projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
swanctl: Be more verbose while loading connections and credentials
[strongswan.git] / src / swanctl / commands / load_creds.c
1 /*
2 * Copyright (C) 2014 Martin Willi
3 * Copyright (C) 2014 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #define _GNU_SOURCE
17 #include <stdio.h>
18 #include <errno.h>
19 #include <unistd.h>
20 #include <sys/stat.h>
21
22 #include "command.h"
23 #include "swanctl.h"
24
25 #include <credentials/sets/callback_cred.h>
26
27 /**
28 * Load a single certificate over vici
29 */
30 static bool load_cert(vici_conn_t *conn, bool raw, char *dir,
31 char *type, chunk_t data)
32 {
33 vici_req_t *req;
34 vici_res_t *res;
35 bool ret = TRUE;
36
37 req = vici_begin("load-cert");
38
39 vici_add_key_valuef(req, "type", "%s", type);
40 vici_add_key_value(req, "data", data.ptr, data.len);
41
42 res = vici_submit(req, conn);
43 if (!res)
44 {
45 fprintf(stderr, "load-cert request failed: %s\n", strerror(errno));
46 return FALSE;
47 }
48 if (raw)
49 {
50 vici_dump(res, "load-cert reply", stdout);
51 }
52 else if (!streq(vici_find_str(res, "no", "success"), "yes"))
53 {
54 fprintf(stderr, "loading '%s' failed: %s\n",
55 dir, vici_find_str(res, "", "errmsg"));
56 ret = FALSE;
57 }
58 else
59 {
60 printf("loaded %s certificate '%s'\n", type, dir);
61 }
62 vici_free_res(res);
63 return ret;
64 }
65
66 /**
67 * Load certficiates from a directory
68 */
69 static void load_certs(vici_conn_t *conn, bool raw, char *type, char *dir)
70 {
71 enumerator_t *enumerator;
72 struct stat st;
73 chunk_t *map;
74 char *path;
75
76 enumerator = enumerator_create_directory(dir);
77 if (enumerator)
78 {
79 while (enumerator->enumerate(enumerator, NULL, &path, &st))
80 {
81 if (S_ISREG(st.st_mode))
82 {
83 map = chunk_map(path, FALSE);
84 if (map)
85 {
86 load_cert(conn, raw, path, type, *map);
87 chunk_unmap(map);
88 }
89 else
90 {
91 fprintf(stderr, "mapping '%s' failed: %s, skipped\n",
92 path, strerror(errno));
93 }
94 }
95 }
96 enumerator->destroy(enumerator);
97 }
98 }
99
100 /**
101 * Load a single private key over vici
102 */
103 static bool load_key(vici_conn_t *conn, bool raw, char *dir,
104 char *type, chunk_t data)
105 {
106 vici_req_t *req;
107 vici_res_t *res;
108 bool ret = TRUE;
109
110 req = vici_begin("load-key");
111
112 vici_add_key_valuef(req, "type", "%s", type);
113 vici_add_key_value(req, "data", data.ptr, data.len);
114
115 res = vici_submit(req, conn);
116 if (!res)
117 {
118 fprintf(stderr, "load-key request failed: %s\n", strerror(errno));
119 return FALSE;
120 }
121 if (raw)
122 {
123 vici_dump(res, "load-key reply", stdout);
124 }
125 else if (!streq(vici_find_str(res, "no", "success"), "yes"))
126 {
127 fprintf(stderr, "loading '%s' failed: %s\n",
128 dir, vici_find_str(res, "", "errmsg"));
129 ret = FALSE;
130 }
131 else
132 {
133 printf("loaded %s key '%s'\n", type, dir);
134 }
135 vici_free_res(res);
136 return ret;
137 }
138
139 /**
140 * Callback function to prompt for private key passwords
141 */
142 CALLBACK(password_cb, shared_key_t*,
143 char *prompt, shared_key_type_t type,
144 identification_t *me, identification_t *other,
145 id_match_t *match_me, id_match_t *match_other)
146 {
147 char *pwd;
148
149 if (type != SHARED_PRIVATE_KEY_PASS)
150 {
151 return NULL;
152 }
153 pwd = getpass(prompt);
154 if (!pwd || strlen(pwd) == 0)
155 {
156 return NULL;
157 }
158 if (match_me)
159 {
160 *match_me = ID_MATCH_PERFECT;
161 }
162 if (match_other)
163 {
164 *match_other = ID_MATCH_PERFECT;
165 }
166 return shared_key_create(type, chunk_clone(chunk_from_str(pwd)));
