Annotation of embedaddon/strongswan/src/libcharon/plugins/vici/vici_cred.c, revision 1.1.1.1
1.1 misho 1: /*
2: * Copyright (C) 2015-2016 Andreas Steffen
3: * Copyright (C) 2016-2017 Tobias Brunner
4: * HSR Hochschule fuer Technik Rapperswil
5: *
6: * Copyright (C) 2014 Martin Willi
7: * Copyright (C) 2014 revosec AG
8: *
9: *
10: * This program is free software; you can redistribute it and/or modify it
11: * under the terms of the GNU General Public License as published by the
12: * Free Software Foundation; either version 2 of the License, or (at your
13: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14: *
15: * This program is distributed in the hope that it will be useful, but
16: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18: * for more details.
19: */
20:
21: #include "vici_cred.h"
22: #include "vici_builder.h"
23: #include "vici_cert_info.h"
24:
25: #include <credentials/sets/mem_cred.h>
26: #include <credentials/certificates/ac.h>
27: #include <credentials/certificates/crl.h>
28: #include <credentials/certificates/x509.h>
29:
30: #include <errno.h>
31:
32: typedef struct private_vici_cred_t private_vici_cred_t;
33:
34: /**
35: * Directory for saved X.509 CRLs
36: */
37: #define CRL_DIR SWANCTLDIR "/x509crl"
38:
39: /**
40: * Private data of an vici_cred_t object.
41: */
42: struct private_vici_cred_t {
43:
44: /**
45: * Public vici_cred_t interface.
46: */
47: vici_cred_t public;
48:
49: /**
50: * Dispatcher
51: */
52: vici_dispatcher_t *dispatcher;
53:
54: /**
55: * credentials
56: */
57: mem_cred_t *creds;
58:
59: /**
60: * separate credential set for token PINs
61: */
62: mem_cred_t *pins;
63:
64: /**
65: * cache CRLs to disk?
66: */
67: bool cachecrl;
68:
69: };
70:
71: METHOD(credential_set_t, cache_cert, void,
72: private_vici_cred_t *this, certificate_t *cert)
73: {
74: if (cert->get_type(cert) == CERT_X509_CRL && this->cachecrl)
75: {
76: /* CRLs get written to /etc/swanctl/x509crl/<authkeyId>.crl */
77: crl_t *crl = (crl_t*)cert;
78:
79: cert->get_ref(cert);
80: if (this->creds->add_crl(this->creds, crl))
81: {
82: char buf[BUF_LEN];
83: chunk_t chunk, hex;
84: bool is_delta_crl;
85:
86: is_delta_crl = crl->is_delta_crl(crl, NULL);
87: chunk = crl->get_authKeyIdentifier(crl);
88: hex = chunk_to_hex(chunk, NULL, FALSE);
89: snprintf(buf, sizeof(buf), "%s/%s%s.crl", CRL_DIR, hex.ptr,
90: is_delta_crl ? "_delta" : "");
91: free(hex.ptr);
92:
93: if (cert->get_encoding(cert, CERT_ASN1_DER, &chunk))
94: {
95: if (chunk_write(chunk, buf, 022, TRUE))
96: {
97: DBG1(DBG_CFG, " written crl file '%s' (%d bytes)",
98: buf, chunk.len);
99: }
100: else
101: {
102: DBG1(DBG_CFG, " writing crl file '%s' failed: %s",
103: buf, strerror(errno));
104: }
105: free(chunk.ptr);
106: }
107: }
108: }
109: }
110:
111: /**
112: * Create a (error) reply message
113: */
114: static vici_message_t* create_reply(char *fmt, ...)
