diff options
| -rw-r--r-- | src/libcharon/plugins/stroke/stroke_cred.c | 100 | ||||
| -rw-r--r-- | src/libstrongswan/Android.mk | 1 | ||||
| -rw-r--r-- | src/libstrongswan/Makefile.am | 1 | ||||
| -rw-r--r-- | src/libstrongswan/credentials/sets/callback_cred.c | 141 | ||||
| -rw-r--r-- | src/libstrongswan/credentials/sets/callback_cred.h | 65 | ||||
| -rw-r--r-- | src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c | 58 |
6 files changed, 268 insertions, 98 deletions
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c index 3749bbdcc..e5718e583 100644 --- a/src/libcharon/plugins/stroke/stroke_cred.c +++ b/src/libcharon/plugins/stroke/stroke_cred.c @@ -30,6 +30,7 @@ #include <credentials/certificates/x509.h> #include <credentials/certificates/crl.h> #include <credentials/certificates/ac.h> +#include <credentials/sets/mem_cred.h> #include <utils/linked_list.h> #include <utils/lexparser.h> #include <threading/rwlock.h> @@ -751,6 +752,10 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr, private_key_t *key = NULL; u_int slot; chunk_t chunk; + shared_key_t *shared; + identification_t *id; + mem_cred_t *mem; + callback_set_t *cb; enum { SC_FORMAT_SLOT_MODULE_KEYID, SC_FORMAT_SLOT_KEYID, @@ -816,81 +821,54 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr, DBG1(DBG_CFG, "line %d: malformed PIN: %s", line_nr, ugh); return FALSE; } - - chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL); - if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7)) { if (prompt) { passphrase_cb_data_t data = { .prompt = prompt, - .file = smartcard, + .file = path, }; - switch (format) - { - case SC_FORMAT_SLOT_MODULE_KEYID: - key = lib->creds->create(lib->creds, - CRED_PRIVATE_KEY, KEY_ANY, - BUILD_PKCS11_SLOT, slot, - BUILD_PKCS11_MODULE, module, - BUILD_PKCS11_KEYID, chunk, - BUILD_PASSPHRASE_CALLBACK, - smartcard_cb, &data, BUILD_END); - break; - case SC_FORMAT_SLOT_KEYID: - key = lib->creds->create(lib->creds, - CRED_PRIVATE_KEY, KEY_ANY, - BUILD_PKCS11_SLOT, slot, - BUILD_PKCS11_KEYID, chunk, - BUILD_PASSPHRASE_CALLBACK, - smartcard_cb, &data, BUILD_END); - break; - case SC_FORMAT_KEYID: - key = lib->creds->create(lib->creds, - CRED_PRIVATE_KEY, KEY_ANY, - BUILD_PKCS11_KEYID, chunk, - BUILD_PASSPHRASE_CALLBACK, - smartcard_cb, &data, BUILD_END); - break; - } - } - } - else - { - switch (format) - { - case SC_FORMAT_SLOT_MODULE_KEYID: - key = lib->creds->create(lib->creds, - CRED_PRIVATE_KEY, KEY_ANY, - BUILD_PKCS11_SLOT, slot, - BUILD_PKCS11_MODULE, module, - BUILD_PKCS11_KEYID, chunk, - BUILD_PASSPHRASE, secret, BUILD_END); - break; - case SC_FORMAT_SLOT_KEYID: - key = lib->creds->create(lib->creds, - CRED_PRIVATE_KEY, KEY_ANY, - BUILD_PKCS11_SLOT, slot, - BUILD_PKCS11_KEYID, chunk, - BUILD_PASSPHRASE, secret, BUILD_END); - break; - case SC_FORMAT_KEYID: - key = lib->creds->create(lib->creds, - CRED_PRIVATE_KEY, KEY_ANY, - BUILD_PKCS11_KEYID, chunk, - BUILD_PASSPHRASE, secret, BUILD_END); - break; - } + /* provide our pin in a temporary credential set */ + shared = shared_key_create(SHARED_PIN, secret); + chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL); + id = identification_create_from_encoding(ID_KEY_ID, chunk); + set = mem_cred_create(); + set->add_shared(set, shared, id, NULL); + lib->credmgr->add_local_set(lib->credmgr, &set->set); + /* unlock: smartcard needs the pin and potentially calls public set */ + this->lock->unlock(this->lock); + switch (format) + { + case SC_FORMAT_SLOT_MODULE_KEYID: + key = lib->creds->create(lib->creds, + CRED_PRIVATE_KEY, KEY_ANY, + BUILD_PKCS11_SLOT, slot, + BUILD_PKCS11_MODULE, module, + BUILD_PKCS11_KEYID, chunk, BUILD_END); + break; + case SC_FORMAT_SLOT_KEYID: + key = lib->creds->create(lib->creds, + CRED_PRIVATE_KEY, KEY_ANY, + BUILD_PKCS11_SLOT, slot, + BUILD_PKCS11_KEYID, chunk, BUILD_END); + break; + case SC_FORMAT_KEYID: + key = lib->creds->create(lib->creds, + CRED_PRIVATE_KEY, KEY_ANY, + BUILD_PKCS11_KEYID, chunk, BUILD_END); + break; } - free(chunk.ptr); + this->lock->write_lock(this->lock); + lib->credmgr->remove_local_set(lib->credmgr, &set->set); + set->destroy(set); + if (key) { DBG1(DBG_CFG, " loaded private key from %.