diff options
| author | Martin Willi <martin@revosec.ch> | 2010-07-16 12:17:21 +0200 |
|---|---|---|
| committer | Martin Willi <martin@revosec.ch> | 2010-08-04 09:26:20 +0200 |
| commit | 57522106c4bd1dbf233befb6bf572d391cfe35ae (patch) | |
| tree | df88f09fb67d069de3b3acefaf65b32dae32849d /src/libcharon/plugins | |
| parent | a0bdd5d63e81c11ab367364e703a536c4c20cc00 (diff) | |
| download | strongswan-57522106c4bd1dbf233befb6bf572d391cfe35ae.tar.bz2 strongswan-57522106c4bd1dbf233befb6bf572d391cfe35ae.tar.xz | |
%prompt support for smartcard PIN via "ipsec secrets"
Diffstat (limited to 'src/libcharon/plugins')
| -rw-r--r-- | src/libcharon/plugins/stroke/stroke_cred.c | 123 |
1 files changed, 95 insertions, 28 deletions
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c index 6f59dbee6..1b089dfe4 100644 --- a/src/libcharon/plugins/stroke/stroke_cred.c +++ b/src/libcharon/plugins/stroke/stroke_cred.c @@ -679,7 +679,7 @@ typedef struct { } passphrase_cb_data_t; /** - * Passphrase callback to read from whack fd + * Passphrase callback to read from stroke fd */ chunk_t passphrase_cb(passphrase_cb_data_t *data, int try) { @@ -711,6 +711,31 @@ chunk_t passphrase_cb(passphrase_cb_data_t *data, int try) } /** + * Smartcard PIN callback to read from stroke fd + */ +chunk_t smartcard_cb(passphrase_cb_data_t *data, int try) +{ + chunk_t secret = chunk_empty;; + + if (try != 1) + { + fprintf(data->prompt, "invalid passphrase, aborting\n"); + return chunk_empty; + } + fprintf(data->prompt, "Login to '%s' required\n", data->file); + fprintf(data->prompt, "Passphrase:\n"); + if (fgets(data->buf, sizeof(data->buf), data->prompt)) + { + secret = chunk_create(data->buf, strlen(data->buf)); + if (secret.len) + { /* trim appended \n */ + secret.len--; + } + } + return secret; +} + +/** * reload ipsec.secrets */ static void load_secrets(private_stroke_cred_t *this, char *file, int level, @@ -898,10 +923,10 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level, { if (prompt) { - passphrase_cb_data_t data; - - data.prompt = prompt; - data.file = path; + passphrase_cb_data_t data = { + .prompt = prompt, + .file = path, + }; key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type, BUILD_FROM_FILE, path, BUILD_PASSPHRASE_CALLBACK, @@ -930,7 +955,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level, { chunk_t sc = chunk_empty, secret = chunk_empty; char smartcard[64], keyid[64], module[64], *pos; - private_key_t *key; + private_key_t *key = NULL; u_int slot; chunk_t chunk; enum { @@ -1000,29 +1025,71 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level, } chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL); - switch (format) + + if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7)) { - case SC_FORMAT_SLOT_MODULE_KEYID: - key = lib->creds->create(lib->creds, - CRED_PRIVATE_KEY, KEY_ANY, - BUILD_PKCS11_SLOT, slot, - BUILD_PKCS11_MODULE, module, - BUILD_PKCS11_KEYID, chunk, - BUILD_PASSPHRASE, secret, BUILD_END); - break; - case SC_FORMAT_SLOT_KEYID: - key = lib->creds->create(lib->creds, - CRED_PRIVATE_KEY, KEY_ANY, - BUILD_PKCS11_SLOT, slot, - BUILD_PKCS11_KEYID, chunk, - BUILD_PASSPHRASE, secret, BUILD_END); - break; - case SC_FORMAT_KEYID: - key = lib->creds->create(lib->creds, - CRED_PRIVATE_KEY, KEY_ANY, - BUILD_PKCS11_KEYID, chunk, - BUILD_PASSPHRASE, secret, BUILD_END); - break; + if (prompt) + { + passphrase_cb_data_t data = { + .prompt = prompt, + .file = smartcard, + }; + + switch (format) + { + case SC_FORMAT_SLOT_MODULE_KEYID: + key = lib->creds->create(lib->creds, + CRED_PRIVATE_KEY, KEY_ANY, + BUILD_PKCS11_SLOT, slot, + BUILD_PKCS11_MODULE, module, + BUILD_PKCS11_KEYID, chunk, + BUILD_PASSPHRASE_CALLBACK, + smartcard_cb, &data, BUILD_END); + break; + case SC_FORMAT_SLOT_KEYID: + key = lib->creds->create(lib->creds, + CRED_PRIVATE_KEY, KEY_ANY, + BUILD_PKCS11_SLOT, slot, + BUILD_PKCS11_KEYID, chunk, + BUILD_PASSPHRASE_CALLBACK, + smartcard_cb, &data, BUILD_END); + break; + case SC_FORMAT_KEYID: + key = lib->creds->create(lib->creds, + CRED_PRIVATE_KEY, KEY_ANY, + BUILD_PKCS11_KEYID, chunk, + BUILD_PASSPHRASE_CALLBACK, + smartcard_cb, &data, BUILD_END); + break; + } + } + } + else + { + switch (format) + { + case SC_FORMAT_SLOT_MODULE_KEYID: + key = lib->creds->create(lib->creds, + CRED_PRIVATE_KEY, KEY_ANY, + BUILD_PKCS11_SLOT, slot, + BUILD_PKCS11_MODULE, module, + BUILD_PKCS11_KEYID, chunk, + BUILD_PASSPHRASE, secret, BUILD_END); + break; + case SC_FORMAT_SLOT_KEYID: + key = lib->creds->create(lib->creds, + CRED_PRIVATE_KEY, KEY_ANY, + BUILD_PKCS11_SLOT, slot, + BUILD_PKCS11_KEYID, chunk, + BUILD_PASSPHRASE, secret, BUILD_END); + break; + case SC_FORMAT_KEYID: + key = lib->creds->create(lib->creds, + CRED_PRIVATE_KEY, KEY_ANY, + BUILD_PKCS11_KEYID, chunk, + BUILD_PASSPHRASE, secret, BUILD_END); + break; + } } free(chunk.ptr); if (key) |