diff options
author | Yves-Alexis Perez <corsac@debian.org> | 2016-03-24 11:59:32 +0100 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2016-03-24 11:59:32 +0100 |
commit | 518dd33c94e041db0444c7d1f33da363bb8e3faf (patch) | |
tree | e8d1665ffadff7ec40228dda47e81f8f4691cd07 /src/libcharon/plugins/stroke | |
parent | f42f239a632306ed082f6fde878977248eea85cf (diff) | |
download | vyos-strongswan-518dd33c94e041db0444c7d1f33da363bb8e3faf.tar.gz vyos-strongswan-518dd33c94e041db0444c7d1f33da363bb8e3faf.zip |
Imported Upstream version 5.4.0
Diffstat (limited to 'src/libcharon/plugins/stroke')
-rw-r--r-- | src/libcharon/plugins/stroke/Makefile.am | 1 | ||||
-rw-r--r-- | src/libcharon/plugins/stroke/Makefile.in | 3 | ||||
-rw-r--r-- | src/libcharon/plugins/stroke/stroke_config.c | 123 | ||||
-rw-r--r-- | src/libcharon/plugins/stroke/stroke_control.c | 1 | ||||
-rw-r--r-- | src/libcharon/plugins/stroke/stroke_list.c | 619 | ||||
-rw-r--r-- | src/libcharon/plugins/stroke/stroke_socket.c | 13 |
6 files changed, 80 insertions, 680 deletions
diff --git a/src/libcharon/plugins/stroke/Makefile.am b/src/libcharon/plugins/stroke/Makefile.am index b90688791..26edc3dcd 100644 --- a/src/libcharon/plugins/stroke/Makefile.am +++ b/src/libcharon/plugins/stroke/Makefile.am @@ -1,6 +1,5 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/libcharon \ -I$(top_srcdir)/src/stroke \ -DIPSEC_CONFDIR=\"${sysconfdir}\" \ diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in index a316f5c25..2b22b333a 100644 --- a/src/libcharon/plugins/stroke/Makefile.in +++ b/src/libcharon/plugins/stroke/Makefile.in @@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ @@ -433,7 +435,6 @@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/libcharon \ -I$(top_srcdir)/src/stroke \ -DIPSEC_CONFDIR=\"${sysconfdir}\" \ diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c index 68cf83089..d0eb2aac3 100644 --- a/src/libcharon/plugins/stroke/stroke_config.c +++ b/src/libcharon/plugins/stroke/stroke_config.c @@ -16,7 +16,6 @@ #include "stroke_config.h" -#include <hydra.h> #include <daemon.h> #include <threading/mutex.h> #include <utils/lexparser.h> @@ -201,8 +200,7 @@ static bool is_local(char *address, bool any_allowed) host = host_create_from_dns(token, 0, 0); if (host) { - if (hydra->kernel_interface->get_interface( - hydra->kernel_interface, host, NULL)) + if (charon->kernel->get_interface(charon->kernel, host, NULL)) { found = TRUE; } @@ -313,117 +311,6 @@ static void build_crl_policy(auth_cfg_t *cfg, bool local, int policy) } /** - * Parse public key / signature strength constraints - */ -static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg) -{ - enumerator_t *enumerator; - bool rsa = FALSE, ecdsa = FALSE, bliss = FALSE, - rsa_len = FALSE, ecdsa_len = FALSE, bliss_strength = FALSE; - int strength; - char *token; - - enumerator = enumerator_create_token(auth, "-", ""); - while (enumerator->enumerate(enumerator, &token)) - { - bool found = FALSE; - int i; - struct { - char *name; - signature_scheme_t scheme; - key_type_t