diff options
24 files changed, 196 insertions, 196 deletions
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in index 3cfc57e97..40df77881 100644 --- a/man/strongswan.conf.5.in +++ b/man/strongswan.conf.5.in @@ -139,11 +139,15 @@ Plugins to load in ipsec attest tool .BR Note : Many of these options also apply to \fBcharon\-cmd\fR and other \fBcharon\fR derivatives. Just use their respective name (e.g. -\fIcharon\-cmd\fR) instead of \fIcharon\fR. +\fIcharon\-cmd\fR) instead of \fIcharon\fR. For many options defaults +can be defined in the \fIlibstrongswan\fR section. .TP .BR charon.block_threshold " [5]" Maximum number of half-open IKE_SAs for a single peer IP .TP +.BR charon.cert_cache " [yes]" +Whether relations in validated certificate chains should be cached in memory +.TP .BR charon.cisco_unity " [no] Send Cisco Unity vendor ID payload (IKEv1 only) .TP @@ -153,6 +157,31 @@ Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed .BR charon.cookie_threshold " [10]" Number of half-open IKE_SAs that activate the cookie mechanism .TP +.BR charon.crypto_test.bench " [no]" + +.TP +.BR charon.crypto_test.bench_size " [1024]" + +.TP +.BR charon.crypto_test.bench_time " [50]" + +.TP +.BR charon.crypto_test.on_add " [no]" +Test crypto algorithms during registration +.TP +.BR charon.crypto_test.on_create " [no]" +Test crypto algorithms on each crypto primitive instantiation +.TP +.BR charon.crypto_test.required " [no]" +Strictly require at least one test vector to enable an algorithm +.TP +.BR charon.crypto_test.rng_true " [no]" +Whether to test RNG with TRUE quality; requires a lot of entropy +.TP +.BR charon.dh_exponent_ansi_x9_42 " [yes]" +Use ANSI X9.42 DH exponent size or optimum size matched to cryptographical +strength +.TP .BR charon.dns1 .TQ .BR charon.dns2 @@ -161,6 +190,9 @@ DNS servers assigned to peer via configuration payload (CP) .BR charon.dos_protection " [yes]" Enable Denial of Service protection using cookies and aggressiveness checks .TP +.BR charon.ecp_x_coordinate_only " [yes]" +Compliance with the errata for RFC 4753 +.TP .BR charon.filelog Section to define file loggers, see LOGGER CONFIGURATION .TP @@ -183,6 +215,12 @@ Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING). .BR charon.hash_and_url " [no]" Enable hash and URL support .TP +.BR charon.host_resolver.max_threads " [3]" +Maximum number of concurrent resolver threads (they are terminated if unused) +.TP +.BR charon.host_resolver.min_threads " [0]" +Minimum number of resolver threads to keep around +.TP .BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]" If enabled responders are allowed to use IKEv1 Aggressive Mode with pre-shared keys, which is discouraged due to security concerns (offline attacks on the @@ -225,6 +263,9 @@ Install virtual IP addresses The name of the interface on which virtual IP addresses should be installed. If not specified the addresses will be installed on the outbound interface. .TP +.BR charon.integrity_test " [no]" +Check daemon, libstrongswan and plugin integrity at startup +.TP .BR charon.interfaces_ignore A comma-separated list of network interfaces that should be ignored, if .B charon.interfaces_use @@ -237,6 +278,15 @@ All other interfaces are ignored. .BR charon.keep_alive " [20s]" NAT keep alive interval .TP +.BR charon.leak_detective.detailed " [yes]" +Includes source file names and line numbers in leak detective output +.TP +.BR charon.leak_detective.usage_threshold " [10240]" +Threshold in bytes for leaks to be reported (0 to report all) +.TP +.BR charon.leak_detective.usage_threshold_count " [0]" +Threshold in number of allocations for leaks to be reported (0 to report all) +.TP .BR charon.load Plugins to load in the IKEv2 daemon charon .TP @@ -263,6 +313,10 @@ otherwise a random port will be allocated. .BR charon.process_route " [yes]" Process RTM_NEWROUTE and RTM_DELROUTE events .TP +.BR charon.processor.priority_threads +Subsection to configure the number of reserved threads per priority