]> git.ipfire.org Git - thirdparty/strongswan.git/commitdiff
credentials: Add optional message when retrieving shared secrets
authorTobias Brunner <tobias@strongswan.org>
Fri, 19 Feb 2021 08:38:40 +0000 (09:38 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 19 Feb 2021 09:12:43 +0000 (10:12 +0100)
This allows plugins to provide a message that could be displayed to
users when prompting for passwords.

37 files changed:
src/charon-cmd/cmd/cmd_creds.c
src/charon-nm/nm/nm_creds.c
src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_creds.c
src/frontends/osx/charon-xpc/xpc_channels.c
src/libcharon/plugins/eap_aka_3gpp/eap_aka_3gpp_functions.c
src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c
src/libcharon/plugins/eap_gtc/eap_gtc.c
src/libcharon/plugins/eap_md5/eap_md5.c
src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
src/libcharon/plugins/ha/ha_tunnel.c
src/libcharon/plugins/load_tester/load_tester_creds.c
src/libcharon/plugins/sql/sql_cred.c
src/libcharon/plugins/stroke/stroke_cred.c
src/libcharon/plugins/uci/uci_creds.c
src/libcharon/plugins/xauth_eap/xauth_eap.c
src/libcharon/plugins/xauth_generic/xauth_generic.c
src/libcharon/sa/ikev1/phase1.c
src/libcharon/sa/ikev2/authenticators/psk_authenticator.c
src/libcharon/sa/ikev2/tasks/ike_auth.c
src/libcharon/sa/ikev2/tasks/ike_init.c
src/libpttls/sasl/sasl_plain/sasl_plain.c
src/libstrongswan/credentials/credential_manager.c
src/libstrongswan/credentials/credential_manager.h
src/libstrongswan/credentials/credential_set.h
src/libstrongswan/credentials/sets/callback_cred.c
src/libstrongswan/credentials/sets/callback_cred.h
src/libstrongswan/credentials/sets/mem_cred.c
src/libstrongswan/plugins/openssl/openssl_pkcs12.c
src/libstrongswan/plugins/openssl/openssl_plugin.c
src/libstrongswan/plugins/pem/pem_builder.c
src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
src/libstrongswan/plugins/pkcs12/pkcs12_decode.c
src/libstrongswan/plugins/pkcs7/pkcs7_encrypted_data.c
src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
src/libtpmtss/plugins/tpm/tpm_private_key.c
src/pki/pki.c
src/swanctl/commands/load_creds.c

index b440cf87728b79d39128d9975720bd354c07da59..8ae918208f7e21251b4a55c30e2908c522d889c9 100644 (file)
@@ -63,13 +63,10 @@ struct private_cmd_creds_t {
        char *identity;
 };
 
-/**
- * Callback function to prompt for secret
- */
-static shared_key_t* callback_shared(private_cmd_creds_t *this,
-                                                               shared_key_type_t type,
-                                                               identification_t *me, identification_t *other,
-                                                               id_match_t *match_me, id_match_t *match_other)
+CALLBACK(callback_shared, shared_key_t*,
+       private_cmd_creds_t *this, shared_key_type_t type, identification_t *me,
+       identification_t *other, const char *msg, id_match_t *match_me,
+       id_match_t *match_other)
 {
        shared_key_t *shared;
        char *label, *pwd = NULL;
@@ -288,7 +285,7 @@ cmd_creds_t *cmd_creds_create()
                .creds = mem_cred_create(),
                .prompted = SHARED_ANY,
        );
-       this->cb = callback_cred_create_shared((void*)callback_shared, this);
+       this->cb = callback_cred_create_shared(callback_shared, this);
 
        lib->credmgr->add_set(lib->credmgr, &this->creds->set);
        lib->credmgr->add_set(lib->credmgr, &this->cb->set);
index 2660d6f5a451be66a8e4373e405b36d2876b8269..529d49dd09a9c1bd0001f5dcf40a76eed5e9695b 100644 (file)
@@ -270,7 +270,7 @@ METHOD(enumerator_t, shared_destroy, void,
 
 METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
        private_nm_creds_t *this, shared_key_type_t type, identification_t *me,
-       identification_t *other)
+       identification_t *other, const char *msg)
 {
        shared_enumerator_t *enumerator;
        chunk_t key;
index 5421dcae085d6a193580f715ba19c3077e978989..b067bd31480d5ae66fe4db5b7a713140c9eea356 100644 (file)
@@ -249,10 +249,10 @@ METHOD(android_creds_t, add_username_password, void,
 
 METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
        private_android_creds_t *this, shared_key_type_t type,
-       identification_t *me, identification_t *other)
+       identification_t *me, identification_t *other, const char *msg)
 {
        return this->creds->set.create_shared_enumerator(&this->creds->set,
-                                                                                                        type, me, other);
+                                                                                                        type, me, other, msg);
 }
 
 METHOD(android_creds_t, load_user_certificate, certificate_t*,
index d013e752b662d4aa41511a99c400494c83729d8f..e8d8fcb4ecabd0b31d65c90443352b2e095973e6 100644 (file)
@@ -458,10 +458,10 @@ static shared_key_t *query_password(xpc_connection_t conn, identification_t *id)
 /**
  * Password query callback
  */
-static shared_key_t* password_cb(private_xpc_channels_t *this,
-                                                                shared_key_type_t type,
-                                                                identification_t *me, identification_t *other,
-                                                                id_match_t *match_me, id_match_t *match_other)
+CALLBACK(password_cb, shared_key_t*,
+       private_xpc_channels_t *this, shared_key_type_t type, identification_t *me,
+       identification_t *other, const char *msg, id_match_t *match_me,
+       id_match_t *match_other)
 {
        shared_key_t *shared = NULL;
        ike_sa_t *ike_sa;
@@ -537,8 +537,7 @@ xpc_channels_t *xpc_channels_create()
                .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
        );
 
-       this->creds = callback_cred_create_shared(
-                                                               (callback_cred_shared_cb_t)password_cb, this);
+       this->creds = callback_cred_create_shared(password_cb, this);
        lib->credmgr->add_set(lib->credmgr, &this->creds->set);
 
        return &this->public;
index d017d2c99638fe5ab35ec9fb606453a14c849f61..68e74790f1bef5e5e9a61dbd00c301c84b0468b6 100644 (file)
@@ -69,7 +69,7 @@ bool eap_aka_3gpp_get_k_opc(identification_t *id, uint8_t k[AKA_K_LEN],
        shared_key_t *shared;
        chunk_t key;
 
-       shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL);
+       shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL, NULL);
        if (!shared)
        {
                return FALSE;
index 414c5f05880ed949365d300cf04bd339a5695305..394616eea8d417db27f84cf3ec44ad191cba8ebe 100644 (file)
@@ -52,7 +52,7 @@ bool eap_aka_3gpp2_get_k(identification_t *id, char k[AKA_K_LEN])
        shared_key_t *shared;
        chunk_t key;
 
-       shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL);
+       shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL, NULL);
        if (shared == NULL)
        {
                return FALSE;
index 95ba090b79ced2843369ab629cbb5e7d3ddd2566..e085631a2891d743a5d30920e17cd950146e7379 100644 (file)
@@ -102,7 +102,7 @@ METHOD(eap_method_t, process_peer, status_t,
        size_t len;
 
        shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP,
-                                                                         this->peer, this->server);
+                                                                         this->peer, this->server, NULL);
        if (shared == NULL)
        {
                DBG1(DBG_IKE, "no EAP key found for '%Y' - '%Y'",
index ab5f7ff6a8231a972e08d47f2a4fdd4b619462df..5748f50beb48f2945ae73920f7e65424c4490039 100644 (file)
@@ -85,7 +85,7 @@ static status_t hash_challenge(private_eap_md5_t *this, chunk_t *response,
        chunk_t concat;
        hasher_t *hasher;
 
-       shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, me, other);
+       shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, me, other, NULL);
        if (shared == NULL)
        {
                DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'", me, other);
index 0c33f39f3f86be400bb809b637f1b0f675c22abd..f3e7cd30b05fdc7d0a7b5c664a1d1451ee869377 100644 (file)
@@ -757,7 +757,8 @@ static bool get_nt_hash(private_eap_mschapv2_t *this, identification_t *me,
        chunk_t password;
 
