Use AUTH_RULE_IDENTITY_LOOSE in NetworkManager backend
[strongswan.git] / src / charon-nm / nm / nm_creds.c
1 /*
2 * Copyright (C) 2008 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "nm_creds.h"
17
18 #include <sys/types.h>
19 #include <sys/stat.h>
20 #include <unistd.h>
21
22 #include <daemon.h>
23 #include <threading/rwlock.h>
24 #include <credentials/certificates/x509.h>
25
26 typedef struct private_nm_creds_t private_nm_creds_t;
27
28 /**
29 * private data of nm_creds
30 */
31 struct private_nm_creds_t {
32
33 /**
34 * public functions
35 */
36 nm_creds_t public;
37
38 /**
39 * List of trusted certificates, certificate_t*
40 */
41 linked_list_t *certs;
42
43 /**
44 * User name
45 */
46 identification_t *user;
47
48 /**
49 * User password
50 */
51 char *pass;
52
53 /**
54 * Private key decryption password / smartcard pin
55 */
56 char *keypass;
57
58 /**
59 * private key ID of smartcard key
60 */
61 chunk_t keyid;
62
63 /**
64 * users certificate
65 */
66 certificate_t *usercert;
67
68 /**
69 * users private key
70 */
71 private_key_t *key;
72
73 /**
74 * read/write lock
75 */
76 rwlock_t *lock;
77 };
78
79 /**
80 * Enumerator for user certificate
81 */
82 static enumerator_t *create_usercert_enumerator(private_nm_creds_t *this,
83 certificate_type_t cert, key_type_t key)
84 {
85 public_key_t *public;
86
87 if (cert != CERT_ANY && cert != this->usercert->get_type(this->usercert))
88 {
89 return NULL;
90 }
91 if (key != KEY_ANY)
92 {
93 public = this->usercert->get_public_key(this->usercert);
94 if (!public)
95 {
96 return NULL;
97 }
98 if (public->get_type(public) != key)
99 {
100 public->destroy(public);
101 return NULL;
102 }
103 public->destroy(public);
104 }
105 this->lock->read_lock(this->lock);
106 return enumerator_create_cleaner(
107 enumerator_create_single(this->usercert, NULL),
108 (void*)this->lock->unlock, this->lock);
109 }
110
111 /**
112 * CA certificate enumerator data
113 */
114 typedef struct {
115 /** ref to credential credential store */
116 private_nm_creds_t *this;
117 /** type of key we are looking for */
118 key_type_t key;
119 /** CA certificate ID */
120 identification_t *id;
121 } cert_data_t;
122
123 /**
124 * Destroy CA certificate enumerator data
125 */
126 static void cert_data_destroy(cert_data_t *data)
127 {
128 data->this->lock->unlock(data->this->lock);
129 free(data);
130 }
131
132 /**
133 * Filter function for certificates enumerator
134 */
135 static bool cert_filter(cert_data_t *data, certificate_t **in,
136 certificate_t **out)
137 {
138 certificate_t *cert = *in;
139 public_key_t *public;
140
141 public = cert->get_public_key(cert);
142 if (!public)
143 {
144 return FALSE;
145 }
146 if (data->key != KEY_ANY && public->get_type(public) != data->key)
147 {
148 public->destroy(public);
149 return FALSE;
150 }
151 if (data->id && data->id->get_type(data->id) == ID_KEY_ID &&
152 public->has_fingerprint(public, data->id->get_encoding(data->id)))
153 {
154 public->destroy(public);
155 *out = cert;
156 return TRUE;
157 }
158 public->destroy(public);
159 if (data->id && !cert->has_subject(cert, data->id))
160 {
161 return FALSE;
162 }
163 *out = cert;
164 return TRUE;
165 }
166
167 /**
168 * Create enumerator for trusted certificates
169 */
170 static enumerator_t *create_trusted_cert_enumerator(private_nm_creds_t *this,
171 key_type_t key, identification_t *id)
172 {
173 cert_data_t *data;
174
175 INIT(data,
176 .this = this,
177 .id = id,
178 .key = key,
179 );
180
181 this->lock->read_lock(this->lock);
182 return enumerator_create_filter(
183 this->certs->create_enumerator(this->certs),
184 (void*)cert_filter, data, (void*)cert_data_destroy);
185 }
186
187 METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
188 private_nm_creds_t *this, certificate_type_t cert, key_type_t key,
189 identification_t *id, bool trusted)
190 {
191 if (id && this->usercert &&
192 id->equals(id, this->usercert->get_subject(this->usercert)))
193 {
194 return create_usercert_enumerator(this, cert, key);
195 }
196 if (cert == CERT_X509 || cert == CERT_ANY)
197 {
198 return create_trusted_cert_enumerator(this, key, id);