class +see JOB PRIORITY MANAGEMENT +.TP .BR charon.receive_delay " [0]" Delay in ms for receiving packets, to simulate larger RTT .TP @@ -327,6 +381,10 @@ might be used as indicator on the number of reserved threads. .TP .BR charon.user Name of the user the daemon changes to after startup +.TP +.BR charon.x509.enforce_critical " [yes]" +Discard certificates with unsupported or unknown critical extensions +. .SS charon.plugins subsection .TP .BR charon.plugins.android_log.loglevel " [1]" @@ -336,6 +394,12 @@ Loglevel for logging to Android specific logger Section to specify arbitrary attributes that are assigned to a peer via configuration payload (CP) .TP +.BR charon.plugins.attr-sql.database +Database URI for attr-sql plugin used by charon +.TP +.BR charon.plugins.attr-sql.lease_history " [yes]" +Enable logging of SQL IP pool leases +.TP .BR charon.plugins.certexpire.csv.cron Cron style string specifying CSV export times .TP @@ -603,6 +667,9 @@ Request peer authentication based on a client certificate .BR charon.plugins.error-notify.socket " [unix://@piddir@/charon.enfy]" Socket provided by the error-notify plugin .TP +.BR charon.plugins.gcrypt.quick_random " [no]" +Use faster random numbers in gcrypt; for testing only, produces weak keys! +.TP .BR charon.plugins.ha.autobalance " [0]" Interval in seconds to automatically balance handled segments between nodes. Set to 0 to disable. @@ -680,6 +747,51 @@ Section to configure the load-tester plugin, see LOAD TESTS .BR charon.plugins.lookip.socket " [unix://@piddir@/charon.lkp]" Socket provided by the lookip plugin .TP +.BR charon.plugins.ntru.max_drbg_requests " [4294967294]" +Number of pseudo-random bit requests from the DRBG before an automatic +reseeding occurs. +.TP +.BR charon.plugins.ntru.parameter_set " [optimum]" +The following parameter sets are available: +.BR x9_98_speed , +.BR x9_98_bandwidth , +.B x9_98_balance +and +.BR optimum , +the last set not being part of the X9.98 standard but having the best performance. +.TP +.BR charon.plugins.openssl.engine_id " [pkcs11]" +ENGINE ID to use in the OpenSSL plugin +.TP +.BR charon.plugins.openssl.fips_mode " [0]" +Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2) +.TP +.BR charon.plugins.pkcs11.modules +List of available PKCS#11 modules +.TP +.BR charon.plugins.pkcs11.load_certs " [yes]" +Whether to load certificates from tokens +.TP +.BR charon.plugins.pkcs11.reload_certs " [no]" +Reload certificates from all tokens if charon receives a SIGHUP +.TP +.BR charon.plugins.pkcs11.use_dh " [no]" +Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc option) +.TP +.BR charon.plugins.pkcs11.use_ecc " [no]" +Whether the PKCS#11 modules should be used for ECDH and ECDSA public key +operations. ECDSA private keys can be used regardless of this option +.TP +.BR charon.plugins.pkcs11.use_hasher " [no]" +Whether the PKCS#11 modules should be used to hash data +.TP +.BR charon.plugins.pkcs11.use_pubkey " [no]" +Whether the PKCS#11 modules should be used for public key operations, even for +keys not stored on tokens +.TP +.BR charon.plugins.pkcs11.use_rng " [no]" +Whether the PKCS#11 modules should be used as RNG +.TP .BR charon.plugins.radattr.dir Directory where RADIUS attributes are stored in client-ID specific files. .TP @@ -687,6 +799,16 @@ Directory where RADIUS attributes are stored in client-ID specific files. Attributes are added to all IKE_AUTH messages by default (-1), or only to the IKE_AUTH message with the given IKEv2 message ID. .TP +.BR charon.plugins.random.random " [@random_device@]" +File to read random bytes from, instead of @random_device@ +.TP +.BR charon.plugins.random.urandom " [@urandom_device@]" +File to read pseudo random bytes from, instead of @urandom_device@ +.TP +.BR charon.plugins.random.strong_equals_true " [no]" +If set to yes the RNG_STRONG class reads random bytes from the same source as +the RNG_TRUE class. +.TP .BR charon.plugins.resolve.file " [/etc/resolv.conf]" File where to add DNS server entries .TP @@ -787,6 +909,20 @@ Name of the strongSwan PDP as contained in the AAA certificate .BR charon.plugins.tnc-pdp.timeout Timeout in seconds before closing incomplete connections .TP +.BR charon.plugins.unbound.resolv_conf " [/etc/resolv.conf]" +File to read DNS resolver configuration from +.TP +.BR charon.