aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/libstrongswan/Makefile.am4
-rw-r--r--src/libstrongswan/crypto/ca.c8
-rw-r--r--src/libstrongswan/utils/fetcher.c206
-rw-r--r--src/pluto/Makefile.am2
-rw-r--r--src/pluto/constants.c8
-rw-r--r--src/pluto/fetch.c10
6 files changed, 206 insertions, 32 deletions
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 0236ba375..b103be193 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -58,6 +58,10 @@ if USE_LIBCURL
libstrongswan_la_LIBADD += -lcurl
endif
+if USE_LIBLDAP
+ libstrongswan_la_LIBADD += -lldap -llber
+endif
+
asn1/oid.c : asn1/oid.txt asn1/oid.pl
cd asn1 && $(PERL) oid.pl
diff --git a/src/libstrongswan/crypto/ca.c b/src/libstrongswan/crypto/ca.c
index 4ec8c8430..9633c77be 100644
--- a/src/libstrongswan/crypto/ca.c
+++ b/src/libstrongswan/crypto/ca.c
@@ -191,12 +191,12 @@ static void add_crl(private_ca_info_t *this, crl_t *crl)
{
this->crl->destroy(this->crl);
this->crl = crl;
- DBG1(" thisUpdate is newer - existing crl replaced");
+ DBG1(" this crl is newer - existing crl replaced");
}
else
{
crl->destroy(crl);
- DBG1(" thisUpdate is not newer - existing crl retained");
+ DBG1(" this crl is older - existing crl retained");
}
}
else
@@ -500,12 +500,12 @@ static cert_status_t verify_by_crl(private_ca_info_t* this, certinfo_t *certinfo
{
this->crl->destroy(this->crl);
this->crl = crl;
- DBG1(" thisUpdate is newer - existing crl replaced");
+ DBG1("this crl is newer - existing crl replaced");
}
else
{
crl->destroy(crl);
- DBG1("thisUpdate is not newer - existing crl retained");
+ DBG1("this crl is older - existing crl retained");
continue;
}
if (crl->is_valid(crl))
diff --git a/src/libstrongswan/utils/fetcher.c b/src/libstrongswan/utils/fetcher.c
index cf83adbdc..d728f0d00 100644
--- a/src/libstrongswan/utils/fetcher.c
+++ b/src/libstrongswan/utils/fetcher.c
@@ -24,6 +24,10 @@
#include <curl/curl.h>
#endif /* LIBCURL */
+#ifdef LIBLDAP
+#include <ldap.h>
+#endif /* LIBLDAP */
+
#include <library.h>
#include <debug.h>
@@ -52,13 +56,20 @@ struct private_fetcher_t {
CURL* curl;
#endif /* LIBCURL */
+#ifdef LIBLDAP
+ /**
+ * we use libldap from http://www.openssl.org/ as a fetcher
+ */
+ LDAP *ldap;
+ LDAPURLDesc *lurl;
+#endif /* LIBLDAP */
};
/**
* writes data into a dynamically resizeable chunk_t
* needed for libcurl responses
*/
-size_t curl_write_buffer(void *ptr, size_t size, size_t nmemb, void *data)
+static size_t curl_write_buffer(void *ptr, size_t size, size_t nmemb, void *data)
{
size_t realsize = size * nmemb;
chunk_t *mem = (chunk_t*)data;
@@ -72,9 +83,9 @@ size_t curl_write_buffer(void *ptr, size_t size, size_t nmemb, void *data)
}
/**
- * Implements fetcher_t.get
+ * Implements fetcher_t.get for http[s] and file URIs
*/
-static chunk_t get(private_fetcher_t *this)
+static chunk_t curl_get(private_fetcher_t *this)
{
chunk_t response = chunk_empty;
@@ -93,17 +104,17 @@ static chunk_t get(private_fetcher_t *this)
curl_easy_setopt(this->curl, CURLOPT_CONNECTTIMEOUT, FETCHER_TIMEOUT);
curl_easy_setopt(this->curl, CURLOPT_NOSIGNAL, TRUE);
- DBG1("sending http get request to '%s'...", this->uri);
+ DBG1("sending curl request to '%s'...", this->uri);
res = curl_easy_perform(this->curl);
if (res == CURLE_OK)
{
- DBG1("received valid http response");
+ DBG1("received valid curl response");
response = chunk_clone(curl_response);
}
else
{
- DBG1("http get request to '%s' using libcurl failed: %s",
+ DBG1("curl request to '%s' failed: %s",
this->uri, curl_error_buffer);
}
curl_free(curl_response.ptr);
@@ -115,9 +126,9 @@ static chunk_t get(private_fetcher_t *this)
}
/**
- * Implements fetcher_t.post
+ * Implements fetcher_t.post.
