Implemented a callback based credential set, currently for shared keys only
authorMartin Willi <martin@revosec.ch>
Fri, 16 Jul 2010 14:55:29 +0000 (16:55 +0200)
committerMartin Willi <martin@revosec.ch>
Wed, 4 Aug 2010 07:26:21 +0000 (09:26 +0200)
src/libcharon/plugins/stroke/stroke_cred.c
src/libstrongswan/Android.mk
src/libstrongswan/Makefile.am
src/libstrongswan/credentials/sets/callback_cred.c [new file with mode: 0644]
src/libstrongswan/credentials/sets/callback_cred.h [new file with mode: 0644]
src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c

index 3749bbd..e5718e5 100644 (file)
@@ -30,6 +30,7 @@
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/crl.h>
 #include <credentials/certificates/ac.h>
+#include <credentials/sets/mem_cred.h>
 #include <utils/linked_list.h>
 #include <utils/lexparser.h>
 #include <threading/rwlock.h>
@@ -751,6 +752,10 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
        private_key_t *key = NULL;
        u_int slot;
        chunk_t chunk;
+       shared_key_t *shared;
+       identification_t *id;
+       mem_cred_t *mem;
+       callback_set_t *cb;
        enum {
                SC_FORMAT_SLOT_MODULE_KEYID,
                SC_FORMAT_SLOT_KEYID,
@@ -816,81 +821,54 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
                DBG1(DBG_CFG, "line %d: malformed PIN: %s", line_nr, ugh);
                return FALSE;
        }
-
-       chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
-
        if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7))
        {
                if (prompt)
                {
                        passphrase_cb_data_t data = {
                                .prompt = prompt,
-                               .file = smartcard,
+                               .file = path,
                        };
 
