7 files changed, 847 insertions, 0 deletions
diff --git a/src/libcharon/plugins/ipseckey/Makefile.am b/src/libcharon/plugins/ipseckey/Makefile.am
new file mode 100644
index 000000000..0614017a0
--- /dev/null
+++ b/src/libcharon/plugins/ipseckey/Makefile.am
@@ -0,0 +1,18 @@
+
+INCLUDES = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-ipseckey.la
+else
+plugin_LTLIBRARIES = libstrongswan-ipseckey.la
+endif
+
+libstrongswan_ipseckey_la_SOURCES = \
+	ipseckey_plugin.h ipseckey_plugin.c \
+	ipseckey_cred.h ipseckey_cred.c \
+	ipseckey.h ipseckey.c
+
+libstrongswan_ipseckey_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/ipseckey/ipseckey.c b/src/libcharon/plugins/ipseckey/ipseckey.c
new file mode 100644
index 000000000..78ae2cc2a
--- /dev/null
+++ b/src/libcharon/plugins/ipseckey/ipseckey.c
@@ -0,0 +1,208 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ipseckey.h"
+
+#include <library.h>
+#include <utils/debug.h>
+#include <bio/bio_reader.h>
+
+typedef struct private_ipseckey_t private_ipseckey_t;
+
+/**
+* private data of the ipseckey
+*/
+struct private_ipseckey_t {
+
+	/**
+	 * public functions
+	 */
+	ipseckey_t public;
+
+	/**
+	 * Precedence
+	 */
+	u_int8_t precedence;
+
+	/**
+	 * Gateway type
+	 */
+	u_int8_t gateway_type;
+
+	/**
+	 * Algorithm
+	 */
+	u_int8_t algorithm;
+
+	/**
+	 * Gateway
+	 */
+	chunk_t gateway;
+
+	/**
+	 * Public key
+	 */
+	chunk_t public_key;
+};
+
+METHOD(ipseckey_t, get_precedence, u_int8_t,
+	private_ipseckey_t *this)
+{
+	return this->precedence;
+}
+
+METHOD(ipseckey_t, get_gateway_type, ipseckey_gw_type_t,
+	private_ipseckey_t *this)
+{
+	return this->gateway_type;
+}
+
+METHOD(ipseckey_t, get_algorithm, ipseckey_algorithm_t,
+	private_ipseckey_t *this)
+{
+	return this->algorithm;
+}
+
+METHOD(ipseckey_t, get_gateway, chunk_t,
+	private_ipseckey_t *this)
+{
+	return this->gateway;
+}
+
+METHOD(ipseckey_t, get_public_key, chunk_t,
+	private_ipseckey_t *this)
+{
+	return this->public_key;
+}
+
+METHOD(ipseckey_t, destroy, void,
+	private_ipseckey_t *this)
+{
+	chunk_free(&this->gateway);
+	chunk_free(&this->public_key);
+	free(this);
+}
+
+/*
+ * See header
+ */
+ipseckey_t *ipseckey_create_frm_rr(rr_t *rr)
+{
+	private_ipseckey_t *this;
+	bio_reader_t *reader = NULL;
+	u_int8_t label;
+	chunk_t tmp;
+
+	INIT(this,
+			.public = {
+				.get_precedence = _get_precedence,
+				.get_gateway_type = _get_gateway_type,
+				.get_algorithm = _get_algorithm,
+				.get_gateway = _get_gateway,
+				.get_public_key = _get_public_key,
+				.destroy = _destroy,
+			},
+	);
+
+	if (rr->get_type(rr) != RR_TYPE_IPSECKEY)
+	{
+		DBG1(DBG_CFG, "unable to create an ipseckey out of an RR "
+					  "whose type is not IPSECKEY");
+		free(this);
+		return NULL;
+	}
+
+	/** Parse the content (RDATA field) of the RR */
+	reader = bio_reader_create(rr->get_rdata(rr));
+	if (!reader->read_uint8(reader, &this->precedence) ||
+		!reader->read_uint8(reader, &this->gateway_type) ||
+		!reader->read_uint8(reader, &this->algorithm))
+	{
