*/
char *pass;
+ /**
+ * Private key decryption password
+ */
+ char *keypass;
+
/**
* users certificate
*/
return FALSE;
}
*key = this->key;
- *me = ID_MATCH_PERFECT;
- *other = ID_MATCH_ANY;
+ if (me)
+ {
+ *me = ID_MATCH_PERFECT;
+ }
+ if (other)
+ {
+ *other = ID_MATCH_ANY;
+ }
this->done = TRUE;
return TRUE;
}
identification_t *other)
{
shared_enumerator_t *enumerator;
+ chunk_t key;
- if (!this->pass || !this->user)
+ switch (type)
{
- return NULL;
- }
- if (type != SHARED_EAP && type != SHARED_IKE)
- {
- return NULL;
- }
- if (me && !me->equals(me, this->user))
- {
- return NULL;
+ case SHARED_EAP:
+ case SHARED_IKE:
+ if (!this->pass || !this->user)
+ {
+ return NULL;
+ }
+ if (me && !me->equals(me, this->user))
+ {
+ return NULL;
+ }
+ key = chunk_create(this->pass, strlen(this->pass));
+ break;
+ case SHARED_PRIVATE_KEY_PASS:
+ if (!this->keypass)
+ {
+ return NULL;
+ }
+ key = chunk_create(this->keypass, strlen(this->keypass));
+ break;
+ default:
+ return NULL;
}
enumerator = malloc_thing(shared_enumerator_t);
enumerator->this = this;
enumerator->done = FALSE;
this->lock->read_lock(this->lock);
- enumerator->key = shared_key_create(type,
- chunk_clone(chunk_create(this->pass,
- strlen(this->pass))));
+ enumerator->key = shared_key_create(type, chunk_clone(key));
return &enumerator->public;
}
this->lock->unlock(this->lock);
}
+/**
+ * Implementation of nm_creds_t.set_key_password
+ */
+static void set_key_password(private_nm_creds_t *this, char *password)
+{
+ this->lock->write_lock(this->lock);
+ free(this->keypass);
+ this->keypass = password ? strdup(password) : NULL;
+ this->lock->unlock(this->lock);
+}
+
/**
* Implementation of nm_creds_t.set_cert_and_key
*/
this->public.add_certificate = (void(*)(nm_creds_t*, certificate_t *cert))add_certificate;
this->public.load_ca_dir = (void(*)(nm_creds_t*, char *dir))load_ca_dir;
this->public.set_username_password = (void(*)(nm_creds_t*, identification_t *id, char *password))set_username_password;
+ this->public.set_key_password = (void(*)(nm_creds_t*, char *password))set_key_password;
this->public.set_cert_and_key = (void(*)(nm_creds_t*, certificate_t *cert, private_key_t *key))set_cert_and_key;
this->public.clear = (void(*)(nm_creds_t*))clear;
this->public.destroy = (void(*)(nm_creds_t*))destroy;
*/
void (*set_username_password)(nm_creds_t *this, identification_t *id,
char *password);
+
+ /**
+ * Set the passphrase to use for private key decryption.
+ *
+ * @param password password to use
+ */
+ void (*set_key_password)(nm_creds_t *this, char *password);
+
/**
* Set the certificate and private key to use for client authentication.
*
*/
void (*set_cert_and_key)(nm_creds_t *this, certificate_t *cert,
private_key_t *key);
+
/**
* Clear the stored credentials.
