diff options
| author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2009-06-23 11:25:24 +0000 |
|---|---|---|
| committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2009-06-23 11:25:24 +0000 |
| commit | 41787e147279ff0695e9d759487266a60b80867b (patch) | |
| tree | 8f28566c8fd7106c80d2536d2df540dbb4499cc5 /src/pluto/rcv_whack.c | |
| parent | c3e7f611ea8273c6b3909cb006ade4903a74aad0 (diff) | |
| download | vyos-strongswan-41787e147279ff0695e9d759487266a60b80867b.tar.gz vyos-strongswan-41787e147279ff0695e9d759487266a60b80867b.zip | |
[svn-upgrade] Integrating new upstream version, strongswan (4.3.2)
Diffstat (limited to 'src/pluto/rcv_whack.c')
| -rw-r--r-- | src/pluto/rcv_whack.c | 1013 |
1 files changed, 506 insertions, 507 deletions
diff --git a/src/pluto/rcv_whack.c b/src/pluto/rcv_whack.c index 00fed63ea..013deb446 100644 --- a/src/pluto/rcv_whack.c +++ b/src/pluto/rcv_whack.c @@ -11,8 +11,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * RCSID $Id: rcv_whack.c 3252 2007-10-06 21:24:50Z andreas $ */ #include <stdio.h> @@ -27,7 +25,7 @@ #include <netinet/in.h> #include <arpa/inet.h> #include <resolv.h> -#include <arpa/nameser.h> /* missing from <resolv.h> on old systems */ +#include <arpa/nameser.h> /* missing from <resolv.h> on old systems */ #include <sys/queue.h> #include <fcntl.h> @@ -42,17 +40,17 @@ #include "smartcard.h" #include "connections.h" #include "foodgroups.h" -#include "whack.h" /* needs connections.h */ +#include "whack.h" /* needs connections.h */ #include "packet.h" -#include "demux.h" /* needs packet.h */ +#include "demux.h" /* needs packet.h */ #include "state.h" -#include "ipsec_doi.h" /* needs demux.h and state.h */ +#include "ipsec_doi.h" /* needs demux.h and state.h */ #include "kernel.h" #include "rcv_whack.h" #include "log.h" #include "keys.h" -#include "adns.h" /* needs <resolv.h> */ -#include "dnskey.h" /* needs keys.h and adns.h */ +#include "adns.h" /* needs <resolv.h> */ +#include "dnskey.h" /* needs keys.h and adns.h */ #include "server.h" #include "fetch.h" #include "ocsp.h" @@ -63,186 +61,186 @@ /* helper variables and function to decode strings from whack message */ static char *next_str - , *str_roof; + , *str_roof; static bool unpack_str(char **p) { - char *end = memchr(next_str, '\0', str_roof - next_str); - - if (end == NULL) - { - return FALSE; /* fishy: no end found */ - } - else - { - *p = next_str == end? NULL : next_str; - next_str = end + 1; - return TRUE; - } + char *end = memchr(next_str, '\0', str_roof - next_str); + + if (end == NULL) + { + return FALSE; /* fishy: no end found */ + } + else + { + *p = next_str == end? NULL : next_str; + next_str = end + 1; + return TRUE; + } } /* bits loading keys from asynchronous DNS */ enum key_add_attempt { - ka_TXT, + ka_TXT, #ifdef USE_KEYRR - ka_KEY, + ka_KEY, #endif - ka_roof /* largest value + 1 */ + ka_roof /* largest value + 1 */ }; struct key_add_common { - int refCount; - char *diag[ka_roof]; - int whack_fd; - bool success; + int refCount; + char *diag[ka_roof]; + int whack_fd; + bool success; }; struct key_add_continuation { - struct adns_continuation ac; /* common prefix */ - struct key_add_common *common; /* common data */ - enum key_add_attempt lookingfor; + struct adns_continuation ac; /* common prefix */ + struct key_add_common *common; /* common data */ + enum key_add_attempt lookingfor; }; static void