+		DBG1(DBG_CFG, "ipseckey RR has a wrong format");
+		reader->destroy(reader);
+		free(this);
+	}
+
+	switch (this->gateway_type)
+	{
+		case IPSECKEY_GW_TP_NOT_PRESENT:
+			break;
+
+		case IPSECKEY_GW_TP_IPV4:
+			if (!reader->read_data(reader, 4, &this->gateway))
+			{
+				DBG1(DBG_CFG, "ipseckey gateway field does not contain an "
+							  "IPv4 address as expected");
+				reader->destroy(reader);
+				free(this);
+				return NULL;
+			}
+			this->gateway = chunk_clone(this->gateway);
+			break;
+
+		case IPSECKEY_GW_TP_IPV6:
+			if (!reader->read_data(reader, 16, &this->gateway))
+			{
+				DBG1(DBG_CFG, "ipseckey gateway field does not contain an "
+							  "IPv6 address as expected");
+				reader->destroy(reader);
+				free(this);
+				return NULL;
+			}
+			this->gateway = chunk_clone(this->gateway);
+			break;
+
+		case IPSECKEY_GW_TP_WR_ENC_DNAME:
+			/**
+			 * Uncompressed domain name as defined in RFC 1035 chapter 3.
+			 *
+			 * TODO: Currently we ignore wire encoded domain names.
+			 *
+			 */
+			while (reader->read_uint8(reader, &label) &&
+				   label != 0 && label < 192)
+			{
+				if (!reader->read_data(reader, label, &tmp))
+				{
+					DBG1(DBG_CFG, "wrong wire encoded domain name format "
+								  "in ipseckey gateway field");
+					reader->destroy(reader);
+					free(this);
+					return NULL;
+				}
+			}
+			break;
+
+		default:
+			DBG1(DBG_CFG, "unable to parse ipseckey gateway field");
+			reader->destroy(reader);
+			free(this);
+			return NULL;
+	}
+
+	if (!reader->read_data(reader, reader->remaining(reader),
+						   &this->public_key))
+	{
+		DBG1(DBG_CFG, "failed to read ipseckey public key field");
+		reader->destroy(reader);
+		chunk_free(&this->gateway);
+		free(this);
+		return NULL;
+	}
+	this->public_key = chunk_clone(this->public_key);
+	reader->destroy(reader);
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/ipseckey/ipseckey.h b/src/libcharon/plugins/ipseckey/ipseckey.h
new file mode 100644
index 000000000..0afc067a5
--- /dev/null
+++ b/src/libcharon/plugins/ipseckey/ipseckey.h
@@ -0,0 +1,149 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ipseckey_cred_i ipseckey
+ * @{ @ingroup ipseckey
+ */
+
+#ifndef IPSECKEY_H_
+#define IPSECKEY_H_
+
+typedef struct ipseckey_t ipseckey_t;
+typedef enum ipseckey_algorithm_t ipseckey_algorithm_t;
+typedef enum ipseckey_gw_type_t ipseckey_gw_type_t;
+
+#include <library.h>
+
+/**
+ * IPSECKEY gateway types as defined in RFC 4025.
+ */
+enum ipseckey_gw_type_t {
+	/** No gateway is present */
+	IPSECKEY_GW_TP_NOT_PRESENT = 0,
+	/** A 4-byte IPv4 address is present */
+	IPSECKEY_GW_TP_IPV4 = 1,
+	/** A 16-byte IPv6 address is present */
+	IPSECKEY_GW_TP_IPV6 = 2,
+	/** A wire-encoded domain name is present */
+	IPSECKEY_GW_TP_WR_ENC_DNAME = 3,
+};
+
+/**
+ * IPSECKEY algorithms as defined in RFC 4025.
+ */
+enum ipseckey_algorithm_t {
+	/** No key present */
+	IPSECKEY_ALGORITHM_NONE = 0,
+	/** DSA key */
+	IPSECKEY_ALGORITHM_DSA = 1,
+	/** RSA key */
+	IPSECKEY_ALGORITHM_RSA = 2,
+};
+
+/**
+ * An IPSECKEY.