-                       switch (format)
-                       {
-                               case SC_FORMAT_SLOT_MODULE_KEYID:
-                                       key = lib->creds->create(lib->creds,
-                                                                       CRED_PRIVATE_KEY, KEY_ANY,
-                                                                       BUILD_PKCS11_SLOT, slot,
-                                                                       BUILD_PKCS11_MODULE, module,
-                                                                       BUILD_PKCS11_KEYID, chunk,
-                                                                       BUILD_PASSPHRASE_CALLBACK,
-                                                                       smartcard_cb, &data, BUILD_END);
-                                       break;
-                               case SC_FORMAT_SLOT_KEYID:
-                                       key = lib->creds->create(lib->creds,
-                                                                       CRED_PRIVATE_KEY, KEY_ANY,
-                                                                       BUILD_PKCS11_SLOT, slot,
-                                                                       BUILD_PKCS11_KEYID, chunk,
-                                                                       BUILD_PASSPHRASE_CALLBACK,
-                                                                       smartcard_cb, &data, BUILD_END);
-                                       break;
-                               case SC_FORMAT_KEYID:
-                                       key = lib->creds->create(lib->creds,
-                                                                       CRED_PRIVATE_KEY, KEY_ANY,
-                                                                       BUILD_PKCS11_KEYID, chunk,
-                                                                       BUILD_PASSPHRASE_CALLBACK,
-                                                                       smartcard_cb, &data, BUILD_END);
-                                       break;
-                       }
-               }
-       }
-       else
-       {
-               switch (format)
-               {
-                       case SC_FORMAT_SLOT_MODULE_KEYID:
-                               key = lib->creds->create(lib->creds,
-                                                               CRED_PRIVATE_KEY, KEY_ANY,
-                                                               BUILD_PKCS11_SLOT, slot,
-                                                               BUILD_PKCS11_MODULE, module,
-                                                               BUILD_PKCS11_KEYID, chunk,
-                                                               BUILD_PASSPHRASE, secret, BUILD_END);
-                               break;
-                       case SC_FORMAT_SLOT_KEYID:
-                               key = lib->creds->create(lib->creds,
-                                                               CRED_PRIVATE_KEY, KEY_ANY,
-                                                               BUILD_PKCS11_SLOT, slot,
-                                                               BUILD_PKCS11_KEYID, chunk,
-                                                               BUILD_PASSPHRASE, secret, BUILD_END);
-                               break;
-                       case SC_FORMAT_KEYID:
-                               key = lib->creds->create(lib->creds,
-                                                               CRED_PRIVATE_KEY, KEY_ANY,
-                                                               BUILD_PKCS11_KEYID, chunk,
-                                                               BUILD_PASSPHRASE, secret, BUILD_END);
-                               break;
-               }
+       /* provide our pin in a temporary credential set */
+       shared = shared_key_create(SHARED_PIN, secret);
+       chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
+       id = identification_create_from_encoding(ID_KEY_ID, chunk);
+       set = mem_cred_create();
+       set->add_shared(set, shared, id, NULL);
+       lib->credmgr->add_local_set(lib->credmgr, &set->set);
+       /* unlock: smartcard needs the pin and potentially calls public set */
+       this->lock->unlock(this->lock);
+       switch (format)
+       {
+               case SC_FORMAT_SLOT_MODULE_KEYID:
+                       key = lib->creds->create(lib->creds,
+                                                       CRED_PRIVATE_KEY, KEY_ANY,
+                                                       BUILD_PKCS11_SLOT, slot,
+                                                       BUILD_PKCS11_MODULE, module,
+                                                       BUILD_PKCS11_KEYID, chunk, BUILD_END);
+                       break;
+               case SC_FORMAT_SLOT_KEYID:
+                       key = lib->creds->create(lib->creds,
+                                                       CRED_PRIVATE_KEY, KEY_ANY,
+                                                       BUILD_PKCS11_SLOT, slot,
+                                                       BUILD_PKCS11_KEYID, chunk, BUILD_END);
+                       break;
+               case SC_FORMAT_KEYID:
+                       key = lib->creds->create(lib->creds,
+                                                       CRED_PRIVATE_KEY, KEY_ANY,
+                                                       BUILD_PKCS11_KEYID, chunk, BUILD_END);
+                       break;
        }
-       free(chunk.ptr);
+       this->lock->write_lock(this->lock);
+       lib->credmgr->remove_local_set(lib->credmgr, &set->set);
+       set->destroy(set);
+
        if (key)
        {
                DBG1(DBG_CFG, "  loaded private key from %.*s", sc.len, sc.ptr);
                this->private->insert_last(this->private, key);
        }
-       chunk_clear(&secret);
        return TRUE;
 }
 
