Add argument to credmgr->get_shared that specifies a peer txt message…

…, if sent. Used for eap_gtc
strongswan · Feb 17, 2021 · 9eb052c · 9eb052c
1 parent 4f6bab1
commit 9eb052c
Show file tree

Hide file tree

Showing 9 changed files with 24 additions and 15 deletions.
diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.c b/src/libcharon/plugins/eap_gtc/eap_gtc.c
@@ -96,13 +96,19 @@ METHOD(eap_method_t, initiate_server, status_t,
 METHOD(eap_method_t, process_peer, status_t,
 	private_eap_gtc_t *this, eap_payload_t *in, eap_payload_t **out)
 {
+        char msg[512];
 	eap_gtc_header_t *res;
 	shared_key_t *shared;
-	chunk_t key;
+	chunk_t key, data;
 	size_t len;
 
+        data = in->get_data(in);
+
+        memset(msg, 0, sizeof(msg));
+        memcpy(msg, data.ptr, min(sizeof(msg)-1, data.len));
+
 	shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP,
-									  this->peer, this->server);
+									  this->peer, this->server, msg);
 	if (shared == NULL)
 	{
 		DBG1(DBG_IKE, "no EAP key found for '%Y' - '%Y'",

diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -757,7 +757,7 @@ static bool get_nt_hash(private_eap_mschapv2_t *this, identification_t *me,
 	chunk_t password;
 
 	/* try to find a stored NT_HASH first */
-	shared = lib->credmgr->get_shared(lib->credmgr, SHARED_NT_HASH, me, other);
+	shared = lib->credmgr->get_shared(lib->credmgr, SHARED_NT_HASH, me, other, "");
 	if (shared )
 	{
 		*nt_hash = chunk_clone(shared->get_key(shared));
@@ -766,7 +766,7 @@ static bool get_nt_hash(private_eap_mschapv2_t *this, identification_t *me,
 	}
 
 	/* fallback to plaintext password */
-	shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, me, other);
+	shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, me, other, "");
 	if (shared)
 	{
 		password = utf8_to_utf16le(shared->get_key(shared));

diff --git a/src/libcharon/plugins/vici/vici_prompt.c b/src/libcharon/plugins/vici/vici_prompt.c
@@ -334,7 +334,7 @@ out:;
  * @return                          shared key
  */
 shared_key_t *prompt(void *data, shared_key_type_t type, identification_t *me,
-        identification_t *other)
+        identification_t *other, char *peer_message)
 {
     private_vici_prompt_t *this = data;
     bool sent = FALSE;
@@ -362,6 +362,7 @@ shared_key_t *prompt(void *data, shared_key_type_t type, identification_t *me,
     builder->add_kv(builder, "remote-identity", "%Y", other);
     builder->add_kv(builder, "local-identity", "%Y", me);
     builder->add_kv(builder, "secret-type", type == SHARED_EAP ? "password" : "PIN");
+    builder->add_kv(builder, "peer-message", "%s", peer_message);
     message = builder->finalize(builder);
 
     INIT(in_progress,

diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c
@@ -116,7 +116,7 @@ static shared_key_t *find_shared_key(identification_t *my_id, host_t *me,
 		other_id = any_id;
 	}
 	shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE,
-										  my_id, other_id);
+										  my_id, other_id, "");
 	if (!shared_key)
 	{
 		DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]",
@@ -191,7 +191,7 @@ static shared_key_t *lookup_shared_key(private_phase1_t *this,
 		if (my_id && other_id)
 		{
 			shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE,
-												  my_id, other_id);
+												  my_id, other_id, "");
 		}
 		DESTROY_IF(my_id);
 		DESTROY_IF(other_id);

diff --git a/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c
@@ -78,7 +78,7 @@ METHOD(authenticator_t, build, status_t,
 	other_id = this->ike_sa->get_other_id(this->ike_sa);
 	DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
 		 my_id, auth_method_names, AUTH_PSK);
-	key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, my_id, other_id);
+	key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, my_id, other_id, "");
 	if (!key)
 	{
 		DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);

diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -490,7 +490,7 @@ static bool get_ppk(private_ike_auth_t *this, identification_t *ppk_id)
 {
 	shared_key_t *key;
 
