credential lookup in mysql/sqlite database

2008-03-14 15:06:42 +00:00 · 2008-03-14 15:06:42 +00:00 · 39ea88f694
parent 9c410a8806
commit 39ea88f694
7 changed files with 493 additions and 2 deletions
--- a/src/charon/plugins/sql/Makefile.am
+++ b/src/charon/plugins/sql/Makefile.am
@ -5,6 +5,6 @@ AM_CFLAGS = -rdynamic

 plugin_LTLIBRARIES = libcharon-sql.la
 libcharon_sql_la_SOURCES = sql_plugin.h sql_plugin.c \
-  sql_config.h sql_config.c
+  sql_config.h sql_config.c sql_cred.h sql_cred.c
 libcharon_sql_la_LDFLAGS = -module

--- a/src/charon/plugins/sql/mysql.sql
+++ b/src/charon/plugins/sql/mysql.sql
@ -81,3 +81,36 @@ CREATE TABLE `traffic_selectors` (
  PRIMARY KEY  (`id`)
 ) ENGINE=MyISAM  DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

+
+DROP TABLE IF EXISTS shared_secrets;
+CREATE TABLE shared_secrets (
+  `id` int(10) unsigned NOT NULL auto_increment,
+  `type` tinyint(3) unsigned NOT NULL,
+  `local` varchar(64) default NULL,
+  `remote` varchar(64) default NULL,
+  `data` BLOB NOT NULL,
+  PRIMARY KEY  (`id`)
+) ENGINE=MyISAM  DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS certificates;
+CREATE TABLE certificates (
+  `id` int(10) unsigned NOT NULL auto_increment,
+  `type` tinyint(3) unsigned NOT NULL,
+  `keytype` tinyint(3) unsigned NOT NULL,
+  `keyid` BLOB NOT NULL,
+  `subject` varchar(64) default NULL,
+  `data` BLOB NOT NULL,
+  PRIMARY KEY  (`id`)
+) ENGINE=MyISAM  DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS private_keys;
+CREATE TABLE private_keys (
+  `id` int(10) unsigned NOT NULL auto_increment,
+  `type` tinyint(3) unsigned NOT NULL,
+  `keyid` tinyblob NOT NULL,
+  `data` BLOB NOT NULL,
+  PRIMARY KEY  (`id`)
+) ENGINE=MyISAM  DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
--- a/src/charon/plugins/sql/sql_cred.c
+++ b/src/charon/plugins/sql/sql_cred.c
@ -0,0 +1,346 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: sql_cred.c 3589 2008-03-13 14:14:44Z martin $
+ */
+
+#include <string.h>
+
+#include "sql_cred.h"
+
+#include <daemon.h>
+
+typedef struct private_sql_cred_t private_sql_cred_t;
+
+/**
+ * Private data of an sql_cred_t object
+ */
+struct private_sql_cred_t {
+
+	/**
+	 * Public part
+	 */
+	sql_cred_t public;
+	
+	/**
+	 * database connection
+	 */
+	database_t *db;
+};
+
+/**
+ * enumerator over private keys
+ */
+typedef struct {
+	/** implements enumerator */
+	enumerator_t public;
+	/** inner SQL enumerator */
+	enumerator_t *inner;
+	/** currently enumerated private key */
+	private_key_t *current;
+} private_enumerator_t;
+
+/**
+ * Implementation of private_enumerator_t.public.enumerate
+ */
+static bool private_enumerator_enumerate(private_enumerator_t *this,
+										 private_key_t **key)
+{
+	chunk_t blob;
+	int type;
+
+	DESTROY_IF(this->current);
+	while (this->inner->enumerate(this->inner, &type, &blob))
+	{
+		this->current = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+										   BUILD_BLOB_ASN1_DER, chunk_clone(blob),
+										   BUILD_END);
+		if (this->current)
+		{
+			*key = this->current;
+			return TRUE;
+		}
+	}
+	this->current = NULL;
+	return FALSE;
+}
+
+/**
+ * Implementation of private_enumerator_t.public.destroy
+ */
+static void private_enumerator_destroy(private_enumerator_t *this)
+{
+	DESTROY_IF(this->current);
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+/**
+ * Implementation of credential_set_t.create_private_enumerator.
+ */
+static enumerator_t* create_private_enumerator(private_sql_cred_t *this,