199 }
200 return NULL;
201 }
202
203 METHOD(credential_set_t, create_private_enumerator, enumerator_t*,
204 private_nm_creds_t *this, key_type_t type, identification_t *id)
205 {
206 if (this->key == NULL)
207 {
208 return NULL;
209 }
210 if (type != KEY_ANY && type != this->key->get_type(this->key))
211 {
212 return NULL;
213 }
214 if (id && id->get_type(id) != ID_ANY)
215 {
216 if (id->get_type(id) != ID_KEY_ID ||
217 !this->key->has_fingerprint(this->key, id->get_encoding(id)))
218 {
219 return NULL;
220 }
221 }
222 this->lock->read_lock(this->lock);
223 return enumerator_create_cleaner(enumerator_create_single(this->key, NULL),
224 (void*)this->lock->unlock, this->lock);
225 }
226
227 /**
228 * shared key enumerator implementation
229 */
230 typedef struct {
231 enumerator_t public;
232 private_nm_creds_t *this;
233 shared_key_t *key;
234 bool done;
235 } shared_enumerator_t;
236
237 METHOD(enumerator_t, shared_enumerate, bool,
238 shared_enumerator_t *this, shared_key_t **key, id_match_t *me,
239 id_match_t *other)
240 {
241 if (this->done)
242 {
243 return FALSE;
244 }
245 *key = this->key;
246 if (me)
247 {
248 *me = ID_MATCH_PERFECT;
249 }
250 if (other)
251 {
252 *other = ID_MATCH_ANY;
253 }
254 this->done = TRUE;
255 return TRUE;
256 }
257
258 METHOD(enumerator_t, shared_destroy, void,
259 shared_enumerator_t *this)
260 {
261 this->key->destroy(this->key);
262 this->this->lock->unlock(this->this->lock);
263 free(this);
264 }
265
266 METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
267 private_nm_creds_t *this, shared_key_type_t type, identification_t *me,
268 identification_t *other)
269 {
270 shared_enumerator_t *enumerator;
271 chunk_t key;
272
273 this->lock->read_lock(this->lock);
274
275 switch (type)
276 {
277 case SHARED_EAP:
278 case SHARED_IKE:
279 if (!this->pass || !this->user)
280 {
281 goto no_secret;
282 }
283 if (me && !me->equals(me, this->user))
284 {
285 goto no_secret;
286 }
287 key = chunk_create(this->pass, strlen(this->pass));
288 break;
289 case SHARED_PRIVATE_KEY_PASS:
290 if (!this->keypass)
291 {
292 goto no_secret;
293 }
294 key = chunk_create(this->keypass, strlen(this->keypass));
295 break;
296 case SHARED_PIN:
297 if (!this->keypass || !me ||
298 !chunk_equals(me->get_encoding(me), this->keyid))
299 {
300 goto no_secret;
301 }
302 key = chunk_create(this->keypass, strlen(this->keypass));
303 break;
304 default:
305 goto no_secret;
306 }
307
308 INIT(enumerator,
309 .public = {
310 .enumerate = (void*)_shared_enumerate,
311 .destroy = _shared_destroy,
312 },
313 .this = this,
314 );
315 enumerator->key = shared_key_create(type, chunk_clone(key));
316 return &enumerator->public;
317
318 no_secret:
319 this->lock->unlock(this->lock);
320 return NULL;
321 }
322
323 METHOD(nm_creds_t, add_certificate, void,
324 private_nm_creds_t *this, certificate_t *cert)
325 {
326 this->lock->write_lock(this->lock);
327 this->certs->insert_last(this->certs, cert);
328 this->lock->unlock(this->lock);
329 }
330
331 /**
332 * Load a certificate file
333 */
334 static void load_ca_file(private_nm_creds_t *this, char *file)
335 {
336 certificate_t *cert;
337
338 /* We add the CA constraint, as many CAs miss it */
339 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
340 BUILD_FROM_FILE, file, BUILD_END);
341 if (!cert)
342 {
343 DBG1(DBG_CFG, "loading CA certificate '%s' failed", file);
344 }
345 else
346 {
347 DBG2(DBG_CFG, "loaded CA certificate '%Y'", cert->get_subject(cert));
348 x509_t *x509 = (x509_t*)cert;
349 if (!(x509->get_flags(x509) & X509_SELF_SIGNED))
350 {
351 DBG1(DBG_CFG, "%Y is not self signed", cert->get_subject(cert));
352 }
353 this->certs->insert_last(this->certs, cert);
354 }
355 }
356
357 METHOD(nm_creds_t, load_ca_dir, void,
358 private_nm_creds_t *this, char *dir)
359 {
360 enumerator_t *enumerator;
361 char *rel, *abs;
362 struct stat st;
363
364 enumerator = enumerator_create_directory(dir);
365 if (enumerator)
366 {
367 while (enumerator->enumerate(enumerator, &rel, &abs, &st))
368 {
369 /* skip '.', '..' and hidden files */
370 if (rel[0] != '.')