key; - } schemes[] = { - { "md5", SIGN_RSA_EMSA_PKCS1_MD5, KEY_RSA, }, - { "sha1", SIGN_RSA_EMSA_PKCS1_SHA1, KEY_RSA, }, - { "sha224", SIGN_RSA_EMSA_PKCS1_SHA224, KEY_RSA, }, - { "sha256", SIGN_RSA_EMSA_PKCS1_SHA256, KEY_RSA, }, - { "sha384", SIGN_RSA_EMSA_PKCS1_SHA384, KEY_RSA, }, - { "sha512", SIGN_RSA_EMSA_PKCS1_SHA512, KEY_RSA, }, - { "sha1", SIGN_ECDSA_WITH_SHA1_DER, KEY_ECDSA, }, - { "sha256", SIGN_ECDSA_WITH_SHA256_DER, KEY_ECDSA, }, - { "sha384", SIGN_ECDSA_WITH_SHA384_DER, KEY_ECDSA, }, - { "sha512", SIGN_ECDSA_WITH_SHA512_DER, KEY_ECDSA, }, - { "sha256", SIGN_ECDSA_256, KEY_ECDSA, }, - { "sha384", SIGN_ECDSA_384, KEY_ECDSA, }, - { "sha512", SIGN_ECDSA_521, KEY_ECDSA, }, - { "sha256", SIGN_BLISS_WITH_SHA2_256, KEY_BLISS, }, - { "sha384", SIGN_BLISS_WITH_SHA2_384, KEY_BLISS, }, - { "sha512", SIGN_BLISS_WITH_SHA2_512, KEY_BLISS, }, - }; - - if (rsa_len || ecdsa_len || bliss_strength) - { /* expecting a key strength token */ - strength = atoi(token); - if (strength) - { - if (rsa_len) - { - cfg->add(cfg, AUTH_RULE_RSA_STRENGTH, (uintptr_t)strength); - } - else if (ecdsa_len) - { - cfg->add(cfg, AUTH_RULE_ECDSA_STRENGTH, (uintptr_t)strength); - } - else if (bliss_strength) - { - cfg->add(cfg, AUTH_RULE_BLISS_STRENGTH, (uintptr_t)strength); - } - } - rsa_len = ecdsa_len = bliss_strength = FALSE; - if (strength) - { - continue; - } - } - if (streq(token, "rsa")) - { - rsa = rsa_len = TRUE; - continue; - } - if (streq(token, "ecdsa")) - { - ecdsa = ecdsa_len = TRUE; - continue; - } - if (streq(token, "bliss")) - { - bliss = bliss_strength = TRUE; - continue; - } - if (streq(token, "pubkey")) - { - continue; - } - - for (i = 0; i < countof(schemes); i++) - { - if (streq(schemes[i].name, token)) - { - /* for each matching string, allow the scheme, if: - * - it is an RSA scheme, and we enforced RSA - * - it is an ECDSA scheme, and we enforced ECDSA - * - it is not a key type specific scheme - */ - if ((rsa && schemes[i].key == KEY_RSA) || - (ecdsa && schemes[i].key == KEY_ECDSA) || - (bliss && schemes[i].key == KEY_BLISS) || - (!rsa && !ecdsa && !bliss)) - { - cfg->add(cfg, AUTH_RULE_SIGNATURE_SCHEME, - (uintptr_t)schemes[i].scheme); - } - found = TRUE; - } - } - if (!found) - { - DBG1(DBG_CFG, "ignoring invalid auth token: '%s'", token); - } - } - enumerator->destroy(enumerator); -} - -/** * build authentication config */ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, @@ -619,15 +506,15 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, } /* authentication metod (class, actually) */ - if (strpfx(auth, "pubkey") || + if (strpfx(auth, "ike:") || + strpfx(auth, "pubkey") || strpfx(auth, "rsa") || strpfx(auth, "ecdsa") || strpfx(auth, "bliss")) { cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); build_crl_policy(cfg, local, msg->add_conn.crl_policy); - - parse_pubkey_constraints(auth, cfg); + cfg->add_pubkey_constraints(cfg, auth, TRUE); } else if (streq(auth, "psk") || streq(auth, "secret")) { @@ -660,7 +547,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, if (pos) { *pos = 0; - parse_pubkey_constraints(pos + 1, cfg); + cfg->add_pubkey_constraints(cfg, pos + 1, FALSE); } type = eap_vendor_type_from_string(auth); if (type) diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c index 5a1a5074d..36da5ff21 100644 --- a/src/libcharon/plugins/stroke/stroke_control.c +++ b/src/libcharon/plugins/stroke/stroke_control.c @@ -16,7 +16,6 @@ #include "stroke_control.h" -#include <hydra.h> #include <daemon.h> #include <processing/jobs/delete_ike_sa_job.h> diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c index c0192b5c0..0371c7032 100644 --- a/src/libcharon/plugins/stroke/stroke_list.c +++ b/src/libcharon/plugins/stroke/stroke_list.c @@ -2,6 +2,9 @@ * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your @@ -23,22 +26,12 @@ #include <malloc.h> #endif /* HAVE_MALLINFO */ -#include <hydra.h> #include <daemon.h> #include <collections/linked_list.h> #include <plugins/plugin.h> #include <credentials/certificates/x509.h> -#include <credentials/certificates/ac.h> -#include <credentials/certificates/crl.h> -#include <credentials/certificates/pgp_certificate.h> +#include <credentials/certificates/certificate_printer.h> #include <config/peer_cfg.h> -#include <asn1/asn1.h> -#include <asn1/oid.h> - -/* warning intervals for list functions */ -#define CERT_WARNING_INTERVAL 30 /* days */ -#define CRL_WARNING_INTERVAL 7 /* days */ -#define AC_WARNING_INTERVAL 1 /* day */ typedef struct private_stroke_list_t private_stroke_list_t; @@ -69,6 +62,11 @@ struct private_stroke_list_t { }; /** + * Static certificate printer object + */ +static certificate_printer_t *cert_printer = NULL; + +/** * Log tasks of a specific queue to out */ static void log_task_q(FILE *out, ike_sa_t *ike_sa, task_queue_t q, char *name) @@ -139,8 +137,10 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all) fprintf(out, "%12s[%d]: %N SPIs: %.16"PRIx64"_i%s %.16"PRIx64"_r%s", ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa), ike_version_names, ike_sa->get_version(ike_sa), - id->get_initiator_spi(id), id->is_initiator(id) ? "*" : "", - id->get_responder_spi(id), id->is_initiator(id) ? "" : "*"); + be64toh(id->get_initiator_spi(id)), + id->is_initiator(id) ? "*" : "", + be64toh(id->get_responder_spi(id)), + id->is_initiator(id) ? "" : "*"); if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED) @@ -244,40 +244,36 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) proposal = child_sa->get_proposal(child_sa); if (proposal) { - u_int16_t encr_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED; - u_int16_t encr_size = 0, int_size = 0; - u_int16_t esn = NO_EXT_SEQ_NUMBERS; + u_int16_t alg, ks; bool first = TRUE; - proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, - &encr_alg, &encr_size); - proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, - &int_alg, &int_size); - proposal->get_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS, - &esn, NULL); - - if (encr_alg != ENCR_UNDEFINED) + if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, + &alg, &ks) && alg != ENCR_UNDEFINED) { - fprintf(out, "%N", encryption_algorithm_names, encr_alg); + fprintf(out, "%N", encryption_algorithm_names, alg); first = FALSE; - if (encr_size) + if (ks) { - fprintf(out, "_%u", encr_size); + fprintf(out, "_%u", ks); } } - if (int_alg != AUTH_UNDEFINED) + if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, + &alg, &ks) && alg != AUTH_UNDEFINED) { - if (!first) - { - fprintf(out, "/"); - } - fprintf(out, "%N", integrity_algorithm_names, int_alg); - if (int_size) + fprintf(out, "%s%N", first ? "" : "/", + integrity_algorithm_names, alg); + if (ks) { - fprintf(out, "_%u", int_size); + fprintf(out, "_%u", ks); } } - if (esn == EXT_SEQ_NUMBERS) + if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, + &alg, NULL)) + { + fprintf(out, "/%N", diffie_hellman_group_names, alg); + } + if (proposal->get_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS, + &alg, NULL) && alg == EXT_SEQ_NUMBERS) { fprintf(out, "/ESN"); } @@ -538,8 +534,8 @@ METHOD(stroke_list_t, status, void, } enumerator->destroy(enumerator); - enumerator = hydra->kernel_interface->create_address_enumerator( - hydra->kernel_interface, ADDR_TYPE_REGULAR); + enumerator = charon->kernel->create_address_enumerator(charon->kernel, + ADDR_TYPE_REGULAR); fprintf(out, "Listening IP addresses:\n"); while (enumerator->enumerate(enumerator, (void**)&host)) { @@ -738,14 +734,20 @@ static linked_list_t* create_unique_cert_list(certificate_type_t type) } /** - * Print a single public key. + * Is there a matching private key? */ -static void list_public_key(public_key_t *public, FILE *out) +static bool has_privkey(certificate_t *cert) { + public_key_t *public; private_key_t *private = NULL; chunk_t keyid; identification_t *id; + public = cert->get_public_key(cert); + if (!public) + { + return FALSE; + } if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid)) { id = identification_create_from_encoding(ID_KEY_ID, keyid); @@ -753,521 +755,56 @@ static void list_public_key(public_key_t *public, FILE *out) public->get_type(public), id, NULL); id->destroy(id); } - - fprintf(out, " pubkey: %N %d bits%s\n", - key_type_names, public->get_type(public), - public->get_keysize(public), - private ? ", has private key" : ""); - if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid)) - { - fprintf(out, " keyid: %#B\n", &keyid); - } - if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid)) - { - fprintf(out, " subjkey: %#B\n", &keyid); - } + public->destroy(public); DESTROY_IF(private); -} - -/** - * list all raw public keys - */ -static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out) -{ - bool first = TRUE; - time_t now = time(NULL), notBefore, notAfter; - enumerator_t *enumerator; - certificate_t *cert; - - enumerator = list->create_enumerator(list); - while (enumerator->enumerate(enumerator, (void**)&cert)) - { - identification_t *subject = cert->get_subject(cert); - public_key_t *public = cert->get_public_key(cert); - - if (public) - { - if (first) - { - fprintf(out, "\n"); - fprintf(out, "List of Raw Public Keys:\n"); - first = FALSE; - } - fprintf(out, "\n"); - - /* list subject if available */ - if (subject->get_type(subject) != ID_KEY_ID) - { - fprintf(out, " subject: %#Y\n", subject); - } - - /* list validity if available*/ - cert->get_validity(cert, &now, ¬Before, ¬After); - if (notBefore != UNDEFINED_TIME && notAfter != UNDEFINED_TIME) - { - fprintf(out, " validity: not before %T, ", ¬Before, utc); - if (now < notBefore) - { - fprintf(out, "not valid yet (valid in %V)\n", &now, ¬Before); - } - else - { - fprintf(out, "ok\n"); - } - fprintf(out, " not after %T, ", ¬After, utc); - if (now > notAfter) - { - fprintf(out, "expired (%V ago)\n", &now, ¬After); - } - else - { - fprintf(out, "ok"); - if (now > notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24) - { - fprintf(out, " (expires in %V)", &now, ¬After); - } - fprintf(out, " \n"); - } - } - - list_public_key(public, out); - public->destroy(public); - } - } - enumerator->destroy(enumerator); -} - -/** - * list OpenPGP certificates - */ -static void stroke_list_pgp(linked_list_t *list,bool utc, FILE *out) -{ - bool first = TRUE; - time_t now = time(NULL); - enumerator_t *enumerator = list->create_enumerator(list); - certificate_t *cert; - - while (enumerator->enumerate(enumerator, (void**)&cert)) - { - time_t