115: {
116: vici_builder_t *builder;
117: va_list args;
118:
119: builder = vici_builder_create();
120: builder->add_kv(builder, "success", fmt ? "no" : "yes");
121: if (fmt)
122: {
123: va_start(args, fmt);
124: builder->vadd_kv(builder, "errmsg", fmt, args);
125: va_end(args);
126: }
127: return builder->finalize(builder);
128: }
129:
130: CALLBACK(load_cert, vici_message_t*,
131: private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
132: {
133: certificate_t *cert;
134: certificate_type_t type;
135: x509_flag_t ext_flag, flag = X509_NONE;
136: x509_t *x509;
137: chunk_t data;
138: bool trusted = TRUE;
139: char *str;
140:
141: str = message->get_str(message, NULL, "type");
142: if (!str)
143: {
144: return create_reply("certificate type missing");
145: }
146: if (enum_from_name(certificate_type_names, str, &type))
147: {
148: if (type == CERT_X509)
149: {
150: str = message->get_str(message, "NONE", "flag");
151: if (!enum_from_name(x509_flag_names, str, &flag))
152: {
153: return create_reply("invalid certificate flag '%s'", str);
154: }
155: }
156: }
157: else if (!vici_cert_info_from_str(str, &type, &flag))
158: {
159: return create_reply("invalid certificate type '%s'", str);
160: }
161:
162: data = message->get_value(message, chunk_empty, "data");
163: if (!data.len)
164: {
165: return create_reply("certificate data missing");
166: }
167:
168: /* do not set CA flag externally */
169: ext_flag = (flag & X509_CA) ? X509_NONE : flag;
170:
171: cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
172: BUILD_BLOB_PEM, data,
173: BUILD_X509_FLAG, ext_flag,
174: BUILD_END);
175: if (!cert)
176: {
177: return create_reply("parsing %N certificate failed",
178: certificate_type_names, type);
179: }
180: DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
181:
182: /* check if CA certificate has CA basic constraint set */
183: if (flag & X509_CA)
184: {
185: char err_msg[] = "ca certificate lacks CA basic constraint, rejected";
186: x509 = (x509_t*)cert;
187:
188: if (!(x509->get_flags(x509) & X509_CA))
189: {
190: cert->destroy(cert);
191: DBG1(DBG_CFG, " %s", err_msg);
192: return create_reply(err_msg);
193: }
194: }
195: if (type == CERT_X509_CRL)
196: {
197: this->creds->add_crl(this->creds, (crl_t*)cert);
198: }
199: else
200: {
201: this->creds->add_cert(this->creds, trusted, cert);
202: }
203: return create_reply(NULL);
204: }
205:
206: CALLBACK(load_key, vici_message_t*,
207: private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
208: {
209: vici_builder_t *builder;
210: key_type_t type;
211: private_key_t *key;
212: chunk_t data, fp;
213: char *str;
214:
215: str = message->get_str(message, NULL, "type");
216: if (!str)
217: {
218: return create_reply("key type missing");
219: }
220: if (strcaseeq(str, "any"))
221: {
222: type = KEY_ANY;
223: }
224: else if (strcaseeq(str, "rsa"))
225: {
226: type = KEY_RSA;
227: }
228: else if (strcaseeq(str, "ecdsa"))
229: {
230: type = KEY_ECDSA;
231: }
232: else if (strcaseeq(str, "bliss"))
233: {
234: type = KEY_BLISS;
235: }
236: else
237: {
238: return create_reply("invalid key type: %s", str);
239: }
240: data = message->get_value(message, chunk_empty, "data");
241: if (!data.len)
242: {
243: return create_reply("key data missing");
244: }
245: key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
246: BUILD_BLOB_PEM, data, BUILD_END);
247: if (!key)
248: {
249: return create_reply("parsing %N private key failed",
250: key_type_names, type);
251: }
252: if (!key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fp))
253: {
254: return create_reply("failed to get key id");
255: }
256:
257: DBG1(DBG_CFG, "loaded %N private key", key_type_names, type);
258:
259: builder = vici_builder_create();
260: builder->add_kv(builder, "success", "yes");