+											   key_type_t type,
+											   identification_t *id)
+{
+	private_enumerator_t *e;
+	chunk_t keyid = chunk_empty;
+	
+	if (id)
+	{
+		if (id->get_type(id) != ID_PUBKEY_INFO_SHA1)
+		{
+			DBG1(DBG_CFG, "looking for %N private key", id_type_names, id->get_type(id));
+			return NULL;
+		}
+		keyid = id->get_encoding(id);
+		DBG1(DBG_CFG, "looking for %#B", &keyid);
+	}
+	DBG1(DBG_CFG, "looking for a private key");
+	e = malloc_thing(private_enumerator_t);
+	e->current = NULL;
+	e->public.enumerate = (void*)private_enumerator_enumerate;
+	e->public.destroy = (void*)private_enumerator_destroy;
+	e->inner = this->db->query(this->db,
+			"SELECT type, data FROM private_keys "
+			"WHERE (? OR keyid = ?) AND (? OR type = ?)",
+			DB_INT, id == NULL, DB_BLOB, keyid,
+			DB_INT, type == KEY_ANY, DB_INT, type,
+			DB_INT, DB_BLOB);
+	if (!e->inner)
+	{
+		free(e);
+		return NULL;
+	}
+	return &e->public;
+}
+
+/**
+ * enumerator over certificates
+ */
+typedef struct {
+	/** implements enumerator */
+	enumerator_t public;
+	/** inner SQL enumerator */
+	enumerator_t *inner;
+	/** currently enumerated cert */
+	certificate_t *current;
+} cert_enumerator_t;
+
+/**
+ * Implementation of cert_enumerator_t.public.enumerate
+ */
+static bool cert_enumerator_enumerate(cert_enumerator_t *this,
+									  certificate_t **cert)
+{
+	chunk_t blob;
+	int type;
+
+	DESTROY_IF(this->current);
+	while (this->inner->enumerate(this->inner, &type, &blob))
+	{
+		this->current = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
+										   BUILD_BLOB_ASN1_DER, chunk_clone(blob),
+										   BUILD_END);
+		if (this->current)
+		{
+			*cert = this->current;
+			return TRUE;
+		}
+	}
+	this->current = NULL;
+	return FALSE;
+}
+
+/**
+ * Implementation of cert_enumerator_t.public.destroy
+ */
+static void cert_enumerator_destroy(cert_enumerator_t *this)
+{
+	DESTROY_IF(this->current);
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+/**
+ * Implementation of credential_set_t.create_cert_enumerator.
+ */
+static enumerator_t* create_cert_enumerator(private_sql_cred_t *this,
+										certificate_type_t cert, key_type_t key,
+										identification_t *id, bool trusted)
+{
+	cert_enumerator_t *e;
+	chunk_t enc = chunk_empty;
+	id_type_t type = ID_ANY;
+	
+	if (id)
+	{
+		type = id->get_type(id);
+		enc = id->get_encoding(id);
+	}
+	
+	e = malloc_thing(cert_enumerator_t);
+	e->current = NULL;
+	e->public.enumerate = (void*)cert_enumerator_enumerate;
+	e->public.destroy = (void*)cert_enumerator_destroy;
+	e->inner = this->db->query(this->db,
+			"SELECT type, data FROM certificates "
+			"WHERE (? OR type = ?) AND (? OR keytype = ?) AND "
+			"(? OR (? AND subject = ?) OR (? AND keyid = ?))",
+			DB_INT, cert == CERT_ANY, DB_INT, cert,
+			DB_INT, key == KEY_ANY, DB_INT, key,
+			DB_INT, id == NULL,
+			DB_INT, type == ID_DER_ASN1_DN, DB_BLOB, enc,
+			DB_INT, type == ID_PUBKEY_INFO_SHA1, DB_BLOB, enc,
+			DB_INT, DB_BLOB);
+	if (!e->inner)
+	{
+		free(e);
+		return NULL;
+	}
+	return &e->public;
+}
+
+/**
+ * enumerator over shared keys
+ */
+typedef struct {
+	/** implements enumerator */
+	enumerator_t public;
+	/** inner SQL enumerator */
+	enumerator_t *inner;
+	/** match of me */
+	id_match_t me;
+	/** match of other */
+	id_match_t other;
+	/** currently enumerated private key */
+	shared_key_t *current;
+} shared_enumerator_t;
+
+/**
+ * Implementation of shared_enumerator_t.public.enumerate
+ */
+static bool shared_enumerator_enumerate(shared_enumerator_t *this,