        /* try to find a stored NT_HASH first */
-       shared = lib->credmgr->get_shared(lib->credmgr, SHARED_NT_HASH, me, other);
+       shared = lib->credmgr->get_shared(lib->credmgr, SHARED_NT_HASH, me, other,
+                                                                         NULL);
        if (shared )
        {
                *nt_hash = chunk_clone(shared->get_key(shared));
@@ -766,7 +767,7 @@ static bool get_nt_hash(private_eap_mschapv2_t *this, identification_t *me,
        }
 
        /* fallback to plaintext password */
-       shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, me, other);
+       shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, me, other, NULL);
        if (shared)
        {
                password = utf8_to_utf16le(shared->get_key(shared));
index ce9505c2b01919a5c07f78ff1f8bf85f464582fa..5d76ace69526afd740a71dcef25b54be3c9f0bae 100644 (file)
@@ -138,7 +138,7 @@ METHOD(enumerator_t, shared_enumerate, bool,
 
 METHOD(ha_creds_t, create_shared_enumerator, enumerator_t*,
        ha_creds_t *this, shared_key_type_t type,
-       identification_t *me, identification_t *other)
+       identification_t *me, identification_t *other, const char *msg)
 {
        shared_enum_t *enumerator;
 
index 827d0b326a23b2c8037165dce377dd10d0046d52..803db9d6f0e9111aa0df0055d7fb6e00d8c473a0 100644 (file)
@@ -428,7 +428,7 @@ CALLBACK(shared_filter, bool,
 
 METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
        private_load_tester_creds_t *this, shared_key_type_t type,
-       identification_t *me, identification_t *other)
+       identification_t *me, identification_t *other, const char *msg)
 {
        shared_key_t *shared;
 
index f86252a768e9c230b7aa43a732aaff57110e1681..7a051cf9bcef376515fc79091a79113071b30754 100644 (file)
@@ -271,7 +271,7 @@ METHOD(enumerator_t, shared_enumerator_destroy, void,
 
 METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
           private_sql_cred_t *this, shared_key_type_t type,
-          identification_t *me, identification_t *other)
+          identification_t *me, identification_t *other, const char *msg)
 {
        shared_enumerator_t *e;
        bool me_defined, other_defined;
index 7fc95657ed501b1cbbbf857b4dfa14d14679df9c..39511bbec39aa321207c98fc3c22a70bd4a6a68c 100644 (file)
@@ -690,10 +690,10 @@ typedef struct {
 /**
  * Callback function to receive passphrases
  */
-static shared_key_t* passphrase_cb(passphrase_cb_data_t *data,
-                                                                  shared_key_type_t type, identification_t *me,
-                                                                  identification_t *other, id_match_t *match_me,
-                                                                  id_match_t *match_other)
+CALLBACK(passphrase_cb, shared_key_t*,
+       passphrase_cb_data_t *data, shared_key_type_t type, identification_t *me,
+       identification_t *other, const char *msg, id_match_t *match_me,
+       id_match_t *match_other)
 {
        static const int max_tries = 3;
        shared_key_t *shared;
@@ -765,9 +765,10 @@ typedef struct {
 /**
  * Callback function to receive PINs
  */
-static shared_key_t* pin_cb(pin_cb_data_t *data, shared_key_type_t type,
-                                                       identification_t *me, identification_t *other,
-                                                       id_match_t *match_me, id_match_t *match_other)
+CALLBACK(pin_cb, shared_key_t*,
+       pin_cb_data_t *data, shared_key_type_t type, identification_t *me,
+       identification_t *other, const char *msg, id_match_t *match_me,
+       id_match_t *match_other)
 {
        chunk_t secret;
        char buf[256];
@@ -880,7 +881,7 @@ static bool load_pin(mem_cred_t *secrets, chunk_t line, int line_nr,
                        .card = smartcard,
                        .keyid = chunk,
                };
-               cb = callback_cred_create_shared((void*)pin_cb, &pin_data);
+               cb = callback_cred_create_shared(pin_cb, &pin_data);
                lib->credmgr->add_local_set(lib->credmgr, &cb->set, FALSE);
        }
        else
@@ -999,7 +1000,7 @@ static bool load_from_file(chunk_t line, int line_nr, FILE *prompt,
                pp_data.cache = mem_cred_create();
                lib->credmgr->add_local_set(lib->credmgr, &pp_data.cache->set, FALSE);
                /* use callback credential set to prompt for the passphrase */
-               cb = callback_cred_create_shared((void*)passphrase_cb, &pp_data);
+               cb = callback_cred_create_shared(passphrase_cb, &pp_data);
                lib->credmgr->add_local_set(lib->credmgr, &cb->set, FALSE);
 
