projects / strongswan.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
swanctl: Load shared secrets from the swanctl.conf secrets section
[strongswan.git] / src / swanctl / commands / load_creds.c
diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c
index 83f2923..dcfc6fe 100644 (file)
--- a/src/swanctl/commands/load_creds.c
+++ b/src/swanctl/commands/load_creds.c
@@ -16,11 +16,14 @@
 #define _GNU_SOURCE
 #include <stdio.h>
 #include <errno.h>
+#include <unistd.h>
 #include <sys/stat.h>
 
 #include "command.h"
 #include "swanctl.h"
 
+#include <credentials/sets/callback_cred.h>
+
 /**
  * Load a single certificate over vici
  */
@@ -91,6 +94,254 @@ static void load_certs(vici_conn_t *conn, bool raw, char *type, char *dir)
 }
 
 /**
+ * Load a single private key over vici
+ */
+static bool load_key(vici_conn_t *conn, bool raw, char *dir,
+                                         char *type, chunk_t data)
+{
+       vici_req_t *req;
+       vici_res_t *res;
+       bool ret = TRUE;
+
+       req = vici_begin("load-key");
+
+       vici_add_key_valuef(req, "type", "%s", type);
+       vici_add_key_value(req, "data", data.ptr, data.len);
+
+       res = vici_submit(req, conn);
+       if (!res)
+       {
+               fprintf(stderr, "load-key request failed: %s\n", strerror(errno));
+               return FALSE;
+       }
+       if (raw)
+       {
+               vici_dump(res, "load-key reply", stdout);
+       }
+       else if (!streq(vici_find_str(res, "no", "success"), "yes"))
+       {
+               fprintf(stderr, "loading '%s' failed: %s\n",
+                               dir, vici_find_str(res, "", "errmsg"));
+               ret = FALSE;
+       }
+       vici_free_res(res);
+       return ret;
+}
+
+/**
+ * Callback function to prompt for private key passwords
+ */
+CALLBACK(password_cb, shared_key_t*,
+       char *prompt, shared_key_type_t type,
+       identification_t *me, identification_t *other,
+       id_match_t *match_me, id_match_t *match_other)
+{
+       char *pwd;
+
+       if (type != SHARED_PRIVATE_KEY_PASS)
+       {
+               return NULL;
+       }
+       pwd = getpass(prompt);
+       if (!pwd || strlen(pwd) == 0)
+       {
+               return NULL;
+       }
+       if (match_me)
+       {
+               *match_me = ID_MATCH_PERFECT;
+       }
+       if (match_other)
+       {
+               *match_other = ID_MATCH_PERFECT;
+       }
+       return shared_key_create(type, chunk_clone(chunk_from_str(pwd)));
+}
+
+/**
+ * Try to parse a potentially encrypted private key
+ */
+static private_key_t* decrypt_key(char *name, char *type, chunk_t encoding)
+{
+       key_type_t kt = KEY_ANY;
+       private_key_t *private;
+       callback_cred_t *cb;
+       char buf[128];
+
+       if (streq(type, "rsa"))
+       {
+               kt = KEY_RSA;
+       }
+       else if (streq(type, "ecdsa"))
+       {
+               kt = KEY_ECDSA;
+       }
+
+       snprintf(buf, sizeof(buf), "Password for '%s': ", name);
+
+       cb = callback_cred_create_shared(password_cb, buf);
+       lib->credmgr->add_set(lib->credmgr, &cb->set);
+
+       private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, kt,
+                                                                BUILD_BLOB_PEM, encoding, BUILD_END);
+
+       lib->credmgr->remove_set(lib->credmgr, &cb->set);
+       cb->destroy(cb);
+
+       return private;
+}
+
+/**
+ * Try to decrypt and load a private key
+ */
+static bool load_encrypted_key(vici_conn_t *conn, bool raw,
+                                                          char *rel, char *path, char *type, chunk_t data)
+{
+       private_key_t *private;
+       bool loaded = FALSE;
+       chunk_t encoding;
+
+       private = decrypt_key(rel, type, data);
+       if (private)
+       {
+               if (private->get_encoding(private, PRIVKEY_ASN1_DER,
+                                                                 &encoding))
+               {
+                       switch (private->get_type(private))
+                       {
+                               case KEY_RSA:
+                                       loaded = load_key(conn, raw, path, "rsa", encoding);
+                                       break;
+                               case KEY_ECDSA:
+                                       loaded = load_key(conn, raw, path, "ecdsa", encoding);
+                                       break;
+                               default:
+                                       break;
+                       }
+                       chunk_clear(&encoding);
+               }
+               private->destroy(private);
+       }
+       return loaded;
+}
+
+/**
+ * Load private keys from a directory
+ */
+static void load_keys(vici_conn_t *conn, bool raw, bool noprompt,
+                                         char *type, char *dir)
+{
+       enumerator_t *enumerator;
+       struct stat st;
+       chunk_t *map;
+       char *path, *rel;
+
+       enumerator = enumerator_create_directory(dir);
+       if (enumerator)
+       {
+               while (enumerator->enumerate(enumerator, &rel, &path, &st))
+               {
+                       if (S_ISREG(st.st_mode))
+                       {
+                               map = chunk_map(path, FALSE);
+                               if (map)
+                               {
+                                       if (noprompt ||
+                                               !load_encrypted_key(conn, raw, rel, path, type, *map))
+                                       {
+                                               load_key(conn, raw, path, type, *map);
+                                       }
+                                       chunk_unmap(map);
+                               }
+                               else
+                               {
+                                       fprintf(stderr, "mapping '%s' failed: %s, skipped\n",
+                                                       path, strerror(errno));
+                               }
+                       }
+               }
+               enumerator->destroy(enumerator);
+       }
+}
+
+/**
+ * Load a single secret for ids over VICI
+ */
+static bool load_secret(vici_conn_t *conn, char *type, char *owners,
+                                               char *value, bool raw)
+{
+       enumerator_t *enumerator;
+       vici_req_t *req;
+       vici_res_t *res;
+       chunk_t data;
+       bool ret = TRUE;
+
+       req = vici_begin("load-shared");
+
+       vici_add_key_valuef(req, "type", "%s", type);
+       vici_begin_list(req, "owners");
+       enumerator = enumerator_create_token(owners, " ", " ");
+       while (enumerator->enumerate(enumerator, &owners))
+       {
+               vici_add_list_itemf(req, "%s", owners);
+       }
+       enumerator->destroy(enumerator);
+       vici_end_list(req);
+
+       if (strcasepfx(value, "0x"))
+       {
+               data = chunk_from_hex(chunk_from_str(value + 2), NULL);
+       }
+       else if (strcasepfx(value, "0s"))
+       {
+               data = chunk_from_base64(chunk_from_str(value + 2), NULL);
+       }
+       else
+       {
+               data = chunk_clone(chunk_from_str(value));
+       }
+       vici_add_key_value(req, "data", data.ptr, data.len);
+       chunk_clear(&data);
+
+       res = vici_submit(req, conn);
+       if (!res)
+       {
+               fprintf(stderr, "load-shared request failed: %s\n", strerror(errno));
+               return FALSE;
+       }
+       if (raw)
+       {
+               vici_dump(res, "load-shared reply", stdout);
+       }
+       else if (!streq(vici_find_str(res, "no", "success"), "yes"))
+       {
+               fprintf(stderr, "loading shared secret failed: %s\n",
+                               vici_find_str(res, "", "errmsg"));
+               ret = FALSE;
+       }
+       vici_free_res(res);
+       return ret;
+}
+
+/**
+ * Load secrets from settings section
+ */
+static void load_secrets(vici_conn_t *conn, settings_t *cfg,
+                                                char *section, bool raw)
+{
+       enumerator_t *enumerator;
+       char buf[64], *key, *value;
+
+       snprintf(buf, sizeof(buf), "secrets.%s", section);
+       enumerator = cfg->create_key_value_enumerator(cfg, buf);
+       while (enumerator->enumerate(enumerator, &key, &value))
+       {
+               load_secret(conn, section, key, value, raw);
+       }
+       enumerator->destroy(enumerator);
+}
+
+/**
  * Clear all currently loaded credentials
  */
 static bool clear_creds(vici_conn_t *conn, bool raw)
@@ -113,8 +364,10 @@ static bool clear_creds(vici_conn_t *conn, bool raw)
 