*/
str = nm_setting_vpn_get_data_item(vpn, "userkey");
if (!agent && str)
{
- chunk_t secret;
+ char *secret;
- secret.ptr = (char*)nm_setting_vpn_get_secret(vpn, "password");
- if (secret.ptr)
+ secret = (char*)nm_setting_vpn_get_secret(vpn, "password");
+ if (secret)
{
- secret.len = strlen(secret.ptr);
+ priv->creds->set_key_password(priv->creds, secret);
}
private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
- KEY_RSA, BUILD_FROM_FILE, str,
- BUILD_PASSPHRASE, secret, BUILD_END);
+ KEY_RSA, BUILD_FROM_FILE, str, BUILD_END);
if (!private)
{
g_set_error(err, NM_VPN_PLUGIN_ERROR,
if (path)
{
private_key_t *key;
- chunk_t secret;
- secret.ptr = (char*)nm_setting_vpn_get_secret(settings, "password");
- if (secret.ptr)
- {
- secret.len = strlen(secret.ptr);
- }
/* try to load/decrypt the private key */
key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
- KEY_RSA, BUILD_FROM_FILE, path,
- BUILD_PASSPHRASE, secret, BUILD_END);
+ KEY_RSA, BUILD_FROM_FILE, path, BUILD_END);
if (key)
{
key->destroy(key);
}
/**
- * Data to pass to passphrase_cb
+ * Data for passphrase callback
*/
typedef struct {
/** socket we use for prompting */
FILE *prompt;
/** private key file */
- char *file;
- /** buffer for passphrase */
- char buf[256];
+ char *path;
+ /** number of tries */
+ int try;
} passphrase_cb_data_t;
/**
- * Passphrase callback to read from stroke fd
+ * Callback function to receive Passphrases
*/
-chunk_t passphrase_cb(passphrase_cb_data_t *data, int try)
+static shared_key_t* passphrase_cb(passphrase_cb_data_t *data,
+ identification_t *me, identification_t *other,
+ id_match_t *match_me, id_match_t *match_other)
{
- chunk_t secret = chunk_empty;;
+ chunk_t secret;
+ char buf[256];
- if (try > 5)
- {
- fprintf(data->prompt, "invalid passphrase, too many trials\n");
- return chunk_empty;
- }
- if (try == 1)
- {
- fprintf(data->prompt, "Private key '%s' is encrypted\n", data->file);
- }
- else
+ if (data->try > 1)
{
- fprintf(data->prompt, "invalid passphrase\n");
+ if (data->try > 5)
+ {
+ fprintf(data->prompt, "PIN invalid, giving up.\n");
+ return NULL;
+ }
+ fprintf(data->prompt, "PIN invalid!\n");
}
+ data->try++;
+ fprintf(data->prompt, "Private key '%s' is encrypted.\n", data->path);
fprintf(data->prompt, "Passphrase:\n");
- if (fgets(data->buf, sizeof(data->buf), data->prompt))
+ if (fgets(buf, sizeof(buf), data->prompt))
{
- secret = chunk_create(data->buf, strlen(data->buf));
- if (secret.len)
+ secret = chunk_create(buf, strlen(buf));
+ if (secret.len > 1)
{ /* trim appended \n */
secret.len--;
+ if (match_me)
+ {
+ *match_me = ID_MATCH_PERFECT;
+ }
+ if (match_other)
+ {
+ *match_other = ID_MATCH_NONE;
+ }
+ return shared_key_create(SHARED_PRIVATE_KEY_PASS, chunk_clone(secret));
}
}
- return secret;
+ return NULL;
}
/**
if (data->try > 1)
{
- fprintf(data->prompt, "PIN invalid, giving up.\n", data->card);
+ fprintf(data->prompt, "PIN invalid, aborting.\n");
return NULL;
}
data->try++;
chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7))
{
+ free(secret.ptr);
if (!prompt)
{ /* no IO channel to prompt, skip */
free(chunk.ptr);
{
char path[PATH_MAX];
chunk_t filename;
- chunk_t secret = chunk_empty;
- private_key_t *key = NULL;
+ chunk_t secret;
+ private_key_t *key;
err_t ugh = extract_value(&filename, &line);
}