167 }
168
169 /**
170 * Try to parse a potentially encrypted private key
171 */
172 static private_key_t* decrypt_key(char *name, char *type, chunk_t encoding)
173 {
174 key_type_t kt = KEY_ANY;
175 private_key_t *private;
176 callback_cred_t *cb;
177 char buf[128];
178
179 if (streq(type, "rsa"))
180 {
181 kt = KEY_RSA;
182 }
183 else if (streq(type, "ecdsa"))
184 {
185 kt = KEY_ECDSA;
186 }
187
188 snprintf(buf, sizeof(buf), "Password for '%s': ", name);
189
190 cb = callback_cred_create_shared(password_cb, buf);
191 lib->credmgr->add_set(lib->credmgr, &cb->set);
192
193 private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, kt,
194 BUILD_BLOB_PEM, encoding, BUILD_END);
195
196 lib->credmgr->remove_set(lib->credmgr, &cb->set);
197 cb->destroy(cb);
198
199 return private;
200 }
201
202 /**
203 * Try to decrypt and load a private key
204 */
205 static bool load_encrypted_key(vici_conn_t *conn, bool raw,
206 char *rel, char *path, char *type, chunk_t data)
207 {
208 private_key_t *private;
209 bool loaded = FALSE;
210 chunk_t encoding;
211
212 private = decrypt_key(rel, type, data);
213 if (private)
214 {
215 if (private->get_encoding(private, PRIVKEY_ASN1_DER,
216 &encoding))
217 {
218 switch (private->get_type(private))
219 {
220 case KEY_RSA:
221 loaded = load_key(conn, raw, path, "rsa", encoding);
222 break;
223 case KEY_ECDSA:
224 loaded = load_key(conn, raw, path, "ecdsa", encoding);
225 break;
226 default:
227 break;
228 }
229 chunk_clear(&encoding);
230 }
231 private->destroy(private);
232 }
233 return loaded;
234 }
235
236 /**
237 * Load private keys from a directory
238 */
239 static void load_keys(vici_conn_t *conn, bool raw, bool noprompt,
240 char *type, char *dir)
241 {
242 enumerator_t *enumerator;
243 struct stat st;
244 chunk_t *map;
245 char *path, *rel;
246
247 enumerator = enumerator_create_directory(dir);
248 if (enumerator)
249 {
250 while (enumerator->enumerate(enumerator, &rel, &path, &st))
251 {
252 if (S_ISREG(st.st_mode))
253 {
254 map = chunk_map(path, FALSE);
255 if (map)
256 {
257 if (noprompt ||
258 !load_encrypted_key(conn, raw, rel, path, type, *map))
259 {
260 load_key(conn, raw, path, type, *map);
261 }
262 chunk_unmap(map);
263 }
264 else
265 {
266 fprintf(stderr, "mapping '%s' failed: %s, skipped\n",
267 path, strerror(errno));
268 }
269 }
270 }
271 enumerator->destroy(enumerator);
272 }
273 }
274
275 /**
276 * Load a single secret for ids over VICI
277 */
278 static bool load_secret(vici_conn_t *conn, char *type, char *owners,
279 char *value, bool raw)
280 {
281 enumerator_t *enumerator;
282 vici_req_t *req;
283 vici_res_t *res;
284 chunk_t data;
285 char *owner;
286 bool ret = TRUE;
287
288 req = vici_begin("load-shared");
289
290 vici_add_key_valuef(req, "type", "%s", type);
291 vici_begin_list(req, "owners");
292 enumerator = enumerator_create_token(owners, " ", " ");
293 while (enumerator->enumerate(enumerator, &owner))
294 {
295 vici_add_list_itemf(req, "%s", owner);
296 }
297 enumerator->destroy(enumerator);
298 vici_end_list(req);
299
300 if (strcasepfx(value, "0x"))
301 {
302 data = chunk_from_hex(chunk_from_str(value + 2), NULL);
303 }
304 else if (strcasepfx(value, "0s"))
305 {
306 data = chunk_from_base64(chunk_from_str(value + 2), NULL);
307 }
308 else
309 {
310 data = chunk_clone(chunk_from_str(value));
311 }
312 vici_add_key_value(req, "data", data.ptr, data.len);
313 chunk_clear(&data);
314
315 res = vici_submit(req, conn);
316 if (!res)
317 {
318 fprintf(stderr, "load-shared request failed: %s\n", strerror(errno));