index cce1756..c39ff88 100644 (file)
@@ -44,6 +44,7 @@ credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
 credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
 credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
 credentials/sets/mem_cred.c credentials/sets/mem_cred.h \
+credentials/sets/callback_cred.c credentials/sets/callback_cred.h \
 credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \
 credentials/cert_validator.h \
 database/database.h database/database_factory.h database/database_factory.c \
index 0c7e1ff..ce11a6e 100644 (file)
@@ -42,6 +42,7 @@ credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
 credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
 credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
 credentials/sets/mem_cred.c credentials/sets/mem_cred.h \
+credentials/sets/callback_cred.c credentials/sets/callback_cred.h \
 credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \
 credentials/cert_validator.h \
 database/database.h database/database_factory.h database/database_factory.c \
diff --git a/src/libstrongswan/credentials/sets/callback_cred.c b/src/libstrongswan/credentials/sets/callback_cred.c
new file mode 100644 (file)
index 0000000..87a0789
--- /dev/null
@@ -0,0 +1,141 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "callback_cred.h"
+
+typedef struct private_callback_cred_t private_callback_cred_t;
+
+/**
+ * Private data of an callback_cred_t object.
+ */
+struct private_callback_cred_t {
+
+       /**
+        * Public callback_cred_t interface.
+        */
+       callback_cred_t public;
+
+       /**
+        * Callback of this set, for all types, and generic
+        */
+       union {
+               void *generic;
+               callback_cred_shared_cb_t shared;
+       } cb;
+
+       /**
+        * Data to pass to callback
+        */
+       void *data;
+};
+
+/**
+ * Shared key enumerator on callbacks
+ */
+typedef struct {
+       /* implements enumerator_t */
+       enumerator_t public;
+       /* backref to this */
+       private_callback_cred_t *this;
+       /* own identity to match */
+       identification_t *me;
+       /* other identity to match */
+       identification_t *other;
+       /* current shared key */
+       shared_key_t *current;
+} shared_enumerator_t;
+
+METHOD(enumerator_t, shared_enumerate, bool,
+       shared_enumerator_t *this, shared_key_t **out,
+       id_match_t *match_me, id_match_t *match_other)
+{
+       DESTROY_IF(this->current);
+       this->current = this->this->cb.shared(this->this->data,
+                                                               this->me, this->other, match_me, match_other);
+       if (this->current)
+       {
+               *out = this->current;
+               return TRUE;
+       }
+       return FALSE;
+}
+
+METHOD(enumerator_t, shared_destroy, void,
+       shared_enumerator_t *this)
+{
+       DESTROY_IF(this->current);
+       free(this);
+}
+
+METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
+       private_callback_cred_t *this, shared_key_type_t type,
+       identification_t *me, identification_t *other)
+{
+       shared_enumerator_t *enumerator;
+
+       INIT(enumerator,
+               .public = {
+                       .enumerate = (void*)_shared_enumerate,
+                       .destroy = _shared_destroy,
+               },
+               .this = this,
+               .me = me,
+               .other = other,
+       );
+       return &enumerator->public;
+}
+
+METHOD(callback_cred_t, destroy, void,
+       private_callback_cred_t *this)
+{
+       free(this);
+}
+
+/**
+ * Create a generic callback credential set
+ */
+static private_callback_cred_t* create_generic(void *cb, void *data)
+{
+       private_callback_cred_t *this;
+
+       INIT(this,
+               .public = {
+                       .set = {
+                               .create_shared_enumerator = (void*)return_null,
+                               .create_private_enumerator = (void*)return_null,
+                               .create_cert_enumerator = (void*)return_null,
+                               .create_cdp_enumerator  = (void*)return_null,
+                               .cache_cert = (void*)nop,
+                       },
+                       .destroy = _destroy,
+               },
+               .cb.generic = cb,
+               .data = data,
+       );
+       return this;
+}
+
+/**
+ * See header
+ */
+callback_cred_t *callback_cred_create_shared(callback_cred_shared_cb_t cb,
+                                                                                        void *data)
+{
+       private_callback_cred_t *this = create_generic(cb, data);
+
+       this->public.set.create_shared_enumerator = _create_shared_enumerator;
+
+       return &this->public;
+}
diff --git a/src/libstrongswan/credentials/sets/callback_cred.h b/src/libstrongswan/credentials/sets/callback_cred.h
new file mode 100644 (file)
index 0000000..9cc5b65
--- /dev/null
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup callback_cred callback_cred
+ * @{ @ingroup sets
+ */
+
+#ifndef CALLBACK_CRED_H_
+#define CALLBACK_CRED_H_
+
+typedef struct callback_cred_t callback_cred_t;
+
+#include <credentials/credential_set.h>
+
+/**
+ * Callback function to get shared keys.
+ *
+ * @param me                   own identity
+ * @param other                        other identity
+ * @param match_me             match result of own identity
+ * @param match_other  match result of other identity
+ */
+typedef shared_key_t* (*callback_cred_shared_cb_t)(void *data,
+                                                               identification_t *me, identification_t *other,
+                                                               id_match_t *match_me, id_match_t *match_other);
+
+/**
+ * Generic callbcack using user specified callback functions.
+ */
+struct callback_cred_t {
+
+       /**
+        * Implements credential_set_t.
+        */
+       credential_set_t set;
+
+       /**
+        * Destroy a callback_cred_t.
+        */
+       void (*destroy)(callback_cred_t *this);
+};
+
+/**
+ * Create a callback_cred instance, for a shared key.
+ *
+ * @param cb           callback function
+ * @param data         data to pass to callback
+ */
+callback_cred_t *callback_cred_create_shared(callback_cred_shared_cb_t cb,
+                                                                                        void *data);
+
+#endif /** CALLBACK_CRED_H_ @}*/
index 2ddffd5..b50ae07 100644 (file)
@@ -331,13 +331,26 @@ static bool find_key(private_pkcs11_private_key_t *this, chunk_t keyid)
 }
 