-	key = lib->credmgr->get_shared(lib->credmgr, SHARED_PPK, ppk_id, NULL);
+	key = lib->credmgr->get_shared(lib->credmgr, SHARED_PPK, ppk_id, NULL, "");
 	if (!key)
 	{
 		if (this->peer_cfg->ppk_required(this->peer_cfg))

diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
@@ -417,7 +417,7 @@ METHOD(credential_manager_t, create_shared_enumerator, enumerator_t*,
 
 METHOD(credential_manager_t, get_shared, shared_key_t*,
 	private_credential_manager_t *this, shared_key_type_t type,
-	identification_t *me, identification_t *other)
+	identification_t *me, identification_t *other, char *peer_message)
 {
 	shared_key_t *current, *found = NULL;
 	id_match_t best_me = ID_MATCH_NONE, best_other = ID_MATCH_NONE;
@@ -448,7 +448,7 @@ METHOD(credential_manager_t, get_shared, shared_key_t*,
             enumerator = this->prompt_callbacks->create_enumerator(this->prompt_callbacks);
             while(enumerator->enumerate(enumerator, &data))
             {
-                found = data->cb(data->data, type, me, other);
+                found = data->cb(data->data, type, me, other, peer_message);
                 if (found)
                 {
                     break;

diff --git a/src/libstrongswan/credentials/credential_manager.h b/src/libstrongswan/credentials/credential_manager.h
@@ -74,7 +74,7 @@ typedef void (*credential_hook_t)(void *data, credential_hook_type_t type,
  *                                    NULL in case of failure
  */
 typedef shared_key_t *prompt_callback_t(void *data, shared_key_type_t type, 
-            identification_t *me, identification_t *other);
+            identification_t *me, identification_t *other, char *peer_message);
 
 /**
  * Manages credentials using credential_sets.
@@ -168,7 +168,7 @@ struct credential_manager_t {
 	 * @return			shared_key_t, NULL if none found
 	 */
 	shared_key_t *(*get_shared)(credential_manager_t *this, shared_key_type_t type,
-								identification_t *me, identification_t *other);
+								identification_t *me, identification_t *other, char *peer_message);
 	/**
 	 * Get a private key to create a signature.
 	 *

diff --git a/src/swanctl/commands/prompt.c b/src/swanctl/commands/prompt.c
@@ -27,7 +27,7 @@ typedef struct vici_prompt_t vici_prompt_t;
 CALLBACK(prompt_cb, void,
 	vici_prompt_t *this, char *name, vici_res_t *msg)
 {
-        char *a, *our_identity, *their_identity, *secret_type;
+            char *a, *our_identity, *their_identity, *secret_type, *peer_message, txt[256];
         command_format_options_t format = this->format;
 	vici_req_t *req;
 	vici_res_t *res;
@@ -41,12 +41,14 @@ CALLBACK(prompt_cb, void,
         secret_type=vici_find_str(msg, "UNKNOWN", "secret-type");
         our_identity=vici_find_str(msg, "UNKNOWN", "local-identity");
         their_identity=vici_find_str(msg, "UNKNOWN", "remote-identity");
+        peer_message=vici_find_str(msg, "", "peer-message");
         vici_find_str(msg, "UNKNOWN", "secret-type");
         printf("Secret Type: %s\n", secret_type);
         printf("Their identity: %s\n", their_identity);
         printf("Our identity: %s\n", our_identity);
+        snprintf(txt, sizeof(txt), "Peer message: %s. Please enter the password.", peer_message);
         /** Read credentials; One line (password or pin) */
-        a = getpass("Please enter the secret");
+        a = getpass(txt);
         /** ? Need to convert from wide characters (UTF-16) to UTF-8 ? */
         // a = fgets(buf, sizeof(buf), stdin);
         req = vici_begin("prompt-reply");