created, until; - public_key_t *public; - pgp_certificate_t *pgp_cert = (pgp_certificate_t*)cert; - chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert); - - if (first) - { - fprintf(out, "\n"); - fprintf(out, "List of PGP End Entity Certificates:\n"); - first = FALSE; - } - fprintf(out, "\n"); - fprintf(out, " userid: '%Y'\n", cert->get_subject(cert)); - - fprintf(out, " digest: %#B\n", &fingerprint); - - /* list validity */ - cert->get_validity(cert, &now, &created, &until); - fprintf(out, " created: %T\n", &created, utc); - fprintf(out, " until: %T%s\n", &until, utc, - (until == TIME_32_BIT_SIGNED_MAX) ? " (expires never)":""); - - public = cert->get_public_key(cert); - if (public) - { - list_public_key(public, out); - public->destroy(public); - } - } - enumerator->destroy(enumerator); + return (private != NULL); } /** * list all X.509 certificates matching the flags */ -static void stroke_list_certs(linked_list_t *list, char *label, - x509_flag_t flags, bool utc, FILE *out) +static void stroke_list_x509_certs(linked_list_t *list, x509_flag_t flag) { - bool first = TRUE; - time_t now = time(NULL); enumerator_t *enumerator; certificate_t *cert; - x509_flag_t flag_mask; - - /* mask all auxiliary flags */ - flag_mask = ~(X509_SERVER_AUTH | X509_CLIENT_AUTH | X509_IKE_INTERMEDIATE | - X509_SELF_SIGNED | X509_IP_ADDR_BLOCKS); enumerator = list->create_enumerator(list); while (enumerator->enumerate(enumerator, (void**)&cert)) { x509_t *x509 = (x509_t*)cert; - x509_flag_t x509_flags = x509->get_flags(x509) & flag_mask; + x509_flag_t flags = x509->get_flags(x509) & X509_ANY; /* list only if flag is set or flag == 0 */ - if ((x509_flags & flags) || (x509_flags == flags)) + if ((flags & flag) || flags == flag) { - enumerator_t *enumerator; - identification_t *altName; - bool first_altName = TRUE; - u_int pathlen; - chunk_t serial, authkey; - time_t notBefore, notAfter; - public_key_t *public; - - if (first) - { - fprintf(out, "\n"); - fprintf(out, "List of %s:\n", label); - first = FALSE; - } - fprintf(out, "\n"); - - /* list subjectAltNames */ - enumerator = x509->create_subjectAltName_enumerator(x509); - while (enumerator->enumerate(enumerator, (void**)&altName)) - { - if (first_altName) - { - fprintf(out, " altNames: "); - first_altName = FALSE; - } - else - { - fprintf(out, ", "); - } - fprintf(out, "%Y", altName); - } - if (!first_altName) - { - fprintf(out, "\n"); - } - enumerator->destroy(enumerator); - - fprintf(out, " subject: \"%Y\"\n", cert->get_subject(cert)); - fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert)); - serial = chunk_skip_zero(x509->get_serial(x509)); - fprintf(out, " serial: %#B\n", &serial); - - /* list validity */ - cert->get_validity(cert, &now, ¬Before, ¬After); - fprintf(out, " validity: not before %T, ", ¬Before, utc); - if (now < notBefore) - { - fprintf(out, "not valid yet (valid in %V)\n", &now, ¬Before); - } - else - { - fprintf(out, "ok\n"); - } - fprintf(out, " not after %T, ", ¬After, utc); - if (now > notAfter) - { - fprintf(out, "expired (%V ago)\n", &now, ¬After); - } - else - { - fprintf(out, "ok"); - if (now > notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24) - { - fprintf(out, " (expires in %V)", &now, ¬After); - } - fprintf(out, " \n"); - } - - public = cert->get_public_key(cert); - if (public) - { - list_public_key(public, out); - public->destroy(public); - } - - /* list