-rw-r--r--src/charon/Makefile.am4
-rw-r--r--src/charon/config/connections/connection.c53
-rw-r--r--src/charon/config/connections/connection.h70
-rwxr-xr-xsrc/charon/config/credentials/credential_store.h9
-rw-r--r--src/charon/config/credentials/local_credential_store.c (renamed from src/charon/config/credentials/credential_store.c)124
-rw-r--r--src/charon/config/credentials/local_credential_store.h64
-rw-r--r--src/charon/daemon.c9
-rw-r--r--src/charon/daemon.h1
-rw-r--r--src/charon/testing/connection_test.c5
-rwxr-xr-xsrc/charon/threads/stroke_interface.c5
-rw-r--r--src/libstrongswan/types.h13
-rw-r--r--src/stroke/stroke.c4
-rw-r--r--src/stroke/stroke.h58
13 files changed, 299 insertions, 120 deletions
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am
index ab0e8022b..6bf2c0406 100644
--- a/src/charon/Makefile.am
+++ b/src/charon/Makefile.am
@@ -6,8 +6,8 @@ config/connections/connection.c config/connections/connection.h \
config/connections/local_connection_store.c config/connections/local_connection_store.h config/connections/connection_store.h \
config/policies/policy.c config/policies/policy.h \
config/policies/local_policy_store.c config/policies/policy_store.h config/policies/local_policy_store.h \
-config/credentials/credential_store.c config/credentials/credential_store.h \
-config/traffic_selector.c config/traffic_selector.h \
+config/credentials/local_credential_store.c config/credentials/local_credential_store.h \
+config/credentials/credential_store.h config/traffic_selector.c config/traffic_selector.h \
config/proposal.c config/proposal.h config/configuration.c config/configuration.h \
sa/states/state.c sa/states/state.h sa/states/ike_sa_init_requested.c sa/states/ike_sa_init_requested.h \
sa/states/ike_sa_init_responded.c sa/states/ike_sa_established.c sa/states/ike_sa_established.h \
diff --git a/src/charon/config/connections/connection.c b/src/charon/config/connections/connection.c
index a938d8b64..243c89633 100644
--- a/src/charon/config/connections/connection.c
+++ b/src/charon/config/connections/connection.c
@@ -37,6 +37,15 @@ mapping_t auth_method_m[] = {
{MAPPING_END, NULL}
};
+/**
+ * String mappings for cert_policy_t.
+ */
+mapping_t cert_policy_m[] = {
+ {CERT_ALWAYS_SEND, "CERT_ALWAYS_SEND"},
+ {CERT_SEND_IF_ASKED, "CERT_SEND_IF_ASKED"},
+ {CERT_NEVER_SEND, "CERT_NEVER_SEND"},
+ {MAPPING_END, NULL}
+};
typedef struct private_connection_t private_connection_t;
@@ -59,6 +68,21 @@ struct private_connection_t {
* Does charon handle this connection? Or can he ignore it?
*/
bool ikev2;
+
+ /**
+ * should we send a certificate request?
+ */
+ cert_policy_t cert_req_policy;
+
+ /**
+ * should we send a certificates?
+ */
+ cert_policy_t cert_policy;
+
+ /**
+ * ID of us
+ */
+ identification_t *my_id;
/**
* Host information of my host.
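Review bot: The new `identification_t *my_id` member is never initialized, cloned or destroyed anywhere in this diff; the assignments added later in connection_create (`this->cert_policy = cert_policy;`, `this->cert_req_policy = cert_req_policy;`) cover only the two policy fields, and the clone() hunk passes no id either, so unless malloc_thing zeroes the allocation (not visible here) the pointer is indeterminate. Either leave the field out until it is wired through, or add `this->my_id = NULL;` next to the other private-variable assignments and handle it in clone and destroy. While touching the comment block, `should we send a certificates?` should read `should we send a certificate?`. The struct definition starts before this hunk.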
@@ -98,6 +122,22 @@ static bool is_ikev2 (private_connection_t *this)
}
/**
+ * Implementation of connection_t.get_cert_req_policy.
+ */
+static cert_policy_t get_cert_req_policy (private_connection_t *this)
+{
+ return this->cert_req_policy;
+}
+
+/**
+ * Implementation of connection_t.get_cert_policy.
+ */
+static cert_policy_t get_cert_policy (private_connection_t *this)
+{
+ return this->cert_policy;
+}
+
+/**
* Implementation of connection_t.get_my_host.
*/
static host_t *get_my_host (private_connection_t *this)
@@ -254,8 +294,8 @@ static connection_t *clone(private_connection_t *this)
iterator_t *iterator;
proposal_t *proposal;
private_connection_t *clone = (private_connection_t*)connection_create(
- this->name,
- this->ikev2,
+ this->name, this->ikev2,
+ this->cert_policy, this->cert_req_policy,
this->my_host->clone(this->my_host),
this->other_host->clone(this->other_host),
this->auth_method);
@@ -295,13 +335,18 @@ static void destroy(private_connection_t *this)
/**
* Described in header.
*/
-connection_t * connection_create(char *name, bool ikev2, host_t *my_host, host_t *other_host, auth_method_t auth_method)
+connection_t * connection_create(char *name, bool ikev2,
+ cert_policy_t cert_policy, cert_policy_t cert_req_policy,
+ host_t *my_host, host_t *other_host,
+ auth_method_t auth_method)
{
private_connection_t *this = malloc_thing(private_connection_t);
/* public functions */
this->public.get_name = (char*(*)(connection_t*))get_name;
this->public.is_ikev2 = (bool(*)(connection_t*))is_ikev2;
+ this->public.get_cert_policy = (cert_policy_t(*)(connection_t*))get_cert_policy;
+ this->public.get_cert_req_policy = (cert_policy_t(*)(connection_t*))get_cert_req_policy;
this->public.get_my_host = (host_t*(*)(connection_t*))get_my_host;
this->public.update_my_host = (void(*)(connection_t*,host_t*))update_my_host;
this->public.update_other_host = (void(*)(connection_t*,host_t*))update_other_host;
@@ -318,6 +363,8 @@ connection_t * connection_create(char *name, bool ikev2, host_t *my_host, host_t
/* private variables */
this->name = strdup(name);
this->ikev2 = ikev2;
+ this->cert_policy = cert_policy;
+ this->cert_req_policy = cert_req_policy;
this->my_host = my_host;
this->other_host = other_host;
this->auth_method = auth_method;
diff --git a/src/charon/config/connections/connection.h b/src/charon/config/connections/connection.h
index 523574632..50563da4e 100644
--- a/src/charon/config/connections/connection.h
+++ b/src/charon/config/connections/connection.h
@@ -67,6 +67,36 @@ enum auth_method_t {
extern mapping_t auth_method_m[];
+typedef enum cert_policy_t cert_policy_t;
+
+/**
+ * Certificate sending policy. This is also used for certificate
+ * requests when using this definition for the other peer. If
+ * it is CERT_NEVER_SEND, a certreq is ommited, otherwise its
+ * included.
+ *
+ * @ingroup config
+ *
+ * @warning These definitions must be the same as in pluto/starter,
+ * as they are sent over the stroke socket.
+ */
+enum cert_policy_t {
+ /** always send certificates, even when not requested */
+ CERT_ALWAYS_SEND = 0,
+ /** send certificate upon cert request */
+ CERT_SEND_IF_ASKED = 1,
+ /** never send a certificate, even when requested */
+ CERT_NEVER_SEND = 2,
+};
+
+/**
+ * string mappings for certpolicy_t.
+ *
+ * @ingroup config
+ */
+extern mapping_t cert_policy_m[];
+
+
typedef struct connection_t connection_t;
/**
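Review bot: The mapping comment `string mappings for certpolicy_t.` names the enum that this commit removes from types.h; it should read `string mappings for cert_policy_t.`. In the enum description, `a certreq is ommited, otherwise its included` should read `a certreq is omitted, otherwise it is included`. The @warning that the values must match what is sent over the stroke socket now rests entirely on stroke.h's untyped `int sendcert`, so it is worth stating the numeric values 0, 1, 2 in that warning as well.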
@@ -189,6 +219,28 @@ struct connection_t {
bool (*is_ikev2) (connection_t *this);
/**
+ * @brief Should be sent a certificate request for this connection?
+ *
+ * A certificate request contains serials of our trusted CA certificates.
+ * This flag says if such a request is sent on connection setup to
+ * the peer. It should be ommited when CERT_SEND_NEVER, sended otherwise.
+ *
+ * @param this calling object
+ * @return - TRUE, if certificate request should be sent
+ */
+ cert_policy_t (*get_cert_req_policy) (connection_t *this);
+
+ /**
+ * @brief Should be sent a certificate for this connection?
+ *
+ * Return the policy used to send the certificate.
+ *
+ * @param this calling object
+ * @return certificate sending policy
+ */
+ cert_policy_t (*get_cert_policy) (connection_t *this);
+
+ /**
* @brief Get the DH group to use for connection initialization.
*
* @param this calling object
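Review bot: The doc line `@return - TRUE, if certificate request should be sent` describes a boolean, but get_cert_req_policy returns a cert_policy_t; change it to `@return certificate request sending policy`. The same comment refers to `CERT_SEND_NEVER`, which does not exist (the constant declared above is `CERT_NEVER_SEND`), and `ommited ... sended otherwise` should read `omitted ... sent otherwise`. The `@brief Should be sent a certificate request` / `Should be sent a certificate` phrasing would read more naturally as `Should a certificate request be sent for this connection?`.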
@@ -230,17 +282,19 @@ struct connection_t {
* do not modify or destroy them after a call to
* connection_create(). Name gets cloned internally.
*
- * @param name connection identifier
- * @param ikev2 TRUE if this is an IKEv2 connection
- * @param my_host host_t representing local address
- * @param other_host host_t representing remote address
- * @param auth_method Authentication method to use for our(!) auth data
- * @return connection_t object.
+ * @param name connection identifier
+ * @param ikev2 TRUE if this is an IKEv2 connection
+ * @param cert_policy certificate send policy
+ * @param cert_req_policy certificate request send policy
+ * @param my_host host_t representing local address
+ * @param other_host host_t representing remote address
+ * @param auth_method Authentication method to use for our(!) auth data
+ * @return connection_t object.
*
* @ingroup config
*/
-connection_t * connection_create(char *name,
- bool ikev2,
+connection_t * connection_create(char *name, bool ikev2,
+ cert_policy_t cert_pol, cert_policy_t req_pol,
host_t *my_host, host_t *other_host,
auth_method_t auth_method);
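Review bot: The prototype names the new parameters `cert_pol` and `req_pol`, while the @param block directly above documents `cert_policy` and `cert_req_policy` and the definition in connection.c uses those same names; Doxygen will report the mismatch and readers have to guess which is which. Use the documented names in the prototype: `cert_policy_t cert_policy, cert_policy_t cert_req_policy,`.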
diff --git a/src/charon/config/credentials/credential_store.h b/src/charon/config/credentials/credential_store.h
index 4b6623d7c..302eefedc 100755
--- a/src/charon/config/credentials/credential_store.h
+++ b/src/charon/config/credentials/credential_store.h
@@ -108,6 +108,7 @@ struct credential_store_t {
* @return pointer to the added or already existing certificate
*/
x509_t* (*add_ca_certificate) (credential_store_t *this, x509_t *cert);
+
/**
* @brief Lists all certificates kept in the local credential store.
*
@@ -143,7 +144,7 @@ struct credential_store_t {
* @param this calling object
* @param path directory to load certificates from
*/
- void (*load_ca_certificates) (credential_store_t *this, const char *path);
+ void (*load_ca_certificates) (credential_store_t *this);
/**
* @brief Loads CRLs from a default directory.
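Review bot: The `path` parameter is removed from load_ca_certificates, but the `@param path directory to load certificates from` line just above the changed prototype is left in place and now documents a parameter that no longer exists; the next hunk (load_crls) has the same stale `@param path directory to load crls from`. The load_private_keys hunk further down removes its @param lines correctly, so do the same in these two, and consider noting in the @brief which compile-time directory (CA_CERTIFICATE_DIR / CRL_DIR) is used now that callers can no longer choose.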
@@ -153,7 +154,7 @@ struct credential_store_t {
* @param this calling object
* @param path directory to load crls from
*/
- void (*load_crls) (credential_store_t *this, const char *path);
+ void (*load_crls) (credential_store_t *this);
/**
* @brief Loads RSA private keys defined in ipsec.secrets
@@ -163,10 +164,8 @@ struct credential_store_t {
* key must already be loaded to get the ID from.
*
* @param this calling object
- * @param secretsfile file where secrets are stored
- * @param path default directory for private keys
*/
- void (*load_private_keys) (credential_store_t *this, const char *secretsfile, const char *path);
+ void (*load_private_keys) (credential_store_t *this);
/**
* @brief Destroys a credential_store_t object.
diff --git a/src/charon/config/credentials/credential_store.c b/src/charon/config/credentials/local_credential_store.c
index 6e7d33813..ef128845c 100644
--- a/src/charon/config/credentials/credential_store.c
+++ b/src/charon/config/credentials/local_credential_store.c
@@ -1,7 +1,7 @@
/**
- * @file credential_store.c
+ * @file local_credential_store.c
*
- * @brief Implementation of credential_store_t.
+ * @brief Implementation of local_credential_store_t.
*
*/
@@ -25,7 +25,7 @@
#include <string.h>
#include <pthread.h>
-#include "credential_store.h"
+#include "local_credential_store.h"
#include <utils/lexparser.h>
#include <utils/linked_list.h>
@@ -33,19 +33,19 @@
#include <crypto/x509.h>
#include <crypto/crl.h>
-#define PATH_BUF 256
+#define PATH_BUF 256
-typedef struct private_credential_store_t private_credential_store_t;
+typedef struct private_local_credential_store_t private_local_credential_store_t;
/**
- * Private data of an credential_store_t object
+ * Private data of an local_credential_store_t object
*/
-struct private_credential_store_t {
+struct private_local_credential_store_t {
/**
* Public part
*/
- credential_store_t public;
+ local_credential_store_t public;
/**
* list of key_entry_t's with private keys
@@ -85,17 +85,17 @@ struct private_credential_store_t {
/**
- * Implementation of credential_store_t.get_shared_secret.
+ * Implementation of local_credential_store_t.get_shared_secret.
*/
-static status_t get_shared_secret(private_credential_store_t *this, identification_t *id, chunk_t *secret)
+static status_t get_shared_secret(private_local_credential_store_t *this, identification_t *id, chunk_t *secret)
{
return FAILED;
}
/**
- * Implementation of credential_store_t.get_rsa_public_key.
+ * Implementation of local_credential_store_t.get_rsa_public_key.
*/
-static rsa_public_key_t * get_rsa_public_key(private_credential_store_t *this, identification_t *id)
+static rsa_public_key_t *get_rsa_public_key(private_local_credential_store_t *this, identification_t *id)
{
rsa_public_key_t *found = NULL;
@@ -118,9 +118,9 @@ static rsa_public_key_t * get_rsa_public_key(private_credential_store_t *this, i
}
/**
- * Implementation of credential_store_t.get_rsa_private_key.
+ * Implementation of local_credential_store_t.get_rsa_private_key.
*/
-static rsa_private_key_t* get_rsa_private_key(private_credential_store_t *this, rsa_public_key_t *pubkey)
+static rsa_private_key_t *get_rsa_private_key(private_local_credential_store_t *this, rsa_public_key_t *pubkey)
{
rsa_private_key_t *found = NULL;
rsa_private_key_t *current;
@@ -142,9 +142,9 @@ static rsa_private_key_t* get_rsa_private_key(private_credential_store_t *this,
}
/**
- * Implementation of credential_store_t.has_rsa_private_key.
+ * Implementation of local_credential_store_t.has_rsa_private_key.
*/
-static bool has_rsa_private_key(private_credential_store_t *this, rsa_public_key_t *pubkey)
+static bool has_rsa_private_key(private_local_credential_store_t *this, rsa_public_key_t *pubkey)
{
bool found = FALSE;
rsa_private_key_t *current;
@@ -197,25 +197,25 @@ static x509_t* add_certificate(linked_list_t *certs, x509_t *cert)
}
/**
- * Implements credential_store_t.add_end_certificate
+ * Implements local_credential_store_t.add_end_certificate
*/
-static x509_t* add_end_certificate(private_credential_store_t *this, x509_t *cert)
+static x509_t* add_end_certificate(private_local_credential_store_t *this, x509_t *cert)
{
return add_certificate(this->certs, cert);
}
/**
- * Implements credential_store_t.add_ca_certificate
+ * Implements local_credential_store_t.add_ca_certificate
*/
-static x509_t* add_ca_certificate(private_credential_store_t *this, x509_t *cert)
+static x509_t* add_ca_certificate(private_local_credential_store_t *this, x509_t *cert)
{
return add_certificate(this->ca_certs, cert);
}
/**
- * Implements credential_store_t.log_certificates
+ * Implements local_credential_store_t.log_certificates
*/
-static void log_certificates(private_credential_store_t *this, logger_t *logger, bool utc)
+static void log_certificates(private_local_credential_store_t *this, logger_t *logger, bool utc)
{
iterator_t *iterator = this->certs->create_iterator(this->certs, TRUE);
@@ -239,9 +239,9 @@ static void log_certificates(private_credential_store_t *this, logger_t *logger,
}
/**
- * Implements credential_store_t.log_ca_certificates
+ * Implements local_credential_store_t.log_ca_certificates
*/
-static void log_ca_certificates(private_credential_store_t *this, logger_t *logger, bool utc)
+static void log_ca_certificates(private_local_credential_store_t *this, logger_t *logger, bool utc)
{
iterator_t *iterator = this->ca_certs->create_iterator(this->ca_certs, TRUE);
@@ -263,9 +263,9 @@ static void log_ca_certificates(private_credential_store_t *this, logger_t *logg
}
/**
- * Implements credential_store_t.log_crls
+ * Implements local_credential_store_t.log_crls
*/
-static void log_crls(private_credential_store_t *this, logger_t *logger, bool utc)
+static void log_crls(private_local_credential_store_t *this, logger_t *logger, bool utc)
{
iterator_t *iterator = this->crls->create_iterator(this->crls, TRUE);
@@ -290,21 +290,21 @@ static void log_crls(private_credential_store_t *this, logger_t *logger, bool ut
}
/**
- * Implements credential_store_t.load_ca_certificates
+ * Implements local_credential_store_t.load_ca_certificates
*/
-static void load_ca_certificates(private_credential_store_t *this, const char *path)
+static void load_ca_certificates(private_local_credential_store_t *this)
{
struct dirent* entry;
struct stat stb;
DIR* dir;
x509_t *cert;
- this->logger->log(this->logger, CONTROL, "loading ca certificates from '%s/'", path);
+ this->logger->log(this->logger, CONTROL, "loading ca certificates from '%s/'", CA_CERTIFICATE_DIR);
- dir = opendir(path);
+ dir = opendir(CA_CERTIFICATE_DIR);
if (dir == NULL)
{
- this->logger->log(this->logger, ERROR, "error opening ca certs directory %s'", path);
+ this->logger->log(this->logger, ERROR, "error opening ca certs directory %s'", CA_CERTIFICATE_DIR);
return;
}
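Review bot: The rewritten error message `"error opening ca certs directory %s'"` has an unmatched quote and prints as `directory /path'`; since the line is being changed anyway, make it `"error opening ca certs directory '%s'"`. The load_crls hunk below rewrites the matching line `"error opening crl directory %s'"` with the same defect. Dropping the path parameter also means the directory is now fixed at compile time, which makes these loaders hard to exercise from a test without touching the real CA directory; that is a design trade-off worth a sentence in the header comment.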
@@ -312,7 +312,7 @@ static void load_ca_certificates(private_credential_store_t *this, const char *p
{
char file[PATH_BUF];
- snprintf(file, sizeof(file), "%s/%s", path, entry->d_name);
+ snprintf(file, sizeof(file), "%s/%s", CA_CERTIFICATE_DIR, entry->d_name);
if (stat(file, &stb) == -1)
{
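Review bot: The result of the rewritten `snprintf(file, sizeof(file), "%s/%s", CA_CERTIFICATE_DIR, entry->d_name);` is not checked, so a directory entry long enough to exceed PATH_BUF (256) together with CA_CERTIFICATE_DIR silently produces a truncated path that is then passed to stat() and the certificate loader; the load_crls hunk below has the same unchecked `snprintf(file, sizeof(file), "%s/%s", CRL_DIR, entry->d_name);`. Keep the return value and skip the entry on truncation: `int n = snprintf(file, sizeof(file), "%s/%s", CA_CERTIFICATE_DIR, entry->d_name);` followed by `if (n < 0 || (size_t)n >= sizeof(file)) { continue; }`, with a log line if the project prefers to report it. The enclosing loop in load_ca_certificates starts and ends outside this hunk.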
@@ -394,21 +394,21 @@ static crl_t* add_crl(linked_list_t *crls, crl_t *crl, logger_t *logger)
}
/**
- * Implements credential_store_t.load_crls
+ * Implements local_credential_store_t.load_crls
*/
-static void load_crls(private_credential_store_t *this, const char *path)
+static void load_crls(private_local_credential_store_t *this)
{
struct dirent* entry;
struct stat stb;
DIR* dir;
crl_t *crl;
- this->logger->log(this->logger, CONTROL, "loading crls from '%s/'", path);
+ this->logger->log(this->logger, CONTROL, "loading crls from '%s/'", CRL_DIR);
- dir = opendir(path);
+ dir = opendir(CRL_DIR);
if (dir == NULL)
{
- this->logger->log(this->logger, ERROR, "error opening crl directory %s'", path);
+ this->logger->log(this->logger, ERROR, "error opening crl directory %s'", CRL_DIR);
return;
}
@@ -416,7 +416,7 @@ static void load_crls(private_credential_store_t *this, const char *path)
{
char file[PATH_BUF];
- snprintf(file, sizeof(file), "%s/%s", path, entry->d_name);
+ snprintf(file, sizeof(file), "%s/%s", CRL_DIR, entry->d_name);
if (stat(file, &stb) == -1)
{
@@ -444,11 +444,11 @@ static void load_crls(private_credential_store_t *this, const char *path)
}
/**
- * Implements credential_store_t.load_private_keys
+ * Implements local_credential_store_t.load_private_keys
*/
-static void load_private_keys(private_credential_store_t *this, const char *secretsfile, const char *defaultpath)
+static void load_private_keys(private_local_credential_store_t *this)
{
- FILE *fd = fopen(secretsfile, "r");
+ FILE *fd = fopen(SECRETS_FILE, "r");
if (fd)
{
@@ -456,7 +456,7 @@ static void load_private_keys(private_credential_store_t *this, const char *secr
int line_nr = 0;
chunk_t chunk, src, line;
- this->logger->log(this->logger, CONTROL, "loading secrets from \"%s\"", secretsfile);
+ this->logger->log(this->logger, CONTROL, "loading secrets from \"%s\"", SECRETS_FILE);
fseek(fd, 0, SEEK_END);
chunk.len = ftell(fd);
@@ -513,7 +513,7 @@ static void load_private_keys(private_credential_store_t *this, const char *secr
else
{
/* relative path name */
- snprintf(path, sizeof(path), "%s/%.*s", defaultpath, filename.len, filename.ptr);
+ snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR, filename.len, filename.ptr);
}
rsa_private_key_t *key = rsa_private_key_create_from_file(path, NULL);
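Review bot: The precision argument of `%.*s` on the rewritten snprintf line must be an `int`, but `filename.len` is passed as-is; if chunk_t's `len` is not an int (I cannot see its definition in this diff), the variadic call has a type mismatch that is undefined behaviour and on 64-bit ABIs can desynchronise the following pointer argument. Cast it explicitly after checking it fits: `snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR, (int)filename.len, filename.ptr);`. As in the directory loaders, the truncation result is not checked before `path` is handed to rsa_private_key_create_from_file. The enclosing function continues outside this hunk.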
@@ -543,14 +543,14 @@ error:
}
else
{
- this->logger->log(this->logger, ERROR, "could not open file '%s'", secretsfile);
+ this->logger->log(this->logger, ERROR, "could not open file '%s'", SECRETS_FILE);
}
}
/**
- * Implementation of credential_store_t.destroy.
+ * Implementation of local_credential_store_t.destroy.
*/
-static void destroy(private_credential_store_t *this)
+static void destroy(private_local_credential_store_t *this)
{
x509_t *cert;
crl_t *crl;
@@ -592,23 +592,23 @@ static void destroy(private_credential_store_t *this)
/**
* Described in header.
*/
-credential_store_t * credential_store_create(bool strict)
+local_credential_store_t * local_credential_store_create(bool strict)
{
- private_credential_store_t *this = malloc_thing(private_credential_store_t);
-
- this->public.get_shared_secret = (status_t(*)(credential_store_t*,identification_t*,chunk_t*))get_shared_secret;
- this->public.get_rsa_private_key = (rsa_private_key_t*(*)(credential_store_t*,rsa_public_key_t*))get_rsa_private_key;
- this->public.has_rsa_private_key = (bool(*)(credential_store_t*,rsa_public_key_t*))has_rsa_private_key;
- this->public.get_rsa_public_key = (rsa_public_key_t*(*)(credential_store_t*,identification_t*))get_rsa_public_key;
- this->public.add_end_certificate = (x509_t*(*)(credential_store_t*,x509_t*))add_end_certificate;
- this->public.add_ca_certificate = (x509_t*(*)(credential_store_t*,x509_t*))add_ca_certificate;
- this->public.log_certificates = (void(*)(credential_store_t*,logger_t*,bool))log_certificates;
- this->public.log_ca_certificates = (void(*)(credential_store_t*,logger_t*,bool))log_ca_certificates;
- this->public.log_crls = (void(*)(credential_store_t*,logger_t*,bool))log_crls;
- this->public.load_ca_certificates = (void(*)(credential_store_t*,const char*))load_ca_certificates;
- this->public.load_crls = (void(*)(credential_store_t*,const char*))load_crls;
- this->public.load_private_keys = (void(*)(credential_store_t*,const char*, const char*))load_private_keys;
- this->public.destroy = (void(*)(credential_store_t*))destroy;
+ private_local_credential_store_t *this = malloc_thing(private_local_credential_store_t);
+
+ this->public.credential_store.get_shared_secret = (status_t(*)(credential_store_t*,identification_t*,chunk_t*))get_shared_secret;
+ this->public.credential_store.get_rsa_private_key = (rsa_private_key_t*(*)(credential_store_t*,rsa_public_key_t*))get_rsa_private_key;
+ this->public.credential_store.has_rsa_private_key = (bool(*)(credential_store_t*,rsa_public_key_t*))has_rsa_private_key;
+ this->public.credential_store.get_rsa_public_key = (rsa_public_key_t*(*)(credential_store_t*,identification_t*))get_rsa_public_key;
+ this->public.credential_store.add_end_certificate = (x509_t*(*)(credential_store_t*,x509_t*))add_end_certificate;
+ this->public.credential_store.add_ca_certificate = (x509_t*(*)(credential_store_t*,x509_t*))add_ca_certificate;
+ this->public.credential_store.log_certificates = (void(*)(credential_store_t*,logger_t*,bool))log_certificates;
+ this->public.credential_store.log_ca_certificates = (void(*)(credential_store_t*,logger_t*,bool))log_ca_certificates;
+ this->public.credential_store.log_crls = (void(*)(credential_store_t*,logger_t*,bool))log_crls;
+ this->public.credential_store.load_ca_certificates = (void(*)(credential_store_t*))load_ca_certificates;
+ this->public.credential_store.load_crls = (void(*)(credential_store_t*))load_crls;
+ this->public.credential_store.load_private_keys = (void(*)(credential_store_t*))load_private_keys;
+ this->public.credential_store.destroy = (void(*)(credential_store_t*))destroy;
/* initialize mutexes */
pthread_mutex_init(&(this->crls_mutex), NULL);
diff --git a/src/charon/config/credentials/local_credential_store.h b/src/charon/config/credentials/local_credential_store.h
new file mode 100644
index 000000000..f27fe0c2a
--- /dev/null
+++ b/src/charon/config/credentials/local_credential_store.h
@@ -0,0 +1,64 @@
+/**
+ * @file local_credential_store.h
+ *
+ * @brief Interface of local_credential_store_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef LOCAL_CREDENTIAL_H_
+#define LOCAL_CREDENTIAL_H_
+
+#include <types.h>
+#include <daemon.h>
+#include <config/credentials/credential_store.h>
+
+
+typedef struct local_credential_store_t local_credential_store_t;
+
+/**
+ * @brief A credential_store_t implementation using simple credentail lists.
+ *
+ * The local_credential_store_t class implements the credential_store_t interface
+ * as simple as possible. The credentials are stored in lists, and are loaded from
+ * files on the disk.
+ * Shared secret are not handled yet, so get_shared_secret always returns NOT_FOUND.
+ *
+ * @b Constructors:
+ * - local_credential_store_create(bool strict)
+ *
+ * @ingroup config
+ */
+struct local_credential_store_t {
+
+ /**
+ * Implements credential_store_t interface
+ */
+ credential_store_t credential_store;
+};
+
+/**
+ * @brief Creates a local_credential_store_t instance.
+ *
+ * @param strict enforce a strict crl policy
+ * @return credential store instance.
+ *
+ * @ingroup config
+ */
+local_credential_store_t *local_credential_store_create(bool strict);
+
+#endif /* LOCAL_CREDENTIAL_H_ */
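Review bot: The class comment states `get_shared_secret always returns NOT_FOUND`, but the implementation in local_credential_store.c (visible in the earlier hunk) returns `FAILED`; one of the two should change, and the comment is the cheaper fix. daemon.c casts the returned `local_credential_store_t*` to `credential_store_t*`, which is only valid while `credential_store` remains the first member, so say so on the field: `/** Implements credential_store_t interface; must stay the first member, callers cast local_credential_store_t* to credential_store_t* */`. Minor: `credentail` should be `credential`, and the include guard `LOCAL_CREDENTIAL_H_` would be clearer as `LOCAL_CREDENTIAL_STORE_H_` to match the file name.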
diff --git a/src/charon/daemon.c b/src/charon/daemon.c
index 71726620b..63edd4234 100644
--- a/src/charon/daemon.c
+++ b/src/charon/daemon.c
@@ -177,14 +177,13 @@ static void initialize(private_daemon_t *this, bool strict)
this->public.send_queue = send_queue_create();
this->public.connections = (connection_store_t*)local_connection_store_create();
this->public.policies = (policy_store_t*)local_policy_store_create();
- this->public.credentials = credential_store_create(strict);
+ this->public.credentials = (credential_store_t*)local_credential_store_create(strict);
/* load keys, ca certificates and crls */
credentials = this->public.credentials;
- credentials->load_ca_certificates(credentials, CA_CERTIFICATE_DIR);
- credentials->load_crls(credentials, CRL_DIR);
- credentials->load_private_keys(credentials, SECRETS_FILE, PRIVATE_KEY_DIR);
-
+ credentials->load_ca_certificates(credentials);
+ credentials->load_crls(credentials);
+ credentials->load_private_keys(credentials);
/* start building threads, we are multi-threaded NOW */
this->public.stroke = stroke_create();
diff --git a/src/charon/daemon.h b/src/charon/daemon.h
index 737db5a22..4f5fbba3d 100644
--- a/src/charon/daemon.h
+++ b/src/charon/daemon.h
@@ -251,6 +251,7 @@
*/
#define SECRETS_FILE CONFIG_DIR "/ipsec.secrets"
+
typedef struct daemon_t daemon_t;
/**
diff --git a/src/charon/testing/connection_test.c b/src/charon/testing/connection_test.c
index 9ba4ef39b..8f4628610 100644
--- a/src/charon/testing/connection_test.c
+++ b/src/charon/testing/connection_test.c
@@ -33,7 +33,10 @@ void test_connection(protected_tester_t *tester)
{
host_t *alice = host_create(AF_INET, "192.168.0.1", 500);
host_t *bob = host_create(AF_INET, "192.168.0.2", 500);
- connection_t *connection = connection_create("alice-bob", TRUE, alice, bob, RSA_DIGITAL_SIGNATURE);
+ connection_t *connection = connection_create(
+ "alice-bob", TRUE,
+ CERT_ALWAYS_SEND, CERT_ALWAYS_SEND,
+ alice, bob, RSA_DIGITAL_SIGNATURE);
proposal_t *prop1, *prop2, *prop3, *prop4;
linked_list_t *list;
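Review bot: The updated call passes `CERT_ALWAYS_SEND` for both new arguments, so nothing in this hunk can tell whether connection_create stores them in the right order (cert_policy before cert_req_policy) or whether the new getters work at all. Passing two different values, e.g. `CERT_ALWAYS_SEND, CERT_NEVER_SEND,`, and asserting `connection->get_cert_policy(connection) == CERT_ALWAYS_SEND` and `connection->get_cert_req_policy(connection) == CERT_NEVER_SEND` would catch a swapped pair. The rest of test_connection is outside this hunk, so it may already cover this.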
diff --git a/src/charon/threads/stroke_interface.c b/src/charon/threads/stroke_interface.c
index 6a86edbe9..47acb242e 100755
--- a/src/charon/threads/stroke_interface.c
+++ b/src/charon/threads/stroke_interface.c
@@ -345,6 +345,7 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg)
this->logger->log(this->logger, CONTROL|LEVEL1, " other ca:'%s'", other_ca->get_string(other_ca));
connection = connection_create(msg->add_conn.name, msg->add_conn.ikev2,
+ msg->add_conn.me.sendcert, msg->add_conn.other.sendcert,
my_host, other_host,
RSA_DIGITAL_SIGNATURE);
if (msg->add_conn.algorithms.ike)
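Review bot: `msg->add_conn.me.sendcert` and `msg->add_conn.other.sendcert` are plain ints read from the stroke socket (stroke.h now declares `int sendcert`) and are passed straight into the cert_policy_t parameters, so any value outside 0..2 becomes an undefined policy inside the connection; note that the enum removed from types.h in this same commit also carried the synonyms 3 (`CERT_YES_SEND`) and 4 (`CERT_NO_SEND`), which an older stroke binary may still send. Validate before the call, e.g. `if (msg->add_conn.me.sendcert < CERT_ALWAYS_SEND || msg->add_conn.me.sendcert > CERT_NEVER_SEND || msg->add_conn.other.sendcert < CERT_ALWAYS_SEND || msg->add_conn.other.sendcert > CERT_NEVER_SEND)` and log an ERROR and bail out through the same cleanup the function uses for its other failures (my_host and other_host have already been created above). stroke_add_conn starts and ends outside this hunk, so I cannot see that cleanup path here.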
@@ -611,11 +612,11 @@ static void stroke_reread(private_stroke_t *this, stroke_msg_t *msg)
{
if (msg->reread.flags & REREAD_CACERTS)
{
- charon->credentials->load_ca_certificates(charon->credentials, CA_CERTIFICATE_DIR);
+ charon->credentials->load_ca_certificates(charon->credentials);
}
if (msg->reread.flags & REREAD_CRLS)
{
- charon->credentials->load_crls(charon->credentials, CRL_DIR);
+ charon->credentials->load_crls(charon->credentials);
}
}
diff --git a/src/libstrongswan/types.h b/src/libstrongswan/types.h
index ed67913cf..0a1ea08a0 100644
--- a/src/libstrongswan/types.h
+++ b/src/libstrongswan/types.h
@@ -109,19 +109,6 @@ enum status_t {
CREATED,
};
-
-/**
- * Certificate sending policy
- */
-typedef enum certpolicy {
- CERT_ALWAYS_SEND = 0,
- CERT_SEND_IF_ASKED = 1,
- CERT_NEVER_SEND = 2,
-
- CERT_YES_SEND = 3, /* synonym for CERT_ALWAYS_SEND */
- CERT_NO_SEND = 4 /* synonym for CERT_NEVER_SEND */
-} certpolicy_t;
-
/**
* RFC 2459 CRL reason codes
*/
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index 8cce1950c..c8ec9c728 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -122,7 +122,7 @@ static int add_connection(char *name,
msg.add_conn.me.subnet_mask = my_netmask;
msg.add_conn.me.cert = NULL;
msg.add_conn.me.ca = NULL;
- msg.add_conn.me.sendcert = CERT_SEND_IF_ASKED;
+ msg.add_conn.me.sendcert = 1;
msg.add_conn.other.id = push_string(&msg, other_id);
msg.add_conn.other.address = push_string(&msg, other_addr);
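Review bot: `msg.add_conn.me.sendcert = 1;` replaces a named constant with a bare number whose meaning (send the certificate if asked) is now only recoverable from charon's cert_policy_t, a header stroke does not include; the second hunk does the same for `other.sendcert`. Either declare the three values in stroke.h, which both sides share, or at minimum annotate the assignment: `msg.add_conn.me.sendcert = 1; /* CERT_SEND_IF_ASKED, see charon's cert_policy_t */`. add_connection starts and ends outside this hunk.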
@@ -130,7 +130,7 @@ static int add_connection(char *name,
msg.add_conn.other.subnet_mask = other_netmask;
msg.add_conn.other.cert = NULL;
msg.add_conn.other.ca = NULL;
- msg.add_conn.other.sendcert = CERT_SEND_IF_ASKED;
+ msg.add_conn.other.sendcert = 1;
return send_stroke_msg(&msg);
}
diff --git a/src/stroke/stroke.h b/src/stroke/stroke.h
index 0f2f1d030..bf182eb53 100644
--- a/src/stroke/stroke.h
+++ b/src/stroke/stroke.h
@@ -23,6 +23,8 @@
#ifndef STROKE_H_
#define STROKE_H_
+#include <sys/types.h>
+
/**
* Socket which is used to communicate between charon and stroke
*/
@@ -30,25 +32,47 @@
#define STROKE_BUF_LEN 2048
+typedef enum list_flag_t list_flag_t;
+
/**
- * Definition of the LIST flags
- */
-#define LIST_NONE 0x0000 /* don't list anything */
-#define LIST_CERTS 0x0001 /* list all host/user certs */
-#define LIST_CACERTS 0x0002 /* list all ca certs */
-#define LIST_CRLS 0x0004 /* list all crls */
-#define LIST_ALL 0x0007 /* all list options */
+ * Definition of the LIST flags, used for
+ * the various stroke list* commands.
+ */
+enum list_flag_t {
+ /** don't list anything */
+ LIST_NONE = 0x0000,
+ /** list all host/user certs */
+ LIST_CERTS = 0x0001,
+ /** list all ca certs */
+ LIST_CACERTS = 0x0002,
+ /** list all crls */
+ LIST_CRLS = 0x0004,
+ /** all list options */
+ LIST_ALL = 0x0007,
+};
+
+typedef enum reread_flag_t reread_flag_t;
/**
- * Definition of the REREAD flags
- */
-#define REREAD_NONE 0x0000 /* don't reread anything */
-#define REREAD_CACERTS 0x0001 /* reread all ca certs */
-#define REREAD_CRLS 0x0002 /* reread all crls */
-#define REREAD_ALL 0x0003 /* all reread options */
+ * Definition of the REREAD flags, used for
+ * the various stroke reread* commands.
+ */
+enum reread_flag_t {
+ /** don't reread anything */
+ REREAD_NONE = 0x0000,
+ /** reread all ca certs */
+ REREAD_CACERTS = 0x0001,
+ /** reread all crls */
+ REREAD_CRLS = 0x0002,
+ /** all reread options */
+ REREAD_ALL = 0x0003,
+};
typedef struct stroke_end_t stroke_end_t;
+/**
+ * definition of a peer in a stroke message
+ */
struct stroke_end_t {
char *id;
char *cert;
@@ -56,7 +80,7 @@ struct stroke_end_t {
char *address;
char *subnet;
int subnet_mask;
- certpolicy_t sendcert;
+ int sendcert;
};
typedef struct stroke_msg_t stroke_msg_t;
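Review bot: `int sendcert;` carries no statement of which values are valid, although charon interprets it as cert_policy_t and stroke.h is the wire definition both programs include; since this commit removed the shared enum, the contract now lives nowhere. Document it on the field: `int sendcert; /* 0 = always send, 1 = send if asked, 2 = never send; mirrors charon's cert_policy_t */`. The other new enums in this hunk (list_flag_t, reread_flag_t) are documented per value, so the same standard should apply here.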
@@ -66,7 +90,7 @@ typedef struct stroke_msg_t stroke_msg_t;
*/
struct stroke_msg_t {
/* length of this message with all strings */
- u_int length;
+ u_int16_t length;
/* type of the message */
enum {
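Review bot: Narrowing `length` from `u_int` to `u_int16_t` changes the on-socket layout of stroke_msg_t, so a stroke binary built against the old header will no longer frame messages correctly against a new charon; if that is intended, a note on the field saying both sides must be rebuilt together would save a confusing debugging session. The 16-bit field comfortably holds STROKE_BUF_LEN (2048), but the reader side should still check `length <= STROKE_BUF_LEN` before using it to locate the pushed strings; whether it does is not visible in this diff.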
@@ -134,13 +158,13 @@ struct stroke_msg_t {
/* data for STR_LIST */
struct {
- u_int flags;
+ list_flag_t flags;
bool utc;
} list;
/* data for STR_REREAD */
struct {
- u_int flags;
+ reread_flag_t flags;
} reread;
};