]> git.ipfire.org Git - thirdparty/strongswan.git/blob - src/charon/plugins/nm/nm_creds.c
projects / thirdparty / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
nm uses the distributions trusted root CAs if none is explicitly specified
[thirdparty/strongswan.git] / src / charon / plugins / nm / nm_creds.c
1 /*
2 * Copyright (C) 2008 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "nm_creds.h"
17
18 #include <sys/types.h>
19 #include <sys/stat.h>
20 #include <unistd.h>
21
22 #include <daemon.h>
23 #include <utils/mutex.h>
24 #include <credentials/certificates/x509.h>
25
26 typedef struct private_nm_creds_t private_nm_creds_t;
27
28 /**
29 * private data of nm_creds
30 */
31 struct private_nm_creds_t {
32
33 /**
34 * public functions
35 */
36 nm_creds_t public;
37
38 /**
39 * List of trusted certificates, certificate_t*
40 */
41 linked_list_t *certs;
42
43 /**
44 * User name
45 */
46 identification_t *user;
47
48 /**
49 * User password
50 */
51 char *pass;
52
53 /**
54 * users certificate
55 */
56 certificate_t *usercert;
57
58 /**
59 * users private key
60 */
61 private_key_t *key;
62
63 /**
64 * read/write lock
65 */
66 rwlock_t *lock;
67 };
68
69 /**
70 * Enumerator for user certificate
71 */
72 static enumerator_t *create_usercert_enumerator(private_nm_creds_t *this,
73 certificate_type_t cert, key_type_t key)
74 {
75 public_key_t *public;
76
77 if (cert != CERT_ANY && cert != this->usercert->get_type(this->usercert))
78 {
79 return NULL;
80 }
81 if (key != KEY_ANY)
82 {
83 public = this->usercert->get_public_key(this->usercert);
84 if (!public)
85 {
86 return NULL;
87 }
88 if (public->get_type(public) != key)
89 {
90 public->destroy(public);
91 return NULL;
92 }
93 public->destroy(public);
94 }
95 this->lock->read_lock(this->lock);
96 return enumerator_create_cleaner(
97 enumerator_create_single(this->usercert, NULL),
98 (void*)this->lock->unlock, this->lock);
99 }
100
101 /**
102 * CA certificate enumerator data
103 */
104 typedef struct {
105 /** ref to credential credential store */
106 private_nm_creds_t *this;
107 /** type of key we are looking for */
108 key_type_t key;
109 /** CA certificate ID */
110 identification_t *id;
111 } cert_data_t;
112
113 /**
114 * Destroy CA certificate enumerator data
115 */
116 static void cert_data_destroy(cert_data_t *data)
117 {
118 data->this->lock->unlock(data->this->lock);
119 free(data);
120 }
121
122 /**
123 * Filter function for certificates enumerator
124 */
125 static bool cert_filter(cert_data_t *data, certificate_t **in,
126 certificate_t **out)
127 {
128 certificate_t *cert = *in;
129 public_key_t *public;
130 chunk_t keyid;
131
132 public = cert->get_public_key(cert);
133 if (!public)
134 {
135 return FALSE;
136 }
137 if (data->key != KEY_ANY && public->get_type(public) != data->key)
138 {
139 public->destroy(public);
140 return FALSE;
141 }
142 if (data->id && data->id->get_type(data->id) == ID_KEY_ID &&
143 public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid) &&
144 chunk_equals(keyid, data->id->get_encoding(data->id)))
145 {
146 public->destroy(public);
147 *out = cert;
148 return TRUE;
149 }
150 public->destroy(public);
151 if (data->id && !cert->has_subject(cert, data->id))
152 {
153 return FALSE;
154 }
155 *out = cert;
156 return TRUE;
157 }
158
159 /**
160 * Create enumerator for trusted certificates
161 */
162 static enumerator_t *create_trusted_cert_enumerator(private_nm_creds_t *this,
163 key_type_t key, identification_t *id)
164 {
165 cert_data_t *data = malloc_thing(cert_data_t);
166
167 data->this = this;
168 data->id = id;
169 data->key = key;
170
171 this->lock->read_lock(this->lock);
172 return enumerator_create_filter(
173 this->certs->create_enumerator(this->certs),
174 (void*)cert_filter, data, (void*)cert_data_destroy);
175 }
176
177 /**
178 * Implements credential_set_t.create_cert_enumerator
179 */
180 static enumerator_t* create_cert_enumerator(private_nm_creds_t *this,
181 certificate_type_t cert, key_type_t key,
182 identification_t *id, bool trusted)
183 {
184 if (id && this->usercert &&
185 id->equals(id, this->usercert->get_subject(this->usercert)))
