diff options
Diffstat (limited to 'src/charon/plugins/nm/nm_creds.c')
| -rw-r--r-- | src/charon/plugins/nm/nm_creds.c | 240 |
1 files changed, 176 insertions, 64 deletions
diff --git a/src/charon/plugins/nm/nm_creds.c b/src/charon/plugins/nm/nm_creds.c index 4ea2c36dd..193838e6b 100644 --- a/src/charon/plugins/nm/nm_creds.c +++ b/src/charon/plugins/nm/nm_creds.c @@ -15,8 +15,13 @@ #include "nm_creds.h" +#include <sys/types.h> +#include <sys/stat.h> +#include <unistd.h> + #include <daemon.h> -#include <utils/mutex.h> +#include <threading/rwlock.h> +#include <credentials/certificates/x509.h> typedef struct private_nm_creds_t private_nm_creds_t; @@ -29,32 +34,32 @@ struct private_nm_creds_t { * public functions */ nm_creds_t public; - + /** - * gateway certificate + * List of trusted certificates, certificate_t* */ - certificate_t *cert; - + linked_list_t *certs; + /** - * User name - */ - identification_t *user; - + * User name + */ + identification_t *user; + /** * User password */ char *pass; - + /** * users certificate */ certificate_t *usercert; - + /** * users private key */ private_key_t *key; - + /** * read/write lock */ @@ -68,13 +73,13 @@ static enumerator_t *create_usercert_enumerator(private_nm_creds_t *this, certificate_type_t cert, key_type_t key) { public_key_t *public; - + if (cert != CERT_ANY && cert != this->usercert->get_type(this->usercert)) { return NULL; } if (key != KEY_ANY) - { + { public = this->usercert->get_public_key(this->usercert); if (!public) { @@ -94,6 +99,80 @@ static enumerator_t *create_usercert_enumerator(private_nm_creds_t *this, } /** + * CA certificate enumerator data + */ +typedef struct { + /** ref to credential credential store */ + private_nm_creds_t *this; + /** type of key we are looking for */ + key_type_t key; + /** CA certificate ID */ + identification_t *id; +} cert_data_t; + +/** + * Destroy CA certificate enumerator data + */ +static void cert_data_destroy(cert_data_t *data) +{ + data->this->lock->unlock(data->this->lock); + free(data); +} + +/** + * Filter function for certificates enumerator + */ +static bool cert_filter(cert_data_t *data, certificate_t **in, + certificate_t **out) +{ + certificate_t *cert = *in; + public_key_t *public; + + public = cert->get_public_key(cert); + if (!public) + { + return FALSE; + } + if (data->key != KEY_ANY && public->get_type(public) != data->key) + { + public->destroy(public); + return FALSE; + } + if (data->id && data->id->get_type(data->id) == ID_KEY_ID && + public->has_fingerprint(public, data->id->get_encoding(data->id))) + { + public->destroy(public); + *out = cert; + return TRUE; + } + public->destroy(public); + if (data->id && !cert->has_subject(cert, data->id)) + { + return FALSE; + } + *out = cert; + return TRUE; +} + +/** + * Create enumerator for trusted certificates + */ +static enumerator_t *create_trusted_cert_enumerator(private_nm_creds_t *this, + key_type_t key, identification_t *id) +{ + cert_data_t *data = malloc_thing(cert_data_t); + + data->this = this; + data->id = id; + data->key = key; + + this->lock->read_lock(this->lock); + return enumerator_create_filter( + this->certs->create_enumerator(this->certs), + (void*)cert_filter, data, (void*)cert_data_destroy); +} + +/** * Implements credential_set_t.create_cert_enumerator */ static enumerator_t* create_cert_enumerator(private_nm_creds_t *this, @@ -105,38 +184,11 @@ static enumerator_t* create_cert_enumerator(private_nm_creds_t *this, { return create_usercert_enumerator(this, cert, key); } - - if (!this->cert) - { - return NULL; - } - if (cert != CERT_ANY && cert != this->cert->get_type(this->cert)) + if (cert == CERT_X509 || cert == CERT_ANY) { - return NULL; + return create_trusted_cert_enumerator(this, key, id); } - if (id && !this->cert->has_subject(this->cert, id)) - { - return NULL; - } - if (key != KEY_ANY) - { - public_key_t *public; - - public = this->cert->get_public_key(this->cert); - if (!public) - { - return NULL; - } - if (public->get_type(public) != key) - { - public->destroy(public); - return NULL; - } - public->destroy(public); - } - this->lock->read_lock(this->lock); - return enumerator_create_cleaner(enumerator_create_single(this->cert, NULL), - (void*)this->lock->unlock, this->lock); + return NULL; } /** @@ -155,10 +207,8 @@ static enumerator_t* create_private_enumerator(private_nm_creds_t *this, } if (id && id->get_type(id) != ID_ANY) { - identification_t *keyid; - - keyid = this->key->get_id(this->key, id->get_type(id)); - if (!keyid || !keyid->equals(keyid, id)) + if (id->get_type(id) != ID_KEY_ID || + !this->key->has_fingerprint(this->key, id->get_encoding(id))) { return NULL; } @@ -207,7 +257,7 @@ static void shared_destroy(shared_enumerator_t *this) /** * Implements credential_set_t.create_cert_enumerator */ -static enumerator_t* create_shared_enumerator(private_nm_creds_t *this, +static enumerator_t* create_shared_enumerator(private_nm_creds_t *this, shared_key_type_t type, identification_t *me, identification_t *other) { @@ -225,7 +275,7 @@ static enumerator_t* create_shared_enumerator(private_nm_creds_t *this, { return NULL; } - + enumerator = malloc_thing(shared_enumerator_t); enumerator->public.enumerate = (void*)shared_enumerate; enumerator->public.destroy = (void*)shared_destroy; @@ -239,17 +289,73 @@ static enumerator_t* create_shared_enumerator(private_nm_creds_t *this, } /** - * Implementation of nm_creds_t.set_certificate + * Implementation of nm_creds_t.add_certificate */ -static void set_certificate(private_nm_creds_t *this, certificate_t *cert) +static void add_certificate(private_nm_creds_t *this, certificate_t *cert) { this->lock->write_lock(this->lock); - DESTROY_IF(this->cert); - this->cert = cert; + this->certs->insert_last(this->certs, cert); this->lock->unlock(this->lock); } /** + * Load a certificate file + */ +static void load_ca_file(private_nm_creds_t *this, char *file) +{ + certificate_t *cert; + + /* We add the CA constraint, as many CAs miss it */ + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, file, BUILD_END); + if (!cert) + { + DBG1(DBG_CFG, "loading CA certificate '%s' failed", file); + } + else + { + DBG2(DBG_CFG, "loaded CA certificate '%Y'", cert->get_subject(cert)); + x509_t *x509 = (x509_t*)cert; + if (!(x509->get_flags(x509) & X509_SELF_SIGNED)) + { + DBG1(DBG_CFG, "%Y is not self signed", cert->get_subject(cert)); + } + this->certs->insert_last(this->certs, cert); + } +} + +/** + * Implementation of nm_creds_t.load_ca_dir + */ +static void load_ca_dir(private_nm_creds_t *this, char *dir) +{ + enumerator_t *enumerator; + char *rel, *abs; + struct stat st; + + enumerator = enumerator_create_directory(dir); + if (enumerator) + { + while (enumerator->enumerate(enumerator, &rel, &abs, &st)) + { + /* skip '.', '..' and hidden files */ + if (rel[0] != '.') + { + if (S_ISDIR(st.st_mode)) + { + load_ca_dir(this, abs); + } + else if (S_ISREG(st.st_mode)) + { + load_ca_file(this, abs); + } + } + } + enumerator->destroy(enumerator); + } +} + +/** * Implementation of nm_creds_t.set_password */ static void set_username_password(private_nm_creds_t *this, identification_t *id, @@ -266,7 +372,7 @@ static void set_username_password(private_nm_creds_t *this, identification_t *id /** * Implementation of nm_creds_t.set_cert_and_key */ -static void set_cert_and_key(private_nm_creds_t *this, certificate_t *cert, +static void set_cert_and_key(private_nm_creds_t *this, certificate_t *cert, private_key_t *key) { this->lock->write_lock(this->lock); @@ -275,14 +381,19 @@ static void set_cert_and_key(private_nm_creds_t *this, certificate_t *cert, this->key = key; this->usercert = cert; this->lock->unlock(this->lock); -} +} /** * Implementation of nm_creds_t.clear */ static void clear(private_nm_creds_t *this) { - DESTROY_IF(this->cert); + certificate_t *cert; + + while (this->certs->remove_last(this->certs, (void**)&cert) == SUCCESS) + { + cert->destroy(cert); + } DESTROY_IF(this->user); free(this->pass); DESTROY_IF(this->usercert); @@ -290,7 +401,6 @@ static void clear(private_nm_creds_t *this) this->key = NULL; this->usercert = NULL; this->pass = NULL; - this->cert = NULL; this->user = NULL; } @@ -300,6 +410,7 @@ static void clear(private_nm_creds_t *this) static void destroy(private_nm_creds_t *this) { clear(this); + this->certs->destroy(this->certs); this->lock->destroy(this->lock); free(this); } @@ -310,26 +421,27 @@ static void destroy(private_nm_creds_t *this) nm_creds_t *nm_creds_create() { private_nm_creds_t *this = malloc_thing(private_nm_creds_t); - + this->public.set.create_private_enumerator = (void*)create_private_enumerator; this->public.set.create_cert_enumerator = (void*)create_cert_enumerator; this->public.set.create_shared_enumerator = (void*)create_shared_enumerator; this->public.set.create_cdp_enumerator = (void*)return_null; this->public.set.cache_cert = (void*)nop; - this->public.set_certificate = (void(*)(nm_creds_t*, certificate_t *cert))set_certificate; + this->public.add_certificate = (void(*)(nm_creds_t*, certificate_t *cert))add_certificate; + this->public.load_ca_dir = (void(*)(nm_creds_t*, char *dir))load_ca_dir; this->public.set_username_password = (void(*)(nm_creds_t*, identification_t *id, char *password))set_username_password; this->public.set_cert_and_key = (void(*)(nm_creds_t*, certificate_t *cert, private_key_t *key))set_cert_and_key; this->public.clear = (void(*)(nm_creds_t*))clear; this->public.destroy = (void(*)(nm_creds_t*))destroy; - + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); - - this->cert = NULL; + + this->certs = linked_list_create(); this->user = NULL; this->pass = NULL; this->usercert = NULL; this->key = NULL; - + return &this->public; } |