+										shared_key_t **shared,
+										id_match_t *me, id_match_t *other)
+{
+	chunk_t blob;
+	int type;
+
+	DESTROY_IF(this->current);
+	while (this->inner->enumerate(this->inner, &type, &blob))
+	{
+		this->current = shared_key_create(type, chunk_clone(blob));
+		if (this->current)
+		{
+			*shared = this->current;
+			if (me)
+			{
+				*me = this->me;
+			}
+			if (other)
+			{
+				*other = this->other;
+			}
+			return TRUE;
+		}
+	}
+	this->current = NULL;
+	return FALSE;
+}
+
+/**
+ * Implementation of shared_enumerator_t.public.destroy
+ */
+static void shared_enumerator_destroy(shared_enumerator_t *this)
+{
+	DESTROY_IF(this->current);
+	this->inner->destroy(this->inner);
+	free(this);
+}
+
+/**
+ * Implementation of credential_set_t.create_shared_enumerator.
+ */
+static enumerator_t* create_shared_enumerator(private_sql_cred_t *this,
+								  shared_key_type_t type, 
+								  identification_t *me, identification_t *other)
+{
+	shared_enumerator_t *e;
+	chunk_t my_chunk = chunk_empty, other_chunk = chunk_empty;
+	
+	e = malloc_thing(shared_enumerator_t);
+	e->me = ID_MATCH_ANY;
+	e->other = ID_MATCH_ANY;
+	if (me)
+	{
+		e->me = ID_MATCH_PERFECT;
+		my_chunk = me->get_encoding(me);
+	}
+	if (other)
+	{
+		e->other = ID_MATCH_PERFECT;
+		other_chunk = other->get_encoding(other);
+	}
+	e->current = NULL;
+	e->public.enumerate = (void*)shared_enumerator_enumerate;
+	e->public.destroy = (void*)shared_enumerator_destroy;
+	e->inner = this->db->query(this->db,
+			"SELECT type, data FROM certificates "
+			"WHERE (? OR local = ?) AND (? OR remote = ?) AND (? OR type = ?)",
+			DB_INT, me == NULL, DB_BLOB, my_chunk,
+			DB_INT, other == NULL, DB_BLOB, other_chunk,
+			DB_INT, type == SHARED_ANY, DB_INT, type,
+			DB_INT, DB_BLOB);
+	if (!e->inner)
+	{
+		free(e);
+		return NULL;
+	}
+	return &e->public;
+}
+
+/**
+ * return null
+ */
+static void *return_null()
+{
+	return NULL;
+}
+
+/**
+ * Implementation of sql_cred_t.destroy.
+ */
+static void destroy(private_sql_cred_t *this)
+{
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+sql_cred_t *sql_cred_create(database_t *db)
+{
+	private_sql_cred_t *this = malloc_thing(private_sql_cred_t);
+	
+	this->public.set.create_private_enumerator = (void*)create_private_enumerator;
+	this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
+	this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
+	this->public.set.create_cdp_enumerator = (void*)return_null;
+	this->public.destroy = (void(*)(sql_cred_t*))destroy;
+	
+	this->db = db;
+	
+	return &this->public;
+}
+
--- a/src/charon/plugins/sql/sql_cred.h
+++ b/src/charon/plugins/sql/sql_cred.h
@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id: sql_cred.h 3594 2008-03-13 14:53:57Z martin $
+ */
+
+/**
+ * @defgroup sql_cred_i sql_cred
+ * @{ @ingroup sql
+ */
+
+#ifndef SQL_CRED_H_
+#define SQL_CRED_H_
+
+#include <credentials/credential_set.h>
+#include <database/database.h>
+
+typedef struct sql_cred_t sql_cred_t;
+
+/**
+ * SQL database credential set.
+ */
+struct sql_cred_t {
+
+	/**
+	 * Implements credential_set_t interface
+	 */
+	credential_set_t set;
+	
+	/**
+	 * Destry the backend.
+	 */
+	void (*destroy)(sql_cred_t *this);	
+};
+
+/**
+ * Create a sql_cred backend instance.
+ *
+ * @param db		underlying database
+ * @return			credential set
+ */
+sql_cred_t *sql_cred_create(database_t *db);
+
+#endif /* SQL_CRED_H_ @}*/
--- a/src/charon/plugins/sql/sql_plugin.c
+++ b/src/charon/plugins/sql/sql_plugin.c
@ -19,6 +19,7 @@