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]" +File to read DNSSEC trust anchors from (usually root zone KSK). The format of +the file is the standard DNS Zone file format, anchors can be stored as DS or +DNSKEY entries in the file. +.TP +.BR charon.plugins.unbound.dlv_anchors +File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses +the same format as \fItrust_anchors\fR. Only one DLV can be configured, which +is then used as a root trusted DLV, this means that it is a lookaside for +the root. +.TP .BR charon.plugins.updown.dns_handler " [no]" Whether the updown script should handle DNS serves assigned via IKEv1 Mode Config or IKEv2 Config Payloads (if enabled they can't be handled by other @@ -810,142 +946,6 @@ Open/close a PAM session for each active IKE_SA .BR charon.plugins.xauth-pam.trim_email " [yes]" If an email address is given as an XAuth username, trim it to just the username part. -.SS libstrongswan section -.TP -.BR libstrongswan.cert_cache " [yes]" -Whether relations in validated certificate chains should be cached in memory -.TP -.BR libstrongswan.crypto_test.bench " [no]" - -.TP -.BR libstrongswan.crypto_test.bench_size " [1024]" - -.TP -.BR libstrongswan.crypto_test.bench_time " [50]" - -.TP -.BR libstrongswan.crypto_test.on_add " [no]" -Test crypto algorithms during registration -.TP -.BR libstrongswan.crypto_test.on_create " [no]" -Test crypto algorithms on each crypto primitive instantiation -.TP -.BR libstrongswan.crypto_test.required " [no]" -Strictly require at least one test vector to enable an algorithm -.TP -.BR libstrongswan.crypto_test.rng_true " [no]" -Whether to test RNG with TRUE quality; requires a lot of entropy -.TP -.BR libstrongswan.dh_exponent_ansi_x9_42 " [yes]" -Use ANSI X9.42 DH exponent size or optimum size matched to cryptographical -strength -.TP -.BR libstrongswan.ecp_x_coordinate_only " [yes]" -Compliance with the errata for RFC 4753 -.TP -.BR libstrongswan.host_resolver.max_threads " [3]" -Maximum number of concurrent resolver threads (they are terminated if unused) -.TP -.BR libstrongswan.host_resolver.min_threads " [0]" -Minimum number of resolver threads to keep around -.TP -.BR libstrongswan.integrity_test " [no]" -Check daemon, libstrongswan and plugin integrity at startup -.TP -.BR libstrongswan.leak_detective.detailed " [yes]" -Includes source file names and line numbers in leak detective output -.TP -.BR libstrongswan.leak_detective.usage_threshold " [10240]" -Threshold in bytes for leaks to be reported (0 to report all) -.TP -.BR libstrongswan.leak_detective.usage_threshold_count " [0]" -Threshold in number of allocations for leaks to be reported (0 to report all) -.TP -.BR libstrongswan.processor.priority_threads -Subsection to configure the number of reserved threads per priority class -see JOB PRIORITY MANAGEMENT -.TP -.BR libstrongswan.x509.enforce_critical " [yes]" -Discard certificates with unsupported or unknown critical extensions -.SS libstrongswan.plugins subsection -.TP -.BR libstrongswan.plugins.attr-sql.database -Database URI for attr-sql plugin used by charon -.TP -.BR libstrongswan.plugins.attr-sql.lease_history " [yes]" -Enable logging of SQL IP pool leases -.TP -.BR libstrongswan.plugins.gcrypt.quick_random " [no]" -Use faster random numbers in gcrypt; for testing only, produces weak keys! -.TP -.BR libstrongswan.plugins.ntru.max_drbg_requests " [4294967294]" -Number of pseudo-random bit requests from the DRBG before an automatic -reseeding occurs. -.TP -.BR libstrongswan.plugins.ntru.parameter_set " [optimum]" -The following parameter sets are available: -.BR x9_98_speed , -.BR x9_98_bandwidth , -.B