186 {
187 return create_usercert_enumerator(this, cert, key);
188 }
189 if (cert == CERT_X509 || cert == CERT_ANY)
190 {
191 return create_trusted_cert_enumerator(this, key, id);
192 }
193 return NULL;
194 }
195
196 /**
197 * Implements credential_set_t.create_cert_enumerator
198 */
199 static enumerator_t* create_private_enumerator(private_nm_creds_t *this,
200 key_type_t type, identification_t *id)
201 {
202 if (this->key == NULL)
203 {
204 return NULL;
205 }
206 if (type != KEY_ANY && type != this->key->get_type(this->key))
207 {
208 return NULL;
209 }
210 if (id && id->get_type(id) != ID_ANY)
211 {
212 chunk_t keyid;
213
214 if (id->get_type(id) != ID_KEY_ID ||
215 !this->key->get_fingerprint(this->key, KEY_ID_PUBKEY_SHA1, &keyid) ||
216 !chunk_equals(keyid, id->get_encoding(id)))
217 {
218 return NULL;
219 }
220 }
221 this->lock->read_lock(this->lock);
222 return enumerator_create_cleaner(enumerator_create_single(this->key, NULL),
223 (void*)this->lock->unlock, this->lock);
224 }
225
226 /**
227 * shared key enumerator implementation
228 */
229 typedef struct {
230 enumerator_t public;
231 private_nm_creds_t *this;
232 shared_key_t *key;
233 bool done;
234 } shared_enumerator_t;
235
236 /**
237 * enumerate function for shared enumerator
238 */
239 static bool shared_enumerate(shared_enumerator_t *this, shared_key_t **key,
240 id_match_t *me, id_match_t *other)
241 {
242 if (this->done)
243 {
244 return FALSE;
245 }
246 *key = this->key;
247 *me = ID_MATCH_PERFECT;
248 *other = ID_MATCH_ANY;
249 this->done = TRUE;
250 return TRUE;
251 }
252
253 /**
254 * Destroy function for shared enumerator
255 */
256 static void shared_destroy(shared_enumerator_t *this)
257 {
258 this->key->destroy(this->key);
259 this->this->lock->unlock(this->this->lock);
260 free(this);
261 }
262 /**
263 * Implements credential_set_t.create_cert_enumerator
264 */
265 static enumerator_t* create_shared_enumerator(private_nm_creds_t *this,
266 shared_key_type_t type, identification_t *me,
267 identification_t *other)
268 {
269 shared_enumerator_t *enumerator;
270
271 if (!this->pass || !this->user)
272 {
273 return NULL;
274 }
275 if (type != SHARED_EAP && type != SHARED_IKE)
276 {
277 return NULL;
278 }
279 if (me && !me->equals(me, this->user))
280 {
281 return NULL;
282 }
283
284 enumerator = malloc_thing(shared_enumerator_t);
285 enumerator->public.enumerate = (void*)shared_enumerate;
286 enumerator->public.destroy = (void*)shared_destroy;
287 enumerator->this = this;
288 enumerator->done = FALSE;
289 this->lock->read_lock(this->lock);
290 enumerator->key = shared_key_create(type,
291 chunk_clone(chunk_create(this->pass,
292 strlen(this->pass))));
293 return &enumerator->public;
294 }
295
296 /**
297 * Implementation of nm_creds_t.add_certificate
298 */
299 static void add_certificate(private_nm_creds_t *this, certificate_t *cert)
300 {
301 this->lock->write_lock(this->lock);
302 this->certs->insert_last(this->certs, cert);
303 this->lock->unlock(this->lock);
304 }
305
306 /**
307 * Load a certificate file
308 */
309 static void load_ca_file(private_nm_creds_t *this, char *file)
310 {
311 certificate_t *cert;
312
313 /* We add the CA constraint, as many CAs miss it */
314 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
315 BUILD_FROM_FILE, file, BUILD_END);
316 if (!cert)
317 {
318 DBG1(DBG_CFG, "loading CA certificate '%s' failed", file);
319 }
320 else
321 {
322 DBG2(DBG_CFG, "loaded CA certificate '%Y'", cert->get_subject(cert));
323 x509_t *x509 = (x509_t*)cert;
324 if (!(x509->get_flags(x509) & X509_SELF_SIGNED))
325 {
326 DBG1(DBG_CFG, "%Y is not self signed", cert->get_subject(cert));
327 }
328 this->certs->insert_last(this->certs, cert);
329 }
330 }
331
332 /**
333 * Implementation of nm_creds_t.load_ca_dir
334 */
335 static void load_ca_dir(private_nm_creds_t *this, char *dir)
336 {
337 enumerator_t *enumerator;
338 char *rel, *abs;
339 struct stat st;
340
341 enumerator = enumerator_create_directory(dir);
342 if (enumerator)
343 {
344 while (enumerator->enumerate(enumerator, &rel, &abs, &st))
345 {
346 /* skip '.', '..' and hidden files */
347 if (rel[0] != '.')
