Added a flag to register local credential sets exclusively, disabling all others
This commit is contained in:
parent
5d1677f52d
commit
747f837cce
|
@ -576,7 +576,7 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
|
||||||
pin_data.keyid = chunk;
|
pin_data.keyid = chunk;
|
||||||
pin_data.try = 1;
|
pin_data.try = 1;
|
||||||
cb = callback_cred_create_shared((void*)pin_cb, &pin_data);
|
cb = callback_cred_create_shared((void*)pin_cb, &pin_data);
|
||||||
lib->credmgr->add_local_set(lib->credmgr, &cb->set);
|
lib->credmgr->add_local_set(lib->credmgr, &cb->set, FALSE);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
@ -585,7 +585,7 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
|
||||||
id = identification_create_from_encoding(ID_KEY_ID, chunk);
|
id = identification_create_from_encoding(ID_KEY_ID, chunk);
|
||||||
mem = mem_cred_create();
|
mem = mem_cred_create();
|
||||||
mem->add_shared(mem, shared, id, NULL);
|
mem->add_shared(mem, shared, id, NULL);
|
||||||
lib->credmgr->add_local_set(lib->credmgr, &mem->set);
|
lib->credmgr->add_local_set(lib->credmgr, &mem->set, FALSE);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* unlock: smartcard needs the pin and potentially calls public set */
|
/* unlock: smartcard needs the pin and potentially calls public set */
|
||||||
|
@ -693,7 +693,7 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr,
|
||||||
pp_data.path = path;
|
pp_data.path = path;
|
||||||
pp_data.try = 1;
|
pp_data.try = 1;
|
||||||
cb = callback_cred_create_shared((void*)passphrase_cb, &pp_data);
|
cb = callback_cred_create_shared((void*)passphrase_cb, &pp_data);
|
||||||
lib->credmgr->add_local_set(lib->credmgr, &cb->set);
|
lib->credmgr->add_local_set(lib->credmgr, &cb->set, FALSE);
|
||||||
|
|
||||||
key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
|
key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
|
||||||
BUILD_FROM_FILE, path, BUILD_END);
|
BUILD_FROM_FILE, path, BUILD_END);
|
||||||
|
@ -710,7 +710,7 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr,
|
||||||
shared = shared_key_create(SHARED_PRIVATE_KEY_PASS, secret);
|
shared = shared_key_create(SHARED_PRIVATE_KEY_PASS, secret);
|
||||||
mem = mem_cred_create();
|
mem = mem_cred_create();
|
||||||
mem->add_shared(mem, shared, NULL);
|
mem->add_shared(mem, shared, NULL);
|
||||||
lib->credmgr->add_local_set(lib->credmgr, &mem->set);
|
lib->credmgr->add_local_set(lib->credmgr, &mem->set, FALSE);
|
||||||
|
|
||||||
key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
|
key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
|
||||||
BUILD_FROM_FILE, path, BUILD_END);
|
BUILD_FROM_FILE, path, BUILD_END);
|
||||||
|
|
|
@ -52,6 +52,11 @@ struct private_credential_manager_t {
|
||||||
*/
|
*/
|
||||||
thread_value_t *local_sets;
|
thread_value_t *local_sets;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Exclusive local sets, linked_list_t with credential_set_t
|
||||||
|
*/
|
||||||
|
thread_value_t *exclusive_local_sets;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* trust relationship and certificate cache
|
* trust relationship and certificate cache
|
||||||
*/
|
*/
|
||||||
|
@ -117,12 +122,23 @@ typedef struct {
|
||||||
enumerator_t *global;
|
enumerator_t *global;
|
||||||
/** enumerator over local sets */
|
/** enumerator over local sets */
|
||||||
enumerator_t *local;
|
enumerator_t *local;
|
||||||
|
/** enumerator over exclusive local sets */
|
||||||
|
enumerator_t *exclusive;
|
||||||
} sets_enumerator_t;
|
} sets_enumerator_t;
|
||||||
|
|
||||||
|
|
||||||
METHOD(enumerator_t, sets_enumerate, bool,
|
METHOD(enumerator_t, sets_enumerate, bool,
|
||||||
sets_enumerator_t *this, credential_set_t **set)
|
sets_enumerator_t *this, credential_set_t **set)
|
||||||
{
|
{
|
||||||
|
if (this->exclusive)
|
||||||
|
{
|
||||||
|
if (this->exclusive->enumerate(this->exclusive, set))
|
||||||
|
{ /* only enumerate last added */
|
||||||
|
this->exclusive->destroy(this->exclusive);
|
||||||
|
this->exclusive = NULL;
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
}
|
||||||
if (this->global)
|
if (this->global)
|
||||||
{
|
{
|
||||||
if (this->global->enumerate(this->global, set))
|
if (this->global->enumerate(this->global, set))
|
||||||
|
@ -145,6 +161,7 @@ METHOD(enumerator_t, sets_destroy, void,
|
||||||
{
|
{
|
||||||
DESTROY_IF(this->global);
|
