From: Tobias Brunner Date: Fri, 19 Feb 2021 08:38:40 +0000 (+0100) Subject: credentials: Add optional message when retrieving shared secrets X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a9ff2025e50b57eebbdf05ac4050fec6d2f1c8d4;p=thirdparty%2Fstrongswan.git credentials: Add optional message when retrieving shared secrets This allows plugins to provide a message that could be displayed to users when prompting for passwords. --- diff --git a/src/charon-cmd/cmd/cmd_creds.c b/src/charon-cmd/cmd/cmd_creds.c index b440cf8772..8ae918208f 100644 --- a/src/charon-cmd/cmd/cmd_creds.c +++ b/src/charon-cmd/cmd/cmd_creds.c @@ -63,13 +63,10 @@ struct private_cmd_creds_t { char *identity; }; -/** - * Callback function to prompt for secret - */ -static shared_key_t* callback_shared(private_cmd_creds_t *this, - shared_key_type_t type, - identification_t *me, identification_t *other, - id_match_t *match_me, id_match_t *match_other) +CALLBACK(callback_shared, shared_key_t*, + private_cmd_creds_t *this, shared_key_type_t type, identification_t *me, + identification_t *other, const char *msg, id_match_t *match_me, + id_match_t *match_other) { shared_key_t *shared; char *label, *pwd = NULL; @@ -288,7 +285,7 @@ cmd_creds_t *cmd_creds_create() .creds = mem_cred_create(), .prompted = SHARED_ANY, ); - this->cb = callback_cred_create_shared((void*)callback_shared, this); + this->cb = callback_cred_create_shared(callback_shared, this); lib->credmgr->add_set(lib->credmgr, &this->creds->set); lib->credmgr->add_set(lib->credmgr, &this->cb->set); diff --git a/src/charon-nm/nm/nm_creds.c b/src/charon-nm/nm/nm_creds.c index 2660d6f5a4..529d49dd09 100644 --- a/src/charon-nm/nm/nm_creds.c +++ b/src/charon-nm/nm/nm_creds.c 
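Review bot: The `/** Callback function to prompt for secret */` header on `callback_shared` in cmd_creds.c is deleted along with the old prototype rather than carried over to the new `CALLBACK(...)` form, so the function loses its only documentation; the same happens to `shared_cb` in xauth_eap.c (`/** Callback credential set function */`) and to `password_cb` in swanctl/commands/load_creds.c (`/** Callback function to prompt for private key passwords */`). Keeping the comment above the macro, e.g. `/** Callback function to prompt for secret (msg, if given, is shown to the user) */`, costs nothing and the CALLBACK form in pki.c and stroke_cred.c keeps its comment. The callback body continues outside the hunk, so whether `msg` is used there cannot be seen here; if it is printed, it should go through a `"%s"` conversion rather than as a format string, since it originates from plugin code.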
@@ -270,7 +270,7 @@ METHOD(enumerator_t, shared_destroy, void, METHOD(credential_set_t, create_shared_enumerator, enumerator_t*, private_nm_creds_t *this, shared_key_type_t type, identification_t *me, - identification_t *other) + identification_t *other, const char *msg) { shared_enumerator_t *enumerator; chunk_t key; diff --git a/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_creds.c b/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_creds.c index 5421dcae08..b067bd3148 100644 --- a/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_creds.c +++ b/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_creds.c @@ -249,10 +249,10 @@ METHOD(android_creds_t, add_username_password, void, METHOD(credential_set_t, create_shared_enumerator, enumerator_t*, private_android_creds_t *this, shared_key_type_t type, - identification_t *me, identification_t *other) + identification_t *me, identification_t *other, const char *msg) { return this->creds->set.create_shared_enumerator(&this->creds->set, - type, me, other); + type, me, other, msg); } METHOD(android_creds_t, load_user_certificate, certificate_t*, diff --git a/src/frontends/osx/charon-xpc/xpc_channels.c b/src/frontends/osx/charon-xpc/xpc_channels.c index d013e752b6..e8d8fcb4ec 100644 --- a/src/frontends/osx/charon-xpc/xpc_channels.c +++ b/src/frontends/osx/charon-xpc/xpc_channels.c 
@@ -458,10 +458,10 @@ static shared_key_t *query_password(xpc_connection_t conn, identification_t *id) /** * Password query callback */ -static shared_key_t* password_cb(private_xpc_channels_t *this, - shared_key_type_t type, - identification_t *me, identification_t *other, - id_match_t *match_me, id_match_t *match_other) +CALLBACK(password_cb, shared_key_t*, + private_xpc_channels_t *this, shared_key_type_t type, identification_t *me, + identification_t *other, const char *msg, id_match_t *match_me, + id_match_t *match_other) { shared_key_t *shared = NULL; ike_sa_t *ike_sa; @@ -537,8 +537,7 @@ xpc_channels_t *xpc_channels_create() .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), ); - this->creds = callback_cred_create_shared( - (callback_cred_shared_cb_t)password_cb, this); + this->creds = callback_cred_create_shared(password_cb, this); lib->credmgr->add_set(lib->credmgr, &this->creds->set); return &this->public; diff --git a/src/libcharon/plugins/eap_aka_3gpp/eap_aka_3gpp_functions.c b/src/libcharon/plugins/eap_aka_3gpp/eap_aka_3gpp_functions.c index d017d2c996..68e74790f1 100644 --- a/src/libcharon/plugins/eap_aka_3gpp/eap_aka_3gpp_functions.c +++ b/src/libcharon/plugins/eap_aka_3gpp/eap_aka_3gpp_functions.c @@ -69,7 +69,7 @@ bool eap_aka_3gpp_get_k_opc(identification_t *id, uint8_t k[AKA_K_LEN], shared_key_t *shared; chunk_t key; - shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL); + shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL, NULL); if (!shared) { return FALSE; diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c index 414c5f0588..394616eea8 100644 --- a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c +++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c 
@@ -52,7 +52,7 @@ bool eap_aka_3gpp2_get_k(identification_t *id, char k[AKA_K_LEN]) shared_key_t *shared; chunk_t key; - shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL); + shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL, NULL); if (shared == NULL) { return FALSE; diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.c b/src/libcharon/plugins/eap_gtc/eap_gtc.c index 95ba090b79..e085631a28 100644 --- a/src/libcharon/plugins/eap_gtc/eap_gtc.c +++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c @@ -102,7 +102,7 @@ METHOD(eap_method_t, process_peer, status_t, size_t len; shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, - this->peer, this->server); + this->peer, this->server, NULL); if (shared == NULL) { DBG1(DBG_IKE, "no EAP key found for '%Y' - '%Y'", diff --git a/src/libcharon/plugins/eap_md5/eap_md5.c b/src/libcharon/plugins/eap_md5/eap_md5.c index ab5f7ff6a8..5748f50beb 100644 --- a/src/libcharon/plugins/eap_md5/eap_md5.c +++ b/src/libcharon/plugins/eap_md5/eap_md5.c @@ -85,7 +85,7 @@ static status_t hash_challenge(private_eap_md5_t *this, chunk_t *response, chunk_t concat; hasher_t *hasher; - shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, me, other); + shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, me, other, NULL); if (shared == NULL) { DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'", me, other); diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c index 0c33f39f3f..f3e7cd30b0 100644 --- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c +++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c 
@@ -757,7 +757,8 @@ static bool get_nt_hash(private_eap_mschapv2_t *this, identification_t *me, chunk_t password; /* try to find a stored NT_HASH first */ - shared = lib->credmgr->get_shared(lib->credmgr, SHARED_NT_HASH, me, other); + shared = lib->credmgr->get_shared(lib->credmgr, SHARED_NT_HASH, me, other, + NULL); if (shared ) { *nt_hash = chunk_clone(shared->get_key(shared)); @@ -766,7 +767,7 @@ static bool get_nt_hash(private_eap_mschapv2_t *this, identification_t *me, } /* fallback to plaintext password */ - shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, me, other); + shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, me, other, NULL); if (shared) { password = utf8_to_utf16le(shared->get_key(shared)); diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c index ce9505c2b0..5d76ace695 100644 --- a/src/libcharon/plugins/ha/ha_tunnel.c +++ b/src/libcharon/plugins/ha/ha_tunnel.c @@ -138,7 +138,7 @@ METHOD(enumerator_t, shared_enumerate, bool, METHOD(ha_creds_t, create_shared_enumerator, enumerator_t*, ha_creds_t *this, shared_key_type_t type, - identification_t *me, identification_t *other) + identification_t *me, identification_t *other, const char *msg) { shared_enum_t *enumerator; diff --git a/src/libcharon/plugins/load_tester/load_tester_creds.c b/src/libcharon/plugins/load_tester/load_tester_creds.c index 827d0b326a..803db9d6f0 100644 --- a/src/libcharon/plugins/load_tester/load_tester_creds.c +++ b/src/libcharon/plugins/load_tester/load_tester_creds.c @@ -428,7 +428,7 @@ CALLBACK(shared_filter, bool, METHOD(credential_set_t, create_shared_enumerator, enumerator_t*, private_load_tester_creds_t *this, shared_key_type_t type, - identification_t *me, identification_t *other) + identification_t *me, identification_t *other, const char *msg) { shared_key_t *shared; diff --git a/src/libcharon/plugins/sql/sql_cred.c b/src/libcharon/plugins/sql/sql_cred.c index f86252a768..7a051cf9bc 100644 
--- a/src/libcharon/plugins/sql/sql_cred.c +++ b/src/libcharon/plugins/sql/sql_cred.c @@ -271,7 +271,7 @@ METHOD(enumerator_t, shared_enumerator_destroy, void, METHOD(credential_set_t, create_shared_enumerator, enumerator_t*, private_sql_cred_t *this, shared_key_type_t type, - identification_t *me, identification_t *other) + identification_t *me, identification_t *other, const char *msg) { shared_enumerator_t *e; bool me_defined, other_defined; diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c index 7fc95657ed..39511bbec3 100644 --- a/src/libcharon/plugins/stroke/stroke_cred.c +++ b/src/libcharon/plugins/stroke/stroke_cred.c @@ -690,10 +690,10 @@ typedef struct { /** * Callback function to receive passphrases */ -static shared_key_t* passphrase_cb(passphrase_cb_data_t *data, - shared_key_type_t type, identification_t *me, - identification_t *other, id_match_t *match_me, - id_match_t *match_other) +CALLBACK(passphrase_cb, shared_key_t*, + passphrase_cb_data_t *data, shared_key_type_t type, identification_t *me, + identification_t *other, const char *msg, id_match_t *match_me, + id_match_t *match_other) { static const int max_tries = 3; shared_key_t *shared; @@ -765,9 +765,10 @@ typedef struct { /** * Callback function to receive PINs */ -static shared_key_t* pin_cb(pin_cb_data_t *data, shared_key_type_t type, - identification_t *me, identification_t *other, - id_match_t *match_me, id_match_t *match_other) +CALLBACK(pin_cb, shared_key_t*, + pin_cb_data_t *data, shared_key_type_t type, identification_t *me, + identification_t *other, const char *msg, id_match_t *match_me, + id_match_t *match_other) { chunk_t secret; char buf[256]; 
@@ -880,7 +881,7 @@ static bool load_pin(mem_cred_t *secrets, chunk_t line, int line_nr, .card = smartcard, .keyid = chunk, }; - cb = callback_cred_create_shared((void*)pin_cb, &pin_data); + cb = callback_cred_create_shared(pin_cb, &pin_data); lib->credmgr->add_local_set(lib->credmgr, &cb->set, FALSE); } else @@ -999,7 +1000,7 @@ static bool load_from_file(chunk_t line, int line_nr, FILE *prompt, pp_data.cache = mem_cred_create(); lib->credmgr->add_local_set(lib->credmgr, &pp_data.cache->set, FALSE); /* use callback credential set to prompt for the passphrase */ - cb = callback_cred_create_shared((void*)passphrase_cb, &pp_data); + cb = callback_cred_create_shared(passphrase_cb, &pp_data); lib->credmgr->add_local_set(lib->credmgr, &cb->set, FALSE); *result = lib->creds->create(lib->creds, type, subtype, diff --git a/src/libcharon/plugins/uci/uci_creds.c b/src/libcharon/plugins/uci/uci_creds.c index c6de4756d1..1990bb0f78 100644 --- a/src/libcharon/plugins/uci/uci_creds.c +++ b/src/libcharon/plugins/uci/uci_creds.c @@ -118,7 +118,7 @@ METHOD(enumerator_t, shared_enumerator_destroy, void, METHOD(credential_set_t, create_shared_enumerator, enumerator_t*, private_uci_creds_t *this, shared_key_type_t type, - identification_t *me, identification_t *other) + identification_t *me, identification_t *other, const char *msg) { shared_enumerator_t *e; diff --git a/src/libcharon/plugins/xauth_eap/xauth_eap.c b/src/libcharon/plugins/xauth_eap/xauth_eap.c index 9e103be1c6..2cf183b622 100644 --- a/src/libcharon/plugins/xauth_eap/xauth_eap.c +++ b/src/libcharon/plugins/xauth_eap/xauth_eap.c 
@@ -53,12 +53,10 @@ struct private_xauth_eap_t { chunk_t pass; }; -/** - * Callback credential set function - */ -static shared_key_t* shared_cb(private_xauth_eap_t *this, shared_key_type_t type, - identification_t *me, identification_t *other, - id_match_t *match_me, id_match_t *match_other) +CALLBACK(shared_cb, shared_key_t*, + private_xauth_eap_t *this, shared_key_type_t type, identification_t *me, + identification_t *other, const char *msg, id_match_t *match_me, + id_match_t *match_other) { shared_key_t *shared; @@ -283,7 +281,7 @@ xauth_eap_t *xauth_eap_create_server(identification_t *server, .peer = peer->clone(peer), ); - this->cred = callback_cred_create_shared((void*)shared_cb, this); + this->cred = callback_cred_create_shared(shared_cb, this); return &this->public; } diff --git a/src/libcharon/plugins/xauth_generic/xauth_generic.c b/src/libcharon/plugins/xauth_generic/xauth_generic.c index 66422bab6e..8f7c5fc2f5 100644 --- a/src/libcharon/plugins/xauth_generic/xauth_generic.c +++ b/src/libcharon/plugins/xauth_generic/xauth_generic.c @@ -88,7 +88,8 @@ METHOD(xauth_method_t, process_peer, status_t, /* FALL */ case XAUTH_USER_PASSWORD: shared = lib->credmgr->get_shared(lib->credmgr, type, - this->peer, this->server); + this->peer, this->server, + NULL); if (!shared) { DBG1(DBG_IKE, "no XAuth %s found for '%Y' - '%Y'", @@ -177,7 +178,8 @@ METHOD(xauth_method_t, process_server, status_t, } enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, - SHARED_EAP, this->server, this->peer); + SHARED_EAP, this->server, this->peer, + NULL); while (enumerator->enumerate(enumerator, &shared, NULL, NULL)) { if (chunk_equals_const(shared->get_key(shared), pass)) diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c index fecbd3900c..1a26ed12be 100644 --- a/src/libcharon/sa/ikev1/phase1.c +++ b/src/libcharon/sa/ikev1/phase1.c 
@@ -116,7 +116,7 @@ static shared_key_t *find_shared_key(identification_t *my_id, host_t *me, other_id = any_id; } shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, - my_id, other_id); + my_id, other_id, NULL); if (!shared_key) { DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]", @@ -191,7 +191,7 @@ static shared_key_t *lookup_shared_key(private_phase1_t *this, if (my_id && other_id) { shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, - my_id, other_id); + my_id, other_id, NULL); } DESTROY_IF(my_id); DESTROY_IF(other_id); diff --git a/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c index 76571e7028..93cba403ab 100644 --- a/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c @@ -78,7 +78,8 @@ METHOD(authenticator_t, build, status_t, other_id = this->ike_sa->get_other_id(this->ike_sa); DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N", my_id, auth_method_names, AUTH_PSK); - key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, my_id, other_id); + key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, my_id, other_id, + NULL); if (!key) { DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id); @@ -153,7 +154,7 @@ METHOD(authenticator_t, process, status_t, my_id = this->ike_sa->get_my_id(this->ike_sa); other_id = this->ike_sa->get_other_id(this->ike_sa); enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, - SHARED_IKE, my_id, other_id); + SHARED_IKE, my_id, other_id, NULL); while (!authenticated && enumerator->enumerate(enumerator, &key, NULL, NULL)) { keys_found++; diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c index 54f51d1ebc..d38c6d217c 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_auth.c +++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c 
@@ -490,7 +490,7 @@ static bool get_ppk(private_ike_auth_t *this, identification_t *ppk_id) { shared_key_t *key; - key = lib->credmgr->get_shared(lib->credmgr, SHARED_PPK, ppk_id, NULL); + key = lib->credmgr->get_shared(lib->credmgr, SHARED_PPK, ppk_id, NULL, NULL); if (!key) { if (this->peer_cfg->ppk_required(this->peer_cfg)) diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c index 477d2caae5..56fac1cc3c 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_init.c +++ b/src/libcharon/sa/ikev2/tasks/ike_init.c @@ -291,7 +291,7 @@ static bool send_use_ppk(private_ike_init_t *this) { /* check if we have at least one PPK available */ keys = lib->credmgr->create_shared_enumerator(lib->credmgr, SHARED_PPK, - NULL, NULL); + NULL, NULL, NULL); if (keys->enumerate(keys, &key, NULL, NULL)) { use_ppk = TRUE; diff --git a/src/libpttls/sasl/sasl_plain/sasl_plain.c b/src/libpttls/sasl/sasl_plain/sasl_plain.c index b2d30e6807..ae193f5b04 100644 --- a/src/libpttls/sasl/sasl_plain/sasl_plain.c +++ b/src/libpttls/sasl/sasl_plain/sasl_plain.c @@ -80,7 +80,7 @@ METHOD(sasl_mechanism_t, process_server, status_t, DESTROY_IF(this->client); this->client = identification_create_from_data(authi); shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, this->client, - NULL); + NULL, NULL); if (!shared) { DBG1(DBG_CFG, "no shared secret found for '%Y'", this->client); @@ -106,7 +106,7 @@ METHOD(sasl_mechanism_t, build_client, status_t, /* we currently use the EAP type of shared secret */ shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, - this->client, NULL); + this->client, NULL, NULL); if (!shared) { DBG1(DBG_CFG, "no shared secret found for %Y", this->client); diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c index 3be0190a1f..66ffa25c51 100644 --- a/src/libstrongswan/credentials/credential_manager.c +++ b/src/libstrongswan/credentials/credential_manager.c 
@@ -123,6 +123,7 @@ typedef struct {
 shared_key_type_t type;
 identification_t *me;
 identification_t *other;
+ char *msg;
 } shared_data_t;
 /** enumerator over local and global sets */
@@ -376,6 +377,7 @@ static private_key_t* get_private_by_keyid(private_credential_manager_t *this,
 static void destroy_shared_data(shared_data_t *data)
 {
 data->this->lock->unlock(data->this->lock);
+ free(data->msg);
 free(data);
 }
@@ -384,12 +386,13 @@ static void destroy_shared_data(shared_data_t *data)
 */
 static enumerator_t *create_shared(credential_set_t *set, shared_data_t *data)
 {
- return set->create_shared_enumerator(set, data->type, data->me, data->other);
+ return set->create_shared_enumerator(set, data->type, data->me, data->other,
+ data->msg);
 }
 METHOD(credential_manager_t, create_shared_enumerator, enumerator_t*,
 private_credential_manager_t *this, shared_key_type_t type,
- identification_t *me, identification_t *other)
+ identification_t *me, identification_t *other, const char *msg)
 {
 shared_data_t *data;
@@ -398,6 +401,7 @@ METHOD(credential_manager_t, create_shared_enumerator, enumerator_t*,
 .type = type,
 .me = me,
 .other = other,
+ .msg = strdupnull(msg),
 );
 this->lock->read_lock(this->lock);
 return enumerator_create_nested(create_sets_enumerator(this),
@@ -407,14 +411,14 @@ METHOD(credential_manager_t, create_shared_enumerator, enumerator_t*,
 METHOD(credential_manager_t, get_shared, shared_key_t*,
 private_credential_manager_t *this, shared_key_type_t type,
- identification_t *me, identification_t *other)
+ identification_t *me, identification_t *other, const char *msg)
 {
 shared_key_t *current, *found = NULL;
 id_match_t best_me = ID_MATCH_NONE, best_other = ID_MATCH_NONE;
 id_match_t match_me, match_other;
 enumerator_t *enumerator;
- enumerator = create_shared_enumerator(this, type, me, other);
+ enumerator = create_shared_enumerator(this, type, me, other, msg);
 while (enumerator->enumerate(enumerator, ¤t, &match_me, &match_other))
 {
 if (match_other > best_other ||
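Review bot: The sanitization that credential_manager.h asks of callers ("a simple text that has been sanitized") is not checked anywhere on this path: `create_shared_enumerator` copies the string with `.msg = strdupnull(msg),` and `create_shared` forwards it verbatim to every registered credential set, from where a prompting callback will eventually write it to a terminal or GUI. A single check at this choke point, such as a small static helper used in place of the bare `strdupnull(msg)` that returns NULL (or a stripped copy) when the message contains control characters, would make the documented property hold for all plugins instead of relying on each of them. Independently of that, the new `char *msg;` member of `shared_data_t` should carry a comment stating that it is an owned copy released in `destroy_shared_data`, since the neighbouring `me`/`other` pointers are borrowed. The body of `create_shared_enumerator` is split across the `@@ -384` and `@@ -398` hunks, so the struct initialisation is only partly visible.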
diff --git a/src/libstrongswan/credentials/credential_manager.h b/src/libstrongswan/credentials/credential_manager.h index a9947dcbc4..0cb7e10951 100644 --- a/src/libstrongswan/credentials/credential_manager.h +++ b/src/libstrongswan/credentials/credential_manager.h @@ -119,14 +119,19 @@ struct credential_manager_t { * shared_key_t*, id_match_t me, id_match_t other * But must accept values for the id_matches. * + * @note The optional message should be a simple text that has been + * sanitized and does not end with e.g. ":". + * * @param type kind of requested shared key * @param first first subject between key is shared * @param second second subject between key is shared + * @param msg optional message that could be displayed to a user * @return enumerator over (shared_key_t*,id_match_t,id_match_t) */ enumerator_t *(*create_shared_enumerator)(credential_manager_t *this, shared_key_type_t type, - identification_t *first, identification_t *second); + identification_t *first, identification_t *second, + const char *msg); /** * Create an enumerator over all Certificate Distribution Points. * @@ -151,13 +156,18 @@ struct credential_manager_t { /** * Get the best matching shared key for two IDs. * + * @note The optional message should be a simple text that has been + * sanitized and does not end with e.g. ":". + * * @param type kind of requested shared key * @param me own identity * @param other peer identity + * @param msg optional message that could be displayed to a user * @return shared_key_t, NULL if none found */ shared_key_t *(*get_shared)(credential_manager_t *this, shared_key_type_t type, - identification_t *me, identification_t *other); + identification_t *me, identification_t *other, + const char *msg); /** * Get a private key to create a signature. * diff --git a/src/libstrongswan/credentials/credential_set.h b/src/libstrongswan/credentials/credential_set.h index 9c4db704fe..9f775331c8 100644 --- a/src/libstrongswan/credentials/credential_set.h 
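Review bot: The new `@param msg` lines on `create_shared_enumerator` and `get_shared` describe what the message is for but not who owns it or whether it may be absent; the implementation copies it (`strdupnull(msg)` in credential_manager.c) and every call site converted by this commit passes NULL, so both facts are worth stating in the contract: `@param msg optional message that could be displayed to a user, NULL if none (copied, the caller keeps ownership)`. The `@note` about the text being sanitized could also name what is meant, e.g. no control or escape characters and no trailing punctuation, so that implementers of prompting callbacks and callers share the same expectation.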
+++ b/src/libstrongswan/credentials/credential_set.h
@@ -78,11 +78,13 @@ struct credential_set_t {
 * @param type kind of requested shared key
 * @param me own identity
 * @param other other identity who owns that secret
+ * @param msg optional message that could be displayed to a user
 * @return enumerator as described above
 */
 enumerator_t *(*create_shared_enumerator)(credential_set_t *this,
 shared_key_type_t type,
- identification_t *me, identification_t *other);
+ identification_t *me, identification_t *other,
+ const char *msg);
 /**
 * Create an enumerator over certificate distribution points.
diff --git a/src/libstrongswan/credentials/sets/callback_cred.c b/src/libstrongswan/credentials/sets/callback_cred.c
index 0d72452da6..cc456f4855 100644
--- a/src/libstrongswan/credentials/sets/callback_cred.c
+++ b/src/libstrongswan/credentials/sets/callback_cred.c
@@ -55,6 +55,8 @@ typedef struct {
 identification_t *me;
 /* other identity to match */
 identification_t *other;
+ /* optional msg */
+ char *msg;
 /* current shared key */
 shared_key_t *current;
 } shared_enumerator_t;
@@ -68,7 +70,8 @@ METHOD(enumerator_t, shared_enumerate, bool,
 VA_ARGS_VGET(args, out, match_me, match_other);
 DESTROY_IF(this->current);
 this->current = this->this->cb.shared(this->this->data, this->type,
- this->me, this->other, match_me, match_other);
+ this->me, this->other, this->msg, match_me,
+ match_other);
 if (this->current)
 {
 *out = this->current;
@@ -81,12 +84,13 @@ METHOD(enumerator_t, shared_destroy, void,
 shared_enumerator_t *this)
 {
 DESTROY_IF(this->current);
+ free(this->msg);
 free(this);
 }
 METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
 private_callback_cred_t *this, shared_key_type_t type,
- identification_t *me, identification_t *other)
+ identification_t *me, identification_t *other, const char *msg)
 {
 shared_enumerator_t *enumerator;
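Review bot: The comment `/* optional msg */` on the new `shared_enumerator_t` field in callback_cred.c is thinner than its neighbours (`/* other identity to match */`, `/* current shared key */`) and omits the one fact a maintainer needs, that unlike `me` and `other` this pointer is owned by the enumerator: `/* optional message to show when prompting, own copy freed in shared_destroy */`. The `shared_enumerate` hunk hands exactly this copy (`this->msg`) to the user callback, so the lifetime a callback may rely on is the enumerator's, which the comment should make explicit.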
@@ -100,6 +104,7 @@ METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
 .type = type,
 .me = me,
 .other = other,
+ .msg = strdupnull(msg),
 );
 return &enumerator->public;
 }
diff --git a/src/libstrongswan/credentials/sets/callback_cred.h b/src/libstrongswan/credentials/sets/callback_cred.h
index ea5dafb024..72ccb1ee31 100644
--- a/src/libstrongswan/credentials/sets/callback_cred.h
+++ b/src/libstrongswan/credentials/sets/callback_cred.h
@@ -31,13 +31,15 @@ typedef struct callback_cred_t callback_cred_t;
 * @param type type of requested shared key
 * @param me own identity
 * @param other other identity
+ * @param msg optional message that could be displayed to a user
 * @param match_me match result of own identity
 * @param match_other match result of other identity
 */
 typedef shared_key_t* (*callback_cred_shared_cb_t)(
 void *data, shared_key_type_t type,
 identification_t *me, identification_t *other,
- id_match_t *match_me, id_match_t *match_other);
+ const char *msg, id_match_t *match_me,
+ id_match_t *match_other);
 /**
 * Generic callback using user specified callback functions.
diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c
index 0a4d512d2a..21f1160a06 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.c
+++ b/src/libstrongswan/credentials/sets/mem_cred.c
@@ -522,7 +522,7 @@ CALLBACK(shared_filter, bool,
 METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
 private_mem_cred_t *this, shared_key_type_t type,
- identification_t *me, identification_t *other)
+ identification_t *me, identification_t *other, const char *msg)
 {
 shared_data_t *data;
diff --git a/src/libstrongswan/plugins/openssl/openssl_pkcs12.c b/src/libstrongswan/plugins/openssl/openssl_pkcs12.c
index c59c77b5bf..ffc40576e0 100644
--- a/src/libstrongswan/plugins/openssl/openssl_pkcs12.c
+++ b/src/libstrongswan/plugins/openssl/openssl_pkcs12.c
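Review bot: The `@param msg` added to `callback_cred_shared_cb_t` in callback_cred.h is the place where implementers of prompting callbacks look, yet it leaves out what they may assume about the argument: it can be NULL (every caller in this commit passes NULL and `strdupnull` preserves that), and the pointer is the enumerator's own copy, freed in `shared_destroy`, so it is only valid during the call. Suggest `@param msg optional message that could be displayed to a user, NULL if none; valid only during the callback, copy it if it must outlive the call`. Because the text originates in plugin code and is destined for output, the same comment could add that a callback must pass it as a `"%s"` argument and never as a format string.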
@@ -153,7 +153,7 @@ static bool decrypt_and_unpack(private_pkcs12_t *this) bool success = FALSE; enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, - SHARED_PRIVATE_KEY_PASS, NULL, NULL); + SHARED_PRIVATE_KEY_PASS, NULL, NULL, NULL); while (enumerator->enumerate(enumerator, &shared, NULL, NULL)) { key = shared->get_key(shared); diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c index 851d029dde..1a3373bba5 100644 --- a/src/libstrongswan/plugins/openssl/openssl_plugin.c +++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c @@ -343,8 +343,8 @@ static bool login(ENGINE *engine, chunk_t keyid) bool found = FALSE, success = FALSE; id = identification_create_from_encoding(ID_KEY_ID, keyid); - enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, - SHARED_PIN, id, NULL); + enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, SHARED_PIN, + id, NULL, NULL); while (enumerator->enumerate(enumerator, &shared, NULL, NULL)) { found = TRUE; diff --git a/src/libstrongswan/plugins/pem/pem_builder.c b/src/libstrongswan/plugins/pem/pem_builder.c index 3b84eb7eaf..9e42d4baf6 100644 --- a/src/libstrongswan/plugins/pem/pem_builder.c +++ b/src/libstrongswan/plugins/pem/pem_builder.c @@ -341,7 +341,7 @@ static status_t pem_to_bin(chunk_t *blob, bool *pgp) } enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, - SHARED_PRIVATE_KEY_PASS, NULL, NULL); + SHARED_PRIVATE_KEY_PASS, NULL, NULL, NULL); while (enumerator->enumerate(enumerator, &shared, NULL, NULL)) { chunk_t passphrase, chunk; diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c index 6b8be62658..06aad9467b 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c 
@@ -252,7 +252,7 @@ static bool reauth(private_pkcs11_private_key_t *this, bool found = FALSE, success = FALSE; enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, - SHARED_PIN, this->keyid, NULL); + SHARED_PIN, this->keyid, NULL, NULL); while (enumerator->enumerate(enumerator, &shared, NULL, NULL)) { found = TRUE; @@ -755,7 +755,7 @@ static bool login(private_pkcs11_private_key_t *this, int slot) } enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, - SHARED_PIN, this->keyid, NULL); + SHARED_PIN, this->keyid, NULL, NULL); while (enumerator->enumerate(enumerator, &shared, NULL, NULL)) { found = TRUE; diff --git a/src/libstrongswan/plugins/pkcs12/pkcs12_decode.c b/src/libstrongswan/plugins/pkcs12/pkcs12_decode.c index a20c05e916..7db7a39db9 100644 --- a/src/libstrongswan/plugins/pkcs12/pkcs12_decode.c +++ b/src/libstrongswan/plugins/pkcs12/pkcs12_decode.c @@ -343,7 +343,7 @@ static bool verify_mac(hash_algorithm_t hash, chunk_t salt, calculated = chunk_alloca(signer->get_block_size(signer)); enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, - SHARED_PRIVATE_KEY_PASS, NULL, NULL); + SHARED_PRIVATE_KEY_PASS, NULL, NULL, NULL); while (enumerator->enumerate(enumerator, &shared, NULL, NULL)) { if (!pkcs12_derive_key(hash, shared->get_key(shared), salt, iterations, diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_encrypted_data.c b/src/libstrongswan/plugins/pkcs7/pkcs7_encrypted_data.c index 0eb57619cc..e5390063c4 100644 --- a/src/libstrongswan/plugins/pkcs7/pkcs7_encrypted_data.c +++ b/src/libstrongswan/plugins/pkcs7/pkcs7_encrypted_data.c 
@@ -54,7 +54,7 @@ static bool decrypt(pkcs5_t *pkcs5, chunk_t data, chunk_t *decrypted) bool success = FALSE; enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, - SHARED_PRIVATE_KEY_PASS, NULL, NULL); + SHARED_PRIVATE_KEY_PASS, NULL, NULL, NULL); while (enumerator->enumerate(enumerator, &shared, NULL, NULL)) { if (pkcs5->decrypt(pkcs5, shared->get_key(shared), data, decrypted)) diff --git a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c index 22b7829a49..aec5f3425e 100644 --- a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c +++ b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c @@ -130,7 +130,7 @@ static private_key_t *decrypt_private_key(pkcs5_t *pkcs5, chunk_t blob) private_key_t *private_key = NULL; enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, - SHARED_PRIVATE_KEY_PASS, NULL, NULL); + SHARED_PRIVATE_KEY_PASS, NULL, NULL, NULL); while (enumerator->enumerate(enumerator, &shared, NULL, NULL)) { chunk_t decrypted; diff --git a/src/libtpmtss/plugins/tpm/tpm_private_key.c b/src/libtpmtss/plugins/tpm/tpm_private_key.c index d946fbe567..78fb500de3 100644 --- a/src/libtpmtss/plugins/tpm/tpm_private_key.c +++ b/src/libtpmtss/plugins/tpm/tpm_private_key.c @@ -92,7 +92,7 @@ METHOD(private_key_t, sign, bool, /* check for optional PIN */ enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, - SHARED_PIN, this->keyid, NULL); + SHARED_PIN, this->keyid, NULL, NULL); if (enumerator->enumerate(enumerator, &shared, NULL, NULL)) { pin = shared->get_key(shared); diff --git a/src/pki/pki.c b/src/pki/pki.c index bb6b278d46..d9e7a81f74 100644 --- a/src/pki/pki.c +++ b/src/pki/pki.c 
@@ -355,9 +355,10 @@ static shared_key_type_t prompted; /** * Callback function to receive credentials */ -static shared_key_t* cb(void *data, shared_key_type_t type, - identification_t *me, identification_t *other, - id_match_t *match_me, id_match_t *match_other) +CALLBACK(cb, shared_key_t*, + void *data, shared_key_type_t type, identification_t *me, + identification_t *other, const char *msg, id_match_t *match_me, + id_match_t *match_other) { char buf[64], *label, *secret = NULL; shared_key_t *shared; diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c index 2c1947dd1e..717730199e 100644 --- a/src/swanctl/commands/load_creds.c +++ b/src/swanctl/commands/load_creds.c @@ -223,13 +223,10 @@ typedef struct { mem_cred_t *cache; } cb_data_t; -/** - * Callback function to prompt for private key passwords - */ CALLBACK(password_cb, shared_key_t*, - cb_data_t *data, shared_key_type_t type, - identification_t *me, identification_t *other, - id_match_t *match_me, id_match_t *match_other) + cb_data_t *data, shared_key_type_t type, identification_t *me, + identification_t *other, const char *msg, id_match_t *match_me, + id_match_t *match_other) { shared_key_t *shared; char *pwd = NULL;