key_add_ugh(const struct id *keyid, err_t ugh) { - char name[BUF_LEN]; /* longer IDs will be truncated in message */ + char name[BUF_LEN]; /* longer IDs will be truncated in message */ - (void)idtoa(keyid, name, sizeof(name)); - loglog(RC_NOKEY - , "failure to fetch key for %s from DNS: %s", name, ugh); + (void)idtoa(keyid, name, sizeof(name)); + loglog(RC_NOKEY + , "failure to fetch key for %s from DNS: %s", name, ugh); } /* last one out: turn out the lights */ static void key_add_merge(struct key_add_common *oc, const struct id *keyid) { - if (oc->refCount == 0) - { - enum key_add_attempt kaa; - - /* if no success, print all diagnostics */ - if (!oc->success) - for (kaa = ka_TXT; kaa != ka_roof; kaa++) - key_add_ugh(keyid, oc->diag[kaa]); + if (oc->refCount == 0) + { + enum key_add_attempt kaa; - for (kaa = ka_TXT; kaa != ka_roof; kaa++) - pfreeany(oc->diag[kaa]); + /* if no success, print all diagnostics */ + if (!oc->success) + for (kaa = ka_TXT; kaa != ka_roof; kaa++) + key_add_ugh(keyid, oc->diag[kaa]); - close(oc->whack_fd); - pfree(oc); - } + for (kaa = ka_TXT; kaa != ka_roof; kaa++) + { + free(oc->diag[kaa]); + } + close(oc->whack_fd); + free(oc); + } } static void key_add_continue(struct adns_continuation *ac, err_t ugh) { - struct key_add_continuation *kc = (void *) ac; - struct key_add_common *oc = kc->common; - - passert(whack_log_fd == NULL_FD); - whack_log_fd = oc->whack_fd; - - if (ugh != NULL) - { - oc->diag[kc->lookingfor] = clone_str(ugh, "key add error"); - } - else - { - oc->success = TRUE; - transfer_to_public_keys(kc->ac.gateways_from_dns + struct key_add_continuation *kc = (void *) ac; + struct key_add_common *oc = kc->common; + + passert(whack_log_fd == NULL_FD); + whack_log_fd = oc->whack_fd; + + if (ugh != NULL) + { + oc->diag[kc->lookingfor] = clone_str(ugh); + } + else + { + oc->success = TRUE; + transfer_to_public_keys(kc->ac.gateways_from_dns #ifdef USE_KEYRR - , &kc->ac.keys_from_dns + , &kc->ac.keys_from_dns #endif /* USE_KEYRR */ - ); - } + ); + } - oc->refCount--; - key_add_merge(oc, &ac->id); - whack_log_fd = NULL_FD; + oc->refCount--; + key_add_merge(oc, &ac->id); + whack_log_fd = NULL_FD; } static void key_add_request(const whack_message_t *msg) { - struct id keyid; - err_t ugh = atoid(msg->keyid, &keyid, FALSE); - - if (ugh != NULL) - { - loglog(RC_BADID, "bad --keyid \"%s\": %s", msg->keyid, ugh); - } - else - { - if (!msg->whack_addkey) - delete_public_keys(&keyid, msg->pubkey_alg - , empty_chunk, empty_chunk); - - if (msg->keyval.len == 0) - { - struct key_add_common *oc - = alloc_thing(struct key_add_common - , "key add common things"); - enum key_add_attempt kaa; - - /* initialize state shared by queries */ - oc->refCount = 0; - oc->whack_fd = dup_any(whack_log_fd); - oc->success = FALSE; - - for (kaa = ka_TXT; kaa != ka_roof; kaa++) - { - struct key_add_continuation *kc - = alloc_thing(struct key_add_continuation - , "key add continuation"); - - oc->diag[kaa] = NULL; - oc->refCount++; - kc->common = oc; - kc->lookingfor = kaa; - switch (kaa) + struct id keyid; + err_t ugh = atoid(msg->keyid, &keyid, FALSE); + + if (ugh != NULL) + { + loglog(RC_BADID, "bad --keyid \"%s\": %s", msg->keyid, ugh); + } + else + { + if (!msg->whack_addkey) + delete_public_keys(&keyid, msg->pubkey_alg + , chunk_empty, chunk_empty); + + if (msg->keyval.len == 0) { - case ka_TXT: - ugh = start_adns_query(&keyid - , &keyid /* same */ - , T_TXT - , key_add_continue - , &kc->ac); - break; + struct key_add_common *oc = malloc_thing(struct key_add_common); + enum key_add_attempt kaa; + + /* initialize state shared by queries */ + oc->refCount = 0; + oc->whack_fd = dup_any(whack_log_fd); + oc->success = FALSE; + + for (kaa = ka_TXT; kaa != ka_roof; kaa++) + { + struct key_add_continuation *kc; + + oc->diag[kaa] = NULL; + oc->refCount++; + kc = malloc_thing(struct key_add_continuation); + kc->common = oc; + kc->lookingfor = kaa; + + switch (kaa) + { + case ka_TXT: + ugh = start_adns_query(&keyid + , &keyid /* same */ + , T_TXT + , key_add_continue + , &kc->ac); + break; #ifdef USE_KEYRR - case ka_KEY: - ugh = start_adns_query(&keyid - , NULL - , T_KEY - , key_add_continue - , &kc->ac); - break; + case ka_KEY: + ugh = start_adns_query(&keyid + , NULL + , T_KEY + , key_add_continue + , &kc->ac); + break; #endif /* USE_KEYRR */ - default: - bad_case(kaa); /* suppress gcc warning */ + default: + bad_case(kaa); /* suppress gcc warning */ + } + if (ugh != NULL) + { + oc->diag[kaa] = clone_str(ugh); + oc->refCount--; + } + } + + /* Done launching queries. + * Handle total failure case. + */ + key_add_merge(oc, &keyid); } - if (ugh != NULL) + else { - oc->diag[kaa] = clone_str(ugh, "early key add failure"); - oc->refCount--; + if (!add_public_key(&keyid, DAL_LOCAL, msg->pubkey_alg, msg->keyval, + &pubkeys)) + { + loglog(RC_LOG_SERIOUS, "failed to add public key"); + } } - } - - /* Done launching queries. - * Handle total failure case. - */ - key_add_merge(oc, &keyid); } - else - { - ugh = add_public_key(&keyid, DAL_LOCAL, msg->pubkey_alg - , &msg->keyval, &pubkeys); - if (ugh != NULL) - loglog(RC_LOG_SERIOUS, "%s", ugh); - } - } } /* Handle a kernel request. Supposedly, there's a message in @@ -251,430 +249,431 @@ key_add_request(const whack_message_t *msg) void whack_handle(int whackctlfd) { - whack_message_t msg; - struct sockaddr_un whackaddr; - int whackaddrlen = sizeof(whackaddr); - int whackfd = accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen); - /* Note: actual value in n should fit in int. To print, cast to int. */ - ssize_t n; - - if (whackfd < 0) - { - log_errno((e, "accept() failed in whack_handle()")); - return; - } - if (fcntl(whackfd, F_SETFD, FD_CLOEXEC) < 0) - { - log_errno((e, "failed to set CLOEXEC in whack_handle()")); - close(whackfd); - return; - } + whack_message_t msg; + struct sockaddr_un whackaddr; + int whackaddrlen = sizeof(whackaddr); + int whackfd = accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen); + /* Note: actual value in n should fit in int. To print, cast to int. */ + ssize_t n; + + if (whackfd < 0) + { + log_errno((e, "accept() failed in whack_handle()")); + return; + } + if (fcntl(whackfd, F_SETFD, FD_CLOEXEC) < 0) + { + log_errno((e, "failed to set CLOEXEC in whack_handle()")); + close(whackfd); + return; + } - n = read(whackfd, &msg, sizeof(msg)); + n = read(whackfd, &msg, sizeof(msg)); - if (n == -1) - { - log_errno((e, "read() failed in whack_handle()")); - close(whackfd); - return; - } + if (n == -1) + { + log_errno((e, "read() failed in whack_handle()")); + close(whackfd); + return; + } - whack_log_fd = whackfd; + whack_log_fd = whackfd; - /* sanity check message */ - { - err_t ugh = NULL; + /* sanity check message */ + { + err_t ugh = NULL; - next_str = msg.string; - str_roof = (char *)&msg + n; + next_str = msg.string; + str_roof = (char *)&msg + n; - if ((size_t)n < offsetof(whack_message_t, whack_shutdown) + sizeof(msg.whack_shutdown)) + if ((size_t)n < offsetof(whack_message_t, whack_shutdown) + sizeof(msg.whack_shutdown)) + { + ugh = builddiag("ignoring runt message from whack: got %d bytes", (int)n); + } + else if (msg.magic != WHACK_MAGIC) + { + if (msg.magic == WHACK_BASIC_MAGIC) + { + /* Only shutdown command. Simpler inter-version compatability. */ + if (msg.whack_shutdown) + { + plog("shutting down"); + exit_pluto(0); /* delete lock and leave, with 0 status */ + } + ugh = ""; /* bail early, but without complaint */ + } + else + { + ugh = builddiag("ignoring message from whack with bad magic %d; should be %d; probably wrong version" + , msg.magic, WHACK_MAGIC); + } + } + else if (next_str > str_roof) + { + ugh = builddiag("ignoring truncated message from whack: got %d bytes; expected %u" + , (int) n, (unsigned) sizeof(msg)); + } + else if (!unpack_str(&msg.name) /* string 1 */ + || !unpack_str(&msg.left.id) /* string 2 */ + || !unpack_str(&msg.left.cert) /* string 3 */ + || !unpack_str(&msg.left.ca) /* string 4 */ + || !unpack_str(&msg.left.groups) /* string 5 */ + || !unpack_str(&msg.left.updown) /* string 6 */ + || !unpack_str(&msg.left.virt) /* string 7 */ + || !unpack_str(&msg.right.id) /* string 8 */ + || !unpack_str(&msg.right.cert) /* string 9 */ + || !unpack_str(&msg.right.ca) /* string 10 */ + || !unpack_str(&msg.right.groups) /* string 11 */ + || !unpack_str(&msg.right.updown) /* string 12 */ + || !unpack_str(&msg.right.virt) /* string 13 */ + || !unpack_str(&msg.keyid) /* string 14 */ + || !unpack_str(&msg.myid) /* string 15 */ + || !unpack_str(&msg.cacert) /* string 16 */ + || !unpack_str(&msg.ldaphost) /* string 17 */ + || !unpack_str(&msg.ldapbase) /* string 18 */ + || !unpack_str(&msg.crluri) /* string 19 */ + || !unpack_str(&msg.crluri2) /* string 20 */ + || !unpack_str(&msg.ocspuri) /* string 21 */ + || !unpack_str(&msg.ike) /* string 22 */ + || !unpack_str(&msg.esp) /* string 23 */ + || !unpack_str(&msg.sc_data) /* string 24 */ + || str_roof - next_str != (ptrdiff_t)msg.keyval.len) /* check chunk */ + { + ugh = "message from whack contains bad string"; + } + else + { + msg.keyval.ptr = next_str; /* grab chunk */ + } + + if (ugh != NULL) + { + if (*ugh != '\0') + loglog(RC_BADWHACKMESSAGE, "%s", ugh); + whack_log_fd = NULL_FD; + close(whackfd); + return; + } + } + + if (msg.whack_options) { - ugh = builddiag("ignoring runt message from whack: got %d bytes", (int)n); +#ifdef DEBUG + if (msg.name == NULL) + { + /* we do a two-step so that if either old or new would + * cause the message to print, it will be printed. + */ + cur_debugging |= msg.debugging; + DBG(DBG_CONTROL + , DBG_log("base debugging = %s" + , bitnamesof(debug_bit_names, msg.debugging))); + cur_debugging = base_debugging = msg.debugging; + } + else if (!msg.whack_connection) + { + struct connection *c = con_by_name(msg.name, TRUE); + + if (c != NULL) + { + c->extra_debugging = msg.debugging; + DBG(DBG_CONTROL + , DBG_log("\"%s\" extra_debugging = %s" + , c->name + , bitnamesof(debug_bit_names, c->extra_debugging))); + } + } +#endif + } + + if (msg.whack_myid) + set_myid(MYID_SPECIFIED, msg.myid); + + /* Deleting combined with adding a connection works as replace. + * To make this more useful, in only this combination, + * delete will