()) {
+ TDECryptographicCardDevice* cdevice = static_cast<TDECryptographicCardDevice*>(hwdevice);
+ TQObject::connect(cdevice, TQT_SIGNAL(cardInserted(TDECryptographicCardDevice*)), watcher, TQT_SLOT(cryptographicCardInserted(TDECryptographicCardDevice*)));
+ TQObject::connect(cdevice, TQT_SIGNAL(cardRemoved(TDECryptographicCardDevice*)), watcher, TQT_SLOT(cryptographicCardRemoved(TDECryptographicCardDevice*)));
+ cdevice->enableCardMonitoring(true);
+ }
+
+ // Start TDE application
+ ret = tdeapp.exec();
+
+ // Clean up
+ delete watcher;
+
+ releaseLock(lockfd, lockFileName);
+ return ret;
+}
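Review bot: tryGetLock creates `/var/lock/cryptocardwatcher.lock` with `open(lockName, O_RDWR|O_CREAT, 0666)` under a forced `umask(0)`, so the lock file is world-writable and any local user can take the flock first and keep every later instance from starting (`lockfd < 0` returns -2); since the binary is installed SETUID and /var/lock is normally world-writable, the open also follows a symlink planted at that path. Replace the umask(0)/open/umask(m) triple with `int fd = open(lockName, O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC, 0644);` and keep the process umask untouched. Separately, handle_sigterm calls remove() and exit() from a signal handler; neither is async-signal-safe, whereas `unlink()` and `_exit()` are.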
diff --git a/tdm/cryptocardwatcher/watcher.cc b/tdm/cryptocardwatcher/watcher.cc
new file mode 100644
index 000000000..e25821183
--- /dev/null
+++ b/tdm/cryptocardwatcher/watcher.cc
@@ -0,0 +1,86 @@
+/*
+ * Copyright 2015 Timothy Pearson <kb9vqf@pearsoncomputing.net>
+ *
+ * This file is part of cryptocardwatcher, the TDE Cryptographic Card Session Monitor
+ *
+ * cryptocardwatcher is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, either version 3
+ * of the License, or (at your option) any later version.
+ *
+ * cryptocardwatcher is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public
+ * License along with cryptocardwatcher. If not, see http://www.gnu.org/licenses/.
+ */
+
+#include "watcher.h"
+
+#include <ksslcertificate.h>
+
+#include <tdehardwaredevices.h>
+#include <tdecryptographiccarddevice.h>
+
+#include <dmctl.h>
+#include <kuser.h>
+
+CardWatcher::CardWatcher() : TQObject() {
+ //
+}
+
+CardWatcher::~CardWatcher() {
+ //
+}
+
+void CardWatcher::cryptographicCardInserted(TDECryptographicCardDevice* cdevice) {
+ TQString login_name = TQString::null;
+ X509CertificatePtrList certList = cdevice->cardX509Certificates();
+ if (certList.count() > 0) {
+ KSSLCertificate* card_cert = NULL;
+ card_cert = KSSLCertificate::fromX509(certList[0]);
+ TQStringList cert_subject_parts = TQStringList::split("/", card_cert->getSubject(), false);
+ for (TQStringList::Iterator it = cert_subject_parts.begin(); it != cert_subject_parts.end(); ++it ) {
+ TQString lcpart = (*it).lower();
+ if (lcpart.startsWith("cn=")) {
+ login_name = lcpart.right(lcpart.length() - strlen("cn="));
+ }
+ }
+ delete card_cert;
+ }
+
+ if (login_name != "") {
+ // Determine if user already has an active session
+ DM dm;
+ SessList sess;
+ bool user_active = false;
+ if (dm.localSessions(sess)) {
+ TQString user, loc;
+ for (SessList::ConstIterator it = sess.begin(); it != sess.end(); ++it) {
+ DM::sess2Str2(*it, user, loc);
+ if (user.startsWith(login_name + ": ")) {
+ // Found active session
+ user_active = true;
+ }
+ if (user == "Unused") {
+ if ((*it).vt == dm.activeVT()) {
+ // Found active unused session
+ user_active = true;
+ }
+ }
+ }
+ }
+ if (!user_active) {
+ // Activate new VT
+ DM().startReserve();
+ }
+ }
+}
+
+void CardWatcher::cryptographicCardRemoved(TDECryptographicCardDevice* cdevice) {
+ //
+}
+
+#include "watcher.moc" \ No newline at end of file
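Review bot: `KSSLCertificate::fromX509(certList[0])` can return NULL (it does at least when TDE is built without SSL support) and the next line dereferences it unconditionally via `card_cert->getSubject()`, so a card whose first certificate cannot be wrapped crashes the watcher. The subject part is also lowercased before the CN value is extracted, so `user.startsWith(login_name + ": ")` never matches a session whose login name contains uppercase letters and a spurious reserve display is started; lowercase only for the `cn=` prefix test and keep the value's case. The CN is taken from whichever certificate is first on the card with no validation, which is tolerable here only because it decides whether to start a greeter rather than authenticating anyone — that deserves a comment so nobody later reuses `login_name` for authorization.
```cpp
	X509CertificatePtrList certList = cdevice->cardX509Certificates();
	if (certList.count() > 0) {
		// The CN is only used to look up an existing session; the card is not
		// authenticated here, the greeter does that.
		KSSLCertificate* card_cert = KSSLCertificate::fromX509(certList[0]);
		if (card_cert) {
			TQStringList cert_subject_parts = TQStringList::split("/", card_cert->getSubject(), false);
			for (TQStringList::Iterator it = cert_subject_parts.begin(); it != cert_subject_parts.end(); ++it ) {
				// Match the attribute type case-insensitively, keep the value as-is
				if ((*it).lower().startsWith("cn=")) {
					login_name = (*it).mid(strlen("cn="));
				}
			}
			delete card_cert;
		}
	}
	// … unchanged: session lookup and DM().startReserve() …
```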
diff --git a/tdm/cryptocardwatcher/watcher.h b/tdm/cryptocardwatcher/watcher.h
new file mode 100644
index 000000000..bfbb010a0
--- /dev/null
+++ b/tdm/cryptocardwatcher/watcher.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2015 Timothy Pearson <kb9vqf@pearsoncomputing.net>
+ *
+ * This file is part of cryptocardwatcher, the TDE Cryptographic Card Session Monitor
+ *
+ * cryptocardwatcher is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, either version 3
+ * of the License, or (at your option) any later version.
+ *
+ * cryptocardwatcher is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public
+ * License along with cryptocardwatcher. If not, see http://www.gnu.org/licenses/.
+ */
+
+#ifndef __TDECRYPTOCARDWATCHER_H__
+#define __TDECRYPTOCARDWATCHER_H__
+
+#include <tqobject.h>
+
+class TDECryptographicCardDevice;
+
+class CardWatcher : public TQObject
+{
+ Q_OBJECT
+
+ public:
+ CardWatcher();
+ ~CardWatcher();
+
+ public slots:
+ void cryptographicCardInserted(TDECryptographicCardDevice*);
+ void cryptographicCardRemoved(TDECryptographicCardDevice*);
+};
+
+#endif // __TDECRYPTOCARDWATCHER_H__ \ No newline at end of file
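Review bot: The include guard `__TDECRYPTOCARDWATCHER_H__` uses a leading double underscore, an identifier form C++ reserves for the implementation; `TDECRYPTOCARDWATCHER_H` avoids the clash. The class itself carries no documentation; a comment above it such as `// Receives insert/remove events from every cryptographic card reader and starts a reserve TDM display when the card owner has no active session` would tell readers what the two slots are for. cryptographicCardRemoved is declared here but is an empty stub in watcher.cc, so a `// TODO` stating the intended behaviour on card removal, if any is planned, would keep that from looking like an oversight.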