 #include <daemon.h>
 #include "sql_config.h"
+#include "sql_cred.h"

 typedef struct private_sql_plugin_t private_sql_plugin_t;

@ -41,6 +42,11 @@ struct private_sql_plugin_t {
 	 * configuration backend
 	 */
 	sql_config_t *config;
+	
+	/**
+	 * credential set
+	 */
+	sql_cred_t *cred;
 };

 /**
@ -49,7 +55,9 @@ struct private_sql_plugin_t {
 static void destroy(private_sql_plugin_t *this)
 {
 	charon->backends->remove_backend(charon->backends, &this->config->backend);
+	charon->credentials->remove_set(charon->credentials, &this->cred->set);
 	this->config->destroy(this->config);
+	this->cred->destroy(this->cred);
 	this->db->destroy(this->db);
 	free(this);
 }
@ -81,8 +89,10 @@ plugin_t *plugin_create()
 		return NULL;
 	}
 	this->config = sql_config_create(this->db);
-		
+	this->cred = sql_cred_create(this->db);
+	
 	charon->backends->add_backend(charon->backends, &this->config->backend);
+	charon->credentials->add_set(charon->credentials, &this->cred->set);
 	
 	return &this->public.plugin;
 }
--- a/src/charon/plugins/sql/sqlite.sql
+++ b/src/charon/plugins/sql/sqlite.sql
@ -73,3 +73,29 @@ CREATE TABLE traffic_selectors (
  end_port INTEGER NOT NULL default '65535'
 );