silently ignore the lack of the connection. + */ + if (msg.whack_delete) + { + if (msg.whack_ca) + find_ca_info_by_name(msg.name, TRUE); + else + delete_connections_by_name(msg.name, !msg.whack_connection); } - else if (msg.magic != WHACK_MAGIC) + + if (msg.whack_deletestate) { - if (msg.magic == WHACK_BASIC_MAGIC) - { - /* Only shutdown command. Simpler inter-version compatability. */ - if (msg.whack_shutdown) + struct state *st = state_with_serialno(msg.whack_deletestateno); + + if (st == NULL) + { + loglog(RC_UNKNOWN_NAME, "no state #%lu to delete" + , msg.whack_deletestateno); + } + else { - plog("shutting down"); - exit_pluto(0); /* delete lock and leave, with 0 status */ + delete_state(st); } - ugh = ""; /* bail early, but without complaint */ - } - else - { - ugh = builddiag("ignoring message from whack with bad magic %d; should be %d; probably wrong version" - , msg.magic, WHACK_MAGIC); - } - } - else if (next_str > str_roof) - { - ugh = builddiag("ignoring truncated message from whack: got %d bytes; expected %u" - , (int) n, (unsigned) sizeof(msg)); - } - else if (!unpack_str(&msg.name) /* string 1 */ - || !unpack_str(&msg.left.id) /* string 2 */ - || !unpack_str(&msg.left.cert) /* string 3 */ - || !unpack_str(&msg.left.ca) /* string 4 */ - || !unpack_str(&msg.left.groups) /* string 5 */ - || !unpack_str(&msg.left.updown) /* string 6 */ - || !unpack_str(&msg.left.virt) /* string 7 */ - || !unpack_str(&msg.right.id) /* string 8 */ - || !unpack_str(&msg.right.cert) /* string 9 */ - || !unpack_str(&msg.right.ca) /* string 10 */ - || !unpack_str(&msg.right.groups) /* string 11 */ - || !unpack_str(&msg.right.updown) /* string 12 */ - || !unpack_str(&msg.right.virt) /* string 13 */ - || !unpack_str(&msg.keyid) /* string 14 */ - || !unpack_str(&msg.myid) /* string 15 */ - || !unpack_str(&msg.cacert) /* string 16 */ - || !unpack_str(&msg.ldaphost) /* string 17 */ - || !unpack_str(&msg.ldapbase) /* string 18 */ - || !unpack_str(&msg.crluri) /* string 19 */ - || !unpack_str(&msg.crluri2) /* string 20 */ - || !unpack_str(&msg.ocspuri) /* string 21 */ - || !unpack_str(&msg.ike) /* string 22 */ - || !unpack_str(&msg.esp) /* string 23 */ - || !unpack_str(&msg.sc_data) /* string 24 */ - || str_roof - next_str != (ptrdiff_t)msg.keyval.len) /* check chunk */ - { - ugh = "message from whack contains bad string"; } - else + + if (msg.whack_crash) + delete_states_by_peer(&msg.whack_crash_peer); + + if (msg.whack_connection) + add_connection(&msg); + + if (msg.whack_ca && msg.cacert != NULL) + add_ca_info(&msg); + + /* process "listen" before any operation that could require it */ + if (msg.whack_listen) + { + close_peerlog(); /* close any open per-peer logs */ + plog("listening for IKE messages"); + listening = TRUE; + daily_log_reset(); + reset_adns_restart_count(); + set_myFQDN(); + find_ifaces(); + load_preshared_secrets(NULL_FD); + load_groups(); + } + if (msg.whack_unlisten) { - msg.keyval.ptr = next_str; /* grab chunk */ + plog("no longer listening for IKE messages"); + listening = FALSE; } - if (ugh != NULL) + if (msg.whack_reread & REREAD_SECRETS) { - if (*ugh != '\0') - loglog(RC_BADWHACKMESSAGE, "%s", ugh); - whack_log_fd = NULL_FD; - close(whackfd); - return; + load_preshared_secrets(whackfd); } - } - if (msg.whack_options) - { -#ifdef DEBUG - if (msg.name == NULL) - { - /* we do a two-step so that if either old or new would - * cause