*/
-static chunk_t post(private_fetcher_t *this, const char *request_type, chunk_t request)
+static chunk_t http_post(private_fetcher_t *this, const char *request_type, chunk_t request)
{
chunk_t response = chunk_empty;
@@ -168,14 +179,146 @@ static chunk_t post(private_fetcher_t *this, const char *request_type, chunk_t r
return response;
}
+#ifdef LIBLDAP
+/**
+ * parses the result returned by an ldap query
+ */
+static chunk_t ldap_parse(LDAP *ldap, LDAPMessage *result)
+{
+ chunk_t response = chunk_empty;
+
+ LDAPMessage *entry = ldap_first_entry(ldap, result);
+ if (entry != NULL)
+ {
+ BerElement *ber = NULL;
+ char *attr;
+
+ attr = ldap_first_attribute(ldap, entry, &ber);
+
+ if (attr != NULL)
+ {
+ struct berval **values = ldap_get_values_len(ldap, entry, attr);
+
+ if (values != NULL)
+ {
+ if (values[0] != NULL)
+ {
+ response.len = values[0]->bv_len;
+ response.ptr = malloc(response.len);
+ memcpy(response.ptr, values[0]->bv_val, response.len);
+ if (values[1] != NULL)
+ {
+ DBG1("ldap: more than one value was fetched from LDAP URL");
+ }
+ }
+ else
+ {
+ DBG1("ldap: no values in attribute");
+ }
+ ldap_value_free_len(values);
+ }
+ else
+ {
+ DBG1("ldap: %s", ldap_err2string(ldap_result2error(ldap, entry, 0)));
+ }
+ ldap_memfree(attr);
+ }
+ else
+ {
+ DBG1("ldap: %s", ldap_err2string(ldap_result2error(ldap, entry, 0)));
+ }
+ ber_free(ber, 0);
+ }
+ else
+ {
+ DBG1("ldap: %s", ldap_err2string(ldap_result2error(ldap, result, 0)));
+ }
+ return response;
+}
+#endif /* LIBLDAP */
+
+/**
+ * fetches a binary blob from an ldap url
+ */
+static chunk_t ldap_get(private_fetcher_t *this)
+{
+ chunk_t response = chunk_empty;
+
+#ifdef LIBLDAP
+ if (this->ldap)
+ {
+ int rc;
+ int ldap_version = LDAP_VERSION3;
+
+ struct timeval timeout;
+
+ timeout.tv_sec = FETCHER_TIMEOUT;
+ timeout.tv_usec = 0;
+
+ ldap_set_option(this->ldap, LDAP_OPT_PROTOCOL_VERSION, &ldap_version);
+ ldap_set_option(this->ldap, LDAP_OPT_NETWORK_TIMEOUT, &timeout);
+
+ DBG1("sending ldap request to '%s'...", this->uri);
+
+ rc = ldap_simple_bind_s(this->ldap, NULL, NULL);
+ if (rc == LDAP_SUCCESS)
+ {
+ LDAPMessage *result;
+
+ timeout.tv_sec = FETCHER_TIMEOUT;
+ timeout.tv_usec = 0;
+
+ rc = ldap_search_st(this->ldap, this->lurl->lud_dn,
+ this->lurl->lud_scope,
+ this->lurl->lud_filter,
+ this->lurl->lud_attrs,
+ 0, &timeout, &result);
+
+ if (rc == LDAP_SUCCESS)
+ {
+ response = ldap_parse(this->ldap, result);
+ if (response.ptr)
+ {
+ DBG1("received valid ldap response");
+ }
+ ldap_msgfree(result);
+ }
+ else
+ {
+ DBG1("ldap: %s", ldap_err2string(rc));
+ }
+ }
+ else
+ {
+ DBG1("ldap: %s", ldap_err2string(rc));
+ }
+ ldap_unbind_s(this->ldap);
+ }
+#else /* !LIBLDAP */
+ DBG1("warning: libldap fetching not compiled in");
+#endif /* !LIBLDAP */
+ return response;
+}
+
/**
* Implements fetcher_t.destroy
*/
static void destroy(private_fetcher_t *this)
{
#ifdef LIBCURL
- curl_easy_cleanup(this->curl);
+ if (this->curl)
+ {
+ curl_easy_cleanup(this->curl);
+ }
#endif /* LIBCURL */
+
+#ifdef LIBLDAP
+ if (this->lurl)
+ {
+ ldap_free_urldesc(this->lurl);
+ }
+#endif /* LIBLDAP */
+
free(this);
}
@@ -188,17 +331,48 @@ fetcher_t *fetcher_create(const char *uri)
/* initialize */
this->uri = uri;
+
#ifdef LIBCURL