x9_98_balance -and -.BR optimum , -the last set not being part of the X9.98 standard but having the best performance. -.TP -.BR libstrongswan.plugins.openssl.engine_id " [pkcs11]" -ENGINE ID to use in the OpenSSL plugin -.TP -.BR libstrongswan.plugins.openssl.fips_mode " [0]" -Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2) -.TP -.BR libstrongswan.plugins.pkcs11.modules -List of available PKCS#11 modules -.TP -.BR libstrongswan.plugins.pkcs11.load_certs " [yes]" -Whether to load certificates from tokens -.TP -.BR libstrongswan.plugins.pkcs11.reload_certs " [no]" -Reload certificates from all tokens if charon receives a SIGHUP -.TP -.BR libstrongswan.plugins.pkcs11.use_dh " [no]" -Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc option) -.TP -.BR libstrongswan.plugins.pkcs11.use_ecc " [no]" -Whether the PKCS#11 modules should be used for ECDH and ECDSA public key -operations. ECDSA private keys can be used regardless of this option -.TP -.BR libstrongswan.plugins.pkcs11.use_hasher " [no]" -Whether the PKCS#11 modules should be used to hash data -.TP -.BR libstrongswan.plugins.pkcs11.use_pubkey " [no]" -Whether the PKCS#11 modules should be used for public key operations, even for -keys not stored on tokens -.TP -.BR libstrongswan.plugins.pkcs11.use_rng " [no]" -Whether the PKCS#11 modules should be used as RNG -.TP -.BR libstrongswan.plugins.random.random " [@random_device@]" -File to read random bytes from, instead of @random_device@ -.TP -.BR libstrongswan.plugins.random.urandom " [@urandom_device@]" -File to read pseudo random bytes from, instead of @urandom_device@ -.TP -.BR libstrongswan.plugins.random.strong_equals_true " [no]" -If set to yes the RNG_STRONG class reads random bytes from the same source as -the RNG_TRUE class. -.TP -.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]" -File to read DNS resolver configuration from -.TP -.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]" -File to read DNSSEC trust anchors from (usually root zone KSK). The format of -the file is the standard DNS Zone file format, anchors can be stored as DS or -DNSKEY entries in the file. -.TP -.BR libstrongswan.plugins.unbound.dlv_anchors -File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses -the same format as \fItrust_anchors\fR. Only one DLV can be configured, which -is then used as a root trusted DLV, this means that it is a lookaside for -the root. .SS libtls section .TP .BR libtls.cipher @@ -1378,22 +1378,22 @@ for one). To ensure that there are always enough threads available for higher priority tasks, threads must be reserved for each priority class. .TP -.BR libstrongswan.processor.priority_threads.critical " [0]" +.BR charon.processor.priority_threads.critical " [0]" Threads reserved for CRITICAL priority class jobs .TP -.BR libstrongswan.processor.priority_threads.high " [0]" +.BR charon.processor.priority_threads.high " [0]" Threads reserved for HIGH priority class jobs .TP -.BR libstrongswan.processor.priority_threads.medium " [0]" +.BR charon.processor.priority_threads.medium " [0]" Threads reserved for MEDIUM priority class jobs .TP -.BR libstrongswan.processor.priority_threads.low " [0]" +.BR charon.processor.priority_threads.low " [0]" Threads reserved for LOW priority class jobs .PP Let's consider the following configuration: .PP .EX - libstrongswan { + charon { processor { priority_threads { high = 1 diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c index de19c8d96..3ec0714b6 100644 --- a/src/libstrongswan/credentials/credential_manager.c +++ b/src/libstrongswan/credentials/credential_manager.c @@ -1349,7 +1349,7 @@ credential_manager_t *credential_manager_create() this->local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy); this->exclusive_local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy); - if (lib->settings->get_bool(lib->settings, "libstrongswan.cert_cache", TRUE)) + if (lib->settings->get_bool(lib->settings, "%s.cert_cache", TRUE, lib->ns)) { this->cache = cert_cache_create(); this->sets->insert_first(this->sets, this->cache); diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c index edcabfe58..dba3f6f6d 100644 --- a/src/libstrongswan/crypto/crypto_factory.c +++ b/src/libstrongswan/crypto/crypto_factory.c @@ -967,11 +967,11 @@ crypto_factory_t *crypto_factory_create() .