authorMartin Willi <martin@strongswan.org>2008-04-17 15:01:57 +0000
committerMartin Willi <martin@strongswan.org>2008-04-17 15:01:57 +0000
commitb360e3933d84c5869d839ccd274fa191dc2daef0 (patch)
tree6e2d6114364b6702b142d19e85d19cb26445128b /src
parent58126dd2957ed626791ae98689106e0d661f9b25 (diff)
respecting ipsec.conf cachecrls= option
Diffstat (limited to 'src')
-rw-r--r--src/charon/daemon.c13
-rw-r--r--src/charon/plugins/stroke/stroke_cred.c21
-rw-r--r--src/charon/plugins/stroke/stroke_cred.h7
-rw-r--r--src/charon/plugins/stroke/stroke_socket.c10
-rw-r--r--src/starter/invokecharon.c10
-rw-r--r--src/starter/ipsec.conf.554
-rw-r--r--src/starter/starter.c1
-rw-r--r--src/starter/starterstroke.c13
-rw-r--r--src/starter/starterstroke.h1
-rw-r--r--src/stroke/stroke_msg.h7
10 files changed, 86 insertions, 51 deletions
diff --git a/src/charon/daemon.c b/src/charon/daemon.c
index 1f2448376..87f33480f 100644
--- a/src/charon/daemon.c
+++ b/src/charon/daemon.c
@@ -456,9 +456,6 @@ static void usage(const char *msg)
fprintf(stderr, "Usage: charon\n"
" [--help]\n"
" [--version]\n"
- " [--strictcrlpolicy]\n"
- " [--cachecrls]\n"
- " [--crlcheckinterval <interval>]\n"
" [--use-syslog]\n"
" [--debug-<type> <level>]\n"
" <type>: log context type (dmn|mgr|ike|chd|job|cfg|knl|net|enc|lib)\n"
@@ -474,8 +471,6 @@ static void usage(const char *msg)
*/
int main(int argc, char *argv[])
{
- u_int crl_check_interval = 0;
- bool cache_crls = FALSE;
bool use_syslog = FALSE;
private_daemon_t *private_charon;
@@ -512,8 +507,6 @@ int main(int argc, char *argv[])
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, 'v' },
{ "use-syslog", no_argument, NULL, 'l' },
- { "cachecrls", no_argument, NULL, 'C' },
- { "crlcheckinterval", required_argument, NULL, 'x' },
/* TODO: handle "debug-all" */
{ "debug-dmn", required_argument, &signal, DBG_DMN },
{ "debug-mgr", required_argument, &signal, DBG_MGR },
@@ -542,12 +535,6 @@ int main(int argc, char *argv[])
case 'l':
use_syslog = TRUE;
continue;
- case 'C':
- cache_crls = TRUE;
- continue;
- case 'x':
- crl_check_interval = atoi(optarg);
- continue;
case 0:
/* option is in signal */
levels[signal] = atoi(optarg);
diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
index 6ce2f8f66..38656b8c5 100644
--- a/src/charon/plugins/stroke/stroke_cred.c
+++ b/src/charon/plugins/stroke/stroke_cred.c
@@ -73,6 +73,11 @@ struct private_stroke_cred_t {
* mutex to lock lists above
*/
mutex_t *mutex;
+
+ /**
+ * cache CRLs to disk?
+ */
+ bool cachecrl;
};
/**
@@ -527,7 +532,7 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
*/
static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
{
- if (cert->get_type(cert) == CERT_X509_CRL)
+ if (cert->get_type(cert) == CERT_X509_CRL && this->cachecrl)
{
/* CRLs get cached to /etc/ipsec.d/crls/authkeyId.der */
crl_t *crl = (crl_t*)cert;
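Review bot: The new `this->cachecrl` read in the condition is not done under `this->mutex`, and the write in the new cachecrl() setter (next hunk of this file) is not either, while the field comment above says the mutex only guards the lists. If cache_cert runs on IKE worker threads and the setter on the stroke thread (plausible from the stroke_socket handler in this commit, but not visible here), that is an unsynchronized read/write of a plain bool. Since starter appears to send the flag once right after charon starts, the practical effect is at most one CRL fetched in that window not being cached, but the assumption should be recorded on the field: `/* written once from the stroke thread at startup, read by cache_cert without mutex */`. cache_cert's body continues past the hunk.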
@@ -561,6 +566,17 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
}
/**
+ * Implementation of stroke_cred_t.cachecrl.
+ */
+static void cachecrl(private_stroke_cred_t *this, bool enabled)
+{
+ DBG1(DBG_CFG, "crl caching to %s %s",
+ CRL_DIR, enabled ? "enabled" : "disabled");
+ this->cachecrl = enabled;
+}
+
+
+/**
* Convert a string of characters into a binary secret
* A string between single or double quotes is treated as ASCII characters
* A string prepended by 0x is treated as HEX and prepended by 0s as Base64
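Review bot: The new cachecrl() is followed by two empty added lines before the next doc comment, which looks inconsistent with the single blank line used between definitions elsewhere in this file (blank context lines may have been dropped in this rendering, so treat as a style nit); drop one of them. The header comment `Implementation of stroke_cred_t.cachecrl.` relies on the header for the `enabled` semantics, which is acceptable given the declaration documents it.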
@@ -912,6 +928,7 @@ stroke_cred_t *stroke_cred_create()
this->public.reread = (void(*)(stroke_cred_t*, stroke_msg_t *msg))reread;
this->public.load_ca = (certificate_t*(*)(stroke_cred_t*, char *filename))load_ca;
this->public.load_peer = (certificate_t*(*)(stroke_cred_t*, char *filename))load_peer;
+ this->public.cachecrl = (void(*)(stroke_cred_t*, bool enabled))cachecrl;
this->public.destroy = (void(*)(stroke_cred_t*))destroy;
this->certs = linked_list_create();
@@ -922,6 +939,8 @@ stroke_cred_t *stroke_cred_create()
load_certs(this);
load_secrets(this);
+ this->cachecrl = FALSE;
+
return &this->public;
}
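Review bot: `this->cachecrl = FALSE;` is assigned only after `load_certs(this)` and `load_secrets(this)` have run, so if the allocation of `this` (outside this hunk) does not zero the struct and either loader reaches cache_cert, the new `this->cachecrl` test reads an indeterminate value during startup. Move the initialization up with the other field setup so it precedes both calls: `this->cachecrl = FALSE;` before `load_certs(this);`. stroke_cred_create starts outside the hunk.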
diff --git a/src/charon/plugins/stroke/stroke_cred.h b/src/charon/plugins/stroke/stroke_cred.h
index cbfed1175..1b9ef986e 100644
--- a/src/charon/plugins/stroke/stroke_cred.h
+++ b/src/charon/plugins/stroke/stroke_cred.h
@@ -63,6 +63,13 @@ struct stroke_cred_t {
certificate_t* (*load_peer)(stroke_cred_t *this, char *filename);
/**
+ * Enable/Disable CRL caching to disk.
+ *
+ * @param enabled TRUE to enable, FALSE to disable
+ */
+ void (*cachecrl)(stroke_cred_t *this, bool enabled);
+
+ /**
* Destroy a stroke_cred instance.
*/
void (*destroy)(stroke_cred_t *this);
diff --git a/src/charon/plugins/stroke/stroke_socket.c b/src/charon/plugins/stroke/stroke_socket.c
index 9ee5a2410..03bc470ea 100644
--- a/src/charon/plugins/stroke/stroke_socket.c
+++ b/src/charon/plugins/stroke/stroke_socket.c
@@ -355,6 +355,13 @@ static void stroke_loglevel(private_stroke_socket_t *this, stroke_msg_t *msg, FI
charon->syslog->set_level(charon->syslog, signal, msg->loglevel.level);
}
+/**
+ * set various config options
+ */
+static void stroke_config(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
+{
+ this->cred->cachecrl(this->cred, msg->config.cachecrl);
+}
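Review bot: `msg->config.cachecrl` is an `int` taken straight from the socket message and handed to a `bool enabled` parameter unchanged; if the project's `bool` is an integer typedef (not visible here), a sender using any value other than 0 or 1 is stored verbatim rather than as a canonical flag. Pass `msg->config.cachecrl != 0` to normalize it at the boundary. The comment `set various config options` also promises more than the single option the handler sets, and `out` is unused; `/* apply STR_CONFIG options (currently only cachecrl) */` would describe it accurately.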
/**
* destroy a job context
@@ -448,6 +455,9 @@ static job_requeue_t process(stroke_job_context_t *ctx)
case STR_LOGLEVEL:
stroke_loglevel(this, msg, out);
break;
+ case STR_CONFIG:
+ stroke_config(this, msg, out);
+ break;
case STR_LIST:
stroke_list(this, msg, out);
break;
diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c
index d69b2ced2..23fc95655 100644
--- a/src/starter/invokecharon.c
+++ b/src/starter/invokecharon.c
@@ -118,16 +118,6 @@ starter_start_charon (starter_config_t *cfg, bool debug)
{
arg[argc++] = "--use-syslog";
}
- if (cfg->setup.cachecrls)
- {
- arg[argc++] = "--cachecrls";
- }
- if (cfg->setup.crlcheckinterval > 0)
- {
- snprintf(buffer1, BUF_LEN, "%u", cfg->setup.crlcheckinterval);
- arg[argc++] = "--crlcheckinterval";
- arg[argc++] = buffer1;
- }
{ /* parse debug string */
char *pos, *level, *buf_pos, type[4];
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
index db0ab98a3..335042fb5 100644
--- a/src/starter/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
@@ -885,7 +885,7 @@ The currently-accepted
names in a
.B config
.B setup
-section are:
+section affecting both daemons are:
.TP 14
.B cachecrls
certificate revocation lists (CRLs) fetched via http or ldap will be cached in
@@ -905,11 +905,6 @@ Accepted values are
or
.BR no .
.TP
-.B crlcheckinterval
-interval in seconds. CRL fetching is enabled if the value is greater than zero.
-Asynchronous, periodic checking for fresh CRLs is currently done by the
-IKEv1 Pluto daemon only.
-.TP
.B dumpdir
in what directory should things started by \fBipsec starter\fR
(notably the Pluto and Charon daemons) be allowed to dump core?
@@ -940,11 +935,37 @@ which reverts to
if at least one CRL URI is defined and to
.B no
if no URI is known.
+.TP
+.B uniqueids
+whether a particular participant ID should be kept unique,
+with any new (automatically keyed)
+connection using an ID from a different IP address
+deemed to replace all old ones using that ID;
+acceptable values are
+.B yes
+(the default)
+and
+.BR no .
+Participant IDs normally \fIare\fR unique,
+so a new (automatically-keyed) connection using the same ID is
+almost invariably intended to replace an old one.
+The IKEv2 daemon also accepts the value
+.B replace
+wich is identical to
+.B yes
+and the value
+.B keep
+to reject new IKE_SA setups and keep the duplicate established earlier.
.PP
The following
.B config section
parameters are used by the IKEv1 Pluto daemon only:
.TP
+.B crlcheckinterval
+interval in seconds. CRL fetching is enabled if the value is greater than zero.
+Asynchronous, periodic checking for fresh CRLs is currently done by the
+IKEv1 Pluto daemon only.
+.TP
.B keep_alive
interval in seconds between NAT keep alive packets, the default being 20 seconds.
.TP
@@ -1035,27 +1056,6 @@ Default is none.
.TP
.B virtual_private
defines private networks using a wildcard notation.
-.TP
-.B uniqueids
-whether a particular participant ID should be kept unique,
-with any new (automatically keyed)
-connection using an ID from a different IP address
-deemed to replace all old ones using that ID;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-Participant IDs normally \fIare\fR unique,
-so a new (automatically-keyed) connection using the same ID is
-almost invariably intended to replace an old one.
-The IKEv2 daemon also accepts the value
-.B replace
-wich is identical to
-.B yes
-and the value
-.B keep
-to reject new IKE_SA setups and keep the duplicate established earlier.
.PP
The following
.B config section
diff --git a/src/starter/starter.c b/src/starter/starter.c
index af55961e9..c92b2bc59 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -541,6 +541,7 @@ int main (int argc, char **argv)
/* schedule next try */
alarm(PLUTO_RESTART_DELAY);
}
+ starter_stroke_configure(cfg);
}
_action_ &= ~FLAG_ACTION_START_CHARON;
}
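Review bot: The return value of `starter_stroke_configure(cfg)` is discarded, so a failed STR_CONFIG send leaves charon with CRL caching off (its default per this commit) while ipsec.conf says `cachecrls=yes`, and nothing is logged. Check the result and report it through the file's logging helper, e.g. `if (starter_stroke_configure(cfg) != 0) { /* log: failed to send config to charon */ }`. The enclosing block starts and ends outside the hunk, so whether this is also reached on a config reload without restarting charon cannot be confirmed here.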
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index ddac5560b..1ee7ddc60 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -327,4 +327,17 @@ int starter_stroke_del_ca(starter_ca_t *ca)
return send_stroke_msg(&msg);
}
+int starter_stroke_configure(starter_config_t *cfg)
+{
+ stroke_msg_t msg;
+
+ if (cfg->setup.cachecrls)
+ {
+ msg.type = STR_CONFIG;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.config.cachecrl = 1;
+ return send_stroke_msg(&msg);
+ }
+ return 0;
+}
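Review bot: starter_stroke_configure() only sends STR_CONFIG when `cfg->setup.cachecrls` is set, so a configuration that turns caching back off is never communicated to a running charon; sending the message unconditionally with the actual value makes the daemon state follow the file. `stroke_msg_t msg;` is also left uninitialized apart from the three fields written, so if send_stroke_msg() writes `msg.length` bytes (not visible here) the remaining bytes of the message union are indeterminate stack contents on the socket; clearing the struct first avoids that (memset needs `<string.h>`, whether it is already included is not visible). The unconditional form also keeps the old caller's return semantics of 0 on success.
```c
int starter_stroke_configure(starter_config_t *cfg)
{
	stroke_msg_t msg;

	memset(&msg, 0, sizeof(msg));
	msg.type = STR_CONFIG;
	msg.length = offsetof(stroke_msg_t, buffer);
	msg.config.cachecrl = cfg->setup.cachecrls ? 1 : 0;
	return send_stroke_msg(&msg);
}
```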
diff --git a/src/starter/starterstroke.h b/src/starter/starterstroke.h
index 8d45141ac..5591d1c5a 100644
--- a/src/starter/starterstroke.h
+++ b/src/starter/starterstroke.h
@@ -25,5 +25,6 @@ extern int starter_stroke_route_conn(starter_conn_t *conn);
extern int starter_stroke_initiate_conn(starter_conn_t *conn);
extern int starter_stroke_add_ca(starter_ca_t *ca);
extern int starter_stroke_del_ca(starter_ca_t *ca);
+extern int starter_stroke_configure(starter_config_t *cfg);
#endif /* _STARTER_STROKE_H_ */
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index 068f0639f..12df24570 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -169,6 +169,8 @@ struct stroke_msg_t {
STR_DEL_CA,
/* set a log type to log/not log */
STR_LOGLEVEL,
+ /* configure global options for stroke */
+ STR_CONFIG,
/* list various objects */
STR_LIST,
/* reread various objects */
@@ -238,6 +240,11 @@ struct stroke_msg_t {
char *type;
int level;
} loglevel;
+
+ /* data for STR_CONFIG */
+ struct {
+ int cachecrl;
+ } config;
/* data for STR_LIST */
struct {