authorYves-Alexis Perez <corsac@debian.org>2016-03-24 11:59:32 +0100
committerYves-Alexis Perez <corsac@debian.org>2016-03-24 11:59:32 +0100
commit518dd33c94e041db0444c7d1f33da363bb8e3faf (patch)
treee8d1665ffadff7ec40228dda47e81f8f4691cd07 /src/libcharon/plugins/stroke
parentf42f239a632306ed082f6fde878977248eea85cf (diff)
Imported Upstream version 5.4.0
Diffstat (limited to 'src/libcharon/plugins/stroke')
-rw-r--r--src/libcharon/plugins/stroke/Makefile.am1
-rw-r--r--src/libcharon/plugins/stroke/Makefile.in3
-rw-r--r--src/libcharon/plugins/stroke/stroke_config.c123
-rw-r--r--src/libcharon/plugins/stroke/stroke_control.c1
-rw-r--r--src/libcharon/plugins/stroke/stroke_list.c619
-rw-r--r--src/libcharon/plugins/stroke/stroke_socket.c13
6 files changed, 80 insertions, 680 deletions
diff --git a/src/libcharon/plugins/stroke/Makefile.am b/src/libcharon/plugins/stroke/Makefile.am
index b90688791..26edc3dcd 100644
--- a/src/libcharon/plugins/stroke/Makefile.am
+++ b/src/libcharon/plugins/stroke/Makefile.am
@@ -1,6 +1,5 @@
AM_CPPFLAGS = \
-I$(top_srcdir)/src/libstrongswan \
- -I$(top_srcdir)/src/libhydra \
-I$(top_srcdir)/src/libcharon \
-I$(top_srcdir)/src/stroke \
-DIPSEC_CONFDIR=\"${sysconfdir}\" \
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index a316f5c25..2b22b333a 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
strongswan_options = @strongswan_options@
swanctldir = @swanctldir@
sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
systemd_daemon_LIBS = @systemd_daemon_LIBS@
systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -433,7 +435,6 @@ xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
AM_CPPFLAGS = \
-I$(top_srcdir)/src/libstrongswan \
- -I$(top_srcdir)/src/libhydra \
-I$(top_srcdir)/src/libcharon \
-I$(top_srcdir)/src/stroke \
-DIPSEC_CONFDIR=\"${sysconfdir}\" \
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 68cf83089..d0eb2aac3 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -16,7 +16,6 @@
#include "stroke_config.h"
-#include <hydra.h>
#include <daemon.h>
#include <threading/mutex.h>
#include <utils/lexparser.h>
@@ -201,8 +200,7 @@ static bool is_local(char *address, bool any_allowed)
host = host_create_from_dns(token, 0, 0);
if (host)
{
- if (hydra->kernel_interface->get_interface(
- hydra->kernel_interface, host, NULL))
+ if (charon->kernel->get_interface(charon->kernel, host, NULL))
{
found = TRUE;
}
@@ -313,117 +311,6 @@ static void build_crl_policy(auth_cfg_t *cfg, bool local, int policy)
}
/**
- * Parse public key / signature strength constraints
- */
-static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg)
-{
- enumerator_t *enumerator;
- bool rsa = FALSE, ecdsa = FALSE, bliss = FALSE,
- rsa_len = FALSE, ecdsa_len = FALSE, bliss_strength = FALSE;
- int strength;
- char *token;
-
- enumerator = enumerator_create_token(auth, "-", "");
- while (enumerator->enumerate(enumerator, &token))
- {
- bool found = FALSE;
- int i;
- struct {
- char *name;
- signature_scheme_t scheme;
- key_type_t key;
- } schemes[] = {
- { "md5", SIGN_RSA_EMSA_PKCS1_MD5, KEY_RSA, },
- { "sha1", SIGN_RSA_EMSA_PKCS1_SHA1, KEY_RSA, },
- { "sha224", SIGN_RSA_EMSA_PKCS1_SHA224, KEY_RSA, },
- { "sha256", SIGN_RSA_EMSA_PKCS1_SHA256, KEY_RSA, },
- { "sha384", SIGN_RSA_EMSA_PKCS1_SHA384, KEY_RSA, },
- { "sha512", SIGN_RSA_EMSA_PKCS1_SHA512, KEY_RSA, },
- { "sha1", SIGN_ECDSA_WITH_SHA1_DER, KEY_ECDSA, },
- { "sha256", SIGN_ECDSA_WITH_SHA256_DER, KEY_ECDSA, },
- { "sha384", SIGN_ECDSA_WITH_SHA384_DER, KEY_ECDSA, },
- { "sha512", SIGN_ECDSA_WITH_SHA512_DER, KEY_ECDSA, },
- { "sha256", SIGN_ECDSA_256, KEY_ECDSA, },
- { "sha384", SIGN_ECDSA_384, KEY_ECDSA, },
- { "sha512", SIGN_ECDSA_521, KEY_ECDSA, },
- { "sha256", SIGN_BLISS_WITH_SHA2_256, KEY_BLISS, },
- { "sha384", SIGN_BLISS_WITH_SHA2_384, KEY_BLISS, },
- { "sha512", SIGN_BLISS_WITH_SHA2_512, KEY_BLISS, },
- };
-
- if (rsa_len || ecdsa_len || bliss_strength)
- { /* expecting a key strength token */
- strength = atoi(token);
- if (strength)
- {
- if (rsa_len)
- {
- cfg->add(cfg, AUTH_RULE_RSA_STRENGTH, (uintptr_t)strength);
- }
- else if (ecdsa_len)
- {
- cfg->add(cfg, AUTH_RULE_ECDSA_STRENGTH, (uintptr_t)strength);
- }
- else if (bliss_strength)
- {
- cfg->add(cfg, AUTH_RULE_BLISS_STRENGTH, (uintptr_t)strength);
- }
- }
- rsa_len = ecdsa_len = bliss_strength = FALSE;
- if (strength)
- {
- continue;
- }
- }
- if (streq(token, "rsa"))
- {
- rsa = rsa_len = TRUE;
- continue;
- }
- if (streq(token, "ecdsa"))
- {
- ecdsa = ecdsa_len = TRUE;
- continue;
- }
- if (streq(token, "bliss"))
- {
- bliss = bliss_strength = TRUE;
- continue;
- }
- if (streq(token, "pubkey"))
- {
- continue;
- }
-
- for (i = 0; i < countof(schemes); i++)
- {
- if (streq(schemes[i].name, token))
- {
- /* for each matching string, allow the scheme, if:
- * - it is an RSA scheme, and we enforced RSA
- * - it is an ECDSA scheme, and we enforced ECDSA
- * - it is not a key type specific scheme
- */
- if ((rsa && schemes[i].key == KEY_RSA) ||
- (ecdsa && schemes[i].key == KEY_ECDSA) ||
- (bliss && schemes[i].key == KEY_BLISS) ||
- (!rsa && !ecdsa && !bliss))
- {
- cfg->add(cfg, AUTH_RULE_SIGNATURE_SCHEME,
- (uintptr_t)schemes[i].scheme);
- }
- found = TRUE;
- }
- }
- if (!found)
- {
- DBG1(DBG_CFG, "ignoring invalid auth token: '%s'", token);
- }
- }
- enumerator->destroy(enumerator);
-}
-
-/**
* build authentication config
*/
static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
@@ -619,15 +506,15 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
}
/* authentication metod (class, actually) */
- if (strpfx(auth, "pubkey") ||
+ if (strpfx(auth, "ike:") ||
+ strpfx(auth, "pubkey") ||
strpfx(auth, "rsa") ||
strpfx(auth, "ecdsa") ||
strpfx(auth, "bliss"))
{
cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
build_crl_policy(cfg, local, msg->add_conn.crl_policy);
-
- parse_pubkey_constraints(auth, cfg);
+ cfg->add_pubkey_constraints(cfg, auth, TRUE);
}
else if (streq(auth, "psk") || streq(auth, "secret"))
{
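Review bot: The bare `TRUE` in `cfg->add_pubkey_constraints(cfg, auth, TRUE);` (and the `FALSE` in the EAP hunk that follows) does not say what the flag selects, although this call is what turns the configured `auth` string into signature-scheme and key-strength rules. A short comment at both call sites naming the third argument would make the difference between the pubkey and EAP paths reviewable, for example `/* TRUE: also apply the constraints to IKE signatures - confirm against auth_cfg.h */`. The removed parser logged `ignoring invalid auth token` for unknown tokens; whether the replacement still does is not visible here and is worth confirming, since a silently dropped token leaves a weaker constraint than the administrator configured. build_auth_cfg starts and ends outside this hunk.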
@@ -660,7 +547,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
if (pos)
{
*pos = 0;
- parse_pubkey_constraints(pos + 1, cfg);
+ cfg->add_pubkey_constraints(cfg, pos + 1, FALSE);
}
type = eap_vendor_type_from_string(auth);
if (type)
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
index 5a1a5074d..36da5ff21 100644
--- a/src/libcharon/plugins/stroke/stroke_control.c
+++ b/src/libcharon/plugins/stroke/stroke_control.c
@@ -16,7 +16,6 @@
#include "stroke_control.h"
-#include <hydra.h>
#include <daemon.h>
#include <processing/jobs/delete_ike_sa_job.h>
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index c0192b5c0..0371c7032 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -2,6 +2,9 @@
* Copyright (C) 2008 Martin Willi
* Hochschule fuer Technik Rapperswil
*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
@@ -23,22 +26,12 @@
#include <malloc.h>
#endif /* HAVE_MALLINFO */
-#include <hydra.h>
#include <daemon.h>
#include <collections/linked_list.h>
#include <plugins/plugin.h>
#include <credentials/certificates/x509.h>
-#include <credentials/certificates/ac.h>
-#include <credentials/certificates/crl.h>
-#include <credentials/certificates/pgp_certificate.h>
+#include <credentials/certificates/certificate_printer.h>
#include <config/peer_cfg.h>
-#include <asn1/asn1.h>
-#include <asn1/oid.h>
-
-/* warning intervals for list functions */
-#define CERT_WARNING_INTERVAL 30 /* days */
-#define CRL_WARNING_INTERVAL 7 /* days */
-#define AC_WARNING_INTERVAL 1 /* day */
typedef struct private_stroke_list_t private_stroke_list_t;
@@ -69,6 +62,11 @@ struct private_stroke_list_t {
};
/**
+ * Static certificate printer object
+ */
+static certificate_printer_t *cert_printer = NULL;
+
+/**
* Log tasks of a specific queue to out
*/
static void log_task_q(FILE *out, ike_sa_t *ike_sa, task_queue_t q, char *name)
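Review bot: `cert_printer` is a file-scope mutable pointer that the `list` method (hunks further down) creates on entry and destroys and resets to NULL on exit, while `stroke_list_x509_certs()` and `stroke_list_other_certs()` read it in between. If two list requests can run in parallel (not visible in this diff, but stroke requests arrive over a socket), one call can overwrite or destroy the printer while the other is still printing, giving a use-after-free or output written to the wrong client's `out`. Passing the printer down as a parameter, e.g. `static void stroke_list_other_certs(certificate_printer_t *printer, certificate_type_t type)`, keeps it local to one request and removes the global.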
@@ -139,8 +137,10 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
fprintf(out, "%12s[%d]: %N SPIs: %.16"PRIx64"_i%s %.16"PRIx64"_r%s",
ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
ike_version_names, ike_sa->get_version(ike_sa),
- id->get_initiator_spi(id), id->is_initiator(id) ? "*" : "",
- id->get_responder_spi(id), id->is_initiator(id) ? "" : "*");
+ be64toh(id->get_initiator_spi(id)),
+ id->is_initiator(id) ? "*" : "",
+ be64toh(id->get_responder_spi(id)),
+ id->is_initiator(id) ? "" : "*");
if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
@@ -244,40 +244,36 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
proposal = child_sa->get_proposal(child_sa);
if (proposal)
{
- u_int16_t encr_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED;
- u_int16_t encr_size = 0, int_size = 0;
- u_int16_t esn = NO_EXT_SEQ_NUMBERS;
+ u_int16_t alg, ks;
bool first = TRUE;
- proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
- &encr_alg, &encr_size);
- proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
- &int_alg, &int_size);
- proposal->get_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS,
- &esn, NULL);
-
- if (encr_alg != ENCR_UNDEFINED)
+ if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
+ &alg, &ks) && alg != ENCR_UNDEFINED)
{
- fprintf(out, "%N", encryption_algorithm_names, encr_alg);
+ fprintf(out, "%N", encryption_algorithm_names, alg);
first = FALSE;
- if (encr_size)
+ if (ks)
{
- fprintf(out, "_%u", encr_size);
+ fprintf(out, "_%u", ks);
}
}
- if (int_alg != AUTH_UNDEFINED)
+ if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
+ &alg, &ks) && alg != AUTH_UNDEFINED)
{
- if (!first)
- {
- fprintf(out, "/");
- }
- fprintf(out, "%N", integrity_algorithm_names, int_alg);
- if (int_size)
+ fprintf(out, "%s%N", first ? "" : "/",
+ integrity_algorithm_names, alg);
+ if (ks)
{
- fprintf(out, "_%u", int_size);
+ fprintf(out, "_%u", ks);
}
}
- if (esn == EXT_SEQ_NUMBERS)
+ if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP,
+ &alg, NULL))
+ {
+ fprintf(out, "/%N", diffie_hellman_group_names, alg);
+ }
+ if (proposal->get_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS,
+ &alg, NULL) && alg == EXT_SEQ_NUMBERS)
{
fprintf(out, "/ESN");
}
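Review bot: The new Diffie-Hellman branch prints `"/%N"` unconditionally and the integrity branch never clears `first`, so the separator is only right when an earlier branch has already printed something. A proposal that carries a DH group but no encryption or integrity algorithm would be rendered with a leading `/`. Reusing the pattern from the integrity line keeps the three branches uniform: `fprintf(out, "%s%N", first ? "" : "/", diffie_hellman_group_names, alg);` followed by `first = FALSE;`, with the same `first = FALSE;` added after the integrity print. log_child_sa's body starts and ends outside this hunk.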
@@ -538,8 +534,8 @@ METHOD(stroke_list_t, status, void,
}
enumerator->destroy(enumerator);
- enumerator = hydra->kernel_interface->create_address_enumerator(
- hydra->kernel_interface, ADDR_TYPE_REGULAR);
+ enumerator = charon->kernel->create_address_enumerator(charon->kernel,
+ ADDR_TYPE_REGULAR);
fprintf(out, "Listening IP addresses:\n");
while (enumerator->enumerate(enumerator, (void**)&host))
{
@@ -738,14 +734,20 @@ static linked_list_t* create_unique_cert_list(certificate_type_t type)
}
/**
- * Print a single public key.
+ * Is there a matching private key?
*/
-static void list_public_key(public_key_t *public, FILE *out)
+static bool has_privkey(certificate_t *cert)
{
+ public_key_t *public;
private_key_t *private = NULL;
chunk_t keyid;
identification_t *id;
+ public = cert->get_public_key(cert);
+ if (!public)
+ {
+ return FALSE;
+ }
if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid))
{
id = identification_create_from_encoding(ID_KEY_ID, keyid);
@@ -753,521 +755,56 @@ static void list_public_key(public_key_t *public, FILE *out)
public->get_type(public), id, NULL);
id->destroy(id);
}
-
- fprintf(out, " pubkey: %N %d bits%s\n",
- key_type_names, public->get_type(public),
- public->get_keysize(public),
- private ? ", has private key" : "");
- if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
- {
- fprintf(out, " keyid: %#B\n", &keyid);
- }
- if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid))
- {
- fprintf(out, " subjkey: %#B\n", &keyid);
- }
+ public->destroy(public);
DESTROY_IF(private);
-}
-
-/**
- * list all raw public keys
- */
-static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
-{
- bool first = TRUE;
- time_t now = time(NULL), notBefore, notAfter;
- enumerator_t *enumerator;
- certificate_t *cert;
-
- enumerator = list->create_enumerator(list);
- while (enumerator->enumerate(enumerator, (void**)&cert))
- {
- identification_t *subject = cert->get_subject(cert);
- public_key_t *public = cert->get_public_key(cert);
-
- if (public)
- {
- if (first)
- {
- fprintf(out, "\n");
- fprintf(out, "List of Raw Public Keys:\n");
- first = FALSE;
- }
- fprintf(out, "\n");
-
- /* list subject if available */
- if (subject->get_type(subject) != ID_KEY_ID)
- {
- fprintf(out, " subject: %#Y\n", subject);
- }
-
- /* list validity if available*/
- cert->get_validity(cert, &now, &notBefore, &notAfter);
- if (notBefore != UNDEFINED_TIME && notAfter != UNDEFINED_TIME)
- {
- fprintf(out, " validity: not before %T, ", &notBefore, utc);
- if (now < notBefore)
- {
- fprintf(out, "not valid yet (valid in %V)\n", &now, &notBefore);
- }
- else
- {
- fprintf(out, "ok\n");
- }
- fprintf(out, " not after %T, ", &notAfter, utc);
- if (now > notAfter)
- {
- fprintf(out, "expired (%V ago)\n", &now, &notAfter);
- }
- else
- {
- fprintf(out, "ok");
- if (now > notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24)
- {
- fprintf(out, " (expires in %V)", &now, &notAfter);
- }
- fprintf(out, " \n");
- }
- }
-
- list_public_key(public, out);
- public->destroy(public);
- }
- }
- enumerator->destroy(enumerator);
-}
-
-/**
- * list OpenPGP certificates
- */
-static void stroke_list_pgp(linked_list_t *list,bool utc, FILE *out)
-{
- bool first = TRUE;
- time_t now = time(NULL);
- enumerator_t *enumerator = list->create_enumerator(list);
- certificate_t *cert;
-
- while (enumerator->enumerate(enumerator, (void**)&cert))
- {
- time_t created, until;
- public_key_t *public;
- pgp_certificate_t *pgp_cert = (pgp_certificate_t*)cert;
- chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert);
-
- if (first)
- {
- fprintf(out, "\n");
- fprintf(out, "List of PGP End Entity Certificates:\n");
- first = FALSE;
- }
- fprintf(out, "\n");
- fprintf(out, " userid: '%Y'\n", cert->get_subject(cert));
-
- fprintf(out, " digest: %#B\n", &fingerprint);
-
- /* list validity */
- cert->get_validity(cert, &now, &created, &until);
- fprintf(out, " created: %T\n", &created, utc);
- fprintf(out, " until: %T%s\n", &until, utc,
- (until == TIME_32_BIT_SIGNED_MAX) ? " (expires never)":"");
-
- public = cert->get_public_key(cert);
- if (public)
- {
- list_public_key(public, out);
- public->destroy(public);
- }
- }
- enumerator->destroy(enumerator);
+ return (private != NULL);
}
/**
* list all X.509 certificates matching the flags
*/
-static void stroke_list_certs(linked_list_t *list, char *label,
- x509_flag_t flags, bool utc, FILE *out)
+static void stroke_list_x509_certs(linked_list_t *list, x509_flag_t flag)
{
- bool first = TRUE;
- time_t now = time(NULL);
enumerator_t *enumerator;
certificate_t *cert;
- x509_flag_t flag_mask;
-
- /* mask all auxiliary flags */
- flag_mask = ~(X509_SERVER_AUTH | X509_CLIENT_AUTH | X509_IKE_INTERMEDIATE |
- X509_SELF_SIGNED | X509_IP_ADDR_BLOCKS);
enumerator = list->create_enumerator(list);
while (enumerator->enumerate(enumerator, (void**)&cert))
{
x509_t *x509 = (x509_t*)cert;
- x509_flag_t x509_flags = x509->get_flags(x509) & flag_mask;
+ x509_flag_t flags = x509->get_flags(x509) & X509_ANY;
/* list only if flag is set or flag == 0 */
- if ((x509_flags & flags) || (x509_flags == flags))
+ if ((flags & flag) || flags == flag)
{
- enumerator_t *enumerator;
- identification_t *altName;
- bool first_altName = TRUE;
- u_int pathlen;
- chunk_t serial, authkey;
- time_t notBefore, notAfter;
- public_key_t *public;
-
- if (first)
- {
- fprintf(out, "\n");
- fprintf(out, "List of %s:\n", label);
- first = FALSE;
- }
- fprintf(out, "\n");
-
- /* list subjectAltNames */
- enumerator = x509->create_subjectAltName_enumerator(x509);
- while (enumerator->enumerate(enumerator, (void**)&altName))
- {
- if (first_altName)
- {
- fprintf(out, " altNames: ");
- first_altName = FALSE;
- }
- else
- {
- fprintf(out, ", ");
- }
- fprintf(out, "%Y", altName);
- }
- if (!first_altName)
- {
- fprintf(out, "\n");
- }
- enumerator->destroy(enumerator);
-
- fprintf(out, " subject: \"%Y\"\n", cert->get_subject(cert));
- fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert));
- serial = chunk_skip_zero(x509->get_serial(x509));
- fprintf(out, " serial: %#B\n", &serial);
-
- /* list validity */
- cert->get_validity(cert, &now, &notBefore, &notAfter);
- fprintf(out, " validity: not before %T, ", &notBefore, utc);
- if (now < notBefore)
- {
- fprintf(out, "not valid yet (valid in %V)\n", &now, &notBefore);
- }
- else
- {
- fprintf(out, "ok\n");
- }
- fprintf(out, " not after %T, ", &notAfter, utc);
- if (now > notAfter)
- {
- fprintf(out, "expired (%V ago)\n", &now, &notAfter);
- }
- else
- {
- fprintf(out, "ok");
- if (now > notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24)
- {
- fprintf(out, " (expires in %V)", &now, &notAfter);
- }
- fprintf(out, " \n");
- }
-
- public = cert->get_public_key(cert);
- if (public)
- {
- list_public_key(public, out);
- public->destroy(public);
- }
-
- /* list optional authorityKeyIdentifier */
- authkey = x509->get_authKeyIdentifier(x509);
- if (authkey.ptr)
- {
- fprintf(out, " authkey: %#B\n", &authkey);
- }
-
- /* list optional pathLenConstraint */
- pathlen = x509->get_constraint(x509, X509_PATH_LEN);
- if (pathlen != X509_NO_CONSTRAINT)
- {
- fprintf(out, " pathlen: %u\n", pathlen);
- }
-
- /* list optional ipAddrBlocks */
- if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
- {
- traffic_selector_t *ipAddrBlock;
- bool first_ipAddrBlock = TRUE;
-
- fprintf(out, " addresses: ");
- enumerator = x509->create_ipAddrBlock_enumerator(x509);
- while (enumerator->enumerate(enumerator, &ipAddrBlock))
- {
- if (first_ipAddrBlock)
- {
- first_ipAddrBlock = FALSE;
- }
- else
- {
- fprintf(out, ", ");
- }
- fprintf(out, "%R", ipAddrBlock);
- }
- enumerator->destroy(enumerator);
- fprintf(out, "\n");
- }
+ cert_printer->print_caption(cert_printer, CERT_X509, flag);
+ cert_printer->print(cert_printer, cert, has_privkey(cert));
}
}
enumerator->destroy(enumerator);
}
/**
- * list all X.509 attribute certificates
+ * list all other certificates types
*/
-static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
+static void stroke_list_other_certs(certificate_type_t type)
{
- bool first = TRUE;
- time_t notBefore, notAfter, now = time(NULL);
enumerator_t *enumerator;
certificate_t *cert;
+ linked_list_t *list;
+
+ list = create_unique_cert_list(type);
enumerator = list->create_enumerator(list);
while (enumerator->enumerate(enumerator, &cert))
{
- ac_t *ac = (ac_t*)cert;
- ac_group_type_t type;
- identification_t *id;
- enumerator_t *groups;
- chunk_t chunk;
- bool firstgroup = TRUE;
-
- if (first)
- {
- fprintf(out, "\n");
- fprintf(out, "List of X.509 Attribute Certificates:\n");
- first = FALSE;
- }
- fprintf(out, "\n");
-
- id = cert->get_subject(cert);
- if (id)
- {
- fprintf(out, " holder: \"%Y\"\n", id);
- }
- id = ac->get_holderIssuer(ac);
- if (id)
- {
- fprintf(out, " hissuer: \"%Y\"\n", id);
- }
- chunk = chunk_skip_zero(ac->get_holderSerial(ac));
- if (chunk.ptr)
- {
- fprintf(out, " hserial: %#B\n", &chunk);
- }
- groups = ac->create_group_enumerator(ac);
- while (groups->enumerate(groups, &type, &chunk))
- {
- int oid;
- char *str;
-
- if (firstgroup)
- {
- fprintf(out, " groups: ");
- firstgroup = FALSE;
- }
- else
- {
- fprintf(out, " ");
- }
- switch (type)
- {
- case AC_GROUP_TYPE_STRING:
- fprintf(out, "%.*s", (int)chunk.len, chunk.ptr);
- break;
- case AC_GROUP_TYPE_OID:
- oid = asn1_known_oid(chunk);
- if (oid == OID_UNKNOWN)
- {
- str = asn1_oid_to_string(chunk);
- if (str)
- {
- fprintf(out, "%s", str);
- free(str);
- }
- else
- {
- fprintf(out, "OID:%#B", &chunk);
- }
- }
- else
- {
- fprintf(out, "%s", oid_names[oid].name);
- }
- break;
- case AC_GROUP_TYPE_OCTETS:
- fprintf(out, "%#B", &chunk);
- break;
- }
- fprintf(out, "\n");
- }
- groups->destroy(groups);
- fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert));
- chunk = chunk_skip_zero(ac->get_serial(ac));
- fprintf(out, " serial: %#B\n", &chunk);
-
- /* list validity */
- cert->get_validity(cert, &now, &notBefore, &notAfter);
- fprintf(out, " validity: not before %T, ", &notBefore, utc);
- if (now < notBefore)
- {
- fprintf(out, "not valid yet (valid in %V)\n", &now, &notBefore);
- }
- else
- {
- fprintf(out, "ok\n");
- }
- fprintf(out, " not after %T, ", &notAfter, utc);
- if (now > notAfter)
- {
- fprintf(out, "expired (%V ago)\n", &now, &notAfter);
- }
- else
- {
- fprintf(out, "ok");
- if (now > notAfter - AC_WARNING_INTERVAL * 60 * 60 * 24)
- {
- fprintf(out, " (expires in %V)", &now, &notAfter);
- }
- fprintf(out, " \n");
- }
-
- /* list optional authorityKeyIdentifier */
- chunk = ac->get_authKeyIdentifier(ac);
- if (chunk.ptr)
- {
- fprintf(out, " authkey: %#B\n", &chunk);
- }
+ cert_printer->print_caption(cert_printer, cert->get_type(cert), X509_NONE);
+ cert_printer->print(cert_printer, cert, has_privkey(cert));
}
enumerator->destroy(enumerator);
-}
-
-/**
- * list all X.509 CRLs
- */
-static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
-{
- bool first = TRUE;
- time_t thisUpdate, nextUpdate, now = time(NULL);
- enumerator_t *enumerator = list->create_enumerator(list);
- certificate_t *cert;
- while (enumerator->enumerate(enumerator, (void**)&cert))
- {
- crl_t *crl = (crl_t*)cert;
- chunk_t chunk;
-
- if (first)
- {
- fprintf(out, "\n");
- fprintf(out, "List of X.509 CRLs:\n");
- first = FALSE;
- }
- fprintf(out, "\n");
-
- fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert));
-
- /* list optional crlNumber */
- chunk = chunk_skip_zero(crl->get_serial(crl));
- if (chunk.ptr)
- {
- fprintf(out, " serial: %#B\n", &chunk);
- }
- if (crl->is_delta_crl(crl, &chunk))
- {
- chunk = chunk_skip_zero(chunk);
- fprintf(out, " delta for: %#B\n", &chunk);
- }
-
- /* count the number of revoked certificates */
- {
- int count = 0;
- enumerator_t *enumerator = crl->create_enumerator(crl);
-
- while (enumerator->enumerate(enumerator, NULL, NULL, NULL))
- {
- count++;
- }
- fprintf(out, " revoked: %d certificate%s\n", count,
- (count == 1)? "" : "s");
- enumerator->destroy(enumerator);
- }
-
- /* list validity */
- cert->get_validity(cert, &now, &thisUpdate, &nextUpdate);
- fprintf(out, " updates: this %T\n", &thisUpdate, utc);
- fprintf(out, " next %T, ", &nextUpdate, utc);
- if (now > nextUpdate)
- {
- fprintf(out, "expired (%V ago)\n", &now, &nextUpdate);
- }
- else
- {
- fprintf(out, "ok");
- if (now > nextUpdate - CRL_WARNING_INTERVAL * 60 * 60 * 24)
- {
- fprintf(out, " (expires in %V)", &now, &nextUpdate);
- }
- fprintf(out, " \n");
- }
-
- /* list optional authorityKeyIdentifier */
- chunk = crl->get_authKeyIdentifier(crl);
- if (chunk.ptr)
- {
- fprintf(out, " authkey: %#B\n", &chunk);
- }
- }
- enumerator->destroy(enumerator);
-}
-
-/**
- * list all OCSP responses
- */
-static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out)
-{
- bool first = TRUE, ok;
- enumerator_t *enumerator = list->create_enumerator(list);
- certificate_t *cert;
- time_t produced, usable, now = time(NULL);
-
- while (enumerator->enumerate(enumerator, (void**)&cert))
- {
- if (first)
- {
- fprintf(out, "\n");
- fprintf(out, "List of OCSP responses:\n");
- fprintf(out, "\n");
- first = FALSE;
- }
- fprintf(out, " signer: \"%Y\"\n", cert->get_issuer(cert));
-
- /* check validity */
- ok = cert->get_validity(cert, &now, &produced, &usable);
- fprintf(out, " validity: produced at %T\n", &produced, utc);
- fprintf(out, " usable till %T, ", &usable, utc);
- if (ok)
- {
- fprintf(out, "ok\n");
- }
- else
- {
- fprintf(out, "expired (%V ago)\n", &now, &usable);
- }
- }
- enumerator->destroy(enumerator);
+ list->destroy_offset(list, offsetof(certificate_t, destroy));
}
/**
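Review bot: `has_privkey()` evaluates `private != NULL` after `DESTROY_IF(private)` has already released the object. Assuming the macro does not reset the pointer (its definition is outside this diff), the return value is computed from a pointer whose target no longer exists, which C treats as an indeterminate value even though it behaves as intended on common compilers. Record the result before releasing the key: `bool found = (private != NULL);` ahead of `DESTROY_IF(private);`, then `return found;`. The function begins in the previous hunk.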
@@ -1439,19 +976,15 @@ METHOD(stroke_list_t, list, void,
{
linked_list_t *cert_list = NULL;
+ cert_printer = certificate_printer_create(out, TRUE, msg->list.utc);
+
if (msg->list.flags & LIST_PUBKEYS)
{
- linked_list_t *pubkey_list = create_unique_cert_list(CERT_TRUSTED_PUBKEY);
-
- stroke_list_pubkeys(pubkey_list, msg->list.utc, out);
- pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy));
+ stroke_list_other_certs(CERT_TRUSTED_PUBKEY);
}
if (msg->list.flags & LIST_CERTS)
{
- linked_list_t *pgp_list = create_unique_cert_list(CERT_GPG);
-
- stroke_list_pgp(pgp_list, msg->list.utc, out);
- pgp_list->destroy_offset(pgp_list, offsetof(certificate_t, destroy));
+ stroke_list_other_certs(CERT_GPG);
}
if (msg->list.flags & (LIST_CERTS | LIST_CACERTS | LIST_OCSPCERTS | LIST_AACERTS))
{
@@ -1459,47 +992,33 @@ METHOD(stroke_list_t, list, void,
}
if (msg->list.flags & LIST_CERTS)
{
- stroke_list_certs(cert_list, "X.509 End Entity Certificates",
- X509_NONE, msg->list.utc, out);
+ stroke_list_x509_certs(cert_list, X509_NONE);
}
if (msg->list.flags & LIST_CACERTS)
{
- stroke_list_certs(cert_list, "X.509 CA Certificates",
- X509_CA, msg->list.utc, out);
+ stroke_list_x509_certs(cert_list, X509_CA);
}
if (msg->list.flags & LIST_OCSPCERTS)
{
- stroke_list_certs(cert_list, "X.509 OCSP Signer Certificates",
- X509_OCSP_SIGNER, msg->list.utc, out);
+ stroke_list_x509_certs(cert_list, X509_OCSP_SIGNER);
}
if (msg->list.flags & LIST_AACERTS)
{
- stroke_list_certs(cert_list, "X.509 AA Certificates",
- X509_AA, msg->list.utc, out);
+ stroke_list_x509_certs(cert_list, X509_AA);
}
DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy));
if (msg->list.flags & LIST_ACERTS)
{
- linked_list_t *ac_list = create_unique_cert_list(CERT_X509_AC);
-
- stroke_list_acerts(ac_list, msg->list.utc, out);
- ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy));
+ stroke_list_other_certs(CERT_X509_AC);
}
if (msg->list.flags & LIST_CRLS)
{
- linked_list_t *crl_list = create_unique_cert_list(CERT_X509_CRL);
-
- stroke_list_crls(crl_list, msg->list.utc, out);
- crl_list->destroy_offset(crl_list, offsetof(certificate_t, destroy));
+ stroke_list_other_certs(CERT_X509_CRL);
}
if (msg->list.flags & LIST_OCSP)
{
- linked_list_t *ocsp_list = create_unique_cert_list(CERT_X509_OCSP_RESPONSE);
-
- stroke_list_ocsp(ocsp_list, msg->list.utc, out);
-
- ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy));
+ stroke_list_other_certs(CERT_X509_OCSP_RESPONSE);
}
if (msg->list.flags & LIST_ALGS)
{
@@ -1509,6 +1028,8 @@ METHOD(stroke_list_t, list, void,
{
list_plugins(out);
}
+ cert_printer->destroy(cert_printer);
+ cert_printer = NULL;
}
/**
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 29563e32f..ee32dbca2 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -590,17 +590,10 @@ static void stroke_loglevel(private_stroke_socket_t *this,
fprintf(out, "command not allowed!\n");
return;
}
- if (strcaseeq(msg->loglevel.type, "any"))
+ if (!enum_from_name(debug_names, msg->loglevel.type, &group))
{
- group = DBG_ANY;
- }
- else
- {
- if (!enum_from_name(debug_names, msg->loglevel.type, &group))
- {
- fprintf(out, "unknown type '%s'!\n", msg->loglevel.type);
- return;
- }
+ fprintf(out, "unknown type '%s'!\n", msg->loglevel.type);
+ return;
}
charon->set_level(charon, group, msg->loglevel.level);
}
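Review bot: With the `strcaseeq(msg->loglevel.type, "any")` branch removed, `any` is accepted only if `debug_names` now has an entry for `DBG_ANY` and `enum_from_name()` matches case-insensitively; neither is visible in this diff. If either assumption fails, the request falls into the `unknown type` path and operators lose the way to set all log groups at once. A one-line comment above the lookup, e.g. `/* "any" is resolved through debug_names like every other group */`, together with a test for `any` and `ANY`, would pin the behaviour. stroke_loglevel's body starts outside this hunk.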