diff options
Diffstat (limited to 'src/libcharon/plugins/vici/vici_cred.c')
| -rw-r--r-- | src/libcharon/plugins/vici/vici_cred.c | 86 |
1 files changed, 85 insertions, 1 deletions
diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c index 3411b7d6c..baf285fb8 100644 --- a/src/libcharon/plugins/vici/vici_cred.c +++ b/src/libcharon/plugins/vici/vici_cred.c @@ -2,7 +2,7 @@ * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * - * Copyright (C) 2015 Andreas Steffen + * Copyright (C) 2015-2016 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -25,9 +25,16 @@ #include <credentials/certificates/crl.h> #include <credentials/certificates/x509.h> +#include <errno.h> + typedef struct private_vici_cred_t private_vici_cred_t; /** + * Directory for saved X.509 CRLs + */ +#define CRL_DIR SWANCTLDIR "/x509crl" + +/** * Private data of an vici_cred_t object. */ struct private_vici_cred_t { @@ -46,8 +53,54 @@ struct private_vici_cred_t { * credentials */ mem_cred_t *creds; + + /** + * cache CRLs to disk? + */ + bool cachecrl; + }; +METHOD(credential_set_t, cache_cert, void, + private_vici_cred_t *this, certificate_t *cert) +{ + if (cert->get_type(cert) == CERT_X509_CRL && this->cachecrl) + { + /* CRLs get written to /etc/swanctl/x509crl/<authkeyId>.crl */ + crl_t *crl = (crl_t*)cert; + + cert->get_ref(cert); + if (this->creds->add_crl(this->creds, crl)) + { + char buf[BUF_LEN]; + chunk_t chunk, hex; + bool is_delta_crl; + + is_delta_crl = crl->is_delta_crl(crl, NULL); + chunk = crl->get_authKeyIdentifier(crl); + hex = chunk_to_hex(chunk, NULL, FALSE); + snprintf(buf, sizeof(buf), "%s/%s%s.crl", CRL_DIR, hex.ptr, + is_delta_crl ? "_delta" : ""); + free(hex.ptr); + + if (cert->get_encoding(cert, CERT_ASN1_DER, &chunk)) + { + if (chunk_write(chunk, buf, 022, TRUE)) + { + DBG1(DBG_CFG, " written crl file '%s' (%d bytes)", + buf, chunk.len); + } + else + { + DBG1(DBG_CFG, " writing crl file '%s' failed: %s", + buf, strerror(errno)); + } + free(chunk.ptr); + } + } + } +} + /** * Create a (error) reply message */ @@ -287,6 +340,24 @@ CALLBACK(clear_creds, vici_message_t*, return create_reply(NULL); } +CALLBACK(flush_certs, vici_message_t*, + private_vici_cred_t *this, char *name, u_int id, vici_message_t *message) +{ + certificate_type_t type = CERT_ANY; + x509_flag_t flag = X509_NONE; + char *str; + + str = message->get_str(message, NULL, "type"); + if (str && !enum_from_name(certificate_type_names, str, &type) && + !vici_cert_info_from_str(str, &type, &flag)) + { + return create_reply("invalid certificate type '%s'", str); + } + lib->credmgr->flush_cache(lib->credmgr, type); + + return create_reply(NULL); +} + static void manage_command(private_vici_cred_t *this, char *name, vici_command_cb_t cb, bool reg) { @@ -300,6 +371,7 @@ static void manage_command(private_vici_cred_t *this, static void manage_commands(private_vici_cred_t *this, bool reg) { manage_command(this, "clear-creds", clear_creds, reg); + manage_command(this, "flush-certs", flush_certs, reg); manage_command(this, "load-cert", load_cert, reg); manage_command(this, "load-key", load_key, reg); manage_command(this, "load-shared", load_shared, reg); @@ -330,6 +402,13 @@ vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher) INIT(this, .public = { + .set = { + .create_private_enumerator = (void*)return_null, + .create_cert_enumerator = (void*)return_null, + .create_shared_enumerator = (void*)return_null, + .create_cdp_enumerator = (void*)return_null, + .cache_cert = (void*)_cache_cert, + }, .add_cert = _add_cert, .destroy = _destroy, }, @@ -337,6 +416,11 @@ vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher) .creds = mem_cred_create(), ); + if (lib->settings->get_bool(lib->settings, "%s.cache_crls", FALSE, lib->ns)) + { + this->cachecrl = TRUE; + DBG1(DBG_CFG, "crl caching to %s enabled", CRL_DIR); + } lib->credmgr->add_set(lib->credmgr, &this->creds->set); manage_commands(this, TRUE); |