                *result = lib->creds->create(lib->creds, type, subtype,
index c6de4756d1e5f9c99a580d69c25178d1b4a811a4..1990bb0f784e0b867403b77e91678b69adb87531 100644 (file)
@@ -118,7 +118,7 @@ METHOD(enumerator_t, shared_enumerator_destroy, void,
 
 METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
        private_uci_creds_t *this, shared_key_type_t type,
-       identification_t *me, identification_t *other)
+       identification_t *me, identification_t *other, const char *msg)
 {
        shared_enumerator_t *e;
 
index 9e103be1c6f01742f4f12b73c5314f2f97805231..2cf183b622130e9e895e649465dea70e1dc379e1 100644 (file)
@@ -53,12 +53,10 @@ struct private_xauth_eap_t {
        chunk_t pass;
 };
 
-/**
- * Callback credential set function
- */
-static shared_key_t* shared_cb(private_xauth_eap_t *this, shared_key_type_t type,
-                                                          identification_t *me, identification_t *other,
-                                                          id_match_t *match_me, id_match_t *match_other)
+CALLBACK(shared_cb, shared_key_t*,
+       private_xauth_eap_t *this, shared_key_type_t type, identification_t *me,
+       identification_t *other, const char *msg, id_match_t *match_me,
+       id_match_t *match_other)
 {
        shared_key_t *shared;
 
@@ -283,7 +281,7 @@ xauth_eap_t *xauth_eap_create_server(identification_t *server,
                .peer = peer->clone(peer),
        );
 
-       this->cred = callback_cred_create_shared((void*)shared_cb, this);
+       this->cred = callback_cred_create_shared(shared_cb, this);
 
        return &this->public;
 }
index 66422bab6e16b9cde823a92925f6f32f2d1e22f0..8f7c5fc2f58f84ea16697db37eca8fd47534484b 100644 (file)
@@ -88,7 +88,8 @@ METHOD(xauth_method_t, process_peer, status_t,
                                /* FALL */
                        case XAUTH_USER_PASSWORD:
                                shared = lib->credmgr->get_shared(lib->credmgr, type,
-                                                                                                 this->peer, this->server);
+                                                                                                 this->peer, this->server,
+                                                                                                 NULL);
                                if (!shared)
                                {
                                        DBG1(DBG_IKE, "no XAuth %s found for '%Y' - '%Y'",
@@ -177,7 +178,8 @@ METHOD(xauth_method_t, process_server, status_t,
        }
 
        enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
-                                                                               SHARED_EAP, this->server, this->peer);
+                                                                               SHARED_EAP, this->server, this->peer,
+                                                                               NULL);
        while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
        {
                if (chunk_equals_const(shared->get_key(shared), pass))
index fecbd3900c003fc6ed19f244b5ce645849ebd3d2..1a26ed12be4b39d8666899cc3dd456cfad8ff7fb 100644 (file)
@@ -116,7 +116,7 @@ static shared_key_t *find_shared_key(identification_t *my_id, host_t *me,
                other_id = any_id;
        }
        shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE,
-                                                                                 my_id, other_id);
+                                                                                 my_id, other_id, NULL);
        if (!shared_key)
        {
                DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]",
@@ -191,7 +191,7 @@ static shared_key_t *lookup_shared_key(private_phase1_t *this,
                if (my_id && other_id)
                {
                        shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE,
-                                                                                                 my_id, other_id);
+                                                                                                 my_id, other_id, NULL);
                }
                DESTROY_IF(my_id);
                DESTROY_IF(other_id);
index 76571e7028ae480b6abdb171186a6076d2567f98..93cba403ab53fba8100c95aaaf7a04ec8a3632c9 100644 (file)
@@ -78,7 +78,8 @@ METHOD(authenticator_t, build, status_t,
        other_id = this->ike_sa->get_other_id(this->ike_sa);
        DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
                 my_id, auth_method_names, AUTH_PSK);
-       key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, my_id, other_id);
+       key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, my_id, other_id,
+                                                                  NULL);
        if (!key)
        {
                DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
@@ -153,7 +154,7 @@ METHOD(authenticator_t, process, status_t,
        my_id = this->ike_sa->get_my_id(this->ike_sa);
        other_id = this->ike_sa->get_other_id(this->ike_sa);
        enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
-                                                                                               SHARED_IKE, my_id, other_id);
+                                                                                       SHARED_IKE, my_id, other_id, NULL);
        while (!authenticated && enumerator->enumerate(enumerator, &key, NULL, NULL))
        {
                keys_found++;
index 54f51d1ebcc66c3307a6b737630364a46a8b4e00..d38c6d217cda09bed5e451e345d21f55d8420b8a 100644 (file)
@@ -490,7 +490,7 @@ static bool get_ppk(private_ike_auth_t *this, identification_t *ppk_id)
 {
        shared_key_t *key;
 