- this->curl = curl_easy_init();
- if (this->curl == NULL)
+ this->curl = NULL;
+#endif /* LIBCURL */
+
+#ifdef LIBLDAP
+ this->lurl = NULL;
+ this->ldap = NULL;
+#endif /* LIBLDAP */
+
+ if (strlen(uri) >= 4 && strncasecmp(uri, "ldap", 4) == 0)
{
- DBG1("curl_easy_init_failed()");
+#ifdef LIBLDAP
+ int rc = ldap_url_parse(uri, &this->lurl);
+
+ if (rc == LDAP_SUCCESS)
+ {
+ this->ldap = ldap_init(this->lurl->lud_host,
+ this->lurl->lud_port);
+ }
+ else
+ {
+ DBG1("ldap: %s", ldap_err2string(rc));
+ this->ldap = NULL;
+ }
+#endif /* LIBLDAP */
+ this->public.get = (chunk_t (*) (fetcher_t*))ldap_get;
}
+ else
+ {
+#ifdef LIBCURL
+ this->curl = curl_easy_init();
+ if (this->curl == NULL)
+ {
+ DBG1("curl_easy_init_failed()");
+ }
#endif /* LIBCURL */
+ this->public.get = (chunk_t (*) (fetcher_t*))curl_get;
+ }
/* public functions */
- this->public.get = (chunk_t (*) (fetcher_t*))get;
- this->public.post = (chunk_t (*) (fetcher_t*,const char*,chunk_t))post;
+ this->public.post = (chunk_t (*) (fetcher_t*,const char*,chunk_t))http_post;
this->public.destroy = (void (*) (fetcher_t*))destroy;
return &this->public;
@@ -209,7 +383,7 @@ fetcher_t *fetcher_create(const char *uri)
*/
void fetcher_initialize(void)
{
- #ifdef LIBCURL
+#ifdef LIBCURL
CURLcode res;
/* initialize libcurl */
@@ -227,7 +401,7 @@ void fetcher_initialize(void)
*/
void fetcher_finalize(void)
{
- #ifdef LIBCURL
+#ifdef LIBCURL
/* finalize libcurl */
DBG1("finalizing libcurl");
curl_global_cleanup();
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index 208dea175..b1b848c76 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -123,7 +123,7 @@ if USE_LIBCURL
endif
# This compile option activates dynamic LDAP CRL fetching
-if USE_LDAP
+if USE_LIBLDAP
pluto_LDADD += -lldap -llber
endif
diff --git a/src/pluto/constants.c b/src/pluto/constants.c
index 1fc5ec422..e7d7216ee 100644
--- a/src/pluto/constants.c
+++ b/src/pluto/constants.c
@@ -41,12 +41,8 @@ const char compile_time_interop_options[] = ""
#ifdef LIBCURL
" LIBCURL"
#endif
-#ifdef LDAP_VER
-#if LDAP_VER == 2
- " LDAP_V2"
-#else
- " LDAP_V3"
-#endif
+#ifdef LIBLDAP
+ " LIBLDAP"
#endif
#ifdef SMARTCARD
" SMARTCARD"
diff --git a/src/pluto/fetch.c b/src/pluto/fetch.c
index d3d922f63..e3e56d3a8 100644
--- a/src/pluto/fetch.c
+++ b/src/pluto/fetch.c
@@ -31,7 +31,7 @@
#include <freeswan.h>
-#ifdef LDAP_VER
+#ifdef LIBLDAP
#include <ldap.h>
#endif
@@ -347,7 +347,7 @@ fetch_curl(char *url, chunk_t *blob)
#endif /* !LIBCURL */
}
-#ifdef LDAP_VER
+#ifdef LIBLDAP
/*
* parses the result returned by an ldap query
*/
@@ -428,7 +428,7 @@ fetch_ldap_url(char *url, chunk_t *blob)
if (ldap != NULL)
{
- int ldap_version = (LDAP_VER == 2)? LDAP_VERSION2 : LDAP_VERSION3;
+ int ldap_version = LDAP_VERSION3;
struct timeval timeout;
timeout.tv_sec = FETCH_CMD_TIMEOUT;
@@ -479,13 +479,13 @@ fetch_ldap_url(char *url, chunk_t *blob)
}
return ugh;
}
-#else /* !LDAP_VER */
+#else /* !LIBLDAP */
static err_t
fetch_ldap_url(char *url, chunk_t *blob)
{
return "LDAP URL fetching not activated in pluto source code";
}
-#endif /* !LDAP_VER */
+#endif /* !LIBLDAP */
/*
* fetch an ASN.1 blob coded in PEM or DER format from a URL
generated by cgit v1.2.3 (git 2.25.1) at 2025-09-15 15:41:42 +0000