authorRene Mayrhofer <rene@mayrhofer.eu.org>2009-10-21 11:18:20 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2009-10-21 11:18:20 +0000
commita9b7f8d4a4a4202facd9690580b38542e7933f00 (patch)
treed82a9d506c62cff257e5292845b68df3ca5c60dc /src/scepclient
parent12263dccbbb6747d53b97333c3d6f0f17e1bffea (diff)
downloadvyos-strongswan-a9b7f8d4a4a4202facd9690580b38542e7933f00.tar.gz
vyos-strongswan-a9b7f8d4a4a4202facd9690580b38542e7933f00.zip
- New upstream release.
- Don't disable internal crypto plugins, pluto expects to find them in some cases. - Enable integrity checking.
Diffstat (limited to 'src/scepclient')
-rw-r--r--src/scepclient/Makefile.in5
-rw-r--r--src/scepclient/loglite.c7
-rw-r--r--src/scepclient/scepclient.818
-rw-r--r--src/scepclient/scepclient.c67
4 files changed, 51 insertions, 46 deletions
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index 3919583ef..72cefb3b6 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -79,12 +79,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -149,6 +151,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -189,7 +192,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
diff --git a/src/scepclient/loglite.c b/src/scepclient/loglite.c
index b14e72ecb..87041f114 100644
--- a/src/scepclient/loglite.c
+++ b/src/scepclient/loglite.c
@@ -68,21 +68,23 @@ static void scepclient_dbg(int level, char *fmt, ...)
if (level <= debug_level)
{
- va_start(args, fmt);
-
if (log_to_stderr)
{
if (level > 1)
{
fprintf(stderr, "| ");
}
+ va_start(args, fmt);
vfprintf(stderr, fmt, args);
+ va_end(args);
fprintf(stderr, "\n");
}
if (log_to_syslog)
{
/* write in memory buffer first */
+ va_start(args, fmt);
vsnprintf(buffer, sizeof(buffer), fmt, args);
+ va_end(args);
/* do a syslog with every line */
while (current)
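Review bot: The second `va_start` in the syslog branch deserves a why-comment, because a later reader is likely to collapse the two `va_start`/`va_end` pairs back into one and reintroduce the bug this hunk fixes: `/* a va_list may be traversed only once; re-arm it for each consumer */`. Passing the same `args` to `vfprintf` and then to `vsnprintf` without an intervening `va_end`/`va_start` is undefined behaviour, so pairing each consumer with its own start/end is the correct shape. The `while (current)` loop that splits `buffer` into per-line syslog calls continues past the end of the hunk, as does scepclient_dbg itself.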
@@ -96,7 +98,6 @@ static void scepclient_dbg(int level, char *fmt, ...)
current = next;
}
}
- va_end(args);
}
}
diff --git a/src/scepclient/scepclient.8 b/src/scepclient/scepclient.8
index d9bf8e4cc..4b5234da2 100644
--- a/src/scepclient/scepclient.8
+++ b/src/scepclient/scepclient.8
@@ -149,16 +149,22 @@ Change symmetric algorithm to use for encryption of certificate Request.
The default is \fB3des\-cbc\fP.
.PP
Supported values for \fIalgo\fP:
-.IP "\fBdes\-cbc\fP" 12
-DES CBC encryption (key size = 56 bit).
-.IP "\fB3des\-cbc\fP" 12
+.IP "\fBdes\fP" 12
+DES-CBC encryption (key size = 56 bit).
+.IP "\fB3des\fP" 12
Triple DES-EDE-CBC encryption (key size = 168 bit).
-.IP "\fBaes128\-cbc\fP" 12
+.IP "\fBaes128\fP" 12
AES-CBC encryption (key size = 128 bit).
-.IP "\fBaes192\-cbc\fP" 12
+.IP "\fBaes192\fP" 12
AES-CBC encryption (key size = 192 bit).
-.IP "\fBaes256\-cbc\fP" 12
+.IP "\fBaes256\fP" 12
AES-CBC encryption (key size = 256 bit).
+.IP "\fBcamellia128\fP" 12
+Camellia-CBC encryption (key size = 128 bit).
+.IP "\fBcamellia192\fP" 12
+Camelllia-CBC encryption (key size = 192 bit).
+.IP "\fBcamellia256\fP" 12
+Camellia-CBC encryption (key size = 256 bit).
.RE
.PP
.B \-o, \-\-out \fItype\fP[=\fIfilename\fP]
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 0e7ae3e40..6c0166d66 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -41,6 +41,8 @@
#include <asn1/oid.h>
#include <utils/optionsfrom.h>
#include <utils/enumerator.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/proposal/proposal_keywords.h>
#include <credentials/keys/private_key.h>
#include <credentials/keys/public_key.h>
@@ -246,9 +248,8 @@ usage(const char *message)
" --password (-p) <pw> challenge password\n"
" - if pw is '%%prompt', password gets prompted for\n"
" --algorithm (-a) <algo> use specified algorithm for PKCS#7 encryption\n"
- " <algo> = des-cbc | 3des-cbc (default) | \n"
- " aes128-cbc | aes192-cbc | aes256-cbc | \n"
- " camellia128-cbc | camellia192-cbc | camellia256-cbc\n"
+ " <algo> = des | 3des (default) | aes128| aes192 | \n"
+ " aes256 | camellia128 | camellia192 | camellia256\n"
"\n"
"Options for enrollment (cert):\n"
" --url (-u) <url> url of the SCEP server\n"
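Review bot: The new usage line drops the space after `aes128`, so the help text prints `aes128| aes192`; it should read `" <algo> = des | 3des (default) | aes128 | aes192 | \n"`. Since single DES with a 56-bit key remains a selectable value, consider marking it in the text as legacy-only (e.g. `des (legacy)`) so users do not pick it for new enrolments. usage() starts and ends outside the hunk.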
@@ -385,8 +386,21 @@ int main(int argc, char **argv)
scep_response = chunk_empty;
log_to_stderr = TRUE;
- /* initialize library and optionsfrom */
- library_init(STRONGSWAN_CONF);
+ /* initialize library */
+ if (!library_init(STRONGSWAN_CONF))
+ {
+ library_deinit();
+ exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+ }
+ if (lib->integrity &&
+ !lib->integrity->check_file(lib->integrity, "scepclient", argv[0]))
+ {
+ fprintf(stderr, "integrity check of scepclient failed\n");
+ library_deinit();
+ exit(SS_RC_DAEMON_INTEGRITY);
+ }
+
+ /* initialize optionsfrom */
options = options_create();
for (;;)
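Review bot: The integrity check at `check_file(lib->integrity, "scepclient", argv[0])` passes argv[0], which the invoking process chooses freely (execve accepts any argv[0], and with argc == 0 it is NULL); if check_file opens the path named by argv[0] — its implementation is not visible here — the check measures whatever file the caller names rather than the running executable, and a NULL argv[0] is passed straight through. Guard it, e.g. `if (lib->integrity && (argv[0] == NULL || !lib->integrity->check_file(lib->integrity, "scepclient", argv[0])))`, and consider resolving the executable through a platform self-path where one is available. The `library_init` failure branch exits silently; a `fprintf(stderr, "initialization of libstrongswan failed\n");` before `library_deinit()` would make that failure diagnosable from the shell. main() continues well past the hunk.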
@@ -698,43 +712,22 @@ int main(int argc, char **argv)
continue;
case 'a': /*--algorithm */
- if (strcaseeq("des-cbc", optarg))
- {
- pkcs7_symmetric_cipher = OID_DES_CBC;
- }
- else if (strcaseeq("3des-cbc", optarg))
- {
- pkcs7_symmetric_cipher = OID_3DES_EDE_CBC;
- }
- else if (strcaseeq("aes128-cbc", optarg))
- {
- pkcs7_symmetric_cipher = OID_AES128_CBC;
- }
- else if (strcaseeq("aes192-cbc", optarg))
- {
- pkcs7_symmetric_cipher = OID_AES192_CBC;
- }
- else if (strcaseeq("aes256-cbc", optarg))
- {
- pkcs7_symmetric_cipher = OID_AES256_CBC;
- }
- else if (strcaseeq("camellia128-cbc", optarg))
- {
- pkcs7_symmetric_cipher = OID_CAMELLIA128_CBC;
- }
- else if (strcaseeq("camellia192-cbc", optarg))
- {
- pkcs7_symmetric_cipher = OID_CAMELLIA192_CBC;
- }
- else if (strcaseeq("camellia256-cbc", optarg))
+ {
+ const proposal_token_t *token;
+
+ token = proposal_get_token(optarg, strlen(optarg));
+ if (token == NULL || token->type != ENCRYPTION_ALGORITHM)
{
- pkcs7_symmetric_cipher = OID_CAMELLIA256_CBC;
+ usage("invalid algorithm specified");
}
- else
+ pkcs7_symmetric_cipher = encryption_algorithm_to_oid(
+ token->algorithm, token->keysize);
+ if (pkcs7_symmetric_cipher == OID_UNKNOWN)
{
- usage("invalid encryption algorithm specified");
+ usage("unsupported encryption algorithm specified");
}
continue;
+ }
#ifdef DEBUG
case 'A': /* --debug-all */
base_debugging |= DBG_ALL;
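Review bot: After `usage("invalid algorithm specified")` the new code falls straight into `encryption_algorithm_to_oid(token->algorithm, token->keysize)`, so it dereferences a NULL `token` unless usage() never returns; the removed code only reached `continue` after its usage() call. If usage() does exit, say so at the call site (`usage("invalid algorithm specified"); /* does not return */`), otherwise add a `continue;` after each usage() call in this case. Note also that the accepted spellings changed from `des-cbc`/`3des-cbc`/… to the proposal keywords `des`/`3des`/…, so existing invocations using the old names will now be rejected with "invalid algorithm specified" unless proposal_get_token also recognises the `-cbc` forms (not visible here); the commit message does not mention this compatibility change. The option loop and main() continue outside the hunk.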