-       key = lib->credmgr->get_shared(lib->credmgr, SHARED_PPK, ppk_id, NULL);
+       key = lib->credmgr->get_shared(lib->credmgr, SHARED_PPK, ppk_id, NULL, NULL);
        if (!key)
        {
                if (this->peer_cfg->ppk_required(this->peer_cfg))
index 477d2caae5ac9560fe4211aa67aeb85db28d124e..56fac1cc3c03e5b479a002593102f692372f3d64 100644 (file)
@@ -291,7 +291,7 @@ static bool send_use_ppk(private_ike_init_t *this)
        {
                /* check if we have at least one PPK available */
                keys = lib->credmgr->create_shared_enumerator(lib->credmgr, SHARED_PPK,
-                                                                                                         NULL, NULL);
+                                                                                                         NULL, NULL, NULL);
                if (keys->enumerate(keys, &key, NULL, NULL))
                {
                        use_ppk = TRUE;
index b2d30e68074128cbbb16c71a984c9b24334fd6de..ae193f5b04d4db35fa407db2d5d9125ef4acbd84 100644 (file)
@@ -80,7 +80,7 @@ METHOD(sasl_mechanism_t, process_server, status_t,
        DESTROY_IF(this->client);
        this->client = identification_create_from_data(authi);
        shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, this->client,
-                                                                         NULL);
+                                                                         NULL, NULL);
        if (!shared)
        {
                DBG1(DBG_CFG, "no shared secret found for '%Y'", this->client);
@@ -106,7 +106,7 @@ METHOD(sasl_mechanism_t, build_client, status_t,
 
        /* we currently use the EAP type of shared secret */
        shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP,
-                                                                         this->client, NULL);
+                                                                         this->client, NULL, NULL);
        if (!shared)
        {
                DBG1(DBG_CFG, "no shared secret found for %Y", this->client);
index 3be0190a1f1a5f5f551101804a31c51212711c0c..66ffa25c51cc63852b69353c980c0f5b48dd5758 100644 (file)
@@ -123,6 +123,7 @@ typedef struct {
        shared_key_type_t type;
        identification_t *me;
        identification_t *other;
+       char *msg;
 } shared_data_t;
 
 /** enumerator over local and global sets */
@@ -376,6 +377,7 @@ static private_key_t* get_private_by_keyid(private_credential_manager_t *this,
 static void destroy_shared_data(shared_data_t *data)
 {
        data->this->lock->unlock(data->this->lock);
+       free(data->msg);
        free(data);
 }
 
@@ -384,12 +386,13 @@ static void destroy_shared_data(shared_data_t *data)
  */
 static enumerator_t *create_shared(credential_set_t *set, shared_data_t *data)
 {
-       return set->create_shared_enumerator(set, data->type, data->me, data->other);
+       return set->create_shared_enumerator(set, data->type, data->me, data->other,
+                                                                                data->msg);
 }
 
 METHOD(credential_manager_t, create_shared_enumerator, enumerator_t*,
        private_credential_manager_t *this, shared_key_type_t type,
-       identification_t *me, identification_t *other)
+       identification_t *me, identification_t *other, const char *msg)
 {
        shared_data_t *data;
 