+ *
+ * Represents an IPSECKEY as defined in RFC 4025:
+ *
+ *      0                   1                   2                   3
+ *    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *   |  precedence   | gateway type  |  algorithm  |     gateway     |
+ *   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-------------+                 +
+ *   ~                            gateway                            ~
+ *   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *   |                                                               /
+ *   /                          public key                           /
+ *   /                                                               /
+ *   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
+ *
+ *
+ * Note: RFC 4025 defines that the algorithm field has a length of 7 bits.
+ * 		 We use 8 bits instead, because the use of 7 bits is very uncommon
+ * 		 in internet protocols and might be an error in RFC 4025
+ * 		 (also the BIND DNS server uses 8 bits for the algorithm field of the
+ * 		 IPSECKEY resource records).
+ *
+ */
+struct ipseckey_t {
+
+	/**
+	 * Get the precedence of the IPSECKEY.
+	 *
+	 * @return		precedence
+	 */
+	u_int8_t (*get_precedence)(ipseckey_t *this);
+
+	/**
+	 * Get the type of the gateway.
+	 *
+	 * The "gateway type" determines the format of the gateway field
+	 * of the IPSECKEY.
+	 *
+	 * @return		gateway type
+	 */
+	ipseckey_gw_type_t (*get_gateway_type)(ipseckey_t *this);
+
+	/**
+	 * Get the algorithm.
+	 *
+	 * The "algorithm" determines the format of the public key field
+	 * of the IPSECKEY.
+	 *
+	 * @return			algorithm
+	 */
+	ipseckey_algorithm_t (*get_algorithm)(ipseckey_t *this);
+
+	/**
+	 * Get the content of the gateway field as chunk.
+	 *
+	 * The content is in network byte order and its format depends on the
+	 * gateway type.
+	 *
+	 * The data pointed by the chunk is still owned by the IPSECKEY.
+	 * Clone it if necessary.
+	 *
+	 * @return			gateway field as chunk
+	 */
+	chunk_t (*get_gateway)(ipseckey_t *this);
+
+	/**
+	 * Get the content of the public key field as chunk.
+	 *
+	 * The format of the public key depends on the algorithm type.
+	 *
+	 * The data pointed by the chunk is still owned by the IPSECKEY.
+	 * Clone it if necessary.
+	 *
+	 * @return			public key field as chunk
+	 */
+	chunk_t (*get_public_key)(ipseckey_t *this);
+
+	/**
+	 * Destroy the IPSECKEY.
+	 */
+	void (*destroy) (ipseckey_t *this);
+};
+
+/**
+ * Create an ipseckey instance out of a resource record.
+ *
+ * @param	rr		resource record which contains an IPSECKEY
+ * @return			ipseckey, NULL on failure
+ */
+ipseckey_t *ipseckey_create_frm_rr(rr_t *rr);
+
+#endif /** IPSECKEY_H_ @}*/
diff --git a/src/libcharon/plugins/ipseckey/ipseckey_cred.c b/src/libcharon/plugins/ipseckey/ipseckey_cred.c
new file mode 100644
index 000000000..e8722f12c
--- /dev/null
+++ b/src/libcharon/plugins/ipseckey/ipseckey_cred.c
@@ -0,0 +1,263 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <string.h>
+
+#include "ipseckey_cred.h"
+#include "ipseckey.h"
+
+#include <bio/bio_reader.h>
+#include <daemon.h>
+
+typedef struct private_ipseckey_cred_t private_ipseckey_cred_t;
+
+/**
+ * Private data of an ipseckey_cred_t object
+ */
+struct private_ipseckey_cred_t {
+
+	/**
+	 * Public part