if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7))
{
- if (prompt)
+ callback_cred_t *cb = NULL;
+ passphrase_cb_data_t pp_data = {
+ .prompt = prompt,
+ .path = path,
+ .try = 1,
+ };
+
+ free(secret.ptr);
+ if (!prompt)
{
- passphrase_cb_data_t data = {
- .prompt = prompt,
- .file = path,
- };
- key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
- key_type, BUILD_FROM_FILE, path,
- BUILD_PASSPHRASE_CALLBACK,
- passphrase_cb, &data, BUILD_END);
+ return TRUE;
}
+ /* use callback credential set to prompt for the passphrase */
+ pp_data.prompt = prompt;
+ pp_data.path = path;
+ pp_data.try = 1;
+ cb = callback_cred_create_shared((void*)passphrase_cb, &pp_data);
+ lib->credmgr->add_local_set(lib->credmgr, &cb->set);
+
+ /* unlock, as the builder might ask for a secret */
+ this->lock->unlock(this->lock);
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
+ BUILD_FROM_FILE, path, BUILD_END);
+ this->lock->write_lock(this->lock);
+
+ lib->credmgr->remove_local_set(lib->credmgr, &cb->set);
+ cb->destroy(cb);
}
else
{
+ mem_cred_t *mem = NULL;
+ shared_key_t *shared;
+
+ /* provide our pin in a temporary credential set */
+ shared = shared_key_create(SHARED_PRIVATE_KEY_PASS, secret);
+ mem = mem_cred_create();
+ mem->add_shared(mem, shared, NULL);
+ lib->credmgr->add_local_set(lib->credmgr, &mem->set);
+
+ /* unlock, as the builder might ask for a secret */
+ this->lock->unlock(this->lock);
key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
- BUILD_FROM_FILE, path,
- BUILD_PASSPHRASE, secret, BUILD_END);
+ BUILD_FROM_FILE, path, BUILD_END);
+ this->lock->write_lock(this->lock);
+
+ lib->credmgr->remove_local_set(lib->credmgr, &mem->set);
+ mem->destroy(mem);
}
if (key)
{
{
DBG1(DBG_CFG, " loading private key from '%s' failed", path);
}
- chunk_clear(&secret);
return TRUE;
}
BUILD_BLOB_PGP,
/** DNS public key blob (RFC 4034, RSA specifc RFC 3110), chunk_t */
BUILD_BLOB_DNSKEY,
- /** passphrase for e.g. PEM decryption, smartcard unlock, chunk_t */
- BUILD_PASSPHRASE,
- /** passphrase callback, chunk_t(*fn)(void *user, int try), void *user.
- * The callback is invoked until the returned passphrase is accepted, or
- * a zero-length passphrase is returned. Try starts at 1. */
- BUILD_PASSPHRASE_CALLBACK,
/** key size in bits, as used for key generation, u_int */
BUILD_KEY_SIZE,
/** private key to use for signing, private_key_t* */
/**
* Converts a PEM encoded file into its binary form (RFC 1421, RFC 934)
*/
-static status_t pem_to_bin(chunk_t *blob, chunk_t(*cb)(void*,int), void *cb_data,
- bool *pgp)
+static status_t pem_to_bin(chunk_t *blob, bool *pgp)
{
typedef enum {
PEM_PRE = 0,
chunk_t dst = *blob;
chunk_t line = chunk_empty;
chunk_t iv = chunk_empty;
- chunk_t passphrase;
- int try = 0;
u_char iv_buf[HASH_SIZE_MD5];
+ status_t status = NOT_FOUND;
+ enumerator_t *enumerator;
+ shared_key_t *shared;
dst.len = 0;
iv.ptr = iv_buf;
{
return SUCCESS;
}
- if (!cb)
- {
- DBG1(DBG_LIB, " missing passphrase");
- return INVALID_ARG;
- }
- while (TRUE)
+
+ enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
+ SHARED_PRIVATE_KEY_PASS, NULL, NULL);
+ while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
{
- passphrase = cb(cb_data, ++try);
- if (!passphrase.len || !passphrase.ptr)
+ chunk_t passphrase, chunk;
+
