upstream/openvpn
1
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn.git synced 2026-05-28 04:03:29 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Pass environment needed for systemd-ask-pass

Browse source 
systemd-ask-pass allows the pin to be provided by the
systemd-credentials mechanism, but that requires the environment
variable $CREDENTIALS_DIRECTORY to be set. Openvpn when launched
by systemd does have this environment variable available, but it
doesn't pass it through to systemd-ask-pass meaning that
systemd-ask-pass is unable to load the pin from
systemd-credentials.

This change passes the $CREDENTIALS_DIRECTORY environment variable
to the execed systemd-ask-pass invocation so that
systemd-credentials can be used for non-interactive pin entry.

Signed-off-by: William <william@blackhats.net.au>
This commit is contained in:
William 2024-10-22 12:50:30 +10:00
parent 8ae409ad72
commit 976c357499
1 changed files with 25 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
src/openvpn/console_systemd.c
View file

@ -61,6 +61,9 @@ get_console_input_systemd(const char *prompt, const bool echo, char *input, cons
int std_out;
bool ret = false;
struct argv argv = argv_new();
char credentials_directory[128] = {0};
char *env_credentials_directory = NULL;
struct env_set *es = env_set_create(NULL);
argv_printf(&argv, SYSTEMD_ASK_PASSWORD_PATH);
#ifdef SYSTEMD_NEWER_THAN_216
@ -73,7 +76,28 @@ get_console_input_systemd(const char *prompt, const bool echo, char *input, cons
argv_printf_cat(&argv, "--icon network-vpn");
argv_printf_cat(&argv, "%s", prompt);
if ((std_out = openvpn_popen(&argv, NULL)) < 0)
/*
* It seems counter intuitive, but we need to get CREDENTIALS_DIRECTORY directly from getenv.
* This is because during a pkcs11 load, we don't have a way to pass our envp pointer to this
* function as the caller is in a pkcs11 callback without that context.
*
* If we don't pass CREDENTIALS_DIRECTORY down to systemd-ask-pass, it can not automatically
* fill the credential from the systemd-credentials. For more see:
*
* https://www.freedesktop.org/software/systemd/man/latest/systemd-ask-password.html#--credential=
*/
env_credentials_directory = getenv("CREDENTIALS_DIRECTORY");
if (env_credentials_directory)
{
openvpn_snprintf(credentials_directory, sizeof(credentials_directory), "CREDENTIALS_DIRECTORY=%s", env_credentials_directory);
env_set_add(es, credentials_directory);
}
std_out = openvpn_popen(&argv, es);
env_set_destroy(es);
if (std_out < 0)
{
return false;
}