+	 */
+	ipseckey_cred_t public;
+
+	/**
+	 * DNS resolver
+	 */
+	resolver_t *res;
+};
+
+/**
+ * enumerator over certificates
+ */
+typedef struct {
+	/** implements enumerator interface */
+	enumerator_t public;
+	/** inner enumerator (enumerates IPSECKEY resource records) */
+	enumerator_t *inner;
+	/** response of the DNS resolver which contains the IPSECKEYs */
+	resolver_response_t *response;
+	/* IPSECKEYs are not valid before this point in time */
+	time_t notBefore;
+	/* IPSECKEYs are not valid after this point in time */
+	time_t notAfter;
+	/* identity to which the IPSECKEY belongs */
+	identification_t *identity;
+} cert_enumerator_t;
+
+METHOD(enumerator_t, cert_enumerator_enumerate, bool,
+	cert_enumerator_t *this, certificate_t **cert)
+{
+	rr_t *cur_rr = NULL;
+	ipseckey_t *cur_ipseckey = NULL;
+	chunk_t pub_key;
+	public_key_t * key = NULL;
+	bool supported_ipseckey_found = FALSE;
+
+	/* Get the next supported IPSECKEY using the inner enumerator. */
+	while (this->inner->enumerate(this->inner, &cur_rr) &&
+		   !supported_ipseckey_found)
+	{
+		supported_ipseckey_found = TRUE;
+
+		cur_ipseckey = ipseckey_create_frm_rr(cur_rr);
+
+		if (!cur_ipseckey)
+		{
+			DBG1(DBG_CFG, "failed to parse ipseckey - skipping this key");
+			supported_ipseckey_found = FALSE;
+		}
+
+		if (cur_ipseckey &&
+			cur_ipseckey->get_algorithm(cur_ipseckey) != IPSECKEY_ALGORITHM_RSA)
+		{
+			DBG1(DBG_CFG, "unsupported ipseckey algorithm -skipping this key");
+			cur_ipseckey->destroy(cur_ipseckey);
+			supported_ipseckey_found = FALSE;
+		}
+	}
+
+	if (supported_ipseckey_found)
+	{
+		/*
+		 * Wrap the key of the IPSECKEY in a certificate and return this
+		 * certificate.
+		 */
+		pub_key = cur_ipseckey->get_public_key(cur_ipseckey);
+
+		key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+								 BUILD_BLOB_DNSKEY, pub_key,
+								 BUILD_END);
+
+		if (!key)
+		{
+			DBG1(DBG_CFG, "failed to create public key from ipseckey");
+			cur_ipseckey->destroy(cur_ipseckey);
+			return FALSE;
+		}
+
+		*cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+								   CERT_TRUSTED_PUBKEY,
+								   BUILD_PUBLIC_KEY, key,
+								   BUILD_SUBJECT, this->identity,
+								   BUILD_NOT_BEFORE_TIME, this->notBefore,
+								   BUILD_NOT_AFTER_TIME, this->notAfter,
+								   BUILD_END);
+		return TRUE;
+	}
+
+	return FALSE;
+}
+
+METHOD(enumerator_t, cert_enumerator_destroy, void,
+	cert_enumerator_t *this)
+{
+	this->inner->destroy(this->inner);
+	this->response->destroy(this->response);
+	free(this);
+}
+
+METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
+	private_ipseckey_cred_t *this, certificate_type_t cert, key_type_t key,
+	identification_t *id, bool trusted)
+{
+	char *fqdn = NULL;
+	resolver_response_t *response = NULL;
+	rr_set_t *rrset = NULL;
+	enumerator_t *rrsig_enum = NULL;
+	rr_t *rrsig = NULL;
+	bio_reader_t *reader = NULL;
+	chunk_t ignore;
+	u_int32_t nBefore, nAfter;
+	cert_enumerator_t *e;
+
+	if (id && id->get_type(id) == ID_FQDN)
+	{
+		/**	Query the DNS for the required IPSECKEY RRs */
+
+		if (0 >= asprintf(&fqdn, "%Y", id))
+		{
+			DBG1(DBG_CFG, "empty FQDN string");
+			return enumerator_create_empty();
+		}
+
+		DBG1(DBG_CFG, "performing a DNS query for IPSECKEY RRs of '%s'",
+					   fqdn);