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), .tester = crypto_tester_create(), .test_on_add = lib->settings->get_bool(lib->settings, - "libstrongswan.crypto_test.on_add", FALSE), + "%s.crypto_test.on_add", FALSE, lib->ns), .test_on_create = lib->settings->get_bool(lib->settings, - "libstrongswan.crypto_test.on_create", FALSE), + "%s.crypto_test.on_create", FALSE, lib->ns), .bench = lib->settings->get_bool(lib->settings, - "libstrongswan.crypto_test.bench", FALSE), + "%s.crypto_test.bench", FALSE, lib->ns), ); return &this->public; diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c index 5a0dccced..30724b16d 100644 --- a/src/libstrongswan/crypto/crypto_tester.c +++ b/src/libstrongswan/crypto/crypto_tester.c @@ -1207,13 +1207,13 @@ crypto_tester_t *crypto_tester_create() .rng = linked_list_create(), .required = lib->settings->get_bool(lib->settings, - "libstrongswan.crypto_test.required", FALSE), + "%s.crypto_test.required", FALSE, lib->ns), .rng_true = lib->settings->get_bool(lib->settings, - "libstrongswan.crypto_test.rng_true", FALSE), + "%s.crypto_test.rng_true", FALSE, lib->ns), .bench_time = lib->settings->get_int(lib->settings, - "libstrongswan.crypto_test.bench_time", 50), + "%s.crypto_test.bench_time", 50, lib->ns), .bench_size = lib->settings->get_int(lib->settings, - "libstrongswan.crypto_test.bench_size", 1024), + "%s.crypto_test.bench_size", 1024, lib->ns), ); /* enforce a block size of 16, should be fine for all algorithms */ diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c index f71ebc671..5c1d08de2 100644 --- a/src/libstrongswan/crypto/diffie_hellman.c +++ b/src/libstrongswan/crypto/diffie_hellman.c @@ -444,7 +444,7 @@ diffie_hellman_params_t *diffie_hellman_get_params(diffie_hellman_group_t group) { if (!dh_params[i].public.subgroup.len && lib->settings->get_int(lib->settings, - "libstrongswan.dh_exponent_ansi_x9_42", TRUE)) + "%s.dh_exponent_ansi_x9_42", TRUE, lib->ns)) { dh_params[i].public.exp_len = dh_params[i].public.prime.len; } diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c index c075fd8b4..0df0c4212 100644 --- a/src/libstrongswan/library.c +++ b/src/libstrongswan/library.c @@ -108,7 +108,7 @@ void library_deinit() } detailed = lib->settings->get_bool(lib->settings, - "libstrongswan.leak_detective.detailed", TRUE); + "%s.leak_detective.detailed", TRUE, lib->ns); /* make sure the cache is clear before unloading plugins */ lib->credmgr->flush_cache(lib->credmgr, CERT_ANY); @@ -318,7 +318,7 @@ bool library_init(char *settings, const char *namespace) } if (lib->settings->get_bool(lib->settings, - "libstrongswan.integrity_test", FALSE)) + "%s.integrity_test", FALSE, lib->ns)) { #ifdef INTEGRITY_TEST this->public.integrity = integrity_checker_create(CHECKSUM_LIBRARY); diff --git a/src/libstrongswan/networking/host_resolver.c b/src/libstrongswan/networking/host_resolver.c index 99a17d17c..10af11a7f 100644 --- a/src/libstrongswan/networking/host_resolver.c +++ b/src/libstrongswan/networking/host_resolver.c @@ -355,11 +355,11 @@ host_resolver_t *host_resolver_create() ); this->min_threads = max(0, lib->settings->get_int(lib->settings, - "libstrongswan.host_resolver.min_threads", - MIN_THREADS_DEFAULT)); + "%s.host_resolver.min_threads", + MIN_THREADS_DEFAULT, lib->ns)); this->max_threads = max(this->min_threads ?: 1, lib->settings->get_int(lib->settings, - "libstrongswan.host_resolver.max_threads", - MAX_THREADS_DEFAULT)); + "%s.host_resolver.max_threads", + MAX_THREADS_DEFAULT, lib->ns)); return &this->public; } diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c index 160db042b..44f3f84b1 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c @@ -194,8 +194,8 @@ plugin_t *gcrypt_plugin_create() /* we currently do not use secure memory */ gcry_control(GCRYCTL_DISABLE_SECMEM, 0); - if (lib->settings->get_bool(lib->settings, - "libstrongswan.plugins.gcrypt.quick_random", FALSE)) + if (lib->settings->get_bool(lib->settings, "%s.plugins.gcrypt.quick_random", + FALSE, lib->ns)) { gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0); } diff --git a/src/libstrongswan/plugins/ntru/ntru_drbg.c b/src/libstrongswan/plugins/ntru/ntru_drbg.c index 6fc13aa0a..181a58939 100644 --- a/src/libstrongswan/plugins/ntru/ntru_drbg.c +++ b/src/libstrongswan/plugins/ntru/ntru_drbg.c @@ -230,8 +230,8 @@ ntru_drbg_t *ntru_drbg_create(u_int32_t strength, chunk_t pers_str, } max_requests = lib->settings->get_int(lib->settings, - "libstrongswan.plugins.ntru.max_drbg_requests", - MAX_DRBG_REQUESTS); + "%s.plugins.ntru.max_drbg_requests", + MAX_DRBG_REQUESTS, lib->ns); INIT(this, .public = { diff --git a/src/libstrongswan/plugins/ntru/ntru_ke.c b/src/libstrongswan/plugins/ntru/ntru_ke.c index a23991b27..39fb261cd 100644 --- a/src/libstrongswan/plugins/ntru/ntru_ke.c +++ b/src/libstrongswan/plugins/ntru/ntru_ke.c @@ -316,7 +316,7 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p) u_int32_t strength; parameter_set = lib->settings->get_str(lib->settings, - "libstrongswan.plugins.ntru.parameter_set", "optimum"); + "%s.plugins.ntru.parameter_set", "optimum", lib->ns); if (streq(parameter_set, "x9_98_speed")) { diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c index 18aa5ceca..cb02c663c 100644 --- a/src/libstrongswan/plugins/openssl/openssl_crl.c +++ b/src/libstrongswan/plugins/openssl/openssl_crl.c @@ -471,7 +471,7 @@ static bool parse_extensions(private_openssl_crl_t *this) default: ok = X509_EXTENSION_get_critical(ext) == 0 || !lib->settings->get_bool(lib->settings, - "libstrongswan.x509.enforce_critical", TRUE); + "%s.x509.enforce_critical", TRUE, lib->ns); if (!ok) { DBG1(DBG_LIB, "found unsupported critical X.509 " diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c index 835ed586e..b487d59a5 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c @@ -201,7 +201,7 @@ static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, * http://www.rfc-editor.org/errata_search.php?eid=9 */ x_coordinate_only = lib->settings->get_bool(lib->settings, - "libstrongswan.ecp_x_coordinate_only", TRUE); + "%s.ecp_x_coordinate_only", TRUE, lib->ns); if (!ecp2chunk(this->ec_group, secret, shared_secret, x_coordinate_only)) { goto error; diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c index ff2508609..f4aef8200 100644 --- a/src/libstrongswan/plugins/openssl/openssl_plugin.c +++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c @@ -522,7 +522,7 @@ plugin_t *openssl_plugin_create() int fips_mode; fips_mode = lib->settings->get_int(lib->settings, - "libstrongswan.plugins.openssl.fips_mode", FIPS_MODE); + "%s.plugins.openssl.fips_mode", FIPS_MODE, lib->ns); #ifdef OPENSSL_FIPS if (fips_mode) { diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c index 036f53d23..10a35c1fd 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c @@ -558,7 +558,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type, if (!engine_id) { engine_id = lib->settings->get_str(lib->settings, - "libstrongswan.plugins.openssl.engine_id", "pkcs11"); + "%s.plugins.openssl.engine_id", "pkcs11", lib->ns); } engine = ENGINE_by_id(engine_id); if (!engine) diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c index 24b12d50c..7a5b206dd 100644 --- a/src/libstrongswan/plugins/openssl/openssl_x509.c +++ b/src/libstrongswan/plugins/openssl/openssl_x509.c @@ -1012,7 +1012,7 @@ static bool parse_extensions(private_openssl_x509_t *this) default: ok = X509_EXTENSION_get_critical(ext) == 0 || !lib->settings->get_bool(lib->settings, - "libstrongswan.x509.enforce_critical", TRUE); + "%s.x509.enforce_critical", TRUE, lib->ns); if (!ok) { char buf[80] = ""; diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c