 /**
- * Try a login to the session
+ * Find a PIN and try to log in
  */
-static bool login(private_pkcs11_private_key_t *this, chunk_t pin, int slot)
+static bool login(private_pkcs11_private_key_t *this, chunk_t keyid, int slot)
 {
+       identification_t *id;
+       shared_key_t *shared;
+       chunk_t pin;
        CK_RV rv;
 
+       id = identification_create_from_encoding(ID_KEY_ID, keyid);
+       shared = lib->credmgr->get_shared(lib->credmgr, SHARED_PIN, id, NULL);
+       id->destroy(id);
+       if (!shared)
+       {
+               DBG1(DBG_CFG, "no PIN found for PKCS#11 key %#B", keyid);
+               return FALSE;
+       }
+       pin = shared->get_key(shared);
        rv = this->lib->f->C_Login(this->session, CKU_USER, pin.ptr, pin.len);
+       shared->destroy(shared);
        if (rv != CKR_OK)
        {
                DBG1(DBG_CFG, "login to '%s':%d failed: %N",
@@ -353,14 +366,11 @@ static bool login(private_pkcs11_private_key_t *this, chunk_t pin, int slot)
 pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
 {
        private_pkcs11_private_key_t *this;
-       chunk_t (*cb)(void *data, int try) = NULL;
-       void *cb_data = NULL;
        char *module = NULL;
-       chunk_t keyid, pin;
-       int slot = -1, try = 0;
+       chunk_t keyid = chunk_empty;
+       int slot = -1;
        CK_RV rv;
 
-       keyid = pin = chunk_empty;
        while (TRUE)
        {
                switch (va_arg(args, builder_part_t))
@@ -368,13 +378,6 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
                        case BUILD_PKCS11_KEYID:
                                keyid = va_arg(args, chunk_t);
                                continue;
-                       case BUILD_PASSPHRASE:
-                               pin = va_arg(args, chunk_t);
-                               continue;
-                       case BUILD_PASSPHRASE_CALLBACK:
-                               cb = va_arg(args, void*);
-                               cb_data = va_arg(args, void*);
-                               continue;
                        case BUILD_PKCS11_SLOT:
                                slot = va_arg(args, int);
                                continue;
@@ -388,7 +391,7 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
                }
                break;
        }
-       if (!keyid.len || (!pin.len && !cb))
+       if (!keyid.len)
        {
                return NULL;
        }
@@ -444,29 +447,10 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
 
        this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 
-       if (pin.ptr)
-       {
-               if (!login(this, pin, slot))
-               {
-                       destroy(this);
-                       return NULL;
-               }
-       }
-       else
+       if (!login(this, keyid, slot))
        {
-               while (TRUE)
-               {
-                       pin = cb(cb_data, ++try);
-                       if (!pin.len)
-                       {
-                               destroy(this);
-                               return NULL;
-                       }
-                       if (login(this, pin, slot))
-                       {
-                               break;
-                       }
-               }
+               destroy(this);
+               return NULL;
        }
 
        if (!find_key(this, keyid))