+		response = this->res->query(this->res, fqdn, RR_CLASS_IN,
+									RR_TYPE_IPSECKEY);
+		if (!response)
+		{
+			DBG1(DBG_CFG, "  query for IPSECKEY RRs failed");
+			free(fqdn);
+			return enumerator_create_empty();
+		}
+
+		if (!response->has_data(response) ||
+			!response->query_name_exist(response))
+		{
+			DBG1(DBG_CFG, "  unable to retrieve IPSECKEY RRs from the DNS");
+			response->destroy(response);
+			free(fqdn);
+			return enumerator_create_empty();
+		}
+
+		if (!(response->get_security_state(response) == SECURE))
+		{
+			DBG1(DBG_CFG, "  DNSSEC state of IPSECKEY RRs is not secure");
+			response->destroy(response);
+			free(fqdn);
+			return enumerator_create_empty();
+		}
+
+		free(fqdn);
+
+		/** Determine the validity period of the retrieved IPSECKEYs
+		 *
+		 * We use the "Signature Inception" and "Signature Expiration" field
+		 * of the first RRSIG RR to determine the validity period of the
+		 * IPSECKEY RRs. TODO: Take multiple RRSIGs into account.
+		 */
+		rrset = response->get_rr_set(response);
+		rrsig_enum = rrset->create_rrsig_enumerator(rrset);
+		if (!rrsig_enum || !rrsig_enum->enumerate(rrsig_enum, &rrsig))
+		{
+			DBG1(DBG_CFG, "  unable to determine the validity period of "
+						  "IPSECKEY RRs because no RRSIGs are present");
+			DESTROY_IF(rrsig_enum);
+			response->destroy(response);
+			return enumerator_create_empty();
+		}
+
+		/**
+		 * Parse the RRSIG for its validity period (RFC 4034)
+		 */
+		reader = bio_reader_create(rrsig->get_rdata(rrsig));
+		reader->read_data(reader, 8, &ignore);
+		reader->read_uint32(reader, &nAfter);
+		reader->read_uint32(reader, &nBefore);
+		reader->destroy(reader);
+
+		/*Create and return an iterator over the retrieved IPSECKEYs */
+		INIT(e,
+			.public = {
+				.enumerate = (void*)_cert_enumerator_enumerate,
+				.destroy = _cert_enumerator_destroy,
+			},
+			.inner = response->get_rr_set(response)->create_rr_enumerator(
+										  response->get_rr_set(response)),
+			.response = response,
+			.notBefore = nBefore,
+			.notAfter = nAfter,
+			.identity = id,
+		);
+
+		return &e->public;
+	}
+
+
+	return enumerator_create_empty();
+}
+
+METHOD(ipseckey_cred_t, destroy, void,
+	private_ipseckey_cred_t *this)
+{
+	this->res->destroy(this->res);
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+ipseckey_cred_t *ipseckey_cred_create(resolver_t *res)
+{
+	private_ipseckey_cred_t *this;
+
+	INIT(this,
+		.public = {
+			.set = {
+				.create_private_enumerator = (void*)return_null,
+				.create_cert_enumerator = _create_cert_enumerator,
+				.create_shared_enumerator = (void*)return_null,
+				.create_cdp_enumerator = (void*)return_null,
+				.cache_cert = (void*)nop,
+			},
+			.destroy = _destroy,
+		},
+		.res = res,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/ipseckey/ipseckey_cred.h b/src/libcharon/plugins/ipseckey/ipseckey_cred.h
new file mode 100644
index 000000000..440020f5d
--- /dev/null
+++ b/src/libcharon/plugins/ipseckey/ipseckey_cred.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ipseckey_cred_i ipseckey_cred
+ * @{ @ingroup ipseckey
+ */
+
+#ifndef IPSECKEY_CRED_H_
+#define IPSECKEY_CRED_H_
+
+#include <credentials/credential_set.h>
+#include <resolver/resolver.h>
+
+typedef struct ipseckey_cred_t ipseckey_cred_t;
+
+/**
+ * IPSECKEY credential set.