348 {
349 if (S_ISDIR(st.st_mode))
350 {
351 load_ca_dir(this, abs);
352 }
353 else if (S_ISREG(st.st_mode))
354 {
355 load_ca_file(this, abs);
356 }
357 }
358 }
359 enumerator->destroy(enumerator);
360 }
361 }
362
363 /**
364 * Implementation of nm_creds_t.set_password
365 */
366 static void set_username_password(private_nm_creds_t *this, identification_t *id,
367 char *password)
368 {
369 this->lock->write_lock(this->lock);
370 DESTROY_IF(this->user);
371 this->user = id->clone(id);
372 free(this->pass);
373 this->pass = password ? strdup(password) : NULL;
374 this->lock->unlock(this->lock);
375 }
376
377 /**
378 * Implementation of nm_creds_t.set_cert_and_key
379 */
380 static void set_cert_and_key(private_nm_creds_t *this, certificate_t *cert,
381 private_key_t *key)
382 {
383 this->lock->write_lock(this->lock);
384 DESTROY_IF(this->key);
385 DESTROY_IF(this->usercert);
386 this->key = key;
387 this->usercert = cert;
388 this->lock->unlock(this->lock);
389 }
390
391 /**
392 * Implementation of nm_creds_t.clear
393 */
394 static void clear(private_nm_creds_t *this)
395 {
396 certificate_t *cert;
397
398 while (this->certs->remove_last(this->certs, (void**)&cert) == SUCCESS)
399 {
400 cert->destroy(cert);
401 }
402 DESTROY_IF(this->user);
403 free(this->pass);
404 DESTROY_IF(this->usercert);
405 DESTROY_IF(this->key);
406 this->key = NULL;
407 this->usercert = NULL;
408 this->pass = NULL;
409 this->user = NULL;
410 }
411
412 /**
413 * Implementation of nm_creds_t.destroy
414 */
415 static void destroy(private_nm_creds_t *this)
416 {
417 clear(this);
418 this->certs->destroy(this->certs);
419 this->lock->destroy(this->lock);
420 free(this);
421 }
422
423 /*
424 * see header file
425 */
426 nm_creds_t *nm_creds_create()
427 {
428 private_nm_creds_t *this = malloc_thing(private_nm_creds_t);
429
430 this->public.set.create_private_enumerator = (void*)create_private_enumerator;
431 this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
432 this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
433 this->public.set.create_cdp_enumerator = (void*)return_null;
434 this->public.set.cache_cert = (void*)nop;
435 this->public.add_certificate = (void(*)(nm_creds_t*, certificate_t *cert))add_certificate;
436 this->public.load_ca_dir = (void(*)(nm_creds_t*, char *dir))load_ca_dir;
437 this->public.set_username_password = (void(*)(nm_creds_t*, identification_t *id, char *password))set_username_password;
438 this->public.set_cert_and_key = (void(*)(nm_creds_t*, certificate_t *cert, private_key_t *key))set_cert_and_key;
439 this->public.clear = (void(*)(nm_creds_t*))clear;
440 this->public.destroy = (void(*)(nm_creds_t*))destroy;
441
442 this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
443
444 this->certs = linked_list_create();
445 this->user = NULL;
446 this->pass = NULL;
447 this->usercert = NULL;
448 this->key = NULL;
449
450 return &this->public;
451 }
452
Unnamed repository; edit this file 'description' to name the repository.