261: builder->add_kv(builder, "id", "%+B", &fp);
262: this->creds->add_key(this->creds, key);
263:
264: return builder->finalize(builder);
265: }
266:
267: CALLBACK(unload_key, vici_message_t*,
268: private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
269: {
270: chunk_t keyid;
271: char buf[BUF_LEN], *hex, *msg = NULL;
272:
273: hex = message->get_str(message, NULL, "id");
274: if (!hex)
275: {
276: return create_reply("key id missing");
277: }
278: keyid = chunk_from_hex(chunk_from_str(hex), NULL);
279: snprintf(buf, sizeof(buf), "%+B", &keyid);
280: DBG1(DBG_CFG, "unloaded private key with id %s", buf);
281: if (this->creds->remove_key(this->creds, keyid))
282: { /* also remove any potential PIN associated with this id */
283: this->pins->remove_shared_unique(this->pins, buf);
284: }
285: else
286: {
287: msg = "key not found";
288: }
289: chunk_free(&keyid);
290: return create_reply(msg);
291: }
292:
293: CALLBACK(get_keys, vici_message_t*,
294: private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
295: {
296: vici_builder_t *builder;
297: enumerator_t *enumerator;
298: private_key_t *private;
299: chunk_t keyid;
300:
301: builder = vici_builder_create();
302: builder->begin_list(builder, "keys");
303:
304: enumerator = this->creds->set.create_private_enumerator(&this->creds->set,
305: KEY_ANY, NULL);
306: while (enumerator->enumerate(enumerator, &private))
307: {
308: if (private->get_fingerprint(private, KEYID_PUBKEY_SHA1, &keyid))
309: {
310: builder->add_li(builder, "%+B", &keyid);
311: }
312: }
313: enumerator->destroy(enumerator);
314:
315: builder->end_list(builder);
316: return builder->finalize(builder);
317: }
318:
319: CALLBACK(load_token, vici_message_t*,
320: private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
321: {
322: vici_builder_t *builder;
323: private_key_t *key;
324: shared_key_t *shared = NULL;
325: identification_t *owner;
326: mem_cred_t *set = NULL;
327: chunk_t handle, fp;
328: char buf[BUF_LEN], *hex, *module, *pin, *unique = NULL;
329: int slot;
330:
331: hex = message->get_str(message, NULL, "handle");
332: if (!hex)
333: {
334: return create_reply("keyid missing");
335: }
336: handle = chunk_from_hex(chunk_from_str(hex), NULL);
337: slot = message->get_int(message, -1, "slot");
338: module = message->get_str(message, NULL, "module");
339: pin = message->get_str(message, NULL, "pin");
340:
341: if (pin)
342: { /* provide the pin in a temporary credential set to access the key */
343: shared = shared_key_create(SHARED_PIN, chunk_clone(chunk_from_str(pin)));
344: owner = identification_create_from_encoding(ID_KEY_ID, handle);
345: set = mem_cred_create();
346: set->add_shared(set, shared->get_ref(shared), owner, NULL);
347: lib->credmgr->add_local_set(lib->credmgr, &set->set, FALSE);
348: }
349: if (slot >= 0)
350: {
351: key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
352: BUILD_PKCS11_KEYID, handle,
353: BUILD_PKCS11_SLOT, slot,
354: module ? BUILD_PKCS11_MODULE : BUILD_END, module,
355: BUILD_END);
356: }
357: else
358: {
359: key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
360: BUILD_PKCS11_KEYID, handle,
361: module ? BUILD_PKCS11_MODULE : BUILD_END, module,
362: BUILD_END);
363: }
364: if (set)
365: {
366: lib->credmgr->remove_local_set(lib->credmgr, &set->set);
367: set->destroy(set);
368: }
369: if (!key)
370: {
371: chunk_free(&handle);
372: DESTROY_IF(shared);
373: return create_reply("loading private key from token failed");
374: }
375: builder = vici_builder_create();
376: builder->add_kv(builder, "success", "yes");
377: if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fp))
378: {
379: snprintf(buf, sizeof(buf), "%+B", &fp);
380: builder->add_kv(builder, "id", "%s", buf);
381: unique = buf;
382: }
383: if (shared && unique)