 static int load_creds(vici_conn_t *conn)
 {
-       bool raw = FALSE, clear = FALSE;
-       char *arg;
+       bool raw = FALSE, clear = FALSE, noprompt = FALSE;
+       enumerator_t *enumerator;
+       settings_t *cfg;
+       char *arg, *section;
 
        while (TRUE)
        {
@@ -125,6 +378,9 @@ static int load_creds(vici_conn_t *conn)
                        case 'c':
                                clear = TRUE;
                                continue;
+                       case 'n':
+                               noprompt = TRUE;
+                               continue;
                        case 'r':
                                raw = TRUE;
                                continue;
@@ -150,6 +406,26 @@ static int load_creds(vici_conn_t *conn)
        load_certs(conn, raw, "x509crl", SWANCTL_X509CRLDIR);
        load_certs(conn, raw, "x509ac", SWANCTL_X509ACDIR);
 
+       load_keys(conn, raw, noprompt, "rsa", SWANCTL_RSADIR);
+       load_keys(conn, raw, noprompt, "ecdsa", SWANCTL_ECDSADIR);
+       load_keys(conn, raw, noprompt, "any", SWANCTL_PKCS8DIR);
+
+       cfg = settings_create(SWANCTL_CONF);
+       if (!cfg)
+       {
+               fprintf(stderr, "parsing '%s' failed\n", SWANCTL_CONF);
+               return EINVAL;
+       }
+
+       enumerator = cfg->create_section_enumerator(cfg, "secrets");
+       while (enumerator->enumerate(enumerator, &section))
+       {
+               load_secrets(conn, cfg, section, raw);
+       }
+       enumerator->destroy(enumerator);
+
+       cfg->destroy(cfg);
+
        return 0;
 }
 
@@ -164,6 +440,7 @@ static void __attribute__ ((constructor))reg()
                {
                        {"help",                'h', 0, "show usage information"},
                        {"clear",               'c', 0, "clear previously loaded credentials"},
+                       {"noprompt",    'n', 0, "do not prompt for passwords"},
                        {"raw",                 'r', 0, "dump raw response message"},
                }
        });
strongSwan - IPsec VPN