DESTROY_IF(this->global);
|
||||||
DESTROY_IF(this->local);
|
DESTROY_IF(this->local);
|
||||||
|
DESTROY_IF(this->exclusive);
|
||||||
free(this);
|
free(this);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -154,19 +171,28 @@ METHOD(enumerator_t, sets_destroy, void,
|
||||||
static enumerator_t *create_sets_enumerator(private_credential_manager_t *this)
|
static enumerator_t *create_sets_enumerator(private_credential_manager_t *this)
|
||||||
{
|
{
|
||||||
sets_enumerator_t *enumerator;
|
sets_enumerator_t *enumerator;
|
||||||
linked_list_t *local;
|
linked_list_t *list;
|
||||||
|
|
||||||
INIT(enumerator,
|
INIT(enumerator,
|
||||||
.public = {
|
.public = {
|
||||||
.enumerate = (void*)_sets_enumerate,
|
.enumerate = (void*)_sets_enumerate,
|
||||||
.destroy = _sets_destroy,
|
.destroy = _sets_destroy,
|
||||||
},
|
},
|
||||||
.global = this->sets->create_enumerator(this->sets),
|
|
||||||
);
|
);
|
||||||
local = this->local_sets->get(this->local_sets);
|
|
||||||
if (local)
|
list = this->exclusive_local_sets->get(this->exclusive_local_sets);
|
||||||
|
if (list && list->get_count(list))
|
||||||
{
|
{
|
||||||
enumerator->local = local->create_enumerator(local);
|
enumerator->exclusive = list->create_enumerator(list);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
enumerator->global = this->sets->create_enumerator(this->sets);
|
||||||
|
list = this->local_sets->get(this->local_sets);
|
||||||
|
if (list)
|
||||||
|
{
|
||||||
|
enumerator->local = list->create_enumerator(list);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return &enumerator->public;
|
return &enumerator->public;
|
||||||
}
|
}
|
||||||
|
@ -373,29 +399,53 @@ METHOD(credential_manager_t, get_shared, shared_key_t*,
|
||||||
}
|
}
|
||||||
|
|
||||||
METHOD(credential_manager_t, add_local_set, void,
|
METHOD(credential_manager_t, add_local_set, void,
|
||||||
private_credential_manager_t *this, credential_set_t *set)
|
private_credential_manager_t *this, credential_set_t *set, bool exclusive)
|
||||||
{
|
{
|
||||||
linked_list_t *sets;
|
linked_list_t *sets;
|
||||||
|
thread_value_t *tv;
|
||||||
|
|
||||||
sets = this->local_sets->get(this->local_sets);
|
if (exclusive)
|
||||||
if (!sets)
|
{
|
||||||
{ /* first invocation */
|
tv = this->exclusive_local_sets;
|
||||||
sets = linked_list_create();
|
|
||||||
this->local_sets->set(this->local_sets, sets);
|
|
||||||
}
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
tv = this->local_sets;
|
||||||
|
}
|
||||||
|
sets = tv->get(tv);
|
||||||
|
if (!sets)
|
||||||
|
{
|
||||||
|
sets = linked_list_create();
|
||||||
|
tv->set(tv, sets);
|
||||||
|
}
|
||||||
|
if (exclusive)
|
||||||
|
{
|
||||||
|
sets->insert_first(sets, set);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
sets->insert_last(sets, set);
|
sets->insert_last(sets, set);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
METHOD(credential_manager_t, remove_local_set, void,
|
METHOD(credential_manager_t, remove_local_set, void,
|
||||||
private_credential_manager_t *this, credential_set_t *set)
|
private_credential_manager_t *this, credential_set_t *set)
|
||||||
{
|
{
|
||||||
linked_list_t *sets;
|
linked_list_t *sets;
|
||||||
|
thread_value_t *tv;
|
||||||
|
|
||||||
sets = this->local_sets->get(this->local_sets);
|
tv = this->local_sets;
|
||||||
sets->remove(sets, set, NULL);
|
sets = tv->get(tv);
|
||||||
if (sets->get_count(sets) == 0)
|
if (sets && sets->remove(sets, set, NULL) && sets->get_count(sets) == 0)
|
||||||
{
|
{
|
||||||
this->local_sets->set(this->local_sets, NULL);
|
tv->set(tv, NULL);
|
||||||
|
sets->destroy(sets);
|
||||||
|
}
|
||||||
|
tv = this->exclusive_local_sets;
|
||||||
|
sets = tv->get(tv);
|
||||||
|
if (sets && sets->remove(sets, set, NULL) && sets->get_count(sets) == 0)
|
||||||
|
{
|
||||||
|
tv->set(tv, NULL);
|
||||||
sets->destroy(sets);
|
sets->destroy(sets);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -864,7 +914,7 @@ METHOD(credential_manager_t, create_public_enumerator, enumerator_t*,
|
||||||
if (auth)
|
if (auth)
|
||||||
{
|
{
|
||||||
enumerator->wrapper = auth_cfg_wrapper_create(auth);
|
enumerator->wrapper = auth_cfg_wrapper_create(auth);
|
||||||
add_local_set(this, &enumerator->wrapper->set);
|
add_local_set(this, &enumerator->wrapper->set, FALSE);
|
||||||
}
|
}
|
||||||
this->lock->read_lock(this->lock);
|
this->lock->read_lock(this->lock);