+ passphrase = shared->get_key(shared);
+ chunk = chunk_clone(*blob);
+ status = pem_decrypt(&chunk, alg, key_size, iv, passphrase);
+ if (status == SUCCESS)
{
- return INVALID_ARG;
+ memcpy(blob->ptr, chunk.ptr, chunk.len);
+ blob->len = chunk.len;
}
- switch (pem_decrypt(blob, alg, key_size, iv, passphrase))
- {
- case INVALID_ARG:
- /* bad passphrase, retry */
- continue;
- case SUCCESS:
- return SUCCESS;
- default:
- return FAILED;
+ free(chunk.ptr);
+ if (status != INVALID_ARG)
+ { /* try again only if passphrase invalid */
+ break;
}
}
+ enumerator->destroy(enumerator);
+ return status;
}
/**
* load the credential from a blob
*/
static void *load_from_blob(chunk_t blob, credential_type_t type, int subtype,
- chunk_t(*cb)(void*,int), void *cb_data,
x509_flag_t flags)
{
void *cred = NULL;
blob = chunk_clone(blob);
if (!is_asn1(blob))
{
- if (pem_to_bin(&blob, cb, cb_data, &pgp) != SUCCESS)
+ if (pem_to_bin(&blob, &pgp) != SUCCESS)
{
chunk_clear(&blob);
return NULL;
* load the credential from a file
*/
static void *load_from_file(char *file, credential_type_t type, int subtype,
- chunk_t(*cb)(void*,int), void *cb_data,
x509_flag_t flags)
{
void *cred = NULL;
return NULL;
}
- cred = load_from_blob(chunk_create(addr, sb.st_size), type, subtype,
- cb, cb_data, flags);
+ cred = load_from_blob(chunk_create(addr, sb.st_size), type, subtype, flags);
munmap(addr, sb.st_size);
close(fd);
* load the credential from a file descriptor
*/
static void *load_from_fd(int fd, credential_type_t type, int subtype,
- chunk_t(*cb)(void*,int), void *cb_data,
x509_flag_t flags)
{
char buf[8096];
return NULL;
}
}
- return load_from_blob(chunk_create(buf, total), type, subtype,
- cb, cb_data, flags);
-}
-
-/**
- * passphrase callback to use if passphrase given
- */
-static chunk_t given_passphrase_cb(chunk_t *passphrase, int try)
-{
- if (try > 1)
- { /* try only once for given passphrases */
- return chunk_empty;
- }
- return *passphrase;
+ return load_from_blob(chunk_create(buf, total), type, subtype, flags);
}
/**
{
char *file = NULL;
int fd = -1;
- chunk_t pem = chunk_empty, passphrase = chunk_empty;
- chunk_t (*cb)(void *data, int try) = NULL;
- void *cb_data = NULL;
+ chunk_t pem = chunk_empty;
int flags = 0;
while (TRUE)
case BUILD_BLOB_PEM:
pem = va_arg(args, chunk_t);
continue;
- case BUILD_PASSPHRASE:
- passphrase = va_arg(args, chunk_t);
- if (passphrase.len && passphrase.ptr)
- {
- cb = (void*)given_passphrase_cb;
- cb_data = &passphrase;
- }
- continue;
- case BUILD_PASSPHRASE_CALLBACK:
- cb = va_arg(args, chunk_t(*)(void*,int));
- cb_data = va_arg(args, void*);
- continue;
case BUILD_X509_FLAG:
flags = va_arg(args, int);
continue;
if (pem.len)
{
- return load_from_blob(pem, type, subtype, cb, cb_data, flags);
+ return load_from_blob(pem, type, subtype, flags);
}
if (file)
{
- return load_from_file(file, type, subtype, cb, cb_data, flags);
+ return load_from_file(file, type, subtype, flags);
}
if (fd != -1)
{
- return load_from_fd(fd, type, subtype, cb, cb_data, flags);
+ return load_from_fd(fd, type, subtype, flags);
}
return NULL;
}
#include <credentials/certificates/x509.h>
#include <credentials/certificates/ac.h>
#include <credentials/keys/private_key.h>
+#include <credentials/sets/mem_cred.h>
#include <utils/optionsfrom.h>
#define OPENAC_PATH IPSEC_CONFDIR "/openac"