384: { /* use the handle as owner, but the key identifier as unique ID */
385: owner = identification_create_from_encoding(ID_KEY_ID, handle);
386: this->pins->add_shared_unique(this->pins, unique, shared,
387: linked_list_create_with_items(owner, NULL));
388: }
389: else
390: {
391: DESTROY_IF(shared);
392: }
393: DBG1(DBG_CFG, "loaded %N private key from token", key_type_names,
394: key->get_type(key));
395: this->creds->add_key(this->creds, key);
396: chunk_free(&handle);
397: return builder->finalize(builder);
398: }
399:
400: CALLBACK(shared_owners, bool,
401: linked_list_t *owners, vici_message_t *message, char *name, chunk_t value)
402: {
403: if (streq(name, "owners"))
404: {
405: char buf[256];
406:
407: if (!vici_stringify(value, buf, sizeof(buf)))
408: {
409: return FALSE;
410: }
411: owners->insert_last(owners, identification_create_from_string(buf));
412: }
413: return TRUE;
414: }
415:
416: CALLBACK(load_shared, vici_message_t*,
417: private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
418: {
419: shared_key_type_t type;
420: linked_list_t *owners;
421: chunk_t data;
422: char *unique, *str, buf[512] = "";
423: enumerator_t *enumerator;
424: identification_t *owner;
425: int len;
426:
427: unique = message->get_str(message, NULL, "id");
428: str = message->get_str(message, NULL, "type");
429: if (!str)
430: {
431: return create_reply("shared key type missing");
432: }
433: if (strcaseeq(str, "ike"))
434: {
435: type = SHARED_IKE;
436: }
437: else if (strcaseeq(str, "eap") || strcaseeq(str, "xauth"))
438: {
439: type = SHARED_EAP;
440: }
441: else if (strcaseeq(str, "ntlm"))
442: {
443: type = SHARED_NT_HASH;
444: }
445: else if (strcaseeq(str, "ppk"))
446: {
447: type = SHARED_PPK;
448: }
449: else
450: {
451: return create_reply("invalid shared key type: %s", str);
452: }
453: data = message->get_value(message, chunk_empty, "data");
454: if (!data.len)
455: {
456: return create_reply("shared key data missing");
457: }
458:
459: owners = linked_list_create();
460: if (!message->parse(message, NULL, NULL, NULL, shared_owners, owners))
461: {
462: owners->destroy_offset(owners, offsetof(identification_t, destroy));
463: return create_reply("parsing shared key owners failed");
464: }
465: if (owners->get_count(owners) == 0)
466: {
467: owners->insert_last(owners, identification_create_from_string("%any"));
468: }
469:
470: enumerator = owners->create_enumerator(owners);
471: while (enumerator->enumerate(enumerator, &owner))
472: {
473: len = strlen(buf);
474: if (len < sizeof(buf))
475: {
476: snprintf(buf + len, sizeof(buf) - len, "%s'%Y'",
477: len ? ", " : "", owner);
478: }
479: }
480: enumerator->destroy(enumerator);
481:
482: if (unique)
483: {
484: DBG1(DBG_CFG, "loaded %N shared key with id '%s' for: %s",
485: shared_key_type_names, type, unique, buf);
486: }
487: else
488: {
489: DBG1(DBG_CFG, "loaded %N shared key for: %s",
490: shared_key_type_names, type, buf);
491: }
492:
493: this->creds->add_shared_unique(this->creds, unique,
494: shared_key_create(type, chunk_clone(data)), owners);
495:
496: return create_reply(NULL);
497: }
498:
499: CALLBACK(unload_shared, vici_message_t*,
500: private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
501: {
502: char *unique;
503:
504: unique = message->get_str(message, NULL, "id");
505: if (!unique)
506: {
507: return create_reply("unique identifier missing");
508: }
509: DBG1(DBG_CFG, "unloaded shared key with id '%s'", unique);
510: this->creds->remove_shared_unique(this->creds, unique);
511: return create_reply(NULL);
512: }
513:
514: CALLBACK(get_shared, vici_message_t*,
515: private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
516: {
517: vici_builder_t *builder;
518: enumerator_t *enumerator;
519: char *unique;