the message to print, it will be printed. - */ - cur_debugging |= msg.debugging; - DBG(DBG_CONTROL - , DBG_log("base debugging = %s" - , bitnamesof(debug_bit_names, msg.debugging))); - cur_debugging = base_debugging = msg.debugging; - } - else if (!msg.whack_connection) - { - struct connection *c = con_by_name(msg.name, TRUE); - - if (c != NULL) - { - c->extra_debugging = msg.debugging; - DBG(DBG_CONTROL - , DBG_log("\"%s\" extra_debugging = %s" - , c->name - , bitnamesof(debug_bit_names, c->extra_debugging))); - } + if (msg.whack_reread & REREAD_CACERTS) + { + load_authcerts("CA cert", CA_CERT_PATH, AUTH_CA); } -#endif - } - - if (msg.whack_myid) - set_myid(MYID_SPECIFIED, msg.myid); - - /* Deleting combined with adding a connection works as replace. - * To make this more useful, in only this combination, - * delete will silently ignore the lack of the connection. - */ - if (msg.whack_delete) - { - if (msg.whack_ca) - find_ca_info_by_name(msg.name, TRUE); - else - delete_connections_by_name(msg.name, !msg.whack_connection); - } - if (msg.whack_deletestate) - { - struct state *st = state_with_serialno(msg.whack_deletestateno); + if (msg.whack_reread & REREAD_AACERTS) + { + load_authcerts("AA cert", AA_CERT_PATH, AUTH_AA); + } - if (st == NULL) + if (msg.whack_reread & REREAD_OCSPCERTS) { - loglog(RC_UNKNOWN_NAME, "no state #%lu to delete" - , msg.whack_deletestateno); + load_authcerts("OCSP cert", OCSP_CERT_PATH, AUTH_OCSP); } - else + + if (msg.whack_reread & REREAD_ACERTS) { - delete_state(st); - } - } - - if (msg.whack_crash) - delete_states_by_peer(&msg.whack_crash_peer); - - if (msg.whack_connection) - add_connection(&msg); - - if (msg.whack_ca && msg.cacert != NULL) - add_ca_info(&msg); - - /* process "listen" before any operation that could require it */ - if (msg.whack_listen) - { - close_peerlog(); /* close any open per-peer logs */ - plog("listening for IKE messages"); - listening = TRUE; - daily_log_reset(); - reset_adns_restart_count(); - set_myFQDN(); - find_ifaces(); - load_preshared_secrets(NULL_FD); - load_groups(); - } - if (msg.whack_unlisten) - { - plog("no longer listening for IKE messages"); - listening = FALSE; - } - - if (msg.whack_reread & REREAD_SECRETS) - { - load_preshared_secrets(whackfd); - } - - if (msg.whack_reread & REREAD_CACERTS) - { - load_authcerts("CA cert", CA_CERT_PATH, AUTH_CA); - } - - if (msg.whack_reread & REREAD_AACERTS) - { - load_authcerts("AA cert", AA_CERT_PATH, AUTH_AA); - } - - if (msg.whack_reread & REREAD_OCSPCERTS) - { - load_authcerts("OCSP cert", OCSP_CERT_PATH, AUTH_OCSP); - } - - if (msg.whack_reread & REREAD_ACERTS) - { - load_acerts(); - } - - if (msg.whack_reread & REREAD_CRLS) - { - load_crls(); - } - - if (msg.whack_purgeocsp) - { - free_ocsp_fetch(); - free_ocsp_cache(); - } - - if (msg.whack_list & LIST_ALGS) - { - ike_alg_list(); - kernel_alg_list(); - } + load_acerts(); + } + + if (msg.whack_reread & REREAD_CRLS) + { + load_crls(); + } + + if (msg.whack_purgeocsp) + { + free_ocsp_fetch(); + free_ocsp_cache(); + } + if (msg.whack_list & LIST_PUBKEYS) - { - list_public_keys(msg.whack_utc); - } - - if (msg.whack_list & LIST_CERTS) - { - list_certs(msg.whack_utc); - } - - if (msg.whack_list & LIST_CACERTS) - { - list_authcerts("CA", AUTH_CA, msg.whack_utc); - } - - if (msg.whack_list & LIST_AACERTS) - { - list_authcerts("AA", AUTH_AA, msg.whack_utc); - } - - if (msg.whack_list & LIST_OCSPCERTS) - { - list_authcerts("OCSP", AUTH_OCSP, msg.whack_utc); - } - - if (msg.whack_list & LIST_ACERTS) - { - list_acerts(msg.whack_utc); - } - - if (msg.whack_list & LIST_GROUPS) - { - list_groups(msg.whack_utc); - } - - if (msg.whack_list & LIST_CAINFOS) - { - list_ca_infos(msg.whack_utc); - } - - if (msg.whack_list & LIST_CRLS) - { - list_crls(msg.whack_utc, strict_crl_policy); - list_crl_fetch_requests(msg.whack_utc); - } - - if (msg.whack_list & LIST_OCSP) - { - list_ocsp_cache(msg.whack_utc, strict_crl_policy); - list_ocsp_fetch_requests(msg.whack_utc); - } - - if (msg.whack_list & LIST_CARDS) - { - scx_list(msg.whack_utc); - } - - if (msg.whack_key) - { - /* add a public key */ - key_add_request(&msg); - } - - if (msg.whack_route) - { - if (!listening) - { - whack_log(RC_DEAF, "need --listen before --route"); - } - if (msg.name == NULL) - { - whack_log(RC_UNKNOWN_NAME - , "whack --route requires a connection name"); + { + list_public_keys(msg.whack_utc); } - else + + if (msg.whack_list & LIST_CERTS) { - struct connection *c = con_by_name(msg.name, TRUE); + list_certs(msg.whack_utc); + } - if (c != NULL && c->ikev1) - { - set_cur_connection(c); - if (!oriented(*c)) - whack_log(RC_ORIENT - , "we have no ipsecN interface for either end of this connection"); - else if (c->policy & POLICY_GROUP) - route_group(c); - else if (!trap_connection(c)) - whack_log(RC_ROUTE, "could not route"); - reset_cur_connection(); - } + if (msg.whack_list & LIST_CACERTS) + { + list_authcerts("CA", AUTH_CA, msg.whack_utc); } - } - if (msg.whack_unroute) - { - if (msg.name == NULL) + if (msg.whack_list & LIST_AACERTS) { - whack_log(RC_UNKNOWN_NAME - , "whack --unroute requires a connection name"); + list_authcerts("AA", AUTH_AA, msg.whack_utc); } - else + + if (msg.whack_list & LIST_OCSPCERTS) { - struct connection *c = con_by_name(msg.name, TRUE); + list_authcerts("OCSP", AUTH_OCSP, msg.whack_utc); + } - if (c != NULL && c->ikev1) - { - struct spd_route *sr; - int fail = 0; + if (msg.whack_list & LIST_ACERTS) + { + list_acerts(msg.whack_utc); + } - set_cur_connection(c); + if (msg.whack_list & LIST_GROUPS) + { + list_groups(msg.whack_utc); + } - for (sr = &c->spd; sr != NULL; sr = sr->next) - { - if (sr->routing >= RT_ROUTED_TUNNEL) - fail++; - } - if (fail > 0) - whack_log(RC_RTBUSY, "cannot unroute: route busy"); - else if (c->policy & POLICY_GROUP) - unroute_group(c); - else - unroute_connection(c); - reset_cur_connection(); - } + if (msg.whack_list & LIST_CAINFOS) + { + list_ca_infos(msg.whack_utc); } - } - if (msg.whack_initiate) - { - if (!listening) + if (msg.whack_list & LIST_CRLS) { - whack_log(RC_DEAF, "need --listen before --initiate"); + list_crls(msg.whack_utc, strict_crl_policy); + list_crl_fetch_requests(msg.whack_utc); } - else if (msg.name == NULL) + + if (msg.whack_list & LIST_OCSP) { - whack_log(RC_UNKNOWN_NAME - , "whack --initiate requires a connection name"); + list_ocsp_cache(msg.whack_utc, strict_crl_policy); + list_ocsp_fetch_requests(msg.whack_utc); } - else + + if (msg.whack_list & LIST_CARDS) { - initiate_connection(msg.name - , msg.whack_async? NULL_FD : dup_any(whackfd)); + scx_list(msg.whack_utc); } - } - if (msg.whack_oppo_initiate) - { - if (!listening) - whack_log(RC_DEAF, "need --listen before opportunistic initiation"); - else - initiate_opportunistic(&msg.oppo_my_client, &msg.oppo_peer_client, 