+ *
+ * The ipseckey credential set contains IPSECKEYs as certificates of type
+ * pubkey_cert_t.
+ */
+struct ipseckey_cred_t {
+
+	/**
+	 * Implements credential_set_t interface
+	 */
+	credential_set_t set;
+
+	/**
+	 * Destroy the ipseckey_cred.
+	 */
+	void (*destroy)(ipseckey_cred_t *this);
+};
+
+/**
+ * Create an ipseckey_cred instance which uses the given resolver
+ * to query the DNS for IPSECKEY resource records.
+ *
+ * @param res		resolver to use
+ * @return			credential set
+ */
+ipseckey_cred_t *ipseckey_cred_create(resolver_t *res);
+
+#endif /** IPSECKEY_CRED_H_ @}*/
diff --git a/src/libcharon/plugins/ipseckey/ipseckey_plugin.c b/src/libcharon/plugins/ipseckey/ipseckey_plugin.c
new file mode 100644
index 000000000..6f0f10507
--- /dev/null
+++ b/src/libcharon/plugins/ipseckey/ipseckey_plugin.c
@@ -0,0 +1,104 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ipseckey_plugin.h"
+
+#include <daemon.h>
+#include "ipseckey_cred.h"
+
+typedef struct private_ipseckey_plugin_t private_ipseckey_plugin_t;
+
+
+/**
+ * private data of the ipseckey plugin
+ */
+struct private_ipseckey_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	ipseckey_plugin_t public;
+
+	/**
+	 * DNS resolver instance
+	 */
+	resolver_t *res;
+
+	/**
+	 * credential set
+	 */
+	ipseckey_cred_t *cred;
+
+	/**
+	 * IPSECKEY based authentication enabled
+	 */
+	bool enabled;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_ipseckey_plugin_t *this)
+{
+	return "ipseckey";
+}
+
+METHOD(plugin_t, destroy, void,
+	private_ipseckey_plugin_t *this)
+{
+	if (this->enabled)
+	{
+		lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
+	}
+	this->res->destroy(this->res);
+	DESTROY_IF(this->cred);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *ipseckey_plugin_create()
+{
+	private_ipseckey_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.reload = (void*)return_false,
+				.destroy = _destroy,
+			},
+		},
+		.res = lib->resolver->create(lib->resolver),
+		.enabled = lib->settings->get_bool(lib->settings,
+								"charon.plugins.ipseckey.enable", FALSE),
+	);
+
+	if (!this->res)
+	{
+		DBG1(DBG_CFG, "ipseckey_plugin: Failed to create"
+					  "a DNS resolver instance");
+		destroy(this);
+		return NULL;
+	}
+
+	if (this->enabled)
+	{
+		this->cred = ipseckey_cred_create(this->res);
+		lib->credmgr->add_set(lib->credmgr, &this->cred->set);
+	}
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/ipseckey/ipseckey_plugin.h b/src/libcharon/plugins/ipseckey/ipseckey_plugin.h
new file mode 100644
index 000000000..95acc79dd
--- /dev/null
+++ b/src/libcharon/plugins/ipseckey/ipseckey_plugin.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2012 Reto Guadagnini
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ipseckey ipseckey
+ * @ingroup cplugins
+ *
+ * @defgroup ipseckey_plugin ipseckey_plugin
+ * @{ @ingroup ipseckey
+ */
+
+#ifndef IPSECKEY_PLUGIN_H_
+#define IPSECKEY_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct ipseckey_plugin_t ipseckey_plugin_t;
+
+/**
+ * IPSECKEY plugin
+ *
+ * The IPSECKEY plugin registers a credential set for IPSECKEYs.
+ *
+ * With this credential set it is possible to authenticate tunnel endpoints
+ * using IPSECKEY resource records which are retrieved from the DNS in a secure
+ * way (DNSSEC).
+ */
+struct ipseckey_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** IPSECKEY_PLUGIN_H_ @}*/