/* load the signer's RSA private key */
if (keyfile != NULL)
{
+ mem_cred_t *mem;
+ shared_key_t *shared;
+
+ mem = mem_cred_create();
+ lib->credmgr->add_set(lib->credmgr, &mem->set);
+ shared = shared_key_create(SHARED_PRIVATE_KEY_PASS,
+ chunk_clone(passphrase));
+ mem->add_shared(mem, shared, NULL);
signerKey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
BUILD_FROM_FILE, keyfile,
- BUILD_PASSPHRASE, passphrase,
BUILD_END);
+ lib->credmgr->remove_set(lib->credmgr, &mem->set);
+ mem->destroy(mem);
if (signerKey == NULL)
{
goto end;
return cert;
}
-/**
- * Passphrase callback to read from whack fd
- */
-chunk_t whack_pass_cb(prompt_pass_t *pass, int try)
-{
- int n;
-
- if (try > MAX_PROMPT_PASS_TRIALS)
- {
- whack_log(RC_LOG_SERIOUS, "invalid passphrase, too many trials");
- return chunk_empty;
- }
- if (try == 1)
- {
- whack_log(RC_ENTERSECRET, "need passphrase for 'private key'");
- }
- else
- {
- whack_log(RC_ENTERSECRET, "invalid passphrase, please try again");
- }
-
- n = read(pass->fd, pass->secret, PROMPT_PASS_LEN);
-
- if (n == -1)
- {
- whack_log(RC_LOG_SERIOUS, "read(whackfd) failed");
- return chunk_empty;
- }
-
- pass->secret[n-1] = '\0';
-
- if (strlen(pass->secret) == 0)
- {
- whack_log(RC_LOG_SERIOUS, "no passphrase entered, aborted");
- return chunk_empty;
- }
- return chunk_create(pass->secret, strlen(pass->secret));
-}
-
-/**
- * Loads a PKCS#1 or PGP private key file
- */
-private_key_t* load_private_key(char* filename, prompt_pass_t *pass,
- key_type_t type)
-{
- private_key_t *key = NULL;
- char *path;
-
- path = concatenate_paths(PRIVATE_KEY_PATH, filename);
- if (pass && pass->prompt && pass->fd != NULL_FD)
- { /* use passphrase callback */
- key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
- BUILD_FROM_FILE, path,
- BUILD_PASSPHRASE_CALLBACK, whack_pass_cb, pass,
- BUILD_END);
- if (key)
- {
- whack_log(RC_SUCCESS, "valid passphrase");
- }
- }
- else if (pass)
- { /* use a given passphrase */
- chunk_t password = chunk_create(pass->secret, strlen(pass->secret));
- key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
- BUILD_FROM_FILE, path,
- BUILD_PASSPHRASE, password, BUILD_END);
- }
- else
- { /* no passphrase */
- key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
- BUILD_FROM_FILE, path, BUILD_END);
-
- }
- if (key)
- {
- plog(" loaded private key from '%s'", filename);
- }
- else
- {
- plog(" syntax error in private key file");
- }
- return key;
-}
-
/**
* Loads a X.509 or OpenPGP certificate
*/
*/
extern bool no_cr_send;
-extern private_key_t* load_private_key(char* filename, prompt_pass_t *pass,
- key_type_t type);
extern cert_t* load_cert(char *filename, const char *label, x509_flag_t flags);
extern cert_t* load_host_cert(char *filename);
extern cert_t* load_ca_cert(char *filename);
#define MAX_PROMPT_PASS_TRIALS 5
#define PROMPT_PASS_LEN 64
-/* struct used to prompt for a secret passphrase
- * from a console with file descriptor fd
- */
-typedef struct {
- char secret[PROMPT_PASS_LEN+1];
- bool prompt;
- int fd;
-} prompt_pass_t;
-
/* filter eliminating the directory entries '.' and '..' */
typedef struct dirent dirent_t;
extern int file_select(const dirent_t *entry);
#include <library.h>
#include <asn1/asn1.h>
#include <credentials/certificates/pgp_certificate.h>