@@ -398,6 +401,7 @@ METHOD(credential_manager_t, create_shared_enumerator, enumerator_t*,
                .type = type,
                .me = me,
                .other = other,
+               .msg = strdupnull(msg),
        );
        this->lock->read_lock(this->lock);
        return enumerator_create_nested(create_sets_enumerator(this),
@@ -407,14 +411,14 @@ METHOD(credential_manager_t, create_shared_enumerator, enumerator_t*,
 
 METHOD(credential_manager_t, get_shared, shared_key_t*,
        private_credential_manager_t *this, shared_key_type_t type,
-       identification_t *me, identification_t *other)
+       identification_t *me, identification_t *other, const char *msg)
 {
        shared_key_t *current, *found = NULL;
        id_match_t best_me = ID_MATCH_NONE, best_other = ID_MATCH_NONE;
        id_match_t match_me, match_other;
        enumerator_t *enumerator;
 
-       enumerator = create_shared_enumerator(this, type, me, other);
+       enumerator = create_shared_enumerator(this, type, me, other, msg);
        while (enumerator->enumerate(enumerator, &current, &match_me, &match_other))
        {
                if (match_other > best_other ||
index a9947dcbc4754a11dd013e89b547f884ca72e2fb..0cb7e109516b3643da9e0c7b881d13592385d951 100644 (file)
@@ -119,14 +119,19 @@ struct credential_manager_t {
         *  shared_key_t*, id_match_t me, id_match_t other
         * But must accept values for the id_matches.
         *
+        * @note The optional message should be a simple text that has been
+        * sanitized and does not end with e.g. ":".
+        *
         * @param type          kind of requested shared key
         * @param first         first subject between key is shared
         * @param second        second subject between key is shared
+        * @param msg           optional message that could be displayed to a user
         * @return                      enumerator over (shared_key_t*,id_match_t,id_match_t)
         */
        enumerator_t *(*create_shared_enumerator)(credential_manager_t *this,
                                                                shared_key_type_t type,
-                                                               identification_t *first, identification_t *second);
+                                                               identification_t *first, identification_t *second,
+                                                               const char *msg);
        /**
         * Create an enumerator over all Certificate Distribution Points.
         *
@@ -151,13 +156,18 @@ struct credential_manager_t {
        /**
         * Get the best matching shared key for two IDs.
         *
+        * @note The optional message should be a simple text that has been
+        * sanitized and does not end with e.g. ":".
+        *
         * @param type          kind of requested shared key
         * @param me            own identity
         * @param other         peer identity
+        * @param msg           optional message that could be displayed to a user
         * @return                      shared_key_t, NULL if none found
         */
        shared_key_t *(*get_shared)(credential_manager_t *this, shared_key_type_t type,
-                                                               identification_t *me, identification_t *other);
+                                                               identification_t *me, identification_t *other,
+                                                               const char *msg);
        /**
         * Get a private key to create a signature.
         *
index 9c4db704fe45503daadffb24e7ee6726ec7518c2..9f775331c81fd47e497c6ebc1ab3b4569eb76cb8 100644 (file)
@@ -78,11 +78,13 @@ struct credential_set_t {
         * @param type          kind of requested shared key
         * @param me            own identity
         * @param other         other identity who owns that secret
+        * @param msg           optional message that could be displayed to a user
         * @return                      enumerator as described above
         */
        enumerator_t *(*create_shared_enumerator)(credential_set_t *this,
                                                shared_key_type_t type,
-                                               identification_t *me, identification_t *other);
+                                               identification_t *me, identification_t *other,
+                                               const char *msg);
 
        /**
         * Create an enumerator over certificate distribution points.
index 0d72452da60a590d4639d9e47dc77e3d450c1355..cc456f48552de6267b8b2e8104fd84482a1ea1e6 100644 (file)
@@ -55,6 +55,8 @@ typedef struct {
        identification_t *me;
        /* other identity to match */
        identification_t *other;
+       /* optional msg */
+       char *msg;
        /* current shared key */
        shared_key_t *current;
 } shared_enumerator_t;
@@ -68,7 +70,8 @@ METHOD(enumerator_t, shared_enumerate, bool,
        VA_ARGS_VGET(args, out, match_me, match_other);
        DESTROY_IF(this->current);
        this->current = this->this->cb.shared(this->this->data, this->type,
-                                                               this->me, this->other, match_me, match_other);
+                                                               this->me, this->other, this->msg, match_me,
+                                                               match_other);
        if (this->current)
        {
                *out = this->current;
@@ -81,12 +84,13 @@ METHOD(enumerator_t, shared_destroy, void,
        shared_enumerator_t *this)
 {
        DESTROY_IF(this->current);
+       free(this->msg);
        free(this);
 }
 
 METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
        private_callback_cred_t *this, shared_key_type_t type,
-       identification_t *me, identification_t *other)
+       identification_t *me, identification_t *other, const char *msg)
 {
        shared_enumerator_t *enumerator;
 
@@ -100,6 +104,7 @@ METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
                .type = type,
                .me = me,
                .other = other,
+               .msg = strdupnull(msg),
        );
        return &enumerator->public;
 }
index ea5dafb024b047888f945a51127528761de03fd6..72ccb1ee315930c394ea5d188c0a25792d54788a 100644 (file)
@@ -31,13 +31,15 @@ typedef struct callback_cred_t callback_cred_t;
  * @param type                 type of requested shared key
  * @param me                   own identity
  * @param other                        other identity
+ * @param msg                  optional message that could be displayed to a user
  * @param match_me             match result of own identity
  * @param match_other  match result of other identity
  */
 typedef shared_key_t* (*callback_cred_shared_cb_t)(
                                                                void *data, shared_key_type_t type,
                                                                identification_t *me, identification_t *other,
-                                                               id_match_t *match_me, id_match_t *match_other);
+                                                               const char *msg, id_match_t *match_me,
+                                                               id_match_t *match_other);
 
 /**
  * Generic callback using user specified callback functions.
index 0a4d512d2a4cd6c8d3bde9f10fb35a44c3662060..21f1160a063f479f20e7ff38bc31f20e259577d8 100644 (file)
@@ -522,7 +522,7 @@ CALLBACK(shared_filter, bool,
 
 METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
        private_mem_cred_t *this, shared_key_type_t type,
-       identification_t *me, identification_t *other)
+       identification_t *me, identification_t *other, const char *msg)
 {
        shared_data_t *data;
 
index c59c77b5bfd4ec8a1db0999e9dba0d0d60ef6947..ffc40576e0f769ddfaf305545b1b995256d1945a 100644 (file)
@@ -153,7 +153,7 @@ static bool decrypt_and_unpack(private_pkcs12_t *this)
        bool success = FALSE;
 
        enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
-                                                                               SHARED_PRIVATE_KEY_PASS, NULL, NULL);
+                                                                       SHARED_PRIVATE_KEY_PASS, NULL, NULL, NULL);
        while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
        {
                key = shared->get_key(shared);
index 851d029dde2e205594353c8872504aac343869f0..1a3373bba5c19e02493996f4787a3d1ea9e402ac 100644 (file)
@@ -343,8 +343,8 @@ static bool login(ENGINE *engine, chunk_t keyid)
        bool found = FALSE, success = FALSE;
 
        id = identification_create_from_encoding(ID_KEY_ID, keyid);
-       enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
-                                                                                                               SHARED_PIN, id, NULL);
+       enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, SHARED_PIN,
+                                                                                                               id, NULL, NULL);
        while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
        {
                found = TRUE;
index 3b84eb7eaf5daae79745da7d27a982409d687027..9e42d4baf601bb5451de0769acc90c2c647c9f37 100644 (file)
@@ -341,7 +341,7 @@ static status_t pem_to_bin(chunk_t *blob, bool *pgp)
        }
 
        enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
-                                                                                       SHARED_PRIVATE_KEY_PASS, NULL, NULL);
+                                                                       SHARED_PRIVATE_KEY_PASS, NULL, NULL, NULL);
        while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
        {
                chunk_t passphrase, chunk;
index 6b8be62658c2bf522122597f1bfdbcf5ba32f0f5..06aad9467b49d26601b73e1b7818079e383b40bb 100644 (file)
@@ -252,7 +252,7 @@ static bool reauth(private_pkcs11_private_key_t *this,
        bool found = FALSE, success = FALSE;
 
        enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
-                                                                                               SHARED_PIN, this->keyid, NULL);
+                                                                                       SHARED_PIN, this->keyid, NULL, NULL);
        while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
        {
                found = TRUE;
@@ -755,7 +755,7 @@ static bool login(private_pkcs11_private_key_t *this, int slot)
        }
 
        enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
-                                                                                               SHARED_PIN, this->keyid, NULL);
+                                                                                       SHARED_PIN, this->keyid, NULL, NULL);
        while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
        {
                found = TRUE;
index a20c05e9169e2d563f9b231bd3e6b5ada852fbe0..7db7a39db95fd8286b66e9b864ebd497a544af0d 100644 (file)
@@ -343,7 +343,7 @@ static bool verify_mac(hash_algorithm_t hash, chunk_t salt,
        calculated = chunk_alloca(signer->get_block_size(signer));
 
        enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
-                                                                               SHARED_PRIVATE_KEY_PASS, NULL, NULL);
+                                                                       SHARED_PRIVATE_KEY_PASS, NULL, NULL, NULL);
        while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
        {
                if (!pkcs12_derive_key(hash, shared->get_key(shared), salt, iterations,
index 0eb57619cc27bebb86bacd03800aa6891899b6f9..e5390063c4a11711b2aa6b80b0fb950020868ea0 100644 (file)
@@ -54,7 +54,7 @@ static bool decrypt(pkcs5_t *pkcs5, chunk_t data, chunk_t *decrypted)
        bool success = FALSE;
 
        enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
-                                                                               SHARED_PRIVATE_KEY_PASS, NULL, NULL);
+                                                                       SHARED_PRIVATE_KEY_PASS, NULL, NULL, NULL);
        while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
        {
                if (pkcs5->decrypt(pkcs5, shared->get_key(shared), data, decrypted))
index 22b7829a490e9c41bc2afdebf7a43d4ab0a4afec..aec5f3425e3109e3832fd5e9242edfb85ebe0955 100644 (file)
@@ -130,7 +130,7 @@ static private_key_t *decrypt_private_key(pkcs5_t *pkcs5, chunk_t blob)
        private_key_t *private_key = NULL;
 
        enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
-                                                                               SHARED_PRIVATE_KEY_PASS, NULL, NULL);
+                                                                       SHARED_PRIVATE_KEY_PASS, NULL, NULL, NULL);
        while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
        {
                chunk_t decrypted;
index d946fbe56716d6c14081326089a1ca5bc381f125..78fb500de394178a0ec1e9def08f208be0ad9ad7 100644 (file)
@@ -92,7 +92,7 @@ METHOD(private_key_t, sign, bool,
 
        /* check for optional PIN */
        enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
-                                                                               SHARED_PIN, this->keyid, NULL);
+                                                                               SHARED_PIN, this->keyid, NULL, NULL);
        if (enumerator->enumerate(enumerator, &shared, NULL, NULL))
        {
                pin = shared->get_key(shared);
index bb6b278d46b477d13a9f8ee1ebc240d077a38fc6..d9e7a81f74b2e40904ee69dc568a475140e193e9 100644 (file)
@@ -355,9 +355,10 @@ static shared_key_type_t prompted;
 /**
  * Callback function to receive credentials
  */
-static shared_key_t* cb(void *data, shared_key_type_t type,
-                                               identification_t *me, identification_t *other,
-                                               id_match_t *match_me, id_match_t *match_other)
+CALLBACK(cb, shared_key_t*,
+       void *data, shared_key_type_t type, identification_t *me,
+       identification_t *other, const char *msg, id_match_t *match_me,
+       id_match_t *match_other)
 {
        char buf[64], *label, *secret = NULL;
        shared_key_t *shared;
index 2c1947dd1eaddf6fc386c2bb1bd76a098c285f8a..717730199ec78d69001e9340b8eef45ac76cc339 100644 (file)
@@ -223,13 +223,10 @@ typedef struct {
        mem_cred_t *cache;
 } cb_data_t;
 
-/**
- * Callback function to prompt for private key passwords
- */
 CALLBACK(password_cb, shared_key_t*,
-       cb_data_t *data, shared_key_type_t type,
-       identification_t *me, identification_t *other,
-       id_match_t *match_me, id_match_t *match_other)
+       cb_data_t *data, shared_key_type_t type, identification_t *me,
+       identification_t *other, const char *msg, id_match_t *match_me,
+       id_match_t *match_other)
 {
        shared_key_t *shared;
        char *pwd = NULL;