520:
521: builder = vici_builder_create();
522: builder->begin_list(builder, "keys");
523:
524: enumerator = this->creds->create_unique_shared_enumerator(this->creds);
525: while (enumerator->enumerate(enumerator, &unique))
526: {
527: builder->add_li(builder, "%s", unique);
528: }
529: enumerator->destroy(enumerator);
530:
531: builder->end_list(builder);
532: return builder->finalize(builder);
533: }
534:
535: CALLBACK(clear_creds, vici_message_t*,
536: private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
537: {
538: this->creds->clear(this->creds);
539: lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
540:
541: return create_reply(NULL);
542: }
543:
544: CALLBACK(flush_certs, vici_message_t*,
545: private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
546: {
547: certificate_type_t type = CERT_ANY;
548: x509_flag_t flag = X509_NONE;
549: char *str;
550:
551: str = message->get_str(message, NULL, "type");
552: if (str && !enum_from_name(certificate_type_names, str, &type) &&
553: !vici_cert_info_from_str(str, &type, &flag))
554: {
555: return create_reply("invalid certificate type '%s'", str);
556: }
557: lib->credmgr->flush_cache(lib->credmgr, type);
558:
559: return create_reply(NULL);
560: }
561:
562: static void manage_command(private_vici_cred_t *this,
563: char *name, vici_command_cb_t cb, bool reg)
564: {
565: this->dispatcher->manage_command(this->dispatcher, name,
566: reg ? cb : NULL, this);
567: }
568:
569: /**
570: * (Un-)register dispatcher functions
571: */
572: static void manage_commands(private_vici_cred_t *this, bool reg)
573: {
574: manage_command(this, "clear-creds", clear_creds, reg);
575: manage_command(this, "flush-certs", flush_certs, reg);
576: manage_command(this, "load-cert", load_cert, reg);
577: manage_command(this, "load-key", load_key, reg);
578: manage_command(this, "unload-key", unload_key, reg);
579: manage_command(this, "get-keys", get_keys, reg);
580: manage_command(this, "load-token", load_token, reg);
581: manage_command(this, "load-shared", load_shared, reg);
582: manage_command(this, "unload-shared", unload_shared, reg);
583: manage_command(this, "get-shared", get_shared, reg);
584: }
585:
586: METHOD(vici_cred_t, add_cert, certificate_t*,
587: private_vici_cred_t *this, certificate_t *cert)
588: {
589: return this->creds->add_cert_ref(this->creds, TRUE, cert);
590: }
591:
592: METHOD(vici_cred_t, destroy, void,
593: private_vici_cred_t *this)
594: {
595: manage_commands(this, FALSE);
596:
597: lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
598: this->creds->destroy(this->creds);
599: lib->credmgr->remove_set(lib->credmgr, &this->pins->set);
600: this->pins->destroy(this->pins);
601: free(this);
602: }
603:
604: /**
605: * See header
606: */
607: vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
608: {
609: private_vici_cred_t *this;
610:
611: INIT(this,
612: .public = {
613: .set = {
614: .create_private_enumerator = (void*)return_null,
615: .create_cert_enumerator = (void*)return_null,
616: .create_shared_enumerator = (void*)return_null,
617: .create_cdp_enumerator = (void*)return_null,
618: .cache_cert = (void*)_cache_cert,
619: },
620: .add_cert = _add_cert,
621: .destroy = _destroy,
622: },
623: .dispatcher = dispatcher,
624: .creds = mem_cred_create(),
625: .pins = mem_cred_create(),
626: );
627:
628: if (lib->settings->get_bool(lib->settings, "%s.cache_crls", FALSE, lib->ns))
629: {
630: this->cachecrl = TRUE;
631: DBG1(DBG_CFG, "crl caching to %s enabled", CRL_DIR);
632: }
633: lib->credmgr->add_set(lib->credmgr, &this->creds->set);
634: lib->credmgr->add_set(lib->credmgr, &this->pins->set);
635:
636: manage_commands(this, TRUE);
637:
638: return &this->public;
639: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>