+#include <credentials/sets/mem_cred.h>
+#include <credentials/sets/callback_cred.h>
#include "constants.h"
#include "defs.h"
return ugh;
}
+/* struct used to prompt for a secret passphrase
+ * from a console with file descriptor fd
+ */
+typedef struct {
+ char secret[PROMPT_PASS_LEN+1];
+ bool prompt;
+ int fd;
+ int try;
+} prompt_pass_t;
+
+/**
+ * Passphrase callback to read from whack fd
+ */
+static shared_key_t* whack_pass_cb(prompt_pass_t *pass,
+ identification_t *me, identification_t *other,
+ id_match_t *match_me, id_match_t *match_other)
+{
+ int n;
+
+ if (pass->try > MAX_PROMPT_PASS_TRIALS)
+ {
+ whack_log(RC_LOG_SERIOUS, "invalid passphrase, too many trials");
+ return NULL;
+ }
+ if (pass->try == 1)
+ {
+ whack_log(RC_ENTERSECRET, "need passphrase for 'private key'");
+ }
+ else
+ {
+ whack_log(RC_ENTERSECRET, "invalid passphrase, please try again");
+ }
+ pass->try++;
+
+ n = read(pass->fd, pass->secret, PROMPT_PASS_LEN);
+ if (n == -1)
+ {
+ whack_log(RC_LOG_SERIOUS, "read(whackfd) failed");
+ return NULL;
+ }
+ pass->secret[n-1] = '\0';
+
+ if (strlen(pass->secret) == 0)
+ {
+ whack_log(RC_LOG_SERIOUS, "no passphrase entered, aborted");
+ return NULL;
+ }
+ if (match_me)
+ {
+ *match_me = ID_MATCH_PERFECT;
+ }
+ if (match_other)
+ {
+ *match_other = ID_MATCH_NONE;
+ }
+ return shared_key_create(SHARED_PRIVATE_KEY_PASS,
+ chunk_clone(chunk_create(pass->secret, strlen(pass->secret))));
+}
+
+/**
+ * Loads a PKCS#1 or PGP private key file
+ */
+static private_key_t* load_private_key(char* filename, prompt_pass_t *pass,
+ key_type_t type)
+{
+ private_key_t *key = NULL;
+ char *path;
+
+ path = concatenate_paths(PRIVATE_KEY_PATH, filename);
+ if (pass && pass->prompt && pass->fd != NULL_FD)
+ { /* use passphrase callback */
+ callback_cred_t *cb;
+
+ cb = callback_cred_create_shared((void*)whack_pass_cb, pass);
+ lib->credmgr->add_local_set(lib->credmgr, &cb->set);
+
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+ BUILD_FROM_FILE, path, BUILD_END);
+ lib->credmgr->remove_local_set(lib->credmgr, &cb->set);
+ cb->destroy(cb);
+ if (key)
+ {
+ whack_log(RC_SUCCESS, "valid passphrase");
+ }
+ }
+ else if (pass)
+ { /* use a given passphrase */
+ mem_cred_t *mem;
+ shared_key_t *shared;
+
+ mem = mem_cred_create();
+ lib->credmgr->add_local_set(lib->credmgr, &mem->set);
+ shared = shared_key_create(SHARED_PRIVATE_KEY_PASS,
+ chunk_clone(chunk_create(pass->secret, strlen(pass->secret))));
+ mem->add_shared(mem, shared, NULL);
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+ BUILD_FROM_FILE, path, BUILD_END);
+ lib->credmgr->remove_local_set(lib->credmgr, &mem->set);
+ mem->destroy(mem);
+ }
+ else
+ { /* no passphrase */
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+ BUILD_FROM_FILE, path, BUILD_END);
+
+ }
+ if (key)
+ {
+ plog(" loaded private key from '%s'", filename);
+ }
+ else
+ {
+ plog(" syntax error in private key file");
+ }
+ return key;
+}
+
/**
* process a key file protected with optional passphrase which can either be
* read from ipsec.secrets or prompted for by using whack
memset(pass.secret,'\0', sizeof(pass.secret));
pass.prompt = FALSE;
pass.fd = whackfd;
+ pass.try = 1;
/* we expect the filename of a PKCS#1 private key file */
projects / thirdparty / strongswan.git / commitdiff