index 2e5af95ff..36cc284bf 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c @@ -135,7 +135,7 @@ METHOD(diffie_hellman_t, set_other_public_value, void, }; if (!lib->settings->get_bool(lib->settings, - "libstrongswan.ecp_x_coordinate_only", TRUE)) + "%s.ecp_x_coordinate_only", TRUE, lib->ns)) { /* we only get the x coordinate back */ return; } diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c index 8bda5b66f..96c4a180d 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c @@ -338,7 +338,7 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb, ); enumerator = lib->settings->create_section_enumerator(lib->settings, - "libstrongswan.plugins.pkcs11.modules"); + "%s.plugins.pkcs11.modules", lib->ns); while (enumerator->enumerate(enumerator, &module)) { INIT(entry, @@ -346,7 +346,7 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb, ); entry->path = lib->settings->get_str(lib->settings, - "libstrongswan.plugins.pkcs11.modules.%s.path", NULL, module); + "%s.plugins.pkcs11.modules.%s.path", NULL, lib->ns, module); if (!entry->path) { DBG1(DBG_CFG, "PKCS11 module '%s' lacks library path", module); @@ -355,8 +355,8 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb, } entry->lib = pkcs11_library_create(module, entry->path, lib->settings->get_bool(lib->settings, - "libstrongswan.plugins.pkcs11.modules.%s.os_locking", - FALSE, module)); + "%s.plugins.pkcs11.modules.%s.os_locking", + FALSE, lib->ns, module)); if (!entry->lib) { free(entry); diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c index 3faa59cae..bd2a2c114 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c @@ -83,8 +83,8 @@ static void token_event_cb(private_pkcs11_plugin_t *this, pkcs11_library_t *p11, if (add && this->handle_events) { if (lib->settings->get_bool(lib->settings, - "libstrongswan.plugins.pkcs11.modules.%s.load_certs", - TRUE, p11->get_name(p11))) + "%s.plugins.pkcs11.modules.%s.load_certs", + TRUE, lib->ns, p11->get_name(p11))) { creds = pkcs11_creds_create(p11, slot); if (creds) @@ -174,8 +174,8 @@ static bool handle_certs(private_pkcs11_plugin_t *this, METHOD(plugin_t, reload, bool, private_pkcs11_plugin_t *this) { - if (lib->settings->get_bool(lib->settings, - "libstrongswan.plugins.pkcs11.reload_certs", FALSE)) + if (lib->settings->get_bool(lib->settings, "%s.plugins.pkcs11.reload_certs", + FALSE, lib->ns)) { DBG1(DBG_CFG, "reloading certificates from PKCS#11 tokens"); handle_certs(this, NULL, FALSE, NULL); @@ -247,28 +247,28 @@ METHOD(plugin_t, get_features, int, if (!count) { /* initialize only once */ bool use_ecc = lib->settings->get_bool(lib->settings, - "libstrongswan.plugins.pkcs11.use_ecc", FALSE); + "%s.plugins.pkcs11.use_ecc", FALSE, lib->ns); plugin_features_add(f, f_manager, countof(f_manager), &count); /* private key handling for EC keys is not disabled by use_ecc */ plugin_features_add(f, f_privkey, countof(f_privkey), &count); if (lib->settings->get_bool(lib->settings, - "libstrongswan.plugins.pkcs11.use_pubkey", FALSE)) + "%s.plugins.pkcs11.use_pubkey", FALSE, lib->ns)) { plugin_features_add(f, f_pubkey, countof(f_pubkey) - (use_ecc ? 0 : 1), &count); } if (lib->settings->get_bool(lib->settings, - "libstrongswan.plugins.pkcs11.use_hasher", FALSE)) + "%s.plugins.pkcs11.use_hasher", FALSE, lib->ns)) { plugin_features_add(f, f_hash, countof(f_hash), &count); } if (lib->settings->get_bool(lib->settings, - "libstrongswan.plugins.pkcs11.use_rng", FALSE)) + "%s.plugins.pkcs11.use_rng", FALSE, lib->ns)) { plugin_features_add(f, f_rng, countof(f_rng), &count); } if (lib->settings->get_bool(lib->settings, - "libstrongswan.plugins.pkcs11.use_dh", FALSE)) + "%s.plugins.pkcs11.use_dh", FALSE, lib->ns)) { plugin_features_add(f, f_dh, countof(f_dh), &count); if (use_ecc) diff --git a/src/libstrongswan/plugins/random/random_plugin.c b/src/libstrongswan/plugins/random/random_plugin.c index 8ac1ac366..1f1079240 100644 --- a/src/libstrongswan/plugins/random/random_plugin.c +++ b/src/libstrongswan/plugins/random/random_plugin.c @@ -143,11 +143,11 @@ plugin_t *random_plugin_create() ); strong_equals_true = lib->settings->get_bool(lib->settings, - "libstrongswan.plugins.random.strong_equals_true", FALSE); + "%s.plugins.random.strong_equals_true", FALSE, lib->ns); urandom_file = lib->settings->get_str(lib->settings, - "libstrongswan.plugins.random.urandom", DEV_URANDOM); + "%s.plugins.random.urandom", DEV_URANDOM, lib->ns); random_file = lib->settings->get_str(lib->settings, - "libstrongswan.plugins.random.random", DEV_RANDOM); + "%s.plugins.random.random", DEV_RANDOM, lib->ns); if (!open_dev(urandom_file, &dev_urandom) || !open_dev(random_file, &dev_random)) { diff --git a/src/libstrongswan/plugins/unbound/unbound_resolver.c b/src/libstrongswan/plugins/unbound/unbound_resolver.c index 42cdbc6cc..745e59d5b 100644 --- a/src/libstrongswan/plugins/unbound/unbound_resolver.c +++ b/src/libstrongswan/plugins/unbound/unbound_resolver.c @@ -97,14 +97,14 @@ resolver_t *unbound_resolver_create(void) char *resolv_conf, *trust_anchors, *dlv_anchors; resolv_conf = lib->settings->get_str(lib->settings, - "libstrongswan.plugins.unbound.resolv_conf", - RESOLV_CONF_FILE); + "%s.plugins.unbound.resolv_conf", + RESOLV_CONF_FILE, lib->ns); trust_anchors = lib->settings->get_str(lib->settings, - "libstrongswan.plugins.unbound.trust_anchors", - TRUST_ANCHOR_FILE); + "%s.plugins.unbound.trust_anchors", + TRUST_ANCHOR_FILE, lib->ns); dlv_anchors = lib->settings->get_str(lib->settings, - "libstrongswan.plugins.unbound.dlv_anchors", - NULL); + "%s.plugins.unbound.dlv_anchors", + NULL, lib->ns); INIT(this, .public = { diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c index 85c481552..09eda32b3 100644 --- a/src/libstrongswan/plugins/x509/x509_cert.c +++ b/src/libstrongswan/plugins/x509/x509_cert.c @@ -1446,7 +1446,7 @@ static bool parse_certificate(private_x509_cert_t *this) break; default: if (critical && lib->settings->get_bool(lib->settings, - "libstrongswan.x509.enforce_critical", TRUE)) + "%s.x509.enforce_critical", TRUE, lib->ns)) { DBG1(DBG_ASN, "critical '%s' extension not supported", (extn_oid == OID_UNKNOWN) ? "unknown" : diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c index efb70c94c..d6057c30f 100644 --- a/src/libstrongswan/plugins/x509/x509_crl.c +++ b/src/libstrongswan/plugins/x509/x509_crl.c @@ -325,7 +325,7 @@ static bool parse(private_x509_crl_t *this) break; default: if (critical && lib->settings->get_bool(lib->settings, - "libstrongswan.x509.enforce_critical", TRUE)) + "%s.x509.enforce_critical", TRUE, lib->ns)) { DBG1(DBG_ASN, "critical '%s' extension not supported", (extn_oid == OID_UNKNOWN) ? "unknown" : diff --git a/src/libstrongswan/processing/processor.c b/src/libstrongswan/processing/processor.c index adbd95685..012b169e3 100644 --- a/src/libstrongswan/processing/processor.c +++ b/src/libstrongswan/processing/processor.c @@ -545,7 +545,7 @@ processor_t *processor_create() { this->jobs[i] = linked_list_create(); this->prio_threads[i] = lib->settings->get_int(lib->settings, - "libstrongswan.processor.priority_threads.%N", 0, + "%s.processor.priority_threads.%N", 0, lib->ns, job_priority_names, i); } diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c index ff80bbc89..6f5a2c87a 100644 --- a/src/libstrongswan/utils/leak_detective.c +++ b/src/libstrongswan/utils/leak_detective.c @@ -754,11 +754,11 @@ METHOD(leak_detective_t, usage, void, size_t sum = 0; thresh = lib->settings->get_int(lib->settings, - "libstrongswan.leak_detective.usage_threshold", 10240); + "%s.leak_detective.usage_threshold", 10240, lib->ns); thresh_count = lib->settings->get_int(lib->settings, - "libstrongswan.leak_detective.usage_threshold_count", 0); + "%s.leak_detective.usage_threshold_count", 0, lib->ns); detailed = lib->settings->get_bool(lib->settings, - "libstrongswan.leak_detective.detailed", TRUE); + "%s.leak_detective.detailed", TRUE, lib->ns); leaks = print_traces(this, cb, user, thresh, thresh_count, detailed, &whitelisted, &sum); |