*s", sc.len, sc.ptr); this->private->insert_last(this->private, key); } - chunk_clear(&secret); return TRUE; } diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk index cce17569a..c39ff882c 100644 --- a/src/libstrongswan/Android.mk +++ b/src/libstrongswan/Android.mk @@ -44,6 +44,7 @@ credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \ credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \ credentials/sets/cert_cache.c credentials/sets/cert_cache.h \ credentials/sets/mem_cred.c credentials/sets/mem_cred.h \ +credentials/sets/callback_cred.c credentials/sets/callback_cred.h \ credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \ credentials/cert_validator.h \ database/database.h database/database_factory.h database/database_factory.c \ diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index 0c7e1ff9d..ce11a6ef2 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -42,6 +42,7 @@ credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \ credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \ credentials/sets/cert_cache.c credentials/sets/cert_cache.h \ credentials/sets/mem_cred.c credentials/sets/mem_cred.h \ +credentials/sets/callback_cred.c credentials/sets/callback_cred.h \ credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \ credentials/cert_validator.h \ database/database.h database/database_factory.h database/database_factory.c \ diff --git a/src/libstrongswan/credentials/sets/callback_cred.c b/src/libstrongswan/credentials/sets/callback_cred.c new file mode 100644 index 000000000..87a0789d3 --- /dev/null +++ b/src/libstrongswan/credentials/sets/callback_cred.c @@ -0,0 +1,141 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "callback_cred.h" + +typedef struct private_callback_cred_t private_callback_cred_t; + +/** + * Private data of an callback_cred_t object. + */ +struct private_callback_cred_t { + + /** + * Public callback_cred_t interface. + */ + callback_cred_t public; + + /** + * Callback of this set, for all types, and generic + */ + union { + void *generic; + callback_cred_shared_cb_t shared; + } cb; + + /** + * Data to pass to callback + */ + void *data; +}; + +/** + * Shared key enumerator on callbacks + */ +typedef struct { + /* implements enumerator_t */ + enumerator_t public; + /* backref to this */ + private_callback_cred_t *this; + /* own identity to match */ + identification_t *me; + /* other identity to match */ + identification_t *other; + /* current shared key */ + shared_key_t *current; +} shared_enumerator_t; + +METHOD(enumerator_t, shared_enumerate, bool, + shared_enumerator_t *this, shared_key_t **out, + id_match_t *match_me, id_match_t *match_other) +{ + DESTROY_IF(this->current); + this->current = this->this->cb.shared(this->this->data, + this->me, this->other, match_me, match_other); + if (this->current) + { + *out = this->current; + return TRUE; + } + return FALSE; +} + +METHOD(enumerator_t, shared_destroy, void, + shared_enumerator_t *this) +{ + DESTROY_IF(this->current); + free(this); +} + +METHOD(credential_set_t, create_shared_enumerator, enumerator_t*, + private_callback_cred_t *this, shared_key_type_t type, + identification_t *me, identification_t *other) +{ + shared_enumerator_t *enumerator; + + INIT(enumerator, + .public = { + .enumerate = (void*)_shared_enumerate, + .destroy = _shared_destroy, + }, + .this = this, + .me = me, + .other = other, + ); + return &enumerator->public; +} + +METHOD(callback_cred_t, destroy, void, + private_callback_cred_t *this) +{ + free(this); +} + +/** + * Create a generic callback credential set + */ +static private_callback_cred_t* create_generic(void *cb, void *data) +{ + private_callback_cred_t *this; + + INIT(this, + .public = { + .set = { + .create_shared_enumerator = (void*)return_null, + .create_private_enumerator = (void*)return_null, + .create_cert_enumerator = (void*)return_null, + .create_cdp_enumerator = (void*)return_null, + .cache_cert = (void*)nop, + }, + .destroy = _destroy, + }, + .cb.generic = cb, + .data = data, + ); + return this; +} + +/** + * See header + */ +callback_cred_t *callback_cred_create_shared(callback_cred_shared_cb_t cb, + void *data) +{ + private_callback_cred_t *this = create_generic(cb, data); + + this->public.set.create_shared_enumerator = _create_shared_enumerator; + + return &this->public; +} diff --git a/src/libstrongswan/credentials/sets/callback_cred.h b/src/libstrongswan/credentials/sets/callback_cred.h new file mode 100644 index 000000000..9cc5b65ea --- /dev/null +++ b/src/libstrongswan/credentials/sets/callback_cred.h @@ -0,0 +1,65 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup callback_cred callback_cred + * @{ @ingroup sets + */ + +#ifndef CALLBACK_CRED_H_ +#define CALLBACK_CRED_H_ + +typedef struct callback_cred_t callback_cred_t; + +#include <credentials/credential_set.h> + +/** + * Callback function to get shared keys. + * + * @param me own identity + * @param other other identity + * @param match_me match result of own identity + * @param match_other match result of other identity + */ +typedef shared_key_t* (*callback_cred_shared_cb_t)(void *data, + identification_t *me, identification_t *other, + id_match_t *match_me, id_match_t *match_other); + +/** + * Generic callbcack using user specified callback functions. + */ +struct callback_cred_t { + + /** + * Implements credential_set_t. + */ + credential_set_t set; + + /** + * Destroy a callback_cred_t. + */ + void (*destroy)(callback_cred_t *this); +}; + +/** + * Create a callback_cred instance, for a shared key. + * + * @param cb callback function + * @param data data to pass to callback + */ +callback_cred_t *callback_cred_create_shared(callback_cred_shared_cb_t cb, + void *data); + +#endif /** CALLBACK_CRED_H_ @}*/ diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c index 2ddffd571..b50ae070f 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c @@ -331,13 +331,26 @@ static bool find_key(private_pkcs11_private_key_t *this, chunk_t keyid) } /** - * Try a login to the session + * Find a PIN and try to log in */ -static bool login(private_pkcs11_private_key_t *this, chunk_t pin, int slot) +static bool login(private_pkcs11_private_key_t *this, chunk_t keyid, int slot) { + identification_t *id; + shared_key_t *shared; + chunk_t pin; CK_RV rv; + id = identification_create_from_encoding(ID_KEY_ID, keyid); + shared = lib->credmgr->get_shared(lib->credmgr, SHARED_PIN, id, NULL); + id->destroy(id); + if (!shared) + { + DBG1(DBG_CFG, "no PIN found for PKCS#11 key %#B", keyid); + return FALSE; + } + pin = shared->get_key(shared); rv = this->lib->f->C_Login(this->session, CKU_USER, pin.ptr, pin.len); + shared->destroy(shared); if (rv != CKR_OK) { DBG1(DBG_CFG, "login to '%s':%d failed: %N", @@ -353,14 +366,11 @@ static bool login(private_pkcs11_private_key_t *this, chunk_t pin, int slot) pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args) { private_pkcs11_private_key_t *this; - chunk_t (*cb)(void *data, int try) = NULL; - void *cb_data = NULL; char *module = NULL; - chunk_t keyid, pin; - int slot = -1, try = 0; + chunk_t keyid = chunk_empty; + int slot = -1; CK_RV rv; - keyid = pin = chunk_empty; while (TRUE) { switch (va_arg(args, builder_part_t)) @@ -368,13 +378,6 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args) case BUILD_PKCS11_KEYID: keyid = va_arg(args, chunk_t); continue; - case BUILD_PASSPHRASE: - pin = va_arg(args, chunk_t); - continue; - case BUILD_PASSPHRASE_CALLBACK: - cb = va_arg(args, void*); - cb_data = va_arg(args, void*); - continue; case BUILD_PKCS11_SLOT: slot = va_arg(args, int); continue; @@ -388,7 +391,7 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args) } break; } - if (!keyid.len || (!pin.len && !cb)) + if (!keyid.len) { return NULL; } @@ -444,29 +447,10 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args) this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); - if (pin.ptr) - { - if (!login(this, pin, slot)) - { - destroy(this); - return NULL; - } - } - else + if (!login(this, keyid, slot)) { - while (TRUE) - { - pin = cb(cb_data, ++try); - if (!pin.len) - { - destroy(this); - return NULL; - } - if (login(this, pin, slot)) - { - break; - } - } + destroy(this); + return NULL; } if (!find_key(this, keyid)) |