371 {
372 if (S_ISDIR(st.st_mode))
373 {
374 load_ca_dir(this, abs);
375 }
376 else if (S_ISREG(st.st_mode))
377 {
378 load_ca_file(this, abs);
379 }
380 }
381 }
382 enumerator->destroy(enumerator);
383 }
384 }
385
386 METHOD(nm_creds_t, set_username_password, void,
387 private_nm_creds_t *this, identification_t *id, char *password)
388 {
389 this->lock->write_lock(this->lock);
390 DESTROY_IF(this->user);
391 this->user = id->clone(id);
392 free(this->pass);
393 this->pass = strdupnull(password);
394 this->lock->unlock(this->lock);
395 }
396
397 METHOD(nm_creds_t, set_key_password, void,
398 private_nm_creds_t *this, char *password)
399 {
400 this->lock->write_lock(this->lock);
401 free(this->keypass);
402 this->keypass = strdupnull(password);
403 this->lock->unlock(this->lock);
404 }
405
406 METHOD(nm_creds_t, set_pin, void,
407 private_nm_creds_t *this, chunk_t keyid, char *pin)
408 {
409 this->lock->write_lock(this->lock);
410 free(this->keypass);
411 free(this->keyid.ptr);
412 this->keypass = strdupnull(pin);
413 this->keyid = chunk_clone(keyid);
414 this->lock->unlock(this->lock);
415 }
416
417 METHOD(nm_creds_t, set_cert_and_key, void,
418 private_nm_creds_t *this, certificate_t *cert, private_key_t *key)
419 {
420 this->lock->write_lock(this->lock);
421 DESTROY_IF(this->key);
422 DESTROY_IF(this->usercert);
423 this->key = key;
424 this->usercert = cert;
425 this->lock->unlock(this->lock);
426 }
427
428 METHOD(nm_creds_t, clear, void,
429 private_nm_creds_t *this)
430 {
431 certificate_t *cert;
432
433 while (this->certs->remove_last(this->certs, (void**)&cert) == SUCCESS)
434 {
435 cert->destroy(cert);
436 }
437 DESTROY_IF(this->user);
438 free(this->pass);
439 free(this->keypass);
440 free(this->keyid.ptr);
441 DESTROY_IF(this->usercert);
442 DESTROY_IF(this->key);
443 this->key = NULL;
444 this->usercert = NULL;
445 this->pass = NULL;
446 this->user = NULL;
447 this->keypass = NULL;
448 this->keyid = chunk_empty;
449 }
450
451 METHOD(nm_creds_t, destroy, void,
452 private_nm_creds_t *this)
453 {
454 clear(this);
455 this->certs->destroy(this->certs);
456 this->lock->destroy(this->lock);
457 free(this);
458 }
459
460 /*
461 * see header file
462 */
463 nm_creds_t *nm_creds_create()
464 {
465 private_nm_creds_t *this;
466
467 INIT(this,
468 .public = {
469 .set = {
470 .create_private_enumerator = _create_private_enumerator,
471 .create_cert_enumerator = _create_cert_enumerator,
472 .create_shared_enumerator = _create_shared_enumerator,
473 .create_cdp_enumerator = (void*)return_null,
474 .cache_cert = (void*)nop,
475 },
476 .add_certificate = _add_certificate,
477 .load_ca_dir = _load_ca_dir,
478 .set_username_password = _set_username_password,
479 .set_key_password = _set_key_password,
480 .set_pin = _set_pin,
481 .set_cert_and_key = _set_cert_and_key,
482 .clear = _clear,
483 .destroy = _destroy,
484 },
485 .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
486 .certs = linked_list_create(),
487 );
488 return &this->public;
489 }
490