authorAndreas Steffen <andreas.steffen@strongswan.org>2009-04-29 08:09:35 +0000
committerAndreas Steffen <andreas.steffen@strongswan.org>2009-04-29 08:09:35 +0000
commite67197a7f9c55fde4f9342d4a96ef2800241e0e3 (patch)
treeaf09f999a2ec7fddb98c3e5b04a6d5fff9588ec9 /src/scepclient
parent82f0707fa383a4f3edf3545c5e823ff4dc6363e7 (diff)
downloadstrongswan-e67197a7f9c55fde4f9342d4a96ef2800241e0e3.tar.bz2
strongswan-e67197a7f9c55fde4f9342d4a96ef2800241e0e3.tar.xz
pluto and scepclient use the curl and ldap fetcher plugins
Diffstat (limited to 'src/scepclient')
-rw-r--r--src/scepclient/Makefile.am12
-rw-r--r--src/scepclient/scep.c163
-rw-r--r--src/scepclient/scep.h2
-rw-r--r--src/scepclient/scepclient.c29
4 files changed, 71 insertions, 135 deletions
diff --git a/src/scepclient/Makefile.am b/src/scepclient/Makefile.am
index 2661bc318..f12e6e0f2 100644
--- a/src/scepclient/Makefile.am
+++ b/src/scepclient/Makefile.am
@@ -18,6 +18,7 @@ INCLUDES = \
AM_CFLAGS = \
-DIPSEC_CONFDIR=\"${confdir}\" \
-DIPSEC_PLUGINDIR=\"${plugindir}\" \
+-DPLUGINS=\""${pluto_plugins}\"" \
-DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
-DDEBUG -DNO_PLUTO
@@ -34,23 +35,12 @@ $(LIBFREESWANBUILDDIR)/libfreeswan.a \
$(LIBCRYPTOBUILDDIR)/libcrypto.a \
-lgmp
-# This compile option activates the memory leak detective
-if USE_LEAK_DETECTIVE
- AM_CFLAGS += -DLEAK_DETECTIVE
-endif
-
# This compile option activates smartcard support
if USE_SMARTCARD
AM_CFLAGS += -DSMARTCARD
scepclient_LDADD += -ldl
endif
-# This compile option activates dynamic URL fetching using libcurl
-if USE_CURL
- AM_CFLAGS += -DLIBCURL
- scepclient_LDADD += -lcurl
-endif
-
dist_man_MANS = scepclient.8
ca.o : $(PLUTODIR)/ca.c $(PLUTODIR)/ca.h
diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c
index f880fe734..84292975d 100644
--- a/src/scepclient/scep.c
+++ b/src/scepclient/scep.c
@@ -25,14 +25,11 @@
#include <freeswan.h>
+#include <library.h>
#include <asn1/asn1.h>
#include <asn1/asn1_parser.h>
#include <asn1/oid.h>
-#ifdef LIBCURL
-#include <curl/curl.h>
-#endif
-
#include "../pluto/constants.h"
#include "../pluto/defs.h"
#include "../pluto/rnd.h"
@@ -264,11 +261,11 @@ end:
return success;
}
-/* generates a unique fingerprint of the pkcs10 request
+/**
+ * Generates a unique fingerprint of the pkcs10 request
* by computing an MD5 hash over it
*/
-void
-scep_generate_pkcs10_fingerprint(chunk_t pkcs10, chunk_t *fingerprint)
+void scep_generate_pkcs10_fingerprint(chunk_t pkcs10, chunk_t *fingerprint)
{
char buf[MD5_DIGEST_SIZE];
chunk_t digest = { buf, sizeof(buf) };
@@ -280,12 +277,12 @@ scep_generate_pkcs10_fingerprint(chunk_t pkcs10, chunk_t *fingerprint)
datatot(digest.ptr, digest.len, 16, fingerprint->ptr, fingerprint->len + 1);
}
-/* generate a transaction id as the MD5 hash of an public key
+/**
+ * Generate a transaction id as the MD5 hash of an public key
* the transaction id is also used as a unique serial number
*/
-void
-scep_generate_transaction_id(const RSA_public_key_t *rsak
-, chunk_t *transID, chunk_t *serialNumber)
+void scep_generate_transaction_id(const RSA_public_key_t *rsak,
+ chunk_t *transID, chunk_t *serialNumber)
{
char buf[MD5_DIGEST_SIZE];
@@ -319,11 +316,10 @@ scep_generate_transaction_id(const RSA_public_key_t *rsak
datatot(digest.ptr, digest.len, 16, transID->ptr, transID->len + 1);
}
-/*
- * builds a transId attribute
+/**
+ * Builds a transId attribute
*/
-chunk_t
-scep_transId_attribute(chunk_t transID)
+chunk_t scep_transId_attribute(chunk_t transID)
{
return asn1_wrap(ASN1_SEQUENCE, "cm"
, ASN1_transId_oid
@@ -333,11 +329,10 @@ scep_transId_attribute(chunk_t transID)
);
}
-/*
- * builds a messageType attribute
+/**
+ * Builds a messageType attribute
*/
-chunk_t
-scep_messageType_attribute(scep_msg_t m)
+chunk_t scep_messageType_attribute(scep_msg_t m)
{
chunk_t msgType = {
(u_char*)msgType_values[m],
@@ -352,11 +347,10 @@ scep_messageType_attribute(scep_msg_t m)
);
}
-/*
- * builds a senderNonce attribute
+/**
+ * Builds a senderNonce attribute
*/
-chunk_t
-scep_senderNonce_attribute(void)
+chunk_t scep_senderNonce_attribute(void)
{
const size_t nonce_len = 16;
u_char nonce_buf[nonce_len];
@@ -372,14 +366,13 @@ scep_senderNonce_attribute(void)
);
}
-/*
- * builds a pkcs7 enveloped and signed scep request
+/**
+ * Builds a pkcs7 enveloped and signed scep request
*/
-chunk_t
-scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg
-, const x509cert_t *enc_cert, int enc_alg
-, const x509cert_t *signer_cert, int digest_alg
-, const RSA_private_key_t *private_key)
+chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
+ const x509cert_t *enc_cert, int enc_alg,
+ const x509cert_t *signer_cert, int digest_alg,
+ const RSA_private_key_t *private_key)
{
chunk_t envelopedData, attributes, request;
@@ -400,12 +393,11 @@ scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg
return request;
}
-#ifdef LIBCURL
-/* converts a binary request to base64 with 64 characters per line
+/**
+ * Converts a binary request to base64 with 64 characters per line
* newline and '+' characters are escaped by %0A and %2B, respectively
*/
-static char*
-escape_http_request(chunk_t req)
+static char* escape_http_request(chunk_t req)
{
char *escaped_req = NULL;
char *p1, *p2;
@@ -460,70 +452,58 @@ escape_http_request(chunk_t req)
free(encoded_req);
return escaped_req;
}
-#endif
-/*
- * send a SCEP request via HTTP and wait for a response
+/**
+ * Send a SCEP request via HTTP and wait for a response
*/
-bool
-scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op
-, fetch_request_t req_type, chunk_t *response)
+bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
+ bool http_get_request, chunk_t *response)
{
-#ifdef LIBCURL
- char errorbuffer[CURL_ERROR_SIZE] = "";
+ int len;
+ status_t status;
char *complete_url = NULL;
- struct curl_slist *headers = NULL;
- CURL *curl;
- CURLcode res;
/* initialize response */
*response = chunk_empty;
- /* initialize curl context */
- curl = curl_easy_init();
- if (curl == NULL)
- {
- plog("could not initialize curl context");
- return FALSE;
- }
+ DBG(DBG_CONTROL,
+ DBG_log("sending scep request to '%s'", url)
+ )
if (op == SCEP_PKI_OPERATION)
{
const char operation[] = "PKIOperation";
- if (req_type == FETCH_GET)
+ if (http_get_request)
{
char *escaped_req = escape_http_request(pkcs7);
/* form complete url */
- int len = strlen(url) + 20 + strlen(operation) + strlen(escaped_req) + 1;
-
+ len = strlen(url) + 20 + strlen(operation) + strlen(escaped_req) + 1;
complete_url = malloc(len);
snprintf(complete_url, len, "%s?operation=%s&message=%s"
, url, operation, escaped_req);
free(escaped_req);
- curl_easy_setopt(curl, CURLOPT_HTTPGET, TRUE);
- headers = curl_slist_append(headers, "Pragma:");
- headers = curl_slist_append(headers, "Host:");
- headers = curl_slist_append(headers, "Accept:");
- curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
- curl_easy_setopt(curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);
+ status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
+ FETCH_HTTP_VERSION_1_0,
+ FETCH_REQUEST_HEADER, "Pragma:",
+ FETCH_REQUEST_HEADER, "Host:",
+ FETCH_REQUEST_HEADER, "Accept:",
+ FETCH_END);
}
else /* HTTP_POST */
{
/* form complete url */
- int len = strlen(url) + 11 + strlen(operation) + 1;
-
+ len = strlen(url) + 11 + strlen(operation) + 1;
complete_url = malloc(len);
snprintf(complete_url, len, "%s?operation=%s", url, operation);
- curl_easy_setopt(curl, CURLOPT_HTTPGET, FALSE);
- headers = curl_slist_append(headers, "Content-Type:");
- headers = curl_slist_append(headers, "Expect:");
- curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
- curl_easy_setopt(curl, CURLOPT_POSTFIELDS, (char*)pkcs7.ptr);
- curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, pkcs7.len);
+ status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
+ FETCH_REQUEST_DATA, pkcs7,
+ FETCH_REQUEST_TYPE, "",
+ FETCH_REQUEST_HEADER, "Expect:",
+ FETCH_END);
}
}
else /* SCEP_GET_CA_CERT */
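Review bot: In the POST branch the curl code's explicit suppression of the Content-Type header (`headers = curl_slist_append(headers, "Content-Type:")`) becomes `FETCH_REQUEST_TYPE, ""`, and it is not visible here whether the fetcher plugin omits the header for an empty type or emits an empty `Content-Type:` line; a one-line comment stating the intent, e.g. `/* empty type: send no Content-Type header, as the curl code did */`, would stop the next reader from "fixing" it. The GET branch still passes the result of `escape_http_request(pkcs7)` straight to strlen() and snprintf(); the helper begins with `char *escaped_req = NULL;` in the previous hunk and its body is outside the diff, so if it can return NULL on allocation failure this path dereferences it, and `malloc(len)` on the next line is likewise unchecked. scep_http_request continues in the next hunk.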
@@ -531,54 +511,21 @@ scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op
const char operation[] = "GetCACert";
/* form complete url */
- int len = strlen(url) + 32 + strlen(operation) + 1;
-
+ len = strlen(url) + 32 + strlen(operation) + 1;
complete_url = malloc(len);
snprintf(complete_url, len, "%s?operation=%s&message=CAIdentifier"
, url, operation);
- curl_easy_setopt(curl, CURLOPT_HTTPGET, TRUE);
+ status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
+ FETCH_END);
}
- curl_easy_setopt(curl, CURLOPT_URL, complete_url);
- curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_buffer);
- curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)response);
- curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errorbuffer);
- curl_easy_setopt(curl, CURLOPT_FAILONERROR, TRUE);
- curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, FETCH_CMD_TIMEOUT);
-
- DBG(DBG_CONTROL,
- DBG_log("sending scep request to '%s'", url)
- )
- res = curl_easy_perform(curl);
-
- if (res == CURLE_OK)
- {
- DBG(DBG_CONTROL,
- DBG_log("received scep response")
- )
- DBG(DBG_RAW,
- DBG_dump_chunk("SCEP response:\n", *response)
- )
- }
- else
- {
- plog("failed to fetch scep response from '%s': %s", url, errorbuffer);
- }
- curl_slist_free_all(headers);
- curl_easy_cleanup(curl);
free(complete_url);
-
- return (res == CURLE_OK);
-#else /* !LIBCURL */
- plog("scep error: pluto wasn't compiled with libcurl support");
- return FALSE;
-#endif /* !LIBCURL */
+ return (status == SUCCESS);
}
-err_t
-scep_parse_response(chunk_t response, chunk_t transID, contentInfo_t *data
-, scep_attributes_t *attrs, x509cert_t *signer_cert)
+err_t scep_parse_response(chunk_t response, chunk_t transID, contentInfo_t *data,
+ scep_attributes_t *attrs, x509cert_t *signer_cert)
{
chunk_t attributes;
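Review bot: The rewritten tail of scep_http_request drops two things the curl path had: the connect timeout (`CURLOPT_CONNECTTIMEOUT, FETCH_CMD_TIMEOUT`) and the failure log (`plog("failed to fetch scep response from '%s': %s", url, errorbuffer)`), so an unreachable server now blocks scepclient without a bound and a failed fetch reaches the caller only as FALSE, which scepclient.c turns into the generic "did not receive a valid scep response". Keep the URL in the error path, e.g. `if (status != SUCCESS) { plog("failed to fetch scep response from '%s'", url); }` before the return, and if this tree's fetcher interface exposes a timeout option (later fetcher.h versions have `FETCH_TIMEOUT`; confirm here), pass FETCH_CMD_TIMEOUT through it in all three fetch calls of the previous hunk. The DBG_RAW dump of the response was also removed; restoring `DBG(DBG_RAW, DBG_dump_chunk("SCEP response:\n", *response))` on success keeps the only aid for diagnosing a malformed server reply. The body of scep_http_request begins in the previous hunk.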
diff --git a/src/scepclient/scep.h b/src/scepclient/scep.h
index 0586a29cb..2a11a246e 100644
--- a/src/scepclient/scep.h
+++ b/src/scepclient/scep.h
@@ -86,7 +86,7 @@ extern chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg
, const x509cert_t *signer_cert, int digest_alg
, const RSA_private_key_t *private_key);
extern bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op
- , fetch_request_t request_type, chunk_t *response);
+ , bool http_get_request, chunk_t *response);
extern err_t scep_parse_response(chunk_t response, chunk_t transID
, contentInfo_t *data, scep_attributes_t *attrs, x509cert_t *signer_cert);
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 9c352c2ca..ae57de1c0 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -48,7 +48,6 @@
#include "../pluto/pkcs1.h"
#include "../pluto/pkcs7.h"
#include "../pluto/certs.h"
-#include "../pluto/fetch.h"
#include "../pluto/rnd.h"
#include "rsakey.h"
@@ -355,17 +354,17 @@ int main(int argc, char **argv)
/* symmetric encryption algorithm used by pkcs7, default is 3DES */
int pkcs7_symmetric_cipher = OID_3DES_EDE_CBC;
- /* digest algorithm used by pkcs7, default is MD5 */
- int pkcs7_digest_alg = OID_MD5;
+ /* digest algorithm used by pkcs7, default is SHA-1 */
+ int pkcs7_digest_alg = OID_SHA1;
- /* signature algorithm used by pkcs10, default is MD5 with RSA encryption */
- int pkcs10_signature_alg = OID_MD5;
+ /* signature algorithm used by pkcs10, default is SHA-1 with RSA encryption */
+ int pkcs10_signature_alg = OID_SHA1;
/* URL of the SCEP-Server */
char *scep_url = NULL;
/* http request method, default is GET */
- fetch_request_t request_type = FETCH_GET;
+ bool http_get_request = TRUE;
/* poll interval time in manual mode in seconds */
u_int poll_interval = DEFAULT_POLL_INTERVAL;
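Review bot: Changing the pkcs7 digest and pkcs10 signature defaults from OID_MD5 to OID_SHA1 is a user-visible behaviour change unrelated to the fetcher work, and neither the commit message ("pluto and scepclient use the curl and ldap fetcher plugins") nor the diffstat reflects it; scepclient.8, which the Makefile installs as the man page, is not among the four files touched. The move itself is sound, since MD5 is no longer acceptable as a signature digest, so it deserves its own commit or at least a sentence in the message, plus an update to the man page wherever it still states MD5 as the default. main() continues outside this hunk.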
@@ -669,13 +668,13 @@ int main(int argc, char **argv)
continue;
case 'm': /* --method */
- if (strcaseeq("post", optarg))
+ if (strcaseeq("get", optarg))
{
- request_type = FETCH_POST;
+ http_get_request = TRUE;
}
- else if (strcaseeq("get", optarg))
+ else if (strcaseeq("post", optarg))
{
- request_type = FETCH_GET;
+ http_get_request = FALSE;
}
else
{
@@ -745,7 +744,7 @@ int main(int argc, char **argv)
/* load plugins, further infrastructure may need it */
lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
- lib->settings->get_str(lib->settings, "scepclient.load", ""));
+ lib->settings->get_str(lib->settings, "scepclient.load", PLUGINS));
print_plugins();
init_rnd_pool();
@@ -1006,8 +1005,8 @@ int main(int argc, char **argv)
exit_scepclient("could not load signature cacert file '%s'", path);
x509_ca_sig = cert.u.x509;
- if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION
- , request_type, &scep_response))
+ if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION,
+ http_get_request, &scep_response))
{
exit_scepclient("did not receive a valid scep response");
}
@@ -1053,8 +1052,8 @@ int main(int argc, char **argv)
, x509_ca_enc, pkcs7_symmetric_cipher
, x509_signer, pkcs7_digest_alg, private_key);
- if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION
- , request_type, &scep_response))
+ if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION,
+ http_get_request, &scep_response))
{
exit_scepclient("did not receive a valid scep response");
}