+DROP TABLE IF EXISTS shared_secrets;
+CREATE TABLE shared_secrets (
+	id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+	type INTEGER NOT NULL,
+	local TEXT default NULL,
+	remote TEXT default NULL,
+	data BLOB NOT NULL
+);
+
+DROP TABLE IF EXISTS certificates;
+CREATE TABLE certificates (
+	id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+	type INTEGER NOT NULL,
+	keytype INTEGER NOT NULL,
+	keyid BLOB NOT NULL,
+	subject TEXT default NULL,
+	data BLOB NOT NULL
+);
+
+DROP TABLE IF EXISTS private_keys;
+CREATE TABLE private_keys (
+	id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+	type INTEGER NOT NULL,
+	keyid BLOB NOT NULL,
+	data BLOB NOT NULL
+);
--- a/src/charon/plugins/sql/test.sql
+++ b/src/charon/plugins/sql/test.sql
@ -36,3 +36,24 @@ INSERT INTO peer_configs (
 ) VALUES (
 	'sqltest', 1, 'C=CH, O=Linux strongSwan, CN=martin', 'sidv0150.hsr.ch'
 );
+
+INSERT INTO certificates (
+	type, keytype, keyid, subject, data
+) VALUES (
+	1, 1, 
+	X'5d735be540d27e858bbc56d7b73766d859bac953',
+	'C=CH, O=Linux strongSwan, CN=martin',
+	X'308202fa308201e2a00302010202105af265ae78ff23def7a6a3948c3fa0c1300d06092a864886f70d01010505003039310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310f300d060355040313066d617274696e301e170d3037303432373037313432365a170d3132303432353037313432365a3039310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310f300d060355040313066d617274696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100d7b9ba4de23b3d357a3f886795e7fd9fe90a0d793a9e218fcbe46724ae0cdab3ccec36b4a84df13dade48c639254b7b202a200628b04aca017ad179a050dd7b30802c526cfdd0542fc136d9fb1f34f821def01c991ea371b7928fabf9fb3eb824f10c64ba408f78ef200ea0497809f6586de6bc7da83fcad4aaf528b4d33ee49872f3b6045668fe689ccb19202172b7b8e90478484599581d8e0f387e00409fdcc3a2134faecbef59ccf55807be3759d3668ab83e3ad01530d8a9aa6b015c9c5f89b5132cf976cfe4a563cc88f4a70234ff6f7e69f09cd8fea207d34c0c5c034066f8beb04543f0ecde285ab943e916c186f965df28b10e99043b06152accf750203010001300d06092a864886f70d01010505000382010100096342ade5a3f6c95d08f2787beb8aef5000c8ebe92694cb84107e426b863857a602985a2c8f44321b978c7e4bd8e8e80f4ab9319ff69f0e6726052a99143541479afa12940be9277c7120d78d3b97192d15ffa4f3898d295ff63f93af7861e4e12e75c12cc4769519f837dcd8007a3c0f492e880916b39233df77834fb59e308c481dd884fbf1b9a0be25ff4cebef2bcdfa0b94663b28083f3ada41d06bab5ebb8a9fdc983e593748be69de8582f2538be444e4719114850e1e79dd62f5dc2589ab505baaaee3646a2334d730e22ac8810cecd231c61eb6c057d9e114069bf8516947f09ccd69ef8e5f62da10f73c6d0f33ec6ffd940716413206a4e1083187'
+);
+
+INSERT INTO certificates (
+	type, keytype, keyid, subject, data
+) VALUES (
+	1, 1,
+	X'65c7bb4351a284794e4bf3bf60f4df70dc822b21',
+	'C=CH, O=HSR, OU=IntSec, CN=sidv0150.hsr.ch',
+	X'30820503308202eba003020102020149300d06092a864886f70d01010505003045310b3009060355040613024348310c300a060355040a1303485352310f300d060355040b1306496e74536563311730150603550403130e496e745365632032303037204341301e170d3037303131363135323634385a170d3131303131353135323634385a3046310b3009060355040613024348310c300a060355040a1303485352310f300d060355040b1306496e74536563311830160603550403130f73696476303135302e6873722e636830820122300d06092a864886f70d01010105000382010f003082010a0282010100cd946c229f7d52b21da1cb5384e7dcaf6529f760534a56355efd49e87a9c6f1ddd5ff303bd7eb49c23de03adc487456f41eb5f92947bdc8ff8dbe443f8d112e0da2c98145e7c4d1cd15cddd08577f4d4f3d0a2e1da3c08c94cd819758751931e7a9724cc43d73a11b8e176a268b4cdbbf3995cb09723abc9bfc477c25e714a4661a84c078be7404d8986be55f20437e3a6b278a3cc89aec085941f1a1aafaf4b22ae146fe4684d5567dc30658a32087d01b98515070cb1653311cb6102f82a83c638c2a79985dbb9600752e9cbc272014a5c547b4ab59130c3a948658bff794b6f202cf95939ffa73b10521f05c060cecb15f8597ed95d72b9e405ee31f1b5d90203010001a381fc3081f930090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414ed90e64feca21f4b6897992422e0de21b9d6262930750603551d23046e306c80140ab8ed865c4ded8c83a7c681fafb49292d451f43a149a4473045310b3009060355040613024348310c300a060355040a1303485352310f300d060355040b1306496e74536563311730150603550403130e496e745365632032303037204341820900df8d6b00b2efccd8301a0603551d1104133011820f73696476303135302e6873722e6368302d0603551d1f042630243022a020a01e861c687474703a2f2f696e747365632e6873722e63682f6873722e63726c300d06092a864886f70d01010505000382020100a4d7ca2d8e49943102104f0b4aec0c80ab18b2499bc3ac582f1df13e34a11a664ec5ac92df47de5c6ecad1f931f7226a038e65764cc97eb01f6ff022e0745f134824316ca5912e6a648924e1932301b71e95ee00390a1de90ca8f0eb91c5cc781e22828ec1e9a4b3040c193cd5ece18acdf97d0bc0c99c04433301cfe06c29bbd15b18133266c76056cf0c184aaafd25cc4fde60cb02d12bc9f96de41521d4cd1a57d28cb4da80493e39b3f2fe2a1f52c5e787f63837f406999b40fa77928fdd9d97bdb68828a096bc98275c7d6b40c4be020a3787ac9078a8471283a7e7fa2001b65e4558eb9c13e3883d0858f6a56f1260f35edff5953a4a28e785c2f853ab29b8ccee245e7799ab372c2a6e05b75de593be238df7a6c95792d9c67bf33bbe0edbdcda48373ed1097a76324950d1dd3f5f3046b04dc150ee38c69bbd1ceb8421db05bb39f16ec309f5b97aed81b45b04da2603bb0cc8ecff96a627cb8a73d700309fd4dde266196fb51799ca46c7d885da6eee1e300b7d6a4f2c701f8ae3b061f576e8e3028070e8662c120198d8df5993c8c41f3465217ebbcdfcad0706f608c6492ffcac5a69c1e9b610e1a41534ca3f10631ddc045edeba46e35804eb43629241e036acdd701eaf8a634a05250443648bb619ae5192ea281b0ae40ac94e9e38afd14b212b0c09e4a92ca64b61ea520e828273c39a529169d09d555ccf21'
+);
+
+
+