319 return FALSE;
320 }
321 if (raw)
322 {
323 vici_dump(res, "load-shared reply", stdout);
324 }
325 else if (!streq(vici_find_str(res, "no", "success"), "yes"))
326 {
327 fprintf(stderr, "loading shared secret failed: %s\n",
328 vici_find_str(res, "", "errmsg"));
329 ret = FALSE;
330 }
331 else
332 {
333 printf("loaded %s secret for: ", type);
334 enumerator = enumerator_create_token(owners, " ", " ");
335 while (enumerator->enumerate(enumerator, &owner))
336 {
337 printf("'%s' ", owner);
338 }
339 enumerator->destroy(enumerator);
340 printf("\n");
341 }
342 vici_free_res(res);
343 return ret;
344 }
345
346 /**
347 * Load secrets from settings section
348 */
349 static void load_secrets(vici_conn_t *conn, settings_t *cfg,
350 char *section, bool raw)
351 {
352 enumerator_t *enumerator;
353 char buf[64], *key, *value;
354
355 snprintf(buf, sizeof(buf), "secrets.%s", section);
356 enumerator = cfg->create_key_value_enumerator(cfg, buf);
357 while (enumerator->enumerate(enumerator, &key, &value))
358 {
359 load_secret(conn, section, key, value, raw);
360 }
361 enumerator->destroy(enumerator);
362 }
363
364 /**
365 * Clear all currently loaded credentials
366 */
367 static bool clear_creds(vici_conn_t *conn, bool raw)
368 {
369 vici_res_t *res;
370
371 res = vici_submit(vici_begin("clear-creds"), conn);
372 if (!res)
373 {
374 fprintf(stderr, "clear-creds request failed: %s\n", strerror(errno));
375 return FALSE;
376 }
377 if (raw)
378 {
379 vici_dump(res, "clear-creds reply", stdout);
380 }
381 vici_free_res(res);
382 return TRUE;
383 }
384
385 static int load_creds(vici_conn_t *conn)
386 {
387 bool raw = FALSE, clear = FALSE, noprompt = FALSE;
388 enumerator_t *enumerator;
389 settings_t *cfg;
390 char *arg, *section;
391
392 while (TRUE)
393 {
394 switch (command_getopt(&arg))
395 {
396 case 'h':
397 return command_usage(NULL);
398 case 'c':
399 clear = TRUE;
400 continue;
401 case 'n':
402 noprompt = TRUE;
403 continue;
404 case 'r':
405 raw = TRUE;
406 continue;
407 case EOF:
408 break;
409 default:
410 return command_usage("invalid --load-creds option");
411 }
412 break;
413 }
414
415 if (clear)
416 {
417 if (!clear_creds(conn, raw))
418 {
419 return ECONNREFUSED;
420 }
421 }
422
423 load_certs(conn, raw, "x509", SWANCTL_X509DIR);
424 load_certs(conn, raw, "x509ca", SWANCTL_X509CADIR);
425 load_certs(conn, raw, "x509aa", SWANCTL_X509AADIR);
426 load_certs(conn, raw, "x509crl", SWANCTL_X509CRLDIR);
427 load_certs(conn, raw, "x509ac", SWANCTL_X509ACDIR);
428
429 load_keys(conn, raw, noprompt, "rsa", SWANCTL_RSADIR);
430 load_keys(conn, raw, noprompt, "ecdsa", SWANCTL_ECDSADIR);
431 load_keys(conn, raw, noprompt, "any", SWANCTL_PKCS8DIR);
432
433 cfg = settings_create(SWANCTL_CONF);
434 if (!cfg)
435 {
436 fprintf(stderr, "parsing '%s' failed\n", SWANCTL_CONF);
437 return EINVAL;
438 }
439
440 enumerator = cfg->create_section_enumerator(cfg, "secrets");
441 while (enumerator->enumerate(enumerator, &section))
442 {
443 load_secrets(conn, cfg, section, raw);
444 }
445 enumerator->destroy(enumerator);
446
447 cfg->destroy(cfg);
448
449 return 0;
450 }
451
452 /**
453 * Register the command.
454 */
455 static void __attribute__ ((constructor))reg()
456 {
457 command_register((command_t) {
458 load_creds, 's', "load-creds", "(re-)load credentials",
459 {"[--raw]"},
460 {
461 {"help", 'h', 0, "show usage information"},
462 {"clear", 'c', 0, "clear previously loaded credentials"},
463 {"noprompt", 'n', 0, "do not prompt for passwords"},
464 {"raw", 'r', 0, "dump raw response message"},
465 }
466 });
467 }
strongSwan - IPsec VPN