optional authorityKeyIdentifier */ - authkey = x509->get_authKeyIdentifier(x509); - if (authkey.ptr) - { - fprintf(out, " authkey: %#B\n", &authkey); - } - - /* list optional pathLenConstraint */ - pathlen = x509->get_constraint(x509, X509_PATH_LEN); - if (pathlen != X509_NO_CONSTRAINT) - { - fprintf(out, " pathlen: %u\n", pathlen); - } - - /* list optional ipAddrBlocks */ - if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS) - { - traffic_selector_t *ipAddrBlock; - bool first_ipAddrBlock = TRUE; - - fprintf(out, " addresses: "); - enumerator = x509->create_ipAddrBlock_enumerator(x509); - while (enumerator->enumerate(enumerator, &ipAddrBlock)) - { - if (first_ipAddrBlock) - { - first_ipAddrBlock = FALSE; - } - else - { - fprintf(out, ", "); - } - fprintf(out, "%R", ipAddrBlock); - } - enumerator->destroy(enumerator); - fprintf(out, "\n"); - } + cert_printer->print_caption(cert_printer, CERT_X509, flag); + cert_printer->print(cert_printer, cert, has_privkey(cert)); } } enumerator->destroy(enumerator); } /** - * list all X.509 attribute certificates + * list all other certificates types */ -static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out) +static void stroke_list_other_certs(certificate_type_t type) { - bool first = TRUE; - time_t notBefore, notAfter, now = time(NULL); enumerator_t *enumerator; certificate_t *cert; + linked_list_t *list; + + list = create_unique_cert_list(type); enumerator = list->create_enumerator(list); while (enumerator->enumerate(enumerator, &cert)) { - ac_t *ac = (ac_t*)cert; - ac_group_type_t type; - identification_t *id; - enumerator_t *groups; - chunk_t chunk; - bool firstgroup = TRUE; - - if (first) - { - fprintf(out, "\n"); - fprintf(out, "List of X.509 Attribute Certificates:\n"); - first = FALSE; - } - fprintf(out, "\n"); - - id = cert->get_subject(cert); - if (id) - { - fprintf(out, " holder: \"%Y\"\n", id); - } - id = ac->get_holderIssuer(ac); - if (id) - { - fprintf(out, " hissuer: \"%Y\"\n", id); - } - chunk = chunk_skip_zero(ac->get_holderSerial(ac)); - if (chunk.ptr) - { - fprintf(out, " hserial: %#B\n", &chunk); - } - groups = ac->create_group_enumerator(ac); - while (groups->enumerate(groups, &type, &chunk)) - { - int oid; - char *str; - - if (firstgroup) - { - fprintf(out, " groups: "); - firstgroup = FALSE; - } - else - { - fprintf(out, " "); - } - switch (type) - { - case AC_GROUP_TYPE_STRING: - fprintf(out, "%.*s", (int)chunk.len, chunk.ptr); - break; - case AC_GROUP_TYPE_OID: - oid = asn1_known_oid(chunk); - if (oid == OID_UNKNOWN) - { - str = asn1_oid_to_string(chunk); - if (str) - { - fprintf(out, "%s", str); - free(str); - } - else - { - fprintf(out, "OID:%#B", &chunk); - } - } - else - { - fprintf(out, "%s", oid_names[oid].name); - } - break; - case AC_GROUP_TYPE_OCTETS: - fprintf(out, "%#B", &chunk); - break; - } - fprintf(out, "\n"); - } - groups->destroy(groups); - fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert)); - chunk = chunk_skip_zero(ac->get_serial(ac)); - fprintf(out, " serial: %#B\n", &chunk); - - /* list validity */ - cert->get_validity(cert, &now, ¬Before, ¬After); - fprintf(out, " validity: not before %T, ", ¬Before, utc); - if (now < notBefore) - { - fprintf(out, "not valid yet (valid in %V)\n", &now, ¬Before); - } - else - { - fprintf(out, "ok\n"); - } - fprintf(out, " not after %T, ", ¬After, utc); - if (now > notAfter) - { - fprintf(out, "expired (%V ago)\n", &now, ¬After); - } - else - { - fprintf(out, "ok"); - if (now > notAfter - AC_WARNING_INTERVAL * 60 * 60 * 24) - { - fprintf(out, " (expires in %V)", &now, ¬After); - } - fprintf(out, " \n"); - } - - /* list optional authorityKeyIdentifier */ - chunk = ac->get_authKeyIdentifier(ac); - if (chunk.ptr) - { - fprintf(out, " authkey: %#B\n", &chunk); - } + cert_printer->print_caption(cert_printer, cert->get_type(cert), X509_NONE); + cert_printer->print(cert_printer, cert, has_privkey(cert)); } enumerator->destroy(enumerator); -} - -/** - * list all X.509 CRLs - */ -static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out) -{ - bool first = TRUE; - time_t thisUpdate, nextUpdate, now = time(NULL); - enumerator_t *enumerator = list->create_enumerator(list); - certificate_t *cert; - while (enumerator->enumerate(enumerator, (void**)&cert)) - { - crl_t *crl = (crl_t*)cert; - chunk_t chunk; - - if (first) - { - fprintf(out, "\n"); - fprintf(out, "List of X.509 CRLs:\n"); - first = FALSE; - } - fprintf(out, "\n"); - - fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert)); - - /* list optional crlNumber */ - chunk = chunk_skip_zero(crl->get_serial(crl)); - if (chunk.ptr) - { - fprintf(out, " serial: %#B\n", &chunk); - } - if (crl->is_delta_crl(crl, &chunk)) - { - chunk = chunk_skip_zero(chunk); - fprintf(out, " delta for: %#B\n", &chunk); - } - - /* count the number of revoked certificates */ - { - int count = 0; - enumerator_t *enumerator = crl->create_enumerator(crl); - - while (enumerator->enumerate(enumerator, NULL, NULL, NULL)) - { - count++; - } - fprintf(out, " revoked: %d certificate%s\n", count, - (count == 1)? "" : "s"); - enumerator->destroy(enumerator); - } - - /* list validity */ - cert->get_validity(cert, &now, &thisUpdate, &nextUpdate); - fprintf(out, " updates: this %T\n", &thisUpdate, utc); - fprintf(out, " next %T, ", &nextUpdate, utc); - if (now > nextUpdate) - { - fprintf(out, "expired (%V ago)\n", &now, &nextUpdate); - } - else - { - fprintf(out, "ok"); - if (now > nextUpdate - CRL_WARNING_INTERVAL * 60 * 60 * 24) - { - fprintf(out, " (expires in %V)", &now, &nextUpdate); - } - fprintf(out, " \n"); - } - - /* list optional authorityKeyIdentifier */ - chunk = crl->get_authKeyIdentifier(crl); - if (chunk.ptr) - { - fprintf(out, " authkey: %#B\n", &chunk); - } - } - enumerator->destroy(enumerator); -} - -/** - * list all OCSP responses - */ -static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out) -{ - bool first = TRUE, ok; - enumerator_t *enumerator = list->create_enumerator(list); - certificate_t *cert; - time_t produced, usable, now = time(NULL); - - while (enumerator->enumerate(enumerator, (void**)&cert)) - { - if (first) - { - fprintf(out, "\n"); - fprintf(out, "List of OCSP responses:\n"); - fprintf(out, "\n"); - first = FALSE; - } - fprintf(out, " signer: \"%Y\"\n", cert->get_issuer(cert)); - - /* check validity */ - ok = cert->get_validity(cert, &now, &produced, &usable); - fprintf(out, " validity: produced at %T\n", &produced, utc); - fprintf(out, " usable till %T, ", &usable, utc); - if (ok) - { - fprintf(out, "ok\n"); - } - else - { - fprintf(out, "expired (%V ago)\n", &now, &usable); - } - } - enumerator->destroy(enumerator); + list->destroy_offset(list, offsetof(certificate_t, destroy)); } /** @@ -1439,19 +976,15 @@ METHOD(stroke_list_t, list, void, { linked_list_t *cert_list = NULL; + cert_printer = certificate_printer_create(out, TRUE, msg->list.utc); + if (msg->list.flags & LIST_PUBKEYS) { - linked_list_t *pubkey_list = create_unique_cert_list(CERT_TRUSTED_PUBKEY); - - stroke_list_pubkeys(pubkey_list, msg->list.utc, out); - pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy)); + stroke_list_other_certs(CERT_TRUSTED_PUBKEY); } if (msg->list.flags & LIST_CERTS) { - linked_list_t *pgp_list = create_unique_cert_list(CERT_GPG); - - stroke_list_pgp(pgp_list, msg->list.utc, out); - pgp_list->destroy_offset(pgp_list, offsetof(certificate_t, destroy)); + stroke_list_other_certs(CERT_GPG); } if (msg->list.flags & (LIST_CERTS | LIST_CACERTS | LIST_OCSPCERTS | LIST_AACERTS)) { @@ -1459,47 +992,33 @@ METHOD(stroke_list_t, list, void, } if (msg->list.flags & LIST_CERTS) { - stroke_list_certs(cert_list, "X.509 End Entity Certificates", - X509_NONE, msg->list.utc, out); + stroke_list_x509_certs(cert_list, X509_NONE); } if (msg->list.flags & LIST_CACERTS) { - stroke_list_certs(cert_list, "X.509 CA Certificates", - X509_CA, msg->list.utc, out); + stroke_list_x509_certs(cert_list, X509_CA); } if (msg->list.flags & LIST_OCSPCERTS) { - stroke_list_certs(cert_list, "X.509 OCSP Signer Certificates", - X509_OCSP_SIGNER, msg->list.utc, out); + stroke_list_x509_certs(cert_list, X509_OCSP_SIGNER); } if (msg->list.flags & LIST_AACERTS) { - stroke_list_certs(cert_list, "X.509 AA Certificates", - X509_AA, msg->list.utc, out); + stroke_list_x509_certs(cert_list, X509_AA); } DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy)); if (msg->list.flags & LIST_ACERTS) { - linked_list_t *ac_list = create_unique_cert_list(CERT_X509_AC); - - stroke_list_acerts(ac_list, msg->list.utc, out); - ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy)); + stroke_list_other_certs(CERT_X509_AC); } if (msg->list.flags & LIST_CRLS) { - linked_list_t *crl_list = create_unique_cert_list(CERT_X509_CRL); - - stroke_list_crls(crl_list, msg->list.utc, out); - crl_list->destroy_offset(crl_list, offsetof(certificate_t, destroy)); + stroke_list_other_certs(CERT_X509_CRL); } if (msg->list.flags & LIST_OCSP) { - linked_list_t *ocsp_list = create_unique_cert_list(CERT_X509_OCSP_RESPONSE); - - stroke_list_ocsp(ocsp_list, msg->list.utc, out); - - ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy)); + stroke_list_other_certs(CERT_X509_OCSP_RESPONSE); } if (msg->list.flags & LIST_ALGS) { @@ -1509,6 +1028,8 @@ METHOD(stroke_list_t, list, void, { list_plugins(out); } + cert_printer->destroy(cert_printer); + cert_printer = NULL; } /** diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c index 29563e32f..ee32dbca2 100644 --- a/src/libcharon/plugins/stroke/stroke_socket.c +++ b/src/libcharon/plugins/stroke/stroke_socket.c @@ -590,17 +590,10 @@ static void stroke_loglevel(private_stroke_socket_t *this, fprintf(out, "command not allowed!\n"); return; } - if (strcaseeq(msg->loglevel.type, "any")) + if (!enum_from_name(debug_names, msg->loglevel.type, &group)) { - group = DBG_ANY; - } - else - { - if (!enum_from_name(debug_names, msg->loglevel.type, &group)) - { - fprintf(out, "unknown type '%s'!\n", msg->loglevel.type); - return; - } + fprintf(out, "unknown type '%s'!\n", msg->loglevel.type); + return; } charon->set_level(charon, group, msg->loglevel.level); } |