0 - , FALSE - , msg.whack_async? NULL_FD : dup_any(whackfd)); - } + if (msg.whack_list & LIST_ALGS) + { + ike_alg_list(); + kernel_alg_list(); + } - if (msg.whack_terminate) - { - if (msg.name == NULL) + if (msg.whack_key) { - whack_log(RC_UNKNOWN_NAME - , "whack --terminate requires a connection name"); + /* add a public key */ + key_add_request(&msg); } - else + + if (msg.whack_route) { - terminate_connection(msg.name); + if (!listening) + { + whack_log(RC_DEAF, "need --listen before --route"); + } + if (msg.name == NULL) + { + whack_log(RC_UNKNOWN_NAME + , "whack --route requires a connection name"); + } + else + { + struct connection *c = con_by_name(msg.name, TRUE); + + if (c != NULL && c->ikev1) + { + set_cur_connection(c); + if (!oriented(*c)) + whack_log(RC_ORIENT + , "we have no ipsecN interface for either end of this connection"); + else if (c->policy & POLICY_GROUP) + route_group(c); + else if (!trap_connection(c)) + whack_log(RC_ROUTE, "could not route"); + reset_cur_connection(); + } + } } - } - if (msg.whack_status) - show_status(msg.whack_statusall, msg.name); + if (msg.whack_unroute) + { + if (msg.name == NULL) + { + whack_log(RC_UNKNOWN_NAME + , "whack --unroute requires a connection name"); + } + else + { + struct connection *c = con_by_name(msg.name, TRUE); + + if (c != NULL && c->ikev1) + { + struct spd_route *sr; + int fail = 0; + + set_cur_connection(c); + + for (sr = &c->spd; sr != NULL; sr = sr->next) + { + if (sr->routing >= RT_ROUTED_TUNNEL) + fail++; + } + if (fail > 0) + whack_log(RC_RTBUSY, "cannot unroute: route busy"); + else if (c->policy & POLICY_GROUP) + unroute_group(c); + else + unroute_connection(c); + reset_cur_connection(); + } + } + } - if (msg.whack_shutdown) - { - plog("shutting down"); - exit_pluto(0); /* delete lock and leave, with 0 status */ - } + if (msg.whack_initiate) + { + if (!listening) + { + whack_log(RC_DEAF, "need --listen before --initiate"); + } + else if (msg.name == NULL) + { + whack_log(RC_UNKNOWN_NAME + , "whack --initiate requires a connection name"); + } + else + { + initiate_connection(msg.name + , msg.whack_async? NULL_FD : dup_any(whackfd)); + } + } - if (msg.whack_sc_op != SC_OP_NONE) - { - if (pkcs11_proxy) - scx_op_via_whack(msg.sc_data, msg.inbase, msg.outbase - , msg.whack_sc_op, msg.keyid, whackfd); - else - plog("pkcs11 access to smartcard not allowed (set pkcs11proxy=yes)"); - } + if (msg.whack_oppo_initiate) + { + if (!listening) + whack_log(RC_DEAF, "need --listen before opportunistic initiation"); + else + initiate_opportunistic(&msg.oppo_my_client, &msg.oppo_peer_client, 0 + , FALSE + , msg.whack_async? NULL_FD : dup_any(whackfd)); + } + + if (msg.whack_terminate) + { + if (msg.name == NULL) + { + whack_log(RC_UNKNOWN_NAME + , "whack --terminate requires a connection name"); + } + else + { + terminate_connection(msg.name); + } + } + + if (msg.whack_status) + show_status(msg.whack_statusall, msg.name); + + if (msg.whack_shutdown) + { + plog("shutting down"); + exit_pluto(0); /* delete lock and leave, with 0 status */ + } - whack_log_fd = NULL_FD; - close(whackfd); + if (msg.whack_sc_op != SC_OP_NONE) + { + if (pkcs11_proxy) + scx_op_via_whack(msg.sc_data, msg.inbase, msg.outbase + , msg.whack_sc_op, msg.keyid, whackfd); + else + plog("pkcs11 access to smartcard not allowed (set pkcs11proxy=yes)"); + } + + whack_log_fd = NULL_FD; + close(whackfd); } /* |