|
||||||
return &enumerator->public;
|
return &enumerator->public;
|
||||||
|
@ -1105,6 +1155,7 @@ METHOD(credential_manager_t, destroy, void,
|
||||||
this->sets->remove(this->sets, this->cache, NULL);
|
this->sets->remove(this->sets, this->cache, NULL);
|
||||||
this->sets->destroy(this->sets);
|
this->sets->destroy(this->sets);
|
||||||
this->local_sets->destroy(this->local_sets);
|
this->local_sets->destroy(this->local_sets);
|
||||||
|
this->exclusive_local_sets->destroy(this->exclusive_local_sets);
|
||||||
this->cache->destroy(this->cache);
|
this->cache->destroy(this->cache);
|
||||||
this->validators->destroy(this->validators);
|
this->validators->destroy(this->validators);
|
||||||
this->lock->destroy(this->lock);
|
this->lock->destroy(this->lock);
|
||||||
|
@ -1149,6 +1200,7 @@ credential_manager_t *credential_manager_create()
|
||||||
);
|
);
|
||||||
|
|
||||||
this->local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
|
this->local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
|
||||||
|
this->exclusive_local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
|
||||||
this->sets->insert_first(this->sets, this->cache);
|
this->sets->insert_first(this->sets, this->cache);
|
||||||
|
|
||||||
return &this->public;
|
return &this->public;
|
||||||
|
|
|
@ -230,10 +230,14 @@ struct credential_manager_t {
|
||||||
* operation, sets may be added for the calling thread only. This
|
* operation, sets may be added for the calling thread only. This
|
||||||
* does not require a write lock and is therefore a much less expensive
|
* does not require a write lock and is therefore a much less expensive
|
||||||
* operation.
|
* operation.
|
||||||
|
* The exclusive option allows to disable all other credential sets
|
||||||
|
* until the set is deregistered.
|
||||||
*
|
*
|
||||||
* @param set set to register
|
* @param set set to register
|
||||||
|
* @param exclusive TRUE to disable all other sets for this thread
|
||||||
*/
|
*/
|
||||||
void (*add_local_set)(credential_manager_t *this, credential_set_t *set);
|
void (*add_local_set)(credential_manager_t *this, credential_set_t *set,
|
||||||
|
bool exclusive);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Unregister a thread local credential set from the manager.
|
* Unregister a thread local credential set from the manager.
|
||||||
|
|
|
@ -103,7 +103,7 @@ static bool verify_ocsp(ocsp_response_t *response, auth_cfg_t *auth)
|
||||||
bool verified = FALSE;
|
bool verified = FALSE;
|
||||||
|
|
||||||
wrapper = ocsp_response_wrapper_create((ocsp_response_t*)response);
|
wrapper = ocsp_response_wrapper_create((ocsp_response_t*)response);
|
||||||
lib->credmgr->add_local_set(lib->credmgr, &wrapper->set);
|
lib->credmgr->add_local_set(lib->credmgr, &wrapper->set, FALSE);
|
||||||
|
|
||||||
subject = &response->certificate;
|
subject = &response->certificate;
|
||||||
responder = subject->get_issuer(subject);
|
responder = subject->get_issuer(subject);
|
||||||
|
|
|
@ -621,7 +621,7 @@ static private_key_t* load_private_key(char* filename, prompt_pass_t *pass,
|
||||||
callback_cred_t *cb;
|
callback_cred_t *cb;
|
||||||
|
|
||||||
cb = callback_cred_create_shared((void*)whack_pass_cb, pass);
|
cb = callback_cred_create_shared((void*)whack_pass_cb, pass);
|
||||||
lib->credmgr->add_local_set(lib->credmgr, &cb->set);
|
lib->credmgr->add_local_set(lib->credmgr, &cb->set, FALSE);
|
||||||
|
|
||||||
key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
|
key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
|
||||||
BUILD_FROM_FILE, path, BUILD_END);
|
BUILD_FROM_FILE, path, BUILD_END);
|
||||||
|
@ -638,7 +638,7 @@ static private_key_t* load_private_key(char* filename, prompt_pass_t *pass,
|
||||||
shared_key_t *shared;
|
shared_key_t *shared;
|
||||||
|
|
||||||
mem = mem_cred_create();
|
mem = mem_cred_create();
|
||||||
lib->credmgr->add_local_set(lib->credmgr, &mem->set);
|
lib->credmgr->add_local_set(lib->credmgr, &mem->set, FALSE);
|
||||||
shared = shared_key_create(SHARED_PRIVATE_KEY_PASS,
|
shared = shared_key_create(SHARED_PRIVATE_KEY_PASS,
|
||||||
chunk_clone(chunk_create(pass->secret, strlen(pass->secret))));
|
chunk_clone(chunk_create(pass->secret, strlen(pass->secret))));
|
||||||
mem->add_shared(mem, shared, NULL);
|
mem->add_shared(mem, shared, NULL);
|
||||||
|
|
Loading…
Reference in New Issue